{ "type": "URL", "indicator": "https://developers.cloudfiare.com/support/troubleshooting/http-status-", "general": { "sections": [ "general", "url_list", "http_scans", "screenshot" ], "indicator": "https://developers.cloudfiare.com/support/troubleshooting/http-status-", "type": "url", "type_title": "URL", "validation": [], "base_indicator": { "id": 4071328424, "indicator": "https://developers.cloudfiare.com/support/troubleshooting/http-status-", "type": "URL", "title": "", "description": "", "content": "", "access_type": "public", "access_reason": "" }, "pulse_info": { "count": 6, "pulses": [ { "id": "69aa41b0d714318bf8937184", "name": "Credit Q.Vashti, Title [.Net Obfuscater] clone", "description": "", "modified": "2026-04-25T07:06:03.966000", "created": "2026-03-06T02:53:36.216000", "tags": [ "no expiration", "domain", "name", "control flow", "dlls", "method parent", "declarative", "ms build", "core", "msie", "windows nt", "wow64", "slcc2", "media center", "read c", "dock", "write", "execution", "capture", "endgame", "united", "moved", "ip address", "record value", "gate software", "newnham house", "expiration date", "urls", "url add", "http", "related nids", "files location", "flag united", "present aug", "present sep", "present nov", "present oct", "name servers", "emails", "present dec", "meta", "passive dns", "next associated", "ipv4", "url analysis", "files", "cookie", "subscribe", "unsubscribe", "s paris", "englewood", "state", "skip", "espaol", "summary", "filing history", "ireland", "title", "united states", "certificate", "colorado", "ipv4 add", "america flag", "showing", "pulse submit", "size", "pattern match", "mitre att", "ck id", "path", "hybrid", "general", "local", "iframe", "click", "strings", "cece", "mult", "learn", "name tactics", "suspicious", "informative", "command", "adversaries", "spawns", "t1590 gather", "victim network", "flag", "windir", "openurl c", "prefetch2", "analysis", "tor analysis", "dns requests", "domain address", "contacted hosts", "sha1", "sha256", "njmk", "kwruymy", "mime", "submitted", "process details", "calls", "apis", "reads", "defense evasion", "model", "getprocaddress", "show technique", "ck matrix", "access type", "value", "api call", "open", "august", "format", "typeof symbol", "typeof s", "typeof c", "function", "symbol", "comenabled", "image path", "ndex", "ndroleextdll", "f0f0f0", "ff4b55", "stop", "span", "show process", "binary file", "file", "network traffic", "encrypt", "date", "found", "ssl certificate", "creation date", "hostname add", "pulse pulses", "files ip", "address domain", "data upload", "extraction", "ge6 mira", "failed", "ascii text", "development att", "hostname", "files domain", "files related", "pulses otx", "pulses", "unknown aaaa", "unknown ns", "united states", "urls show", "date checked", "url hostname", "server response", "google safe", "results may", "a domains", "search", "germany unknown", "win32", "lowfi", "chrome", "susp", "trojan", "backdoor", "twitter", "virtool", "worm", "exploit", "trojandropper", "win32upatre dec", "mtb dec", "reverse dns", "body", "location united", "asn as14618", "less whois", "files show", "date hash", "avast avg", "initial access", "javascript", "root", "enterprise", "form", "desktop", "command decode", "suricata ipv4", "spycloud", "robots", "bots", "chatbot", "bot network", "spy", "mixb", "a2fryx", "therahand", "typosquating" ], "references": [ "https://www.red-gate.com/products/smartassembly", "spycloud.com \u2022 content.spycloud.com \u2022 email.spycloud.com\t hostname\tengage.spycloud.com \u2022 hello.spycloud.com \u2022portal.spycloud.com \u2022 https://email.spycloud", "https://email.spycloud.com/NzEzLVdJUC03MzcAAAGe67eM-W3qxAlVkEvZwfw1dWuwRdm0zVU5aMyOzUe2IkxAY3hDe8RfT27HnjgkvTk-uqIy6K0=", "https://spycloud.com/solutions/\t\u2022 104.18.26.108 ELF:Mirai-GH\\ [Trj] \u2022 Unix.Dropper.Mirai-7135870-0", "dasima-containers.palantirfoundry.com \u2022 blitzrobots.com", "https://blog.endgames.com/ \u2022 wg41xm05b3.endgamesystems.com", "https://www.coloradosos.gov/biz/BusinessEntityDetail.do?quitButtonDestination=BusinessEntityResults&nameTyp=ENT&masterFileId=20221473927&entityId2=20221473927&fileId=20251525819&srchTyp=ENTITY", "www.onyx-ware.com \u2022 http://pages.endgames.com/ \u2022 http://www.endgamesystems.com/", "https://hybrid-analysis.com/sample/9a1e0d38b691f1d22a92cff65ec0439b428170ac39a4493c7ecb06d5585f56a3/68a4adea30f7fafee90aefd3", "Malicious: http://developers.cloudfiare.com/support/troubleshooting/http-status-", "Typosquating: developers.cloudfiare.com \u2022 cloudfiare.com" ], "public": 1, "adversary": "", "targeted_countries": [], "malware_families": [ { "id": "Unix.Dropper.Mirai-7135870-0", "display_name": "Unix.Dropper.Mirai-7135870-0", "target": null }, { "id": "ELF:Mirai-GH\\ [Trj]", "display_name": "ELF:Mirai-GH\\ [Trj]", "target": null } ], "attack_ids": [ { "id": "T1090", "name": "Proxy", "display_name": "T1090 - Proxy" }, { "id": "T1553", "name": "Subvert Trust Controls", "display_name": "T1553 - Subvert Trust Controls" }, { "id": "T1127", "name": "Trusted Developer Utilities Proxy Execution", "display_name": "T1127 - Trusted Developer Utilities Proxy Execution" }, { "id": "T1027", "name": "Obfuscated Files or Information", "display_name": "T1027 - Obfuscated Files or Information" }, { "id": "T1560", "name": "Archive Collected Data", "display_name": "T1560 - Archive Collected Data" }, { "id": "T1053", "name": "Scheduled Task/Job", "display_name": "T1053 - Scheduled Task/Job" }, { "id": "T1055", "name": "Process Injection", "display_name": "T1055 - Process Injection" }, { "id": "T1056", "name": "Input Capture", "display_name": "T1056 - Input Capture" }, { "id": "T1082", "name": "System Information Discovery", "display_name": "T1082 - System Information Discovery" }, { "id": "T1119", "name": "Automated Collection", "display_name": "T1119 - Automated Collection" }, { "id": "T1129", "name": "Shared Modules", "display_name": "T1129 - Shared Modules" }, { "id": "T1143", "name": "Hidden Window", "display_name": "T1143 - Hidden Window" }, { "id": "T1057", "name": "Process Discovery", "display_name": "T1057 - Process Discovery" }, { "id": "T1069", "name": "Permission Groups Discovery", "display_name": "T1069 - Permission Groups Discovery" }, { "id": "T1071", "name": "Application Layer Protocol", "display_name": "T1071 - Application Layer Protocol" }, { "id": "T1083", "name": "File and Directory Discovery", "display_name": "T1083 - File and Directory Discovery" }, { "id": "T1105", "name": "Ingress Tool Transfer", "display_name": "T1105 - Ingress Tool Transfer" }, { "id": "T1480", "name": "Execution Guardrails", "display_name": "T1480 - Execution Guardrails" }, { "id": "T1568", "name": "Dynamic Resolution", "display_name": "T1568 - Dynamic Resolution" }, { "id": "T1583", "name": "Acquire Infrastructure", "display_name": "T1583 - Acquire Infrastructure" }, { "id": "T1590", "name": "Gather Victim Network Information", "display_name": "T1590 - Gather Victim Network Information" }, { "id": "T1113", "name": "Screen Capture", "display_name": "T1113 - Screen Capture" }, { "id": "T1140", "name": "Deobfuscate/Decode Files or Information", "display_name": "T1140 - Deobfuscate/Decode Files or Information" }, { "id": "T1583.001", "name": "Domains", "display_name": "T1583.001 - Domains" }, { "id": "T1553.002", "name": "Code Signing", "display_name": "T1553.002 - Code Signing" }, { "id": "T1069.002", "name": "Domain Groups", "display_name": "T1069.002 - Domain Groups" }, { "id": "T1568.002", "name": "Domain Generation Algorithms", "display_name": "T1568.002 - Domain Generation Algorithms" }, { "id": "T1071.001", "name": "Web Protocols", "display_name": "T1071.001 - Web Protocols" }, { "id": "T1071.004", "name": "DNS", "display_name": "T1071.004 - DNS" }, { "id": "T1003", "name": "OS Credential Dumping", "display_name": "T1003 - OS Credential Dumping" }, { "id": "T1007", "name": "System Service Discovery", "display_name": "T1007 - System Service Discovery" }, { "id": "T1010", "name": "Application Window Discovery", "display_name": "T1010 - Application Window Discovery" }, { "id": "T1012", "name": "Query Registry", "display_name": "T1012 - Query Registry" }, { "id": "T1059", "name": "Command and Scripting Interpreter", "display_name": "T1059 - Command and Scripting Interpreter" }, { "id": "T1068", "name": "Exploitation for Privilege Escalation", "display_name": "T1068 - Exploitation for Privilege Escalation" }, { "id": "T1106", "name": "Native API", "display_name": "T1106 - Native API" }, { "id": "T1497", "name": "Virtualization/Sandbox Evasion", "display_name": "T1497 - Virtualization/Sandbox Evasion" }, { "id": "T1546", "name": "Event Triggered Execution", "display_name": "T1546 - Event Triggered Execution" }, { "id": "T1562", "name": "Impair Defenses", "display_name": "T1562 - Impair Defenses" }, { "id": "T1614", "name": "System Location Discovery", "display_name": "T1614 - System Location Discovery" }, { "id": "T1122", "name": "Component Object Model Hijacking", "display_name": "T1122 - Component Object Model Hijacking" }, { "id": "T1415", "name": "URL Scheme Hijacking", "display_name": "T1415 - URL Scheme Hijacking" }, { "id": "T1416", "name": "URI Hijacking", "display_name": "T1416 - URI Hijacking" }, { "id": "T1059.007", "name": "JavaScript", "display_name": "T1059.007 - JavaScript" }, { "id": "T1584.005", "name": "Botnet", "display_name": "T1584.005 - Botnet" }, { "id": "T1189", "name": "Drive-by Compromise", "display_name": "T1189 - Drive-by Compromise" }, { "id": "T1204", "name": "User Execution", "display_name": "T1204 - User Execution" }, { "id": "T1562.001", "name": "Disable or Modify Tools", "display_name": "T1562.001 - Disable or Modify Tools" }, { "id": "T1116", "name": "Code Signing", "display_name": "T1116 - Code Signing" }, { "id": "T1546.015", "name": "Component Object Model Hijacking", "display_name": "T1546.015 - Component Object Model Hijacking" }, { "id": "T1566", "name": "Phishing", "display_name": "T1566 - Phishing" }, { "id": "T1014", "name": "Rootkit", "display_name": "T1014 - Rootkit" } ], "industries": [], "TLP": "green", "cloned_from": "6952d4fc6910b0b866746d8a", "export_count": 0, "upvotes_count": 0, "downvotes_count": 0, "votes_count": 0, "locked": false, "pulse_source": "web", "validator_count": 0, "comment_count": 0, "follower_count": 0, "vote": 0, "author": { "username": "msudosos", "id": "381696", "avatar_url": "https://otx.alienvault.com/assets/images/default-avatar.png", "is_subscribed": false, "is_following": false }, "indicator_type_counts": { "FileHash-MD5": 341, "FileHash-SHA1": 343, "FileHash-SHA256": 1332, "domain": 1062, "hostname": 1969, "URL": 5700, "email": 10, "SSLCertFingerprint": 21, "CVE": 1 }, "indicator_count": 10779, "is_author": false, "is_subscribing": null, "subscriber_count": 68, "modified_text": "38 days ago ", "is_modified": true, "groups": [], "in_group": false, "threat_hunter_scannable": true, "threat_hunter_has_agents": 1, "related_indicator_type": "URL", "related_indicator_is_active": 1 }, { "id": "6952d4fc6910b0b866746d8a", "name": ".NET Obfuscator, Error Reporting, DLL Merging | SmartAssembly | Spycloud", "description": "*Mirai | Currently being used maliciously. Mirai botnet work in place. Obfuscation, call redirection, evasion , chatbots, spyware , cal retrieval , typosquating , and other tactics used against victim. Red hats being unethical is expected.. This team is attacking in this instance. Screen Capture 24/7. Malicious media +++ from Englewood, Co. \n\nWhen used ethically SmartAssembly protects your code and Intellectual Property with powerful obfuscation features, and provides error reports when your application crashes in the wild, as well as a range of other tools for database management and data management.