{
"type": "URL",
"indicator": "https://ftuapps.com/wp",
"general": {
"sections": [
"general",
"url_list",
"http_scans",
"screenshot"
],
"indicator": "https://ftuapps.com/wp",
"type": "url",
"type_title": "URL",
"validation": [],
"base_indicator": {
"id": 3748913441,
"indicator": "https://ftuapps.com/wp",
"type": "URL",
"title": "",
"description": "",
"content": "",
"access_type": "public",
"access_reason": ""
},
"pulse_info": {
"count": 50,
"pulses": [
{
"id": "69e434769e2a43c088066ca2",
"name": "Kraddare \u2022 Agent Tesla \u2022 CVE Jar clone credit octoseek",
"description": "",
"modified": "2026-04-19T07:36:41.138000",
"created": "2026-04-19T01:48:38.335000",
"tags": [
"heur",
"cisco umbrella",
"site",
"alexa top",
"malware",
"million",
"xcnfe",
"maltiverse",
"malware site",
"safe site",
"malicious",
"trojan",
"artemis",
"vidar",
"redline stealer",
"raccoon",
"keylogger",
"riskware",
"agent tesla",
"remcos",
"stealer",
"miner",
"hacktool",
"bank",
"agenttesla",
"agent",
"unknown",
"downloader",
"unsafe",
"detplock",
"networm",
"win64",
"service",
"smokeloader",
"dropper",
"crack",
"alexa",
"trojanspy",
"detection list",
"blacklist https",
"kyriazhs1975",
"noname057",
"tag count",
"threat report",
"ip summary",
"url summary",
"summary",
"sample",
"samples",
"blacklist",
"cyber threat",
"united",
"engineering",
"phishing",
"covid19",
"facebook",
"phishing site",
"paypal",
"njrat",
"emotet",
"nanocore rat",
"meterpreter",
"azorult",
"download",
"msil",
"bladabindi",
"mirai",
"pony",
"nanocore",
"bradesco",
"cobalt strike",
"cve201711882",
"redline",
"ssl certificate",
"tsara brashears",
"cyberstalking",
"spyware",
"apple ios",
"quasar",
"ransomware",
"malware norad",
"cry kill",
"attack",
"installer",
"formbook",
"lockbit",
"open",
"banker",
"bazarloader",
"core",
"ransomexx",
"name verdict",
"pattern match",
"et tor",
"known tor",
"relayrouter",
"exit",
"node traffic",
"misc attack",
"script",
"beginstring",
"ascii text",
"null",
"date",
"error",
"span",
"refresh",
"class",
"generator",
"critical",
"body",
"look",
"verify",
"restart",
"meta",
"hybrid",
"general",
"click",
"strings",
"tools",
"as141773",
"as63932",
"moved",
"passive dns",
"search",
"entries",
"gmt content",
"type",
"keep alive",
"scan endpoints",
"all octoseek",
"pulse pulses",
"as17806 mango",
"blacklist http",
"phishtank",
"malicious site",
"apple",
"blockchain",
"runescape",
"twitter",
"qakbot",
"asyncrat",
"team",
"internet storm",
"generic",
"union",
"bazaloader",
"media",
"generic malware",
"hostname",
"suppobox",
"netwire rc",
"installcore",
"conduit",
"iobit",
"mediaget",
"outbreak",
"acint",
"installpack",
"phish",
"rostpay",
"fakeinstaller",
"spyrixkeylogger",
"bitminer",
"loadmoney",
"filetour",
"wacatac",
"fusioncore",
"dapato",
"cleaner",
"softonic",
"encpk",
"qbot",
"predator",
"swrort",
"kraddare",
"systweak",
"dllinject",
"driverpack",
"iframe",
"downldr",
"presenoker",
"as61317",
"asnone united",
"urls",
"files",
"next",
"as15169 google",
"japan unknown",
"as17506 arteria",
"as32244 liquid",
"as49505",
"russia unknown",
"expired",
"domain",
"falcon",
"as19969",
"ipv4",
"ransom",
"encrypt",
"file",
"windows nt",
"indicator",
"response",
"appdata",
"gmt contenttype",
"png image",
"local",
"contacted",
"fali malicious",
"dropped",
"communicating",
"referrer",
"fali contacted",
"silk road",
"immediate",
"cymulate2",
"tsara brashears",
"malvertizing"
],
"references": [
"https://wallpapers-nature.com/tsara-brashears/urlscan-io",
"alohatube.xyz",
"https://www.anyxxxtube.net/search-porn/tsara-brashears/",
"http://alohatube.xyz/search/tsara-brashears",
"https://www.pornhub.com/gifs/search?search=tsara+lynn+brashears+lesbian",
"ww.google.com.uy",
"https://alohatube.xyz/search/tsara-brashears",
"https://wallpapers-nature.com/%20tsara-brashears/urlscan-io",
"https://polling.portal.gov.bd/js/npc.script.js",
"polling.portal.gov.bd",
"https://polling.portal.gov.bd/js/npop.script.js",
"http://watchhers.net/index.php",
"https://brandyallen.com/2022/11/23/sexy",
"m.pornsexer.xxx.3.1.adiosfil.roksit.net",
"http://park.above.com/jr.php?gz=DjDNgvDQ0WlpBALxevxSvkF3jBH95b5riUvmgFjb1tbPDV06suYFlRcPA34ufLE5UZ8spiM7ya7tRXR8nLUgk920DSaIXniiR5hkoveznG%20mez7OU5R%20HKIczV475LuRwxm3J1pcRSpQcePtF/4aD%20frLO%205mYc0Maj8Z1IwBeAMESc9Gk3BzCkGUHNVeCAZ9vZrQhEeVvN%20QVBAu1boZNJTnvCAP0lB5ebMSP92bFHD/ItyL53LoVDSYWMd64KTNMMJaXE0kZVqQn/%20STriQbrA6cmW3Xj4sAJ3XXEbNNJzTbIvgsy00PlKWInEUK/iXzVecaBsXg3vkUcvkeM3HPPIajaBexXO7ATYz/qTeKAksI9l2IoDAsn0S9BYCTuP8uTYdgJAv0LO%20MkNBOrSqJnFQzTlNxG4NRSP6K4VDWklVPpCwQc/s/AfrwIdLcdrV6CQDLaluG1naOjXDc",
"http://nhrc.portal.gov.bd/sites/default/files/files/nhrc.portal.gov.bd/page/348ec5eb_22f8_4754_bb62_6a0d15ba1513/Study-Report-on-Sexual-Offences_Final.pdf",
"https://twitter.com/PORNO_SEXYBABES",
"https://alohatube.xyz/search/sex-mom-dog-animal",
"https://www.colorfulbox.jp/",
"Hybrid Analysis",
"Any.run",
"OTX AlienVault",
"Urlscan",
"UrlVoid",
"http://emrd.gov.bd/dead.php",
"http://titasgas.portal.gov.bd/dead.php",
"http://mincom.gov.bd/dead.php",
"http://cabinet.gov.bd/dead.php"
],
"public": 1,
"adversary": "",
"targeted_countries": [
"United States of America",
"Malaysia",
"Bangladesh"
],
"malware_families": [
{
"id": "Maltiverse",
"display_name": "Maltiverse",
"target": null
},
{
"id": "TrojanSpy",
"display_name": "TrojanSpy",
"target": null
},
{
"id": "RedLine",
"display_name": "RedLine",
"target": null
},
{
"id": "TrojanSpy",
"display_name": "TrojanSpy",
"target": null
},
{
"id": "Racoon Stealer",
"display_name": "Racoon Stealer",
"target": null
},
{
"id": "Ransomexx",
"display_name": "Ransomexx",
"target": null
},
{
"id": "Quasar RAT",
"display_name": "Quasar RAT",
"target": null
},
{
"id": "njRAT - S0385",
"display_name": "njRAT - S0385",
"target": null
},
{
"id": "FormBook",
"display_name": "FormBook",
"target": null
},
{
"id": "Bazaar Loader",
"display_name": "Bazaar Loader",
"target": null
},
{
"id": "Emotet",
"display_name": "Emotet",
"target": null
},
{
"id": "Detplock",
"display_name": "Detplock",
"target": null
},
{
"id": "WannaCry Kill Switch",
"display_name": "WannaCry Kill Switch",
"target": null
},
{
"id": "Ghandi",
"display_name": "Ghandi",
"target": null
},
{
"id": "Systweak",
"display_name": "Systweak",
"target": null
},
{
"id": "Swort",
"display_name": "Swort",
"target": null
},
{
"id": "Silk Road",
"display_name": "Silk Road",
"target": null
},
{
"id": "ALF:HeraklezEval:PUA:Win32/SpyrixKeylogger",
"display_name": "ALF:HeraklezEval:PUA:Win32/SpyrixKeylogger",
"target": null
},
{
"id": "Trojan:Win32/Wacatac",
"display_name": "Trojan:Win32/Wacatac",
"target": "/malware/Trojan:Win32/Wacatac"
},
{
"id": "RansomEXX",
"display_name": "RansomEXX",
"target": null
},
{
"id": "noname057",
"display_name": "noname057",
"target": null
},
{
"id": "Nanocore RAT",
"display_name": "Nanocore RAT",
"target": null
},
{
"id": "Worm:VBS/Dapato",
"display_name": "Worm:VBS/Dapato",
"target": "/malware/Worm:VBS/Dapato"
},
{
"id": "Kraddare",
"display_name": "Kraddare",
"target": null
}
],
"attack_ids": [
{
"id": "T1027",
"name": "Obfuscated Files or Information",
"display_name": "T1027 - Obfuscated Files or Information"
},
{
"id": "T1110",
"name": "Brute Force",
"display_name": "T1110 - Brute Force"
},
{
"id": "T1059",
"name": "Command and Scripting Interpreter",
"display_name": "T1059 - Command and Scripting Interpreter"
},
{
"id": "T1071",
"name": "Application Layer Protocol",
"display_name": "T1071 - Application Layer Protocol"
},
{
"id": "T1105",
"name": "Ingress Tool Transfer",
"display_name": "T1105 - Ingress Tool Transfer"
},
{
"id": "T1497",
"name": "Virtualization/Sandbox Evasion",
"display_name": "T1497 - Virtualization/Sandbox Evasion"
},
{
"id": "T1571",
"name": "Non-Standard Port",
"display_name": "T1571 - Non-Standard Port"
},
{
"id": "T1176",
"name": "Browser Extensions",
"display_name": "T1176 - Browser Extensions"
},
{
"id": "T1573",
"name": "Encrypted Channel",
"display_name": "T1573 - Encrypted Channel"
},
{
"id": "T1566",
"name": "Phishing",
"display_name": "T1566 - Phishing"
},
{
"id": "T1114",
"name": "Email Collection",
"display_name": "T1114 - Email Collection"
},
{
"id": "T1071.004",
"name": "DNS",
"display_name": "T1071.004 - DNS"
},
{
"id": "T1071.001",
"name": "Web Protocols",
"display_name": "T1071.001 - Web Protocols"
},
{
"id": "T1059.007",
"name": "JavaScript",
"display_name": "T1059.007 - JavaScript"
},
{
"id": "TA0011",
"name": "Command and Control",
"display_name": "TA0011 - Command and Control"
},
{
"id": "T1068",
"name": "Exploitation for Privilege Escalation",
"display_name": "T1068 - Exploitation for Privilege Escalation"
},
{
"id": "T1056.001",
"name": "Keylogging",
"display_name": "T1056.001 - Keylogging"
},
{
"id": "T1491",
"name": "Defacement",
"display_name": "T1491 - Defacement"
}
],
"industries": [],
"TLP": "green",
"cloned_from": "654a7a53317c717d1f4fee7f",
"export_count": 1,
"upvotes_count": 0,
"downvotes_count": 0,
"votes_count": 0,
"locked": false,
"pulse_source": "web",
"validator_count": 0,
"comment_count": 0,
"follower_count": 0,
"vote": 0,
"author": {
"username": "msudosos",
"id": "381696",
"avatar_url": "https://otx.alienvault.com/assets/images/default-avatar.png",
"is_subscribed": false,
"is_following": false
},
"indicator_type_counts": {
"FileHash-MD5": 2522,
"FileHash-SHA1": 862,
"FileHash-SHA256": 2855,
"URL": 7963,
"domain": 1168,
"hostname": 3181,
"CVE": 13,
"email": 2,
"IPv4": 1
},
"indicator_count": 18567,
"is_author": false,
"is_subscribing": null,
"subscriber_count": 47,
"modified_text": "12 hours ago ",
"is_modified": true,
"groups": [],
"in_group": false,
"threat_hunter_scannable": true,
"threat_hunter_has_agents": 1,
"related_indicator_type": "URL",
"related_indicator_is_active": 1
},
{
"id": "69e1d9cd805ecfc463bed935",
"name": "BlackNet RAT clone credit octoseek",
"description": "",
"modified": "2026-04-18T00:51:09.427000",
"created": "2026-04-17T06:57:17.378000",
"tags": [
"united",
"heur",
"bank",
"covid19 scam",
"anonymizer",
"malicious site",
"telefonica peru",
"cyber threat",
"proxy",
"malware",
"phishing",
"zbot",
"suppobox",
"team",
"trojanx",
"service",
"facebook",
"win64",
"trojan",
"artemis",
"cisco umbrella",
"site",
"alexa top",
"million",
"safe site",
"engineering",
"download",
"microsoft",
"generic",
"union",
"bazaloader",
"media",
"runescape",
"blacklist https",
"generic malware",
"metro",
"tmobile",
"on us",
"mls season",
"home internet",
"shop",
"autopay",
"free",
"metro store",
"limit",
"pass",
"close",
"galaxy",
"easy",
"back",
"stream",
"find",
"twitter",
"intnavfnav",
"conditions",
"service url",
"search live",
"api blog",
"docs pricing",
"september",
"instagram url",
"facebook url",
"value",
"variables",
"visitor object",
"alpine object",
"cookies",
"taq boolean",
"get h2",
"kb script",
"b xhr",
"post h2",
"frame",
"b image",
"kb image",
"redirect chain",
"frame c0bc",
"kb stylesheet",
"covid19",
"phishing site",
"malicious",
"cve201711882",
"cobalt strike",
"squirrelwaffle",
"pony",
"binder",
"virut",
"ramnit",
"dropper",
"formbook",
"azorult",
"bambernek",
"alexa",
"unsafe",
"opencandy",
"downldr",
"irata",
"dbatloader",
"vidar",
"outbreak",
"downloader",
"blocker",
"ransom",
"autoit",
"bladabindi",
"emotet",
"blacknet rat",
"stealer",
"presenoker",
"fusioncore",
"cleaner",
"wacatac",
"riskware",
"coinminer",
"xrat",
"swrort",
"installcore",
"trojanspy",
"mbydkqdhtu0h",
"pbiptbmvd0k4",
"pbzpdldtg",
"detection list",
"glelexoputyh",
"linkid252669",
"s2okorbdpt2x",
"el9km",
"mtap2vnnnpj",
"blacklist",
"x22x22",
"x22scriptx22",
"x22dntx22",
"date",
"u002d2",
"linkcode u002d",
"srclang",
"urllang",
"srcurl",
"qzid",
"pattern match",
"intnavtnav",
"q0o0mahttp",
"login",
"windows nt",
"bad traffic",
"et info",
"tls handshake",
"failure",
"http traffic",
"http",
"suricata alerts",
"event category",
"description sid",
"external",
"logo",
"av detection",
"default browser",
"guest system",
"professional",
"general",
"file",
"get fwlink",
"geckohost",
"suidm",
"edgev1",
"srchdafnoform",
"srchuidv2",
"edgesf1",
"malware site",
"agent",
"exploit",
"mimikatz",
"quasar rat",
"iframe",
"beach research",
"sgeneric",
"static engine",
"umbrella",
"malware service",
"exploit source",
"scanning host",
"Command and Control",
"malicious url",
"team malicious",
"tor known",
"tor relayrouter",
"exit",
"node tcp",
"traffic",
"bad traffic"
],
"references": [
"https://metro-tmo.com/",
"Hybrid Analysis",
"Alienvault OTX",
"Data Analysis"
],
"public": 1,
"adversary": "",
"targeted_countries": [
"United States of America",
"South Africa",
"Japan"
],
"malware_families": [
{
"id": "TrojanDownloader:O97M/BazaLoader",
"display_name": "TrojanDownloader:O97M/BazaLoader",
"target": "/malware/TrojanDownloader:O97M/BazaLoader"
},
{
"id": "SuppoBox",
"display_name": "SuppoBox",
"target": null
},
{
"id": "Backdoor:Win32/Zbot",
"display_name": "Backdoor:Win32/Zbot",
"target": "/malware/Backdoor:Win32/Zbot"
},
{
"id": "Maltiverse",
"display_name": "Maltiverse",
"target": null
},
{
"id": "TrojanSpy",
"display_name": "TrojanSpy",
"target": null
},
{
"id": "Beach Research",
"display_name": "Beach Research",
"target": null
},
{
"id": "BlackNET RAT",
"display_name": "BlackNET RAT",
"target": null
},
{
"id": "Backdoor:MSIL/Bladabindi",
"display_name": "Backdoor:MSIL/Bladabindi",
"target": "/malware/Backdoor:MSIL/Bladabindi"
},
{
"id": "FormBook",
"display_name": "FormBook",
"target": null
},
{
"id": "MimiKatz",
"display_name": "MimiKatz",
"target": null
},
{
"id": "Squirrelwaffle",
"display_name": "Squirrelwaffle",
"target": null
},
{
"id": "Pony - S0453",
"display_name": "Pony - S0453",
"target": null
},
{
"id": "TrojanDropper:VBS/Swrort",
"display_name": "TrojanDropper:VBS/Swrort",
"target": "/malware/TrojanDropper:VBS/Swrort"
},
{
"id": "Quasar RAT",
"display_name": "Quasar RAT",
"target": null
},
{
"id": "Virus:DOS/Metro",
"display_name": "Virus:DOS/Metro",
"target": "/malware/Virus:DOS/Metro"
},
{
"id": "Metro",
"display_name": "Metro",
"target": null
},
{
"id": "Virut",
"display_name": "Virut",
"target": null
},
{
"id": "Vidar",
"display_name": "Vidar",
"target": null
},
{
"id": "AZORult",
"display_name": "AZORult",
"target": null
},
{
"id": "Ramnit",
"display_name": "Ramnit",
"target": null
},
{
"id": "Backdoor:Win32/Outbreak",
"display_name": "Backdoor:Win32/Outbreak",
"target": "/malware/Backdoor:Win32/Outbreak"
},
{
"id": "ALF:PUA:Win32/OpenCandy",
"display_name": "ALF:PUA:Win32/OpenCandy",
"target": null
},
{
"id": "IRATA",
"display_name": "IRATA",
"target": null
},
{
"id": "Artemis",
"display_name": "Artemis",
"target": null
},
{
"id": "Cobalt Strike - S0154",
"display_name": "Cobalt Strike - S0154",
"target": null
},
{
"id": "ALF:PUA:Win32/FusionCore",
"display_name": "ALF:PUA:Win32/FusionCore",
"target": null
},
{
"id": "ALF:Trojan:O97M/Emotet",
"display_name": "ALF:Trojan:O97M/Emotet",
"target": null
},
{
"id": "Trojan:Win32/InstallCore",
"display_name": "Trojan:Win32/InstallCore",
"target": "/malware/Trojan:Win32/InstallCore"
}
],
"attack_ids": [
{
"id": "T1550",
"name": "Use Alternate Authentication Material",
"display_name": "T1550 - Use Alternate Authentication Material"
},
{
"id": "T1140",
"name": "Deobfuscate/Decode Files or Information",
"display_name": "T1140 - Deobfuscate/Decode Files or Information"
},
{
"id": "T1027",
"name": "Obfuscated Files or Information",
"display_name": "T1027 - Obfuscated Files or Information"
},
{
"id": "T1059.007",
"name": "JavaScript",
"display_name": "T1059.007 - JavaScript"
},
{
"id": "T1071",
"name": "Application Layer Protocol",
"display_name": "T1071 - Application Layer Protocol"
},
{
"id": "T1071.004",
"name": "DNS",
"display_name": "T1071.004 - DNS"
},
{
"id": "T1071.003",
"name": "Mail Protocols",
"display_name": "T1071.003 - Mail Protocols"
},
{
"id": "T1071.001",
"name": "Web Protocols",
"display_name": "T1071.001 - Web Protocols"
},
{
"id": "T1105",
"name": "Ingress Tool Transfer",
"display_name": "T1105 - Ingress Tool Transfer"
},
{
"id": "T1560",
"name": "Archive Collected Data",
"display_name": "T1560 - Archive Collected Data"
}
],
"industries": [
"Food",
"Gas",
"Entertainment"
],
"TLP": "white",
"cloned_from": "650d0c66e0b02a6dde4a8b7a",
"export_count": 0,
"upvotes_count": 0,
"downvotes_count": 0,
"votes_count": 0,
"locked": false,
"pulse_source": "web",
"validator_count": 0,
"comment_count": 0,
"follower_count": 0,
"vote": 0,
"author": {
"username": "msudosos",
"id": "381696",
"avatar_url": "https://otx.alienvault.com/assets/images/default-avatar.png",
"is_subscribed": false,
"is_following": false
},
"indicator_type_counts": {
"hostname": 781,
"FileHash-SHA256": 3085,
"domain": 528,
"URL": 3130,
"CVE": 6,
"FileHash-MD5": 610,
"FileHash-SHA1": 368
},
"indicator_count": 8508,
"is_author": false,
"is_subscribing": null,
"subscriber_count": 49,
"modified_text": "1 day ago ",
"is_modified": true,
"groups": [],
"in_group": false,
"threat_hunter_scannable": true,
"threat_hunter_has_agents": 1,
"related_indicator_type": "URL",
"related_indicator_is_active": 1
},
{
"id": "69b2730aa46a25d7949daa8d",
"name": "apple retail dnspionage clone octoseek",
"description": "",
"modified": "2026-04-11T00:03:57.096000",
"created": "2026-03-12T08:02:18.609000",
"tags": [
"Ghost RAT",
"WebToolbar",
"Nanocore RAT",
"GameHack",
"Cobalt Strike",
"RedlineStealer",
"HallGrand",
"InstallCore",
"InstallBrain",
"Emotet",
"Tofsee",
"InMortal",
"Bradesco",
"Agent Tesla",
"Mitre",
"Pyscpa",
"TrojanSpy",
"SuppoBox",
"Occamy",
"DNSPIONAGE",
"Stealer",
"Password",
"Apple",
"Retail",
"Cherry Creek Colorado",
"Bot Networks",
"Ghost RAT",
"Networm"
],
"references": [],
"public": 1,
"adversary": "",
"targeted_countries": [],
"malware_families": [],
"attack_ids": [],
"industries": [],
"TLP": "white",
"cloned_from": "658a2b6cfdcfeec5db5f31a1",
"export_count": 5,
"upvotes_count": 0,
"downvotes_count": 0,
"votes_count": 0,
"locked": false,
"pulse_source": "web",
"validator_count": 0,
"comment_count": 0,
"follower_count": 0,
"vote": 0,
"author": {
"username": "msudosos",
"id": "381696",
"avatar_url": "https://otx.alienvault.com/assets/images/default-avatar.png",
"is_subscribed": false,
"is_following": false
},
"indicator_type_counts": {
"FileHash-MD5": 7996,
"FileHash-SHA1": 3921,
"FileHash-SHA256": 5341,
"hostname": 2108,
"domain": 1005,
"URL": 5635,
"CIDR": 2,
"CVE": 21,
"email": 28
},
"indicator_count": 26057,
"is_author": false,
"is_subscribing": null,
"subscriber_count": 49,
"modified_text": "8 days ago ",
"is_modified": true,
"groups": [],
"in_group": false,
"threat_hunter_scannable": true,
"threat_hunter_has_agents": 1,
"related_indicator_type": "URL",
"related_indicator_is_active": 1
},
{
"id": "69b49ad5dd40a24d83cd6a72",
"name": "Chris P. Ahmann \u2022 PRIVATE PROPERTY Colorado State Fixer!",
"description": "",
"modified": "2026-03-13T23:16:37.716000",
"created": "2026-03-13T23:16:37.716000",
"tags": [
"related pulses",
"p1377925676",
"gaz1",
"sid1696503456",
"sct1",
"active",
"dynamicloader",
"medium",
"write c",
"search",
"show",
"high",
"program gateway",
"http traffic",
"http",
"write",
"malware",
"nivdort",
"serving ip",
"address",
"status code",
"kb body",
"sha256",
"gw5hjz7t975",
"url https",
"url http",
"indicator role",
"pulses url",
"hostname",
"poland unknown",
"present sep",
"present jul",
"present may",
"present apr",
"present dec",
"present jan",
"moved",
"passive dns",
"ip address",
"title",
"location poland",
"asn as29522",
"gmt content",
"accept encoding",
"ipv4 add",
"urls",
"files",
"reverse dns",
"united",
"record value",
"aaaa",
"mtb oct",
"found",
"error",
"read c",
"memcommit",
"module load",
"next",
"showing",
"trojan",
"execution",
"unknown",
"entries",
"ms windows",
"intel",
"as15169",
"codeoverlap",
"yara detections",
"delphi",
"worm",
"win32",
"win64",
"learn",
"ck id",
"name tactics",
"suspicious",
"informative",
"adversaries",
"command",
"spawns",
"ssl certificate",
"execution att",
"script urls",
"treece alfrey",
"meta",
"germany unknown",
"for privacy",
"title added",
"active related",
"pulses",
"asnone",
"named pipe",
"type indicator",
"role title",
"added active",
"filehashsha256",
"ally",
"melika",
"information",
"law christopher",
"https",
"fake pinterest",
"tsara",
"traceback man",
"expiro",
"capture",
"domain",
"types of",
"germany",
"poland",
"netherlands",
"cve cve20178977",
"boobs130432 nov",
"learn more",
"filehashmd5",
"utmsourceawin",
"pe32",
"head microsoft",
"delete",
"main",
"backdoor",
"next associated",
"gmt connection",
"control",
"content type",
"twitter",
"certificate",
"redirect date",
"cache",
"unknown ns",
"hostname add",
"ipv4",
"pulse pulses",
"location united",
"america flag",
"america asn",
"windows",
"total",
"ids detections",
"url add",
"related nids",
"files location",
"flag united",
"win32mydoom nov",
"domain add",
"yara rule",
"ee fc",
"ff d5",
"f0 ff",
"eb e1",
"ff ff",
"c1 e8",
"c1 c0",
"eb e8",
"mpress",
"cache control",
"x cache",
"date",
"name servers",
"arial",
"present aug",
"present jun",
"may god",
"hall render",
"palantir doing",
"jeffrey scott",
"jeffrey reimer",
"brian sabey",
"butt pirates",
"scott reimer",
"colorado",
"quasi government",
"workers compensation",
"eva lisa",
"eva reimer",
"sammie",
"montano mark",
"death threats",
"tulach",
"hired hit men",
"gay man",
"gay porn",
"concentra",
"corruption",
"palantir",
"foundry",
"grifter",
"warning",
"illegal",
"apple",
"contacted",
"ransom",
"dead",
"denver"
],
"references": [
"https://tamlegal.com/attorneys/christopher-p-ahmann/#breadcrumb \u2022 https://www.milehighmedia.com/en/movies",
"https://www.milehighmedia.com/legal/2257 \u2022 https://www.milehighmedia",
"www.milehighmedia.com \u2022 https://www.milehighmedia.com/en/Charlie-Dean/pornstar/49512",
"https://www.milehighmedia.com/en/login/index/aHR0cHMlM0ElMkYlMkZtZW1iZXJzLm1pbGVoaWdobWVkaWEuY29tJTJGZW4lMkZ2aWRlb3MlMkZzd2VldGhlYXJ0dmlkZW8lM0ZhbHVwJTNEQURqeF9ITjhfd1oweU96UnpsU3NNNUZLaVVxSzBXNEN0X3NmTFpKTGVJc3M2b0RVUzkwVmp6VllNVko5eFpmdENYcFNKd3IzOTNaMG1mOEpXeVhVeVZpLTJZYVRsaGd3M25DSDRpYnRwZ25BRC1zUFhDQVUycjZJOXo2WWtRMzNVWVFhMFZyWC1YckxvcnRkVjJZdEgxSDYxZ1lhMTFNS3RZSkEzY3FlSXhFQzhtSlAzSk1tbloySURMQXlMZndPcHozSFFiTzF4T0FseXJIQ0xYem1ldFElMkE=\t \thttp://www.milehighmedia.com/?ats=eyJhIjoyOTYzMTgsImMiOjU3OTYzNz",
"http://www.milehighmedia.com/legal\t \u2022 https://www.milehighmedia.com/en/pornstar/milehighmedia/Justin-Hunt/51017",
"https://www.milehighmedia.com/de/MileHighMedia/scene/129689?utm_source=271174&utm_medium=affiliate&utm_campaign=",
"http://www.milehighmedia.com/?ats=eyJhIjoyOTYzMTgsImMiOjU3OTYzNzc1LCJuIjo3NiwicyI6NT...",
"ttps://www.milehighmedia.com/scene/4404473/creampie-adventures-scene-2-sneaky-melanie",
"https://www.milehighmedia.com/join \u2022 https://www.milehighmedia.com/models \u2022 https://www.milehighmedia.com/movies",
"https://www.milehighmedia.com/model/59136/avi-love \u2022https://www.milehighmedia.com/model/60418/Justin-Hunt \u2022",
"https://www.milehighmedia.com/en/photo/milehighmedia/The-Mother-I-Cant-Resist/52380",
"https://www.milehighmedia.com/en/movies \u2022 https://www.milehighmedia.com/join",
"https://www.pornhub.com/gifs/search?search=tsara+lynn+brashears+lesbian",
"pornhub-e.com \u2022 www.pornhub.com \u2022",
"https://www.sweetheartvideo.com/tsara-brashears/ \u2022 www.sweetheartvideo.com",
"https://www.sweetheartvideo.com/en/?s=1?s=1&utm_source=272160&utm_medium=affiliate&utm_campaign=lovelezzies",
"https://www.sweetheartvideo.com/en/dvd/Lesbian-Massage/49895",
"https://www.sweetheartvideo.com/en/dvds \u2022 https://www.sweetheartvideo.com/en/login",
"https://www.sweetheartvideo.com/en/model/Mona-Wales/49601 \u2022 https://www.sweetheartvideo.com/en/scene/Truth-Dare--Boobs/130432 No Expiration\t0\t URL https://www.sweetheartvideo.com/it/model/Kristen-Scott/50432 \u2022 https://www.sweetheartvideo.com/model/63710/brandi-love",
"https://www.sweetheartvideo.com/scenes?models=63710",
"https://www.sweetheartvideo.com/model/63710/brandi-love",
"https://www.sweetheartvideo.com/scenes?models=63710",
"https://www.sweetheartvideo.com/it/model/Kristen-Scott/50432",
"https://www.sweetheartvideo.com/en/scene/Truth-Dare--Boobs/130432",
"https://www.milehighmedia.com/en/photo/milehighmedia/The-Mother-I-Cant-Resist/52380",
"https://www.vgt.pl/font/roboto/Roboto-Bold.eot \u2022",
"https://www.vgt.pl/94.152.152.233/images/logo.png",
"https://www.vgt.pl/94.152.156.22/logo.png \u2022 https://www.vgt.pl/css/",
"https://www.vgt.pl/favicon.ico",
"https://www.vgt.pl/font/fa/fontawesome-webfont.eot",
"https://www.vgt.pl/font/roboto/Roboto-Bold.ttf \u2022 https://www.vgt.pl/font/roboto/Roboto-Light.eot",
"https://www.vgt.pl/font/roboto/Roboto-Medium.ttf",
"https://www.vgt.pl/font/roboto/Roboto-Light.ttf \u2022",
"https://www.vgt.pl/static/js/bootstrap-typeahead.jstic/js/bootstrap-typeahead.js",
"https://www.vgt.pl/style/style.css \u2022 https://www.vgt.pl/font/roboto/Roboto-Medium.eot",
"https://www.vgt.pl/font/roboto/Roboto-Regular.ttf \u2022 https://www.vgt.pl/font/roboto/Roboto-Thin.eot",
"https://www.vgt.pl/static/js/bootstrap-typeahead.js.179.252.2",
"https://www.vgt.pl/font/roboto/Roboto-Thin.ttf \u2022 https://www.vgt.pl/static/js/bootstrap-typeahead.js",
"https://www.vgt.pl/font/roboto/Roboto-Regular.eot \u2022 https://www.vgt.pl/94.152.156.22/logo.png \u2022 https://www.vgt.pl/css/",
"vgt.pl \u2022 www.hak.vgt.pl \u2022 www.localhost.vgt.pl \u2022 www.certyfikat.vgt.pl \u2022 aristocrat.vgt.pl",
"https://www.vgt.pl/ phishing \u2022 https://vgt.pl/ \u2022www.vgt.pl \u2022 https://www.vgt.pl/94.152.152.233/images/logo.png",
"http://www.pornokind.vgt.pl \u2022 https://dbkuewww.m.vgt.pl \u2022 https://lokalnyhost.vgt.pl \u2022 www.xn--twj-hna.pedofil.vgt.pl",
"http://www.hak.vgt.pl \u2022 http://pornokind.vgt.pl \u2022 http://sip.vgt.pl \u2022 http://smtp-qa.vgt.pl \u2022 http://vgt.pl/*.",
"https://pornokind.vgt.pl \u2022 https://sip.vgt.pl \u2022 https://smtp-qa.vgt.pl \u2022 https://www.vgt.pl/94.152.156.22/logo.png",
"www.localhost.vgt.pl \u2022 www.certyfikat.vgt.pl \u2022 https://www.vgt.pl/94.152.152.233/images/logo.png",
"https://www.vgt.pl/css/ \u2022 https://www.vgt.pl/favicon.ico \u2022 https://www.vgt.pl/font/fa/fontawesome-webfont.eot",
"https://www.vgt.pl/font/roboto/Roboto-Bold.eot \u2022 https://www.vgt.pl/font/roboto/Roboto-Bold.ttf \u2022 https://www.vgt.pl/font/roboto/Roboto-Light.eot",
"https://www.vgt.pl/static/js/bootstrap-typeahead.jstic/js/bootstrap-typeahead.js",
"https://www.vgt.pl/style/style.css \u2022 https://www.vgt.pl/static/js/bootstrap-typeahead.js",
"IP Address 94.152.58.192 Location Poland ASN AS29522 h88 s.a. Nameservers ns1.kei.pl. , ns2.kei.pl.",
"www.happylifehappywife.com \u2022 http://www.happylifehappywife.com/2010/02/'>",
"http://www.happylifehappywife.com/2010/04/'> \u2022 http://www.happylifehappywife.com/2010/05/'>",
"http://www.happylifehappywife.com/2010/07/'> \u2022 http://www.happylifehappywife.com/2010/09/'>",
"http://www.happylifehappywife.com/2011/06/'> \u2022 http://www.happylifehappywife.com/2011/08/'",
"http://www.happylifehappywife.com/2011/08/'> \u2022 http://www.happylifehappywife.com/2012/07/'>",
"http://www.happylifehappywife.com/2013/03/'> \u2022 http://www.happylifehappywife.com/index.php",
"http://www.happylifehappywife.com/wp-content/themes/theme78222/images/top-right.jpg",
"https://amp.mypornvid.fun/videos/8/AhxS-ej1myg/gf-18-com/\ud83c\udf81-i39m-your-present-\ud83c\udf81-girlfriend-surprises-you-for-christmas-reunion-soft-kisses-amp-cuddles",
"8-25-220-162-static.reverse.queryfoundry.net\t\t\tNov 1, 2025, 9:34:14 AM\t\t5\t domain\tqueryfoundry.net\t\t\tNov 1, 2025, 9:34:14 AM\t\t8\t URL\thttp://117-114-251-162-static.reverse.queryfoundry.net/",
"http://watchhers.net/index.php",
"remotewd.com device local",
"nr-data.net \u2022 applemusic-spotlight.myunidays.com \u2022 init.ess.apple.com \u2022 tv.apple.com",
"https://browntubeporn.com/tsara-brashearsAccept-Language",
"https://cg864.myhotzpic.com phishing \u2022 http://dashboard.myhotzpic.com/",
"https://myhotzpic.com/tsara-brashears-hardcore-lesbian-sex/anime-studio.org*thumbs-fa...",
"https://mypornvid.com/videos/27/x510fb2/white-dpt-jeffrey-reimer-loves-pretty-indian-patient-forces-sex-3gp-video-tsara-brashears/caillou-finger",
"http://siteinlink.d1.cnbd.net/search/tsara-brashears-dead \u2022 http://siteinlink.d1.cnbd.net/site/maps.google.com.lb/",
"http://siteinlink.d1.cnbd.net/search/tsara-brashears-assaulted-by-jeffrey-reimer",
"http://siteinlink.d1.cnbd.net/search/tsara-brashears-dead \u2022 https://videolal.com/videos/tsara-brashears-dead-by-daylight.html",
"http://pixelrz.com/lists/keywords/tsara-brashears-dead/360 \u2022 http://pixelrz.com/lists/keywords/tsara-brashears-dead/360] No Expiration\t4\t Domain tsara-brashears-deadspin-twitter-suspended-account-help.ht",
"https://www.anyxxxtube.net/search-porn/tsara-brashears/",
"https://www.pornhub.com/gifs/search?search=tsara+lynn+brashears+lesbian",
"https://www.anyxxxtube.net/search-porn/tsara-brashears/",
"https://twitter.com/PORNO_SEXYBABES \u2022 girlsdoporn.com",
"Treece Alfrey Musat P.C. Attorneys at Law Christopher P. Ahmann | https://TamLegal.com",
"https://urlscan.io/screenshots/e931bb02-80dc-46db-92f0-43d5afa258be.png"
],
"public": 1,
"adversary": "",
"targeted_countries": [],
"malware_families": [
{
"id": "TrojanSpy:Win32/Nivdort",
"display_name": "TrojanSpy:Win32/Nivdort",
"target": "/malware/TrojanSpy:Win32/Nivdort"
},
{
"id": "Worm:Win32/Autorun",
"display_name": "Worm:Win32/Autorun",
"target": "/malware/Worm:Win32/Autorun"
},
{
"id": "Tofsee",
"display_name": "Tofsee",
"target": null
},
{
"id": "Jaik",
"display_name": "Jaik",
"target": null
},
{
"id": "Trojan:Win32/Qshell",
"display_name": "Trojan:Win32/Qshell",
"target": "/malware/Trojan:Win32/Qshell"
},
{
"id": "Trojan:Win32/Mydoom",
"display_name": "Trojan:Win32/Mydoom",
"target": "/malware/Trojan:Win32/Mydoom"
}
],
"attack_ids": [
{
"id": "T1045",
"name": "Software Packing",
"display_name": "T1045 - Software Packing"
},
{
"id": "T1057",
"name": "Process Discovery",
"display_name": "T1057 - Process Discovery"
},
{
"id": "T1060",
"name": "Registry Run Keys / Startup Folder",
"display_name": "T1060 - Registry Run Keys / Startup Folder"
},
{
"id": "T1053",
"name": "Scheduled Task/Job",
"display_name": "T1053 - Scheduled Task/Job"
},
{
"id": "T1055",
"name": "Process Injection",
"display_name": "T1055 - Process Injection"
},
{
"id": "T1082",
"name": "System Information Discovery",
"display_name": "T1082 - System Information Discovery"
},
{
"id": "T1112",
"name": "Modify Registry",
"display_name": "T1112 - Modify Registry"
},
{
"id": "T1119",
"name": "Automated Collection",
"display_name": "T1119 - Automated Collection"
},
{
"id": "T1129",
"name": "Shared Modules",
"display_name": "T1129 - Shared Modules"
},
{
"id": "T1143",
"name": "Hidden Window",
"display_name": "T1143 - Hidden Window"
},
{
"id": "T1063",
"name": "Security Software Discovery",
"display_name": "T1063 - Security Software Discovery"
},
{
"id": "T1027",
"name": "Obfuscated Files or Information",
"display_name": "T1027 - Obfuscated Files or Information"
},
{
"id": "T1071",
"name": "Application Layer Protocol",
"display_name": "T1071 - Application Layer Protocol"
},
{
"id": "T1518",
"name": "Software Discovery",
"display_name": "T1518 - Software Discovery"
},
{
"id": "T1553",
"name": "Subvert Trust Controls",
"display_name": "T1553 - Subvert Trust Controls"
},
{
"id": "T1568",
"name": "Dynamic Resolution",
"display_name": "T1568 - Dynamic Resolution"
},
{
"id": "T1583",
"name": "Acquire Infrastructure",
"display_name": "T1583 - Acquire Infrastructure"
},
{
"id": "T1069",
"name": "Permission Groups Discovery",
"display_name": "T1069 - Permission Groups Discovery"
},
{
"id": "T1105",
"name": "Ingress Tool Transfer",
"display_name": "T1105 - Ingress Tool Transfer"
},
{
"id": "T1113",
"name": "Screen Capture",
"display_name": "T1113 - Screen Capture"
},
{
"id": "T1140",
"name": "Deobfuscate/Decode Files or Information",
"display_name": "T1140 - Deobfuscate/Decode Files or Information"
},
{
"id": "T1197",
"name": "BITS Jobs",
"display_name": "T1197 - BITS Jobs"
},
{
"id": "T1210",
"name": "Exploitation of Remote Services",
"display_name": "T1210 - Exploitation of Remote Services"
},
{
"id": "T1457",
"name": "Malicious Media Content",
"display_name": "T1457 - Malicious Media Content"
},
{
"id": "T1480",
"name": "Execution Guardrails",
"display_name": "T1480 - Execution Guardrails"
},
{
"id": "T1562",
"name": "Impair Defenses",
"display_name": "T1562 - Impair Defenses"
},
{
"id": "T1574",
"name": "Hijack Execution Flow",
"display_name": "T1574 - Hijack Execution Flow"
}
],
"industries": [],
"TLP": "green",
"cloned_from": "69631fbd16e306ee2b76c4da",
"export_count": 0,
"upvotes_count": 0,
"downvotes_count": 0,
"votes_count": 0,
"locked": false,
"pulse_source": "web",
"validator_count": 0,
"comment_count": 1,
"follower_count": 0,
"vote": 0,
"author": {
"username": "Q.Vashti",
"id": "337942",
"avatar_url": "https://otx.alienvault.com/assets/images/default-avatar.png",
"is_subscribed": false,
"is_following": false
},
"indicator_type_counts": {
"URL": 8897,
"domain": 2102,
"hostname": 2867,
"FileHash-SHA256": 3886,
"FileHash-MD5": 619,
"FileHash-SHA1": 555,
"CVE": 3,
"email": 5,
"SSLCertFingerprint": 8
},
"indicator_count": 18942,
"is_author": false,
"is_subscribing": null,
"subscriber_count": 137,
"modified_text": "36 days ago ",
"is_modified": false,
"groups": [],
"in_group": false,
"threat_hunter_scannable": true,
"threat_hunter_has_agents": 1,
"related_indicator_type": "URL",
"related_indicator_is_active": 1
},
{
"id": "69b496396ca4987e95ad37d1",
"name": "Chris Buzz by QVashni (wow)",
"description": "",
"modified": "2026-03-13T22:56:57.314000",
"created": "2026-03-13T22:56:57.314000",
"tags": [
"related pulses",
"p1377925676",
"gaz1",
"sid1696503456",
"sct1",
"active",
"dynamicloader",
"medium",
"write c",
"search",
"show",
"high",
"program gateway",
"http traffic",
"http",
"write",
"malware",
"nivdort",
"serving ip",
"address",
"status code",
"kb body",
"sha256",
"gw5hjz7t975",
"url https",
"url http",
"indicator role",
"pulses url",
"hostname",
"poland unknown",
"present sep",
"present jul",
"present may",
"present apr",
"present dec",
"present jan",
"moved",
"passive dns",
"ip address",
"title",
"location poland",
"asn as29522",
"gmt content",
"accept encoding",
"ipv4 add",
"urls",
"files",
"reverse dns",
"united",
"record value",
"aaaa",
"mtb oct",
"found",
"error",
"read c",
"memcommit",
"module load",
"next",
"showing",
"trojan",
"execution",
"unknown",
"entries",
"ms windows",
"intel",
"as15169",
"codeoverlap",
"yara detections",
"delphi",
"worm",
"win32",
"win64",
"learn",
"ck id",
"name tactics",
"suspicious",
"informative",
"adversaries",
"command",
"spawns",
"ssl certificate",
"execution att",
"script urls",
"treece alfrey",
"meta",
"germany unknown",
"for privacy",
"title added",
"active related",
"pulses",
"asnone",
"named pipe",
"type indicator",
"role title",
"added active",
"filehashsha256",
"ally",
"melika",
"information",
"law christopher",
"https",
"fake pinterest",
"tsara",
"traceback man",
"expiro",
"capture",
"domain",
"types of",
"germany",
"poland",
"netherlands",
"cve cve20178977",
"boobs130432 nov",
"learn more",
"filehashmd5",
"utmsourceawin",
"pe32",
"head microsoft",
"delete",
"main",
"backdoor",
"next associated",
"gmt connection",
"control",
"content type",
"twitter",
"certificate",
"redirect date",
"cache",
"unknown ns",
"hostname add",
"ipv4",
"pulse pulses",
"location united",
"america flag",
"america asn",
"windows",
"total",
"ids detections",
"url add",
"related nids",
"files location",
"flag united",
"win32mydoom nov",
"domain add",
"yara rule",
"ee fc",
"ff d5",
"f0 ff",
"eb e1",
"ff ff",
"c1 e8",
"c1 c0",
"eb e8",
"mpress",
"cache control",
"x cache",
"date",
"name servers",
"arial",
"present aug",
"present jun",
"may god",
"hall render",
"palantir doing",
"jeffrey scott",
"jeffrey reimer",
"brian sabey",
"butt pirates",
"scott reimer",
"colorado",
"quasi government",
"workers compensation",
"eva lisa",
"eva reimer",
"sammie",
"montano mark",
"death threats",
"tulach",
"hired hit men",
"gay man",
"gay porn",
"concentra",
"corruption",
"palantir",
"foundry",
"grifter",
"warning",
"illegal",
"apple",
"contacted",
"ransom",
"dead",
"denver"
],
"references": [
"https://tamlegal.com/attorneys/christopher-p-ahmann/#breadcrumb \u2022 https://www.milehighmedia.com/en/movies",
"https://www.milehighmedia.com/legal/2257 \u2022 https://www.milehighmedia",
"www.milehighmedia.com \u2022 https://www.milehighmedia.com/en/Charlie-Dean/pornstar/49512",
"https://www.milehighmedia.com/en/login/index/aHR0cHMlM0ElMkYlMkZtZW1iZXJzLm1pbGVoaWdobWVkaWEuY29tJTJGZW4lMkZ2aWRlb3MlMkZzd2VldGhlYXJ0dmlkZW8lM0ZhbHVwJTNEQURqeF9ITjhfd1oweU96UnpsU3NNNUZLaVVxSzBXNEN0X3NmTFpKTGVJc3M2b0RVUzkwVmp6VllNVko5eFpmdENYcFNKd3IzOTNaMG1mOEpXeVhVeVZpLTJZYVRsaGd3M25DSDRpYnRwZ25BRC1zUFhDQVUycjZJOXo2WWtRMzNVWVFhMFZyWC1YckxvcnRkVjJZdEgxSDYxZ1lhMTFNS3RZSkEzY3FlSXhFQzhtSlAzSk1tbloySURMQXlMZndPcHozSFFiTzF4T0FseXJIQ0xYem1ldFElMkE=\t \thttp://www.milehighmedia.com/?ats=eyJhIjoyOTYzMTgsImMiOjU3OTYzNz",
"http://www.milehighmedia.com/legal\t \u2022 https://www.milehighmedia.com/en/pornstar/milehighmedia/Justin-Hunt/51017",
"https://www.milehighmedia.com/de/MileHighMedia/scene/129689?utm_source=271174&utm_medium=affiliate&utm_campaign=",
"http://www.milehighmedia.com/?ats=eyJhIjoyOTYzMTgsImMiOjU3OTYzNzc1LCJuIjo3NiwicyI6NT...",
"ttps://www.milehighmedia.com/scene/4404473/creampie-adventures-scene-2-sneaky-melanie",
"https://www.milehighmedia.com/join \u2022 https://www.milehighmedia.com/models \u2022 https://www.milehighmedia.com/movies",
"https://www.milehighmedia.com/model/59136/avi-love \u2022https://www.milehighmedia.com/model/60418/Justin-Hunt \u2022",
"https://www.milehighmedia.com/en/photo/milehighmedia/The-Mother-I-Cant-Resist/52380",
"https://www.milehighmedia.com/en/movies \u2022 https://www.milehighmedia.com/join",
"https://www.pornhub.com/gifs/search?search=tsara+lynn+brashears+lesbian",
"pornhub-e.com \u2022 www.pornhub.com \u2022",
"https://www.sweetheartvideo.com/tsara-brashears/ \u2022 www.sweetheartvideo.com",
"https://www.sweetheartvideo.com/en/?s=1?s=1&utm_source=272160&utm_medium=affiliate&utm_campaign=lovelezzies",
"https://www.sweetheartvideo.com/en/dvd/Lesbian-Massage/49895",
"https://www.sweetheartvideo.com/en/dvds \u2022 https://www.sweetheartvideo.com/en/login",
"https://www.sweetheartvideo.com/en/model/Mona-Wales/49601 \u2022 https://www.sweetheartvideo.com/en/scene/Truth-Dare--Boobs/130432 No Expiration\t0\t URL https://www.sweetheartvideo.com/it/model/Kristen-Scott/50432 \u2022 https://www.sweetheartvideo.com/model/63710/brandi-love",
"https://www.sweetheartvideo.com/scenes?models=63710",
"https://www.sweetheartvideo.com/model/63710/brandi-love",
"https://www.sweetheartvideo.com/scenes?models=63710",
"https://www.sweetheartvideo.com/it/model/Kristen-Scott/50432",
"https://www.sweetheartvideo.com/en/scene/Truth-Dare--Boobs/130432",
"https://www.milehighmedia.com/en/photo/milehighmedia/The-Mother-I-Cant-Resist/52380",
"https://www.vgt.pl/font/roboto/Roboto-Bold.eot \u2022",
"https://www.vgt.pl/94.152.152.233/images/logo.png",
"https://www.vgt.pl/94.152.156.22/logo.png \u2022 https://www.vgt.pl/css/",
"https://www.vgt.pl/favicon.ico",
"https://www.vgt.pl/font/fa/fontawesome-webfont.eot",
"https://www.vgt.pl/font/roboto/Roboto-Bold.ttf \u2022 https://www.vgt.pl/font/roboto/Roboto-Light.eot",
"https://www.vgt.pl/font/roboto/Roboto-Medium.ttf",
"https://www.vgt.pl/font/roboto/Roboto-Light.ttf \u2022",
"https://www.vgt.pl/static/js/bootstrap-typeahead.jstic/js/bootstrap-typeahead.js",
"https://www.vgt.pl/style/style.css \u2022 https://www.vgt.pl/font/roboto/Roboto-Medium.eot",
"https://www.vgt.pl/font/roboto/Roboto-Regular.ttf \u2022 https://www.vgt.pl/font/roboto/Roboto-Thin.eot",
"https://www.vgt.pl/static/js/bootstrap-typeahead.js.179.252.2",
"https://www.vgt.pl/font/roboto/Roboto-Thin.ttf \u2022 https://www.vgt.pl/static/js/bootstrap-typeahead.js",
"https://www.vgt.pl/font/roboto/Roboto-Regular.eot \u2022 https://www.vgt.pl/94.152.156.22/logo.png \u2022 https://www.vgt.pl/css/",
"vgt.pl \u2022 www.hak.vgt.pl \u2022 www.localhost.vgt.pl \u2022 www.certyfikat.vgt.pl \u2022 aristocrat.vgt.pl",
"https://www.vgt.pl/ phishing \u2022 https://vgt.pl/ \u2022www.vgt.pl \u2022 https://www.vgt.pl/94.152.152.233/images/logo.png",
"http://www.pornokind.vgt.pl \u2022 https://dbkuewww.m.vgt.pl \u2022 https://lokalnyhost.vgt.pl \u2022 www.xn--twj-hna.pedofil.vgt.pl",
"http://www.hak.vgt.pl \u2022 http://pornokind.vgt.pl \u2022 http://sip.vgt.pl \u2022 http://smtp-qa.vgt.pl \u2022 http://vgt.pl/*.",
"https://pornokind.vgt.pl \u2022 https://sip.vgt.pl \u2022 https://smtp-qa.vgt.pl \u2022 https://www.vgt.pl/94.152.156.22/logo.png",
"www.localhost.vgt.pl \u2022 www.certyfikat.vgt.pl \u2022 https://www.vgt.pl/94.152.152.233/images/logo.png",
"https://www.vgt.pl/css/ \u2022 https://www.vgt.pl/favicon.ico \u2022 https://www.vgt.pl/font/fa/fontawesome-webfont.eot",
"https://www.vgt.pl/font/roboto/Roboto-Bold.eot \u2022 https://www.vgt.pl/font/roboto/Roboto-Bold.ttf \u2022 https://www.vgt.pl/font/roboto/Roboto-Light.eot",
"https://www.vgt.pl/static/js/bootstrap-typeahead.jstic/js/bootstrap-typeahead.js",
"https://www.vgt.pl/style/style.css \u2022 https://www.vgt.pl/static/js/bootstrap-typeahead.js",
"IP Address 94.152.58.192 Location Poland ASN AS29522 h88 s.a. Nameservers ns1.kei.pl. , ns2.kei.pl.",
"www.happylifehappywife.com \u2022 http://www.happylifehappywife.com/2010/02/'>",
"http://www.happylifehappywife.com/2010/04/'> \u2022 http://www.happylifehappywife.com/2010/05/'>",
"http://www.happylifehappywife.com/2010/07/'> \u2022 http://www.happylifehappywife.com/2010/09/'>",
"http://www.happylifehappywife.com/2011/06/'> \u2022 http://www.happylifehappywife.com/2011/08/'",
"http://www.happylifehappywife.com/2011/08/'> \u2022 http://www.happylifehappywife.com/2012/07/'>",
"http://www.happylifehappywife.com/2013/03/'> \u2022 http://www.happylifehappywife.com/index.php",
"http://www.happylifehappywife.com/wp-content/themes/theme78222/images/top-right.jpg",
"https://amp.mypornvid.fun/videos/8/AhxS-ej1myg/gf-18-com/\ud83c\udf81-i39m-your-present-\ud83c\udf81-girlfriend-surprises-you-for-christmas-reunion-soft-kisses-amp-cuddles",
"8-25-220-162-static.reverse.queryfoundry.net\t\t\tNov 1, 2025, 9:34:14 AM\t\t5\t domain\tqueryfoundry.net\t\t\tNov 1, 2025, 9:34:14 AM\t\t8\t URL\thttp://117-114-251-162-static.reverse.queryfoundry.net/",
"http://watchhers.net/index.php",
"remotewd.com device local",
"nr-data.net \u2022 applemusic-spotlight.myunidays.com \u2022 init.ess.apple.com \u2022 tv.apple.com",
"https://browntubeporn.com/tsara-brashearsAccept-Language",
"https://cg864.myhotzpic.com phishing \u2022 http://dashboard.myhotzpic.com/",
"https://myhotzpic.com/tsara-brashears-hardcore-lesbian-sex/anime-studio.org*thumbs-fa...",
"https://mypornvid.com/videos/27/x510fb2/white-dpt-jeffrey-reimer-loves-pretty-indian-patient-forces-sex-3gp-video-tsara-brashears/caillou-finger",
"http://siteinlink.d1.cnbd.net/search/tsara-brashears-dead \u2022 http://siteinlink.d1.cnbd.net/site/maps.google.com.lb/",
"http://siteinlink.d1.cnbd.net/search/tsara-brashears-assaulted-by-jeffrey-reimer",
"http://siteinlink.d1.cnbd.net/search/tsara-brashears-dead \u2022 https://videolal.com/videos/tsara-brashears-dead-by-daylight.html",
"http://pixelrz.com/lists/keywords/tsara-brashears-dead/360 \u2022 http://pixelrz.com/lists/keywords/tsara-brashears-dead/360] No Expiration\t4\t Domain tsara-brashears-deadspin-twitter-suspended-account-help.ht",
"https://www.anyxxxtube.net/search-porn/tsara-brashears/",
"https://www.pornhub.com/gifs/search?search=tsara+lynn+brashears+lesbian",
"https://www.anyxxxtube.net/search-porn/tsara-brashears/",
"https://twitter.com/PORNO_SEXYBABES \u2022 girlsdoporn.com",
"Treece Alfrey Musat P.C. Attorneys at Law Christopher P. Ahmann | https://TamLegal.com",
"https://urlscan.io/screenshots/e931bb02-80dc-46db-92f0-43d5afa258be.png"
],
"public": 1,
"adversary": "",
"targeted_countries": [],
"malware_families": [
{
"id": "TrojanSpy:Win32/Nivdort",
"display_name": "TrojanSpy:Win32/Nivdort",
"target": "/malware/TrojanSpy:Win32/Nivdort"
},
{
"id": "Worm:Win32/Autorun",
"display_name": "Worm:Win32/Autorun",
"target": "/malware/Worm:Win32/Autorun"
},
{
"id": "Tofsee",
"display_name": "Tofsee",
"target": null
},
{
"id": "Jaik",
"display_name": "Jaik",
"target": null
},
{
"id": "Trojan:Win32/Qshell",
"display_name": "Trojan:Win32/Qshell",
"target": "/malware/Trojan:Win32/Qshell"
},
{
"id": "Trojan:Win32/Mydoom",
"display_name": "Trojan:Win32/Mydoom",
"target": "/malware/Trojan:Win32/Mydoom"
}
],
"attack_ids": [
{
"id": "T1045",
"name": "Software Packing",
"display_name": "T1045 - Software Packing"
},
{
"id": "T1057",
"name": "Process Discovery",
"display_name": "T1057 - Process Discovery"
},
{
"id": "T1060",
"name": "Registry Run Keys / Startup Folder",
"display_name": "T1060 - Registry Run Keys / Startup Folder"
},
{
"id": "T1053",
"name": "Scheduled Task/Job",
"display_name": "T1053 - Scheduled Task/Job"
},
{
"id": "T1055",
"name": "Process Injection",
"display_name": "T1055 - Process Injection"
},
{
"id": "T1082",
"name": "System Information Discovery",
"display_name": "T1082 - System Information Discovery"
},
{
"id": "T1112",
"name": "Modify Registry",
"display_name": "T1112 - Modify Registry"
},
{
"id": "T1119",
"name": "Automated Collection",
"display_name": "T1119 - Automated Collection"
},
{
"id": "T1129",
"name": "Shared Modules",
"display_name": "T1129 - Shared Modules"
},
{
"id": "T1143",
"name": "Hidden Window",
"display_name": "T1143 - Hidden Window"
},
{
"id": "T1063",
"name": "Security Software Discovery",
"display_name": "T1063 - Security Software Discovery"
},
{
"id": "T1027",
"name": "Obfuscated Files or Information",
"display_name": "T1027 - Obfuscated Files or Information"
},
{
"id": "T1071",
"name": "Application Layer Protocol",
"display_name": "T1071 - Application Layer Protocol"
},
{
"id": "T1518",
"name": "Software Discovery",
"display_name": "T1518 - Software Discovery"
},
{
"id": "T1553",
"name": "Subvert Trust Controls",
"display_name": "T1553 - Subvert Trust Controls"
},
{
"id": "T1568",
"name": "Dynamic Resolution",
"display_name": "T1568 - Dynamic Resolution"
},
{
"id": "T1583",
"name": "Acquire Infrastructure",
"display_name": "T1583 - Acquire Infrastructure"
},
{
"id": "T1069",
"name": "Permission Groups Discovery",
"display_name": "T1069 - Permission Groups Discovery"
},
{
"id": "T1105",
"name": "Ingress Tool Transfer",
"display_name": "T1105 - Ingress Tool Transfer"
},
{
"id": "T1113",
"name": "Screen Capture",
"display_name": "T1113 - Screen Capture"
},
{
"id": "T1140",
"name": "Deobfuscate/Decode Files or Information",
"display_name": "T1140 - Deobfuscate/Decode Files or Information"
},
{
"id": "T1197",
"name": "BITS Jobs",
"display_name": "T1197 - BITS Jobs"
},
{
"id": "T1210",
"name": "Exploitation of Remote Services",
"display_name": "T1210 - Exploitation of Remote Services"
},
{
"id": "T1457",
"name": "Malicious Media Content",
"display_name": "T1457 - Malicious Media Content"
},
{
"id": "T1480",
"name": "Execution Guardrails",
"display_name": "T1480 - Execution Guardrails"
},
{
"id": "T1562",
"name": "Impair Defenses",
"display_name": "T1562 - Impair Defenses"
},
{
"id": "T1574",
"name": "Hijack Execution Flow",
"display_name": "T1574 - Hijack Execution Flow"
}
],
"industries": [],
"TLP": "green",
"cloned_from": "69482caa00d327da8f0a87bc",
"export_count": 0,
"upvotes_count": 0,
"downvotes_count": 0,
"votes_count": 0,
"locked": false,
"pulse_source": "web",
"validator_count": 0,
"comment_count": 0,
"follower_count": 0,
"vote": 0,
"author": {
"username": "msudosos",
"id": "381696",
"avatar_url": "https://otx.alienvault.com/assets/images/default-avatar.png",
"is_subscribed": false,
"is_following": false
},
"indicator_type_counts": {
"URL": 8897,
"domain": 2102,
"hostname": 2867,
"FileHash-SHA256": 3886,
"FileHash-MD5": 619,
"FileHash-SHA1": 555,
"CVE": 3,
"email": 5,
"SSLCertFingerprint": 8
},
"indicator_count": 18942,
"is_author": false,
"is_subscribing": null,
"subscriber_count": 47,
"modified_text": "36 days ago ",
"is_modified": false,
"groups": [],
"in_group": false,
"threat_hunter_scannable": true,
"threat_hunter_has_agents": 1,
"related_indicator_type": "URL",
"related_indicator_is_active": 1
},
{
"id": "69b49587dd104e342dda1628",
"name": "C Ahman Attorney Clone by Top Tier, Q.Vashti",
"description": "",
"modified": "2026-03-13T22:53:59.112000",
"created": "2026-03-13T22:53:59.112000",
"tags": [
"related pulses",
"p1377925676",
"gaz1",
"sid1696503456",
"sct1",
"active",
"dynamicloader",
"medium",
"write c",
"search",
"show",
"high",
"program gateway",
"http traffic",
"http",
"write",
"malware",
"nivdort",
"serving ip",
"address",
"status code",
"kb body",
"sha256",
"gw5hjz7t975",
"url https",
"url http",
"indicator role",
"pulses url",
"hostname",
"poland unknown",
"present sep",
"present jul",
"present may",
"present apr",
"present dec",
"present jan",
"moved",
"passive dns",
"ip address",
"title",
"location poland",
"asn as29522",
"gmt content",
"accept encoding",
"ipv4 add",
"urls",
"files",
"reverse dns",
"united",
"record value",
"aaaa",
"mtb oct",
"found",
"error",
"read c",
"memcommit",
"module load",
"next",
"showing",
"trojan",
"execution",
"unknown",
"entries",
"ms windows",
"intel",
"as15169",
"codeoverlap",
"yara detections",
"delphi",
"worm",
"win32",
"win64",
"learn",
"ck id",
"name tactics",
"suspicious",
"informative",
"adversaries",
"command",
"spawns",
"ssl certificate",
"execution att",
"script urls",
"treece alfrey",
"meta",
"germany unknown",
"for privacy",
"title added",
"active related",
"pulses",
"asnone",
"named pipe",
"type indicator",
"role title",
"added active",
"filehashsha256",
"ally",
"melika",
"information",
"law christopher",
"https",
"fake pinterest",
"tsara",
"traceback man",
"expiro",
"capture",
"domain",
"types of",
"germany",
"poland",
"netherlands",
"cve cve20178977",
"boobs130432 nov",
"learn more",
"filehashmd5",
"utmsourceawin",
"pe32",
"head microsoft",
"delete",
"main",
"backdoor",
"next associated",
"gmt connection",
"control",
"content type",
"twitter",
"certificate",
"redirect date",
"cache",
"unknown ns",
"hostname add",
"ipv4",
"pulse pulses",
"location united",
"america flag",
"america asn",
"windows",
"total",
"ids detections",
"url add",
"related nids",
"files location",
"flag united",
"win32mydoom nov",
"domain add",
"yara rule",
"ee fc",
"ff d5",
"f0 ff",
"eb e1",
"ff ff",
"c1 e8",
"c1 c0",
"eb e8",
"mpress",
"cache control",
"x cache",
"date",
"name servers",
"arial",
"present aug",
"present jun",
"may god",
"hall render",
"palantir doing",
"jeffrey scott",
"jeffrey reimer",
"brian sabey",
"butt pirates",
"scott reimer",
"colorado",
"quasi government",
"workers compensation",
"eva lisa",
"eva reimer",
"sammie",
"montano mark",
"death threats",
"tulach",
"hired hit men",
"gay man",
"gay porn",
"concentra",
"corruption",
"palantir",
"foundry",
"grifter",
"warning",
"illegal",
"apple",
"contacted",
"ransom",
"dead",
"denver"
],
"references": [
"https://tamlegal.com/attorneys/christopher-p-ahmann/#breadcrumb \u2022 https://www.milehighmedia.com/en/movies",
"https://www.milehighmedia.com/legal/2257 \u2022 https://www.milehighmedia",
"www.milehighmedia.com \u2022 https://www.milehighmedia.com/en/Charlie-Dean/pornstar/49512",
"https://www.milehighmedia.com/en/login/index/aHR0cHMlM0ElMkYlMkZtZW1iZXJzLm1pbGVoaWdobWVkaWEuY29tJTJGZW4lMkZ2aWRlb3MlMkZzd2VldGhlYXJ0dmlkZW8lM0ZhbHVwJTNEQURqeF9ITjhfd1oweU96UnpsU3NNNUZLaVVxSzBXNEN0X3NmTFpKTGVJc3M2b0RVUzkwVmp6VllNVko5eFpmdENYcFNKd3IzOTNaMG1mOEpXeVhVeVZpLTJZYVRsaGd3M25DSDRpYnRwZ25BRC1zUFhDQVUycjZJOXo2WWtRMzNVWVFhMFZyWC1YckxvcnRkVjJZdEgxSDYxZ1lhMTFNS3RZSkEzY3FlSXhFQzhtSlAzSk1tbloySURMQXlMZndPcHozSFFiTzF4T0FseXJIQ0xYem1ldFElMkE=\t \thttp://www.milehighmedia.com/?ats=eyJhIjoyOTYzMTgsImMiOjU3OTYzNz",
"http://www.milehighmedia.com/legal\t \u2022 https://www.milehighmedia.com/en/pornstar/milehighmedia/Justin-Hunt/51017",
"https://www.milehighmedia.com/de/MileHighMedia/scene/129689?utm_source=271174&utm_medium=affiliate&utm_campaign=",
"http://www.milehighmedia.com/?ats=eyJhIjoyOTYzMTgsImMiOjU3OTYzNzc1LCJuIjo3NiwicyI6NT...",
"ttps://www.milehighmedia.com/scene/4404473/creampie-adventures-scene-2-sneaky-melanie",
"https://www.milehighmedia.com/join \u2022 https://www.milehighmedia.com/models \u2022 https://www.milehighmedia.com/movies",
"https://www.milehighmedia.com/model/59136/avi-love \u2022https://www.milehighmedia.com/model/60418/Justin-Hunt \u2022",
"https://www.milehighmedia.com/en/photo/milehighmedia/The-Mother-I-Cant-Resist/52380",
"https://www.milehighmedia.com/en/movies \u2022 https://www.milehighmedia.com/join",
"https://www.pornhub.com/gifs/search?search=tsara+lynn+brashears+lesbian",
"pornhub-e.com \u2022 www.pornhub.com \u2022",
"https://www.sweetheartvideo.com/tsara-brashears/ \u2022 www.sweetheartvideo.com",
"https://www.sweetheartvideo.com/en/?s=1?s=1&utm_source=272160&utm_medium=affiliate&utm_campaign=lovelezzies",
"https://www.sweetheartvideo.com/en/dvd/Lesbian-Massage/49895",
"https://www.sweetheartvideo.com/en/dvds \u2022 https://www.sweetheartvideo.com/en/login",
"https://www.sweetheartvideo.com/en/model/Mona-Wales/49601 \u2022 https://www.sweetheartvideo.com/en/scene/Truth-Dare--Boobs/130432 No Expiration\t0\t URL https://www.sweetheartvideo.com/it/model/Kristen-Scott/50432 \u2022 https://www.sweetheartvideo.com/model/63710/brandi-love",
"https://www.sweetheartvideo.com/scenes?models=63710",
"https://www.sweetheartvideo.com/model/63710/brandi-love",
"https://www.sweetheartvideo.com/scenes?models=63710",
"https://www.sweetheartvideo.com/it/model/Kristen-Scott/50432",
"https://www.sweetheartvideo.com/en/scene/Truth-Dare--Boobs/130432",
"https://www.milehighmedia.com/en/photo/milehighmedia/The-Mother-I-Cant-Resist/52380",
"https://www.vgt.pl/font/roboto/Roboto-Bold.eot \u2022",
"https://www.vgt.pl/94.152.152.233/images/logo.png",
"https://www.vgt.pl/94.152.156.22/logo.png \u2022 https://www.vgt.pl/css/",
"https://www.vgt.pl/favicon.ico",
"https://www.vgt.pl/font/fa/fontawesome-webfont.eot",
"https://www.vgt.pl/font/roboto/Roboto-Bold.ttf \u2022 https://www.vgt.pl/font/roboto/Roboto-Light.eot",
"https://www.vgt.pl/font/roboto/Roboto-Medium.ttf",
"https://www.vgt.pl/font/roboto/Roboto-Light.ttf \u2022",
"https://www.vgt.pl/static/js/bootstrap-typeahead.jstic/js/bootstrap-typeahead.js",
"https://www.vgt.pl/style/style.css \u2022 https://www.vgt.pl/font/roboto/Roboto-Medium.eot",
"https://www.vgt.pl/font/roboto/Roboto-Regular.ttf \u2022 https://www.vgt.pl/font/roboto/Roboto-Thin.eot",
"https://www.vgt.pl/static/js/bootstrap-typeahead.js.179.252.2",
"https://www.vgt.pl/font/roboto/Roboto-Thin.ttf \u2022 https://www.vgt.pl/static/js/bootstrap-typeahead.js",
"https://www.vgt.pl/font/roboto/Roboto-Regular.eot \u2022 https://www.vgt.pl/94.152.156.22/logo.png \u2022 https://www.vgt.pl/css/",
"vgt.pl \u2022 www.hak.vgt.pl \u2022 www.localhost.vgt.pl \u2022 www.certyfikat.vgt.pl \u2022 aristocrat.vgt.pl",
"https://www.vgt.pl/ phishing \u2022 https://vgt.pl/ \u2022www.vgt.pl \u2022 https://www.vgt.pl/94.152.152.233/images/logo.png",
"http://www.pornokind.vgt.pl \u2022 https://dbkuewww.m.vgt.pl \u2022 https://lokalnyhost.vgt.pl \u2022 www.xn--twj-hna.pedofil.vgt.pl",
"http://www.hak.vgt.pl \u2022 http://pornokind.vgt.pl \u2022 http://sip.vgt.pl \u2022 http://smtp-qa.vgt.pl \u2022 http://vgt.pl/*.",
"https://pornokind.vgt.pl \u2022 https://sip.vgt.pl \u2022 https://smtp-qa.vgt.pl \u2022 https://www.vgt.pl/94.152.156.22/logo.png",
"www.localhost.vgt.pl \u2022 www.certyfikat.vgt.pl \u2022 https://www.vgt.pl/94.152.152.233/images/logo.png",
"https://www.vgt.pl/css/ \u2022 https://www.vgt.pl/favicon.ico \u2022 https://www.vgt.pl/font/fa/fontawesome-webfont.eot",
"https://www.vgt.pl/font/roboto/Roboto-Bold.eot \u2022 https://www.vgt.pl/font/roboto/Roboto-Bold.ttf \u2022 https://www.vgt.pl/font/roboto/Roboto-Light.eot",
"https://www.vgt.pl/static/js/bootstrap-typeahead.jstic/js/bootstrap-typeahead.js",
"https://www.vgt.pl/style/style.css \u2022 https://www.vgt.pl/static/js/bootstrap-typeahead.js",
"IP Address 94.152.58.192 Location Poland ASN AS29522 h88 s.a. Nameservers ns1.kei.pl. , ns2.kei.pl.",
"www.happylifehappywife.com \u2022 http://www.happylifehappywife.com/2010/02/'>",
"http://www.happylifehappywife.com/2010/04/'> \u2022 http://www.happylifehappywife.com/2010/05/'>",
"http://www.happylifehappywife.com/2010/07/'> \u2022 http://www.happylifehappywife.com/2010/09/'>",
"http://www.happylifehappywife.com/2011/06/'> \u2022 http://www.happylifehappywife.com/2011/08/'",
"http://www.happylifehappywife.com/2011/08/'> \u2022 http://www.happylifehappywife.com/2012/07/'>",
"http://www.happylifehappywife.com/2013/03/'> \u2022 http://www.happylifehappywife.com/index.php",
"http://www.happylifehappywife.com/wp-content/themes/theme78222/images/top-right.jpg",
"https://amp.mypornvid.fun/videos/8/AhxS-ej1myg/gf-18-com/\ud83c\udf81-i39m-your-present-\ud83c\udf81-girlfriend-surprises-you-for-christmas-reunion-soft-kisses-amp-cuddles",
"8-25-220-162-static.reverse.queryfoundry.net\t\t\tNov 1, 2025, 9:34:14 AM\t\t5\t domain\tqueryfoundry.net\t\t\tNov 1, 2025, 9:34:14 AM\t\t8\t URL\thttp://117-114-251-162-static.reverse.queryfoundry.net/",
"http://watchhers.net/index.php",
"remotewd.com device local",
"nr-data.net \u2022 applemusic-spotlight.myunidays.com \u2022 init.ess.apple.com \u2022 tv.apple.com",
"https://browntubeporn.com/tsara-brashearsAccept-Language",
"https://cg864.myhotzpic.com phishing \u2022 http://dashboard.myhotzpic.com/",
"https://myhotzpic.com/tsara-brashears-hardcore-lesbian-sex/anime-studio.org*thumbs-fa...",
"https://mypornvid.com/videos/27/x510fb2/white-dpt-jeffrey-reimer-loves-pretty-indian-patient-forces-sex-3gp-video-tsara-brashears/caillou-finger",
"http://siteinlink.d1.cnbd.net/search/tsara-brashears-dead \u2022 http://siteinlink.d1.cnbd.net/site/maps.google.com.lb/",
"http://siteinlink.d1.cnbd.net/search/tsara-brashears-assaulted-by-jeffrey-reimer",
"http://siteinlink.d1.cnbd.net/search/tsara-brashears-dead \u2022 https://videolal.com/videos/tsara-brashears-dead-by-daylight.html",
"http://pixelrz.com/lists/keywords/tsara-brashears-dead/360 \u2022 http://pixelrz.com/lists/keywords/tsara-brashears-dead/360] No Expiration\t4\t Domain tsara-brashears-deadspin-twitter-suspended-account-help.ht",
"https://www.anyxxxtube.net/search-porn/tsara-brashears/",
"https://www.pornhub.com/gifs/search?search=tsara+lynn+brashears+lesbian",
"https://www.anyxxxtube.net/search-porn/tsara-brashears/",
"https://twitter.com/PORNO_SEXYBABES \u2022 girlsdoporn.com",
"Treece Alfrey Musat P.C. Attorneys at Law Christopher P. Ahmann | https://TamLegal.com",
"https://urlscan.io/screenshots/e931bb02-80dc-46db-92f0-43d5afa258be.png"
],
"public": 1,
"adversary": "",
"targeted_countries": [],
"malware_families": [
{
"id": "TrojanSpy:Win32/Nivdort",
"display_name": "TrojanSpy:Win32/Nivdort",
"target": "/malware/TrojanSpy:Win32/Nivdort"
},
{
"id": "Worm:Win32/Autorun",
"display_name": "Worm:Win32/Autorun",
"target": "/malware/Worm:Win32/Autorun"
},
{
"id": "Tofsee",
"display_name": "Tofsee",
"target": null
},
{
"id": "Jaik",
"display_name": "Jaik",
"target": null
},
{
"id": "Trojan:Win32/Qshell",
"display_name": "Trojan:Win32/Qshell",
"target": "/malware/Trojan:Win32/Qshell"
},
{
"id": "Trojan:Win32/Mydoom",
"display_name": "Trojan:Win32/Mydoom",
"target": "/malware/Trojan:Win32/Mydoom"
}
],
"attack_ids": [
{
"id": "T1045",
"name": "Software Packing",
"display_name": "T1045 - Software Packing"
},
{
"id": "T1057",
"name": "Process Discovery",
"display_name": "T1057 - Process Discovery"
},
{
"id": "T1060",
"name": "Registry Run Keys / Startup Folder",
"display_name": "T1060 - Registry Run Keys / Startup Folder"
},
{
"id": "T1053",
"name": "Scheduled Task/Job",
"display_name": "T1053 - Scheduled Task/Job"
},
{
"id": "T1055",
"name": "Process Injection",
"display_name": "T1055 - Process Injection"
},
{
"id": "T1082",
"name": "System Information Discovery",
"display_name": "T1082 - System Information Discovery"
},
{
"id": "T1112",
"name": "Modify Registry",
"display_name": "T1112 - Modify Registry"
},
{
"id": "T1119",
"name": "Automated Collection",
"display_name": "T1119 - Automated Collection"
},
{
"id": "T1129",
"name": "Shared Modules",
"display_name": "T1129 - Shared Modules"
},
{
"id": "T1143",
"name": "Hidden Window",
"display_name": "T1143 - Hidden Window"
},
{
"id": "T1063",
"name": "Security Software Discovery",
"display_name": "T1063 - Security Software Discovery"
},
{
"id": "T1027",
"name": "Obfuscated Files or Information",
"display_name": "T1027 - Obfuscated Files or Information"
},
{
"id": "T1071",
"name": "Application Layer Protocol",
"display_name": "T1071 - Application Layer Protocol"
},
{
"id": "T1518",
"name": "Software Discovery",
"display_name": "T1518 - Software Discovery"
},
{
"id": "T1553",
"name": "Subvert Trust Controls",
"display_name": "T1553 - Subvert Trust Controls"
},
{
"id": "T1568",
"name": "Dynamic Resolution",
"display_name": "T1568 - Dynamic Resolution"
},
{
"id": "T1583",
"name": "Acquire Infrastructure",
"display_name": "T1583 - Acquire Infrastructure"
},
{
"id": "T1069",
"name": "Permission Groups Discovery",
"display_name": "T1069 - Permission Groups Discovery"
},
{
"id": "T1105",
"name": "Ingress Tool Transfer",
"display_name": "T1105 - Ingress Tool Transfer"
},
{
"id": "T1113",
"name": "Screen Capture",
"display_name": "T1113 - Screen Capture"
},
{
"id": "T1140",
"name": "Deobfuscate/Decode Files or Information",
"display_name": "T1140 - Deobfuscate/Decode Files or Information"
},
{
"id": "T1197",
"name": "BITS Jobs",
"display_name": "T1197 - BITS Jobs"
},
{
"id": "T1210",
"name": "Exploitation of Remote Services",
"display_name": "T1210 - Exploitation of Remote Services"
},
{
"id": "T1457",
"name": "Malicious Media Content",
"display_name": "T1457 - Malicious Media Content"
},
{
"id": "T1480",
"name": "Execution Guardrails",
"display_name": "T1480 - Execution Guardrails"
},
{
"id": "T1562",
"name": "Impair Defenses",
"display_name": "T1562 - Impair Defenses"
},
{
"id": "T1574",
"name": "Hijack Execution Flow",
"display_name": "T1574 - Hijack Execution Flow"
}
],
"industries": [],
"TLP": "green",
"cloned_from": "691f4d4ef0a2a570b8b21cd2",
"export_count": 0,
"upvotes_count": 0,
"downvotes_count": 0,
"votes_count": 0,
"locked": false,
"pulse_source": "web",
"validator_count": 0,
"comment_count": 0,
"follower_count": 0,
"vote": 0,
"author": {
"username": "msudosos",
"id": "381696",
"avatar_url": "https://otx.alienvault.com/assets/images/default-avatar.png",
"is_subscribed": false,
"is_following": false
},
"indicator_type_counts": {
"URL": 8897,
"domain": 2102,
"hostname": 2867,
"FileHash-SHA256": 3886,
"FileHash-MD5": 619,
"FileHash-SHA1": 555,
"CVE": 3,
"email": 5,
"SSLCertFingerprint": 8
},
"indicator_count": 18942,
"is_author": false,
"is_subscribing": null,
"subscriber_count": 47,
"modified_text": "36 days ago ",
"is_modified": false,
"groups": [],
"in_group": false,
"threat_hunter_scannable": true,
"threat_hunter_has_agents": 1,
"related_indicator_type": "URL",
"related_indicator_is_active": 1
},
{
"id": "691f4d4ef0a2a570b8b21cd2",
"name": "Chris P. Ahmann Colorado State Criminal Defense Attorney",
"description": "Chris P. Ahmann Colorado State Criminal Defense attorney hired by quasi government Workers Compensation to completely destroy Tsara Brashears literally to death. None of her spinal cord injuries , and other assault injuries discussed or compensated for in rushed settlement case. Her awful racist attorney refused to represent plaintiffs in hearing. Never met with in person for no good reason. Tsara represented herself. Less that 24 hour notice. No briefings, no awareness or mention that Ahmann was representing Jeffrey Scott Reimer for assault\n case. Brashears required 24 hour care by end of life. Received 0 workers compsarion payments. But if this doesn\u2019t prove Reimer\u2019s guilt what does? Continued harassment of associated. \n\nNotice the outages? You\u2019ve cost BILLIONS? Stop threatening everyone.",
"modified": "2026-01-20T17:02:02.650000",
"created": "2025-11-20T17:18:06.929000",
"tags": [
"related pulses",
"p1377925676",
"gaz1",
"sid1696503456",
"sct1",
"active",
"dynamicloader",
"medium",
"write c",
"search",
"show",
"high",
"program gateway",
"http traffic",
"http",
"write",
"malware",
"nivdort",
"serving ip",
"address",
"status code",
"kb body",
"sha256",
"gw5hjz7t975",
"url https",
"url http",
"indicator role",
"pulses url",
"hostname",
"poland unknown",
"present sep",
"present jul",
"present may",
"present apr",
"present dec",
"present jan",
"moved",
"passive dns",
"ip address",
"title",
"location poland",
"asn as29522",
"gmt content",
"accept encoding",
"ipv4 add",
"urls",
"files",
"reverse dns",
"united",
"record value",
"aaaa",
"mtb oct",
"found",
"error",
"read c",
"memcommit",
"module load",
"next",
"showing",
"trojan",
"execution",
"unknown",
"entries",
"ms windows",
"intel",
"as15169",
"codeoverlap",
"yara detections",
"delphi",
"worm",
"win32",
"win64",
"learn",
"ck id",
"name tactics",
"suspicious",
"informative",
"adversaries",
"command",
"spawns",
"ssl certificate",
"execution att",
"script urls",
"treece alfrey",
"meta",
"germany unknown",
"for privacy",
"title added",
"active related",
"pulses",
"asnone",
"named pipe",
"type indicator",
"role title",
"added active",
"filehashsha256",
"ally",
"melika",
"information",
"law christopher",
"https",
"fake pinterest",
"tsara",
"traceback man",
"expiro",
"capture",
"domain",
"types of",
"germany",
"poland",
"netherlands",
"cve cve20178977",
"boobs130432 nov",
"learn more",
"filehashmd5",
"utmsourceawin",
"pe32",
"head microsoft",
"delete",
"main",
"backdoor",
"next associated",
"gmt connection",
"control",
"content type",
"twitter",
"certificate",
"redirect date",
"cache",
"unknown ns",
"hostname add",
"ipv4",
"pulse pulses",
"location united",
"america flag",
"america asn",
"windows",
"total",
"ids detections",
"url add",
"related nids",
"files location",
"flag united",
"win32mydoom nov",
"domain add",
"yara rule",
"ee fc",
"ff d5",
"f0 ff",
"eb e1",
"ff ff",
"c1 e8",
"c1 c0",
"eb e8",
"mpress",
"cache control",
"x cache",
"date",
"name servers",
"arial",
"present aug",
"present jun",
"may god",
"hall render",
"palantir doing",
"jeffrey scott",
"jeffrey reimer",
"brian sabey",
"butt pirates",
"scott reimer",
"colorado",
"quasi government",
"workers compensation",
"eva lisa",
"eva reimer",
"sammie",
"montano mark",
"death threats",
"tulach",
"hired hit men",
"gay man",
"gay porn",
"concentra",
"corruption",
"palantir",
"foundry",
"grifter",
"warning",
"illegal",
"apple",
"contacted",
"ransom",
"dead",
"denver"
],
"references": [
"https://tamlegal.com/attorneys/christopher-p-ahmann/#breadcrumb \u2022 https://www.milehighmedia.com/en/movies",
"https://www.milehighmedia.com/legal/2257 \u2022 https://www.milehighmedia",
"www.milehighmedia.com \u2022 https://www.milehighmedia.com/en/Charlie-Dean/pornstar/49512",
"https://www.milehighmedia.com/en/login/index/aHR0cHMlM0ElMkYlMkZtZW1iZXJzLm1pbGVoaWdobWVkaWEuY29tJTJGZW4lMkZ2aWRlb3MlMkZzd2VldGhlYXJ0dmlkZW8lM0ZhbHVwJTNEQURqeF9ITjhfd1oweU96UnpsU3NNNUZLaVVxSzBXNEN0X3NmTFpKTGVJc3M2b0RVUzkwVmp6VllNVko5eFpmdENYcFNKd3IzOTNaMG1mOEpXeVhVeVZpLTJZYVRsaGd3M25DSDRpYnRwZ25BRC1zUFhDQVUycjZJOXo2WWtRMzNVWVFhMFZyWC1YckxvcnRkVjJZdEgxSDYxZ1lhMTFNS3RZSkEzY3FlSXhFQzhtSlAzSk1tbloySURMQXlMZndPcHozSFFiTzF4T0FseXJIQ0xYem1ldFElMkE=\t \thttp://www.milehighmedia.com/?ats=eyJhIjoyOTYzMTgsImMiOjU3OTYzNz",
"http://www.milehighmedia.com/legal\t \u2022 https://www.milehighmedia.com/en/pornstar/milehighmedia/Justin-Hunt/51017",
"https://www.milehighmedia.com/de/MileHighMedia/scene/129689?utm_source=271174&utm_medium=affiliate&utm_campaign=",
"http://www.milehighmedia.com/?ats=eyJhIjoyOTYzMTgsImMiOjU3OTYzNzc1LCJuIjo3NiwicyI6NT...",
"ttps://www.milehighmedia.com/scene/4404473/creampie-adventures-scene-2-sneaky-melanie",
"https://www.milehighmedia.com/join \u2022 https://www.milehighmedia.com/models \u2022 https://www.milehighmedia.com/movies",
"https://www.milehighmedia.com/model/59136/avi-love \u2022https://www.milehighmedia.com/model/60418/Justin-Hunt \u2022",
