{
  "type": "URL",
  "indicator": "https://foundry2sdbl.dvr.dn2.n-helix.com",
  "general": {
    "sections": [
      "general",
      "url_list",
      "http_scans",
      "screenshot"
    ],
    "indicator": "https://foundry2sdbl.dvr.dn2.n-helix.com",
    "type": "url",
    "type_title": "URL",
    "validation": [],
    "base_indicator": {
      "id": 4090190175,
      "indicator": "https://foundry2sdbl.dvr.dn2.n-helix.com",
      "type": "URL",
      "title": "",
      "description": "",
      "content": "",
      "access_type": "public",
      "access_reason": ""
    },
    "pulse_info": {
      "count": 7,
      "pulses": [
        {
          "id": "687f33a5ddf830e2f3e5acac",
          "name": "Trojan Dropper | Espionage | Keylogger affecting medical centers",
          "description": "PII and PHI at risk. Highest access spyware available infiltrates a small niche medical center. \ntrojandropper, keyloggers, advanced spyware, monitored rooms , mitre att, ||\nIDS: PROTOCOL-ICMP PATH MTU denial of service attempt \u2022  PROTOCOL-ICMP Destination Unreachable Fragmentation Needed and DF bit was set\n\n\u2022   https://foundry2sdbl.dvr.dn2.n-helix.com/\n\u2022 https://www.pegasustech.net/products/mobility-barcode-scanning/Data-collector-mobile-computer\n\n\u2022 \nrobloxlogger.com\n\u2022\n\nhttps://video.welnext.com\n\u2022\nhttps://app1.oceantg.com/sta40/views/personnelscreenview.aspx",
          "modified": "2025-08-21T06:00:20.607000",
          "created": "2025-07-22T06:45:57.499000",
          "tags": [
            "pegasus",
            "report spam",
            "gotham foundry",
            "espionage",
            "spinal cord",
            "injured created",
            "minutes ago",
            "strange",
            "foundry",
            "palantir",
            "alexa",
            "service",
            "url http",
            "url https",
            "type indicator",
            "role title",
            "added active",
            "related pulses",
            "ipv4",
            "united",
            "germany",
            "singapore",
            "netherlands",
            "iran",
            "india",
            "search",
            "domain",
            "hostname",
            "filehashmd5",
            "filehashsha1",
            "extraction",
            "data upload",
            "sc type",
            "dren aeu",
            "extr source",
            "ur data",
            "include",
            "review exclude",
            "sugges",
            "mtu denial",
            "matches rule",
            "needed",
            "df bit",
            "unique rule",
            "catalog tree",
            "c0002 wininet",
            "ta0005 command",
            "control ta0011",
            "get http",
            "resolved ips",
            "dns resolutions",
            "cloudflare",
            "flag",
            "server",
            "date",
            "contacted hosts",
            "ip address",
            "process details",
            "t1158",
            "hidden",
            "t1031",
            "modify existing",
            "t1053",
            "taskjob",
            "t1060",
            "run keys",
            "startup",
            "learn",
            "ck id",
            "name tactics",
            "suspicious",
            "informative",
            "adversaries",
            "spawns",
            "command",
            "found",
            "itre att",
            "show process",
            "prefetch8",
            "mitre att",
            "show technique",
            "ck matrix",
            "windows nt",
            "win64",
            "khtml",
            "gecko",
            "april",
            "hybrid",
            "general",
            "path",
            "click",
            "strings",
            "entries",
            "unknown ns",
            "creation date",
            "record value",
            "showing",
            "gmt content",
            "accept encoding",
            "encrypt",
            "checked url",
            "hostname server",
            "response ip",
            "address google",
            "safe browsing",
            "present jan"
          ],
          "references": [],
          "public": 1,
          "adversary": "",
          "targeted_countries": [],
          "malware_families": [],
          "attack_ids": [
            {
              "id": "T1031",
              "name": "Modify Existing Service",
              "display_name": "T1031 - Modify Existing Service"
            },
            {
              "id": "T1053",
              "name": "Scheduled Task/Job",
              "display_name": "T1053 - Scheduled Task/Job"
            },
            {
              "id": "T1060",
              "name": "Registry Run Keys / Startup Folder",
              "display_name": "T1060 - Registry Run Keys / Startup Folder"
            },
            {
              "id": "T1070",
              "name": "Indicator Removal on Host",
              "display_name": "T1070 - Indicator Removal on Host"
            },
            {
              "id": "T1096",
              "name": "NTFS File Attributes",
              "display_name": "T1096 - NTFS File Attributes"
            },
            {
              "id": "T1158",
              "name": "Hidden Files and Directories",
              "display_name": "T1158 - Hidden Files and Directories"
            },
            {
              "id": "T1057",
              "name": "Process Discovery",
              "display_name": "T1057 - Process Discovery"
            },
            {
              "id": "T1071",
              "name": "Application Layer Protocol",
              "display_name": "T1071 - Application Layer Protocol"
            },
            {
              "id": "T1480",
              "name": "Execution Guardrails",
              "display_name": "T1480 - Execution Guardrails"
            },
            {
              "id": "T1553",
              "name": "Subvert Trust Controls",
              "display_name": "T1553 - Subvert Trust Controls"
            },
            {
              "id": "T1568",
              "name": "Dynamic Resolution",
              "display_name": "T1568 - Dynamic Resolution"
            },
            {
              "id": "T1583",
              "name": "Acquire Infrastructure",
              "display_name": "T1583 - Acquire Infrastructure"
            }
          ],
          "industries": [],
          "TLP": "green",
          "cloned_from": null,
          "export_count": 7,
          "upvotes_count": 0,
          "downvotes_count": 0,
          "votes_count": 0,
          "locked": false,
          "pulse_source": "web",
          "validator_count": 0,
          "comment_count": 0,
          "follower_count": 0,
          "vote": 0,
          "author": {
            "username": "Q.Vashti",
            "id": "337942",
            "avatar_url": "https://otx.alienvault.com/assets/images/default-avatar.png",
            "is_subscribed": false,
            "is_following": false
          },
          "indicator_type_counts": {
            "URL": 2628,
            "domain": 472,
            "hostname": 880,
            "FileHash-SHA256": 805,
            "FileHash-MD5": 151,
            "FileHash-SHA1": 128,
            "CIDR": 1,
            "SSLCertFingerprint": 3,
            "email": 1
          },
          "indicator_count": 5069,
          "is_author": false,
          "is_subscribing": null,
          "subscriber_count": 138,
          "modified_text": "241 days ago ",
          "is_modified": true,
          "groups": [],
          "in_group": false,
          "threat_hunter_scannable": true,
          "threat_hunter_has_agents": 1,
          "related_indicator_type": "URL",
          "related_indicator_is_active": 1
        },
        {
          "id": "687f209a7416c10d7465b8fc",
          "name": "Gotham Foundry | Pegasus Espionage for Spinal Cord Injured",
          "description": "It\u2019s hard to tell if the same group is spying on a single target or everyone; themis issue puts everyone at risk. It\u2019s quite an elaborate strategy to use for people who leave there homes only to go medical facility. Strange medical facility with overtly bad acries already spying on disabled . Everything including bathroom is monitored.\nPegasus, Foundry, Palantir, Alexa , Special Forces.\nColorado based \u2018Unnamed\u2019 care center.Going way too far!",
          "modified": "2025-08-21T05:03:19.254000",
          "created": "2025-07-22T05:24:42.261000",
          "tags": [
            "strange medical",
            "facility",
            "overt bad",
            "actors",
            "disabled",
            "rims http",
            "type indicator",
            "role title",
            "added active",
            "related pulses",
            "filehashmd5",
            "entries",
            "medium",
            "high",
            "post https",
            "http",
            "ip address",
            "icmp traffic",
            "dns query",
            "http traffic",
            "http post",
            "windows nt",
            "copy",
            "malware",
            "checks",
            "virustotal api",
            "screenshots",
            "comments",
            "vendor finding",
            "notes avast",
            "win32",
            "alerts show",
            "search",
            "ck technique",
            "napolar",
            "service",
            "present jul",
            "error",
            "present mar",
            "files",
            "asn as26496",
            "whois registrar",
            "creation date",
            "pulses",
            "tags date",
            "otx telemetry",
            "spf record",
            "external",
            "present nov",
            "passive dns",
            "related nids",
            "urls",
            "files location",
            "india flag",
            "india related",
            "pulses otx",
            "google",
            "url http",
            "rims url",
            "pulse pulses",
            "united",
            "flag united",
            "get na",
            "microsoft word",
            "notes clamav",
            "ms defender",
            "mtb malware",
            "files matching",
            "number",
            "sample analysis",
            "hide samples",
            "mtb oct",
            "ipv4 add",
            "location india",
            "pune",
            "india asn",
            "win64",
            "trojan",
            "ipv4",
            "url https",
            "indicator role",
            "title added",
            "active related",
            "pulses ipv4",
            "source url"
          ],
          "references": [],
          "public": 1,
          "adversary": "",
          "targeted_countries": [],
          "malware_families": [],
          "attack_ids": [
            {
              "id": "T1158",
              "name": "Hidden Files and Directories",
              "display_name": "T1158 - Hidden Files and Directories"
            },
            {
              "id": "T1031",
              "name": "Modify Existing Service",
              "display_name": "T1031 - Modify Existing Service"
            },
            {
              "id": "T1053",
              "name": "Scheduled Task/Job",
              "display_name": "T1053 - Scheduled Task/Job"
            },
            {
              "id": "T1060",
              "name": "Registry Run Keys / Startup Folder",
              "display_name": "T1060 - Registry Run Keys / Startup Folder"
            },
            {
              "id": "T1070",
              "name": "Indicator Removal on Host",
              "display_name": "T1070 - Indicator Removal on Host"
            },
            {
              "id": "T1096",
              "name": "NTFS File Attributes",
              "display_name": "T1096 - NTFS File Attributes"
            }
          ],
          "industries": [],
          "TLP": "green",
          "cloned_from": null,
          "export_count": 12,
          "upvotes_count": 0,
          "downvotes_count": 0,
          "votes_count": 0,
          "locked": false,
          "pulse_source": "web",
          "validator_count": 0,
          "comment_count": 0,
          "follower_count": 0,
          "vote": 0,
          "author": {
            "username": "Q.Vashti",
            "id": "337942",
            "avatar_url": "https://otx.alienvault.com/assets/images/default-avatar.png",
            "is_subscribed": false,
            "is_following": false
          },
          "indicator_type_counts": {
            "URL": 52,
            "domain": 11,
            "hostname": 23,
            "FileHash-MD5": 117,
            "FileHash-SHA1": 115,
            "FileHash-SHA256": 115
          },
          "indicator_count": 433,
          "is_author": false,
          "is_subscribing": null,
          "subscriber_count": 137,
          "modified_text": "241 days ago ",
          "is_modified": true,
          "groups": [],
          "in_group": false,
          "threat_hunter_scannable": true,
          "threat_hunter_has_agents": 1,
          "related_indicator_type": "URL",
          "related_indicator_is_active": 1
        },
        {
          "id": "687f0f210ec1de4316b22522",
          "name": "Strange Medical Facility with Overt Bad Actors Spying on Disabled",
          "description": "Strange Medical Facility with Overt Bad Actors already Spying on Disabled. Everything including bathroom is monitored.\nfounderintech.com\nwww.galbutfamilyfoundation.com\t\nwpengine.com\t\nhttps://foundry2sdbl.dvr.dn2.n-helix.com\nhttp://foundry2sdbl.dvr.dn2.n-helix.com\npegasusthruster.com\t\nhttps://www.pegasusthruster.com/\t\nsmtp.pegasustech.net\nhttp://pegasusthruster.com/shoppegasus/includes/att",
          "modified": "2025-08-21T03:02:43.704000",
          "created": "2025-07-22T04:10:09.158000",
          "tags": [
            "date",
            "submit url",
            "analysis",
            "passive dns",
            "urls",
            "files",
            "ip address",
            "asn as13335",
            "whois registrar",
            "creation date",
            "extraction",
            "data",
            "extri",
            "include review",
            "iocs",
            "data upload",
            "united",
            "unknown aaaa",
            "search",
            "showing",
            "moved",
            "a domains",
            "record value",
            "body"
          ],
          "references": [],
          "public": 1,
          "adversary": "",
          "targeted_countries": [],
          "malware_families": [],
          "attack_ids": [],
          "industries": [],
          "TLP": "green",
          "cloned_from": null,
          "export_count": 13,
          "upvotes_count": 0,
          "downvotes_count": 0,
          "votes_count": 0,
          "locked": false,
          "pulse_source": "web",
          "validator_count": 0,
          "comment_count": 0,
          "follower_count": 0,
          "vote": 0,
          "author": {
            "username": "Q.Vashti",
            "id": "337942",
            "avatar_url": "https://otx.alienvault.com/assets/images/default-avatar.png",
            "is_subscribed": false,
            "is_following": false
          },
          "indicator_type_counts": {
            "URL": 6560,
            "FileHash-MD5": 121,
            "FileHash-SHA1": 125,
            "FileHash-SHA256": 3989,
            "domain": 1616,
            "hostname": 1876,
            "email": 3,
            "CVE": 2
          },
          "indicator_count": 14292,
          "is_author": false,
          "is_subscribing": null,
          "subscriber_count": 140,
          "modified_text": "241 days ago ",
          "is_modified": true,
          "groups": [],
          "in_group": false,
          "threat_hunter_scannable": true,
          "threat_hunter_has_agents": 1,
          "related_indicator_type": "URL",
          "related_indicator_is_active": 1
        },
        {
          "id": "68788dfd4a0943cb318c7137",
          "name": "DarkWatchman Chekin Activity",
          "description": "",
          "modified": "2025-08-16T06:02:36.091000",
          "created": "2025-07-17T05:45:33.250000",
          "tags": [
            "access ta0001",
            "defense evasion",
            "access ta0006",
            "command",
            "control ta0011",
            "impact ta0040",
            "catalog tree",
            "ob0005 defense",
            "evasion ob0006",
            "impact ob0008",
            "hashes cape",
            "sandbox",
            "docguard",
            "yomi hunter",
            "zenbox",
            "ip traffic",
            "pattern domains",
            "memory pattern",
            "urls https",
            "adversaries",
            "mitre att",
            "t1189 found",
            "clickable urls",
            "pdf execution",
            "t1036",
            "creates",
            "hide artifacts",
            "exploitation",
            "e1564 hidden",
            "files",
            "discovery e1082",
            "e1203 data",
            "vhash",
            "ssdeep",
            "file type",
            "pdf document",
            "magic pdf",
            "trid adobe",
            "format",
            "file size",
            "united",
            "as32934",
            "passive dns",
            "unknown",
            "scan endpoints",
            "all scoreblue",
            "ipv4",
            "pulse pulses",
            "urls",
            "status",
            "search",
            "showing",
            "server error",
            "certificate",
            "creation date",
            "high assurance",
            "server ca",
            "date",
            "body",
            "win32",
            "ransom",
            "entries",
            "icmp traffic",
            "packing t1045",
            "t1045",
            "pdb path",
            "pe resource",
            "show",
            "malware",
            "copy",
            "push",
            "write",
            "aaaa",
            "nxdomain",
            "united kingdom",
            "thailand",
            "vietnam",
            "as45430",
            "honduras",
            "indonesia",
            "mexico",
            "slovakia",
            "dynamicloader",
            "yara rule",
            "high",
            "ekyxe",
            "xe e",
            "eofae",
            "ee edcje4j",
            "tofsee",
            "windows",
            "medium",
            "stream",
            "grum",
            "as15169 google",
            "pulses",
            "record value",
            "error",
            "cname",
            "name servers",