\n#palantir #foundry #denver #englewood #colorado #spycloud #mirai #botnet", "modified": "2026-01-28T18:03:54.589000", "created": "2025-12-29T19:22:36.103000", "tags": [ "no expiration", "domain", "name", "control flow", "dlls", "method parent", "declarative", "ms build", "core", "msie", "windows nt", "wow64", "slcc2", "media center", "read c", "dock", "write", "execution", "capture", "endgame", "united", "moved", "ip address", "record value", "gate software", "newnham house", "expiration date", "urls", "url add", "http", "related nids", "files location", "flag united", "present aug", "present sep", "present nov", "present oct", "name servers", "emails", "present dec", "meta", "passive dns", "next associated", "ipv4", "url analysis", "files", "cookie", "subscribe", "unsubscribe", "s paris", "englewood", "state", "skip", "espaol", "summary", "filing history", "ireland", "title", "united states", "certificate", "colorado", "ipv4 add", "america flag", "showing", "pulse submit", "size", "pattern match", "mitre att", "ck id", "path", "hybrid", "general", "local", "iframe", "click", "strings", "cece", "mult", "learn", "name tactics", "suspicious", "informative", "command", "adversaries", "spawns", "t1590 gather", "victim network", "flag", "windir", "openurl c", "prefetch2", "analysis", "tor analysis", "dns requests", "domain address", "contacted hosts", "sha1", "sha256", "njmk", "kwruymy", "mime", "submitted", "process details", "calls", "apis", "reads", "defense evasion", "model", "getprocaddress", "show technique", "ck matrix", "access type", "value", "api call", "open", "august", "format", "typeof symbol", "typeof s", "typeof c", "function", "symbol", "comenabled", "image path", "ndex", "ndroleextdll", "f0f0f0", "ff4b55", "stop", "span", "show process", "binary file", "file", "network traffic", "encrypt", "date", "found", "ssl certificate", "creation date", "hostname add", "pulse pulses", "files ip", "address domain", "data upload", "extraction", "ge6 mira", "failed", "ascii text", "development att", "hostname", "files domain", "files related", "pulses otx", "pulses", "unknown aaaa", "unknown ns", "united states", "urls show", "date checked", "url hostname", "server response", "google safe", "results may", "a domains", "search", "germany unknown", "win32", "lowfi", "chrome", "susp", "trojan", "backdoor", "twitter", "virtool", "worm", "exploit", "trojandropper", "win32upatre dec", "mtb dec", "reverse dns", "body", "location united", "asn as14618", "less whois", "files show", "date hash", "avast avg", "initial access", "javascript", "root", "enterprise", "form", "desktop", "command decode", "suricata ipv4", "spycloud", "robots", "bots", "chatbot", "bot network", "spy", "mixb", "a2fryx", "therahand", "typosquating" ], "references": [ "https://www.red-gate.com/products/smartassembly", "spycloud.com \u2022 content.spycloud.com \u2022 email.spycloud.com\t hostname\tengage.spycloud.com \u2022 hello.spycloud.com \u2022portal.spycloud.com \u2022 https://email.spycloud", "https://email.spycloud.com/NzEzLVdJUC03MzcAAAGe67eM-W3qxAlVkEvZwfw1dWuwRdm0zVU5aMyOzUe2IkxAY3hDe8RfT27HnjgkvTk-uqIy6K0=", "https://spycloud.com/solutions/\t\u2022 104.18.26.108 ELF:Mirai-GH\\ [Trj] \u2022 Unix.Dropper.Mirai-7135870-0", "dasima-containers.palantirfoundry.com \u2022 blitzrobots.com", "https://blog.endgames.com/ \u2022 wg41xm05b3.endgamesystems.com", "https://www.coloradosos.gov/biz/BusinessEntityDetail.do?quitButtonDestination=BusinessEntityResults&nameTyp=ENT&masterFileId=20221473927&entityId2=20221473927&fileId=20251525819&srchTyp=ENTITY", "www.onyx-ware.com \u2022 http://pages.endgames.com/ \u2022 http://www.endgamesystems.com/", "https://hybrid-analysis.com/sample/9a1e0d38b691f1d22a92cff65ec0439b428170ac39a4493c7ecb06d5585f56a3/68a4adea30f7fafee90aefd3", "Malicious: http://developers.cloudfiare.com/support/troubleshooting/http-status-", "Typosquating: developers.cloudfiare.com \u2022 cloudfiare.com" ], "public": 1, "adversary": "", "targeted_countries": [], "malware_families": [ { "id": "Unix.Dropper.Mirai-7135870-0", "display_name": "Unix.Dropper.Mirai-7135870-0", "target": null }, { "id": "ELF:Mirai-GH\\ [Trj]", "display_name": "ELF:Mirai-GH\\ [Trj]", "target": null } ], "attack_ids": [ { "id": "T1090", "name": "Proxy", "display_name": "T1090 - Proxy" }, { "id": "T1553", "name": "Subvert Trust Controls", "display_name": "T1553 - Subvert Trust Controls" }, { "id": "T1127", "name": "Trusted Developer Utilities Proxy Execution", "display_name": "T1127 - Trusted Developer Utilities Proxy Execution" }, { "id": "T1027", "name": "Obfuscated Files or Information", "display_name": "T1027 - Obfuscated Files or Information" }, { "id": "T1560", "name": "Archive Collected Data", "display_name": "T1560 - Archive Collected Data" }, { "id": "T1053", "name": "Scheduled Task/Job", "display_name": "T1053 - Scheduled Task/Job" }, { "id": "T1055", "name": "Process Injection", "display_name": "T1055 - Process Injection" }, { "id": "T1056", "name": "Input Capture", "display_name": "T1056 - Input Capture" }, { "id": "T1082", "name": "System Information Discovery", "display_name": "T1082 - System Information Discovery" }, { "id": "T1119", "name": "Automated Collection", "display_name": "T1119 - Automated Collection" }, { "id": "T1129", "name": "Shared Modules", "display_name": "T1129 - Shared Modules" }, { "id": "T1143", "name": "Hidden Window", "display_name": "T1143 - Hidden Window" }, { "id": "T1057", "name": "Process Discovery", "display_name": "T1057 - Process Discovery" }, { "id": "T1069", "name": "Permission Groups Discovery", "display_name": "T1069 - Permission Groups Discovery" }, { "id": "T1071", "name": "Application Layer Protocol", "display_name": "T1071 - Application Layer Protocol" }, { "id": "T1083", "name": "File and Directory Discovery", "display_name": "T1083 - File and Directory Discovery" }, { "id": "T1105", "name": "Ingress Tool Transfer", "display_name": "T1105 - Ingress Tool Transfer" }, { "id": "T1480", "name": "Execution Guardrails", "display_name": "T1480 - Execution Guardrails" }, { "id": "T1568", "name": "Dynamic Resolution", "display_name": "T1568 - Dynamic Resolution" }, { "id": "T1583", "name": "Acquire Infrastructure", "display_name": "T1583 - Acquire Infrastructure" }, { "id": "T1590", "name": "Gather Victim Network Information", "display_name": "T1590 - Gather Victim Network Information" }, { "id": "T1113", "name": "Screen Capture", "display_name": "T1113 - Screen Capture" }, { "id": "T1140", "name": "Deobfuscate/Decode Files or Information", "display_name": "T1140 - Deobfuscate/Decode Files or Information" }, { "id": "T1583.001", "name": "Domains", "display_name": "T1583.001 - Domains" }, { "id": "T1553.002", "name": "Code Signing", "display_name": "T1553.002 - Code Signing" }, { "id": "T1069.002", "name": "Domain Groups", "display_name": "T1069.002 - Domain Groups" }, { "id": "T1568.002", "name": "Domain Generation Algorithms", "display_name": "T1568.002 - Domain Generation Algorithms" }, { "id": "T1071.001", "name": "Web Protocols", "display_name": "T1071.001 - Web Protocols" }, { "id": "T1071.004", "name": "DNS", "display_name": "T1071.004 - DNS" }, { "id": "T1003", "name": "OS Credential Dumping", "display_name": "T1003 - OS Credential Dumping" }, { "id": "T1007", "name": "System Service Discovery", "display_name": "T1007 - System Service Discovery" }, { "id": "T1010", "name": "Application Window Discovery", "display_name": "T1010 - Application Window Discovery" }, { "id": "T1012", "name": "Query Registry", "display_name": "T1012 - Query Registry" }, { "id": "T1059", "name": "Command and Scripting Interpreter", "display_name": "T1059 - Command and Scripting Interpreter" }, { "id": "T1068", "name": "Exploitation for Privilege Escalation", "display_name": "T1068 - Exploitation for Privilege Escalation" }, { "id": "T1106", "name": "Native API", "display_name": "T1106 - Native API" }, { "id": "T1497", "name": "Virtualization/Sandbox Evasion", "display_name": "T1497 - Virtualization/Sandbox Evasion" }, { "id": "T1546", "name": "Event Triggered Execution", "display_name": "T1546 - Event Triggered Execution" }, { "id": "T1562", "name": "Impair Defenses", "display_name": "T1562 - Impair Defenses" }, { "id": "T1614", "name": "System Location Discovery", "display_name": "T1614 - System Location Discovery" }, { "id": "T1122", "name": "Component Object Model Hijacking", "display_name": "T1122 - Component Object Model Hijacking" }, { "id": "T1415", "name": "URL Scheme Hijacking", "display_name": "T1415 - URL Scheme Hijacking" }, { "id": "T1416", "name": "URI Hijacking", "display_name": "T1416 - URI Hijacking" }, { "id": "T1059.007", "name": "JavaScript", "display_name": "T1059.007 - JavaScript" }, { "id": "T1584.005", "name": "Botnet", "display_name": "T1584.005 - Botnet" }, { "id": "T1189", "name": "Drive-by Compromise", "display_name": "T1189 - Drive-by Compromise" }, { "id": "T1204", "name": "User Execution", "display_name": "T1204 - User Execution" }, { "id": "T1562.001", "name": "Disable or Modify Tools", "display_name": "T1562.001 - Disable or Modify Tools" }, { "id": "T1116", "name": "Code Signing", "display_name": "T1116 - Code Signing" }, { "id": "T1546.015", "name": "Component Object Model Hijacking", "display_name": "T1546.015 - Component Object Model Hijacking" }, { "id": "T1566", "name": "Phishing", "display_name": "T1566 - Phishing" }, { "id": "T1014", "name": "Rootkit", "display_name": "T1014 - Rootkit" } ], "industries": [], "TLP": "green", "cloned_from": null, "export_count": 3, "upvotes_count": 0, "downvotes_count": 0, "votes_count": 0, "locked": false, "pulse_source": "web", "validator_count": 0, "comment_count": 0, "follower_count": 0, "vote": 0, "author": { "username": "Q.Vashti", "id": "337942", "avatar_url": "https://otx.alienvault.com/assets/images/default-avatar.png", "is_subscribed": false, "is_following": false }, "indicator_type_counts": { "FileHash-MD5": 341, "FileHash-SHA1": 343, "FileHash-SHA256": 1332, "domain": 1062, "hostname": 1967, "URL": 5699, "email": 10, "SSLCertFingerprint": 21, "CVE": 1 }, "indicator_count": 10776, "is_author": false, "is_subscribing": null, "subscriber_count": 142, "modified_text": "124 days ago ", "is_modified": true, "groups": [], "in_group": false, "threat_hunter_scannable": true, "threat_hunter_has_agents": 1, "related_indicator_type": "URL", "related_indicator_is_active": 1 }, { "id": "692e2d950ac7d1e2a3454a4f", "name": "Gooogle Accounts | Drive-by Compromise \u2022 Ransomware \u2022 Phishing Attack", "description": "Google accounts Drive-by Compromise. Affected Google accounts redirects to a suspicious non - Google homepage. |\nRansomware | Adware | Phishing | Injection | \nExploits seen affecting both OS and iOS devices. Threat actors able to remotely access iOS device, unlock, access iCloud. System root control, fully infected devices, Attackers continue to ravage devices w/ drive by compromise, unsafe adware, malware text, etc., Seeks to remove malicious IoC\u2019s on mock accounts , password stealers", "modified": "2025-12-31T23:04:59.378000", "created": "2025-12-02T00:06:45.807000", "tags": [ "iocs", "drop", "network traffic", "ck id", "mitre att", "ck matrix", "network related", "detected", "t1566", "t1204", "united", "click", "windir", "openurl c", "prefetch2", "tor analysis", "dns requests", "learn", "suspicious", "informative", "name tactics", "adversaries", "command", "initial access", "spawns", "found", "binary file", "t1189", "regsetvalueexa", "regdword", "post http", "medium", "high", "regbinary", "loader", "dock", "write", "malware", "unknown", "romania unknown", "present may", "msie", "chrome", "body", "passive dns", "ip address", "present jun", "welcome", "accept", "encrypt", "gmt content", "ipv4 add", "url analysis", "urls", "files", "reverse dns", "unknown aaaa", "certificate", "hostname add", "error", "flag", "domain address", "contacted hosts", "type", "india unknown", "record value", "body html", "head title", "title", "entries", "read c", "high defense", "evasion", "yara detections", "virtool", "win32", "ahmann", "hacker group", "law firm", "order", "google", "smart assembly" ], "references": [], "public": 1, "adversary": "", "targeted_countries": [], "malware_families": [ { "id": "VirTool:MSIL/Injector.BF", "display_name": "VirTool:MSIL/Injector.BF", "target": "/malware/VirTool:MSIL/Injector.BF" }, { "id": "Other Malware", "display_name": "Other Malware", "target": null }, { "id": "Ransomware", "display_name": "Ransomware", "target": null } ], "attack_ids": [ { "id": "T1204", "name": "User Execution", "display_name": "T1204 - User Execution" }, { "id": "T1566", "name": "Phishing", "display_name": "T1566 - Phishing" }, { "id": "T1027", "name": "Obfuscated Files or Information", "display_name": "T1027 - Obfuscated Files or Information" }, { "id": "T1057", "name": "Process Discovery", "display_name": "T1057 - Process Discovery" }, { "id": "T1069", "name": "Permission Groups Discovery", "display_name": "T1069 - Permission Groups Discovery" }, { "id": "T1071", "name": "Application Layer Protocol", "display_name": "T1071 - Application Layer Protocol" }, { "id": "T1105", "name": "Ingress Tool Transfer", "display_name": "T1105 - Ingress Tool Transfer" }, { "id": "T1189", "name": "Drive-by Compromise", "display_name": "T1189 - Drive-by Compromise" }, { "id": "T1480", "name": "Execution Guardrails", "display_name": "T1480 - Execution Guardrails" }, { "id": "T1553", "name": "Subvert Trust Controls", "display_name": "T1553 - Subvert Trust Controls" }, { "id": "T1568", "name": "Dynamic Resolution", "display_name": "T1568 - Dynamic Resolution" }, { "id": "T1583", "name": "Acquire