"https://www.milehighmedia.com/en/photo/milehighmedia/The-Mother-I-Cant-Resist/52380",
"https://www.milehighmedia.com/en/movies \u2022 https://www.milehighmedia.com/join",
"https://www.pornhub.com/gifs/search?search=tsara+lynn+brashears+lesbian",
"pornhub-e.com \u2022 www.pornhub.com \u2022",
"https://www.sweetheartvideo.com/tsara-brashears/ \u2022 www.sweetheartvideo.com",
"https://www.sweetheartvideo.com/en/?s=1?s=1&utm_source=272160&utm_medium=affiliate&utm_campaign=lovelezzies",
"https://www.sweetheartvideo.com/en/dvd/Lesbian-Massage/49895",
"https://www.sweetheartvideo.com/en/dvds \u2022 https://www.sweetheartvideo.com/en/login",
"https://www.sweetheartvideo.com/en/model/Mona-Wales/49601 \u2022 https://www.sweetheartvideo.com/en/scene/Truth-Dare--Boobs/130432 No Expiration\t0\t URL https://www.sweetheartvideo.com/it/model/Kristen-Scott/50432 \u2022 https://www.sweetheartvideo.com/model/63710/brandi-love",
"https://www.sweetheartvideo.com/scenes?models=63710",
"https://www.sweetheartvideo.com/model/63710/brandi-love",
"https://www.sweetheartvideo.com/scenes?models=63710",
"https://www.sweetheartvideo.com/it/model/Kristen-Scott/50432",
"https://www.sweetheartvideo.com/en/scene/Truth-Dare--Boobs/130432",
"https://www.milehighmedia.com/en/photo/milehighmedia/The-Mother-I-Cant-Resist/52380",
"https://www.vgt.pl/font/roboto/Roboto-Bold.eot \u2022",
"https://www.vgt.pl/94.152.152.233/images/logo.png",
"https://www.vgt.pl/94.152.156.22/logo.png \u2022 https://www.vgt.pl/css/",
"https://www.vgt.pl/favicon.ico",
"https://www.vgt.pl/font/fa/fontawesome-webfont.eot",
"https://www.vgt.pl/font/roboto/Roboto-Bold.ttf \u2022 https://www.vgt.pl/font/roboto/Roboto-Light.eot",
"https://www.vgt.pl/font/roboto/Roboto-Medium.ttf",
"https://www.vgt.pl/font/roboto/Roboto-Light.ttf \u2022",
"https://www.vgt.pl/static/js/bootstrap-typeahead.jstic/js/bootstrap-typeahead.js",
"https://www.vgt.pl/style/style.css \u2022 https://www.vgt.pl/font/roboto/Roboto-Medium.eot",
"https://www.vgt.pl/font/roboto/Roboto-Regular.ttf \u2022 https://www.vgt.pl/font/roboto/Roboto-Thin.eot",
"https://www.vgt.pl/static/js/bootstrap-typeahead.js.179.252.2",
"https://www.vgt.pl/font/roboto/Roboto-Thin.ttf \u2022 https://www.vgt.pl/static/js/bootstrap-typeahead.js",
"https://www.vgt.pl/font/roboto/Roboto-Regular.eot \u2022 https://www.vgt.pl/94.152.156.22/logo.png \u2022 https://www.vgt.pl/css/",
"vgt.pl \u2022 www.hak.vgt.pl \u2022 www.localhost.vgt.pl \u2022 www.certyfikat.vgt.pl \u2022 aristocrat.vgt.pl",
"https://www.vgt.pl/ phishing \u2022 https://vgt.pl/ \u2022www.vgt.pl \u2022 https://www.vgt.pl/94.152.152.233/images/logo.png",
"http://www.pornokind.vgt.pl \u2022 https://dbkuewww.m.vgt.pl \u2022 https://lokalnyhost.vgt.pl \u2022 www.xn--twj-hna.pedofil.vgt.pl",
"http://www.hak.vgt.pl \u2022 http://pornokind.vgt.pl \u2022 http://sip.vgt.pl \u2022 http://smtp-qa.vgt.pl \u2022 http://vgt.pl/*.",
"https://pornokind.vgt.pl \u2022 https://sip.vgt.pl \u2022 https://smtp-qa.vgt.pl \u2022 https://www.vgt.pl/94.152.156.22/logo.png",
"www.localhost.vgt.pl \u2022 www.certyfikat.vgt.pl \u2022 https://www.vgt.pl/94.152.152.233/images/logo.png",
"https://www.vgt.pl/css/ \u2022 https://www.vgt.pl/favicon.ico \u2022 https://www.vgt.pl/font/fa/fontawesome-webfont.eot",
"https://www.vgt.pl/font/roboto/Roboto-Bold.eot \u2022 https://www.vgt.pl/font/roboto/Roboto-Bold.ttf \u2022 https://www.vgt.pl/font/roboto/Roboto-Light.eot",
"https://www.vgt.pl/static/js/bootstrap-typeahead.jstic/js/bootstrap-typeahead.js",
"https://www.vgt.pl/style/style.css \u2022 https://www.vgt.pl/static/js/bootstrap-typeahead.js",
"IP Address 94.152.58.192 Location Poland ASN AS29522 h88 s.a. Nameservers ns1.kei.pl. , ns2.kei.pl.",
"www.happylifehappywife.com \u2022 http://www.happylifehappywife.com/2010/02/'>",
"http://www.happylifehappywife.com/2010/04/'> \u2022 http://www.happylifehappywife.com/2010/05/'>",
"http://www.happylifehappywife.com/2010/07/'> \u2022 http://www.happylifehappywife.com/2010/09/'>",
"http://www.happylifehappywife.com/2011/06/'> \u2022 http://www.happylifehappywife.com/2011/08/'",
"http://www.happylifehappywife.com/2011/08/'> \u2022 http://www.happylifehappywife.com/2012/07/'>",
"http://www.happylifehappywife.com/2013/03/'> \u2022 http://www.happylifehappywife.com/index.php",
"http://www.happylifehappywife.com/wp-content/themes/theme78222/images/top-right.jpg",
"https://amp.mypornvid.fun/videos/8/AhxS-ej1myg/gf-18-com/\ud83c\udf81-i39m-your-present-\ud83c\udf81-girlfriend-surprises-you-for-christmas-reunion-soft-kisses-amp-cuddles",
"8-25-220-162-static.reverse.queryfoundry.net\t\t\tNov 1, 2025, 9:34:14 AM\t\t5\t domain\tqueryfoundry.net\t\t\tNov 1, 2025, 9:34:14 AM\t\t8\t URL\thttp://117-114-251-162-static.reverse.queryfoundry.net/",
"http://watchhers.net/index.php",
"remotewd.com device local",
"nr-data.net \u2022 applemusic-spotlight.myunidays.com \u2022 init.ess.apple.com \u2022 tv.apple.com",
"https://browntubeporn.com/tsara-brashearsAccept-Language",
"https://cg864.myhotzpic.com phishing \u2022 http://dashboard.myhotzpic.com/",
"https://myhotzpic.com/tsara-brashears-hardcore-lesbian-sex/anime-studio.org*thumbs-fa...",
"https://mypornvid.com/videos/27/x510fb2/white-dpt-jeffrey-reimer-loves-pretty-indian-patient-forces-sex-3gp-video-tsara-brashears/caillou-finger",
"http://siteinlink.d1.cnbd.net/search/tsara-brashears-dead \u2022 http://siteinlink.d1.cnbd.net/site/maps.google.com.lb/",
"http://siteinlink.d1.cnbd.net/search/tsara-brashears-assaulted-by-jeffrey-reimer",
"http://siteinlink.d1.cnbd.net/search/tsara-brashears-dead \u2022 https://videolal.com/videos/tsara-brashears-dead-by-daylight.html",
"http://pixelrz.com/lists/keywords/tsara-brashears-dead/360 \u2022 http://pixelrz.com/lists/keywords/tsara-brashears-dead/360] No Expiration\t4\t Domain tsara-brashears-deadspin-twitter-suspended-account-help.ht",
"https://www.anyxxxtube.net/search-porn/tsara-brashears/",
"https://www.pornhub.com/gifs/search?search=tsara+lynn+brashears+lesbian",
"https://www.anyxxxtube.net/search-porn/tsara-brashears/",
"https://twitter.com/PORNO_SEXYBABES \u2022 girlsdoporn.com",
"Treece Alfrey Musat P.C. Attorneys at Law Christopher P. Ahmann | https://TamLegal.com",
"https://urlscan.io/screenshots/e931bb02-80dc-46db-92f0-43d5afa258be.png"
],
"public": 1,
"adversary": "",
"targeted_countries": [],
"malware_families": [
{
"id": "TrojanSpy:Win32/Nivdort",
"display_name": "TrojanSpy:Win32/Nivdort",
"target": "/malware/TrojanSpy:Win32/Nivdort"
},
{
"id": "Worm:Win32/Autorun",
"display_name": "Worm:Win32/Autorun",
"target": "/malware/Worm:Win32/Autorun"
},
{
"id": "Tofsee",
"display_name": "Tofsee",
"target": null
},
{
"id": "Jaik",
"display_name": "Jaik",
"target": null
},
{
"id": "Trojan:Win32/Qshell",
"display_name": "Trojan:Win32/Qshell",
"target": "/malware/Trojan:Win32/Qshell"
},
{
"id": "Trojan:Win32/Mydoom",
"display_name": "Trojan:Win32/Mydoom",
"target": "/malware/Trojan:Win32/Mydoom"
}
],
"attack_ids": [
{
"id": "T1045",
"name": "Software Packing",
"display_name": "T1045 - Software Packing"
},
{
"id": "T1057",
"name": "Process Discovery",
"display_name": "T1057 - Process Discovery"
},
{
"id": "T1060",
"name": "Registry Run Keys / Startup Folder",
"display_name": "T1060 - Registry Run Keys / Startup Folder"
},
{
"id": "T1053",
"name": "Scheduled Task/Job",
"display_name": "T1053 - Scheduled Task/Job"
},
{
"id": "T1055",
"name": "Process Injection",
"display_name": "T1055 - Process Injection"
},
{
"id": "T1082",
"name": "System Information Discovery",
"display_name": "T1082 - System Information Discovery"
},
{
"id": "T1112",
"name": "Modify Registry",
"display_name": "T1112 - Modify Registry"
},
{
"id": "T1119",
"name": "Automated Collection",
"display_name": "T1119 - Automated Collection"
},
{
"id": "T1129",
"name": "Shared Modules",
"display_name": "T1129 - Shared Modules"
},
{
"id": "T1143",
"name": "Hidden Window",
"display_name": "T1143 - Hidden Window"
},
{
"id": "T1063",
"name": "Security Software Discovery",
"display_name": "T1063 - Security Software Discovery"
},
{
"id": "T1027",
"name": "Obfuscated Files or Information",
"display_name": "T1027 - Obfuscated Files or Information"
},
{
"id": "T1071",
"name": "Application Layer Protocol",
"display_name": "T1071 - Application Layer Protocol"
},
{
"id": "T1518",
"name": "Software Discovery",
"display_name": "T1518 - Software Discovery"
},
{
"id": "T1553",
"name": "Subvert Trust Controls",
"display_name": "T1553 - Subvert Trust Controls"
},
{
"id": "T1568",
"name": "Dynamic Resolution",
"display_name": "T1568 - Dynamic Resolution"
},
{
"id": "T1583",
"name": "Acquire Infrastructure",
"display_name": "T1583 - Acquire Infrastructure"
},
{
"id": "T1069",
"name": "Permission Groups Discovery",
"display_name": "T1069 - Permission Groups Discovery"
},
{
"id": "T1105",
"name": "Ingress Tool Transfer",
"display_name": "T1105 - Ingress Tool Transfer"
},
{
"id": "T1113",
"name": "Screen Capture",
"display_name": "T1113 - Screen Capture"
},
{
"id": "T1140",
"name": "Deobfuscate/Decode Files or Information",
"display_name": "T1140 - Deobfuscate/Decode Files or Information"
},
{
"id": "T1197",
"name": "BITS Jobs",
"display_name": "T1197 - BITS Jobs"
},
{
"id": "T1210",
"name": "Exploitation of Remote Services",
"display_name": "T1210 - Exploitation of Remote Services"
},
{
"id": "T1457",
"name": "Malicious Media Content",
"display_name": "T1457 - Malicious Media Content"
},
{
"id": "T1480",
"name": "Execution Guardrails",
"display_name": "T1480 - Execution Guardrails"
},
{
"id": "T1562",
"name": "Impair Defenses",
"display_name": "T1562 - Impair Defenses"
},
{
"id": "T1574",
"name": "Hijack Execution Flow",
"display_name": "T1574 - Hijack Execution Flow"
}
],
"industries": [],
"TLP": "green",
"cloned_from": null,
"export_count": 4,
"upvotes_count": 0,
"downvotes_count": 0,
"votes_count": 0,
"locked": false,
"pulse_source": "web",
"validator_count": 0,
"comment_count": 0,
"follower_count": 0,
"vote": 0,
"author": {
"username": "Q.Vashti",
"id": "337942",
"avatar_url": "https://otx.alienvault.com/assets/images/default-avatar.png",
"is_subscribed": false,
"is_following": false
},
"indicator_type_counts": {
"URL": 8897,
"domain": 2102,
"hostname": 2867,
"FileHash-SHA256": 3886,
"FileHash-MD5": 619,
"FileHash-SHA1": 555,
"CVE": 3,
"email": 5,
"SSLCertFingerprint": 8
},
"indicator_count": 18942,
"is_author": false,
"is_subscribing": null,
"subscriber_count": 139,
"modified_text": "89 days ago ",
"is_modified": true,
"groups": [],
"in_group": false,
"threat_hunter_scannable": true,
"threat_hunter_has_agents": 1,
"related_indicator_type": "URL",
"related_indicator_is_active": 1
},
{
"id": "69482caa00d327da8f0a87bc",
"name": "Chris P.\u2019 Buzz\u2019 Ahmann Colorado State Criminal Defense Attorney (22.20.2025)",
"description": "",
"modified": "2026-01-20T17:02:02.650000",
"created": "2025-12-21T17:21:46.434000",
"tags": [
"related pulses",
"p1377925676",
"gaz1",
"sid1696503456",
"sct1",
"active",
"dynamicloader",
"medium",
"write c",
"search",
"show",
"high",
"program gateway",
"http traffic",
"http",
"write",
"malware",
"nivdort",
"serving ip",
"address",
"status code",
"kb body",
"sha256",
"gw5hjz7t975",
"url https",
"url http",
"indicator role",
"pulses url",
"hostname",
"poland unknown",
"present sep",
"present jul",
"present may",
"present apr",
"present dec",
"present jan",
"moved",
"passive dns",
"ip address",
"title",
"location poland",
"asn as29522",
"gmt content",
"accept encoding",
"ipv4 add",
"urls",
"files",
"reverse dns",
"united",
"record value",
"aaaa",
"mtb oct",
"found",
"error",
"read c",
"memcommit",
"module load",
"next",
"showing",
"trojan",
"execution",
"unknown",
"entries",
"ms windows",
"intel",
"as15169",
"codeoverlap",
"yara detections",
"delphi",
"worm",
"win32",
"win64",
"learn",
"ck id",
"name tactics",
"suspicious",
"informative",
"adversaries",
"command",
"spawns",
"ssl certificate",
"execution att",
"script urls",
"treece alfrey",
"meta",
"germany unknown",
"for privacy",
"title added",
"active related",
"pulses",
"asnone",
"named pipe",
"type indicator",
"role title",
"added active",
"filehashsha256",
"ally",
"melika",
"information",
"law christopher",
"https",
"fake pinterest",
"tsara",
"traceback man",
"expiro",
"capture",
"domain",
"types of",
"germany",
"poland",
"netherlands",
"cve cve20178977",
"boobs130432 nov",
"learn more",
"filehashmd5",
"utmsourceawin",
"pe32",
"head microsoft",
"delete",
"main",
"backdoor",
"next associated",
"gmt connection",
"control",
"content type",
"twitter",
"certificate",
"redirect date",
"cache",
"unknown ns",
"hostname add",
"ipv4",
"pulse pulses",
"location united",
"america flag",
"america asn",
"windows",
"total",
"ids detections",
"url add",
"related nids",
"files location",
"flag united",
"win32mydoom nov",
"domain add",
"yara rule",
"ee fc",
"ff d5",
"f0 ff",
"eb e1",
"ff ff",
"c1 e8",
"c1 c0",
"eb e8",
"mpress",
"cache control",
"x cache",
"date",
"name servers",
"arial",
"present aug",
"present jun",
"may god",
"hall render",
"palantir doing",
"jeffrey scott",
"jeffrey reimer",
"brian sabey",
"butt pirates",
"scott reimer",
"colorado",
"quasi government",
"workers compensation",
"eva lisa",
"eva reimer",
"sammie",
"montano mark",
"death threats",
"tulach",
"hired hit men",
"gay man",
"gay porn",
"concentra",
"corruption",
"palantir",
"foundry",
"grifter",
"warning",
"illegal",
"apple",
"contacted",
"ransom",
"dead",
"denver"
],
"references": [
"https://tamlegal.com/attorneys/christopher-p-ahmann/#breadcrumb \u2022 https://www.milehighmedia.com/en/movies",
"https://www.milehighmedia.com/legal/2257 \u2022 https://www.milehighmedia",
"www.milehighmedia.com \u2022 https://www.milehighmedia.com/en/Charlie-Dean/pornstar/49512",
"https://www.milehighmedia.com/en/login/index/aHR0cHMlM0ElMkYlMkZtZW1iZXJzLm1pbGVoaWdobWVkaWEuY29tJTJGZW4lMkZ2aWRlb3MlMkZzd2VldGhlYXJ0dmlkZW8lM0ZhbHVwJTNEQURqeF9ITjhfd1oweU96UnpsU3NNNUZLaVVxSzBXNEN0X3NmTFpKTGVJc3M2b0RVUzkwVmp6VllNVko5eFpmdENYcFNKd3IzOTNaMG1mOEpXeVhVeVZpLTJZYVRsaGd3M25DSDRpYnRwZ25BRC1zUFhDQVUycjZJOXo2WWtRMzNVWVFhMFZyWC1YckxvcnRkVjJZdEgxSDYxZ1lhMTFNS3RZSkEzY3FlSXhFQzhtSlAzSk1tbloySURMQXlMZndPcHozSFFiTzF4T0FseXJIQ0xYem1ldFElMkE=\t \thttp://www.milehighmedia.com/?ats=eyJhIjoyOTYzMTgsImMiOjU3OTYzNz",
"http://www.milehighmedia.com/legal\t \u2022 https://www.milehighmedia.com/en/pornstar/milehighmedia/Justin-Hunt/51017",
"https://www.milehighmedia.com/de/MileHighMedia/scene/129689?utm_source=271174&utm_medium=affiliate&utm_campaign=",
"http://www.milehighmedia.com/?ats=eyJhIjoyOTYzMTgsImMiOjU3OTYzNzc1LCJuIjo3NiwicyI6NT...",
"ttps://www.milehighmedia.com/scene/4404473/creampie-adventures-scene-2-sneaky-melanie",
"https://www.milehighmedia.com/join \u2022 https://www.milehighmedia.com/models \u2022 https://www.milehighmedia.com/movies",
"https://www.milehighmedia.com/model/59136/avi-love \u2022https://www.milehighmedia.com/model/60418/Justin-Hunt \u2022",
"https://www.milehighmedia.com/en/photo/milehighmedia/The-Mother-I-Cant-Resist/52380",
"https://www.milehighmedia.com/en/movies \u2022 https://www.milehighmedia.com/join",
"https://www.pornhub.com/gifs/search?search=tsara+lynn+brashears+lesbian",
"pornhub-e.com \u2022 www.pornhub.com \u2022",
"https://www.sweetheartvideo.com/tsara-brashears/ \u2022 www.sweetheartvideo.com",
"https://www.sweetheartvideo.com/en/?s=1?s=1&utm_source=272160&utm_medium=affiliate&utm_campaign=lovelezzies",
"https://www.sweetheartvideo.com/en/dvd/Lesbian-Massage/49895",
"https://www.sweetheartvideo.com/en/dvds \u2022 https://www.sweetheartvideo.com/en/login",
"https://www.sweetheartvideo.com/en/model/Mona-Wales/49601 \u2022 https://www.sweetheartvideo.com/en/scene/Truth-Dare--Boobs/130432 No Expiration\t0\t URL https://www.sweetheartvideo.com/it/model/Kristen-Scott/50432 \u2022 https://www.sweetheartvideo.com/model/63710/brandi-love",
"https://www.sweetheartvideo.com/scenes?models=63710",
"https://www.sweetheartvideo.com/model/63710/brandi-love",
"https://www.sweetheartvideo.com/scenes?models=63710",
"https://www.sweetheartvideo.com/it/model/Kristen-Scott/50432",
"https://www.sweetheartvideo.com/en/scene/Truth-Dare--Boobs/130432",
"https://www.milehighmedia.com/en/photo/milehighmedia/The-Mother-I-Cant-Resist/52380",
"https://www.vgt.pl/font/roboto/Roboto-Bold.eot \u2022",
"https://www.vgt.pl/94.152.152.233/images/logo.png",
"https://www.vgt.pl/94.152.156.22/logo.png \u2022 https://www.vgt.pl/css/",
"https://www.vgt.pl/favicon.ico",
"https://www.vgt.pl/font/fa/fontawesome-webfont.eot",
"https://www.vgt.pl/font/roboto/Roboto-Bold.ttf \u2022 https://www.vgt.pl/font/roboto/Roboto-Light.eot",
"https://www.vgt.pl/font/roboto/Roboto-Medium.ttf",
"https://www.vgt.pl/font/roboto/Roboto-Light.ttf \u2022",
"https://www.vgt.pl/static/js/bootstrap-typeahead.jstic/js/bootstrap-typeahead.js",
"https://www.vgt.pl/style/style.css \u2022 https://www.vgt.pl/font/roboto/Roboto-Medium.eot",
"https://www.vgt.pl/font/roboto/Roboto-Regular.ttf \u2022 https://www.vgt.pl/font/roboto/Roboto-Thin.eot",
"https://www.vgt.pl/static/js/bootstrap-typeahead.js.179.252.2",
"https://www.vgt.pl/font/roboto/Roboto-Thin.ttf \u2022 https://www.vgt.pl/static/js/bootstrap-typeahead.js",
"https://www.vgt.pl/font/roboto/Roboto-Regular.eot \u2022 https://www.vgt.pl/94.152.156.22/logo.png \u2022 https://www.vgt.pl/css/",
"vgt.pl \u2022 www.hak.vgt.pl \u2022 www.localhost.vgt.pl \u2022 www.certyfikat.vgt.pl \u2022 aristocrat.vgt.pl",
"https://www.vgt.pl/ phishing \u2022 https://vgt.pl/ \u2022www.vgt.pl \u2022 https://www.vgt.pl/94.152.152.233/images/logo.png",
"http://www.pornokind.vgt.pl \u2022 https://dbkuewww.m.vgt.pl \u2022 https://lokalnyhost.vgt.pl \u2022 www.xn--twj-hna.pedofil.vgt.pl",
"http://www.hak.vgt.pl \u2022 http://pornokind.vgt.pl \u2022 http://sip.vgt.pl \u2022 http://smtp-qa.vgt.pl \u2022 http://vgt.pl/*.",
"https://pornokind.vgt.pl \u2022 https://sip.vgt.pl \u2022 https://smtp-qa.vgt.pl \u2022 https://www.vgt.pl/94.152.156.22/logo.png",
"www.localhost.vgt.pl \u2022 www.certyfikat.vgt.pl \u2022 https://www.vgt.pl/94.152.152.233/images/logo.png",
"https://www.vgt.pl/css/ \u2022 https://www.vgt.pl/favicon.ico \u2022 https://www.vgt.pl/font/fa/fontawesome-webfont.eot",
"https://www.vgt.pl/font/roboto/Roboto-Bold.eot \u2022 https://www.vgt.pl/font/roboto/Roboto-Bold.ttf \u2022 https://www.vgt.pl/font/roboto/Roboto-Light.eot",
"https://www.vgt.pl/static/js/bootstrap-typeahead.jstic/js/bootstrap-typeahead.js",
"https://www.vgt.pl/style/style.css \u2022 https://www.vgt.pl/static/js/bootstrap-typeahead.js",
"IP Address 94.152.58.192 Location Poland ASN AS29522 h88 s.a. Nameservers ns1.kei.pl. , ns2.kei.pl.",
"www.happylifehappywife.com \u2022 http://www.happylifehappywife.com/2010/02/'>",
"http://www.happylifehappywife.com/2010/04/'> \u2022 http://www.happylifehappywife.com/2010/05/'>",
"http://www.happylifehappywife.com/2010/07/'> \u2022 http://www.happylifehappywife.com/2010/09/'>",
"http://www.happylifehappywife.com/2011/06/'> \u2022 http://www.happylifehappywife.com/2011/08/'",
"http://www.happylifehappywife.com/2011/08/'> \u2022 http://www.happylifehappywife.com/2012/07/'>",
"http://www.happylifehappywife.com/2013/03/'> \u2022 http://www.happylifehappywife.com/index.php",
"http://www.happylifehappywife.com/wp-content/themes/theme78222/images/top-right.jpg",
"https://amp.mypornvid.fun/videos/8/AhxS-ej1myg/gf-18-com/\ud83c\udf81-i39m-your-present-\ud83c\udf81-girlfriend-surprises-you-for-christmas-reunion-soft-kisses-amp-cuddles",
"8-25-220-162-static.reverse.queryfoundry.net\t\t\tNov 1, 2025, 9:34:14 AM\t\t5\t domain\tqueryfoundry.net\t\t\tNov 1, 2025, 9:34:14 AM\t\t8\t URL\thttp://117-114-251-162-static.reverse.queryfoundry.net/",
"http://watchhers.net/index.php",
"remotewd.com device local",
"nr-data.net \u2022 applemusic-spotlight.myunidays.com \u2022 init.ess.apple.com \u2022 tv.apple.com",
"https://browntubeporn.com/tsara-brashearsAccept-Language",
"https://cg864.myhotzpic.com phishing \u2022 http://dashboard.myhotzpic.com/",
"https://myhotzpic.com/tsara-brashears-hardcore-lesbian-sex/anime-studio.org*thumbs-fa...",
"https://mypornvid.com/videos/27/x510fb2/white-dpt-jeffrey-reimer-loves-pretty-indian-patient-forces-sex-3gp-video-tsara-brashears/caillou-finger",
"http://siteinlink.d1.cnbd.net/search/tsara-brashears-dead \u2022 http://siteinlink.d1.cnbd.net/site/maps.google.com.lb/",
"http://siteinlink.d1.cnbd.net/search/tsara-brashears-assaulted-by-jeffrey-reimer",
"http://siteinlink.d1.cnbd.net/search/tsara-brashears-dead \u2022 https://videolal.com/videos/tsara-brashears-dead-by-daylight.html",
"http://pixelrz.com/lists/keywords/tsara-brashears-dead/360 \u2022 http://pixelrz.com/lists/keywords/tsara-brashears-dead/360] No Expiration\t4\t Domain tsara-brashears-deadspin-twitter-suspended-account-help.ht",
"https://www.anyxxxtube.net/search-porn/tsara-brashears/",
"https://www.pornhub.com/gifs/search?search=tsara+lynn+brashears+lesbian",
"https://www.anyxxxtube.net/search-porn/tsara-brashears/",
"https://twitter.com/PORNO_SEXYBABES \u2022 girlsdoporn.com",
"Treece Alfrey Musat P.C. Attorneys at Law Christopher P. Ahmann | https://TamLegal.com",
"https://urlscan.io/screenshots/e931bb02-80dc-46db-92f0-43d5afa258be.png"
],
"public": 1,
"adversary": "",
"targeted_countries": [],
"malware_families": [
{
"id": "TrojanSpy:Win32/Nivdort",
"display_name": "TrojanSpy:Win32/Nivdort",
"target": "/malware/TrojanSpy:Win32/Nivdort"
},
{
"id": "Worm:Win32/Autorun",
"display_name": "Worm:Win32/Autorun",
"target": "/malware/Worm:Win32/Autorun"
},
{
"id": "Tofsee",
"display_name": "Tofsee",
"target": null
},
{
"id": "Jaik",
"display_name": "Jaik",
"target": null
},
{
"id": "Trojan:Win32/Qshell",
"display_name": "Trojan:Win32/Qshell",
"target": "/malware/Trojan:Win32/Qshell"
},
{
"id": "Trojan:Win32/Mydoom",
"display_name": "Trojan:Win32/Mydoom",
"target": "/malware/Trojan:Win32/Mydoom"
}
],
"attack_ids": [
{
"id": "T1045",
"name": "Software Packing",
"display_name": "T1045 - Software Packing"
},
{
"id": "T1057",
"name": "Process Discovery",
"display_name": "T1057 - Process Discovery"
},
{
"id": "T1060",
"name": "Registry Run Keys / Startup Folder",
"display_name": "T1060 - Registry Run Keys / Startup Folder"
},
{
"id": "T1053",
"name": "Scheduled Task/Job",
"display_name": "T1053 - Scheduled Task/Job"
},
{
"id": "T1055",
"name": "Process Injection",
"display_name": "T1055 - Process Injection"
},
{
"id": "T1082",
"name": "System Information Discovery",
"display_name": "T1082 - System Information Discovery"
},
{
"id": "T1112",
"name": "Modify Registry",
"display_name": "T1112 - Modify Registry"
},
{
"id": "T1119",
"name": "Automated Collection",
"display_name": "T1119 - Automated Collection"
},
{
"id": "T1129",
"name": "Shared Modules",
"display_name": "T1129 - Shared Modules"
},
{
"id": "T1143",
"name": "Hidden Window",
"display_name": "T1143 - Hidden Window"
},
{
"id": "T1063",
"name": "Security Software Discovery",
"display_name": "T1063 - Security Software Discovery"
},
{
"id": "T1027",
"name": "Obfuscated Files or Information",
"display_name": "T1027 - Obfuscated Files or Information"
},
{
"id": "T1071",
"name": "Application Layer Protocol",
"display_name": "T1071 - Application Layer Protocol"
},
{
"id": "T1518",
"name": "Software Discovery",
"display_name": "T1518 - Software Discovery"
},
{
"id": "T1553",
"name": "Subvert Trust Controls",
"display_name": "T1553 - Subvert Trust Controls"
},
{
"id": "T1568",
"name": "Dynamic Resolution",
"display_name": "T1568 - Dynamic Resolution"
},
{
"id": "T1583",
"name": "Acquire Infrastructure",
"display_name": "T1583 - Acquire Infrastructure"
},
{
"id": "T1069",
"name": "Permission Groups Discovery",
"display_name": "T1069 - Permission Groups Discovery"
},
{
"id": "T1105",
"name": "Ingress Tool Transfer",
"display_name": "T1105 - Ingress Tool Transfer"
},
{
"id": "T1113",
"name": "Screen Capture",
"display_name": "T1113 - Screen Capture"
},
{
"id": "T1140",
"name": "Deobfuscate/Decode Files or Information",
"display_name": "T1140 - Deobfuscate/Decode Files or Information"
},
{
"id": "T1197",
"name": "BITS Jobs",
"display_name": "T1197 - BITS Jobs"
},
{
"id": "T1210",
"name": "Exploitation of Remote Services",
"display_name": "T1210 - Exploitation of Remote Services"
},
{
"id": "T1457",
"name": "Malicious Media Content",
"display_name": "T1457 - Malicious Media Content"
},
{
"id": "T1480",
"name": "Execution Guardrails",
"display_name": "T1480 - Execution Guardrails"
},
{
"id": "T1562",
"name": "Impair Defenses",
"display_name": "T1562 - Impair Defenses"
},
{
"id": "T1574",
"name": "Hijack Execution Flow",
"display_name": "T1574 - Hijack Execution Flow"
}
],
"industries": [],
"TLP": "green",
"cloned_from": "691f4d4ef0a2a570b8b21cd2",
"export_count": 3,
"upvotes_count": 0,
"downvotes_count": 0,
"votes_count": 0,
"locked": false,
"pulse_source": "web",
"validator_count": 0,
"comment_count": 0,
"follower_count": 0,
"vote": 0,
"author": {
"username": "Q.Vashti",
"id": "337942",
"avatar_url": "https://otx.alienvault.com/assets/images/default-avatar.png",
"is_subscribed": false,
"is_following": false
},
"indicator_type_counts": {
"URL": 8897,
"domain": 2102,
"hostname": 2867,
"FileHash-SHA256": 3886,
"FileHash-MD5": 619,
"FileHash-SHA1": 555,
"CVE": 3,
"email": 5,
"SSLCertFingerprint": 8
},
"indicator_count": 18942,
"is_author": false,
"is_subscribing": null,
"subscriber_count": 137,
"modified_text": "89 days ago ",
"is_modified": true,
"groups": [],
"in_group": false,
"threat_hunter_scannable": true,
"threat_hunter_has_agents": 1,
"related_indicator_type": "URL",
"related_indicator_is_active": 1
},
{
"id": "695557ee134b978b00883c29",
"name": "Chris P. Ahmann \u2022 Stay out of PRIVATE PROPERTY HITMAN! Colorado State",
"description": "",
"modified": "2026-01-20T17:02:02.650000",
"created": "2025-12-31T17:05:50.134000",
"tags": [
"related pulses",
"p1377925676",
"gaz1",
"sid1696503456",
"sct1",
"active",
"dynamicloader",
"medium",
"write c",
"search",
"show",
"high",
"program gateway",
"http traffic",
"http",
"write",
"malware",
"nivdort",
"serving ip",
"address",
"status code",
"kb body",
"sha256",
"gw5hjz7t975",
"url https",
"url http",
"indicator role",
"pulses url",
"hostname",
"poland unknown",
"present sep",
"present jul",
"present may",
"present apr",
"present dec",
"present jan",
"moved",
"passive dns",
"ip address",
"title",
"location poland",
"asn as29522",
"gmt content",
"accept encoding",
"ipv4 add",
"urls",
"files",
"reverse dns",
"united",
"record value",
"aaaa",
"mtb oct",
"found",
"error",
"read c",
"memcommit",
"module load",
"next",
"showing",
"trojan",
"execution",
"unknown",
"entries",
"ms windows",
"intel",
"as15169",
"codeoverlap",
"yara detections",
"delphi",
"worm",
"win32",
"win64",
"learn",
"ck id",
"name tactics",
"suspicious",
"informative",
"adversaries",
"command",
"spawns",
"ssl certificate",
"execution att",
"script urls",
"treece alfrey",
"meta",
"germany unknown",
"for privacy",
"title added",
"active related",
"pulses",
"asnone",
"named pipe",
"type indicator",
"role title",
"added active",
"filehashsha256",
"ally",
"melika",
"information",
"law christopher",
"https",
"fake pinterest",
"tsara",
"traceback man",
"expiro",
"capture",
"domain",
"types of",
"germany",
"poland",
"netherlands",
"cve cve20178977",
"boobs130432 nov",
"learn more",
"filehashmd5",
"utmsourceawin",
"pe32",
"head microsoft",
"delete",
"main",
"backdoor",
"next associated",
"gmt connection",
"control",
"content type",
"twitter",
"certificate",
"redirect date",
"cache",
"unknown ns",
"hostname add",
"ipv4",
"pulse pulses",
"location united",
"america flag",
"america asn",
"windows",
"total",
"ids detections",
"url add",
"related nids",
"files location",
"flag united",
"win32mydoom nov",
"domain add",
"yara rule",
"ee fc",
"ff d5",
"f0 ff",
"eb e1",
"ff ff",
"c1 e8",
"c1 c0",
"eb e8",
"mpress",
"cache control",
"x cache",
"date",
"name servers",
"arial",
"present aug",
"present jun",
"may god",
"hall render",
"palantir doing",
"jeffrey scott",
"jeffrey reimer",
"brian sabey",
"butt pirates",
"scott reimer",
"colorado",
"quasi government",
"workers compensation",
"eva lisa",
"eva reimer",
"sammie",
"montano mark",
"death threats",
"tulach",
"hired hit men",
"gay man",
"gay porn",
"concentra",
"corruption",
"palantir",
"foundry",
"grifter",
"warning",
"illegal",
"apple",
"contacted",
"ransom",
"dead",
"denver"
],
"references": [
"https://tamlegal.com/attorneys/christopher-p-ahmann/#breadcrumb \u2022 https://www.milehighmedia.com/en/movies",
"https://www.milehighmedia.com/legal/2257 \u2022 https://www.milehighmedia",
"www.milehighmedia.com \u2022 https://www.milehighmedia.com/en/Charlie-Dean/pornstar/49512",
"https://www.milehighmedia.com/en/login/index/aHR0cHMlM0ElMkYlMkZtZW1iZXJzLm1pbGVoaWdobWVkaWEuY29tJTJGZW4lMkZ2aWRlb3MlMkZzd2VldGhlYXJ0dmlkZW8lM0ZhbHVwJTNEQURqeF9ITjhfd1oweU96UnpsU3NNNUZLaVVxSzBXNEN0X3NmTFpKTGVJc3M2b0RVUzkwVmp6VllNVko5eFpmdENYcFNKd3IzOTNaMG1mOEpXeVhVeVZpLTJZYVRsaGd3M25DSDRpYnRwZ25BRC1zUFhDQVUycjZJOXo2WWtRMzNVWVFhMFZyWC1YckxvcnRkVjJZdEgxSDYxZ1lhMTFNS3RZSkEzY3FlSXhFQzhtSlAzSk1tbloySURMQXlMZndPcHozSFFiTzF4T0FseXJIQ0xYem1ldFElMkE=\t \thttp://www.milehighmedia.com/?ats=eyJhIjoyOTYzMTgsImMiOjU3OTYzNz",
"http://www.milehighmedia.com/legal\t \u2022 https://www.milehighmedia.com/en/pornstar/milehighmedia/Justin-Hunt/51017",
"https://www.milehighmedia.com/de/MileHighMedia/scene/129689?utm_source=271174&utm_medium=affiliate&utm_campaign=",
"http://www.milehighmedia.com/?ats=eyJhIjoyOTYzMTgsImMiOjU3OTYzNzc1LCJuIjo3NiwicyI6NT...",
"ttps://www.milehighmedia.com/scene/4404473/creampie-adventures-scene-2-sneaky-melanie",
"https://www.milehighmedia.com/join \u2022 https://www.milehighmedia.com/models \u2022 https://www.milehighmedia.com/movies",
"https://www.milehighmedia.com/model/59136/avi-love \u2022https://www.milehighmedia.com/model/60418/Justin-Hunt \u2022",
"https://www.milehighmedia.com/en/photo/milehighmedia/The-Mother-I-Cant-Resist/52380",
"https://www.milehighmedia.com/en/movies \u2022 https://www.milehighmedia.com/join",
"https://www.pornhub.com/gifs/search?search=tsara+lynn+brashears+lesbian",
"pornhub-e.com \u2022 www.pornhub.com \u2022",
"https://www.sweetheartvideo.com/tsara-brashears/ \u2022 www.sweetheartvideo.com",
"https://www.sweetheartvideo.com/en/?s=1?s=1&utm_source=272160&utm_medium=affiliate&utm_campaign=lovelezzies",
"https://www.sweetheartvideo.com/en/dvd/Lesbian-Massage/49895",
"https://www.sweetheartvideo.com/en/dvds \u2022 https://www.sweetheartvideo.com/en/login",
"https://www.sweetheartvideo.com/en/model/Mona-Wales/49601 \u2022 https://www.sweetheartvideo.com/en/scene/Truth-Dare--Boobs/130432 No Expiration\t0\t URL https://www.sweetheartvideo.com/it/model/Kristen-Scott/50432 \u2022 https://www.sweetheartvideo.com/model/63710/brandi-love",
"https://www.sweetheartvideo.com/scenes?models=63710",
"https://www.sweetheartvideo.com/model/63710/brandi-love",
"https://www.sweetheartvideo.com/scenes?models=63710",
"https://www.sweetheartvideo.com/it/model/Kristen-Scott/50432",
"https://www.sweetheartvideo.com/en/scene/Truth-Dare--Boobs/130432",
"https://www.milehighmedia.com/en/photo/milehighmedia/The-Mother-I-Cant-Resist/52380",
"https://www.vgt.pl/font/roboto/Roboto-Bold.eot \u2022",
"https://www.vgt.pl/94.152.152.233/images/logo.png",
"https://www.vgt.pl/94.152.156.22/logo.png \u2022 https://www.vgt.pl/css/",
"https://www.vgt.pl/favicon.ico",
"https://www.vgt.pl/font/fa/fontawesome-webfont.eot",
"https://www.vgt.pl/font/roboto/Roboto-Bold.ttf \u2022 https://www.vgt.pl/font/roboto/Roboto-Light.eot",
"https://www.vgt.pl/font/roboto/Roboto-Medium.ttf",
"https://www.vgt.pl/font/roboto/Roboto-Light.ttf \u2022",
"https://www.vgt.pl/static/js/bootstrap-typeahead.jstic/js/bootstrap-typeahead.js",
"https://www.vgt.pl/style/style.css \u2022 https://www.vgt.pl/font/roboto/Roboto-Medium.eot",
"https://www.vgt.pl/font/roboto/Roboto-Regular.ttf \u2022 https://www.vgt.pl/font/roboto/Roboto-Thin.eot",
"https://www.vgt.pl/static/js/bootstrap-typeahead.js.179.252.2",
"https://www.vgt.pl/font/roboto/Roboto-Thin.ttf \u2022 https://www.vgt.pl/static/js/bootstrap-typeahead.js",
"https://www.vgt.pl/font/roboto/Roboto-Regular.eot \u2022 https://www.vgt.pl/94.152.156.22/logo.png \u2022 https://www.vgt.pl/css/",
"vgt.pl \u2022 www.hak.vgt.pl \u2022 www.localhost.vgt.pl \u2022 www.certyfikat.vgt.pl \u2022 aristocrat.vgt.pl",
"https://www.vgt.pl/ phishing \u2022 https://vgt.pl/ \u2022www.vgt.pl \u2022 https://www.vgt.pl/94.152.152.233/images/logo.png",
"http://www.pornokind.vgt.pl \u2022 https://dbkuewww.m.vgt.pl \u2022 https://lokalnyhost.vgt.pl \u2022 www.xn--twj-hna.pedofil.vgt.pl",
"http://www.hak.vgt.pl \u2022 http://pornokind.vgt.pl \u2022 http://sip.vgt.pl \u2022 http://smtp-qa.vgt.pl \u2022 http://vgt.pl/*.",
"https://pornokind.vgt.pl \u2022 https://sip.vgt.pl \u2022 https://smtp-qa.vgt.pl \u2022 https://www.vgt.pl/94.152.156.22/logo.png",
"www.localhost.vgt.pl \u2022 www.certyfikat.vgt.pl \u2022 https://www.vgt.pl/94.152.152.233/images/logo.png",
"https://www.vgt.pl/css/ \u2022 https://www.vgt.pl/favicon.ico \u2022 https://www.vgt.pl/font/fa/fontawesome-webfont.eot",
"https://www.vgt.pl/font/roboto/Roboto-Bold.eot \u2022 https://www.vgt.pl/font/roboto/Roboto-Bold.ttf \u2022 https://www.vgt.pl/font/roboto/Roboto-Light.eot",
"https://www.vgt.pl/static/js/bootstrap-typeahead.jstic/js/bootstrap-typeahead.js",
"https://www.vgt.pl/style/style.css \u2022 https://www.vgt.pl/static/js/bootstrap-typeahead.js",
"IP Address 94.152.58.192 Location Poland ASN AS29522 h88 s.a. Nameservers ns1.kei.pl. , ns2.kei.pl.",
"www.happylifehappywife.com \u2022 http://www.happylifehappywife.com/2010/02/'>",
"http://www.happylifehappywife.com/2010/04/'> \u2022 http://www.happylifehappywife.com/2010/05/'>",
"http://www.happylifehappywife.com/2010/07/'> \u2022 http://www.happylifehappywife.com/2010/09/'>",
"http://www.happylifehappywife.com/2011/06/'> \u2022 http://www.happylifehappywife.com/2011/08/'",
"http://www.happylifehappywife.com/2011/08/'> \u2022 http://www.happylifehappywife.com/2012/07/'>",
"http://www.happylifehappywife.com/2013/03/'> \u2022 http://www.happylifehappywife.com/index.php",
"http://www.happylifehappywife.com/wp-content/themes/theme78222/images/top-right.jpg",
"https://amp.mypornvid.fun/videos/8/AhxS-ej1myg/gf-18-com/\ud83c\udf81-i39m-your-present-\ud83c\udf81-girlfriend-surprises-you-for-christmas-reunion-soft-kisses-amp-cuddles",
"8-25-220-162-static.reverse.queryfoundry.net\t\t\tNov 1, 2025, 9:34:14 AM\t\t5\t domain\tqueryfoundry.net\t\t\tNov 1, 2025, 9:34:14 AM\t\t8\t URL\thttp://117-114-251-162-static.reverse.queryfoundry.net/",
"http://watchhers.net/index.php",
"remotewd.com device local",
"nr-data.net \u2022 applemusic-spotlight.myunidays.com \u2022 init.ess.apple.com \u2022 tv.apple.com",
"https://browntubeporn.com/tsara-brashearsAccept-Language",
"https://cg864.myhotzpic.com phishing \u2022 http://dashboard.myhotzpic.com/",
"https://myhotzpic.com/tsara-brashears-hardcore-lesbian-sex/anime-studio.org*thumbs-fa...",
"https://mypornvid.com/videos/27/x510fb2/white-dpt-jeffrey-reimer-loves-pretty-indian-patient-forces-sex-3gp-video-tsara-brashears/caillou-finger",
"http://siteinlink.d1.cnbd.net/search/tsara-brashears-dead \u2022 http://siteinlink.d1.cnbd.net/site/maps.google.com.lb/",
"http://siteinlink.d1.cnbd.net/search/tsara-brashears-assaulted-by-jeffrey-reimer",
"http://siteinlink.d1.cnbd.net/search/tsara-brashears-dead \u2022 https://videolal.com/videos/tsara-brashears-dead-by-daylight.html",
"http://pixelrz.com/lists/keywords/tsara-brashears-dead/360 \u2022 http://pixelrz.com/lists/keywords/tsara-brashears-dead/360] No Expiration\t4\t Domain tsara-brashears-deadspin-twitter-suspended-account-help.ht",
"https://www.anyxxxtube.net/search-porn/tsara-brashears/",
"https://www.pornhub.com/gifs/search?search=tsara+lynn+brashears+lesbian",
"https://www.anyxxxtube.net/search-porn/tsara-brashears/",
"https://twitter.com/PORNO_SEXYBABES \u2022 girlsdoporn.com",
"Treece Alfrey Musat P.C. Attorneys at Law Christopher P. Ahmann | https://TamLegal.com",
"https://urlscan.io/screenshots/e931bb02-80dc-46db-92f0-43d5afa258be.png"
],
"public": 1,
"adversary": "",
"targeted_countries": [],
"malware_families": [
{
"id": "TrojanSpy:Win32/Nivdort",
"display_name": "TrojanSpy:Win32/Nivdort",
"target": "/malware/TrojanSpy:Win32/Nivdort"
},
{
"id": "Worm:Win32/Autorun",
"display_name": "Worm:Win32/Autorun",
"target": "/malware/Worm:Win32/Autorun"
},
{
"id": "Tofsee",
"display_name": "Tofsee",
"target": null
},
{
"id": "Jaik",
"display_name": "Jaik",
"target": null
},
{
"id": "Trojan:Win32/Qshell",
"display_name": "Trojan:Win32/Qshell",
"target": "/malware/Trojan:Win32/Qshell"
},
{
"id": "Trojan:Win32/Mydoom",
"display_name": "Trojan:Win32/Mydoom",
"target": "/malware/Trojan:Win32/Mydoom"
}
],
"attack_ids": [
{
"id": "T1045",
"name": "Software Packing",
"display_name": "T1045 - Software Packing"
},
{
"id": "T1057",
"name": "Process Discovery",
"display_name": "T1057 - Process Discovery"
},
{
"id": "T1060",
"name": "Registry Run Keys / Startup Folder",
"display_name": "T1060 - Registry Run Keys / Startup Folder"
},
{
"id": "T1053",
"name": "Scheduled Task/Job",
"display_name": "T1053 - Scheduled Task/Job"
},
{
"id": "T1055",
"name": "Process Injection",
"display_name": "T1055 - Process Injection"
},
{
"id": "T1082",
"name": "System Information Discovery",
"display_name": "T1082 - System Information Discovery"
},
{
"id": "T1112",
"name": "Modify Registry",
"display_name": "T1112 - Modify Registry"
},
{
"id": "T1119",
"name": "Automated Collection",
"display_name": "T1119 - Automated Collection"
},
{
"id": "T1129",
"name": "Shared Modules",
"display_name": "T1129 - Shared Modules"
},
{
"id": "T1143",
"name": "Hidden Window",
"display_name": "T1143 - Hidden Window"
},
{
"id": "T1063",
"name": "Security Software Discovery",
"display_name": "T1063 - Security Software Discovery"
},
{
"id": "T1027",
"name": "Obfuscated Files or Information",
"display_name": "T1027 - Obfuscated Files or Information"
},
{
"id": "T1071",
"name": "Application Layer Protocol",
"display_name": "T1071 - Application Layer Protocol"
},
{
"id": "T1518",
"name": "Software Discovery",
"display_name": "T1518 - Software Discovery"
},
{
"id": "T1553",
"name": "Subvert Trust Controls",
"display_name": "T1553 - Subvert Trust Controls"
},
{
"id": "T1568",
"name": "Dynamic Resolution",
"display_name": "T1568 - Dynamic Resolution"
},
{
"id": "T1583",
"name": "Acquire Infrastructure",
"display_name": "T1583 - Acquire Infrastructure"
},
{
"id": "T1069",
"name": "Permission Groups Discovery",
"display_name": "T1069 - Permission Groups Discovery"
},
{
"id": "T1105",
"name": "Ingress Tool Transfer",
"display_name": "T1105 - Ingress Tool Transfer"
},
{
"id": "T1113",
"name": "Screen Capture",
"display_name": "T1113 - Screen Capture"
},
{
"id": "T1140",
"name": "Deobfuscate/Decode Files or Information",
"display_name": "T1140 - Deobfuscate/Decode Files or Information"
},
{
"id": "T1197",
"name": "BITS Jobs",
"display_name": "T1197 - BITS Jobs"
},
{
"id": "T1210",
"name": "Exploitation of Remote Services",
"display_name": "T1210 - Exploitation of Remote Services"
},
{
"id": "T1457",
"name": "Malicious Media Content",
"display_name": "T1457 - Malicious Media Content"
},
{
"id": "T1480",
"name": "Execution Guardrails",
"display_name": "T1480 - Execution Guardrails"
},
{
"id": "T1562",
"name": "Impair Defenses",
"display_name": "T1562 - Impair Defenses"
},
{
"id": "T1574",
"name": "Hijack Execution Flow",
"display_name": "T1574 - Hijack Execution Flow"
}
],
"industries": [],
"TLP": "green",
"cloned_from": "691f4d4ef0a2a570b8b21cd2",
"export_count": 2,
"upvotes_count": 0,
"downvotes_count": 0,
"votes_count": 0,
"locked": false,
"pulse_source": "web",
"validator_count": 0,
"comment_count": 0,
"follower_count": 0,
"vote": 0,
"author": {
"username": "Q.Vashti",
"id": "337942",
"avatar_url": "https://otx.alienvault.com/assets/images/default-avatar.png",
"is_subscribed": false,
"is_following": false
},
"indicator_type_counts": {
"URL": 8897,
"domain": 2102,
"hostname": 2867,
"FileHash-SHA256": 3886,
"FileHash-MD5": 619,
"FileHash-SHA1": 555,
"CVE": 3,
"email": 5,
"SSLCertFingerprint": 8
},
"indicator_count": 18942,
"is_author": false,
"is_subscribing": null,
"subscriber_count": 137,
"modified_text": "89 days ago ",
"is_modified": true,
"groups": [],
"in_group": false,
"threat_hunter_scannable": true,
"threat_hunter_has_agents": 1,
"related_indicator_type": "URL",
"related_indicator_is_active": 1
},
{
"id": "69631fbd16e306ee2b76c4da",
"name": "Chris P. Ahmann \u2022 STAY Away!f PRIVATE PROPERTY Colorado State Fixer!",
"description": "",
"modified": "2026-01-20T17:02:02.650000",
"created": "2026-01-11T03:57:49.242000",
"tags": [
"related pulses",
"p1377925676",
"gaz1",
"sid1696503456",
"sct1",
"active",
"dynamicloader",
"medium",
"write c",
"search",
"show",
"high",
"program gateway",
"http traffic",
"http",
"write",
"malware",
"nivdort",
"serving ip",
"address",
"status code",
"kb body",
"sha256",
"gw5hjz7t975",
"url https",
"url http",
"indicator role",
"pulses url",
"hostname",
"poland unknown",
"present sep",
"present jul",
"present may",
"present apr",
"present dec",
"present jan",
"moved",
"passive dns",
"ip address",
"title",
"location poland",
"asn as29522",
"gmt content",
"accept encoding",
"ipv4 add",
"urls",
"files",
"reverse dns",
"united",
"record value",
"aaaa",
"mtb oct",
"found",
"error",
"read c",
"memcommit",
"module load",
"next",
"showing",
"trojan",
"execution",
"unknown",
"entries",
"ms windows",
"intel",
"as15169",
"codeoverlap",
"yara detections",
"delphi",
"worm",
"win32",
"win64",
"learn",
"ck id",
"name tactics",
"suspicious",
"informative",
"adversaries",
"command",
"spawns",
"ssl certificate",
"execution att",
"script urls",
"treece alfrey",
"meta",
"germany unknown",
"for privacy",
"title added",
"active related",
"pulses",
"asnone",
"named pipe",
"type indicator",
"role title",
"added active",
"filehashsha256",
"ally",
"melika",
"information",
"law christopher",
"https",
"fake pinterest",
"tsara",
"traceback man",
"expiro",
"capture",
"domain",
"types of",
"germany",
"poland",
"netherlands",
"cve cve20178977",
"boobs130432 nov",
"learn more",
"filehashmd5",
"utmsourceawin",
"pe32",
"head microsoft",
"delete",
"main",
"backdoor",
"next associated",
"gmt connection",
"control",
"content type",
"twitter",
"certificate",
"redirect date",
"cache",
"unknown ns",
"hostname add",
"ipv4",
"pulse pulses",
"location united",
"america flag",
"america asn",
"windows",
"total",
"ids detections",
"url add",
"related nids",
"files location",
"flag united",
"win32mydoom nov",
"domain add",
"yara rule",
"ee fc",
"ff d5",
"f0 ff",
"eb e1",
"ff ff",
"c1 e8",
"c1 c0",
"eb e8",
"mpress",
"cache control",
"x cache",
"date",
"name servers",
"arial",
"present aug",
"present jun",
"may god",
"hall render",
"palantir doing",
"jeffrey scott",
"jeffrey reimer",
"brian sabey",
"butt pirates",
"scott reimer",
"colorado",
"quasi government",
"workers compensation",
"eva lisa",
"eva reimer",
"sammie",
"montano mark",
"death threats",
"tulach",
"hired hit men",
"gay man",
"gay porn",
"concentra",
"corruption",
"palantir",
"foundry",
"grifter",
"warning",
"illegal",
"apple",
"contacted",
"ransom",
"dead",
"denver"
],
"references": [
"https://tamlegal.com/attorneys/christopher-p-ahmann/#breadcrumb \u2022 https://www.milehighmedia.com/en/movies",
"https://www.milehighmedia.com/legal/2257 \u2022 https://www.milehighmedia",
"www.milehighmedia.com \u2022 https://www.milehighmedia.com/en/Charlie-Dean/pornstar/49512",
"https://www.milehighmedia.com/en/login/index/aHR0cHMlM0ElMkYlMkZtZW1iZXJzLm1pbGVoaWdobWVkaWEuY29tJTJGZW4lMkZ2aWRlb3MlMkZzd2VldGhlYXJ0dmlkZW8lM0ZhbHVwJTNEQURqeF9ITjhfd1oweU96UnpsU3NNNUZLaVVxSzBXNEN0X3NmTFpKTGVJc3M2b0RVUzkwVmp6VllNVko5eFpmdENYcFNKd3IzOTNaMG1mOEpXeVhVeVZpLTJZYVRsaGd3M25DSDRpYnRwZ25BRC1zUFhDQVUycjZJOXo2WWtRMzNVWVFhMFZyWC1YckxvcnRkVjJZdEgxSDYxZ1lhMTFNS3RZSkEzY3FlSXhFQzhtSlAzSk1tbloySURMQXlMZndPcHozSFFiTzF4T0FseXJIQ0xYem1ldFElMkE=\t \thttp://www.milehighmedia.com/?ats=eyJhIjoyOTYzMTgsImMiOjU3OTYzNz",
"http://www.milehighmedia.com/legal\t \u2022 https://www.milehighmedia.com/en/pornstar/milehighmedia/Justin-Hunt/51017",
"https://www.milehighmedia.com/de/MileHighMedia/scene/129689?utm_source=271174&utm_medium=affiliate&utm_campaign=",
"http://www.milehighmedia.com/?ats=eyJhIjoyOTYzMTgsImMiOjU3OTYzNzc1LCJuIjo3NiwicyI6NT...",
"ttps://www.milehighmedia.com/scene/4404473/creampie-adventures-scene-2-sneaky-melanie",
"https://www.milehighmedia.com/join \u2022 https://www.milehighmedia.com/models \u2022 https://www.milehighmedia.com/movies",
"https://www.milehighmedia.com/model/59136/avi-love \u2022https://www.milehighmedia.com/model/60418/Justin-Hunt \u2022",
"https://www.milehighmedia.com/en/photo/milehighmedia/The-Mother-I-Cant-Resist/52380",
"https://www.milehighmedia.com/en/movies \u2022 https://www.milehighmedia.com/join",
"https://www.pornhub.com/gifs/search?search=tsara+lynn+brashears+lesbian",
"pornhub-e.com \u2022 www.pornhub.com \u2022",
"https://www.sweetheartvideo.com/tsara-brashears/ \u2022 www.sweetheartvideo.com",
"https://www.sweetheartvideo.com/en/?s=1?s=1&utm_source=272160&utm_medium=affiliate&utm_campaign=lovelezzies",
"https://www.sweetheartvideo.com/en/dvd/Lesbian-Massage/49895",
"https://www.sweetheartvideo.com/en/dvds \u2022 https://www.sweetheartvideo.com/en/login",
"https://www.sweetheartvideo.com/en/model/Mona-Wales/49601 \u2022 https://www.sweetheartvideo.com/en/scene/Truth-Dare--Boobs/130432 No Expiration\t0\t URL https://www.sweetheartvideo.com/it/model/Kristen-Scott/50432 \u2022 https://www.sweetheartvideo.com/model/63710/brandi-love",
"https://www.sweetheartvideo.com/scenes?models=63710",
"https://www.sweetheartvideo.com/model/63710/brandi-love",
"https://www.sweetheartvideo.com/scenes?models=63710",
"https://www.sweetheartvideo.com/it/model/Kristen-Scott/50432",
"https://www.sweetheartvideo.com/en/scene/Truth-Dare--Boobs/130432",
"https://www.milehighmedia.com/en/photo/milehighmedia/The-Mother-I-Cant-Resist/52380",
"https://www.vgt.pl/font/roboto/Roboto-Bold.eot \u2022",
"https://www.vgt.pl/94.152.152.233/images/logo.png",
"https://www.vgt.pl/94.152.156.22/logo.png \u2022 https://www.vgt.pl/css/",
"https://www.vgt.pl/favicon.ico",
"https://www.vgt.pl/font/fa/fontawesome-webfont.eot",
"https://www.vgt.pl/font/roboto/Roboto-Bold.ttf \u2022 https://www.vgt.pl/font/roboto/Roboto-Light.eot",
"https://www.vgt.pl/font/roboto/Roboto-Medium.ttf",
"https://www.vgt.pl/font/roboto/Roboto-Light.ttf \u2022",
"https://www.vgt.pl/static/js/bootstrap-typeahead.jstic/js/bootstrap-typeahead.js",
"https://www.vgt.pl/style/style.css \u2022 https://www.vgt.pl/font/roboto/Roboto-Medium.eot",
"https://www.vgt.pl/font/roboto/Roboto-Regular.ttf \u2022 https://www.vgt.pl/font/roboto/Roboto-Thin.eot",
"https://www.vgt.pl/static/js/bootstrap-typeahead.js.179.252.2",
"https://www.vgt.pl/font/roboto/Roboto-Thin.ttf \u2022 https://www.vgt.pl/static/js/bootstrap-typeahead.js",
"https://www.vgt.pl/font/roboto/Roboto-Regular.eot \u2022 https://www.vgt.pl/94.152.156.22/logo.png \u2022 https://www.vgt.pl/css/",
"vgt.pl \u2022 www.hak.vgt.pl \u2022 www.localhost.vgt.pl \u2022 www.certyfikat.vgt.pl \u2022 aristocrat.vgt.pl",
"https://www.vgt.pl/ phishing \u2022 https://vgt.pl/ \u2022www.vgt.pl \u2022 https://www.vgt.pl/94.152.152.233/images/logo.png",
"http://www.pornokind.vgt.pl \u2022 https://dbkuewww.m.vgt.pl \u2022 https://lokalnyhost.vgt.pl \u2022 www.xn--twj-hna.pedofil.vgt.pl",
"http://www.hak.vgt.pl \u2022 http://pornokind.vgt.pl \u2022 http://sip.vgt.pl \u2022 http://smtp-qa.vgt.pl \u2022 http://vgt.pl/*.",
"https://pornokind.vgt.pl \u2022 https://sip.vgt.pl \u2022 https://smtp-qa.vgt.pl \u2022 https://www.vgt.pl/94.152.156.22/logo.png",
"www.localhost.vgt.pl \u2022 www.certyfikat.vgt.pl \u2022 https://www.vgt.pl/94.152.152.233/images/logo.png",
"https://www.vgt.pl/css/ \u2022 https://www.vgt.pl/favicon.ico \u2022 https://www.vgt.pl/font/fa/fontawesome-webfont.eot",
"https://www.vgt.pl/font/roboto/Roboto-Bold.eot \u2022 https://www.vgt.pl/font/roboto/Roboto-Bold.ttf \u2022 https://www.vgt.pl/font/roboto/Roboto-Light.eot",
"https://www.vgt.pl/static/js/bootstrap-typeahead.jstic/js/bootstrap-typeahead.js",
"https://www.vgt.pl/style/style.css \u2022 https://www.vgt.pl/static/js/bootstrap-typeahead.js",
"IP Address 94.152.58.192 Location Poland ASN AS29522 h88 s.a. Nameservers ns1.kei.pl. , ns2.kei.pl.",
"www.happylifehappywife.com \u2022 http://www.happylifehappywife.com/2010/02/'>",
"http://www.happylifehappywife.com/2010/04/'> \u2022 http://www.happylifehappywife.com/2010/05/'>",
"http://www.happylifehappywife.com/2010/07/'> \u2022 http://www.happylifehappywife.com/2010/09/'>",
"http://www.happylifehappywife.com/2011/06/'> \u2022 http://www.happylifehappywife.com/2011/08/'",
"http://www.happylifehappywife.com/2011/08/'> \u2022 http://www.happylifehappywife.com/2012/07/'>",
"http://www.happylifehappywife.com/2013/03/'> \u2022 http://www.happylifehappywife.com/index.php",
"http://www.happylifehappywife.com/wp-content/themes/theme78222/images/top-right.jpg",
"https://amp.mypornvid.fun/videos/8/AhxS-ej1myg/gf-18-com/\ud83c\udf81-i39m-your-present-\ud83c\udf81-girlfriend-surprises-you-for-christmas-reunion-soft-kisses-amp-cuddles",
"8-25-220-162-static.reverse.queryfoundry.net\t\t\tNov 1, 2025, 9:34:14 AM\t\t5\t domain\tqueryfoundry.net\t\t\tNov 1, 2025, 9:34:14 AM\t\t8\t URL\thttp://117-114-251-162-static.reverse.queryfoundry.net/",
"http://watchhers.net/index.php",
"remotewd.com device local",
"nr-data.net \u2022 applemusic-spotlight.myunidays.com \u2022 init.ess.apple.com \u2022 tv.apple.com",
"https://browntubeporn.com/tsara-brashearsAccept-Language",
"https://cg864.myhotzpic.com phishing \u2022 http://dashboard.myhotzpic.com/",
"https://myhotzpic.com/tsara-brashears-hardcore-lesbian-sex/anime-studio.org*thumbs-fa...",
"https://mypornvid.com/videos/27/x510fb2/white-dpt-jeffrey-reimer-loves-pretty-indian-patient-forces-sex-3gp-video-tsara-brashears/caillou-finger",
"http://siteinlink.d1.cnbd.net/search/tsara-brashears-dead \u2022 http://siteinlink.d1.cnbd.net/site/maps.google.com.lb/",
"http://siteinlink.d1.cnbd.net/search/tsara-brashears-assaulted-by-jeffrey-reimer",
"http://siteinlink.d1.cnbd.net/search/tsara-brashears-dead \u2022 https://videolal.com/videos/tsara-brashears-dead-by-daylight.html",
"http://pixelrz.com/lists/keywords/tsara-brashears-dead/360 \u2022 http://pixelrz.com/lists/keywords/tsara-brashears-dead/360] No Expiration\t4\t Domain tsara-brashears-deadspin-twitter-suspended-account-help.ht",
"https://www.anyxxxtube.net/search-porn/tsara-brashears/",
"https://www.pornhub.com/gifs/search?search=tsara+lynn+brashears+lesbian",
"https://www.anyxxxtube.net/search-porn/tsara-brashears/",
"https://twitter.com/PORNO_SEXYBABES \u2022 girlsdoporn.com",
"Treece Alfrey Musat P.C. Attorneys at Law Christopher P. Ahmann | https://TamLegal.com",
"https://urlscan.io/screenshots/e931bb02-80dc-46db-92f0-43d5afa258be.png"
],
"public": 1,
"adversary": "",
"targeted_countries": [],
"malware_families": [
{
"id": "TrojanSpy:Win32/Nivdort",
"display_name": "TrojanSpy:Win32/Nivdort",
"target": "/malware/TrojanSpy:Win32/Nivdort"
},
{
"id": "Worm:Win32/Autorun",
"display_name": "Worm:Win32/Autorun",
"target": "/malware/Worm:Win32/Autorun"
},
{
"id": "Tofsee",
"display_name": "Tofsee",
"target": null
},
{
"id": "Jaik",
"display_name": "Jaik",
"target": null
},
{
"id": "Trojan:Win32/Qshell",
"display_name": "Trojan:Win32/Qshell",
"target": "/malware/Trojan:Win32/Qshell"
},
{
"id": "Trojan:Win32/Mydoom",
"display_name": "Trojan:Win32/Mydoom",
"target": "/malware/Trojan:Win32/Mydoom"
}
],
"attack_ids": [
{
"id": "T1045",
"name": "Software Packing",
"display_name": "T1045 - Software Packing"
},
{
"id": "T1057",
"name": "Process Discovery",
"display_name": "T1057 - Process Discovery"
},
{
"id": "T1060",
"name": "Registry Run Keys / Startup Folder",
"display_name": "T1060 - Registry Run Keys / Startup Folder"
},
{
"id": "T1053",
"name": "Scheduled Task/Job",
"display_name": "T1053 - Scheduled Task/Job"
},
{
"id": "T1055",
"name": "Process Injection",
"display_name": "T1055 - Process Injection"
},
{
"id": "T1082",
"name": "System Information Discovery",
"display_name": "T1082 - System Information Discovery"
},
{
"id": "T1112",
"name": "Modify Registry",
"display_name": "T1112 - Modify Registry"
},
{
"id": "T1119",
"name": "Automated Collection",
"display_name": "T1119 - Automated Collection"
},
{
"id": "T1129",
"name": "Shared Modules",
"display_name": "T1129 - Shared Modules"
},
{
"id": "T1143",
"name": "Hidden Window",
"display_name": "T1143 - Hidden Window"
},
{
"id": "T1063",
"name": "Security Software Discovery",
"display_name": "T1063 - Security Software Discovery"
},
{
"id": "T1027",
"name": "Obfuscated Files or Information",
"display_name": "T1027 - Obfuscated Files or Information"
},
{
"id": "T1071",
"name": "Application Layer Protocol",
"display_name": "T1071 - Application Layer Protocol"
},
{
"id": "T1518",
"name": "Software Discovery",
"display_name": "T1518 - Software Discovery"
},
{
"id": "T1553",
"name": "Subvert Trust Controls",
"display_name": "T1553 - Subvert Trust Controls"
},
{
"id": "T1568",
"name": "Dynamic Resolution",
"display_name": "T1568 - Dynamic Resolution"
},
{
"id": "T1583",
"name": "Acquire Infrastructure",
"display_name": "T1583 - Acquire Infrastructure"
},
{
"id": "T1069",
"name": "Permission Groups Discovery",
"display_name": "T1069 - Permission Groups Discovery"
},
{
"id": "T1105",
"name": "Ingress Tool Transfer",
"display_name": "T1105 - Ingress Tool Transfer"
},
{
"id": "T1113",
"name": "Screen Capture",
"display_name": "T1113 - Screen Capture"
},
{
"id": "T1140",
"name": "Deobfuscate/Decode Files or Information",
"display_name": "T1140 - Deobfuscate/Decode Files or Information"
},
{
"id": "T1197",
"name": "BITS Jobs",
"display_name": "T1197 - BITS Jobs"
},
{
"id": "T1210",
"name": "Exploitation of Remote Services",
"display_name": "T1210 - Exploitation of Remote Services"
},
{
"id": "T1457",
"name": "Malicious Media Content",
"display_name": "T1457 - Malicious Media Content"
},
{
"id": "T1480",
"name": "Execution Guardrails",
"display_name": "T1480 - Execution Guardrails"
},
{
"id": "T1562",
"name": "Impair Defenses",
"display_name": "T1562 - Impair Defenses"
},
{
"id": "T1574",
"name": "Hijack Execution Flow",
"display_name": "T1574 - Hijack Execution Flow"
}
],
"industries": [],
"TLP": "green",
"cloned_from": "695557ee134b978b00883c29",
"export_count": 1,
"upvotes_count": 0,
"downvotes_count": 0,
"votes_count": 0,
"locked": false,
"pulse_source": "web",
"validator_count": 0,
"comment_count": 0,
"follower_count": 0,
"vote": 0,
"author": {
"username": "Q.Vashti",
"id": "337942",
"avatar_url": "https://otx.alienvault.com/assets/images/default-avatar.png",
"is_subscribed": false,
"is_following": false
},
"indicator_type_counts": {
"URL": 8897,
"domain": 2102,
"hostname": 2867,
"FileHash-SHA256": 3886,
"FileHash-MD5": 619,
"FileHash-SHA1": 555,
"CVE": 3,
"email": 5,
"SSLCertFingerprint": 8
},
"indicator_count": 18942,
"is_author": false,
"is_subscribing": null,
"subscriber_count": 137,
"modified_text": "89 days ago ",
"is_modified": true,
"groups": [],
"in_group": false,
"threat_hunter_scannable": true,
"threat_hunter_has_agents": 1,
"related_indicator_type": "URL",
"related_indicator_is_active": 1
},
{
"id": "6944ce38344ccded23df66f5",
"name": "Ransom - Amnesty.org - a single link in a Pegasus attack against a civilian.",
"description": "I don\u2019t have the right words to put this together because it involves so much coercion, fraud, betrayal, manipulation , hacking, multiple business fronts, loud mouth mafia plants, working with someone under false pretenses, redhat security teams in Denver , Colorado, false implications of cyber attacks coming from foreign entities. \n\nTips come from a highly reliable sources. One link in a Pegasus attack .",
"modified": "2026-01-18T03:05:59.836000",
"created": "2025-12-19T04:02:00.973000",
"tags": [
"intel",
"ms windows",
"write c",
"pe32",
"pe32 executable",
"copy c",
"free",
"benjamin",
"write",
"worm",
"win32",
"code",
"june",
"delphi",
"malware",
"benjamin",
"tulach",
"state of colorado",
"christopher p. \u2018buzz\u2019 ahmann",
"danica implants",
"nids_malware_alert",
"bonu$",
"network_icmp",
"network_irc",
"persistence_autorun",
"network_http",
"nids_alert",
"allocates_rwx",
"hackers",
"creates_exe",
"brian sabey",
"sour del",
"packer_entropy",
"antivm_memory_available",
"pe_features",
"get key",
"crime",
"organized crime",
"federal crime",
"cyber crime",
"piracy",
"status",
"china unknown",
"name servers",
"div div",
"ip address",
"domain",
"creation date",
"record value",
"meta",
"title",
"hong kong",
"passive dns",
"gmt content",
"type",
"content length",
"ipv4 add",
"urls",
"files",
"location hong",
"twitter",
"youtube",
"side 3 studios",
"denver music",
"infiltration",
"whistleblower",
"getkey",
"cyber warfare",
"fraud",
"financial crimes",
"pegasus",
"music front",
"france unknown",
"present feb",
"iran unknown",
"present nov",
"present jun",
"present jan",
"hidden",
"present jul",
"date",
"united",
"flag",
"windir",
"openurl c",
"prefetch2",
"analysis",
"tor analysis",
"dns requests",
"domain address",
"llc name",
"learn",
"ck id",
"name tactics",
"suspicious",
"informative",
"adversaries",
"command",
"defense evasion",
"spawns",
"found",
"pattern match",
"mitre att",
"show technique",
"ck matrix",
"ascii text",
"href",
"show process",
"file",
"general",
"local",
"path",
"memory dumping",
"entries",
"icmp delphi",
"showing",
"delete",
"yara detections",
"windows nt",
"wow64",
"khtml",
"gecko",
"dns query",
"packing t1045",
"ransom",
"cve",
"palantir",
"remote",
"graham"
],
"references": [
"Amnesty.org | remote.amnesty.org",
"tulach.cc",
"Worm:Win32/Benjamin IDS Detections: Win32.Worm.Benjamin.A CnC Checkin ICMP",
"Alerts : nids_malware_alert network_icmp network_irc persistence_autorun network_http",
"Alerts : nids_alert allocates_rwx creates_exe packer_entropy antivm_memory_available",
"Delphi Likely Precursor to Scan PING Delphi-Piette Windows Yara Detections Delphi",
"Delphi This program must be run under Win32 Compilers",
"More IP\u2019s Contacted 74.6.143.26 Domains Contacted benjamin.xww.de",
"http://www.yixun.com/getkey {\"privateKey\": \"JMVRar4COFWb3eKZ\"}",
"Server: JFE https://otx.alienvault.com/otxapi/indicators/url/screenshot/http://www.yixun.com/getkey",
"http://www.shopsleuth.com/goal-academy/the-citadel/colorado-springs-co",
"ipv4bot.whatismyipaddress.com",
"helloprismatic.com",
"https://palantir-staging.staging.candidate.app.paulsjob.ai/",
"Brian Sabey",
"Christopher P. \u2018Buzz\u2019 Ahmann"
],
"public": 1,
"adversary": "",
"targeted_countries": [],
"malware_families": [
{
"id": "Worm:Win32/Benjamin",
"display_name": "Worm:Win32/Benjamin",
"target": "/malware/Worm:Win32/Benjamin"
},
{
"id": "Ransom:Win32/GandCrab",
"display_name": "Ransom:Win32/GandCrab",
"target": "/malware/Ransom:Win32/GandCrab"
},
{
"id": "CVE-2023-2868",
"display_name": "CVE-2023-2868",
"target": null
},
{
"id": "Exploit:Win32/CVE-2017-0147",
"display_name": "Exploit:Win32/CVE-2017-0147",
"target": "/malware/Exploit:Win32/CVE-2017-0147"
}
],
"attack_ids": [
{
"id": "T1045",
"name": "Software Packing",
"display_name": "T1045 - Software Packing"
},
{
"id": "T1053",
"name": "Scheduled Task/Job",
"display_name": "T1053 - Scheduled Task/Job"
},
{
"id": "T1060",
"name": "Registry Run Keys / Startup Folder",
"display_name": "T1060 - Registry Run Keys / Startup Folder"
},
{
"id": "T1082",
"name": "System Information Discovery",
"display_name": "T1082 - System Information Discovery"
},
{
"id": "T1129",
"name": "Shared Modules",
"display_name": "T1129 - Shared Modules"
},
{
"id": "T1140",
"name": "Deobfuscate/Decode Files or Information",
"display_name": "T1140 - Deobfuscate/Decode Files or Information"
},
{
"id": "T1057",
"name": "Process Discovery",
"display_name": "T1057 - Process Discovery"
},
{
"id": "T1069",
"name": "Permission Groups Discovery",
"display_name": "T1069 - Permission Groups Discovery"
},
{
"id": "T1071",
"name": "Application Layer Protocol",
"display_name": "T1071 - Application Layer Protocol"
},
{
"id": "T1083",
"name": "File and Directory Discovery",
"display_name": "T1083 - File and Directory Discovery"
},
{
"id": "T1105",
"name": "Ingress Tool Transfer",
"display_name": "T1105 - Ingress Tool Transfer"
},
{
"id": "T1480",
"name": "Execution Guardrails",
"display_name": "T1480 - Execution Guardrails"
},
{
"id": "T1539",
"name": "Steal Web Session Cookie",
"display_name": "T1539 - Steal Web Session Cookie"
},
{
"id": "T1553",
"name": "Subvert Trust Controls",
"display_name": "T1553 - Subvert Trust Controls"
},
{
"id": "T1562",
"name": "Impair Defenses",
"display_name": "T1562 - Impair Defenses"
},
{
"id": "T1583",
"name": "Acquire Infrastructure",
"display_name": "T1583 - Acquire Infrastructure"
},
{
"id": "T1012",
"name": "Query Registry",
"display_name": "T1012 - Query Registry"
},
{
"id": "T1055",
"name": "Process Injection",
"display_name": "T1055 - Process Injection"
},
{
"id": "T1584.005",
"name": "Botnet",
"display_name": "T1584.005 - Botnet"
},
{
"id": "T1036",
"name": "Masquerading",
"display_name": "T1036 - Masquerading"
},
{
"id": "T1036.004",
"name": "Masquerade Task or Service",
"display_name": "T1036.004 - Masquerade Task or Service"
}
],
"industries": [],
"TLP": "green",
"cloned_from": null,
"export_count": 2,
"upvotes_count": 0,
"downvotes_count": 0,
"votes_count": 0,
"locked": false,
"pulse_source": "web",
"validator_count": 0,
"comment_count": 0,
"follower_count": 0,
"vote": 0,
"author": {
"username": "Q.Vashti",
"id": "337942",
"avatar_url": "https://otx.alienvault.com/assets/images/default-avatar.png",
"is_subscribed": false,
"is_following": false
},
"indicator_type_counts": {
"FileHash-MD5": 429,
"FileHash-SHA1": 341,
"FileHash-SHA256": 2766,
"URL": 6976,
"domain": 1151,
"CVE": 2,
"email": 3,
"hostname": 2913,
"SSLCertFingerprint": 4
},
"indicator_count": 14585,
"is_author": false,
"is_subscribing": null,
"subscriber_count": 142,
"modified_text": "91 days ago ",
"is_modified": true,
"groups": [],
"in_group": false,
"threat_hunter_scannable": true,
"threat_hunter_has_agents": 1,
"related_indicator_type": "URL",
"related_indicator_is_active": 1
},
{
"id": "68e2bb5d9ee8577ab5519f2c",
"name": "Meritshealth with DoD links? ",
"description": "",
"modified": "2026-01-13T00:05:56.401000",
"created": "2025-10-05T18:39:25.286000",
"tags": [
"gtmk5nxqc6",
"utc amazon",
"utc na",
"acceptencoding",
"gmt contenttype",
"connection",
"true pragma",
"gmt setcookie",
"httponly",
"gmt vary",
"nc000000 up",
"html document",
"unicode text",
"utf8 text",
"oc0006 http",
"http traffic",
"https http",
"mitre att",
"control ta0011",
"protocol t1071",
"match info",
"t1573 severity",
"info",
"number",
"ja3s",
"algorithm",
"azure rsa",
"tls issuing",
"cus subject",
"stwa lredmond",
"cnmicrosoft ecc",
"update secure",
"server ca",
"omicrosoft cus",
"get http",
"dns resolutions",
"registrar",
"markmonitor inc",
"country",
"resolver domain",
"type name",
"html",
"apnic",
"apnic whois",
"please",
"rirs",
"cidr",
"learn",
"ck id",
"name tactics",
"suspicious",
"informative",
"command",
"adversaries",
"development att",
"name tactics",
"binary file",
"ck matrix",
"wheelchair",
"iamrobert",
"pattern match",
"ascii text",
"href",
"united",
"general",
"local",
"path",
"encrypt",
"click",
"passive dns",
"urls",
"files",
"reverse dns",
"netherlands",
"present aug",
"a domains",
"moved",
"first pqc",
"ip address",
"unknown ns",
"unknown aaaa",
"title",
"body",
"meta",
"window",
"accept",
"body doctype",
"welcome",
"ok server",
"gmt content",
"present jul",
"present sep",
"aaaa",
"hostname",
"error",
"defense evasion",
"windows nt",
"response",
"vary",
"strings",
"core",
"t1027.013 encrypted/encoded",
"michelin lazy k",
"prefetch8",
"flag",
"date",
"starfield",
"hybrid",
"mobility cr",
"extraction",
"data upload",
"include",
"o url",
"url url",
"included i0",
"review ioc",
"excluded ic",
"suggested",
"find sugi",
"failed",
"cre pul",
"enter",
"enter sc",
"type",
"enric",
"extra",
"type opaste",
"data u",
"included",
"copy md5",
"copy sha1",
"copy sha256",
"null",
"refresh",
"tools",
"look",
"verify",
"restart",
"t1480 execution",
"expiration",
"url https",
"no expiration",
"iocs",
"ipv4",
"text drag",
"drop or",
"browse to",
"select file",
"redacted for",
"server",
"privacy tech",
"privacy admin",
"postal code",
"stateprovince",
"organization",
"email",
"code",
"quantum rooms",
"sam somalia",
"emp",
"porn",
"media defense",
"gov porn",
"suck my nips",
"reimer suspect",
"jeffrey reimer",
"dod",
"department of defense",
"show",
"date checked",
"url hostname",
"server response",
"google safe",
"results may",
"entries http",
"scans record",
"value status",
"sabey type",
"merits fake",
"y.a.s.",
"pornography",
"ramsom"
],
"references": [
"https://www.meritshealth.com/ Defense.Gov Mobility Co? ",
"zeroeyes.host \u2022 media.defense.gov \u2022 defense.gov \u2022 23.222.155.67",
"https://media.defense.gov/2022/Mar/17/2002958406/-1/-1/1/SUMMARY-OF-THE-JOINT-ALL-DOMAIN-COMMAND-AND-CONTROL-STRATEGY.pdf",
"https://media.defense.gov/2020/jun/09/2002313081/-1/-1/0/csi-detect-and-prevent-web-shell-malware-20200422.pdf",
"https://rto.bappam.eu/ai-n2cdl/mirai-2025-ven5k-telugu-movie-watch-online.html",
"https://pornokind.vgt.pl \u2022 https://cdn2.video.itsyourporn.com",
"https://webcams.itsyourporn.com/ \u2022 https://members.itsyourporn.com/",
"https://pics-storage-1.pornhat.com/contents/albums/main/1920x1080/135000/135855/9537375.jp",
"https://static.pornhat.com/contents/videos_screenshots/642000/642793/640x360/1.jpg",
"https://d1rozh26tys225.cloudfront.net/robot-suspicion.svg (mobility company no one has heard of)",
"https://www2.itsyourporn.com/license.php \u2022 https://www.lovephoto.tw/members",
"https://members.engine.com/login \u2022 https://members.engine.com/payment-details/220210",
"https://www-pornocarioca-com.sexogratis.page/videos/bbb/ex",
"https://media.defense.gov/2024/sep/18/2003547016/-1/-1/0/csa-prc-linked-actors-botnet.pdf",
"https://maisexo-com.putaria.info/casting \u2022 https://contosadultos-club.sexogratis.page/tudo",
"https://meumundogay-com.sexogratis.page/locker",
"https://es.pornhat.com/models/the-sex-creator/",
"Dear US Government, the man who assaulted targets name is Jeffrey Scott Reimer of Chester Springs, PA",
"Can the DoD no questions asked target a SA victim",
"Red Team Abuse? Starfield ? DoD? You need a real criminal Jeffrey Reimer.",
"There\u2019s a problem with terrorizing victims, relatives of, associates of and stealing their property intellectual or otherwise",
"socialmedia \u2022 socialmedia.defense.gov \u2022 static.defense.gov",
"There is fear in silence or speaking out",
"Target left unattended by anyone in a hospital except a security guard. Hospital refused care. Ignored rare brain incident from high cervical & brain assault injuries aggravated by car accident.",
"3-4 Police presence. 25 + hospital employees prepped radiology room. No one left room so was it for her?",
"If someone is believed to be a threat they have right to due process.",
"Infectious Disease UC Health denied target medication they said she needed as questionable liquid seeped into her brain.",
"She was a researcher not a hacker. A mother not a criminal. Most talented and least impressed person I have ever known.",
"Remarks online \u2018 T\u2019*#^^ is not a runner\u2019 a size 00 broke two track records at a major universities.",
"Honestly, you\u2019ve never seen or met her no many how many people you\u2019ve sent out. That\u2019s why you quiz.",
"ftp.iamrobert.com ? \u2022 https://www.meritshealth.com/templates/iamrobert/fonts/Graphik-Regular.eot",
"iamrobert.com Y.A.S.",
"1.2016 M.Brian Sabey filed a complaint about? Jeffrey Reimer refused Lie detector test and False memory exam",
"Target agreed and complied with all lie detector measures.",
"Is the family allowed to have a funeral for Tsara or print an obituary",
"No, they put Tsara in her mom\u2019s obituary, she couldn\u2019t grieve, she had to take it down.",
"I am very upset. Whoever is doing this is sick."