            "ireland",
            "next",
            "federation asn",
            "as49505",
            "labs pulses",
            "trojan",
            "trojandropper",
            "related pulses",
            "file samples",
            "files matching",
            "date hash",
            "copyright",
            "all search",
            "reverse dns",
            "location united",
            "emails info",
            "expiration date",
            "as51167 contabo",
            "germany unknown",
            "a nxdomain",
            "as40021 contabo",
            "encrypt",
            "url http",
            "http",
            "ip address",
            "related nids",
            "files location",
            "ddos",
            "activity",
            "checkin",
            "win64",
            "mirai",
            "hosting",
            "files ip",
            "address",
            "czechia unknown",
            "as174 cogent",
            "asnone germany",
            "as15598",
            "as16625 akamai",
            "asnone united",
            "as20940",
            "as35994 akamai",
            "as12337 noris",
            "pulse submit",
            "url analysis",
            "backdoor",
            "gmt cache",
            "sameorigin",
            "443 ma2592000",
            "suspicious",
            "virtool",
            "emails",
            "domain name",
            "code",
            "brazil",
            "poland",
            "domain",
            "msie",
            "windows nt",
            "tcp syn",
            "resolverror",
            "exploit",
            "externalport",
            "internalport",
            "http headers",
            "home network",
            "demonbot",
            "andariel",
            "yara detections",
            "malware traffic",
            "nids",
            "dns query",
            "google safe",
            "browsing",
            "whois",
            "virustotal",
            "mtb apr",
            "asnone related",
            "open",
            "hash avast",
            "avg clamav",
            "msdefender apr",
            "as8075",
            "content type",
            "access",
            "cp bus",
            "cur cono",
            "fin ivdo",
            "onl our",
            "phy samo",
            "overview ip",
            "flag united",
            "hostname",
            "files domain",
            "as8068",
            "trojan features",
            "rsa tls",
            "issuing ca",
            "mirai variant",
            "useragent",
            "inbound",
            "realtek sdk",
            "miniigd upnp",
            "soap command",
            "activity mirai",
            "helloworld",
            "users",
            "alerts",
            "anomalous file",
            "recycle bin",
            "filehash",
            "av detections",
            "memcommit",
            "read c",
            "memreserve",
            "for privacy",
            "china unknown",
            "ag alberto",
            "pedraz",
            "holidaycheck ag",
            "project pi",
            "immobilien ag",
            "puma se",
            "kurt walther",
            "ag ingo",
            "kraupa",
            "timo salzsieder",
            "record type",
            "ttl value",
            "msms57295540",
            "subdomains",
            "ireland unknown",
            "analyzer paste",
            "iocs",
            "samples",
            "regsetvalueexa",
            "default",
            "regdword",
            "module load",
            "t1129",
            "http request",
            "process32nextw",
            "regbinary",
            "oxypumper",
            "tools",
            "dock",
            "april",
            "persistence",
            "execution",
            "download",
            "as62597 nsone",
            "echo request",
            "sweep",
            "payload hello",
            "world",
            "total",
            "please",
            "xport",
            "main",
            "look",
            "install",
            "servers",
            "found",
            "cnapple public",
            "accept",
            "chrome",
            "moved",
            "ssl certificate",
            "write c",
            "installcore",
            "june",
            "delphi",
            "as47846",
            "cookie",
            "as32787 akamai",
            "as714 apple",
            "m1",
            "onelouder",
            "brian sabey",
            "denver colorado",
            "fakedout threat",
            "gmt content",
            "x cache",
            "div div",
            "as8972 host",
            "france unknown",
            "registrar",
            "otx scoreblue",
            "address domain",
            "as24940 hetzner",
            "as44273 host",
            "asn as15598",
            "trojanspy",
            "mail spammer",
            "germany mail",
            "spammer",
            "hichina",
            "data redacted",
            "a domains",
            "wow64",
            "slcc2",
            "media center",
            "port",
            "powershell",
            "urls http",
            "tptjsw",
            "virus",
            "ids detections",
            "germany",
            "as8560",
            "austria",
            "as1921",
            "as14061",
            "whitelisted",
            "as16276",
            "script urls",
            "as16552 tiggee",
            "as9009 m247",
            "meta",
            "as29789",
            "detected m1",
            "mtb aug",
            "server",
            "as397241",
            "cryp",
            "hostmaster",
            "networks",
            "as19024",
            "gmt setcookie",
            "delete",
            "russia as49505",
            "sinkhole cookie",
            "value snkz",
            "pe32",
            "possible",
            "susp",
            "lnmp",
            "lnmp a",
            "licess",
            "shell",
            "as63949 linode",
            "as133618",
            "as21342",
            "cve201717215",
            "huawei remote",
            "huawei hg532",
            "malware worm",
            "gafgyt",
            "exploit none",
            "binbusybox",
            "delete c",
            "odigicert inc",
            "stwashington",
            "lredmond",
            "rsa ca",
            "cape",
            "nondns",
            "denver",
            "redacted for",
            "method status",
            "url hostname",
            "ip country",
            "type get",
            "date tue",
            "gmt contenttype",
            "connection",
            "cachecontrol",
            "expires thu",
            "gmt vary",
            "poland unknown",
            "title",
            "script domains",
            "updated date",
            "serce internetu",
            "cnc beacon",
            "javascript",
            "wsasend",
            "post",
            "delete shadows",
            "all quiet",
            "t1047",
            "instrumentation",
            "rpcs",
            "ms windows",
            "asnone dns",
            "http host",
            "ip check",
            "sha256",
            "bits",
            "adware malware",
            "etpro malware",
            "bios",
            "guard",
            "tulach",
            "spectrum",
            "cyber folks",
            "tsara brashears",
            ".pl",
            "contacted",
            "kryptikxp",
            "apple",
            "ios",
            "android",
            "sabey",
            "charter communications",
            "denvecolorado",
            "quantum fiber",
            "air force",
            "swipper",
            "masquerade",
            "hitmen",
            "mitm",
            "whitesky",
            "cyber warfare",
            "porn",
            "pornhub.software"
          ],
          "references": [
            "DISTINCTIO8.pdf",
            "FileHash - SHA256 001f0ebe975b5f5a7e5272f53455635cc938a5a0129417f7e79c39df6cf65657 | Yara Detections: stack_string",
            "IDS Detections: Win32/Tofsee.AX google.com connectivity check Non-DNS or Non-Compliant DNS traffic on DNS port Opcode 8 through 15 set",
            "Tofsee: 'google.com' |  https://www.gov50.icu |",
            "ET TROJAN Win32/DarkWatchman Checkin Activity (POST) ( This is true. They sit around watching, following...)",
            "Alerts: procmem_yara injection_inter_process creates_largekey network_bind persistence_autorun antivm_generic_disk",
            "Alerts: persistence_autorun_tasks spawns_dev_util cape_detected_threat injection_process_hollowing",
            "hubt.pornhub.com | www.pornhub.com | pornative.com",
            "https://www.pornhub.com/gifs/search?search=tsara+lynn+brashears+lesbian ||  pin.it || https://pin.it/",
            "www.sweetheartvideo.com || https://www.sweetheartvideo.com/tsara-brashears/",
            "Unix.Trojan.Mirai-6981169-0: FileHash - SHA256  fe00b364b6b8342e3ce0dd146902ac3330ab976e87aca6be666efde39ea485da",
            "IDS Detections: WGET Command Specifying Output in HTTP Headers",
            "IDS Detections: D-Link Devices Home Network Administration Protocol Command Execution",
            "Yara Detections: is__elf ,  DemonBot",
            "Alerts: dead_host network_icmp tcp_syn_scan nolookup_communication writes_to_stdout",
            "FileHash - SHA256  f32f6b229913d68daad937cc72a57aa45291a9d623109ed48938815aa7b6005c",
            "IDS Detections: Andariel Backdoor Activity (Checkin)",
            "Alerts: dead_host nids_malware_alert network_icmp nolookup_communication",
            "DDoS:Linux/Gafgyt : FileHash - SHA256  358c2bd5b9e925dc23894dec18ce486c03d743cde766ce298ac1e2f00d86f0b2",
            "IDS Detection: Realtek SDK Miniigd UPnP SOAP Command Execution CVE-2014-8361 - Outbound",
            "IDS Detection: Mirai Variant User-Agent (Inbound) WebShell Generic - wget http - POST",
            "IDS Detection: Observed Suspicious UA (Hello-World) Suspicious Activity potential UPnProxy",
            "http://vortex-nlb-http2-fed-us-taut-purple.nr-data.net/",
            "https://tulach.cc/ || tulach.cc || www-temp.metrobyt-mobile.com",
            "apple-reactivate.com | appleweb-aem.apple.com | apple.com | revoked-aprtr1-tr1g1.apple.com | network-framework.apple.com",
            "autodiscover.webcompanion.com || avc-gft-dashboard.apple.com || cac1-wwfde-wave.apple.com || demo27.apple.com",
            "* https://github.com/MSUDenverSystemsEngineering/Salt-Instructional-18/tree/master/AppDeployToolkit",
            "https://tulach.cc/ | tulach.cc |",
            "http://hallrender.com/attorney/brian-sabey | www-temp.metrobyt-mobile.com",
            "google.pl | aplikacja.ceidg.gov.pl | imaginecup.pl | microsoft.pl",
            "18teen.net | teensnow.com | grannies-porn.net | pornmd.com",
            "www.pornhubselect.com | pornhub.software"
          ],
          "public": 1,
          "adversary": "",
          "targeted_countries": [
            "United States of America",
            "Chile",
            "Morocco",
            "Taiwan",
            "Guatemala",
            "United Kingdom of Great Britain and Northern Ireland",
            "Ireland",
            "Kenya",
            "Peru",
            "Singapore",
            "Mexico",
            "Brazil",
            "Slovakia",
            "Spain",
            "Australia",
            "Belgium",
            "Germany",
            "Hungary",
            "Netherlands",
            "Russian Federation",
            "Japan",
            "Poland"
          ],
          "malware_families": [
            {
              "id": "Ransom",
              "display_name": "Ransom",
              "target": null
            },
            {
              "id": "Tofsee",
              "display_name": "Tofsee",
              "target": null
            },
            {
              "id": "TEL:CreateScheduledTask",
              "display_name": "TEL:CreateScheduledTask",
              "target": null
            },
            {
              "id": "Mirai",
              "display_name": "Mirai",
              "target": null
            },
            {
              "id": "Unix.Trojan.Mirai-6981169-0",
              "display_name": "Unix.Trojan.Mirai-6981169-0",
              "target": null
            },
            {
              "id": "Backdoor:Win32/Tofsee",
              "display_name": "Backdoor:Win32/Tofsee",
              "target": "/malware/Backdoor:Win32/Tofsee"
            },
            {
              "id": "Ransom:Win32/Haperlock",
              "display_name": "Ransom:Win32/Haperlock",
              "target": "/malware/Ransom:Win32/Haperlock"
            },
            {
              "id": "Trojan:Win32/Neurevt",
              "display_name": "Trojan:Win32/Neurevt",
              "target": "/malware/Trojan:Win32/Neurevt"
            },
            {
              "id": "DDoS:Linux/Gafgyt.YA!MTB",
              "display_name": "DDoS:Linux/Gafgyt.YA!MTB",
              "target": "/malware/DDoS:Linux/Gafgyt.YA!MTB"
            },
            {
              "id": "CVE-2017-17215",
              "display_name": "CVE-2017-17215",
              "target": null
            },
            {
              "id": "CVE-2023-27350",
              "display_name": "CVE-2023-27350",
              "target": null
            },
            {
              "id": "CVE-2014-8361",
              "display_name": "CVE-2014-8361",
              "target": null
            },
            {
              "id": "Trojan:Win32/Zombie.A",
              "display_name": "Trojan:Win32/Zombie.A",
              "target": "/malware/Trojan:Win32/Zombie.A"
            },
            {
              "id": "NIDS",
              "display_name": "NIDS",
              "target": null
            },
            {
              "id": "M1",
              "display_name": "M1",
              "target": null
            },
            {
              "id": "OneLouder",
              "display_name": "OneLouder",
              "target": null
            },
            {
              "id": "TrojanSpy",
              "display_name": "TrojanSpy",
              "target": null
            },
            {
              "id": "Win.Trojan.Sarwent-10012602-0",
              "display_name": "Win.Trojan.Sarwent-10012602-0",
              "target": null
            },
            {
              "id": "Virus:Win32/Sivis.A",
              "display_name": "Virus:Win32/Sivis.A",
              "target": "/malware/Virus:Win32/Sivis.A"
            },
            {
              "id": "Win.Trojan.Installcore-1177",
              "display_name": "Win.Trojan.Installcore-1177",
              "target": null
            },
            {
              "id": "Win.Malware.Oxypumper-6900435-0",
              "display_name": "Win.Malware.Oxypumper-6900435-0",
              "target": null
            },
            {
              "id": "Win.Malware.Qshell-9875653-0",
              "display_name": "Win.Malware.Qshell-9875653-0",
              "target": null
            }
          ],
          "attack_ids": [
            {
              "id": "T1003",
              "name": "OS Credential Dumping",
              "display_name": "T1003 - OS Credential Dumping"
            },
            {
              "id": "T1012",
              "name": "Query Registry",
              "display_name": "T1012 - Query Registry"
            },
            {
              "id": "T1036",
              "name": "Masquerading",
              "display_name": "T1036 - Masquerading"
            },
            {
              "id": "T1071",
              "name": "Application Layer Protocol",
              "display_name": "T1071 - Application Layer Protocol"
            },
            {
              "id": "T1082",
              "name": "System Information Discovery",
              "display_name": "T1082 - System Information Discovery"
            },
            {
              "id": "T1189",
              "name": "Drive-by Compromise",
              "display_name": "T1189 - Drive-by Compromise"
            },
            {
              "id": "T1203",
              "name": "Exploitation for Client Execution",
              "display_name": "T1203 - Exploitation for Client Execution"
            },
            {
              "id": "T1485",
              "name": "Data Destruction",
              "display_name": "T1485 - Data Destruction"
            },
            {
              "id": "T1564",
              "name": "Hide Artifacts",
              "display_name": "T1564 - Hide Artifacts"
            },
            {
              "id": "T1566",
              "name": "Phishing",
              "display_name": "T1566 - Phishing"
            },
            {
              "id": "T1573",
              "name": "Encrypted Channel",
              "display_name": "T1573 - Encrypted Channel"
            },
            {
              "id": "T1045",
              "name": "Software Packing",
              "display_name": "T1045 - Software Packing"
            },
            {
              "id": "T1055",
              "name": "Process Injection",
              "display_name": "T1055 - Process Injection"
            },
            {
              "id": "T1060",
              "name": "Registry Run Keys / Startup Folder",
              "display_name": "T1060 - Registry Run Keys / Startup Folder"
            },
            {
              "id": "T1140",
              "name": "Deobfuscate/Decode Files or Information",
              "display_name": "T1140 - Deobfuscate/Decode Files or Information"
            },
            {
              "id": "T1027",
              "name": "Obfuscated Files or Information",
              "display_name": "T1027 - Obfuscated Files or Information"
            },
            {
              "id": "T1040",
              "name": "Network Sniffing",
              "display_name": "T1040 - Network Sniffing"
            },
            {
              "id": "T1047",
              "name": "Windows Management Instrumentation",
              "display_name": "T1047 - Windows Management Instrumentation"
            },
            {
              "id": "T1057",
              "name": "Process Discovery",
              "display_name": "T1057 - Process Discovery"
            },
            {
              "id": "T1089",
              "name": "Disabling Security Tools",
              "display_name": "T1089 - Disabling Security Tools"
            },
            {
              "id": "T1112",
              "name": "Modify Registry",
              "display_name": "T1112 - Modify Registry"
            },
            {
              "id": "T1129",