Infrastructure", "display_name": "T1583 - Acquire Infrastructure" }, { "id": "T1040", "name": "Network Sniffing", "display_name": "T1040 - Network Sniffing" }, { "id": "T1053", "name": "Scheduled Task/Job", "display_name": "T1053 - Scheduled Task/Job" }, { "id": "T1060", "name": "Registry Run Keys / Startup Folder", "display_name": "T1060 - Registry Run Keys / Startup Folder" }, { "id": "T1070", "name": "Indicator Removal on Host", "display_name": "T1070 - Indicator Removal on Host" }, { "id": "T1082", "name": "System Information Discovery", "display_name": "T1082 - System Information Discovery" }, { "id": "T1129", "name": "Shared Modules", "display_name": "T1129 - Shared Modules" }, { "id": "T1143", "name": "Hidden Window", "display_name": "T1143 - Hidden Window" }, { "id": "T1055", "name": "Process Injection", "display_name": "T1055 - Process Injection" }, { "id": "T1031", "name": "Modify Existing Service", "display_name": "T1031 - Modify Existing Service" }, { "id": "T1087", "name": "Account Discovery", "display_name": "T1087 - Account Discovery" }, { "id": "T1087.003", "name": "Email Account", "display_name": "T1087.003 - Email Account" }, { "id": "T1147", "name": "Hidden Users", "display_name": "T1147 - Hidden Users" }, { "id": "T1110.002", "name": "Password Cracking", "display_name": "T1110.002 - Password Cracking" }, { "id": "T1459", "name": "Device Unlock Code Guessing or Brute Force", "display_name": "T1459 - Device Unlock Code Guessing or Brute Force" } ], "industries": [], "TLP": "green", "cloned_from": null, "export_count": 6, "upvotes_count": 0, "downvotes_count": 0, "votes_count": 0, "locked": false, "pulse_source": "web", "validator_count": 0, "comment_count": 0, "follower_count": 0, "vote": 0, "author": { "username": "Q.Vashti", "id": "337942", "avatar_url": "https://otx.alienvault.com/assets/images/default-avatar.png", "is_subscribed": false, "is_following": false }, "indicator_type_counts": { "FileHash-MD5": 115, "FileHash-SHA1": 112, "FileHash-SHA256": 589, "URL": 1795, "SSLCertFingerprint": 3, "domain": 319, "hostname": 847, "email": 1 }, "indicator_count": 3781, "is_author": false, "is_subscribing": null, "subscriber_count": 144, "modified_text": "152 days ago ", "is_modified": true, "groups": [], "in_group": false, "threat_hunter_scannable": true, "threat_hunter_has_agents": 1, "related_indicator_type": "URL", "related_indicator_is_active": 1 }, { "id": "6916dc43beba2f3839fd7c36", "name": "Ransomware | FIREEYE.COM redirects to www.TRELLIX.com", "description": "FireEye appears to have been a Cybersecurity that now redirects to www.trellix.com. Seen before in a malicious MO.gov w/names of 2 \u2018alleged\u2019 female SA victims. I researched was without realizing it was a CySec.We have researched Trellix , found it to be malicious ; reported false information / documentation. FEDNS1.FIREEYE.COM URL is still found in several searches. So we researched it.\nRe: Safebae the other Mo. Gov SA URL found a\u2019. \u2018non profit\u2019 for Catherine \u2018Daisy\u2019 Coleman that isn\u2019t in any way related to her. It makes me believe it\u2019s could be related to Bae systems a collaboration with Peter Thiel's company Palantir, which provides data analytics software to governments and militaries. Significance: This partnership showcases the convergence of American tech innovation and traditional defense contracting, involving companies like Palantir and BAE Systems. \n\n#foundry #josht _ca #hostile #advesarial #contacted_hosts #safebae_or_bae_systems? #honeypotbot # fireeye #trellix", "modified": "2025-12-14T05:04:31.480000", "created": "2025-11-14T07:37:39.794000", "tags": [ "gmt content", "related tags", "found title", "cache control", "x request", "runtime", "vary", "reverse dns", "ashburn", "resource", "verdict", "address", "read c", "unicode", "high", "memcommit", "delete", "dock", "write", "execution", "next associated", "server response", "port", "destination", "crlf line", "malware", "png image", "rgba", "united states", "medium", "encrypt", "america", "msie", "unknown", "present jan", "name servers", "present oct", "present may", "present mar", "present dec", "present nov", "united", "present apr", "present jun", "urls show", "url hostname", "ip address", "google safe", "results jun", "canada unknown", "passive dns", "canada", "meta name", "robots content", "x ua", "ieedge chrome1", "twitter", "chrome", "urls", "files", "asn as13335", "dns resolutions", "trojan", "trojanspy", "win32", "title", "servers", "unknown ns", "domain", "present aug", "present sep", "files domain", "files related", "none google", "safe browsing", "unknown aaaa", "moved", "cloudfront x", "meta", "ip whois", "registrar", "hostname", "files ip", "ipv4 add", "location united", "america flag", "america asn", "present jul", "virtool", "record value", "dnssec", "meta http", "content", "gmt server", "litespeed x", "present feb", "write c", "as62597 nsone", "as16509", "module load", "t1129", "service", "dynamicloader", "windows", "tofsee", "stream", "hostile", "win64", "delete c", "all ipv4", "url analysis", "status", "error", "aaaa", "ireland unknown", "asn as14618", "backdoor", "a domains", "russia", "mtb nov", "ransom", "displayname", "push", "yara rule", "loaderid", "lidfileupd", "localcfg", "rndhex", "rndchar", "checks", "checks system", "filehash", "av detections", "ids detections", "yara detections", "learn", "command", "adversaries", "ck id", "name tactics", "suspicious", "informative", "spawns", "found", "ssl certificate", "flag", "server", "cloudflare", "csc corporate", "domains", "fireeye", "contacted hosts", "mitre att", "pattern match", "ck matrix", "hybrid", "local", "path", "click", "strings", "foundry", "josht.ca", "paid parking", "parking crews" ], "references": [ "Fireye - FEDNS1.FIREEYE.COM", "http://3marketeers.org/sstcp/ss_ct/ct/Foundry-US-Palo-Alto-Networks-Q423-The-Complete-Cloud-Security-LP.html?_v_c=MzI5MDQ0OQ==sosODczNzY1sosNTM1NTU5Mjc=&ide=YXZhLmNoYXdsYUBhbGdvc2VjLmNvbQ==&lbu=eQ==", "http://allitlive.com/sstcp/ss_ct/ct/Foundry-Q124-DE-eBook-The-data-store-for-AI-Landing-page.html?_v_c=MzM3OTU1OA==sosNjQ0MA==sosNjI5NDA4MDQ=&ide=cmFkb3NsYXcubWFqY3pha0BseW9uZGVsbGJhc2VsbC5jb20=&lbu=eQ==", "https://tecwebnow.com/sstcp/ss_ct/ct/Foundry-Q124-DE-eBook-The-data-store-for-AI-Landing-page.html?_v_c=MzM3OTU1Nw==sosNjQ0MA==sosNjI5NDA4MDQ=&ide=cmFkb3NsYXcubWFqY3pha0BseW9uZGVsbGJhc2VsbC5jb20=&lbu=eQ==", "https://visionayr-live.com/sstcp/ss_at/at/Foundry-Q423-The-Quantified-Benefits-of-Fortinet-Security-Operations-Solutions-lp.html?_v_c=MzE3MDM0Mg==sosMzczODcwsosNDkzNDA4ODI=&lb_email=carine.malessard@idorsia.com&campaign_id=254013&program_id=36356", "http://p2d.josht.ca/assets/content-delivery/depots/download", "test.josht.ca \u2022 josht.ca \u2022 dev.josht.ca \u2022 p2d.josht.ca pma.josht.ca \u2022 sa.josht.ca \u2022 staging.josht.ca \u2022 http://dev.josht.ca/", "http://josht.ca/portfolio \u2022 http://josht.ca/portfolio/ \u2022 http://p2d.josht.ca/ \u2022 http://pma.josht.ca/ \u2022 http://sa.josht.ca", "http://p2d.josht.ca/assets/content-delivery/depots/download/ \u2022 http://staging.josht.\u2022 https://dev.josht.ca/", "https://p2d.josht.ca/assets/content-delivery/depots/download/ \u2022 https://test.josht.ca/ \u2022", "https://josht.ca/portfolio/style.css \u2022https://sa.josht.ca \u2022 https://staging.josht.ca/", "https://josht.ca/favicon.ico \u2022 https://josht.ca/portfolio/ \u2022 https://josht.ca/portfolio/background.jpg", "https://p2d.josht.ca/api/depots/info/?depot=", "https://p2d.josht.ca/assets/content \u2022 http://joshwilsonmusic.umg-wp.com/", "Audrie & Daisy documentary unknown to any Sexual Assault advocacies across USA. We really researched.", "According to newspaper accounts and Daisy Coleman committed suicide in Lakewood , Co in 2021", "Next her mom commits suicide, brother died in a one car accident, Fatver died in an accident. Entire family dead?", "Daisy was allegedly brutally assaulted by Matthew Barnett,", "Matthew grandfather , a powerful local politician & former republican Missouri state representative, Rex Barnett.", "Is that where they\u2019re getting these names? Rexxfield.com. SMH", "There is evidence that Miss Coleman lived and died in Colorado after reporting being stalked.", "According to accounts she was afraid for her life , found to be safe then took her own life?", "Typing a suicide note on social media is suspicious since it could come from your murderer.", "So both Tsara Brashears & Daisy Coleman have identical stories? No one would help her?", "Since I don\u2019t know Daisy and have zero records except from accounts by someone in a botnet\u2026.", "and our limited information, is Daisy a victim or a crisis actor?", "Dad drives off road. Daisy raped, bullied, brother driven off road if you ask me", "Daisy dies in the same night she doesn\u2019t want to, Mom decided to join her? No. Murder or HoneyPot tales.", "Mo.Gov associated https://otx.alienvault.com/pulse/6916d97edb28b2616ffac3ab (cloned from OctoSeek)", "Sometimes pulses are attacked by a delete service. Sometimes people asked to have IoC\u2019s removed.", "FireEye was there in 2 year old pulse now removed? I\u2019ll find it." ], "public": 1, "adversary": "", "targeted_countries": [], "malware_families": [], "attack_ids": [ { "id": "T1053", "name": "Scheduled Task/Job", "display_name": "T1053 - Scheduled Task/Job" }, { "id": "T1055", "name": "Process Injection", "display_name": "T1055 - Process Injection" }, { "id": "T1082", "name": "System Information Discovery", "display_name": "T1082 - System Information Discovery" }, { "id": "T1119", "name": "Automated Collection", "display_name": "T1119 - Automated Collection" }, { "id": "T1129", "name": "Shared Modules", "display_name": "T1129 - Shared Modules" }, { "id": "T1143", "name": "Hidden Window", "display_name": "T1143 - Hidden Window" }, { "id": "T1031", "name": "Modify Existing Service", "display_name": "T1031 - Modify Existing Service" }, { "id": "T1057", "name": "Process Discovery", "display_name": "T1057 - Process Discovery" }, { "id": "T1060", "name": "Registry Run Keys / Startup Folder", "display_name": "T1060 - Registry Run Keys / Startup Folder" }, { "id": "T1027", "name": "Obfuscated Files or Information", "display_name": "T1027 - Obfuscated Files or Information" }, { "id": "T1069", "name": "Permission Groups Discovery", "display_name": "T1069 - Permission Groups Discovery" }, { "id": "T1071", "name": "Application Layer Protocol", "display_name": "T1071 - Application Layer Protocol" }, { "id": "T1105", "name": "Ingress Tool Transfer", "display_name": "T1105 - Ingress Tool Transfer" }, { "id": "T1480", "name": "Execution Guardrails", "display_name": "T1480 - Execution Guardrails" }, { "id": "T1553", "name": "Subvert Trust Controls", "display_name": "T1553 - Subvert Trust Controls" }, { "id": "T1568", "name": "Dynamic Resolution", "display_name": "T1568 - Dynamic Resolution" }, { "id": "T1583", "name": "Acquire Infrastructure", "display_name": "T1583 - Acquire Infrastructure" }, { "id": "T1113", "name": "Screen Capture", "display_name": "T1113 - Screen Capture" } ], "industries": [], "TLP": "green", "cloned_from": null, "export_count": 6, "upvotes_count": 0, "downvotes_count": 0, "votes_count": 0, "locked": false, "pulse_source": "web", "validator_count": 0, "comment_count": 0, "follower_count": 0, "vote": 0, "author": { "username": "Q.Vashti", "id": "337942", "avatar_url": "https://otx.alienvault.com/assets/images/default-avatar.png", "is_subscribed": false, "is_following": false }, "indicator_type_counts": { "URL": 7617, "domain": 1127, "hostname": 3591, "email": 9, "FileHash-SHA256": 1160, "FileHash-MD5": 481, "FileHash-SHA1": 404, "SSLCertFingerprint": 13, "CVE": 1 }, "indicator_count": 14403, "is_author": false, "is_subscribing": null, "subscriber_count": 141, "modified_text": "170 days ago ", "is_modified": true, "groups": [], "in_group": false, "threat_hunter_scannable": true, "threat_hunter_has_agents": 1, "related_indicator_type": "URL", "related_indicator_is_active": 1 }, { "id": "6893eee9bf1b30e08d1a6d8e", "name": "Ransom:Win32/CVE - Denver \u2022 Community Lifestyle Neighborhood", "description": "*Ransom:Win32/CVE - * Win.Dropper.Stone-9856966-0,\nDenver \u2022 Community Lifestyle Neighborhood. \nCorporate & Leasing Office corrupted with spyware. There is a single verified monitored target. All technology devices corrupted, at least 2 phones monitored, YouTube is courtesy of hackers. Several in person and phone investigations, staff change and they know nothing about leasing apartments, townhomes , etiquette, poor communication. Target also investigated. It appears to be harassment, intimidation and monitoring for unspecified reasons. The