],
"public": 1,
"adversary": "",
"targeted_countries": [
"United States of America"
],
"malware_families": [
{
"id": "APNIC",
"display_name": "APNIC",
"target": null
},
{
"id": "Malware",
"display_name": "Malware",
"target": null
}
],
"attack_ids": [
{
"id": "T1071",
"name": "Application Layer Protocol",
"display_name": "T1071 - Application Layer Protocol"
},
{
"id": "T1573",
"name": "Encrypted Channel",
"display_name": "T1573 - Encrypted Channel"
},
{
"id": "T1027",
"name": "Obfuscated Files or Information",
"display_name": "T1027 - Obfuscated Files or Information"
},
{
"id": "T1057",
"name": "Process Discovery",
"display_name": "T1057 - Process Discovery"
},
{
"id": "T1069",
"name": "Permission Groups Discovery",
"display_name": "T1069 - Permission Groups Discovery"
},
{
"id": "T1105",
"name": "Ingress Tool Transfer",
"display_name": "T1105 - Ingress Tool Transfer"
},
{
"id": "T1480",
"name": "Execution Guardrails",
"display_name": "T1480 - Execution Guardrails"
},
{
"id": "T1553",
"name": "Subvert Trust Controls",
"display_name": "T1553 - Subvert Trust Controls"
},
{
"id": "T1566",
"name": "Phishing",
"display_name": "T1566 - Phishing"
},
{
"id": "T1568",
"name": "Dynamic Resolution",
"display_name": "T1568 - Dynamic Resolution"
},
{
"id": "T1583",
"name": "Acquire Infrastructure",
"display_name": "T1583 - Acquire Infrastructure"
},
{
"id": "T1069.002",
"name": "Domain Groups",
"display_name": "T1069.002 - Domain Groups"
},
{
"id": "T1071.001",
"name": "Web Protocols",
"display_name": "T1071.001 - Web Protocols"
},
{
"id": "T1583.001",
"name": "Domains",
"display_name": "T1583.001 - Domains"
},
{
"id": "TA0042",
"name": "Resource Development",
"display_name": "TA0042 - Resource Development"
},
{
"id": "TA0005",
"name": "Defense Evasion",
"display_name": "TA0005 - Defense Evasion"
},
{
"id": "T1553.002",
"name": "Code Signing",
"display_name": "T1553.002 - Code Signing"
},
{
"id": "T1528",
"name": "Steal Application Access Token",
"display_name": "T1528 - Steal Application Access Token"
},
{
"id": "T1071.004",
"name": "DNS",
"display_name": "T1071.004 - DNS"
},
{
"id": "T1113",
"name": "Screen Capture",
"display_name": "T1113 - Screen Capture"
},
{
"id": "T1590",
"name": "Gather Victim Network Information",
"display_name": "T1590 - Gather Victim Network Information"
},
{
"id": "T1591",
"name": "Gather Victim Org Information",
"display_name": "T1591 - Gather Victim Org Information"
},
{
"id": "T1132",
"name": "Data Encoding",
"display_name": "T1132 - Data Encoding"
},
{
"id": "T1140",
"name": "Deobfuscate/Decode Files or Information",
"display_name": "T1140 - Deobfuscate/Decode Files or Information"
},
{
"id": "T1562",
"name": "Impair Defenses",
"display_name": "T1562 - Impair Defenses"
},
{
"id": "T1457",
"name": "Malicious Media Content",
"display_name": "T1457 - Malicious Media Content"
},
{
"id": "T1562.001",
"name": "Disable or Modify Tools",
"display_name": "T1562.001 - Disable or Modify Tools"
},
{
"id": "T1562.004",
"name": "Disable or Modify System Firewall",
"display_name": "T1562.004 - Disable or Modify System Firewall"
},
{
"id": "T1089",
"name": "Disabling Security Tools",
"display_name": "T1089 - Disabling Security Tools"
},
{
"id": "T1562.008",
"name": "Disable Cloud Logs",
"display_name": "T1562.008 - Disable Cloud Logs"
},
{
"id": "T1125",
"name": "Video Capture",
"display_name": "T1125 - Video Capture"
},
{
"id": "T1056.003",
"name": "Web Portal Capture",
"display_name": "T1056.003 - Web Portal Capture"
},
{
"id": "T1512",
"name": "Capture Camera",
"display_name": "T1512 - Capture Camera"
},
{
"id": "T1180",
"name": "Screensaver",
"display_name": "T1180 - Screensaver"
}
],
"industries": [],
"TLP": "white",
"cloned_from": "68e2b14d83bb63502feac65e",
"export_count": 17,
"upvotes_count": 0,
"downvotes_count": 0,
"votes_count": 0,
"locked": false,
"pulse_source": "web",
"validator_count": 0,
"comment_count": 0,
"follower_count": 0,
"vote": 0,
"author": {
"username": "Q.Vashti",
"id": "337942",
"avatar_url": "https://otx.alienvault.com/assets/images/default-avatar.png",
"is_subscribed": false,
"is_following": false
},
"indicator_type_counts": {
"domain": 1365,
"URL": 11172,
"hostname": 2780,
"FileHash-MD5": 381,
"FileHash-SHA256": 4420,
"FileHash-SHA1": 338,
"CIDR": 4,
"SSLCertFingerprint": 24,
"CVE": 1,
"email": 1
},
"indicator_count": 20486,
"is_author": false,
"is_subscribing": null,
"subscriber_count": 139,
"modified_text": "96 days ago ",
"is_modified": true,
"groups": [],
"in_group": false,
"threat_hunter_scannable": true,
"threat_hunter_has_agents": 1,
"related_indicator_type": "URL",
"related_indicator_is_active": 1
},
{
"id": "695ea667a062ed6688b104ab",
"name": "Frost Security | Attorneys | Government | Crazy | Stop Tampering ",
"description": "",
"modified": "2026-01-07T18:31:03.104000",
"created": "2026-01-07T18:31:03.104000",
"tags": [
"active",
"type win32",
"exe size",
"first seen",
"malicious avg",
"win32",
"gdata",
"dynamicloader",
"fe ff",
"high",
"write c",
"data",
"x00bx00",
"uswv",
"write",
"redline",
"stream",
"guard",
"malware",
"push",
"local",
"crazyfrost",
"adversarial",
"hacker",
"extraction",
"enter sc",
"data upload",
"extre data",
"included iocs",
"url http",
"url https",
"include review",
"exclude sugges",
"frost security",
"windir",
"openurl c",
"prefetch2",
"analysis",
"tor analysis",
"dns requests",
"domain address",
"contacted hosts",
"ip address",
"process details",
"learn",
"ck id",
"name tactics",
"suspicious",
"informative",
"command",
"spawns",
"defense evasion",
"t1480 execution",
"signing defense",
"united",
"flag",
"contacted",
"http traffic",
"file defense",
"mitre att",
"ck techniques",
"evasion att",
"belize",
"div div",
"passive dns",
"link",
"ipv4 add",
"url analysis",
"urls",
"files",
"meta",
"ddos",
"indicators show",
"search",
"type indicator",
"role title",
"added active",
"related pulses",
"hostname",
"types",
"hosanna",
"x show",
"ck ids",
"t1060",
"run keys",
"startup",
"folder",
"t1036",
"capture",
"cookie",
"palantir",
"indicator role",
"active related",
"description",
"trump supporter",
"types of",
"germany",
"china",
"netherlands",
"https",
"notice",
"billions",
"stop",
"boobs130432 no",
"expiration",
"location poland",
"asn as29522",
"learn more",
"domain",
"foundry",
"hallrender",
"brian sabey",
"tam legal",
"christopher p ahmann",
"palantir",
"quasi government",
"pentagon"
],
"references": [
"http://www.crazyfrost.com/wp-content/uploads/2011/01/%D0%BA%D0%BE%D0%BB%D0%BB%D0%B0%D0%B68.jpg\t URL",
"http://frostsecurity.net/frost/driver/ \u2022 http://frostsecurity.net/frost/frostupdater/",
"https://tamlegal.com/attorneys/christopher-p-ahmann/",
"https://www.hallrender.com/attorney/brian-sabey/Accept",
"https://www.pornhub.com/gifs/search?search=tsara+lynn+brashears+lesbian",
"http://mypornvid.com/videos/27/x510fb2/white-dpt-jeffrey-reimer-loves-pretty-indian-patient-forces-sex-3gp-video-tsara-brashears/caillou-finger-family",
"http://vtwctr.org/explore/tsara-brashears-defeats-jeffrey-reimer/ phishing",
"http://alohatube.xyz/search/tsara-brashears No Expiration\t278\t URL http://alohatube.xyz/search/tsara-brashears/ No Expiration\t62\t URL http://amp.mypornvid.fun/videos/2/SLFGMWoQaCU/white-dpt-jeffrey-reimer-loves-pretty-indian-patient-forces-sex-3gp-video-tsara-brashears No Expiration\t49\t URL http://anybunny.tv/search/tsara-brashears-submission-on-august-27-via-manual.html&us No Expiration\t27\t URL http://browntubeporn.com/tsara-brashears.html No Expiration\t40\t URL http://flexporn.net/tsara-brashears.html",
"http://wapwon.live/category/tsara-brashears-assaulted-by-jeffrey-reimerAccept-Languauge phishing",
"https://www.anyxxxtube.net/search-porn/tsara-brashears/ phishing",
"http://advocate-smyslova.ru/tsara-brashears/",
"http://pixelrz.com/lists/keywords/tsara-brashears-jeffrey-reimer-porn/;0.48692189815948833",
"http://orangeporntube.net/tsara-brashears.html",
"http://onlyindianporn2.com/videos/tsara-brashears/",
"http://videolal.com/tsara-brashears-dead.html",
"http://siteinlink.d1.cnbd.net/search/tsara-brashears-dead/",
"http://www.music-forum.org/www-cixiu888-com-tsara-brashears.html",
"http://wapwon.live/category/tsara-brashears-assaulted-by-jeffrey-reimerAccept-Language",
"http://www.bukaporn.net/trend/tsara-brashears/ No Expiration\t41\t URL http://www.gdsl-pallemoebler.info/seach/tsara-brashears/",
"http://www.sexpornimages.com/tsara/tsara-lynn-brashears-porn/7x56y.html No Expiration\t41\t URL http://www.sweetheartvideo.com/tsara-brashears No Expiration\t81\t URL http://www.tryporn.net/seach/tsara-brashears/ No Expiration\t41\t URL http://www.tryporno.net/movies/tsara-brashears/ No Expiration\t42\t URL https://alohatube.xyz/search/tsara-brashears No Expiration\t211\t URL https://alohatube.xyz/search/tsara-brashears+ No Expiration\t51\t URL https://browntubeporn.com/tsara-brashearsAccept-Language No Expiratio",
"http://www.sexpornimages.com/tsara/tsara-lynn-brashears-porn/7x56y.html",
"https://browntubeporn.com/tsara-brashearsAccept-Language",
"http://www.tryporn.net/seach/tsara-brashears/",
"https://alohatube.xyz/search/tsara-brashearsL",
"http://onlyindianporn2.com/videos/tsara-brashears/",
"http://orangeporntube.net/tsara-brashears.html",
"https://www.dirtsearch.org/data/TSARA/BRASHEARS/",
"https://youjizz.sex/tsara-brashears.html",
"https://www.feestzalenvanvlaanderen.be/seach/tsara-brashears/",
"https://www.xvxx.me/search/tsara-brashears/",
"https://wallpapers-nature.com/tsara-brashears/tse1-mm-bing-net",
"https://www.sweetheartvideo.com/tsara-brashear",
"https://wallpapers-nature.com/tsara-brashears/urlscan-io",
"http://www.gdsl-pallemoebler.info/seach/tsara-brashears/",
"http://www.bukaporn.net/trend/tsara-brashears/",
"tsara-brashears-deadspin-twitter-suspended-account-help.ht",
"https://mom2fuck.mobi/tsara-brashears.html",
"http://vtwctr.org/explore/tsara- brashears-defeats-jeffrey-reimer/",
"http://www.anyxxxtube.net/search-porn/tsara-brashears",
"www.palantir.com \u2022 palantir.io \u2022 http://datafoundry.com/",
"http://watchhers.net/index.php \u2022 foundry2sdbl.dvr.dn2.n-helix.com",
"https://steam.exacg.cc/ \u2022 http://tesgm.ru/_ld/5/584_steam_apidll_Th.rar",
"Targeting Tsara Brasheras and associated",
"Targeting Candace Owens"
],
"public": 1,
"adversary": "",
"targeted_countries": [],
"malware_families": [
{
"id": "Ms Defender\tALF:HeraklezEval:Trojan:Win32/ClipBanker",
"display_name": "Ms Defender\tALF:HeraklezEval:Trojan:Win32/ClipBanker",
"target": null
},
{
"id": "Other Malware",
"display_name": "Other Malware",
"target": null
}
],
"attack_ids": [
{
"id": "T1119",
"name": "Automated Collection",
"display_name": "T1119 - Automated Collection"
},
{
"id": "T1027",
"name": "Obfuscated Files or Information",
"display_name": "T1027 - Obfuscated Files or Information"
},
{
"id": "T1057",
"name": "Process Discovery",
"display_name": "T1057 - Process Discovery"
},
{
"id": "T1069",
"name": "Permission Groups Discovery",
"display_name": "T1069 - Permission Groups Discovery"
},
{
"id": "T1071",
"name": "Application Layer Protocol",
"display_name": "T1071 - Application Layer Protocol"
},
{
"id": "T1105",
"name": "Ingress Tool Transfer",
"display_name": "T1105 - Ingress Tool Transfer"
},
{
"id": "T1480",
"name": "Execution Guardrails",
"display_name": "T1480 - Execution Guardrails"
},
{
"id": "T1553",
"name": "Subvert Trust Controls",
"display_name": "T1553 - Subvert Trust Controls"
},
{
"id": "T1457",
"name": "Malicious Media Content",
"display_name": "T1457 - Malicious Media Content"
},
{
"id": "T1071.004",
"name": "DNS",
"display_name": "T1071.004 - DNS"
},
{
"id": "T1116",
"name": "Code Signing",
"display_name": "T1116 - Code Signing"
},
{
"id": "T1036",
"name": "Masquerading",
"display_name": "T1036 - Masquerading"
},
{
"id": "T1036.004",
"name": "Masquerade Task or Service",
"display_name": "T1036.004 - Masquerade Task or Service"
},
{
"id": "T1043",
"name": "Commonly Used Port",
"display_name": "T1043 - Commonly Used Port"
},
{
"id": "T1051",
"name": "Shared Webroot",
"display_name": "T1051 - Shared Webroot"
},
{
"id": "T1053",
"name": "Scheduled Task/Job",
"display_name": "T1053 - Scheduled Task/Job"
},
{
"id": "T1055",
"name": "Process Injection",
"display_name": "T1055 - Process Injection"
},
{
"id": "T1056",
"name": "Input Capture",
"display_name": "T1056 - Input Capture"
},
{
"id": "T1060",
"name": "Registry Run Keys / Startup Folder",
"display_name": "T1060 - Registry Run Keys / Startup Folder"
},
{
"id": "T1068",
"name": "Exploitation for Privilege Escalation",
"display_name": "T1068 - Exploitation for Privilege Escalation"
},
{
"id": "T1080",
"name": "Taint Shared Content",
"display_name": "T1080 - Taint Shared Content"
},
{
"id": "T1082",
"name": "System Information Discovery",
"display_name": "T1082 - System Information Discovery"
},
{
"id": "T1085",
"name": "Rundll32",
"display_name": "T1085 - Rundll32"
},
{
"id": "T1114",
"name": "Email Collection",
"display_name": "T1114 - Email Collection"
},
{
"id": "T1123",
"name": "Audio Capture",
"display_name": "T1123 - Audio Capture"
},
{
"id": "T1125",
"name": "Video Capture",
"display_name": "T1125 - Video Capture"
},
{
"id": "T1129",
"name": "Shared Modules",
"display_name": "T1129 - Shared Modules"
},
{
"id": "T1140",
"name": "Deobfuscate/Decode Files or Information",
"display_name": "T1140 - Deobfuscate/Decode Files or Information"
},
{
"id": "T1143",
"name": "Hidden Window",
"display_name": "T1143 - Hidden Window"
},
{
"id": "T1155",
"name": "AppleScript",
"display_name": "T1155 - AppleScript"
},
{
"id": "T1179",
"name": "Hooking",
"display_name": "T1179 - Hooking"
},
{
"id": "T1190",
"name": "Exploit Public-Facing Application",
"display_name": "T1190 - Exploit Public-Facing Application"
},
{
"id": "T1210",
"name": "Exploitation of Remote Services",
"display_name": "T1210 - Exploitation of Remote Services"
},
{
"id": "T1449",
"name": "Exploit SS7 to Redirect Phone Calls/SMS",
"display_name": "T1449 - Exploit SS7 to Redirect Phone Calls/SMS"
},
{
"id": "T1472",
"name": "Generate Fraudulent Advertising Revenue",
"display_name": "T1472 - Generate Fraudulent Advertising Revenue"
},
{
"id": "T1506",
"name": "Web Session Cookie",
"display_name": "T1506 - Web Session Cookie"
},
{
"id": "T1512",
"name": "Capture Camera",
"display_name": "T1512 - Capture Camera"
},
{
"id": "T1566",
"name": "Phishing",
"display_name": "T1566 - Phishing"
},
{
"id": "T1583",
"name": "Acquire Infrastructure",
"display_name": "T1583 - Acquire Infrastructure"
},
{
"id": "T1586",
"name": "Compromise Accounts",
"display_name": "T1586 - Compromise Accounts"
},
{
"id": "T1598",
"name": "Phishing for Information",
"display_name": "T1598 - Phishing for Information"
}
],
"industries": [
"Government",
"Defense",
"Healthcare"
],
"TLP": "green",
"cloned_from": "692897a64c0e255409b5a67e",
"export_count": 4,
"upvotes_count": 0,
"downvotes_count": 0,
"votes_count": 0,
"locked": false,
"pulse_source": "web",
"validator_count": 0,
"comment_count": 0,
"follower_count": 0,
"vote": 0,
"author": {
"username": "Q.Vashti",
"id": "337942",
"avatar_url": "https://otx.alienvault.com/assets/images/default-avatar.png",
"is_subscribed": false,
"is_following": false
},
"indicator_type_counts": {
"URL": 3709,
"hostname": 1109,
"FileHash-SHA256": 2872,
"FileHash-MD5": 214,
"FileHash-SHA1": 203,
"domain": 557
},
"indicator_count": 8664,
"is_author": false,
"is_subscribing": null,
"subscriber_count": 140,
"modified_text": "102 days ago ",
"is_modified": false,
"groups": [],
"in_group": false,
"threat_hunter_scannable": true,
"threat_hunter_has_agents": 1,
"related_indicator_type": "URL",
"related_indicator_is_active": 1
},
{
"id": "695ea6590a50f71a156c9a7f",
"name": "Frost Security | Attorneys | Government | Crazy | Stop Tampering ",
"description": "",
"modified": "2026-01-07T18:30:49.442000",
"created": "2026-01-07T18:30:49.442000",
"tags": [
"active",
"type win32",
"exe size",
"first seen",
"malicious avg",
"win32",
"gdata",
"dynamicloader",
"fe ff",
"high",
"write c",
"data",
"x00bx00",
"uswv",
"write",
"redline",
"stream",
"guard",
"malware",
"push",
"local",
"crazyfrost",
"adversarial",
"hacker",
"extraction",
"enter sc",
"data upload",
"extre data",
"included iocs",
"url http",
"url https",
"include review",
"exclude sugges",
"frost security",
"windir",
"openurl c",
"prefetch2",
"analysis",
"tor analysis",
"dns requests",
"domain address",
"contacted hosts",
"ip address",
"process details",
"learn",
"ck id",
"name tactics",
"suspicious",
"informative",
"command",
"spawns",
"defense evasion",
"t1480 execution",
"signing defense",
"united",
"flag",
"contacted",
"http traffic",
"file defense",
"mitre att",
"ck techniques",
"evasion att",
"belize",
"div div",
"passive dns",
"link",
"ipv4 add",
"url analysis",
"urls",
"files",
"meta",
"ddos",
"indicators show",
"search",
"type indicator",
"role title",
"added active",
"related pulses",
"hostname",
"types",
"hosanna",
"x show",
"ck ids",
"t1060",
"run keys",
"startup",
"folder",
"t1036",
"capture",
"cookie",
"palantir",
"indicator role",
"active related",
"description",
"trump supporter",
"types of",
"germany",
"china",
"netherlands",
"https",
"notice",
"billions",
"stop",
"boobs130432 no",
"expiration",
"location poland",
"asn as29522",
"learn more",
"domain",
"foundry",
"hallrender",
"brian sabey",
"tam legal",
"christopher p ahmann",
"palantir",
"quasi government",
"pentagon"
],
"references": [
"http://www.crazyfrost.com/wp-content/uploads/2011/01/%D0%BA%D0%BE%D0%BB%D0%BB%D0%B0%D0%B68.jpg\t URL",
"http://frostsecurity.net/frost/driver/ \u2022 http://frostsecurity.net/frost/frostupdater/",
"https://tamlegal.com/attorneys/christopher-p-ahmann/",
"https://www.hallrender.com/attorney/brian-sabey/Accept",
"https://www.pornhub.com/gifs/search?search=tsara+lynn+brashears+lesbian",
"http://mypornvid.com/videos/27/x510fb2/white-dpt-jeffrey-reimer-loves-pretty-indian-patient-forces-sex-3gp-video-tsara-brashears/caillou-finger-family",
"http://vtwctr.org/explore/tsara-brashears-defeats-jeffrey-reimer/ phishing",
"http://alohatube.xyz/search/tsara-brashears No Expiration\t278\t URL http://alohatube.xyz/search/tsara-brashears/ No Expiration\t62\t URL http://amp.mypornvid.fun/videos/2/SLFGMWoQaCU/white-dpt-jeffrey-reimer-loves-pretty-indian-patient-forces-sex-3gp-video-tsara-brashears No Expiration\t49\t URL http://anybunny.tv/search/tsara-brashears-submission-on-august-27-via-manual.html&us No Expiration\t27\t URL http://browntubeporn.com/tsara-brashears.html No Expiration\t40\t URL http://flexporn.net/tsara-brashears.html",
"http://wapwon.live/category/tsara-brashears-assaulted-by-jeffrey-reimerAccept-Languauge phishing",
"https://www.anyxxxtube.net/search-porn/tsara-brashears/ phishing",
"http://advocate-smyslova.ru/tsara-brashears/",
"http://pixelrz.com/lists/keywords/tsara-brashears-jeffrey-reimer-porn/;0.48692189815948833",
"http://orangeporntube.net/tsara-brashears.html",
"http://onlyindianporn2.com/videos/tsara-brashears/",
"http://videolal.com/tsara-brashears-dead.html",
"http://siteinlink.d1.cnbd.net/search/tsara-brashears-dead/",
"http://www.music-forum.org/www-cixiu888-com-tsara-brashears.html",
"http://wapwon.live/category/tsara-brashears-assaulted-by-jeffrey-reimerAccept-Language",
"http://www.bukaporn.net/trend/tsara-brashears/ No Expiration\t41\t URL http://www.gdsl-pallemoebler.info/seach/tsara-brashears/",
"http://www.sexpornimages.com/tsara/tsara-lynn-brashears-porn/7x56y.html No Expiration\t41\t URL http://www.sweetheartvideo.com/tsara-brashears No Expiration\t81\t URL http://www.tryporn.net/seach/tsara-brashears/ No Expiration\t41\t URL http://www.tryporno.net/movies/tsara-brashears/ No Expiration\t42\t URL https://alohatube.xyz/search/tsara-brashears No Expiration\t211\t URL https://alohatube.xyz/search/tsara-brashears+ No Expiration\t51\t URL https://browntubeporn.com/tsara-brashearsAccept-Language No Expiratio",
"http://www.sexpornimages.com/tsara/tsara-lynn-brashears-porn/7x56y.html",
"https://browntubeporn.com/tsara-brashearsAccept-Language",
"http://www.tryporn.net/seach/tsara-brashears/",
"https://alohatube.xyz/search/tsara-brashearsL",
"http://onlyindianporn2.com/videos/tsara-brashears/",
"http://orangeporntube.net/tsara-brashears.html",
"https://www.dirtsearch.org/data/TSARA/BRASHEARS/",
"https://youjizz.sex/tsara-brashears.html",
"https://www.feestzalenvanvlaanderen.be/seach/tsara-brashears/",
"https://www.xvxx.me/search/tsara-brashears/",
"https://wallpapers-nature.com/tsara-brashears/tse1-mm-bing-net",
"https://www.sweetheartvideo.com/tsara-brashear",
"https://wallpapers-nature.com/tsara-brashears/urlscan-io",
"http://www.gdsl-pallemoebler.info/seach/tsara-brashears/",
"http://www.bukaporn.net/trend/tsara-brashears/",
"tsara-brashears-deadspin-twitter-suspended-account-help.ht",
"https://mom2fuck.mobi/tsara-brashears.html",
"http://vtwctr.org/explore/tsara- brashears-defeats-jeffrey-reimer/",
"http://www.anyxxxtube.net/search-porn/tsara-brashears",
"www.palantir.com \u2022 palantir.io \u2022 http://datafoundry.com/",
"http://watchhers.net/index.php \u2022 foundry2sdbl.dvr.dn2.n-helix.com",
"https://steam.exacg.cc/ \u2022 http://tesgm.ru/_ld/5/584_steam_apidll_Th.rar",
"Targeting Tsara Brasheras and associated",
"Targeting Candace Owens"
],
"public": 1,
"adversary": "",
"targeted_countries": [],
"malware_families": [
{
"id": "Ms Defender\tALF:HeraklezEval:Trojan:Win32/ClipBanker",
"display_name": "Ms Defender\tALF:HeraklezEval:Trojan:Win32/ClipBanker",
"target": null
},
{
"id": "Other Malware",
"display_name": "Other Malware",
"target": null
}
],
"attack_ids": [
{
"id": "T1119",
"name": "Automated Collection",
"display_name": "T1119 - Automated Collection"
},
{
"id": "T1027",
"name": "Obfuscated Files or Information",
"display_name": "T1027 - Obfuscated Files or Information"
},
{
"id": "T1057",
"name": "Process Discovery",
"display_name": "T1057 - Process Discovery"
},
{
"id": "T1069",
"name": "Permission Groups Discovery",
"display_name": "T1069 - Permission Groups Discovery"
},
{
"id": "T1071",
"name": "Application Layer Protocol",
"display_name": "T1071 - Application Layer Protocol"
},
{
"id": "T1105",
"name": "Ingress Tool Transfer",
"display_name": "T1105 - Ingress Tool Transfer"
},
{
"id": "T1480",
"name": "Execution Guardrails",
"display_name": "T1480 - Execution Guardrails"
},
{
"id": "T1553",
"name": "Subvert Trust Controls",
"display_name": "T1553 - Subvert Trust Controls"
},
{
"id": "T1457",
"name": "Malicious Media Content",
"display_name": "T1457 - Malicious Media Content"
},
{
"id": "T1071.004",
"name": "DNS",
"display_name": "T1071.004 - DNS"
},
{
"id": "T1116",
"name": "Code Signing",
"display_name": "T1116 - Code Signing"
},
{
"id": "T1036",
"name": "Masquerading",
"display_name": "T1036 - Masquerading"
},
{
"id": "T1036.004",
"name": "Masquerade Task or Service",
"display_name": "T1036.004 - Masquerade Task or Service"
},
{
"id": "T1043",
"name": "Commonly Used Port",
"display_name": "T1043 - Commonly Used Port"
},
{
"id": "T1051",
"name": "Shared Webroot",
"display_name": "T1051 - Shared Webroot"
},
{
"id": "T1053",
"name": "Scheduled Task/Job",
"display_name": "T1053 - Scheduled Task/Job"
},
{
"id": "T1055",
"name": "Process Injection",
"display_name": "T1055 - Process Injection"
},
{
"id": "T1056",
"name": "Input Capture",
"display_name": "T1056 - Input Capture"
},
{
"id": "T1060",
"name": "Registry Run Keys / Startup Folder",
"display_name": "T1060 - Registry Run Keys / Startup Folder"
},
{
"id": "T1068",
"name": "Exploitation for Privilege Escalation",
"display_name": "T1068 - Exploitation for Privilege Escalation"
},
{
"id": "T1080",
"name": "Taint Shared Content",
"display_name": "T1080 - Taint Shared Content"
},
{
"id": "T1082",
"name": "System Information Discovery",
"display_name": "T1082 - System Information Discovery"
},
{
"id": "T1085",
"name": "Rundll32",
"display_name": "T1085 - Rundll32"
},
{
"id": "T1114",
"name": "Email Collection",
"display_name": "T1114 - Email Collection"
},
{
"id": "T1123",
"name": "Audio Capture",
"display_name": "T1123 - Audio Capture"
},
{
"id": "T1125",
"name": "Video Capture",
"display_name": "T1125 - Video Capture"
},
{
"id": "T1129",
"name": "Shared Modules",
"display_name": "T1129 - Shared Modules"
},
{
"id": "T1140",
"name": "Deobfuscate/Decode Files or Information",
"display_name": "T1140 - Deobfuscate/Decode Files or Information"
},
{
"id": "T1143",
"name": "Hidden Window",
"display_name": "T1143 - Hidden Window"
},
{
"id": "T1155",
"name": "AppleScript",
"display_name": "T1155 - AppleScript"
},
{
"id": "T1179",
"name": "Hooking",
"display_name": "T1179 - Hooking"
},
{
"id": "T1190",
"name": "Exploit Public-Facing Application",
"display_name": "T1190 - Exploit Public-Facing Application"
},
{
"id": "T1210",
"name": "Exploitation of Remote Services",
"display_name": "T1210 - Exploitation of Remote Services"
},
{
"id": "T1449",
"name": "Exploit SS7 to Redirect Phone Calls/SMS",
"display_name": "T1449 - Exploit SS7 to Redirect Phone Calls/SMS"
},
{
"id": "T1472",
"name": "Generate Fraudulent Advertising Revenue",
"display_name": "T1472 - Generate Fraudulent Advertising Revenue"
},
{
"id": "T1506",
"name": "Web Session Cookie",
"display_name": "T1506 - Web Session Cookie"
},
{
"id": "T1512",
"name": "Capture Camera",
"display_name": "T1512 - Capture Camera"
},
{
"id": "T1566",
"name": "Phishing",
"display_name": "T1566 - Phishing"
},
{
"id": "T1583",
"name": "Acquire Infrastructure",
"display_name": "T1583 - Acquire Infrastructure"
},
{
"id": "T1586",
"name": "Compromise Accounts",
"display_name": "T1586 - Compromise Accounts"
},
{
"id": "T1598",
"name": "Phishing for Information",
"display_name": "T1598 - Phishing for Information"
}
],
"industries": [
"Government",
"Defense",
"Healthcare"
],
"TLP": "green",
"cloned_from": "692897a64c0e255409b5a67e",
"export_count": 2,
"upvotes_count": 0,
"downvotes_count": 0,
"votes_count": 0,
"locked": false,
"pulse_source": "web",
"validator_count": 0,
"comment_count": 0,
"follower_count": 0,
"vote": 0,
"author": {
"username": "Q.Vashti",
"id": "337942",
"avatar_url": "https://otx.alienvault.com/assets/images/default-avatar.png",
"is_subscribed": false,
"is_following": false
},
"indicator_type_counts": {
"URL": 3709,
"hostname": 1109,
"FileHash-SHA256": 2872,
"FileHash-MD5": 214,
"FileHash-SHA1": 203,
"domain": 557
},
"indicator_count": 8664,
"is_author": false,
"is_subscribing": null,
"subscriber_count": 138,
"modified_text": "102 days ago ",
"is_modified": false,
"groups": [],
"in_group": false,
"threat_hunter_scannable": true,
"threat_hunter_has_agents": 1,
"related_indicator_type": "URL",
"related_indicator_is_active": 1
},
{
"id": "68e2b14d83bb63502feac65e",
"name": "Did the \u2018real\u2019 DoD kill Targets wheelchair as promised? It\u2019s alive again.",
"description": "I\u2019d never think the DoD would be found when researching a wheelchair company NO ONE has ever heard of in this region. \n\nA wheelchair was ordered for target early spring, it was received in early summer. \n\nSettings became a crazy mess. Suspicion was immediate as a toothless tech tried to identify if dealing w/target by birth year , quizzing, fear tactics (doomsday wheelchair) , familiar Then warns about EMP attacks against wheelchair? His son is a hacker (gamer) + software engineer. He left not knowing if target status after quizzing tech knowledge? I intentionally verbalized the truth , target was a very early adopter of Ruby & Ruby on Rails & everything tech, he dropped his tools & left breaking the arm of wheelchair. New tech needed. Later denies ever being a mobility technician. They killed a new wheelchair. Why?. You\u2019re allowed to donate your equipment Vets & uninsured NEED mobility equipment. Stop the craziness. Is it possible gamer hackers are riding the DoD w/o their knowledge?",
"modified": "2026-01-07T00:00:30.717000",
"created": "2025-10-05T17:56:29.109000",
"tags": [
"gtmk5nxqc6",
"utc amazon",
"utc na",
"acceptencoding",
"gmt contenttype",
"connection",
"true pragma",
"gmt setcookie",
"httponly",
"gmt vary",
"nc000000 up",
"html document",
"unicode text",
"utf8 text",
"oc0006 http",
"http traffic",
"https http",
"mitre att",
"control ta0011",
"protocol t1071",
"match info",
"t1573 severity",
"info",
"number",
"ja3s",
"algorithm",
"azure rsa",
"tls issuing",
"cus subject",
"stwa lredmond",
"cnmicrosoft ecc",
"update secure",
"server ca",
"omicrosoft cus",
"get http",
"dns resolutions",
"registrar",
"markmonitor inc",
"country",
"resolver domain",
"type name",
"html",
"apnic",
"apnic whois",
"please",
"rirs",
"cidr",
"learn",
"ck id",
"name tactics",
"suspicious",
"informative",
"command",
"adversaries",
"development att",
"name tactics",
"binary file",
"ck matrix",
"wheelchair",
"iamrobert",
"pattern match",
"ascii text",
"href",
"united",
"general",
"local",
"path",
"encrypt",
"click",
"passive dns",
"urls",
"files",
"reverse dns",
"netherlands",
"present aug",
"a domains",
"moved",
"first pqc",
"ip address",
"unknown ns",
"unknown aaaa",
"title",
"body",
"meta",
"window",
"accept",
"body doctype",
"welcome",
"ok server",
"gmt content",
"present jul",
"present sep",
"aaaa",
"hostname",
"error",
"defense evasion",
"windows nt",
"response",
"vary",
"strings",
"core",
"t1027.013 encrypted/encoded",
"michelin lazy k",
"prefetch8",
"flag",
"date",
"starfield",
"hybrid",
"mobility cr",
"extraction",
"data upload",
"include",
"o url",
"url url",
"included i0",
"review ioc",
"excluded ic",
"suggested",
"find sugi",
"failed",
"cre pul",
"enter",
"enter sc",
"type",
"enric",
"extra",
"type opaste",
"data u",
"included",
"copy md5",
"copy sha1",
"copy sha256",
"null",
"refresh",
"tools",
"look",
"verify",
"restart",
"t1480 execution",
"expiration",
"url https",
"no expiration",
"iocs",
"ipv4",
"text drag",
"drop or",
"browse to",
"select file",
"redacted for",
"server",
"privacy tech",
"privacy admin",
"postal code",
"stateprovince",
"organization",
"email",
"code",
"quantum rooms",
"sam somalia",
"emp",
"porn",
"media defense",
"gov porn",
"suck my nips",
"reimer suspect",
"jeffrey reimer",
"dod",
"department of defense",
"show",
"date checked",
"url hostname",
"server response",
"google safe",
"results may",
"entries http",
"scans record",
"value status",
"sabey type",
"merits fake",
"y.a.s.",
"pornography",
"ramsom"
],
"references": [
"https://www.meritshealth.com/ Defense.Gov Mobility Co? ",
"zeroeyes.host \u2022 media.defense.gov \u2022 defense.gov \u2022 23.222.155.67",
"https://media.defense.gov/2022/Mar/17/2002958406/-1/-1/1/SUMMARY-OF-THE-JOINT-ALL-DOMAIN-COMMAND-AND-CONTROL-STRATEGY.pdf",
"https://media.defense.gov/2020/jun/09/2002313081/-1/-1/0/csi-detect-and-prevent-web-shell-malware-20200422.pdf",
"https://rto.bappam.eu/ai-n2cdl/mirai-2025-ven5k-telugu-movie-watch-online.html",
"https://pornokind.vgt.pl \u2022 https://cdn2.video.itsyourporn.com",
"https://webcams.itsyourporn.com/ \u2022 https://members.itsyourporn.com/",
"https://pics-storage-1.pornhat.com/contents/albums/main/1920x1080/135000/135855/9537375.jp",
"https://static.pornhat.com/contents/videos_screenshots/642000/642793/640x360/1.jpg",
"https://d1rozh26tys225.cloudfront.net/robot-suspicion.svg (mobility company no one has heard of)",
"https://www2.itsyourporn.com/license.php \u2022 https://www.lovephoto.tw/members",
"https://members.engine.com/login \u2022 https://members.engine.com/payment-details/220210",
"https://www-pornocarioca-com.sexogratis.page/videos/bbb/ex",
"https://media.defense.gov/2024/sep/18/2003547016/-1/-1/0/csa-prc-linked-actors-botnet.pdf",
"https://maisexo-com.putaria.info/casting \u2022 https://contosadultos-club.sexogratis.page/tudo",
"https://meumundogay-com.sexogratis.page/locker",
"https://es.pornhat.com/models/the-sex-creator/",
"Dear US Government, the man who assaulted targets name is Jeffrey Scott Reimer of Chester Springs, PA",
"Can the DoD no questions asked target a SA victim",
"Red Team Abuse? Starfield ? DoD? You need a real criminal Jeffrey Reimer.",
"There\u2019s a problem with terrorizing victims, relatives of, associates of and stealing their property intellectual or otherwise",
"socialmedia \u2022 socialmedia.defense.gov \u2022 static.defense.gov",
"There is fear in silence or speaking out",
"Target left unattended by anyone in a hospital except a security guard. Hospital refused care. Ignored rare brain incident from high cervical & brain assault injuries aggravated by car accident.",
"3-4 Police presence. 25 + hospital employees prepped radiology room. No one left room so was it for her?",
"If someone is believed to be a threat they have right to due process.",
"Infectious Disease UC Health denied target medication they said she needed as questionable liquid seeped into her brain.",
"She was a researcher not a hacker. A mother not a criminal. Most talented and least impressed person I have ever known.",
"Remarks online \u2018 T\u2019*#^^ is not a runner\u2019 a size 00 broke two track records at a major universities.",
"Honestly, you\u2019ve never seen or met her no many how many people you\u2019ve sent out. That\u2019s why you quiz.",
"ftp.iamrobert.com ? \u2022 https://www.meritshealth.com/templates/iamrobert/fonts/Graphik-Regular.eot",
"iamrobert.com Y.A.S.",
"1.2016 M.Brian Sabey filed a complaint about? Jeffrey Reimer refused Lie detector test and False memory exam",
"Target agreed and complied with all lie detector measures.",
"Is the family allowed to have a funeral for Tsara or print an obituary",
"No, they put Tsara in her mom\u2019s obituary, she couldn\u2019t grieve, she had to take it down.",
"I am very upset. Whoever is doing this is sick."
],
"public": 1,
"adversary": "",
"targeted_countries": [
"United States of America"
],
"malware_families": [
{
"id": "APNIC",
"display_name": "APNIC",
"target": null
},
{
"id": "Malware",
"display_name": "Malware",
"target": null
}
],
"attack_ids": [
{
"id": "T1071",
"name": "Application Layer Protocol",
"display_name": "T1071 - Application Layer Protocol"
},
{
"id": "T1573",
"name": "Encrypted Channel",
"display_name": "T1573 - Encrypted Channel"
},
{
"id": "T1027",
"name": "Obfuscated Files or Information",
"display_name": "T1027 - Obfuscated Files or Information"
},
{
"id": "T1057",
"name": "Process Discovery",
"display_name": "T1057 - Process Discovery"
},
{
"id": "T1069",
"name": "Permission Groups Discovery",
"display_name": "T1069 - Permission Groups Discovery"
},
{
"id": "T1105",
"name": "Ingress Tool Transfer",
"display_name": "T1105 - Ingress Tool Transfer"
},
{
"id": "T1480",
"name": "Execution Guardrails",
"display_name": "T1480 - Execution Guardrails"
},
{
"id": "T1553",
"name": "Subvert Trust Controls",
"display_name": "T1553 - Subvert Trust Controls"
},
{
"id": "T1566",
"name": "Phishing",
"display_name": "T1566 - Phishing"
},
{
"id": "T1568",
"name": "Dynamic Resolution",
"display_name": "T1568 - Dynamic Resolution"
},
{
"id": "T1583",
"name": "Acquire Infrastructure",
"display_name": "T1583 - Acquire Infrastructure"
},
{
"id": "T1069.002",
"name": "Domain Groups",
"display_name": "T1069.002 - Domain Groups"
},
{
"id": "T1071.001",
"name": "Web Protocols",
"display_name": "T1071.001 - Web Protocols"
},
{
"id": "T1583.001",
"name": "Domains",
"display_name": "T1583.001 - Domains"
},
{
"id": "TA0042",
"name": "Resource Development",
"display_name": "TA0042 - Resource Development"
},
{
"id": "TA0005",
"name": "Defense Evasion",
"display_name": "TA0005 - Defense Evasion"
},
{
"id": "T1553.002",
"name": "Code Signing",
"display_name": "T1553.002 - Code Signing"
},
{
"id": "T1528",
"name": "Steal Application Access Token",
"display_name": "T1528 - Steal Application Access Token"
},
{
"id": "T1071.004",
"name": "DNS",
"display_name": "T1071.004 - DNS"
},
{
"id": "T1113",
"name": "Screen Capture",
"display_name": "T1113 - Screen Capture"
},
{
"id": "T1590",
"name": "Gather Victim Network Information",
"display_name": "T1590 - Gather Victim Network Information"
},
{
"id": "T1591",
"name": "Gather Victim Org Information",
"display_name": "T1591 - Gather Victim Org Information"
},
{
"id": "T1132",
"name": "Data Encoding",
"display_name": "T1132 - Data Encoding"
},
{
"id": "T1140",
"name": "Deobfuscate/Decode Files or Information",
"display_name": "T1140 - Deobfuscate/Decode Files or Information"
},
{
"id": "T1562",
"name": "Impair Defenses",
"display_name": "T1562 - Impair Defenses"
},
{
"id": "T1457",
"name": "Malicious Media Content",
"display_name": "T1457 - Malicious Media Content"
},
{
"id": "T1562.001",
"name": "Disable or Modify Tools",
"display_name": "T1562.001 - Disable or Modify Tools"
},
{
"id": "T1562.004",
"name": "Disable or Modify System Firewall",
"display_name": "T1562.004 - Disable or Modify System Firewall"
},
{
"id": "T1089",
"name": "Disabling Security Tools",
"display_name": "T1089 - Disabling Security Tools"
},
{
"id": "T1562.008",
"name": "Disable Cloud Logs",
"display_name": "T1562.008 - Disable Cloud Logs"
},
{
"id": "T1125",
"name": "Video Capture",
"display_name": "T1125 - Video Capture"
},
{
"id": "T1056.003",
"name": "Web Portal Capture",
"display_name": "T1056.003 - Web Portal Capture"
},
{
"id": "T1512",
"name": "Capture Camera",
"display_name": "T1512 - Capture Camera"
},
{
"id": "T1180",
"name": "Screensaver",
"display_name": "T1180 - Screensaver"
}
],
"industries": [],
"TLP": "white",
"cloned_from": null,
"export_count": 11,
"upvotes_count": 0,
"downvotes_count": 0,
"votes_count": 0,
"locked": false,
"pulse_source": "web",
"validator_count": 0,
"comment_count": 1,
"follower_count": 0,
"vote": 0,
"author": {
"username": "Q.Vashti",
"id": "337942",
"avatar_url": "https://otx.alienvault.com/assets/images/default-avatar.png",
"is_subscribed": false,
"is_following": false
},
"indicator_type_counts": {
"domain": 1328,
"URL": 9931,
"hostname": 2621,
"FileHash-MD5": 381,
"FileHash-SHA256": 4360,
"FileHash-SHA1": 338,
"CIDR": 4,
"SSLCertFingerprint": 24,
"CVE": 1,
"email": 1
},
"indicator_count": 18989,
"is_author": false,
"is_subscribing": null,
"subscriber_count": 139,
"modified_text": "102 days ago ",
"is_modified": true,
"groups": [],
"in_group": false,
"threat_hunter_scannable": true,
"threat_hunter_has_agents": 1,
"related_indicator_type": "URL",
"related_indicator_is_active": 1
},
{
"id": "692897a64c0e255409b5a67e",
"name": "Frost Security | Attorneys | Government | Crazy",
"description": "Dangerous. Being abused by the usual quasi government suspects. Affecting many targets including Candace Owens. Who can you turn to when your own government is 100% corrupt. \n\nCall me crazy. Idk. DJT was likely shot with a High Velocity Paint Ball. Why isn\u2019t anyone interviewing the families of the 3 \u2018allegedly\u2019 successfully assassinated. \n\nIs Charlie Kirk Dead or in hiding, an alien that doesn\u2019t bleed? \n\nLook it up. High Velocity Paint Ball is a very intensely underrated, nharsky spoken about sport enjoyed by gun enthusiast , snipers , military, civilians. Something weird is going on and it\u2019s actually obvious because they just want results.\n There\u2019s more disturbing things to come. I think more people are being taken out this way than we know.\nBy now I\u2019m under too much surveillance to just leave out casually. \nTerrifying for sure. I know Hos of the Bible is bigger.",
"modified": "2025-12-27T17:01:06.155000",
"created": "2025-11-27T18:25:42.570000",
"tags": [
"active",
"type win32",
"exe size",
"first seen",
"malicious avg",
"win32",
"gdata",
"dynamicloader",
"fe ff",
"high",
"write c",
"data",
"x00bx00",
"uswv",
"write",
"redline",
"stream",
"guard",
"malware",
"push",
"local",
"crazyfrost",
"adversarial",
"hacker",
"extraction",
"enter sc",
"data upload",
"extre data",
"included iocs",
"url http",
"url https",
"include review",
"exclude sugges",
"frost security",
"windir",
"openurl c",
"prefetch2",
"analysis",
"tor analysis",
"dns requests",
"domain address",
"contacted hosts",
"ip address",
"process details",
"learn",
"ck id",
"name tactics",
"suspicious",
"informative",
"command",
"spawns",
"defense evasion",
"t1480 execution",
"signing defense",
"united",
"flag",
"contacted",
"http traffic",
"file defense",
"mitre att",
"ck techniques",
"evasion att",
"belize",
"div div",
"passive dns",
"link",
"ipv4 add",
"url analysis",
"urls",
"files",
"meta",
"ddos",
"indicators show",
"search",
"type indicator",
"role title",
"added active",
"related pulses",
"hostname",
"types",
"hosanna",
"x show",
"ck ids",
"t1060",
"run keys",
"startup",
"folder",
"t1036",
"capture",
"cookie",
"palantir",
"indicator role",
"active related",
"description",
"trump supporter",
"types of",
"germany",
"china",
"netherlands",
"https",
"notice",
"billions",
"stop",
"boobs130432 no",
"expiration",
"location poland",
"asn as29522",
"learn more",
"domain",
"foundry",
"hallrender",
"brian sabey",
"tam legal",
"christopher p ahmann",
"palantir",
"quasi government",
"pentagon"
],
"references": [
"http://www.crazyfrost.com/wp-content/uploads/2011/01/%D0%BA%D0%BE%D0%BB%D0%BB%D0%B0%D0%B68.jpg\t URL",
"http://frostsecurity.net/frost/driver/ \u2022 http://frostsecurity.net/frost/frostupdater/",
"https://tamlegal.com/attorneys/christopher-p-ahmann/",
"https://www.hallrender.com/attorney/brian-sabey/Accept",
"https://www.pornhub.com/gifs/search?search=tsara+lynn+brashears+lesbian",
"http://mypornvid.com/videos/27/x510fb2/white-dpt-jeffrey-reimer-loves-pretty-indian-patient-forces-sex-3gp-video-tsara-brashears/caillou-finger-family",
"http://vtwctr.org/explore/tsara-brashears-defeats-jeffrey-reimer/ phishing",
"http://alohatube.xyz/search/tsara-brashears No Expiration\t278\t URL http://alohatube.xyz/search/tsara-brashears/ No Expiration\t62\t URL http://amp.mypornvid.fun/videos/2/SLFGMWoQaCU/white-dpt-jeffrey-reimer-loves-pretty-indian-patient-forces-sex-3gp-video-tsara-brashears No Expiration\t49\t URL http://anybunny.tv/search/tsara-brashears-submission-on-august-27-via-manual.html&us No Expiration\t27\t URL http://browntubeporn.com/tsara-brashears.html No Expiration\t40\t URL http://flexporn.net/tsara-brashears.html",
"http://wapwon.live/category/tsara-brashears-assaulted-by-jeffrey-reimerAccept-Languauge phishing",
"https://www.anyxxxtube.net/search-porn/tsara-brashears/ phishing",
"http://advocate-smyslova.ru/tsara-brashears/",
"http://pixelrz.com/lists/keywords/tsara-brashears-jeffrey-reimer-porn/;0.48692189815948833",
"http://orangeporntube.net/tsara-brashears.html",
"http://onlyindianporn2.com/videos/tsara-brashears/",
"http://videolal.com/tsara-brashears-dead.html",
"http://siteinlink.d1.cnbd.net/search/tsara-brashears-dead/",
"http://www.music-forum.org/www-cixiu888-com-tsara-brashears.html",
"http://wapwon.live/category/tsara-brashears-assaulted-by-jeffrey-reimerAccept-Language",
"http://www.bukaporn.net/trend/tsara-brashears/ No Expiration\t41\t URL http://www.gdsl-pallemoebler.info/seach/tsara-brashears/",
"http://www.sexpornimages.com/tsara/tsara-lynn-brashears-porn/7x56y.html No Expiration\t41\t URL http://www.sweetheartvideo.com/tsara-brashears No Expiration\t81\t URL http://www.tryporn.net/seach/tsara-brashears/ No Expiration\t41\t URL http://www.tryporno.net/movies/tsara-brashears/ No Expiration\t42\t URL https://alohatube.xyz/search/tsara-brashears No Expiration\t211\t URL https://alohatube.xyz/search/tsara-brashears+ No Expiration\t51\t URL https://browntubeporn.com/tsara-brashearsAccept-Language No Expiratio",
"http://www.sexpornimages.com/tsara/tsara-lynn-brashears-porn/7x56y.html",
"https://browntubeporn.com/tsara-brashearsAccept-Language",
"http://www.tryporn.net/seach/tsara-brashears/",
"https://alohatube.xyz/search/tsara-brashearsL",
"http://onlyindianporn2.com/videos/tsara-brashears/",
"http://orangeporntube.net/tsara-brashears.html",
"https://www.dirtsearch.org/data/TSARA/BRASHEARS/",
"https://youjizz.sex/tsara-brashears.html",
"https://www.feestzalenvanvlaanderen.be/seach/tsara-brashears/",
"https://www.xvxx.me/search/tsara-brashears/",
"https://wallpapers-nature.com/tsara-brashears/tse1-mm-bing-net",
"https://www.sweetheartvideo.com/tsara-brashear",
"https://wallpapers-nature.com/tsara-brashears/urlscan-io",
"http://www.gdsl-pallemoebler.info/seach/tsara-brashears/",
"http://www.bukaporn.net/trend/tsara-brashears/",
"tsara-brashears-deadspin-twitter-suspended-account-help.ht",
"https://mom2fuck.mobi/tsara-brashears.html",
"http://vtwctr.org/explore/tsara- brashears-defeats-jeffrey-reimer/",
"http://www.anyxxxtube.net/search-porn/tsara-brashears",
"www.palantir.com \u2022 palantir.io \u2022 http://datafoundry.com/",
"http://watchhers.net/index.php \u2022 foundry2sdbl.dvr.dn2.n-helix.com",
"https://steam.exacg.cc/ \u2022 http://tesgm.ru/_ld/5/584_steam_apidll_Th.rar",
"Targeting Tsara Brasheras and associated",
"Targeting Candace Owens"
],
"public": 1,
"adversary": "",
"targeted_countries": [],
"malware_families": [
{
"id": "Ms Defender\tALF:HeraklezEval:Trojan:Win32/ClipBanker",
"display_name": "Ms Defender\tALF:HeraklezEval:Trojan:Win32/ClipBanker",
"target": null
},
{
"id": "Other Malware",
"display_name": "Other Malware",
"target": null
}
],
"attack_ids": [
{
"id": "T1119",
"name": "Automated Collection",
"display_name": "T1119 - Automated Collection"
},
{
"id": "T1027",
"name": "Obfuscated Files or Information",
"display_name": "T1027 - Obfuscated Files or Information"
},
{
"id": "T1057",
"name": "Process Discovery",
"display_name": "T1057 - Process Discovery"
},
{
"id": "T1069",
"name": "Permission Groups Discovery",
"display_name": "T1069 - Permission Groups Discovery"
},
{
"id": "T1071",
"name": "Application Layer Protocol",
"display_name": "T1071 - Application Layer Protocol"
},
{
"id": "T1105",
"name": "Ingress Tool Transfer",
"display_name": "T1105 - Ingress Tool Transfer"
},
{
"id": "T1480",
"name": "Execution Guardrails",
"display_name": "T1480 - Execution Guardrails"
},
{
"id": "T1553",
"name": "Subvert Trust Controls",
"display_name": "T1553 - Subvert Trust Controls"
},
{
"id": "T1457",
"name": "Malicious Media Content",
"display_name": "T1457 - Malicious Media Content"
},
{
"id": "T1071.004",
"name": "DNS",
"display_name": "T1071.004 - DNS"
},
{
"id": "T1116",
"name": "Code Signing",
"display_name": "T1116 - Code Signing"
},
{
"id": "T1036",
"name": "Masquerading",
"display_name": "T1036 - Masquerading"
},
{
"id": "T1036.004",
"name": "Masquerade Task or Service",
"display_name": "T1036.004 - Masquerade Task or Service"
},
{
"id": "T1043",
"name": "Commonly Used Port",
"display_name": "T1043 - Commonly Used Port"
},
{
"id": "T1051",
"name": "Shared Webroot",
"display_name": "T1051 - Shared Webroot"
},
{
"id": "T1053",
"name": "Scheduled Task/Job",
"display_name": "T1053 - Scheduled Task/Job"
},
{
"id": "T1055",
"name": "Process Injection",
"display_name": "T1055 - Process Injection"
},
{
"id": "T1056",
"name": "Input Capture",
"display_name": "T1056 - Input Capture"
},
{
"id": "T1060",
"name": "Registry Run Keys / Startup Folder",
"display_name": "T1060 - Registry Run Keys / Startup Folder"
},
{
"id": "T1068",
"name": "Exploitation for Privilege Escalation",
"display_name": "T1068 - Exploitation for Privilege Escalation"
},
{
"id": "T1080",
"name": "Taint Shared Content",
"display_name": "T1080 - Taint Shared Content"
},
{
"id": "T1082",
"name": "System Information Discovery",
"display_name": "T1082 - System Information Discovery"
},
{
"id": "T1085",
"name": "Rundll32",
"display_name": "T1085 - Rundll32"
},
{
"id": "T1114",
"name": "Email Collection",
"display_name": "T1114 - Email Collection"
},
{
"id": "T1123",
"name": "Audio Capture",
"display_name": "T1123 - Audio Capture"
},
{
"id": "T1125",
"name": "Video Capture",
"display_name": "T1125 - Video Capture"
},
{
"id": "T1129",
"name": "Shared Modules",
"display_name": "T1129 - Shared Modules"
},
{
"id": "T1140",
"name": "Deobfuscate/Decode Files or Information",
"display_name": "T1140 - Deobfuscate/Decode Files or Information"
},
{
"id": "T1143",
"name": "Hidden Window",
"display_name": "T1143 - Hidden Window"
},
{
"id": "T1155",
"name": "AppleScript",
"display_name": "T1155 - AppleScript"
},
{
"id": "T1179",
"name": "Hooking",
"display_name": "T1179 - Hooking"
},
{
"id": "T1190",
"name": "Exploit Public-Facing Application",
"display_name": "T1190 - Exploit Public-Facing Application"
},
{
"id": "T1210",
"name": "Exploitation of Remote Services",
"display_name": "T1210 - Exploitation of Remote Services"
},
{
"id": "T1449",
"name": "Exploit SS7 to Redirect Phone Calls/SMS",
"display_name": "T1449 - Exploit SS7 to Redirect Phone Calls/SMS"
},
{
"id": "T1472",
"name": "Generate Fraudulent Advertising Revenue",
"display_name": "T1472 - Generate Fraudulent Advertising Revenue"
},
{
"id": "T1506",
"name": "Web Session Cookie",
"display_name": "T1506 - Web Session Cookie"
},
{
"id": "T1512",
"name": "Capture Camera",
"display_name": "T1512 - Capture Camera"
},
{
"id": "T1566",
"name": "Phishing",
"display_name": "T1566 - Phishing"
},
{
"id": "T1583",
"name": "Acquire Infrastructure",
"display_name": "T1583 - Acquire Infrastructure"
},
{
"id": "T1586",
"name": "Compromise Accounts",
"display_name": "T1586 - Compromise Accounts"
},
{
"id": "T1598",
"name": "Phishing for Information",
"display_name": "T1598 - Phishing for Information"
}
],
"industries": [
"Government",
"Defense",
"Healthcare"
],
"TLP": "green",
"cloned_from": null,
"export_count": 10,
"upvotes_count": 0,
"downvotes_count": 0,
"votes_count": 0,
"locked": false,
"pulse_source": "web",
"validator_count": 0,
"comment_count": 0,
"follower_count": 0,
"vote": 0,
"author": {
"username": "Q.Vashti",
"id": "337942",
"avatar_url": "https://otx.alienvault.com/assets/images/default-avatar.png",
"is_subscribed": false,
"is_following": false
},
"indicator_type_counts": {
"URL": 3709,
"hostname": 1109,
"FileHash-SHA256": 2872,
"FileHash-MD5": 214,
"FileHash-SHA1": 203,
"domain": 557
},
"indicator_count": 8664,
"is_author": false,
"is_subscribing": null,
"subscriber_count": 139,
"modified_text": "113 days ago ",
"is_modified": true,
"groups": [],
"in_group": false,
"threat_hunter_scannable": true,
"threat_hunter_has_agents": 1,
"related_indicator_type": "URL",
"related_indicator_is_active": 1
},
{
"id": "68ff6bf46f5d8662048ca7a1",
"name": "symcd.com \u2022 Netify.ai",
"description": "Seen in multiple attacks including CrowdStrike\nincident that was truly a breach found and reported prior to outage. SYCMD..com\nis consistently removed / deleted from pulses.\n\nI have nothing to say. OTX will pulse this let\u2019s see if anything happens..\n#rootkit? #ai #netify #malware #running_webserver #ottowa #elf #agent #malware #known #network_icmp #nolookup_communication\nantivm_generic_disk #dead host\n#dumped_buffer\n#network_cnc_http\n#network_http\n#allocates_rwx\n#av_detect_china_key #m\n[ELF:Agent-VW\\ [Trj]]\nIDS Detections :\n*GoBrut Service Bruter CnC Activity \n*GoBrut Service Bruter CnC Checkin \n*Generic.Go.Bruteforcer CnC Beacon\neval String.fromCharCode String Which May Be #malicious\nYara Detections:\ncompromised_site_redirector_fromcharcode\nfromCharCode | Yara Detections:\nKnownMaliciousObfuscationPattern\n[External IP Address Lookup via api .ip138 .com]\n[Win.Malware.Softcnapp-6932830-0]\nMultiple malware attack.",
"modified": "2025-11-26T12:00:39.551000",
"created": "2025-10-27T12:56:20.090000",
"tags": [
"present may",
"present jun",
"name servers",
"united",
"status",
"present aug",
"present oct",
"present jul",
"present mar",
"present nov",
"date",
"digicert",
"whois",
"forums",
"symantec",
"comcast",
"levelblue",
"open threat",
"pulse",
"urls",
"as13335",
"info",
"server",
"domain status",
"registrar abuse",
"registrar",
"dnssec",
"domain name",
"us registrant",
"email",
"contact email",
"host name",
"handle",
"rdap database",
"iana registrar",
"present sep",
"canada unknown",
"moved",
"ip address",
"search",
"title",
"encrypt",
"ubuntu",
"linux x8664",
"gobrut service",
"bruter cnc",
"entries",
"show",
"activity",
"stca",
"unknown",
"malware",
"copy",
"next",
"team",
"script urls",
"a domains",
"passive dns",
"gmt server",
"content type",
"body",
"meta",
"for privacy",
"creation date",
"name redacted",
"expiration date",
"servers",
"hostname add",
"pulse pulses",
"13371",
"qq v",
"process32nextw",
"regopenkeyexw",
"medium",
"langchinese",
"get na",
"rticon",
"security",
"high",
"win32",
"write",
"dynamicloader",
"checks",
"alerts",
"bios",
"dynamic",
"total",
"read",
"delete",
"name strings",
"south korea"
],
"references": [],
"public": 1,
"adversary": "",
"targeted_countries": [
"United States of America",
"Australia",
"Canada",
"Bulgaria",
"Germany",
"Netherlands"
],
"malware_families": [],
"attack_ids": [
{
"id": "T1045",
"name": "Software Packing",
"display_name": "T1045 - Software Packing"
},
{
"id": "T1057",
"name": "Process Discovery",
"display_name": "T1057 - Process Discovery"
},
{
"id": "T1060",
"name": "Registry Run Keys / Startup Folder",
"display_name": "T1060 - Registry Run Keys / Startup Folder"
},
{
"id": "T1063",
"name": "Security Software Discovery",
"display_name": "T1063 - Security Software Discovery"
},
{
"id": "T1119",
"name": "Automated Collection",
"display_name": "T1119 - Automated Collection"
}
],
"industries": [],
"TLP": "green",
"cloned_from": null,
"export_count": 3,
"upvotes_count": 0,
"downvotes_count": 0,
"votes_count": 0,
"locked": false,
"pulse_source": "web",
"validator_count": 0,
"comment_count": 0,
"follower_count": 0,
"vote": 0,
"author": {
"username": "Q.Vashti",
"id": "337942",
"avatar_url": "https://otx.alienvault.com/assets/images/default-avatar.png",
"is_subscribed": false,
"is_following": false
},
"indicator_type_counts": {
"URL": 3301,
"email": 9,
"hostname": 1202,
"FileHash-SHA256": 1967,
"domain": 1885,
"FileHash-MD5": 153,
"FileHash-SHA1": 151,
"CVE": 1,
"SSLCertFingerprint": 82,
"FilePath": 1
},
"indicator_count": 8752,
"is_author": false,
"is_subscribing": null,
"subscriber_count": 140,
"modified_text": "144 days ago ",
"is_modified": true,
"groups": [],
"in_group": false,
"threat_hunter_scannable": true,
"threat_hunter_has_agents": 1,
"related_indicator_type": "URL",
"related_indicator_is_active": 1
},
{
"id": "68e2b9fd811ffc6684ba25f7",
"name": "Isolated DoD now DoW nodes - emotional commentary",
"description": "*https://www.sentient.industries/\n*trk.b.jackrogersusa.com\n*http://trk.southerntide.com/\nOTX is auto populating this pulse. Let\u2019s see\u2026",
"modified": "2025-11-04T18:01:18.650000",
"created": "2025-10-05T18:33:33.277000",
"tags": [
"united",
"present feb",
"present may",
"aaaa",
"present jul",
"passive dns",
"ip address",
"present dec",
"present sep",
"present jun",
"url https",
"url http",
"type indicator",
"role title",
"added active",
"related pulses",
"germany",
"taiwan",
"netherlands",
"china",
"search",
"copy md5",
"copy sha1",
"copy sha256",
"sha256",
"sha1",
"ascii text",
"size",
"pattern match",
"mitre att",
"ck id",
"null",
"refresh",
"body",
"span",
"hybrid",
"general",
"local",
"path",
"click",
"strings",
"error",
"tools",
"title",
"look",
"verify",
"restart",
"filehashmd5",
"hostname",
"filehashsha256",
"types of",
"indicator role",
"title added",
"active related",
"pulses url",
"ruby",
"jeffrey reimer",
"target",
"tsara",
"information",
"capture",
"gather victim",
"report spam",
"kill targets",
"created",
"starfield",
"show technique",
"date"
],
"references": [],
"public": 1,
"adversary": "",
"targeted_countries": [],
"malware_families": [],
"attack_ids": [
{
"id": "T1027",
"name": "Obfuscated Files or Information",
"display_name": "T1027 - Obfuscated Files or Information"
},
{
"id": "T1057",
"name": "Process Discovery",
"display_name": "T1057 - Process Discovery"
},
{
"id": "T1069",
"name": "Permission Groups Discovery",
"display_name": "T1069 - Permission Groups Discovery"
},
{
"id": "T1071",
"name": "Application Layer Protocol",
"display_name": "T1071 - Application Layer Protocol"
},
{
"id": "T1105",
"name": "Ingress Tool Transfer",
"display_name": "T1105 - Ingress Tool Transfer"
},
{
"id": "T1480",
"name": "Execution Guardrails",
"display_name": "T1480 - Execution Guardrails"
},
{
"id": "T1113",
"name": "Screen Capture",
"display_name": "T1113 - Screen Capture"
},
{
"id": "T1056",
"name": "Input Capture",
"display_name": "T1056 - Input Capture"
},
{
"id": "T1089",
"name": "Disabling Security Tools",
"display_name": "T1089 - Disabling Security Tools"
},
{
"id": "T1125",
"name": "Video Capture",
"display_name": "T1125 - Video Capture"
},
{
"id": "T1132",
"name": "Data Encoding",
"display_name": "T1132 - Data Encoding"
},
{
"id": "T1140",
"name": "Deobfuscate/Decode Files or Information",
"display_name": "T1140 - Deobfuscate/Decode Files or Information"
},
{
"id": "T1180",
"name": "Screensaver",
"display_name": "T1180 - Screensaver"
},
{
"id": "T1457",
"name": "Malicious Media Content",
"display_name": "T1457 - Malicious Media Content"
},
{
"id": "T1512",
"name": "Capture Camera",
"display_name": "T1512 - Capture Camera"
},
{
"id": "T1528",
"name": "Steal Application Access Token",
"display_name": "T1528 - Steal Application Access Token"
},
{
"id": "T1553",
"name": "Subvert Trust Controls",
"display_name": "T1553 - Subvert Trust Controls"
},
{
"id": "T1562",
"name": "Impair Defenses",
"display_name": "T1562 - Impair Defenses"
},
{
"id": "T1566",
"name": "Phishing",
"display_name": "T1566 - Phishing"
},
{
"id": "T1568",
"name": "Dynamic Resolution",
"display_name": "T1568 - Dynamic Resolution"
},
{
"id": "T1573",
"name": "Encrypted Channel",
"display_name": "T1573 - Encrypted Channel"
},
{
"id": "T1583",
"name": "Acquire Infrastructure",
"display_name": "T1583 - Acquire Infrastructure"
},
{
"id": "T1590",
"name": "Gather Victim Network Information",
"display_name": "T1590 - Gather Victim Network Information"
},
{
"id": "T1591",
"name": "Gather Victim Org Information",
"display_name": "T1591 - Gather Victim Org Information"
}
],
"industries": [],
"TLP": "green",
"cloned_from": null,
"export_count": 0,
"upvotes_count": 0,
"downvotes_count": 0,
"votes_count": 0,
"locked": false,
"pulse_source": "web",
"validator_count": 0,
"comment_count": 0,
"follower_count": 0,
"vote": 0,
"author": {
"username": "Q.Vashti",
"id": "337942",
"avatar_url": "https://otx.alienvault.com/assets/images/default-avatar.png",
"is_subscribed": false,
"is_following": false
},
"indicator_type_counts": {
"FileHash-SHA256": 1333,
"domain": 355,
"URL": 5874,
"hostname": 1066,
"FileHash-SHA1": 101,
"FileHash-MD5": 88,
"SSLCertFingerprint": 2
},
"indicator_count": 8819,
"is_author": false,
"is_subscribing": null,
"subscriber_count": 138,
"modified_text": "166 days ago ",
"is_modified": true,
"groups": [],
"in_group": false,
"threat_hunter_scannable": true,
"threat_hunter_has_agents": 1,
"related_indicator_type": "URL",
"related_indicator_is_active": 1
},
{
"id": "68cb233ba91aa1eb958b3f31",
"name": "Home - RMHS | APT 10 \u2022 Andromeda \u2022 OneLouder",
"description": "I don\u2019t even know what to say. I\u2019ve received several complaints. This is 2nd time checking out technical issues that do exist. Operates as a Human Service entity for injured persons. OTX auto populated \u2018Golfing\u2019 as industry. \n\nDoes serve the severely disabled population. Does pay caregivers. Possibly a front page a FF link page, I have no idea",
"modified": "2025-10-17T19:03:15.031000",
"created": "2025-09-17T21:08:11.518000",
"tags": [
"script urls",
"meta",
"moved",
"x tec",
"passive dns",
"encrypt",
"america flag",
"san francisco",
"extraction",
"data upload",
"type indicatod",
"united states",
"a domains",
"united",
"gmt server",
"jose",
"university",
"bill",
"rmhs",
"information",
"board",
"lorin",
"joseph",
"all veterans",
"rocky mountain",
"mission",
"vice",
"april",
"school",
"austin",
"prior",
"ipv4 add",
"urls",
"files",
"location united",
"wordpress",
"rmhs meta",
"tags viewport",
"rmhs og",
"rmhs article",
"wpbakery page",
"builder",
"slider plugin",
"google tag",
"mountain human",
"denver",
"connecting",
"denver start",
"relevance home",
"providers",
"contact us",
"rmhs main",
"server",
"redacted tech",
"redacted admin",
"registrar abuse",
"algorithm",
"key identifier",
"x509v3 subject",
"dnssec",
"country",
"ttl value",
"graph summary",
"resolved ips",
"ip address",
"port",
"data",
"screenshots no",
"involved direct",
"country name",
"name response",
"tcp connections",
"learn",
"ck id",
"name tactics",
"suspicious",
"informative",
"command",
"adversaries",
"found",
"spawns",
"t1590 gather",
"path",
"ascii text",
"exif standard",
"tiff image",
"format",
"stop",
"false",
"soldier",
"model",
"youth",
"baby",
"june",
"general",
"local",
"click",
"strings",
"core",
"warrior",
"green",
"emotion",
"flash",
"nina",
"hunk",
"fono",
"daam",
"mitre att",
"ck techniques",
"id name",
"malicious",
"windows nt",
"win64",
"khtml",
"gecko",
"brand",
"microsoft edge",
"show process",
"self",
"date",
"comspec",
"hybrid",
"form",
"log id",
"gmtn",
"tls web",
"b2 f6",
"b0n timestamp",
"f9401a",
"record value",
"x wix",
"certificate",
"domain add",
"pulse submit",
"body",
"domain related",
"blackbox",
"apple",
"helix",
"dvrdns",
"tracking",
"remote access",
"ios",
"spyware",
"hoax",
"dynamicloader",
"ptls6",
"medium",
"flashpix",
"high",
"ygjpavclsline",
"officespace",
"chartshared",
"powershell",
"write",
"malware",
"ygjpaulscontext",
"status",
"japan unknown",
"domain",
"pulses",
"search",
"accept",
"apt10",
"trojanspy",
"win32",
"entries",
"susp",
"backdoor",
"useragent",
"showing",
"virtool",
"twitter",
"mozilla",
"trojandropper",
"trojan",
"title",
"onelouder",
"yara det",
"maware samoe",
"genaco x",
"ids detec",
"ids terse",
"win3 data",
"include review",
"exclude sugges",
"targeting",
"show",
"copy",
"reads",
"dynamic",
"vendor finding",
"notes clamav",
"files matching",
"number",
"sample analysis",
"hide samples",
"date hash",
"next yara"
],
"references": [
"rmhumanservices.org",
"http://www.dvrdns.net/BlackBox/LVR_SD310HWG/SD310H/Player(3.7.2.0).exe.txt",
"ntp17.dn.n-helix.com \u2022 ntp6.n-helix.com \u2022\tn-helix.com",
"https://www.pornhub.com/gifs/search?search=tsara+lynn+brashears+lesbian",
"http://www.dvrdns.net/BlackBox/google/googleMapKey.txt",
"http://www.dvrdns.net/BlackBox/AOKI/AMEXA07/AMEX-A07%20PCViewer(3.9.8.1).exe",
"http://www.dvrdns.net/BlackBox/LVR_SD310HWG/SD310H%2520Player",
"http://www.dvrdns.net/BlackBox/IROAD/IROAD_X9/version.txt",
"http://www.dvrdns.net/BlackBox/IROAD/IROAD_T8S2/IROAD%20Viewer(4.1.6.1).exe",
"http://www.dvrdns.net/BlackBox/IROAD/IROAD_T8S2/",
"https://we4.ondemand.esker.com/ondemand/webaccess/logon.aspx?status=CookieNotFound",
"https://www.mlkfoundation.net/ (Foundry DGA)",
"remotewd.com x 34 devices",
"South Africa based: remote.advisoroffice.com",
"acc.lehigtapp.com - malware",
"http://watchhers.net/index.php (espionage entity /palantir relationship - seen before with palantir and Pegasus sometimes simultaneously )",
"Active - apple-dns.net \u2022 nr-data.net \u2022 tunes.apple.com \u2022 emails.redvue.com \u2022",
"Active - pointing: https://itunes.apple.com/app/apple-store/id284815942/us/app/samsung-galaxy-watch-gear-s/id1117310635",
"http://help.cangene.com/tmp/javascript/tiny_mce/plugins/imagepaste/applet/cp.jar",
"http://wpgchanfp01.cangene.com/tmp/javascript/tiny_mce/plugins/imagepaste/applet/cp.jar",
"Excess porn -http://barbaramarx.com/__media__/js/netsoltrademark.php?d=www.pornxxxgals.info/feet-licking-porn/",
"https://www.rmhumanservices.org/wp-content/themes/unicon/framework/js/isotope.pkgd.min.js malware hosting",
"YARA Detections: NAME STRINGS CATEGORY APT10_Malware_Sample_Gen acc.lehigtapp.com FILE",
"acc.lehigtapp.com - APT10_Malware_Sample_Gen acc.lehigtapp.com FILE",
"http://www.dvrdns.net/BlackBox/LVR_SD310HWG/SD310H/Player(3.7.2.0).exe.txt \u2022 www.dvrdns.net",
"IDS Detections: Koobface HTTP Request (2) W32/Bayrob Attempted Checkin 2",
"IDS Terse HTTP 1.0 Request Possible Nivdort Probable OneLouder downloader (Zeus P2P)",
"IDS: Win32/Nivdort Checkin Win32.Sality.bh Checkin 2 Andromeda Checkin Hostname",
"1.organization.api.powerplatform.partner.microsoftonline.cn",
"chinaeast2.admin.api.powerautomate.cn",
"https://cisomag.com/mysterious-malware-infects-over-45000-android-phones/amp/",
"https://hhahiag.r.af.d.sendibt2.com/tr/cl/k5n4lETrM7BShW8xAUoWzvHtXjUA9oY0eN0p94b4t6YmDCrHhUgR0CnWSrSU4oUFIIWHm33C5ltugoVezhyEVu8aXyY_lcNjanZPDFg-LOsishNuFrY6IJn0V0mjTudzlxtGsp9Cf04n9fUhwGutzxcgUbjXHhhy9RZdcxw9Z89-_v9NL4wQvbEhDhAlekBXUxvWjkXG_WyC8myfJAYzXL_43Cok-YEiyDHA7JvRwSX9aWdWtcE5N-kL3K-VM_-tvhSJcLt-mXjsbAN6DYkoz2r7j11242EYDQHdzTiC1Or0k6_Ptz-GvAw4cZyo3978asi27ijV89a5ngu_Ene6XOjg_UMpexvj9Zrihu4i9EPTSC-5-7qKwlTLKNHiwI6DvmurR5IoMJVMPa-xIDMUN2LCMTwUHMvfo0q2a0btH2Fx2A",
"ssa-gov.authorizeddns",
"hmmm\u2026http://palander.stjernstrom.se/",
"https://jt667.keap-link003.com/v2/click/063b9634a5ebbdf34f43cbbbca6019ca/eJyNkEEPwUAQhf_LnEularE3EZGmOAhn2bRTlu2abIdEpP_dEHEicZ335nvz5g6M3njOStBwZKWGEEHAwpJFz9OzZ1O8xH6Spr1BBM760zycLwT6_m33oz-n6ThNBioCvhGKZ7OeTPNsNd8tslUuXjJBQv4BDVUyUqMPaLacZAto259krC3PrgJvQHO44LNTaaUXb4MT_4GZGh3HJzTUJbPH-BUbY22s61DACuW0AjuFMDB0D1w7wRoi9OX7KzneQFfGNdg-ANNtagU"
],
"public": 1,
"adversary": "APT 10",
"targeted_countries": [
"United States of America"
],
"malware_families": [
{
"id": "APT 10",
"display_name": "APT 10",
"target": null
},
{
"id": "OneLouder",
"display_name": "OneLouder",
"target": null
},
{
"id": "Andromeda",
"display_name": "Andromeda",
"target": null
},
{
"id": "Sality",
"display_name": "Sality",
"target": null
},
{
"id": "KoobFace",
"display_name": "KoobFace",
"target": null
},
{
"id": "Bayrob",
"display_name": "Bayrob",
"target": null
},
{
"id": "Nivdort Checkin",
"display_name": "Nivdort Checkin",
"target": null
},
{
"id": "Win.Malware.Installcore-6950365-0",
"display_name": "Win.Malware.Installcore-6950365-0",
"target": null
}
],
"attack_ids": [
{
"id": "T1102",
"name": "Web Service",
"display_name": "T1102 - Web Service"
},
{
"id": "T1566",
"name": "Phishing",
"display_name": "T1566 - Phishing"
},
{
"id": "T1140",
"name": "Deobfuscate/Decode Files or Information",
"display_name": "T1140 - Deobfuscate/Decode Files or Information"
},
{
"id": "T1027",
"name": "Obfuscated Files or Information",
"display_name": "T1027 - Obfuscated Files or Information"
},
{
"id": "T1056",
"name": "Input Capture",
"display_name": "T1056 - Input Capture"
},
{
"id": "T1057",
"name": "Process Discovery",
"display_name": "T1057 - Process Discovery"
},
{
"id": "T1071",
"name": "Application Layer Protocol",
"display_name": "T1071 - Application Layer Protocol"
},
{
"id": "T1105",
"name": "Ingress Tool Transfer",
"display_name": "T1105 - Ingress Tool Transfer"
},
{
"id": "T1480",
"name": "Execution Guardrails",
"display_name": "T1480 - Execution Guardrails"
},
{
"id": "T1553",
"name": "Subvert Trust Controls",
"display_name": "T1553 - Subvert Trust Controls"
},
{
"id": "T1568",
"name": "Dynamic Resolution",
"display_name": "T1568 - Dynamic Resolution"
},
{
"id": "T1583",
"name": "Acquire Infrastructure",
"display_name": "T1583 - Acquire Infrastructure"
},
{
"id": "T1590",
"name": "Gather Victim Network Information",
"display_name": "T1590 - Gather Victim Network Information"
},
{
"id": "T1113",
"name": "Screen Capture",
"display_name": "T1113 - Screen Capture"
},
{
"id": "T1129",
"name": "Shared Modules",
"display_name": "T1129 - Shared Modules"
},
{
"id": "T1132",
"name": "Data Encoding",
"display_name": "T1132 - Data Encoding"
},
{
"id": "T1518",
"name": "Software Discovery",
"display_name": "T1518 - Software Discovery"
},
{
"id": "T1119",
"name": "Automated Collection",
"display_name": "T1119 - Automated Collection"
},
{
"id": "T1055",
"name": "Process Injection",
"display_name": "T1055 - Process Injection"
},
{
"id": "T1574.006",
"name": "Dynamic Linker Hijacking",
"display_name": "T1574.006 - Dynamic Linker Hijacking"
},
{
"id": "T1210",
"name": "Exploitation of Remote Services",
"display_name": "T1210 - Exploitation of Remote Services"
},
{
"id": "T1449",
"name": "Exploit SS7 to Redirect Phone Calls/SMS",
"display_name": "T1449 - Exploit SS7 to Redirect Phone Calls/SMS"
},
{
"id": "TA0011",
"name": "Command and Control",
"display_name": "TA0011 - Command and Control"
}
],
"industries": [
"Golfing",
"Healthcare",
"Government"
],
"TLP": "white",
"cloned_from": null,
"export_count": 9,
"upvotes_count": 0,
"downvotes_count": 0,
"votes_count": 0,
"locked": false,
"pulse_source": "web",
"validator_count": 0,
"comment_count": 0,
"follower_count": 0,
"vote": 0,
"author": {
"username": "Q.Vashti",
"id": "337942",
"avatar_url": "https://otx.alienvault.com/assets/images/default-avatar.png",
"is_subscribed": false,
"is_following": false
},
"indicator_type_counts": {
"domain": 690,
"hostname": 1912,
"URL": 5925,
"FileHash-SHA1": 273,
"email": 8,
"FileHash-SHA256": 3618,
"CIDR": 3,
"FileHash-MD5": 254,
"SSLCertFingerprint": 19,
"CVE": 2
},
"indicator_count": 12704,
"is_author": false,
"is_subscribing": null,
"subscriber_count": 141,
"modified_text": "184 days ago ",
"is_modified": true,
"groups": [],
"in_group": false,
"threat_hunter_scannable": true,
"threat_hunter_has_agents": 1,
"related_indicator_type": "URL",
"related_indicator_is_active": 1
},
{
"id": "6879093e8658df9f35683846",
"name": "Worm:Win32/Benjamin continues to impact network",
"description": "Worm:Win32/Benjamin continues to impact network operations of a little known, limited national cybers space organization. P2P-Worm.\n*IDS Detections: \n\u2022 Win32.Worm.Benjamin.A CnC Checkin Alerts\n\u2022 nids_malware_alert\n\u2022 network_icmp\n\u2022 network_irc\n\u2022 persistence_autorun\n| Multiple network issues from outages, stolen password keychains, credentials dumping, impressive espionage attacks. Likely goes unnoticed to many. Widely regarded/reported as an outage that is really an unpatched, ongoing cyber attack.",
"modified": "2025-08-16T14:00:26.166000",
"created": "2025-07-17T14:31:26.824000",
"tags": [
"include review",
"data upload",
"extraction",
"read c",
"search",
"medium",
"show",
"msie",
"windows nt",
"wow64",
"slcc2",
"media center",
"entries",
"dock",
"write",
"execution",
"capture",
"next",
"copy",
"date",
"aaaa",
"present may",
"present nov",
"passive dns",
"ip address",
"domain",
"status",
"next associated",
"delete",
"iocs",
"failed",
"sc data",
"type",
"extr data",
"included",
"review iocs",
"memcommit",
"user execution",
"module load",
"t1129",
"icmp traffic",
"high",
"collection",
"cmd c",
"t1055",
"enter",
"extract",
"enter sc",
"drop or",
"browse t",
"oprop",
"extraction data",
"enter source",
"url or",
"texorag",
"browse",
"urls",
"dnssec",
"hostname add",
"pulse pulses",
"files",
"files ip",
"domainadmin",
"showing",
"ttl value",
"thumbprint",
"onlv",
"find",
"extri data",
"dran anu",
"extr",
"manually add",
"review exclude",
"sugges",
"find s",
"typ hos",
"se data",
"include data",
"review locs",
"exclude",
"suggested es",
"intel",
"ms windows",
"write c",
"pe32",
"pe32 executable",
"copy c",
"worm",
"win32",
"benjamin",
"june",
"delphi",
"malware",
"nids",
"icmp delphi",
"yara detections",
"malware traffic",
"checkin",
"code",
"name servers",
"servers",
"pulses",
"expiration date",
"united",
"body",
"cookie",
"related tags",
"file type",
"pe packer",
"pm size",
"sha1 sha256",
"imphash pehash",
"virustotal api",
"screenshots",
"comments"
],
"references": [],
"public": 1,
"adversary": "",
"targeted_countries": [],
"malware_families": [],
"attack_ids": [
{
"id": "T1023",
