{ "type": "URL", "indicator": "https://ds1.dirtsearch.org", "general": { "sections": [ "general", "url_list", "http_scans", "screenshot" ], "indicator": "https://ds1.dirtsearch.org", "type": "url", "type_title": "URL", "validation": [], "base_indicator": { "id": 3734037770, "indicator": "https://ds1.dirtsearch.org", "type": "URL", "title": "", "description": "", "content": "", "access_type": "public", "access_reason": "" }, "pulse_info": { "count": 20, "pulses": [ { "id": "6a040bf64fe2efef00132467", "name": "AWS.DEV | Ransom REevil | MaaS -Mirai , Makop , Sodinokibi | 6.13.25 Appears ti be ongoing ", "description": "", "modified": "2026-05-13T05:28:22.199000", "created": "2026-05-13T05:28:22.199000", "tags": [ "filehashmd5", "filehashsha1", "showing", "copyright", "levelblue", "packer entropy", "pe features", "pe unknown", "resource name", "allocates rwx", "network icmp", "antivm network", "exe nolookup", "proxy wpad", "dead host", "tools", "generic", "deletes self", "ransom", "evader", "active", "learn", "ck id", "name tactics", "suspicious", "informative", "installs", "adversaries", "windows", "modules", "registry", "persistence", "execution", "service", "united", "path", "flag", "date", "access type", "germany germany", "create", "http header", "tcp traffic", "et info", "entropy", "hybrid", "malicious", "general", "click", "strings", "inject", "remote", "encrypt files", "python", "global", "win32 exe", "pe32", "intel", "ms windows", "win32 dynamic", "link library", "win16 ne", "icons library", "os2 executable", "pe32 compiler", "overlay", "data", "pe32 executable", "borland delphi", "delphi generic", "md5 code", "empty hash", "file type", "success", "regopenkeyexw", "regopenkeyexa", "hkeycurrentuser", "virtualallocex", "createfilew", "genericread", "hkeyclassesroot", "genericwrite", "regsetvalueexw", "desktop", "webview", "mirai", "russsian data", "reevil", "money doc", "gmt flag", "server", "united kingdom", "france france", "ukraine ukraine", "llc name", "viet nam", "show", "cve", "bad traffic", "false", "error", "tags", "ipv4", "url https", "url http", "search", "type indicator", "role title", "added active", "related pulses", "entries", "monitor", "target", "members", "maas", "attack", "mitre att" ], "references": [ "RANSOM_REvil - https://www.nextron-systems.com/notes-on-virustotal-matches/", "YARA: Matches rule MAL_RANSOM_REvil_Oct20_1 from ruleset crime_ransom_revil by Florian Roth (Nextron Systems)", "YARA: Matches rule Windows_Ransomware_Sodinokibi_83f05fbe from ruleset Windows_Ransomware_Sodinokibi by Elastic Security", "YARA: Matches rule win_revil_auto from ruleset win.revil_auto by Felix Bilstein - yara-signator at cocacoding dot com", "https://otx.alienvault.com/malware/Ransom:Win32/Makop/", "https://www.hybrid-analysis.com/sample/cb33f3d60a715436ab49ab7968c5a31410d0cd6b9d141b41b2362c02b59e2913/5e68effaec3f2e3f0c5237b8", "https://www.hybrid-analysis.com/sample/cb33f3d60a715436ab49ab7968c5a31410d0cd6b9d141b41b2362c02b59e2913/5e68effaec3f2e3f0c5237b8", "Permissions requested: SE_DEBUG_PRIVILEGE SE_LOAD_DRIVER_PRIVILEGE", "Behaviour: Extract file to system directory" ], "public": 1, "adversary": "", "targeted_countries": [ "United States of America" ], "malware_families": [ { "id": "Ransom:Win32/Makop.PA!MTB", "display_name": "Ransom:Win32/Makop.PA!MTB", "target": "/malware/Ransom:Win32/Makop.PA!MTB" }, { "id": "Trojan/Win32.BlueCrab.R331768", "display_name": "Trojan/Win32.BlueCrab.R331768", "target": null }, { "id": "Trojan.Ransom.Sodinokibi", "display_name": "Trojan.Ransom.Sodinokibi", "target": null }, { "id": "Emotet", "display_name": "Emotet", "target": null }, { "id": "Virus.Neshta", "display_name": "Virus.Neshta", "target": null }, { "id": "Mirai", "display_name": "Mirai", "target": null }, { "id": "RANSOM_REvil", "display_name": "RANSOM_REvil", "target": null }, { "id": "Labeled as: Ransom.Sodinokibi.Generic", "display_name": "Labeled as: Ransom.Sodinokibi.Generic", "target": null } ], "attack_ids": [ { "id": "T1012", "name": "Query Registry", "display_name": "T1012 - Query Registry" }, { "id": "T1035", "name": "Service Execution", "display_name": "T1035 - Service Execution" }, { "id": "T1046", "name": "Network Service Scanning", "display_name": "T1046 - Network Service Scanning" }, { "id": "T1060", "name": "Registry Run Keys / Startup Folder", "display_name": "T1060 - Registry Run Keys / Startup Folder" }, { "id": "T1083", "name": "File and Directory Discovery", "display_name": "T1083 - File and Directory Discovery" }, { "id": "T1112", "name": "Modify Registry", "display_name": "T1112 - Modify Registry" }, { "id": "T1179", "name": "Hooking", "display_name": "T1179 - Hooking" }, { "id": "T1215", "name": "Kernel Modules and Extensions", "display_name": "T1215 - Kernel Modules and Extensions" }, { "id": "T1547", "name": "Boot or Logon Autostart Execution", "display_name": "T1547 - Boot or Logon Autostart Execution" }, { "id": "T1140", "name": "Deobfuscate/Decode Files or Information", "display_name": "T1140 - Deobfuscate/Decode Files or Information" }, { "id": "T1021", "name": "Remote Services", "display_name": "T1021 - Remote Services" }, { "id": "T1055", "name": "Process Injection", "display_name": "T1055 - Process Injection" }, { "id": "T1181", "name": "Extra Window Memory Injection", "display_name": "T1181 - Extra Window Memory Injection" }, { "id": "TA0003", "name": "Persistence", "display_name": "TA0003 - Persistence" }, { "id": "TA0005", "name": "Defense Evasion", "display_name": "TA0005 - Defense Evasion" }, { "id": "TA0004", "name": "Privilege Escalation", "display_name": "TA0004 - Privilege Escalation" }, { "id": "TA0002", "name": "Execution", "display_name": "TA0002 - Execution" }, { "id": "TA0010", "name": "Exfiltration", "display_name": "TA0010 - Exfiltration" }, { "id": "TA0008", "name": "Lateral Movement", "display_name": "TA0008 - Lateral Movement" }, { "id": "TA0009", "name": "Collection", "display_name": "TA0009 - Collection" } ], "industries": [], "TLP": "white", "cloned_from": "684cad9bc64e61ae0e6df4c1", "export_count": 0, "upvotes_count": 0, "downvotes_count": 0, "votes_count": 0, "locked": false, "pulse_source": "web", "validator_count": 0, "comment_count": 0, "follower_count": 0, "vote": 0, "author": { "username": "Q.Vashti", "id": "337942", "avatar_url": "https://otx.alienvault.com/assets/images/default-avatar.png", "is_subscribed": false, "is_following": false }, "indicator_type_counts": { "FileHash-MD5": 99, "FileHash-SHA1": 85, "FileHash-SHA256": 110, "URL": 83, "CVE": 1, "domain": 102, "hostname": 36 }, "indicator_count": 516, "is_author": false, "is_subscribing": null, "subscriber_count": 143, "modified_text": "18 days ago ", "is_modified": false, "groups": [], "in_group": false, "threat_hunter_scannable": true, "threat_hunter_has_agents": 1, "related_indicator_type": "URL", "related_indicator_is_active": 1 }, { "id": "6a040afa13cf077fedd59f36", "name": "Ransom REevil | AWS.DEV | MaaS -Mirai , Makop , Sodinokibi , FlyStudio + Campaign| Appears to be ongoing ", "description": "", "modified": "2026-05-13T05:24:10.262000", "created": "2026-05-13T05:24:10.262000", "tags": [ "filehashmd5", "filehashsha1", "showing", "copyright", "levelblue", "packer entropy", "pe features", "pe unknown", "resource name", "allocates rwx", "network icmp", "antivm network", "exe nolookup", "proxy wpad", "dead host", "tools", "generic", "deletes self", "ransom", "evader", "active", "learn", "ck id", "name tactics", "suspicious", "informative", "installs", "adversaries", "windows", "modules", "registry", "persistence", "execution", "service", "united", "path", "flag", "date", "access type", "germany germany", "create", "http header", "tcp traffic", "et info", "entropy", "hybrid", "malicious", "general", "click", "strings", "inject", "remote", "encrypt files", "python", "global", "win32 exe", "pe32", "intel", "ms windows", "win32 dynamic", "link library", "win16 ne", "icons library", "os2 executable", "pe32 compiler", "overlay", "data", "pe32 executable", "borland delphi", "delphi generic", "md5 code", "empty hash", "file type", "success", "regopenkeyexw", "regopenkeyexa", "hkeycurrentuser", "virtualallocex", "createfilew", "genericread", "hkeyclassesroot", "genericwrite", "regsetvalueexw", "desktop", "webview", "mirai", "russsian data", "reevil", "money doc", "gmt flag", "server", "united kingdom", "france france", "ukraine ukraine", "llc name", "viet nam", "show", "cve", "bad traffic", "false", "error", "tags", "ipv4", "url https", "url http", "search", "type indicator", "role title", "added active", "related pulses", "entries", "monitor", "target", "members", "maas", "attack", "mitre att" ], "references": [ "RANSOM_REvil - https://www.nextron-systems.com/notes-on-virustotal-matches/", "YARA: Matches rule MAL_RANSOM_REvil_Oct20_1 from ruleset crime_ransom_revil by Florian Roth (Nextron Systems)", "YARA: Matches rule Windows_Ransomware_Sodinokibi_83f05fbe from ruleset Windows_Ransomware_Sodinokibi by Elastic Security", "YARA: Matches rule win_revil_auto from ruleset win.revil_auto by Felix Bilstein - yara-signator at cocacoding dot com", "https://otx.alienvault.com/malware/Ransom:Win32/Makop/", "https://www.hybrid-analysis.com/sample/cb33f3d60a715436ab49ab7968c5a31410d0cd6b9d141b41b2362c02b59e2913/5e68effaec3f2e3f0c5237b8", "https://www.hybrid-analysis.com/sample/cb33f3d60a715436ab49ab7968c5a31410d0cd6b9d141b41b2362c02b59e2913/5e68effaec3f2e3f0c5237b8", "Permissions requested: SE_DEBUG_PRIVILEGE SE_LOAD_DRIVER_PRIVILEGE", "Behaviour: Extract file to system directory" ], "public": 1, "adversary": "", "targeted_countries": [ "United States of America" ], "malware_families": [ { "id": "Ransom:Win32/Makop.PA!MTB", "display_name": "Ransom:Win32/Makop.PA!MTB", "target": "/malware/Ransom:Win32/Makop.PA!MTB" }, { "id": "Trojan/Win32.BlueCrab.R331768", "display_name": "Trojan/Win32.BlueCrab.R331768", "target": null }, { "id": "Trojan.Ransom.Sodinokibi", "display_name": "Trojan.Ransom.Sodinokibi", "target": null }, { "id": "Emotet", "display_name": "Emotet", "target": null }, { "id": "Virus.Neshta", "display_name": "Virus.Neshta", "target": null }, { "id": "Mirai", "display_name": "Mirai", "target": null }, { "id": "RANSOM_REvil", "display_name": "RANSOM_REvil", "target": null }, { "id": "Labeled as: Ransom.Sodinokibi.Generic", "display_name": "Labeled as: Ransom.Sodinokibi.Generic", "target": null } ], "attack_ids": [ { "id": "T1012", "name": "Query Registry", "display_name": "T1012 - Query Registry" }, { "id": "T1035", "name": "Service Execution", "display_name": "T1035 - Service Execution" }, { "id": "T1046", "name": "Network Service Scanning", "display_name": "T1046 - Network Service Scanning" }, { "id": "T1060", "name": "Registry Run Keys / Startup Folder", "display_name": "T1060 - Registry Run Keys / Startup Folder" }, { "id": "T1083", "name": "File and Directory Discovery", "display_name": "T1083 - File and Directory Discovery" }, { "id": "T1112", "name": "Modify Registry", "display_name": "T1112 - Modify Registry" }, { "id": "T1179", "name": "Hooking", "display_name": "T1179 - Hooking" }, { "id": "T1215", "name": "Kernel Modules and Extensions", "display_name": "T1215 - Kernel Modules and Extensions" }, { "id": "T1547", "name": "Boot or Logon Autostart Execution", "display_name": "T1547 - Boot or Logon Autostart Execution" }, { "id": "T1140", "name": "Deobfuscate/Decode Files or Information", "display_name": "T1140 - Deobfuscate/Decode Files or Information" }, { "id": "T1021", "name": "Remote Services", "display_name": "T1021 - Remote Services" }, { "id": "T1055", "name": "Process Injection", "display_name": "T1055 - Process Injection" }, { "id": "T1181", "name": "Extra Window Memory Injection", "display_name": "T1181 - Extra Window Memory Injection" }, { "id": "TA0003", "name": "Persistence", "display_name": "TA0003 - Persistence" }, { "id": "TA0005", "name": "Defense Evasion", "display_name": "TA0005 - Defense Evasion" }, { "id": "TA0004", "name": "Privilege Escalation", "display_name": "TA0004 - Privilege Escalation" }, { "id": "TA0002", "name": "Execution", "display_name": "TA0002 - Execution" }, { "id": "TA0010", "name": "Exfiltration", "display_name": "TA0010 - Exfiltration" }, { "id": "TA0008", "name": "Lateral Movement", "display_name": "TA0008 - Lateral Movement" }, { "id": "TA0009", "name": "Collection", "display_name": "TA0009 - Collection" } ], "industries": [], "TLP": "white", "cloned_from": "684cad9bc64e61ae0e6df4c1", "export_count": 0, "upvotes_count": 0, "downvotes_count": 0, "votes_count": 0, "locked": false, "pulse_source": "web", "validator_count": 0, "comment_count": 3, "follower_count": 0, "vote": 0, "author": { "username": "Q.Vashti", "id": "337942", "avatar_url": "https://otx.alienvault.com/assets/images/default-avatar.png", "is_subscribed": false, "is_following": false }, "indicator_type_counts": { "FileHash-MD5": 99, "FileHash-SHA1": 85, "FileHash-SHA256": 110, "URL": 83, "CVE": 1, "domain": 102, "hostname": 36 }, "indicator_count": 516, "is_author": false, "is_subscribing": null, "subscriber_count": 143, "modified_text": "18 days ago ", "is_modified": false, "groups": [], "in_group": false, "threat_hunter_scannable": true, "threat_hunter_has_agents": 1, "related_indicator_type": "URL", "related_indicator_is_active": 1 }, { "id": "687d5d33d16ab7837e23bc01", "name": "howmanyofme.com - Packed | Palantir", "description": "howmanyofme.com was a honeypot. The names listed are potentially monitored targets. One was verified target.||\nhttp://howmanyofme.com/search/?given=Tsara&sur=Brashears/\nhttp://ww2.howmanyofme.com/people/Carrie_Henn/\nhttp://ww2.howmanyofme.com/people/Rockmond_Dunbar/\nhttp://howmanyofme.com/people/John_Hurt/\nhttp://howmanyofme.com/people/Mary_Gross/\nhttp://howmanyofme.com/people/Kenneth_Tobey/\nhttp://ww2.howmanyofme.com/people/Royce_Clayton/\n\n\n#Palantir # #honeypot #howmanyofme", "modified": "2025-09-18T23:05:18.490000", "created": "2025-07-20T21:18:43.974000", "tags": [ "united", "unknown ns", "a domains", "ip address", "search", "privacy service", "fbo registrant", "date", "entries", "how many", "destination", "port", "windows nt", "msie", "unknown", "et trojan", "poodle attack", "policy sslv3", "united kingdom", "suspicious", "copy", "virustotal", "malware", "write", "hostile", "next", "triton", "super node", "get reloaded", "x11 snf", "png image", "rgba", "post reloaded", "ascii text", "crlf line", "gnu message", "ms windows", "intel", "pe32", "host", "get babylon", "show", "babylon" ], "references": [], "public": 1, "adversary": "", "targeted_countries": [], "malware_families": [], "attack_ids": [ { "id": "T1060", "name": "Registry Run Keys / Startup Folder", "display_name": "T1060 - Registry Run Keys / Startup Folder" }, { "id": "T1119", "name": "Automated Collection", "display_name": "T1119 - Automated Collection" }, { "id": "T1047", "name": "Windows Management Instrumentation", "display_name": "T1047 - Windows Management Instrumentation" }, { "id": "T1055", "name": "Process Injection", "display_name": "T1055 - Process Injection" }, { "id": "T1057", "name": "Process Discovery", "display_name": "T1057 - Process Discovery" } ], "industries": [], "TLP": "green", "cloned_from": null, "export_count": 13, "upvotes_count": 0, "downvotes_count": 0, "votes_count": 0, "locked": false, "pulse_source": "web", "validator_count": 0, "comment_count": 0, "follower_count": 0, "vote": 0, "author": { "username": "Q.Vashti", "id": "337942", "avatar_url": "https://otx.alienvault.com/assets/images/default-avatar.png", "is_subscribed": false, "is_following": false }, "indicator_type_counts": { "URL": 7185, "domain": 706, "hostname": 1906, "email": 5, "FileHash-SHA256": 3645, "FileHash-MD5": 330, "FileHash-SHA1": 135, "CVE": 1 }, "indicator_count": 13913, "is_author": false, "is_subscribing": null, "subscriber_count": 144, "modified_text": "254 days ago ", "is_modified": true, "groups": [], "in_group": false, "threat_hunter_scannable": true, "threat_hunter_has_agents": 1, "related_indicator_type": "URL", "related_indicator_is_active": 1 }, { "id": "684cad9bc64e61ae0e6df4c1", "name": "Ransom REevil | AWS.DEV | MaaS", "description": "Malicious campaigners paid to target specific groups and individuals. Large ongoing operation.", "modified": "2025-07-13T22:02:31.447000", "created": "2025-06-13T23:00:43.338000", "tags": [ "filehashmd5", "filehashsha1", "showing", "copyright", "levelblue", "packer entropy", "pe features", "pe unknown", "resource name", "allocates rwx", "network icmp", "antivm network", "exe nolookup", "proxy wpad", "dead host", "tools", "generic", "deletes self", "ransom", "evader", "active", "learn", "ck id", "name tactics", "suspicious", "informative", "installs", "adversaries", "windows", "modules", "registry", "persistence", "execution", "service", "united", "path", "flag", "date", "access type", "germany