parking lot is stacked with obvious people sitting in their vehicles for hours. It\u2019s unclear if the staffing change is legitimate or part of an investigation.", "modified": "2025-09-05T23:02:52.811000", "created": "2025-08-07T00:10:17.696000", "tags": [ "address google", "safe browsing", "united", "typeof", "passive dns", "body doctype", "nreum", "date", "gmt server", "apache x", "cnection", "content type", "span", "ok transfer", "encoding", "x powered", "unknown soa", "unknown ns", "showing", "entries", "next associated", "urls show", "body", "encrypt", "search", "ip address", "creation date", "record value", "present jul", "present may", "present apr", "certificate", "present aug", "present feb", "present dec", "present nov", "error", "learn", "ck id", "name tactics", "suspicious", "informative", "command", "adversaries", "spawns", "found", "development att", "sha1", "copy md5", "copy sha1", "copy sha256", "mitre att", "show technique", "ck matrix", "pattern match", "ascii text", "august", "hybrid", "general", "local", "path", "click", "strings", "itre att", "accept", "sha256", "size", "type data", "utf8 text", "document file", "flag", "server", "european union", "name server", "tor analysis", "dns requests", "domain address", "ii llc", "windir", "openurl c", "prefetch2", "show process", "ogoogle trust", "network traffic", "organization", "elton avundano", "object", "title object", "header http2", "returnurl", "texas", "rsa ov", "ssl ca", "status", "australia", "netherlands", "urls", "gmt path", "hostname add", "pulse submit", "present oct", "e safe", "results jul", "response ip", "present jan", "name servers", "verdict", "domain", "files ip", "address domain", "xhr start", "xhr load", "aaaa", "read c", "show", "port", "destination", "high", "delete", "outbound m3", "copy", "write", "persistence", "execution", "malware", "generic", "unknown", "present mar", "dynamicloader", "wine emulator", "dynamic", "medium", "read", "associated urls", "date checked", "url hostname", "server response", "google safe", "dnssec", "domain name", "solutions", "llc status", "next passive", "dns status", "hostname query", "files show", "date hash", "avast avg", "overview ip", "address", "related nids", "files location", "flag united", "hostname", "files domain", "win32", "mtb feb", "trojan", "susp", "trojandropper", "msr feb", "trojanspy", "virtool", "win64", "defense evasion", "t1480 execution", "file defense", "null", "refresh", "tools", "look", "verify", "restart", "file discovery", "utf8", "crlf line", "a domains", "script urls", "link", "unknown aaaa", "meta", "atom", "results jan", "present", "present sep", "akamai", "asn as16625", "less whois", "registrar", "http", "france flag", "france hostname", "files related", "url analysis", "files", "location france", "detailed error", "sec ch", "ch ua", "ua full", "ua platform", "moved", "name", "perfect privacy", "error jul", "next related", "domains show", "domain related", "url add", "pulse pulses", "hosting", "reverse dns", "france asn", "as16276", "dns resolutions", "datacenter", "regopenkeyexa", "regsetvalueexa", "windows nt", "regdword", "hostile", "service", "delphi", "next", "pulses none", "related tags", "ua bitness", "ua arch", "version sec", "mobile sec", "model sec", "review", "data upload", "extraction", "khtml", "gecko", "olet", "cnlet", "tlsv1", "hacktool", "push", "ms windows", "intel", "pe32", "users", "precreate read", "ransom", "code", "installer", "june", "media", "autorun", "next yara", "detections name", "aspackv2xxx", "eu alexey", "alerts", "pe file", "filehash", "sha256 add", "av detections", "ids detections", "yara detections", "analysis date", "april", "packing t1045", "t1045", "t1060", "registry run", "keys", "user execution", "icmp traffic" ], "references": [], "public": 1, "adversary": "", "targeted_countries": [], "malware_families": [], "attack_ids": [ { "id": "T1027", "name": "Obfuscated Files or Information", "display_name": "T1027 - Obfuscated Files or Information" }, { "id": "T1057", "name": "Process Discovery", "display_name": "T1057 - Process Discovery" }, { "id": "T1071", "name": "Application Layer Protocol", "display_name": "T1071 - Application Layer Protocol" }, { "id": "T1105", "name": "Ingress Tool Transfer", "display_name": "T1105 - Ingress Tool Transfer" }, { "id": "T1480", "name": "Execution Guardrails", "display_name": "T1480 - Execution Guardrails" }, { "id": "T1553", "name": "Subvert Trust Controls", "display_name": "T1553 - Subvert Trust Controls" }, { "id": "T1568", "name": "Dynamic Resolution", "display_name": "T1568 - Dynamic Resolution" }, { "id": "T1583", "name": "Acquire Infrastructure", "display_name": "T1583 - Acquire Infrastructure" }, { "id": "T1083", "name": "File and Directory Discovery", "display_name": "T1083 - File and Directory Discovery" }, { "id": "T1204", "name": "User Execution", "display_name": "T1204 - User Execution" }, { "id": "T1045", "name": "Software Packing", "display_name": "T1045 - Software Packing" }, { "id": "T1112", "name": "Modify Registry", "display_name": "T1112 - Modify Registry" }, { "id": "T1119", "name": "Automated Collection", "display_name": "T1119 - Automated Collection" }, { "id": "T1012", "name": "Query Registry", "display_name": "T1012 - Query Registry" }, { "id": "T1031", "name": "Modify Existing Service", "display_name": "T1031 - Modify Existing Service" }, { "id": "T1040", "name": "Network Sniffing", "display_name": "T1040 - Network Sniffing" }, { "id": "T1053", "name": "Scheduled Task/Job", "display_name": "T1053 - Scheduled Task/Job" }, { "id": "T1055", "name": "Process Injection", "display_name": "T1055 - Process Injection" }, { "id": "T1129", "name": "Shared Modules", "display_name": "T1129 - Shared Modules" }, { "id": "T1023", "name": "Shortcut Modification", "display_name": "T1023 - Shortcut Modification" }, { "id": "T1060", "name": "Registry Run Keys / Startup Folder", "display_name": "T1060 - Registry Run Keys / Startup Folder" }, { "id": "T1082", "name": "System Information Discovery", "display_name": "T1082 - System Information Discovery" }, { "id": "T1091", "name": "Replication Through Removable Media", "display_name": "T1091 - Replication Through Removable Media" } ], "industries": [], "TLP": "green", "cloned_from": null, "export_count": 11, "upvotes_count": 0, "downvotes_count": 0, "votes_count": 0, "locked": false, "pulse_source": "web", "validator_count": 0, "comment_count": 0, "follower_count": 0, "vote": 0, "author": { "username": "Q.Vashti", "id": "337942", "avatar_url": "https://otx.alienvault.com/assets/images/default-avatar.png", "is_subscribed": false, "is_following": false }, "indicator_type_counts": { "domain": 1132, "URL": 6245, "hostname": 2264, "FileHash-SHA256": 1857, "FileHash-SHA1": 491, "email": 9, "FileHash-MD5": 573, "SSLCertFingerprint": 16 }, "indicator_count": 12587, "is_author": false, "is_subscribing": null, "subscriber_count": 146, "modified_text": "269 days ago ", "is_modified": true, "groups": [], "in_group": false, "threat_hunter_scannable": true, "threat_hunter_has_agents": 1, "related_indicator_type": "URL", "related_indicator_is_active": 1 }, { "id": "6836497513b6637e7e6f39d2", "name": "Exploited Host", "description": "", "modified": "2025-06-26T22:03:25.914000", "created": "2025-05-27T23:23:33.814000", "tags": [ "cname", "aaaa", "record type", "ttl value", "ascii text", "sha1", "copy md5", "copy sha1", "copy sha256", "size", "sha256", "united", "pattern match", "mitre att", "date", "path", "encrypt", "starfield", "hybrid", "general", "local", "click", "strings", "4624", "records", "amazon02", "us ie", "dns ns", "dns a", "dns mx", "command decode", "ck id", "show technique", "ck matrix", "filehashsha1", "filehashsha256", "filehashmd5", "search", "type indicator", "role title", "added active", "related pulses", "showing", "entries", "pulses", "url https", "ipv4", "ccus asnas33070", "role", "value a", "sec ch", "ch ua", "ua full", "ua platform", "ua bitness", "ua arch", "version sec", "mobile sec", "model sec", "version list" ], "references": [], "public": 1, "adversary": "", "targeted_countries": [], "malware_families": [], "attack_ids": [ { "id": "T1057", "name": "Process Discovery", "display_name": "T1057 - Process Discovery" }, { "id": "T1071", "name": "Application Layer Protocol", "display_name": "T1071 - Application Layer Protocol" }, { "id": "T1105", "name": "Ingress Tool Transfer", "display_name": "T1105 - Ingress Tool Transfer" }, { "id": "T1480", "name": "Execution Guardrails", "display_name": "T1480 - Execution Guardrails" }, { "id": "T1553", "name": "Subvert Trust Controls", "display_name": "T1553 - Subvert Trust Controls" }, { "id": "T1562", "name": "Impair Defenses", "display_name": "T1562 - Impair Defenses" }, { "id": "T1568", "name": "Dynamic Resolution", "display_name": "T1568 - Dynamic Resolution" }, { "id": "T1583", "name": "Acquire Infrastructure", "display_name": "T1583 - Acquire Infrastructure" }, { "id": "T1590", "name": "Gather Victim Network Information", "display_name": "T1590 - Gather Victim Network Information" }, { "id": "T1113", "name": "Screen Capture", "display_name": "T1113 - Screen Capture" }, { "id": "T1140", "name": "Deobfuscate/Decode Files or Information", "display_name": "T1140 - Deobfuscate/Decode Files or Information" } ], "industries": [], "TLP": "green", "cloned_from": null, "export_count": 13, "upvotes_count": 0, "downvotes_count": 0, "votes_count": 0, "locked": false, "pulse_source": "web", "validator_count": 0, "comment_count": 0, "follower_count": 0, "vote": 0, "author": { "username": "Q.Vashti", "id": "337942", "avatar_url": "https://otx.alienvault.com/assets/images/default-avatar.png", "is_subscribed": false, "is_following": false }, "indicator_type_counts": { "URL": 70, "FileHash-MD5": 225, "FileHash-SHA1": 232, "FileHash-SHA256": 1004, "domain": 138, "hostname": 74, "SSLCertFingerprint": 19, "email": 1 }, "indicator_count": 1763, "is_author": false, "is_subscribing": null, "subscriber_count": 143, "modified_text": "340 days ago ", "is_modified": true, "groups": [], "in_group": false, "threat_hunter_scannable": true, "threat_hunter_has_agents": 1, "related_indicator_type": "URL", "related_indicator_is_active": 1 } ], "references": [ "According to accounts she was afraid for her life , found to be safe then took her own life?", "spycloud.com \u2022 content.spycloud.com \u2022 email.spycloud.com\t hostname\tengage.spycloud.com \u2022 hello.spycloud.com \u2022portal.spycloud.com \u2022 https://email.spycloud", "https://p2d.josht.ca/assets/content \u2022 http://joshwilsonmusic.umg-wp.com/", "https://josht.ca/portfolio/style.css \u2022https://sa.josht.ca \u2022 https://staging.josht.ca/", "https://p2d.josht.ca/assets/content-delivery/depots/download/ \u2022 https://test.josht.ca/ \u2022", "and our limited information, is Daisy a victim or a crisis actor?", "https://www.red-gate.com/products/smartassembly", "Daisy was allegedly brutally assaulted by Matthew Barnett,", "Daisy dies in the same night she doesn\u2019t want to, Mom decided to join her? No. Murder or HoneyPot tales.", "http://josht.ca/portfolio \u2022 http://josht.ca/portfolio/ \u2022 http://p2d.josht.ca/ \u2022 http://pma.josht.ca/ \u2022 http://sa.josht.ca", "Next her mom commits suicide, brother died in a one car accident, Fatver died in an accident. Entire family dead?", "There is evidence that Miss Coleman lived and died in Colorado after reporting being stalked.", "Fireye - FEDNS1.FIREEYE.COM", "So both Tsara Brashears & Daisy Coleman have identical stories? No one would help her?", "Dad drives off road. Daisy raped, bullied, brother driven off road if you ask me", "https://www.coloradosos.gov/biz/BusinessEntityDetail.do?quitButtonDestination=BusinessEntityResults&nameTyp=ENT&masterFileId=20221473927&entityId2=20221473927&fileId=20251525819&srchTyp=ENTITY", "https://blog.endgames.com/ \u2022 wg41xm05b3.endgamesystems.com", "test.josht.ca \u2022 josht.ca \u2022 dev.josht.ca \u2022 p2d.josht.ca pma.josht.ca \u2022 sa.josht.ca \u2022 staging.josht.ca \u2022 http://dev.josht.ca/", "Is that where they\u2019re getting these names? Rexxfield.com. SMH", "http://3marketeers.org/sstcp/ss_ct/ct/Foundry-US-Palo-Alto-Networks-Q423-The-Complete-Cloud-Security-LP.html?_v_c=MzI5MDQ0OQ==sosODczNzY1sosNTM1NTU5Mjc=&ide=YXZhLmNoYXdsYUBhbGdvc2VjLmNvbQ==&lbu=eQ==", "dasima-containers.palantirfoundry.com \u2022 blitzrobots.com", "http://p2d.josht.ca/assets/content-delivery/depots/download/ \u2022 http://staging.josht.\u2022 https://dev.josht.ca/", "Typing a suicide note on social media is suspicious since it could come from your murderer.", "https://visionayr-live.com/sstcp/ss_at/at/Foundry-Q423-The-Quantified-Benefits-of-Fortinet-Security-Operations-Solutions-lp.html?