"name": "Shortcut Modification",
"display_name": "T1023 - Shortcut Modification"
},
{
"id": "T1053",
"name": "Scheduled Task/Job",
"display_name": "T1053 - Scheduled Task/Job"
},
{
"id": "T1055",
"name": "Process Injection",
"display_name": "T1055 - Process Injection"
},
{
"id": "T1056",
"name": "Input Capture",
"display_name": "T1056 - Input Capture"
},
{
"id": "T1060",
"name": "Registry Run Keys / Startup Folder",
"display_name": "T1060 - Registry Run Keys / Startup Folder"
},
{
"id": "T1082",
"name": "System Information Discovery",
"display_name": "T1082 - System Information Discovery"
},
{
"id": "T1119",
"name": "Automated Collection",
"display_name": "T1119 - Automated Collection"
},
{
"id": "T1129",
"name": "Shared Modules",
"display_name": "T1129 - Shared Modules"
},
{
"id": "T1143",
"name": "Hidden Window",
"display_name": "T1143 - Hidden Window"
},
{
"id": "T1204",
"name": "User Execution",
"display_name": "T1204 - User Execution"
},
{
"id": "T1045",
"name": "Software Packing",
"display_name": "T1045 - Software Packing"
}
],
"industries": [],
"TLP": "green",
"cloned_from": null,
"export_count": 50,
"upvotes_count": 0,
"downvotes_count": 0,
"votes_count": 0,
"locked": false,
"pulse_source": "web",
"validator_count": 0,
"comment_count": 0,
"follower_count": 0,
"vote": 0,
"author": {
"username": "Q.Vashti",
"id": "337942",
"avatar_url": "https://otx.alienvault.com/assets/images/default-avatar.png",
"is_subscribed": false,
"is_following": false
},
"indicator_type_counts": {
"FileHash-MD5": 536,
"FileHash-SHA1": 465,
"FileHash-SHA256": 1836,
"domain": 766,
"hostname": 960,
"URL": 2879,
"CVE": 1,
"email": 4
},
"indicator_count": 7447,
"is_author": false,
"is_subscribing": null,
"subscriber_count": 139,
"modified_text": "246 days ago ",
"is_modified": true,
"groups": [],
"in_group": false,
"threat_hunter_scannable": true,
"threat_hunter_has_agents": 1,
"related_indicator_type": "URL",
"related_indicator_is_active": 1
},
{
"id": "68743733a69ce827f6156f5c",
"name": "W3.org | Google Spy engine | Tracking, Malware Repository | www.W3.org https://www.searchw3.com/ > ww.google.com.uy",
"description": "",
"modified": "2025-07-13T22:46:11.685000",
"created": "2025-07-13T22:46:11.685000",
"tags": [
"http response",
"final url",
"ip address",
"status code",
"body length",
"kb body",
"sha256",
"headers",
"expired",
"acceptencoding",
"html info",
"title home",
"tags viewport",
"trackers google",
"tag manager",
"gsddf3d2bzf",
"historical ssl",
"referrer",
"december",
"formbook",
"round",
"apple ios",
"tsara brashears",
"unlocker",
"collection",
"vt graph",
"socgholish",
"blister",
"hacktool",
"hiddentear",
"gootloader",
"agent tesla",
"crypto",
"installer",
"life",
"malware",
"open",
"korplug",
"tofsee",
"date",
"name servers",
"status",
"passive dns",
"urls",
"scan endpoints",
"all scoreblue",
"pulse submit",
"url analysis",
"files",
"no data",
"tag count",
"analyzer threat",
"ip summary",
"url summary",
"summary",
"sample",
"samples",
"detection list",
"heur",
"cisco umbrella",
"alexa top",
"million",
"site",
"alexa",
"maltiverse",
"xcnfe",
"safe site",
"phishing",
"remcos",
"malicious",
"miner",
"bank",
"agenttesla",
"agent",
"unknown",
"downloader",
"unsafe",
"trojan",
"detplock",
"artemis",
"networm",
"win64",
"redline stealer",
"limerat",
"venom rat",
"trojanspy",
"tld count",
"png image",
"jpeg image",
"rgba",
"exif standard",
"tiff image",
"pattern match",
"ascii text",
"united",
"jfif",
"sha1",
"core",
"general",
"starfield",
"hybrid",
"local",
"encrypt",
"click",
"strings",
"adobea",
"daga",
"as30148 sucuri",
"td tr",
"search",
"span td",
"as44273 host",
"creation date",
"a domains",
"xtra",
"meta",
"back",
"verdict",
"domain",
"aaaa",
"as15169 google",
"asnone united",
"nxdomain",
"sucuri security",
"a li",
"span",
"class",
"body",
"sucuri website",
"a div",
"authority",
"record value",
"showing",
"gmt content",
"x sucuri",
"high",
"related pulses",
"show",
"guard",
"entries",
"win32",
"west domains",
"next",
"ipv4",
"asnone germany",
"object",
"com cnt",
"dem fin",
"gov int",
"nav onl",
"phy pre",
"formbook cnc",
"checkin",
"found",
"error",
"code",
"create c",
"read c",
"delete",
"write",
"default",
"dock",
"execution",
"copy",
"xport",
"firewall",
"body doctype",
"section",
"dcrat",
"analyzer paste",
"iocs",
"hostnames",
"url https",
"blacklist",
"cl0p ransomware",
"zbot",
"malware site",
"team memscan",
"cl0p",
"algorithm",
"data",
"v3 serial",
"number",
"cus starizona",
"cngo daddy",
"g2 validity",
"subject public",
"key info",
"certificate",
"whois lookup",
"netrange",
"nethandle",
"net192",
"net1920000",
"as174",
"as3257",
"sucuri",
"sucur2",
"verisign",
"whois database",
"server",
"registrar abuse",
"icann whois",
"whois status",
"registrar iana",
"form",
"temple",
"first",
"android",
"win32 exe",
"html",
"bobby fischer",
"office open",
"detections type",
"name",
"pdf dealer",
"price list",
"pdf my",
"crime",
"taiwan unknown",
"as3462",
"as131148 bank",
"as21342",
"all search",
"otx scoreblue",
"pulse pulses",
"cname",
"as22612",
"as43350 nforce",
"win32upatre jun",
"expiration date",
"hostname",
"lowfi",
"date hash",
"avast avg",
"date checked",
"url hostname",
"server response",
"google safe",
"results jun",
"files show",
"registrar",
"china unknown",
"title",
"network",
"fakedout threat",
"urls http",
"maltiverse safe",
"malicious url",
"team",
"phishtank",
"services",
"botnet command",
"control server",
"mining",
"betabot",
"team malware",
"engineering",
"stealer",
"service",
"vawtrak",
"virut",
"emotet",
"simda",
"redline",
"fri oct",
"media sharing",
"known infection source",
"bot networks",
"malware",
"malware repository",
"spyware"
],
"references": [
"https://www.searchw3.com/ = google.analytics.com, google.com, google.net, adservice.google.com.uy,https://plus.google.com/",
"ns1.google.com, nussbaumlaw-ca.webpkgcache.com, plus.google.com, tddctx-com.webpkgcache.com,",
"Ransomware: message.htm.com | nr-data.net [Apple Private Data Collection]",
"https://otx.alienvault.com/indicator/file/e590f6ad5d0a831e297ed14c29af8467085d33bb26216501b621fbe8e8eca23b",
"https://otx.alienvault.com/otxapi/indicators/file/screenshot/e590f6ad5d0a831e297ed14c29af8467085d33bb26216501b621fbe8e8eca23b",
"Alerts: ransomware_file_modifications script_created_process antivm_generic_bios antivm_generic_disk uses_windows_utilities",
"Alerts: cmdline_http_link clears_logs registry_credential_store_access infostealer_cookies recon_fingerprint",
"Alerts: anomalous_deletefile antidebug_guardpages antisandbox_sleep dynamic_function_loading encrypted_ioc reads_self",
"Alerts: stealth_window cmdline_http_link uses_windows_utilities suspicious_command_tools dead_connect",
"IP\u2019s Contacted: 192.124.249.187",
"Possible Fake AV Checkin Kazy/Kryptor/Cycbot Trojan Checkin BetterInstaller Win32.AdWare.iBryte.C Install Dooptroop CnC Beacon Win32/DownloadAssistant.A PUP CnC Win32.Sality-GR Checkin Win32/FlyStudio Activity W32/InstallRex.Adware Initial CnC Beacon PUP Win32/DownloadAssistant.A Checkin",
"Alerts: ransomware_file_modifications script_created_process antivm_generic_bios antivm_generic_disk antidebug_guardpages antisandbox_sleep dynamic_function_loading encrypted_ioc reads_self stealth_window cmdline_http_link uses_windows_utilities",
"Alerts: enumerates_physical_drives clears_logs registry_credential_store_access infostealer_cookies recon_fingerprint suspicious_command_tools anomalous_deletefile",
"Alerts: clears_logs registry_credential_store_access infostealer_cookies recon_fingerprint suspicious_command_tools anomalous_deletefile antidebug_guardpages antisandbox_sleep dynamic_function_loading encrypted_ioc reads_self stealth_window cmdline_http_link uses_windows_utilities",
"www.google.com/images/branding/googlelogo/1x/googlelogo, https://www.google.com/recaptcha/api.js?onload=recaptchaCallback&render=explicit&hl=",
"www.google.com/images/branding/googlelogo/2x/googlelogo, www.google.com/images/errors/robot.png, www.google.com, www.google.com/"
],
"public": 1,
"adversary": "",
"targeted_countries": [],
"malware_families": [
{
"id": "TrojanSpy",
"display_name": "TrojanSpy",
"target": null
},
{
"id": "Cl0p",
"display_name": "Cl0p",
"target": null
},
{
"id": "RedLine",
"display_name": "RedLine",
"target": null
}
],
"attack_ids": [
{
"id": "T1027",
"name": "Obfuscated Files or Information",
"display_name": "T1027 - Obfuscated Files or Information"
},
{
"id": "T1071",
"name": "Application Layer Protocol",
"display_name": "T1071 - Application Layer Protocol"
},
{
"id": "T1105",
"name": "Ingress Tool Transfer",
"display_name": "T1105 - Ingress Tool Transfer"
},
{
"id": "T1114",
"name": "Email Collection",
"display_name": "T1114 - Email Collection"
},
{
"id": "T1553",
"name": "Subvert Trust Controls",
"display_name": "T1553 - Subvert Trust Controls"
},
{
"id": "T1568",
"name": "Dynamic Resolution",
"display_name": "T1568 - Dynamic Resolution"
},
{
"id": "T1583",
"name": "Acquire Infrastructure",
"display_name": "T1583 - Acquire Infrastructure"
},
{
"id": "T1119",
"name": "Automated Collection",
"display_name": "T1119 - Automated Collection"
},
{
"id": "T1053",
"name": "Scheduled Task/Job",
"display_name": "T1053 - Scheduled Task/Job"
},
{
"id": "T1055",
"name": "Process Injection",
"display_name": "T1055 - Process Injection"
},
{
"id": "T1082",
"name": "System Information Discovery",
"display_name": "T1082 - System Information Discovery"
},
{
"id": "T1129",
"name": "Shared Modules",
"display_name": "T1129 - Shared Modules"
},
{
"id": "T1143",
"name": "Hidden Window",
"display_name": "T1143 - Hidden Window"
}
],
"industries": [],
"TLP": "green",
"cloned_from": "6688e0ffb31d4881f3238713",
"export_count": 21,
"upvotes_count": 0,
"downvotes_count": 0,
"votes_count": 0,
"locked": false,
"pulse_source": "web",
"validator_count": 0,
"comment_count": 0,
"follower_count": 0,
"vote": 0,
"author": {
"username": "Q.Vashti",
"id": "337942",
"avatar_url": "https://otx.alienvault.com/assets/images/default-avatar.png",
"is_subscribed": false,
"is_following": false
},
"indicator_type_counts": {
"FileHash-SHA256": 4080,
"URL": 11952,
"hostname": 4638,
"domain": 4301,
"FileHash-MD5": 2236,
"FileHash-SHA1": 1140,
"CVE": 8,
"SSLCertFingerprint": 20,
"email": 8,
"CIDR": 1
},
"indicator_count": 28384,
"is_author": false,
"is_subscribing": null,
"subscriber_count": 143,
"modified_text": "279 days ago ",
"is_modified": false,
"groups": [],
"in_group": false,
"threat_hunter_scannable": true,
"threat_hunter_has_agents": 1,
"related_indicator_type": "URL",
"related_indicator_is_active": 1
},
{
"id": "6523344e4adc85389899504c",
"name": "Unsupported IE 404 account running BotNet Command & Control [by OctoSeek]",
"description": "",
"modified": "2024-10-13T03:00:28.081000",
"created": "2023-10-08T22:59:26.040000",
"tags": [
"united",
"contacted urls",
"whois record",
"contacted",
"malicious site",
"malware",
"phishing site",
"anonymizer",
"heur",
"control server",
"facebook",
"cobalt strike",
"execution",
"installcore",
"phishing",
"service",
"core",
"metro",
"icmp",
"hacktool",
"download",
"relic",
"monitoring",
"installer",
"steam",
"bank",
"dnspionage",
"crack",
"unsafe",
"ramnit",
"emotet",
"malware site",
"proxy",
"exploit",
"fakealert",
"team",
"redline stealer",
"laplasclipper",
"cisco umbrella",
"site",
"safe site",
"alexa top",
"million",
"alexa",
"downloader",
"opencandy",
"generic",
"presenoker",
"maltiverse",
"trojanspy",
"date",
"unknown",
"windir",
"markmonitor",
"name server",
"av detection",
"september",
"default browser",
"guest system",
"hybrid",
"general",
"click",
"strings",
"class",
"critical",
"blacklist",
"union",
"Embarcadero Delphi",
"whois whois",
"referrer",
"ssl certificate",
"communicating",
"resolutions",
"parent parent",
"dropped",
"stealer",
"banker",
"keylogger",
"attack",
"apple",
"detection list",
"ip address",
"netsky",
"firehol proxy",
"noname057",
"threat report",
"ip summary",
"url summary",
"summary",
"sample",
"samples",
"FireHol",
"Proxy",
"Pexee",
"Bank of America Corporation Malware Download",
"CVE-2017-11882",
"Alexa SANS Internet Storm Center",
"MCI Verizon Block",
"NaN"
],
"references": [
"http://ww1.tsx.org/_fd",
"https://www.milehighmedia.com/legal/2257 (exploit source | revenge porn)",
"Target \u2192 https://www.pinterest.com/pinkbuffalorun/ (EMOTET) Full control taken. True Board owner (a legitimate business) was likely very unaware Pinterest activities all flowed through the Dark Web. (Research shows over 5000 followers | 1 million visits per mo | more than 1 million pins re-pinned)",
"http://103.246.145.111/gateonl.php?hwid=WALKER-PC-WALKER&cpuname=Intel (remote hacking/potentially maliciousRedTeam)",
"http://45.159.189.105/bot/online?guid=WALKER-PC&key=b73f03cae5752ff4c823f89de539b59754bc4e65d43970358b17bcf21fb6c4e5 (remote hacking)",
"http://clipper.guru/bot/online?guid=WALKER-PC (remote hacking)",
"Target \u2192 https://www.pornhub.com/gifs/search?search=tsara+lynn+brashears+lesbian (attached to Pinterest account)",
"https://firebaseremoteconfig.googleapis.com/v1/projects/16163253122/namespaces/firebase:fetch (remote hacking)",
"firebaseremoteconfig.googleapis.com (remote hacking)",
"remote.telegrafix.com (remote hacking)",
"fb582cc7cfcfa64786caff627cc34ff7aedf7a97620d0cd2eb927d4bb3b7653d",
"remote.haverhillcc.com (remote hacking)",
"http://ax.itunes.apple.com/WebObjects/MZStoreServices.woa/ws/RSS/toppaidapplications/limit=10/xml",
"http://go.microsoft.com/fwlink/?LinkID=252669&clcid=0x409",
"http://init-p01st.push.apple.com/bag (remote hacking)",
"https://support.apple.com/en-us/HT201265. Targets (iOS ID)",
"apple.com. (malicious version/header)",
"https://www.apple.com/sitemap/",
"https://applemusic-spotlight.myunidays.com/US/en-US? (remote hacking)",
"http://go.microsoft.com/fwlink/?LinkID=252669&clcid=0x409",
"init.ess.apple.com (remote hacking)",
"applepaydayloans.com",
"www.metrobyt-mobile.com (So very hacked. Should be shut down. No corporate headquarters. Malicious practices by many independent owners)",
"https://applepaydayloans.com/",
"https://sinister.ly/Thread-Apple-empty-box?page=13",
"7651508989a859a165a3e587268021e3ce3734b3e8711d06a101068c60dfdbbe ( Spyware| tsetup.2.4.4.exe | Downloader.Agent!1.E2F1 (CLASSIC) |Telegram Messenger Inc WeExtract malicious installation on targets media & devices)",
"https://support.Apple.com/de",
"http://www.Apple.com/quicktime/download",
"http://www.Apple.com/quicktime/download/standalone.html",
"https://urldefense.us/v2/url?u=http-3A__support.apple.com_kb_HT2693&d=DwMGaQ&c=mcnPvAfk3Xtjyky7sc3uA24Vk9hJzQ1fEHisENJPWek&r=PjGDHIUs1kNE6nRUZrOEsufSDp8LBQ-SwHI1wE1Z0Qo&m=zBlvHUR-UT1fW5-53xrUtd5Uj5DBn30a-XGaqZ1lyWh4YCJi5SWOvg3tVORPEuat&s=OJ-NfystLux9f25c44kAAuBLCoTAo6gQJ7EMKHRlrCk&e=&data=05",
"https://www.roseoubleu.fr/panier (phishing)",
"Roksit.net",
"stagelight.pl (malicious/ pattern match)",
"www.jamesbgriffinlaw.com (malicious host)",
"Data Analytics",
"Behavior Pattern Match Analysis",
"45.159.189.105 (Command and Control)",
"http://45.159.189.105/bot/regex (Bot Command)",
"151.101.0.84 US - United States Pinterest Botnet Command and Control Server - 23.62.46.21",
"AS54113 Fastly Autonomous System aggregation for Pinterest United States Botnet Command and Control Server",
"DetectItEasy PE32 Installer: Inno Setup Module (6.0.0) [unicode] Compiler: Embarcadero Delphi (10.3 Rio) [Professional] Linker: Turbo Linker (2.25*,Delphi) [GUI32,signed] Overlay: Inno Setup Installer data",
"(unsupported_iexplore exploit/redirect) https://www.pinterest.com/pin/mood--35536284546940000/ (Dark Web Trace)"
],
"public": 1,
"adversary": "",
"targeted_countries": [
"United States of America",
"Canada"
],
"malware_families": [
{
"id": "Maltiverse",
"display_name": "Maltiverse",
"target": null
},
{
"id": "TrojanSpy",
"display_name": "TrojanSpy",
"target": null
},
{
"id": "TEL:Delphi/Obfuscator",
"display_name": "TEL:Delphi/Obfuscator",
"target": "/malware/TEL:Delphi/Obfuscator"
},
{
"id": "LaplasClipper",
"display_name": "LaplasClipper",
"target": null
},
{
"id": "#Lowfi:SIGA:TrojanSpy:MSIL/Keylogger",
"display_name": "#Lowfi:SIGA:TrojanSpy:MSIL/Keylogger",
"target": null
},
{
"id": "SLFPER:InstallCore",
"display_name": "SLFPER:InstallCore",
"target": null
},
{
"id": "RedLine Stealer",
"display_name": "RedLine Stealer",
"target": null
},
{
"id": "ALF:Program:OpenCandy:Remnant",
"display_name": "ALF:Program:OpenCandy:Remnant",
"target": null
},
{
"id": "Ramnit",
"display_name": "Ramnit",
"target": null
},
{
"id": "Relic",
"display_name": "Relic",
"target": null
},
{
"id": "Skynet",
"display_name": "Skynet",
"target": null
},
{
"id": "generic.malware",
"display_name": "generic.malware",
"target": null
},
{
"id": "Anonymizer",
"display_name": "Anonymizer",
"target": null
},
{
"id": "#HSTR:HackTool:Win32/Mimikatz",
"display_name": "#HSTR:HackTool:Win32/Mimikatz",
"target": null
},
{
"id": "PWS:MSIL/Steam",
"display_name": "PWS:MSIL/Steam",
"target": "/malware/PWS:MSIL/Steam"
},
{
"id": "Trojan.HTML.Agent",
"display_name": "Trojan.HTML.Agent",
"target": null
},
{
"id": "Gen:Variant.Zusy",
"display_name": "Gen:Variant.Zusy",
"target": null
},
{
"id": "Worm:Win32/Netsky",
"display_name": "Worm:Win32/Netsky",
"target": "/malware/Worm:Win32/Netsky"
},
{
"id": "Sodin Ransomware",
"display_name": "Sodin Ransomware",
"target": null
},
{
"id": "Keyloggers",
"display_name": "Keyloggers",
"target": null
},
{
"id": "Proxy",
"display_name": "Proxy",
"target": null
},
{
"id": "TEL:Trojan:Win32/Emotet",
"display_name": "TEL:Trojan:Win32/Emotet",
"target": null
},
{
"id": "Cobalt Strike - S0154",
"display_name": "Cobalt Strike - S0154",
"target": null
},
{
"id": "Generic.ASMalwS Malicious_confidence_70% 1\tIL:Trojan.MSILZilla 1\tFileRepMalware 1\tRansom.Sabsik 1\tBehavesLike.Dropper 1\tMicrosoft phishing 1\tBackdoor.Mokes 1\tPhishing Bank of America Corporat",
"display_name": "Generic.ASMalwS Malicious_confidence_70% 1\tIL:Trojan.MSILZilla 1\tFileRepMalware 1\tRansom.Sabsik 1\tBehavesLike.Dropper 1\tMicrosoft phishing 1\tBackdoor.Mokes 1\tPhishing Bank of America Corporat",
"target": null
},
{
"id": "malware_download\tsuspicious.low.ml 2\tmalicious.moderate.ml 1\tUnsafe.AI_Score_98% 1\tMobigame 1\tbanker,evasive,retefe 1\tProgram.Unwanted 1\tmalicious.high.ml 1\tKryptik.dawvk 1\tUnsafe.AI_Score_91% 1\tAdwar",
"display_name": "malware_download\tsuspicious.low.ml 2\tmalicious.moderate.ml 1\tUnsafe.AI_Score_98% 1\tMobigame 1\tbanker,evasive,retefe 1\tProgram.Unwanted 1\tmalicious.high.ml 1\tKryptik.dawvk 1\tUnsafe.AI_Score_91% 1\tAdwar",
"target": null
},
{
"id": "AdwareSig [Adw] ml.Generic",
"display_name": "AdwareSig [Adw] ml.Generic",
"target": null
},
{
"id": "W32.Hack.Generic",
"display_name": "W32.Hack.Generic",
"target": null
},
{
"id": "Trojan.Ole2.Vbs",
"display_name": "Trojan.Ole2.Vbs",
"target": null
},
{
"id": "QVM20.1.8D80.Malware",
"display_name": "QVM20.1.8D80.Malware",
"target": null
},
{
"id": "Generic.Malware",
"display_name": "Generic.Malware",
"target": null
},
{
"id": "Backdoor.Mokes",
"display_name": "Backdoor.Mokes",
"target": null
},
{
"id": "AdWare.DropWare",
"display_name": "AdWare.DropWare",
"target": null
},
{
"id": "Gen:Variant.Razy",
"display_name": "Gen:Variant.Razy",
"target": null
},
{
"id": "Generic.31fcc75f",
"display_name": "Generic.31fcc75f",
"target": null
},
{
"id": "Trojan.Generic",
"display_name": "Trojan.Generic",
"target": null
},
{
"id": "Artemis",
"display_name": "Artemis",
"target": null
},
{
"id": "malware.generic",
"display_name": "malware.generic",
"target": null
},
{
"id": "Gen:Variant.Bulz",
"display_name": "Gen:Variant.Bulz",
"target": null
},
{
"id": "GameHack.DR",
"display_name": "GameHack.DR",
"target": null
},
{
"id": "Dropper.Binder",
"display_name": "Dropper.Binder",
"target": null
},
{
"id": "malicious.22a4c0",
"display_name": "malicious.22a4c0",
"target": null
},
{
"id": "SdBot.CAOC",
"display_name": "SdBot.CAOC",
"target": null
},
{
"id": "ml.Generic",
"display_name": "ml.Generic",
"target": null
},
{
"id": "Trojan.Ransom.GenericKD",
"display_name": "Trojan.Ransom.GenericKD",
"target": null
},
{
"id": "Phish.AB",
"display_name": "Phish.AB",
"target": null
},
{
"id": "undefined 1\tms 1\txyz 1\tgl 1\tnet TLD aggregation com ms xyz gl net 20% 20% 20% 20% 20% TLD\tCount com\t1 undefined\tNaN ms\t1 xyz\t1 gl\t1 net\t1 Combined blacklist timeline Hybrid-Analysis Maltiverse Resea",
"display_name": "undefined 1\tms 1\txyz 1\tgl 1\tnet TLD aggregation com ms xyz gl net 20% 20% 20% 20% 20% TLD\tCount com\t1 undefined\tNaN ms\t1 xyz\t1 gl\t1 net\t1 Combined blacklist timeline Hybrid-Analysis Maltiverse Resea",
"target": null
}
],
"attack_ids": [
{
"id": "T1027",
"name": "Obfuscated Files or Information",
"display_name": "T1027 - Obfuscated Files or Information"
},
{
"id": "T1218",
"name": "Signed Binary Proxy Execution",
"display_name": "T1218 - Signed Binary Proxy Execution"
},
{
"id": "T1059.007",
"name": "JavaScript",
"display_name": "T1059.007 - JavaScript"
},
{
"id": "T1071",
"name": "Application Layer Protocol",
"display_name": "T1071 - Application Layer Protocol"
},
{
"id": "T1105",
"name": "Ingress Tool Transfer",
"display_name": "T1105 - Ingress Tool Transfer"
},
{
"id": "T1071.004",
"name": "DNS",
"display_name": "T1071.004 - DNS"
},
{
"id": "T1071.001",
"name": "Web Protocols",
"display_name": "T1071.001 - Web Protocols"
},
{
"id": "TA0011",
"name": "Command and Control",
"display_name": "TA0011 - Command and Control"
}
],
"industries": [],
"TLP": "white",
"cloned_from": "6506b48d699080b4bfd334c5",
"export_count": 74,
"upvotes_count": 0,
"downvotes_count": 0,
"votes_count": 0,
"locked": false,
"pulse_source": "web",
"validator_count": 0,
"comment_count": 0,
"follower_count": 0,
"vote": 0,
"author": {
"username": "scoreblue",
"id": "254100",
"avatar_url": "/otxapi/users/avatar_image/media/avatars/user_254100/resized/80/avatar_3b9c358f36.png",
"is_subscribed": false,
"is_following": false
},
"indicator_type_counts": {
"URL": 7761,
"CVE": 6,
"FileHash-MD5": 285,
"FileHash-SHA1": 165,
"FileHash-SHA256": 5059,
"domain": 987,
"hostname": 2399
},
"indicator_count": 16662,
"is_author": false,
"is_subscribing": null,
"subscriber_count": 227,
"modified_text": "553 days ago ",
"is_modified": true,
"groups": [],
"in_group": false,
"threat_hunter_scannable": true,
"threat_hunter_has_agents": 1,
"related_indicator_type": "URL",
"related_indicator_is_active": 1
},
{
"id": "665bb7679843a6dabe4560e3",
"name": "USZoom [New York , USA] | iPostal1 | Where's my check & mailbox?",
"description": "According to some victims, malicious activities including/ not limited to mail filtering fulfillment center resulting in lost, tampered with, opened and glue sealed mail. Missing private documents, payment scams, needless recurring monthly fees, CSR call redirections to unaffiliated personnel. The system has been in the DW for several years. This is due to no fault of franchise owners. Bounty hunters, hackers, and cyber and mail thieves, potential aggressive law enforcement tacticts. Some use mailbox addresses for nefarious purposes, while others use it for business and address confidentiality. \n\nAuto generated: iPostal1 is the largest digital mailbox provider in the world, providing secure, easy-to-use digital mail solutions for individuals, small businesses and large businesses, and driving revenue for Workspaces.",
"modified": "2024-09-05T06:11:17.325000",
"created": "2024-06-02T00:05:59.160000",
"tags": [
"strong",
"story contact",
"us leadership",
"open menu",
"close menu",
"digital",
"thank",
"us zoom",
"skip",
"content home",
"enterprise",
"contact",
"threat roundup",
"august",
"historical ssl",
"april",
"referrer",
"formbook",
"ip check",
"vt graph",
"relacionada",
"cobalt strike",
"hiddentear",
"life",
"malware",
"open",
"mumblehard",
"sparkrat",
"attack",
"uszoom og",
"submission",
"analysis",
"utc http",
"response final",
"url https",
"ip address",
"status code",
"body length",
"kb body",
"graph api",
"status",
"content type",
"date",
"anchor hrefs",
"hrefs",
"cart contact",
"leadership",
"html info",
"title uszoom",
"meta tags",
"uszoom twitter",
"script tags",
"vhash htm",
"ssdeep",
"file type",
"html internet",
"magic html",
"ascii text",
"trid file",
"magika cttxt",
"file size",
"united",
"as20940",
"aaaa",
"canada",
"search",
"showing",
"cname",
"as35994 akamai",
"passive dns",
"next",
"as21928",
"unknown",
"urls",
"domain",
"creation date",
"emails",
"ipcounsel",
"scan endpoints",
"all scoreblue",
"ipv4",
"pulse submit",
"url analysis",
"files",
"invalid url",
"body",
"name servers",
"akamai",
"expiration date",
"asnone united",
"a nxdomain",
"india",
"as15224 adobe",
"bdclid",
"meta name",
"robots content",
"x ua",
"ieedge chrome1",
"incapsula",
"yara rule",
"high",
"explorer",
"alerts",
"less see",
"contacted",
"service",
"attempts",
"guard",
"url http",
"pulse pulses",
"http",
"related nids",
"files location",
"ip related",
"hostname",
"files ip",
"address domain",
"as46606",
"td td",
"script script",
"gmt path",
"create",
"website",
"set cookie",
"a td",
"win32",
"flash",
"pragma",
"cookie",
"xmpmm",
"png image",
"rgba",
"documentid",
"instanceid",
"creatortool",
"pattern match",
"adobe photoshop",
"macintosh",
"june",
"hybrid",
"local",
"encrypt",
"click",
"strings",
"anomalous_deletefile",
"info_stealer",
"et trojan",
"banload http",
"banload",
"ids detections",
"yara detections",
"bancos variant",
"c2 checkin",
"ntkrnlpacker",
"copy",
"meredrop",
"injection",
"e0e2edee",
"push",
"read",
"write",
"delete",
"entries",
"crlf line",
"anomalous file",
"medium",
"filehash",
"av detections",
"analysis date",
"file score",
"medium risk",
"detections none",
"related pulses",
"apple",
"apple id",
"apple private data collection",
"apple staging",
"t-mobile",
"metroby",
"keylogger"
],
"references": [
"https://uszoom.com/",
"http://www.dead-speak.com/ElectronicVoicePhenomena_EVP.htm",
"Malicious Score: 10",
"Yara Detections: DotNET_Reactor",
"Alerts: procmem_yara antisandbox_sleep persistence_autorun cape_detected_threat infostealer_cookies recon_fingerprint",
"Alerts: stealth_hidden_extension stealth_hiddenreg antidebug_guardpages dead_connect",
"Alerts: encrypted_ioc http_request powershell_download powershell_request dynamic_function_loading cape_extracted_content",
"Alerts: dropper injection_rwx network_dns_doh_tls network_http",
"DotNET_Reactor: System.Security.Cryptography.AesCryptoServiceProvider System.Security.Cryptography",
"DotNET_Reactor: System.Security.Cryptography ICryptoTransform",
"High Priority Check-ins: Banload HTTP Checkin Detected (envia.php) Win32.Meredrop Checkin Bancos Variant C2 Checkin 1",
"High Priority Alerts: spawns_dev_util modify_proxy infostealer_cookies",
"Yara Detections: NTKrnlPacker, NTkrnlSecureSuite01015NTkrnlSoftware, NTkrnlSecureSuiteNTkrnlteam",
"https://otx.alienvault.com/indicator/file/01accdb2c75f7b75e5f9744461fe927e6e1378e3bc1f943d02b0aa441bf65317",
"https://www.hybrid-analysis.com/sample/79cab9c299164fb9a6d8f009adc2529ee79feeb0b4ad383eedee0c36bbe041ec/665b7ebee6b33f252d0e64ec",
"Yara Detections stack_string , Armadillov1xxv2xx",
"https://otx.alienvault.com/indicator/file/4d1dbf5ccc25a7f5fa24bd48d92987ff6d4dba35",
"apple.finder-idevice.com | nr-data.net | https://appleid.com-dispositivo-perdido.com/ |"
],
"public": 1,
"adversary": "",
"targeted_countries": [
"United States of America"
],
"malware_families": [
{
"id": "Win.Keylogger.Susppack-9876601-0",
"display_name": "Win.Keylogger.Susppack-9876601-0",
"target": null
},
{
"id": "Win.Trojan.Sdum-9807706-0",
"display_name": "Win.Trojan.Sdum-9807706-0",
"target": null
},
{
"id": "Win32.Meredrop Checkin",
"display_name": "Win32.Meredrop Checkin",
"target": null
},
{
"id": "#Lowfi:HSTR:TrojanSpy:Win32/Bancos",
"display_name": "#Lowfi:HSTR:TrojanSpy:Win32/Bancos",
"target": null
},
{
"id": "Pdf.Phishing.TtraffRobotInstall-7605656-0",
"display_name": "Pdf.Phishing.TtraffRobotInstall-7605656-0",
"target": null
}
],
"attack_ids": [
{
"id": "T1060",
"name": "Registry Run Keys / Startup Folder",
"display_name": "T1060 - Registry Run Keys / Startup Folder"
},
{
"id": "T1119",
"name": "Automated Collection",
"display_name": "T1119 - Automated Collection"
},
{
"id": "T1071",
"name": "Application Layer Protocol",
"display_name": "T1071 - Application Layer Protocol"
},
{
"id": "T1105",
"name": "Ingress Tool Transfer",
"display_name": "T1105 - Ingress Tool Transfer"
},
{
"id": "T1553",
"name": "Subvert Trust Controls",
"display_name": "T1553 - Subvert Trust Controls"
},
{
"id": "T1568",
"name": "Dynamic Resolution",
"display_name": "T1568 - Dynamic Resolution"
},
{
"id": "T1583",
"name": "Acquire Infrastructure",
"display_name": "T1583 - Acquire Infrastructure"
},
{
"id": "T1583.001",
"name": "Domains",
"display_name": "T1583.001 - Domains"
},
{
"id": "T1553.002",
"name": "Code Signing",
"display_name": "T1553.002 - Code Signing"
},
{
"id": "T1071.004",
"name": "DNS",
"display_name": "T1071.004 - DNS"
},
{
"id": "T1568.002",
"name": "Domain Generation Algorithms",
"display_name": "T1568.002 - Domain Generation Algorithms"
},
{
"id": "T1041",
"name": "Exfiltration Over C2 Channel",
"display_name": "T1041 - Exfiltration Over C2 Channel"
},
{
"id": "T1048.002",
"name": "Exfiltration Over Asymmetric Encrypted Non-C2 Protocol",
"display_name": "T1048.002 - Exfiltration Over Asymmetric Encrypted Non-C2 Protocol"
},
{
"id": "T1102.002",
"name": "Bidirectional Communication",
"display_name": "T1102.002 - Bidirectional Communication"
},
{
"id": "TA0011",
"name": "Command and Control",
"display_name": "TA0011 - Command and Control"
},
{
"id": "T1184",
"name": "SSH Hijacking",
"display_name": "T1184 - SSH Hijacking"
},
{
"id": "T1198",
"name": "SIP and Trust Provider Hijacking",
"display_name": "T1198 - SIP and Trust Provider Hijacking"
},
{
"id": "T1416",
"name": "URI Hijacking",
"display_name": "T1416 - URI Hijacking"
},
{
"id": "T1415",
"name": "URL Scheme Hijacking",
"display_name": "T1415 - URL Scheme Hijacking"
},
{
"id": "T1566",
"name": "Phishing",
"display_name": "T1566 - Phishing"
},
{
"id": "T1434",
"name": "App Delivered via Email Attachment",
"display_name": "T1434 - App Delivered via Email Attachment"
}
],
"industries": [
"Technology",
"Telecommunications",
"Civil Society"
],
"TLP": "green",
"cloned_from": null,
"export_count": 45,
"upvotes_count": 0,
"downvotes_count": 0,
"votes_count": 0,
"locked": false,
"pulse_source": "web",
"validator_count": 0,
"comment_count": 0,
"follower_count": 0,
"vote": 0,
"author": {
"username": "scoreblue",
"id": "254100",
"avatar_url": "/otxapi/users/avatar_image/media/avatars/user_254100/resized/80/avatar_3b9c358f36.png",
"is_subscribed": false,
"is_following": false
},
"indicator_type_counts": {
"email": 8,
"FileHash-MD5": 167,
"FileHash-SHA1": 129,
"FileHash-SHA256": 2008,
"URL": 11241,
"domain": 1853,
"hostname": 4198,
"SSLCertFingerprint": 10,
"CVE": 1
},
"indicator_count": 19615,
"is_author": false,
"is_subscribing": null,
"subscriber_count": 226,
"modified_text": "591 days ago ",
"is_modified": true,
"groups": [],
"in_group": false,
"threat_hunter_scannable": true,
"threat_hunter_has_agents": 1,
"related_indicator_type": "URL",
"related_indicator_is_active": 1
},
{
"id": "653a092e3e9270a3ccff2aa0",
"name": "Apple iOS compromise. CVE Jar",
"description": "ASpeakSoft iOS iPhone Unlocker v1.0.36 Multilingual Portable.exe\nTargets Tsara Brashears iPhone unlocked, Total command and control. Dumping, remote access, hidden users, privilege escalation, malware spreading, tracking, defacement, libel, harassment. \n\nTarget at eminent risk",
"modified": "2024-08-28T12:01:51.699000",
"created": "2023-10-26T06:37:34.613000",
"tags": [
"apple ios",
"tsara brashears",
"unlocker",
"critical risk",
"cyberstalking",
"elf collection",
"apple phone",
"shell code",
"script",
"spyware",
"hacktool",
"installer",
"banker",
"keylogger",
"name verdict",
"falcon sandbox",
"beginstring",
"sha256",
"sha1",
"runtime process",
"segoe ui",
"internet",
"null",
"size",
"misc attack",
"unknown",
"error",
"span",
"date",
"body",
"refresh",
"class",
"generator",
"critical",
"tools",
"look",
"verify",
"restart",
"hybrid",
"general",
"click",
"strings",
"meta",
"hiddentears",
"PyInstaller",
"ransomware",
"verified",
"et",
"legal entities",
"phishing",
"e-devlet",
"buff achievement tracker",
"cyber warfare",
"malware",
"ransom",
"malware spreader",
"et malware",
"neurevt.a.betabot check in",
"atlassian",
"Tulach malware",
"shell code script",
"TrojanSpy",
"remote access",
"cve",
"collection",
"monitoring",
"cyber threat",
"cyber stalking",
"cybercrime",
"lockbin.1",
"python connection",
"elf",
"redirect",
"watchhers",
"tracking",
"fed",
"us",
"blob",
"vortex",
"Amazon aes",
"spyware",
"banker",
"synaptics",
"fraud service",
"python initiated connection",
"Trojan_Win_Generic_101",
"malware trojan",
"evader",
"contacted",
"execution",
"cobaltstrike",
"hacking_tool",
"trojan",
"cve exploit",
"red team tools",
"fireeye",
"noname057",
"adult content",
"pornographer",
"attack",
"unsafe",
"tulach malware",
"remote attacks",
"Rat"
],
"references": [
"1.116.132.182/weblogic_CVE_2020_2551.jar",
"http://1.116.132.182/.git/HEAD"
],
"public": 1,
"adversary": "[Unnamed group]",
"targeted_countries": [
"United States of America"
],
"malware_families": [
{
"id": "Verified",
"display_name": "Verified",
"target": null
},
{
"id": "ET",
"display_name": "ET",
"target": null
},
{
"id": "Colbalt Strike",
"display_name": "Colbalt Strike",
"target": null
},
{
"id": "TrojanSpy",
"display_name": "TrojanSpy",
"target": null
},
{
"id": "Emotet",
"display_name": "Emotet",
"target": null
},
{
"id": "HiddenTear",
"display_name": "HiddenTear",
"target": null
},
{
"id": "trojan.barys/cobalt",
"display_name": "trojan.barys/cobalt",
"target": null
},
{
"id": "NoName057",
"display_name": "NoName057",
"target": null
},
{
"id": "Network RAT",
"display_name": "Network RAT",
"target": null
}
],
"attack_ids": [
{
"id": "T1071",
"name": "Application Layer Protocol",
"display_name": "T1071 - Application Layer Protocol"
},
{
"id": "T1059.007",
"name": "JavaScript",
"display_name": "T1059.007 - JavaScript"
},
{
"id": "TA0011",
"name": "Command and Control",
"display_name": "TA0011 - Command and Control"
},
{
"id": "T1449",
"name": "Exploit SS7 to Redirect Phone Calls/SMS",
"display_name": "T1449 - Exploit SS7 to Redirect Phone Calls/SMS"
},
{
"id": "T1056.001",
"name": "Keylogging",
"display_name": "T1056.001 - Keylogging"
},
{
"id": "T1445",
"name": "Abuse of iOS Enterprise App Signing Key",
"display_name": "T1445 - Abuse of iOS Enterprise App Signing Key"
},
{
"id": "T1497",
"name": "Virtualization/Sandbox Evasion",
"display_name": "T1497 - Virtualization/Sandbox Evasion"
},
{
"id": "T1491",
"name": "Defacement",
"display_name": "T1491 - Defacement"
},
{
"id": "T1493",
"name": "Transmitted Data Manipulation",
"display_name": "T1493 - Transmitted Data Manipulation"
},
{
"id": "T1114",
"name": "Email Collection",
"display_name": "T1114 - Email Collection"
},
{
"id": "T1114.002",
"name": "Remote Email Collection",
"display_name": "T1114.002 - Remote Email Collection"
},
{
"id": "T1459",
"name": "Device Unlock Code Guessing or Brute Force",
"display_name": "T1459 - Device Unlock Code Guessing or Brute Force"
},
{
"id": "TA0004",
"name": "Privilege Escalation",
"display_name": "TA0004 - Privilege Escalation"
},
{
"id": "TA0006",
"name": "Credential Access",
"display_name": "TA0006 - Credential Access"
},
{
"id": "TA0002",
"name": "Execution",
"display_name": "TA0002 - Execution"
},
{
"id": "T1046",
"name": "Network Service Scanning",
"display_name": "T1046 - Network Service Scanning"
},
{
"id": "T1598",
"name": "Phishing for Information",
"display_name": "T1598 - Phishing for Information"
},
{
"id": "T1450",
"name": "Exploit SS7 to Track Device Location",
"display_name": "T1450 - Exploit SS7 to Track Device Location"
},
{
"id": "T1583.005",
"name": "Botnet",
"display_name": "T1583.005 - Botnet"
},
{
"id": "T1110.002",
"name": "Password Cracking",
"display_name": "T1110.002 - Password Cracking"
},
{
"id": "T1088",
"name": "Bypass User Account Control",
"display_name": "T1088 - Bypass User Account Control"
},
{
"id": "T1583.002",
"name": "DNS Server",
"display_name": "T1583.002 - DNS Server"
}
],
"industries": [],
"TLP": "white",
"cloned_from": null,
"export_count": 40,
"upvotes_count": 0,
"downvotes_count": 0,
"votes_count": 0,
"locked": false,
"pulse_source": "web",
"validator_count": 0,
"comment_count": 1,
"follower_count": 0,
"vote": 0,
"author": {
"username": "scoreblue",
"id": "254100",
"avatar_url": "/otxapi/users/avatar_image/media/avatars/user_254100/resized/80/avatar_3b9c358f36.png",
"is_subscribed": false,
"is_following": false
},
"indicator_type_counts": {
"FileHash-MD5": 99,
"FileHash-SHA1": 92,
"FileHash-SHA256": 984,
"URL": 2184,
"domain": 274,
"hostname": 782,
"CVE": 10
},
"indicator_count": 4425,
"is_author": false,
"is_subscribing": null,
"subscriber_count": 227,
"modified_text": "599 days ago ",
"is_modified": true,
"groups": [],
"in_group": false,
"threat_hunter_scannable": true,
"threat_hunter_has_agents": 1,
"related_indicator_type": "URL",
"related_indicator_is_active": 1
},
{
"id": "6694bb9be1b61bf820500004",
"name": "YouTube Creator Cyber Attacks | Jays Youtube Bot.exe | YT Botnet",
"description": "YouTube Creator account attacks. Critical alerts, botnets, YT bots. I cannot adequately describe attack right now. Retaliation for targets YT channel Song Culture stems from retaliation shortly after a crime against target. Id be interested to learn more. An ITC Intercepter records traffic passed through Song Culture YouTube channel m redirects to other channels. Not reflected in the 1.5 million followers or the 3.2 million views. They just stopped. Then managing director was notified as all of Song Cultures social media Twitter, Instagram, Pinterest succumbed to Emotet attack. Social engineering did occur. Several parties. Alleged eBay , health insurance representatives, an attorney, alleged PI's music managers contacted by phone. A man from Great Britain also began an SE campaign, The strange part is following, confrontations, dangerous attacks, MIB, and other curious in person encounter, critical injuries, financial devastation has caused target to remain isolated.",
"modified": "2024-08-14T05:03:59.815000",
"created": "2024-07-15T06:03:07.423000",
"tags": [
"historical ssl",
"referrer",
"december",
"sneaky server",
"replacement",
"unauthorized",
"high level",
"hackers",
"highly targeted",
"cyber attack",
"emotet",
"critical",
"copy",
"united",
"command decode",
"suricata ipv4",
"mitre att",
"ck id",
"show technique",
"ck matrix",
"sha1",
"name server",
"date",
"hybrid",
"general",
"click",
"strings",
"contact",
"song culture",
"tsara lynn",
"culture",
"chime sa",
"mediawarning",
"youtube twitter",
"secchuabitness",
"secchuamodel",
"secchuawow64",
"secchuaplatform",
"pragma",
"form",
"hope",
"karma",
"learn",
"suspicious",
"flag",
"pe resource",
"synaptics",
"apeaksoft ios",
"hiddentear",
"urls",
"domains",
"contacted",
"markmonitor",
"win32 exe",
"parents",
"type name",
"msrsaapp",
"youtube bot",
"rar jays",
"mozilla firefox",
"twitch",
"samplename",
"rar youtube",
"zip youtube",
"social bots",
"files",
"file type",
"kb file",
"b file",
"graph",
"get https",
"msie",
"windows nt",
"win64",
"slcc2",
"media center",
"request",
"gmt server",
"referer https",
"amd64 accept",
"accept",
"code",
"rwx memory",
"managed code",
"calls unmanaged",
"native",
"often seen",
"base64 encrypt",
"trojan",
"tsara brashears",
"red team hacking",
"process32nextw",
"regsetvalueexa",
"regdword",
"high",
"medium",
"objects",
"regbinary",
"module load",
"t1129",
"t1060",
"crash",
"dock",
"persistence",
"execution",
"okhfjrtblzo",
"ip check",
"windows",
"http host",
"controlservice",
"domain",
"registry",
"tools",
"service",
"worm",
"malware",
"win32",
"bits",
"read c",
"intel",
"ms windows",
"pe32",
"search",
"type read",
"show",
"wow64",
"stop",
"write",
"unknown",
"waiting",
"push",
"next",
"asnone united",
"aaaa",
"united kingdom",
"as20738 host",
"moved",
"passive dns",
"default",
"delete c",
"pe32 executable",
"document file",
"v2 document",
"floodfix",
"floxif",
"name servers",
"susp",
"showing",
"as55286",
"scan endpoints",
"all scoreblue",
"ransom",
"amadey",
"songculture",
"spreader",
"tracey richter",
"roberts",
"michael roberts",
"jays",
"sabey",
"rexxfield",
"darklivity"
],
"references": [
"https://www.youtube.com/watch?v=GyuMozsVyYs [Emotet] Jays Youtube Bot.exe",
"https://www.virustotal.com/gui/url/b766d444d21c2ad2d777ae4a5ef7b7b7b97f2097805732e9651834e0a76be1f4/details",
"Jays Youtube Bot.exe > FileHash-SHA256\t00514527e00ee001d042",
"Matches rule DotNet_Reactor from ruleset DotNet_Reactor by @bartblaze",
"https://www.virustotal.com/gui/file/00514527e00ee001d042e5963b7c69f01060c4b4bc5064319c4af853a3d162c5/detection",
"m.pornsexer.xxx.3.1.adiosfil.roksit.net",
"http://freedns.afraid.org/subdomain/edit.php?data_id=21091713",
"Ransom: message.htm.com",
"Antivirus Detections: Win.Virus.Pioneer-9111434-0 , Virus:Win32/Floxif.H | IDS Detections: Win32.Floxif.A Checkin 403 Forbidden",
"Yara Detections: stack_string , KERNEL32_DLL_xor_exe_key_197 , xor_0xc5_This_program",
"Alerts: dead_host network_icmp nolookup_communication persistence_autorun installs_bho",
"Alerts: modifies_proxy_wpad multiple_useragents injection_resumethread antivm_vmware_in_instruction",
"Alerts: dumped_buffer network_cnc_http network_http allocates_rwx applcation_raises_exception",
"Alerts: infostealer_browser creates_exe suspicious_process modifies_certificates stealth_window exe_appdata",
"Antivirus Detections: Win32:Renos-KY\\ [Trj] , Win.Worm.Pykspa-6057105-0 , Worm:Win32/Pykspa.C IDS Detections Win32/Pykspa.C Public IP Check IP Check Domain (whatismyip in HTTP Host) IP Check Domain (showmyipaddress .com in HTTP Host) IP Check Domain (whatismyipaddress .com in HTTP Host) 403 Forbidden Yara Detections None Alerts network_icmp disables_security antiav_servicestop antisandbox_sleep persistence_autorun modify_uac_prompt antivm_vmware_in_instruction network_http recon_checkip creates_exe create",
"Win32:Renos-KY\\ [Trj] , Win.Worm.Pykspa , Worm:Win32/Pykspa.C: FileHash-SHA256 0000294999c616c2dc6722880830752e826f2c11719c926ef3e62f7b0ef1e0bd trojan",
"https://otx.alienvault.com/indicator/file/0000294999c616c2dc6722880830752e826f2c11719c926ef3e62f7b0ef1e0bd",
"Jays Youtube Bot.exe | **http://ur.now.afraid.org/update/bft.exe | https://avsono.com/networkmanager/ | http://fatah.afraid.org/files/books/Embedded.Linux.Programming.pdf",
"https://otx.alienvault.com/indicator/file/da06b3d7e20045b6edad50f28ce8bac1",
"FileHash-MD5 da06b3d7e20045b6edad50f28ce8bac1",
"Antivirus Detections: Win.Virus.Pioneer-9111434-0 , Virus:Win32/Floxif.H",
"IDS Detections: Win32.Floxif.A Checkin 403 Forbidden | |",
"Yara Detections: stack_string , KERNEL32_DLL_xor_exe_key_197 , xor_0xc5_This_program",
"Alerts: dead_host network_icmp nolookup_communication persistence_autorun installs_bho modifies_certificates",
"Alerts: modifies_proxy_wpad multiple_useragents injection_resumethread antivm_vmware_in_instruction",
"Alerts: dumped_buffer network_cnc_http network_http allocates_rwx applcation_raises_exception infostealer_browser",
"Alerts: stealth_windowcreates_exe suspicious_process exe_appdata",
"http://jofu93hf9fdsl.canadacaregiverconsulting.com/pclianyeapp/1167.jpg [Tsara Brashears > Song Culture & Samantha Borrego> dorkingbeaty]",
"https://otx.alienvault.com/indicator/url/http://jofu93hf9fdsl.canadacaregiverconsulting.com/pclianyeapp/1167.jpg",
"https://otx.alienvault.com/indicator/url/https://my.newzapp.co.uk/t/click/1684555348/129495091/17547390 [Target:SongCulture/Tsara Brashears YT]",
"Related somehow, pulse modified by?https://otx.alienvault.com/pulse/65e843669f4ba77affa4b297",
"http://ur.now.afraid.org/update/bft.exe (Joshua Anderson Address 4120 Douglas Blvd #306-199 City\tGranite Bay Country US ?)",
"https://otx.alienvault.com/indicator/domain/mywebsitetransfer.com [really?]"
],
"public": 1,
"adversary": "",
"targeted_countries": [
"United States of America"
],
"malware_families": [
{
"id": "Backdoor.Xtreme",
"display_name": "Backdoor.Xtreme",
"target": null
},
{
"id": "W32.AIDetectMalware.CS",
"display_name": "W32.AIDetectMalware.CS",
"target": null
},
{
"id": "Win.Virus.Pioneer-9111434-0",
"display_name": "Win.Virus.Pioneer-9111434-0",
"target": null
},
{
"id": "Virus:Win32/Floxif.H",
"display_name": "Virus:Win32/Floxif.H",
"target": "/malware/Virus:Win32/Floxif.H"
},
{
"id": "Win32:Renos-KY\\ [Trj]",
"display_name": "Win32:Renos-KY\\ [Trj]",
"target": null
},
{
"id": ", Win.Worm.Pykspa-6057105-0",
"display_name": ", Win.Worm.Pykspa-6057105-0",
"target": null
},
{
"id": "Worm:Win32/Pykspa.C",
"display_name": "Worm:Win32/Pykspa.C",
"target": "/malware/Worm:Win32/Pykspa.C"
},
{
"id": "PUP/Hacktool",
"display_name": "PUP/Hacktool",
"target": null
},
{
"id": "Emotet",
"display_name": "Emotet",
"target": null
}
],
"attack_ids": [
{
"id": "T1027",
"name": "Obfuscated Files or Information",
"display_name": "T1027 - Obfuscated Files or Information"
},
{
"id": "T1057",
"name": "Process Discovery",
"display_name": "T1057 - Process Discovery"
},
{
"id": "T1071",
"name": "Application Layer Protocol",
"display_name": "T1071 - Application Layer Protocol"
},
{
"id": "T1105",
"name": "Ingress Tool Transfer",
"display_name": "T1105 - Ingress Tool Transfer"
},
{
"id": "T1129",
"name": "Shared Modules",
"display_name": "T1129 - Shared Modules"
},
{
"id": "T1518",
"name": "Software Discovery",
"display_name": "T1518 - Software Discovery"
},
{
"id": "T1553",
"name": "Subvert Trust Controls",
"display_name": "T1553 - Subvert Trust Controls"
},
{
"id": "T1568",
"name": "Dynamic Resolution",
"display_name": "T1568 - Dynamic Resolution"
},
{
"id": "T1583",
"name": "Acquire Infrastructure",
"display_name": "T1583 - Acquire Infrastructure"
},
{
"id": "T1125",
"name": "Video Capture",
"display_name": "T1125 - Video Capture"
},
{
"id": "T1003",
"name": "OS Credential Dumping",
"display_name": "T1003 - OS Credential Dumping"
},
{
"id": "T1005",
"name": "Data from Local System",
"display_name": "T1005 - Data from Local System"
},
{
"id": "T1040",
"name": "Network Sniffing",
"display_name": "T1040 - Network Sniffing"
},
{
"id": "T1053",
"name": "Scheduled Task/Job",
"display_name": "T1053 - Scheduled Task/Job"
},
{
"id": "T1055",
"name": "Process Injection",
"display_name": "T1055 - Process Injection"
},
{
"id": "T1060",
"name": "Registry Run Keys / Startup Folder",
"display_name": "T1060 - Registry Run Keys / Startup Folder"
},
{
"id": "T1081",
"name": "Credentials in Files",
"display_name": "T1081 - Credentials in Files"
},
{
"id": "T1112",
"name": "Modify Registry",
"display_name": "T1112 - Modify Registry"
},
{
"id": "T1119",
"name": "Automated Collection",
"display_name": "T1119 - Automated Collection"
},
{
"id": "T1143",
"name": "Hidden Window",
"display_name": "T1143 - Hidden Window"
},
{
"id": "T1031",
"name": "Modify Existing Service",
"display_name": "T1031 - Modify Existing Service"
},
{
"id": "T1045",
"name": "Software Packing",
"display_name": "T1045 - Software Packing"
},
{
"id": "T1082",
"name": "System Information Discovery",
"display_name": "T1082 - System Information Discovery"
},
{
"id": "T1088",
"name": "Bypass User Account Control",
"display_name": "T1088 - Bypass User Account Control"
},
{
"id": "T1089",
"name": "Disabling Security Tools",
"display_name": "T1089 - Disabling Security Tools"
},
{
"id": "T1158",
"name": "Hidden Files and Directories",
"display_name": "T1158 - Hidden Files and Directories"
},
{
"id": "T1012",
"name": "Query Registry",
"display_name": "T1012 - Query Registry"
},
{
"id": "T1583.005",
"name": "Botnet",
"display_name": "T1583.005 - Botnet"
},
{
"id": "T1584.005",
"name": "Botnet",
"display_name": "T1584.005 - Botnet"
},
{
"id": "T1133",
"name": "External Remote Services",
"display_name": "T1133 - External Remote Services"
},
{
"id": "T1210",
"name": "Exploitation of Remote Services",
"display_name": "T1210 - Exploitation of Remote Services"
}
],
"industries": [],
"TLP": "green",
"cloned_from": null,
"export_count": 20,
"upvotes_count": 0,
"downvotes_count": 0,
"votes_count": 0,
"locked": false,
"pulse_source": "web",
"validator_count": 0,
"comment_count": 0,
"follower_count": 0,
"vote": 0,
"author": {
"username": "scoreblue",
"id": "254100",
"avatar_url": "/otxapi/users/avatar_image/media/avatars/user_254100/resized/80/avatar_3b9c358f36.png",
"is_subscribed": false,
"is_following": false
},
"indicator_type_counts": {
"FileHash-MD5": 439,
"FileHash-SHA1": 386,
"FileHash-SHA256": 2320,
"URL": 1873,
"domain": 478,
"hostname": 839,
"SSLCertFingerprint": 9,
"email": 7
},
"indicator_count": 6351,
"is_author": false,
"is_subscribing": null,
"subscriber_count": 227,
"modified_text": "613 days ago ",
"is_modified": true,
"groups": [],
"in_group": false,
"threat_hunter_scannable": true,
"threat_hunter_has_agents": 1,
"related_indicator_type": "URL",
"related_indicator_is_active": 1
},
{
"id": "6688e0ffb31d4881f3238713",
"name": "Google Spy engine | Tracking, Malware Repository",
"description": "www.W3.org https://www.searchw3.com/ > ww.google.com.uy. All tags auto populated. Did not spend time documenting all as pulse is quite large. I was able to prove the the compromises are active. I will make much smaller reports.\n(Botnet Commands, Google Spy engine | Tracking, Malware Repository, Stealer, iPhone unlocker)",
"modified": "2024-08-05T04:01:42.283000",
"created": "2024-07-06T06:15:27.994000",
"tags": [
"http response",
"final url",
"ip address",
"status code",
"body length",
"kb body",
"sha256",
"headers",
"expired",
"acceptencoding",
"html info",
"title home",
"tags viewport",
"trackers google",
"tag manager",
"gsddf3d2bzf",
"historical ssl",
"referrer",
"december",
"formbook",
"round",
"apple ios",
"tsara brashears",
"unlocker",
"collection",
"vt graph",
"socgholish",
"blister",
"hacktool",
"hiddentear",
"gootloader",
"agent tesla",
"crypto",
"installer",
"life",
"malware",
"open",
"korplug",
"tofsee",
"date",
"name servers",
"status",
"passive dns",
"urls",
"scan endpoints",
"all scoreblue",
"pulse submit",
"url analysis",
"files",
"no data",
"tag count",
"analyzer threat",
"ip summary",
"url summary",
"summary",
"sample",
"samples",
"detection list",
"heur",
"cisco umbrella",
"alexa top",
"million",
"site",
"alexa",
"maltiverse",
"xcnfe",
"safe site",
"phishing",
"remcos",
"malicious",
"miner",
"bank",
"agenttesla",
"agent",
"unknown",
"downloader",
"unsafe",
"trojan",
"detplock",
"artemis",
"networm",
"win64",
"redline stealer",
"limerat",
"venom rat",
"trojanspy",
"tld count",
"png image",
"jpeg image",
"rgba",
"exif standard",
"tiff image",
"pattern match",
"ascii text",
"united",
"jfif",
"sha1",
"core",
"general",
"starfield",
"hybrid",
"local",
"encrypt",
"click",
"strings",
"adobea",
"daga",
"as30148 sucuri",
"td tr",
"search",
"span td",
"as44273 host",
"creation date",
"a domains",
"xtra",
"meta",
"back",
"verdict",
"domain",
"aaaa",
"as15169 google",
"asnone united",
"nxdomain",
"sucuri security",
"a li",
"span",
"class",
"body",
"sucuri website",
"a div",
"authority",
"record value",
"showing",
"gmt content",
"x sucuri",
"high",
"related pulses",
"show",
"guard",
"entries",
"win32",
"west domains",
"next",
"ipv4",
"asnone germany",
"object",
"com cnt",
"dem fin",
"gov int",
"nav onl",
"phy pre",
"formbook cnc",
"checkin",
"found",
"error",
"code",
"create c",
"read c",
"delete",
"write",
"default",
"dock",
"execution",
"copy",
"xport",
"firewall",
"body doctype",
"section",
"dcrat",
"analyzer paste",
"iocs",
"hostnames",
"url https",
"blacklist",
"cl0p ransomware",
"zbot",
"malware site",
"team memscan",
"cl0p",
"algorithm",
"data",
"v3 serial",
"number",
"cus starizona",
"cngo daddy",
"g2 validity",
"subject public",
"key info",
"certificate",
"whois lookup",
"netrange",
"nethandle",
"net192",
"net1920000",
"as174",
"as3257",
"sucuri",
"sucur2",
"verisign",
"whois database",
"server",
"registrar abuse",
"icann whois",
"whois status",
"registrar iana",
"form",
"temple",
"first",
"android",
"win32 exe",
"html",
"bobby fischer",
"office open",
"detections type",
"name",
"pdf dealer",
"price list",
"pdf my",
"crime",
"taiwan unknown",
"as3462",
"as131148 bank",
"as21342",
"all search",
"otx scoreblue",
"pulse pulses",
"cname",
"as22612",
"as43350 nforce",
"win32upatre jun",
"expiration date",
"hostname",
"lowfi",
"date hash",
"avast avg",
"date checked",
"url hostname",
"server response",
"google safe",
"results jun",
"files show",
"registrar",
"china unknown",
"title",
"network",
"fakedout threat",
"urls http",
"maltiverse safe",
"malicious url",
"team",
"phishtank",
"services",
"botnet command",
"control server",
"mining",
"betabot",
"team malware",
"engineering",
"stealer",
"service",
"vawtrak",
"virut",
"emotet",
"simda",
"redline",
"fri oct",
"media sharing",
"known infection source",
"bot networks",
"malware",
"malware repository",
"spyware"
],
"references": [
"https://www.searchw3.com/ = google.analytics.com, google.com, google.net, adservice.google.com.uy,https://plus.google.com/",
"ns1.google.com, nussbaumlaw-ca.webpkgcache.com, plus.google.com, tddctx-com.webpkgcache.com,",
"Ransomware: message.htm.com | nr-data.net [Apple Private Data Collection]",
"https://otx.alienvault.com/indicator/file/e590f6ad5d0a831e297ed14c29af8467085d33bb26216501b621fbe8e8eca23b",
"https://otx.alienvault.com/otxapi/indicators/file/screenshot/e590f6ad5d0a831e297ed14c29af8467085d33bb26216501b621fbe8e8eca23b",
"Alerts: ransomware_file_modifications script_created_process antivm_generic_bios antivm_generic_disk uses_windows_utilities",
"Alerts: cmdline_http_link clears_logs registry_credential_store_access infostealer_cookies recon_fingerprint",
"Alerts: anomalous_deletefile antidebug_guardpages antisandbox_sleep dynamic_function_loading encrypted_ioc reads_self",
"Alerts: stealth_window cmdline_http_link uses_windows_utilities suspicious_command_tools dead_connect",
"IP\u2019s Contacted: 192.124.249.187",
"Possible Fake AV Checkin Kazy/Kryptor/Cycbot Trojan Checkin BetterInstaller Win32.AdWare.iBryte.C Install Dooptroop CnC Beacon Win32/DownloadAssistant.A PUP CnC Win32.Sality-GR Checkin Win32/FlyStudio Activity W32/InstallRex.Adware Initial CnC Beacon PUP Win32/DownloadAssistant.A Checkin",
"Alerts: ransomware_file_modifications script_created_process antivm_generic_bios antivm_generic_disk antidebug_guardpages antisandbox_sleep dynamic_function_loading encrypted_ioc reads_self stealth_window cmdline_http_link uses_windows_utilities",
"Alerts: enumerates_physical_drives clears_logs registry_credential_store_access infostealer_cookies recon_fingerprint suspicious_command_tools anomalous_deletefile",
"Alerts: clears_logs registry_credential_store_access infostealer_cookies recon_fingerprint suspicious_command_tools anomalous_deletefile antidebug_guardpages antisandbox_sleep dynamic_function_loading encrypted_ioc reads_self stealth_window cmdline_http_link uses_windows_utilities",
"www.google.com/images/branding/googlelogo/1x/googlelogo, https://www.google.com/recaptcha/api.js?onload=recaptchaCallback&render=explicit&hl=",
"www.google.com/images/branding/googlelogo/2x/googlelogo, www.google.com/images/errors/robot.png, www.google.com, www.google.com/"
],
"public": 1,
"adversary": "",
"targeted_countries": [],
"malware_families": [
{
"id": "TrojanSpy",
"display_name": "TrojanSpy",
"target": null
},
{
"id": "Cl0p",
"display_name": "Cl0p",
"target": null
},
{
"id": "RedLine",
"display_name": "RedLine",
"target": null
}
],
"attack_ids": [
{
"id": "T1027",
"name": "Obfuscated Files or Information",
"display_name": "T1027 - Obfuscated Files or Information"
},
{
"id": "T1071",
"name": "Application Layer Protocol",
"display_name": "T1071 - Application Layer Protocol"
},
{
"id": "T1105",
"name": "Ingress Tool Transfer",
"display_name": "T1105 - Ingress Tool Transfer"
},
{
"id": "T1114",
"name": "Email Collection",
"display_name": "T1114 - Email Collection"
},
{
"id": "T1553",
"name": "Subvert Trust Controls",
"display_name": "T1553 - Subvert Trust Controls"
},
{
"id": "T1568",
"name": "Dynamic Resolution",
"display_name": "T1568 - Dynamic Resolution"
},
{
"id": "T1583",
"name": "Acquire Infrastructure",
"display_name": "T1583 - Acquire Infrastructure"
},
{
"id": "T1119",
"name": "Automated Collection",
"display_name": "T1119 - Automated Collection"
},
{
"id": "T1053",
"name": "Scheduled Task/Job",
"display_name": "T1053 - Scheduled Task/Job"
},
{
"id": "T1055",
"name": "Process Injection",
"display_name": "T1055 - Process Injection"
},
{
"id": "T1082",
"name": "System Information Discovery",
"display_name": "T1082 - System Information Discovery"
},
{
"id": "T1129",
"name": "Shared Modules",
"display_name": "T1129 - Shared Modules"
},
{
"id": "T1143",
"name": "Hidden Window",
"display_name": "T1143 - Hidden Window"
}
],
"industries": [],
"TLP": "green",
"cloned_from": null,
"export_count": 89,
"upvotes_count": 0,
"downvotes_count": 0,
"votes_count": 0,
"locked": false,
"pulse_source": "web",
"validator_count": 0,
"comment_count": 0,
"follower_count": 0,
"vote": 0,
"author": {
"username": "scoreblue",
"id": "254100",
"avatar_url": "/otxapi/users/avatar_image/media/avatars/user_254100/resized/80/avatar_3b9c358f36.png",
"is_subscribed": false,
"is_following": false
},
"indicator_type_counts": {
"FileHash-SHA256": 4080,
"URL": 11952,
"hostname": 4638,
"domain": 4301,
"FileHash-MD5": 2236,
"FileHash-SHA1": 1140,
"CVE": 8,
"SSLCertFingerprint": 20,
"email": 8,
"CIDR": 1
},
"indicator_count": 28384,
"is_author": false,
"is_subscribing": null,
"subscriber_count": 229,
"modified_text": "622 days ago ",
"is_modified": true,
"groups": [],
"in_group": false,
"threat_hunter_scannable": true,
"threat_hunter_has_agents": 1,
"related_indicator_type": "URL",
"related_indicator_is_active": 1
},
{
"id": "6688e142f0c8f5ddecbc788c",
"name": "Google Spy engine | Tracking, Malware Repository",
"description": "www.W3.org https://www.searchw3.com/ > ww.google.com.uy. All tags auto populated. Did not spend time documenting all as pulse is quite large. I was able to prove the the compromises are active. I will make much smaller reports.\n(Botnet Commands, Google Spy engine | Tracking, Malware Repository, Stealer, iPhone unlocker)",
"modified": "2024-08-05T04:01:42.283000",
"created": "2024-07-06T06:16:34.388000",
"tags": [
"http response",
"final url",
"ip address",
"status code",
"body length",
"kb body",
"sha256",
"headers",
"expired",
"acceptencoding",
"html info",
"title home",
"tags viewport",
"trackers google",
"tag manager",
"gsddf3d2bzf",
"historical ssl",
"referrer",
"december",
"formbook",
"round",
"apple ios",
"tsara brashears",
"unlocker",
"collection",
"vt graph",
"socgholish",
"blister",
"hacktool",
"hiddentear",
"gootloader",
"agent tesla",
"crypto",
"installer",
"life",
"malware",
"open",
"korplug",
"tofsee",
"date",
"name servers",
"status",
"passive dns",
"urls",
"scan endpoints",
"all scoreblue",
"pulse submit",
"url analysis",
"files",
"no data",
"tag count",
"analyzer threat",
"ip summary",
"url summary",
"summary",
"sample",
"samples",
"detection list",
"heur",
"cisco umbrella",
"alexa top",
"million",
"site",
"alexa",
"maltiverse",
"xcnfe",
"safe site",
"phishing",
"remcos",
"malicious",
"miner",
"bank",
"agenttesla",
"agent",
"unknown",
"downloader",
"unsafe",
"trojan",
"detplock",
"artemis",
"networm",
"win64",
"redline stealer",
"limerat",
"venom rat",
"trojanspy",
"tld count",
"png image",
"jpeg image",
"rgba",
"exif standard",
"tiff image",
"pattern match",
"ascii text",
"united",
"jfif",
"sha1",
"core",
"general",
"starfield",
"hybrid",
"local",
"encrypt",
"click",
"strings",
"adobea",
"daga",
"as30148 sucuri",
"td tr",
"search",
"span td",
"as44273 host",
"creation date",
"a domains",
"xtra",
"meta",
"back",
"verdict",
"domain",
"aaaa",
"as15169 google",
"asnone united",
"nxdomain",
"sucuri security",
"a li",
"span",
"class",
"body",
"sucuri website",
"a div",
"authority",
"record value",
"showing",
"gmt content",
"x sucuri",
"high",
"related pulses",
"show",
"guard",
"entries",
"win32",
"west domains",
"next",
"ipv4",
"asnone germany",
"object",
"com cnt",
"dem fin",
"gov int",
"nav onl",
"phy pre",
"formbook cnc",
"checkin",
"found",
"error",
"code",
"create c",
"read c",
"delete",
"write",
"default",
"dock",
"execution",
"copy",
"xport",
"firewall",
"body doctype",
"section",
"dcrat",
"analyzer paste",
"iocs",
"hostnames",
"url https",
"blacklist",
"cl0p ransomware",
"zbot",
"malware site",
"team memscan",
"cl0p",
"algorithm",
"data",
"v3 serial",
"number",
"cus starizona",
"cngo daddy",
"g2 validity",
"subject public",
"key info",
"certificate",
"whois lookup",
"netrange",
"nethandle",
"net192",
"net1920000",
"as174",
"as3257",
"sucuri",
"sucur2",
"verisign",
"whois database",
"server",
"registrar abuse",
"icann whois",
"whois status",
"registrar iana",
"form",
"temple",
"first",
"android",
"win32 exe",
"html",
"bobby fischer",
"office open",
"detections type",
"name",
"pdf dealer",
"price list",
"pdf my",
"crime",
"taiwan unknown",
"as3462",
"as131148 bank",
"as21342",
"all search",
"otx scoreblue",
"pulse pulses",
"cname",
"as22612",
"as43350 nforce",
"win32upatre jun",
"expiration date",
"hostname",
"lowfi",
"date hash",
"avast avg",
"date checked",
"url hostname",
"server response",
"google safe",
"results jun",
"files show",
"registrar",
"china unknown",
"title",
"network",
"fakedout threat",
"urls http",
"maltiverse safe",
"malicious url",
"team",
"phishtank",
"services",
"botnet command",
"control server",
"mining",
"betabot",
"team malware",
"engineering",
"stealer",
"service",
"vawtrak",
"virut",
"emotet",
"simda",
"redline",
"fri oct",
"media sharing",
"known infection source",
"bot networks",
"malware",
"malware repository",
"spyware"
],
"references": [
"https://www.searchw3.com/ = google.analytics.com, google.com, google.net, adservice.google.com.uy,https://plus.google.com/",
"ns1.google.com, nussbaumlaw-ca.webpkgcache.com, plus.google.com, tddctx-com.webpkgcache.com,",
"Ransomware: message.htm.com | nr-data.net [Apple Private Data Collection]",
"https://otx.alienvault.com/indicator/file/e590f6ad5d0a831e297ed14c29af8467085d33bb26216501b621fbe8e8eca23b",
"https://otx.alienvault.com/otxapi/indicators/file/screenshot/e590f6ad5d0a831e297ed14c29af8467085d33bb26216501b621fbe8e8eca23b",
"Alerts: ransomware_file_modifications script_created_process antivm_generic_bios antivm_generic_disk uses_windows_utilities",
"Alerts: cmdline_http_link clears_logs registry_credential_store_access infostealer_cookies recon_fingerprint",
"Alerts: anomalous_deletefile antidebug_guardpages antisandbox_sleep dynamic_function_loading encrypted_ioc reads_self",
"Alerts: stealth_window cmdline_http_link uses_windows_utilities suspicious_command_tools dead_connect",
"IP\u2019s Contacted: 192.124.249.187",
"Possible Fake AV Checkin Kazy/Kryptor/Cycbot Trojan Checkin BetterInstaller Win32.AdWare.iBryte.C Install Dooptroop CnC Beacon Win32/DownloadAssistant.A PUP CnC Win32.Sality-GR Checkin Win32/FlyStudio Activity W32/InstallRex.Adware Initial CnC Beacon PUP Win32/DownloadAssistant.A Checkin",
"Alerts: ransomware_file_modifications script_created_process antivm_generic_bios antivm_generic_disk antidebug_guardpages antisandbox_sleep dynamic_function_loading encrypted_ioc reads_self stealth_window cmdline_http_link uses_windows_utilities",
"Alerts: enumerates_physical_drives clears_logs registry_credential_store_access infostealer_cookies recon_fingerprint suspicious_command_tools anomalous_deletefile",
"Alerts: clears_logs registry_credential_store_access infostealer_cookies recon_fingerprint suspicious_command_tools anomalous_deletefile antidebug_guardpages antisandbox_sleep dynamic_function_loading encrypted_ioc reads_self stealth_window cmdline_http_link uses_windows_utilities",
"www.google.com/images/branding/googlelogo/1x/googlelogo, https://www.google.com/recaptcha/api.js?onload=recaptchaCallback&render=explicit&hl=",
"www.google.com/images/branding/googlelogo/2x/googlelogo, www.google.com/images/errors/robot.png, www.google.com, www.google.com/"
],
"public": 1,
"adversary": "",
"targeted_countries": [],
"malware_families": [
{
"id": "TrojanSpy",
"display_name": "TrojanSpy",
"target": null
},
{
"id": "Cl0p",
"display_name": "Cl0p",
"target": null
},
{
"id": "RedLine",
"display_name": "RedLine",
"target": null
}
],
"attack_ids": [
{
"id": "T1027",
"name": "Obfuscated Files or Information",
"display_name": "T1027 - Obfuscated Files or Information"
},
{
"id": "T1071",
"name": "Application Layer Protocol",
"display_name": "T1071 - Application Layer Protocol"
},
{
"id": "T1105",
"name": "Ingress Tool Transfer",
"display_name": "T1105 - Ingress Tool Transfer"
},
{
"id": "T1114",
"name": "Email Collection",
"display_name": "T1114 - Email Collection"
},
{
"id": "T1553",
"name": "Subvert Trust Controls",
"display_name": "T1553 - Subvert Trust Controls"
},
{
"id": "T1568",
"name": "Dynamic Resolution",
"display_name": "T1568 - Dynamic Resolution"
},
{
"id": "T1583",
"name": "Acquire Infrastructure",
"display_name": "T1583 - Acquire Infrastructure"
},
{
"id": "T1119",
"name": "Automated Collection",
"display_name": "T1119 - Automated Collection"
},
{
"id": "T1053",
"name": "Scheduled Task/Job",
"display_name": "T1053 - Scheduled Task/Job"
},
{
"id": "T1055",
"name": "Process Injection",
"display_name": "T1055 - Process Injection"
},
{
"id": "T1082",
"name": "System Information Discovery",
"display_name": "T1082 - System Information Discovery"
},
{
"id": "T1129",
"name": "Shared Modules",
"display_name": "T1129 - Shared Modules"
},
{
"id": "T1143",
"name": "Hidden Window",
"display_name": "T1143 - Hidden Window"
}
],
"industries": [],
"TLP": "green",
"cloned_from": null,
"export_count": 94,
"upvotes_count": 0,
"downvotes_count": 0,
"votes_count": 0,
"locked": false,
"pulse_source": "web",
"validator_count": 0,
"comment_count": 0,
"follower_count": 0,
"vote": 0,
"author": {
"username": "scoreblue",
"id": "254100",
"avatar_url": "/otxapi/users/avatar_image/media/avatars/user_254100/resized/80/avatar_3b9c358f36.png",
"is_subscribed": false,
"is_following": false
},
"indicator_type_counts": {
"FileHash-SHA256": 4080,
"URL": 11952,
"hostname": 4638,
"domain": 4301,
"FileHash-MD5": 2236,
"FileHash-SHA1": 1140,
"CVE": 8,
"SSLCertFingerprint": 20,
"email": 8,
"CIDR": 1
},
"indicator_count": 28384,
"is_author": false,
"is_subscribing": null,
"subscriber_count": 230,
"modified_text": "622 days ago ",
"is_modified": true,
"groups": [],
"in_group": false,
"threat_hunter_scannable": true,
"threat_hunter_has_agents": 1,
"related_indicator_type": "URL",
"related_indicator_is_active": 1
},
{
"id": "6688e15588a794b95443b46d",
"name": "Google Spy engine | Tracking, Malware Repository",
"description": "www.W3.org https://www.searchw3.com/ > ww.google.com.uy. All tags auto populated. Did not spend time documenting all as pulse is quite large. I was able to prove the the compromises are active. I will make much smaller reports.\n(Botnet Commands, Google Spy engine | Tracking, Malware Repository, Stealer, iPhone unlocker)\nSorry so sloppy and large.\nAll tags , malware families and ATT&CK mechanisms auto populated",
"modified": "2024-08-05T02:03:31.529000",
"created": "2024-07-06T06:16:53.461000",
"tags": [
"http response",
"final url",
"ip address",
"status code",
"body length",
"kb body",
"sha256",
"headers",
"expired",
"acceptencoding",
"html info",
"title home",
"tags viewport",
"trackers google",
"tag manager",
"gsddf3d2bzf",
"historical ssl",
"referrer",
"december",
"formbook",
"round",
"apple ios",
"tsara brashears",
"unlocker",
"collection",
"vt graph",
"socgholish",
"blister",
"hacktool",
"hiddentear",
"gootloader",
"agent tesla",
"crypto",
"installer",
"life",
"malware",
"open",
"korplug",
"tofsee",
"date",
"name servers",
"status",
"passive dns",
"urls",
"scan endpoints",
"all scoreblue",
"pulse submit",
"url analysis",
"files",
"no data",
"tag count",
"analyzer threat",
"ip summary",
"url summary",
"summary",
"sample",
"samples",
"detection list",
"heur",
"cisco umbrella",
"alexa top",
"million",
"site",
"alexa",
"maltiverse",
"xcnfe",
"safe site",
"phishing",
"remcos",
"malicious",
"miner",
"bank",
"agenttesla",
"agent",
"unknown",
"downloader",
"unsafe",
"trojan",
"detplock",
"artemis",
"networm",
"win64",
"redline stealer",
"limerat",
"venom rat",
"trojanspy",
"tld count",
"png image",
"jpeg image",
"rgba",
"exif standard",
"tiff image",
"pattern match",
"ascii text",
"united",
"jfif",
"sha1",
"core",
"general",
"starfield",
"hybrid",
"local",
"encrypt",
"click",
"strings",
"adobea",
"daga",
"as30148 sucuri",
"td tr",
"search",
"span td",
"as44273 host",
"creation date",
"a domains",
"xtra",
"meta",
"back",
"verdict",
"domain",
"aaaa",
"as15169 google",
"asnone united",
"nxdomain",
"sucuri security",
"a li",
"span",
"class",
"body",
"sucuri website",
"a div",
"authority",
"record value",
"showing",
"gmt content",
"x sucuri",
"high",
"related pulses",
"show",
"guard",
"entries",
"win32",
"west domains",
"next",
"ipv4",
"asnone germany",
"object",
"com cnt",
"dem fin",
"gov int",
"nav onl",
"phy pre",
"formbook cnc",
"checkin",
"found",
"error",
"code",
"create c",
"read c",
"delete",
"write",
"default",
"dock",
"execution",
"copy",
"xport",
"firewall",
"body doctype",
"section",
"dcrat",
"analyzer paste",
"iocs",
"hostnames",
"url https",
"blacklist",
"cl0p ransomware",
"zbot",
"malware site",
"team memscan",
"cl0p",
"algorithm",
"data",
"v3 serial",
"number",
"cus starizona",
"cngo daddy",
"g2 validity",
"subject public",
"key info",
"certificate",
"whois lookup",
"netrange",
"nethandle",
"net192",
"net1920000",
"as174",
"as3257",
"sucuri",
"sucur2",
"verisign",
"whois database",
"server",
"registrar abuse",
"icann whois",
"whois status",
"registrar iana",
"form",
"temple",
"first",
"android",
"win32 exe",
"html",
"bobby fischer",
"office open",
"detections type",
"name",
"pdf dealer",
"price list",
"pdf my",
"crime",
"taiwan unknown",
"as3462",
"as131148 bank",
"as21342",
"all search",
"otx scoreblue",
"pulse pulses",
"cname",
"as22612",
"as43350 nforce",
"win32upatre jun",
"expiration date",
"hostname",
"lowfi",
"date hash",
"avast avg",
"date checked",
"url hostname",
"server response",
"google safe",
"results jun",
"files show",
"registrar",
"china unknown",
"title",
"file size",
"b file",
"detections file",
"gzip chrome",
"cache entry",
"graph",
"ip detections",
"country",
"domains",
"internet domain",
"service bs",
"corp",
"namecheap inc",
"csc corporate",
"tucows",
"epik llc",
"tucows domains"
],
"references": [
"https://www.searchw3.com/",
"IP\u2019s Contacted: 192.124.249.187",
"Ransomware: message.htm.com",
"https://otx.alienvault.com/indicator/file/e590f6ad5d0a831e297ed14c29af8467085d33bb26216501b621fbe8e8eca23b",
"https://otx.alienvault.com/otxapi/indicators/file/screenshot/e590f6ad5d0a831e297ed14c29af8467085d33bb26216501b621fbe8e8eca23b",
"Alerts: ransomware_file_modifications script_created_process antivm_generic_bios antivm_generic_disk uses_windows_utilities",
"Alerts: cmdline_http_link clears_logs registry_credential_store_access infostealer_cookies recon_fingerprint",