germany", "create", "http header", "tcp traffic", "et info", "entropy", "hybrid", "malicious", "general", "click", "strings", "inject", "remote", "encrypt files", "python", "global", "win32 exe", "pe32", "intel", "ms windows", "win32 dynamic", "link library", "win16 ne", "icons library", "os2 executable", "pe32 compiler", "overlay", "data", "pe32 executable", "borland delphi", "delphi generic", "md5 code", "empty hash", "file type", "success", "regopenkeyexw", "regopenkeyexa", "hkeycurrentuser", "virtualallocex", "createfilew", "genericread", "hkeyclassesroot", "genericwrite", "regsetvalueexw", "desktop", "webview", "mirai", "russsian data", "reevil", "money doc", "gmt flag", "server", "united kingdom", "france france", "ukraine ukraine", "llc name", "viet nam", "show", "cve", "bad traffic", "false", "error", "tags", "ipv4", "url https", "url http", "search", "type indicator", "role title", "added active", "related pulses", "entries", "monitor", "target", "members", "maas", "attack", "mitre att" ], "references": [ "RANSOM_REvil - https://www.nextron-systems.com/notes-on-virustotal-matches/", "YARA: Matches rule MAL_RANSOM_REvil_Oct20_1 from ruleset crime_ransom_revil by Florian Roth (Nextron Systems)", "YARA: Matches rule Windows_Ransomware_Sodinokibi_83f05fbe from ruleset Windows_Ransomware_Sodinokibi by Elastic Security", "YARA: Matches rule win_revil_auto from ruleset win.revil_auto by Felix Bilstein - yara-signator at cocacoding dot com", "https://otx.alienvault.com/malware/Ransom:Win32/Makop/", "https://www.hybrid-analysis.com/sample/cb33f3d60a715436ab49ab7968c5a31410d0cd6b9d141b41b2362c02b59e2913/5e68effaec3f2e3f0c5237b8", "https://www.hybrid-analysis.com/sample/cb33f3d60a715436ab49ab7968c5a31410d0cd6b9d141b41b2362c02b59e2913/5e68effaec3f2e3f0c5237b8", "Permissions requested: SE_DEBUG_PRIVILEGE SE_LOAD_DRIVER_PRIVILEGE", "Behaviour: Extract file to system directory" ], "public": 1, "adversary": "", "targeted_countries": [ "United States of America" ], "malware_families": [ { "id": "Ransom:Win32/Makop.PA!MTB", "display_name": "Ransom:Win32/Makop.PA!MTB", "target": "/malware/Ransom:Win32/Makop.PA!MTB" }, { "id": "Trojan/Win32.BlueCrab.R331768", "display_name": "Trojan/Win32.BlueCrab.R331768", "target": null }, { "id": "Trojan.Ransom.Sodinokibi", "display_name": "Trojan.Ransom.Sodinokibi", "target": null }, { "id": "Emotet", "display_name": "Emotet", "target": null }, { "id": "Virus.Neshta", "display_name": "Virus.Neshta", "target": null }, { "id": "Mirai", "display_name": "Mirai", "target": null }, { "id": "RANSOM_REvil", "display_name": "RANSOM_REvil", "target": null }, { "id": "Labeled as: Ransom.Sodinokibi.Generic", "display_name": "Labeled as: Ransom.Sodinokibi.Generic", "target": null } ], "attack_ids": [ { "id": "T1012", "name": "Query Registry", "display_name": "T1012 - Query Registry" }, { "id": "T1035", "name": "Service Execution", "display_name": "T1035 - Service Execution" }, { "id": "T1046", "name": "Network Service Scanning", "display_name": "T1046 - Network Service Scanning" }, { "id": "T1060", "name": "Registry Run Keys / Startup Folder", "display_name": "T1060 - Registry Run Keys / Startup Folder" }, { "id": "T1083", "name": "File and Directory Discovery", "display_name": "T1083 - File and Directory Discovery" }, { "id": "T1112", "name": "Modify Registry", "display_name": "T1112 - Modify Registry" }, { "id": "T1179", "name": "Hooking", "display_name": "T1179 - Hooking" }, { "id": "T1215", "name": "Kernel Modules and Extensions", "display_name": "T1215 - Kernel Modules and Extensions" }, { "id": "T1547", "name": "Boot or Logon Autostart Execution", "display_name": "T1547 - Boot or Logon Autostart Execution" }, { "id": "T1140", "name": "Deobfuscate/Decode Files or Information", "display_name": "T1140 - Deobfuscate/Decode Files or Information" }, { "id": "T1021", "name": "Remote Services", "display_name": "T1021 - Remote Services" }, { "id": "T1055", "name": "Process Injection", "display_name": "T1055 - Process Injection" }, { "id": "T1181", "name": "Extra Window Memory Injection", "display_name": "T1181 - Extra Window Memory Injection" }, { "id": "TA0003", "name": "Persistence", "display_name": "TA0003 - Persistence" }, { "id": "TA0005", "name": "Defense Evasion", "display_name": "TA0005 - Defense Evasion" }, { "id": "TA0004", "name": "Privilege Escalation", "display_name": "TA0004 - Privilege Escalation" }, { "id": "TA0002", "name": "Execution", "display_name": "TA0002 - Execution" }, { "id": "TA0010", "name": "Exfiltration", "display_name": "TA0010 - Exfiltration" }, { "id": "TA0008", "name": "Lateral Movement", "display_name": "TA0008 - Lateral Movement" }, { "id": "TA0009", "name": "Collection", "display_name": "TA0009 - Collection" } ], "industries": [], "TLP": "white", "cloned_from": null, "export_count": 28, "upvotes_count": 0, "downvotes_count": 0, "votes_count": 0, "locked": false, "pulse_source": "web", "validator_count": 0, "comment_count": 0, "follower_count": 0, "vote": 0, "author": { "username": "Q.Vashti", "id": "337942", "avatar_url": "https://otx.alienvault.com/assets/images/default-avatar.png", "is_subscribed": false, "is_following": false }, "indicator_type_counts": { "FileHash-MD5": 99, "FileHash-SHA1": 85, "FileHash-SHA256": 110, "URL": 83, "CVE": 1, "domain": 102, "hostname": 36 }, "indicator_count": 516, "is_author": false, "is_subscribing": null, "subscriber_count": 142, "modified_text": "321 days ago ", "is_modified": true, "groups": [], "in_group": false, "threat_hunter_scannable": true, "threat_hunter_has_agents": 1, "related_indicator_type": "URL", "related_indicator_is_active": 1 }, { "id": "684c8fcde05dacb07f1a202e", "name": "Payment - Ref Id- H3426584.doc (aws.dev) Emotet", "description": "", "modified": "2025-07-13T20:04:30.723000", "created": "2025-06-13T20:53:33.231000", "tags": [ "learn more", "added active", "related pulses", "emotet", "malware", "get http", "dns resolutions", "resolved ips", "post http", "ua71173394", "ip address", "status code", "body length", "kb body", "media sharing", "known infection source", "spyware", "real estate", "compromised websites", "malware sites", "huge domains", "parking crew", "business", "malware service", "mas", "aws", "dev", "false", "error", "url https", "url http", "indicator role", "title added", "active related", "pulses", "showing", "entries", "sha256", "ttl value", "first", "privacy admin", "domain status", "redacted for", "server", "admin city", "country", "organization", "postal code", "stateprovince", "date", "key identifier", "x509v3 subject", "data", "v3 serial", "number", "algorithm", "cus olet", "encrypt cnr11", "validity", "subject public", "dirtsearch", "dns" ], "references": [ "Payment - Ref Id- H3426584.doc FileHash SHA256 ed2914efddb8e8f4c89abf95faa32572d35b3cfdfb202266993f6e7624a2048c", "The sandbox Zenbox flags this file as: EVADER", "The sandbox Dr.Web vxCube flags this file as: MALWARE EXPLOIT", "IDS: Matches rule SURICATA STREAM Packet with invalid ack", "IDS: Matches rule SURICATA STREAM SHUTDOWN RST invalid ack", "YARA: Office_Document_with_VBA_Project from ruleset Office_Document_with_VBA_Project by InQuest Labs", "YARA: Microsoft_Office_Documents_Excessive_Variables from ruleset Microsoft_Office_Documents_Excessive_Variables by InQuest Labs", "Dr. Web known infection source", "Emotet download site = dirt search.org / aws.dev and other related DGA\u2019s (active)", "Xcitium Verdict Cloud government & legal - https://www.dirtsearch.org/data/TSARA/BRASHEARS/", "DirtSearch.org | BitDefender business | Forcepoint ThreatSeeker reference materials | Xcitium Verdict Cloud government & legal", "Verdict: Defense Law Firm | malicious tools / agitators" ], "public": 1, "adversary": "", "targeted_countries": [], "malware_families": [ { "id": "Doc.Downloader.Emotet-7196349-0", "display_name": "Doc.Downloader.Emotet-7196349-0", "target": null }, { "id": "vb:Trojan.Agent.EEZZ", "display_name": "vb:Trojan.Agent.EEZZ", "target": null }, { "id": "trojan.w97m/emotetdldr", "display_name": "trojan.w97m/emotetdldr", "target": null }, { "id": "Troj/DocDl-SOK", "display_name": "Troj/DocDl-SOK", "target": null }, { "id": "Static AI - Malicious OLE", "display_name": "Static AI - Malicious OLE", "target": null }, { "id": "Trojan.W97M.POWLOAD.SMRV08", "display_name": "Trojan.W97M.POWLOAD.SMRV08", "target": null } ], "attack_ids": [ { "id": "T1588.001", "name": "Malware", "display_name": "T1588.001 - Malware" }, { "id": "T1447", "name": "Delete Device Data", "display_name": "T1447 - Delete Device Data" }, { "id": "T1578.003", "name": "Delete Cloud Instance", "display_name": "T1578.003 - Delete Cloud Instance" }, { "id": "T1583.001", "name": "Domains", "display_name": "T1583.001 - Domains" }, { "id": "T1102", "name": "Web Service", "display_name": "T1102 - Web Service" }, { "id": "T1036.004", "name": "Masquerade Task or Service", "display_name": "T1036.004 - Masquerade Task or Service" }, { "id": "T1114.001", "name": "Local Email Collection", "display_name": "T1114.001 - Local Email Collection" }, { "id": "T1110.002", "name": "Password Cracking", "display_name": "T1110.002 - Password Cracking" }, { "id": "T1512", "name": "Capture Camera", "display_name": "T1512 - Capture Camera" }, { "id": "T1105", "name": "Ingress Tool Transfer", "display_name": "T1105 - Ingress Tool Transfer" }, { "id": "T1204.002", "name": "Malicious File", "display_name": "T1204.002 - Malicious File" }, { "id": "T1457", "name": "Malicious Media Content", "display_name": "T1457 - Malicious Media Content" }, { "id": "T1204.001", "name": "Malicious Link", "display_name": "T1204.001 - Malicious Link" }, { "id": "T1204.003", "name": "Malicious Image", "display_name": "T1204.003 - Malicious Image" }, { "id": "T1071.004", "name": "DNS", "display_name": "T1071.004 - DNS" }, { "id": "T1185", "name": "Man in the Browser", "display_name": "T1185 - Man in the Browser" }, { "id": "T1523", "name": "Evade Analysis Environment", "display_name": "T1523 - Evade Analysis Environment" }, { "id": "T1610", "name": "Deploy Container", "display_name": "T1610 - Deploy Container" } ], "industries": [], "TLP": "white", "cloned_from": null, "export_count": 29, "upvotes_count": 0, "downvotes_count": 0, "votes_count": 0, "locked": false, "pulse_source": "web", "validator_count": 0, "comment_count": 0, "follower_count": 0, "vote": 0, "author": { "username": "Q.Vashti", "id": "337942", "avatar_url": "https://otx.alienvault.com/assets/images/default-avatar.png", "is_subscribed": false, "is_following": false }, "indicator_type_counts": { "FileHash-MD5": 37, "FileHash-SHA1": 44, "FileHash-SHA256": 117, "URL": 47, "domain": 41, "hostname": 43 }, "indicator_count": 329, "is_author": false, "is_subscribing": null, "subscriber_count": 144, "modified_text": "321 days ago ", "is_modified": true, "groups": [], "in_group": false, "threat_hunter_scannable": true, "threat_hunter_has_agents": 1, "related_indicator_type": "URL", "related_indicator_is_active": 1 }, { "id": "684c792c7a89d98470ecef31", "name": "aws.dev - Emotet - Hub for malicious activity", "description": "\u2022 Domain Name: aws.dev |\n\u2022 (DGA) https://www.google.com/search?client=ms-google-coop&q=%22deploy-delete-app-eu-west-1-0.deploy-delete-test-eu-west-1-oigwi9v.us-east-1.forgeapps.ec2.aws.dev%22&cx=003414466004237966221:dgg7iftvryo | \n\u2022 34.226.76.55 |\n\u2022\u2019domains.amazon | \n\u2022 devilspen.com |\n\u2022 aisux.aws.dev |\t\t\n\u2022 alex.aws.dev |\t\n\u2022 askjarvis.aws.dev |\n\u2022 atrium.aws.dev |\n\u2022 automated-runbooks.aws.dev |\nFalse 404 codes and Error pages - very active malicious behavior", "modified": "2025-07-13T18:02:18.648000", "created": "2025-06-13T19:17:00.818000", "tags": [ "united", "creation date", "search", "entries", "passive dns", "urls", "showing", "pulse pulses", "files", "domain", "dnssec", "expiration date", "unknown cname", "hostname add", "date", "redacted for", "email", "code", "organization", "privacy billing", "privacy tech", "postal code", "privacy admin", "com laude", "ltd dba", "nomiq", "limited dba", "admin city", "country", "stateprovince", "city", "mtb oct", "win32", "next associated", "mtb mar", "ipv4 add", "trojan", "apanas", "ransom", "body" ], "references": [], "public": 1, "adversary": "", "targeted_countries": [], "malware_families": [], "attack_ids": [], "industries": [], "TLP": "green", "cloned_from": null, "export_count": 32, "upvotes_count": 0, "downvotes_count": 0, "votes_count": 0, "locked": false, "pulse_source": "web", "validator_count": 0, "comment_count": 0, "follower_count": 0, "vote": 0, "author": { "username": "Q.Vashti", "id": "337942", "avatar_url": "https://otx.alienvault.com/assets/images/default-avatar.png", "is_subscribed": false, "is_following": false }, "indicator_type_counts": { "domain": 1111, "hostname": 1014, "URL": 2554, "FileHash-SHA256": 1461, "FileHash-MD5": 64, "email": 6, "FileHash-SHA1": 63 }, "indicator_count": 6273, "is_author": false, "is_subscribing": null, "subscriber_count": 144, "modified_text": "321 days ago ", "is_modified": true, "groups": [], "in_group": false, "threat_hunter_scannable": true, "threat_hunter_has_agents": 1, "related_indicator_type": "URL", "related_indicator_is_active": 1 }, { "id": "66d4916fa7338286448118a1", "name": "Jeffrey Scott Reimer DPT | Brian Sabey, SWIPPER -X.Com migration to Twitter ", "description": "", "modified": "2024-10-19T18:02:34.237000", "created": "2024-09-01T16:08:15.260000", "tags": [ "url https", "filehashsha256", "browse scan", "report spam", "author", "output", "tsara brashears", "created", "days ago", "showing", "trojan", "win32", "msil", "trojanspy", "virtool", "scan endpoints", "all search", "otx scoreblue", "author avatar", "fraud", "june", "worm", "search", "tsara type", "indicator role", "title added", "active related", "pulses url", "url http", "ipv6", "type indicator", "role title", "added active", "related pulses", "sort", "least", "researched", "f https", "scan", "iocs", "learn more", "filehashmd5", "hostname", "domain", "indicators show", "browser", "unsupported", "view", "continue", "watch tsara", "searchtsa", "brashears", "most relevant", "porn videos", "download", "google search", "open threat", "babe", "green", "daily", "play", "fullscreen", "tsara", "videos", "love", "top tsara", "xxx videos", "hardcore porn", "jeffrey reimer", "puts", "porn", "javascript", "body", "creation date", "record value", "united", "gmt content", "gmt max", "age900", "httponly x", "date", "unknown", "pragma", "levelblue", "exchange open", "threat exchange", "indicator", "safebae", "get involved", "anyone else", "press", "data reports", "teen students", "become", "chapter lead", "become a", "certified peer", "district", "brian sabey", "sabey data", "hallrender", "sabey data centers", "swipper", "mark b sabey", "m brian sabey", "2beeg", "thebrotherssabey", "urls", "show", "cloudflarenet", "us urlscan", "skip", "accessibility", "all images", "videos shopping", "forums news", "web more", "tools", "service", "malicious", "size", "recent", "off blur", "find", "summary", "securitytrails", "urlscan https", "tryporn", "icann whois", "data problem", "disclaimer", "judaporn", "kompoz", "blur filter", "search results", "xxxvideohd", "hacker news", "item", "url", "website", "web", "scanner", "analyze", "analyzer", "september", "domains", "sale worldwide", "street", "gate parkway", "stateprovince", "postal code", "route", "open", "watch", "links", "footer", "delete see", "delete c", "tofsee", "grum", "entries", "cape", "high", "total", "copy", "write", "malware", "patched", "next", "please" ], "references": [ "http://hghltd.yandex.net/yandbtm?fmode=inject&url=http://siteinlink.d1.cnbd.net/search/tsara-brashears-assaulted-by-jeffrey-reimer", "thebrotherssabey.wordpress.com | https://hallrender.com/attorney/brian-sabey", "https://twitter.com/ootiosum/status/1812208222150726029a4dmHAxV0M0QIHawADl4Qr4kDegUI-QEQAA&usg=AOvVaw37yALadqlgoR9_xlQ5B4Hm", "https://thebrotherssabey.wordpress.com/wp-admin/customize.php?url=https://thebrotherssabey.wordpress.com/", "https://SafeBae.org | https://www.sweetheartvideo.com/tsara-brashearsAccept-Language", "http://sexiezpics.com/tsara-brashears-hardcore-porn | https://www.sweetheartvideo.com/tsara-brashearsAccept-Language", "https://urlscan.io/domain/cdn2e-videos2.yjcontentdelivery.com | http://videolal.com/jeffrey-reimer-dpt-assaulted-tsara-brashears-denver.html", "https://www.google.com/search?client=ms-android-tcl-rvo2b&sca_esv=677ff2260c38da6a&sca_upv=1&q=tsara%20brashears&tbm=vid&source=lnms&fbs=AEQNm0Aa4sjWe7Rqy32pFwRj0UkWd8nbOJfsBGGB5IQQO6L3J5MIFhvnvU242yFxzEEp3BfRFWcyM5BvpTgNzM3vKj4sz-C2iLdc_0v0iAkScdtYjVPIGyVlvwujMCY6xcQ3LIupWIQPyPPfztGwIqpQ9H2EXqXXY4GBGq8hpekXoFuduDqktZzSriMQxAlKPjQviXaDVnUYcgWw9ejzcyECyIGanCUinw&sa=X&biw=1128&bih=1971&dpr=2&no_sw_cr=1&zx=1724209326040&sssc=1", "bfxxxhindi.to | https://www.anyxxxtube.net/search-porn/tsara-brashears/", "https://billpay.stcu.org/csp/ws/ALKAMI-S5M/html/PC_Remote_Role_Due_XP_Help/role1_faq_email_notifications.html billpay.stcu.org", "bfxxxhindi.to www.bfxxxhindi.to https://www.bfxxxhindi.to tsara brashears bfxxxhindi.to https://www.bfxxxhindi.to/trend/eaUvPMTg3NzMytY07Q/", "http://siteinlink.d1.cnbd.net/search/tsara-brashears-assaulted-by-jeffrey-reimer/", "http://siteinlink.d1.cnbd.net/search/tsara-brashears-dead/. http://www.music-forum.org/www-cixiu888-com-tsara-brashears.html", "https://www.pornhub.com/gifs/search?search=tsara+lynn+brashears+lesbian", "http://hghltd.yandex.net/yandbtm?fmode=inject&url=http://siteinlink.d1.cnbd.net/search/tsara-brashears-assaulted-by-jeffrey-reimer", "http://alohatube.xyz/search/tsara-brashears http://alohatube.xyz/search/tsara-brashears/", "http://videolal.com/videos/jeffrey-reimer-dpt-assaulted-tsara-brashears-massage-sexual-misconduct-miscinception.html", "http://videolal.co/videos/jeffrey-reimer-dpt-assaulted-tsara-brashears-concentra-medic", "http://videolal.co/videos/jeffrey-reimer-dpt-assaulted-tsara-brashears-concentra-medical-center", "http://videolal.com/jeffrey-reimer-dpt-assaulted-tsara-brashears-denver.html", "http://videolal.com/jeffrey-reimer-dpt-assaulted-tsara-brashears-medical.html", "http://videolal.com/videos/jeffrey-reimer-dpt-assaulted-tsara-brashears-massage-misconduct-miscinception.html", "http://videolal.com/tsara-brashears-assaulted-by-jeffrey-reimer.html http://videolal.com/tsara-brashears-dead-or-alive-song-rap.html", "http://videolal.com/tsara-brashears-pueblo.html , http://videolal.com/tsara-brashears.html", "http://pornbitter.com/storage/tsara-brashears/ http://www.gdsl-pallemoebler.info/seach/tsara-brashears/ advocate-smyslova.ru", "http://browntubeporn.com/tsara-brashears.html browntubeporn.com http://pornvideoj.com/tsara-brashears.htm", "pornhub.com/gay/video/search?search=tsara%2Blynn%2Bbrashears%2Blesbian", "feestzalenvanvlaanderen.be www.gdsl-pallemoebler.info http://anybunny.tv/search/tsara-brashears-submission-on-august-27-via-manual.html&us", "http://anybunny.tv/search/tsara-brashears-submission-on-august-27-via-manual.html&us www.tryporn.net", "http://www.gdsl-pallemoebler.info/seach/tsara-brashears/ advocate-smyslova.ru feestzalenvanvlaanderen.be www.gdsl-pallemoebler.info", "http://www.tryporn.net/seach/tsara-brashears/ hicksandchicks.org redpornvideos.net http://advocate-smyslova.ru/tsara-brashears/", "http://flexporn.net/tsara-brashears.html http://onlyindianporn.net/videos/tsara-brashears/ http://pornbitter.com/storage/tsara-brashears/", "http://pornpx.com/trends/tsara-brashears-submission-on-august-27-via-manual/1/ http://www.potnhub.org/tsara-brashears.html", "http://www.bukaporn.net/trend/tsara-brashears/ http://onlyindianporn.tv/videos/jeffrey-reimer-dpt-assaulted-tsara-brashears-concentra", "http://www.sexpornimages.com/tsara/tsara-lynn-brashears-porn/7x56y.html", "www.sexpornimages.com http://hicksandchicks.org/ju/tsara-brashears/ hlebo.mobi pornpx.com www.potnhub.org", "http://wapwon.live/category/tsara-brashears-assaulted-by-jeffrey-reimerAccept-Language http://www.music-forum.", "http://kompoz.me/find/tsara-brashears-submission-on-august-27-via-manual/ http://redpornvideos.net/tsara-brashears.html", "https://wallpapers-nature.com/ https://wallpapers-nature.com/%20tsara-brashears/urlscan-io", "https://wallpapers-nature.com/tsara-brashears/urlscan-io https://www.sweetheartvideo.com/tsara-brashears", "https://wallpapers-nature.com/tsara-brashears/tse1-mm-bing-net https://www.sweetheartvideo.com/tsara-brashears/", "https://www.sweetheartvideo.com/tsara-brashears/ | https://www.sweetheartvideo.com/tsara-brashearsAccept-Language", "https://www.sweetheartvideo.com/tsara-brashearsAccept-Language | https://wallpapers-nature.com/tsara-brashears/urlscan-io", "http://hghltd.yandex.net/yandbtm?fmode=inject&url=http://siteinlink.d1.cnbd.net/search/tsara-brashears-assaulted-by-jeffrey-reimer", "https://xlxx.mobi phishing\thttps://2beeg.me https://2beeg.net https://www.redporn.video https://youjizz.sex 2beeg.me xlxx.mobi ladys.one", "tsara-brashears-deadspin-twitter-suspended-account-help.ht videolal.com wallpapers-nature.com www.sweetheartvideo.com", "https://www.anyxxxtube.net/search-porn/tsara-brashears/ Domain mom2fuck.mobi https://youjizz.sex/tsara-brashears.html https://youjizz.sex", "http://amp.mypornvid.fun/videos/2/SLFGMWoQaCU/white-dpt-jeffrey-reimer-loves-pretty-indian-patient-forces-sex-3gp-video-tsara-brashears", "http://pixelrz.com/lists/keywords/tsara-brashears-assaulted-by-jeffrey-reimer http://pixelrz.com/lists/keywords/brashears-tsara-buzz-news", "http://pixelrz.com/lists/keywords/%20dr-jeffrey-reimer-dpt-funds-tsara-brashears/ https://xlxx.mobi", "http://pixelrz.com/lists/keywords/dr-jeffrey-reimer-dpt-funds-tsara-brashears/ orangeporntube.net www.tryporno.net", "http://pixelrz.com/lists/keywords/tsara-brashears-massage-misconduct-misconception http://pixelrz.com/lists/keywords/tsara-brashears-dead/ http://orangeporntube.net/tsara-brashears.html", "http://www.tryporno.net/movies/tsara-brashears/ http://www.pixelrz.com/lists/keywords/tsara-brashears/", "https://kompoz.me/find/tsara-brashears-submission-on-august-27-via-manual/ sexiezpics.com", "http://sexiezpics.com/tsara-brashears-hardcore-porn http://mypornvid.com/videos/27/x510fb2/white-dpt-jeffrey-reimer-loves-pretty-indian-patient-forces-sex-3gp-video-tsara-brashears/caillou-finger-family", "http://pixelrz.com/lists/keywords/tsara-brashears-assaulted-at-concentra/ http://pornohata.com/mov/tsara-brashears/", "http://onlyindianporn2.com/videos/tsara-brashears/ onlyindianporn2.com-porn.html aninditaannisa.blogspot.com porno-trash.net", "myhotzpic.com pornohata.com pornstarsporno.net aninditaannisa.blogspot.com/2019/02/tsara-brashears", "http://pornstarsporno.net/tsara-brashears.html http://vtwctr.org/explore/inmate-tsara-brashears/", "https://videolal.co/videos/jeffrey-reimer-dpt-assaulted-tsara%20-brashears-massage-nearby.html", "Hostname aninditaannisa.blogspot.com No Expiration\t0\t URL aninditaannisa.blogspot.com/2019/02/tsara-brashears-porn.html billpay.stcu.org", "http://hghltd.yandex.net/yandbtm?fmode=inject&url=http://siteinlink.d1.cnbd.net/search/tsara-brashears-assaulted-by-jeffrey-reimer", "https://thebrotherssabey.wordpress.com/wp-admin/customize.php?url=https://thebrotherssabey.wordpress.com/", "thebrotherssabey.wordpress.com http://www.sabey.com | http://resources.sabeydatacenters.com | http://root.sabeydatacenters.com", "http://go.sabey.com http://vpn2.sabey.com | http://resources.sabeydatacenters.com | http://root.sabeydatacenters.com |", "http://itsupport.sabey.com http://www.sabey.com | http://root.sabeydatacenters.com/ | http://server1.sabeydatacenters.com | http://smtp1.sabeydatacenters.com No Expiration\t http://smtps.sabeydatacenters.com | http://smtpseguro.sabeydatacenters.com", "http://sabey.com/construction/ | https://tulach.cc/ | sabeydatacenters.com | https://thebrotherssabey.com | http://root.sabeydatacenters.com/ No Expiration\t0\t URL http://server1.sabeydatacenters.com No Expiration\t0\t URL http://smtp1.sabeydatacenters.com No Expiration\t http://smtps.sabeydatacenters.com | http://smtpseguro.sabeydatacenters.com | http://staging.sabeydatacenters.com", "https://info.sabeydatacenters.com/webmail/404532/1590752290/6c9ed1e0b6b364689835e8c6bd51ed2198f99ee8ec7fa1924787e4e9b6382872", "forceusercontent.com | sabey.com | tulach.cc | http://thebrotherssabey.com/2018m.sabeydatacenters.com | https://www.vpn.sabey.com/", "root.sabeydatacenters.com | server1.sabeydatacenters.com | smtps.sabeydatacenters.com | smtpseguro.sabeydatacenters.com", "https://thebrotherssabey.com | https://thebrotherssabey.com/2015/08/24/why | staging.sabeydatacenters.com |", "authsmtp.sabeydatacenters.com | go.sabey.com | thebrotherssabey.com | mx5.sabeydatacenters.com | posta.sabeydatacenters.com", "remote.files.downloadnow-1.com | remote.sabeydatacenters.com | poczta.sabeydatacenters.com | pop.sabeydatacenters.com", "https://thebrotherssabey.com/2018/12/05/nature | https://thebrotherssabey.com/2019/01/20/miracle/ | https://thebrotherssabey.com/20", "https://thebrotherssabey.com/2015/08/24/why | https://thebrotherssabey.com/2016/03/12/how | https://thebrotherssabey.com/2017/04/17/truth", "https://thebrotherssabey.com/2016/01/18/ballroom | resources.sabeydatacenters.com | https://thebrotherssabey.com/feed/", "https://thebrotherssabey.com/comments/feed/ | mail2.sabeydatacenters.com | mails.sabeydatacenters.com | newmail.sabeydatacenters.com", "http://staging.sabeydatacenters.com | https://sabey.com/careers/ | https://vpn2.sabey.com | https://www.sabey.com | https://www.vpn.sabey.com |", "https://info.sabeydatacenters.com/emailPreference/epc/404532/EcSDdxFsTp4vgdAzwbcD5rWn7oROwp5s8Buq0L48dF0/732bdcab2311714bb73d4d507e6508d215afb4dbc511", "1a8fc49a4265fe146976/1523680312 | https://thebrotherssabey.com/2018/04/22/the | https://thebrotherssabey.com/2019/07/08/suffering", "https://info.sabeydatacenters.com/listUnsubscribeHeader/u/404532/732bdcab2311714bb73d4d507e6508d215afb4dbc5111a8fc49a4265fe14697", "https://info.sabeydatacenters.com/r/404532/1/1523680312/open/1 | http://onlyindianporn2.com/videos/dia-sabey/?p=13", "https://thebrotherssabey.com/category/pregnancy | https://thebrotherssabey.com/discourse | onlyindianporn2.com", "https://thebrotherssabey.com/2019/01/20/miracle/?share=twitter | https://thebrotherssabey.com/author/dbsabey/", "https://thebrotherssabey.com/author/thebrotherssabey/ | https://thebrotherssabey.com/category/homosexuality", "https://thebrotherssabey.com/2018/12/05/nature-of-scripture-part-5-conclusions/ | https://thebrotherssabey.com/2019/08/01/why", "mypornvid.fun | porn100.tv | amp.mypornvid.fun | cdn10.mypornvid.fun | cdn11.mypornvid.fun | cdn5.mypornvid.fun | cdn8.mypornvid.fun", "www.anyxxxtube.net | sv2.mypornvid.fun | www.porn100.tv | www.redporn.video | https://www.anyxxxtube.net/search-porn/tsara-brashears/ phishing |", "http://amp.mypornvid.fun/videos/2/SLFGMWoQaCU/white-dpt-jeffrey-reimer-loves-pretty-indian-patient-forces-sex-3gp-video-tsara-brashears", "anybunny.tv | http://anybunny.tv/search/eva-lisa | http://anybunny.tv/search/tsara-brashears-submission-on-august-27-via-manual.html&us", "https://videolal.co/videos/jeffrey-reimer-dpt-assaulted-tsara-brashears-massage-nearby.html. |", "http://onlyindianporn.tv/videos/jeffrey-reimer-dpt-assaulted-tsara-brashears-concent | http://wapwon.live/category/tsara-brashears-assaulted-by-jeffrey-reimerAccept-Languauge", "onlyindianporn.tv | sexpornimages.com | http://www.sexpornimages.com/hillary/hillary-clinton", "https://mypornvid.fun/videos/3/o00vnGgcVx0/dude-sex-fuck-a-deer-wapporn-video-com/fuck-deer", "http://www.sexpornimages.com/tsara/tsara-lynn-brashears-porn/7x56y.html", "http://siteinlink.d1.cnbd.net/search/tsara-brashears-dead/ | http://videolal.com/tsara-brashears-dead-by-daylight.html", "http://videolal.com/tsara-brashears-dead-or-alive-song-rap.html | http://videolal.com/tsara-brashears-dead.html |", "https://thebrotherssabey.com/comments/feed/ | https://thebrotherssabey.com/2019/01/20/miracle/", "https://videolal.com/videos/tsara-brashears-dead-by-daylight.html | tsara-brashears-deadspin-twitter-suspended-account-help.ht", "https://thebrotherssabey.com/2018/12/05/nature | https://thebrotherssabey.com/2017/04/17/truth", "https://thebrotherssabey.com/2016/03/12/how | https://thebrotherssabey.com/2016/01/18/ballroom", "https://thebrotherssabey.com/comments/feed/ | https://thebrotherssabey.com/category/pregnancy", "https://thebrotherssabey.com/feed/ | https://thebrotherssabey.com/discourse | https://thebrotherssabey.com/comments/feed/", "https://thebrotherssabey.com/2015/08/24/why | https://thebrotherssabey.com/20 | https://thebrotherssabey.com | https://thebrotherssabey.com", "http://thebrotherssabey.com/2018 | https://thebrotherssabey.com/2019/01/20/miracle/ | https://thebrotherssabey.com/2019/07/08/suffering", "https://thebrotherssabey.com/category/pregnancy | https://thebrotherssabey.com/category/homosexuality", "https://thebrotherssabey.com/author/thebrotherssabey/ | https://thebrotherssabey.com/author/dbsabey/", "http://siteinlink.d1.cnbd.net/site/maps.google.com.lb/ | https://www.applefilmaker.com | https://www.applefilmaker.com/1odbU3D", "www.wwwgitlab.gitlab.git.git.gitlab.git.128-199-7-137.cprapid.com", "https://thebrotherssabey.wordpress.com/wp-admin/customize.php?url=https://thebrotherssabey.wordpress.com/", "https://hallrender.com/attorney/brian-sabey | https://thebrotherssabey.com/2019/01/20/miracle/?share=twitter", "storage.ladys.one ladys.one: | http://photos.ladys.one ladys.one: | http://porno.ladys.one ladys.one: | http://storage.ladys.one ladys.one: | http://xxx-videos.ladys.one ladys.one:", "http://www.xvxx.me/clips/nadia-ali-hardcore/199530/", "https://kompoz2.com/tv/454575/blonde-slut-sara-jay-with-big-ass-is-fucked-in-doggy-style.html", "http://onlyindianporn2.com/videos/vichatter-young-11//title/0.7292669771257236" ], "public": 1, "adversary": "Brian Sabey | Tulach | Sabey Data Centers", "targeted_countries": [ "United States of America", "Netherlands", "United Kingdom of Great Britain and Northern Ireland" ], "malware_families": [ { "id": "Win32/Tofsee.AX", "display_name": "Win32/Tofsee.AX", "target": null }, { "id": "Trojan:Win32/Muldrop", "display_name": "Trojan:Win32/Muldrop", "target": "/malware/Trojan:Win32/Muldrop" } ], "attack_ids": [ { "id": "T1125", "name": "Video Capture", "display_name": "T1125 - Video Capture" }, { "id": "T1566", "name": "Phishing", "display_name": "T1566 - Phishing" }, { "id": "T1068", "name": "Exploitation for Privilege Escalation", "display_name": "T1068 - Exploitation for Privilege Escalation" }, { "id": "T1190", "name": "Exploit Public-Facing Application", "display_name": "T1190 - Exploit Public-Facing Application" }, { "id": "T1472", "name": "Generate Fraudulent Advertising Revenue", "display_name": "T1472 - Generate Fraudulent Advertising Revenue" }, { "id": "T1457", "name": "Malicious Media Content", "display_name": "T1457 - Malicious Media Content" }, { "id": "T1586.001", "name": "Social Media Accounts", "display_name": "T1586.001 - Social Media Accounts" }, { "id": "T1055.013", "name": "Process Doppelg\u00e4nging", "display_name": "T1055.013 - Process Doppelg\u00e4nging" }, { "id": "T1080", "name": "Taint Shared Content", "display_name": "T1080 - Taint Shared Content" }, { "id": "T1449", "name": "Exploit SS7 to Redirect Phone Calls/SMS", "display_name": "T1449 - Exploit SS7 to Redirect Phone Calls/SMS" } ], "industries": [], "TLP": "green", "cloned_from": "66ccbd92f716bb0ca0fda93d", "export_count": 24, "upvotes_count": 0, "downvotes_count": 0, "votes_count": 0, "locked": false, "pulse_source": "web", "validator_count": 0, "comment_count": 0, "follower_count": 0, "vote": 0, "author": { "username": "scoreblue", "id": "254100", "avatar_url": "/otxapi/users/avatar_image/media/avatars/user_254100/resized/80/avatar_3b9c358f36.png", "is_subscribed": false, "is_following": false }, "indicator_type_counts": { "FileHash-MD5": 121, "FileHash-SHA1": 116, "FileHash-SHA256": 935, "URL": 5882, "domain": 571, "hostname": 1418, "email": 9, "CIDR": 1, "SSLCertFingerprint": 1 }, "indicator_count": 9054, "is_author": false, "is_subscribing": null, "subscriber_count": 228, "modified_text": "588 days ago ", "is_modified": true, "groups": [], "in_group": false, "threat_hunter_scannable": true, "threat_hunter_has_agents": 1, "related_indicator_type": "URL", "related_indicator_is_active": 1 }, { "id": "6570a6896d409a11f01d7eeb", "name": "Keyloggers", "description": "", "modified": "2023-12-06T16:51:21.700000", "created": "2023-12-06T16:51:21.700000", "tags": [], "references": [], "public": 1, "adversary": "", "targeted_countries": [], "malware_families": [], "attack_ids": [], "industries": [], "TLP": "green", "cloned_from": null, "export_count": 8, "upvotes_count": 0, "downvotes_count": 0, "votes_count": 0, "locked": false, "pulse_source": "api", "validator_count": 0, "comment_count": 0, "follower_count": 0, "vote": 0, "author": { "username": "StreamMiningEx", "id": "262917", "avatar_url": "https://otx.alienvault.com/assets/images/default-avatar.png", "is_subscribed": false, "is_following": false }, "indicator_type_counts": { "CVE": 1, "FileHash-SHA256": 84, "domain": 28, "FileHash-MD5": 209, "FileHash-SHA1": 123, "hostname": 101, "URL": 20 }, "indicator_count": 566, "is_author": false, "is_subscribing": null, "subscriber_count": 109, "modified_text": "906 days ago ", "is_modified": false, "groups": [], "in_group": false, "threat_hunter_scannable": true, "threat_hunter_has_agents": 1, "related_indicator_type": "URL", "related_indicator_is_active": 1 }, { "id": "65709f71c6bd8f47a87bf64f", "name": "dirtsearch.org", "description": "", "modified": "2023-12-06T16:21:05.382000", "created": "2023-12-06T16:21:05.382000", "tags": [], "references": [], "public": 