_v_c=MzE3MDM0Mg==sosMzczODcwsosNDkzNDA4ODI=&lb_email=carine.malessard@idorsia.com&campaign_id=254013&program_id=36356", "https://email.spycloud.com/NzEzLVdJUC03MzcAAAGe67eM-W3qxAlVkEvZwfw1dWuwRdm0zVU5aMyOzUe2IkxAY3hDe8RfT27HnjgkvTk-uqIy6K0=", "https://p2d.josht.ca/api/depots/info/?depot=", "Matthew grandfather , a powerful local politician & former republican Missouri state representative, Rex Barnett.", "https://tecwebnow.com/sstcp/ss_ct/ct/Foundry-Q124-DE-eBook-The-data-store-for-AI-Landing-page.html?_v_c=MzM3OTU1Nw==sosNjQ0MA==sosNjI5NDA4MDQ=&ide=cmFkb3NsYXcubWFqY3pha0BseW9uZGVsbGJhc2VsbC5jb20=&lbu=eQ==", "www.onyx-ware.com \u2022 http://pages.endgames.com/ \u2022 http://www.endgamesystems.com/", "Audrie & Daisy documentary unknown to any Sexual Assault advocacies across USA. We really researched.", "Mo.Gov associated https://otx.alienvault.com/pulse/6916d97edb28b2616ffac3ab (cloned from OctoSeek)", "https://josht.ca/favicon.ico \u2022 https://josht.ca/portfolio/ \u2022 https://josht.ca/portfolio/background.jpg", "Sometimes pulses are attacked by a delete service. Sometimes people asked to have IoC\u2019s removed.", "http://p2d.josht.ca/assets/content-delivery/depots/download", "Typosquating: developers.cloudfiare.com \u2022 cloudfiare.com", "Since I don\u2019t know Daisy and have zero records except from accounts by someone in a botnet\u2026.", "http://allitlive.com/sstcp/ss_ct/ct/Foundry-Q124-DE-eBook-The-data-store-for-AI-Landing-page.html?_v_c=MzM3OTU1OA==sosNjQ0MA==sosNjI5NDA4MDQ=&ide=cmFkb3NsYXcubWFqY3pha0BseW9uZGVsbGJhc2VsbC5jb20=&lbu=eQ==", "FireEye was there in 2 year old pulse now removed? I\u2019ll find it.", "https://hybrid-analysis.com/sample/9a1e0d38b691f1d22a92cff65ec0439b428170ac39a4493c7ecb06d5585f56a3/68a4adea30f7fafee90aefd3", "According to newspaper accounts and Daisy Coleman committed suicide in Lakewood , Co in 2021", "Malicious: http://developers.cloudfiare.com/support/troubleshooting/http-status-", "https://spycloud.com/solutions/\t\u2022 104.18.26.108 ELF:Mirai-GH\\ [Trj] \u2022 Unix.Dropper.Mirai-7135870-0" ], "related": { "alienvault": { "adversary": [], "malware_families": [], "industries": [], "unique_indicators": 0 }, "other": { "adversary": [], "malware_families": [ "Other malware", "Virtool:msil/injector.bf", "Elf:mirai-gh\\ [trj]", "Unix.dropper.mirai-7135870-0", "Ransomware" ], "industries": [], "unique_indicators": 41725 } } }, "false_positive": [], "alexa": "http://www.alexa.com/siteinfo/cloudfiare.com", "whois": "http://whois.domaintools.com/cloudfiare.com", "domain": "cloudfiare.com", "hostname": "developers.cloudfiare.com" }, "geo": {}, "geo_ipapicom": {}, "pulse_count": 6, "pulses": [ { "id": "69aa41b0d714318bf8937184", "name": "Credit Q.Vashti, Title [.Net Obfuscater] clone", "description": "", "modified": "2026-04-25T07:06:03.966000", "created": "2026-03-06T02:53:36.216000", "tags": [ "no expiration", "domain", "name", "control flow", "dlls", "method parent", "declarative", "ms build", "core", "msie", "windows nt", "wow64", "slcc2", "media center", "read c", "dock", "write", "execution", "capture", "endgame", "united", "moved", "ip address", "record value", "gate software", "newnham house", "expiration date", "urls", "url add", "http", "related nids", "files location", "flag united", "present aug", "present sep", "present nov", "present oct", "name servers", "emails", "present dec", "meta", "passive dns", "next associated", "ipv4", "url analysis", "files", "cookie", "subscribe", "unsubscribe", "s paris", "englewood", "state", "skip", "espaol", "summary", "filing history", "ireland", "title", "united states", "certificate", "colorado", "ipv4 add", "america flag", "showing", "pulse submit", "size", "pattern match", "mitre att", "ck id", "path", "hybrid", "general", "local", "iframe", "click", "strings", "cece", "mult", "learn", "name tactics", "suspicious", "informative", "command", "adversaries", "spawns", "t1590 gather", "victim network", "flag", "windir", "openurl c", "prefetch2", "analysis", "tor analysis", "dns requests", "domain address", "contacted hosts", "sha1", "sha256", "njmk", "kwruymy", "mime", "submitted", "process details", "calls", "apis", "reads", "defense evasion", "model", "getprocaddress", "show technique", "ck matrix", "access type", "value", "api call", "open", "august", "format", "typeof symbol", "typeof s", "typeof c", "function", "symbol", "comenabled", "image path", "ndex", "ndroleextdll", "f0f0f0", "ff4b55", "stop", "span", "show process", "binary file", "file", "network traffic", "encrypt", "date", "found", "ssl certificate", "creation date", "hostname add", "pulse pulses", "files ip", "address domain", "data upload", "extraction", "ge6 mira", "failed", "ascii text", "development att", "hostname", "files domain", "files related", "pulses otx", "pulses", "unknown aaaa", "unknown ns", "united states", "urls show", "date checked", "url hostname", "server response", "google safe", "results may", "a domains", "search", "germany unknown", "win32", "lowfi", "chrome", "susp", "trojan", "backdoor", "twitter", "virtool", "worm", "exploit", "trojandropper", "win32upatre dec", "mtb dec", "reverse dns", "body", "location united", "asn as14618", "less whois", "files show", "date hash", "avast avg", "initial access", "javascript", "root", "enterprise", "form", "desktop", "command decode", "suricata ipv4", "spycloud", "robots", "bots", "chatbot", "bot network", "spy", "mixb", "a2fryx", "therahand", "typosquating" ], "references": [ "https://www.red-gate.com/products/smartassembly", "spycloud.com \u2022 content.spycloud.com \u2022 email.spycloud.com\t hostname\tengage.spycloud.com \u2022 hello.spycloud.com \u2022portal.spycloud.com \u2022 https://email.spycloud", "https://email.spycloud.com/NzEzLVdJUC03MzcAAAGe67eM-W3qxAlVkEvZwfw1dWuwRdm0zVU5aMyOzUe2IkxAY3hDe8RfT27HnjgkvTk-uqIy6K0=", "https://spycloud.com/solutions/\t\u2022 104.18.26.108 ELF:Mirai-GH\\ [Trj] \u2022 Unix.Dropper.Mirai-7135870-0", "dasima-containers.palantirfoundry.com \u2022 blitzrobots.com", "https://blog.endgames.com/ \u2022 wg41xm05b3.endgamesystems.com", "https://www.coloradosos.gov/biz/BusinessEntityDetail.do?quitButtonDestination=BusinessEntityResults&nameTyp=ENT&masterFileId=20221473927&entityId2=20221473927&fileId=20251525819&srchTyp=ENTITY", "www.onyx-ware.com \u2022 http://pages.endgames.com/ \u2022 http://www.endgamesystems.com/", "https://hybrid-analysis.com/sample/9a1e0d38b691f1d22a92cff65ec0439b428170ac39a4493c7ecb06d5585f56a3/68a4adea30f7fafee90aefd3", "Malicious: http://developers.cloudfiare.com/support/troubleshooting/http-status-", "Typosquating: developers.cloudfiare.com \u2022 cloudfiare.com" ], "public": 1, "adversary": "", "targeted_countries": [], "malware_families": [ { "id": "Unix.Dropper.Mirai-7135870-0", "display_name": "Unix.Dropper.Mirai-7135870-0", "target": null }, { "id": "ELF:Mirai-GH\\ [Trj]", "display_name": "ELF:Mirai-GH\\ [Trj]", "target": null } ], "attack_ids": [ { "id": "T1090", "name": "Proxy", "display_name": "T1090 - Proxy" }, { "id": "T1553", "name": "Subvert Trust Controls", "display_name": "T1553 - Subvert Trust Controls" }, { "id": "T1127", "name": "Trusted Developer Utilities Proxy Execution", "display_name": "T1127 - Trusted Developer Utilities Proxy Execution" }, { "id": "T1027", "name": "Obfuscated Files or Information", "display_name": "T1027 - Obfuscated Files or Information" }, { "id": "T1560", "name": "Archive Collected Data", "display_name": "T1560 - Archive Collected Data" }, { "id": "T1053", "name": "Scheduled Task/Job", "display_name": "T1053 - Scheduled Task/Job" }, { "id": "T1055", "name": "Process Injection", "display_name": "T1055 - Process Injection" }, { "id": "T1056", "name": "Input Capture", "display_name": "T1056 - Input Capture" }, { "id": "T1082", "name": "System Information Discovery", "display_name": "T1082 - System Information Discovery" }, { "id": "T1119", "name": "Automated Collection", "display_name": "T1119 - Automated Collection" }, { "id": "T1129", "name": "Shared Modules", "display_name": "T1129 - Shared Modules" }, { "id": "T1143", "name": "Hidden Window", "display_name": "T1143 - Hidden Window" }, { "id": "T1057", "name": "Process Discovery", "display_name": "T1057 - Process Discovery" }, { "id": "T1069", "name": "Permission Groups Discovery", "display_name": "T1069 - Permission Groups Discovery" }, { "id": "T1071", "name": "Application Layer Protocol", "display_name": "T1071 - Application Layer Protocol" }, { "id": "T1083", "name": "File and Directory Discovery", "display_name": "T1083 - File and Directory Discovery" }, { "id": "T1105", "name": "Ingress Tool Transfer", "display_name": "T1105 - Ingress Tool Transfer" }, { "id": "T1480", "name": "Execution Guardrails", "display_name": "T1480 - Execution Guardrails" }, { "id": "T1568", "name": "Dynamic Resolution", "display_name": "T1568 - Dynamic Resolution" }, { "id": "T1583", "name": "Acquire Infrastructure", "display_name": "T1583 - Acquire Infrastructure" }, { "id": "T1590", "name": "Gather Victim Network Information", "display_name": "T1590 - Gather Victim Network Information" }, { "id": "T1113", "name": "Screen Capture", "display_name": "T1113 - Screen Capture" }, { "id": "T1140", "name": "Deobfuscate/Decode Files or Information", "display_name": "T1140 - Deobfuscate/Decode Files or Information" }, { "id": "T1583.001", "name": "Domains", "display_name": "T1583.001 - Domains" }, { "id": "T1553.002", "name": "Code Signing", "display_name": "T1553.002 - Code Signing" }, { "id": "T1069.002", "name": "Domain Groups", "display_name": "T1069.002 - Domain Groups" }, { "id": "T1568.002", "name": "Domain Generation Algorithms", "display_name": "T1568.002 - Domain Generation Algorithms" }, { "id": "T1071.001", "name": "Web Protocols", "display_name": "T1071.001 - Web Protocols" }, { "id": "T1071.004", "name": "DNS", "display_name": "T1071.004 - DNS" }, { "id": "T1003", "name": "OS Credential Dumping", "display_name": "T1003 - OS Credential Dumping" }, { "id": "T1007", "name": "System Service Discovery", "display_name": "T1007 - System Service Discovery" }, { "id": "T1010", "name": "Application Window Discovery", "display_name": "T1010 - Application Window Discovery" }, { "id": "T1012", "name": "Query Registry", "display_name": "T1012 - Query Registry" }, { "id": "T1059", "name": "Command and Scripting Interpreter", "display_name": "T1059 - Command and Scripting Interpreter" }, { "id": "T1068", "name": "Exploitation for Privilege Escalation", "display_name": "T1068 - Exploitation for Privilege Escalation" }, { "id": "T1106", "name": "Native API", "display_name": "T1106 - Native API" }, { "id": "T1497", "name": "Virtualization/Sandbox Evasion", "display_name": "T1497 - Virtualization/Sandbox Evasion" }, { "id": "T1546", "name": "Event Triggered Execution", "display_name": "T1546 - Event Triggered Execution" }, { "id": "T1562", "name": "Impair Defenses", "display_name": "T1562 - Impair Defenses" }, { "id": "T1614", "name": "System Location Discovery", "display_name": "T1614 - System Location Discovery" }, { "id": "T1122", "name": "Component Object Model Hijacking", "display_name": "T1122 - Component Object Model Hijacking" }, { "id": "T1415", "name": "URL Scheme Hijacking", "display_name": "T1415 - URL Scheme Hijacking" }, { "id": "T1416", "name": "URI Hijacking", "display_name": "T1416 - URI Hijacking" }, { "id": "T1059.007", "name": "JavaScript", "display_name": "T1059.007 - JavaScript" }, { "id": "T1584.005", "name": "Botnet", "display_name": "T1584.005 - Botnet" }, { "id": "T1189", "name": "Drive-by Compromise", "display_name": "T1189 - Drive-by Compromise" }, { "id": "T1204", "name": "User Execution", "display_name": "T1204 - User Execution" }, { "id": "T1562.001", "name": "Disable or Modify Tools", "display_name": "T1562.001 - Disable or Modify Tools" }, { "id": "T1116", "name": "Code Signing", "display_name": "T1116 - Code Signing" }, { "id": "T1546.015", "name": "Component Object Model Hijacking", "display_name": "T1546.015 - Component Object Model Hijacking" }, { "id": "T1566", "name": "Phishing", "display_name": "T1566 - Phishing" }, { "id": "T1014", "name": "Rootkit", "display_name": "T1014 - Rootkit" } ], "industries": [], "TLP": "green", "cloned_from": "6952d4fc6910b0b866746d8a", "export_count": 0, "upvotes_count": 0, "downvotes_count": 0, "votes_count": 0, "locked": false, "pulse_source": "web", "validator_count": 0, "comment_count": 0, "follower_count": 0, "vote": 0, "author": { "username": "msudosos", "id": "381696", "avatar_url": "https://otx.alienvault.com/assets/images/default-avatar.png", "is_subscribed": false, "is_following": false }, "indicator_type_counts": { "FileHash-MD5": 341, "FileHash-SHA1": 343, "FileHash-SHA256": 1332, "domain": 1062, "hostname": 1969, "URL": 5700, "email": 10, "SSLCertFingerprint": 21, "CVE": 1 }, "indicator_count": 10779, "is_author": false, "is_subscribing": null, "subscriber_count": 68, "modified_text": "38 days ago ", "is_modified": true, "groups": [], "in_group": false, "threat_hunter_scannable": true, "threat_hunter_has_agents": 1, "related_indicator_type": "URL", "related_indicator_is_active": 1 }, { "id": "6952d4fc6910b0b866746d8a", "name": ".NET Obfuscator, Error Reporting, DLL Merging | SmartAssembly | Spycloud", "description": "*Mirai | Currently being used maliciously. Mirai botnet work in place. Obfuscation, call redirection, evasion , chatbots, spyware , cal retrieval , typosquating , and other tactics used against victim. Red hats being unethical is expected.. This team is attacking in this instance. Screen Capture 24/7. Malicious media +++ from Englewood, Co. \n\nWhen used ethically SmartAssembly protects your code and Intellectual Property with powerful obfuscation features, and provides error reports when your application crashes in the wild, as well as a range of other tools for database management and data management.