"Alerts: anomalous_deletefile antidebug_guardpages antisandbox_sleep dynamic_function_loading encrypted_ioc reads_self",
"Alerts: stealth_window cmdline_http_link uses_windows_utilities suspicious_command_tools dead_connect",
"192.124.249.187",
"Possible Fake AV Checkin Kazy/Kryptor/Cycbot Trojan Checkin BetterInstaller Win32.AdWare.iBryte.C Install Dooptroop CnC Beacon Win32/DownloadAssistant.A PUP CnC Win32.Sality-GR Checkin Win32/FlyStudio Activity W32/InstallRex.Adware Initial CnC Beacon PUP Win32/DownloadAssistant.A Checkin",
"Alerts: ransomware_file_modifications script_created_process antivm_generic_bios antivm_generic_disk enumerates_physical_drives clears_logs registry_credential_store_access infostealer_cookies recon_fingerprint suspicious_command_tools anomalous_deletefile antidebug_guardpages antisandbox_sleep dynamic_function_loading encrypted_ioc reads_self stealth_window cmdline_http_link uses_windows_utilities",
"Alerts: ransomware_file_modifications script_created_process antivm_generic_bios antivm_generic_disk enumerates_physical_drives clears_logs registry_credential_store_access infostealer_cookies recon_fingerprint suspicious_command_tools anomalous_deletefile antidebug_guardpages antisandbox_sleep dynamic_function_loading encrypted_ioc reads_self stealth_window cmdline_http_link uses_windows_utilities",
"Alerts: ransomware_file_modifications script_created_process antivm_generic_bios antivm_generic_disk enumerates_physical_drives clears_logs registry_credential_store_access infostealer_cookies recon_fingerprint suspicious_command_tools anomalous_deletefile antidebug_guardpages antisandbox_sleep dynamic_function_loading encrypted_ioc reads_self stealth_window cmdline_http_link uses_windows_utilities"
],
"public": 1,
"adversary": "",
"targeted_countries": [
"United States of America"
],
"malware_families": [
{
"id": "TrojanSpy",
"display_name": "TrojanSpy",
"target": null
},
{
"id": "Cl0p",
"display_name": "Cl0p",
"target": null
}
],
"attack_ids": [
{
"id": "T1027",
"name": "Obfuscated Files or Information",
"display_name": "T1027 - Obfuscated Files or Information"
},
{
"id": "T1071",
"name": "Application Layer Protocol",
"display_name": "T1071 - Application Layer Protocol"
},
{
"id": "T1105",
"name": "Ingress Tool Transfer",
"display_name": "T1105 - Ingress Tool Transfer"
},
{
"id": "T1114",
"name": "Email Collection",
"display_name": "T1114 - Email Collection"
},
{
"id": "T1553",
"name": "Subvert Trust Controls",
"display_name": "T1553 - Subvert Trust Controls"
},
{
"id": "T1568",
"name": "Dynamic Resolution",
"display_name": "T1568 - Dynamic Resolution"
},
{
"id": "T1583",
"name": "Acquire Infrastructure",
"display_name": "T1583 - Acquire Infrastructure"
},
{
"id": "T1119",
"name": "Automated Collection",
"display_name": "T1119 - Automated Collection"
},
{
"id": "T1053",
"name": "Scheduled Task/Job",
"display_name": "T1053 - Scheduled Task/Job"
},
{
"id": "T1055",
"name": "Process Injection",
"display_name": "T1055 - Process Injection"
},
{
"id": "T1082",
"name": "System Information Discovery",
"display_name": "T1082 - System Information Discovery"
},
{
"id": "T1129",
"name": "Shared Modules",
"display_name": "T1129 - Shared Modules"
},
{
"id": "T1143",
"name": "Hidden Window",
"display_name": "T1143 - Hidden Window"
}
],
"industries": [],
"TLP": "green",
"cloned_from": null,
"export_count": 73,
"upvotes_count": 0,
"downvotes_count": 0,
"votes_count": 0,
"locked": false,
"pulse_source": "web",
"validator_count": 0,
"comment_count": 0,
"follower_count": 0,
"vote": 0,
"author": {
"username": "scoreblue",
"id": "254100",
"avatar_url": "/otxapi/users/avatar_image/media/avatars/user_254100/resized/80/avatar_3b9c358f36.png",
"is_subscribed": false,
"is_following": false
},
"indicator_type_counts": {
"FileHash-SHA256": 3731,
"URL": 11926,
"hostname": 4626,
"domain": 4135,
"FileHash-MD5": 1530,
"FileHash-SHA1": 762,
"CVE": 8,
"SSLCertFingerprint": 20,
"email": 8,
"CIDR": 1
},
"indicator_count": 26747,
"is_author": false,
"is_subscribing": null,
"subscriber_count": 231,
"modified_text": "622 days ago ",
"is_modified": true,
"groups": [],
"in_group": false,
"threat_hunter_scannable": true,
"threat_hunter_has_agents": 1,
"related_indicator_type": "URL",
"related_indicator_is_active": 1
},
{
"id": "6681f6738d3aa876f83738d0",
"name": "USZoom [New York , USA] | iPostal1",
"description": "",
"modified": "2024-07-01T23:00:42.052000",
"created": "2024-07-01T00:21:07.491000",
"tags": [
"strong",
"story contact",
"us leadership",
"open menu",
"close menu",
"digital",
"thank",
"us zoom",
"skip",
"content home",
"enterprise",
"contact",
"threat roundup",
"august",
"historical ssl",
"april",
"referrer",
"formbook",
"ip check",
"vt graph",
"relacionada",
"cobalt strike",
"hiddentear",
"life",
"malware",
"open",
"mumblehard",
"sparkrat",
"attack",
"uszoom og",
"submission",
"analysis",
"utc http",
"response final",
"url https",
"ip address",
"status code",
"body length",
"kb body",
"graph api",
"status",
"content type",
"date",
"anchor hrefs",
"hrefs",
"cart contact",
"leadership",
"html info",
"title uszoom",
"meta tags",
"uszoom twitter",
"script tags",
"vhash htm",
"ssdeep",
"file type",
"html internet",
"magic html",
"ascii text",
"trid file",
"magika cttxt",
"file size",
"united",
"as20940",
"aaaa",
"canada",
"search",
"showing",
"cname",
"as35994 akamai",
"passive dns",
"next",
"as21928",
"unknown",
"urls",
"domain",
"creation date",
"emails",
"ipcounsel",
"scan endpoints",
"all scoreblue",
"ipv4",
"pulse submit",
"url analysis",
"files",
"invalid url",
"body",
"name servers",
"akamai",
"expiration date",
"asnone united",
"a nxdomain",
"india",
"as15224 adobe",
"bdclid",
"meta name",
"robots content",
"x ua",
"ieedge chrome1",
"incapsula",
"yara rule",
"high",
"explorer",
"alerts",
"less see",
"contacted",
"service",
"attempts",
"guard",
"url http",
"pulse pulses",
"http",
"related nids",
"files location",
"ip related",
"hostname",
"files ip",
"address domain",
"as46606",
"td td",
"script script",
"gmt path",
"create",
"website",
"set cookie",
"a td",
"win32",
"flash",
"pragma",
"cookie",
"xmpmm",
"png image",
"rgba",
"documentid",
"instanceid",
"creatortool",
"pattern match",
"adobe photoshop",
"macintosh",
"june",
"hybrid",
"local",
"encrypt",
"click",
"strings",
"anomalous_deletefile",
"info_stealer",
"et trojan",
"banload http",
"banload",
"ids detections",
"yara detections",
"bancos variant",
"c2 checkin",
"ntkrnlpacker",
"copy",
"meredrop",
"injection",
"e0e2edee",
"push",
"read",
"write",
"delete",
"entries",
"crlf line",
"anomalous file",
"medium",
"filehash",
"av detections",
"analysis date",
"file score",
"medium risk",
"detections none",
"related pulses",
"apple",
"apple id",
"apple private data collection",
"apple staging",
"t-mobile",
"metroby",
"keylogger"
],
"references": [
"https://uszoom.com/",
"http://www.dead-speak.com/ElectronicVoicePhenomena_EVP.htm",
"Malicious Score: 10",
"Yara Detections: DotNET_Reactor",
"Alerts: procmem_yara antisandbox_sleep persistence_autorun cape_detected_threat infostealer_cookies recon_fingerprint",
"Alerts: stealth_hidden_extension stealth_hiddenreg antidebug_guardpages dead_connect",
"Alerts: encrypted_ioc http_request powershell_download powershell_request dynamic_function_loading cape_extracted_content",
"Alerts: dropper injection_rwx network_dns_doh_tls network_http",
"DotNET_Reactor: System.Security.Cryptography.AesCryptoServiceProvider System.Security.Cryptography",
"DotNET_Reactor: System.Security.Cryptography ICryptoTransform",
"High Priority Check-ins: Banload HTTP Checkin Detected (envia.php) Win32.Meredrop Checkin Bancos Variant C2 Checkin 1",
"High Priority Alerts: spawns_dev_util modify_proxy infostealer_cookies",
"Yara Detections: NTKrnlPacker, NTkrnlSecureSuite01015NTkrnlSoftware, NTkrnlSecureSuiteNTkrnlteam",
"https://otx.alienvault.com/indicator/file/01accdb2c75f7b75e5f9744461fe927e6e1378e3bc1f943d02b0aa441bf65317",
"https://www.hybrid-analysis.com/sample/79cab9c299164fb9a6d8f009adc2529ee79feeb0b4ad383eedee0c36bbe041ec/665b7ebee6b33f252d0e64ec",
"Yara Detections stack_string , Armadillov1xxv2xx",
"https://otx.alienvault.com/indicator/file/4d1dbf5ccc25a7f5fa24bd48d92987ff6d4dba35",
"apple.finder-idevice.com | nr-data.net | https://appleid.com-dispositivo-perdido.com/ |"
],
"public": 1,
"adversary": "",
"targeted_countries": [
"United States of America"
],
"malware_families": [
{
"id": "Win.Keylogger.Susppack-9876601-0",
"display_name": "Win.Keylogger.Susppack-9876601-0",
"target": null
},
{
"id": "Win.Trojan.Sdum-9807706-0",
"display_name": "Win.Trojan.Sdum-9807706-0",
"target": null
},
{
"id": "Win32.Meredrop Checkin",
"display_name": "Win32.Meredrop Checkin",
"target": null
},
{
"id": "#Lowfi:HSTR:TrojanSpy:Win32/Bancos",
"display_name": "#Lowfi:HSTR:TrojanSpy:Win32/Bancos",
"target": null
},
{
"id": "Pdf.Phishing.TtraffRobotInstall-7605656-0",
"display_name": "Pdf.Phishing.TtraffRobotInstall-7605656-0",
"target": null
}
],
"attack_ids": [
{
"id": "T1060",
"name": "Registry Run Keys / Startup Folder",
"display_name": "T1060 - Registry Run Keys / Startup Folder"
},
{
"id": "T1119",
"name": "Automated Collection",
"display_name": "T1119 - Automated Collection"
},
{
"id": "T1071",
"name": "Application Layer Protocol",
"display_name": "T1071 - Application Layer Protocol"
},
{
"id": "T1105",
"name": "Ingress Tool Transfer",
"display_name": "T1105 - Ingress Tool Transfer"
},
{
"id": "T1553",
"name": "Subvert Trust Controls",
"display_name": "T1553 - Subvert Trust Controls"
},
{
"id": "T1568",
"name": "Dynamic Resolution",
"display_name": "T1568 - Dynamic Resolution"
},
{
"id": "T1583",
"name": "Acquire Infrastructure",
"display_name": "T1583 - Acquire Infrastructure"
},
{
"id": "T1583.001",
"name": "Domains",
"display_name": "T1583.001 - Domains"
},
{
"id": "T1553.002",
"name": "Code Signing",
"display_name": "T1553.002 - Code Signing"
},
{
"id": "T1071.004",
"name": "DNS",
"display_name": "T1071.004 - DNS"
},
{
"id": "T1568.002",
"name": "Domain Generation Algorithms",
"display_name": "T1568.002 - Domain Generation Algorithms"
},
{
"id": "T1041",
"name": "Exfiltration Over C2 Channel",
"display_name": "T1041 - Exfiltration Over C2 Channel"
},
{
"id": "T1048.002",
"name": "Exfiltration Over Asymmetric Encrypted Non-C2 Protocol",
"display_name": "T1048.002 - Exfiltration Over Asymmetric Encrypted Non-C2 Protocol"
},
{
"id": "T1102.002",
"name": "Bidirectional Communication",
"display_name": "T1102.002 - Bidirectional Communication"
},
{
"id": "TA0011",
"name": "Command and Control",
"display_name": "TA0011 - Command and Control"
},
{
"id": "T1184",
"name": "SSH Hijacking",
"display_name": "T1184 - SSH Hijacking"
},
{
"id": "T1198",
"name": "SIP and Trust Provider Hijacking",
"display_name": "T1198 - SIP and Trust Provider Hijacking"
},
{
"id": "T1416",
"name": "URI Hijacking",
"display_name": "T1416 - URI Hijacking"
},
{
"id": "T1415",
"name": "URL Scheme Hijacking",
"display_name": "T1415 - URL Scheme Hijacking"
},
{
"id": "T1566",
"name": "Phishing",
"display_name": "T1566 - Phishing"
},
{
"id": "T1434",
"name": "App Delivered via Email Attachment",
"display_name": "T1434 - App Delivered via Email Attachment"
}
],
"industries": [
"Technology",
"Telecommunications",
"Civil Society"
],
"TLP": "green",
"cloned_from": "665bb7679843a6dabe4560e3",
"export_count": 15,
"upvotes_count": 0,
"downvotes_count": 0,
"votes_count": 0,
"locked": false,
"pulse_source": "web",
"validator_count": 0,
"comment_count": 0,
"follower_count": 0,
"vote": 0,
"author": {
"username": "OctoSeek",
"id": "243548",
"avatar_url": "/otxapi/users/avatar_image/media/avatars/user_243548/resized/80/avatar_3b9c358f36.png",
"is_subscribed": false,
"is_following": false
},
"indicator_type_counts": {
"email": 8,
"FileHash-MD5": 167,
"FileHash-SHA1": 129,
"FileHash-SHA256": 1890,
"URL": 10360,
"domain": 1799,
"hostname": 3994,
"SSLCertFingerprint": 10,
"CVE": 1
},
"indicator_count": 18358,
"is_author": false,
"is_subscribing": null,
"subscriber_count": 222,
"modified_text": "656 days ago ",
"is_modified": true,
"groups": [],
"in_group": false,
"threat_hunter_scannable": true,
"threat_hunter_has_agents": 1,
"related_indicator_type": "URL",
"related_indicator_is_active": 1
},
{
"id": "65b85faa9b8e3e1206d7f25c",
"name": "Tsara Brashears Dead campaign | ET | Emotet Botnet | Injection ",
"description": "",
"modified": "2024-06-15T04:39:29.943000",
"created": "2024-01-30T02:32:10.210000",
"tags": [
"ioc search",
"new ioc",
"teams api",
"contact",
"threat analyzer",
"threat",
"paste",
"iocs",
"urls http",
"ssl certificate",
"whois record",
"historical ssl",
"whois whois",
"apple ios",
"contacted",
"tsara brashears",
"whois",
"resolutions",
"password",
"hacktool",
"crypto",
"execution",
"emotet",
"installer",
"banker",
"keylogger",
"critical",
"copy",
"content reputation",
"et",
"submission",
"comodo valkyrie",
"verdict",
"bitdefender",
"history first",
"analysis",
"utc http",
"response final",
"url http",
"search",
"entries",
"passive dns",
"urls",
"record value",
"unknown",
"united",
"gmt content",
"dynamic report",
"0 report",
"date",
"accept",
"name servers",
"scan endpoints",
"all octoseek",
"pulse pulses",
"http",
"ip address",
"related nids",
"files location",
"http response",
"final url",
"serving ip",
"address",
"ipv4",
"files",
"location china",
"asn as45090",
"dns resolutions",
"twitter",
"log id",
"gmtn",
"tls web",
"encrypt",
"ca issuers",
"f20b201c",
"b467295d",
"b2931e3f",
"false",
"as15169 google",
"domain",
"msie",
"windows nt",
"wow64",
"slcc2",
"media center",
"create c",
"write c",
"read c",
"medium",
"next",
"dock",
"write",
"persistence",
"delete c",
"path",
"xport",
"default",
"years ago",
"modified",
"created",
"email",
"active created",
"white",
"filehash",
"memcommit",
"tlsv1",
"show",
"win32",
"malware",
"get na",
"systemroot",
"starizona",
"lscottsdale",
"creation date",
"emails",
"domain name",
"showing",
"pulse submit",
"amazon",
"server ca",
"b535",
"tulach",
"hallrender",
"hallgrand",
"briansabey",
"brian sabey",
"mark",
"mark brian sabey",
"mark sabey",
"cybercrime",
"cyber stalking",
"botnet",
"evader",
"hacker",
"targeting"
],
"references": [
"http://www.dvd-game-new-releases.info/skin/tsara-brashears-dead.akp",
"dvd-game-new-releases.info",
"1.116.217.151 [Cobalt Strike]",
"https://www.myminiweb.com/",
"https://www.pornhub.com/gifs/search?search=tsara+lynn+brashears+lesbian",
"https://wallpapers-nature.com/tsara-brashears/tse1-mm-bing-net",
"http://alohatube.xyz/search/tsara-brashears",
"vtbehaviour.commondatastorage.googleapis.com",
"https://www.sweetheartvideo.com/tsara-brashears/",
"https://www.anyxxxtube.net/search-porn/tsara-brashears/",
"https://wallpapers-nature.com/tsara-brashears/tse1-mm-bing-net",
"https://tulach.cc/",
"ns3.hallgrandsale.ru"
],
"public": 1,
"adversary": "",
"targeted_countries": [],
"malware_families": [
{
"id": "Content Reputation",
"display_name": "Content Reputation",
"target": null
},
{
"id": "ET",
"display_name": "ET",
"target": null
},
{
"id": "Emotet",
"display_name": "Emotet",
"target": null
},
{
"id": "Cobalt Strike",
"display_name": "Cobalt Strike",
"target": null
},
{
"id": "HallRender",
"display_name": "HallRender",
"target": null
},
{
"id": "HallGrand",
"display_name": "HallGrand",
"target": null
},
{
"id": "Tulach",
"display_name": "Tulach",
"target": null
}
],
"attack_ids": [
{
"id": "T1071",
"name": "Application Layer Protocol",
"display_name": "T1071 - Application Layer Protocol"
},
{
"id": "T1053",
"name": "Scheduled Task/Job",
"display_name": "T1053 - Scheduled Task/Job"
},
{
"id": "T1055",
"name": "Process Injection",
"display_name": "T1055 - Process Injection"
},
{
"id": "T1082",
"name": "System Information Discovery",
"display_name": "T1082 - System Information Discovery"
},
{
"id": "T1112",
"name": "Modify Registry",
"display_name": "T1112 - Modify Registry"
},
{
"id": "T1119",
"name": "Automated Collection",
"display_name": "T1119 - Automated Collection"
},
{
"id": "T1129",
"name": "Shared Modules",
"display_name": "T1129 - Shared Modules"
},
{
"id": "T1143",
"name": "Hidden Window",
"display_name": "T1143 - Hidden Window"
},
{
"id": "T1140",
"name": "Deobfuscate/Decode Files or Information",
"display_name": "T1140 - Deobfuscate/Decode Files or Information"
},
{
"id": "T1106",
"name": "Native API",
"display_name": "T1106 - Native API"
},
{
"id": "T1060",
"name": "Registry Run Keys / Startup Folder",
"display_name": "T1060 - Registry Run Keys / Startup Folder"
},
{
"id": "T1056.001",
"name": "Keylogging",
"display_name": "T1056.001 - Keylogging"
},
{
"id": "TA0001",
"name": "Initial Access",
"display_name": "TA0001 - Initial Access"
},
{
"id": "TA0002",
"name": "Execution",
"display_name": "TA0002 - Execution"
},
{
"id": "TA0003",
"name": "Persistence",
"display_name": "TA0003 - Persistence"
},
{
"id": "TA0004",
"name": "Privilege Escalation",
"display_name": "TA0004 - Privilege Escalation"
},
{
"id": "TA0006",
"name": "Credential Access",
"display_name": "TA0006 - Credential Access"
},
{
"id": "TA0007",
"name": "Discovery",
"display_name": "TA0007 - Discovery"
},
{
"id": "TA0008",
"name": "Lateral Movement",
"display_name": "TA0008 - Lateral Movement"
},
{
"id": "TA0009",
"name": "Collection",
"display_name": "TA0009 - Collection"
},
{
"id": "TA0010",
"name": "Exfiltration",
"display_name": "TA0010 - Exfiltration"
},
{
"id": "TA0011",
"name": "Command and Control",
"display_name": "TA0011 - Command and Control"
},
{
"id": "T1449",
"name": "Exploit SS7 to Redirect Phone Calls/SMS",
"display_name": "T1449 - Exploit SS7 to Redirect Phone Calls/SMS"
},
{
"id": "T1059",
"name": "Command and Scripting Interpreter",
"display_name": "T1059 - Command and Scripting Interpreter"
},
{
"id": "T1583.005",
"name": "Botnet",
"display_name": "T1583.005 - Botnet"
},
{
"id": "T1059.002",
"name": "AppleScript",
"display_name": "T1059.002 - AppleScript"
}
],
"industries": [],
"TLP": "white",
"cloned_from": "659719b77c383c73c05208a9",
"export_count": 20,
"upvotes_count": 0,
"downvotes_count": 0,
"votes_count": 0,
"locked": false,
"pulse_source": "web",
"validator_count": 0,
"comment_count": 1,
"follower_count": 0,
"vote": 0,
"author": {
"username": "scoreblue",
"id": "254100",
"avatar_url": "/otxapi/users/avatar_image/media/avatars/user_254100/resized/80/avatar_3b9c358f36.png",
"is_subscribed": false,
"is_following": false
},
"indicator_type_counts": {
"URL": 13324,
"FileHash-MD5": 718,
"FileHash-SHA1": 617,
"FileHash-SHA256": 5761,
"domain": 3503,
"hostname": 4475,
"CVE": 1,
"email": 3,
"SSLCertFingerprint": 11
},
"indicator_count": 28413,
"is_author": false,
"is_subscribing": null,
"subscriber_count": 233,
"modified_text": "673 days ago ",
"is_modified": true,
"groups": [],
"in_group": false,
"threat_hunter_scannable": true,
"threat_hunter_has_agents": 1,
"related_indicator_type": "URL",
"related_indicator_is_active": 1
},
{
"id": "65f55ed2015e05ffbc2b72a8",
"name": "Control Server | Browser Install| Kernel Modules and Extensions",
"description": "",
"modified": "2024-04-15T08:03:32.381000",
"created": "2024-03-16T08:56:50.387000",
"tags": [
"hostname",
"sort",
"domain",
"type",
"hostname c",
"all octoseek",
"groups",
"search filter",
"time",
"x show",
"indicator type",
"cidr",
"for privacy",
"unknown",
"united",
"link",
"search",
"servers",
"strapi app",
"passive dns",
"urls",
"date",
"body",
"meta",
"span",
"next",
"octoseek",
"url https",
"url http",
"role title",
"added active",
"execution",
"ssl certificate",
"whois record",
"contacted",
"pe resource",
"bundled",
"historical ssl",
"referrer",
"communicating",
"collections",
"status",
"emails",
"creation date",
"record value",
"expiration date",
"showing",
"threat analyzer",
"threat",
"iocs",
"hostnames",
"urls https",
"samples",
"firehol",
"proxy",
"detection list",
"ip address",
"blacklist",
"malicious url",
"anonymizer",
"botnet command",
"malware",
"generic malware",
"count blacklist",
"no data",
"tag count",
"detection",
"count",
"generic",
"blacklist http",
"cisco umbrella",
"site",
"heur",
"safe site",
"malware site",
"alexa top",
"million",
"filerepmetagen",
"filerepmalware",
"artemis",
"presenoker",
"unsafe",
"riskware",
"crack",
"opencandy",
"downloader",
"coinminer",
"installpack",
"agent",
"fusioncore",
"conduit",
"wacatac",
"zbot",
"cl0p",
"maltiverse",
"trojanspy",
"engb",
"emotet",
"cyberwar",
"ursnif",
"attack",
"hacktool",
"ransomexx",
"startpage",
"bitrat",
"ryuk",
"agent tesla",
"stealer",
"critical",
"copy",
"evilnum",
"threat report",
"back",
"ip summary",
"url summary",
"summary",
"download csv",
"download",
"json sample",
"malicious site",
"phishing site",
"iframe",
"domaiq",
"alexa",
"downldr",
"phishing",
"cyber threat",
"control server",
"team",
"installcore",
"mirai",
"pony",
"nanocore",
"bradesco",
"cobalt strike",
"bank",
"name verdict",
"falcon sandbox",
"reports",
"falcon",
"traffic et",
"policy windows",
"update p2p",
"activity",
"windir",
"mitre att",
"ck id",
"show technique",
"ck matrix",
"hybrid",
"general",
"path",
"click",
"strings",
"contact",
"paste",
"win32",
"gmt content",
"scan endpoints",
"ipv4",
"pulse pulses",
"files",
"accept",
"date hash",
"avast avg",
"entries",
"as15169 google",
"aaaa",
"ireland unknown",
"germany unknown",
"as43350 nforce"
],
"references": [
"https://api.wavebrowserbase.com",
"Ransom: message.htm.com",
"ZBot: https://brain.snappykraken.com/api/v1/events-recorder/clicked?clicked=eyJxdWVyeV9zdHJpbmciOiJkako3SW5WeWJDSTZJbWgwZEhCek9sd3ZYQzl0WlhSaGJtOXBZV1pwYm1GdVkybGhiQzVqYjIxY0x6OTFkRzFmYzI5MWNtTmxQV1Z0WVdsc1gzTnBaMjVoZEhWeVpTWmhiWEE3ZFhSdFgyMWxaR2wxYlQxbGJXRnBiQ1poYlhBN2RYUnRYMk5oYlhCaGFXZHVQWEJ5YjIxdmRHbHZiaUlzSW1oaGMyZ2lPaUkwTjFGWlUzZFlTMkYxVDA1dVIxb2lMQ0pqYjI1MFlXTjBYMlZ0WVdsc0lqb2lhbWx0YlhrdWQyRnNhMlZ5UUdGc2JITjBZWFJsTG1OdmJTSjk9IiwicmVxdWVzdF9kYXRhIjp7ImRqSjdJblZ5YkNJNkltaDBkSEJ6T2x3dlhDOXRaWFJoYm05cFlX",
"Ryuk: https://brain.snappykraken.com/api/v1/events-recorder/clicked?clicked=eyJxdWVyeV9zdHJpbmciOiJkako3SW5WeWJDSTZJbWgwZEhCek9sd3ZYQzkzZDNjdWEybHdiR2x1WjJWeUxtTnZiVnd2WldOdmJtOXRhV010Wm05eVpXTmhjM1J6WEM5cGJuUmxjbVZ6ZEMxeVlYUmxjeUlzSW1oaGMyZ2lPaUpzYmtJMWFUSjJkbmRvU21GQ1RuZ2lMQ0pqYjI1MFlXTjBYMlZ0WVdsc0lqb2liV052ZUVCdGIzSnlhWE56WlhsbGJtZHBibVZsY21sdVp5NWpiMjBpZlE9IiwicmVxdWVzdF9kYXRhIjp7ImRqSjdJblZ5YkNJNkltaDBkSEJ6T2x3dlhDOTNkM2N1YTJsd2JHbHVaMlZ5TG1OdmJWd3ZaV052Ym05dGFXTXRabTl5WldOaGMzUnpYQzlwYm5SbGNtVnpkQzF5",
"Ryuk: http://kramtechnology.com/",
"Ryuk: kramtechnology.com",
"Pony: https://allspice.ordavida.com/api/mailings/opened/PMRGSZBCHIYTMNZQGYWCE33SM4RDUIRZGQZDONDBGIZC2MBXMM2S2NBYMM2S2YTEHE3C2MJZGI4DSOBYHAYTGNRZEIWCE5TFOJZWS33OEI5CENBCFQRHG2LHEI5CEYSPONYXS4RRGFBUIY3DKRIHSSRRK44WSY3FNM4ESVTJKZMHOWRTJBLXIYLIHFRWS3DUKU6SE7I=.gif",
"Botnet Server IP: 141.226.230.48",
"newrelic.se"
],
"public": 1,
"adversary": "",
"targeted_countries": [
"United States of America",
"Netherlands",
"Germany"
],
"malware_families": [
{
"id": "Generic",
"display_name": "Generic",
"target": null
},
{
"id": "Cl0p",
"display_name": "Cl0p",
"target": null
},
{
"id": "Maltiverse",
"display_name": "Maltiverse",
"target": null
},
{
"id": "TrojanSpy",
"display_name": "TrojanSpy",
"target": null
}
],
"attack_ids": [
{
"id": "T1140",
"name": "Deobfuscate/Decode Files or Information",
"display_name": "T1140 - Deobfuscate/Decode Files or Information"
},
{
"id": "T1055",
"name": "Process Injection",
"display_name": "T1055 - Process Injection"
},
{
"id": "T1027",
"name": "Obfuscated Files or Information",
"display_name": "T1027 - Obfuscated Files or Information"
},
{
"id": "T1057",
"name": "Process Discovery",
"display_name": "T1057 - Process Discovery"
},
{
"id": "T1071",
"name": "Application Layer Protocol",
"display_name": "T1071 - Application Layer Protocol"
},
{
"id": "T1105",
"name": "Ingress Tool Transfer",
"display_name": "T1105 - Ingress Tool Transfer"
},
{
"id": "T1129",
"name": "Shared Modules",
"display_name": "T1129 - Shared Modules"
},
{
"id": "T1547",
"name": "Boot or Logon Autostart Execution",
"display_name": "T1547 - Boot or Logon Autostart Execution"
},
{
"id": "T1584.004",
"name": "Server",
"display_name": "T1584.004 - Server"
},
{
"id": "TA0011",
"name": "Command and Control",
"display_name": "TA0011 - Command and Control"
},
{
"id": "T1583.005",
"name": "Botnet",
"display_name": "T1583.005 - Botnet"
},
{
"id": "T1566",
"name": "Phishing",
"display_name": "T1566 - Phishing"
},
{
"id": "T1598",
"name": "Phishing for Information",
"display_name": "T1598 - Phishing for Information"
},
{
"id": "T1547.006",
"name": "Kernel Modules and Extensions",
"display_name": "T1547.006 - Kernel Modules and Extensions"
}
],
"industries": [],
"TLP": "green",
"cloned_from": null,
"export_count": 82,
"upvotes_count": 0,
"downvotes_count": 0,
"votes_count": 0,
"locked": false,
"pulse_source": "web",
"validator_count": 0,
"comment_count": 0,
"follower_count": 0,
"vote": 0,
"author": {
"username": "OctoSeek",
"id": "243548",
"avatar_url": "/otxapi/users/avatar_image/media/avatars/user_243548/resized/80/avatar_3b9c358f36.png",
"is_subscribed": false,
"is_following": false
},
"indicator_type_counts": {
"URL": 9838,
"domain": 2085,
"hostname": 3006,
"FileHash-SHA256": 3685,
"FileHash-MD5": 965,
"FileHash-SHA1": 532,
"email": 6,
"CVE": 7
},
"indicator_count": 20124,
"is_author": false,
"is_subscribing": null,
"subscriber_count": 223,
"modified_text": "734 days ago ",
"is_modified": true,
"groups": [],
"in_group": false,
"threat_hunter_scannable": true,
"threat_hunter_has_agents": 1,
"related_indicator_type": "URL",
"related_indicator_is_active": 1
},
{
"id": "65f980471600645142bcd924",
"name": "Control Server | Browser Install| Kernel Modules and Extensions ",
"description": "",
"modified": "2024-04-15T08:03:32.381000",
"created": "2024-03-19T12:08:39.100000",
"tags": [
"hostname",
"sort",
"domain",
"type",
"hostname c",
"all octoseek",
"groups",
"search filter",
"time",
"x show",
"indicator type",
"cidr",
"for privacy",
"unknown",
"united",
"link",
"search",
"servers",
"strapi app",
"passive dns",
"urls",
"date",
"body",
"meta",
"span",
"next",
"octoseek",
"url https",
"url http",
"role title",
"added active",
"execution",
"ssl certificate",
"whois record",
"contacted",
"pe resource",
"bundled",
"historical ssl",
"referrer",
"communicating",
"collections",
"status",
"emails",
"creation date",
"record value",
"expiration date",
"showing",
"threat analyzer",
"threat",
"iocs",
"hostnames",
"urls https",
"samples",
"firehol",
"proxy",
"detection list",
"ip address",
"blacklist",
"malicious url",
"anonymizer",
"botnet command",
"malware",
"generic malware",
"count blacklist",
"no data",
"tag count",
"detection",
"count",
"generic",
"blacklist http",
"cisco umbrella",
"site",
"heur",
"safe site",
"malware site",
"alexa top",
"million",
"filerepmetagen",
"filerepmalware",
"artemis",
"presenoker",
"unsafe",
"riskware",
"crack",
"opencandy",
"downloader",
"coinminer",
"installpack",
"agent",
"fusioncore",
"conduit",
"wacatac",
"zbot",
"cl0p",
"maltiverse",
"trojanspy",
"engb",
"emotet",
"cyberwar",
"ursnif",
"attack",
"hacktool",
"ransomexx",
"startpage",
"bitrat",
"ryuk",
"agent tesla",
"stealer",
"critical",
"copy",
"evilnum",
"threat report",
"back",
"ip summary",
"url summary",
"summary",
"download csv",
"download",
"json sample",
"malicious site",
"phishing site",
"iframe",
"domaiq",
"alexa",
"downldr",
"phishing",
"cyber threat",
"control server",
"team",
"installcore",
"mirai",
"pony",
"nanocore",
"bradesco",
"cobalt strike",
"bank",
"name verdict",
"falcon sandbox",
"reports",
"falcon",
"traffic et",
"policy windows",
"update p2p",
"activity",
"windir",
"mitre att",
"ck id",
"show technique",
"ck matrix",
"hybrid",
"general",
"path",
"click",
"strings",
"contact",
"paste",
"win32",
"gmt content",
"scan endpoints",
"ipv4",
"pulse pulses",
"files",
"accept",
"date hash",
"avast avg",
"entries",
"as15169 google",
"aaaa",
"ireland unknown",
"germany unknown",
"as43350 nforce"
],
"references": [
"https://api.wavebrowserbase.com",
"Ransom: message.htm.com",
"ZBot: https://brain.snappykraken.com/api/v1/events-recorder/clicked?clicked=eyJxdWVyeV9zdHJpbmciOiJkako3SW5WeWJDSTZJbWgwZEhCek9sd3ZYQzl0WlhSaGJtOXBZV1pwYm1GdVkybGhiQzVqYjIxY0x6OTFkRzFmYzI5MWNtTmxQV1Z0WVdsc1gzTnBaMjVoZEhWeVpTWmhiWEE3ZFhSdFgyMWxaR2wxYlQxbGJXRnBiQ1poYlhBN2RYUnRYMk5oYlhCaGFXZHVQWEJ5YjIxdmRHbHZiaUlzSW1oaGMyZ2lPaUkwTjFGWlUzZFlTMkYxVDA1dVIxb2lMQ0pqYjI1MFlXTjBYMlZ0WVdsc0lqb2lhbWx0YlhrdWQyRnNhMlZ5UUdGc2JITjBZWFJsTG1OdmJTSjk9IiwicmVxdWVzdF9kYXRhIjp7ImRqSjdJblZ5YkNJNkltaDBkSEJ6T2x3dlhDOXRaWFJoYm05cFlX",
"Ryuk: https://brain.snappykraken.com/api/v1/events-recorder/clicked?clicked=eyJxdWVyeV9zdHJpbmciOiJkako3SW5WeWJDSTZJbWgwZEhCek9sd3ZYQzkzZDNjdWEybHdiR2x1WjJWeUxtTnZiVnd2WldOdmJtOXRhV010Wm05eVpXTmhjM1J6WEM5cGJuUmxjbVZ6ZEMxeVlYUmxjeUlzSW1oaGMyZ2lPaUpzYmtJMWFUSjJkbmRvU21GQ1RuZ2lMQ0pqYjI1MFlXTjBYMlZ0WVdsc0lqb2liV052ZUVCdGIzSnlhWE56WlhsbGJtZHBibVZsY21sdVp5NWpiMjBpZlE9IiwicmVxdWVzdF9kYXRhIjp7ImRqSjdJblZ5YkNJNkltaDBkSEJ6T2x3dlhDOTNkM2N1YTJsd2JHbHVaMlZ5TG1OdmJWd3ZaV052Ym05dGFXTXRabTl5WldOaGMzUnpYQzlwYm5SbGNtVnpkQzF5",
"Ryuk: http://kramtechnology.com/",
"Ryuk: kramtechnology.com",
"Pony: https://allspice.ordavida.com/api/mailings/opened/PMRGSZBCHIYTMNZQGYWCE33SM4RDUIRZGQZDONDBGIZC2MBXMM2S2NBYMM2S2YTEHE3C2MJZGI4DSOBYHAYTGNRZEIWCE5TFOJZWS33OEI5CENBCFQRHG2LHEI5CEYSPONYXS4RRGFBUIY3DKRIHSSRRK44WSY3FNM4ESVTJKZMHOWRTJBLXIYLIHFRWS3DUKU6SE7I=.gif",
"Botnet Server IP: 141.226.230.48",
"newrelic.se"
],
"public": 1,
"adversary": "",
"targeted_countries": [
"United States of America",
"Netherlands",
"Germany"
],
"malware_families": [
{
"id": "Generic",
"display_name": "Generic",
"target": null
},
{
"id": "Cl0p",
"display_name": "Cl0p",
"target": null
},
{
"id": "Maltiverse",
"display_name": "Maltiverse",
"target": null
},
{
"id": "TrojanSpy",
"display_name": "TrojanSpy",
"target": null
}
],
"attack_ids": [
{
"id": "T1140",
"name": "Deobfuscate/Decode Files or Information",
"display_name": "T1140 - Deobfuscate/Decode Files or Information"
},
{
"id": "T1055",
"name": "Process Injection",
"display_name": "T1055 - Process Injection"
},
{
"id": "T1027",
"name": "Obfuscated Files or Information",
"display_name": "T1027 - Obfuscated Files or Information"
},
{
"id": "T1057",
"name": "Process Discovery",
"display_name": "T1057 - Process Discovery"
},
{
"id": "T1071",
"name": "Application Layer Protocol",
"display_name": "T1071 - Application Layer Protocol"
},
{
"id": "T1105",
"name": "Ingress Tool Transfer",
"display_name": "T1105 - Ingress Tool Transfer"
},
{
"id": "T1129",
"name": "Shared Modules",
"display_name": "T1129 - Shared Modules"
},
{
"id": "T1547",
"name": "Boot or Logon Autostart Execution",
"display_name": "T1547 - Boot or Logon Autostart Execution"
},
{
"id": "T1584.004",
"name": "Server",
"display_name": "T1584.004 - Server"
},
{
"id": "TA0011",
"name": "Command and Control",
"display_name": "TA0011 - Command and Control"
},
{
"id": "T1583.005",
"name": "Botnet",
"display_name": "T1583.005 - Botnet"
},
{
"id": "T1566",
"name": "Phishing",
"display_name": "T1566 - Phishing"
},
{
"id": "T1598",
"name": "Phishing for Information",
"display_name": "T1598 - Phishing for Information"
},
{
"id": "T1547.006",
"name": "Kernel Modules and Extensions",
"display_name": "T1547.006 - Kernel Modules and Extensions"
}
],
"industries": [],
"TLP": "green",
"cloned_from": "65f55ed2015e05ffbc2b72a8",
"export_count": 186943,
"upvotes_count": 0,
"downvotes_count": 0,
"votes_count": 0,
"locked": false,
"pulse_source": "web",
"validator_count": 0,
"comment_count": 0,
"follower_count": 0,
"vote": 0,
"author": {
"username": "scoreblue",
"id": "254100",
"avatar_url": "/otxapi/users/avatar_image/media/avatars/user_254100/resized/80/avatar_3b9c358f36.png",
"is_subscribed": false,
"is_following": false
},
"indicator_type_counts": {
"URL": 9838,
"domain": 2085,
"hostname": 3006,
"FileHash-SHA256": 3685,
"FileHash-MD5": 965,
"FileHash-SHA1": 532,
"email": 6,
"CVE": 7
},
"indicator_count": 20124,
"is_author": false,
"is_subscribing": null,
"subscriber_count": 232,
"modified_text": "734 days ago ",
"is_modified": true,
"groups": [],
"in_group": false,
"threat_hunter_scannable": true,
"threat_hunter_has_agents": 1,
"related_indicator_type": "URL",
"related_indicator_is_active": 1
},
{
"id": "65d053a935bf99f5263deb57",
"name": "History Killer Pro Injection deleting virustotal & otx.alienvault Pulses",
"description": "History killer pro, is being used to delete and modify virustotal nodes and 41 otx.alienvault pulses. Junk data is being used to fill in missing pulses.\nTargeted: 1 callmeDoris several scoreblue (sometimes I clone pulses) Octoseek. \npulses.\nHallrender, Metro by T-Mobile, https://myaccount.uscis.gov/, Esurance, 40 pule reports are regarding Tsara Brashears cyber bully campaign which attacked the corporates mentioned except 2 AIG and Hallrender attackers. 100's of other modifications, deletions by another tool affecting several users.",
"modified": "2024-03-18T04:01:27.756000",
"created": "2024-02-17T06:35:21.666000",
"tags": [
"contacted",
"execution",
"january",
"september",
"whois record",
"resolutions",
"communicating",
"roundup",
"highly targeted",
"phishing",
"quasar",
"malware",
"open",
"threat roundup",
"referrer",
"remote",
"kimsuky",
"passive dns",
"urls",
"dive domains",
"creation date",
"search",
"record value",
"date",
"united",
"scan endpoints",
"all scoreblue",
"unknown",
"body",
"brian sabey",
"hall render",
"reinsurance",
"state",
"danger",
"threat",
"critical",
"crypthashdata",
"read c",
"tcmiheijkmutcix",
"entries",
"show",
"t1055",
"intel",
"ms windows",
"delphi",
"win32",
"copy",
"write",
"injection",
"zusy",
"neojit",
"cyber stalking",
"worker",
"inject",
"illegal",
"tampering",
"hijacker",
"delete",
"ret hat",
"stalker",
"shadow",
"quasi"
],
"references": [
"www.historykillerpro.com",
"https://otx.alienvault.com/indicator/hostname/ww25.historykillerpro.com",
"http://sniper.debugger.ru",
"Remote sharing: https://otx.alienvault.com/otxapi/indicators/file/screenshot/dd846d74613d6285125886d35abb1bd261a5fc1b6bc0ba6e28e881f73dba23b7",
"Inject & attack: https://otx.alienvault.com/indicator/file/dd846d74613d6285125886d35abb1bd261a5fc1b6bc0ba6e28e881f73dba23b7",
"M. Brian Sabey Hall Render , Denver, Co | Frankfurt, Germany"
],
"public": 1,
"adversary": "",
"targeted_countries": [],
"malware_families": [
{
"id": "Variant.Zusy.572 Checkin",
"display_name": "Variant.Zusy.572 Checkin",
"target": null
},
{
"id": "TrojanDownloader:Win32/Neojit.A",
"display_name": "TrojanDownloader:Win32/Neojit.A",
"target": "/malware/TrojanDownloader:Win32/Neojit.A"
},
{
"id": "Win32:Delf-SES\\ [Trj]",
"display_name": "Win32:Delf-SES\\ [Trj]",
"target": null
},
{
"id": "Win.Trojan.Agent-1372316",
"display_name": "Win.Trojan.Agent-1372316",
"target": null
}
],
"attack_ids": [
{
"id": "T1053",
"name": "Scheduled Task/Job",
"display_name": "T1053 - Scheduled Task/Job"
},
{
"id": "T1055",
"name": "Process Injection",
"display_name": "T1055 - Process Injection"
},
{
"id": "T1060",
"name": "Registry Run Keys / Startup Folder",
"display_name": "T1060 - Registry Run Keys / Startup Folder"
},
{
"id": "T1119",
"name": "Automated Collection",
"display_name": "T1119 - Automated Collection"
},
{
"id": "T1094",
"name": "Custom Command and Control Protocol",
"display_name": "T1094 - Custom Command and Control Protocol"
}
],
"industries": [],
"TLP": "green",
"cloned_from": null,
"export_count": 22,
"upvotes_count": 0,
"downvotes_count": 0,
"votes_count": 0,
"locked": false,
"pulse_source": "web",
"validator_count": 0,
"comment_count": 0,
"follower_count": 0,
"vote": 0,
"author": {
"username": "scoreblue",
"id": "254100",
"avatar_url": "/otxapi/users/avatar_image/media/avatars/user_254100/resized/80/avatar_3b9c358f36.png",
"is_subscribed": false,
"is_following": false
},
"indicator_type_counts": {
"hostname": 1915,
"FileHash-MD5": 437,
"FileHash-SHA1": 435,
"FileHash-SHA256": 3054,
"domain": 987,
"URL": 5902,
"email": 1,
"CVE": 1
},
"indicator_count": 12732,
"is_author": false,
"is_subscribing": null,
"subscriber_count": 230,
"modified_text": "762 days ago ",
"is_modified": true,
"groups": [],
"in_group": false,
"threat_hunter_scannable": true,
"threat_hunter_has_agents": 1,
"related_indicator_type": "URL",
"related_indicator_is_active": 1
},
{
"id": "65d0a9c7f1b04296d9b0d803",
"name": "History Killer Pro Injection deleting VirusTotal & OTX.AlienVault Pulses",
"description": "",
"modified": "2024-03-18T04:01:27.756000",
"created": "2024-02-17T12:42:47.334000",
"tags": [
"contacted",
"execution",
"january",
"september",
"whois record",
"resolutions",
"communicating",
"roundup",
"highly targeted",
"phishing",
"quasar",
"malware",
"open",
"threat roundup",
"referrer",
"remote",
"kimsuky",
"passive dns",
"urls",
"dive domains",
"creation date",
"search",
"record value",
"date",
"united",
"scan endpoints",
"all scoreblue",
"unknown",
"body",
"brian sabey",
"hall render",
"reinsurance",
"state",
"danger",
"threat",
"critical",
"crypthashdata",
"read c",
"tcmiheijkmutcix",
"entries",
"show",
"t1055",
"intel",
"ms windows",
"delphi",
"win32",
"copy",
"write",
"injection",
"zusy",
"neojit",
"cyber stalking",
"worker",
"inject",
"illegal",
"tampering",
"hijacker",
"delete",
"ret hat",
"stalker",
"shadow",
"quasi"
],
"references": [
"www.historykillerpro.com",
"https://otx.alienvault.com/indicator/hostname/ww25.historykillerpro.com",
"http://sniper.debugger.ru",
"Remote sharing: https://otx.alienvault.com/otxapi/indicators/file/screenshot/dd846d74613d6285125886d35abb1bd261a5fc1b6bc0ba6e28e881f73dba23b7",
"Inject & attack: https://otx.alienvault.com/indicator/file/dd846d74613d6285125886d35abb1bd261a5fc1b6bc0ba6e28e881f73dba23b7",
"M. Brian Sabey Hall Render , Denver, Co | Frankfurt, Germany"
],
"public": 1,
"adversary": "",
"targeted_countries": [],
"malware_families": [
{
"id": "Variant.Zusy.572 Checkin",
"display_name": "Variant.Zusy.572 Checkin",
"target": null
},
{
"id": "TrojanDownloader:Win32/Neojit.A",
"display_name": "TrojanDownloader:Win32/Neojit.A",
"target": "/malware/TrojanDownloader:Win32/Neojit.A"
},
{
"id": "Win32:Delf-SES\\ [Trj]",
"display_name": "Win32:Delf-SES\\ [Trj]",
"target": null
},
{
"id": "Win.Trojan.Agent-1372316",
"display_name": "Win.Trojan.Agent-1372316",
"target": null
}
],
"attack_ids": [
{
"id": "T1053",
"name": "Scheduled Task/Job",
"display_name": "T1053 - Scheduled Task/Job"
},
{
"id": "T1055",
"name": "Process Injection",
"display_name": "T1055 - Process Injection"
},
{
"id": "T1060",
"name": "Registry Run Keys / Startup Folder",
"display_name": "T1060 - Registry Run Keys / Startup Folder"
},
{
"id": "T1119",
"name": "Automated Collection",
"display_name": "T1119 - Automated Collection"
},
{
"id": "T1094",
"name": "Custom Command and Control Protocol",
"display_name": "T1094 - Custom Command and Control Protocol"
}
],
"industries": [],
"TLP": "green",
"cloned_from": "65d053a935bf99f5263deb57",
"export_count": 24,
"upvotes_count": 0,
"downvotes_count": 0,
"votes_count": 0,
"locked": false,
"pulse_source": "web",
"validator_count": 0,
"comment_count": 0,
"follower_count": 0,
"vote": 0,
"author": {
"username": "OctoSeek",
"id": "243548",
"avatar_url": "/otxapi/users/avatar_image/media/avatars/user_243548/resized/80/avatar_3b9c358f36.png",
"is_subscribed": false,
"is_following": false
},
"indicator_type_counts": {
"hostname": 1915,
"FileHash-MD5": 437,
"FileHash-SHA1": 435,
"FileHash-SHA256": 3054,
"domain": 987,
"URL": 5902,
"email": 1,
"CVE": 1
},
"indicator_count": 12732,
"is_author": false,
"is_subscribing": null,
"subscriber_count": 223,
"modified_text": "762 days ago ",
"is_modified": true,
"groups": [],
"in_group": false,
"threat_hunter_scannable": true,
"threat_hunter_has_agents": 1,
"related_indicator_type": "URL",
"related_indicator_is_active": 1
},
{
"id": "65caca061fbb7674de86ec7b",
"name": "Invicta Stealer",
"description": "Invicta Stealer is equipped to steal data from most locations of a system which makes it a dangerous threat.\nLink found in https://house.mo.com",
"modified": "2024-03-14T01:01:47.115000",
"created": "2024-02-13T01:46:46.969000",
"tags": [
"ssl certificate",
"whois record",
"contacted",
"historical ssl",
"resolutions",
"communicating",
"whois whois",
"subdomains",
"referrer",
"problems",
"core",
"startpage",
"june",
"passive dns",
"urls",
"domain",
"otx telemetry",
"body",
"gmt content",
"x adblock",
"scan endpoints",
"all octoseek",
"hostname",
"date",
"encrypt",
"threat roundup",
"october",
"november",
"march",
"february",
"apple ios",
"april",
"tsara brashears",
"copy",
"hacktool",
"phishing",
"metro",
"crypto",
"installer",
"awful",
"united",
"unknown",
"germany unknown",
"search",
"servers",
"registrar",
"name servers",
"status",
"next",
"moved",
"address",
"creation date",
"showing",
"ipv4",
"pulse submit",
"url analysis",
"accept",
"aaaa",
"record type",
"ttl value",
"html document",
"ascii text",
"anchor hrefs",
"hrefs",
"anchor",
"anchor href",
"threat",
"paste",
"iocs",
"analyze",
"hostnames",
"url https",
"sample",
"server",
"code",
"registry domain",
"dnssec",
"registrar url",
"registrar whois",
"iana id",
"registrar abuse",
"tech email",
"fake update",
"utilizes new",
"idat loader",
"stealc",
"urls http",
"isadultno",
"adposbottom",
"adformatplain",
"adnetworks",
"quasar rat",
"ip detections",
"country",
"cellbrite",
"execution",
"pegasus",
"malware",
"agent tesla",
"attack",
"ukraine",
"silent",
"invicta stealer",
"redline stealer",
"orcus rat",
"files",
"germany asn",
"as196763",
"a domains",
"redacted for",
"record value",
"for privacy",
"emails",
"name",
"contacted urls",
"bundled",
"de indicators",
"domains",
"hashes",
"gmbh version",
"status page",
"service privacy",
"legal",
"impressum",
"pulse pulses",
"location united",
"open",
"cookie",
"customer",
"0 report",
"sea alt",
"certificate",
"#targeting",
"#discordwallets",
"house.mo.gov"
],
"references": [
"https://www.facebooksunglassshop.com/",
"CVE-2017-0147 \u2022 CVE-2023-4966 \u2022 CVE-2023-22518",
"https://ispy-official.com/ X Cache: Redirect from cloudfront Via: 1.1 030fe0607711293dda988e571617a9f2.cloudfront.net CloudFront X Amz Cf",
"Pop: HIO50 C1 X Amz Cf Id: Jt aBPO2nI3Nt D0E4nzqpun66btDLhJ41kQwhDASrIukoWyUOWE1w==",
"apple.com-auth.eu [Find apple] | https://applemusic-spotlight.myunidays.com/US/en-US? [compromise via apple media]",
"http://init-p01st.push.apple.com/bag [= Google.com.uy modified browser - malicious] apple.com-auth.eu \u2022 appleid.apple.com-auth.eu\u2022",
"https://itunes.apple.com/app/apple-store/id284815942/us/app/samsung-galaxy-watch-gear-s/id1117310635 [apple media compromise. Pega behavior?]",
"all-live.secure2storeapple.xxianzi.com \u2022 https://www.symbios.pk/apple-ipod-5-32gb",
"http://m.xiang5.com/keyword/17655.html&ht=%E9%98%BF%E6%BD%BC%E5%B0%8F%E8%AF%B4%E5%9C%A8%E7%BA%BF%E9%98%85%E8%AF%BB%E5%85%8D%E8%B4%B9%E9%98%85%E8%AF%BB_%E9%98%BF%E6%BD%BC%E5%B0%8F%E8%AF%B4%E5%9C%A8%E7%BA%BF%E9%98%85%E8%AF%BB%E5%85%A8%E6%9C%AC%E6%97%A0%E5%BC%B9%E7%AA%97-%E9%A6%99%E7%BD%91%E5%B0%8F%E8%AF%B4%E6%89%8B%E6%9C%BA%E7%89%88&uaddr=https:/www.sogou.com/link?url=58p16RfDRLtDzo-0AEmfJoGs8rDRUEq4ejjohgXqBYnQGuHk6xSRXg..&h=1080&w=1920&cd=24&lg=zh-CN&ua=mozilla/5.0%20(windows%20nt%2010.0;%20win64;%20x64)%20",
"Tracking: mailtrack.io \u2022 nr-data.net \u2022 tracking.bullseyeedu.com \u2022 https://smtp.mail.pentrack.com \u2022 tracking.vetsindexes.com",
"Remote threats: http://watchhers.net/index.php \u2022 http://eye.infunvip.com/appinterface/other/login.remote",
"https://plussizedesi.com/wp-content/uploads/2022/07/SniperGhostWarrior2BlackBox_Version_Download_INSTALL.pdf",
"https://www.pornhub.com/gifs/search?search=tsara+lynn+brashears+lesbian [ iOS unlocker & password decryption]",
"https://www.anyxxxtube.net/search-porn/tsara-brashears/ [ phishing \u2022 apple collection]",
"https://wallpapers-nature.com/tsara-brashears/tse1-mm-bing-net",
"wallpapers-nature.com",
"https://wallpapers-nature.com/%20tsara-brashears/urlscan-io",
"https://wallpapers-nature.com/tsara-brashears/urlscan-io",
"hello-world-mute-unit-3072.a-rahimi-farahani.workers.dev",
"edgedl.me.gvt1.com",
"Link found in https://house.mo.com"
],
"public": 1,
"adversary": "",
"targeted_countries": [
"United States of America"
],
"malware_families": [
{
"id": "Invicta Stealer",
"display_name": "Invicta Stealer",
"target": null
},
{
"id": "HackTool",
"display_name": "HackTool",
"target": null
},
{
"id": "Quasar RAT",
"display_name": "Quasar RAT",
"target": null
},
{
"id": "Pegasus",
"display_name": "Pegasus",
"target": null
},
{
"id": "RedLine Stealer",
"display_name": "RedLine Stealer",
"target": null
},
{
"id": "Orcus RAT",
"display_name": "Orcus RAT",
"target": null
},
{
"id": "Silent",
"display_name": "Silent",
"target": null
}
],
"attack_ids": [],
"industries": [
"Government",
"Civil Society",
"Technology"
],
"TLP": "white",
"cloned_from": null,
"export_count": 65,
"upvotes_count": 0,
"downvotes_count": 0,
"votes_count": 0,
"locked": false,
"pulse_source": "web",
"validator_count": 0,
"comment_count": 0,
"follower_count": 0,
"vote": 0,
"author": {
"username": "OctoSeek",
"id": "243548",
"avatar_url": "/otxapi/users/avatar_image/media/avatars/user_243548/resized/80/avatar_3b9c358f36.png",
"is_subscribed": false,
"is_following": false
},
"indicator_type_counts": {
"FileHash-MD5": 153,
"FileHash-SHA1": 145,
"FileHash-SHA256": 3848,
"CVE": 3,
"URL": 8291,
"domain": 2541,
"hostname": 3034,
"email": 13
},
"indicator_count": 18028,
"is_author": false,
"is_subscribing": null,
"subscriber_count": 222,
"modified_text": "766 days ago ",
"is_modified": true,
"groups": [],
"in_group": false,
"threat_hunter_scannable": true,
"threat_hunter_has_agents": 1,
"related_indicator_type": "URL",
"related_indicator_is_active": 1
},
{
"id": "65c68bc8b8745068608cc50d",
"name": "Metasploit | Ransomware | PinterestPots - Pin.it",
"description": "",
"modified": "2024-03-10T20:03:45.513000",
"created": "2024-02-09T20:32:08.358000",
"tags": [
"whois record",
"contacted",
"tsara brashears",
"ssl certificate",
"apple ios",
"unlocker",
"historical ssl",
"referrer",
"highly targeted",
"critical risk",
"hacktool",
"malicious",
"cobalt strike",
"metasploit",
"installer",
"malware",
"awful",
"android",
"banker",
"keylogger",
"jeffrey reimer",
"emreimer",
"emily reimer goldstien",
"eva lisa",
"eva lisa reimer",
"status code",
"http response",
"ieedge date",
"maxage86400",
"path",
"httponly xcdn",
"connection",
"vary useragent",
"targeting brashears",
"communicating",
"whois whois",
"collections",
"password",
"adult content",
"core",
"metro",
"apple",
"copy",
"suspicious",
"vj99",
"threat",
"slfrd1",
"paste",
"iocs",
"analyze",
"hostnames",
"urls http",
"jid1221717543",
"slc1",
"a domains",
"united",
"search",
"date",
"as15169 google",
"passive dns",
"urls",
"record value",
"name servers",
"status",
"encrypt",
"win32",
"next",
"msie",
"scan endpoints",
"all octoseek",
"ipv4",
"pulse submit",
"url analysis",
"body",
"domain",
"unknown",
"china unknown",
"pulse pulses",
"files",
"ip address",
"servers",
"domain name",
"showing",
"as54113",
"as16625 akamai",
"as20940",
"aaaa",
"cname",
"as396982 google",
"as14061",
"script domains",
"hostname",
"japan unknown",
"gmt content",
"gmt etag",
"pragma",
"accept",
"location japan",
"asn as131965",
"less",
"pulses",
"related tags",
"meta",
"asn as13335",
"443 ma2592000",
"certificate",
"germany unknown",
"script urls",
"link",
"code",
"moved",
"russia unknown",
"as51659 llc",
"as12616 filanc",
"welcome",
"uhttps",
"urls https",
"ccb455304",
"ccb455307",
"vj93",
"uyebaauqaaaaaac",
"malvertizing",
"tagging",
"prefetch8",
"script",
"prefetch1",
"command decode",
"segoe ui",
"suricata ipv4",
"emoji",
"mitre att",
"suricata udpv4",
"roboto",
"courier",
"february",
"hybrid",
"general",
"model",
"comspec",
"click",
"strings"
],
"references": [
"https://gr.pinterest.com/emreimer/",
"Wife of Brashears SAter \u2022 Alias \u2022 Couple plays victim \u2022 Karens. HIPPA violations. Admittedly involved cyberstalking on Brashears. Legally agreed to stop.",
"message.htm.com \u2022 CVE-2023-4966 \u2022 ransomed.vc",
"http://neurosky.jp",
"https://www.anyxxxtube.net/search-porn/tsara-brashears/",
"http://45.159.189.105/bot/regex",
"http://alohatube.xyz/search/tsara-brashears",
"facebooksunglassshop.com [titled' Tsara Brashears GCcmwm.T ?]",
"alohatube.xyz [keylogger aimed at Tsara Brashears]",
"https://www.pornhub.com/gifs/search?search=tsara+lynn+brashears+lesbian",
"https://www.pornhub.com/video/search?search=tsara+brashears",
"http://alohatube.xyz/search/tsara-brashears/",
"https://alohatube.xyz/search/tsara-brashears",
"https://alohatube.xyz/search/tsara-brashears+(Formerly+Botnetwork+malvertizing+campaign+targeting+Tsara+Brashears+crime+victim.+Now+",
"https://www.sweetheartvideo.com/tsara-brashears/",
"manvimishraa5417@gmail.com [Video of Tsara Brashears circulation]",
"https://www.sweetheartvideo.com/tsara-brashearsAccept-Language:",
"https://www.sweetheartvideo.com/tsara-brashearsAccept-Language",
"https://www.sweetheartvideo.com/tsara-brashears",
"https://www.hybrid-analysis.com/sample/92b00ee3aca1f3057ad8402229c27bfdd6fc934908ef641b36379bf47093df0b/65c63a1fbc9c5333d20354ca",
"https://www.hybrid-analysis.com/file-inline/65c63a1fbc9c5333d20354ca/screenshot/screen_6.png",
"https://rmy1o3xp-d182-v9.klinika-rekonstruktivnoj-kosmetologii-na-ulitse-lenina.ru/ [phishing \u2022 mitre S0154]",
"CnC IP's: 104.124.58.137 \u2022 45.159.189.105 | Exploit source: 1.179.151.145 | scanning host: 208.115.103.34",
"http://www.proxydocker.com/ja/proxy/43.229.135.125:8080",
"https://twitter.com/PORNO_SEXYBABES | cloud.zemana.com - porn cloud",
"https://www.anyxxxtube.net/search-porn/a-m-c-ate-xxx-videos/",
"www.pornhub.com",
"http://www.pinterest.com/ideas/songwriting/945635263947/",
"https://www.neurosky.jp/wp-content/plugins/responsive-lightbox/assets/fancybox/jquery.fancybox.min.js?ver=2.1.0",
"webdisk.thehomemakers.nl",
"http://connectivitycheck.gstatic.com/generate_204 [RAT]",
"http://discover.hubpages.com/literature/Most-Beautiful-Quotes-on-Love-and-Heartbreak [RAT| Tagging target in adult content fraud sites]",
"https://gujarati.ent24x7.comb [RAT]",
"http://clipper.guru/bot/online?guid=PC\\Administrator&key=ace492e9661223449782fcc8096dc6ef6289032d08d03a7b0a92179622c35bdb",
"https://tulach.cc/socrative/internal.js",
"http://email.birdeye.org/c/eJxkUcFuozAU_JrHsTLPYODAIYQmSqXNqmm3q-4FGfNIrAUbGTtV-_UrklRatT5ZnvGbeTNVmLWhed6HsSVXxiLNsyLniUhFyoqolp6eyPgSE4Ysjw407boSMerKWKV90kdUxhnLuMiyhEenUiZ9LjAuij6PMWdMSpnFJPKkLVQrUhHpEtl1GEuSgvG7DIss6XsZCy7jooghYa12Hb3TnXXHaChP3k8z8BXgBnDziSk7Am4mp5U2xwXim-DHZrbBKQJeT852QfmGRqkHQLGAI3U6jMDr_x-VNZ6MB15vf1SAotUd8PpLEJ9cOU5SHw3w2ppBG2omRzMZRc1CaY0cF-21NTO5s_TaGsDqidxZK5oBq62zYQKsdkYBimmQipqL3vq0e9i3-VoOf-J09_dgq-m-enupQnUEFNp0YfbuHXgNKD70dL04Omt6a5QNF_-H-5fd_e9m_fPX_hlQyPOxuTGc9EtKvF69bJvD6",
"https://gujarati.ent24x7.com | https://otx.alienvault.com/indicator/url/https://gujarati.ent24x7.com",
"162.159.208.8"
],
"public": 1,
"adversary": "",
"targeted_countries": [
"United States of America",
"Japan"
],
"malware_families": [
{
"id": "Trojan:VBS/MetasploitVBSCmdStager",
"display_name": "Trojan:VBS/MetasploitVBSCmdStager",
"target": "/malware/Trojan:VBS/MetasploitVBSCmdStager"
},
{
"id": "HackTool",
"display_name": "HackTool",
"target": null
},
{
"id": "Cobalt Strike",
"display_name": "Cobalt Strike",
"target": null
}
],
"attack_ids": [
{
"id": "T1071",
"name": "Application Layer Protocol",
"display_name": "T1071 - Application Layer Protocol"
},
{
"id": "T1056.001",
"name": "Keylogging",
"display_name": "T1056.001 - Keylogging"
},
{
"id": "T1129",
"name": "Shared Modules",
"display_name": "T1129 - Shared Modules"
},
{
"id": "T1027",
"name": "Obfuscated Files or Information",
"display_name": "T1027 - Obfuscated Files or Information"
},
{
"id": "T1057",
"name": "Process Discovery",
"display_name": "T1057 - Process Discovery"
},
{
"id": "T1071.004",
"name": "DNS",
"display_name": "T1071.004 - DNS"
},
{
"id": "T1105",
"name": "Ingress Tool Transfer",
"display_name": "T1105 - Ingress Tool Transfer"
}
],
"industries": [
"Technology",
"Telecommunications",
"Media"
],
"TLP": "white",
"cloned_from": null,
"export_count": 27,
"upvotes_count": 0,
"downvotes_count": 0,
"votes_count": 0,
"locked": false,
"pulse_source": "web",
"validator_count": 0,
"comment_count": 0,
"follower_count": 0,
"vote": 0,
"author": {
"username": "OctoSeek",
"id": "243548",
"avatar_url": "/otxapi/users/avatar_image/media/avatars/user_243548/resized/80/avatar_3b9c358f36.png",
"is_subscribed": false,
"is_following": false
},
"indicator_type_counts": {
"URL": 3412,
"FileHash-MD5": 194,
"FileHash-SHA1": 159,
"FileHash-SHA256": 2223,
"domain": 2117,
"hostname": 1763,
"CVE": 2,
"email": 5
},
"indicator_count": 9875,
"is_author": false,
"is_subscribing": null,
"subscriber_count": 223,
"modified_text": "770 days ago ",
"is_modified": true,
"groups": [],
"in_group": false,
"threat_hunter_scannable": true,
"threat_hunter_has_agents": 1,
"related_indicator_type": "URL",
"related_indicator_is_active": 1
},
{
"id": "65a59fe40c1e4412af5b5710",
"name": "Qakbot Continues | DNSpionage | Gmail l Carnegie Mellon University",
"description": "Qakbot continues to attack vulnerable devices; this attack affecting Chrome, Chromium, Google PlayStore - Redline Stealer, Gmail accounts.\n\nQakBot\u2019s modular structure allows for various malicious features, including process and web injection, victim network enumeration and credential stealing, and the delivery of follow-on payloads such as Cobalt Strike[1], Brute Ratel, and other malware. QakBot infections are particularly known to precede the deployment of human-operated ransomware, including Conti[2], ProLock[3], Egregor[4], REvil[5], MegaCortex[6], Black Basta[7], Royal[8], and PwndLocker.",
"modified": "2024-02-14T19:00:40.517000",
"created": "2024-01-15T21:13:08.734000",
"tags": [
"present jun",
"scan endpoints",
"all octoseek",
"ipv4",
"passive dns",
"urls",
"files",
"reverse dns",
"pittsburgh",
"united",
"ghost rat",
"webtoolbar",
"nanocore rat",
"gamehack",
"cobalt strike",
"redlinestealer",
"installcore",
"installbrain",
"emotet",
"tofsee",
"bradesco",
"agent tesla",
"trojanspy",
"suppobox",
"occamy",
"dnspionage",
"stealer",
"networm",
"win32",
"whois record",
"ssl certificate",
"threat roundup",
"july",
"communicating",
"whois whois",
"referrer",
"contacted",
"attack",
"execution",
"malware",
"august",
"copy",
"april",
"qakbot",
"ursnif",
"azorult",
"hacktool",
"metro",
"banker",
"keylogger",
"malicious",
"february",
"mydoom-90",
"worm",
"cmu server",
"caltech.edu",
"gmail",
"google attack",
"google playstore",
"chrome",
"targeting",
"carnegie mellon university",
"algorithm",
"v3 serial",
"number",
"issuer",
"cus cnincommon",
"rsa server",
"ca lann",
"stmi ouincommon",
"validity",
"key algorithm",
"info",
"first",
"carnegie mellon",
"server",
"domain name",
"domain record",
"domain",
"city",
"orgid",
"rtechhandle",
"net128",
"net1280000",
"error",
"dns replication",
"date",
"win32 exe",
"winamp",
"detections type",
"name"
],
"references": [
"https://www.cisa.gov/news-events/cybersecurity-advisories/aa23-242a",
"128.2.42.10 'CMU' Carnegie Mellon University Server",
"caltech.edu | Carnegie Mellon University",
"https://otx.alienvault.com/pulse/65a57ec1d13648277c52328a",
"https://otx.alienvault.com/indicator/ip/142.250.69.206",
"CVE-2022-26134",
"http://matfyz.cz/ | phishing",
"https://www.assurant.com/?utm_source=email&utm_medium=email&utm_campaign=Mobile_Transactional_withad&utm_content=Deductible+Charge+",
"https://www.pornhub.com/gifs/search?search=tsara+lynn+brashears+lesbian [Apple Password Cracker]",
"http://alohatube.xyz/search/tsara-brashears/ [BotNet]",
"alohatube.xyz",
"https://www.anyxxxtube.net/search-porn/tsara-brashears/ [phishing]",
"www.studentaffairs.cmu.edu",
"3.0.8.6 Carnegie Mellon University [cmu.edu projects]",
"http://www.casos.cs.cmu.edu/projects/ora/software/3.0.8.6/ORA-NetScenes-gpt-iw-64.exe [cmu.edu projects]",
"googlepassword.cmu.edu",
"google.cmu.edu.",
"https://otx.alienvault.com/indicator/hostname/ww.google.com.uy"
],
"public": 1,
"adversary": "",
"targeted_countries": [
"United States of America"
],
"malware_families": [],
"attack_ids": [
{
"id": "T1588.004",
"name": "Digital Certificates",
"display_name": "T1588.004 - Digital Certificates"
},
{
"id": "T1129",
"name": "Shared Modules",
"display_name": "T1129 - Shared Modules"
},
{
"id": "T1106",
"name": "Native API",
"display_name": "T1106 - Native API"
},
{
"id": "T1546.015",
"name": "Component Object Model Hijacking",
"display_name": "T1546.015 - Component Object Model Hijacking"
},
{
"id": "T1036",
"name": "Masquerading",
"display_name": "T1036 - Masquerading"
},
{
"id": "T1140",
"name": "Deobfuscate/Decode Files or Information",
"display_name": "T1140 - Deobfuscate/Decode Files or Information"
},
{
"id": "T1027",
"name": "Obfuscated Files or Information",
"display_name": "T1027 - Obfuscated Files or Information"
},
{
"id": "T1057",
"name": "Process Discovery",
"display_name": "T1057 - Process Discovery"
},
{
"id": "T1012",
"name": "Query Registry",
"display_name": "T1012 - Query Registry"
},
{
"id": "T1082",
"name": "System Information Discovery",
"display_name": "T1082 - System Information Discovery"
},
{
"id": "T1083",
"name": "File and Directory Discovery",
"display_name": "T1083 - File and Directory Discovery"
},
{
"id": "T1114",
"name": "Email Collection",
"display_name": "T1114 - Email Collection"
},
{
"id": "T1071",
"name": "Application Layer Protocol",
"display_name": "T1071 - Application Layer Protocol"
},
{
"id": "T1071.003",
"name": "Mail Protocols",
"display_name": "T1071.003 - Mail Protocols"
},
{
"id": "T1071.001",
"name": "Web Protocols",
"display_name": "T1071.001 - Web Protocols"
},
{
"id": "T1071.004",
"name": "DNS",
"display_name": "T1071.004 - DNS"
},
{
"id": "T1105",
"name": "Ingress Tool Transfer",
"display_name": "T1105 - Ingress Tool Transfer"
}
],
"industries": [],
"TLP": "white",
"cloned_from": null,
"export_count": 26,
"upvotes_count": 0,
"downvotes_count": 0,
"votes_count": 0,
"locked": false,
"pulse_source": "web",
"validator_count": 0,
"comment_count": 1,
"follower_count": 0,
"vote": 0,
"author": {
"username": "OctoSeek",
"id": "243548",
"avatar_url": "/otxapi/users/avatar_image/media/avatars/user_243548/resized/80/avatar_3b9c358f36.png",
"is_subscribed": false,
"is_following": false
},
"indicator_type_counts": {
"FileHash-MD5": 82,
"FileHash-SHA1": 78,
"FileHash-SHA256": 1270,
"URL": 1188,
"domain": 242,
"hostname": 684,
"CVE": 2,
"CIDR": 1,
"email": 2
},
"indicator_count": 3549,
"is_author": false,
"is_subscribing": null,
"subscriber_count": 221,
"modified_text": "795 days ago ",
"is_modified": true,
"groups": [],
"in_group": false,
"threat_hunter_scannable": true,
"threat_hunter_has_agents": 1,
"related_indicator_type": "URL",
"related_indicator_is_active": 1
},
{
"id": "659719b77c383c73c05208a9",
"name": "Content Reputation | ET | Botnet | Targeting",
"description": "http://www.dvd-game-new-releases.info/skin/tsara-brashears-dead.akp",
"modified": "2024-02-03T19:04:07.916000",
"created": "2024-01-04T20:48:55.431000",
"tags": [
"ioc search",
"new ioc",
"teams api",
"contact",
"threat analyzer",
"threat",
"paste",
"iocs",
"urls http",
"ssl certificate",
"whois record",
"historical ssl",
"whois whois",
"apple ios",
"contacted",
"tsara brashears",
"whois",
"resolutions",
"password",
"hacktool",
"crypto",
"execution",
"emotet",
"installer",
"banker",
"keylogger",
"critical",
"copy",
"content reputation",
"et",
"submission",
"comodo valkyrie",
"verdict",
"bitdefender",
"history first",
"analysis",
"utc http",
"response final",
"url http",
"search",
"entries",
"passive dns",
"urls",
"record value",
"unknown",
"united",
"gmt content",
"dynamic report",
"0 report",
"date",
"accept",
"name servers",
"scan endpoints",
"all octoseek",
"pulse pulses",
"http",
"ip address",
"related nids",
"files location",
"http response",
"final url",
"serving ip",
"address",
"ipv4",
"files",
"location china",
"asn as45090",
"dns resolutions",
"twitter",
"log id",
"gmtn",
"tls web",
"encrypt",
"ca issuers",
"f20b201c",
"b467295d",
"b2931e3f",
"false",
"as15169 google",
"domain",
"msie",
"windows nt",
"wow64",
"slcc2",
"media center",
"create c",
"write c",
"read c",
"medium",
"next",
"dock",
"write",
"persistence",
"delete c",
"path",
"xport",
"default",
"years ago",
"modified",
"created",
"email",
"active created",
"white",
"filehash",
"memcommit",
"tlsv1",
"show",
"win32",
"malware",
"get na",
"systemroot",
"starizona",
"lscottsdale",
"creation date",
"emails",
"domain name",
"showing",
"pulse submit",
"amazon",
"server ca",
"b535",
"tulach",
"hallrender",
"hallgrand",
"briansabey",
"brian sabey",
"mark",
"mark brian sabey",
"mark sabey",
"cybercrime",
"cyber stalking",
"botnet",
"evader",
"hacker",
"targeting"
],
"references": [
"http://www.dvd-game-new-releases.info/skin/tsara-brashears-dead.akp",
"dvd-game-new-releases.info",
"1.116.217.151 [Cobalt Strike]",
"https://www.myminiweb.com/",
"https://www.pornhub.com/gifs/search?search=tsara+lynn+brashears+lesbian",
"https://wallpapers-nature.com/tsara-brashears/tse1-mm-bing-net",
"http://alohatube.xyz/search/tsara-brashears",
"vtbehaviour.commondatastorage.googleapis.com",
"https://www.sweetheartvideo.com/tsara-brashears/",
"https://www.anyxxxtube.net/search-porn/tsara-brashears/",
"https://wallpapers-nature.com/tsara-brashears/tse1-mm-bing-net",
"https://tulach.cc/",
"ns3.hallgrandsale.ru"
],
"public": 1,
"adversary": "",
"targeted_countries": [],
"malware_families": [
{
"id": "Content Reputation",
"display_name": "Content Reputation",
"target": null
},
{
"id": "ET",
"display_name": "ET",
"target": null
},
{
"id": "Emotet",
"display_name": "Emotet",
"target": null
},
{
"id": "Cobalt Strike",
"display_name": "Cobalt Strike",
"target": null
},
{
"id": "HallRender",
"display_name": "HallRender",
"target": null
},
{
"id": "HallGrand",
"display_name": "HallGrand",
"target": null
},
{
"id": "Tulach",
"display_name": "Tulach",
"target": null
}
],
"attack_ids": [
{
"id": "T1071",
"name": "Application Layer Protocol",
"display_name": "T1071 - Application Layer Protocol"
},
{
"id": "T1053",
"name": "Scheduled Task/Job",
"display_name": "T1053 - Scheduled Task/Job"
},
{
"id": "T1055",
"name": "Process Injection",
"display_name": "T1055 - Process Injection"
},
{
"id": "T1082",
"name": "System Information Discovery",
"display_name": "T1082 - System Information Discovery"
},
{
"id": "T1112",
"name": "Modify Registry",
"display_name": "T1112 - Modify Registry"
},
{
"id": "T1119",
"name": "Automated Collection",
"display_name": "T1119 - Automated Collection"
},
{
"id": "T1129",
"name": "Shared Modules",
"display_name": "T1129 - Shared Modules"
},
{
"id": "T1143",
"name": "Hidden Window",
"display_name": "T1143 - Hidden Window"
},
{
"id": "T1140",
"name": "Deobfuscate/Decode Files or Information",
"display_name": "T1140 - Deobfuscate/Decode Files or Information"
},
{
"id": "T1106",
"name": "Native API",
"display_name": "T1106 - Native API"
},
{
"id": "T1060",
"name": "Registry Run Keys / Startup Folder",
"display_name": "T1060 - Registry Run Keys / Startup Folder"
},
{
"id": "T1056.001",
"name": "Keylogging",
"display_name": "T1056.001 - Keylogging"
},
{
"id": "TA0001",
"name": "Initial Access",
"display_name": "TA0001 - Initial Access"
},
{
"id": "TA0002",
"name": "Execution",
"display_name": "TA0002 - Execution"
},
{
"id": "TA0003",
"name": "Persistence",
"display_name": "TA0003 - Persistence"
},
{
"id": "TA0004",
"name": "Privilege Escalation",
"display_name": "TA0004 - Privilege Escalation"
},
{
"id": "TA0006",
"name": "Credential Access",
"display_name": "TA0006 - Credential Access"
},
{
"id": "TA0007",
"name": "Discovery",
"display_name": "TA0007 - Discovery"
},
{
"id": "TA0008",
"name": "Lateral Movement",
"display_name": "TA0008 - Lateral Movement"
},
{
"id": "TA0009",
"name": "Collection",
"display_name": "TA0009 - Collection"
},
{
"id": "TA0010",
"name": "Exfiltration",
"display_name": "TA0010 - Exfiltration"
},
{
"id": "TA0011",
"name": "Command and Control",
"display_name": "TA0011 - Command and Control"
},
{
"id": "T1449",
"name": "Exploit SS7 to Redirect Phone Calls/SMS",
"display_name": "T1449 - Exploit SS7 to Redirect Phone Calls/SMS"
},
{
"id": "T1059",
"name": "Command and Scripting Interpreter",
"display_name": "T1059 - Command and Scripting Interpreter"
},
{
"id": "T1583.005",
"name": "Botnet",
"display_name": "T1583.005 - Botnet"
},
{
"id": "T1059.002",
"name": "AppleScript",
"display_name": "T1059.002 - AppleScript"
}
],
"industries": [],
"TLP": "white",
"cloned_from": null,
"export_count": 18,
"upvotes_count": 0,
"downvotes_count": 0,
"votes_count": 0,
"locked": false,
"pulse_source": "web",
"validator_count": 0,
"comment_count": 0,
"follower_count": 0,
"vote": 0,
"author": {
"username": "OctoSeek",
"id": "243548",
"avatar_url": "/otxapi/users/avatar_image/media/avatars/user_243548/resized/80/avatar_3b9c358f36.png",
"is_subscribed": false,
"is_following": false
},
"indicator_type_counts": {
"URL": 13324,
"FileHash-MD5": 718,
"FileHash-SHA1": 617,
"FileHash-SHA256": 5761,
"domain": 3501,
"hostname": 4475,
"CVE": 1,
"email": 3,
"SSLCertFingerprint": 11
},
"indicator_count": 28411,
"is_author": false,
"is_subscribing": null,
"subscriber_count": 222,
"modified_text": "806 days ago ",
"is_modified": true,
"groups": [],
"in_group": false,
"threat_hunter_scannable": true,
"threat_hunter_has_agents": 1,
"related_indicator_type": "URL",
"related_indicator_is_active": 1
},
{
"id": "65a7e6e042a968005f7a5552",
"name": "Content Reputation | ET | Botnet | Targeting",
"description": "",
"modified": "2024-02-03T19:04:07.916000",
"created": "2024-01-17T14:40:32.084000",
"tags": [
"ioc search",
"new ioc",
"teams api",
"contact",
"threat analyzer",
"threat",
"paste",
"iocs",
"urls http",
"ssl certificate",
"whois record",
"historical ssl",
"whois whois",
"apple ios",
"contacted",
"tsara brashears",
"whois",
"resolutions",
"password",
"hacktool",
"crypto",
"execution",
"emotet",
"installer",
"banker",
"keylogger",
"critical",
"copy",
"content reputation",
"et",
"submission",
"comodo valkyrie",
"verdict",
"bitdefender",
"history first",
"analysis",
"utc http",
"response final",
"url http",
"search",
"entries",
"passive dns",
"urls",
"record value",
"unknown",
"united",
"gmt content",
"dynamic report",
"0 report",
"date",
"accept",
"name servers",
"scan endpoints",
"all octoseek",
"pulse pulses",
"http",
"ip address",
"related nids",
"files location",
"http response",
"final url",
"serving ip",
"address",
"ipv4",
"files",
"location china",
"asn as45090",
"dns resolutions",
"twitter",
"log id",
"gmtn",
"tls web",
"encrypt",
"ca issuers",
"f20b201c",
"b467295d",
"b2931e3f",
"false",
"as15169 google",
"domain",
"msie",
"windows nt",
"wow64",
"slcc2",
"media center",
"create c",
"write c",
"read c",
"medium",
"next",
"dock",
"write",
"persistence",
"delete c",
"path",
"xport",
"default",
"years ago",
"modified",
"created",
"email",
"active created",
"white",
"filehash",
"memcommit",
"tlsv1",
"show",
"win32",
"malware",
"get na",
"systemroot",
"starizona",
"lscottsdale",
"creation date",
"emails",
"domain name",
"showing",
"pulse submit",
"amazon",
"server ca",
"b535",
"tulach",
"hallrender",
"hallgrand",
"briansabey",
"brian sabey",
"mark",
"mark brian sabey",
"mark sabey",
"cybercrime",
"cyber stalking",
"botnet",
"evader",
"hacker",
"targeting"
],
"references": [
"http://www.dvd-game-new-releases.info/skin/tsara-brashears-dead.akp",
"dvd-game-new-releases.info",
"1.116.217.151 [Cobalt Strike]",
"https://www.myminiweb.com/",
"https://www.pornhub.com/gifs/search?search=tsara+lynn+brashears+lesbian",
"https://wallpapers-nature.com/tsara-brashears/tse1-mm-bing-net",
"http://alohatube.xyz/search/tsara-brashears",
"vtbehaviour.commondatastorage.googleapis.com",
"https://www.sweetheartvideo.com/tsara-brashears/",
"https://www.anyxxxtube.net/search-porn/tsara-brashears/",
"https://wallpapers-nature.com/tsara-brashears/tse1-mm-bing-net",
"https://tulach.cc/",
"ns3.hallgrandsale.ru"
],
"public": 1,
"adversary": "",
"targeted_countries": [],
"malware_families": [
{
"id": "Content Reputation",
"display_name": "Content Reputation",
"target": null
},
{
"id": "ET",
"display_name": "ET",
"target": null
},
{
"id": "Emotet",
"display_name": "Emotet",
"target": null
},
{
"id": "Cobalt Strike",
"display_name": "Cobalt Strike",
"target": null
},
{
"id": "HallRender",
"display_name": "HallRender",
"target": null
},
{
"id": "HallGrand",
"display_name": "HallGrand",
"target": null
},
{
"id": "Tulach",
"display_name": "Tulach",
"target": null
}
],
"attack_ids": [
{
"id": "T1071",
"name": "Application Layer Protocol",
"display_name": "T1071 - Application Layer Protocol"
},
{
"id": "T1053",
"name": "Scheduled Task/Job",
"display_name": "T1053 - Scheduled Task/Job"
},
{
"id": "T1055",
"name": "Process Injection",
"display_name": "T1055 - Process Injection"
},
{
"id": "T1082",
"name": "System Information Discovery",
"display_name": "T1082 - System Information Discovery"
},
{
"id": "T1112",
"name": "Modify Registry",
"display_name": "T1112 - Modify Registry"
},
{
"id": "T1119",
"name": "Automated Collection",
"display_name": "T1119 - Automated Collection"
},
{
"id": "T1129",
"name": "Shared Modules",
"display_name": "T1129 - Shared Modules"
},
{
"id": "T1143",
"name": "Hidden Window",
"display_name": "T1143 - Hidden Window"
},
{
"id": "T1140",
"name": "Deobfuscate/Decode Files or Information",
"display_name": "T1140 - Deobfuscate/Decode Files or Information"
},
{
"id": "T1106",
"name": "Native API",
"display_name": "T1106 - Native API"
},
{
"id": "T1060",
"name": "Registry Run Keys / Startup Folder",
"display_name": "T1060 - Registry Run Keys / Startup Folder"
},
{
"id": "T1056.001",
"name": "Keylogging",
"display_name": "T1056.001 - Keylogging"
},
{
"id": "TA0001",
"name": "Initial Access",
"display_name": "TA0001 - Initial Access"
},
{
"id": "TA0002",
"name": "Execution",
"display_name": "TA0002 - Execution"
},
{
"id": "TA0003",
"name": "Persistence",
"display_name": "TA0003 - Persistence"
},
{
"id": "TA0004",
"name": "Privilege Escalation",
"display_name": "TA0004 - Privilege Escalation"
},
{
"id": "TA0006",
"name": "Credential Access",
"display_name": "TA0006 - Credential Access"
},
{
"id": "TA0007",
"name": "Discovery",
"display_name": "TA0007 - Discovery"
},
{
"id": "TA0008",
"name": "Lateral Movement",
"display_name": "TA0008 - Lateral Movement"
},
{
"id": "TA0009",
"name": "Collection",
"display_name": "TA0009 - Collection"
},
{
"id": "TA0010",
"name": "Exfiltration",
"display_name": "TA0010 - Exfiltration"
},
{
"id": "TA0011",
"name": "Command and Control",
"display_name": "TA0011 - Command and Control"
},
{
"id": "T1449",
"name": "Exploit SS7 to Redirect Phone Calls/SMS",
"display_name": "T1449 - Exploit SS7 to Redirect Phone Calls/SMS"
},
{
"id": "T1059",
"name": "Command and Scripting Interpreter",
"display_name": "T1059 - Command and Scripting Interpreter"
},
{
"id": "T1583.005",
"name": "Botnet",
"display_name": "T1583.005 - Botnet"
},
{
"id": "T1059.002",
"name": "AppleScript",
"display_name": "T1059.002 - AppleScript"
}
],
"industries": [],
"TLP": "white",
"cloned_from": "659719b77c383c73c05208a9",
"export_count": 18,
"upvotes_count": 0,
"downvotes_count": 0,
"votes_count": 0,
"locked": false,
"pulse_source": "web",