              "name": "Shared Modules",
              "display_name": "T1129 - Shared Modules"
            },
            {
              "id": "T1143",
              "name": "Hidden Window",
              "display_name": "T1143 - Hidden Window"
            },
            {
              "id": "T1023",
              "name": "Shortcut Modification",
              "display_name": "T1023 - Shortcut Modification"
            },
            {
              "id": "T1204",
              "name": "User Execution",
              "display_name": "T1204 - User Execution"
            },
            {
              "id": "T1106",
              "name": "Native API",
              "display_name": "T1106 - Native API"
            },
            {
              "id": "T1119",
              "name": "Automated Collection",
              "display_name": "T1119 - Automated Collection"
            },
            {
              "id": "T1428",
              "name": "Exploit Enterprise Resources",
              "display_name": "T1428 - Exploit Enterprise Resources"
            },
            {
              "id": "T1210",
              "name": "Exploitation of Remote Services",
              "display_name": "T1210 - Exploitation of Remote Services"
            },
            {
              "id": "T1133",
              "name": "External Remote Services",
              "display_name": "T1133 - External Remote Services"
            }
          ],
          "industries": [],
          "TLP": "green",
          "cloned_from": "678f0dbdbc59dd2ea5656dcf",
          "export_count": 32,
          "upvotes_count": 0,
          "downvotes_count": 0,
          "votes_count": 0,
          "locked": false,
          "pulse_source": "web",
          "validator_count": 0,
          "comment_count": 1,
          "follower_count": 0,
          "vote": 0,
          "author": {
            "username": "Q.Vashti",
            "id": "337942",
            "avatar_url": "https://otx.alienvault.com/assets/images/default-avatar.png",
            "is_subscribed": false,
            "is_following": false
          },
          "indicator_type_counts": {
            "FileHash-MD5": 7596,
            "FileHash-SHA1": 3987,
            "FileHash-SHA256": 8622,
            "URL": 1922,
            "domain": 2530,
            "hostname": 2524,
            "email": 37,
            "CVE": 6,
            "SSLCertFingerprint": 6
          },
          "indicator_count": 27230,
          "is_author": false,
          "is_subscribing": null,
          "subscriber_count": 139,
          "modified_text": "246 days ago ",
          "is_modified": true,
          "groups": [],
          "in_group": false,
          "threat_hunter_scannable": true,
          "threat_hunter_has_agents": 1,
          "related_indicator_type": "URL",
          "related_indicator_is_active": 1
        },
        {
          "id": "68761742b83c406c6afc4a45",
          "name": "Egton Medical Information Systems | Mirai | Malware |  Cams",
          "description": "Egton Medical Information Systems Limited |  Lynn Green\nRawdon House Green Lane\nCity\tLeeds\nCountry\tGB (andrew.carr@e-mis.com)\n[http://www.camx.com/files/cb05_final_report_120805.aspx]\n\nRequires further research.\nPotentially patient data brokers, international PHI exchange,  stealth  monitoring. #mirai #malware #trojan #cams #target #medical_information_exchange",
          "modified": "2025-08-14T08:00:18.079000",
          "created": "2025-07-15T08:54:26.212000",
          "tags": [
            "egton medical",
            "limited name",
            "server",
            "date",
            "copy md5",
            "copy sha1",
            "copy sha256",
            "sha1",
            "sha256",
            "size",
            "beginstring",
            "segoe ui",
            "null",
            "type data",
            "refresh",
            "body",
            "span",
            "hybrid",
            "general",
            "click",
            "strings",
            "error",
            "tools",
            "look",
            "verify",
            "restart",
            "pattern match",
            "ascii text",
            "ck id",
            "show technique",
            "mitre att",
            "ck matrix",
            "show process",
            "utf8",
            "crlf line",
            "t1057",
            "local",
            "path",
            "learn",
            "name tactics",
            "suspicious",
            "informative",
            "command",
            "spawns",
            "evasion att",
            "t1480 execution",
            "discovery att",
            "serving ip",
            "address",
            "status code",
            "united",
            "passive dns",
            "entries",
            "gmt server",
            "ecacc",
            "ipv4 add",
            "pulse pulses",
            "urls",
            "files",
            "location united",
            "ddos",
            "activity",
            "checkin",
            "next associated",
            "win64",
            "win32",
            "url http",
            "url https",
            "indicator role",
            "title added",
            "active related",
            "pulses hostname",
            "type indicator",
            "role title",
            "added active",
            "related pulses",
            "ck techniques",
            "memcommit",
            "read c",
            "show",
            "search",
            "copy",
            "ip address",
            "high",
            "dns query",
            "medium",
            "write",
            "malware",
            "urlhttp",
            "url add",
            "http",
            "related nids",
            "files location",
            "flag united",
            "backdoor",
            "mtb jul",
            "please",
            "x msedge",
            "all ipv4",
            "open",
            "data upload",
            "extraction",
            "sc type",
            "failed",
            "extr",
            "include review",
            "name server",
            "status",
            "whois field",
            "value address",
            "rawdon house",
            "green lane",
            "city leeds",
            "country gb",
            "creation date",
            "dnssec",
            "domain",
            "servers",
            "present jul",
            "body xml",
            "error code",
            "message value",
            "time2017",
            "a domains",
            "name servers",
            "redacted for",
            "unknown aaaa",
            "script urls",
            "record value",
            "germany unknown",
            "certificate",
            "for privacy"
          ],
          "references": [],
          "public": 1,
          "adversary": "",
          "targeted_countries": [],
          "malware_families": [],
          "attack_ids": [
            {
              "id": "T1057",
              "name": "Process Discovery",
              "display_name": "T1057 - Process Discovery"
            },
            {
              "id": "T1071",
              "name": "Application Layer Protocol",
              "display_name": "T1071 - Application Layer Protocol"
            },
            {
              "id": "T1105",
              "name": "Ingress Tool Transfer",
              "display_name": "T1105 - Ingress Tool Transfer"
            },
            {
              "id": "T1480",
              "name": "Execution Guardrails",
              "display_name": "T1480 - Execution Guardrails"
            },
            {
              "id": "T1082",
              "name": "System Information Discovery",
              "display_name": "T1082 - System Information Discovery"
            }
          ],
          "industries": [],
          "TLP": "green",
          "cloned_from": null,
          "export_count": 13,
          "upvotes_count": 0,
          "downvotes_count": 0,
          "votes_count": 0,
          "locked": false,
          "pulse_source": "web",
          "validator_count": 0,
          "comment_count": 0,
          "follower_count": 0,
          "vote": 0,
          "author": {
            "username": "Q.Vashti",
            "id": "337942",
            "avatar_url": "https://otx.alienvault.com/assets/images/default-avatar.png",
            "is_subscribed": false,
            "is_following": false
          },
          "indicator_type_counts": {
            "domain": 107,
            "hostname": 192,
            "URL": 488,
            "FileHash-MD5": 136,
            "FileHash-SHA1": 130,
            "FileHash-SHA256": 169,
            "CVE": 1,
            "email": 6
          },
          "indicator_count": 1229,
          "is_author": false,
          "is_subscribing": null,
          "subscriber_count": 137,
          "modified_text": "248 days ago ",
          "is_modified": true,
          "groups": [],
          "in_group": false,
          "threat_hunter_scannable": true,
          "threat_hunter_has_agents": 1,
          "related_indicator_type": "URL",
          "related_indicator_is_active": 1
        },
        {
          "id": "6875e98438889e51b3fdd18f",
          "name": "Critical \u2022 Schedule system process - Mirai | Foundry Overwatch",
          "description": "",
          "modified": "2025-08-14T05:04:16.839000",
          "created": "2025-07-15T05:39:16.652000",
          "tags": [
            "win32 exe",
            "country",
            "include review",
            "exclude",
            "defense evasion",
            "access ta0006",
            "command",
            "control ta0011",
            "impact ta0040",
            "impact ob0008",
            "file system",
            "system oc0008",
            "match unknown",
            "adversaries",
            "match info",
            "info",
            "execution flow",
            "t1574 dll",
            "tries",
            "registry",
            "modify system",
            "process t1543",
            "unknown",
            "window",
            "ob0009 install",
            "ob0012 install",
            "insecure",
            "b0047 modify",
            "registry e1112",
            "hidden files",
            "registry run",
            "keys",
            "startup folder",
            "f0012 file",
            "critical",
            "united",
            "as15169",
            "delete c",
            "as16509",
            "show",
            "search",
            "intel",
            "ms windows",
            "entries",
            "medium",
            "worm",
            "copy",
            "write",
            "explorer",
            "malware",
            "next",
            "present jul",
            "status",
            "date",
            "ip address",
            "domain",
            "servers",
            "showing",
            "unknown ns",
            "related pulses",
            "pulses",
            "tags",
            "related tags",
            "more file",
            "type",
            "date april",
            "am size",
            "sha1 sha256",
            "as14618",
            "united kingdom",
            "as54113",
            "as15133 verizon",
            "top source",
            "top destination",
            "status domain",
            "ip whitelisted",
            "whitelisted",
            "tcp include",
            "source source",
            "oamazon",
            "cnamazon rsa",
            "odigicert inc",
            "sweden as20940",
            "as20940",
            "entries tls",
            "ip destination",
            "encrypt",
            "aaaa",
            "found",
            "certificate",
            "next associated",
            "urls show",
            "date checked",
            "error",
            "windows",
            "high",
            "yara detections",
            "installs",
            "checks",
            "filehash",
            "sha256 add",
            "themida",
            "data upload",
            "extraction",
            "md5 add",
            "av detections",
            "ids detections",
            "alerts",
            "analysis date",
            "file score",
            "win32",
            "ddos",
            "passive dns",
            "activity",
            "checkin",
            "win64",
            "mtb jan",
            "lowfi",
            "trojan",
            "ransom",
            "trojandropper",
            "yara",
            "nsis",
            "nss bv",
            "su data",
            "windo alerts",
            "andariel",
            "malware traffic",
            "nids",
            "icmp traffic",
            "dns query",
            "id deadhost",
            "connects",
            "andariel high",
            "richhash",
            "external",
            "virustotal api",
            "screenshots",
            "failed",
            "auurtonany data",
            "themida andarie",
            "present may",
            "japan unknown",
            "unknown cname",
            "domain add",
            "urls",
            "files",
            "http headers",
            "msie",
            "windows nt",
            "tcp syn",
            "resolverror",
            "externalport",
            "internalport",
            "wget command",
            "devices home",
            "execution",
            "foundry",
            "home networks",
            "mirai",
            "x.com",
            "porn",
            "monitored target",
            "d link",
            "targets"
          ],
          "references": [
            "TJprojMain.exe {79c7303a1a49b85569245a8ca1c1a26be720387845af9391fa1e4677308bd6b6}",
            "Crowdsourced Sigma: Schedule system process by Joe Security",
            "Sigma \u2022 Suspicious Process Masquerading As SvcHost.EXE by Swachchhanda Shrawan Poudel",
            "Sigma \u2022 System File Execution Location Anomaly by Florian Roth (Nextron Systems), Patrick Bareiss, Anton Kutepov, oscd.community, Nasreddine Bencherchali (Nextron Systems)",
            "Yara \u2022  NSIS from ruleset NSIS by kevoreilly",
            "Yara \u2022 rule SUSP_Imphash_Mar23_2 from ruleset gen_imphash_detection by Arnim Rupp (https://github.com/ruppde)",
            "Yara \u2022 Windows_Generic_Threat_7526f106 from ruleset Windows_Generic_Threat by Elastic Security",
            "Alerts: persistence_autorun \u2022 persistence_autorun_tasks stealth_hiddenreg \u2022 suspicious_command",
            "IDS: Observed Cloudflare DNS over HTTPS Domain (cloudflare-dns .com in TLS SNI)",
            "Mirai - ]1.0.0.0 - Unix.Trojan.Mirai-6981169-0",
            "*Themida_2xx. Oreans,Technologies",
            "*Andariel Backdoor Activity (Checkin)",
            "Alert: dead_host nids_malware_alert network_icmp nolookup_communication",
            "IDS: WGET Command Specifying Output in HTTP Headers",
            "IDS: D-Link Devices Home Network Administration Protocol Command Execution",
            "foundry2-lbl.dvr.dn2.n-helix.com \u2022 http://foundry2sdbl.dvr.dn2.n-helix.com \u2022 https://foundry2sdbl",
            "https://xn--72c9abh1f8ad1lzc.com/video_tag/pornthai/ \u2022 https://ro.theskinnyfoodco.com/en-fr/blogs/recipes/pornstar-martini-recipe \u2022 m.pornsexer.xxx.3.1.adiosfil.roksit.net",
            "x.com \u2022 nr-data.net \u2022 apple.k8s.joewa.com",
            "http://apple.cc.lvlid.com/ \u2022 http://apple.cc.lvlid.com/ios/ \u2022 http://www.apple.cc.lvlid.com/ios",
            "Devices remotely connected, tracked , monitored"
          ],
          "public": 1,
          "adversary": "",
          "targeted_countries": [
            "United States of America"
          ],
          "malware_families": [
            {
              "id": "Worm:Win32/Mofksys.RND!MTB",
              "display_name": "Worm:Win32/Mofksys.RND!MTB",
              "target": "/malware/Worm:Win32/Mofksys.RND!MTB"
            },
            {
              "id": "Unix.Trojan.Mirai-6981169-0",
              "display_name": "Unix.Trojan.Mirai-6981169-0",
              "target": null
            },
            {
              "id": "Win.Malware.Ursu-9856871-0",
              "display_name": "Win.Malware.Ursu-9856871-0",
              "target": null
            },
            {
              "id": "ELF:DDoS-Y\\ [Trj]",
              "display_name": "ELF:DDoS-Y\\ [Trj]",
              "target": null
            }
          ],
          "attack_ids": [
            {
              "id": "T1010",
              "name": "Application Window Discovery",
              "display_name": "T1010 - Application Window Discovery"
            },
            {
              "id": "T1027",
              "name": "Obfuscated Files or Information",
              "display_name": "T1027 - Obfuscated Files or Information"
            },
            {
              "id": "T1036",
              "name": "Masquerading",
              "display_name": "T1036 - Masquerading"
            },
            {
              "id": "T1055",
              "name": "Process Injection",
              "display_name": "T1055 - Process Injection"
            },
            {
              "id": "T1056",
              "name": "Input Capture",
              "display_name": "T1056 - Input Capture"
            },
            {
              "id": "T1057",
              "name": "Process Discovery",
              "display_name": "T1057 - Process Discovery"
            },
            {
              "id": "T1070",
              "name": "Indicator Removal on Host",
              "display_name": "T1070 - Indicator Removal on Host"
            },
            {
              "id": "T1071",
              "name": "Application Layer Protocol",
              "display_name": "T1071 - Application Layer Protocol"
            },
            {
              "id": "T1082",
              "name": "System Information Discovery",
              "display_name": "T1082 - System Information Discovery"
            },
            {
              "id": "T1083",
              "name": "File and Directory Discovery",
              "display_name": "T1083 - File and Directory Discovery"
            },
            {
              "id": "T1112",
              "name": "Modify Registry",
              "display_name": "T1112 - Modify Registry"
            },
            {
              "id": "T1129",
              "name": "Shared Modules",
              "display_name": "T1129 - Shared Modules"
            },
            {
              "id": "T1134",
              "name": "Access Token Manipulation",
              "display_name": "T1134 - Access Token Manipulation"
            },
            {
              "id": "T1485",
              "name": "Data Destruction",
              "display_name": "T1485 - Data Destruction"