\n#palantir #foundry #denver #englewood #colorado #spycloud #mirai #botnet", "modified": "2026-01-28T18:03:54.589000", "created": "2025-12-29T19:22:36.103000", "tags": [ "no expiration", "domain", "name", "control flow", "dlls", "method parent", "declarative", "ms build", "core", "msie", "windows nt", "wow64", "slcc2", "media center", "read c", "dock", "write", "execution", "capture", "endgame", "united", "moved", "ip address", "record value", "gate software", "newnham house", "expiration date", "urls", "url add", "http", "related nids", "files location", "flag united", "present aug", "present sep", "present nov", "present oct", "name servers", "emails", "present dec", "meta", "passive dns", "next associated", "ipv4", "url analysis", "files", "cookie", "subscribe", "unsubscribe", "s paris", "englewood", "state", "skip", "espaol", "summary", "filing history", "ireland", "title", "united states", "certificate", "colorado", "ipv4 add", "america flag", "showing", "pulse submit", "size", "pattern match", "mitre att", "ck id", "path", "hybrid", "general", "local", "iframe", "click", "strings", "cece", "mult", "learn", "name tactics", "suspicious", "informative", "command", "adversaries", "spawns", "t1590 gather", "victim network", "flag", "windir", "openurl c", "prefetch2", "analysis", "tor analysis", "dns requests", "domain address", "contacted hosts", "sha1", "sha256", "njmk", "kwruymy", "mime", "submitted", "process details", "calls", "apis", "reads", "defense evasion", "model", "getprocaddress", "show technique", "ck matrix", "access type", "value", "api call", "open", "august", "format", "typeof symbol", "typeof s", "typeof c", "function", "symbol", "comenabled", "image path", "ndex", "ndroleextdll", "f0f0f0", "ff4b55", "stop", "span", "show process", "binary file", "file", "network traffic", "encrypt", "date", "found", "ssl certificate", "creation date", "hostname add", "pulse pulses", "files ip", "address domain", "data upload", "extraction", "ge6 mira", "failed", "ascii text", "development att", "hostname", "files domain", "files related", "pulses otx", "pulses", "unknown aaaa", "unknown ns", "united states", "urls show", "date checked", "url hostname", "server response", "google safe", "results may", "a domains", "search", "germany unknown", "win32", "lowfi", "chrome", "susp", "trojan", "backdoor", "twitter", "virtool", "worm", "exploit", "trojandropper", "win32upatre dec", "mtb dec", "reverse dns", "body", "location united", "asn as14618", "less whois", "files show", "date hash", "avast avg", "initial access", "javascript", "root", "enterprise", "form", "desktop", "command decode", "suricata ipv4", "spycloud", "robots", "bots", "chatbot", "bot network", "spy", "mixb", "a2fryx", "therahand", "typosquating" ], "references": [ "https://www.red-gate.com/products/smartassembly", "spycloud.com \u2022 content.spycloud.com \u2022 email.spycloud.com\t hostname\tengage.spycloud.com \u2022 hello.spycloud.com \u2022portal.spycloud.com \u2022 https://email.spycloud", "https://email.spycloud.com/NzEzLVdJUC03MzcAAAGe67eM-W3qxAlVkEvZwfw1dWuwRdm0zVU5aMyOzUe2IkxAY3hDe8RfT27HnjgkvTk-uqIy6K0=", "https://spycloud.com/solutions/\t\u2022 104.18.26.108 ELF:Mirai-GH\\ [Trj] \u2022 Unix.Dropper.Mirai-7135870-0", "dasima-containers.palantirfoundry.com \u2022 blitzrobots.com", "https://blog.endgames.com/ \u2022 wg41xm05b3.endgamesystems.com", "https://www.coloradosos.gov/biz/BusinessEntityDetail.do?quitButtonDestination=BusinessEntityResults&nameTyp=ENT&masterFileId=20221473927&entityId2=20221473927&fileId=20251525819&srchTyp=ENTITY", "www.onyx-ware.com \u2022 http://pages.endgames.com/ \u2022 http://www.endgamesystems.com/", "https://hybrid-analysis.com/sample/9a1e0d38b691f1d22a92cff65ec0439b428170ac39a4493c7ecb06d5585f56a3/68a4adea30f7fafee90aefd3", "Malicious: http://developers.cloudfiare.com/support/troubleshooting/http-status-", "Typosquating: developers.cloudfiare.com \u2022 cloudfiare.com" ], "public": 1, "adversary": "", "targeted_countries": [], "malware_families": [ { "id": "Unix.Dropper.Mirai-7135870-0", "display_name": "Unix.Dropper.Mirai-7135870-0", "target": null }, { "id": "ELF:Mirai-GH\\ [Trj]", "display_name": "ELF:Mirai-GH\\ [Trj]", "target": null } ], "attack_ids": [ { "id": "T1090", "name": "Proxy", "display_name": "T1090 - Proxy" }, { "id": "T1553", "name": "Subvert Trust Controls", "display_name": "T1553 - Subvert Trust Controls" }, { "id": "T1127", "name": "Trusted Developer Utilities Proxy Execution", "display_name": "T1127 - Trusted Developer Utilities Proxy Execution" }, { "id": "T1027", "name": "Obfuscated Files or Information", "display_name": "T1027 - Obfuscated Files or Information" }, { "id": "T1560", "name": "Archive Collected Data", "display_name": "T1560 - Archive Collected Data" }, { "id": "T1053", "name": "Scheduled Task/Job", "display_name": "T1053 - Scheduled Task/Job" }, { "id": "T1055", "name": "Process Injection", "display_name": "T1055 - Process Injection" }, { "id": "T1056", "name": "Input Capture", "display_name": "T1056 - Input Capture" }, { "id": "T1082", "name": "System Information Discovery", "display_name": "T1082 - System Information Discovery" }, { "id": "T1119", "name": "Automated Collection", "display_name": "T1119 - Automated Collection" }, { "id": "T1129", "name": "Shared Modules", "display_name": "T1129 - Shared Modules" }, { "id": "T1143", "name": "Hidden Window", "display_name": "T1143 - Hidden Window" }, { "id": "T1057", "name": "Process Discovery", "display_name": "T1057 - Process Discovery" }, { "id": "T1069", "name": "Permission Groups Discovery", "display_name": "T1069 - Permission Groups Discovery" }, { "id": "T1071", "name": "Application Layer Protocol", "display_name": "T1071 - Application Layer Protocol" }, { "id": "T1083", "name": "File and Directory Discovery", "display_name": "T1083 - File and Directory Discovery" }, { "id": "T1105", "name": "Ingress Tool Transfer", "display_name": "T1105 - Ingress Tool Transfer" }, { "id": "T1480", "name": "Execution Guardrails", "display_name": "T1480 - Execution Guardrails" }, { "id": "T1568", "name": "Dynamic Resolution", "display_name": "T1568 - Dynamic Resolution" }, { "id": "T1583", "name": "Acquire Infrastructure", "display_name": "T1583 - Acquire Infrastructure" }, { "id": "T1590", "name": "Gather Victim Network Information", "display_name": "T1590 - Gather Victim Network Information" }, { "id": "T1113", "name": "Screen Capture", "display_name": "T1113 - Screen Capture" }, { "id": "T1140", "name": "Deobfuscate/Decode Files or Information", "display_name": "T1140 - Deobfuscate/Decode Files or Information" }, { "id": "T1583.001", "name": "Domains", "display_name": "T1583.001 - Domains" }, { "id": "T1553.002", "name": "Code Signing", "display_name": "T1553.002 - Code Signing" }, { "id": "T1069.002", "name": "Domain Groups", "display_name": "T1069.002 - Domain Groups" }, { "id": "T1568.002", "name": "Domain Generation Algorithms", "display_name": "T1568.002 - Domain Generation Algorithms" }, { "id": "T1071.001", "name": "Web Protocols", "display_name": "T1071.001 - Web Protocols" }, { "id": "T1071.004", "name": "DNS", "display_name": "T1071.004 - DNS" }, { "id": "T1003", "name": "OS Credential Dumping", "display_name": "T1003 - OS Credential Dumping" }, { "id": "T1007", "name": "System Service Discovery", "display_name": "T1007 - System Service Discovery" }, { "id": "T1010", "name": "Application Window Discovery", "display_name": "T1010 - Application Window Discovery" }, { "id": "T1012", "name": "Query Registry", "display_name": "T1012 - Query Registry" }, { "id": "T1059", "name": "Command and Scripting Interpreter", "display_name": "T1059 - Command and Scripting Interpreter" }, { "id": "T1068", "name": "Exploitation for Privilege Escalation", "display_name": "T1068 - Exploitation for Privilege Escalation" }, { "id": "T1106", "name": "Native API", "display_name": "T1106 - Native API" }, { "id": "T1497", "name": "Virtualization/Sandbox Evasion", "display_name": "T1497 - Virtualization/Sandbox Evasion" }, { "id": "T1546", "name": "Event Triggered Execution", "display_name": "T1546 - Event Triggered Execution" }, { "id": "T1562", "name": "Impair Defenses", "display_name": "T1562 - Impair Defenses" }, { "id": "T1614", "name": "System Location Discovery", "display_name": "T1614 - System Location Discovery" }, { "id": "T1122", "name": "Component Object Model Hijacking", "display_name": "T1122 - Component Object Model Hijacking" }, { "id": "T1415", "name": "URL Scheme Hijacking", "display_name": "T1415 - URL Scheme Hijacking" }, { "id": "T1416", "name": "URI Hijacking", "display_name": "T1416 - URI Hijacking" }, { "id": "T1059.007", "name": "JavaScript", "display_name": "T1059.007 - JavaScript" }, { "id": "T1584.005", "name": "Botnet", "display_name": "T1584.005 - Botnet" }, { "id": "T1189", "name": "Drive-by Compromise", "display_name": "T1189 - Drive-by Compromise" }, { "id": "T1204", "name": "User Execution", "display_name": "T1204 - User Execution" }, { "id": "T1562.001", "name": "Disable or Modify Tools", "display_name": "T1562.001 - Disable or Modify Tools" }, { "id": "T1116", "name": "Code Signing", "display_name": "T1116 - Code Signing" }, { "id": "T1546.015", "name": "Component Object Model Hijacking", "display_name": "T1546.015 - Component Object Model Hijacking" }, { "id": "T1566", "name": "Phishing", "display_name": "T1566 - Phishing" }, { "id": "T1014", "name": "Rootkit", "display_name": "T1014 - Rootkit" } ], "industries": [], "TLP": "green", "cloned_from": null, "export_count": 3, "upvotes_count": 0, "downvotes_count": 0, "votes_count": 0, "locked": false, "pulse_source": "web", "validator_count": 0, "comment_count": 0, "follower_count": 0, "vote": 0, "author": { "username": "Q.Vashti", "id": "337942", "avatar_url": "https://otx.alienvault.com/assets/images/default-avatar.png", "is_subscribed": false, "is_following": false }, "indicator_type_counts": { "FileHash-MD5": 341, "FileHash-SHA1": 343, "FileHash-SHA256": 1332, "domain": 1062, "hostname": 1967, "URL": 5699, "email": 10, "SSLCertFingerprint": 21, "CVE": 1 }, "indicator_count": 10776, "is_author": false, "is_subscribing": null, "subscriber_count": 142, "modified_text": "124 days ago ", "is_modified": true, "groups": [], "in_group": false, "threat_hunter_scannable": true, "threat_hunter_has_agents": 1, "related_indicator_type": "URL", "related_indicator_is_active": 1 }, { "id": "692e2d950ac7d1e2a3454a4f", "name": "Gooogle Accounts | Drive-by Compromise \u2022 Ransomware \u2022 Phishing Attack", "description": "Google accounts Drive-by Compromise. Affected Google accounts redirects to a suspicious non - Google homepage. |\nRansomware | Adware | Phishing | Injection | \nExploits seen affecting both OS and iOS devices. Threat actors able to remotely access iOS device, unlock, access iCloud. System root control, fully infected devices, Attackers continue to ravage devices w/ drive by compromise, unsafe adware, malware text, etc., Seeks to remove malicious IoC\u2019s on mock accounts , password stealers", "modified": "2025-12-31T23:04:59.378000", "created": "2025-12-02T00:06:45.807000", "tags": [ "iocs", "drop", "network traffic", "ck id", "mitre att", "ck matrix", "network related", "detected", "t1566", "t1204", "united", "click", "windir", "openurl c", "prefetch2", "tor analysis", "dns requests", "learn", "suspicious", "informative", "name tactics", "adversaries", "command", "initial access", "spawns", "found", "binary file", "t1189", "regsetvalueexa", "regdword", "post http", "medium", "high", "regbinary", "loader", "dock", "write", "malware", "unknown", "romania