"validator_count": 0,
"comment_count": 0,
"follower_count": 0,
"vote": 0,
"author": {
"username": "OctoSeek",
"id": "243548",
"avatar_url": "/otxapi/users/avatar_image/media/avatars/user_243548/resized/80/avatar_3b9c358f36.png",
"is_subscribed": false,
"is_following": false
},
"indicator_type_counts": {
"URL": 13324,
"FileHash-MD5": 718,
"FileHash-SHA1": 617,
"FileHash-SHA256": 5761,
"domain": 3501,
"hostname": 4475,
"CVE": 1,
"email": 3,
"SSLCertFingerprint": 11
},
"indicator_count": 28411,
"is_author": false,
"is_subscribing": null,
"subscriber_count": 223,
"modified_text": "806 days ago ",
"is_modified": true,
"groups": [],
"in_group": false,
"threat_hunter_scannable": true,
"threat_hunter_has_agents": 1,
"related_indicator_type": "URL",
"related_indicator_is_active": 1
},
{
"id": "65bc13594cf21dbe00b94807",
"name": "Tsara Brashears Dead campaign | ET | Emotet Botnet | Injection",
"description": "",
"modified": "2024-02-03T19:04:07.916000",
"created": "2024-02-01T21:55:37.581000",
"tags": [
"ioc search",
"new ioc",
"teams api",
"contact",
"threat analyzer",
"threat",
"paste",
"iocs",
"urls http",
"ssl certificate",
"whois record",
"historical ssl",
"whois whois",
"apple ios",
"contacted",
"tsara brashears",
"whois",
"resolutions",
"password",
"hacktool",
"crypto",
"execution",
"emotet",
"installer",
"banker",
"keylogger",
"critical",
"copy",
"content reputation",
"et",
"submission",
"comodo valkyrie",
"verdict",
"bitdefender",
"history first",
"analysis",
"utc http",
"response final",
"url http",
"search",
"entries",
"passive dns",
"urls",
"record value",
"unknown",
"united",
"gmt content",
"dynamic report",
"0 report",
"date",
"accept",
"name servers",
"scan endpoints",
"all octoseek",
"pulse pulses",
"http",
"ip address",
"related nids",
"files location",
"http response",
"final url",
"serving ip",
"address",
"ipv4",
"files",
"location china",
"asn as45090",
"dns resolutions",
"twitter",
"log id",
"gmtn",
"tls web",
"encrypt",
"ca issuers",
"f20b201c",
"b467295d",
"b2931e3f",
"false",
"as15169 google",
"domain",
"msie",
"windows nt",
"wow64",
"slcc2",
"media center",
"create c",
"write c",
"read c",
"medium",
"next",
"dock",
"write",
"persistence",
"delete c",
"path",
"xport",
"default",
"years ago",
"modified",
"created",
"email",
"active created",
"white",
"filehash",
"memcommit",
"tlsv1",
"show",
"win32",
"malware",
"get na",
"systemroot",
"starizona",
"lscottsdale",
"creation date",
"emails",
"domain name",
"showing",
"pulse submit",
"amazon",
"server ca",
"b535",
"tulach",
"hallrender",
"hallgrand",
"briansabey",
"brian sabey",
"mark",
"mark brian sabey",
"mark sabey",
"cybercrime",
"cyber stalking",
"botnet",
"evader",
"hacker",
"targeting"
],
"references": [
"http://www.dvd-game-new-releases.info/skin/tsara-brashears-dead.akp",
"dvd-game-new-releases.info",
"1.116.217.151 [Cobalt Strike]",
"https://www.myminiweb.com/",
"https://www.pornhub.com/gifs/search?search=tsara+lynn+brashears+lesbian",
"https://wallpapers-nature.com/tsara-brashears/tse1-mm-bing-net",
"http://alohatube.xyz/search/tsara-brashears",
"vtbehaviour.commondatastorage.googleapis.com",
"https://www.sweetheartvideo.com/tsara-brashears/",
"https://www.anyxxxtube.net/search-porn/tsara-brashears/",
"https://wallpapers-nature.com/tsara-brashears/tse1-mm-bing-net",
"https://tulach.cc/",
"ns3.hallgrandsale.ru"
],
"public": 1,
"adversary": "",
"targeted_countries": [],
"malware_families": [
{
"id": "Content Reputation",
"display_name": "Content Reputation",
"target": null
},
{
"id": "ET",
"display_name": "ET",
"target": null
},
{
"id": "Emotet",
"display_name": "Emotet",
"target": null
},
{
"id": "Cobalt Strike",
"display_name": "Cobalt Strike",
"target": null
},
{
"id": "HallRender",
"display_name": "HallRender",
"target": null
},
{
"id": "HallGrand",
"display_name": "HallGrand",
"target": null
},
{
"id": "Tulach",
"display_name": "Tulach",
"target": null
}
],
"attack_ids": [
{
"id": "T1071",
"name": "Application Layer Protocol",
"display_name": "T1071 - Application Layer Protocol"
},
{
"id": "T1053",
"name": "Scheduled Task/Job",
"display_name": "T1053 - Scheduled Task/Job"
},
{
"id": "T1055",
"name": "Process Injection",
"display_name": "T1055 - Process Injection"
},
{
"id": "T1082",
"name": "System Information Discovery",
"display_name": "T1082 - System Information Discovery"
},
{
"id": "T1112",
"name": "Modify Registry",
"display_name": "T1112 - Modify Registry"
},
{
"id": "T1119",
"name": "Automated Collection",
"display_name": "T1119 - Automated Collection"
},
{
"id": "T1129",
"name": "Shared Modules",
"display_name": "T1129 - Shared Modules"
},
{
"id": "T1143",
"name": "Hidden Window",
"display_name": "T1143 - Hidden Window"
},
{
"id": "T1140",
"name": "Deobfuscate/Decode Files or Information",
"display_name": "T1140 - Deobfuscate/Decode Files or Information"
},
{
"id": "T1106",
"name": "Native API",
"display_name": "T1106 - Native API"
},
{
"id": "T1060",
"name": "Registry Run Keys / Startup Folder",
"display_name": "T1060 - Registry Run Keys / Startup Folder"
},
{
"id": "T1056.001",
"name": "Keylogging",
"display_name": "T1056.001 - Keylogging"
},
{
"id": "TA0001",
"name": "Initial Access",
"display_name": "TA0001 - Initial Access"
},
{
"id": "TA0002",
"name": "Execution",
"display_name": "TA0002 - Execution"
},
{
"id": "TA0003",
"name": "Persistence",
"display_name": "TA0003 - Persistence"
},
{
"id": "TA0004",
"name": "Privilege Escalation",
"display_name": "TA0004 - Privilege Escalation"
},
{
"id": "TA0006",
"name": "Credential Access",
"display_name": "TA0006 - Credential Access"
},
{
"id": "TA0007",
"name": "Discovery",
"display_name": "TA0007 - Discovery"
},
{
"id": "TA0008",
"name": "Lateral Movement",
"display_name": "TA0008 - Lateral Movement"
},
{
"id": "TA0009",
"name": "Collection",
"display_name": "TA0009 - Collection"
},
{
"id": "TA0010",
"name": "Exfiltration",
"display_name": "TA0010 - Exfiltration"
},
{
"id": "TA0011",
"name": "Command and Control",
"display_name": "TA0011 - Command and Control"
},
{
"id": "T1449",
"name": "Exploit SS7 to Redirect Phone Calls/SMS",
"display_name": "T1449 - Exploit SS7 to Redirect Phone Calls/SMS"
},
{
"id": "T1059",
"name": "Command and Scripting Interpreter",
"display_name": "T1059 - Command and Scripting Interpreter"
},
{
"id": "T1583.005",
"name": "Botnet",
"display_name": "T1583.005 - Botnet"
},
{
"id": "T1059.002",
"name": "AppleScript",
"display_name": "T1059.002 - AppleScript"
}
],
"industries": [],
"TLP": "white",
"cloned_from": "65b85faa9b8e3e1206d7f25c",
"export_count": 6,
"upvotes_count": 0,
"downvotes_count": 0,
"votes_count": 0,
"locked": false,
"pulse_source": "web",
"validator_count": 0,
"comment_count": 1,
"follower_count": 0,
"vote": 0,
"author": {
"username": "OctoSeek",
"id": "243548",
"avatar_url": "/otxapi/users/avatar_image/media/avatars/user_243548/resized/80/avatar_3b9c358f36.png",
"is_subscribed": false,
"is_following": false
},
"indicator_type_counts": {
"URL": 13324,
"FileHash-MD5": 718,
"FileHash-SHA1": 617,
"FileHash-SHA256": 5761,
"domain": 3501,
"hostname": 4475,
"CVE": 1,
"email": 3,
"SSLCertFingerprint": 11
},
"indicator_count": 28411,
"is_author": false,
"is_subscribing": null,
"subscriber_count": 223,
"modified_text": "806 days ago ",
"is_modified": true,
"groups": [],
"in_group": false,
"threat_hunter_scannable": true,
"threat_hunter_has_agents": 1,
"related_indicator_type": "URL",
"related_indicator_is_active": 1
},
{
"id": "658a2b6cfdcfeec5db5f31a1",
"name": "Apple Retail: DNSpionage | CNC Server| Injection | Remote Process Writes",
"description": "It's best to update, transfer data, and activate device over safe, trusted, private internet. Bot Networks and DNS Espionage positive. Very malicious with ability to compromise every network as compromised device logs into spreading an incredibly large, very malicious ongoing cyber \nwarfare attack. Command and control server.",
"modified": "2024-01-25T01:03:33.919000",
"created": "2023-12-26T01:25:00.119000",
"tags": [
"Ghost RAT",
"WebToolbar",
"Nanocore RAT",
"GameHack",
"Cobalt Strike",
"RedlineStealer",
"HallGrand",
"InstallCore",
"InstallBrain",
"Emotet",
"Tofsee",
"InMortal",
"Bradesco",
"Agent Tesla",
"Mitre",
"Pyscpa",
"TrojanSpy",
"SuppoBox",
"Occamy",
"DNSPIONAGE",
"Stealer",
"Password",
"Apple",
"Retail",
"Cherry Creek Colorado",
"Bot Networks",
"Ghost RAT",
"Networm"
],
"references": [],
"public": 1,
"adversary": "",
"targeted_countries": [],
"malware_families": [],
"attack_ids": [],
"industries": [],
"TLP": "white",
"cloned_from": null,
"export_count": 33,
"upvotes_count": 0,
"downvotes_count": 0,
"votes_count": 0,
"locked": false,
"pulse_source": "web",
"validator_count": 0,
"comment_count": 0,
"follower_count": 0,
"vote": 0,
"author": {
"username": "OctoSeek",
"id": "243548",
"avatar_url": "/otxapi/users/avatar_image/media/avatars/user_243548/resized/80/avatar_3b9c358f36.png",
"is_subscribed": false,
"is_following": false
},
"indicator_type_counts": {
"FileHash-MD5": 7996,
"FileHash-SHA1": 3921,
"FileHash-SHA256": 5341,
"hostname": 2108,
"domain": 1005,
"URL": 5635,
"CIDR": 2,
"CVE": 21,
"email": 28
},
"indicator_count": 26057,
"is_author": false,
"is_subscribing": null,
"subscriber_count": 219,
"modified_text": "815 days ago ",
"is_modified": true,
"groups": [],
"in_group": false,
"threat_hunter_scannable": true,
"threat_hunter_has_agents": 1,
"related_indicator_type": "URL",
"related_indicator_is_active": 1
},
{
"id": "658a2b70d4e5f1b1267a5a45",
"name": "Apple Retail: DNSpionage | CNC Server| Injection | Remote Process Writes",
"description": "It's best to update, transfer data, and activate device over safe, trusted, private internet. Bot Networks and DNS Espionage positive. Very malicious with ability to compromise every network as compromised device logs into spreading an incredibly large, very malicious ongoing cyber \nwarfare attack. Command and control server.",
"modified": "2024-01-25T01:03:33.919000",
"created": "2023-12-26T01:25:04.914000",
"tags": [
"Ghost RAT",
"WebToolbar",
"Nanocore RAT",
"GameHack",
"Cobalt Strike",
"RedlineStealer",
"HallGrand",
"InstallCore",
"InstallBrain",
"Emotet",
"Tofsee",
"InMortal",
"Bradesco",
"Agent Tesla",
"Mitre",
"Pyscpa",
"TrojanSpy",
"SuppoBox",
"Occamy",
"DNSPIONAGE",
"Stealer",
"Password",
"Apple",
"Retail",
"Cherry Creek Colorado",
"Bot Networks",
"Ghost RAT",
"Networm"
],
"references": [],
"public": 1,
"adversary": "",
"targeted_countries": [],
"malware_families": [],
"attack_ids": [],
"industries": [],
"TLP": "white",
"cloned_from": null,
"export_count": 34,
"upvotes_count": 0,
"downvotes_count": 0,
"votes_count": 0,
"locked": false,
"pulse_source": "web",
"validator_count": 0,
"comment_count": 0,
"follower_count": 0,
"vote": 0,
"author": {
"username": "OctoSeek",
"id": "243548",
"avatar_url": "/otxapi/users/avatar_image/media/avatars/user_243548/resized/80/avatar_3b9c358f36.png",
"is_subscribed": false,
"is_following": false
},
"indicator_type_counts": {
"FileHash-MD5": 7996,
"FileHash-SHA1": 3921,
"FileHash-SHA256": 5341,
"hostname": 2108,
"domain": 1005,
"URL": 5635,
"CIDR": 2,
"CVE": 21,
"email": 28
},
"indicator_count": 26057,
"is_author": false,
"is_subscribing": null,
"subscriber_count": 219,
"modified_text": "815 days ago ",
"is_modified": true,
"groups": [],
"in_group": false,
"threat_hunter_scannable": true,
"threat_hunter_has_agents": 1,
"related_indicator_type": "URL",
"related_indicator_is_active": 1
},
{
"id": "658ca31a0720e83e8630677d",
"name": "Apple Retail: DNSpionage | CNC Server| Injection | Remote Process [OctoSeek]",
"description": "",
"modified": "2024-01-25T01:03:33.919000",
"created": "2023-12-27T22:20:10.878000",
"tags": [
"Ghost RAT",
"WebToolbar",
"Nanocore RAT",
"GameHack",
"Cobalt Strike",
"RedlineStealer",
"HallGrand",
"InstallCore",
"InstallBrain",
"Emotet",
"Tofsee",
"InMortal",
"Bradesco",
"Agent Tesla",
"Mitre",
"Pyscpa",
"TrojanSpy",
"SuppoBox",
"Occamy",
"DNSPIONAGE",
"Stealer",
"Password",
"Apple",
"Retail",
"Cherry Creek Colorado",
"Bot Networks",
"Ghost RAT",
"Networm"
],
"references": [],
"public": 1,
"adversary": "",
"targeted_countries": [],
"malware_families": [],
"attack_ids": [],
"industries": [],
"TLP": "white",
"cloned_from": "658a2b6cfdcfeec5db5f31a1",
"export_count": 28,
"upvotes_count": 0,
"downvotes_count": 0,
"votes_count": 0,
"locked": false,
"pulse_source": "web",
"validator_count": 0,
"comment_count": 0,
"follower_count": 0,
"vote": 0,
"author": {
"username": "scoreblue",
"id": "254100",
"avatar_url": "/otxapi/users/avatar_image/media/avatars/user_254100/resized/80/avatar_3b9c358f36.png",
"is_subscribed": false,
"is_following": false
},
"indicator_type_counts": {
"FileHash-MD5": 7996,
"FileHash-SHA1": 3921,
"FileHash-SHA256": 5341,
"hostname": 2108,
"domain": 1005,
"URL": 5635,
"CIDR": 2,
"CVE": 21,
"email": 28
},
"indicator_count": 26057,
"is_author": false,
"is_subscribing": null,
"subscriber_count": 226,
"modified_text": "815 days ago ",
"is_modified": true,
"groups": [],
"in_group": false,
"threat_hunter_scannable": true,
"threat_hunter_has_agents": 1,
"related_indicator_type": "URL",
"related_indicator_is_active": 1
},
{
"id": "658303b7e2b4417d9e24a7cc",
"name": "Reddit Honeypot | Cyber Defense Firm Attack",
"description": "",
"modified": "2024-01-19T12:02:13.495000",
"created": "2023-12-20T15:09:43.783000",
"tags": [
"pattern match",
"et tor",
"known tor",
"relayrouter",
"exit",
"node traffic",
"misc attack",
"sha1",
"sha256",
"runtime process",
"date",
"unknown",
"error",
"path",
"class",
"generator",
"critical",
"meta",
"hybrid",
"general",
"local",
"click",
"strings",
"accept",
"url http",
"filehashmd5",
"url https",
"search otx",
"octoseek report",
"spam author",
"reddit",
"tulach c2",
"created",
"minutes ago",
"added active",
"related pulses",
"am",
"no expiration",
"indicator role",
"pulses url",
"showing",
"entries",
"dded active",
"copyright",
"reserved",
"cve cve20170199",
"win32 exe",
"android",
"http response",
"final url",
"ip address",
"status code",
"body length",
"kb body",
"headers",
"manager",
"files",
"detections type",
"name",
"lord krishna",
"right",
"tjprojmain",
"windows",
"secure",
"headers nel",
"ssl certificate",
"whois whois",
"historical ssl",
"referrer",
"logistics",
"cyber defense",
"firm collection",
"ioc honeypot",
"list for",
"malware",
"open",
"attack",
"contacted",
"dropped",
"bundled",
"problems",
"whois record",
"domains",
"execution",
"agent tesla",
"azorult",
"project",
"startpage",
"vhash",
"authentihash",
"imphash",
"rich pe",
"ssdeep",
"file type",
"magic pe32",
"installer",
"compiler",
"nsis",
"serial number",
"g4 code",
"signing rsa4096",
"sha384",
"root g4",
"valid from",
"algorithm",
"thumbprint",
"fast corporate",
"from",
"pe resource",
"collection",
"vt graph",
"paulsmith",
"apple tv",
"apple music",
"$RTD4NQU.exe",
"no data",
"tag count",
"ioc search",
"new ioc",
"teams api",
"contact",
"search",
"iocs",
"summary",
"nisis",
"executable",
"ms windows",
"trid win64",
"generic",
"sections",
"sha256 file",
"type type",
"chi2",
"dkey english",
"xml rtmanifest",
"english us",
"overlay",
"learn",
"botnet",
"honeypot",
"ejkaej saBey k7-^Oa"
],
"references": [
"https://www.reddit.com/user/",
"https://www.virustotal.com/gui/url/6a627ce5fd6be7b3c0b5637e6b1facfa92c279d25ff9b1f50fe131c91591d804/summary",
"Gowi Live Bot.exe",
"https://www.virustotal.com/gui/file/2ab9e32cd78f2b538c36f145b790f78f1262bcfcf1a5d6d019e7a2a151a24424/summary",
"https://www.hybrid-analysis.com/sample/d4f0fd95f42482e96d982df3d538f67ee9c8756834486dd2cf33e1679c90af50/65812fd9a34bc52aac0b910f",
"nr-data.net [New Relic Tracking | Apple Private Data Collection]",
"[w and w.o https] applemusic-spotlight.myunidays.com [Multilingual Portable.exe Apple music compromise]",
"tv.apple.com [Apple Backdoor| Attack | Hacking]",
"name-playatoms-pa.googleapis.com [ nr-data Apple tv tracking]",
"browser.events.data.msn.com | events-sandbox.data.msn.com",
"https://tulach.cc/ [phishing attacks]",
"tulach.cc [AM | phishing]",
"$RTD4NQU.exe - Sigma Rule: Audit Policy Tampering Via Auditpolicy",
"$RTD4NQU.exe - Yara rule: INDICATOR TOOL UAC NSISUAC",
"3.163.189.120 [Tracking]",
"86.140.232.148 [scanning_host]",
"https://seedbeej.pk/tin/index.php?QBOT.zip. [ phishing plus]",
"http://iyfsearch.com/&ap=67&be=203&fe=198&dc=198&perf= [phishing]",
"checkip.dyndns.org [command_and_control]",
"104.86.182.8 [command_and_control]",
"103.224.182.253 [command_and_control]",
"103.224.182.246 [command_and_control]",
"www.supernetforme.com [command_and_control]",
"rp.downloadastrocdn.com [command_and_control]",
"ddos.dnsnb8.net [command_and_control]"
],
"public": 1,
"adversary": "",
"targeted_countries": [
"United States of America"
],
"malware_families": [
{
"id": "AM",
"display_name": "AM",
"target": null
},
{
"id": "Agent Tesla",
"display_name": "Agent Tesla",
"target": null
},
{
"id": "Malware",
"display_name": "Malware",
"target": null
},
{
"id": "Tulach Malware",
"display_name": "Tulach Malware",
"target": null
},
{
"id": "adware.pcappstore/veryfast",
"display_name": "adware.pcappstore/veryfast",
"target": null
},
{
"id": "NSIS",
"display_name": "NSIS",
"target": null
},
{
"id": "Static AI - Malicious PE",
"display_name": "Static AI - Malicious PE",
"target": null
},
{
"id": "HoneyPot",
"display_name": "HoneyPot",
"target": null
}
],
"attack_ids": [
{
"id": "T1059",
"name": "Command and Scripting Interpreter",
"display_name": "T1059 - Command and Scripting Interpreter"
},
{
"id": "T1071",
"name": "Application Layer Protocol",
"display_name": "T1071 - Application Layer Protocol"
},
{
"id": "T1105",
"name": "Ingress Tool Transfer",
"display_name": "T1105 - Ingress Tool Transfer"
},
{
"id": "T1497",
"name": "Virtualization/Sandbox Evasion",
"display_name": "T1497 - Virtualization/Sandbox Evasion"
},
{
"id": "T1027",
"name": "Obfuscated Files or Information",
"display_name": "T1027 - Obfuscated Files or Information"
},
{
"id": "T1059.007",
"name": "JavaScript",
"display_name": "T1059.007 - JavaScript"
},
{
"id": "T1114",
"name": "Email Collection",
"display_name": "T1114 - Email Collection"
},
{
"id": "TA0011",
"name": "Command and Control",
"display_name": "TA0011 - Command and Control"
},
{
"id": "T1583.005",
"name": "Botnet",
"display_name": "T1583.005 - Botnet"
}
],
"industries": [],
"TLP": "white",
"cloned_from": null,
"export_count": 37,
"upvotes_count": 0,
"downvotes_count": 0,
"votes_count": 0,
"locked": false,
"pulse_source": "web",
"validator_count": 0,
"comment_count": 0,
"follower_count": 0,
"vote": 0,
"author": {
"username": "OctoSeek",
"id": "243548",
"avatar_url": "/otxapi/users/avatar_image/media/avatars/user_243548/resized/80/avatar_3b9c358f36.png",
"is_subscribed": false,
"is_following": false
},
"indicator_type_counts": {
"FileHash-MD5": 392,
"FileHash-SHA1": 374,
"FileHash-SHA256": 5560,
"URL": 7433,
"domain": 1461,
"hostname": 2463,
"CVE": 3,
"email": 1
},
"indicator_count": 17687,
"is_author": false,
"is_subscribing": null,
"subscriber_count": 220,
"modified_text": "821 days ago ",
"is_modified": true,
"groups": [],
"in_group": false,
"threat_hunter_scannable": true,
"threat_hunter_has_agents": 1,
"related_indicator_type": "URL",
"related_indicator_is_active": 1
},
{
"id": "65a48b6ea16eeb6b54dfad7c",
"name": "https://neca.omeclk.com/portal/wts/uc^cn^ejkaejsaBeyk7-^Oa | Brian Sabey dangerous obsession with Tsara Brashears",
"description": "",
"modified": "2024-01-15T01:33:34.790000",
"created": "2024-01-15T01:33:34.790000",
"tags": [
"cisco umbrella",
"site",
"alexa top",
"emotet",
"telefonica co",
"million",
"malware",
"detection list",
"blacklist",
"alexa",
"installcore",
"heur",
"cyber threat",
"united",
"phishing",
"engineering",
"phishing site",
"team phishing",
"spammer",
"malicious site",
"team",
"download",
"cobalt strike",
"facebook",
"artemis",
"pony",
"binder",
"suppobox",
"virut",
"ramnit",
"dropper",
"formbook",
"azorult",
"simda",
"downloader",
"service",
"bank",
"zbot",
"trojanspy",
"heodo",
"hostname",
"hostnames",
"whois record",
"kgs0",
"kls0",
"apple ios",
"tsara brashears",
"ssl certificate",
"elf collection",
"cyberstalking",
"spyware",
"hackers",
"installer",
"open",
"banker",
"keylogger",
"malicious",
"hacktool",
"core",
"noname057",
"generic malware",
"safe site",
"malware site",
"iframe",
"riskware",
"exploit",
"fakealert",
"unsafe",
"acint",
"win64",
"nircmd",
"agent",
"opencandy",
"conduit",
"swrort",
"crack",
"installpack",
"xtrat",
"psexec",
"occamy",
"brontok",
"zpevdo",
"startpage",
"nanocore",
"keygen",
"fareit",
"secrisk",
"unruy",
"filetour",
"floxif",
"cleaner",
"patcher",
"adload",
"presenoker",
"wacatac",
"fusioncore",
"genkryptik",
"webtoolbar",
"maltiverse",
"smokeloader",
"download json",
"urls",
"blacklist http",
"kyriazhs1975",
"vidar",
"strike",
"china cobalt",
"meterpreter",
"nanocore rat",
"njrat",
"redline stealer",
"stealer",
"nymaim",
"mirai",
"ghost rat",
"runescape",
"bradesco",
"msil",
"bladabindi",
"orkut",
"cutwail",
"bandoo",
"matsnu",
"inmortal",
"domains",
"redline",
"control server",
"services",
"generic",
"br",
"threat report",
"ip summary",
"url summary",
"summary",
"sample",
"samples",
"squirrelwaffle",
"soc http",
"soc https",
"back",
"download csv",
"json sample",
"injector",
"malicious url",
"downldr",
"covid19 scam",
"historical ssl",
"referrer",
"contacted",
"whois whois",
"contacted urls",
"whois sslcert",
"threat roundup",
"copy",
"august",
"execution",
"ransomware",
"gopher",
"remcos",
"attack",
"radar ineractive",
"paypal",
"covid19",
"phishing chase",
"phishing google",
"tracker malware",
"chase personal",
"banking",
"javascript",
"please",
"cnc server",
"tracker",
"cnc feodo",
"phishtank",
"threats et",
"name verdict",
"falcon sandbox",
"pattern match",
"file",
"ascii text",
"indicator",
"windows nt",
"jpeg image",
"appdata",
"jfif standard",
"script",
"show",
"date",
"span",
"unknown",
"general",
"hybrid",
"local",
"click",
"strings",
"class",
"generator",
"critical",
"error",
"path",
"http header",
"tcp traffic",
"mitre att",
"ck id",
"show technique",
"ck matrix",
"accept",
"adware",
"ip address",
"hsbc",
"outbreak",
"downer",
"shell",
"mediamagnet",
"sality",
"adaptivebee",
"iobit",
"trojanx",
"webshell",
"systweak",
"behav",
"tiggre",
"runtime process",
"sha256",
"sha1",
"mark brian sabey",
"brian sabey",
"sabey",
"apple",
"114.114.114.114",
"attorney",
"law",
"spammer",
"fraud service",
"hallrender",
"malvertizing",
"cybercrime",
"social engineering",
"malware hosting",
"cyber threat",
"iphone unlocker",
"malicious",
"attacker",
"tulach",
"tulach.cc",
"adult content",
"child pornographer",
"sabey data centers",
"hall render denver",
"monitoring",
"stalker",
"dev",
"developer",
"cyber harassment",
"defacement",
"death threats",
"miner",
"agenttesla",
"trojan",
"detplock",
"networm",
"rms",
"sneaky server",
"replacement",
"unauthorized",
"steam route",
"tool",
"probe",
"safebae.org",
"safebae",
"daisy",
"daisy coleman",
"benjamin",
"colorado",
"missouri",
"telefonica",
"boost mobile",
"blackievirus.com",
"TrojanX",
"metro t-mobile",
"t-mobile",
"mile high media",
"CNC",
"C2",
"malware host",
"yixun"
],
"references": [
"https://hybrid-analysis.com/sample/a1b9247b6ad18f1cda0304e406333459d4000fced5753f91e5c046f6577c388a",
"https://www.hallrender.com/attorney/brian-sabey",
"safebae.org",
"poemhunter.com",
"http://www.hallrender.com/resources/blog/",
"http://benjamin.xww.de/",
"http://alohatube.xyz/search/tsara-brashears",
"https://www.anyxxxtube.net/search-porn/tsara-brashears/",
"https://www.pornhub.com/gifs/search?search=tsara+lynn+brashears+lesbian",
"Hybrid Analysis",
"wTools",
"Research"
],
"public": 1,
"adversary": "Tulach | Mark Brian Sabey | Hall Render Law Firm",
"targeted_countries": [
"United States of America",
"Japan"
],
"malware_families": [
{
"id": "TrojanSpy",
"display_name": "TrojanSpy",
"target": null
},
{
"id": "WebToolbar",
"display_name": "WebToolbar",
"target": null
},
{
"id": "Maltiverse",
"display_name": "Maltiverse",
"target": null
},
{
"id": "Inmortal",
"display_name": "Inmortal",
"target": null
},
{
"id": "Domains",
"display_name": "Domains",
"target": null
},
{
"id": "RedLine",
"display_name": "RedLine",
"target": null
},
{
"id": "BR",
"display_name": "BR",
"target": null
},
{
"id": "Radar Ineractive",
"display_name": "Radar Ineractive",
"target": null
},
{
"id": "HSBC",
"display_name": "HSBC",
"target": null
},
{
"id": "RMS",
"display_name": "RMS",
"target": null
},
{
"id": "Feodo Tracker",
"display_name": "Feodo Tracker",
"target": null
},
{
"id": "Wacatac",
"display_name": "Wacatac",
"target": null
},
{
"id": "Zpevdo",
"display_name": "Zpevdo",
"target": null
},
{
"id": "Zbot",
"display_name": "Zbot",
"target": null
},
{
"id": "OpenCandy",
"display_name": "OpenCandy",
"target": null
},
{
"id": "xRAT",
"display_name": "xRAT",
"target": null
},
{
"id": "Vidar",
"display_name": "Vidar",
"target": null
},
{
"id": "Agent Tesla",
"display_name": "Agent Tesla",
"target": null
},
{
"id": "noname057",
"display_name": "noname057",
"target": null
},
{
"id": "TrojanSpy",
"display_name": "TrojanSpy",
"target": null
},
{
"id": "DarkSide .Beware",
"display_name": "DarkSide .Beware",
"target": null
},
{
"id": "Nymaim",
"display_name": "Nymaim",
"target": null
},
{
"id": "SLFPER:BrowserModifier:Win32/MediaMagnet",
"display_name": "SLFPER:BrowserModifier:Win32/MediaMagnet",
"target": null
},
{
"id": "Virut",
"display_name": "Virut",
"target": null
},
{
"id": "Cutwail",
"display_name": "Cutwail",
"target": null
},
{
"id": "Nanocore RAT",
"display_name": "Nanocore RAT",
"target": null
},
{
"id": "Tulach Malware",
"display_name": "Tulach Malware",
"target": null
},
{
"id": "SuppoBox",
"display_name": "SuppoBox",
"target": null
},
{
"id": "Systweak",
"display_name": "Systweak",
"target": null
},
{
"id": "Occamy",
"display_name": "Occamy",
"target": null
},
{
"id": "Tiggre",
"display_name": "Tiggre",
"target": null
},
{
"id": "IObit",
"display_name": "IObit",
"target": null
},
{
"id": "Sality",
"display_name": "Sality",
"target": null
},
{
"id": "FORMBOOK",
"display_name": "FORMBOOK",
"target": null
},
{
"id": "Emotet",
"display_name": "Emotet",
"target": null
},
{
"id": "Yixun",
"display_name": "Yixun",
"target": null
}
],
"attack_ids": [
{
"id": "T1496",
"name": "Resource Hijacking",
"display_name": "T1496 - Resource Hijacking"
},
{
"id": "T1176",
"name": "Browser Extensions",
"display_name": "T1176 - Browser Extensions"
},
{
"id": "T1027",
"name": "Obfuscated Files or Information",
"display_name": "T1027 - Obfuscated Files or Information"
},
{
"id": "T1041",
"name": "Exfiltration Over C2 Channel",
"display_name": "T1041 - Exfiltration Over C2 Channel"
},
{
"id": "T1059",
"name": "Command and Scripting Interpreter",
"display_name": "T1059 - Command and Scripting Interpreter"
},
{
"id": "T1071",
"name": "Application Layer Protocol",
"display_name": "T1071 - Application Layer Protocol"
},
{
"id": "T1105",
"name": "Ingress Tool Transfer",
"display_name": "T1105 - Ingress Tool Transfer"
},
{
"id": "T1114",
"name": "Email Collection",
"display_name": "T1114 - Email Collection"
},
{
"id": "T1497",
"name": "Virtualization/Sandbox Evasion",
"display_name": "T1497 - Virtualization/Sandbox Evasion"
},
{
"id": "T1012",
"name": "Query Registry",
"display_name": "T1012 - Query Registry"
},
{
"id": "T1043",
"name": "Commonly Used Port",
"display_name": "T1043 - Commonly Used Port"
},
{
"id": "T1112",
"name": "Modify Registry",
"display_name": "T1112 - Modify Registry"
},
{
"id": "T1179",
"name": "Hooking",
"display_name": "T1179 - Hooking"
},
{
"id": "T1055",
"name": "Process Injection",
"display_name": "T1055 - Process Injection"
},
{
"id": "T1140",
"name": "Deobfuscate/Decode Files or Information",
"display_name": "T1140 - Deobfuscate/Decode Files or Information"
},
{
"id": "T1583.005",
"name": "Botnet",
"display_name": "T1583.005 - Botnet"
},
{
"id": "T1449",
"name": "Exploit SS7 to Redirect Phone Calls/SMS",
"display_name": "T1449 - Exploit SS7 to Redirect Phone Calls/SMS"
},
{
"id": "T1071.004",
"name": "DNS",
"display_name": "T1071.004 - DNS"
},
{
"id": "T1071.001",
"name": "Web Protocols",
"display_name": "T1071.001 - Web Protocols"
},
{
"id": "T1068",
"name": "Exploitation for Privilege Escalation",
"display_name": "T1068 - Exploitation for Privilege Escalation"
},
{
"id": "T1056.001",
"name": "Keylogging",
"display_name": "T1056.001 - Keylogging"
}
],
"industries": [
"Health"
],
"TLP": "green",
"cloned_from": "6590f9b6b1fe0330c655c25f",
"export_count": 36,
"upvotes_count": 0,
"downvotes_count": 0,
"votes_count": 0,
"locked": false,
"pulse_source": "web",
"validator_count": 0,
"comment_count": 0,
"follower_count": 0,
"vote": 0,
"author": {
"username": "scoreblue",
"id": "254100",
"avatar_url": "/otxapi/users/avatar_image/media/avatars/user_254100/resized/80/avatar_3b9c358f36.png",
"is_subscribed": false,
"is_following": false
},
"indicator_type_counts": {
"domain": 1643,
"hostname": 1438,
"CVE": 30,
"FileHash-MD5": 2853,
"FileHash-SHA1": 1584,
"FileHash-SHA256": 3001,
"URL": 2904,
"email": 1
},
"indicator_count": 13454,
"is_author": false,
"is_subscribing": null,
"subscriber_count": 228,
"modified_text": "825 days ago ",
"is_modified": false,
"groups": [],
"in_group": false,
"threat_hunter_scannable": true,
"threat_hunter_has_agents": 1,
"related_indicator_type": "URL",
"related_indicator_is_active": 1
},
{
"id": "657ab025b97f20f31bbfcd70",
"name": "CryptInject \u2022 Inmortal \u2022 Invoke-Mimikatz \u2022 WannaCry Kill Switch",
"description": "Alleged attorney defending Jeffrey Scott Reimer DPT. Firm uses every possible tool to destroy, make life unbearable, threaten and cause harm to targets. I don't feel safe. I hope this research helps the next target.\n\nMissouri government is seen throughout. The corruption is mafia deep. There is tracking. In person stalking, theft, identity theft, mail theft, modification of records and services, legitimate death threats,etc.\nOpen records act: Target has made multiple reports to authorities regarding physical assaults, threats, phone hacking, etc. OCA: Reports show a settlement was paid by Brian Sabey in part to help Tsara Brashears discover hacker.\nI've been receiving death threats, followed, property accessed, tampering. Attacking entire family including her children, father and beyond.",
"modified": "2024-01-13T06:01:05.467000",
"created": "2023-12-14T07:35:01.537000",
"tags": [
"ssl certificate",
"whois record",
"contacted",
"historical ssl",
"communicating",
"referrer",
"execution",
"tsara brashears",
"highly targeted",
"njrat",
"ransomware",
"heodo",
"tag count",
"thu aug",
"threat report",
"ip summary",
"url summary",
"summary",
"sample",
"samples",
"detection list",
"malicious url",
"blacklist https",
"united",
"firehol",
"maltiverse",
"cyber threat",
"control server",
"host",
"phishing",
"engineering",
"paypal",
"download",
"malware",
"nanocore rat",
"meterpreter",
"pony",
"facebook",
"stealer",
"redline stealer",
"dnspionage",
"mirai",
"nanocore",
"bradesco",
"emotet",
"cobalt strike",
"bank",
"zeus",
"zbot",
"suppobox",
"generic",
"site",
"cisco umbrella",
"alexa top",
"million",
"reverse dns",
"general full",
"url https",
"resource",
"protocol h2",
"security tls",
"software",
"get h2",
"hash",
"main",
"search live",
"api blog",
"docs pricing",
"december",
"hall render",
"advisory",
"brochure url",
"link url",
"linkedin link",
"facebook link",
"value",
"login",
"variables",
"modernizr",
"lsmeta function",
"lsoldgsqueue",
"de indicators",
"domains",
"hashes",
"copyright",
"gmbh version",
"no data",
"tld count",
"urls",
"count blacklist",
"heur",
"html",
"site top",
"malicious site",
"malware site",
"riskware",
"exploit",
"win64",
"unsafe",
"genkryptik",
"artemis",
"opencandy",
"agent",
"dropper",
"fakealert",
"acint",
"nircmd",
"swrort",
"downldr",
"systweak",
"behav",
"crack",
"tiggre",
"presenoker",
"filetour",
"cleaner",
"conduit",
"wacatac",
"mimikatz",
"redirector",
"deepscan",
"iframe",
"memscan",
"suspicious",
"magazine",
"applicunwnt",
"alexa",
"phish",
"win32.pdf.alien",
"freemake",
"webtoolbar",
"trojanspy",
"label",
"input",
"form",
"button",
"render",
"articles",
"column",
"brian",
"search",
"contact",
"span",
"accept",
"this",
"close",
"district",
"ultimate",
"ip address",
"blacklist",
"covid19",
"phishing chase",
"windows nt",
"khtml",
"gecko",
"veryhigh",
"aes256gcm",
"digicert global",
"g2 tls",
"rsa sha256",
"bypass",
"formbook",
"generic malware",
"cutwail",
"safe site",
"phishing site",
"team",
"tofsee",
"azorult",
"service",
"runescape",
"remcos",
"malicious",
"miner",
"hacktool",
"agenttesla",
"unknown",
"downloader",
"trojan",
"detplock",
"networm",
"cryptinject",
"beach research",
"rms",
"redline",
"brian sabey",
"hallrender.com",
"hallrender.com/attorney/brian-sabey",
"tulach",
"tulach.cc",
"mo.gov",
"safebae.org",
"civicalg.com",
"civicalg",
"passive dns",
"domain",
"registrar",
"scan endpoints",
"all octoseek",
"hostname",
"pulse pulses",
"date",
"next",
"computer",
"company limited",
"first",
"utc submissions",
"submitters",
"gti9158",
"gti9080l",
"gti9128v",
"summary iocs",
"graph community",
"namecheap inc",
"cloudflare",
"com laude",
"ltd dba",
"porkbun llc",
"ii llc",
"csc corporate",
"amazon02",
"google",
"cloudflarenet",
"akamaias",
"innova co",
"indonesia",
"level3",
"china telecom",
"mb setup",
"mb opera",
"mb qimage",
"mb iesettings",
"mb super",
"optimizer",
"premium",
"pattern match",
"file",
"ascii text",
"indicator",
"jpeg image",
"et tor",
"known tor",
"misc attack",
"relayrouter",
"general",
"hybrid",
"local",
"click",
"strings",
"class",
"generator",
"critical",
"error",
"traffic",
"tor known",
"exit",
"node tcp",
"tor relayrouter",
"spammer",
"tor exit",
"threats et",
"node udp",
"adware",
"quasar rat",
"installpack",
"xrat",
"fusioncore",
"union",
"raccoon",
"metastealer",
"xtrat",
"blacklist http",
"url http",
"hijacking",
"information",
"report spam",
"attorney",
"trojanx",
"zpevdo",
"vidar",
"agent tesla",
"nymaim",
"virut",
"occamy",
"iobit",
"sality",
"all search",
"otx octoseek",
"author avatar",
"role title",
"added active",
"related pulses",
"entries",
"indicator role",
"title added",
"active related",
"pulses url",
"pulses",
"ipv4",
"expiration",
"no expiration",
"iocs",
"create new",
"site safe",
"lovgate",
"unruy",
"patcher",
"nsis",
"installcore",
"adload",
"cve201711882",
"sonbokli",
"ubot",
"hsbc",
"uztuby",
"malicious host",
"microsoft",
"psexec",
"brontok",
"startpage",
"keygen",
"fareit",
"secrisk",
"floxif",
"threat roundup",
"c2 raccoon",
"march",
"critical risk",
"apple phone",
"unlocker",
"installer",
"laplasclipper",
"blister",
"june",
"name verdict",
"falcon sandbox",
"malware generic",
"tue dec",
"temp",
"mitre att",
"ck id",
"show technique",
"ck matrix",
"twitter",
"seraph",
"bazaloader",
"media",
"security",
"technology",
"dns replication",
"virustotal",
"win32 exe",
"files",
"detections type",
"name",
"notepad",
"java",
"update checker",
"verisign",
"server",
"asia pacific",
"data",
"whois database",
"registrar abuse",
"apnic whois",
"apnic",
"icann whois",
"nanjing",
"cnnic",
"hackers",
"virus network",
"relacionada",
"cyberstalking",
"excel",
"macros sneaky",
"unauthorized",
"wannacry kill",
"attack",
"core",
"qakbot",
"lumma stealer",
"ransomexx",
"quasar",
"metro",
"copy",
"project",
"cnc server",
"proxy",
"ramnit",
"cl0p",
"inmortal",
"noname057",
"jul jan",
"fri jun",
"tag tag",
"failed_code_integrity_checks",
"python_initiated-connection",
"powershell_create_scheduled",
"creation_of_an_executable_by_an_executable",
"botnetwork",
"c2",
"apple hacking",
"government relations",
"abuse",
"download csv",
"json ip",
"linkid252669",
"adwaresig",
"suspected",
"filerepmalware",
"dapato",
"predator",
"fakeinstaller",
"spyrixkeylogger",
"bitminer",
"loadmoney",
"mediaget",
"softonic",
"encpk",
"qbot",
"kraddare",
"dllinject",
"driverpack",
"genpack",
"offercore",
"vitzo",
"babar",
"http response",
"final url",
"serving ip",
"address",
"status code",
"body length",
"b body",
"sha256",
"headers",
"connection",
"pragma",
"team malware",
"binder",
"pykspa",
"feodo",
"mark",
"bomb",
"whois whois",
"whois parent",
"glupteba",
"setup stub",
"c2ae"
],
"references": [
"https://hallrender.com/attorney/brian-sabey",
"https://hybrid-analysis.com/sample/66a840a853476a7b66a1202d7f21b28e71b94912341dee123345e620f41fda9d/6571d012385f14f31d0191ad",
"https://tracking.crazyegg.com/clock?t=1701949195114&tk=09a1de462eccb2ebc17a566aec5ed8b4&s=331938&p=%2Fattorney%2Fbrian-sabey%2F&u=502212&v=618f8e048086160d46ee09468f987c3211863abb&f=hallrender.com%2Fattorney%2Fbrian-sabey&ul=https%3A%2F%2Fwww.hallrender.com%2Fattorney%2Fbrian-sabey%2F ( tracking tsra Brashears,tracking, clock app)",
"https://www.hallrender.com/attorney/brian-sabey/#breadcrumb",
"192.124.249.53:80",
"hallrender.com (Malware hosting DGA domain, malware hosting, social engineering , fraud services, threat hounds, cyber criminals, dangerous group)",
"https://www.hallrender.com/service/antitrust/ ('t' process - targetsTsara Brashears)",
"https://www.hallrender.com/professional/kathy-l-thurston/ (phishing)",
"https://www.hallrender.com/wp-content/themes/Hall-Render/assets/js/minified/lazy_load-1.9.7-min.js?ver=3.0.1 (malware hosting)",
"https://www.hallrender.com/wp-content/themes/Hall-Render/assets/js/minified/lazy_load-1.9.7-min.js?ver=3.0.1%27 (malware hosting)",
"Other malicious Hall Render assets and attacks. This doesn't include evidence of physical, documented crimes against targets who may not know source)",
"http://auditrage.top/Rossmaansywh/tb.php?wmtvjltu phishing and other cybercrime, serious cyber attacks)",
"114.114.114.114. (auto populated IP descriptions: tulach, brian sabey, apple, law)",
"rp.dudaran2.com [routerlogin.net to safebae.org]",
"vortex-nlb-http2-fed-us-taut-purple.nr-data.net [Apple data, ransomed]",
"https://1.1.1.1/login.html [login access to Brashears' Warp if applicable]",
"https://www.assurant.com/?utm_source=email&utm_medium=email&utm_campaign=Mobile_Transactional_withad&utm_content=Deductible+Charge+Acknowledgement+PD-MB&utm_term=",
"http://xd.x9.client.api.vpngate2.jp/api/?session_id=1773986324675443378",
"https://poemhunter.com/tsara-brashears/",
"https://pin.it/ [Tsara Brashears Lesbian (libel) Botnetwork, libel]",
"http://45.159.189.105/bot/regex ( Laplas clipper, Password stealer. Tracks Tsara Brashears, devices, location, , behavior. Obsessive targeting & social engineering)",
"https://www.virustotal.com/graph/g682ab72ed7b14bc68948e2dbfc22be8f7b2a00a339eb490083e18dc764a618dd",
"government.westlaw.com",
"web2.westlaw.com (Malicious: Only targets Tsara Brashears & safebae.org/cyber stalking now deceased Daisy Coleman deceased, alleged suicide )",
"safebae.org (Skynet) Was now deceased Daisy Coleman a real person or actress in Audrey & Daisy? Tragic",
"west-sca.duckdns.org",
"us-west-2.es.amazonaws.com (pslicorp)",
"hero9780.duckdns.org ( government.westlaw.com/house of mo)",
"https://www.hallrender.com/2018/12/13/nationwide-emailed-bomb-threats-are-new-ransom-technique (target emailed bomb \"t\" threat, reported, dismissed)",
"http://www.hallrender.com/resources/blog (Malware hosting, malvertizing URL/ targets Tsara Brashears)",
"www.hallrender.com (malware hosting)",
"https://www.milehighmedia.com/en/Charlie-Dean/pornstar/49512 (Mile High Media malvertizing relationship = subsidiary)",
"https://www.milehighmedia.com/en/pornstar/milehighmedia/Justin-Hunt/51017",
"www.dead-speak.com",
"www42.jhonisdead.com",
"alohatube.xyz (http://benjamin.xww.de/ porn malvertizing blame shift. Formerly property of Hall Render Brian Sabey)",
"https://alohatube.xyz/search/tsara-brashears (Formerly Botnetwork malvertizing campaign targeting Tsara Brashears crime victim. Now http. Benjamin. xww )",
"https://www.anyxxxtube.net/search-porn/tsara-brashears/ (Heavy malvertizing. Phishing m formerly named a Bot Network. )",
"https://www.pornhub.com/gifs/search?search=tsara+lynn+brashears+lesbian ( tagging, malware campaign, Apple iOS password cracker, libel, straight female)",
"www.pornhub.com (Targets Tsara Brashears. Pornography malvertizing, tagging)",
"poemhunter.com (Blacklisted.Target Tsara Brashears with relentless malvertizing attacks including, device hacking)",
"fakecelebporno.com",
"batchcourtexpressservicesqa.westlaw.com",
"batchpublicrecords.westlaw.com",
"apple-aqo.com (1 DNSPod.net)",
"http://init.ess.apple.com/WebObjects/VCInit.woa/wa/getBag?ix=4 (Apple access hacktool \u2192init.ess.apple.com/Web0)",
"c.oooooooooo.ga (c.apple.com cdn)",
"https://www.anyxxxtube.net/media/favicon/apple",
"init.ess.apple.com ( Code Script \u2022 MortalK)",
"34bc869d2906198362a4346373ce5b94 (bpbd.portal.ov.bd/npfblock/2021-jpg.",
"https://wallpapers-nature.com/tsara-brashears/tse1-mm-bing-net (BitCoin Aussie)",
"000002f1558a89f29984934d511289491032f9e96a249c12f2f6d42678264114 (Notepad.exe - python initiated connection)",
"https://www.sweetheartvideo.com/tsara-brashears/ [Pin.It BotNet a Malicious Pinterest fraud service]",
"https://www.hallrender.com/attorney/brian-sabey"
],
"public": 1,
"adversary": "M. Brian Sabey Hall Render Malicious & Dangerous Threat Actor",
"targeted_countries": [],
"malware_families": [
{
"id": "Maltiverse",
"display_name": "Maltiverse",
"target": null
},
{
"id": "WIN32.PDF.Alien",
"display_name": "WIN32.PDF.Alien",
"target": null
},
{
"id": "Freemake",
"display_name": "Freemake",
"target": null
},
{
"id": "Redirector",
"display_name": "Redirector",
"target": null
},
{
"id": "Zbot",
"display_name": "Zbot",
"target": null
},
{
"id": "WebToolbar",
"display_name": "WebToolbar",
"target": null
},
{
"id": "Behav",
"display_name": "Behav",
"target": null
},
{
"id": "TrojanSpy",
"display_name": "TrojanSpy",
"target": null
},
{
"id": "Beach Research",
"display_name": "Beach Research",
"target": null
},
{
"id": "RMS",
"display_name": "RMS",
"target": null
},
{
"id": "RedLine",
"display_name": "RedLine",
"target": null
},
{
"id": "Tulach",
"display_name": "Tulach",
"target": null
},
{
"id": "WIN32.PDF.ALIEN",
"display_name": "WIN32.PDF.ALIEN",
"target": null
},
{
"id": "ZeuS",
"display_name": "ZeuS",
"target": null
},
{
"id": "SuppoBox",
"display_name": "SuppoBox",
"target": null
},
{
"id": "Trojan:Win32/Wacatac",
"display_name": "Trojan:Win32/Wacatac",
"target": "/malware/Trojan:Win32/Wacatac"
},
{
"id": "ALF:Trojan:Win32/FormBook",
"display_name": "ALF:Trojan:Win32/FormBook",
"target": null
},
{
"id": "Emotet",
"display_name": "Emotet",
"target": null
},
{
"id": "njRAT",
"display_name": "njRAT",
"target": null
},
{
"id": "Trojan:Win32/Tiggre",
"display_name": "Trojan:Win32/Tiggre",
"target": "/malware/Trojan:Win32/Tiggre"
},
{
"id": "Invoke-Mimikatz",
"display_name": "Invoke-Mimikatz",
"target": null
},
{
"id": "China Telecom",
"display_name": "China Telecom",
"target": null
},
{
"id": "Mirai",
"display_name": "Mirai",
"target": null
},
{
"id": "Sonbokli",
"display_name": "Sonbokli",
"target": null
},
{
"id": "Ubot",
"display_name": "Ubot",
"target": null
},
{
"id": "HSBC",
"display_name": "HSBC",
"target": null
},
{
"id": "Uztuby",
"display_name": "Uztuby",
"target": null
},
{
"id": "APNIC",
"display_name": "APNIC",
"target": null
},
{
"id": "Cl0p",
"display_name": "Cl0p",
"target": null
},
{
"id": "Inmortal",
"display_name": "Inmortal",
"target": null
},
{
"id": "Domains",
"display_name": "Domains",
"target": null
},
{
"id": "Vitzo",
"display_name": "Vitzo",
"target": null
},
{
"id": "Babar",
"display_name": "Babar",
"target": null
},
{
"id": "Qbot",
"display_name": "Qbot",
"target": null
},
{
"id": "WannaCry Kill Switch",
"display_name": "WannaCry Kill Switch",
"target": null
}
],
"attack_ids": [
{
"id": "T1027",
"name": "Obfuscated Files or Information",
"display_name": "T1027 - Obfuscated Files or Information"
},
{
"id": "T1140",
"name": "Deobfuscate/Decode Files or Information",
"display_name": "T1140 - Deobfuscate/Decode Files or Information"
},
{
"id": "T1041",
"name": "Exfiltration Over C2 Channel",
"display_name": "T1041 - Exfiltration Over C2 Channel"
},
{
"id": "T1059",
"name": "Command and Scripting Interpreter",
"display_name": "T1059 - Command and Scripting Interpreter"
},
{
"id": "T1071",
"name": "Application Layer Protocol",
"display_name": "T1071 - Application Layer Protocol"
},
{
"id": "T1105",
"name": "Ingress Tool Transfer",
"display_name": "T1105 - Ingress Tool Transfer"
},
{
"id": "T1114",
"name": "Email Collection",
"display_name": "T1114 - Email Collection"
},
{
"id": "T1497",
"name": "Virtualization/Sandbox Evasion",
"display_name": "T1497 - Virtualization/Sandbox Evasion"
},
{
"id": "T1012",
"name": "Query Registry",
"display_name": "T1012 - Query Registry"
},
{
"id": "T1043",
"name": "Commonly Used Port",
"display_name": "T1043 - Commonly Used Port"
},
{
"id": "T1055",
"name": "Process Injection",
"display_name": "T1055 - Process Injection"
},
{
"id": "T1056",
"name": "Input Capture",
"display_name": "T1056 - Input Capture"
},
{
"id": "T1068",
"name": "Exploitation for Privilege Escalation",
"display_name": "T1068 - Exploitation for Privilege Escalation"
},
{
"id": "T1112",
"name": "Modify Registry",
"display_name": "T1112 - Modify Registry"
},
{
"id": "T1176",
"name": "Browser Extensions",
"display_name": "T1176 - Browser Extensions"
},
{
"id": "T1179",
"name": "Hooking",
"display_name": "T1179 - Hooking"
},
{
"id": "T1449",
"name": "Exploit SS7 to Redirect Phone Calls/SMS",
"display_name": "T1449 - Exploit SS7 to Redirect Phone Calls/SMS"
},
{
"id": "T1496",
"name": "Resource Hijacking",
"display_name": "T1496 - Resource Hijacking"
},
{
"id": "T1583",
"name": "Acquire Infrastructure",
"display_name": "T1583 - Acquire Infrastructure"
},
{
"id": "T1100",
"name": "Web Shell",
"display_name": "T1100 - Web Shell"
},
{
"id": "T1560",
"name": "Archive Collected Data",
"display_name": "T1560 - Archive Collected Data"
}
],
"industries": [
"Health"
],
"TLP": "white",
"cloned_from": null,
"export_count": 512,
"upvotes_count": 0,
"downvotes_count": 0,
"votes_count": 0,
"locked": false,
"pulse_source": "web",
"validator_count": 0,
"comment_count": 0,
"follower_count": 0,
"vote": 0,
"author": {
"username": "OctoSeek",
"id": "243548",
"avatar_url": "/otxapi/users/avatar_image/media/avatars/user_243548/resized/80/avatar_3b9c358f36.png",
"is_subscribed": false,
"is_following": false
},
"indicator_type_counts": {
"domain": 2001,
"hostname": 3531,
"URL": 7519,
"FileHash-MD5": 2851,
"FileHash-SHA1": 1622,
"FileHash-SHA256": 5092,
"CVE": 24,
"email": 9,
"CIDR": 4
},
"indicator_count": 22653,
"is_author": false,
"is_subscribing": null,
"subscriber_count": 229,
"modified_text": "827 days ago ",
"is_modified": true,
"groups": [],
"in_group": false,
"threat_hunter_scannable": true,
"threat_hunter_has_agents": 1,
"related_indicator_type": "URL",
"related_indicator_is_active": 1
},
{
"id": "657c03432f4f2997c7d3aff4",
"name": "CryptInject \u2022 Inmortal \u2022 Invoke-Mimikatz \u2022 WannaCry Kill Switch",
"description": "",
"modified": "2024-01-13T06:01:05.467000",
"created": "2023-12-15T07:41:55.972000",
"tags": [
"ssl certificate",
"whois record",
"contacted",
"historical ssl",
"communicating",
"referrer",
"execution",
"tsara brashears",
"highly targeted",
"njrat",
"ransomware",
"heodo",
"tag count",
"thu aug",
"threat report",
"ip summary",
"url summary",
"summary",
"sample",
"samples",
"detection list",
"malicious url",
"blacklist https",
"united",
"firehol",
"maltiverse",
"cyber threat",
"control server",
"host",
"phishing",
"engineering",
"paypal",
"download",
"malware",
"nanocore rat",
"meterpreter",
"pony",
"facebook",
"stealer",
"redline stealer",
"dnspionage",
"mirai",
"nanocore",
"bradesco",
"emotet",
"cobalt strike",
"bank",
"zeus",
"zbot",
"suppobox",
"generic",
"site",
"cisco umbrella",
"alexa top",
"million",
"reverse dns",
"general full",
"url https",
"resource",
"protocol h2",
"security tls",
"software",
"get h2",
"hash",
"main",
"search live",
"api blog",
"docs pricing",
"december",
"hall render",
"advisory",
"brochure url",
"link url",
"linkedin link",
"facebook link",
"value",
"login",
"variables",
"modernizr",
"lsmeta function",
"lsoldgsqueue",
"de indicators",
"domains",
"hashes",
"copyright",
"gmbh version",
"no data",
"tld count",
"urls",
"count blacklist",
"heur",
"html",
"site top",
"malicious site",
"malware site",
"riskware",
"exploit",
"win64",
"unsafe",
"genkryptik",
"artemis",
"opencandy",
"agent",
"dropper",
"fakealert",
"acint",
"nircmd",
"swrort",
"downldr",
"systweak",
"behav",
"crack",
"tiggre",
"presenoker",
"filetour",
"cleaner",
"conduit",
"wacatac",
"mimikatz",
"redirector",
"deepscan",
"iframe",
"memscan",
"suspicious",
"magazine",
"applicunwnt",
"alexa",
"phish",
"win32.pdf.alien",
"freemake",
"webtoolbar",
"trojanspy",
"label",
"input",
"form",
"button",
"render",
"articles",
"column",
"brian",
"search",
"contact",
"span",
"accept",
"this",
"close",
"district",
"ultimate",
"ip address",
"blacklist",
"covid19",
"phishing chase",
"windows nt",
"khtml",
"gecko",
"veryhigh",
"aes256gcm",
"digicert global",
"g2 tls",
"rsa sha256",
"bypass",
"formbook",
"generic malware",
"cutwail",
"safe site",
"phishing site",
"team",
"tofsee",
"azorult",
"service",
"runescape",
"remcos",
"malicious",
"miner",
"hacktool",
"agenttesla",
"unknown",
"downloader",
"trojan",
"detplock",
"networm",
"cryptinject",
"beach research",
"rms",
"redline",
"brian sabey",
"hallrender.com",
"hallrender.com/attorney/brian-sabey",
"tulach",
"tulach.cc",
"mo.gov",
"safebae.org",
"civicalg.com",
"civicalg",
"passive dns",
"domain",
"registrar",
"scan endpoints",
"all octoseek",
"hostname",
"pulse pulses",
"date",
"next",
"computer",
"company limited",
"first",
"utc submissions",
"submitters",
"gti9158",
"gti9080l",
"gti9128v",
"summary iocs",
"graph community",
"namecheap inc",
"cloudflare",
"com laude",
"ltd dba",
"porkbun llc",
"ii llc",
"csc corporate",
"amazon02",
"google",
"cloudflarenet",
"akamaias",
"innova co",
"indonesia",
"level3",
"china telecom",
"mb setup",
"mb opera",
"mb qimage",
"mb iesettings",
"mb super",
"optimizer",
"premium",
"pattern match",
"file",
"ascii text",
"indicator",
"jpeg image",
"et tor",
"known tor",
"misc attack",
"relayrouter",
"general",
"hybrid",
"local",
"click",
"strings",
"class",
"generator",
"critical",
"error",
"traffic",
"tor known",
"exit",
"node tcp",
"tor relayrouter",
"spammer",
"tor exit",
"threats et",
"node udp",
"adware",
"quasar rat",
"installpack",
"xrat",
"fusioncore",
"union",
"raccoon",
"metastealer",
"xtrat",
"blacklist http",
"url http",
"hijacking",
"information",
"report spam",
"attorney",
"trojanx",
"zpevdo",
"vidar",
"agent tesla",
"nymaim",
"virut",
"occamy",
"iobit",
"sality",
"all search",
"otx octoseek",
"author avatar",
"role title",
"added active",
"related pulses",
"entries",
"indicator role",
"title added",
"active related",
"pulses url",
"pulses",
"ipv4",
"expiration",
"no expiration",
"iocs",
"create new",
"site safe",
"lovgate",
"unruy",
"patcher",
"nsis",
"installcore",
"adload",
"cve201711882",
"sonbokli",
"ubot",
"hsbc",
"uztuby",
"malicious host",
"microsoft",
"psexec",
"brontok",
"startpage",
"keygen",
"fareit",
"secrisk",
"floxif",
"threat roundup",
"c2 raccoon",
"march",
"critical risk",
"apple phone",
"unlocker",
"installer",
"laplasclipper",
"blister",
"june",
"name verdict",
"falcon sandbox",
"malware generic",
"tue dec",
"temp",
"mitre att",
"ck id",
"show technique",
"ck matrix",
"twitter",
"seraph",
"bazaloader",
"media",
"security",
"technology",
"dns replication",
"virustotal",
"win32 exe",
"files",
"detections type",
"name",
"notepad",
"java",
"update checker",
"verisign",
"server",
"asia pacific",
"data",
"whois database",
"registrar abuse",
"apnic whois",
"apnic",
"icann whois",
"nanjing",
"cnnic",
"hackers",
"virus network",
"relacionada",
"cyberstalking",
"excel",
"macros sneaky",
"unauthorized",
"wannacry kill",
"attack",
"core",
"qakbot",
"lumma stealer",
"ransomexx",
"quasar",
"metro",
"copy",
"project",
"cnc server",
"proxy",
"ramnit",
"cl0p",
"inmortal",
"noname057",
"jul jan",
"fri jun",
"tag tag",
"failed_code_integrity_checks",
"python_initiated-connection",
"powershell_create_scheduled",
"creation_of_an_executable_by_an_executable",
"botnetwork",
"c2",
"apple hacking",
"government relations",
"abuse",
"download csv",
"json ip",
"linkid252669",
"adwaresig",
"suspected",
"filerepmalware",
"dapato",
"predator",
"fakeinstaller",
"spyrixkeylogger",
"bitminer",
"loadmoney",
"mediaget",
"softonic",
"encpk",
"qbot",
"kraddare",
"dllinject",
"driverpack",
"genpack",
"offercore",
"vitzo",
"babar",
"http response",
"final url",
"serving ip",
"address",
"status code",
"body length",
"b body",
"sha256",
"headers",
"connection",
"pragma",
"team malware",
"binder",
"pykspa",
"feodo",
"mark",
"bomb",
"whois whois",
"whois parent",
"glupteba",
"setup stub",
"c2ae"
],
"references": [
"https://hallrender.com/attorney/brian-sabey",
"https://hybrid-analysis.com/sample/66a840a853476a7b66a1202d7f21b28e71b94912341dee123345e620f41fda9d/6571d012385f14f31d0191ad",
"https://tracking.crazyegg.com/clock?t=1701949195114&tk=09a1de462eccb2ebc17a566aec5ed8b4&s=331938&p=%2Fattorney%2Fbrian-sabey%2F&u=502212&v=618f8e048086160d46ee09468f987c3211863abb&f=hallrender.com%2Fattorney%2Fbrian-sabey&ul=https%3A%2F%2Fwww.hallrender.com%2Fattorney%2Fbrian-sabey%2F ( tracking tsra Brashears,tracking, clock app)",
"https://www.hallrender.com/attorney/brian-sabey/#breadcrumb",
"192.124.249.53:80",
"hallrender.com (Malware hosting DGA domain, malware hosting, social engineering , fraud services, threat hounds, cyber criminals, dangerous group)",
"https://www.hallrender.com/service/antitrust/ ('t' process - targetsTsara Brashears)",
"https://www.hallrender.com/professional/kathy-l-thurston/ (phishing)",
"https://www.hallrender.com/wp-content/themes/Hall-Render/assets/js/minified/lazy_load-1.9.7-min.js?ver=3.0.1 (malware hosting)",
"https://www.hallrender.com/wp-content/themes/Hall-Render/assets/js/minified/lazy_load-1.9.7-min.js?ver=3.0.1%27 (malware hosting)",
"Other malicious Hall Render assets and attacks. This doesn't include evidence of physical, documented crimes against targets who may not know source)",
"http://auditrage.top/Rossmaansywh/tb.php?wmtvjltu phishing and other cybercrime, serious cyber attacks)",
"114.114.114.114. (auto populated IP descriptions: tulach, brian sabey, apple, law)",
"rp.dudaran2.com [routerlogin.net to safebae.org]",
"vortex-nlb-http2-fed-us-taut-purple.nr-data.net [Apple data, ransomed]",
"https://1.1.1.1/login.html [login access to Brashears' Warp if applicable]",
"https://www.assurant.com/?utm_source=email&utm_medium=email&utm_campaign=Mobile_Transactional_withad&utm_content=Deductible+Charge+Acknowledgement+PD-MB&utm_term=",
"http://xd.x9.client.api.vpngate2.jp/api/?session_id=1773986324675443378",
"https://poemhunter.com/tsara-brashears/",
"https://pin.it/ [Tsara Brashears Lesbian (libel) Botnetwork, libel]",
"http://45.159.189.105/bot/regex ( Laplas clipper, Password stealer. Tracks Tsara Brashears, devices, location, , behavior. Obsessive targeting & social engineering)",
"https://www.virustotal.com/graph/g682ab72ed7b14bc68948e2dbfc22be8f7b2a00a339eb490083e18dc764a618dd",
"government.westlaw.com",
"web2.westlaw.com (Malicious: Only targets Tsara Brashears & safebae.org/cyber stalking now deceased Daisy Coleman deceased, alleged suicide )",
"safebae.org (Skynet) Was now deceased Daisy Coleman a real person or actress in Audrey & Daisy? Tragic",
"west-sca.duckdns.org",
"us-west-2.es.amazonaws.com (pslicorp)",
"hero9780.duckdns.org ( government.westlaw.com/house of mo)",
"https://www.hallrender.com/2018/12/13/nationwide-emailed-bomb-threats-are-new-ransom-technique (target emailed bomb \"t\" threat, reported, dismissed)",
"http://www.hallrender.com/resources/blog (Malware hosting, malvertizing URL/ targets Tsara Brashears)",
"www.hallrender.com (malware hosting)",
"https://www.milehighmedia.com/en/Charlie-Dean/pornstar/49512 (Mile High Media malvertizing relationship = subsidiary)",
"https://www.milehighmedia.com/en/pornstar/milehighmedia/Justin-Hunt/51017",
"www.dead-speak.com",
"www42.jhonisdead.com",
"alohatube.xyz (http://benjamin.xww.de/ porn malvertizing blame shift. Formerly property of Hall Render Brian Sabey)",
"https://alohatube.xyz/search/tsara-brashears (Formerly Botnetwork malvertizing campaign targeting Tsara Brashears crime victim. Now http. Benjamin. xww )",
"https://www.anyxxxtube.net/search-porn/tsara-brashears/ (Heavy malvertizing. Phishing m formerly named a Bot Network. )",
"https://www.pornhub.com/gifs/search?search=tsara+lynn+brashears+lesbian ( tagging, malware campaign, Apple iOS password cracker, libel, straight female)",
"www.pornhub.com (Targets Tsara Brashears. Pornography malvertizing, tagging)",
"poemhunter.com (Blacklisted.Target Tsara Brashears with relentless malvertizing attacks including, device hacking)",
"fakecelebporno.com",
"batchcourtexpressservicesqa.westlaw.com",
"batchpublicrecords.westlaw.com",
"apple-aqo.com (1 DNSPod.net)",
"http://init.ess.apple.com/WebObjects/VCInit.woa/wa/getBag?ix=4 (Apple access hacktool \u2192init.ess.apple.com/Web0)",
"c.oooooooooo.ga (c.apple.com cdn)",
"https://www.anyxxxtube.net/media/favicon/apple",
"init.ess.apple.com ( Code Script \u2022 MortalK)",
"34bc869d2906198362a4346373ce5b94 (bpbd.portal.ov.bd/npfblock/2021-jpg.",
"https://wallpapers-nature.com/tsara-brashears/tse1-mm-bing-net (BitCoin Aussie)",
"000002f1558a89f29984934d511289491032f9e96a249c12f2f6d42678264114 (Notepad.exe - python initiated connection)",
"https://www.sweetheartvideo.com/tsara-brashears/ [Pin.It BotNet a Malicious Pinterest fraud service]",
"https://www.hallrender.com/attorney/brian-sabey"
],
"public": 1,
"adversary": "M. Brian Sabey Hall Render Malicious & Dangerous Threat Actor",
"targeted_countries": [],
"malware_families": [
{
"id": "Maltiverse",
"display_name": "Maltiverse",
"target": null
},
{
"id": "WIN32.PDF.Alien",
"display_name": "WIN32.PDF.Alien",
"target": null
},
{
"id": "Freemake",
"display_name": "Freemake",
"target": null
},
{
"id": "Redirector",
"display_name": "Redirector",
"target": null
},
{
"id": "Zbot",
"display_name": "Zbot",
"target": null
},
{
"id": "WebToolbar",
"display_name": "WebToolbar",
"target": null
},
{
"id": "Behav",
"display_name": "Behav",
"target": null
},
{
"id": "TrojanSpy",
"display_name": "TrojanSpy",
"target": null
},
{
"id": "Beach Research",
"display_name": "Beach Research",
"target": null
},
{
"id": "RMS",
"display_name": "RMS",
"target": null
},
{
"id": "RedLine",
"display_name": "RedLine",
"target": null
},
{
"id": "Tulach",
"display_name": "Tulach",
"target": null
},
{
"id": "WIN32.PDF.ALIEN",
"display_name": "WIN32.PDF.ALIEN",
"target": null
},
{
"id": "ZeuS",
"display_name": "ZeuS",
"target": null
},
{
"id": "SuppoBox",
"display_name": "SuppoBox",
"target": null
},
{
"id": "Trojan:Win32/Wacatac",
"display_name": "Trojan:Win32/Wacatac",
"target": "/malware/Trojan:Win32/Wacatac"
},
{
"id": "ALF:Trojan:Win32/FormBook",
"display_name": "ALF:Trojan:Win32/FormBook",
"target": null
},
{
"id": "Emotet",
"display_name": "Emotet",
"target": null
},
{
"id": "njRAT",
"display_name": "njRAT",
"target": null
},
{
"id": "Trojan:Win32/Tiggre",
"display_name": "Trojan:Win32/Tiggre",
"target": "/malware/Trojan:Win32/Tiggre"
},
{
"id": "Invoke-Mimikatz",
"display_name": "Invoke-Mimikatz",
"target": null
},
{
"id": "China Telecom",
"display_name": "China Telecom",
"target": null
},
{
"id": "Mirai",
"display_name": "Mirai",
"target": null
},
{
"id": "Sonbokli",
"display_name": "Sonbokli",
"target": null
},
{
"id": "Ubot",
"display_name": "Ubot",
"target": null
},
{
"id": "HSBC",
"display_name": "HSBC",
"target": null
},
{
"id": "Uztuby",
"display_name": "Uztuby",
"target": null
},
{
"id": "APNIC",
"display_name": "APNIC",
"target": null
},
{
"id": "Cl0p",
"display_name": "Cl0p",
"target": null
},
{
"id": "Inmortal",
"display_name": "Inmortal",
"target": null
},
{
"id": "Domains",
"display_name": "Domains",
"target": null
},
{
"id": "Vitzo",
"display_name": "Vitzo",
"target": null
},
{
"id": "Babar",
"display_name": "Babar",
"target": null
},
{
"id": "Qbot",
"display_name": "Qbot",
"target": null
},
{
"id": "WannaCry Kill Switch",
"display_name": "WannaCry Kill Switch",
"target": null
}
],
"attack_ids": [
{
"id": "T1027",
"name": "Obfuscated Files or Information",
"display_name": "T1027 - Obfuscated Files or Information"
},
{
"id": "T1140",
"name": "Deobfuscate/Decode Files or Information",
"display_name": "T1140 - Deobfuscate/Decode Files or Information"
},
{
"id": "T1041",
"name": "Exfiltration Over C2 Channel",
"display_name": "T1041 - Exfiltration Over C2 Channel"
},
{
"id": "T1059",
"name": "Command and Scripting Interpreter",
"display_name": "T1059 - Command and Scripting Interpreter"
},
{
"id": "T1071",
"name": "Application Layer Protocol",
"display_name": "T1071 - Application Layer Protocol"
},
{
"id": "T1105",
"name": "Ingress Tool Transfer",
"display_name": "T1105 - Ingress Tool Transfer"
},
{
"id": "T1114",
"name": "Email Collection",
"display_name": "T1114 - Email Collection"
},
{
"id": "T1497",
"name": "Virtualization/Sandbox Evasion",
"display_name": "T1497 - Virtualization/Sandbox Evasion"
},
{
"id": "T1012",
"name": "Query Registry",
"display_name": "T1012 - Query Registry"
},
{
"id": "T1043",
"name": "Commonly Used Port",
"display_name": "T1043 - Commonly Used Port"
},
{
"id": "T1055",
"name": "Process Injection",
"display_name": "T1055 - Process Injection"
},
{
"id": "T1056",
"name": "Input Capture",
"display_name": "T1056 - Input Capture"
},
{
"id": "T1068",
"name": "Exploitation for Privilege Escalation",
"display_name": "T1068 - Exploitation for Privilege Escalation"
},
{
"id": "T1112",
"name": "Modify Registry",
"display_name": "T1112 - Modify Registry"
},
{
"id": "T1176",
"name": "Browser Extensions",
"display_name": "T1176 - Browser Extensions"
},
{
"id": "T1179",
"name": "Hooking",
"display_name": "T1179 - Hooking"
},
{
"id": "T1449",
"name": "Exploit SS7 to Redirect Phone Calls/SMS",
"display_name": "T1449 - Exploit SS7 to Redirect Phone Calls/SMS"
},
{
"id": "T1496",
"name": "Resource Hijacking",
"display_name": "T1496 - Resource Hijacking"
},
{
"id": "T1583",
"name": "Acquire Infrastructure",
"display_name": "T1583 - Acquire Infrastructure"
},
{
"id": "T1100",
"name": "Web Shell",
"display_name": "T1100 - Web Shell"
},
{
"id": "T1560",
"name": "Archive Collected Data",
"display_name": "T1560 - Archive Collected Data"
}
],
"industries": [
"Health"
],
"TLP": "white",
"cloned_from": "657ab025b97f20f31bbfcd70",
"export_count": 508,
"upvotes_count": 0,
"downvotes_count": 0,
"votes_count": 0,
"locked": false,
"pulse_source": "web",
"validator_count": 0,
"comment_count": 0,
"follower_count": 0,
"vote": 0,
"author": {
"username": "scoreblue",
"id": "254100",
"avatar_url": "/otxapi/users/avatar_image/media/avatars/user_254100/resized/80/avatar_3b9c358f36.png",
"is_subscribed": false,
"is_following": false
},
"indicator_type_counts": {
"domain": 2001,
"hostname": 3531,
"URL": 7519,
"FileHash-MD5": 2851,
"FileHash-SHA1": 1622,
"FileHash-SHA256": 5092,
"CVE": 24,
"email": 9,
"CIDR": 4
},
"indicator_count": 22653,
"is_author": false,
"is_subscribing": null,
"subscriber_count": 230,
"modified_text": "827 days ago ",
"is_modified": true,
"groups": [],
"in_group": false,
"threat_hunter_scannable": true,
"threat_hunter_has_agents": 1,
"related_indicator_type": "URL",
"related_indicator_is_active": 1
},
{
"id": "657c045ef15bd06d27da1b08",
"name": "Resource Hijacking by attorney https://hallrender.com/attorney/brian-sabey",
"description": "",
"modified": "2024-01-13T06:01:05.467000",
"created": "2023-12-15T07:46:38.664000",
"tags": [
"ssl certificate",
"whois record",
"contacted",
"historical ssl",
"communicating",
"referrer",
"execution",
"tsara brashears",
"highly targeted",
"njrat",
"ransomware",
"heodo",
"tag count",
"thu aug",
"threat report",
"ip summary",
"url summary",
"summary",
"sample",
"samples",
"detection list",
"malicious url",
"blacklist https",
"united",
"firehol",
"maltiverse",
"cyber threat",
"control server",
"host",
"phishing",
"engineering",
"paypal",
"download",
"malware",
"nanocore rat",
"meterpreter",
"pony",
"facebook",
"stealer",
"redline stealer",
"dnspionage",
"mirai",
"nanocore",
"bradesco",
"emotet",
"cobalt strike",
"bank",
"zeus",
"zbot",
"suppobox",
"generic",
"site",
"cisco umbrella",
"alexa top",
"million",
"reverse dns",
"general full",
"url https",
"resource",
"protocol h2",
"security tls",
"software",
"get h2",
"hash",
"main",
"search live",
"api blog",
"docs pricing",
"december",
"hall render",
"advisory",
"brochure url",
"link url",
"linkedin link",
"facebook link",
"value",
"login",
"variables",
"modernizr",
"lsmeta function",
"lsoldgsqueue",
"de indicators",
"domains",
"hashes",
"copyright",
"gmbh version",
"no data",
"tld count",
"urls",
"count blacklist",
"heur",
"html",
"site top",
"malicious site",
"malware site",
"riskware",
"exploit",
"win64",
"unsafe",
"genkryptik",
"artemis",
"opencandy",
"agent",
"dropper",
"fakealert",
"acint",
"nircmd",
"swrort",
"downldr",
"systweak",
"behav",
"crack",
"tiggre",
"presenoker",
"filetour",
"cleaner",
"conduit",
"wacatac",
"mimikatz",
"redirector",
"deepscan",
"iframe",
"memscan",
"suspicious",
"magazine",
"applicunwnt",
"alexa",
"phish",
"win32.pdf.alien",
"freemake",
"webtoolbar",
"trojanspy",
"label",
"input",
"form",
"button",
"render",
"articles",
"column",
"brian",
"search",
"contact",
"span",
"accept",
"this",
"close",
"district",
"ultimate",
"ip address",
"blacklist",
"covid19",
"phishing chase",
"windows nt",
"khtml",
"gecko",
"veryhigh",
"aes256gcm",
"digicert global",
"g2 tls",
"rsa sha256",
"bypass",
"formbook",
"generic malware",
"cutwail",
"safe site",
"phishing site",
"team",
"tofsee",
"azorult",
"service",
"runescape",
"remcos",
"malicious",
"miner",
"hacktool",
"agenttesla",
"unknown",
"downloader",
"trojan",
"detplock",
"networm",
"cryptinject",
"beach research",
"rms",
"redline",
"brian sabey",
"hallrender.com",
"hallrender.com/attorney/brian-sabey",
"tulach",
"tulach.cc",
"mo.gov",
"safebae.org",
"civicalg.com",
"civicalg",
"passive dns",
"domain",
"registrar",
"scan endpoints",
"all octoseek",
"hostname",
"pulse pulses",
"date",
"next",
"computer",
"company limited",
"first",
"utc submissions",
"submitters",
"gti9158",
"gti9080l",
"gti9128v",
"summary iocs",
"graph community",
"namecheap inc",
"cloudflare",
"com laude",
"ltd dba",
"porkbun llc",
"ii llc",
"csc corporate",
"amazon02",
"google",
"cloudflarenet",
"akamaias",
"innova co",
"indonesia",
"level3",
"china telecom",
"mb setup",
"mb opera",
"mb qimage",
"mb iesettings",
"mb super",
"optimizer",
"premium",
"pattern match",
"file",
"ascii text",
"indicator",
"jpeg image",
"et tor",
"known tor",
"misc attack",
"relayrouter",
"general",
"hybrid",
"local",
"click",
"strings",
"class",
"generator",
"critical",
"error",
"traffic",
"tor known",
"exit",
"node tcp",
"tor relayrouter",
"spammer",
"tor exit",
"threats et",
"node udp",
"adware",
"quasar rat",
"installpack",
"xrat",
"fusioncore",
"union",
"raccoon",
"metastealer",
"xtrat",
"blacklist http",
"url http",
"hijacking",
"information",
"report spam",
"attorney",
"trojanx",
"zpevdo",
"vidar",
"agent tesla",
"nymaim",
"virut",
"occamy",
"iobit",
"sality",
"all search",
"otx octoseek",
"author avatar",
"role title",
"added active",
"related pulses",
"entries",
"indicator role",
"title added",
"active related",
"pulses url",
"pulses",
"ipv4",
"expiration",
"no expiration",
"iocs",
"create new",
"site safe",
"lovgate",
"unruy",
"patcher",
"nsis",
"installcore",
"adload",
"cve201711882",
"sonbokli",
"ubot",
"hsbc",
"uztuby",
"malicious host",
"microsoft",
"psexec",
"brontok",
"startpage",
"keygen",
"fareit",
"secrisk",
"floxif",
"threat roundup",
"c2 raccoon",
"march",
"critical risk",
"apple phone",
"unlocker",
"installer",
"laplasclipper",
"blister",
"june",
"name verdict",
"falcon sandbox",
"malware generic",
"tue dec",
"temp",
"mitre att",
"ck id",
"show technique",
"ck matrix",
"twitter",
"seraph",
"bazaloader",
"media",
"security",
"technology",
"dns replication",
"virustotal",
"win32 exe",
"files",
"detections type",
"name",
"notepad",
"java",
"update checker",
"verisign",
"server",
"asia pacific",
"data",
"whois database",
"registrar abuse",
"apnic whois",
"apnic",
"icann whois",
"nanjing",
"cnnic",
"hackers",
"virus network",
"relacionada",
"cyberstalking",
"excel",
"macros sneaky",
"unauthorized",
"wannacry kill",
"attack",
"core",
"qakbot",
"lumma stealer",
"ransomexx",
"quasar",
"metro",
"copy",
"project",
"cnc server",
"proxy",
"ramnit",
"cl0p",
"inmortal",
"noname057",
"jul jan",
"fri jun",
"tag tag",
"failed_code_integrity_checks",
"python_initiated-connection",
"powershell_create_scheduled",
"creation_of_an_executable_by_an_executable",
"botnetwork",
"c2",
"apple hacking",
"government relations",
"abuse",
"download csv",
"json ip",
"linkid252669",
"adwaresig",
"suspected",
"filerepmalware",
"dapato",
"predator",
"fakeinstaller",
"spyrixkeylogger",
"bitminer",
"loadmoney",
"mediaget",
"softonic",
"encpk",
"qbot",
"kraddare",
"dllinject",
"driverpack",
"genpack",
"offercore",
"vitzo",
"babar",
"http response",
"final url",
"serving ip",
"address",
"status code",
"body length",
"b body",
"sha256",
"headers",
"connection",
"pragma",
"team malware",
"binder",
"pykspa",
"feodo",
"mark",
"bomb",
"whois whois",
"whois parent",
"glupteba",
"setup stub",
"c2ae"
],
"references": [
"https://hallrender.com/attorney/brian-sabey",
"https://hybrid-analysis.com/sample/66a840a853476a7b66a1202d7f21b28e71b94912341dee123345e620f41fda9d/6571d012385f14f31d0191ad",
"https://tracking.crazyegg.com/clock?t=1701949195114&tk=09a1de462eccb2ebc17a566aec5ed8b4&s=331938&p=%2Fattorney%2Fbrian-sabey%2F&u=502212&v=618f8e048086160d46ee09468f987c3211863abb&f=hallrender.com%2Fattorney%2Fbrian-sabey&ul=https%3A%2F%2Fwww.hallrender.com%2Fattorney%2Fbrian-sabey%2F ( tracking tsra Brashears,tracking, clock app)",
"https://www.hallrender.com/attorney/brian-sabey/#breadcrumb",
"192.124.249.53:80",
"hallrender.com (Malware hosting DGA domain, malware hosting, social engineering , fraud services, threat hounds, cyber criminals, dangerous group)",
"https://www.hallrender.com/service/antitrust/ ('t' process - targetsTsara Brashears)",
"https://www.hallrender.com/professional/kathy-l-thurston/ (phishing)",
"https://www.hallrender.com/wp-content/themes/Hall-Render/assets/js/minified/lazy_load-1.9.7-min.js?ver=3.0.1 (malware hosting)",
"https://www.hallrender.com/wp-content/themes/Hall-Render/assets/js/minified/lazy_load-1.9.7-min.js?ver=3.0.1%27 (malware hosting)",
"Other malicious Hall Render assets and attacks. This doesn't include evidence of physical, documented crimes against targets who may not know source)",
"http://auditrage.top/Rossmaansywh/tb.php?wmtvjltu phishing and other cybercrime, serious cyber attacks)",
"114.114.114.114. (auto populated IP descriptions: tulach, brian sabey, apple, law)",
"rp.dudaran2.com [routerlogin.net to safebae.org]",
"vortex-nlb-http2-fed-us-taut-purple.nr-data.net [Apple data, ransomed]",
"https://1.1.1.1/login.html [login access to Brashears' Warp if applicable]",
"https://www.assurant.com/?utm_source=email&utm_medium=email&utm_campaign=Mobile_Transactional_withad&utm_content=Deductible+Charge+Acknowledgement+PD-MB&utm_term=",