            },
            {
              "id": "T1497",
              "name": "Virtualization/Sandbox Evasion",
              "display_name": "T1497 - Virtualization/Sandbox Evasion"
            },
            {
              "id": "T1543",
              "name": "Create or Modify System Process",
              "display_name": "T1543 - Create or Modify System Process"
            },
            {
              "id": "T1547",
              "name": "Boot or Logon Autostart Execution",
              "display_name": "T1547 - Boot or Logon Autostart Execution"
            },
            {
              "id": "T1562",
              "name": "Impair Defenses",
              "display_name": "T1562 - Impair Defenses"
            },
            {
              "id": "T1564",
              "name": "Hide Artifacts",
              "display_name": "T1564 - Hide Artifacts"
            },
            {
              "id": "T1574",
              "name": "Hijack Execution Flow",
              "display_name": "T1574 - Hijack Execution Flow"
            },
            {
              "id": "T1060",
              "name": "Registry Run Keys / Startup Folder",
              "display_name": "T1060 - Registry Run Keys / Startup Folder"
            },
            {
              "id": "T1512",
              "name": "Capture Camera",
              "display_name": "T1512 - Capture Camera"
            },
            {
              "id": "T1125",
              "name": "Video Capture",
              "display_name": "T1125 - Video Capture"
            },
            {
              "id": "T1449",
              "name": "Exploit SS7 to Redirect Phone Calls/SMS",
              "display_name": "T1449 - Exploit SS7 to Redirect Phone Calls/SMS"
            }
          ],
          "industries": [
            "Healthcare",
            "Technology"
          ],
          "TLP": "white",
          "cloned_from": null,
          "export_count": 23,
          "upvotes_count": 0,
          "downvotes_count": 0,
          "votes_count": 0,
          "locked": false,
          "pulse_source": "web",
          "validator_count": 0,
          "comment_count": 0,
          "follower_count": 0,
          "vote": 0,
          "author": {
            "username": "Q.Vashti",
            "id": "337942",
            "avatar_url": "https://otx.alienvault.com/assets/images/default-avatar.png",
            "is_subscribed": false,
            "is_following": false
          },
          "indicator_type_counts": {
            "FileHash-MD5": 448,
            "FileHash-SHA1": 435,
            "FileHash-SHA256": 5851,
            "hostname": 2580,
            "domain": 1176,
            "URL": 7133,
            "SSLCertFingerprint": 30,
            "email": 3,
            "CVE": 3
          },
          "indicator_count": 17659,
          "is_author": false,
          "is_subscribing": null,
          "subscriber_count": 140,
          "modified_text": "248 days ago ",
          "is_modified": true,
          "groups": [],
          "in_group": false,
          "threat_hunter_scannable": true,
          "threat_hunter_has_agents": 1,
          "related_indicator_type": "URL",
          "related_indicator_is_active": 1
        },
        {
          "id": "6872f4c510c590b7cdc5ff6a",
          "name": "Crowdsourced Collection of PayPal Mafia Monster - Foundry\u2019s Palantair",
          "description": "Americans are investing in what Edward Snowden foretold of\u2026 your future from beginning to end will  predict how you will be treated. Preemptively policing people even if you have to make up a past.. |\n\nThe New York Times\nMay 30, 2025 \u2014 The Trump administration has expanded Palantir's work with the government, spreading the company's technology \u2014 which could easily merge data on ...\nFormer Palantir workers condemn company's work with ...\n\nNPR\nMay 5, 2025 \u2014 Thirteen former employees of influential data-mining firm Palantir are condemning the company's work with the Trump administration.\nWyden AOC Palantir Letter 061725\n\nSenate Finance (.gov)\nJun 17, 2025 \u2014 The Trump Administration has spent taxpayer dollars on Palantir software at numerous other government agencies and paid it billions of dollars ...\n#foundry #rip #palantir #jeffreyreimerdpt #lawenforcement #twitter #tsarabrashearsblessed #apple #privacynow #fightforprivacy #sabey #hallrender",
          "modified": "2025-08-11T23:02:24.583000",
          "created": "2025-07-12T23:50:29.847000",
          "tags": [
            "url https",
            "url http",
            "type indicator",
            "role title",
            "added active",
            "related pulses",
            "entries",
            "indicator role",
            "title added",
            "active related",
            "pulses",
            "enter source",
            "urior exirag",
            "diri type",
            "data upload",
            "extraction",
            "failed",
            "included iocs",
            "review iocs",
            "find sugge",
            "extr extract",
            "in data",
            "extract",
            "type",
            "u extractio",
            "extra",
            "review ic",
            "ipv4",
            "pulses hostname",
            "accountunlock",
            "united",
            "ireland",
            "canada",
            "brazil",
            "sweden",
            "australia",
            "search",
            "scan",
            "iocs",
            "learn more",
            "filehashsha1",
            "filehashmd5",
            "types of",
            "extra data",
            "included review",
            "china",
            "colombia",
            "filepath https",
            "enter sc",
            "extr data",
            "include review",
            "exclude sugges",
            "filehashsha256",
            "hostname",
            "dicators japan",
            "url tor",
            "extrac data",
            "ic excluded",
            "suggeste",
            "stop",
            "type no",
            "no entrie",
            "included",
            "review locc",
            "excluded data",
            "sc data",
            "extri data",
            "includec review",
            "exclude data",
            "suggested",
            "se extra",
            "suggest",
            "manaiv add",
            "indicator",
            "review lace",
            "extri",
            "find s",
            "typ no",
            "no entdi",
            "ous u",
            "dron aew",
            "avtrat",
            "extre data",
            "manually",
            "add indicator",
            "pulses url",
            "url url",
            "typ host",
            "host url",
            "include",
            "z6911541",
            "extraction fail",
            "enter souf",
            "s type",
            "ur extraction",
            "extraction data",
            "jul all",
            "pulse data",
            "report external",
            "review",
            "extre please",
            "se extraction",
            "report spam",
            "all t8",
            "firmip",
            "bofa",
            "wikileaks",
            "tmobile",
            "dish",
            "capture",
            "cookie",
            "enter s",
            "please sub",
            "include outroov",
            "excludel sugges",
            "extra please",
            "high priority",
            "alerts ids",
            "priority alerts",
            "cnc beacon",
            "winver",
            "digitalmistica",
            "november",
            "pulse",
            "palantir",
            "foundry twitter",
            "arkei stealer",
            "config",
            "install",
            "downloader",
            "cidr",
            "domain",
            "indicators hong",
            "kong",
            "ukraine",
            "status no",
            "object",
            "unruy",
            "http",
            "remote",
            "keylogger",
            "foundry created",
            "days ago",
            "white keylogger",
            "apple",
            "foundry tech",
            "mafia",
            "t1045",
            "packing",
            "t1060",
            "run keys",
            "startup",
            "folder",
            "t1457",
            "showing",
            "types",
            "indicators show",
            "dicator role",
            "tsara brashears",
            "tsara",
            "porn",
            "porn videos",
            "pornhub https",
            "searchtsar",
            "watch tsara",
            "most relevant",
            "open threat",
            "green",
            "love",
            "daily",
            "videos",
            "free porn",
            "hybrid analysis",
            "falcon sandbox",
            "top tsara",
            "brashears porn",
            "stream",
            "spice",
            "download",
            "hybrid",
            "njrat",
            "threat network",
            "https",
            "created",
            "years ago",
            "modified",
            "months ago",
            "tinynote",
            "douglas county",
            "co sheriff",
            "office",
            "pegasus attacks",
            "sa victim",
            "octoseek public",
            "white",
            "excludedocs",
            "sugges",
            "stop data",
            "tsara lynn",
            "brashears les",
            "lynn brashears",
            "translate",
            "pornhub page",
            "emotet",
            "se review",
            "typ url",
            "dom hos",
            "hostname data",
            "harmful",
            "octoseekpulse",
            "attacks sa",
            "bandit stealer",
            "flubot",
            "agent tesla",
            "qbot",
            "qakbot",
            "ursnif",
            "azorult",
            "djvu",
            "hacktool",
            "maze",
            "dark",
            "linux",
            "android10",
            "khtml",
            "costcpc",
            "userosandroid",
            "bannerid2738231",
            "india",
            "enter so",
            "please subr",
            "suggest data",
            "netherlands",
            "russia",
            "america malware",
            "families",
            "sc type",
            "please",
            "show",
            "url data",
            "fanec",
            "include failed",
            "review exclude",
            "extre",
            "includea",
            "exclude toosrou",
            "sugges data",
            "typ data",
            "information",
            "cobalt strike",
            "ransomexx",
            "quackbot",
            "comspec",
            "span",
            "idn1",
            "sendimage0",
            "refts0",
            "include data",
            "uny inuuue",
            "fileh fileh",
            "exclude suggest",
            "uniy",
            "type fileh",
            "extr please",
            "ineluderc\u0660",
            "review data",
            "excludedlocs"
          ],
          "references": [],
          "public": 1,
          "adversary": "",
          "targeted_countries": [],
          "malware_families": [],
          "attack_ids": [
            {
              "id": "T1036",
              "name": "Masquerading",
              "display_name": "T1036 - Masquerading"
            },
            {
              "id": "T1043",
              "name": "Commonly Used Port",
              "display_name": "T1043 - Commonly Used Port"
            },
            {
              "id": "T1051",
              "name": "Shared Webroot",
              "display_name": "T1051 - Shared Webroot"
            },
            {
              "id": "T1053",
              "name": "Scheduled Task/Job",
              "display_name": "T1053 - Scheduled Task/Job"
            },
            {
              "id": "T1055",
              "name": "Process Injection",
              "display_name": "T1055 - Process Injection"
            },
            {
              "id": "T1056",
              "name": "Input Capture",
              "display_name": "T1056 - Input Capture"
            },
            {
              "id": "T1060",
              "name": "Registry Run Keys / Startup Folder",
              "display_name": "T1060 - Registry Run Keys / Startup Folder"
            },
            {
              "id": "T1068",
              "name": "Exploitation for Privilege Escalation",
              "display_name": "T1068 - Exploitation for Privilege Escalation"
            },
            {
              "id": "T1071",
              "name": "Application Layer Protocol",
              "display_name": "T1071 - Application Layer Protocol"
            },
            {
              "id": "T1080",
              "name": "Taint Shared Content",
              "display_name": "T1080 - Taint Shared Content"
            },
            {
              "id": "T1082",
              "name": "System Information Discovery",
              "display_name": "T1082 - System Information Discovery"
            },
            {
              "id": "T1085",
              "name": "Rundll32",
              "display_name": "T1085 - Rundll32"
            },
            {
              "id": "T1105",
              "name": "Ingress Tool Transfer",
              "display_name": "T1105 - Ingress Tool Transfer"
            },
            {
              "id": "T1114",
              "name": "Email Collection",
              "display_name": "T1114 - Email Collection"
            },
            {
              "id": "T1119",
              "name": "Automated Collection",
              "display_name": "T1119 - Automated Collection"
            },
            {
              "id": "T1123",
              "name": "Audio Capture",
              "display_name": "T1123 - Audio Capture"
            },
            {
              "id": "T1125",
              "name": "Video Capture",
              "display_name": "T1125 - Video Capture"
            },
            {
              "id": "T1129",
              "name": "Shared Modules",
              "display_name": "T1129 - Shared Modules"
            },
            {
              "id": "T1140",
              "name": "Deobfuscate/Decode Files or Information",
              "display_name": "T1140 - Deobfuscate/Decode Files or Information"
            },
            {
              "id": "T1143",
              "name": "Hidden Window",
              "display_name": "T1143 - Hidden Window"
            },
            {
              "id": "T1155",
              "name": "AppleScript",
              "display_name": "T1155 - AppleScript"
            },
            {
              "id": "T1179",
              "name": "Hooking",
              "display_name": "T1179 - Hooking"
            },
            {
              "id": "T1190",
              "name": "Exploit Public-Facing Application",
              "display_name": "T1190 - Exploit Public-Facing Application"
            },
            {
              "id": "T1210",
              "name": "Exploitation of Remote Services",
              "display_name": "T1210 - Exploitation of Remote Services"
            },
            {
              "id": "T1449",
              "name": "Exploit SS7 to Redirect Phone Calls/SMS",
              "display_name": "T1449 - Exploit SS7 to Redirect Phone Calls/SMS"
            },
            {
              "id": "T1457",
              "name": "Malicious Media Content",
              "display_name": "T1457 - Malicious Media Content"
            },
            {
              "id": "T1472",
              "name": "Generate Fraudulent Advertising Revenue",
              "display_name": "T1472 - Generate Fraudulent Advertising Revenue"
            },
            {
              "id": "T1506",
              "name": "Web Session Cookie",
              "display_name": "T1506 - Web Session Cookie"
            },
            {
              "id": "T1512",
              "name": "Capture Camera",
              "display_name": "T1512 - Capture Camera"
            },
            {
              "id": "T1566",
              "name": "Phishing",
              "display_name": "T1566 - Phishing"
            },
            {
              "id": "T1583",
              "name": "Acquire Infrastructure",
              "display_name": "T1583 - Acquire Infrastructure"
            },
            {
              "id": "T1586",
              "name": "Compromise Accounts",
              "display_name": "T1586 - Compromise Accounts"
            },
            {
              "id": "T1598",
              "name": "Phishing for Information",
              "display_name": "T1598 - Phishing for Information"
            },
            {
              "id": "T1045",
              "name": "Software Packing",
              "display_name": "T1045 - Software Packing"
            },
            {
              "id": "T1110",
              "name": "Brute Force",
              "display_name": "T1110 - Brute Force"
            },
            {
              "id": "T1133",
              "name": "External Remote Services",
              "display_name": "T1133 - External Remote Services"
            },
            {
              "id": "T1005",
              "name": "Data from Local System",
              "display_name": "T1005 - Data from Local System"
            },
            {
              "id": "T1035",
              "name": "Service Execution",
              "display_name": "T1035 - Service Execution"
            },
            {
              "id": "T1065",
              "name": "Uncommonly Used Port",
              "display_name": "T1065 - Uncommonly Used Port"
            },
            {
              "id": "T1027",
              "name": "Obfuscated Files or Information",
              "display_name": "T1027 - Obfuscated Files or Information"
            },
            {
              "id": "T1041",
              "name": "Exfiltration Over C2 Channel",
              "display_name": "T1041 - Exfiltration Over C2 Channel"
            },
            {
              "id": "T1057",
              "name": "Process Discovery",
              "display_name": "T1057 - Process Discovery"
            },
            {
              "id": "T1059",
              "name": "Command and Scripting Interpreter",
              "display_name": "T1059 - Command and Scripting Interpreter"
            },
            {
              "id": "T1083",
              "name": "File and Directory Discovery",
              "display_name": "T1083 - File and Directory Discovery"
            },
            {
              "id": "T1106",
              "name": "Native API",
              "display_name": "T1106 - Native API"