1, "adversary": "", "targeted_countries": [], "malware_families": [], "attack_ids": [], "industries": [], "TLP": "green", "cloned_from": null, "export_count": 7, "upvotes_count": 0, "downvotes_count": 0, "votes_count": 0, "locked": false, "pulse_source": "api", "validator_count": 0, "comment_count": 0, "follower_count": 0, "vote": 0, "author": { "username": "StreamMiningEx", "id": "262917", "avatar_url": "https://otx.alienvault.com/assets/images/default-avatar.png", "is_subscribed": false, "is_following": false }, "indicator_type_counts": { "CVE": 1, "FileHash-SHA256": 84, "domain": 28, "FileHash-MD5": 209, "FileHash-SHA1": 123, "hostname": 101, "URL": 20 }, "indicator_count": 566, "is_author": false, "is_subscribing": null, "subscriber_count": 109, "modified_text": "906 days ago ", "is_modified": false, "groups": [], "in_group": false, "threat_hunter_scannable": true, "threat_hunter_has_agents": 1, "related_indicator_type": "URL", "related_indicator_is_active": 1 }, { "id": "653f1aa3c6fa8fecdd6c8059", "name": "Keyloggers", "description": "", "modified": "2023-10-30T02:53:23.678000", "created": "2023-10-30T02:53:23.678000", "tags": [], "references": [], "public": 1, "adversary": "", "targeted_countries": [], "malware_families": [], "attack_ids": [], "industries": [], "TLP": "green", "cloned_from": "651345bec176120bb739fa07", "export_count": 8, "upvotes_count": 0, "downvotes_count": 0, "votes_count": 0, "locked": false, "pulse_source": "web", "validator_count": 0, "comment_count": 0, "follower_count": 0, "vote": 0, "author": { "username": "OctoSeek", "id": "243548", "avatar_url": "/otxapi/users/avatar_image/media/avatars/user_243548/resized/80/avatar_3b9c358f36.png", "is_subscribed": false, "is_following": false }, "indicator_type_counts": { "domain": 28, "hostname": 101, "URL": 20, "FileHash-MD5": 209, "FileHash-SHA1": 123, "FileHash-SHA256": 84, "CVE": 1 }, "indicator_count": 566, "is_author": false, "is_subscribing": null, "subscriber_count": 220, "modified_text": "944 days ago ", "is_modified": false, "groups": [], "in_group": false, "threat_hunter_scannable": true, "threat_hunter_has_agents": 1, "related_indicator_type": "URL", "related_indicator_is_active": 1 }, { "id": "653f12efb1dd008ba954d035", "name": "Malvertizing Scam", "description": "", "modified": "2023-10-30T02:20:31.220000", "created": "2023-10-30T02:20:31.220000", "tags": [], "references": [], "public": 1, "adversary": "", "targeted_countries": [], "malware_families": [], "attack_ids": [], "industries": [], "TLP": "green", "cloned_from": "65134180d25cca1e04cac49d", "export_count": 9, "upvotes_count": 0, "downvotes_count": 0, "votes_count": 0, "locked": false, "pulse_source": "web", "validator_count": 0, "comment_count": 0, "follower_count": 0, "vote": 0, "author": { "username": "OctoSeek", "id": "243548", "avatar_url": "/otxapi/users/avatar_image/media/avatars/user_243548/resized/80/avatar_3b9c358f36.png", "is_subscribed": false, "is_following": false }, "indicator_type_counts": { "domain": 1, "hostname": 5, "URL": 19 }, "indicator_count": 25, "is_author": false, "is_subscribing": null, "subscriber_count": 220, "modified_text": "944 days ago ", "is_modified": false, "groups": [], "in_group": false, "threat_hunter_scannable": false, "threat_hunter_has_agents": 1, "related_indicator_type": "URL", "related_indicator_is_active": 1 }, { "id": "653f12523c3877e8ea065649", "name": "members.dirtsearch.org", "description": "", "modified": "2023-10-30T02:17:54.408000", "created": "2023-10-30T02:17:54.408000", "tags": [], "references": [], "public": 1, "adversary": "", "targeted_countries": [], "malware_families": [], "attack_ids": [], "industries": [], "TLP": "green", "cloned_from": "6513448276a81ba7d3a926f1", "export_count": 9, "upvotes_count": 0, "downvotes_count": 0, "votes_count": 0, "locked": false, "pulse_source": "web", "validator_count": 0, "comment_count": 0, "follower_count": 0, "vote": 0, "author": { "username": "OctoSeek", "id": "243548", "avatar_url": "/otxapi/users/avatar_image/media/avatars/user_243548/resized/80/avatar_3b9c358f36.png", "is_subscribed": false, "is_following": false }, "indicator_type_counts": { "hostname": 5, "domain": 1, "URL": 18 }, "indicator_count": 24, "is_author": false, "is_subscribing": null, "subscriber_count": 220, "modified_text": "944 days ago ", "is_modified": false, "groups": [], "in_group": false, "threat_hunter_scannable": false, "threat_hunter_has_agents": 1, "related_indicator_type": "URL", "related_indicator_is_active": 1 }, { "id": "651345bec176120bb739fa07", "name": "Keyloggers", "description": "", "modified": "2023-10-03T13:02:02.593000", "created": "2023-09-26T20:57:34.069000", "tags": [], "references": [], "public": 1, "adversary": "", "targeted_countries": [], "malware_families": [], "attack_ids": [], "industries": [], "TLP": "green", "cloned_from": "64d39e12cb684e7078a03ba6", "export_count": 6, "upvotes_count": 0, "downvotes_count": 0, "votes_count": 0, "locked": false, "pulse_source": "web", "validator_count": 0, "comment_count": 0, "follower_count": 0, "vote": 0, "author": { "username": "scoreblue", "id": "254100", "avatar_url": "/otxapi/users/avatar_image/media/avatars/user_254100/resized/80/avatar_3b9c358f36.png", "is_subscribed": false, "is_following": false }, "indicator_type_counts": { "domain": 28, "hostname": 101, "URL": 20, "FileHash-MD5": 209, "FileHash-SHA1": 123, "FileHash-SHA256": 84, "CVE": 1 }, "indicator_count": 566, "is_author": false, "is_subscribing": null, "subscriber_count": 227, "modified_text": "971 days ago ", "is_modified": true, "groups": [], "in_group": false, "threat_hunter_scannable": true, "threat_hunter_has_agents": 1, "related_indicator_type": "URL", "related_indicator_is_active": 1 }, { "id": "64d39e12cb684e7078a03ba6", "name": "dirtsearch.org", "description": "Backdoor.Win32/Xtrat.A Possbile Plugin DownloadTrojan:Win32/Dorv.A\n, \nTrojan:Win32/QQPass\nNjRAT Trojans\nemotet\nskynet black Basta NeuroSky\nBotNetworks \nInfoStealer Password stealer passcode bypass malware spreaders dynamic\nDNS Query DNS\nNetwork Support RAT\nNetwork Compromise Command & Control \nTracking Radar \nKeyloggers \nSEO rollout\nMail exploit \nApple iOS 'hacktool'\nunlocks\n privilege escalation\n regulations privileges\niOS Apple iphones phishing\nApple phishing\nMitre Attacks\nAdult content generator\nMalware\ndroppers\nVirus\nAI\nAbuse", "modified": "2023-10-03T13:02:02.593000", "created": "2023-08-09T14:09:22.191000", "tags": [], "references": [], "public": 1, "adversary": "", "targeted_countries": [], "malware_families": [], "attack_ids": [], "industries": [], "TLP": "green", "cloned_from": null, "export_count": 6, "upvotes_count": 0, "downvotes_count": 0, "votes_count": 0, "locked": false, "pulse_source": "web", "validator_count": 0, "comment_count": 0, "follower_count": 0, "vote": 0, "author": { "username": "OctoSeek", "id": "243548", "avatar_url": "/otxapi/users/avatar_image/media/avatars/user_243548/resized/80/avatar_3b9c358f36.png", "is_subscribed": false, "is_following": false }, "indicator_type_counts": { "domain": 28, "hostname": 101, "URL": 20, "FileHash-MD5": 209, "FileHash-SHA1": 123, "FileHash-SHA256": 84, "CVE": 1 }, "indicator_count": 566, "is_author": false, "is_subscribing": null, "subscriber_count": 220, "modified_text": "971 days ago ", "is_modified": true, "groups": [], "in_group": false, "threat_hunter_scannable": true, "threat_hunter_has_agents": 1, "related_indicator_type": "URL", "related_indicator_is_active": 1 }, { "id": "6513448276a81ba7d3a926f1", "name": "members.dirtsearch.org", "description": "", "modified": "2023-09-26T20:52:18.719000", "created": "2023-09-26T20:52:18.719000", "tags": [], "references": [], "public": 1, "adversary": "", "targeted_countries": [], "malware_families": [], "attack_ids": [], "industries": [], "TLP": "green", "cloned_from": "64d3a27097734b911a922ced", "export_count": 6, "upvotes_count": 0, "downvotes_count": 0, "votes_count": 0, "locked": false, "pulse_source": "web", "validator_count": 0, "comment_count": 0, "follower_count": 0, "vote": 0, "author": { "username": "scoreblue", "id": "254100", "avatar_url": "/otxapi/users/avatar_image/media/avatars/user_254100/resized/80/avatar_3b9c358f36.png", "is_subscribed": false, "is_following": false }, "indicator_type_counts": { "hostname": 5, "domain": 1, "URL": 18 }, "indicator_count": 24, "is_author": false, "is_subscribing": null, "subscriber_count": 227, "modified_text": "977 days ago ", "is_modified": false, "groups": [], "in_group": false, "threat_hunter_scannable": false, "threat_hunter_has_agents": 1, "related_indicator_type": "URL", "related_indicator_is_active": 1 }, { "id": "65134180d25cca1e04cac49d", "name": "Malvertizing Scam", "description": "", "modified": "2023-09-26T20:39:28.244000", "created": "2023-09-26T20:39:28.244000", "tags": [], "references": [], "public": 1, "adversary": "", "targeted_countries": [], "malware_families": [], "attack_ids": [], "industries": [], "TLP": "green", "cloned_from": "64d017e00eb39c76276716aa", "export_count": 6, "upvotes_count": 0, "downvotes_count": 0, "votes_count": 0, "locked": false, "pulse_source": "web", "validator_count": 0, "comment_count": 0, "follower_count": 0, "vote": 0, "author": { "username": "scoreblue", "id": "254100", "avatar_url": "/otxapi/users/avatar_image/media/avatars/user_254100/resized/80/avatar_3b9c358f36.png", "is_subscribed": false, "is_following": false }, "indicator_type_counts": { "domain": 1, "hostname": 5, "URL": 19 }, "indicator_count": 25, "is_author": false, "is_subscribing": null, "subscriber_count": 227, "modified_text": "977 days ago ", "is_modified": false, "groups": [], "in_group": false, "threat_hunter_scannable": false, "threat_hunter_has_agents": 1, "related_indicator_type": "URL", "related_indicator_is_active": 1 }, { "id": "651341123f71f3c2357def5b", "name": "Malware site", "description": "", "modified": "2023-09-26T20:37:38.419000", "created": "2023-09-26T20:37:38.419000", "tags": [], "references": [], "public": 1, "adversary": "", "targeted_countries": [], "malware_families": [], "attack_ids": [], "industries": [], "TLP": "green", "cloned_from": "64d015412fea1fcafd82cc73", "export_count": 6, "upvotes_count": 0, "downvotes_count": 0, "votes_count": 0, "locked": false, "pulse_source": "web", "validator_count": 0, "comment_count": 0, "follower_count": 0, "vote": 0, "author": { "username": "scoreblue", "id": "254100", "avatar_url": "/otxapi/users/avatar_image/media/avatars/user_254100/resized/80/avatar_3b9c358f36.png", "is_subscribed": false, "is_following": false }, "indicator_type_counts": { "domain": 1, "hostname": 5, "URL": 19 }, "indicator_count": 25, "is_author": false, "is_subscribing": null, "subscriber_count": 227, "modified_text": "977 days ago ", "is_modified": false, "groups": [], "in_group": false, "threat_hunter_scannable": false, "threat_hunter_has_agents": 1, "related_indicator_type": "URL", "related_indicator_is_active": 1 }, { "id": "64d3a27097734b911a922ced", "name": "members.dirtsearch.org", "description": "Malware\nBot Network \nNetwork Compromise \nNjRAT \nemotet \nwannacry \n black basta\nSEO rollout\nNetwork Support RAT\nTrojans\nDroppers\nEvaders\nReputation Smearing Campaign\nMembers can login to privately spread false information about anyone that ranks high in Google search engine results \napple hacktools\nMitre Attaks\nCommand & Control\nTracking Radar\n InfoStealers\nKeyloggers\nSneaky Server removal\nReplace device interface\nAlt + Google\nAbuse\nBackdoor.Win32/Xtrat.A Possbile Plugin Download", "modified": "2023-08-09T14:28:00.553000", "created": "2023-08-09T14:28:00.553000", "tags": [], "references": [], "public": 1, "adversary": "", "targeted_countries": [], "malware_families": [], "attack_ids": [], "industries": [], "TLP": "green", "cloned_from": null, "export_count": 6, "upvotes_count": 0, "downvotes_count": 0, "votes_count": 0, "locked": false, "pulse_source": "web", "validator_count": 0, "comment_count": 0, "follower_count": 0, "vote": 0, "author": { "username": "OctoSeek", "id": "243548", "avatar_url": "/otxapi/users/avatar_image/media/avatars/user_243548/resized/80/avatar_3b9c358f36.png", "is_subscribed": false, "is_following": false }, "indicator_type_counts": { "hostname": 5, "domain": 1, "URL": 18 }, "indicator_count": 24, "is_author": false, "is_subscribing": null, "subscriber_count": 221, "modified_text": "1026 days ago ", "is_modified": false, "groups": [], "in_group": false, "threat_hunter_scannable": false, "threat_hunter_has_agents": 1, "related_indicator_type": "URL", "related_indicator_is_active": 1 }, { "id": "64d017e00eb39c76276716aa", "name": "DirtSearch.org - Home", "description": "Malware\nEmotet, Skynet, Black Basta , NjRAT ,Trojans evaders, executables, entropy, NORAD Tracker,,Keylogger, login privileges , BotNet, Cybercrime, Cyberstalking, tagging, pornography promoting, Reflected Networks, alleged red hat, cyber security firm scammer, reputation smearing campaigns, beacons, remote Attacker , downloads executables remotely, Mitre attaks, command & control. Packed", "modified": "2023-08-06T22:00:00.417000", "created": "2023-08-06T22:00:00.417000", "tags": [], "references": [], "public": 1, "adversary": "", "targeted_countries": [], "malware_families": [], "attack_ids": [], "industries": [], "TLP": "green", "cloned_from": null, "export_count": 3, "upvotes_count": 0, "downvotes_count": 0, "votes_count": 0, "locked": false, "pulse_source": "web", "validator_count": 0, "comment_count": 0, "follower_count": 0, "vote": 0, "author": { "username": "OctoSeek", "id": "243548", "avatar_url": "/otxapi/users/avatar_image/media/avatars/user_243548/resized/80/avatar_3b9c358f36.png", "is_subscribed": false, "is_following": false }, "indicator_type_counts": { "domain": 1, "hostname": 5, "URL": 19 }, "indicator_count": 25, "is_author": false, "is_subscribing": null, "subscriber_count": 220, "modified_text": "1028 days ago ", "is_modified": false, "groups": [], "in_group": false, "threat_hunter_scannable": false, "threat_hunter_has_agents": 1, "related_indicator_type": "URL", "related_indicator_is_active": 1 }, { "id": "64d015412fea1fcafd82cc73", "name": "Malware site", "description": "Emotet\nBlack Basta\nNjRAT\nInfoStealer Password stealer passcode bypass contact stealer\nremote Attacker unlocks your iPhone\nEscalation privliges \nBotNets\nSmear campaigns", "modified": "2023-08-06T21:48:49.844000", "created": "2023-08-06T21:48:49.844000", "tags": [], "references": [], "public": 1, "adversary": "", "targeted_countries": [], "malware_families": [], "attack_ids": [], "industries": [], "TLP": "green", "cloned_from": null, "export_count": 3, "upvotes_count": 0, "downvotes_count": 0, "votes_count": 0, "locked": false, "pulse_source": "web", "validator_count": 0, "comment_count": 0, "follower_count": 0, "vote": 0, "author": { "username": "OctoSeek", "id": "243548", "avatar_url": "/otxapi/users/avatar_image/media/avatars/user_243548/resized/80/avatar_3b9c358f36.png", "is_subscribed": false, "is_following": false }, "indicator_type_counts": { "domain": 1, "hostname": 5, "URL": 19 }, "indicator_count": 25, "is_author": false, "is_subscribing": null, "subscriber_count": 221, "modified_text": "1028 days ago ", "is_modified": false, "groups": [], "in_group": false, "threat_hunter_scannable": false, "threat_hunter_has_agents": 1, "related_indicator_type": "URL", "related_indicator_is_active": 1 } ], "references": [ "https://www.sweetheartvideo.com/tsara-brashearsAccept-Language | https://wallpapers-nature.com/tsara-brashears/urlscan-io", "http://pixelrz.com/lists/keywords/tsara-brashears-assaulted-at-concentra/ http://pornohata.com/mov/tsara-brashears/", "http://pornpx.com/trends/tsara-brashears-submission-on-august-27-via-manual/1/ http://www.potnhub.org/tsara-brashears.html", "https://thebrotherssabey.com/comments/feed/ | mail2.sabeydatacenters.com | mails.sabeydatacenters.com | newmail.sabeydatacenters.com", "http://videolal.com/tsara-brashears-assaulted-by-jeffrey-reimer.html http://videolal.com/tsara-brashears-dead-or-alive-song-rap.html", "http://www.tryporn.net/seach/tsara-brashears/ hicksandchicks.org redpornvideos.net http://advocate-smyslova.ru/tsara-brashears/", "http://amp.mypornvid.fun/videos/2/SLFGMWoQaCU/white-dpt-jeffrey-reimer-loves-pretty-indian-patient-forces-sex-3gp-video-tsara-brashears", "https://thebrotherssabey.com/2016/01/18/ballroom | resources.sabeydatacenters.com | https://thebrotherssabey.com/feed/", "http://anybunny.tv/search/tsara-brashears-submission-on-august-27-via-manual.html&us www.tryporn.net", "https://wallpapers-nature.com/tsara-brashears/urlscan-io