"http://xd.x9.client.api.vpngate2.jp/api/?session_id=1773986324675443378",
"https://poemhunter.com/tsara-brashears/",
"https://pin.it/ [Tsara Brashears Lesbian (libel) Botnetwork, libel]",
"http://45.159.189.105/bot/regex ( Laplas clipper, Password stealer. Tracks Tsara Brashears, devices, location, , behavior. Obsessive targeting & social engineering)",
"https://www.virustotal.com/graph/g682ab72ed7b14bc68948e2dbfc22be8f7b2a00a339eb490083e18dc764a618dd",
"government.westlaw.com",
"web2.westlaw.com (Malicious: Only targets Tsara Brashears & safebae.org/cyber stalking now deceased Daisy Coleman deceased, alleged suicide )",
"safebae.org (Skynet) Was now deceased Daisy Coleman a real person or actress in Audrey & Daisy? Tragic",
"west-sca.duckdns.org",
"us-west-2.es.amazonaws.com (pslicorp)",
"hero9780.duckdns.org ( government.westlaw.com/house of mo)",
"https://www.hallrender.com/2018/12/13/nationwide-emailed-bomb-threats-are-new-ransom-technique (target emailed bomb \"t\" threat, reported, dismissed)",
"http://www.hallrender.com/resources/blog (Malware hosting, malvertizing URL/ targets Tsara Brashears)",
"www.hallrender.com (malware hosting)",
"https://www.milehighmedia.com/en/Charlie-Dean/pornstar/49512 (Mile High Media malvertizing relationship = subsidiary)",
"https://www.milehighmedia.com/en/pornstar/milehighmedia/Justin-Hunt/51017",
"www.dead-speak.com",
"www42.jhonisdead.com",
"alohatube.xyz (http://benjamin.xww.de/ porn malvertizing blame shift. Formerly property of Hall Render Brian Sabey)",
"https://alohatube.xyz/search/tsara-brashears (Formerly Botnetwork malvertizing campaign targeting Tsara Brashears crime victim. Now http. Benjamin. xww )",
"https://www.anyxxxtube.net/search-porn/tsara-brashears/ (Heavy malvertizing. Phishing m formerly named a Bot Network. )",
"https://www.pornhub.com/gifs/search?search=tsara+lynn+brashears+lesbian ( tagging, malware campaign, Apple iOS password cracker, libel, straight female)",
"www.pornhub.com (Targets Tsara Brashears. Pornography malvertizing, tagging)",
"poemhunter.com (Blacklisted.Target Tsara Brashears with relentless malvertizing attacks including, device hacking)",
"fakecelebporno.com",
"batchcourtexpressservicesqa.westlaw.com",
"batchpublicrecords.westlaw.com",
"apple-aqo.com (1 DNSPod.net)",
"http://init.ess.apple.com/WebObjects/VCInit.woa/wa/getBag?ix=4 (Apple access hacktool \u2192init.ess.apple.com/Web0)",
"c.oooooooooo.ga (c.apple.com cdn)",
"https://www.anyxxxtube.net/media/favicon/apple",
"init.ess.apple.com ( Code Script \u2022 MortalK)",
"34bc869d2906198362a4346373ce5b94 (bpbd.portal.ov.bd/npfblock/2021-jpg.",
"https://wallpapers-nature.com/tsara-brashears/tse1-mm-bing-net (BitCoin Aussie)",
"000002f1558a89f29984934d511289491032f9e96a249c12f2f6d42678264114 (Notepad.exe - python initiated connection)",
"https://www.sweetheartvideo.com/tsara-brashears/ [Pin.It BotNet a Malicious Pinterest fraud service]",
"https://www.hallrender.com/attorney/brian-sabey"
],
"public": 1,
"adversary": "M. Brian Sabey Hall Render Malicious & Dangerous Threat Actor",
"targeted_countries": [],
"malware_families": [
{
"id": "Maltiverse",
"display_name": "Maltiverse",
"target": null
},
{
"id": "WIN32.PDF.Alien",
"display_name": "WIN32.PDF.Alien",
"target": null
},
{
"id": "Freemake",
"display_name": "Freemake",
"target": null
},
{
"id": "Redirector",
"display_name": "Redirector",
"target": null
},
{
"id": "Zbot",
"display_name": "Zbot",
"target": null
},
{
"id": "WebToolbar",
"display_name": "WebToolbar",
"target": null
},
{
"id": "Behav",
"display_name": "Behav",
"target": null
},
{
"id": "TrojanSpy",
"display_name": "TrojanSpy",
"target": null
},
{
"id": "Beach Research",
"display_name": "Beach Research",
"target": null
},
{
"id": "RMS",
"display_name": "RMS",
"target": null
},
{
"id": "RedLine",
"display_name": "RedLine",
"target": null
},
{
"id": "Tulach",
"display_name": "Tulach",
"target": null
},
{
"id": "WIN32.PDF.ALIEN",
"display_name": "WIN32.PDF.ALIEN",
"target": null
},
{
"id": "ZeuS",
"display_name": "ZeuS",
"target": null
},
{
"id": "SuppoBox",
"display_name": "SuppoBox",
"target": null
},
{
"id": "Trojan:Win32/Wacatac",
"display_name": "Trojan:Win32/Wacatac",
"target": "/malware/Trojan:Win32/Wacatac"
},
{
"id": "ALF:Trojan:Win32/FormBook",
"display_name": "ALF:Trojan:Win32/FormBook",
"target": null
},
{
"id": "Emotet",
"display_name": "Emotet",
"target": null
},
{
"id": "njRAT",
"display_name": "njRAT",
"target": null
},
{
"id": "Trojan:Win32/Tiggre",
"display_name": "Trojan:Win32/Tiggre",
"target": "/malware/Trojan:Win32/Tiggre"
},
{
"id": "Invoke-Mimikatz",
"display_name": "Invoke-Mimikatz",
"target": null
},
{
"id": "China Telecom",
"display_name": "China Telecom",
"target": null
},
{
"id": "Mirai",
"display_name": "Mirai",
"target": null
},
{
"id": "Sonbokli",
"display_name": "Sonbokli",
"target": null
},
{
"id": "Ubot",
"display_name": "Ubot",
"target": null
},
{
"id": "HSBC",
"display_name": "HSBC",
"target": null
},
{
"id": "Uztuby",
"display_name": "Uztuby",
"target": null
},
{
"id": "APNIC",
"display_name": "APNIC",
"target": null
},
{
"id": "Cl0p",
"display_name": "Cl0p",
"target": null
},
{
"id": "Inmortal",
"display_name": "Inmortal",
"target": null
},
{
"id": "Domains",
"display_name": "Domains",
"target": null
},
{
"id": "Vitzo",
"display_name": "Vitzo",
"target": null
},
{
"id": "Babar",
"display_name": "Babar",
"target": null
},
{
"id": "Qbot",
"display_name": "Qbot",
"target": null
},
{
"id": "WannaCry Kill Switch",
"display_name": "WannaCry Kill Switch",
"target": null
}
],
"attack_ids": [
{
"id": "T1027",
"name": "Obfuscated Files or Information",
"display_name": "T1027 - Obfuscated Files or Information"
},
{
"id": "T1140",
"name": "Deobfuscate/Decode Files or Information",
"display_name": "T1140 - Deobfuscate/Decode Files or Information"
},
{
"id": "T1041",
"name": "Exfiltration Over C2 Channel",
"display_name": "T1041 - Exfiltration Over C2 Channel"
},
{
"id": "T1059",
"name": "Command and Scripting Interpreter",
"display_name": "T1059 - Command and Scripting Interpreter"
},
{
"id": "T1071",
"name": "Application Layer Protocol",
"display_name": "T1071 - Application Layer Protocol"
},
{
"id": "T1105",
"name": "Ingress Tool Transfer",
"display_name": "T1105 - Ingress Tool Transfer"
},
{
"id": "T1114",
"name": "Email Collection",
"display_name": "T1114 - Email Collection"
},
{
"id": "T1497",
"name": "Virtualization/Sandbox Evasion",
"display_name": "T1497 - Virtualization/Sandbox Evasion"
},
{
"id": "T1012",
"name": "Query Registry",
"display_name": "T1012 - Query Registry"
},
{
"id": "T1043",
"name": "Commonly Used Port",
"display_name": "T1043 - Commonly Used Port"
},
{
"id": "T1055",
"name": "Process Injection",
"display_name": "T1055 - Process Injection"
},
{
"id": "T1056",
"name": "Input Capture",
"display_name": "T1056 - Input Capture"
},
{
"id": "T1068",
"name": "Exploitation for Privilege Escalation",
"display_name": "T1068 - Exploitation for Privilege Escalation"
},
{
"id": "T1112",
"name": "Modify Registry",
"display_name": "T1112 - Modify Registry"
},
{
"id": "T1176",
"name": "Browser Extensions",
"display_name": "T1176 - Browser Extensions"
},
{
"id": "T1179",
"name": "Hooking",
"display_name": "T1179 - Hooking"
},
{
"id": "T1449",
"name": "Exploit SS7 to Redirect Phone Calls/SMS",
"display_name": "T1449 - Exploit SS7 to Redirect Phone Calls/SMS"
},
{
"id": "T1496",
"name": "Resource Hijacking",
"display_name": "T1496 - Resource Hijacking"
},
{
"id": "T1583",
"name": "Acquire Infrastructure",
"display_name": "T1583 - Acquire Infrastructure"
},
{
"id": "T1100",
"name": "Web Shell",
"display_name": "T1100 - Web Shell"
},
{
"id": "T1560",
"name": "Archive Collected Data",
"display_name": "T1560 - Archive Collected Data"
}
],
"industries": [
"Health"
],
"TLP": "white",
"cloned_from": "657c03432f4f2997c7d3aff4",
"export_count": 508,
"upvotes_count": 0,
"downvotes_count": 0,
"votes_count": 0,
"locked": false,
"pulse_source": "web",
"validator_count": 0,
"comment_count": 0,
"follower_count": 0,
"vote": 0,
"author": {
"username": "scoreblue",
"id": "254100",
"avatar_url": "/otxapi/users/avatar_image/media/avatars/user_254100/resized/80/avatar_3b9c358f36.png",
"is_subscribed": false,
"is_following": false
},
"indicator_type_counts": {
"domain": 2001,
"hostname": 3531,
"URL": 7519,
"FileHash-MD5": 2851,
"FileHash-SHA1": 1622,
"FileHash-SHA256": 5092,
"CVE": 24,
"email": 9,
"CIDR": 4
},
"indicator_count": 22653,
"is_author": false,
"is_subscribing": null,
"subscriber_count": 230,
"modified_text": "827 days ago ",
"is_modified": true,
"groups": [],
"in_group": false,
"threat_hunter_scannable": true,
"threat_hunter_has_agents": 1,
"related_indicator_type": "URL",
"related_indicator_is_active": 1
},
{
"id": "658dd341d97d04b0253392d4",
"name": "CryptInject \u2022 Inmortal \u2022 Invoke-Mimikatz \u2022 WannaCry Kill Switch",
"description": "",
"modified": "2024-01-13T06:01:05.467000",
"created": "2023-12-28T19:57:53.875000",
"tags": [
"ssl certificate",
"whois record",
"contacted",
"historical ssl",
"communicating",
"referrer",
"execution",
"tsara brashears",
"highly targeted",
"njrat",
"ransomware",
"heodo",
"tag count",
"thu aug",
"threat report",
"ip summary",
"url summary",
"summary",
"sample",
"samples",
"detection list",
"malicious url",
"blacklist https",
"united",
"firehol",
"maltiverse",
"cyber threat",
"control server",
"host",
"phishing",
"engineering",
"paypal",
"download",
"malware",
"nanocore rat",
"meterpreter",
"pony",
"facebook",
"stealer",
"redline stealer",
"dnspionage",
"mirai",
"nanocore",
"bradesco",
"emotet",
"cobalt strike",
"bank",
"zeus",
"zbot",
"suppobox",
"generic",
"site",
"cisco umbrella",
"alexa top",
"million",
"reverse dns",
"general full",
"url https",
"resource",
"protocol h2",
"security tls",
"software",
"get h2",
"hash",
"main",
"search live",
"api blog",
"docs pricing",
"december",
"hall render",
"advisory",
"brochure url",
"link url",
"linkedin link",
"facebook link",
"value",
"login",
"variables",
"modernizr",
"lsmeta function",
"lsoldgsqueue",
"de indicators",
"domains",
"hashes",
"copyright",
"gmbh version",
"no data",
"tld count",
"urls",
"count blacklist",
"heur",
"html",
"site top",
"malicious site",
"malware site",
"riskware",
"exploit",
"win64",
"unsafe",
"genkryptik",
"artemis",
"opencandy",
"agent",
"dropper",
"fakealert",
"acint",
"nircmd",
"swrort",
"downldr",
"systweak",
"behav",
"crack",
"tiggre",
"presenoker",
"filetour",
"cleaner",
"conduit",
"wacatac",
"mimikatz",
"redirector",
"deepscan",
"iframe",
"memscan",
"suspicious",
"magazine",
"applicunwnt",
"alexa",
"phish",
"win32.pdf.alien",
"freemake",
"webtoolbar",
"trojanspy",
"label",
"input",
"form",
"button",
"render",
"articles",
"column",
"brian",
"search",
"contact",
"span",
"accept",
"this",
"close",
"district",
"ultimate",
"ip address",
"blacklist",
"covid19",
"phishing chase",
"windows nt",
"khtml",
"gecko",
"veryhigh",
"aes256gcm",
"digicert global",
"g2 tls",
"rsa sha256",
"bypass",
"formbook",
"generic malware",
"cutwail",
"safe site",
"phishing site",
"team",
"tofsee",
"azorult",
"service",
"runescape",
"remcos",
"malicious",
"miner",
"hacktool",
"agenttesla",
"unknown",
"downloader",
"trojan",
"detplock",
"networm",
"cryptinject",
"beach research",
"rms",
"redline",
"brian sabey",
"hallrender.com",
"hallrender.com/attorney/brian-sabey",
"tulach",
"tulach.cc",
"mo.gov",
"safebae.org",
"civicalg.com",
"civicalg",
"passive dns",
"domain",
"registrar",
"scan endpoints",
"all octoseek",
"hostname",
"pulse pulses",
"date",
"next",
"computer",
"company limited",
"first",
"utc submissions",
"submitters",
"gti9158",
"gti9080l",
"gti9128v",
"summary iocs",
"graph community",
"namecheap inc",
"cloudflare",
"com laude",
"ltd dba",
"porkbun llc",
"ii llc",
"csc corporate",
"amazon02",
"google",
"cloudflarenet",
"akamaias",
"innova co",
"indonesia",
"level3",
"china telecom",
"mb setup",
"mb opera",
"mb qimage",
"mb iesettings",
"mb super",
"optimizer",
"premium",
"pattern match",
"file",
"ascii text",
"indicator",
"jpeg image",
"et tor",
"known tor",
"misc attack",
"relayrouter",
"general",
"hybrid",
"local",
"click",
"strings",
"class",
"generator",
"critical",
"error",
"traffic",
"tor known",
"exit",
"node tcp",
"tor relayrouter",
"spammer",
"tor exit",
"threats et",
"node udp",
"adware",
"quasar rat",
"installpack",
"xrat",
"fusioncore",
"union",
"raccoon",
"metastealer",
"xtrat",
"blacklist http",
"url http",
"hijacking",
"information",
"report spam",
"attorney",
"trojanx",
"zpevdo",
"vidar",
"agent tesla",
"nymaim",
"virut",
"occamy",
"iobit",
"sality",
"all search",
"otx octoseek",
"author avatar",
"role title",
"added active",
"related pulses",
"entries",
"indicator role",
"title added",
"active related",
"pulses url",
"pulses",
"ipv4",
"expiration",
"no expiration",
"iocs",
"create new",
"site safe",
"lovgate",
"unruy",
"patcher",
"nsis",
"installcore",
"adload",
"cve201711882",
"sonbokli",
"ubot",
"hsbc",
"uztuby",
"malicious host",
"microsoft",
"psexec",
"brontok",
"startpage",
"keygen",
"fareit",
"secrisk",
"floxif",
"threat roundup",
"c2 raccoon",
"march",
"critical risk",
"apple phone",
"unlocker",
"installer",
"laplasclipper",
"blister",
"june",
"name verdict",
"falcon sandbox",
"malware generic",
"tue dec",
"temp",
"mitre att",
"ck id",
"show technique",
"ck matrix",
"twitter",
"seraph",
"bazaloader",
"media",
"security",
"technology",
"dns replication",
"virustotal",
"win32 exe",
"files",
"detections type",
"name",
"notepad",
"java",
"update checker",
"verisign",
"server",
"asia pacific",
"data",
"whois database",
"registrar abuse",
"apnic whois",
"apnic",
"icann whois",
"nanjing",
"cnnic",
"hackers",
"virus network",
"relacionada",
"cyberstalking",
"excel",
"macros sneaky",
"unauthorized",
"wannacry kill",
"attack",
"core",
"qakbot",
"lumma stealer",
"ransomexx",
"quasar",
"metro",
"copy",
"project",
"cnc server",
"proxy",
"ramnit",
"cl0p",
"inmortal",
"noname057",
"jul jan",
"fri jun",
"tag tag",
"failed_code_integrity_checks",
"python_initiated-connection",
"powershell_create_scheduled",
"creation_of_an_executable_by_an_executable",
"botnetwork",
"c2",
"apple hacking",
"government relations",
"abuse",
"download csv",
"json ip",
"linkid252669",
"adwaresig",
"suspected",
"filerepmalware",
"dapato",
"predator",
"fakeinstaller",
"spyrixkeylogger",
"bitminer",
"loadmoney",
"mediaget",
"softonic",
"encpk",
"qbot",
"kraddare",
"dllinject",
"driverpack",
"genpack",
"offercore",
"vitzo",
"babar",
"http response",
"final url",
"serving ip",
"address",
"status code",
"body length",
"b body",
"sha256",
"headers",
"connection",
"pragma",
"team malware",
"binder",
"pykspa",
"feodo",
"mark",
"bomb",
"whois whois",
"whois parent",
"glupteba",
"setup stub",
"c2ae"
],
"references": [
"https://hallrender.com/attorney/brian-sabey",
"https://hybrid-analysis.com/sample/66a840a853476a7b66a1202d7f21b28e71b94912341dee123345e620f41fda9d/6571d012385f14f31d0191ad",
"https://tracking.crazyegg.com/clock?t=1701949195114&tk=09a1de462eccb2ebc17a566aec5ed8b4&s=331938&p=%2Fattorney%2Fbrian-sabey%2F&u=502212&v=618f8e048086160d46ee09468f987c3211863abb&f=hallrender.com%2Fattorney%2Fbrian-sabey&ul=https%3A%2F%2Fwww.hallrender.com%2Fattorney%2Fbrian-sabey%2F ( tracking tsra Brashears,tracking, clock app)",
"https://www.hallrender.com/attorney/brian-sabey/#breadcrumb",
"192.124.249.53:80",
"hallrender.com (Malware hosting DGA domain, malware hosting, social engineering , fraud services, threat hounds, cyber criminals, dangerous group)",
"https://www.hallrender.com/service/antitrust/ ('t' process - targetsTsara Brashears)",
"https://www.hallrender.com/professional/kathy-l-thurston/ (phishing)",
"https://www.hallrender.com/wp-content/themes/Hall-Render/assets/js/minified/lazy_load-1.9.7-min.js?ver=3.0.1 (malware hosting)",
"https://www.hallrender.com/wp-content/themes/Hall-Render/assets/js/minified/lazy_load-1.9.7-min.js?ver=3.0.1%27 (malware hosting)",
"Other malicious Hall Render assets and attacks. This doesn't include evidence of physical, documented crimes against targets who may not know source)",
"http://auditrage.top/Rossmaansywh/tb.php?wmtvjltu phishing and other cybercrime, serious cyber attacks)",
"114.114.114.114. (auto populated IP descriptions: tulach, brian sabey, apple, law)",
"rp.dudaran2.com [routerlogin.net to safebae.org]",
"vortex-nlb-http2-fed-us-taut-purple.nr-data.net [Apple data, ransomed]",
"https://1.1.1.1/login.html [login access to Brashears' Warp if applicable]",
"https://www.assurant.com/?utm_source=email&utm_medium=email&utm_campaign=Mobile_Transactional_withad&utm_content=Deductible+Charge+Acknowledgement+PD-MB&utm_term=",
"http://xd.x9.client.api.vpngate2.jp/api/?session_id=1773986324675443378",
"https://poemhunter.com/tsara-brashears/",
"https://pin.it/ [Tsara Brashears Lesbian (libel) Botnetwork, libel]",
"http://45.159.189.105/bot/regex ( Laplas clipper, Password stealer. Tracks Tsara Brashears, devices, location, , behavior. Obsessive targeting & social engineering)",
"https://www.virustotal.com/graph/g682ab72ed7b14bc68948e2dbfc22be8f7b2a00a339eb490083e18dc764a618dd",
"government.westlaw.com",
"web2.westlaw.com (Malicious: Only targets Tsara Brashears & safebae.org/cyber stalking now deceased Daisy Coleman deceased, alleged suicide )",
"safebae.org (Skynet) Was now deceased Daisy Coleman a real person or actress in Audrey & Daisy? Tragic",
"west-sca.duckdns.org",
"us-west-2.es.amazonaws.com (pslicorp)",
"hero9780.duckdns.org ( government.westlaw.com/house of mo)",
"https://www.hallrender.com/2018/12/13/nationwide-emailed-bomb-threats-are-new-ransom-technique (target emailed bomb \"t\" threat, reported, dismissed)",
"http://www.hallrender.com/resources/blog (Malware hosting, malvertizing URL/ targets Tsara Brashears)",
"www.hallrender.com (malware hosting)",
"https://www.milehighmedia.com/en/Charlie-Dean/pornstar/49512 (Mile High Media malvertizing relationship = subsidiary)",
"https://www.milehighmedia.com/en/pornstar/milehighmedia/Justin-Hunt/51017",
"www.dead-speak.com",
"www42.jhonisdead.com",
"alohatube.xyz (http://benjamin.xww.de/ porn malvertizing blame shift. Formerly property of Hall Render Brian Sabey)",
"https://alohatube.xyz/search/tsara-brashears (Formerly Botnetwork malvertizing campaign targeting Tsara Brashears crime victim. Now http. Benjamin. xww )",
"https://www.anyxxxtube.net/search-porn/tsara-brashears/ (Heavy malvertizing. Phishing m formerly named a Bot Network. )",
"https://www.pornhub.com/gifs/search?search=tsara+lynn+brashears+lesbian ( tagging, malware campaign, Apple iOS password cracker, libel, straight female)",
"www.pornhub.com (Targets Tsara Brashears. Pornography malvertizing, tagging)",
"poemhunter.com (Blacklisted.Target Tsara Brashears with relentless malvertizing attacks including, device hacking)",
"fakecelebporno.com",
"batchcourtexpressservicesqa.westlaw.com",
"batchpublicrecords.westlaw.com",
"apple-aqo.com (1 DNSPod.net)",
"http://init.ess.apple.com/WebObjects/VCInit.woa/wa/getBag?ix=4 (Apple access hacktool \u2192init.ess.apple.com/Web0)",
"c.oooooooooo.ga (c.apple.com cdn)",
"https://www.anyxxxtube.net/media/favicon/apple",
"init.ess.apple.com ( Code Script \u2022 MortalK)",
"34bc869d2906198362a4346373ce5b94 (bpbd.portal.ov.bd/npfblock/2021-jpg.",
"https://wallpapers-nature.com/tsara-brashears/tse1-mm-bing-net (BitCoin Aussie)",
"000002f1558a89f29984934d511289491032f9e96a249c12f2f6d42678264114 (Notepad.exe - python initiated connection)",
"https://www.sweetheartvideo.com/tsara-brashears/ [Pin.It BotNet a Malicious Pinterest fraud service]",
"https://www.hallrender.com/attorney/brian-sabey"
],
"public": 1,
"adversary": "M. Brian Sabey Hall Render Malicious & Dangerous Threat Actor",
"targeted_countries": [],
"malware_families": [
{
"id": "Maltiverse",
"display_name": "Maltiverse",
"target": null
},
{
"id": "WIN32.PDF.Alien",
"display_name": "WIN32.PDF.Alien",
"target": null
},
{
"id": "Freemake",
"display_name": "Freemake",
"target": null
},
{
"id": "Redirector",
"display_name": "Redirector",
"target": null
},
{
"id": "Zbot",
"display_name": "Zbot",
"target": null
},
{
"id": "WebToolbar",
"display_name": "WebToolbar",
"target": null
},
{
"id": "Behav",
"display_name": "Behav",
"target": null
},
{
"id": "TrojanSpy",
"display_name": "TrojanSpy",
"target": null
},
{
"id": "Beach Research",
"display_name": "Beach Research",
"target": null
},
{
"id": "RMS",
"display_name": "RMS",
"target": null
},
{
"id": "RedLine",
"display_name": "RedLine",
"target": null
},
{
"id": "Tulach",
"display_name": "Tulach",
"target": null
},
{
"id": "WIN32.PDF.ALIEN",
"display_name": "WIN32.PDF.ALIEN",
"target": null
},
{
"id": "ZeuS",
"display_name": "ZeuS",
"target": null
},
{
"id": "SuppoBox",
"display_name": "SuppoBox",
"target": null
},
{
"id": "Trojan:Win32/Wacatac",
"display_name": "Trojan:Win32/Wacatac",
"target": "/malware/Trojan:Win32/Wacatac"
},
{
"id": "ALF:Trojan:Win32/FormBook",
"display_name": "ALF:Trojan:Win32/FormBook",
"target": null
},
{
"id": "Emotet",
"display_name": "Emotet",
"target": null
},
{
"id": "njRAT",
"display_name": "njRAT",
"target": null
},
{
"id": "Trojan:Win32/Tiggre",
"display_name": "Trojan:Win32/Tiggre",
"target": "/malware/Trojan:Win32/Tiggre"
},
{
"id": "Invoke-Mimikatz",
"display_name": "Invoke-Mimikatz",
"target": null
},
{
"id": "China Telecom",
"display_name": "China Telecom",
"target": null
},
{
"id": "Mirai",
"display_name": "Mirai",
"target": null
},
{
"id": "Sonbokli",
"display_name": "Sonbokli",
"target": null
},
{
"id": "Ubot",
"display_name": "Ubot",
"target": null
},
{
"id": "HSBC",
"display_name": "HSBC",
"target": null
},
{
"id": "Uztuby",
"display_name": "Uztuby",
"target": null
},
{
"id": "APNIC",
"display_name": "APNIC",
"target": null
},
{
"id": "Cl0p",
"display_name": "Cl0p",
"target": null
},
{
"id": "Inmortal",
"display_name": "Inmortal",
"target": null
},
{
"id": "Domains",
"display_name": "Domains",
"target": null
},
{
"id": "Vitzo",
"display_name": "Vitzo",
"target": null
},
{
"id": "Babar",
"display_name": "Babar",
"target": null
},
{
"id": "Qbot",
"display_name": "Qbot",
"target": null
},
{
"id": "WannaCry Kill Switch",
"display_name": "WannaCry Kill Switch",
"target": null
}
],
"attack_ids": [
{
"id": "T1027",
"name": "Obfuscated Files or Information",
"display_name": "T1027 - Obfuscated Files or Information"
},
{
"id": "T1140",
"name": "Deobfuscate/Decode Files or Information",
"display_name": "T1140 - Deobfuscate/Decode Files or Information"
},
{
"id": "T1041",
"name": "Exfiltration Over C2 Channel",
"display_name": "T1041 - Exfiltration Over C2 Channel"
},
{
"id": "T1059",
"name": "Command and Scripting Interpreter",
"display_name": "T1059 - Command and Scripting Interpreter"
},
{
"id": "T1071",
"name": "Application Layer Protocol",
"display_name": "T1071 - Application Layer Protocol"
},
{
"id": "T1105",
"name": "Ingress Tool Transfer",
"display_name": "T1105 - Ingress Tool Transfer"
},
{
"id": "T1114",
"name": "Email Collection",
"display_name": "T1114 - Email Collection"
},
{
"id": "T1497",
"name": "Virtualization/Sandbox Evasion",
"display_name": "T1497 - Virtualization/Sandbox Evasion"
},
{
"id": "T1012",
"name": "Query Registry",
"display_name": "T1012 - Query Registry"
},
{
"id": "T1043",
"name": "Commonly Used Port",
"display_name": "T1043 - Commonly Used Port"
},
{
"id": "T1055",
"name": "Process Injection",
"display_name": "T1055 - Process Injection"
},
{
"id": "T1056",
"name": "Input Capture",
"display_name": "T1056 - Input Capture"
},
{
"id": "T1068",
"name": "Exploitation for Privilege Escalation",
"display_name": "T1068 - Exploitation for Privilege Escalation"
},
{
"id": "T1112",
"name": "Modify Registry",
"display_name": "T1112 - Modify Registry"
},
{
"id": "T1176",
"name": "Browser Extensions",
"display_name": "T1176 - Browser Extensions"
},
{
"id": "T1179",
"name": "Hooking",
"display_name": "T1179 - Hooking"
},
{
"id": "T1449",
"name": "Exploit SS7 to Redirect Phone Calls/SMS",
"display_name": "T1449 - Exploit SS7 to Redirect Phone Calls/SMS"
},
{
"id": "T1496",
"name": "Resource Hijacking",
"display_name": "T1496 - Resource Hijacking"
},
{
"id": "T1583",
"name": "Acquire Infrastructure",
"display_name": "T1583 - Acquire Infrastructure"
},
{
"id": "T1100",
"name": "Web Shell",
"display_name": "T1100 - Web Shell"
},
{
"id": "T1560",
"name": "Archive Collected Data",
"display_name": "T1560 - Archive Collected Data"
}
],
"industries": [
"Health"
],
"TLP": "white",
"cloned_from": "657ab025b97f20f31bbfcd70",
"export_count": 522,
"upvotes_count": 0,
"downvotes_count": 0,
"votes_count": 0,
"locked": false,
"pulse_source": "web",
"validator_count": 0,
"comment_count": 0,
"follower_count": 0,
"vote": 0,
"author": {
"username": "OctoSeek",
"id": "243548",
"avatar_url": "/otxapi/users/avatar_image/media/avatars/user_243548/resized/80/avatar_3b9c358f36.png",
"is_subscribed": false,
"is_following": false
},
"indicator_type_counts": {
"domain": 2001,
"hostname": 3531,
"URL": 7519,
"FileHash-MD5": 2851,
"FileHash-SHA1": 1622,
"FileHash-SHA256": 5092,
"CVE": 24,
"email": 9,
"CIDR": 4
},
"indicator_count": 22653,
"is_author": false,
"is_subscribing": null,
"subscriber_count": 226,
"modified_text": "827 days ago ",
"is_modified": true,
"groups": [],
"in_group": false,
"threat_hunter_scannable": true,
"threat_hunter_has_agents": 1,
"related_indicator_type": "URL",
"related_indicator_is_active": 1
},
{
"id": "658ef8c00492cc6bdaa8b605",
"name": "CryptInject \u2022 Inmortal \u2022 Invoke-Mimikatz \u2022 WannaCry Kill Switch | https://safebae.org",
"description": "",
"modified": "2024-01-13T06:01:05.467000",
"created": "2023-12-29T16:50:08.330000",
"tags": [
"ssl certificate",
"whois record",
"contacted",
"historical ssl",
"communicating",
"referrer",
"execution",
"tsara brashears",
"highly targeted",
"njrat",
"ransomware",
"heodo",
"tag count",
"thu aug",
"threat report",
"ip summary",
"url summary",
"summary",
"sample",
"samples",
"detection list",
"malicious url",
"blacklist https",
"united",
"firehol",
"maltiverse",
"cyber threat",
"control server",
"host",
"phishing",
"engineering",
"paypal",
"download",
"malware",
"nanocore rat",
"meterpreter",
"pony",
"facebook",
"stealer",
"redline stealer",
"dnspionage",
"mirai",
"nanocore",
"bradesco",
"emotet",
"cobalt strike",
"bank",
"zeus",
"zbot",
"suppobox",
"generic",
"site",
"cisco umbrella",
"alexa top",
"million",
"reverse dns",
"general full",
"url https",
"resource",
"protocol h2",
"security tls",
"software",
"get h2",
"hash",
"main",
"search live",
"api blog",
"docs pricing",
"december",
"hall render",
"advisory",
"brochure url",
"link url",
"linkedin link",
"facebook link",
"value",
"login",
"variables",
"modernizr",
"lsmeta function",
"lsoldgsqueue",
"de indicators",
"domains",
"hashes",
"copyright",
"gmbh version",
"no data",
"tld count",
"urls",
"count blacklist",
"heur",
"html",
"site top",
"malicious site",
"malware site",
"riskware",
"exploit",
"win64",
"unsafe",
"genkryptik",
"artemis",
"opencandy",
"agent",
"dropper",
"fakealert",
"acint",
"nircmd",
"swrort",
"downldr",
"systweak",
"behav",
"crack",
"tiggre",
"presenoker",
"filetour",
"cleaner",
"conduit",
"wacatac",
"mimikatz",
"redirector",
"deepscan",
"iframe",
"memscan",
"suspicious",
"magazine",
"applicunwnt",
"alexa",
"phish",
"win32.pdf.alien",
"freemake",
"webtoolbar",
"trojanspy",
"label",
"input",
"form",
"button",
"render",
"articles",
"column",
"brian",
"search",
"contact",
"span",
"accept",
"this",
"close",
"district",
"ultimate",
"ip address",
"blacklist",
"covid19",
"phishing chase",
"windows nt",
"khtml",
"gecko",
"veryhigh",
"aes256gcm",
"digicert global",
"g2 tls",
"rsa sha256",
"bypass",
"formbook",
"generic malware",
"cutwail",
"safe site",
"phishing site",
"team",
"tofsee",
"azorult",
"service",
"runescape",
"remcos",
"malicious",
"miner",
"hacktool",
"agenttesla",
"unknown",
"downloader",
"trojan",
"detplock",
"networm",
"cryptinject",
"beach research",
"rms",
"redline",
"brian sabey",
"hallrender.com",
"hallrender.com/attorney/brian-sabey",
"tulach",
"tulach.cc",
"mo.gov",
"safebae.org",
"civicalg.com",
"civicalg",
"passive dns",
"domain",
"registrar",
"scan endpoints",
"all octoseek",
"hostname",
"pulse pulses",
"date",
"next",
"computer",
"company limited",
"first",
"utc submissions",
"submitters",
"gti9158",
"gti9080l",
"gti9128v",
"summary iocs",
"graph community",
"namecheap inc",
"cloudflare",
"com laude",
"ltd dba",
"porkbun llc",
"ii llc",
"csc corporate",
"amazon02",
"google",
"cloudflarenet",
"akamaias",
"innova co",
"indonesia",
"level3",
"china telecom",
"mb setup",
"mb opera",
"mb qimage",
"mb iesettings",
"mb super",
"optimizer",
"premium",
"pattern match",
"file",
"ascii text",
"indicator",
"jpeg image",
"et tor",
"known tor",
"misc attack",
"relayrouter",
"general",
"hybrid",
"local",
"click",
"strings",
"class",
"generator",
"critical",
"error",
"traffic",
"tor known",
"exit",
"node tcp",
"tor relayrouter",
"spammer",
"tor exit",
"threats et",
"node udp",
"adware",
"quasar rat",
"installpack",
"xrat",
"fusioncore",
"union",
"raccoon",
"metastealer",
"xtrat",
"blacklist http",
"url http",
"hijacking",
"information",
"report spam",
"attorney",
"trojanx",
"zpevdo",
"vidar",
"agent tesla",
"nymaim",
"virut",
"occamy",
"iobit",
"sality",
"all search",
"otx octoseek",
"author avatar",
"role title",
"added active",
"related pulses",
"entries",
"indicator role",
"title added",
"active related",
"pulses url",
"pulses",
"ipv4",
"expiration",
"no expiration",
"iocs",
"create new",
"site safe",
"lovgate",
"unruy",
"patcher",
"nsis",
"installcore",
"adload",
"cve201711882",
"sonbokli",
"ubot",
"hsbc",
"uztuby",
"malicious host",
"microsoft",
"psexec",
"brontok",
"startpage",
"keygen",
"fareit",
"secrisk",
"floxif",
"threat roundup",
"c2 raccoon",
"march",
"critical risk",
"apple phone",
"unlocker",
"installer",
"laplasclipper",
"blister",
"june",
"name verdict",
"falcon sandbox",
"malware generic",
"tue dec",
"temp",
"mitre att",
"ck id",
"show technique",
"ck matrix",
"twitter",
"seraph",
"bazaloader",
"media",
"security",
"technology",
"dns replication",
"virustotal",
"win32 exe",
"files",
"detections type",
"name",
"notepad",
"java",
"update checker",
"verisign",
"server",
"asia pacific",
"data",
"whois database",
"registrar abuse",
"apnic whois",
"apnic",
"icann whois",
"nanjing",
"cnnic",
"hackers",
"virus network",
"relacionada",
"cyberstalking",
"excel",
"macros sneaky",
"unauthorized",
"wannacry kill",
"attack",
"core",
"qakbot",
"lumma stealer",
"ransomexx",
"quasar",
"metro",
"copy",
"project",
"cnc server",
"proxy",
"ramnit",
"cl0p",
"inmortal",
"noname057",
"jul jan",
"fri jun",
"tag tag",
"failed_code_integrity_checks",
"python_initiated-connection",
"powershell_create_scheduled",
"creation_of_an_executable_by_an_executable",
"botnetwork",
"c2",
"apple hacking",
"government relations",
"abuse",
"download csv",
"json ip",
"linkid252669",
"adwaresig",
"suspected",
"filerepmalware",
"dapato",
"predator",
"fakeinstaller",
"spyrixkeylogger",
"bitminer",
"loadmoney",
"mediaget",
"softonic",
"encpk",
"qbot",
"kraddare",
"dllinject",
"driverpack",
"genpack",
"offercore",
"vitzo",
"babar",
"http response",
"final url",
"serving ip",
"address",
"status code",
"body length",
"b body",
"sha256",
"headers",
"connection",
"pragma",
"team malware",
"binder",
"pykspa",
"feodo",
"mark",
"bomb",
"whois whois",
"whois parent",
"glupteba",
"setup stub",
"c2ae"
],
"references": [
"https://hallrender.com/attorney/brian-sabey",
"https://hybrid-analysis.com/sample/66a840a853476a7b66a1202d7f21b28e71b94912341dee123345e620f41fda9d/6571d012385f14f31d0191ad",
"https://tracking.crazyegg.com/clock?t=1701949195114&tk=09a1de462eccb2ebc17a566aec5ed8b4&s=331938&p=%2Fattorney%2Fbrian-sabey%2F&u=502212&v=618f8e048086160d46ee09468f987c3211863abb&f=hallrender.com%2Fattorney%2Fbrian-sabey&ul=https%3A%2F%2Fwww.hallrender.com%2Fattorney%2Fbrian-sabey%2F ( tracking tsra Brashears,tracking, clock app)",
"https://www.hallrender.com/attorney/brian-sabey/#breadcrumb",
"192.124.249.53:80",
"hallrender.com (Malware hosting DGA domain, malware hosting, social engineering , fraud services, threat hounds, cyber criminals, dangerous group)",
"https://www.hallrender.com/service/antitrust/ ('t' process - targetsTsara Brashears)",
"https://www.hallrender.com/professional/kathy-l-thurston/ (phishing)",
"https://www.hallrender.com/wp-content/themes/Hall-Render/assets/js/minified/lazy_load-1.9.7-min.js?ver=3.0.1 (malware hosting)",
"https://www.hallrender.com/wp-content/themes/Hall-Render/assets/js/minified/lazy_load-1.9.7-min.js?ver=3.0.1%27 (malware hosting)",
"Other malicious Hall Render assets and attacks. This doesn't include evidence of physical, documented crimes against targets who may not know source)",
"http://auditrage.top/Rossmaansywh/tb.php?wmtvjltu phishing and other cybercrime, serious cyber attacks)",
"114.114.114.114. (auto populated IP descriptions: tulach, brian sabey, apple, law)",
"rp.dudaran2.com [routerlogin.net to safebae.org]",
"vortex-nlb-http2-fed-us-taut-purple.nr-data.net [Apple data, ransomed]",
"https://1.1.1.1/login.html [login access to Brashears' Warp if applicable]",
"https://www.assurant.com/?utm_source=email&utm_medium=email&utm_campaign=Mobile_Transactional_withad&utm_content=Deductible+Charge+Acknowledgement+PD-MB&utm_term=",
"http://xd.x9.client.api.vpngate2.jp/api/?session_id=1773986324675443378",
"https://poemhunter.com/tsara-brashears/",
"https://pin.it/ [Tsara Brashears Lesbian (libel) Botnetwork, libel]",
"http://45.159.189.105/bot/regex ( Laplas clipper, Password stealer. Tracks Tsara Brashears, devices, location, , behavior. Obsessive targeting & social engineering)",
"https://www.virustotal.com/graph/g682ab72ed7b14bc68948e2dbfc22be8f7b2a00a339eb490083e18dc764a618dd",
"government.westlaw.com",
"web2.westlaw.com (Malicious: Only targets Tsara Brashears & safebae.org/cyber stalking now deceased Daisy Coleman deceased, alleged suicide )",
"safebae.org (Skynet) Was now deceased Daisy Coleman a real person or actress in Audrey & Daisy? Tragic",
"west-sca.duckdns.org",
"us-west-2.es.amazonaws.com (pslicorp)",
"hero9780.duckdns.org ( government.westlaw.com/house of mo)",
"https://www.hallrender.com/2018/12/13/nationwide-emailed-bomb-threats-are-new-ransom-technique (target emailed bomb \"t\" threat, reported, dismissed)",
"http://www.hallrender.com/resources/blog (Malware hosting, malvertizing URL/ targets Tsara Brashears)",
"www.hallrender.com (malware hosting)",
"https://www.milehighmedia.com/en/Charlie-Dean/pornstar/49512 (Mile High Media malvertizing relationship = subsidiary)",
"https://www.milehighmedia.com/en/pornstar/milehighmedia/Justin-Hunt/51017",
"www.dead-speak.com",
"www42.jhonisdead.com",
"alohatube.xyz (http://benjamin.xww.de/ porn malvertizing blame shift. Formerly property of Hall Render Brian Sabey)",
"https://alohatube.xyz/search/tsara-brashears (Formerly Botnetwork malvertizing campaign targeting Tsara Brashears crime victim. Now http. Benjamin. xww )",
"https://www.anyxxxtube.net/search-porn/tsara-brashears/ (Heavy malvertizing. Phishing m formerly named a Bot Network. )",
"https://www.pornhub.com/gifs/search?search=tsara+lynn+brashears+lesbian ( tagging, malware campaign, Apple iOS password cracker, libel, straight female)",
"www.pornhub.com (Targets Tsara Brashears. Pornography malvertizing, tagging)",
"poemhunter.com (Blacklisted.Target Tsara Brashears with relentless malvertizing attacks including, device hacking)",
"fakecelebporno.com",
"batchcourtexpressservicesqa.westlaw.com",
"batchpublicrecords.westlaw.com",
"apple-aqo.com (1 DNSPod.net)",
"http://init.ess.apple.com/WebObjects/VCInit.woa/wa/getBag?ix=4 (Apple access hacktool \u2192init.ess.apple.com/Web0)",
"c.oooooooooo.ga (c.apple.com cdn)",
"https://www.anyxxxtube.net/media/favicon/apple",
"init.ess.apple.com ( Code Script \u2022 MortalK)",
"34bc869d2906198362a4346373ce5b94 (bpbd.portal.ov.bd/npfblock/2021-jpg.",
"https://wallpapers-nature.com/tsara-brashears/tse1-mm-bing-net (BitCoin Aussie)",
"000002f1558a89f29984934d511289491032f9e96a249c12f2f6d42678264114 (Notepad.exe - python initiated connection)",
"https://www.sweetheartvideo.com/tsara-brashears/ [Pin.It BotNet a Malicious Pinterest fraud service]",
"https://www.hallrender.com/attorney/brian-sabey"
],
"public": 1,
"adversary": "M. Brian Sabey Hall Render Malicious & Dangerous Threat Actor",
"targeted_countries": [],
"malware_families": [
{
"id": "Maltiverse",
"display_name": "Maltiverse",
"target": null
},
{
"id": "WIN32.PDF.Alien",
"display_name": "WIN32.PDF.Alien",
"target": null
},
{
"id": "Freemake",
"display_name": "Freemake",
"target": null
},
{
"id": "Redirector",
"display_name": "Redirector",
"target": null
},
{
"id": "Zbot",
"display_name": "Zbot",
"target": null
},
{
"id": "WebToolbar",
"display_name": "WebToolbar",
"target": null
},
{
"id": "Behav",
"display_name": "Behav",
"target": null
},
{
"id": "TrojanSpy",
"display_name": "TrojanSpy",
"target": null
},
{
"id": "Beach Research",
"display_name": "Beach Research",
"target": null
},
{
"id": "RMS",
"display_name": "RMS",
"target": null
},
{
"id": "RedLine",
"display_name": "RedLine",
"target": null
},
{
"id": "Tulach",
"display_name": "Tulach",
"target": null
},
{
"id": "WIN32.PDF.ALIEN",
"display_name": "WIN32.PDF.ALIEN",
"target": null
},
{
"id": "ZeuS",
"display_name": "ZeuS",
"target": null
},
{
"id": "SuppoBox",
"display_name": "SuppoBox",
"target": null
},
{
"id": "Trojan:Win32/Wacatac",
"display_name": "Trojan:Win32/Wacatac",
"target": "/malware/Trojan:Win32/Wacatac"
},
{
"id": "ALF:Trojan:Win32/FormBook",
"display_name": "ALF:Trojan:Win32/FormBook",
"target": null
},
{
"id": "Emotet",
"display_name": "Emotet",
"target": null
},
{
"id": "njRAT",
"display_name": "njRAT",
"target": null
},
{
"id": "Trojan:Win32/Tiggre",
"display_name": "Trojan:Win32/Tiggre",
"target": "/malware/Trojan:Win32/Tiggre"
},
{
"id": "Invoke-Mimikatz",
"display_name": "Invoke-Mimikatz",
"target": null
},
{
"id": "China Telecom",
"display_name": "China Telecom",
"target": null
},
{
"id": "Mirai",
"display_name": "Mirai",
"target": null
},
{
"id": "Sonbokli",
"display_name": "Sonbokli",
"target": null
},
{
"id": "Ubot",
"display_name": "Ubot",
"target": null
},
{
"id": "HSBC",
"display_name": "HSBC",
"target": null
},
{
"id": "Uztuby",
"display_name": "Uztuby",
"target": null
},
{
"id": "APNIC",
"display_name": "APNIC",
"target": null
},
{
"id": "Cl0p",
"display_name": "Cl0p",
"target": null
},
{
"id": "Inmortal",
"display_name": "Inmortal",
"target": null
},
{
"id": "Domains",
"display_name": "Domains",
"target": null
},
{
"id": "Vitzo",
"display_name": "Vitzo",
"target": null
},
{
"id": "Babar",
"display_name": "Babar",
"target": null
},
{
"id": "Qbot",
"display_name": "Qbot",
"target": null
},
{
"id": "WannaCry Kill Switch",
"display_name": "WannaCry Kill Switch",
"target": null
}
],
"attack_ids": [
{
"id": "T1027",
"name": "Obfuscated Files or Information",
"display_name": "T1027 - Obfuscated Files or Information"
},
{
"id": "T1140",
"name": "Deobfuscate/Decode Files or Information",
"display_name": "T1140 - Deobfuscate/Decode Files or Information"
},
{
"id": "T1041",
"name": "Exfiltration Over C2 Channel",
"display_name": "T1041 - Exfiltration Over C2 Channel"
},
{
"id": "T1059",
"name": "Command and Scripting Interpreter",
"display_name": "T1059 - Command and Scripting Interpreter"
},
{
"id": "T1071",
"name": "Application Layer Protocol",
"display_name": "T1071 - Application Layer Protocol"
},
{
"id": "T1105",
"name": "Ingress Tool Transfer",
"display_name": "T1105 - Ingress Tool Transfer"
},
{
"id": "T1114",
"name": "Email Collection",
"display_name": "T1114 - Email Collection"
},
{
"id": "T1497",
"name": "Virtualization/Sandbox Evasion",
"display_name": "T1497 - Virtualization/Sandbox Evasion"
},
{
"id": "T1012",
"name": "Query Registry",
"display_name": "T1012 - Query Registry"
},
{
"id": "T1043",
"name": "Commonly Used Port",
"display_name": "T1043 - Commonly Used Port"
},
{
"id": "T1055",
"name": "Process Injection",
"display_name": "T1055 - Process Injection"
},
{
"id": "T1056",
"name": "Input Capture",
"display_name": "T1056 - Input Capture"
},
{
"id": "T1068",
"name": "Exploitation for Privilege Escalation",
"display_name": "T1068 - Exploitation for Privilege Escalation"
},
{
"id": "T1112",
"name": "Modify Registry",
"display_name": "T1112 - Modify Registry"
},
{
"id": "T1176",
"name": "Browser Extensions",
"display_name": "T1176 - Browser Extensions"
},
{
"id": "T1179",
"name": "Hooking",
"display_name": "T1179 - Hooking"
},
{
"id": "T1449",
"name": "Exploit SS7 to Redirect Phone Calls/SMS",
"display_name": "T1449 - Exploit SS7 to Redirect Phone Calls/SMS"
},
{
"id": "T1496",
"name": "Resource Hijacking",
"display_name": "T1496 - Resource Hijacking"
},
{
"id": "T1583",
"name": "Acquire Infrastructure",
"display_name": "T1583 - Acquire Infrastructure"
},
{
"id": "T1100",
"name": "Web Shell",
"display_name": "T1100 - Web Shell"
},
{
"id": "T1560",
"name": "Archive Collected Data",
"display_name": "T1560 - Archive Collected Data"
}
],
"industries": [
"Health"
],
"TLP": "white",
"cloned_from": "658dd341d97d04b0253392d4",
"export_count": 518,
"upvotes_count": 0,
"downvotes_count": 0,
"votes_count": 0,
"locked": false,
"pulse_source": "web",
"validator_count": 0,
"comment_count": 0,
"follower_count": 0,
"vote": 0,
"author": {
"username": "scoreblue",
"id": "254100",
"avatar_url": "/otxapi/users/avatar_image/media/avatars/user_254100/resized/80/avatar_3b9c358f36.png",
"is_subscribed": false,
"is_following": false
},
"indicator_type_counts": {
"domain": 2001,
"hostname": 3531,
"URL": 7519,
"FileHash-MD5": 2851,
"FileHash-SHA1": 1622,
"FileHash-SHA256": 5092,
"CVE": 24,
"email": 9,
"CIDR": 4
},
"indicator_count": 22653,
"is_author": false,
"is_subscribing": null,
"subscriber_count": 234,
"modified_text": "827 days ago ",
"is_modified": true,
"groups": [],
"in_group": false,
"threat_hunter_scannable": true,
"threat_hunter_has_agents": 1,
"related_indicator_type": "URL",
"related_indicator_is_active": 1
}
],
"references": [
"http://siteinlink.d1.cnbd.net/search/tsara-brashears-assaulted-by-jeffrey-reimer",
"Alerts: cmdline_http_link clears_logs registry_credential_store_access infostealer_cookies recon_fingerprint",
"151.101.0.84 US - United States Pinterest Botnet Command and Control Server - 23.62.46.21",
"https://www.sweetheartvideo.com/tsara-brashears/ \u2022 www.sweetheartvideo.com",
"nr-data.net \u2022 applemusic-spotlight.myunidays.com \u2022 init.ess.apple.com \u2022 tv.apple.com",
"ftp.iamrobert.com ? \u2022 https://www.meritshealth.com/templates/iamrobert/fonts/Graphik-Regular.eot",
"www.google.com/images/branding/googlelogo/1x/googlelogo, https://www.google.com/recaptcha/api.js?onload=recaptchaCallback&render=explicit&hl=",
"Dear US Government, the man who assaulted targets name is Jeffrey Scott Reimer of Chester Springs, PA",
"Alerts: ransomware_file_modifications script_created_process antivm_generic_bios antivm_generic_disk enumerates_physical_drives clears_logs registry_credential_store_access infostealer_cookies recon_fingerprint suspicious_command_tools anomalous_deletefile antidebug_guardpages antisandbox_sleep dynamic_function_loading encrypted_ioc reads_self stealth_window cmdline_http_link uses_windows_utilities",
"https://www.vgt.pl/font/roboto/Roboto-Bold.eot \u2022 https://www.vgt.pl/font/roboto/Roboto-Bold.ttf \u2022 https://www.vgt.pl/font/roboto/Roboto-Light.eot",
"https://metro-tmo.com/",
"Server: JFE https://otx.alienvault.com/otxapi/indicators/url/screenshot/http://www.yixun.com/getkey",
"Delphi This program must be run under Win32 Compilers",
"hero9780.duckdns.org ( government.westlaw.com/house of mo)",
"https://www.sweetheartvideo.com/en/model/Mona-Wales/49601 \u2022 https://www.sweetheartvideo.com/en/scene/Truth-Dare--Boobs/130432 No Expiration\t0\t URL https://www.sweetheartvideo.com/it/model/Kristen-Scott/50432 \u2022 https://www.sweetheartvideo.com/model/63710/brandi-love",
"Inject & attack: https://otx.alienvault.com/indicator/file/dd846d74613d6285125886d35abb1bd261a5fc1b6bc0ba6e28e881f73dba23b7",
"3.0.8.6 Carnegie Mellon University [cmu.edu projects]",
"vgt.pl \u2022 www.hak.vgt.pl \u2022 www.localhost.vgt.pl \u2022 www.certyfikat.vgt.pl \u2022 aristocrat.vgt.pl",
"http://connectivitycheck.gstatic.com/generate_204 [RAT]",
"https://www.anyxxxtube.net/search-porn/tsara-brashears/ (Heavy malvertizing. Phishing m formerly named a Bot Network. )",
"remote.haverhillcc.com (remote hacking)",
"Ryuk: kramtechnology.com",
"Alerts: modifies_proxy_wpad multiple_useragents injection_resumethread antivm_vmware_in_instruction",
"https://tulach.cc/socrative/internal.js",
"http://www.crazyfrost.com/wp-content/uploads/2011/01/%D0%BA%D0%BE%D0%BB%D0%BB%D0%B0%D0%B68.jpg\t URL",
"https://amp.mypornvid.fun/videos/8/AhxS-ej1myg/gf-18-com/\ud83c\udf81-i39m-your-present-\ud83c\udf81-girlfriend-surprises-you-for-christmas-reunion-soft-kisses-amp-cuddles",
"Ryuk: https://brain.snappykraken.com/api/v1/events-recorder/clicked?clicked=eyJxdWVyeV9zdHJpbmciOiJkako3SW5WeWJDSTZJbWgwZEhCek9sd3ZYQzkzZDNjdWEybHdiR2x1WjJWeUxtTnZiVnd2WldOdmJtOXRhV010Wm05eVpXTmhjM1J6WEM5cGJuUmxjbVZ6ZEMxeVlYUmxjeUlzSW1oaGMyZ2lPaUpzYmtJMWFUSjJkbmRvU21GQ1RuZ2lMQ0pqYjI1MFlXTjBYMlZ0WVdsc0lqb2liV052ZUVCdGIzSnlhWE56WlhsbGJtZHBibVZsY21sdVp5NWpiMjBpZlE9IiwicmVxdWVzdF9kYXRhIjp7ImRqSjdJblZ5YkNJNkltaDBkSEJ6T2x3dlhDOTNkM2N1YTJsd2JHbHVaMlZ5TG1OdmJWd3ZaV052Ym05dGFXTXRabTl5WldOaGMzUnpYQzlwYm5SbGNtVnpkQzF5",
"https://www.virustotal.com/gui/file/00514527e00ee001d042e5963b7c69f01060c4b4bc5064319c4af853a3d162c5/detection",
"http://www.milehighmedia.com/legal\t \u2022 https://www.milehighmedia.com/en/pornstar/milehighmedia/Justin-Hunt/51017",
"Christopher P. \u2018Buzz\u2019 Ahmann",
"https://tamlegal.com/attorneys/christopher-p-ahmann/#breadcrumb \u2022 https://www.milehighmedia.com/en/movies",
"https://www.searchw3.com/ = google.analytics.com, google.com, google.net, adservice.google.com.uy,https://plus.google.com/",
"http://1.116.132.182/.git/HEAD",
"alohatube.xyz (http://benjamin.xww.de/ porn malvertizing blame shift. Formerly property of Hall Render Brian Sabey)",
"firebaseremoteconfig.googleapis.com (remote hacking)",
"IP Address 94.152.58.192 Location Poland ASN AS29522 h88 s.a. Nameservers ns1.kei.pl. , ns2.kei.pl.",
"http://www.happylifehappywife.com/2010/07/'> \u2022 http://www.happylifehappywife.com/2010/09/'>",
"Alerts: encrypted_ioc http_request powershell_download powershell_request dynamic_function_loading cape_extracted_content",
"https://www-pornocarioca-com.sexogratis.page/videos/bbb/ex",
"Alerts: dropper injection_rwx network_dns_doh_tls network_http",
"http://www.sexpornimages.com/tsara/tsara-lynn-brashears-porn/7x56y.html No Expiration\t41\t URL http://www.sweetheartvideo.com/tsara-brashears No Expiration\t81\t URL http://www.tryporn.net/seach/tsara-brashears/ No Expiration\t41\t URL http://www.tryporno.net/movies/tsara-brashears/ No Expiration\t42\t URL https://alohatube.xyz/search/tsara-brashears No Expiration\t211\t URL https://alohatube.xyz/search/tsara-brashears+ No Expiration\t51\t URL https://browntubeporn.com/tsara-brashearsAccept-Language No Expiratio",
"http://mincom.gov.bd/dead.php",
"https://www.sweetheartvideo.com/en/?s=1?s=1&utm_source=272160&utm_medium=affiliate&utm_campaign=lovelezzies",
"rmhumanservices.org",
"www.metrobyt-mobile.com (So very hacked. Should be shut down. No corporate headquarters. Malicious practices by many independent owners)",
"https://otx.alienvault.com/indicator/file/da06b3d7e20045b6edad50f28ce8bac1",
"https://www.sweetheartvideo.com/scenes?models=63710",
"https://www.virustotal.com/gui/file/2ab9e32cd78f2b538c36f145b790f78f1262bcfcf1a5d6d019e7a2a151a24424/summary",
"https://otx.alienvault.com/otxapi/indicators/file/screenshot/e590f6ad5d0a831e297ed14c29af8467085d33bb26216501b621fbe8e8eca23b",
"http://watchhers.net/index.php (espionage entity /palantir relationship - seen before with palantir and Pegasus sometimes simultaneously )",
"newrelic.se",
"vtbehaviour.commondatastorage.googleapis.com",
"Roksit.net",
"162.159.208.8",
"Antivirus Detections: Win.Virus.Pioneer-9111434-0 , Virus:Win32/Floxif.H",
"CVE-2017-0147 \u2022 CVE-2023-4966 \u2022 CVE-2023-22518",
"https://www.hallrender.com/wp-content/themes/Hall-Render/assets/js/minified/lazy_load-1.9.7-min.js?ver=3.0.1 (malware hosting)",
"http://mypornvid.com/videos/27/x510fb2/white-dpt-jeffrey-reimer-loves-pretty-indian-patient-forces-sex-3gp-video-tsara-brashears/caillou-finger-family",
"acc.lehigtapp.com - APT10_Malware_Sample_Gen acc.lehigtapp.com FILE",
"https://es.pornhat.com/models/the-sex-creator/",
"name-playatoms-pa.googleapis.com [ nr-data Apple tv tracking]",
"192.124.249.187",
"http://onlyindianporn2.com/videos/tsara-brashears/",
"http://www.gdsl-pallemoebler.info/seach/tsara-brashears/",
"www.google.com/images/branding/googlelogo/2x/googlelogo, www.google.com/images/errors/robot.png, www.google.com, www.google.com/",
"http://www.dvrdns.net/BlackBox/IROAD/IROAD_T8S2/",
"https://www.virustotal.com/gui/url/b766d444d21c2ad2d777ae4a5ef7b7b7b97f2097805732e9651834e0a76be1f4/details",
"Ryuk: http://kramtechnology.com/",
"DotNET_Reactor: System.Security.Cryptography ICryptoTransform",
"No, they put Tsara in her mom\u2019s obituary, she couldn\u2019t grieve, she had to take it down.",
"http://benjamin.xww.de/",
"https://www.vgt.pl/font/roboto/Roboto-Regular.ttf \u2022 https://www.vgt.pl/font/roboto/Roboto-Thin.eot",
"https://www.vgt.pl/font/roboto/Roboto-Bold.eot \u2022",
"https://media.defense.gov/2022/Mar/17/2002958406/-1/-1/1/SUMMARY-OF-THE-JOINT-ALL-DOMAIN-COMMAND-AND-CONTROL-STRATEGY.pdf",
"https://media.defense.gov/2024/sep/18/2003547016/-1/-1/0/csa-prc-linked-actors-botnet.pdf",
"ns1.google.com, nussbaumlaw-ca.webpkgcache.com, plus.google.com, tddctx-com.webpkgcache.com,",
"http://www.dvrdns.net/BlackBox/google/googleMapKey.txt",
"http://init.ess.apple.com/WebObjects/VCInit.woa/wa/getBag?ix=4 (Apple access hacktool \u2192init.ess.apple.com/Web0)",
"https://www.pornhub.com/gifs/search?search=tsara+lynn+brashears+lesbian ( tagging, malware campaign, Apple iOS password cracker, libel, straight female)",
"https://hhahiag.r.af.d.sendibt2.com/tr/cl/k5n4lETrM7BShW8xAUoWzvHtXjUA9oY0eN0p94b4t6YmDCrHhUgR0CnWSrSU4oUFIIWHm33C5ltugoVezhyEVu8aXyY_lcNjanZPDFg-LOsishNuFrY6IJn0V0mjTudzlxtGsp9Cf04n9fUhwGutzxcgUbjXHhhy9RZdcxw9Z89-_v9NL4wQvbEhDhAlekBXUxvWjkXG_WyC8myfJAYzXL_43Cok-YEiyDHA7JvRwSX9aWdWtcE5N-kL3K-VM_-tvhSJcLt-mXjsbAN6DYkoz2r7j11242EYDQHdzTiC1Or0k6_Ptz-GvAw4cZyo3978asi27ijV89a5ngu_Ene6XOjg_UMpexvj9Zrihu4i9EPTSC-5-7qKwlTLKNHiwI6DvmurR5IoMJVMPa-xIDMUN2LCMTwUHMvfo0q2a0btH2Fx2A",
"https://www.hallrender.com/attorney/brian-sabey/#breadcrumb",
"https://otx.alienvault.com/indicator/file/0000294999c616c2dc6722880830752e826f2c11719c926ef3e62f7b0ef1e0bd",
"Excess porn -http://barbaramarx.com/__media__/js/netsoltrademark.php?d=www.pornxxxgals.info/feet-licking-porn/",
"Brian Sabey",
"batchpublicrecords.westlaw.com",
"https://pornokind.vgt.pl \u2022 https://cdn2.video.itsyourporn.com",
"http://alohatube.xyz/search/tsara-brashears/ [BotNet]",
"vortex-nlb-http2-fed-us-taut-purple.nr-data.net [Apple data, ransomed]",
"https://members.engine.com/login \u2022 https://members.engine.com/payment-details/220210",
"https://www.sweetheartvideo.com/tsara-brashears/",
"https://www.vgt.pl/font/roboto/Roboto-Light.ttf \u2022",
"http://www.sexpornimages.com/tsara/tsara-lynn-brashears-porn/7x56y.html",
"http://clipper.guru/bot/online?guid=PC\\Administrator&key=ace492e9661223449782fcc8096dc6ef6289032d08d03a7b0a92179622c35bdb",
"http://auditrage.top/Rossmaansywh/tb.php?wmtvjltu phishing and other cybercrime, serious cyber attacks)",
"Yara Detections: DotNET_Reactor",
"ddos.dnsnb8.net [command_and_control]",
"https://www.sweetheartvideo.com/tsara-brashears",
"https://alohatube.xyz/search/tsara-brashears",
"www.localhost.vgt.pl \u2022 www.certyfikat.vgt.pl \u2022 https://www.vgt.pl/94.152.152.233/images/logo.png",
"https://www.milehighmedia.com/en/movies \u2022 https://www.milehighmedia.com/join",
"https://www.sweetheartvideo.com/tsara-brashear",
"http://clipper.guru/bot/online?guid=WALKER-PC (remote hacking)",
"https://itunes.apple.com/app/apple-store/id284815942/us/app/samsung-galaxy-watch-gear-s/id1117310635 [apple media compromise. Pega behavior?]",
"https://www.vgt.pl/style/style.css \u2022 https://www.vgt.pl/font/roboto/Roboto-Medium.eot",
"http://45.159.189.105/bot/regex (Bot Command)",
"https://www.anyxxxtube.net/search-porn/a-m-c-ate-xxx-videos/",
"http://matfyz.cz/ | phishing",
"http://www.dvrdns.net/BlackBox/IROAD/IROAD_X9/version.txt",
"IDS: Win32/Nivdort Checkin Win32.Sality.bh Checkin 2 Andromeda Checkin Hostname",
"http://www.shopsleuth.com/goal-academy/the-citadel/colorado-springs-co",
"https://www.milehighmedia.com/en/Charlie-Dean/pornstar/49512 (Mile High Media malvertizing relationship = subsidiary)",
"http://ur.now.afraid.org/update/bft.exe (Joshua Anderson Address 4120 Douglas Blvd #306-199 City\tGranite Bay Country US ?)",
"1.116.217.151 [Cobalt Strike]",
"poemhunter.com",
"Target left unattended by anyone in a hospital except a security guard. Hospital refused care. Ignored rare brain incident from high cervical & brain assault injuries aggravated by car accident.",
"http://discover.hubpages.com/literature/Most-Beautiful-Quotes-on-Love-and-Heartbreak [RAT| Tagging target in adult content fraud sites]",
"http://www.dvrdns.net/BlackBox/LVR_SD310HWG/SD310H/Player(3.7.2.0).exe.txt",
"https://twitter.com/PORNO_SEXYBABES",
"Antivirus Detections: Win32:Renos-KY\\ [Trj] , Win.Worm.Pykspa-6057105-0 , Worm:Win32/Pykspa.C IDS Detections Win32/Pykspa.C Public IP Check IP Check Domain (whatismyip in HTTP Host) IP Check Domain (showmyipaddress .com in HTTP Host) IP Check Domain (whatismyipaddress .com in HTTP Host) 403 Forbidden Yara Detections None Alerts network_icmp disables_security antiav_servicestop antisandbox_sleep persistence_autorun modify_uac_prompt antivm_vmware_in_instruction network_http recon_checkip creates_exe create",
"https://media.defense.gov/2020/jun/09/2002313081/-1/-1/0/csi-detect-and-prevent-web-shell-malware-20200422.pdf",
"http://103.246.145.111/gateonl.php?hwid=WALKER-PC-WALKER&cpuname=Intel (remote hacking/potentially maliciousRedTeam)",
"103.224.182.246 [command_and_control]",
"https://www.milehighmedia.com/legal/2257 (exploit source | revenge porn)",
"$RTD4NQU.exe - Yara rule: INDICATOR TOOL UAC NSISUAC",
"DetectItEasy PE32 Installer: Inno Setup Module (6.0.0) [unicode] Compiler: Embarcadero Delphi (10.3 Rio) [Professional] Linker: Turbo Linker (2.25*,Delphi) [GUI32,signed] Overlay: Inno Setup Installer data",
"wTools",
"[w and w.o https] applemusic-spotlight.myunidays.com [Multilingual Portable.exe Apple music compromise]",
"http://park.above.com/jr.php?gz=DjDNgvDQ0WlpBALxevxSvkF3jBH95b5riUvmgFjb1tbPDV06suYFlRcPA34ufLE5UZ8spiM7ya7tRXR8nLUgk920DSaIXniiR5hkoveznG%20mez7OU5R%20HKIczV475LuRwxm3J1pcRSpQcePtF/4aD%20frLO%205mYc0Maj8Z1IwBeAMESc9Gk3BzCkGUHNVeCAZ9vZrQhEeVvN%20QVBAu1boZNJTnvCAP0lB5ebMSP92bFHD/ItyL53LoVDSYWMd64KTNMMJaXE0kZVqQn/%20STriQbrA6cmW3Xj4sAJ3XXEbNNJzTbIvgsy00PlKWInEUK/iXzVecaBsXg3vkUcvkeM3HPPIajaBexXO7ATYz/qTeKAksI9l2IoDAsn0S9BYCTuP8uTYdgJAv0LO%20MkNBOrSqJnFQzTlNxG4NRSP6K4VDWklVPpCwQc/s/AfrwIdLcdrV6CQDLaluG1naOjXDc",
"https://www.sweetheartvideo.com/en/dvds \u2022 https://www.sweetheartvideo.com/en/login",
"www.pornhub.com (Targets Tsara Brashears. Pornography malvertizing, tagging)",
"https://www.pornhub.com/gifs/search?search=tsara+lynn+brashears+lesbian [ iOS unlocker & password decryption]",
"http://nhrc.portal.gov.bd/sites/default/files/files/nhrc.portal.gov.bd/page/348ec5eb_22f8_4754_bb62_6a0d15ba1513/Study-Report-on-Sexual-Offences_Final.pdf",
"Ransom: message.htm.com",
"http://ww1.tsx.org/_fd",
"https://www.mlkfoundation.net/ (Foundry DGA)",
"https://www.anyxxxtube.net/search-porn/tsara-brashears/",
"https://jt667.keap-link003.com/v2/click/063b9634a5ebbdf34f43cbbbca6019ca/eJyNkEEPwUAQhf_LnEularE3EZGmOAhn2bRTlu2abIdEpP_dEHEicZ335nvz5g6M3njOStBwZKWGEEHAwpJFz9OzZ1O8xH6Spr1BBM760zycLwT6_m33oz-n6ThNBioCvhGKZ7OeTPNsNd8tslUuXjJBQv4BDVUyUqMPaLacZAto259krC3PrgJvQHO44LNTaaUXb4MT_4GZGh3HJzTUJbPH-BUbY22s61DACuW0AjuFMDB0D1w7wRoi9OX7KzneQFfGNdg-ANNtagU",
"https://www.sweetheartvideo.com/tsara-brashearsAccept-Language:",
"Alerts : nids_malware_alert network_icmp network_irc persistence_autorun network_http",
"https://www.feestzalenvanvlaanderen.be/seach/tsara-brashears/",
"socialmedia \u2022 socialmedia.defense.gov \u2022 static.defense.gov",
"fakecelebporno.com",
"chinaeast2.admin.api.powerautomate.cn",
"103.224.182.253 [command_and_control]",
"Alerts: dead_host network_icmp nolookup_communication persistence_autorun installs_bho modifies_certificates",
"tulach.cc",
"https://rto.bappam.eu/ai-n2cdl/mirai-2025-ven5k-telugu-movie-watch-online.html",
"http://www.Apple.com/quicktime/download",
"Active - apple-dns.net \u2022 nr-data.net \u2022 tunes.apple.com \u2022 emails.redvue.com \u2022",
"http://watchhers.net/index.php \u2022 foundry2sdbl.dvr.dn2.n-helix.com",
"www.studentaffairs.cmu.edu",
"www.supernetforme.com [command_and_control]",
"http://www.happylifehappywife.com/2011/08/'> \u2022 http://www.happylifehappywife.com/2012/07/'>",
"https://www.colorfulbox.jp/",
"helloprismatic.com",
"https://www.vgt.pl/94.152.152.233/images/logo.png",
"Alerts: ransomware_file_modifications script_created_process antivm_generic_bios antivm_generic_disk antidebug_guardpages antisandbox_sleep dynamic_function_loading encrypted_ioc reads_self stealth_window cmdline_http_link uses_windows_utilities",
"Tracking: mailtrack.io \u2022 nr-data.net \u2022 tracking.bullseyeedu.com \u2022 https://smtp.mail.pentrack.com \u2022 tracking.vetsindexes.com",
"http://www.dvrdns.net/BlackBox/AOKI/AMEXA07/AMEX-A07%20PCViewer(3.9.8.1).exe",
"https://alohatube.xyz/search/sex-mom-dog-animal",
"Malicious Score: 10",
"http://freedns.afraid.org/subdomain/edit.php?data_id=21091713",
"3.163.189.120 [Tracking]",
"(unsupported_iexplore exploit/redirect) https://www.pinterest.com/pin/mood--35536284546940000/ (Dark Web Trace)",
"http://go.microsoft.com/fwlink/?LinkID=252669&clcid=0x409",
"http://www.dead-speak.com/ElectronicVoicePhenomena_EVP.htm",
"http://siteinlink.d1.cnbd.net/search/tsara-brashears-dead/",
"https://www.reddit.com/user/",
"CnC IP's: 104.124.58.137 \u2022 45.159.189.105 | Exploit source: 1.179.151.145 | scanning host: 208.115.103.34",
"http://www.dvrdns.net/BlackBox/IROAD/IROAD_T8S2/IROAD%20Viewer(4.1.6.1).exe",
"webdisk.thehomemakers.nl",
"remote.telegrafix.com (remote hacking)",
"https://urldefense.us/v2/url?u=http-3A__support.apple.com_kb_HT2693&d=DwMGaQ&c=mcnPvAfk3Xtjyky7sc3uA24Vk9hJzQ1fEHisENJPWek&r=PjGDHIUs1kNE6nRUZrOEsufSDp8LBQ-SwHI1wE1Z0Qo&m=zBlvHUR-UT1fW5-53xrUtd5Uj5DBn30a-XGaqZ1lyWh4YCJi5SWOvg3tVORPEuat&s=OJ-NfystLux9f25c44kAAuBLCoTAo6gQJ7EMKHRlrCk&e=&data=05",
"Yara Detections: stack_string , KERNEL32_DLL_xor_exe_key_197 , xor_0xc5_This_program",
"https://myhotzpic.com/tsara-brashears-hardcore-lesbian-sex/anime-studio.org*thumbs-fa...",
"http://cabinet.gov.bd/dead.php",
"https://polling.portal.gov.bd/js/npc.script.js",
"https://www.milehighmedia.com/en/pornstar/milehighmedia/Justin-Hunt/51017",
"128.2.42.10 'CMU' Carnegie Mellon University Server",
"https://www.rmhumanservices.org/wp-content/themes/unicon/framework/js/isotope.pkgd.min.js malware hosting",
"www.jamesbgriffinlaw.com (malicious host)",
"https://webcams.itsyourporn.com/ \u2022 https://members.itsyourporn.com/",
"https://plussizedesi.com/wp-content/uploads/2022/07/SniperGhostWarrior2BlackBox_Version_Download_INSTALL.pdf",
"wallpapers-nature.com",
"http://www.happylifehappywife.com/2013/03/'> \u2022 http://www.happylifehappywife.com/index.php",
"https://www.vgt.pl/favicon.ico",
"https://firebaseremoteconfig.googleapis.com/v1/projects/16163253122/namespaces/firebase:fetch (remote hacking)",
"http://iyfsearch.com/&ap=67&be=203&fe=198&dc=198&perf= [phishing]",
"http://www.proxydocker.com/ja/proxy/43.229.135.125:8080",
"45.159.189.105 (Command and Control)",
"https://www.apple.com/sitemap/",
"South Africa based: remote.advisoroffice.com",
"https://otx.alienvault.com/indicator/ip/142.250.69.206",
"http://45.159.189.105/bot/online?guid=WALKER-PC&key=b73f03cae5752ff4c823f89de539b59754bc4e65d43970358b17bcf21fb6c4e5 (remote hacking)",
"http://www.casos.cs.cmu.edu/projects/ora/software/3.0.8.6/ORA-NetScenes-gpt-iw-64.exe [cmu.edu projects]",
"https://otx.alienvault.com/indicator/hostname/ww.google.com.uy",
"rp.downloadastrocdn.com [command_and_control]",
"Remote threats: http://watchhers.net/index.php \u2022 http://eye.infunvip.com/appinterface/other/login.remote",
"https://twitter.com/PORNO_SEXYBABES \u2022 girlsdoporn.com",
"Remarks online \u2018 T\u2019*#^^ is not a runner\u2019 a size 00 broke two track records at a major universities.",
"ns3.hallgrandsale.ru",
"https://www.hybrid-analysis.com/sample/79cab9c299164fb9a6d8f009adc2529ee79feeb0b4ad383eedee0c36bbe041ec/665b7ebee6b33f252d0e64ec",
"Botnet Server IP: 141.226.230.48",
"https://www.hallrender.com/service/antitrust/ ('t' process - targetsTsara Brashears)",
"Data Analytics",
"8-25-220-162-static.reverse.queryfoundry.net\t\t\tNov 1, 2025, 9:34:14 AM\t\t5\t domain\tqueryfoundry.net\t\t\tNov 1, 2025, 9:34:14 AM\t\t8\t URL\thttp://117-114-251-162-static.reverse.queryfoundry.net/",
"There\u2019s a problem with terrorizing victims, relatives of, associates of and stealing their property intellectual or otherwise",
"http://advocate-smyslova.ru/tsara-brashears/",
"3-4 Police presence. 25 + hospital employees prepped radiology room. No one left room so was it for her?",
"https://www.assurant.com/?utm_source=email&utm_medium=email&utm_campaign=Mobile_Transactional_withad&utm_content=Deductible+Charge+",
"https://rmy1o3xp-d182-v9.klinika-rekonstruktivnoj-kosmetologii-na-ulitse-lenina.ru/ [phishing \u2022 mitre S0154]",
"http://www.bukaporn.net/trend/tsara-brashears/",
"192.124.249.53:80",
"IDS Terse HTTP 1.0 Request Possible Nivdort Probable OneLouder downloader (Zeus P2P)",
"https://www.xvxx.me/search/tsara-brashears/",
"acc.lehigtapp.com - malware",
"https://www.anyxxxtube.net/search-porn/tsara-brashears/ [ phishing \u2022 apple collection]",
"http://www.milehighmedia.com/?ats=eyJhIjoyOTYzMTgsImMiOjU3OTYzNzc1LCJuIjo3NiwicyI6NT...",
"http://m.xiang5.com/keyword/17655.html&ht=%E9%98%BF%E6%BD%BC%E5%B0%8F%E8%AF%B4%E5%9C%A8%E7%BA%BF%E9%98%85%E8%AF%BB%E5%85%8D%E8%B4%B9%E9%98%85%E8%AF%BB_%E9%98%BF%E6%BD%BC%E5%B0%8F%E8%AF%B4%E5%9C%A8%E7%BA%BF%E9%98%85%E8%AF%BB%E5%85%A8%E6%9C%AC%E6%97%A0%E5%BC%B9%E7%AA%97-%E9%A6%99%E7%BD%91%E5%B0%8F%E8%AF%B4%E6%89%8B%E6%9C%BA%E7%89%88&uaddr=https:/www.sogou.com/link?url=58p16RfDRLtDzo-0AEmfJoGs8rDRUEq4ejjohgXqBYnQGuHk6xSRXg..&h=1080&w=1920&cd=24&lg=zh-CN&ua=mozilla/5.0%20(windows%20nt%2010.0;%20win64;%20x64)%20",
"http://www.happylifehappywife.com/2010/04/'> \u2022 http://www.happylifehappywife.com/2010/05/'>",
"http://www.hallrender.com/resources/blog/",
"IP\u2019s Contacted: 192.124.249.187",
"Research",
"High Priority Alerts: spawns_dev_util modify_proxy infostealer_cookies",
"browser.events.data.msn.com | events-sandbox.data.msn.com",
"c.oooooooooo.ga (c.apple.com cdn)",
"http://www.dvd-game-new-releases.info/skin/tsara-brashears-dead.akp",
"https://mom2fuck.mobi/tsara-brashears.html",
"west-sca.duckdns.org",
"hmmm\u2026http://palander.stjernstrom.se/",
"www.hallrender.com (malware hosting)",
"https://www.milehighmedia.com/join \u2022 https://www.milehighmedia.com/models \u2022 https://www.milehighmedia.com/movies",
"https://support.Apple.com/de",
"http://www.hak.vgt.pl \u2022 http://pornokind.vgt.pl \u2022 http://sip.vgt.pl \u2022 http://smtp-qa.vgt.pl \u2022 http://vgt.pl/*.",
"Alerts : nids_alert allocates_rwx creates_exe packer_entropy antivm_memory_available",
"us-west-2.es.amazonaws.com (pslicorp)",
"https://brandyallen.com/2022/11/23/sexy",
"https://www.vgt.pl/style/style.css \u2022 https://www.vgt.pl/static/js/bootstrap-typeahead.js",
"https://www.vgt.pl/ phishing \u2022 https://vgt.pl/ \u2022www.vgt.pl \u2022 https://www.vgt.pl/94.152.152.233/images/logo.png",
"https://gujarati.ent24x7.com | https://otx.alienvault.com/indicator/url/https://gujarati.ent24x7.com",
"Target agreed and complied with all lie detector measures.",
"https://otx.alienvault.com/indicator/file/01accdb2c75f7b75e5f9744461fe927e6e1378e3bc1f943d02b0aa441bf65317",
"https://www.sweetheartvideo.com/tsara-brashears/ [Pin.It BotNet a Malicious Pinterest fraud service]",
"http://www.yixun.com/getkey {\"privateKey\": \"JMVRar4COFWb3eKZ\"}",
"https://wallpapers-nature.com/tsara-brashears/urlscan-io",
"Alerts: dead_host network_icmp nolookup_communication persistence_autorun installs_bho",
"Pony: https://allspice.ordavida.com/api/mailings/opened/PMRGSZBCHIYTMNZQGYWCE33SM4RDUIRZGQZDONDBGIZC2MBXMM2S2NBYMM2S2YTEHE3C2MJZGI4DSOBYHAYTGNRZEIWCE5TFOJZWS33OEI5CENBCFQRHG2LHEI5CEYSPONYXS4RRGFBUIY3DKRIHSSRRK44WSY3FNM4ESVTJKZMHOWRTJBLXIYLIHFRWS3DUKU6SE7I=.gif",
"https://www.sweetheartvideo.com/tsara-brashearsAccept-Language",
"https://meumundogay-com.sexogratis.page/locker",
"www.palantir.com \u2022 palantir.io \u2022 http://datafoundry.com/",
"caltech.edu | Carnegie Mellon University",
"ssa-gov.authorizeddns",
"web2.westlaw.com (Malicious: Only targets Tsara Brashears & safebae.org/cyber stalking now deceased Daisy Coleman deceased, alleged suicide )",
"Ransomware: message.htm.com | nr-data.net [Apple Private Data Collection]",
"all-live.secure2storeapple.xxianzi.com \u2022 https://www.symbios.pk/apple-ipod-5-32gb",
"https://pin.it/ [Tsara Brashears Lesbian (libel) Botnetwork, libel]",
"Alerts: anomalous_deletefile antidebug_guardpages antisandbox_sleep dynamic_function_loading encrypted_ioc reads_self",
"alohatube.xyz [keylogger aimed at Tsara Brashears]",
"https://otx.alienvault.com/indicator/hostname/ww25.historykillerpro.com",
"remotewd.com x 34 devices",
"Target \u2192 https://www.pinterest.com/pinkbuffalorun/ (EMOTET) Full control taken. True Board owner (a legitimate business) was likely very unaware Pinterest activities all flowed through the Dark Web. (Research shows over 5000 followers | 1 million visits per mo | more than 1 million pins re-pinned)",
"https://tracking.crazyegg.com/clock?t=1701949195114&tk=09a1de462eccb2ebc17a566aec5ed8b4&s=331938&p=%2Fattorney%2Fbrian-sabey%2F&u=502212&v=618f8e048086160d46ee09468f987c3211863abb&f=hallrender.com%2Fattorney%2Fbrian-sabey&ul=https%3A%2F%2Fwww.hallrender.com%2Fattorney%2Fbrian-sabey%2F ( tracking tsra Brashears,tracking, clock app)",
"Alerts: infostealer_browser creates_exe suspicious_process modifies_certificates stealth_window exe_appdata",
"1.organization.api.powerplatform.partner.microsoftonline.cn",
"https://otx.alienvault.com/indicator/domain/mywebsitetransfer.com [really?]",
"http://vtwctr.org/explore/tsara-brashears-defeats-jeffrey-reimer/ phishing",
"http://ax.itunes.apple.com/WebObjects/MZStoreServices.woa/ws/RSS/toppaidapplications/limit=10/xml",
"Is the family allowed to have a funeral for Tsara or print an obituary",
"edgedl.me.gvt1.com",
"https://1.1.1.1/login.html [login access to Brashears' Warp if applicable]",
"http://www.happylifehappywife.com/wp-content/themes/theme78222/images/top-right.jpg",
"Alerts: ransomware_file_modifications script_created_process antivm_generic_bios antivm_generic_disk uses_windows_utilities",
"https://we4.ondemand.esker.com/ondemand/webaccess/logon.aspx?status=CookieNotFound",
"https://www.virustotal.com/gui/url/6a627ce5fd6be7b3c0b5637e6b1facfa92c279d25ff9b1f50fe131c91591d804/summary",
"http://help.cangene.com/tmp/javascript/tiny_mce/plugins/imagepaste/applet/cp.jar",
"https://www.hallrender.com/attorney/brian-sabey/Accept",
"Alerts: clears_logs registry_credential_store_access infostealer_cookies recon_fingerprint suspicious_command_tools anomalous_deletefile antidebug_guardpages antisandbox_sleep dynamic_function_loading encrypted_ioc reads_self stealth_window cmdline_http_link uses_windows_utilities",
"Jays Youtube Bot.exe | **http://ur.now.afraid.org/update/bft.exe | https://avsono.com/networkmanager/ | http://fatah.afraid.org/files/books/Embedded.Linux.Programming.pdf",
"hello-world-mute-unit-3072.a-rahimi-farahani.workers.dev",
"https://wallpapers-nature.com/tsara-brashears/tse1-mm-bing-net",
"https://www.dirtsearch.org/data/TSARA/BRASHEARS/",
"hallrender.com (Malware hosting DGA domain, malware hosting, social engineering , fraud services, threat hounds, cyber criminals, dangerous group)",
"Honestly, you\u2019ve never seen or met her no many how many people you\u2019ve sent out. That\u2019s why you quiz.",
"https://www.virustotal.com/graph/g682ab72ed7b14bc68948e2dbfc22be8f7b2a00a339eb490083e18dc764a618dd",
"https://ispy-official.com/ X Cache: Redirect from cloudfront Via: 1.1 030fe0607711293dda988e571617a9f2.cloudfront.net CloudFront X Amz Cf",
"http://45.159.189.105/bot/regex ( Laplas clipper, Password stealer. Tracks Tsara Brashears, devices, location, , behavior. Obsessive targeting & social engineering)",
"https://www.vgt.pl/static/js/bootstrap-typeahead.js.179.252.2",
"https://browntubeporn.com/tsara-brashearsAccept-Language",
"www.dead-speak.com",
"https://pics-storage-1.pornhat.com/contents/albums/main/1920x1080/135000/135855/9537375.jp",
"https://www.milehighmedia.com/en/photo/milehighmedia/The-Mother-I-Cant-Resist/52380",
"http://email.birdeye.org/c/eJxkUcFuozAU_JrHsTLPYODAIYQmSqXNqmm3q-4FGfNIrAUbGTtV-_UrklRatT5ZnvGbeTNVmLWhed6HsSVXxiLNsyLniUhFyoqolp6eyPgSE4Ysjw407boSMerKWKV90kdUxhnLuMiyhEenUiZ9LjAuij6PMWdMSpnFJPKkLVQrUhHpEtl1GEuSgvG7DIss6XsZCy7jooghYa12Hb3TnXXHaChP3k8z8BXgBnDziSk7Am4mp5U2xwXim-DHZrbBKQJeT852QfmGRqkHQLGAI3U6jMDr_x-VNZ6MB15vf1SAotUd8PpLEJ9cOU5SHw3w2ppBG2omRzMZRc1CaY0cF-21NTO5s_TaGsDqidxZK5oBq62zYQKsdkYBimmQipqL3vq0e9i3-VoOf-J09_dgq-m-enupQnUEFNp0YfbuHXgNKD70dL04Omt6a5QNF_-H-5fd_e9m_fPX_hlQyPOxuTGc9EtKvF69bJvD6",
"https://www.milehighmedia.com/model/59136/avi-love \u2022https://www.milehighmedia.com/model/60418/Justin-Hunt \u2022",
"IDS Detections: Win32.Floxif.A Checkin 403 Forbidden | |",
"http://alohatube.xyz/search/tsara-brashears No Expiration\t278\t URL http://alohatube.xyz/search/tsara-brashears/ No Expiration\t62\t URL http://amp.mypornvid.fun/videos/2/SLFGMWoQaCU/white-dpt-jeffrey-reimer-loves-pretty-indian-patient-forces-sex-3gp-video-tsara-brashears No Expiration\t49\t URL http://anybunny.tv/search/tsara-brashears-submission-on-august-27-via-manual.html&us No Expiration\t27\t URL http://browntubeporn.com/tsara-brashears.html No Expiration\t40\t URL http://flexporn.net/tsara-brashears.html",
"www42.jhonisdead.com",
"Delphi Likely Precursor to Scan PING Delphi-Piette Windows Yara Detections Delphi",
"http://alohatube.xyz/search/tsara-brashears/",
"https://www.facebooksunglassshop.com/",
"https://otx.alienvault.com/pulse/65a57ec1d13648277c52328a",
"https://alohatube.xyz/search/tsara-brashears+(Formerly+Botnetwork+malvertizing+campaign+targeting+Tsara+Brashears+crime+victim.+Now+",
"Alerts: stealth_hidden_extension stealth_hiddenreg antidebug_guardpages dead_connect",
"Targeting Candace Owens",
"Targeting Tsara Brasheras and associated",
"https://www.myminiweb.com/",
"Alerts: stealth_windowcreates_exe suspicious_process exe_appdata",
"http://www.pinterest.com/ideas/songwriting/945635263947/",