            },
            {
              "id": "T1546",
              "name": "Event Triggered Execution",
              "display_name": "T1546 - Event Triggered Execution"
            },
            {
              "id": "T1588",
              "name": "Obtain Capabilities",
              "display_name": "T1588 - Obtain Capabilities"
            }
          ],
          "industries": [],
          "TLP": "green",
          "cloned_from": null,
          "export_count": 58,
          "upvotes_count": 0,
          "downvotes_count": 0,
          "votes_count": 0,
          "locked": false,
          "pulse_source": "web",
          "validator_count": 0,
          "comment_count": 0,
          "follower_count": 0,
          "vote": 0,
          "author": {
            "username": "Q.Vashti",
            "id": "337942",
            "avatar_url": "https://otx.alienvault.com/assets/images/default-avatar.png",
            "is_subscribed": false,
            "is_following": false
          },
          "indicator_type_counts": {
            "URL": 12679,
            "domain": 1134,
            "hostname": 3543,
            "FileHash-MD5": 251,
            "email": 7,
            "FileHash-SHA256": 1927,
            "FileHash-SHA1": 232,
            "CVE": 1,
            "CIDR": 1,
            "URI": 1
          },
          "indicator_count": 19776,
          "is_author": false,
          "is_subscribing": null,
          "subscriber_count": 139,
          "modified_text": "251 days ago ",
          "is_modified": true,
          "groups": [],
          "in_group": false,
          "threat_hunter_scannable": true,
          "threat_hunter_has_agents": 1,
          "related_indicator_type": "URL",
          "related_indicator_is_active": 1
        }
      ],
      "references": [
        "IDS Detections: Andariel Backdoor Activity (Checkin)",
        "http://hallrender.com/attorney/brian-sabey | www-temp.metrobyt-mobile.com",
        "Yara \u2022  NSIS from ruleset NSIS by kevoreilly",
        "hubt.pornhub.com | www.pornhub.com | pornative.com",
        "http://apple.cc.lvlid.com/ \u2022 http://apple.cc.lvlid.com/ios/ \u2022 http://www.apple.cc.lvlid.com/ios",
        "foundry2-lbl.dvr.dn2.n-helix.com \u2022 http://foundry2sdbl.dvr.dn2.n-helix.com \u2022 https://foundry2sdbl",
        "Alert: dead_host nids_malware_alert network_icmp nolookup_communication",
        "Unix.Trojan.Mirai-6981169-0: FileHash - SHA256  fe00b364b6b8342e3ce0dd146902ac3330ab976e87aca6be666efde39ea485da",
        "TJprojMain.exe {79c7303a1a49b85569245a8ca1c1a26be720387845af9391fa1e4677308bd6b6}",
        "Tofsee: 'google.com' |  https://www.gov50.icu |",
        "DDoS:Linux/Gafgyt : FileHash - SHA256  358c2bd5b9e925dc23894dec18ce486c03d743cde766ce298ac1e2f00d86f0b2",
        "FileHash - SHA256  f32f6b229913d68daad937cc72a57aa45291a9d623109ed48938815aa7b6005c",
        "DISTINCTIO8.pdf",
        "https://tulach.cc/ || tulach.cc || www-temp.metrobyt-mobile.com",
        "google.pl | aplikacja.ceidg.gov.pl | imaginecup.pl | microsoft.pl",
        "IDS: D-Link Devices Home Network Administration Protocol Command Execution",
        "FileHash - SHA256 001f0ebe975b5f5a7e5272f53455635cc938a5a0129417f7e79c39df6cf65657 | Yara Detections: stack_string",
        "Yara \u2022 rule SUSP_Imphash_Mar23_2 from ruleset gen_imphash_detection by Arnim Rupp (https://github.com/ruppde)",
        "* https://github.com/MSUDenverSystemsEngineering/Salt-Instructional-18/tree/master/AppDeployToolkit",
        "IDS Detection: Realtek SDK Miniigd UPnP SOAP Command Execution CVE-2014-8361 - Outbound",
        "www.pornhubselect.com | pornhub.software",
        "IDS Detections: WGET Command Specifying Output in HTTP Headers",
        "*Themida_2xx. Oreans,Technologies",
        "Alerts: procmem_yara injection_inter_process creates_largekey network_bind persistence_autorun antivm_generic_disk",
        "https://tulach.cc/ | tulach.cc |",
        "*Andariel Backdoor Activity (Checkin)",
        "IDS Detection: Observed Suspicious UA (Hello-World) Suspicious Activity potential UPnProxy",
        "Yara \u2022 Windows_Generic_Threat_7526f106 from ruleset Windows_Generic_Threat by Elastic Security",
        "Yara Detections: is__elf ,  DemonBot",
        "IDS : Observed Cloudflare DNS over HTTPS Domain (cloudflare-dns .com in TLS SNI",
        "18teen.net | teensnow.com | grannies-porn.net | pornmd.com",
        "Alerts: persistence_autorun_tasks spawns_dev_util cape_detected_threat injection_process_hollowing",
        "IDS Detection: Mirai Variant User-Agent (Inbound) WebShell Generic - wget http - POST",
        "Crowdsourced Signa: Schedule system process by Joe Security",
        "https://xn--72c9abh1f8ad1lzc.com/video_tag/pornthai/ \u2022 https://ro.theskinnyfoodco.com/en-fr/blogs/recipes/pornstar-martini-recipe \u2022 m.pornsexer.xxx.3.1.adiosfil.roksit.net",
        "apple-reactivate.com | appleweb-aem.apple.com | apple.com | revoked-aprtr1-tr1g1.apple.com | network-framework.apple.com",
        "https://www.pornhub.com/gifs/search?search=tsara+lynn+brashears+lesbian ||  pin.it || https://pin.it/",
        "x.com \u2022 nr-data.net \u2022 apple.k8s.joewa.com",
        "http://vortex-nlb-http2-fed-us-taut-purple.nr-data.net/",
        "www.sweetheartvideo.com || https://www.sweetheartvideo.com/tsara-brashears/",
        "IDS Detections: Win32/Tofsee.AX google.com connectivity check Non-DNS or Non-Compliant DNS traffic on DNS port Opcode 8 through 15 set",
        "Mirai - ]1.0.0.0 - Unix.Trojan.Mirai-6981169-0",
        "Alerts: dead_host nids_malware_alert network_icmp nolookup_communication",
        "autodiscover.webcompanion.com || avc-gft-dashboard.apple.com || cac1-wwfde-wave.apple.com || demo27.apple.com",
        "Alerts: persistence_autorun \u2022 persistence_autorun_tasks stealth_hiddenreg \u2022 suspicious_command",
        "ET TROJAN Win32/DarkWatchman Checkin Activity (POST) ( This is true. They sit around watching, following...)",
        "Sigma \u2022 System File Execution Location Anomaly by Florian Roth (Nextron Systems), Patrick Bareiss, Anton Kutepov, oscd.community, Nasreddine Bencherchali (Nextron Systems)",
        "Alerts: dead_host network_icmp tcp_syn_scan nolookup_communication writes_to_stdout",
        "Devices remotely connected, tracked , monitored",
        "Sigma \u2022 Suspicious Process Masquerading As SvcHost.EXE by Swachchhanda Shrawan Poudel",
        "IDS Detections: D-Link Devices Home Network Administration Protocol Command Execution",
        "IDS: WGET Command Specifying Output in HTTP Headers"
      ],
      "related": {
        "alienvault": {
          "adversary": [],
          "malware_families": [],
          "industries": [],
          "unique_indicators": 0
        },
        "other": {
          "adversary": [],
          "malware_families": [
            "Win.malware.oxypumper-6900435-0",
            "Ransom",
            "Win.malware.ursu-9856871-0",
            "Mirai",
            "Cve-2014-8361",
            "Elf:ddos-y\\ [trj]",
            "Ddos:linux/gafgyt.ya!mtb",
            "Ransom:win32/haperlock",
            "Win.malware.qshell-9875653-0",
            "Nids",
            "Cve-2023-27350",
            "Worm:win32/mofksys.rnd!mtb",
            "Trojan:win32/zombie.a",
            "Trojan:win32/neurevt",
            "Backdoor:win32/tofsee",
            "Tel:createscheduledtask",
            "Onelouder",
            "Trojanspy",
            "M1",
            "Virus:win32/sivis.a",
            "Win.trojan.sarwent-10012602-0",
            "Win.trojan.installcore-1177",
            "Unix.trojan.mirai-6981169-0",
            "Cve-2017-17215",
            "Tofsee"
          ],
          "industries": [
            "Technology",
            "Healthcare"
          ],
          "unique_indicators": 82950
        }
      }
    },
    "false_positive": [],
    "alexa": "http://www.alexa.com/siteinfo/n-helix.com",
    "whois": "http://whois.domaintools.com/n-helix.com",
    "domain": "n-helix.com",
    "hostname": "foundry2sdbl.dvr.dn2.n-helix.com"
  },
  "geo": {},
  "geo_ipapicom": {},
  "pulse_count": 7,
  "pulses": [
    {
      "id": "687f33a5ddf830e2f3e5acac",
      "name": "Trojan Dropper | Espionage | Keylogger affecting medical centers",
      "description": "PII and PHI at risk. Highest access spyware available infiltrates a small niche medical center. \ntrojandropper, keyloggers, advanced spyware, monitored rooms , mitre att, ||\nIDS: PROTOCOL-ICMP PATH MTU denial of service attempt \u2022  PROTOCOL-ICMP Destination Unreachable Fragmentation Needed and DF bit was set\n\n\u2022   https://foundry2sdbl.dvr.dn2.n-helix.com/\n\u2022 https://www.pegasustech.net/products/mobility-barcode-scanning/Data-collector-mobile-computer\n\n\u2022 \nrobloxlogger.com\n\u2022\n\nhttps://video.welnext.com\n\u2022\nhttps://app1.oceantg.com/sta40/views/personnelscreenview.aspx",
      "modified": "2025-08-21T06:00:20.607000",
      "created": "2025-07-22T06:45:57.499000",
      "tags": [
        "pegasus",
        "report spam",
        "gotham foundry",
        "espionage",
        "spinal cord",
        "injured created",
        "minutes ago",
        "strange",
        "foundry",
        "palantir",
        "alexa",
        "service",
        "url http",
        "url https",
        "type indicator",
        "role title",
        "added active",
        "related pulses",
        "ipv4",
        "united",
        "germany",
        "singapore",
        "netherlands",
        "iran",
        "india",
        "search",
        "domain",
        "hostname",
        "filehashmd5",
        "filehashsha1",
        "extraction",
        "data upload",
        "sc type",
        "dren aeu",
        "extr source",
        "ur data",
        "include",
        "review exclude",
        "sugges",
        "mtu denial",
        "matches rule",
        "needed",
        "df bit",
        "unique rule",
        "catalog tree",
        "c0002 wininet",
        "ta0005 command",
        "control ta0011",
        "get http",
        "resolved ips",
        "dns resolutions",
        "cloudflare",
        "flag",
        "server",
        "date",
        "contacted hosts",
        "ip address",
        "process details",
        "t1158",
        "hidden",
        "t1031",
        "modify existing",
        "t1053",
        "taskjob",
        "t1060",
        "run keys",
        "startup",
        "learn",
        "ck id",
        "name tactics",
        "suspicious",
        "informative",
        "adversaries",
        "spawns",
        "command",
        "found",
        "itre att",
        "show process",
        "prefetch8",
        "mitre att",
        "show technique",
        "ck matrix",
        "windows nt",
        "win64",
        "khtml",
        "gecko",
        "april",
        "hybrid",
        "general",
        "path",
        "click",
        "strings",
        "entries",
        "unknown ns",
        "creation date",
        "record value",
        "showing",
        "gmt content",
        "accept encoding",
        "encrypt",
        "checked url",
        "hostname server",
        "response ip",
        "address google",
        "safe browsing",
        "present jan"
      ],
      "references": [],
      "public": 1,
      "adversary": "",
      "targeted_countries": [],
      "malware_families": [],
      "attack_ids": [
        {
          "id": "T1031",
          "name": "Modify Existing Service",
          "display_name": "T1031 - Modify Existing Service"
        },
        {
          "id": "T1053",
          "name": "Scheduled Task/Job",
          "display_name": "T1053 - Scheduled Task/Job"
        },
        {
          "id": "T1060",
          "name": "Registry Run Keys / Startup Folder",
          "display_name": "T1060 - Registry Run Keys / Startup Folder"
        },
        {
          "id": "T1070",
          "name": "Indicator Removal on Host",
          "display_name": "T1070 - Indicator Removal on Host"
        },
        {
          "id": "T1096",
          "name": "NTFS File Attributes",
          "display_name": "T1096 - NTFS File Attributes"
        },
        {
          "id": "T1158",
          "name": "Hidden Files and Directories",
          "display_name": "T1158 - Hidden Files and Directories"
        },
        {
          "id": "T1057",
          "name": "Process Discovery",
          "display_name": "T1057 - Process Discovery"
        },
        {
          "id": "T1071",
          "name": "Application Layer Protocol",
          "display_name": "T1071 - Application Layer Protocol"
        },
        {
          "id": "T1480",
          "name": "Execution Guardrails",
          "display_name": "T1480 - Execution Guardrails"
        },
        {
          "id": "T1553",
          "name": "Subvert Trust Controls",
          "display_name": "T1553 - Subvert Trust Controls"
        },
        {
          "id": "T1568",
          "name": "Dynamic Resolution",
          "display_name": "T1568 - Dynamic Resolution"
        },
        {
          "id": "T1583",
          "name": "Acquire Infrastructure",
          "display_name": "T1583 - Acquire Infrastructure"
        }
      ],
      "industries": [],
      "TLP": "green",
      "cloned_from": null,
      "export_count": 7,
      "upvotes_count": 0,
      "downvotes_count": 0,
      "votes_count": 0,
      "locked": false,
      "pulse_source": "web",
      "validator_count": 0,
      "comment_count": 0,
      "follower_count": 0,
      "vote": 0,
      "author": {
        "username": "Q.Vashti",
        "id": "337942",
        "avatar_url": "https://otx.alienvault.com/assets/images/default-avatar.png",
        "is_subscribed": false,
        "is_following": false
      },
      "indicator_type_counts": {
        "URL": 2628,
        "domain": 472,
        "hostname": 880,
        "FileHash-SHA256": 805,
        "FileHash-MD5": 151,
        "FileHash-SHA1": 128,
        "CIDR": 1,
        "SSLCertFingerprint": 3,
        "email": 1
      },
      "indicator_count": 5069,
      "is_author": false,
      "is_subscribing": null,
      "subscriber_count": 138,
      "modified_text": "241 days ago ",
      "is_modified": true,
      "groups": [],
      "in_group": false,
      "threat_hunter_scannable": true,
      "threat_hunter_has_agents": 1,
      "related_indicator_type": "URL",
      "related_indicator_is_active": 1
    },
    {
      "id": "687f209a7416c10d7465b8fc",
      "name": "Gotham Foundry | Pegasus Espionage for Spinal Cord Injured",
      "description": "It\u2019s hard to tell if the same group is spying on a single target or everyone; themis issue puts everyone at risk. It\u2019s quite an elaborate strategy to use for people who leave there homes only to go medical facility. Strange medical facility with overtly bad acries already spying on disabled . Everything including bathroom is monitored.\nPegasus, Foundry, Palantir, Alexa , Special Forces.\nColorado based \u2018Unnamed\u2019 care center.Going way too far!",
      "modified": "2025-08-21T05:03:19.254000",
      "created": "2025-07-22T05:24:42.261000",
      "tags": [
        "strange medical",
        "facility",
        "overt bad",
        "actors",
        "disabled",
        "rims http",
        "type indicator",
        "role title",
        "added active",
        "related pulses",
        "filehashmd5",
        "entries",
        "medium",
        "high",
        "post https",
        "http",
        "ip address",
        "icmp traffic",
        "dns query",
        "http traffic",
        "http post",
        "windows nt",
        "copy",
        "malware",
        "checks",
        "virustotal api",
        "screenshots",
        "comments",
        "vendor finding",
        "notes avast",
        "win32",
        "alerts show",
        "search",
        "ck technique",
        "napolar",
        "service",
        "present jul",
        "error",
        "present mar",
        "files",
        "asn as26496",
        "whois registrar",
        "creation date",
        "pulses",
        "tags date",
        "otx telemetry",
        "spf record",
        "external",
        "present nov",
        "passive dns",
        "related nids",
        "urls",
        "files location",
        "india flag",
        "india related",
        "pulses otx",
        "google",
        "url http",
        "rims url",
        "pulse pulses",
        "united",
        "flag united",
        "get na",
        "microsoft word",
        "notes clamav",
        "ms defender",
        "mtb malware",
        "files matching",
        "number",
        "sample analysis",
        "hide samples",
        "mtb oct",
        "ipv4 add",
        "location india",
        "pune",
        "india asn",
        "win64",
        "trojan",
        "ipv4",
        "url https",
        "indicator role",
        "title added",
        "active related",
        "pulses ipv4",
        "source url"
      ],
      "references": [],
      "public": 1,
      "adversary": "",
      "targeted_countries": [],
      "malware_families": [],
      "attack_ids": [
        {
          "id": "T1158",
          "name": "Hidden Files and Directories",
          "display_name": "T1158 - Hidden Files and Directories"
        },
        {
          "id": "T1031",
          "name": "Modify Existing Service",
          "display_name": "T1031 - Modify Existing Service"
        },
        {
          "id": "T1053",
          "name": "Scheduled Task/Job",
          "display_name": "T1053 - Scheduled Task/Job"
        },
        {
          "id": "T1060",
          "name": "Registry Run Keys / Startup Folder",
          "display_name": "T1060 - Registry Run Keys / Startup Folder"
        },
        {
          "id": "T1070",
          "name": "Indicator Removal on Host",
          "display_name": "T1070 - Indicator Removal on Host"
        },
        {
          "id": "T1096",
          "name": "NTFS File Attributes",
          "display_name": "T1096 - NTFS File Attributes"
        }
      ],
      "industries": [],
      "TLP": "green",
      "cloned_from": null,
      "export_count": 12,
      "upvotes_count": 0,
      "downvotes_count": 0,
      "votes_count": 0,
      "locked": false,
      "pulse_source": "web",
      "validator_count": 0,
      "comment_count": 0,
      "follower_count": 0,
      "vote": 0,
      "author": {
        "username": "Q.Vashti",
        "id": "337942",
        "avatar_url": "https://otx.alienvault.com/assets/images/default-avatar.png",
        "is_subscribed": false,
        "is_following": false
      },
      "indicator_type_counts": {
        "URL": 52,
        "domain": 11,
        "hostname": 23,
        "FileHash-MD5": 117,
        "FileHash-SHA1": 115,
        "FileHash-SHA256": 115
      },