unknown", "present may", "msie", "chrome", "body", "passive dns", "ip address", "present jun", "welcome", "accept", "encrypt", "gmt content", "ipv4 add", "url analysis", "urls", "files", "reverse dns", "unknown aaaa", "certificate", "hostname add", "error", "flag", "domain address", "contacted hosts", "type", "india unknown", "record value", "body html", "head title", "title", "entries", "read c", "high defense", "evasion", "yara detections", "virtool", "win32", "ahmann", "hacker group", "law firm", "order", "google", "smart assembly" ], "references": [], "public": 1, "adversary": "", "targeted_countries": [], "malware_families": [ { "id": "VirTool:MSIL/Injector.BF", "display_name": "VirTool:MSIL/Injector.BF", "target": "/malware/VirTool:MSIL/Injector.BF" }, { "id": "Other Malware", "display_name": "Other Malware", "target": null }, { "id": "Ransomware", "display_name": "Ransomware", "target": null } ], "attack_ids": [ { "id": "T1204", "name": "User Execution", "display_name": "T1204 - User Execution" }, { "id": "T1566", "name": "Phishing", "display_name": "T1566 - Phishing" }, { "id": "T1027", "name": "Obfuscated Files or Information", "display_name": "T1027 - Obfuscated Files or Information" }, { "id": "T1057", "name": "Process Discovery", "display_name": "T1057 - Process Discovery" }, { "id": "T1069", "name": "Permission Groups Discovery", "display_name": "T1069 - Permission Groups Discovery" }, { "id": "T1071", "name": "Application Layer Protocol", "display_name": "T1071 - Application Layer Protocol" }, { "id": "T1105", "name": "Ingress Tool Transfer", "display_name": "T1105 - Ingress Tool Transfer" }, { "id": "T1189", "name": "Drive-by Compromise", "display_name": "T1189 - Drive-by Compromise" }, { "id": "T1480", "name": "Execution Guardrails", "display_name": "T1480 - Execution Guardrails" }, { "id": "T1553", "name": "Subvert Trust Controls", "display_name": "T1553 - Subvert Trust Controls" }, { "id": "T1568", "name": "Dynamic Resolution", "display_name": "T1568 - Dynamic Resolution" }, { "id": "T1583", "name": "Acquire Infrastructure", "display_name": "T1583 - Acquire Infrastructure" }, { "id": "T1040", "name": "Network Sniffing", "display_name": "T1040 - Network Sniffing" }, { "id": "T1053", "name": "Scheduled Task/Job", "display_name": "T1053 - Scheduled Task/Job" }, { "id": "T1060", "name": "Registry Run Keys / Startup Folder", "display_name": "T1060 - Registry Run Keys / Startup Folder" }, { "id": "T1070", "name": "Indicator Removal on Host", "display_name": "T1070 - Indicator Removal on Host" }, { "id": "T1082", "name": "System Information Discovery", "display_name": "T1082 - System Information Discovery" }, { "id": "T1129", "name": "Shared Modules", "display_name": "T1129 - Shared Modules" }, { "id": "T1143", "name": "Hidden Window", "display_name": "T1143 - Hidden Window" }, { "id": "T1055", "name": "Process Injection", "display_name": "T1055 - Process Injection" }, { "id": "T1031", "name": "Modify Existing Service", "display_name": "T1031 - Modify Existing Service" }, { "id": "T1087", "name": "Account Discovery", "display_name": "T1087 - Account Discovery" }, { "id": "T1087.003", "name": "Email Account", "display_name": "T1087.003 - Email Account" }, { "id": "T1147", "name": "Hidden Users", "display_name": "T1147 - Hidden Users" }, { "id": "T1110.002", "name": "Password Cracking", "display_name": "T1110.002 - Password Cracking" }, { "id": "T1459", "name": "Device Unlock Code Guessing or Brute Force", "display_name": "T1459 - Device Unlock Code Guessing or Brute Force" } ], "industries": [], "TLP": "green", "cloned_from": null, "export_count": 6, "upvotes_count": 0, "downvotes_count": 0, "votes_count": 0, "locked": false, "pulse_source": "web", "validator_count": 0, "comment_count": 0, "follower_count": 0, "vote": 0, "author": { "username": "Q.Vashti", "id": "337942", "avatar_url": "https://otx.alienvault.com/assets/images/default-avatar.png", "is_subscribed": false, "is_following": false }, "indicator_type_counts": { "FileHash-MD5": 115, "FileHash-SHA1": 112, "FileHash-SHA256": 589, "URL": 1795, "SSLCertFingerprint": 3, "domain": 319, "hostname": 847, "email": 1 }, "indicator_count": 3781, "is_author": false, "is_subscribing": null, "subscriber_count": 144, "modified_text": "152 days ago ", "is_modified": true, "groups": [], "in_group": false, "threat_hunter_scannable": true, "threat_hunter_has_agents": 1, "related_indicator_type": "URL", "related_indicator_is_active": 1 }, { "id": "6916dc43beba2f3839fd7c36", "name": "Ransomware | FIREEYE.COM redirects to www.TRELLIX.com", "description": "FireEye appears to have been a Cybersecurity that now redirects to www.trellix.com. Seen before in a malicious MO.gov w/names of 2 \u2018alleged\u2019 female SA victims. I researched was without realizing it was a CySec.We have researched Trellix , found it to be malicious ; reported false information / documentation. FEDNS1.FIREEYE.COM URL is still found in several searches. So we researched it.\nRe: Safebae the other Mo. Gov SA URL found a\u2019. \u2018non profit\u2019 for Catherine \u2018Daisy\u2019 Coleman that isn\u2019t in any way related to her. It makes me believe it\u2019s could be related to Bae systems a collaboration with Peter Thiel's company Palantir, which provides data analytics software to governments and militaries. Significance: This partnership showcases the convergence of American tech innovation and traditional defense contracting, involving companies like Palantir and BAE Systems. \n\n#foundry #josht _ca #hostile #advesarial #contacted_hosts #safebae_or_bae_systems? #honeypotbot # fireeye #trellix", "modified": "2025-12-14T05:04:31.480000", "created": "2025-11-14T07:37:39.794000", "tags": [ "gmt content", "related tags", "found title", "cache control", "x request", "runtime", "vary", "reverse dns", "ashburn", "resource", "verdict", "address", "read c", "unicode", "high", "memcommit", "delete", "dock", "write", "execution", "next associated", "server response", "port", "destination", "crlf line", "malware", "png image", "rgba", "united states", "medium", "encrypt", "america", "msie", "unknown", "present jan", "name servers", "present oct", "present may", "present mar", "present dec", "present nov", "united", "present apr", "present jun", "urls show", "url hostname", "ip address", "google safe", "results jun", "canada unknown", "passive dns", "canada", "meta name", "robots content", "x ua", "ieedge chrome1", "twitter", "chrome", "urls", "files", "asn as13335", "dns resolutions", "trojan", "trojanspy", "win32", "title", "servers", "unknown ns", "domain", "present aug", "present sep", "files domain", "files related", "none google", "safe browsing", "unknown aaaa", "moved", "cloudfront x", "meta", "ip whois", "registrar", "hostname", "files ip", "ipv4 add", "location united", "america flag", "america asn", "present jul", "virtool", "record value", "dnssec", "meta http", "content", "gmt server", "litespeed x", "present feb", "write c", "as62597 nsone", "as16509", "module load", "t1129", "service", "dynamicloader", "windows", "tofsee", "stream", "hostile", "win64", "delete c", "all ipv4", "url analysis", "status", "error", "aaaa", "ireland unknown", "asn as14618", "backdoor", "a domains", "russia", "mtb nov", "ransom", "displayname", "push", "yara rule", "loaderid", "lidfileupd", "localcfg", "rndhex", "rndchar", "checks", "checks system", "filehash", "av detections", "ids detections", "yara detections", "learn", "command", "adversaries", "ck id", "name tactics", "suspicious", "informative", "spawns", "found", "ssl certificate", "flag", "server", "cloudflare", "csc corporate", "domains", "fireeye", "contacted hosts", "mitre att", "pattern match", "ck matrix", "hybrid", "local", "path", "click", "strings", "foundry", "josht.ca", "paid parking", "parking crews" ], "references": [ "Fireye - FEDNS1.FIREEYE.COM", "http://3marketeers.org/sstcp/ss_ct/ct/Foundry-US-Palo-Alto-Networks-Q423-The-Complete-Cloud-Security-LP.html?_v_c=MzI5MDQ0OQ==sosODczNzY1sosNTM1NTU5Mjc=&ide=YXZhLmNoYXdsYUBhbGdvc2VjLmNvbQ==&lbu=eQ==", "http://allitlive.com/sstcp/ss_ct/ct/Foundry-Q124-DE-eBook-The-data-store-for-AI-Landing-page.html?_v_c=MzM3OTU1OA==sosNjQ0MA==sosNjI5NDA4MDQ=&ide=cmFkb3NsYXcubWFqY3pha0BseW9uZGVsbGJhc2VsbC5jb20=&lbu=eQ==", "https://tecwebnow.com/sstcp/ss_ct/ct/Foundry-Q124-DE-eBook-The-data-store-for-AI-Landing-page.html?_v_c=MzM3OTU1Nw==sosNjQ0MA==sosNjI5NDA4MDQ=&ide=cmFkb3NsYXcubWFqY3pha0BseW9uZGVsbGJhc2VsbC5jb20=&lbu=eQ==", "https://visionayr-live.com/sstcp/ss_at/at/Foundry-Q423-The-Quantified-Benefits-of-Fortinet-Security-Operations-Solutions-lp.html?_v_c=MzE3MDM0Mg==sosMzczODcwsosNDkzNDA4ODI=&lb_email=carine.malessard@idorsia.com&campaign_id=254013&program_id=36356", "http://p2d.josht.ca/assets/content-delivery/depots/download", "test.josht.ca \u2022 josht.ca \u2022 dev.josht.ca \u2022 p2d.josht.ca pma.josht.ca \u2022 sa.josht.ca \u2022 staging.josht.ca \u2022 http://dev.josht.ca/", "http://josht.ca/portfolio \u2022 http://josht.ca/portfolio/ \u2022 http://p2d.josht.ca/ \u2022 http://pma.josht.ca/ \u2022 http://sa.josht.ca", "http://p2d.josht.ca/assets/content-delivery/depots/download/ \u2022 http://staging.josht.\u2022 https://dev.josht.ca/", "https://p2d.josht.ca/assets/content-delivery/depots/download/ \u2022 https://test.josht.ca/ \u2022", "https://josht.ca/portfolio/style.css \u2022https://sa.josht.ca \u2022 https://staging.josht.ca/", "https://josht.ca/favicon.ico \u2022 https://josht.ca/portfolio/ \u2022 https://josht.ca/portfolio/background.jpg", "https://p2d.josht.ca/api/depots/info/?depot=", "https://p2d.josht.ca/assets/content \u2022 http://joshwilsonmusic.umg-wp.com/", "Audrie & Daisy documentary unknown to any Sexual Assault advocacies across USA. We really researched.", "According to newspaper accounts and Daisy Coleman committed suicide in Lakewood , Co in 2021", "Next her mom commits suicide, brother died in a one car accident, Fatver died in an accident. Entire family dead?", "Daisy was allegedly brutally assaulted by Matthew Barnett,", "Matthew grandfather , a powerful local politician & former republican Missouri state representative, Rex Barnett.", "Is that where they\u2019re getting these names? Rexxfield.com. SMH", "There is evidence that Miss Coleman lived and died in Colorado after reporting being stalked.", "According to accounts she was afraid for her life , found to be safe then took her own life?", "Typing a suicide note on social media is suspicious since it could come from your murderer.", "So both Tsara Brashears & Daisy Coleman have identical stories? No one would help her?", "Since I don\u2019t know Daisy and have zero records except from accounts by someone in a botnet\u2026.", "and our limited information, is Daisy a victim or a crisis actor?", "Dad drives off road. Daisy raped, bullied, brother driven off road if you ask me", "Daisy dies in the same night she doesn\u2019t want to, Mom decided to join her? No. Murder or HoneyPot tales.", "Mo.Gov associated https://otx.alienvault.com/pulse/6916d97edb28b2616ffac3ab (cloned from OctoSeek)", "Sometimes pulses are attacked by a delete service. Sometimes people asked to have IoC\u2019s removed.", "FireEye was there in 2 year old pulse now removed? I\u2019ll find it." ], "public": 1, "adversary": "", "targeted_countries": [], "malware_families": [], "attack_ids": [ { "id": "T1053", "name": "Scheduled Task/Job", "display_name": "T1053 - Scheduled Task/Job" }, { "id": "T1055", "name": "Process Injection", "display_name": "T1055 - Process Injection" }, { "id": "T1082", "name": "System Information Discovery", "display_name": "T1082 - System Information Discovery" }, { "id": "T1119", "name": "Automated Collection", "display_name": "T1119 - Automated Collection" }, { "id": "T1129", "name": "Shared Modules", "display_name": "T1129 - Shared Modules" }, { "id": "T1143", "name": "Hidden Window", "display_name": "T1143 - Hidden Window" }, { "id": "T1031", "name": "Modify Existing Service", "display_name": "T1031 - Modify Existing Service" }, { "id": "T1057", "name": "Process Discovery", "display_name": "T1057 - Process Discovery" }, { "id": "T1060", "name": "Registry Run Keys / Startup Folder", "display_name": "T1060 - Registry Run Keys / Startup Folder" }, { "id": "T1027", "name": "Obfuscated Files or Information", "display_name": "T1027 - Obfuscated Files or Information" }, { "id": "T1069", "name": "Permission Groups Discovery", "display_name": "T1069 - Permission Groups Discovery" }, { "id": "T1071", "name": "Application Layer Protocol", "display_name": "T1071 - Application Layer Protocol" }, { "id": "T1105", "name": "Ingress Tool Transfer", "display_name": "T1105 - Ingress Tool Transfer" }, { "id": "T1480", "name": "Execution