https://www.sweetheartvideo.com/tsara-brashears", "https://www.google.com/search?client=ms-android-tcl-rvo2b&sca_esv=677ff2260c38da6a&sca_upv=1&q=tsara%20brashears&tbm=vid&source=lnms&fbs=AEQNm0Aa4sjWe7Rqy32pFwRj0UkWd8nbOJfsBGGB5IQQO6L3J5MIFhvnvU242yFxzEEp3BfRFWcyM5BvpTgNzM3vKj4sz-C2iLdc_0v0iAkScdtYjVPIGyVlvwujMCY6xcQ3LIupWIQPyPPfztGwIqpQ9H2EXqXXY4GBGq8hpekXoFuduDqktZzSriMQxAlKPjQviXaDVnUYcgWw9ejzcyECyIGanCUinw&sa=X&biw=1128&bih=1971&dpr=2&no_sw_cr=1&zx=1724209326040&sssc=1", "https://www.pornhub.com/gifs/search?search=tsara+lynn+brashears+lesbian", "DirtSearch.org | BitDefender business | Forcepoint ThreatSeeker reference materials | Xcitium Verdict Cloud government & legal", "https://hallrender.com/attorney/brian-sabey | https://thebrotherssabey.com/2019/01/20/miracle/?share=twitter", "mypornvid.fun | porn100.tv | amp.mypornvid.fun | cdn10.mypornvid.fun | cdn11.mypornvid.fun | cdn5.mypornvid.fun | cdn8.mypornvid.fun", "https://twitter.com/ootiosum/status/1812208222150726029a4dmHAxV0M0QIHawADl4Qr4kDegUI-QEQAA&usg=AOvVaw37yALadqlgoR9_xlQ5B4Hm", "root.sabeydatacenters.com | server1.sabeydatacenters.com | smtps.sabeydatacenters.com | smtpseguro.sabeydatacenters.com", "Payment - Ref Id- H3426584.doc FileHash SHA256 ed2914efddb8e8f4c89abf95faa32572d35b3cfdfb202266993f6e7624a2048c", "http://sexiezpics.com/tsara-brashears-hardcore-porn | https://www.sweetheartvideo.com/tsara-brashearsAccept-Language", "http://go.sabey.com http://vpn2.sabey.com | http://resources.sabeydatacenters.com | http://root.sabeydatacenters.com |", "https://wallpapers-nature.com/tsara-brashears/tse1-mm-bing-net https://www.sweetheartvideo.com/tsara-brashears/", "https://kompoz.me/find/tsara-brashears-submission-on-august-27-via-manual/ sexiezpics.com", "https://thebrotherssabey.com/feed/ | https://thebrotherssabey.com/discourse | https://thebrotherssabey.com/comments/feed/", "YARA: Matches rule MAL_RANSOM_REvil_Oct20_1 from ruleset crime_ransom_revil by Florian Roth (Nextron Systems)", "https://info.sabeydatacenters.com/emailPreference/epc/404532/EcSDdxFsTp4vgdAzwbcD5rWn7oROwp5s8Buq0L48dF0/732bdcab2311714bb73d4d507e6508d215afb4dbc511", "https://thebrotherssabey.com/2019/01/20/miracle/?share=twitter | https://thebrotherssabey.com/author/dbsabey/", "Emotet download site = dirt search.org / aws.dev and other related DGA\u2019s (active)", "www.anyxxxtube.net | sv2.mypornvid.fun | www.porn100.tv | www.redporn.video | https://www.anyxxxtube.net/search-porn/tsara-brashears/ phishing |", "http://hghltd.yandex.net/yandbtm?fmode=inject&url=http://siteinlink.d1.cnbd.net/search/tsara-brashears-assaulted-by-jeffrey-reimer", "http://onlyindianporn2.com/videos/vichatter-young-11//title/0.7292669771257236", "https://info.sabeydatacenters.com/webmail/404532/1590752290/6c9ed1e0b6b364689835e8c6bd51ed2198f99ee8ec7fa1924787e4e9b6382872", "https://videolal.co/videos/jeffrey-reimer-dpt-assaulted-tsara%20-brashears-massage-nearby.html", "myhotzpic.com pornohata.com pornstarsporno.net aninditaannisa.blogspot.com/2019/02/tsara-brashears", "YARA: Matches rule Windows_Ransomware_Sodinokibi_83f05fbe from ruleset Windows_Ransomware_Sodinokibi by Elastic Security", "http://sabey.com/construction/ | https://tulach.cc/ | sabeydatacenters.com | https://thebrotherssabey.com | http://root.sabeydatacenters.com/ No Expiration\t0\t URL http://server1.sabeydatacenters.com No Expiration\t0\t URL http://smtp1.sabeydatacenters.com No Expiration\t http://smtps.sabeydatacenters.com | http://smtpseguro.sabeydatacenters.com | http://staging.sabeydatacenters.com", "www.wwwgitlab.gitlab.git.git.gitlab.git.128-199-7-137.cprapid.com", "http://thebrotherssabey.com/2018 | https://thebrotherssabey.com/2019/01/20/miracle/ | https://thebrotherssabey.com/2019/07/08/suffering", "http://alohatube.xyz/search/tsara-brashears http://alohatube.xyz/search/tsara-brashears/", "tsara-brashears-deadspin-twitter-suspended-account-help.ht videolal.com wallpapers-nature.com www.sweetheartvideo.com", "https://xlxx.mobi phishing\thttps://2beeg.me https://2beeg.net https://www.redporn.video https://youjizz.sex 2beeg.me xlxx.mobi ladys.one", "http://videolal.com/jeffrey-reimer-dpt-assaulted-tsara-brashears-denver.html", "http://pornstarsporno.net/tsara-brashears.html http://vtwctr.org/explore/inmate-tsara-brashears/", "http://videolal.co/videos/jeffrey-reimer-dpt-assaulted-tsara-brashears-concentra-medic", "https://thebrotherssabey.com/category/pregnancy | https://thebrotherssabey.com/category/homosexuality", "https://thebrotherssabey.com/2015/08/24/why | https://thebrotherssabey.com/20 | https://thebrotherssabey.com | https://thebrotherssabey.com", "https://urlscan.io/domain/cdn2e-videos2.yjcontentdelivery.com | http://videolal.com/jeffrey-reimer-dpt-assaulted-tsara-brashears-denver.html", "http://onlyindianporn2.com/videos/tsara-brashears/ onlyindianporn2.com-porn.html aninditaannisa.blogspot.com porno-trash.net", "1a8fc49a4265fe146976/1523680312 | https://thebrotherssabey.com/2018/04/22/the | https://thebrotherssabey.com/2019/07/08/suffering", "https://otx.alienvault.com/malware/Ransom:Win32/Makop/", "YARA: Matches rule win_revil_auto from ruleset win.revil_auto by Felix Bilstein - yara-signator at cocacoding dot com", "https://thebrotherssabey.com | https://thebrotherssabey.com/2015/08/24/why | staging.sabeydatacenters.com |", "onlyindianporn.tv | sexpornimages.com | http://www.sexpornimages.com/hillary/hillary-clinton", "bfxxxhindi.to | https://www.anyxxxtube.net/search-porn/tsara-brashears/", "https://thebrotherssabey.com/2015/08/24/why | https://thebrotherssabey.com/2016/03/12/how | https://thebrotherssabey.com/2017/04/17/truth", "https://thebrotherssabey.com/comments/feed/ | https://thebrotherssabey.com/2019/01/20/miracle/", "RANSOM_REvil - https://www.nextron-systems.com/notes-on-virustotal-matches/", "Permissions requested: SE_DEBUG_PRIVILEGE SE_LOAD_DRIVER_PRIVILEGE", "https://thebrotherssabey.com/2018/12/05/nature | https://thebrotherssabey.com/2019/01/20/miracle/ | https://thebrotherssabey.com/20", "http://onlyindianporn.tv/videos/jeffrey-reimer-dpt-assaulted-tsara-brashears-concent | http://wapwon.live/category/tsara-brashears-assaulted-by-jeffrey-reimerAccept-Languauge", "https://mypornvid.fun/videos/3/o00vnGgcVx0/dude-sex-fuck-a-deer-wapporn-video-com/fuck-deer", "http://pornbitter.com/storage/tsara-brashears/ http://www.gdsl-pallemoebler.info/seach/tsara-brashears/ advocate-smyslova.ru", "YARA: Microsoft_Office_Documents_Excessive_Variables from ruleset Microsoft_Office_Documents_Excessive_Variables by InQuest Labs", "https://thebrotherssabey.com/2018/12/05/nature | https://thebrotherssabey.com/2017/04/17/truth", "https://thebrotherssabey.com/category/pregnancy | https://thebrotherssabey.com/discourse | onlyindianporn2.com", "http://siteinlink.d1.cnbd.net/search/tsara-brashears-dead/. http://www.music-forum.org/www-cixiu888-com-tsara-brashears.html", "pornhub.com/gay/video/search?search=tsara%2Blynn%2Bbrashears%2Blesbian", "YARA: Office_Document_with_VBA_Project from ruleset Office_Document_with_VBA_Project by InQuest Labs", "www.sexpornimages.com http://hicksandchicks.org/ju/tsara-brashears/ hlebo.mobi pornpx.com www.potnhub.org", "http://staging.sabeydatacenters.com | https://sabey.com/careers/ | https://vpn2.sabey.com | https://www.sabey.com | https://www.vpn.sabey.com |", "Behaviour: Extract file to system directory", "http://videolal.com/jeffrey-reimer-dpt-assaulted-tsara-brashears-medical.html", "https://kompoz2.com/tv/454575/blonde-slut-sara-jay-with-big-ass-is-fucked-in-doggy-style.html", "IDS: Matches rule SURICATA STREAM SHUTDOWN RST invalid ack", "https://info.sabeydatacenters.com/listUnsubscribeHeader/u/404532/732bdcab2311714bb73d4d507e6508d215afb4dbc5111a8fc49a4265fe14697", "https://videolal.com/videos/tsara-brashears-dead-by-daylight.html | tsara-brashears-deadspin-twitter-suspended-account-help.ht", "https://thebrotherssabey.com/2016/03/12/how | https://thebrotherssabey.com/2016/01/18/ballroom", "feestzalenvanvlaanderen.be www.gdsl-pallemoebler.info http://anybunny.tv/search/tsara-brashears-submission-on-august-27-via-manual.html&us", "http://itsupport.sabey.com http://www.sabey.com | http://root.sabeydatacenters.com/ | http://server1.sabeydatacenters.com | http://smtp1.sabeydatacenters.com No Expiration\t http://smtps.sabeydatacenters.com | http://smtpseguro.sabeydatacenters.com", "https://www.hybrid-analysis.com/sample/cb33f3d60a715436ab49ab7968c5a31410d0cd6b9d141b41b2362c02b59e2913/5e68effaec3f2e3f0c5237b8", "http://videolal.com/tsara-brashears-dead-or-alive-song-rap.html | http://videolal.com/tsara-brashears-dead.html |", "https://billpay.stcu.org/csp/ws/ALKAMI-S5M/html/PC_Remote_Role_Due_XP_Help/role1_faq_email_notifications.html billpay.stcu.org", "http://pixelrz.com/lists/keywords/tsara-brashears-assaulted-by-jeffrey-reimer http://pixelrz.com/lists/keywords/brashears-tsara-buzz-news", "http://www.xvxx.me/clips/nadia-ali-hardcore/199530/", "https://thebrotherssabey.com/2018/12/05/nature-of-scripture-part-5-conclusions/ | https://thebrotherssabey.com/2019/08/01/why", "http://www.tryporno.net/movies/tsara-brashears/ http://www.pixelrz.com/lists/keywords/tsara-brashears/", "https://info.sabeydatacenters.com/r/404532/1/1523680312/open/1 | http://onlyindianporn2.com/videos/dia-sabey/?p=13", "http://www.gdsl-pallemoebler.info/seach/tsara-brashears/ advocate-smyslova.ru feestzalenvanvlaanderen.be www.gdsl-pallemoebler.info", "storage.ladys.one ladys.one: | http://photos.ladys.one ladys.one: | http://porno.ladys.one ladys.one: | http://storage.ladys.one ladys.one: | http://xxx-videos.ladys.one ladys.one:", "http://www.sexpornimages.com/tsara/tsara-lynn-brashears-porn/7x56y.html", "https://thebrotherssabey.com/comments/feed/ | https://thebrotherssabey.com/category/pregnancy", "Xcitium Verdict Cloud government & legal - https://www.dirtsearch.org/data/TSARA/BRASHEARS/", "IDS: Matches rule SURICATA STREAM Packet with invalid ack", "https://www.sweetheartvideo.com/tsara-brashears/ | https://www.sweetheartvideo.com/tsara-brashearsAccept-Language", "https://thebrotherssabey.com/author/thebrotherssabey/ | https://thebrotherssabey.com/category/homosexuality", "https://SafeBae.org | https://www.sweetheartvideo.com/tsara-brashearsAccept-Language", "http://pixelrz.com/lists/keywords/%20dr-jeffrey-reimer-dpt-funds-tsara-brashears/ https://xlxx.mobi", "forceusercontent.com | sabey.com | tulach.cc | http://thebrotherssabey.com/2018m.sabeydatacenters.com | https://www.vpn.sabey.com/", "http://kompoz.me/find/tsara-brashears-submission-on-august-27-via-manual/ http://redpornvideos.net/tsara-brashears.html", "https://thebrotherssabey.com/author/thebrotherssabey/ | https://thebrotherssabey.com/author/dbsabey/", "http://siteinlink.d1.cnbd.net/search/tsara-brashears-dead/ | http://videolal.com/tsara-brashears-dead-by-daylight.html", "https://www.anyxxxtube.net/search-porn/tsara-brashears/ Domain mom2fuck.mobi https://youjizz.sex/tsara-brashears.html https://youjizz.sex", "http://pixelrz.com/lists/keywords/dr-jeffrey-reimer-dpt-funds-tsara-brashears/ orangeporntube.net www.tryporno.net", "Dr. Web known infection source", "http://browntubeporn.com/tsara-brashears.html browntubeporn.com http://pornvideoj.com/tsara-brashears.htm", "authsmtp.sabeydatacenters.com | go.sabey.com | thebrotherssabey.com | mx5.sabeydatacenters.com | posta.sabeydatacenters.com", "thebrotherssabey.wordpress.com | https://hallrender.com/attorney/brian-sabey", "anybunny.tv | http://anybunny.tv/search/eva-lisa | http://anybunny.tv/search/tsara-brashears-submission-on-august-27-via-manual.html&us", "http://videolal.co/videos/jeffrey-reimer-dpt-assaulted-tsara-brashears-concentra-medical-center", "Verdict: Defense Law Firm | malicious tools / agitators", "https://videolal.co/videos/jeffrey-reimer-dpt-assaulted-tsara-brashears-massage-nearby.html. |", "http://videolal.com/videos/jeffrey-reimer-dpt-assaulted-tsara-brashears-massage-sexual-misconduct-miscinception.html", "http://wapwon.live/category/tsara-brashears-assaulted-by-jeffrey-reimerAccept-Language http://www.music-forum.", "http://sexiezpics.com/tsara-brashears-hardcore-porn http://mypornvid.com/videos/27/x510fb2/white-dpt-jeffrey-reimer-loves-pretty-indian-patient-forces-sex-3gp-video-tsara-brashears/caillou-finger-family", "http://pixelrz.com/lists/keywords/tsara-brashears-massage-misconduct-misconception http://pixelrz.com/lists/keywords/tsara-brashears-dead/ http://orangeporntube.net/tsara-brashears.html", "http://videolal.com/videos/jeffrey-reimer-dpt-assaulted-tsara-brashears-massage-misconduct-miscinception.html", "bfxxxhindi.to www.bfxxxhindi.to https://www.bfxxxhindi.to tsara brashears bfxxxhindi.to https://www.bfxxxhindi.to/trend/eaUvPMTg3NzMytY07Q/", "Hostname aninditaannisa.blogspot.com No Expiration\t0\t URL aninditaannisa.blogspot.com/2019/02/tsara-brashears-porn.html billpay.stcu.org", "The sandbox Dr.Web vxCube flags this file as: MALWARE EXPLOIT", "The sandbox Zenbox flags this file as: EVADER", "http://siteinlink.d1.cnbd.net/site/maps.google.com.lb/ | https://www.applefilmaker.com | https://www.applefilmaker.com/1odbU3D", "http://www.bukaporn.net/trend/tsara-brashears/ http://onlyindianporn.tv/videos/jeffrey-reimer-dpt-assaulted-tsara-brashears-concentra", "remote.files.downloadnow-1.com | remote.sabeydatacenters.com | poczta.sabeydatacenters.com | pop.sabeydatacenters.com", "https://wallpapers-nature.com/ https://wallpapers-nature.com/%20tsara-brashears/urlscan-io", "http://flexporn.net/tsara-brashears.html http://onlyindianporn.net/videos/tsara-brashears/ http://pornbitter.com/storage/tsara-brashears/", "http://videolal.com/tsara-brashears-pueblo.html , http://videolal.com/tsara-brashears.html", "https://thebrotherssabey.wordpress.com/wp-admin/customize.php?url=https://thebrotherssabey.wordpress.com/", "thebrotherssabey.wordpress.com http://www.sabey.com | http://resources.sabeydatacenters.com | http://root.sabeydatacenters.com", "http://siteinlink.d1.cnbd.net/search/tsara-brashears-assaulted-by-jeffrey-reimer/" ], "related": { "alienvault": { "adversary": [], "malware_families": [], "industries": [], "unique_indicators": 0 }, "other": { "adversary": [ "Brian Sabey | Tulach | Sabey Data Centers" ], "malware_families": [ "Troj/docdl-sok", "Virus.neshta", "Win32/tofsee.ax", "Mirai", "Vb:trojan.agent.eezz", "Trojan/win32.bluecrab.r331768", "Ransom:win32/makop.pa!mtb", "Trojan.w97m.powload.smrv08", "Emotet", "Trojan:win32/muldrop", "Labeled as: ransom.sodinokibi.generic", "Trojan.w97m/emotetdldr", "Trojan.ransom.sodinokibi", "Static ai - malicious ole", "Doc.downloader.emotet-7196349-0", "Ransom_revil" ], "industries": [], "unique_indicators": 24692 } } }, "false_positive": [], "alexa": "http://www.alexa.com/siteinfo/dirtsearch.org", "whois": "http://whois.domaintools.com/dirtsearch.org", "domain": "dirtsearch.org", "hostname": "ds1.dirtsearch.org" }, "geo": {}, "geo_ipapicom": {}, "pulse_count": 20, "pulses": [ { "id": "6a040bf64fe2efef00132467", "name": "AWS.DEV | Ransom REevil | MaaS -Mirai , Makop , Sodinokibi | 6.13.25 Appears ti be ongoing ", "description": "", "modified": "2026-05-13T05:28:22.199000", "created": "2026-05-13T05:28:22.199000", "tags": [ "filehashmd5", "filehashsha1", "showing", "copyright", "levelblue", "packer entropy", "pe features", "pe unknown", "resource name", "allocates rwx", "network icmp", "antivm network", "exe nolookup", "proxy wpad", "dead host", "tools", "generic", "deletes self", "ransom", "evader", "active", "learn", "ck id", "name tactics", "suspicious", "informative", "installs", "adversaries", "windows", "modules", "registry", "persistence", "execution", "service", "united", "path", "flag", "date", "access type", "germany germany", "create", "http header", "tcp traffic", "et info", "entropy", "hybrid", "malicious", "general", "click", "strings", "inject", "remote", "encrypt files", "python", "global", "win32 exe", "pe32", "intel", "ms windows", "win32 dynamic", "link library", "win16 ne", "icons library", "os2 executable", "pe32 compiler", "overlay", "data", "pe32 executable", "borland delphi", "delphi generic", "md5 code", "empty hash", "file type", "success", "regopenkeyexw", "regopenkeyexa", "hkeycurrentuser", "virtualallocex", "createfilew", "genericread", "hkeyclassesroot", "genericwrite", "regsetvalueexw", "desktop", "webview", "mirai", "russsian data", "reevil", "money doc", "gmt flag", "server", "united kingdom", "france france", "ukraine ukraine", "llc name", "viet nam", "show", "cve", "bad traffic", "false", "error", "tags", "ipv4", "url https", "url http", "search", "type indicator", "role title", "added active", "related pulses", "entries", "monitor", "target", "members", "maas", "attack", "mitre att" ], "references": [ "RANSOM_REvil - https://www.nextron-systems.com/notes-on-virustotal-matches/", "YARA: Matches rule MAL_RANSOM_REvil_Oct20_1 from ruleset crime_ransom_revil by Florian Roth (Nextron Systems)", "YARA: Matches rule Windows_Ransomware_Sodinokibi_83f05fbe from ruleset Windows_Ransomware_Sodinokibi by Elastic Security", "YARA: Matches rule win_revil_auto