      "indicator_count": 433,
      "is_author": false,
      "is_subscribing": null,
      "subscriber_count": 137,
      "modified_text": "241 days ago ",
      "is_modified": true,
      "groups": [],
      "in_group": false,
      "threat_hunter_scannable": true,
      "threat_hunter_has_agents": 1,
      "related_indicator_type": "URL",
      "related_indicator_is_active": 1
    },
    {
      "id": "687f0f210ec1de4316b22522",
      "name": "Strange Medical Facility with Overt Bad Actors Spying on Disabled",
      "description": "Strange Medical Facility with Overt Bad Actors already Spying on Disabled. Everything including bathroom is monitored.\nfounderintech.com\nwww.galbutfamilyfoundation.com\t\nwpengine.com\t\nhttps://foundry2sdbl.dvr.dn2.n-helix.com\nhttp://foundry2sdbl.dvr.dn2.n-helix.com\npegasusthruster.com\t\nhttps://www.pegasusthruster.com/\t\nsmtp.pegasustech.net\nhttp://pegasusthruster.com/shoppegasus/includes/att",
      "modified": "2025-08-21T03:02:43.704000",
      "created": "2025-07-22T04:10:09.158000",
      "tags": [
        "date",
        "submit url",
        "analysis",
        "passive dns",
        "urls",
        "files",
        "ip address",
        "asn as13335",
        "whois registrar",
        "creation date",
        "extraction",
        "data",
        "extri",
        "include review",
        "iocs",
        "data upload",
        "united",
        "unknown aaaa",
        "search",
        "showing",
        "moved",
        "a domains",
        "record value",
        "body"
      ],
      "references": [],
      "public": 1,
      "adversary": "",
      "targeted_countries": [],
      "malware_families": [],
      "attack_ids": [],
      "industries": [],
      "TLP": "green",
      "cloned_from": null,
      "export_count": 13,
      "upvotes_count": 0,
      "downvotes_count": 0,
      "votes_count": 0,
      "locked": false,
      "pulse_source": "web",
      "validator_count": 0,
      "comment_count": 0,
      "follower_count": 0,
      "vote": 0,
      "author": {
        "username": "Q.Vashti",
        "id": "337942",
        "avatar_url": "https://otx.alienvault.com/assets/images/default-avatar.png",
        "is_subscribed": false,
        "is_following": false
      },
      "indicator_type_counts": {
        "URL": 6560,
        "FileHash-MD5": 121,
        "FileHash-SHA1": 125,
        "FileHash-SHA256": 3989,
        "domain": 1616,
        "hostname": 1876,
        "email": 3,
        "CVE": 2
      },
      "indicator_count": 14292,
      "is_author": false,
      "is_subscribing": null,
      "subscriber_count": 140,
      "modified_text": "241 days ago ",
      "is_modified": true,
      "groups": [],
      "in_group": false,
      "threat_hunter_scannable": true,
      "threat_hunter_has_agents": 1,
      "related_indicator_type": "URL",
      "related_indicator_is_active": 1
    },
    {
      "id": "68788dfd4a0943cb318c7137",
      "name": "DarkWatchman Checkin Activity",
      "description": "",
      "modified": "2025-08-16T06:02:36.091000",
      "created": "2025-07-17T05:45:33.250000",
      "tags": [
        "access ta0001",
        "defense evasion",
        "access ta0006",
        "command",
        "control ta0011",
        "impact ta0040",
        "catalog tree",
        "ob0005 defense",
        "evasion ob0006",
        "impact ob0008",
        "hashes cape",
        "sandbox",
        "docguard",
        "yomi hunter",
        "zenbox",
        "ip traffic",
        "pattern domains",
        "memory pattern",
        "urls https",
        "adversaries",
        "mitre att",
        "t1189 found",
        "clickable urls",
        "pdf execution",
        "t1036",
        "creates",
        "hide artifacts",
        "exploitation",
        "e1564 hidden",
        "files",
        "discovery e1082",
        "e1203 data",
        "vhash",
        "ssdeep",
        "file type",
        "pdf document",
        "magic pdf",
        "trid adobe",
        "format",
        "file size",
        "united",
        "as32934",
        "passive dns",
        "unknown",
        "scan endpoints",
        "all scoreblue",
        "ipv4",
        "pulse pulses",
        "urls",
        "status",
        "search",
        "showing",
        "server error",
        "certificate",
        "creation date",
        "high assurance",
        "server ca",
        "date",
        "body",
        "win32",
        "ransom",
        "entries",
        "icmp traffic",
        "packing t1045",
        "t1045",
        "pdb path",
        "pe resource",
        "show",
        "malware",
        "copy",
        "push",
        "write",
        "aaaa",
        "nxdomain",
        "united kingdom",
        "thailand",
        "vietnam",
        "as45430",
        "honduras",
        "indonesia",
        "mexico",
        "slovakia",
        "dynamicloader",
        "yara rule",
        "high",
        "ekyxe",
        "xe e",
        "eofae",
        "ee edcje4j",
        "tofsee",
        "windows",
        "medium",
        "stream",
        "grum",
        "as15169 google",
        "pulses",
        "record value",
        "error",
        "cname",
        "name servers",
        "ireland",
        "next",
        "federation asn",
        "as49505",
        "labs pulses",
        "trojan",
        "trojandropper",
        "related pulses",
        "file samples",
        "files matching",
        "date hash",
        "copyright",
        "all search",
        "reverse dns",
        "location united",
        "emails info",
        "expiration date",
        "as51167 contabo",
        "germany unknown",
        "a nxdomain",
        "as40021 contabo",
        "encrypt",
        "url http",
        "http",
        "ip address",
        "related nids",
        "files location",
        "ddos",
        "activity",
        "checkin",
        "win64",
        "mirai",
        "hosting",
        "files ip",
        "address",
        "czechia unknown",
        "as174 cogent",
        "asnone germany",
        "as15598",
        "as16625 akamai",
        "asnone united",
        "as20940",
        "as35994 akamai",
        "as12337 noris",
        "pulse submit",
        "url analysis",
        "backdoor",
        "gmt cache",
        "sameorigin",
        "443 ma2592000",
        "suspicious",
        "virtool",
        "emails",
        "domain name",
        "code",
        "brazil",
        "poland",
        "domain",
        "msie",
        "windows nt",
        "tcp syn",
        "resolverror",
        "exploit",
        "externalport",
        "internalport",
        "http headers",
        "home network",
        "demonbot",
        "andariel",
        "yara detections",
        "malware traffic",
        "nids",
        "dns query",
        "google safe",
        "browsing",
        "whois",
        "virustotal",
        "mtb apr",
        "asnone related",
        "open",
        "hash avast",
        "avg clamav",
        "msdefender apr",
        "as8075",
        "content type",
        "access",
        "cp bus",
        "cur cono",
        "fin ivdo",
        "onl our",
        "phy samo",
        "overview ip",
        "flag united",
        "hostname",
        "files domain",
        "as8068",
        "trojan features",
        "rsa tls",
        "issuing ca",
        "mirai variant",
        "useragent",
        "inbound",
        "realtek sdk",
        "miniigd upnp",
        "soap command",
        "activity mirai",
        "helloworld",
        "users",
        "alerts",
        "anomalous file",
        "recycle bin",
        "filehash",
        "av detections",
        "memcommit",
        "read c",
        "memreserve",
        "for privacy",
        "china unknown",
        "ag alberto",
        "pedraz",
        "holidaycheck ag",
        "project pi",
        "immobilien ag",
        "puma se",
        "kurt walther",
        "ag ingo",
        "kraupa",
        "timo salzsieder",
        "record type",
        "ttl value",
        "msms57295540",
        "subdomains",
        "ireland unknown",
        "analyzer paste",
        "iocs",
        "samples",
        "regsetvalueexa",
        "default",
        "regdword",
        "module load",
        "t1129",
        "http request",
        "process32nextw",
        "regbinary",
        "oxypumper",
        "tools",
        "dock",
        "april",
        "persistence",
        "execution",
        "download",
        "as62597 nsone",
        "echo request",
        "sweep",
        "payload hello",
        "world",
        "total",
        "please",
        "xport",
        "main",
        "look",
        "install",
        "servers",
        "found",
        "cnapple public",
        "accept",
        "chrome",
        "moved",
        "ssl certificate",
        "write c",
        "installcore",
        "june",
        "delphi",
        "as47846",
        "cookie",
        "as32787 akamai",
        "as714 apple",
        "m1",
        "onelouder",
        "brian sabey",
        "denver colorado",
        "fakedout threat",
        "gmt content",
        "x cache",
        "div div",
        "as8972 host",
        "france unknown",
        "registrar",
        "otx scoreblue",
        "address domain",
        "as24940 hetzner",
        "as44273 host",
        "asn as15598",
        "trojanspy",
        "mail spammer",
        "germany mail",
        "spammer",
        "hichina",
        "data redacted",
        "a domains",
        "wow64",
        "slcc2",
        "media center",
        "port",
        "powershell",
        "urls http",
        "tptjsw",
        "virus",
        "ids detections",
        "germany",
        "as8560",
        "austria",
        "as1921",
        "as14061",
        "whitelisted",
        "as16276",
        "script urls",
        "as16552 tiggee",
        "as9009 m247",
        "meta",
        "as29789",
        "detected m1",
        "mtb aug",
        "server",
        "as397241",
        "cryp",
        "hostmaster",
        "networks",
        "as19024",
        "gmt setcookie",
        "delete",
        "russia as49505",
        "sinkhole cookie",
        "value snkz",
        "pe32",
        "possible",
        "susp",
        "lnmp",
        "lnmp a",
        "licess",
        "shell",
        "as63949 linode",
        "as133618",
        "as21342",
        "cve201717215",
        "huawei remote",
        "huawei hg532",
        "malware worm",
        "gafgyt",
        "exploit none",
        "binbusybox",
        "delete c",
        "odigicert inc",
        "stwashington",
        "lredmond",
        "rsa ca",
        "cape",
        "nondns",
        "denver",
        "redacted for",
        "method status",
        "url hostname",
        "ip country",
        "type get",
        "date tue",
        "gmt contenttype",
        "connection",
        "cachecontrol",
        "expires thu",
        "gmt vary",
        "poland unknown",
        "title",
        "script domains",
        "updated date",
        "serce internetu",
        "cnc beacon",
        "javascript",
        "wsasend",
        "post",
        "delete shadows",
        "all quiet",
        "t1047",
        "instrumentation",
        "rpcs",
        "ms windows",
        "asnone dns",
        "http host",
        "ip check",
        "sha256",
        "bits",
        "adware malware",
        "etpro malware",
        "bios",
        "guard",
        "tulach",
        "spectrum",
        "cyber folks",
        "tsara brashears",
        ".pl",
        "contacted",
        "kryptikxp",
        "apple",
        "ios",
        "android",
        "sabey",
        "charter communications",
        "denvecolorado",
        "quantum fiber",
        "air force",
        "swipper",
        "masquerade",
        "hitmen",
        "mitm",
        "whitesky",
        "cyber warfare",
        "porn",
        "pornhub.software"
      ],
      "references": [
        "DISTINCTIO8.pdf",
        "FileHash - SHA256 001f0ebe975b5f5a7e5272f53455635cc938a5a0129417f7e79c39df6cf65657 | Yara Detections: stack_string",
        "IDS Detections: Win32/Tofsee.AX google.com connectivity check Non-DNS or Non-Compliant DNS traffic on DNS port Opcode 8 through 15 set",
        "Tofsee: 'google.com' |  https://www.gov50.icu |",
        "ET TROJAN Win32/DarkWatchman Checkin Activity (POST) ( This is true. They sit around watching, following...)",
        "Alerts: procmem_yara injection_inter_process creates_largekey network_bind persistence_autorun antivm_generic_disk",
        "Alerts: persistence_autorun_tasks spawns_dev_util cape_detected_threat injection_process_hollowing",
        "hubt.pornhub.com | www.pornhub.com | pornative.com",
        "https://www.pornhub.com/gifs/search?search=tsara+lynn+brashears+lesbian ||  pin.it || https://pin.it/",
        "www.sweetheartvideo.com || https://www.sweetheartvideo.com/tsara-brashears/",
        "Unix.Trojan.Mirai-6981169-0: FileHash - SHA256  fe00b364b6b8342e3ce0dd146902ac3330ab976e87aca6be666efde39ea485da",
        "IDS Detections: WGET Command Specifying Output in HTTP Headers",
        "IDS Detections: D-Link Devices Home Network Administration Protocol Command Execution",
        "Yara Detections: is__elf ,  DemonBot",
        "Alerts: dead_host network_icmp tcp_syn_scan nolookup_communication writes_to_stdout",
        "FileHash - SHA256  f32f6b229913d68daad937cc72a57aa45291a9d623109ed48938815aa7b6005c",
        "IDS Detections: Andariel Backdoor Activity (Checkin)",
        "Alerts: dead_host nids_malware_alert network_icmp nolookup_communication",
        "DDoS:Linux/Gafgyt : FileHash - SHA256  358c2bd5b9e925dc23894dec18ce486c03d743cde766ce298ac1e2f00d86f0b2",
        "IDS Detection: Realtek SDK Miniigd UPnP SOAP Command Execution CVE-2014-8361 - Outbound",
        "IDS Detection: Mirai Variant User-Agent (Inbound) WebShell Generic - wget http - POST",
        "IDS Detection: Observed Suspicious UA (Hello-World) Suspicious Activity potential UPnProxy",
        "http://vortex-nlb-http2-fed-us-taut-purple.nr-data.net/",
        "https://tulach.cc/ || tulach.cc || www-temp.metrobyt-mobile.com",
        "apple-reactivate.com | appleweb-aem.apple.com | apple.com | revoked-aprtr1-tr1g1.apple.com | network-framework.apple.com",
        "autodiscover.webcompanion.com || avc-gft-dashboard.apple.com || cac1-wwfde-wave.apple.com || demo27.apple.com",
        "* https://github.com/MSUDenverSystemsEngineering/Salt-Instructional-18/tree/master/AppDeployToolkit",
        "https://tulach.cc/ | tulach.cc |",
        "http://hallrender.com/attorney/brian-sabey | www-temp.metrobyt-mobile.com",
        "google.pl | aplikacja.ceidg.gov.pl | imaginecup.pl | microsoft.pl",
        "18teen.net | teensnow.com | grannies-porn.net | pornmd.com",
        "www.pornhubselect.com | pornhub.software"
      ],
      "public": 1,
      "adversary": "",
      "targeted_countries": [
        "United States of America",
        "Chile",
        "Morocco",
        "Taiwan",
        "Guatemala",
        "United Kingdom of Great Britain and Northern Ireland",
        "Ireland",
        "Kenya",
        "Peru",
        "Singapore",
        "Mexico",
        "Brazil",
        "Slovakia",
        "Spain",
        "Australia",
        "Belgium",
        "Germany",
        "Hungary",
        "Netherlands",
        "Russian Federation",
        "Japan",
        "Poland"
      ],
      "malware_families": [
        {
          "id": "Ransom",
          "display_name": "Ransom",
          "target": null
        },
        {
          "id": "Tofsee",
          "display_name": "Tofsee",
          "target": null
        },
        {
          "id": "TEL:CreateScheduledTask",
          "display_name": "TEL:CreateScheduledTask",
          "target": null
        },
        {
          "id": "Mirai",
          "display_name": "Mirai",
          "target": null
        },
        {
          "id": "Unix.Trojan.Mirai-6981169-0",
          "display_name": "Unix.Trojan.Mirai-6981169-0",
          "target": null
        },
        {
          "id": "Backdoor:Win32/Tofsee",
          "display_name": "Backdoor:Win32/Tofsee",
          "target": "/malware/Backdoor:Win32/Tofsee"
        },
        {
          "id": "Ransom:Win32/Haperlock",
          "display_name": "Ransom:Win32/Haperlock",
          "target": "/malware/Ransom:Win32/Haperlock"
        },
        {
          "id": "Trojan:Win32/Neurevt",
          "display_name": "Trojan:Win32/Neurevt",
          "target": "/malware/Trojan:Win32/Neurevt"
        },
        {
          "id": "DDoS:Linux/Gafgyt.YA!MTB",
          "display_name": "DDoS:Linux/Gafgyt.YA!MTB",
          "target": "/malware/DDoS:Linux/Gafgyt.YA!MTB"
        },
        {
          "id": "CVE-2017-17215",
          "display_name": "CVE-2017-17215",
          "target": null
        },
        {
          "id": "CVE-2023-27350",
          "display_name": "CVE-2023-27350",
          "target": null
        },
        {
          "id": "CVE-2014-8361",
          "display_name": "CVE-2014-8361",
          "target": null
        },
        {
          "id": "Trojan:Win32/Zombie.A",
          "display_name": "Trojan:Win32/Zombie.A",
          "target": "/malware/Trojan:Win32/Zombie.A"
        },
        {
          "id": "NIDS",
          "display_name": "NIDS",
          "target": null
        },
        {
          "id": "M1",
          "display_name": "M1",
          "target": null
        },
        {
          "id": "OneLouder",
          "display_name": "OneLouder",
          "target": null
        },
        {
          "id": "TrojanSpy",
          "display_name": "TrojanSpy",
          "target": null
        },
        {
          "id": "Win.Trojan.Sarwent-10012602-0",
          "display_name": "Win.Trojan.Sarwent-10012602-0",
          "target": null
        },
        {
          "id": "Virus:Win32/Sivis.A",
          "display_name": "Virus:Win32/Sivis.A",
          "target": "/malware/Virus:Win32/Sivis.A"
        },
        {
          "id": "Win.Trojan.Installcore-1177",
          "display_name": "Win.Trojan.Installcore-1177",
          "target": null
        },
        {
          "id": "Win.Malware.Oxypumper-6900435-0",
          "display_name": "Win.Malware.Oxypumper-6900435-0",
          "target": null
        },
        {
          "id": "Win.Malware.Qshell-9875653-0",
          "display_name": "Win.Malware.Qshell-9875653-0",
          "target": null
        }
      ],
      "attack_ids": [
        {
          "id": "T1003",
          "name": "OS Credential Dumping",
          "display_name": "T1003 - OS Credential Dumping"
        },
        {
          "id": "T1012",
          "name": "Query Registry",
          "display_name": "T1012 - Query Registry"
        },
        {
          "id": "T1036",