Guardrails", "display_name": "T1480 - Execution Guardrails" }, { "id": "T1553", "name": "Subvert Trust Controls", "display_name": "T1553 - Subvert Trust Controls" }, { "id": "T1568", "name": "Dynamic Resolution", "display_name": "T1568 - Dynamic Resolution" }, { "id": "T1583", "name": "Acquire Infrastructure", "display_name": "T1583 - Acquire Infrastructure" }, { "id": "T1113", "name": "Screen Capture", "display_name": "T1113 - Screen Capture" } ], "industries": [], "TLP": "green", "cloned_from": null, "export_count": 6, "upvotes_count": 0, "downvotes_count": 0, "votes_count": 0, "locked": false, "pulse_source": "web", "validator_count": 0, "comment_count": 0, "follower_count": 0, "vote": 0, "author": { "username": "Q.Vashti", "id": "337942", "avatar_url": "https://otx.alienvault.com/assets/images/default-avatar.png", "is_subscribed": false, "is_following": false }, "indicator_type_counts": { "URL": 7617, "domain": 1127, "hostname": 3591, "email": 9, "FileHash-SHA256": 1160, "FileHash-MD5": 481, "FileHash-SHA1": 404, "SSLCertFingerprint": 13, "CVE": 1 }, "indicator_count": 14403, "is_author": false, "is_subscribing": null, "subscriber_count": 141, "modified_text": "170 days ago ", "is_modified": true, "groups": [], "in_group": false, "threat_hunter_scannable": true, "threat_hunter_has_agents": 1, "related_indicator_type": "URL", "related_indicator_is_active": 1 }, { "id": "6893eee9bf1b30e08d1a6d8e", "name": "Ransom:Win32/CVE - Denver \u2022 Community Lifestyle Neighborhood", "description": "*Ransom:Win32/CVE - * Win.Dropper.Stone-9856966-0,\nDenver \u2022 Community Lifestyle Neighborhood. \nCorporate & Leasing Office corrupted with spyware. There is a single verified monitored target. All technology devices corrupted, at least 2 phones monitored, YouTube is courtesy of hackers. Several in person and phone investigations, staff change and they know nothing about leasing apartments, townhomes , etiquette, poor communication. Target also investigated. It appears to be harassment, intimidation and monitoring for unspecified reasons. The parking lot is stacked with obvious people sitting in their vehicles for hours. It\u2019s unclear if the staffing change is legitimate or part of an investigation.", "modified": "2025-09-05T23:02:52.811000", "created": "2025-08-07T00:10:17.696000", "tags": [ "address google", "safe browsing", "united", "typeof", "passive dns", "body doctype", "nreum", "date", "gmt server", "apache x", "cnection", "content type", "span", "ok transfer", "encoding", "x powered", "unknown soa", "unknown ns", "showing", "entries", "next associated", "urls show", "body", "encrypt", "search", "ip address", "creation date", "record value", "present jul", "present may", "present apr", "certificate", "present aug", "present feb", "present dec", "present nov", "error", "learn", "ck id", "name tactics", "suspicious", "informative", "command", "adversaries", "spawns", "found", "development att", "sha1", "copy md5", "copy sha1", "copy sha256", "mitre att", "show technique", "ck matrix", "pattern match", "ascii text", "august", "hybrid", "general", "local", "path", "click", "strings", "itre att", "accept", "sha256", "size", "type data", "utf8 text", "document file", "flag", "server", "european union", "name server", "tor analysis", "dns requests", "domain address", "ii llc", "windir", "openurl c", "prefetch2", "show process", "ogoogle trust", "network traffic", "organization", "elton avundano", "object", "title object", "header http2", "returnurl", "texas", "rsa ov", "ssl ca", "status", "australia", "netherlands", "urls", "gmt path", "hostname add", "pulse submit", "present oct", "e safe", "results jul", "response ip", "present jan", "name servers", "verdict", "domain", "files ip", "address domain", "xhr start", "xhr load", "aaaa", "read c", "show", "port", "destination", "high", "delete", "outbound m3", "copy", "write", "persistence", "execution", "malware", "generic", "unknown", "present mar", "dynamicloader", "wine emulator", "dynamic", "medium", "read", "associated urls", "date checked", "url hostname", "server response", "google safe", "dnssec", "domain name", "solutions", "llc status", "next passive", "dns status", "hostname query", "files show", "date hash", "avast avg", "overview ip", "address", "related nids", "files location", "flag united", "hostname", "files domain", "win32", "mtb feb", "trojan", "susp", "trojandropper", "msr feb", "trojanspy", "virtool", "win64", "defense evasion", "t1480 execution", "file defense", "null", "refresh", "tools", "look", "verify", "restart", "file discovery", "utf8", "crlf line", "a domains", "script urls", "link", "unknown aaaa", "meta", "atom", "results jan", "present", "present sep", "akamai", "asn as16625", "less whois", "registrar", "http", "france flag", "france hostname", "files related", "url analysis", "files", "location france", "detailed error", "sec ch", "ch ua", "ua full", "ua platform", "moved", "name", "perfect privacy", "error jul", "next related", "domains show", "domain related", "url add", "pulse pulses", "hosting", "reverse dns", "france asn", "as16276", "dns resolutions", "datacenter", "regopenkeyexa", "regsetvalueexa", "windows nt", "regdword", "hostile", "service", "delphi", "next", "pulses none", "related tags", "ua bitness", "ua arch", "version sec", "mobile sec", "model sec", "review", "data upload", "extraction", "khtml", "gecko", "olet", "cnlet", "tlsv1", "hacktool", "push", "ms windows", "intel", "pe32", "users", "precreate read", "ransom", "code", "installer", "june", "media", "autorun", "next yara", "detections name", "aspackv2xxx", "eu alexey", "alerts", "pe file", "filehash", "sha256 add", "av detections", "ids detections", "yara detections", "analysis date", "april", "packing t1045", "t1045", "t1060", "registry run", "keys", "user execution", "icmp traffic" ], "references": [], "public": 1, "adversary": "", "targeted_countries": [], "malware_families": [], "attack_ids": [ { "id": "T1027", "name": "Obfuscated Files or Information", "display_name": "T1027 - Obfuscated Files or Information" }, { "id": "T1057", "name": "Process Discovery", "display_name": "T1057 - Process Discovery" }, { "id": "T1071", "name": "Application Layer Protocol", "display_name": "T1071 - Application Layer Protocol" }, { "id": "T1105", "name": "Ingress Tool Transfer", "display_name": "T1105 - Ingress Tool Transfer" }, { "id": "T1480", "name": "Execution Guardrails", "display_name": "T1480 - Execution Guardrails" }, { "id": "T1553", "name": "Subvert Trust Controls", "display_name": "T1553 - Subvert Trust Controls" }, { "id": "T1568", "name": "Dynamic Resolution", "display_name": "T1568 - Dynamic Resolution" }, { "id": "T1583", "name": "Acquire Infrastructure", "display_name": "T1583 - Acquire Infrastructure" }, { "id": "T1083", "name": "File and Directory Discovery", "display_name": "T1083 - File and Directory Discovery" }, { "id": "T1204", "name": "User Execution", "display_name": "T1204 - User Execution" }, { "id": "T1045", "name": "Software Packing", "display_name": "T1045 - Software Packing" }, { "id": "T1112", "name": "Modify Registry", "display_name": "T1112 - Modify Registry" }, { "id": "T1119", "name": "Automated Collection", "display_name": "T1119 - Automated Collection" }, { "id": "T1012", "name": "Query Registry", "display_name": "T1012 - Query Registry" }, { "id": "T1031", "name": "Modify Existing Service", "display_name": "T1031 - Modify Existing Service" }, { "id": "T1040", "name": "Network Sniffing", "display_name": "T1040 - Network Sniffing" }, { "id": "T1053", "name": "Scheduled Task/Job", "display_name": "T1053 - Scheduled Task/Job" }, { "id": "T1055", "name": "Process Injection", "display_name": "T1055 - Process Injection" }, { "id": "T1129", "name": "Shared Modules", "display_name": "T1129 - Shared Modules" }, { "id": "T1023", "name": "Shortcut Modification", "display_name": "T1023 - Shortcut Modification" }, { "id": "T1060", "name": "Registry Run Keys / Startup Folder", "display_name": "T1060 - Registry Run Keys / Startup Folder" }, { "id": "T1082", "name": "System Information Discovery", "display_name": "T1082 - System Information Discovery" }, { "id": "T1091", "name": "Replication Through Removable Media", "display_name": "T1091 - Replication Through Removable Media" } ], "industries": [], "TLP": "green", "cloned_from": null, "export_count": 11, "upvotes_count": 0, "downvotes_count": 0, "votes_count": 0, "locked": false, "pulse_source": "web", "validator_count": 0, "comment_count": 0, "follower_count": 0, "vote": 0, "author": { "username": "Q.Vashti", "id": "337942", "avatar_url": "https://otx.alienvault.com/assets/images/default-avatar.png", "is_subscribed": false, "is_following": false }, "indicator_type_counts": { "domain": 1132, "URL": 6245, "hostname": 2264, "FileHash-SHA256": 1857, "FileHash-SHA1": 491, "email": 9, "FileHash-MD5": 573, "SSLCertFingerprint": 16 }, "indicator_count": 12587, "is_author": false, "is_subscribing": null, "subscriber_count": 146, "modified_text": "269 days ago ", "is_modified": true, "groups": [], "in_group": false, "threat_hunter_scannable": true, "threat_hunter_has_agents": 1, "related_indicator_type": "URL", "related_indicator_is_active": 1 }, { "id": "6836497513b6637e7e6f39d2", "name": "Exploited Host", "description": "", "modified": "2025-06-26T22:03:25.914000", "created": "2025-05-27T23:23:33.814000", "tags": [ "cname", "aaaa", "record type", "ttl value", "ascii text", "sha1", "copy md5", "copy sha1", "copy sha256", "size", "sha256", "united", "pattern match", "mitre att", "date", "path", "encrypt", "starfield", "hybrid", "general", "local", "click", "strings", "4624", "records", "amazon02", "us ie", "dns ns", "dns a", "dns mx", "command decode", "ck id", "show technique", "ck matrix", "filehashsha1", "filehashsha256", "filehashmd5", "search", "type indicator", "role title", "added active", "related pulses", "showing", "entries", "pulses", "url https", "ipv4", "ccus asnas33070", "role", "value a", "sec ch", "ch ua", "ua full", "ua platform", "ua bitness", "ua arch", "version sec", "mobile sec", "model sec", "version list" ], "references": [], "public": 1, "adversary": "", "targeted_countries": [], "malware_families": [], "attack_ids": [ { "id": "T1057", "name": "Process Discovery", "display_name": "T1057 - Process Discovery" }, { "id": "T1071", "name": "Application Layer Protocol", "display_name": "T1071 - Application Layer Protocol" }, { "id": "T1105", "name": "Ingress Tool Transfer", "display_name": "T1105 - Ingress Tool Transfer" }, { "id": "T1480", "name": "Execution Guardrails", "display_name": "T1480 - Execution Guardrails" }, { "id": "T1553", "name": "Subvert Trust Controls", "display_name": "T1553 - Subvert Trust Controls" }, { "id": "T1562", "name": "Impair Defenses", "display_name": "T1562 - Impair Defenses" }, { "id": "T1568", "name": "Dynamic Resolution", "display_name": "T1568 - Dynamic Resolution" }, { "id": "T1583", "name": "Acquire Infrastructure", "display_name": "T1583 - Acquire Infrastructure" }, { "id": "T1590", "name": "Gather Victim Network Information", "display_name": "T1590 - Gather Victim Network Information" }, { "id": "T1113", "name": "Screen Capture", "display_name": "T1113 - Screen Capture" }, { "id": "T1140", "name": "Deobfuscate/Decode Files or Information", "display_name": "T1140 - Deobfuscate/Decode Files or Information" } ], "industries": [], "TLP": "green", "cloned_from": null, "export_count": 13, "upvotes_count": 0, "downvotes_count": 0, "votes_count": 0, "locked": false, "pulse_source": "web", "validator_count": 0, "comment_count": 0, "follower_count": 0, "vote": 0, "author": { "username": "Q.Vashti", "id": "337942", "avatar_url": "https://otx.alienvault.com/assets/images/default-avatar.png", "is_subscribed": false, "is_following": false }, "indicator_type_counts": { "URL": 70, "FileHash-MD5": 225, "FileHash-SHA1": 232, "FileHash-SHA256": 1004, "domain": 138, "hostname": 74, "SSLCertFingerprint": 19, "email": 1 }, "indicator_count": 1763, "is_author": false, "is_subscribing": null, "subscriber_count": 143, "modified_text": "340 days ago ", "is_modified": true, "groups": [], "in_group": false, "threat_hunter_scannable": true, "threat_hunter_has_agents": 1, "related_indicator_type": "URL", "related_indicator_is_active": 1 } ], "error": null, "vt": { "error": "VirusTotal rate limit reached. Try again shortly.", "indicator": "https://developers.cloudfiare.com/support/troubleshooting/http-status-", "type": "URL" }, "abuseipdb": null, "urlhaus": { "indicator": "https://developers.cloudfiare.com/support/troubleshooting/http-status-", "type": "URL", "found": false, "verdict": "clean", "error": null }, "from_cache": true, "_cached_at": 1780388807.6589985 }