from ruleset win.revil_auto by Felix Bilstein - yara-signator at cocacoding dot com", "https://otx.alienvault.com/malware/Ransom:Win32/Makop/", "https://www.hybrid-analysis.com/sample/cb33f3d60a715436ab49ab7968c5a31410d0cd6b9d141b41b2362c02b59e2913/5e68effaec3f2e3f0c5237b8", "https://www.hybrid-analysis.com/sample/cb33f3d60a715436ab49ab7968c5a31410d0cd6b9d141b41b2362c02b59e2913/5e68effaec3f2e3f0c5237b8", "Permissions requested: SE_DEBUG_PRIVILEGE SE_LOAD_DRIVER_PRIVILEGE", "Behaviour: Extract file to system directory" ], "public": 1, "adversary": "", "targeted_countries": [ "United States of America" ], "malware_families": [ { "id": "Ransom:Win32/Makop.PA!MTB", "display_name": "Ransom:Win32/Makop.PA!MTB", "target": "/malware/Ransom:Win32/Makop.PA!MTB" }, { "id": "Trojan/Win32.BlueCrab.R331768", "display_name": "Trojan/Win32.BlueCrab.R331768", "target": null }, { "id": "Trojan.Ransom.Sodinokibi", "display_name": "Trojan.Ransom.Sodinokibi", "target": null }, { "id": "Emotet", "display_name": "Emotet", "target": null }, { "id": "Virus.Neshta", "display_name": "Virus.Neshta", "target": null }, { "id": "Mirai", "display_name": "Mirai", "target": null }, { "id": "RANSOM_REvil", "display_name": "RANSOM_REvil", "target": null }, { "id": "Labeled as: Ransom.Sodinokibi.Generic", "display_name": "Labeled as: Ransom.Sodinokibi.Generic", "target": null } ], "attack_ids": [ { "id": "T1012", "name": "Query Registry", "display_name": "T1012 - Query Registry" }, { "id": "T1035", "name": "Service Execution", "display_name": "T1035 - Service Execution" }, { "id": "T1046", "name": "Network Service Scanning", "display_name": "T1046 - Network Service Scanning" }, { "id": "T1060", "name": "Registry Run Keys / Startup Folder", "display_name": "T1060 - Registry Run Keys / Startup Folder" }, { "id": "T1083", "name": "File and Directory Discovery", "display_name": "T1083 - File and Directory Discovery" }, { "id": "T1112", "name": "Modify Registry", "display_name": "T1112 - Modify Registry" }, { "id": "T1179", "name": "Hooking", "display_name": "T1179 - Hooking" }, { "id": "T1215", "name": "Kernel Modules and Extensions", "display_name": "T1215 - Kernel Modules and Extensions" }, { "id": "T1547", "name": "Boot or Logon Autostart Execution", "display_name": "T1547 - Boot or Logon Autostart Execution" }, { "id": "T1140", "name": "Deobfuscate/Decode Files or Information", "display_name": "T1140 - Deobfuscate/Decode Files or Information" }, { "id": "T1021", "name": "Remote Services", "display_name": "T1021 - Remote Services" }, { "id": "T1055", "name": "Process Injection", "display_name": "T1055 - Process Injection" }, { "id": "T1181", "name": "Extra Window Memory Injection", "display_name": "T1181 - Extra Window Memory Injection" }, { "id": "TA0003", "name": "Persistence", "display_name": "TA0003 - Persistence" }, { "id": "TA0005", "name": "Defense Evasion", "display_name": "TA0005 - Defense Evasion" }, { "id": "TA0004", "name": "Privilege Escalation", "display_name": "TA0004 - Privilege Escalation" }, { "id": "TA0002", "name": "Execution", "display_name": "TA0002 - Execution" }, { "id": "TA0010", "name": "Exfiltration", "display_name": "TA0010 - Exfiltration" }, { "id": "TA0008", "name": "Lateral Movement", "display_name": "TA0008 - Lateral Movement" }, { "id": "TA0009", "name": "Collection", "display_name": "TA0009 - Collection" } ], "industries": [], "TLP": "white", "cloned_from": "684cad9bc64e61ae0e6df4c1", "export_count": 0, "upvotes_count": 0, "downvotes_count": 0, "votes_count": 0, "locked": false, "pulse_source": "web", "validator_count": 0, "comment_count": 0, "follower_count": 0, "vote": 0, "author": { "username": "Q.Vashti", "id": "337942", "avatar_url": "https://otx.alienvault.com/assets/images/default-avatar.png", "is_subscribed": false, "is_following": false }, "indicator_type_counts": { "FileHash-MD5": 99, "FileHash-SHA1": 85, "FileHash-SHA256": 110, "URL": 83, "CVE": 1, "domain": 102, "hostname": 36 }, "indicator_count": 516, "is_author": false, "is_subscribing": null, "subscriber_count": 143, "modified_text": "18 days ago ", "is_modified": false, "groups": [], "in_group": false, "threat_hunter_scannable": true, "threat_hunter_has_agents": 1, "related_indicator_type": "URL", "related_indicator_is_active": 1 }, { "id": "6a040afa13cf077fedd59f36", "name": "Ransom REevil | AWS.DEV | MaaS -Mirai , Makop , Sodinokibi , FlyStudio + Campaign| Appears to be ongoing ", "description": "", "modified": "2026-05-13T05:24:10.262000", "created": "2026-05-13T05:24:10.262000", "tags": [ "filehashmd5", "filehashsha1", "showing", "copyright", "levelblue", "packer entropy", "pe features", "pe unknown", "resource name", "allocates rwx", "network icmp", "antivm network", "exe nolookup", "proxy wpad", "dead host", "tools", "generic", "deletes self", "ransom", "evader", "active", "learn", "ck id", "name tactics", "suspicious", "informative", "installs", "adversaries", "windows", "modules", "registry", "persistence", "execution", "service", "united", "path", "flag", "date", "access type", "germany germany", "create", "http header", "tcp traffic", "et info", "entropy", "hybrid", "malicious", "general", "click", "strings", "inject", "remote", "encrypt files", "python", "global", "win32 exe", "pe32", "intel", "ms windows", "win32 dynamic", "link library", "win16 ne", "icons library", "os2 executable", "pe32 compiler", "overlay", "data", "pe32 executable", "borland delphi", "delphi generic", "md5 code", "empty hash", "file type", "success", "regopenkeyexw", "regopenkeyexa", "hkeycurrentuser", "virtualallocex", "createfilew", "genericread", "hkeyclassesroot", "genericwrite", "regsetvalueexw", "desktop", "webview", "mirai", "russsian data", "reevil", "money doc", "gmt flag", "server", "united kingdom", "france france", "ukraine ukraine", "llc name", "viet nam", "show", "cve", "bad traffic", "false", "error", "tags", "ipv4", "url https", "url http", "search", "type indicator", "role title", "added active", "related pulses", "entries", "monitor", "target", "members", "maas", "attack", "mitre att" ], "references": [ "RANSOM_REvil - https://www.nextron-systems.com/notes-on-virustotal-matches/", "YARA: Matches rule MAL_RANSOM_REvil_Oct20_1 from ruleset crime_ransom_revil by Florian Roth (Nextron Systems)", "YARA: Matches rule Windows_Ransomware_Sodinokibi_83f05fbe from ruleset Windows_Ransomware_Sodinokibi by Elastic Security", "YARA: Matches rule win_revil_auto from ruleset win.revil_auto by Felix Bilstein - yara-signator at cocacoding dot com", "https://otx.alienvault.com/malware/Ransom:Win32/Makop/", "https://www.hybrid-analysis.com/sample/cb33f3d60a715436ab49ab7968c5a31410d0cd6b9d141b41b2362c02b59e2913/5e68effaec3f2e3f0c5237b8", "https://www.hybrid-analysis.com/sample/cb33f3d60a715436ab49ab7968c5a31410d0cd6b9d141b41b2362c02b59e2913/5e68effaec3f2e3f0c5237b8", "Permissions requested: SE_DEBUG_PRIVILEGE SE_LOAD_DRIVER_PRIVILEGE", "Behaviour: Extract file to system directory" ], "public": 1, "adversary": "", "targeted_countries": [ "United States of America" ], "malware_families": [ { "id": "Ransom:Win32/Makop.PA!MTB", "display_name": "Ransom:Win32/Makop.PA!MTB", "target": "/malware/Ransom:Win32/Makop.PA!MTB" }, { "id": "Trojan/Win32.BlueCrab.R331768", "display_name": "Trojan/Win32.BlueCrab.R331768", "target": null }, { "id": "Trojan.Ransom.Sodinokibi", "display_name": "Trojan.Ransom.Sodinokibi", "target": null }, { "id": "Emotet", "display_name": "Emotet", "target": null }, { "id": "Virus.Neshta", "display_name": "Virus.Neshta", "target": null }, { "id": "Mirai", "display_name": "Mirai", "target": null }, { "id": "RANSOM_REvil", "display_name": "RANSOM_REvil", "target": null }, { "id": "Labeled as: Ransom.Sodinokibi.Generic", "display_name": "Labeled as: Ransom.Sodinokibi.Generic", "target": null } ], "attack_ids": [ { "id": "T1012", "name": "Query Registry", "display_name": "T1012 - Query Registry" }, { "id": "T1035", "name": "Service Execution", "display_name": "T1035 - Service Execution" }, { "id": "T1046", "name": "Network Service Scanning", "display_name": "T1046 - Network Service Scanning" }, { "id": "T1060", "name": "Registry Run Keys / Startup Folder", "display_name": "T1060 - Registry Run Keys / Startup Folder" }, { "id": "T1083", "name": "File and Directory Discovery", "display_name": "T1083 - File and Directory Discovery" }, { "id": "T1112", "name": "Modify Registry", "display_name": "T1112 - Modify Registry" }, { "id": "T1179", "name": "Hooking", "display_name": "T1179 - Hooking" }, { "id": "T1215", "name": "Kernel Modules and Extensions", "display_name": "T1215 - Kernel Modules and Extensions" }, { "id": "T1547", "name": "Boot or Logon Autostart Execution", "display_name": "T1547 - Boot or Logon Autostart Execution" }, { "id": "T1140", "name": "Deobfuscate/Decode Files or Information", "display_name": "T1140 - Deobfuscate/Decode Files or Information" }, { "id": "T1021", "name": "Remote Services", "display_name": "T1021 - Remote Services" }, { "id": "T1055", "name": "Process Injection", "display_name": "T1055 - Process Injection" }, { "id": "T1181", "name": "Extra Window Memory Injection", "display_name": "T1181 - Extra Window Memory Injection" }, { "id": "TA0003", "name": "Persistence", "display_name": "TA0003 - Persistence" }, { "id": "TA0005", "name": "Defense Evasion", "display_name": "TA0005 - Defense Evasion" }, { "id": "TA0004", "name": "Privilege Escalation", "display_name": "TA0004 - Privilege Escalation" }, { "id": "TA0002", "name": "Execution", "display_name": "TA0002 - Execution" }, { "id": "TA0010", "name": "Exfiltration", "display_name": "TA0010 - Exfiltration" }, { "id": "TA0008", "name": "Lateral Movement", "display_name": "TA0008 - Lateral Movement" }, { "id": "TA0009", "name": "Collection", "display_name": "TA0009 - Collection" } ], "industries": [], "TLP": "white", "cloned_from": "684cad9bc64e61ae0e6df4c1", "export_count": 0, "upvotes_count": 0, "downvotes_count": 0, "votes_count": 0, "locked": false, "pulse_source": "web", "validator_count": 0, "comment_count": 3, "follower_count": 0, "vote": 0, "author": { "username": "Q.Vashti", "id": "337942", "avatar_url": "https://otx.alienvault.com/assets/images/default-avatar.png", "is_subscribed": false, "is_following": false }, "indicator_type_counts": { "FileHash-MD5": 99, "FileHash-SHA1": 85, "FileHash-SHA256": 110, "URL": 83, "CVE": 1, "domain": 102, "hostname": 36 }, "indicator_count": 516, "is_author": false, "is_subscribing": null, "subscriber_count": 143, "modified_text": "18 days ago ", "is_modified": false, "groups": [], "in_group": false, "threat_hunter_scannable": true, "threat_hunter_has_agents": 1, "related_indicator_type": "URL", "related_indicator_is_active": 1 }, { "id": "687d5d33d16ab7837e23bc01", "name": "howmanyofme.com - Packed | Palantir", "description": "howmanyofme.com was a honeypot. The names listed are potentially monitored targets. One was verified target.||\nhttp://howmanyofme.com/search/?given=Tsara&sur=Brashears/\nhttp://ww2.howmanyofme.com/people/Carrie_Henn/\nhttp://ww2.howmanyofme.com/people/Rockmond_Dunbar/\nhttp://howmanyofme.com/people/John_Hurt/\nhttp://howmanyofme.com/people/Mary_Gross/\nhttp://howmanyofme.com/people/Kenneth_Tobey/\nhttp://ww2.howmanyofme.com/people/Royce_Clayton/\n\n\n#Palantir # #honeypot #howmanyofme", "modified": "2025-09-18T23:05:18.490000", "created": "2025-07-20T21:18:43.974000", "tags": [ "united", "unknown ns", "a domains", "ip address", "search", "privacy service", "fbo registrant", "date", "entries", "how many", "destination", "port", "windows nt", "msie", "unknown", "et trojan", "poodle attack", "policy sslv3", "united kingdom", "suspicious", "copy", "virustotal", "malware", "write", "hostile", "next", "triton", "super node", "get reloaded", "x11 snf", "png image", "rgba", "post reloaded", "ascii text", "crlf line", "gnu message", "ms windows", "intel", "pe32", "host", "get babylon", "show", "babylon" ], "references": [], "public": 1, "adversary": "", "targeted_countries": [], "malware_families": [], "attack_ids": [ { "id": "T1060", "name": "Registry Run Keys / Startup Folder", "display_name": "T1060 - Registry Run Keys / Startup Folder" }, { "id": "T1119", "name": "Automated Collection", "display_name": "T1119 - Automated Collection" }, { "id": "T1047", "name": "Windows Management Instrumentation", "display_name": "T1047 - Windows Management Instrumentation" }, { "id": "T1055", "name": "Process Injection", "display_name": "T1055 - Process Injection" }, { "id": "T1057", "name": "Process Discovery", "display_name": "T1057 - Process Discovery" } ], "industries": [], "TLP": "green", "cloned_from": null, "export_count": 13, "upvotes_count": 0, "downvotes_count": 0, "votes_count": 0, "locked": false, "pulse_source": "web", "validator_count": 0, "comment_count": 0, "follower_count": 0, "vote": 0, "author": { "username": "Q.Vashti", "id": "337942", "avatar_url": "https://otx.alienvault.com/assets/images/default-avatar.png", "is_subscribed": false, "is_following": false }, "indicator_type_counts": { "URL": 7185, "domain": 706, "hostname": 1906, "email": 5, "FileHash-SHA256": 3645, "FileHash-MD5": 330, "FileHash-SHA1": 135, "CVE": 1 }, "indicator_count": 13913, "is_author": false, "is_subscribing": null, "subscriber_count": 144, "modified_text": "254 days ago ", "is_modified": true, "groups": [], "in_group": false, "threat_hunter_scannable": true, "threat_hunter_has_agents": 1, "related_indicator_type": "URL", "related_indicator_is_active": 1 }, { "id": "684cad9bc64e61ae0e6df4c1", "name": "Ransom REevil | AWS.DEV | MaaS", "description": "Malicious campaigners paid to target specific groups and individuals. Large ongoing operation.", "modified": "2025-07-13T22:02:31.447000", "created": "2025-06-13T23:00:43.338000", "tags": [ "filehashmd5", "filehashsha1", "showing", "copyright", "levelblue", "packer entropy", "pe features", "pe unknown", "resource name", "allocates rwx", "network icmp", "antivm network", "exe nolookup", "proxy wpad", "dead host", "tools", "generic", "deletes self", "ransom", "evader", "active", "learn", "ck id", "name tactics", "suspicious", "informative", "installs", "adversaries", "windows", "modules", "registry", "persistence", "execution", "service", "united", "path", "flag", "date", "access type", "germany germany", "create", "http header", "tcp traffic", "et info", "entropy", "hybrid", "malicious", "general", "click", "strings", "inject", "remote", "encrypt files", "python", "global", "win32 exe", "pe32", "intel", "ms windows", "win32 dynamic", "link library", "win16 ne", "icons library", "os2 executable", "pe32 compiler", "overlay", "data", "pe32 executable", "borland delphi", "delphi generic", "md5 code", "empty hash", "file type", "success", "regopenkeyexw", "regopenkeyexa", "hkeycurrentuser", "virtualallocex", "createfilew", "genericread", "hkeyclassesroot", "genericwrite", "regsetvalueexw", "desktop", "webview", "mirai", "russsian data", "reevil", "money doc", "gmt flag", "server", "united kingdom", "france france", "ukraine ukraine", "llc name", "viet nam", "show", "cve", "bad traffic", "false", "error", "tags", "ipv4", "url https", "url http", "search", "type indicator", "role title", "added active", "related pulses", "entries", "monitor", "target", "members", "maas", "attack", "mitre att" ], "references": [ "RANSOM_REvil - https://www.nextron-systems.com/notes-on-virustotal-matches/", "YARA: Matches rule MAL_RANSOM_REvil_Oct20_1 from ruleset crime_ransom_revil by Florian Roth (Nextron Systems)", "YARA: Matches rule Windows_Ransomware_Sodinokibi_83f05fbe from ruleset Windows_Ransomware_Sodinokibi by Elastic Security", "YARA: Matches rule win_revil_auto from ruleset win.revil_auto by Felix Bilstein - yara-signator at cocacoding dot com", "https://otx.alienvault.com/malware/Ransom:Win32/Makop/", "https://www.hybrid-analysis.com/sample/cb33f3d60a715436ab49ab7968c5a31410d0cd6b9d141b41b2362c02b59e2913/5e68effaec3f2e3f0c5237b8", "https://www.hybrid-analysis.com/sample/cb33f3d60a715436ab49ab7968c5a31410d0cd6b9d141b41b2362c02b59e2913/5e68effaec3f2e3f0c5237b8", "Permissions requested: SE_DEBUG_PRIVILEGE SE_LOAD_DRIVER_PRIVILEGE", "Behaviour: Extract file to system directory" ], "public": 1, "adversary": "", "targeted_countries": [ "United States of America" ], "malware_families": [ { "id": "Ransom:Win32/Makop.PA!MTB", "display_name": "Ransom:Win32/Makop.PA!MTB", "target": "/malware/Ransom:Win32/Makop.PA!MTB" }, { "id": "Trojan/Win32.BlueCrab.R331768", "display_name": "Trojan/Win32.BlueCrab.R331768", "target": null }, { "id": "Trojan.Ransom.Sodinokibi", "display_name": "Trojan.Ransom.Sodinokibi", "target": null }, { "id": "Emotet", "display_name": "Emotet", "target": null }, { "id": "Virus.Neshta", "display_name": "Virus.Neshta", "target": null }, { "id": "Mirai", "display_name": "Mirai", "target": null }, { "id": "RANSOM_REvil", "display_name": "RANSOM_REvil", "target": null }, { "id": "Labeled as: Ransom.Sodinokibi.Generic", "display_name": "Labeled as: Ransom.Sodinokibi.Generic", "target": null } ], "attack_ids": [ { "id": "T1012", "name": "Query Registry", "display_name": "T1012 - Query Registry" }, { "id": "T1035", "name": "Service Execution", "display_name": "T1035 - Service Execution" }, { "id": "T1046", "name": "Network Service Scanning", "display_name": "T1046 - Network Service Scanning" }, { "id": "T1060", "name": "Registry Run Keys / Startup Folder", "display_name": "T1060 - Registry Run Keys / Startup Folder" }, { "id": "T1083", "name": "File and Directory Discovery", "display_name": "T1083 - File and Directory Discovery" }, { "id": "T1112", "name": "Modify Registry", "display_name": "T1112 - Modify Registry" }, { "id": "T1179", "name": "Hooking", "display_name": "T1179 - Hooking" }, { "id": "T1215", "name": "Kernel Modules and Extensions", "display_name": "T1215 - Kernel Modules and Extensions" }, { "id": "T1547", "name": "Boot or Logon Autostart Execution", "display_name": "T1547 - Boot or Logon Autostart Execution" }, { "id": "T1140", "name": "Deobfuscate/Decode Files or Information", "display_name": "T1140 - Deobfuscate/Decode Files or Information" }, { "id": "T1021", "name": "Remote Services", "display_name": "T1021 - Remote Services" }, { "id": "T1055", "name": "Process Injection", "display_name": "T1055 - Process Injection" }, { "id": "T1181", "name": "Extra Window Memory Injection", "display_name": "T1181 - Extra Window Memory Injection" }, { "id": "TA0003", "name": "Persistence", "display_name": "TA0003 - Persistence" }, { "id": "TA0005", "name": "Defense Evasion", "display_name": "TA0005 - Defense Evasion" }, { "id": "TA0004", "name": "Privilege Escalation", "display_name": "TA0004 - Privilege Escalation" }, { "id": "TA0002", "name": "Execution", "display_name": "TA0002 - Execution" }, { "id": "TA0010", "name": "Exfiltration", "display_name": "TA0010 - Exfiltration" }, { "id": "TA0008", "name": "Lateral Movement", "display_name": "TA0008 - Lateral Movement" }, { "id": "TA0009", "name": "Collection", "display_name": "TA0009 - Collection" } ], "industries": [], "TLP": "white", "cloned_from": null, "export_count": 28, "upvotes_count": 0, "downvotes_count": 0, "votes_count": 0, "locked": false, "pulse_source": "web", "validator_count": 0, "comment_count": 0, "follower_count": 0, "vote": 0, "author": { "username": "Q.Vashti", "id": "337942", "avatar_url": "https://otx.alienvault.com/assets/images/default-avatar.png", "is_subscribed": false, "is_following": false }, "indicator_type_counts": { "FileHash-MD5": 99, "FileHash-SHA1": 85, "FileHash-SHA256": 110, "URL": 83, "CVE": 1, "domain": 102, "hostname": 36 }, "indicator_count": 516, "is_author": false, "is_subscribing": null, "subscriber_count": 142, "modified_text": "321 days ago ", "is_modified": true, "groups": [], "in_group": false, "threat_hunter_scannable": true, "threat_hunter_has_agents": 1, "related_indicator_type": "URL", "related_indicator_is_active": 1 }, { "id": "684c8fcde05dacb07f1a202e", "name": "Payment - Ref Id- H3426584.doc (aws.dev) Emotet", "description": "", "modified": "2025-07-13T20:04:30.723000", "created": "2025-06-13T20:53:33.231000", "tags": [ "learn more", "added active", "related pulses", "emotet", "malware", "get http", "dns resolutions", "resolved ips", "post http", "ua71173394", "ip address", "status code", "body length", "kb body", "media sharing", "known infection source", "spyware", "real estate", "compromised websites", "malware sites", "huge domains", "parking crew", "business", "malware service", "mas", "aws", "dev", "false", "error", "url https", "url http", "indicator role", "title added", "active related", "pulses", "showing", "entries", "sha256", "ttl value", "first", "privacy admin", "domain status", "redacted for", "server", "admin city", "country", "organization", "postal code", "stateprovince", "date", "key identifier", "x509v3 subject", "data", "v3 serial", "number", "algorithm", "cus olet", "encrypt cnr11", "validity", "subject public", "dirtsearch", "dns" ], "references": [ "Payment - Ref Id- H3426584.doc FileHash SHA256 ed2914efddb8e8f4c89abf95faa32572d35b3cfdfb202266993f6e7624a2048c", "The sandbox Zenbox flags this file as: EVADER", "The sandbox Dr.Web vxCube flags this file as: MALWARE EXPLOIT", "IDS: Matches rule SURICATA STREAM Packet with invalid ack", "IDS: Matches rule SURICATA STREAM SHUTDOWN RST invalid ack", "YARA: Office_Document_with_VBA_Project from ruleset Office_Document_with_VBA_Project by InQuest Labs", "YARA: Microsoft_Office_Documents_Excessive_Variables from ruleset Microsoft_Office_Documents_Excessive_Variables by InQuest Labs", "Dr. Web known infection source", "Emotet download site = dirt search.org / aws.dev and other related DGA\u2019s (active)", "Xcitium Verdict Cloud government & legal - https://www.dirtsearch.org/data/TSARA/BRASHEARS/", "DirtSearch.org | BitDefender business | Forcepoint ThreatSeeker reference materials | Xcitium Verdict Cloud government & legal", "Verdict: Defense Law Firm | malicious tools / agitators" ], "public": 1, "adversary": "", "targeted_countries": [], "malware_families": [ { "id": "Doc.Downloader.Emotet-7196349-0", "display_name": "Doc.Downloader.Emotet-7196349-0", "target": null }, { "id": "vb:Trojan.Agent.EEZZ", "display_name": "vb:Trojan.Agent.EEZZ", "target": null }, { "id": "trojan.w97m/emotetdldr", "display_name": "trojan.w97m/emotetdldr", "target": null }, { "id": "Troj/DocDl-SOK", "display_name": "Troj/DocDl-SOK", "target": null }, { "id": "Static AI - Malicious OLE", "display_name": "Static AI - Malicious OLE", "target": null }, { "id": "Trojan.W97M.POWLOAD.SMRV08", "display_name": "Trojan.W97M.POWLOAD.SMRV08", "target": null } ], "attack_ids": [ { "id": "T1588.001", "name": "Malware", "display_name": "T1588.001 - Malware" }, { "id": "T1447", "name": "Delete Device Data", "display_name": "T1447 - Delete Device Data" }, { "id": "T1578.003", "name": "Delete Cloud Instance", "display_name": "T1578.003 - Delete Cloud Instance" }, { "id": "T1583.001", "name": "Domains", "display_name": "T1583.001 - Domains" }, { "id": "T1102", "name": "Web Service", "display_name": "T1102 - Web Service" }, { "id": "T1036.004", "name": "Masquerade Task or Service", "display_name": "T1036.004 - Masquerade Task or Service" }, { "id": "T1114.001", "name": "Local Email Collection", "display_name": "T1114.001 - Local Email Collection" }, { "id": "T1110.002", "name": "Password Cracking", "display_name": "T1110.002 - Password Cracking" }, { "id": "T1512", "name": "Capture Camera", "display_name": "T1512 - Capture Camera" }, { "id": "T1105", "name": "Ingress Tool Transfer", "display_name": "T1105 - Ingress Tool Transfer" }, { "id": "T1204.002", "name": "Malicious File", "display_name": "T1204.002 - Malicious File" }, { "id": "T1457", "name": "Malicious Media Content", "display_name": "T1457 - Malicious Media Content" }, { "id": "T1204.001", "name": "Malicious Link", "display_name": "T1204.001 - Malicious Link" }, { "id": "T1204.003", "name": "Malicious Image", "display_name": "T1204.003 - Malicious Image" }, { "id": "T1071.004", "name": "DNS", "display_name": "T1071.004 - DNS" }, { "id": "T1185", "name": "Man in the Browser", "display_name": "T1185 - Man in the Browser" }, { "id": "T1523", "name": "Evade Analysis Environment", "display_name": "T1523 - Evade Analysis Environment" }, { "id": "T1610", "name": "Deploy Container", "display_name": "T1610 - Deploy Container" } ], "industries": [], "TLP": "white", "cloned_from": null, "export_count": 29, "upvotes_count": 0, "downvotes_count": 0, "votes_count": 0, "locked": false, "pulse_source": "web", "validator_count": 0, "comment_count": 0, "follower_count": 0, "vote": 0, "author": { "username": "Q.Vashti", "id": "337942", "avatar_url": "https://otx.alienvault.com/assets/images/default-avatar.png", "is_subscribed": false, "is_following": false }, "indicator_type_counts": { "FileHash-MD5": 37, "FileHash-SHA1": 44, "FileHash-SHA256": 117, "URL": 47, "domain": 41, "hostname": 43 }, "indicator_count": 329, "is_author": false, "is_subscribing": null, "subscriber_count": 144, "modified_text": "321 days ago ", "is_modified": true, "groups": [], "in_group": false, "threat_hunter_scannable": true, "threat_hunter_has_agents": 1, "related_indicator_type": "URL", "related_indicator_is_active": 1 }, { "id": "684c792c7a89d98470ecef31", "name": "aws.dev - Emotet - Hub for malicious activity", "description": "\u2022 Domain Name: aws.dev |\n\u2022 (DGA) https://www.google.com/search?client=ms-google-coop&q=%22deploy-delete-app-eu-west-1-0.deploy-delete-test-eu-west-1-oigwi9v.us-east-1.forgeapps.ec2.aws.dev%22&cx=003414466004237966221:dgg7iftvryo | \n\u2022 34.226.76.55 |\n\u2022\u2019domains.amazon | \n\u2022 devilspen.com |\n\u2022 aisux.aws.dev |\t\t\n\u2022 alex.aws.dev |\t\n\u2022 askjarvis.aws.dev |\n\u2022 atrium.aws.dev |\n\u2022 automated-runbooks.aws.dev |\nFalse 404 codes and Error pages - very active malicious behavior", "modified": "2025-07-13T18:02:18.648000", "created": "2025-06-13T19:17:00.818000", "tags": [ "united", "creation date", "search", "entries", "passive dns", "urls", "showing", "pulse pulses", "files", "domain", "dnssec", "expiration date", "unknown cname", "hostname add", "date", "redacted for", "email", "code", "organization", "privacy billing", "privacy tech", "postal code", "privacy admin", "com laude", "ltd dba", "nomiq", "limited dba", "admin city", "country", "stateprovince", "city", "mtb oct", "win32", "next associated", "mtb mar", "ipv4 add", "trojan", "apanas", "ransom", "body" ], "references": [], "public": 1, "adversary": "", "targeted_countries": [], "malware_families": [], "attack_ids": [], "industries": [], "TLP": "green", "cloned_from": null, "export_count": 32, "upvotes_count": 0, "downvotes_count": 0, "votes_count": 0, "locked": false, "pulse_source": "web", "validator_count": 0, "comment_count": 0, "follower_count": 0, "vote": 0, "author": { "username": "Q.Vashti", "id": "337942", "avatar_url": "https://otx.alienvault.com/assets/images/default-avatar.png", "is_subscribed": false, "is_following": false }, "indicator_type_counts": { "domain": 1111, "hostname": 1014, "URL": 2554, "FileHash-SHA256": 1461, "FileHash-MD5": 64, "email": 6, "FileHash-SHA1": 63 }, "indicator_count": 6273, "is_author": false, "is_subscribing": null, "subscriber_count": 144, "modified_text": "321 days ago ", "is_modified": true, "groups": [], "in_group": false, "threat_hunter_scannable": true, "threat_hunter_has_agents": 1, "related_indicator_type": "URL", "related_indicator_is_active": 1 }, { "id": "66d4916fa7338286448118a1", "name": "Jeffrey Scott Reimer DPT | Brian Sabey, SWIPPER -X.Com migration to Twitter ", "description": "", "modified": "2024-10-19T18:02:34.237000", "created": "2024-09-01T16:08:15.260000", "tags": [ "url https", "filehashsha256", "browse scan", "report spam", "author", "output", "tsara brashears", "created", "days ago", "showing", "trojan", "win32", "msil", "trojanspy", "virtool", "scan endpoints", "all search", "otx scoreblue", "author avatar", "fraud", "june", "worm", "search", "tsara type", "indicator role", "title added", "active related", "pulses url", "url http", "ipv6", "type indicator", "role title", "added active", "related pulses", "sort", "least", "researched", "f https", "scan", "iocs", "learn more", "filehashmd5", "hostname", "domain", "indicators show", "browser", "unsupported", "view", "continue", "watch tsara", "searchtsa", "brashears", "most relevant", "porn videos", "download", "google search", "open threat", "babe", "green", "daily", "play", "fullscreen", "tsara", "videos", "love", "top tsara", "xxx videos", "hardcore porn", "jeffrey reimer", "puts", "porn", "javascript", "body", "creation date", "record value", "united", "gmt content", "gmt max", "age900", "httponly x", "date", "unknown", "pragma", "levelblue", "exchange open", "threat exchange", "indicator", "safebae", "get involved", "anyone else", "press", "data reports", "teen students", "become", "chapter lead", "become a", "certified peer", "district", "brian sabey", "sabey data", "hallrender", "sabey data centers", "swipper", "mark b sabey", "m brian sabey", "2beeg", "thebrotherssabey", "urls", "show", "cloudflarenet", "us urlscan", "skip", "accessibility", "all images", "videos shopping", "forums news", "web more", "tools", "service", "malicious", "size", "recent", "off blur", "find", "summary", "securitytrails", "urlscan https", "tryporn", "icann whois", "data problem", "disclaimer", "judaporn", "kompoz", "blur filter", "search results", "xxxvideohd", "hacker news", "item", "url", "website", "web", "scanner", "analyze", "analyzer", "september", "domains", "sale worldwide", "street", "gate parkway", "stateprovince", "postal code", "route", "open", "watch", "links", "footer", "delete see", "delete c", "tofsee", "grum", "entries", "cape", "high", "total", "copy", "write", "malware", "patched", "next", "please" ], "references": [ "http://hghltd.yandex.net/yandbtm?fmode=inject&url=http://siteinlink.d1.cnbd.net/search/tsara-brashears-assaulted-by-jeffrey-reimer", "thebrotherssabey.wordpress.com | https://hallrender.com/attorney/brian-sabey", "https://twitter.com/ootiosum/status/1812208222150726029a4dmHAxV0M0QIHawADl4Qr4kDegUI-QEQAA&usg=AOvVaw37yALadqlgoR9_xlQ5B4Hm", "https://thebrotherssabey.wordpress.com/wp-admin/customize.php?url=https://thebrotherssabey.wordpress.com/", "https://SafeBae.org | https://www.sweetheartvideo.com/tsara-brashearsAccept-Language", "http://sexiezpics.com/tsara-brashears-hardcore-porn | https://www.sweetheartvideo.com/tsara-brashearsAccept-Language", "https://urlscan.io/domain/cdn2e-videos2.yjcontentdelivery.com | http://videolal.com/jeffrey-reimer-dpt-assaulted-tsara-brashears-denver.html", "https://www.google.com/search?client=ms-android-tcl-rvo2b&sca_esv=677ff2260c38da6a&sca_upv=1&q=tsara%20brashears&tbm=vid&source=lnms&fbs=AEQNm0Aa4sjWe7Rqy32pFwRj0UkWd8nbOJfsBGGB5IQQO6L3J5MIFhvnvU242yFxzEEp3BfRFWcyM5BvpTgNzM3vKj4sz-C2iLdc_0v0iAkScdtYjVPIGyVlvwujMCY6xcQ3LIupWIQPyPPfztGwIqpQ9H2EXqXXY4GBGq8hpekXoFuduDqktZzSriMQxAlKPjQviXaDVnUYcgWw9ejzcyECyIGanCUinw&sa=X&biw=1128&bih=1971&dpr=2&no_sw_cr=1&zx=1724209326040&sssc=1", "bfxxxhindi.to | https://www.anyxxxtube.net/search-porn/tsara-brashears/", "https://billpay.stcu.org/csp/ws/ALKAMI-S5M/html/PC_Remote_Role_Due_XP_Help/role1_faq_email_notifications.html billpay.stcu.org", "bfxxxhindi.to www.bfxxxhindi.to https://www.bfxxxhindi.to tsara brashears bfxxxhindi.to https://www.bfxxxhindi.to/trend/eaUvPMTg3NzMytY07Q/", "http://siteinlink.d1.cnbd.net/search/tsara-brashears-assaulted-by-jeffrey-reimer/", "http://siteinlink.d1.cnbd.net/search/tsara-brashears-dead/. http://www.music-forum.org/www-cixiu888-com-tsara-brashears.html", "https://www.pornhub.com/gifs/search?search=tsara+lynn+brashears+lesbian", "http://hghltd.yandex.net/yandbtm?fmode=inject&url=http://siteinlink.d1.cnbd.net/search/tsara-brashears-assaulted-by-jeffrey-reimer", "http://alohatube.xyz/search/tsara-brashears http://alohatube.xyz/search/tsara-brashears/", "http://videolal.com/videos/jeffrey-reimer-dpt-assaulted-tsara-brashears-massage-sexual-misconduct-miscinception.html", "http://videolal.co/videos/jeffrey-reimer-dpt-assaulted-tsara-brashears-concentra-medic", "http://videolal.co/videos/jeffrey-reimer-dpt-assaulted-tsara-brashears-concentra-medical-center", "http://videolal.com/jeffrey-reimer-dpt-assaulted-tsara-brashears-denver.html", "http://videolal.com/jeffrey-reimer-dpt-assaulted-tsara-brashears-medical.html", "http://videolal.com/videos/jeffrey-reimer-dpt-assaulted-tsara-brashears-massage-misconduct-miscinception.html", "http://videolal.com/tsara-brashears-assaulted-by-jeffrey-reimer.html http://videolal.com/tsara-brashears-dead-or-alive-song-rap.html", "http://videolal.com/tsara-brashears-pueblo.html , http://videolal.com/tsara-brashears.html", "http://pornbitter.com/storage/tsara-brashears/ http://www.gdsl-pallemoebler.info/seach/tsara-brashears/ advocate-smyslova.ru", "http://browntubeporn.com/tsara-brashears.html browntubeporn.com http://pornvideoj.com/tsara-brashears.htm", "pornhub.com/gay/video/search?search=tsara%2Blynn%2Bbrashears%2Blesbian", "feestzalenvanvlaanderen.be www.gdsl-pallemoebler.info http://anybunny.tv/search/tsara-brashears-submission-on-august-27-via-manual.html&us", "http://anybunny.tv/search/tsara-brashears-submission-on-august-27-via-manual.html&us www.tryporn.net", "http://www.gdsl-pallemoebler.info/seach/tsara-brashears/ advocate-smyslova.ru feestzalenvanvlaanderen.be www.gdsl-pallemoebler.info", "http://www.tryporn.net/seach/tsara-brashears/ hicksandchicks.org redpornvideos.net http://advocate-smyslova.ru/tsara-brashears/", "http://flexporn.net/tsara-brashears.html http://onlyindianporn.net/videos/tsara-brashears/ http://pornbitter.com/storage/tsara-brashears/", "http://pornpx.com/trends/tsara-brashears-submission-on-august-27-via-manual/1/ http://www.potnhub.org/tsara-brashears.html", "http://www.bukaporn.net/trend/tsara-brashears/ http://onlyindianporn.tv/videos/jeffrey-reimer-dpt-assaulted-tsara-brashears-concentra", "http://www.sexpornimages.com/tsara/tsara-lynn-brashears-porn/7x56y.html", "www.sexpornimages.com http://hicksandchicks.org/ju/tsara-brashears/ hlebo.mobi pornpx.com www.potnhub.org", "http://wapwon.live/category/tsara-brashears-assaulted-by-jeffrey-reimerAccept-Language http://www.music-forum.", "http://kompoz.me/find/tsara-brashears-submission-on-august-27-via-manual/ http://redpornvideos.net/tsara-brashears.html", "https://wallpapers-nature.com/ https://wallpapers-nature.com/%20tsara-brashears/urlscan-io", "https://wallpapers-nature.com/tsara-brashears/urlscan-io https://www.sweetheartvideo.com/tsara-brashears", "https://wallpapers-nature.com/tsara-brashears/tse1-mm-bing-net https://www.sweetheartvideo.com/tsara-brashears/", "https://www.sweetheartvideo.com/tsara-brashears/ | https://www.sweetheartvideo.com/tsara-brashearsAccept-Language", "https://www.sweetheartvideo.com/tsara-brashearsAccept-Language | https://wallpapers-nature.com/tsara-brashears/urlscan-io", "http://hghltd.yandex.net/yandbtm?fmode=inject&url=http://siteinlink.d1.cnbd.net/search/tsara-brashears-assaulted-by-jeffrey-reimer", "https://xlxx.mobi phishing\thttps://2beeg.me https://2beeg.net https://www.redporn.video https://youjizz.sex 2beeg.me xlxx.mobi ladys.one", "tsara-brashears-deadspin-twitter-suspended-account-help.ht videolal.com wallpapers-nature.com www.sweetheartvideo.com", "https://www.anyxxxtube.net/search-porn/tsara-brashears/ Domain mom2fuck.mobi https://youjizz.sex/tsara-brashears.html https://youjizz.sex", "http://amp.mypornvid.fun/videos/2/SLFGMWoQaCU/white-dpt-jeffrey-reimer-loves-pretty-indian-patient-forces-sex-3gp-video-tsara-brashears", "http://pixelrz.com/lists/keywords/tsara-brashears-assaulted-by-jeffrey-reimer http://pixelrz.com/lists/keywords/brashears-tsara-buzz-news", "http://pixelrz.com/lists/keywords/%20dr-jeffrey-reimer-dpt-funds-tsara-brashears/ https://xlxx.mobi", "http://pixelrz.com/lists/keywords/dr-jeffrey-reimer-dpt-funds-tsara-brashears/ orangeporntube.net www.tryporno.net", "http://pixelrz.com/lists/keywords/tsara-brashears-massage-misconduct-misconception http://pixelrz.com/lists/keywords/tsara-brashears-dead/ http://orangeporntube.net/tsara-brashears.html", "http://www.tryporno.net/movies/tsara-brashears/ http://www.pixelrz.com/lists/keywords/tsara-brashears/", "https://kompoz.me/find/tsara-brashears-submission-on-august-27-via-manual/ sexiezpics.com", "http://sexiezpics.com/tsara-brashears-hardcore-porn http://mypornvid.com/videos/27/x510fb2/white-dpt-jeffrey-reimer-loves-pretty-indian-patient-forces-sex-3gp-video-tsara-brashears/caillou-finger-family", "http://pixelrz.com/lists/keywords/tsara-brashears-assaulted-at-concentra/ http://pornohata.com/mov/tsara-brashears/", "http://onlyindianporn2.com/videos/tsara-brashears/ onlyindianporn2.com-porn.html aninditaannisa.blogspot.com porno-trash.net", "myhotzpic.com pornohata.com pornstarsporno.net aninditaannisa.blogspot.com/2019/02/tsara-brashears", "http://pornstarsporno.net/tsara-brashears.html http://vtwctr.org/explore/inmate-tsara-brashears/", "https://videolal.co/videos/jeffrey-reimer-dpt-assaulted-tsara%20-brashears-massage-nearby.html", "Hostname aninditaannisa.blogspot.com No Expiration\t0\t URL aninditaannisa.blogspot.com/2019/02/tsara-brashears-porn.html billpay.stcu.org", "http://hghltd.yandex.net/yandbtm?fmode=inject&url=http://siteinlink.d1.cnbd.net/search/tsara-brashears-assaulted-by-jeffrey-reimer", "https://thebrotherssabey.wordpress.com/wp-admin/customize.php?url=https://thebrotherssabey.wordpress.com/", "thebrotherssabey.wordpress.com http://www.sabey.com | http://resources.sabeydatacenters.com | http://root.sabeydatacenters.com", "http://go.sabey.com http://vpn2.sabey.com | http://resources.sabeydatacenters.com | http://root.sabeydatacenters.com |", "http://itsupport.sabey.com http://www.sabey.com | http://root.sabeydatacenters.com/ | http://server1.sabeydatacenters.com | http://smtp1.sabeydatacenters.com No Expiration\t http://smtps.sabeydatacenters.com | http://smtpseguro.sabeydatacenters.com", "http://sabey.com/construction/ | https://tulach.cc/ | sabeydatacenters.com | https://thebrotherssabey.com | http://root.sabeydatacenters.com/ No Expiration\t0\t URL http://server1.sabeydatacenters.com No Expiration\t0\t URL http://smtp1.sabeydatacenters.com No Expiration\t http://smtps.sabeydatacenters.com | http://smtpseguro.sabeydatacenters.com | http://staging.sabeydatacenters.com", "https://info.sabeydatacenters.com/webmail/404532/1590752290/6c9ed1e0b6b364689835e8c6bd51ed2198f99ee8ec7fa1924787e4e9b6382872", "forceusercontent.com | sabey.com | tulach.cc | http://thebrotherssabey.com/2018m.sabeydatacenters.com | https://www.vpn.sabey.com/", "root.sabeydatacenters.com | server1.sabeydatacenters.com | smtps.sabeydatacenters.com | smtpseguro.sabeydatacenters.com", "https://thebrotherssabey.com | https://thebrotherssabey.com/2015/08/24/why | staging.sabeydatacenters.com |", "authsmtp.sabeydatacenters.com | go.sabey.com | thebrotherssabey.com | mx5.sabeydatacenters.com | posta.sabeydatacenters.com", "remote.files.downloadnow-1.com | remote.sabeydatacenters.com | poczta.sabeydatacenters.com | pop.sabeydatacenters.com", "https://thebrotherssabey.com/2018/12/05/nature | https://thebrotherssabey.com/2019/01/20/miracle/ | https://thebrotherssabey.com/20", "https://thebrotherssabey.com/2015/08/24/why | https://thebrotherssabey.com/2016/03/12/how | https://thebrotherssabey.com/2017/04/17/truth", "https://thebrotherssabey.com/2016/01/18/ballroom | resources.sabeydatacenters.com | https://thebrotherssabey.com/feed/", "https://thebrotherssabey.com/comments/feed/ | mail2.sabeydatacenters.com | mails.sabeydatacenters.com | newmail.sabeydatacenters.com", "http://staging.sabeydatacenters.com | https://sabey.com/careers/ | https://vpn2.sabey.com | https://www.sabey.com | https://www.vpn.sabey.com |", "https://info.sabeydatacenters.com/emailPreference/epc/404532/EcSDdxFsTp4vgdAzwbcD5rWn7oROwp5s8Buq0L48dF0/732bdcab2311714bb73d4d507e6508d215afb4dbc511", "1a8fc49a4265fe146976/1523680312 | https://thebrotherssabey.com/2018/04/22/the | https://thebrotherssabey.com/2019/07/08/suffering", "https://info.sabeydatacenters.com/listUnsubscribeHeader/u/404532/732bdcab2311714bb73d4d507e6508d215afb4dbc5111a8fc49a4265fe14697", "https://info.sabeydatacenters.com/r/404532/1/1523680312/open/1 | http://onlyindianporn2.com/videos/dia-sabey/?p=13", "https://thebrotherssabey.com/category/pregnancy | https://thebrotherssabey.com/discourse | onlyindianporn2.com", "https://thebrotherssabey.com/2019/01/20/miracle/?share=twitter | https://thebrotherssabey.com/author/dbsabey/", "https://thebrotherssabey.com/author/thebrotherssabey/ | https://thebrotherssabey.com/category/homosexuality", "https://thebrotherssabey.com/2018/12/05/nature-of-scripture-part-5-conclusions/ | https://thebrotherssabey.com/2019/08/01/why", "mypornvid.fun | porn100.tv | amp.mypornvid.fun | cdn10.mypornvid.fun | cdn11.mypornvid.fun | cdn5.mypornvid.fun | cdn8.mypornvid.fun", "www.anyxxxtube.net | sv2.mypornvid.fun | www.porn100.tv | www.redporn.video | https://www.anyxxxtube.net/search-porn/tsara-brashears/ phishing |", "http://amp.mypornvid.fun/videos/2/SLFGMWoQaCU/white-dpt-jeffrey-reimer-loves-pretty-indian-patient-forces-sex-3gp-video-tsara-brashears", "anybunny.tv | http://anybunny.tv/search/eva-lisa | http://anybunny.tv/search/tsara-brashears-submission-on-august-27-via-manual.html&us", "https://videolal.co/videos/jeffrey-reimer-dpt-assaulted-tsara-brashears-massage-nearby.html. |", "http://onlyindianporn.tv/videos/jeffrey-reimer-dpt-assaulted-tsara-brashears-concent | http://wapwon.live/category/tsara-brashears-assaulted-by-jeffrey-reimerAccept-Languauge", "onlyindianporn.tv | sexpornimages.com | http://www.sexpornimages.com/hillary/hillary-clinton", "https://mypornvid.fun/videos/3/o00vnGgcVx0/dude-sex-fuck-a-deer-wapporn-video-com/fuck-deer", "http://www.sexpornimages.com/tsara/tsara-lynn-brashears-porn/7x56y.html", "http://siteinlink.d1.cnbd.net/search/tsara-brashears-dead/ | http://videolal.com/tsara-brashears-dead-by-daylight.html", "http://videolal.com/tsara-brashears-dead-or-alive-song-rap.html | http://videolal.com/tsara-brashears-dead.html |", "https://thebrotherssabey.com/comments/feed/ | https://thebrotherssabey.com/2019/01/20/miracle/", "https://videolal.com/videos/tsara-brashears-dead-by-daylight.html | tsara-brashears-deadspin-twitter-suspended-account-help.ht", "https://thebrotherssabey.com/2018/12/05/nature | https://thebrotherssabey.com/2017/04/17/truth", "https://thebrotherssabey.com/2016/03/12/how | https://thebrotherssabey.com/2016/01/18/ballroom", "https://thebrotherssabey.com/comments/feed/ | https://thebrotherssabey.com/category/pregnancy", "https://thebrotherssabey.com/feed/ | https://thebrotherssabey.com/discourse | https://thebrotherssabey.com/comments/feed/", "https://thebrotherssabey.com/2015/08/24/why | https://thebrotherssabey.com/20 | https://thebrotherssabey.com | https://thebrotherssabey.com", "http://thebrotherssabey.com/2018 | https://thebrotherssabey.com/2019/01/20/miracle/ | https://thebrotherssabey.com/2019/07/08/suffering", "https://thebrotherssabey.com/category/pregnancy | https://thebrotherssabey.com/category/homosexuality", "https://thebrotherssabey.com/author/thebrotherssabey/ | https://thebrotherssabey.com/author/dbsabey/", "http://siteinlink.d1.cnbd.net/site/maps.google.com.lb/ | https://www.applefilmaker.com | https://www.applefilmaker.com/1odbU3D", "www.wwwgitlab.gitlab.git.git.gitlab.git.128-199-7-137.cprapid.com", "https://thebrotherssabey.wordpress.com/wp-admin/customize.php?url=https://thebrotherssabey.wordpress.com/", "https://hallrender.com/attorney/brian-sabey | https://thebrotherssabey.com/2019/01/20/miracle/?share=twitter", "storage.ladys.one ladys.one: | http://photos.ladys.one ladys.one: | http://porno.ladys.one ladys.one: | http://storage.ladys.one ladys.one: | http://xxx-videos.ladys.one ladys.one:", "http://www.xvxx.me/clips/nadia-ali-hardcore/199530/", "https://kompoz2.com/tv/454575/blonde-slut-sara-jay-with-big-ass-is-fucked-in-doggy-style.html", "http://onlyindianporn2.com/videos/vichatter-young-11//title/0.7292669771257236" ], "public": 1, "adversary": "Brian Sabey | Tulach | Sabey Data Centers", "targeted_countries": [ "United States of America", "Netherlands", "United Kingdom of Great Britain and Northern Ireland" ], "malware_families": [ { "id": "Win32/Tofsee.AX", "display_name": "Win32/Tofsee.AX", "target": null }, { "id": "Trojan:Win32/Muldrop", "display_name": "Trojan:Win32/Muldrop", "target": "/malware/Trojan:Win32/Muldrop" } ], "attack_ids": [ { "id": "T1125", "name": "Video Capture", "display_name": "T1125 - Video Capture" }, { "id": "T1566", "name": "Phishing", "display_name": "T1566 - Phishing" }, { "id": "T1068", "name": "Exploitation for Privilege Escalation", "display_name": "T1068 - Exploitation for Privilege Escalation" }, { "id": "T1190", "name": "Exploit Public-Facing Application", "display_name": "T1190 - Exploit Public-Facing Application" }, { "id": "T1472", "name": "Generate Fraudulent Advertising Revenue", "display_name": "T1472 - Generate Fraudulent Advertising Revenue" }, { "id": "T1457", "name": "Malicious Media Content", "display_name": "T1457 - Malicious Media Content" }, { "id": "T1586.001", "name": "Social Media Accounts", "display_name": "T1586.001 - Social Media Accounts" }, { "id": "T1055.013", "name": "Process Doppelg\u00e4nging", "display_name": "T1055.013 - Process Doppelg\u00e4nging" }, { "id": "T1080", "name": "Taint Shared Content", "display_name": "T1080 - Taint Shared Content" }, { "id": "T1449", "name": "Exploit SS7 to Redirect Phone Calls/SMS", "display_name": "T1449 - Exploit SS7 to Redirect Phone Calls/SMS" } ], "industries": [], "TLP": "green", "cloned_from": "66ccbd92f716bb0ca0fda93d", "export_count": 24, "upvotes_count": 0, "downvotes_count": 0, "votes_count": 0, "locked": false, "pulse_source": "web", "validator_count": 0, "comment_count": 0, "follower_count": 0, "vote": 0, "author": { "username": "scoreblue", "id": "254100", "avatar_url": "/otxapi/users/avatar_image/media/avatars/user_254100/resized/80/avatar_3b9c358f36.png", "is_subscribed": false, "is_following": false }, "indicator_type_counts": { "FileHash-MD5": 121, "FileHash-SHA1": 116, "FileHash-SHA256": 935, "URL": 5882, "domain": 571, "hostname": 1418, "email": 9, "CIDR": 1, "SSLCertFingerprint": 1 }, "indicator_count": 9054, "is_author": false, "is_subscribing": null, "subscriber_count": 228, "modified_text": "588 days ago ", "is_modified": true, "groups": [], "in_group": false, "threat_hunter_scannable": true, "threat_hunter_has_agents": 1, "related_indicator_type": "URL", "related_indicator_is_active": 1 }, { "id": "6570a6896d409a11f01d7eeb", "name": "Keyloggers", "description": "", "modified": "2023-12-06T16:51:21.700000", "created": "2023-12-06T16:51:21.700000", "tags": [], "references": [], "public": 1, "adversary": "", "targeted_countries": [], "malware_families": [], "attack_ids": [], "industries": [], "TLP": "green", "cloned_from": null, "export_count": 8, "upvotes_count": 0, "downvotes_count": 0, "votes_count": 0, "locked": false, "pulse_source": "api", "validator_count": 0, "comment_count": 0, "follower_count": 0, "vote": 0, "author": { "username": "StreamMiningEx", "id": "262917", "avatar_url": "https://otx.alienvault.com/assets/images/default-avatar.png", "is_subscribed": false, "is_following": false }, "indicator_type_counts": { "CVE": 1, "FileHash-SHA256": 84, "domain": 28, "FileHash-MD5": 209, "FileHash-SHA1": 123, "hostname": 101, "URL": 20 }, "indicator_count": 566, "is_author": false, "is_subscribing": null, "subscriber_count": 109, "modified_text": "906 days ago ", "is_modified": false, "groups": [], "in_group": false, "threat_hunter_scannable": true, "threat_hunter_has_agents": 1, "related_indicator_type": "URL", "related_indicator_is_active": 1 }, { "id": "65709f71c6bd8f47a87bf64f", "name": "dirtsearch.org", "description": "", "modified": "2023-12-06T16:21:05.382000", "created": "2023-12-06T16:21:05.382000", "tags": [], "references": [], "public": 1, "adversary": "", "targeted_countries": [], "malware_families": [], "attack_ids": [], "industries": [], "TLP": "green", "cloned_from": null, "export_count": 7, "upvotes_count": 0, "downvotes_count": 0, "votes_count": 0, "locked": false, "pulse_source": "api", "validator_count": 0, "comment_count": 0, "follower_count": 0, "vote": 0, "author": { "username": "StreamMiningEx", "id": "262917", "avatar_url": "https://otx.alienvault.com/assets/images/default-avatar.png", "is_subscribed": false, "is_following": false }, "indicator_type_counts": { "CVE": 1, "FileHash-SHA256": 84, "domain": 28, "FileHash-MD5": 209, "FileHash-SHA1": 123, "hostname": 101, "URL": 20 }, "indicator_count": 566, "is_author": false, "is_subscribing": null, "subscriber_count": 109, "modified_text": "906 days ago ", "is_modified": false, "groups": [], "in_group": false, "threat_hunter_scannable": true, "threat_hunter_has_agents": 1, "related_indicator_type": "URL", "related_indicator_is_active": 1 }, { "id": "653f1aa3c6fa8fecdd6c8059", "name": "Keyloggers", "description": "", "modified": "2023-10-30T02:53:23.678000", "created": "2023-10-30T02:53:23.678000", "tags": [], "references": [], "public": 1, "adversary": "", "targeted_countries": [], "malware_families": [], "attack_ids": [], "industries": [], "TLP": "green", "cloned_from": "651345bec176120bb739fa07", "export_count": 8, "upvotes_count": 0, "downvotes_count": 0, "votes_count": 0, "locked": false, "pulse_source": "web", "validator_count": 0, "comment_count": 0, "follower_count": 0, "vote": 0, "author": { "username": "OctoSeek", "id": "243548", "avatar_url": "/otxapi/users/avatar_image/media/avatars/user_243548/resized/80/avatar_3b9c358f36.png", "is_subscribed": false, "is_following": false }, "indicator_type_counts": { "domain": 28, "hostname": 101, "URL": 20, "FileHash-MD5": 209, "FileHash-SHA1": 123, "FileHash-SHA256": 84, "CVE": 1 }, "indicator_count": 566, "is_author": false, "is_subscribing": null, "subscriber_count": 220, "modified_text": "944 days ago ", "is_modified": false, "groups": [], "in_group": false, "threat_hunter_scannable": true, "threat_hunter_has_agents": 1, "related_indicator_type": "URL", "related_indicator_is_active": 1 } ], "error": null, "vt": { "error": "VirusTotal rate limit reached. Try again shortly.", "indicator": "https://ds1.dirtsearch.org", "type": "URL" }, "abuseipdb": null, "urlhaus": { "indicator": "https://ds1.dirtsearch.org", "type": "URL", "found": false, "verdict": "clean", "error": null }, "from_cache": true, "_cached_at": 1780238386.3061113 }