          "name": "Masquerading",
          "display_name": "T1036 - Masquerading"
        },
        {
          "id": "T1071",
          "name": "Application Layer Protocol",
          "display_name": "T1071 - Application Layer Protocol"
        },
        {
          "id": "T1082",
          "name": "System Information Discovery",
          "display_name": "T1082 - System Information Discovery"
        },
        {
          "id": "T1189",
          "name": "Drive-by Compromise",
          "display_name": "T1189 - Drive-by Compromise"
        },
        {
          "id": "T1203",
          "name": "Exploitation for Client Execution",
          "display_name": "T1203 - Exploitation for Client Execution"
        },
        {
          "id": "T1485",
          "name": "Data Destruction",
          "display_name": "T1485 - Data Destruction"
        },
        {
          "id": "T1564",
          "name": "Hide Artifacts",
          "display_name": "T1564 - Hide Artifacts"
        },
        {
          "id": "T1566",
          "name": "Phishing",
          "display_name": "T1566 - Phishing"
        },
        {
          "id": "T1573",
          "name": "Encrypted Channel",
          "display_name": "T1573 - Encrypted Channel"
        },
        {
          "id": "T1045",
          "name": "Software Packing",
          "display_name": "T1045 - Software Packing"
        },
        {
          "id": "T1055",
          "name": "Process Injection",
          "display_name": "T1055 - Process Injection"
        },
        {
          "id": "T1060",
          "name": "Registry Run Keys / Startup Folder",
          "display_name": "T1060 - Registry Run Keys / Startup Folder"
        },
        {
          "id": "T1140",
          "name": "Deobfuscate/Decode Files or Information",
          "display_name": "T1140 - Deobfuscate/Decode Files or Information"
        },
        {
          "id": "T1027",
          "name": "Obfuscated Files or Information",
          "display_name": "T1027 - Obfuscated Files or Information"
        },
        {
          "id": "T1040",
          "name": "Network Sniffing",
          "display_name": "T1040 - Network Sniffing"
        },
        {
          "id": "T1047",
          "name": "Windows Management Instrumentation",
          "display_name": "T1047 - Windows Management Instrumentation"
        },
        {
          "id": "T1057",
          "name": "Process Discovery",
          "display_name": "T1057 - Process Discovery"
        },
        {
          "id": "T1089",
          "name": "Disabling Security Tools",
          "display_name": "T1089 - Disabling Security Tools"
        },
        {
          "id": "T1112",
          "name": "Modify Registry",
          "display_name": "T1112 - Modify Registry"
        },
        {
          "id": "T1129",
          "name": "Shared Modules",
          "display_name": "T1129 - Shared Modules"
        },
        {
          "id": "T1143",
          "name": "Hidden Window",
          "display_name": "T1143 - Hidden Window"
        },
        {
          "id": "T1023",
          "name": "Shortcut Modification",
          "display_name": "T1023 - Shortcut Modification"
        },
        {
          "id": "T1204",
          "name": "User Execution",
          "display_name": "T1204 - User Execution"
        },
        {
          "id": "T1106",
          "name": "Native API",
          "display_name": "T1106 - Native API"
        },
        {
          "id": "T1119",
          "name": "Automated Collection",
          "display_name": "T1119 - Automated Collection"
        },
        {
          "id": "T1428",
          "name": "Exploit Enterprise Resources",
          "display_name": "T1428 - Exploit Enterprise Resources"
        },
        {
          "id": "T1210",
          "name": "Exploitation of Remote Services",
          "display_name": "T1210 - Exploitation of Remote Services"
        },
        {
          "id": "T1133",
          "name": "External Remote Services",
          "display_name": "T1133 - External Remote Services"
        }
      ],
      "industries": [],
      "TLP": "green",
      "cloned_from": "678f0dbdbc59dd2ea5656dcf",
      "export_count": 32,
      "upvotes_count": 0,
      "downvotes_count": 0,
      "votes_count": 0,
      "locked": false,
      "pulse_source": "web",
      "validator_count": 0,
      "comment_count": 1,
      "follower_count": 0,
      "vote": 0,
      "author": {
        "username": "Q.Vashti",
        "id": "337942",
        "avatar_url": "https://otx.alienvault.com/assets/images/default-avatar.png",
        "is_subscribed": false,
        "is_following": false
      },
      "indicator_type_counts": {
        "FileHash-MD5": 7596,
        "FileHash-SHA1": 3987,
        "FileHash-SHA256": 8622,
        "URL": 1922,
        "domain": 2530,
        "hostname": 2524,
        "email": 37,
        "CVE": 6,
        "SSLCertFingerprint": 6
      },
      "indicator_count": 27230,
      "is_author": false,
      "is_subscribing": null,
      "subscriber_count": 139,
      "modified_text": "246 days ago ",
      "is_modified": true,
      "groups": [],
      "in_group": false,
      "threat_hunter_scannable": true,
      "threat_hunter_has_agents": 1,
      "related_indicator_type": "URL",
      "related_indicator_is_active": 1
    },
    {
      "id": "68761742b83c406c6afc4a45",
      "name": "Egton Medical Information Systems | Mirai | Malware |  Cams",
      "description": "Egton Medical Information Systems Limited |  Lynn Green\nRawdon House Green Lane\nCity\tLeeds\nCountry\tGB (andrew.carr@e-mis.com)\n[http://www.camx.com/files/cb05_final_report_120805.aspx]\n\nRequires further research.\nPotentially patient data brokers, international PHI exchange,  stealth  monitoring. #mirai #malware #trojan #cams #target #medical_information_exchange",
      "modified": "2025-08-14T08:00:18.079000",
      "created": "2025-07-15T08:54:26.212000",
      "tags": [
        "egton medical",
        "limited name",
        "server",
        "date",
        "copy md5",
        "copy sha1",
        "copy sha256",
        "sha1",
        "sha256",
        "size",
        "beginstring",
        "segoe ui",
        "null",
        "type data",
        "refresh",
        "body",
        "span",
        "hybrid",
        "general",
        "click",
        "strings",
        "error",
        "tools",
        "look",
        "verify",
        "restart",
        "pattern match",
        "ascii text",
        "ck id",
        "show technique",
        "mitre att",
        "ck matrix",
        "show process",
        "utf8",
        "crlf line",
        "t1057",
        "local",
        "path",
        "learn",
        "name tactics",
        "suspicious",
        "informative",
        "command",
        "spawns",
        "evasion att",
        "t1480 execution",
        "discovery att",
        "serving ip",
        "address",
        "status code",
        "united",
        "passive dns",
        "entries",
        "gmt server",
        "ecacc",
        "ipv4 add",
        "pulse pulses",
        "urls",
        "files",
        "location united",
        "ddos",
        "activity",
        "checkin",
        "next associated",
        "win64",
        "win32",
        "url http",
        "url https",
        "indicator role",
        "title added",
        "active related",
        "pulses hostname",
        "type indicator",
        "role title",
        "added active",
        "related pulses",
        "ck techniques",
        "memcommit",
        "read c",
        "show",
        "search",
        "copy",
        "ip address",
        "high",
        "dns query",
        "medium",
        "write",
        "malware",
        "urlhttp",
        "url add",
        "http",
        "related nids",
        "files location",
        "flag united",
        "backdoor",
        "mtb jul",
        "please",
        "x msedge",
        "all ipv4",
        "open",
        "data upload",
        "extraction",
        "sc type",
        "failed",
        "extr",
        "include review",
        "name server",
        "status",
        "whois field",
        "value address",
        "rawdon house",
        "green lane",
        "city leeds",
        "country gb",
        "creation date",
        "dnssec",
        "domain",
        "servers",
        "present jul",
        "body xml",
        "error code",
        "message value",
        "time2017",
        "a domains",
        "name servers",
        "redacted for",
        "unknown aaaa",
        "script urls",
        "record value",
        "germany unknown",
        "certificate",
        "for privacy"
      ],
      "references": [],
      "public": 1,
      "adversary": "",
      "targeted_countries": [],
      "malware_families": [],
      "attack_ids": [
        {
          "id": "T1057",
          "name": "Process Discovery",
          "display_name": "T1057 - Process Discovery"
        },
        {
          "id": "T1071",
          "name": "Application Layer Protocol",
          "display_name": "T1071 - Application Layer Protocol"
        },
        {
          "id": "T1105",
          "name": "Ingress Tool Transfer",
          "display_name": "T1105 - Ingress Tool Transfer"
        },
        {
          "id": "T1480",
          "name": "Execution Guardrails",
          "display_name": "T1480 - Execution Guardrails"
        },
        {
          "id": "T1082",
          "name": "System Information Discovery",
          "display_name": "T1082 - System Information Discovery"
        }
      ],
      "industries": [],
      "TLP": "green",
      "cloned_from": null,
      "export_count": 13,
      "upvotes_count": 0,
      "downvotes_count": 0,
      "votes_count": 0,
      "locked": false,
      "pulse_source": "web",
      "validator_count": 0,
      "comment_count": 0,
      "follower_count": 0,
      "vote": 0,
      "author": {
        "username": "Q.Vashti",
        "id": "337942",
        "avatar_url": "https://otx.alienvault.com/assets/images/default-avatar.png",
        "is_subscribed": false,
        "is_following": false
      },
      "indicator_type_counts": {
        "domain": 107,
        "hostname": 192,
        "URL": 488,
        "FileHash-MD5": 136,
        "FileHash-SHA1": 130,
        "FileHash-SHA256": 169,
        "CVE": 1,
        "email": 6
      },
      "indicator_count": 1229,
      "is_author": false,
      "is_subscribing": null,
      "subscriber_count": 137,
      "modified_text": "248 days ago ",
      "is_modified": true,
      "groups": [],
      "in_group": false,
      "threat_hunter_scannable": true,
      "threat_hunter_has_agents": 1,
      "related_indicator_type": "URL",
      "related_indicator_is_active": 1
    },
    {
      "id": "6875e98438889e51b3fdd18f",
      "name": "Critical \u2022 Schedule system process - Mirai | Foundry Overwatch",
      "description": "",
      "modified": "2025-08-14T05:04:16.839000",
      "created": "2025-07-15T05:39:16.652000",
      "tags": [
        "win32 exe",
        "country",
        "include review",
        "exclude",
        "defense evasion",
        "access ta0006",
        "command",
        "control ta0011",
        "impact ta0040",
        "impact ob0008",
        "file system",
        "system oc0008",
        "match unknown",
        "adversaries",
        "match info",
        "info",
        "execution flow",
        "t1574 dll",
        "tries",
        "registry",
        "modify system",
        "process t1543",
        "unknown",
        "window",
        "ob0009 install",
        "ob0012 install",
        "insecure",
        "b0047 modify",
        "registry e1112",
        "hidden files",
        "registry run",
        "keys",
        "startup folder",
        "f0012 file",
        "critical",
        "united",
        "as15169",
        "delete c",
        "as16509",
        "show",
        "search",
        "intel",
        "ms windows",
        "entries",
        "medium",
        "worm",
        "copy",
        "write",
        "explorer",
        "malware",
        "next",
        "present jul",
        "status",
        "date",
        "ip address",
        "domain",
        "servers",
        "showing",
        "unknown ns",
        "related pulses",
        "pulses",
        "tags",
        "related tags",
        "more file",
        "type",
        "date april",
        "am size",
        "sha1 sha256",
        "as14618",
        "united kingdom",
        "as54113",
        "as15133 verizon",
        "top source",
        "top destination",
        "status domain",
        "ip whitelisted",
        "whitelisted",
        "tcp include",
        "source source",
        "oamazon",
        "cnamazon rsa",
        "odigicert inc",
        "sweden as20940",
        "as20940",
        "entries tls",
        "ip destination",
        "encrypt",
        "aaaa",
        "found",
        "certificate",
        "next associated",
        "urls show",
        "date checked",
        "error",
        "windows",
        "high",
        "yara detections",
        "installs",
        "checks",
        "filehash",
        "sha256 add",
        "themida",
        "data upload",
        "extraction",
        "md5 add",
        "av detections",
        "ids detections",
        "alerts",
        "analysis date",
        "file score",
        "win32",
        "ddos",
        "passive dns",
        "activity",
        "checkin",
        "win64",
        "mtb jan",
        "lowfi",
        "trojan",
        "ransom",
        "trojandropper",
        "yara",
        "nsis",
        "nss bv",
        "su data",
        "windo alerts",
        "andariel",
        "malware traffic",
        "nids",
        "icmp traffic",
        "dns query",
        "id deadhost",
        "connects",
        "andariel high",
        "richhash",
        "external",
        "virustotal api",
        "screenshots",
        "failed",
        "auurtonany data",
        "themida andarie",
        "present may",
        "japan unknown",
        "unknown cname",
        "domain add",
        "urls",
        "files",
        "http headers",
        "msie",
        "windows nt",
        "tcp syn",
        "resolverror",
        "externalport",
        "internalport",
        "wget command",
        "devices home",
        "execution",
        "foundry",
        "home networks",
        "mirai",
        "x.com",
        "porn",
        "monitored target",
        "d link",
        "targets"
      ],
      "references": [
        "TJprojMain.exe {79c7303a1a49b85569245a8ca1c1a26be720387845af9391fa1e4677308bd6b6}",
        "Crowdsourced Sigma: Schedule system process by Joe Security",
        "Sigma \u2022 Suspicious Process Masquerading As SvcHost.EXE by Swachchhanda Shrawan Poudel",
        "Sigma \u2022 System File Execution Location Anomaly by Florian Roth (Nextron Systems), Patrick Bareiss, Anton Kutepov, oscd.community, Nasreddine Bencherchali (Nextron Systems)",
        "Yara \u2022  NSIS from ruleset NSIS by kevoreilly",
        "Yara \u2022 rule SUSP_Imphash_Mar23_2 from ruleset gen_imphash_detection by Arnim Rupp (https://github.com/ruppde)",
        "Yara \u2022 Windows_Generic_Threat_7526f106 from ruleset Windows_Generic_Threat by Elastic Security",
        "Alerts: persistence_autorun \u2022 persistence_autorun_tasks stealth_hiddenreg \u2022 suspicious_command",
        "IDS: Observed Cloudflare DNS over HTTPS Domain (cloudflare-dns .com in TLS SNI)",
        "Mirai - ]1.0.0.0 - Unix.Trojan.Mirai-6981169-0",
        "*Themida_2xx. Oreans,Technologies",
        "*Andariel Backdoor Activity (Checkin)",
        "Alert: dead_host nids_malware_alert network_icmp nolookup_communication",
        "IDS: WGET Command Specifying Output in HTTP Headers",
        "IDS: D-Link Devices Home Network Administration Protocol Command Execution",
        "foundry2-lbl.dvr.dn2.n-helix.com \u2022 http://foundry2sdbl.dvr.dn2.n-helix.com \u2022 https://foundry2sdbl",
        "https://xn--72c9abh1f8ad1lzc.com/video_tag/pornthai/ \u2022 https://ro.theskinnyfoodco.com/en-fr/blogs/recipes/pornstar-martini-recipe \u2022 m.pornsexer.xxx.3.1.adiosfil.roksit.net",
        "x.com \u2022 nr-data.net \u2022 apple.k8s.joewa.com",
        "http://apple.cc.lvlid.com/ \u2022 http://apple.cc.lvlid.com/ios/ \u2022 http://www.apple.cc.lvlid.com/ios",
        "Devices remotely connected, tracked, monitored"
      ],
      "public": 1,
      "adversary": "",
      "targeted_countries": [
        "United States of America"
      ],
      "malware_families": [
        {
          "id": "Worm:Win32/Mofksys.RND!MTB",
          "display_name": "Worm:Win32/Mofksys.RND!MTB",
          "target": "/malware/Worm:Win32/Mofksys.RND!MTB"
        },
        {
          "id": "Unix.Trojan.Mirai-6981169-0",
          "display_name": "Unix.Trojan.Mirai-6981169-0",
          "target": null
        },
        {
          "id": "Win.Malware.Ursu-9856871-0",
          "display_name": "Win.Malware.Ursu-9856871-0",
          "target": null
        },
        {
          "id": "ELF:DDoS-Y\\ [Trj]",
          "display_name": "ELF:DDoS-Y\\ [Trj]",
          "target": null
        }
      ],
      "attack_ids": [
        {
          "id": "T1010",
          "name": "Application Window Discovery",
          "display_name": "T1010 - Application Window Discovery"
        },
        {
          "id": "T1027",
          "name": "Obfuscated Files or Information",
          "display_name": "T1027 - Obfuscated Files or Information"
        },
        {
          "id": "T1036",
          "name": "Masquerading",
          "display_name": "T1036 - Masquerading"
        },
        {
          "id": "T1055",
          "name": "Process Injection",
          "display_name": "T1055 - Process Injection"
        },
        {
          "id": "T1056",
          "name": "Input Capture",
          "display_name": "T1056 - Input Capture"
        },
        {
          "id": "T1057",
          "name": "Process Discovery",
          "display_name": "T1057 - Process Discovery"
        },
        {
          "id": "T1070",
          "name": "Indicator Removal on Host",
          "display_name": "T1070 - Indicator Removal on Host"
        },
        {
          "id": "T1071",
          "name": "Application Layer Protocol",
          "display_name": "T1071 - Application Layer Protocol"
        },
        {
          "id": "T1082",
          "name": "System Information Discovery",
          "display_name": "T1082 - System Information Discovery"
        },
        {
          "id": "T1083",
          "name": "File and Directory Discovery",
          "display_name": "T1083 - File and Directory Discovery"
        },
        {
          "id": "T1112",
          "name": "Modify Registry",
          "display_name": "T1112 - Modify Registry"
        },
        {
          "id": "T1129",
          "name": "Shared Modules",
          "display_name": "T1129 - Shared Modules"
        },
        {
          "id": "T1134",
          "name": "Access Token Manipulation",
          "display_name": "T1134 - Access Token Manipulation"
        },
        {
          "id": "T1485",
          "name": "Data Destruction",
          "display_name": "T1485 - Data Destruction"
        },
        {
          "id": "T1497",
          "name": "Virtualization/Sandbox Evasion",
          "display_name": "T1497 - Virtualization/Sandbox Evasion"
        },
        {
          "id": "T1543",
          "name": "Create or Modify System Process",
          "display_name": "T1543 - Create or Modify System Process"
        },
        {
          "id": "T1547",
          "name": "Boot or Logon Autostart Execution",
          "display_name": "T1547 - Boot or Logon Autostart Execution"
        },
        {
          "id": "T1562",
          "name": "Impair Defenses",
          "display_name": "T1562 - Impair Defenses"
        },
        {
          "id": "T1564",
          "name": "Hide Artifacts",
          "display_name": "T1564 - Hide Artifacts"
        },
        {
          "id": "T1574",
          "name": "Hijack Execution Flow",
          "display_name": "T1574 - Hijack Execution Flow"
        },
        {
          "id": "T1060",
          "name": "Registry Run Keys / Startup Folder",
          "display_name": "T1060 - Registry Run Keys / Startup Folder"
        },
        {
          "id": "T1512",
          "name": "Capture Camera",
          "display_name": "T1512 - Capture Camera"
        },
        {
          "id": "T1125",
          "name": "Video Capture",
          "display_name": "T1125 - Video Capture"
        },
        {
          "id": "T1449",
          "name": "Exploit SS7 to Redirect Phone Calls/SMS",
          "display_name": "T1449 - Exploit SS7 to Redirect Phone Calls/SMS"
        }
      ],
      "industries": [
        "Healthcare",
        "Technology"
      ],
      "TLP": "white",
      "cloned_from": null,
      "export_count": 23,
      "upvotes_count": 0,
      "downvotes_count": 0,
      "votes_count": 0,
      "locked": false,
      "pulse_source": "web",
      "validator_count": 0,
      "comment_count": 0,
      "follower_count": 0,
      "vote": 0,
      "author": {
        "username": "Q.Vashti",
        "id": "337942",
        "avatar_url": "https://otx.alienvault.com/assets/images/default-avatar.png",
        "is_subscribed": false,
        "is_following": false
      },
      "indicator_type_counts": {
        "FileHash-MD5": 448,
        "FileHash-SHA1": 435,
        "FileHash-SHA256": 5851,
        "hostname": 2580,
        "domain": 1176,
        "URL": 7133,
        "SSLCertFingerprint": 30,
        "email": 3,
        "CVE": 3
      },
      "indicator_count": 17659,
      "is_author": false,
      "is_subscribing": null,
      "subscriber_count": 140,
      "modified_text": "248 days ago ",
      "is_modified": true,
      "groups": [],
      "in_group": false,
      "threat_hunter_scannable": true,
      "threat_hunter_has_agents": 1,
      "related_indicator_type": "URL",
      "related_indicator_is_active": 1
    },
    {
      "id": "6872f4c510c590b7cdc5ff6a",
      "name": "Crowdsourced Collection of PayPal Mafia Monster - Foundry\u2019s Palantair",
      "description": "Americans are investing in what Edward Snowden foretold of\u2026 your future from beginning to end will  predict how you will be treated. Preemptively policing people even if you have to make up a past.. |\n\nThe New York Times\nMay 30, 2025 \u2014 The Trump administration has expanded Palantir's work with the government, spreading the company's technology \u2014 which could easily merge data on ...\nFormer Palantir workers condemn company's work with ...\n\nNPR\nMay 5, 2025 \u2014 Thirteen former employees of influential data-mining firm Palantir are condemning the company's work with the Trump administration.\nWyden AOC Palantir Letter 061725\n\nSenate Finance (.gov)\nJun 17, 2025 \u2014 The Trump Administration has spent taxpayer dollars on Palantir software at numerous other government agencies and paid it billions of dollars ...\n#foundry #rip #palantir #jeffreyreimerdpt #lawenforcement #twitter #tsarabrashearsblessed #apple #privacynow #fightforprivacy #sabey #hallrender",
      "modified": "2025-08-11T23:02:24.583000",
      "created": "2025-07-12T23:50:29.847000",
      "tags": [
        "url https",
        "url http",
        "type indicator",
        "role title",
        "added active",
        "related pulses",
        "entries",
        "indicator role",
        "title added",
        "active related",
        "pulses",
        "enter source",
        "urior exirag",
        "diri type",
        "data upload",
        "extraction",
        "failed",
        "included iocs",
        "review iocs",
        "find sugge",
        "extr extract",
        "in data",
        "extract",
        "type",
        "u extractio",
        "extra",
        "review ic",
        "ipv4",
        "pulses hostname",
        "accountunlock",
        "united",
        "ireland",
        "canada",
        "brazil",
        "sweden",
        "australia",
        "search",
        "scan",
        "iocs",
        "learn more",
        "filehashsha1",
        "filehashmd5",
        "types of",
        "extra data",
        "included review",
        "china",
        "colombia",
        "filepath https",
        "enter sc",
        "extr data",
        "include review",
        "exclude sugges",
        "filehashsha256",
        "hostname",
        "dicators japan",
        "url tor",
        "extrac data",
        "ic excluded",
        "suggeste",
        "stop",
        "type no",
        "no entrie",
        "included",
        "review locc",
        "excluded data",
        "sc data",
        "extri data",
        "includec review",
        "exclude data",
        "suggested",
        "se extra",
        "suggest",
        "manaiv add",
        "indicator",
        "review lace",
        "extri",
        "find s",
        "typ no",
        "no entdi",
        "ous u",
        "dron aew",
        "avtrat",
        "extre data",
        "manually",
        "add indicator",
        "pulses url",
        "url url",
        "typ host",
        "host url",
        "include",
        "z6911541",
        "extraction fail",
        "enter souf",
        "s type",
        "ur extraction",
        "extraction data",
        "jul all",
        "pulse data",
        "report external",
        "review",
        "extre please",
        "se extraction",
        "report spam",
        "all t8",
        "firmip",
        "bofa",
        "wikileaks",
        "tmobile",
        "dish",
        "capture",
        "cookie",
        "enter s",
        "please sub",
        "include outroov",
        "excludel sugges",
        "extra please",
        "high priority",
        "alerts ids",
        "priority alerts",
        "cnc beacon",
        "winver",
        "digitalmistica",
        "november",
        "pulse",
        "palantir",
        "foundry twitter",
        "arkei stealer",
        "config",
        "install",
        "downloader",
        "cidr",
        "domain",
        "indicators hong",
        "kong",
        "ukraine",
        "status no",
        "object",
        "unruy",
        "http",
        "remote",
        "keylogger",
        "foundry created",
        "days ago",
        "white keylogger",
        "apple",
        "foundry tech",
        "mafia",
        "t1045",
        "packing",
        "t1060",
        "run keys",
        "startup",
        "folder",
        "t1457",
        "showing",
        "types",
        "indicators show",
        "dicator role",
        "tsara brashears",
        "tsara",
        "porn",
        "porn videos",
        "pornhub https",
        "searchtsar",
        "watch tsara",
        "most relevant",
        "open threat",
        "green",
        "love",
        "daily",
        "videos",
        "free porn",
        "hybrid analysis",
        "falcon sandbox",
        "top tsara",
        "brashears porn",
        "stream",
        "spice",
        "download",
        "hybrid",
        "njrat",
        "threat network",
        "https",
        "created",
        "years ago",
        "modified",
        "months ago",
        "tinynote",
        "douglas county",
        "co sheriff",
        "office",
        "pegasus attacks",
        "sa victim",
        "octoseek public",
        "white",
        "excludedocs",
        "sugges",
        "stop data",
        "tsara lynn",
        "brashears les",
        "lynn brashears",
        "translate",
        "pornhub page",
        "emotet",
        "se review",
        "typ url",
        "dom hos",
        "hostname data",
        "harmful",
        "octoseekpulse",
        "attacks sa",
        "bandit stealer",
        "flubot",
        "agent tesla",
        "qbot",
        "qakbot",
        "ursnif",
        "azorult",
        "djvu",
        "hacktool",
        "maze",
        "dark",
        "linux",
        "android10",
        "khtml",
        "costcpc",
        "userosandroid",
        "bannerid2738231",
        "india",
        "enter so",
        "please subr",
        "suggest data",
        "netherlands",
        "russia",
        "america malware",
        "families",
        "sc type",
        "please",
        "show",
        "url data",
        "fanec",
        "include failed",
        "review exclude",
        "extre",
        "includea",
        "exclude toosrou",
        "sugges data",
        "typ data",
        "information",
        "cobalt strike",
        "ransomexx",
        "quackbot",
        "comspec",
        "span",
        "idn1",
        "sendimage0",
        "refts0",
        "include data",
        "uny inuuue",
        "fileh fileh",
        "exclude suggest",
        "uniy",
        "type fileh",
        "extr please",
        "ineluderc\u0660",
        "review data",
        "excludedlocs"
      ],
      "references": [],
      "public": 1,
      "adversary": "",
      "targeted_countries": [],
      "malware_families": [],
      "attack_ids": [
        {
          "id": "T1036",
          "name": "Masquerading",
          "display_name": "T1036 - Masquerading"
        },
        {
          "id": "T1043",
          "name": "Commonly Used Port",
          "display_name": "T1043 - Commonly Used Port"
        },
        {
          "id": "T1051",
          "name": "Shared Webroot",
          "display_name": "T1051 - Shared Webroot"
        },
        {
          "id": "T1053",
          "name": "Scheduled Task/Job",
          "display_name": "T1053 - Scheduled Task/Job"
        },
        {
          "id": "T1055",
          "name": "Process Injection",
          "display_name": "T1055 - Process Injection"
        },
        {
          "id": "T1056",
          "name": "Input Capture",
          "display_name": "T1056 - Input Capture"
        },
        {
          "id": "T1060",
          "name": "Registry Run Keys / Startup Folder",
          "display_name": "T1060 - Registry Run Keys / Startup Folder"
        },
        {
          "id": "T1068",
          "name": "Exploitation for Privilege Escalation",
          "display_name": "T1068 - Exploitation for Privilege Escalation"
        },
        {
          "id": "T1071",
          "name": "Application Layer Protocol",
          "display_name": "T1071 - Application Layer Protocol"
        },
        {
          "id": "T1080",
          "name": "Taint Shared Content",
          "display_name": "T1080 - Taint Shared Content"
        },
        {
          "id": "T1082",
          "name": "System Information Discovery",
          "display_name": "T1082 - System Information Discovery"
        },
        {
          "id": "T1085",
          "name": "Rundll32",
          "display_name": "T1085 - Rundll32"
        },
        {
          "id": "T1105",
          "name": "Ingress Tool Transfer",
          "display_name": "T1105 - Ingress Tool Transfer"
        },
        {
          "id": "T1114",
          "name": "Email Collection",
          "display_name": "T1114 - Email Collection"
        },
        {
          "id": "T1119",
          "name": "Automated Collection",
          "display_name": "T1119 - Automated Collection"
        },
        {
          "id": "T1123",
          "name": "Audio Capture",
          "display_name": "T1123 - Audio Capture"
        },
        {
          "id": "T1125",
          "name": "Video Capture",
          "display_name": "T1125 - Video Capture"
        },
        {
          "id": "T1129",
          "name": "Shared Modules",
          "display_name": "T1129 - Shared Modules"
        },
        {
          "id": "T1140",
          "name": "Deobfuscate/Decode Files or Information",
          "display_name": "T1140 - Deobfuscate/Decode Files or Information"
        },
        {
          "id": "T1143",
          "name": "Hidden Window",
          "display_name": "T1143 - Hidden Window"
        },
        {
          "id": "T1155",
          "name": "AppleScript",
          "display_name": "T1155 - AppleScript"
        },
        {
          "id": "T1179",
          "name": "Hooking",
          "display_name": "T1179 - Hooking"
        },
        {
          "id": "T1190",
          "name": "Exploit Public-Facing Application",
          "display_name": "T1190 - Exploit Public-Facing Application"
        },
        {
          "id": "T1210",
          "name": "Exploitation of Remote Services",
          "display_name": "T1210 - Exploitation of Remote Services"
        },
        {
          "id": "T1449",
          "name": "Exploit SS7 to Redirect Phone Calls/SMS",
          "display_name": "T1449 - Exploit SS7 to Redirect Phone Calls/SMS"
        },
        {
          "id": "T1457",
          "name": "Malicious Media Content",
          "display_name": "T1457 - Malicious Media Content"
        },
        {
          "id": "T1472",
          "name": "Generate Fraudulent Advertising Revenue",
          "display_name": "T1472 - Generate Fraudulent Advertising Revenue"
        },
        {
          "id": "T1506",
          "name": "Web Session Cookie",
          "display_name": "T1506 - Web Session Cookie"
        },
        {
          "id": "T1512",
          "name": "Capture Camera",
          "display_name": "T1512 - Capture Camera"
        },
        {
          "id": "T1566",
          "name": "Phishing",
          "display_name": "T1566 - Phishing"
        },
        {
          "id": "T1583",
          "name": "Acquire Infrastructure",
          "display_name": "T1583 - Acquire Infrastructure"
        },
        {
          "id": "T1586",
          "name": "Compromise Accounts",
          "display_name": "T1586 - Compromise Accounts"
        },
        {
          "id": "T1598",
          "name": "Phishing for Information",
          "display_name": "T1598 - Phishing for Information"
        },
        {
          "id": "T1045",
          "name": "Software Packing",
          "display_name": "T1045 - Software Packing"
        },
        {
          "id": "T1110",
          "name": "Brute Force",
          "display_name": "T1110 - Brute Force"
        },
        {
          "id": "T1133",
          "name": "External Remote Services",
          "display_name": "T1133 - External Remote Services"
        },
        {
          "id": "T1005",
          "name": "Data from Local System",
          "display_name": "T1005 - Data from Local System"
        },
        {
          "id": "T1035",
          "name": "Service Execution",
          "display_name": "T1035 - Service Execution"
        },
        {
          "id": "T1065",
          "name": "Uncommonly Used Port",
          "display_name": "T1065 - Uncommonly Used Port"
        },
        {
          "id": "T1027",
          "name": "Obfuscated Files or Information",
          "display_name": "T1027 - Obfuscated Files or Information"
        },
        {
          "id": "T1041",
          "name": "Exfiltration Over C2 Channel",
          "display_name": "T1041 - Exfiltration Over C2 Channel"
        },
        {
          "id": "T1057",
          "name": "Process Discovery",
          "display_name": "T1057 - Process Discovery"
        },
        {
          "id": "T1059",
          "name": "Command and Scripting Interpreter",
          "display_name": "T1059 - Command and Scripting Interpreter"
        },
        {
          "id": "T1083",
          "name": "File and Directory Discovery",
          "display_name": "T1083 - File and Directory Discovery"
        },
        {
          "id": "T1106",
          "name": "Native API",
          "display_name": "T1106 - Native API"
        },
        {
          "id": "T1546",
          "name": "Event Triggered Execution",
          "display_name": "T1546 - Event Triggered Execution"
        },
        {
          "id": "T1588",
          "name": "Obtain Capabilities",
          "display_name": "T1588 - Obtain Capabilities"
        }
      ],
      "industries": [],
      "TLP": "green",
      "cloned_from": null,
      "export_count": 58,
      "upvotes_count": 0,
      "downvotes_count": 0,
      "votes_count": 0,
      "locked": false,
      "pulse_source": "web",
      "validator_count": 0,
      "comment_count": 0,
      "follower_count": 0,
      "vote": 0,
      "author": {
        "username": "Q.Vashti",
        "id": "337942",
        "avatar_url": "https://otx.alienvault.com/assets/images/default-avatar.png",
        "is_subscribed": false,
        "is_following": false
      },
      "indicator_type_counts": {
        "URL": 12679,
        "domain": 1134,
        "hostname": 3543,
        "FileHash-MD5": 251,
        "email": 7,
        "FileHash-SHA256": 1927,
        "FileHash-SHA1": 232,
        "CVE": 1,
        "CIDR": 1,
        "URI": 1
      },
      "indicator_count": 19776,
      "is_author": false,
      "is_subscribing": null,
      "subscriber_count": 139,
      "modified_text": "251 days ago ",
      "is_modified": true,
      "groups": [],
      "in_group": false,
      "threat_hunter_scannable": true,
      "threat_hunter_has_agents": 1,
      "related_indicator_type": "URL",
      "related_indicator_is_active": 1
    }
  ],
  "error": null,
  "vt": {
    "error": "VirusTotal rate limit reached. Try again shortly.",
    "indicator": "https://foundry2sdbl.dvr.dn2.n-helix.com",
    "type": "URL"
  },
  "abuseipdb": null,
  "urlhaus": {
    "indicator": "https://foundry2sdbl.dvr.dn2.n-helix.com",
    "type": "URL",
    "found": false,
    "verdict": "clean",
    "error": null
  },
  "from_cache": true,
  "_cached_at": 1776649962.326289
}