"Matches rule DotNet_Reactor from ruleset DotNet_Reactor by @bartblaze",
"1.2016 M.Brian Sabey filed a complaint about? Jeffrey Reimer refused Lie detector test and False memory exam",
"https://www.searchw3.com/",
"Alerts: enumerates_physical_drives clears_logs registry_credential_store_access infostealer_cookies recon_fingerprint suspicious_command_tools anomalous_deletefile",
"nr-data.net [New Relic Tracking | Apple Private Data Collection]",
"Other malicious Hall Render assets and attacks. This doesn't include evidence of physical, documented crimes against targets who may not know source)",
"https://polling.portal.gov.bd/js/npop.script.js",
"https://www.vgt.pl/font/roboto/Roboto-Bold.ttf \u2022 https://www.vgt.pl/font/roboto/Roboto-Light.eot",
"https://tulach.cc/ [phishing attacks]",
"http://www.dvrdns.net/BlackBox/LVR_SD310HWG/SD310H%2520Player",
"Red Team Abuse? Starfield ? DoD? You need a real criminal Jeffrey Reimer.",
"https://cisomag.com/mysterious-malware-infects-over-45000-android-phones/amp/",
"Yara Detections stack_string , Armadillov1xxv2xx",
"ZBot: https://brain.snappykraken.com/api/v1/events-recorder/clicked?clicked=eyJxdWVyeV9zdHJpbmciOiJkako3SW5WeWJDSTZJbWgwZEhCek9sd3ZYQzl0WlhSaGJtOXBZV1pwYm1GdVkybGhiQzVqYjIxY0x6OTFkRzFmYzI5MWNtTmxQV1Z0WVdsc1gzTnBaMjVoZEhWeVpTWmhiWEE3ZFhSdFgyMWxaR2wxYlQxbGJXRnBiQ1poYlhBN2RYUnRYMk5oYlhCaGFXZHVQWEJ5YjIxdmRHbHZiaUlzSW1oaGMyZ2lPaUkwTjFGWlUzZFlTMkYxVDA1dVIxb2lMQ0pqYjI1MFlXTjBYMlZ0WVdsc0lqb2lhbWx0YlhrdWQyRnNhMlZ5UUdGc2JITjBZWFJsTG1OdmJTSjk9IiwicmVxdWVzdF9kYXRhIjp7ImRqSjdJblZ5YkNJNkltaDBkSEJ6T2x3dlhDOXRaWFJoYm05cFlX",
"https://alohatube.xyz/search/tsara-brashearsL",
"https://seedbeej.pk/tin/index.php?QBOT.zip. [ phishing plus]",
"7651508989a859a165a3e587268021e3ce3734b3e8711d06a101068c60dfdbbe ( Spyware| tsetup.2.4.4.exe | Downloader.Agent!1.E2F1 (CLASSIC) |Telegram Messenger Inc WeExtract malicious installation on targets media & devices)",
"Alerts: procmem_yara antisandbox_sleep persistence_autorun cape_detected_threat infostealer_cookies recon_fingerprint",
"alohatube.xyz",
"googlepassword.cmu.edu",
"Target \u2192 https://www.pornhub.com/gifs/search?search=tsara+lynn+brashears+lesbian (attached to Pinterest account)",
"Remote sharing: https://otx.alienvault.com/otxapi/indicators/file/screenshot/dd846d74613d6285125886d35abb1bd261a5fc1b6bc0ba6e28e881f73dba23b7",
"http://wpgchanfp01.cangene.com/tmp/javascript/tiny_mce/plugins/imagepaste/applet/cp.jar",
"UrlVoid",
"Alerts: stealth_window cmdline_http_link uses_windows_utilities suspicious_command_tools dead_connect",
"facebooksunglassshop.com [titled' Tsara Brashears GCcmwm.T ?]",
"https://www.hybrid-analysis.com/file-inline/65c63a1fbc9c5333d20354ca/screenshot/screen_6.png",
"https://poemhunter.com/tsara-brashears/",
"http://www.tryporn.net/seach/tsara-brashears/",
"Any.run",
"OTX AlienVault",
"http://frostsecurity.net/frost/driver/ \u2022 http://frostsecurity.net/frost/frostupdater/",
"rp.dudaran2.com [routerlogin.net to safebae.org]",
"fb582cc7cfcfa64786caff627cc34ff7aedf7a97620d0cd2eb927d4bb3b7653d",
"batchcourtexpressservicesqa.westlaw.com",
"ntp17.dn.n-helix.com \u2022 ntp6.n-helix.com \u2022\tn-helix.com",
"http://sniper.debugger.ru",
"https://www.sweetheartvideo.com/en/scene/Truth-Dare--Boobs/130432",
"apple-aqo.com (1 DNSPod.net)",
"tulach.cc [AM | phishing]",
"http://wapwon.live/category/tsara-brashears-assaulted-by-jeffrey-reimerAccept-Languauge phishing",
"pornhub-e.com \u2022 www.pornhub.com \u2022",
"tsara-brashears-deadspin-twitter-suspended-account-help.ht",
"https://www.neurosky.jp/wp-content/plugins/responsive-lightbox/assets/fancybox/jquery.fancybox.min.js?ver=2.1.0",
"http://www.hallrender.com/resources/blog (Malware hosting, malvertizing URL/ targets Tsara Brashears)",
"polling.portal.gov.bd",
"IDS Detections: Koobface HTTP Request (2) W32/Bayrob Attempted Checkin 2",
"https://maisexo-com.putaria.info/casting \u2022 https://contosadultos-club.sexogratis.page/tudo",
"M. Brian Sabey Hall Render , Denver, Co | Frankfurt, Germany",
"https://www.milehighmedia.com/legal/2257 \u2022 https://www.milehighmedia",
"Alerts: dumped_buffer network_cnc_http network_http allocates_rwx applcation_raises_exception",
"https://hybrid-analysis.com/sample/66a840a853476a7b66a1202d7f21b28e71b94912341dee123345e620f41fda9d/6571d012385f14f31d0191ad",
"http://alohatube.xyz/search/tsara-brashears",
"m.pornsexer.xxx.3.1.adiosfil.roksit.net",
"https://steam.exacg.cc/ \u2022 http://tesgm.ru/_ld/5/584_steam_apidll_Th.rar",
"https://support.apple.com/en-us/HT201265. Targets (iOS ID)",
"https://www.anyxxxtube.net/media/favicon/apple",
"https://wallpapers-nature.com/%20tsara-brashears/urlscan-io",
"Infectious Disease UC Health denied target medication they said she needed as questionable liquid seeped into her brain.",
"https://uszoom.com/",
"safebae.org",
"ww.google.com.uy",
"Can the DoD no questions asked target a SA victim",
"ttps://www.milehighmedia.com/scene/4404473/creampie-adventures-scene-2-sneaky-melanie",
"https://tamlegal.com/attorneys/christopher-p-ahmann/",
"https://sinister.ly/Thread-Apple-empty-box?page=13",
"safebae.org (Skynet) Was now deceased Daisy Coleman a real person or actress in Audrey & Daisy? Tragic",
"114.114.114.114. (auto populated IP descriptions: tulach, brian sabey, apple, law)",
"http://emrd.gov.bd/dead.php",
"remotewd.com device local",
"CVE-2022-26134",
"https://www.roseoubleu.fr/panier (phishing)",
"Wife of Brashears SAter \u2022 Alias \u2022 Couple plays victim \u2022 Karens. HIPPA violations. Admittedly involved cyberstalking on Brashears. Legally agreed to stop.",
"http://www.music-forum.org/www-cixiu888-com-tsara-brashears.html",
"FileHash-MD5 da06b3d7e20045b6edad50f28ce8bac1",
"applepaydayloans.com",
"https://www.vgt.pl/font/fa/fontawesome-webfont.eot",
"34bc869d2906198362a4346373ce5b94 (bpbd.portal.ov.bd/npfblock/2021-jpg.",
"https://youjizz.sex/tsara-brashears.html",
"Treece Alfrey Musat P.C. Attorneys at Law Christopher P. Ahmann | https://TamLegal.com",
"iamrobert.com Y.A.S.",
"http://orangeporntube.net/tsara-brashears.html",
"https://www.hallrender.com/professional/kathy-l-thurston/ (phishing)",
"https://www.hybrid-analysis.com/sample/92b00ee3aca1f3057ad8402229c27bfdd6fc934908ef641b36379bf47093df0b/65c63a1fbc9c5333d20354ca",
"http://init-p01st.push.apple.com/bag [= Google.com.uy modified browser - malicious] apple.com-auth.eu \u2022 appleid.apple.com-auth.eu\u2022",
"manvimishraa5417@gmail.com [Video of Tsara Brashears circulation]",
"https://www.vgt.pl/css/ \u2022 https://www.vgt.pl/favicon.ico \u2022 https://www.vgt.pl/font/fa/fontawesome-webfont.eot",
"Hybrid Analysis",
"www.historykillerpro.com",
"init.ess.apple.com (remote hacking)",
"http://siteinlink.d1.cnbd.net/search/tsara-brashears-dead \u2022 https://videolal.com/videos/tsara-brashears-dead-by-daylight.html",
"dvd-game-new-releases.info",
"Possible Fake AV Checkin Kazy/Kryptor/Cycbot Trojan Checkin BetterInstaller Win32.AdWare.iBryte.C Install Dooptroop CnC Beacon Win32/DownloadAssistant.A PUP CnC Win32.Sality-GR Checkin Win32/FlyStudio Activity W32/InstallRex.Adware Initial CnC Beacon PUP Win32/DownloadAssistant.A Checkin",
"https://wallpapers-nature.com/tsara-brashears/tse1-mm-bing-net (BitCoin Aussie)",
"https://www2.itsyourporn.com/license.php \u2022 https://www.lovephoto.tw/members",
"Win32:Renos-KY\\ [Trj] , Win.Worm.Pykspa , Worm:Win32/Pykspa.C: FileHash-SHA256 0000294999c616c2dc6722880830752e826f2c11719c926ef3e62f7b0ef1e0bd trojan",
"More IP\u2019s Contacted 74.6.143.26 Domains Contacted benjamin.xww.de",
"zeroeyes.host \u2022 media.defense.gov \u2022 defense.gov \u2022 23.222.155.67",
"http://watchhers.net/index.php",
"http://init-p01st.push.apple.com/bag (remote hacking)",
"https://www.youtube.com/watch?v=GyuMozsVyYs [Emotet] Jays Youtube Bot.exe",
"Active - pointing: https://itunes.apple.com/app/apple-store/id284815942/us/app/samsung-galaxy-watch-gear-s/id1117310635",
"http://45.159.189.105/bot/regex",
"Urlscan",
"http://titasgas.portal.gov.bd/dead.php",
"Behavior Pattern Match Analysis",
"$RTD4NQU.exe - Sigma Rule: Audit Policy Tampering Via Auditpolicy",
"https://gr.pinterest.com/emreimer/",
"https://api.wavebrowserbase.com",
"https://www.assurant.com/?utm_source=email&utm_medium=email&utm_campaign=Mobile_Transactional_withad&utm_content=Deductible+Charge+Acknowledgement+PD-MB&utm_term=",
"http://siteinlink.d1.cnbd.net/search/tsara-brashears-dead \u2022 http://siteinlink.d1.cnbd.net/site/maps.google.com.lb/",
"http://jofu93hf9fdsl.canadacaregiverconsulting.com/pclianyeapp/1167.jpg [Tsara Brashears > Song Culture & Samantha Borrego> dorkingbeaty]",
"www.milehighmedia.com \u2022 https://www.milehighmedia.com/en/Charlie-Dean/pornstar/49512",
"https://www.vgt.pl/font/roboto/Roboto-Medium.ttf",
"apple.finder-idevice.com | nr-data.net | https://appleid.com-dispositivo-perdido.com/ |",
"https://gujarati.ent24x7.comb [RAT]",
"Worm:Win32/Benjamin IDS Detections: Win32.Worm.Benjamin.A CnC Checkin ICMP",
"https://www.hallrender.com/attorney/brian-sabey",
"000002f1558a89f29984934d511289491032f9e96a249c12f2f6d42678264114 (Notepad.exe - python initiated connection)",
"http://wapwon.live/category/tsara-brashears-assaulted-by-jeffrey-reimerAccept-Language",
"http://neurosky.jp",
"http://www.pornokind.vgt.pl \u2022 https://dbkuewww.m.vgt.pl \u2022 https://lokalnyhost.vgt.pl \u2022 www.xn--twj-hna.pedofil.vgt.pl",
"I am very upset. Whoever is doing this is sick.",
"https://www.vgt.pl/static/js/bootstrap-typeahead.jstic/js/bootstrap-typeahead.js",
"https://www.anyxxxtube.net/search-porn/tsara-brashears/ phishing",
"https://pornokind.vgt.pl \u2022 https://sip.vgt.pl \u2022 https://smtp-qa.vgt.pl \u2022 https://www.vgt.pl/94.152.156.22/logo.png",
"checkip.dyndns.org [command_and_control]",
"https://www.vgt.pl/font/roboto/Roboto-Thin.ttf \u2022 https://www.vgt.pl/static/js/bootstrap-typeahead.js",
"86.140.232.148 [scanning_host]",
"YARA Detections: NAME STRINGS CATEGORY APT10_Malware_Sample_Gen acc.lehigtapp.com FILE",
"https://hallrender.com/attorney/brian-sabey",
"http://pixelrz.com/lists/keywords/tsara-brashears-jeffrey-reimer-porn/;0.48692189815948833",
"apple.com-auth.eu [Find apple] | https://applemusic-spotlight.myunidays.com/US/en-US? [compromise via apple media]",
"Alienvault OTX",
"https://www.cisa.gov/news-events/cybersecurity-advisories/aa23-242a",
"https://otx.alienvault.com/indicator/file/e590f6ad5d0a831e297ed14c29af8467085d33bb26216501b621fbe8e8eca23b",
"apple.com. (malicious version/header)",
"stagelight.pl (malicious/ pattern match)",
"poemhunter.com (Blacklisted.Target Tsara Brashears with relentless malvertizing attacks including, device hacking)",
"https://www.vgt.pl/94.152.156.22/logo.png \u2022 https://www.vgt.pl/css/",
"https://www.pornhub.com/gifs/search?search=tsara+lynn+brashears+lesbian [Apple Password Cracker]",
"https://www.milehighmedia.com/en/login/index/aHR0cHMlM0ElMkYlMkZtZW1iZXJzLm1pbGVoaWdobWVkaWEuY29tJTJGZW4lMkZ2aWRlb3MlMkZzd2VldGhlYXJ0dmlkZW8lM0ZhbHVwJTNEQURqeF9ITjhfd1oweU96UnpsU3NNNUZLaVVxSzBXNEN0X3NmTFpKTGVJc3M2b0RVUzkwVmp6VllNVko5eFpmdENYcFNKd3IzOTNaMG1mOEpXeVhVeVZpLTJZYVRsaGd3M25DSDRpYnRwZ25BRC1zUFhDQVUycjZJOXo2WWtRMzNVWVFhMFZyWC1YckxvcnRkVjJZdEgxSDYxZ1lhMTFNS3RZSkEzY3FlSXhFQzhtSlAzSk1tbloySURMQXlMZndPcHozSFFiTzF4T0FseXJIQ0xYem1ldFElMkE=\t \thttp://www.milehighmedia.com/?ats=eyJhIjoyOTYzMTgsImMiOjU3OTYzNz",
"https://mypornvid.com/videos/27/x510fb2/white-dpt-jeffrey-reimer-loves-pretty-indian-patient-forces-sex-3gp-video-tsara-brashears/caillou-finger",
"https://d1rozh26tys225.cloudfront.net/robot-suspicion.svg (mobility company no one has heard of)",
"1.116.132.182/weblogic_CVE_2020_2551.jar",
"Alerts: dumped_buffer network_cnc_http network_http allocates_rwx applcation_raises_exception infostealer_browser",
"https://www.milehighmedia.com/de/MileHighMedia/scene/129689?utm_source=271174&utm_medium=affiliate&utm_campaign=",
"http://www.Apple.com/quicktime/download/standalone.html",
"https://tulach.cc/",
"tv.apple.com [Apple Backdoor| Attack | Hacking]",
"https://otx.alienvault.com/indicator/url/https://my.newzapp.co.uk/t/click/1684555348/129495091/17547390 [Target:SongCulture/Tsara Brashears YT]",
"http://vtwctr.org/explore/tsara- brashears-defeats-jeffrey-reimer/",
"https://twitter.com/PORNO_SEXYBABES | cloud.zemana.com - porn cloud",
"https://cg864.myhotzpic.com phishing \u2022 http://dashboard.myhotzpic.com/",
"https://urlscan.io/screenshots/e931bb02-80dc-46db-92f0-43d5afa258be.png",
"https://www.hallrender.com/wp-content/themes/Hall-Render/assets/js/minified/lazy_load-1.9.7-min.js?ver=3.0.1%27 (malware hosting)",
"www.pornhub.com",
"http://www.bukaporn.net/trend/tsara-brashears/ No Expiration\t41\t URL http://www.gdsl-pallemoebler.info/seach/tsara-brashears/",
"https://www.pornhub.com/video/search?search=tsara+brashears",
"init.ess.apple.com ( Code Script \u2022 MortalK)",
"Pop: HIO50 C1 X Amz Cf Id: Jt aBPO2nI3Nt D0E4nzqpun66btDLhJ41kQwhDASrIukoWyUOWE1w==",
"Yara Detections: NTKrnlPacker, NTkrnlSecureSuite01015NTkrnlSoftware, NTkrnlSecureSuiteNTkrnlteam",
"https://applemusic-spotlight.myunidays.com/US/en-US? (remote hacking)",
"If someone is believed to be a threat they have right to due process.",
"https://otx.alienvault.com/indicator/file/4d1dbf5ccc25a7f5fa24bd48d92987ff6d4dba35",
"Jays Youtube Bot.exe > FileHash-SHA256\t00514527e00ee001d042",
"https://www.sweetheartvideo.com/it/model/Kristen-Scott/50432",
"https://www.sweetheartvideo.com/en/dvd/Lesbian-Massage/49895",
"Amnesty.org | remote.amnesty.org",
"http://www.happylifehappywife.com/2011/06/'> \u2022 http://www.happylifehappywife.com/2011/08/'",
"https://www.meritshealth.com/ Defense.Gov Mobility Co? ",
"http://www.dvrdns.net/BlackBox/LVR_SD310HWG/SD310H/Player(3.7.2.0).exe.txt \u2022 www.dvrdns.net",
"google.cmu.edu.",
"government.westlaw.com",
"Ransomware: message.htm.com",
"https://www.vgt.pl/font/roboto/Roboto-Regular.eot \u2022 https://www.vgt.pl/94.152.156.22/logo.png \u2022 https://www.vgt.pl/css/",
"https://palantir-staging.staging.candidate.app.paulsjob.ai/",
"message.htm.com \u2022 CVE-2023-4966 \u2022 ransomed.vc",
"https://www.anyxxxtube.net/search-porn/tsara-brashears/ [phishing]",
"ipv4bot.whatismyipaddress.com",
"https://otx.alienvault.com/indicator/url/http://jofu93hf9fdsl.canadacaregiverconsulting.com/pclianyeapp/1167.jpg",
"AS54113 Fastly Autonomous System aggregation for Pinterest United States Botnet Command and Control Server",
"https://applepaydayloans.com/",
"Link found in https://house.mo.com",
"http://xd.x9.client.api.vpngate2.jp/api/?session_id=1773986324675443378",
"http://videolal.com/tsara-brashears-dead.html",
"https://www.hallrender.com/2018/12/13/nationwide-emailed-bomb-threats-are-new-ransom-technique (target emailed bomb \"t\" threat, reported, dismissed)",
"104.86.182.8 [command_and_control]",
"https://www.sweetheartvideo.com/model/63710/brandi-love",
"Data Analysis",
"DotNET_Reactor: System.Security.Cryptography.AesCryptoServiceProvider System.Security.Cryptography",
"http://www.anyxxxtube.net/search-porn/tsara-brashears",
"Gowi Live Bot.exe",
"www.happylifehappywife.com \u2022 http://www.happylifehappywife.com/2010/02/'>",
"She was a researcher not a hacker. A mother not a criminal. Most talented and least impressed person I have ever known.",
"Antivirus Detections: Win.Virus.Pioneer-9111434-0 , Virus:Win32/Floxif.H | IDS Detections: Win32.Floxif.A Checkin 403 Forbidden",
"There is fear in silence or speaking out",
"https://www.pornhub.com/gifs/search?search=tsara+lynn+brashears+lesbian",
"https://alohatube.xyz/search/tsara-brashears (Formerly Botnetwork malvertizing campaign targeting Tsara Brashears crime victim. Now http. Benjamin. xww )",
"http://pixelrz.com/lists/keywords/tsara-brashears-dead/360 \u2022 http://pixelrz.com/lists/keywords/tsara-brashears-dead/360] No Expiration\t4\t Domain tsara-brashears-deadspin-twitter-suspended-account-help.ht",
"Related somehow, pulse modified by?https://otx.alienvault.com/pulse/65e843669f4ba77affa4b297",
"High Priority Check-ins: Banload HTTP Checkin Detected (envia.php) Win32.Meredrop Checkin Bancos Variant C2 Checkin 1",
"https://hybrid-analysis.com/sample/a1b9247b6ad18f1cda0304e406333459d4000fced5753f91e5c046f6577c388a",
"https://static.pornhat.com/contents/videos_screenshots/642000/642793/640x360/1.jpg",
"https://www.hybrid-analysis.com/sample/d4f0fd95f42482e96d982df3d538f67ee9c8756834486dd2cf33e1679c90af50/65812fd9a34bc52aac0b910f"
],
"related": {
"alienvault": {
"adversary": [],
"malware_families": [],
"industries": [],
"unique_indicators": 0
},
"other": {
"adversary": [
"[Unnamed group]",
"APT 10",
"M. Brian Sabey Hall Render Malicious & Dangerous Threat Actor",
"Tulach | Mark Brian Sabey | Hall Render Law Firm"
],
"malware_families": [
"Kraddare",
"Mimikatz",
"Generic.malware",
"Colbalt strike",
"Invicta stealer",
"Static ai - malicious pe",
"Proxy",
"Alf:program:opencandy:remnant",
"Am",
"Cobalt strike - s0154",
"Tiggre",
"Koobface",
"Qvm20.1.8d80.malware",
"Backdoor:msil/bladabindi",
"Maltiverse",
"Trojan.ransom.generickd",
"Win.malware.installcore-6950365-0",
"Nanocore rat",
"Irata",
"Zeus",
"Trojan:win32/wacatac",
"Anonymizer",
"Win32:delf-ses\\ [trj]",
"Redline",
"Nsis",
"Trojan.barys/cobalt",
"Trojandownloader:o97m/bazaloader",
"Trojanspy:win32/nivdort",
"Honeypot",
"Malware.generic",
"Tofsee",
"Suppobox",
"Opencandy",
"Pegasus",
"Win.virus.pioneer-9111434-0",
"Inmortal",
"Beach research",
"Hsbc",
"Uztuby",
"Wannacry kill switch",
"Nivdort checkin",
"Variant.zusy.572 checkin",
"Agent tesla",
"Ms defender\talf:heraklezeval:trojan:win32/clipbanker",
"W32.aidetectmalware.cs",
"Gamehack.dr",
"Slfper:browsermodifier:win32/mediamagnet",
"Ubot",
"Gen:variant.razy",
"Jaik",
"Cve-2023-2868",
"Worm:win32/benjamin",
"Dropper.binder",
"Apt 10",
"Redline stealer",
"Formbook",
"Virus:dos/metro",
"Swort",
"Win.trojan.sdum-9807706-0",
"Cutwail",
"Pdf.phishing.ttraffrobotinstall-7605656-0",
"Trojan:vbs/metasploitvbscmdstager",
"Alf:heraklezeval:pua:win32/spyrixkeylogger",
"Blacknet rat",
"Ramnit",
"Radar ineractive",
"Redirector",
"Worm:win32/netsky",
"Ransom:win32/gandcrab",
"Other malware",
"Behav",
"China telecom",
"Tel:delphi/obfuscator",
"Worm:win32/pykspa.c",
"Win32.pdf.alien",
"Ml.generic",
"Qbot",
"Artemis",
"Domains",
"Adware.dropware",
"Iobit",
"Worm:win32/autorun",
"Et",
"Skynet",
"Trojan.ole2.vbs",
"Trojan:win32/qshell",
"Trojan:win32/installcore",
"Trojandownloader:win32/neojit.a",
"Azorult",
"Content reputation",
"Slfper:installcore",
"Yixun",
"#lowfi:hstr:trojanspy:win32/bancos",
"Sonbokli",
"Njrat - s0385",
"Virut",
"Squirrelwaffle",
"Andromeda",
"Malware",
"Cl0p",
"Trojan.generic",
"Pony - s0453",
"Vidar",
"Tel:trojan:win32/emotet",
"Hallrender",
"Bazaar loader",
"Hallgrand",
"Mirai",
"Backdoor:win32/outbreak",
"Onelouder",
"Zpevdo",
"Silent",
"Xrat",
"Trojan:win32/tiggre",
"Webtoolbar",
"Ghandi",
"Relic",
"Exploit:win32/cve-2017-0147",
"Undefined 1\tms 1\txyz 1\tgl 1\tnet tld aggregation com ms xyz gl net 20% 20% 20% 20% 20% tld\tcount com\t1 undefined\tnan ms\t1 xyz\t1 gl\t1 net\t1 combined blacklist timeline hybrid-analysis maltiverse resea",
", win.worm.pykspa-6057105-0",
"Emotet",
"Trojan:win32/mydoom",
"Generic",
"Alf:pua:win32/fusioncore",
"Backdoor:win32/zbot",
"Gen:variant.bulz",
"Orcus rat",
"Detplock",
"Network rat",
"Pup/hacktool",
"Hiddentear",
"Njrat",
"Bayrob",
"Invoke-mimikatz",
"Silk road",
"Noname057",
"Trojan.html.agent",
"Gen:variant.zusy",
"Sdbot.caoc",
"Backdoor.xtreme",
"Darkside .beware",
"Win32.meredrop checkin",
"Generic.asmalws malicious_confidence_70% 1\til:trojan.msilzilla 1\tfilerepmalware 1\transom.sabsik 1\tbehaveslike.dropper 1\tmicrosoft phishing 1\tbackdoor.mokes 1\tphishing bank of america corporat",
"Vitzo",
"Win.trojan.agent-1372316",
"Sality",
"Br",
"Generic.31fcc75f",
"#lowfi:siga:trojanspy:msil/keylogger",
"Systweak",
"Quasar rat",
"Wacatac",
"Occamy",
"Adware.pcappstore/veryfast",
"Nymaim",
"Virus:win32/floxif.h",
"Backdoor.mokes",
"Win32:renos-ky\\ [trj]",
"Win.keylogger.susppack-9876601-0",
"Malicious.22a4c0",
"W32.hack.generic",
"Tulach",
"Feodo tracker",
"Freemake",
"Adwaresig [adw] ml.generic",
"Worm:vbs/dapato",
"Cobalt strike",
"Tulach malware",
"Sodin ransomware",
"Alf:trojan:win32/formbook",
"Pws:msil/steam",
"Zbot",
"Trojandropper:vbs/swrort",
"Alf:trojan:o97m/emotet",
"Ransomexx",
"Alf:pua:win32/opencandy",
"Babar",
"#hstr:hacktool:win32/mimikatz",
"Apnic",
"Laplasclipper",
"Metro",
"Keyloggers",
"Malware_download\tsuspicious.low.ml 2\tmalicious.moderate.ml 1\tunsafe.ai_score_98% 1\tmobigame 1\tbanker,evasive,retefe 1\tprogram.unwanted 1\tmalicious.high.ml 1\tkryptik.dawvk 1\tunsafe.ai_score_91% 1\tadwar",
"Phish.ab",
"Rms",
"Hacktool",
"Racoon stealer",
"Trojanspy",
"Verified"
],
"industries": [
"Civil society",
"Golfing",
"Defense",
"Health",
"Entertainment",
"Government",
"Healthcare",
"Telecommunications",
"Gas",
"Technology",
"Media",
"Food"
],
"unique_indicators": 321700
}
}
},
"false_positive": [],
"alexa": "http://www.alexa.com/siteinfo/ftuapps.com",
"whois": "http://whois.domaintools.com/ftuapps.com",
"domain": "ftuapps.com",
"hostname": "Unavailable"
},
"geo": {},
"geo_ipapicom": {},
"pulse_count": 50,
"pulses": [
{
"id": "69e434769e2a43c088066ca2",
"name": "Kraddare \u2022 Agent Tesla \u2022 CVE Jar clone credit octoseek",
"description": "",
"modified": "2026-04-19T07:36:41.138000",
"created": "2026-04-19T01:48:38.335000",
"tags": [
"heur",
"cisco umbrella",
"site",
"alexa top",
"malware",
"million",
"xcnfe",
"maltiverse",
"malware site",
"safe site",
"malicious",
"trojan",
"artemis",
"vidar",
"redline stealer",
"raccoon",
"keylogger",
"riskware",
"agent tesla",
"remcos",
"stealer",
"miner",
"hacktool",
"bank",
"agenttesla",
"agent",
"unknown",
"downloader",
"unsafe",
"detplock",
"networm",
"win64",
"service",
"smokeloader",
"dropper",
"crack",
"alexa",
"trojanspy",
"detection list",
"blacklist https",
"kyriazhs1975",
"noname057",
"tag count",
"threat report",
"ip summary",
"url summary",
"summary",
"sample",
"samples",
"blacklist",
"cyber threat",
"united",
"engineering",
"phishing",
"covid19",
"facebook",
"phishing site",
"paypal",
"njrat",
"emotet",
"nanocore rat",
"meterpreter",
"azorult",
"download",
"msil",
"bladabindi",
"mirai",
"pony",
"nanocore",
"bradesco",
"cobalt strike",
"cve201711882",
"redline",
"ssl certificate",
"tsara brashears",
"cyberstalking",
"spyware",
"apple ios",
"quasar",
"ransomware",
"malware norad",
"cry kill",
"attack",
"installer",
"formbook",
"lockbit",
"open",
"banker",
"bazarloader",
"core",
"ransomexx",
"name verdict",
"pattern match",
"et tor",
"known tor",
"relayrouter",
"exit",
"node traffic",
"misc attack",
"script",
"beginstring",
"ascii text",
"null",
"date",
"error",
"span",
"refresh",
"class",
"generator",
"critical",
"body",
"look",
"verify",
"restart",
"meta",
"hybrid",
"general",
"click",
"strings",
"tools",
"as141773",
"as63932",
"moved",
"passive dns",
"search",
"entries",
"gmt content",
"type",
"keep alive",
"scan endpoints",
"all octoseek",
"pulse pulses",
"as17806 mango",
"blacklist http",
"phishtank",
"malicious site",
"apple",
"blockchain",
"runescape",
"twitter",
"qakbot",
"asyncrat",
"team",
"internet storm",
"generic",
"union",
"bazaloader",
"media",
"generic malware",
"hostname",
"suppobox",
"netwire rc",
"installcore",
"conduit",
"iobit",
"mediaget",
"outbreak",
"acint",
"installpack",
"phish",
"rostpay",
"fakeinstaller",
"spyrixkeylogger",
"bitminer",
"loadmoney",
"filetour",
"wacatac",
"fusioncore",
"dapato",
"cleaner",
"softonic",
"encpk",
"qbot",
"predator",
"swrort",
"kraddare",
"systweak",
"dllinject",
"driverpack",
"iframe",
"downldr",
"presenoker",
"as61317",
"asnone united",
"urls",
"files",
"next",
"as15169 google",
"japan unknown",
"as17506 arteria",
"as32244 liquid",
"as49505",
"russia unknown",
"expired",
"domain",
"falcon",
"as19969",
"ipv4",
"ransom",
"encrypt",
"file",
"windows nt",
"indicator",
"response",
"appdata",
"gmt contenttype",
"png image",
"local",
"contacted",
"fali malicious",
"dropped",
"communicating",
"referrer",
"fali contacted",
"silk road",
"immediate",
"cymulate2",
"tsara brashears",
"malvertizing"
],
"references": [
"https://wallpapers-nature.com/tsara-brashears/urlscan-io",
"alohatube.xyz",
"https://www.anyxxxtube.net/search-porn/tsara-brashears/",
"http://alohatube.xyz/search/tsara-brashears",
"https://www.pornhub.com/gifs/search?search=tsara+lynn+brashears+lesbian",
"ww.google.com.uy",
"https://alohatube.xyz/search/tsara-brashears",
"https://wallpapers-nature.com/%20tsara-brashears/urlscan-io",
"https://polling.portal.gov.bd/js/npc.script.js",
"polling.portal.gov.bd",
"https://polling.portal.gov.bd/js/npop.script.js",
"http://watchhers.net/index.php",
"https://brandyallen.com/2022/11/23/sexy",
"m.pornsexer.xxx.3.1.adiosfil.roksit.net",
"http://park.above.com/jr.php?gz=DjDNgvDQ0WlpBALxevxSvkF3jBH95b5riUvmgFjb1tbPDV06suYFlRcPA34ufLE5UZ8spiM7ya7tRXR8nLUgk920DSaIXniiR5hkoveznG%20mez7OU5R%20HKIczV475LuRwxm3J1pcRSpQcePtF/4aD%20frLO%205mYc0Maj8Z1IwBeAMESc9Gk3BzCkGUHNVeCAZ9vZrQhEeVvN%20QVBAu1boZNJTnvCAP0lB5ebMSP92bFHD/ItyL53LoVDSYWMd64KTNMMJaXE0kZVqQn/%20STriQbrA6cmW3Xj4sAJ3XXEbNNJzTbIvgsy00PlKWInEUK/iXzVecaBsXg3vkUcvkeM3HPPIajaBexXO7ATYz/qTeKAksI9l2IoDAsn0S9BYCTuP8uTYdgJAv0LO%20MkNBOrSqJnFQzTlNxG4NRSP6K4VDWklVPpCwQc/s/AfrwIdLcdrV6CQDLaluG1naOjXDc",
"http://nhrc.portal.gov.bd/sites/default/files/files/nhrc.portal.gov.bd/page/348ec5eb_22f8_4754_bb62_6a0d15ba1513/Study-Report-on-Sexual-Offences_Final.pdf",
"https://twitter.com/PORNO_SEXYBABES",
"https://alohatube.xyz/search/sex-mom-dog-animal",
"https://www.colorfulbox.jp/",
"Hybrid Analysis",
"Any.run",
"OTX AlienVault",
"Urlscan",
"UrlVoid",
"http://emrd.gov.bd/dead.php",
"http://titasgas.portal.gov.bd/dead.php",
"http://mincom.gov.bd/dead.php",
"http://cabinet.gov.bd/dead.php"
],
"public": 1,
"adversary": "",
"targeted_countries": [
"United States of America",
"Malaysia",
"Bangladesh"
],
"malware_families": [
{
"id": "Maltiverse",
"display_name": "Maltiverse",
"target": null
},
{
"id": "TrojanSpy",
"display_name": "TrojanSpy",
"target": null
},
{
"id": "RedLine",
"display_name": "RedLine",
"target": null
},
{
"id": "TrojanSpy",
"display_name": "TrojanSpy",
"target": null
},
{
"id": "Racoon Stealer",
"display_name": "Racoon Stealer",
"target": null
},
{
"id": "Ransomexx",
"display_name": "Ransomexx",
"target": null
},
{
"id": "Quasar RAT",
"display_name": "Quasar RAT",
"target": null
},
{
"id": "njRAT - S0385",
"display_name": "njRAT - S0385",
"target": null
},
{
"id": "FormBook",
"display_name": "FormBook",
"target": null
},
{
"id": "Bazaar Loader",
"display_name": "Bazaar Loader",
"target": null
},
{
"id": "Emotet",
"display_name": "Emotet",
"target": null
},
{
"id": "Detplock",
"display_name": "Detplock",
"target": null
},
{
"id": "WannaCry Kill Switch",
"display_name": "WannaCry Kill Switch",
"target": null
},
{
"id": "Ghandi",
"display_name": "Ghandi",
"target": null
},
{
"id": "Systweak",
"display_name": "Systweak",
"target": null
},
{
"id": "Swort",
"display_name": "Swort",
"target": null
},
{
"id": "Silk Road",
"display_name": "Silk Road",
"target": null
},
{
"id": "ALF:HeraklezEval:PUA:Win32/SpyrixKeylogger",
"display_name": "ALF:HeraklezEval:PUA:Win32/SpyrixKeylogger",
"target": null
},
{
"id": "Trojan:Win32/Wacatac",
"display_name": "Trojan:Win32/Wacatac",
"target": "/malware/Trojan:Win32/Wacatac"
},
{
"id": "RansomEXX",
"display_name": "RansomEXX",
"target": null
},
{
"id": "noname057",
"display_name": "noname057",
"target": null
},
{
"id": "Nanocore RAT",
"display_name": "Nanocore RAT",
"target": null
},
{
"id": "Worm:VBS/Dapato",
"display_name": "Worm:VBS/Dapato",
"target": "/malware/Worm:VBS/Dapato"
},
{
"id": "Kraddare",
"display_name": "Kraddare",
"target": null
}
],
"attack_ids": [
{
"id": "T1027",
"name": "Obfuscated Files or Information",
"display_name": "T1027 - Obfuscated Files or Information"
},
{
"id": "T1110",
"name": "Brute Force",
"display_name": "T1110 - Brute Force"
},
{
"id": "T1059",
"name": "Command and Scripting Interpreter",
"display_name": "T1059 - Command and Scripting Interpreter"
},
{
"id": "T1071",
"name": "Application Layer Protocol",
"display_name": "T1071 - Application Layer Protocol"
},
{
"id": "T1105",
"name": "Ingress Tool Transfer",
"display_name": "T1105 - Ingress Tool Transfer"
},
{
"id": "T1497",
"name": "Virtualization/Sandbox Evasion",
"display_name": "T1497 - Virtualization/Sandbox Evasion"
},
{
"id": "T1571",
"name": "Non-Standard Port",
"display_name": "T1571 - Non-Standard Port"
},
{
"id": "T1176",
"name": "Browser Extensions",
"display_name": "T1176 - Browser Extensions"
},
{
"id": "T1573",
"name": "Encrypted Channel",
"display_name": "T1573 - Encrypted Channel"
},
{
"id": "T1566",
"name": "Phishing",
"display_name": "T1566 - Phishing"
},
{
"id": "T1114",
"name": "Email Collection",
"display_name": "T1114 - Email Collection"
},
{
"id": "T1071.004",
"name": "DNS",
"display_name": "T1071.004 - DNS"
},
{
"id": "T1071.001",
"name": "Web Protocols",
"display_name": "T1071.001 - Web Protocols"
},
{
"id": "T1059.007",
"name": "JavaScript",
"display_name": "T1059.007 - JavaScript"
},
{
"id": "TA0011",
"name": "Command and Control",
"display_name": "TA0011 - Command and Control"
},
{
"id": "T1068",
"name": "Exploitation for Privilege Escalation",
"display_name": "T1068 - Exploitation for Privilege Escalation"
},
{
"id": "T1056.001",
"name": "Keylogging",
"display_name": "T1056.001 - Keylogging"
},
{
"id": "T1491",
"name": "Defacement",
"display_name": "T1491 - Defacement"
}
],
"industries": [],
"TLP": "green",
"cloned_from": "654a7a53317c717d1f4fee7f",
"export_count": 1,
"upvotes_count": 0,
"downvotes_count": 0,
"votes_count": 0,
"locked": false,
"pulse_source": "web",
"validator_count": 0,
"comment_count": 0,
"follower_count": 0,
"vote": 0,
"author": {
"username": "msudosos",
"id": "381696",
"avatar_url": "https://otx.alienvault.com/assets/images/default-avatar.png",
"is_subscribed": false,
"is_following": false
},
"indicator_type_counts": {
"FileHash-MD5": 2522,
"FileHash-SHA1": 862,
"FileHash-SHA256": 2855,
"URL": 7963,
"domain": 1168,
"hostname": 3181,
"CVE": 13,
"email": 2,
"IPv4": 1
},
"indicator_count": 18567,
"is_author": false,
"is_subscribing": null,
"subscriber_count": 47,
"modified_text": "12 hours ago ",
"is_modified": true,
"groups": [],
"in_group": false,
"threat_hunter_scannable": true,
"threat_hunter_has_agents": 1,
"related_indicator_type": "URL",
"related_indicator_is_active": 1
},
{
"id": "69e1d9cd805ecfc463bed935",
"name": "BlackNet RAT clone credit octoseek",
"description": "",
"modified": "2026-04-18T00:51:09.427000",
"created": "2026-04-17T06:57:17.378000",
"tags": [
"united",
"heur",
"bank",
"covid19 scam",
"anonymizer",
"malicious site",
"telefonica peru",
"cyber threat",
"proxy",
"malware",
"phishing",
"zbot",
"suppobox",
"team",
"trojanx",
"service",
"facebook",
"win64",
"trojan",
"artemis",
"cisco umbrella",
"site",
"alexa top",
"million",
"safe site",
"engineering",
"download",
"microsoft",
"generic",
"union",
"bazaloader",
"media",
"runescape",
"blacklist https",
"generic malware",
"metro",
"tmobile",
"on us",
"mls season",
"home internet",
"shop",
"autopay",
"free",
"metro store",
"limit",
"pass",
"close",
"galaxy",
"easy",
"back",
"stream",
"find",
"twitter",
"intnavfnav",
"conditions",
"service url",
"search live",
"api blog",
"docs pricing",
"september",
"instagram url",
"facebook url",
"value",
"variables",
"visitor object",
"alpine object",
"cookies",
"taq boolean",
"get h2",
"kb script",
"b xhr",
"post h2",
"frame",
"b image",
"kb image",
"redirect chain",
"frame c0bc",
"kb stylesheet",
"covid19",
"phishing site",
"malicious",
"cve201711882",
"cobalt strike",
"squirrelwaffle",
"pony",
"binder",
"virut",
"ramnit",
"dropper",
"formbook",
"azorult",
"bambernek",
"alexa",
"unsafe",
"opencandy",
"downldr",
"irata",
"dbatloader",
"vidar",
"outbreak",
"downloader",
"blocker",
"ransom",
"autoit",
"bladabindi",
"emotet",
"blacknet rat",
"stealer",
"presenoker",
"fusioncore",
"cleaner",
"wacatac",
"riskware",
"coinminer",
"xrat",
"swrort",
"installcore",
"trojanspy",
"mbydkqdhtu0h",
"pbiptbmvd0k4",
"pbzpdldtg",
"detection list",
"glelexoputyh",
"linkid252669",
"s2okorbdpt2x",
"el9km",
"mtap2vnnnpj",
"blacklist",
"x22x22",
"x22scriptx22",
"x22dntx22",
"date",
"u002d2",
"linkcode u002d",
"srclang",
"urllang",
"srcurl",
"qzid",
"pattern match",
"intnavtnav",
"q0o0mahttp",
"login",
"windows nt",
"bad traffic",
"et info",
"tls handshake",
"failure",
"http traffic",
"http",
"suricata alerts",
"event category",
"description sid",
"external",
"logo",
"av detection",
"default browser",
"guest system",
"professional",
"general",
"file",
"get fwlink",
"geckohost",
"suidm",
"edgev1",
"srchdafnoform",
"srchuidv2",
"edgesf1",
"malware site",
"agent",
"exploit",
"mimikatz",
"quasar rat",
"iframe",
"beach research",
"sgeneric",
"static engine",
"umbrella",
"malware service",
"exploit source",
"scanning host",
"Command and Control",
"malicious url",
"team malicious",
"tor known",
"tor relayrouter",
"exit",
"node tcp",
"traffic",
"bad traffic"
],
"references": [
"https://metro-tmo.com/",
"Hybrid Analysis",
"Alienvault OTX",
"Data Analysis"
],
"public": 1,
"adversary": "",
"targeted_countries": [
"United States of America",
"South Africa",
"Japan"
],
"malware_families": [
{
"id": "TrojanDownloader:O97M/BazaLoader",
"display_name": "TrojanDownloader:O97M/BazaLoader",
"target": "/malware/TrojanDownloader:O97M/BazaLoader"
},
{
"id": "SuppoBox",
"display_name": "SuppoBox",
"target": null
},
{
"id": "Backdoor:Win32/Zbot",
"display_name": "Backdoor:Win32/Zbot",
"target": "/malware/Backdoor:Win32/Zbot"
},
{
"id": "Maltiverse",
"display_name": "Maltiverse",
"target": null
},
{
"id": "TrojanSpy",
"display_name": "TrojanSpy",
"target": null
},
{
"id": "Beach Research",
"display_name": "Beach Research",
"target": null
},
{
"id": "BlackNET RAT",
"display_name": "BlackNET RAT",
"target": null
},
{
"id": "Backdoor:MSIL/Bladabindi",
"display_name": "Backdoor:MSIL/Bladabindi",
"target": "/malware/Backdoor:MSIL/Bladabindi"
},
{
"id": "FormBook",
"display_name": "FormBook",
"target": null
},
{
"id": "MimiKatz",
"display_name": "MimiKatz",
"target": null
},
{
"id": "Squirrelwaffle",
"display_name": "Squirrelwaffle",
"target": null
},
{
"id": "Pony - S0453",
"display_name": "Pony - S0453",
"target": null
},
{
"id": "TrojanDropper:VBS/Swrort",
"display_name": "TrojanDropper:VBS/Swrort",
"target": "/malware/TrojanDropper:VBS/Swrort"
},
{
"id": "Quasar RAT",
"display_name": "Quasar RAT",
"target": null
},
{
"id": "Virus:DOS/Metro",
"display_name": "Virus:DOS/Metro",
"target": "/malware/Virus:DOS/Metro"
},
{
"id": "Metro",
"display_name": "Metro",
"target": null
},
{
"id": "Virut",
"display_name": "Virut",
"target": null
},
{
"id": "Vidar",
"display_name": "Vidar",
"target": null
},
{
"id": "AZORult",
"display_name": "AZORult",
"target": null
},
{
"id": "Ramnit",
"display_name": "Ramnit",
"target": null
},
{
"id": "Backdoor:Win32/Outbreak",
"display_name": "Backdoor:Win32/Outbreak",
"target": "/malware/Backdoor:Win32/Outbreak"
},
{
"id": "ALF:PUA:Win32/OpenCandy",
"display_name": "ALF:PUA:Win32/OpenCandy",
"target": null
},
{
"id": "IRATA",
"display_name": "IRATA",
"target": null
},
{
"id": "Artemis",
"display_name": "Artemis",
"target": null
},
{
"id": "Cobalt Strike - S0154",
"display_name": "Cobalt Strike - S0154",
"target": null
},
{
"id": "ALF:PUA:Win32/FusionCore",
"display_name": "ALF:PUA:Win32/FusionCore",
"target": null
},
{
"id": "ALF:Trojan:O97M/Emotet",
"display_name": "ALF:Trojan:O97M/Emotet",
"target": null
},
{
"id": "Trojan:Win32/InstallCore",
"display_name": "Trojan:Win32/InstallCore",
"target": "/malware/Trojan:Win32/InstallCore"
}
],
"attack_ids": [
{
"id": "T1550",
"name": "Use Alternate Authentication Material",
"display_name": "T1550 - Use Alternate Authentication Material"
},
{
"id": "T1140",
"name": "Deobfuscate/Decode Files or Information",
"display_name": "T1140 - Deobfuscate/Decode Files or Information"
},
{
"id": "T1027",
"name": "Obfuscated Files or Information",
"display_name": "T1027 - Obfuscated Files or Information"
},
{
"id": "T1059.007",
"name": "JavaScript",
"display_name": "T1059.007 - JavaScript"
},
{
"id": "T1071",
"name": "Application Layer Protocol",
"display_name": "T1071 - Application Layer Protocol"
},
{
"id": "T1071.004",
"name": "DNS",
"display_name": "T1071.004 - DNS"
},
{
"id": "T1071.003",
"name": "Mail Protocols",
"display_name": "T1071.003 - Mail Protocols"
},
{
"id": "T1071.001",
"name": "Web Protocols",
"display_name": "T1071.001 - Web Protocols"
},
{
"id": "T1105",
"name": "Ingress Tool Transfer",
"display_name": "T1105 - Ingress Tool Transfer"
},
{
"id": "T1560",
"name": "Archive Collected Data",
"display_name": "T1560 - Archive Collected Data"
}
],
"industries": [
"Food",
"Gas",
"Entertainment"
],
"TLP": "white",
"cloned_from": "650d0c66e0b02a6dde4a8b7a",
"export_count": 0,
"upvotes_count": 0,
"downvotes_count": 0,
"votes_count": 0,
"locked": false,
"pulse_source": "web",
"validator_count": 0,
"comment_count": 0,
"follower_count": 0,
"vote": 0,
"author": {
"username": "msudosos",
"id": "381696",
"avatar_url": "https://otx.alienvault.com/assets/images/default-avatar.png",
"is_subscribed": false,
"is_following": false
},
"indicator_type_counts": {
"hostname": 781,
"FileHash-SHA256": 3085,
"domain": 528,
"URL": 3130,
"CVE": 6,
"FileHash-MD5": 610,
"FileHash-SHA1": 368
},
"indicator_count": 8508,
"is_author": false,
"is_subscribing": null,
"subscriber_count": 49,
"modified_text": "1 day ago ",
"is_modified": true,
"groups": [],
"in_group": false,
"threat_hunter_scannable": true,
"threat_hunter_has_agents": 1,
"related_indicator_type": "URL",
"related_indicator_is_active": 1
},
{
"id": "69b2730aa46a25d7949daa8d",
"name": "apple retail dnspionage clone octoseek",
"description": "",
"modified": "2026-04-11T00:03:57.096000",
"created": "2026-03-12T08:02:18.609000",
"tags": [
"Ghost RAT",
"WebToolbar",
"Nanocore RAT",
"GameHack",
"Cobalt Strike",
"RedlineStealer",
"HallGrand",
"InstallCore",
"InstallBrain",
"Emotet",
"Tofsee",
"InMortal",
"Bradesco",
"Agent Tesla",
"Mitre",
"Pyscpa",
"TrojanSpy",
"SuppoBox",
"Occamy",
"DNSPIONAGE",
"Stealer",
"Password",
"Apple",
"Retail",
"Cherry Creek Colorado",
"Bot Networks",
"Ghost RAT",
"Networm"
],
"references": [],
"public": 1,
"adversary": "",
"targeted_countries": [],
"malware_families": [],
"attack_ids": [],
"industries": [],
"TLP": "white",
"cloned_from": "658a2b6cfdcfeec5db5f31a1",
"export_count": 5,
"upvotes_count": 0,
"downvotes_count": 0,
"votes_count": 0,
"locked": false,
"pulse_source": "web",
"validator_count": 0,
"comment_count": 0,
"follower_count": 0,
"vote": 0,
"author": {
"username": "msudosos",
"id": "381696",
"avatar_url": "https://otx.alienvault.com/assets/images/default-avatar.png",
"is_subscribed": false,
"is_following": false
},
"indicator_type_counts": {
"FileHash-MD5": 7996,
"FileHash-SHA1": 3921,
"FileHash-SHA256": 5341,
"hostname": 2108,
"domain": 1005,
"URL": 5635,
"CIDR": 2,
"CVE": 21,
"email": 28
},
"indicator_count": 26057,
"is_author": false,
"is_subscribing": null,
"subscriber_count": 49,
"modified_text": "8 days ago ",
"is_modified": true,
"groups": [],
"in_group": false,
"threat_hunter_scannable": true,
"threat_hunter_has_agents": 1,
"related_indicator_type": "URL",
"related_indicator_is_active": 1
},
{
"id": "69b49ad5dd40a24d83cd6a72",
"name": "Chris P. Ahmann \u2022 PRIVATE PROPERTY Colorado State Fixer!",
"description": "",
"modified": "2026-03-13T23:16:37.716000",
"created": "2026-03-13T23:16:37.716000",
"tags": [
"related pulses",
"p1377925676",
"gaz1",
"sid1696503456",
"sct1",
"active",
"dynamicloader",
"medium",
"write c",
"search",
"show",
"high",
"program gateway",
"http traffic",
"http",
"write",
"malware",
"nivdort",
"serving ip",
"address",
"status code",
"kb body",
"sha256",
"gw5hjz7t975",
"url https",
"url http",
"indicator role",
"pulses url",
"hostname",
"poland unknown",
"present sep",
"present jul",
"present may",
"present apr",
"present dec",
"present jan",
"moved",
"passive dns",
"ip address",
"title",
"location poland",
"asn as29522",
"gmt content",
"accept encoding",
"ipv4 add",
"urls",
"files",
"reverse dns",
"united",
"record value",
"aaaa",
"mtb oct",
"found",
"error",
"read c",
"memcommit",
"module load",
"next",
"showing",
"trojan",
"execution",
"unknown",
"entries",
"ms windows",
"intel",
"as15169",
"codeoverlap",
"yara detections",
"delphi",
"worm",
"win32",
"win64",
"learn",
"ck id",
"name tactics",
"suspicious",
"informative",
"adversaries",
"command",
"spawns",
"ssl certificate",
"execution att",
"script urls",
"treece alfrey",
"meta",
"germany unknown",
"for privacy",
"title added",
"active related",
"pulses",
"asnone",
"named pipe",
"type indicator",
"role title",
"added active",
"filehashsha256",
"ally",
"melika",
"information",
"law christopher",
"https",
"fake pinterest",
"tsara",
"traceback man",
"expiro",
"capture",
"domain",
"types of",
"germany",
"poland",
"netherlands",
"cve cve20178977",
"boobs130432 nov",
"learn more",
"filehashmd5",
"utmsourceawin",
"pe32",
"head microsoft",
"delete",
"main",
"backdoor",
"next associated",
"gmt connection",
"control",
"content type",
"twitter",
"certificate",
"redirect date",
"cache",
"unknown ns",
"hostname add",
"ipv4",
"pulse pulses",
"location united",
"america flag",
"america asn",
"windows",
"total",
"ids detections",
"url add",
"related nids",
"files location",
"flag united",
"win32mydoom nov",
"domain add",
"yara rule",
"ee fc",
"ff d5",
"f0 ff",
"eb e1",
"ff ff",
"c1 e8",
"c1 c0",
"eb e8",
"mpress",
"cache control",
"x cache",
"date",
"name servers",
"arial",
"present aug",
"present jun",
"may god",
"hall render",
"palantir doing",
"jeffrey scott",
"jeffrey reimer",
"brian sabey",
"butt pirates",
"scott reimer",
"colorado",
"quasi government",
"workers compensation",
"eva lisa",
"eva reimer",
"sammie",
"montano mark",
"death threats",
"tulach",
"hired hit men",
"gay man",
"gay porn",
"concentra",
"corruption",
"palantir",
"foundry",
"grifter",
"warning",
"illegal",
"apple",
"contacted",
"ransom",
"dead",
"denver"
],
"references": [
"https://tamlegal.com/attorneys/christopher-p-ahmann/#breadcrumb \u2022 https://www.milehighmedia.com/en/movies",
"https://www.milehighmedia.com/legal/2257 \u2022 https://www.milehighmedia",
"www.milehighmedia.com \u2022 https://www.milehighmedia.com/en/Charlie-Dean/pornstar/49512",
"https://www.milehighmedia.com/en/login/index/aHR0cHMlM0ElMkYlMkZtZW1iZXJzLm1pbGVoaWdobWVkaWEuY29tJTJGZW4lMkZ2aWRlb3MlMkZzd2VldGhlYXJ0dmlkZW8lM0ZhbHVwJTNEQURqeF9ITjhfd1oweU96UnpsU3NNNUZLaVVxSzBXNEN0X3NmTFpKTGVJc3M2b0RVUzkwVmp6VllNVko5eFpmdENYcFNKd3IzOTNaMG1mOEpXeVhVeVZpLTJZYVRsaGd3M25DSDRpYnRwZ25BRC1zUFhDQVUycjZJOXo2WWtRMzNVWVFhMFZyWC1YckxvcnRkVjJZdEgxSDYxZ1lhMTFNS3RZSkEzY3FlSXhFQzhtSlAzSk1tbloySURMQXlMZndPcHozSFFiTzF4T0FseXJIQ0xYem1ldFElMkE=\t \thttp://www.milehighmedia.com/?ats=eyJhIjoyOTYzMTgsImMiOjU3OTYzNz",
"http://www.milehighmedia.com/legal\t \u2022 https://www.milehighmedia.com/en/pornstar/milehighmedia/Justin-Hunt/51017",
"https://www.milehighmedia.com/de/MileHighMedia/scene/129689?utm_source=271174&utm_medium=affiliate&utm_campaign=",
"http://www.milehighmedia.com/?ats=eyJhIjoyOTYzMTgsImMiOjU3OTYzNzc1LCJuIjo3NiwicyI6NT...",
"ttps://www.milehighmedia.com/scene/4404473/creampie-adventures-scene-2-sneaky-melanie",
"https://www.milehighmedia.com/join \u2022 https://www.milehighmedia.com/models \u2022 https://www.milehighmedia.com/movies",
"https://www.milehighmedia.com/model/59136/avi-love \u2022https://www.milehighmedia.com/model/60418/Justin-Hunt \u2022",
"https://www.milehighmedia.com/en/photo/milehighmedia/The-Mother-I-Cant-Resist/52380",
"https://www.milehighmedia.com/en/movies \u2022 https://www.milehighmedia.com/join",
"https://www.pornhub.com/gifs/search?search=tsara+lynn+brashears+lesbian",
"pornhub-e.com \u2022 www.pornhub.com \u2022",
"https://www.sweetheartvideo.com/tsara-brashears/ \u2022 www.sweetheartvideo.com",
"https://www.sweetheartvideo.com/en/?s=1?s=1&utm_source=272160&utm_medium=affiliate&utm_campaign=lovelezzies",
"https://www.sweetheartvideo.com/en/dvd/Lesbian-Massage/49895",
"https://www.sweetheartvideo.com/en/dvds \u2022 https://www.sweetheartvideo.com/en/login",
"https://www.sweetheartvideo.com/en/model/Mona-Wales/49601 \u2022 https://www.sweetheartvideo.com/en/scene/Truth-Dare--Boobs/130432 No Expiration\t0\t URL https://www.sweetheartvideo.com/it/model/Kristen-Scott/50432 \u2022 https://www.sweetheartvideo.com/model/63710/brandi-love",
"https://www.sweetheartvideo.com/scenes?models=63710",
"https://www.sweetheartvideo.com/model/63710/brandi-love",
"https://www.sweetheartvideo.com/scenes?models=63710",
"https://www.sweetheartvideo.com/it/model/Kristen-Scott/50432",
"https://www.sweetheartvideo.com/en/scene/Truth-Dare--Boobs/130432",
"https://www.milehighmedia.com/en/photo/milehighmedia/The-Mother-I-Cant-Resist/52380",
"https://www.vgt.pl/font/roboto/Roboto-Bold.eot \u2022",
"https://www.vgt.pl/94.152.152.233/images/logo.png",
"https://www.vgt.pl/94.152.156.22/logo.png \u2022 https://www.vgt.pl/css/",
"https://www.vgt.pl/favicon.ico",
"https://www.vgt.pl/font/fa/fontawesome-webfont.eot",
"https://www.vgt.pl/font/roboto/Roboto-Bold.ttf \u2022 https://www.vgt.pl/font/roboto/Roboto-Light.eot",
"https://www.vgt.pl/font/roboto/Roboto-Medium.ttf",
"https://www.vgt.pl/font/roboto/Roboto-Light.ttf \u2022",
"https://www.vgt.pl/static/js/bootstrap-typeahead.jstic/js/bootstrap-typeahead.js",
"https://www.vgt.pl/style/style.css \u2022 https://www.vgt.pl/font/roboto/Roboto-Medium.eot",
"https://www.vgt.pl/font/roboto/Roboto-Regular.ttf \u2022 https://www.vgt.pl/font/roboto/Roboto-Thin.eot",
"https://www.vgt.pl/static/js/bootstrap-typeahead.js.179.252.2",
"https://www.vgt.pl/font/roboto/Roboto-Thin.ttf \u2022 https://www.vgt.pl/static/js/bootstrap-typeahead.js",
"https://www.vgt.pl/font/roboto/Roboto-Regular.eot \u2022 https://www.vgt.pl/94.152.156.22/logo.png \u2022 https://www.vgt.pl/css/",
"vgt.pl \u2022 www.hak.vgt.pl \u2022 www.localhost.vgt.pl \u2022 www.certyfikat.vgt.pl \u2022 aristocrat.vgt.pl",
"https://www.vgt.pl/ phishing \u2022 https://vgt.pl/ \u2022www.vgt.pl \u2022 https://www.vgt.pl/94.152.152.233/images/logo.png",
"http://www.pornokind.vgt.pl \u2022 https://dbkuewww.m.vgt.pl \u2022 https://lokalnyhost.vgt.pl \u2022 www.xn--twj-hna.pedofil.vgt.pl",
"http://www.hak.vgt.pl \u2022 http://pornokind.vgt.pl \u2022 http://sip.vgt.pl \u2022 http://smtp-qa.vgt.pl \u2022 http://vgt.pl/*.",
"https://pornokind.vgt.pl \u2022 https://sip.vgt.pl \u2022 https://smtp-qa.vgt.pl \u2022 https://www.vgt.pl/94.152.156.22/logo.png",
"www.localhost.vgt.pl \u2022 www.certyfikat.vgt.pl \u2022 https://www.vgt.pl/94.152.152.233/images/logo.png",
"https://www.vgt.pl/css/ \u2022 https://www.vgt.pl/favicon.ico \u2022 https://www.vgt.pl/font/fa/fontawesome-webfont.eot",
"https://www.vgt.pl/font/roboto/Roboto-Bold.eot \u2022 https://www.vgt.pl/font/roboto/Roboto-Bold.ttf \u2022 https://www.vgt.pl/font/roboto/Roboto-Light.eot",
"https://www.vgt.pl/static/js/bootstrap-typeahead.jstic/js/bootstrap-typeahead.js",
"https://www.vgt.pl/style/style.css \u2022 https://www.vgt.pl/static/js/bootstrap-typeahead.js",
"IP Address 94.152.58.192 Location Poland ASN AS29522 h88 s.a. Nameservers ns1.kei.pl. , ns2.kei.pl.",
"www.happylifehappywife.com \u2022 http://www.happylifehappywife.com/2010/02/'>",
"http://www.happylifehappywife.com/2010/04/'> \u2022 http://www.happylifehappywife.com/2010/05/'>",
"http://www.happylifehappywife.com/2010/07/'> \u2022 http://www.happylifehappywife.com/2010/09/'>",
"http://www.happylifehappywife.com/2011/06/'> \u2022 http://www.happylifehappywife.com/2011/08/'",
"http://www.happylifehappywife.com/2011/08/'> \u2022 http://www.happylifehappywife.com/2012/07/'>",
"http://www.happylifehappywife.com/2013/03/'> \u2022 http://www.happylifehappywife.com/index.php",
"http://www.happylifehappywife.com/wp-content/themes/theme78222/images/top-right.jpg",
"https://amp.mypornvid.fun/videos/8/AhxS-ej1myg/gf-18-com/\ud83c\udf81-i39m-your-present-\ud83c\udf81-girlfriend-surprises-you-for-christmas-reunion-soft-kisses-amp-cuddles",
"8-25-220-162-static.reverse.queryfoundry.net\t\t\tNov 1, 2025, 9:34:14 AM\t\t5\t domain\tqueryfoundry.net\t\t\tNov 1, 2025, 9:34:14 AM\t\t8\t URL\thttp://117-114-251-162-static.reverse.queryfoundry.net/",
"http://watchhers.net/index.php",
"remotewd.com device local",
"nr-data.net \u2022 applemusic-spotlight.myunidays.com \u2022 init.ess.apple.com \u2022 tv.apple.com",
"https://browntubeporn.com/tsara-brashearsAccept-Language",
"https://cg864.myhotzpic.com phishing \u2022 http://dashboard.myhotzpic.com/",
"https://myhotzpic.com/tsara-brashears-hardcore-lesbian-sex/anime-studio.org*thumbs-fa...",
"https://mypornvid.com/videos/27/x510fb2/white-dpt-jeffrey-reimer-loves-pretty-indian-patient-forces-sex-3gp-video-tsara-brashears/caillou-finger",
"http://siteinlink.d1.cnbd.net/search/tsara-brashears-dead \u2022 http://siteinlink.d1.cnbd.net/site/maps.google.com.lb/",
"http://siteinlink.d1.cnbd.net/search/tsara-brashears-assaulted-by-jeffrey-reimer",
"http://siteinlink.d1.cnbd.net/search/tsara-brashears-dead \u2022 https://videolal.com/videos/tsara-brashears-dead-by-daylight.html",
"http://pixelrz.com/lists/keywords/tsara-brashears-dead/360 \u2022 http://pixelrz.com/lists/keywords/tsara-brashears-dead/360] No Expiration\t4\t Domain tsara-brashears-deadspin-twitter-suspended-account-help.ht",
"https://www.anyxxxtube.net/search-porn/tsara-brashears/",
"https://www.pornhub.com/gifs/search?search=tsara+lynn+brashears+lesbian",
"https://www.anyxxxtube.net/search-porn/tsara-brashears/",
"https://twitter.com/PORNO_SEXYBABES \u2022 girlsdoporn.com",
"Treece Alfrey Musat P.C. Attorneys at Law Christopher P. Ahmann | https://TamLegal.com",
"https://urlscan.io/screenshots/e931bb02-80dc-46db-92f0-43d5afa258be.png"
],
"public": 1,
"adversary": "",
"targeted_countries": [],
"malware_families": [
{
"id": "TrojanSpy:Win32/Nivdort",
"display_name": "TrojanSpy:Win32/Nivdort",
"target": "/malware/TrojanSpy:Win32/Nivdort"
},
{
"id": "Worm:Win32/Autorun",
"display_name": "Worm:Win32/Autorun",
"target": "/malware/Worm:Win32/Autorun"
},
{
"id": "Tofsee",
"display_name": "Tofsee",
"target": null
},
{
"id": "Jaik",
"display_name": "Jaik",
"target": null
},
{
"id": "Trojan:Win32/Qshell",
"display_name": "Trojan:Win32/Qshell",
"target": "/malware/Trojan:Win32/Qshell"
},
{
"id": "Trojan:Win32/Mydoom",
"display_name": "Trojan:Win32/Mydoom",
"target": "/malware/Trojan:Win32/Mydoom"
}
],
"attack_ids": [
{
"id": "T1045",
"name": "Software Packing",
"display_name": "T1045 - Software Packing"
},
{
"id": "T1057",
"name": "Process Discovery",
"display_name": "T1057 - Process Discovery"
},
{
"id": "T1060",
"name": "Registry Run Keys / Startup Folder",
"display_name": "T1060 - Registry Run Keys / Startup Folder"
},
{
"id": "T1053",
"name": "Scheduled Task/Job",
"display_name": "T1053 - Scheduled Task/Job"
},
{
"id": "T1055",
"name": "Process Injection",
"display_name": "T1055 - Process Injection"
},
{
"id": "T1082",
"name": "System Information Discovery",
"display_name": "T1082 - System Information Discovery"
},
{
"id": "T1112",
"name": "Modify Registry",
"display_name": "T1112 - Modify Registry"
},
{
"id": "T1119",
"name": "Automated Collection",
"display_name": "T1119 - Automated Collection"
},
{
"id": "T1129",
"name": "Shared Modules",
"display_name": "T1129 - Shared Modules"
},
{
"id": "T1143",
"name": "Hidden Window",
"display_name": "T1143 - Hidden Window"
},
{
"id": "T1063",
"name": "Security Software Discovery",
"display_name": "T1063 - Security Software Discovery"
},
{
"id": "T1027",
"name": "Obfuscated Files or Information",
"display_name": "T1027 - Obfuscated Files or Information"
},
{
"id": "T1071",
"name": "Application Layer Protocol",
"display_name": "T1071 - Application Layer Protocol"
},
{
"id": "T1518",
"name": "Software Discovery",
"display_name": "T1518 - Software Discovery"
},
{
"id": "T1553",
"name": "Subvert Trust Controls",
"display_name": "T1553 - Subvert Trust Controls"
},
{
"id": "T1568",
"name": "Dynamic Resolution",
"display_name": "T1568 - Dynamic Resolution"
},
{
"id": "T1583",
"name": "Acquire Infrastructure",
"display_name": "T1583 - Acquire Infrastructure"
},
{
"id": "T1069",
"name": "Permission Groups Discovery",
"display_name": "T1069 - Permission Groups Discovery"
},
{
"id": "T1105",
"name": "Ingress Tool Transfer",
"display_name": "T1105 - Ingress Tool Transfer"
},
{
"id": "T1113",
"name": "Screen Capture",
"display_name": "T1113 - Screen Capture"
},
{
"id": "T1140",
"name": "Deobfuscate/Decode Files or Information",
"display_name": "T1140 - Deobfuscate/Decode Files or Information"
},
{
"id": "T1197",
"name": "BITS Jobs",
"display_name": "T1197 - BITS Jobs"
},
{
"id": "T1210",
"name": "Exploitation of Remote Services",
"display_name": "T1210 - Exploitation of Remote Services"
},
{
"id": "T1457",
"name": "Malicious Media Content",
"display_name": "T1457 - Malicious Media Content"
},
{
"id": "T1480",
"name": "Execution Guardrails",
"display_name": "T1480 - Execution Guardrails"
},
{
"id": "T1562",
"name": "Impair Defenses",
"display_name": "T1562 - Impair Defenses"
},
{
"id": "T1574",
"name": "Hijack Execution Flow",
"display_name": "T1574 - Hijack Execution Flow"
}
],
"industries": [],
"TLP": "green",
"cloned_from": "69631fbd16e306ee2b76c4da",
"export_count": 0,
"upvotes_count": 0,
"downvotes_count": 0,
"votes_count": 0,
"locked": false,
"pulse_source": "web",
"validator_count": 0,
"comment_count": 1,
"follower_count": 0,
"vote": 0,
"author": {
"username": "Q.Vashti",
"id": "337942",
"avatar_url": "https://otx.alienvault.com/assets/images/default-avatar.png",
"is_subscribed": false,
"is_following": false
},
"indicator_type_counts": {
"URL": 8897,
"domain": 2102,
"hostname": 2867,
"FileHash-SHA256": 3886,
"FileHash-MD5": 619,
"FileHash-SHA1": 555,
"CVE": 3,
"email": 5,
"SSLCertFingerprint": 8
},
"indicator_count": 18942,
"is_author": false,
"is_subscribing": null,
"subscriber_count": 137,
"modified_text": "36 days ago ",
"is_modified": false,
"groups": [],
"in_group": false,
"threat_hunter_scannable": true,
"threat_hunter_has_agents": 1,
"related_indicator_type": "URL",
"related_indicator_is_active": 1
},
{
"id": "69b496396ca4987e95ad37d1",
"name": "Chris Buzz by QVashni (wow)",
"description": "",
"modified": "2026-03-13T22:56:57.314000",
"created": "2026-03-13T22:56:57.314000",
"tags": [
"related pulses",
"p1377925676",
"gaz1",
"sid1696503456",
"sct1",
"active",
"dynamicloader",
"medium",
"write c",
"search",
"show",
"high",
"program gateway",
"http traffic",
"http",
"write",
"malware",
"nivdort",
"serving ip",
"address",
"status code",
"kb body",
"sha256",
"gw5hjz7t975",
"url https",
"url http",
"indicator role",
"pulses url",
"hostname",
"poland unknown",
"present sep",
"present jul",
"present may",
"present apr",
"present dec",
"present jan",
"moved",
"passive dns",
"ip address",
"title",
"location poland",
"asn as29522",
"gmt content",
"accept encoding",
"ipv4 add",
"urls",
"files",
"reverse dns",
"united",
"record value",
"aaaa",
"mtb oct",
"found",
"error",
"read c",
"memcommit",
"module load",
"next",
"showing",
"trojan",
"execution",
"unknown",
"entries",
"ms windows",
"intel",
"as15169",
"codeoverlap",
"yara detections",
"delphi",
"worm",
"win32",
"win64",
"learn",
"ck id",
"name tactics",
"suspicious",
"informative",
"adversaries",
"command",
"spawns",
"ssl certificate",
"execution att",
"script urls",
"treece alfrey",
"meta",
"germany unknown",
"for privacy",
"title added",
"active related",
"pulses",
"asnone",
"named pipe",
"type indicator",
"role title",
"added active",
"filehashsha256",
"ally",
"melika",
"information",
"law christopher",
"https",
"fake pinterest",
"tsara",
"traceback man",
"expiro",
"capture",
"domain",
"types of",
"germany",
"poland",
"netherlands",
"cve cve20178977",
"boobs130432 nov",
"learn more",
"filehashmd5",
"utmsourceawin",
"pe32",
"head microsoft",
"delete",
"main",
"backdoor",
"next associated",
"gmt connection",
"control",
"content type",
"twitter",
"certificate",
"redirect date",
"cache",
"unknown ns",
"hostname add",
"ipv4",
"pulse pulses",
"location united",
"america flag",
"america asn",
"windows",
"total",
"ids detections",
"url add",
"related nids",
"files location",
"flag united",
"win32mydoom nov",
"domain add",
"yara rule",
"ee fc",
"ff d5",
"f0 ff",
"eb e1",
"ff ff",
"c1 e8",
"c1 c0",
"eb e8",
"mpress",
"cache control",
"x cache",
"date",
"name servers",
"arial",
"present aug",
"present jun",
"may god",
"hall render",
"palantir doing",
"jeffrey scott",
"jeffrey reimer",
"brian sabey",
"butt pirates",
"scott reimer",
"colorado",
"quasi government",
"workers compensation",
"eva lisa",
"eva reimer",
"sammie",
"montano mark",
"death threats",
"tulach",
"hired hit men",
"gay man",
"gay porn",
"concentra",
"corruption",
"palantir",
"foundry",
"grifter",
"warning",
"illegal",
"apple",
"contacted",
"ransom",
"dead",
"denver"
],
"references": [
"https://tamlegal.com/attorneys/christopher-p-ahmann/#breadcrumb \u2022 https://www.milehighmedia.com/en/movies",
"https://www.milehighmedia.com/legal/2257 \u2022 https://www.milehighmedia",
"www.milehighmedia.com \u2022 https://www.milehighmedia.com/en/Charlie-Dean/pornstar/49512",
"https://www.milehighmedia.com/en/login/index/aHR0cHMlM0ElMkYlMkZtZW1iZXJzLm1pbGVoaWdobWVkaWEuY29tJTJGZW4lMkZ2aWRlb3MlMkZzd2VldGhlYXJ0dmlkZW8lM0ZhbHVwJTNEQURqeF9ITjhfd1oweU96UnpsU3NNNUZLaVVxSzBXNEN0X3NmTFpKTGVJc3M2b0RVUzkwVmp6VllNVko5eFpmdENYcFNKd3IzOTNaMG1mOEpXeVhVeVZpLTJZYVRsaGd3M25DSDRpYnRwZ25BRC1zUFhDQVUycjZJOXo2WWtRMzNVWVFhMFZyWC1YckxvcnRkVjJZdEgxSDYxZ1lhMTFNS3RZSkEzY3FlSXhFQzhtSlAzSk1tbloySURMQXlMZndPcHozSFFiTzF4T0FseXJIQ0xYem1ldFElMkE=\t \thttp://www.milehighmedia.com/?ats=eyJhIjoyOTYzMTgsImMiOjU3OTYzNz",
"http://www.milehighmedia.com/legal\t \u2022 https://www.milehighmedia.com/en/pornstar/milehighmedia/Justin-Hunt/51017",
"https://www.milehighmedia.com/de/MileHighMedia/scene/129689?utm_source=271174&utm_medium=affiliate&utm_campaign=",
"http://www.milehighmedia.com/?ats=eyJhIjoyOTYzMTgsImMiOjU3OTYzNzc1LCJuIjo3NiwicyI6NT...",
"ttps://www.milehighmedia.com/scene/4404473/creampie-adventures-scene-2-sneaky-melanie",
"https://www.milehighmedia.com/join \u2022 https://www.milehighmedia.com/models \u2022 https://www.milehighmedia.com/movies",
"https://www.milehighmedia.com/model/59136/avi-love \u2022https://www.milehighmedia.com/model/60418/Justin-Hunt \u2022",
"https://www.milehighmedia.com/en/photo/milehighmedia/The-Mother-I-Cant-Resist/52380",
"https://www.milehighmedia.com/en/movies \u2022 https://www.milehighmedia.com/join",
"https://www.pornhub.com/gifs/search?search=tsara+lynn+brashears+lesbian",
"pornhub-e.com \u2022 www.pornhub.com \u2022",
"https://www.sweetheartvideo.com/tsara-brashears/ \u2022 www.sweetheartvideo.com",
"https://www.sweetheartvideo.com/en/?s=1?s=1&utm_source=272160&utm_medium=affiliate&utm_campaign=lovelezzies",
"https://www.sweetheartvideo.com/en/dvd/Lesbian-Massage/49895",
"https://www.sweetheartvideo.com/en/dvds \u2022 https://www.sweetheartvideo.com/en/login",
"https://www.sweetheartvideo.com/en/model/Mona-Wales/49601 \u2022 https://www.sweetheartvideo.com/en/scene/Truth-Dare--Boobs/130432 No Expiration\t0\t URL https://www.sweetheartvideo.com/it/model/Kristen-Scott/50432 \u2022 https://www.sweetheartvideo.com/model/63710/brandi-love",
"https://www.sweetheartvideo.com/scenes?models=63710",
"https://www.sweetheartvideo.com/model/63710/brandi-love",
"https://www.sweetheartvideo.com/scenes?models=63710",
"https://www.sweetheartvideo.com/it/model/Kristen-Scott/50432",
"https://www.sweetheartvideo.com/en/scene/Truth-Dare--Boobs/130432",
"https://www.milehighmedia.com/en/photo/milehighmedia/The-Mother-I-Cant-Resist/52380",
"https://www.vgt.pl/font/roboto/Roboto-Bold.eot \u2022",
"https://www.vgt.pl/94.152.152.233/images/logo.png",
"https://www.vgt.pl/94.152.156.22/logo.png \u2022 https://www.vgt.pl/css/",
"https://www.vgt.pl/favicon.ico",
"https://www.vgt.pl/font/fa/fontawesome-webfont.eot",
"https://www.vgt.pl/font/roboto/Roboto-Bold.ttf \u2022 https://www.vgt.pl/font/roboto/Roboto-Light.eot",
"https://www.vgt.pl/font/roboto/Roboto-Medium.ttf",
"https://www.vgt.pl/font/roboto/Roboto-Light.ttf \u2022",
"https://www.vgt.pl/static/js/bootstrap-typeahead.jstic/js/bootstrap-typeahead.js",
"https://www.vgt.pl/style/style.css \u2022 https://www.vgt.pl/font/roboto/Roboto-Medium.eot",
"https://www.vgt.pl/font/roboto/Roboto-Regular.ttf \u2022 https://www.vgt.pl/font/roboto/Roboto-Thin.eot",
"https://www.vgt.pl/static/js/bootstrap-typeahead.js.179.252.2",
"https://www.vgt.pl/font/roboto/Roboto-Thin.ttf \u2022 https://www.vgt.pl/static/js/bootstrap-typeahead.js",
"https://www.vgt.pl/font/roboto/Roboto-Regular.eot \u2022 https://www.vgt.pl/94.152.156.22/logo.png \u2022 https://www.vgt.pl/css/",
"vgt.pl \u2022 www.hak.vgt.pl \u2022 www.localhost.vgt.pl \u2022 www.certyfikat.vgt.pl \u2022 aristocrat.vgt.pl",
"https://www.vgt.pl/ phishing \u2022 https://vgt.pl/ \u2022www.vgt.pl \u2022 https://www.vgt.pl/94.152.152.233/images/logo.png",
"http://www.pornokind.vgt.pl \u2022 https://dbkuewww.m.vgt.pl \u2022 https://lokalnyhost.vgt.pl \u2022 www.xn--twj-hna.pedofil.vgt.pl",
"http://www.hak.vgt.pl \u2022 http://pornokind.vgt.pl \u2022 http://sip.vgt.pl \u2022 http://smtp-qa.vgt.pl \u2022 http://vgt.pl/*.",
"https://pornokind.vgt.pl \u2022 https://sip.vgt.pl \u2022 https://smtp-qa.vgt.pl \u2022 https://www.vgt.pl/94.152.156.22/logo.png",
"www.localhost.vgt.pl \u2022 www.certyfikat.vgt.pl \u2022 https://www.vgt.pl/94.152.152.233/images/logo.png",
"https://www.vgt.pl/css/ \u2022 https://www.vgt.pl/favicon.ico \u2022 https://www.vgt.pl/font/fa/fontawesome-webfont.eot",
"https://www.vgt.pl/font/roboto/Roboto-Bold.eot \u2022 https://www.vgt.pl/font/roboto/Roboto-Bold.ttf \u2022 https://www.vgt.pl/font/roboto/Roboto-Light.eot",
"https://www.vgt.pl/static/js/bootstrap-typeahead.jstic/js/bootstrap-typeahead.js",
"https://www.vgt.pl/style/style.css \u2022 https://www.vgt.pl/static/js/bootstrap-typeahead.js",
"IP Address 94.152.58.192 Location Poland ASN AS29522 h88 s.a. Nameservers ns1.kei.pl. , ns2.kei.pl.",
"www.happylifehappywife.com \u2022 http://www.happylifehappywife.com/2010/02/'>",
"http://www.happylifehappywife.com/2010/04/'> \u2022 http://www.happylifehappywife.com/2010/05/'>",
"http://www.happylifehappywife.com/2010/07/'> \u2022 http://www.happylifehappywife.com/2010/09/'>",
"http://www.happylifehappywife.com/2011/06/'> \u2022 http://www.happylifehappywife.com/2011/08/'",
"http://www.happylifehappywife.com/2011/08/'> \u2022 http://www.happylifehappywife.com/2012/07/'>",
"http://www.happylifehappywife.com/2013/03/'> \u2022 http://www.happylifehappywife.com/index.php",
"http://www.happylifehappywife.com/wp-content/themes/theme78222/images/top-right.jpg",
"https://amp.mypornvid.fun/videos/8/AhxS-ej1myg/gf-18-com/\ud83c\udf81-i39m-your-present-\ud83c\udf81-girlfriend-surprises-you-for-christmas-reunion-soft-kisses-amp-cuddles",
"8-25-220-162-static.reverse.queryfoundry.net\t\t\tNov 1, 2025, 9:34:14 AM\t\t5\t domain\tqueryfoundry.net\t\t\tNov 1, 2025, 9:34:14 AM\t\t8\t URL\thttp://117-114-251-162-static.reverse.queryfoundry.net/",
"http://watchhers.net/index.php",
"remotewd.com device local",
"nr-data.net \u2022 applemusic-spotlight.myunidays.com \u2022 init.ess.apple.com \u2022 tv.apple.com",
"https://browntubeporn.com/tsara-brashearsAccept-Language",
"https://cg864.myhotzpic.com phishing \u2022 http://dashboard.myhotzpic.com/",
"https://myhotzpic.com/tsara-brashears-hardcore-lesbian-sex/anime-studio.org*thumbs-fa...",
"https://mypornvid.com/videos/27/x510fb2/white-dpt-jeffrey-reimer-loves-pretty-indian-patient-forces-sex-3gp-video-tsara-brashears/caillou-finger",
"http://siteinlink.d1.cnbd.net/search/tsara-brashears-dead \u2022 http://siteinlink.d1.cnbd.net/site/maps.google.com.lb/",
"http://siteinlink.d1.cnbd.net/search/tsara-brashears-assaulted-by-jeffrey-reimer",
"http://siteinlink.d1.cnbd.net/search/tsara-brashears-dead \u2022 https://videolal.com/videos/tsara-brashears-dead-by-daylight.html",
"http://pixelrz.com/lists/keywords/tsara-brashears-dead/360 \u2022 http://pixelrz.com/lists/keywords/tsara-brashears-dead/360] No Expiration\t4\t Domain tsara-brashears-deadspin-twitter-suspended-account-help.ht",
"https://www.anyxxxtube.net/search-porn/tsara-brashears/",
"https://www.pornhub.com/gifs/search?search=tsara+lynn+brashears+lesbian",
"https://www.anyxxxtube.net/search-porn/tsara-brashears/",
"https://twitter.com/PORNO_SEXYBABES \u2022 girlsdoporn.com",
"Treece Alfrey Musat P.C. Attorneys at Law Christopher P. Ahmann | https://TamLegal.com",
"https://urlscan.io/screenshots/e931bb02-80dc-46db-92f0-43d5afa258be.png"
],
"public": 1,
"adversary": "",
"targeted_countries": [],
"malware_families": [
{
"id": "TrojanSpy:Win32/Nivdort",
"display_name": "TrojanSpy:Win32/Nivdort",
"target": "/malware/TrojanSpy:Win32/Nivdort"
},
{
"id": "Worm:Win32/Autorun",
"display_name": "Worm:Win32/Autorun",
"target": "/malware/Worm:Win32/Autorun"
},
{
"id": "Tofsee",
"display_name": "Tofsee",
"target": null
},
{
"id": "Jaik",
"display_name": "Jaik",
"target": null
},
{
"id": "Trojan:Win32/Qshell",
"display_name": "Trojan:Win32/Qshell",
"target": "/malware/Trojan:Win32/Qshell"
},
{
"id": "Trojan:Win32/Mydoom",
"display_name": "Trojan:Win32/Mydoom",
"target": "/malware/Trojan:Win32/Mydoom"
}
],
"attack_ids": [
{
"id": "T1045",
"name": "Software Packing",
"display_name": "T1045 - Software Packing"
},
{
"id": "T1057",
"name": "Process Discovery",
"display_name": "T1057 - Process Discovery"
},
{
"id": "T1060",
"name": "Registry Run Keys / Startup Folder",
"display_name": "T1060 - Registry Run Keys / Startup Folder"
},
{
"id": "T1053",
"name": "Scheduled Task/Job",
"display_name": "T1053 - Scheduled Task/Job"
},
{
"id": "T1055",
"name": "Process Injection",
"display_name": "T1055 - Process Injection"
},
{
"id": "T1082",
"name": "System Information Discovery",
"display_name": "T1082 - System Information Discovery"
},
{
"id": "T1112",
"name": "Modify Registry",
"display_name": "T1112 - Modify Registry"
},
{
"id": "T1119",
"name": "Automated Collection",
"display_name": "T1119 - Automated Collection"
},
{
"id": "T1129",
"name": "Shared Modules",
"display_name": "T1129 - Shared Modules"
},
{
"id": "T1143",
"name": "Hidden Window",
"display_name": "T1143 - Hidden Window"
},
{
"id": "T1063",
"name": "Security Software Discovery",
"display_name": "T1063 - Security Software Discovery"
},
{
"id": "T1027",
"name": "Obfuscated Files or Information",
"display_name": "T1027 - Obfuscated Files or Information"
},
{
"id": "T1071",
"name": "Application Layer Protocol",
"display_name": "T1071 - Application Layer Protocol"
},
{
"id": "T1518",
"name": "Software Discovery",
"display_name": "T1518 - Software Discovery"
},
{
"id": "T1553",
"name": "Subvert Trust Controls",
"display_name": "T1553 - Subvert Trust Controls"
},
{
"id": "T1568",
"name": "Dynamic Resolution",
"display_name": "T1568 - Dynamic Resolution"
},
{
"id": "T1583",
"name": "Acquire Infrastructure",
"display_name": "T1583 - Acquire Infrastructure"
},
{
"id": "T1069",
"name": "Permission Groups Discovery",
"display_name": "T1069 - Permission Groups Discovery"
},
{
"id": "T1105",
"name": "Ingress Tool Transfer",
"display_name": "T1105 - Ingress Tool Transfer"
},
{
"id": "T1113",
"name": "Screen Capture",
"display_name": "T1113 - Screen Capture"
},
{
"id": "T1140",
"name": "Deobfuscate/Decode Files or Information",
"display_name": "T1140 - Deobfuscate/Decode Files or Information"
},
{
"id": "T1197",
"name": "BITS Jobs",
"display_name": "T1197 - BITS Jobs"
},
{
"id": "T1210",
"name": "Exploitation of Remote Services",
"display_name": "T1210 - Exploitation of Remote Services"
},
{
"id": "T1457",
"name": "Malicious Media Content",
"display_name": "T1457 - Malicious Media Content"
},
{
"id": "T1480",
"name": "Execution Guardrails",
"display_name": "T1480 - Execution Guardrails"
},
{
"id": "T1562",
"name": "Impair Defenses",
"display_name": "T1562 - Impair Defenses"
},
{
"id": "T1574",
"name": "Hijack Execution Flow",
"display_name": "T1574 - Hijack Execution Flow"
}
],
"industries": [],
"TLP": "green",
"cloned_from": "69482caa00d327da8f0a87bc",
"export_count": 0,
"upvotes_count": 0,
"downvotes_count": 0,
"votes_count": 0,
"locked": false,
"pulse_source": "web",
"validator_count": 0,
"comment_count": 0,
"follower_count": 0,
"vote": 0,
"author": {
"username": "msudosos",
"id": "381696",
"avatar_url": "https://otx.alienvault.com/assets/images/default-avatar.png",
"is_subscribed": false,
"is_following": false
},
"indicator_type_counts": {
"URL": 8897,
"domain": 2102,
"hostname": 2867,
"FileHash-SHA256": 3886,
"FileHash-MD5": 619,
"FileHash-SHA1": 555,
"CVE": 3,
"email": 5,
"SSLCertFingerprint": 8
},
"indicator_count": 18942,
"is_author": false,
"is_subscribing": null,
"subscriber_count": 47,
"modified_text": "36 days ago ",
"is_modified": false,
"groups": [],
"in_group": false,
"threat_hunter_scannable": true,
"threat_hunter_has_agents": 1,
"related_indicator_type": "URL",
"related_indicator_is_active": 1
},
{
"id": "69b49587dd104e342dda1628",
"name": "C Ahman Attorney Clone by Top Tier, Q.Vashti",
"description": "",
"modified": "2026-03-13T22:53:59.112000",
"created": "2026-03-13T22:53:59.112000",
"tags": [
"related pulses",
"p1377925676",
"gaz1",
"sid1696503456",
"sct1",
"active",
"dynamicloader",
"medium",
"write c",
"search",
"show",
"high",
"program gateway",
"http traffic",
"http",
"write",
"malware",
"nivdort",
"serving ip",
"address",
"status code",
"kb body",
"sha256",
"gw5hjz7t975",
"url https",
"url http",
"indicator role",
"pulses url",
"hostname",
"poland unknown",
"present sep",
"present jul",
"present may",
"present apr",
"present dec",
"present jan",
"moved",
"passive dns",
"ip address",
"title",
"location poland",
"asn as29522",
"gmt content",
"accept encoding",
"ipv4 add",
"urls",
"files",
"reverse dns",
"united",
"record value",
"aaaa",
"mtb oct",
"found",
"error",
"read c",
"memcommit",
"module load",
"next",
"showing",
"trojan",
"execution",
"unknown",
"entries",
"ms windows",
"intel",
"as15169",
"codeoverlap",
"yara detections",
"delphi",
"worm",
"win32",
"win64",
"learn",
"ck id",
"name tactics",
"suspicious",
"informative",
"adversaries",
"command",
"spawns",
"ssl certificate",
"execution att",
"script urls",
"treece alfrey",
"meta",
"germany unknown",
"for privacy",
"title added",
"active related",
"pulses",
"asnone",
"named pipe",
"type indicator",
"role title",
"added active",
"filehashsha256",
"ally",
"melika",
"information",
"law christopher",
"https",
"fake pinterest",
"tsara",
"traceback man",
"expiro",
"capture",
"domain",
"types of",
"germany",
"poland",
"netherlands",
"cve cve20178977",
"boobs130432 nov",
"learn more",
"filehashmd5",
"utmsourceawin",
"pe32",
"head microsoft",
"delete",
"main",
"backdoor",
"next associated",
"gmt connection",
"control",
"content type",
"twitter",
"certificate",
"redirect date",
"cache",
"unknown ns",
"hostname add",
"ipv4",
"pulse pulses",
"location united",
"america flag",
"america asn",
"windows",
"total",
"ids detections",
"url add",
"related nids",
"files location",
"flag united",
"win32mydoom nov",
"domain add",
"yara rule",
"ee fc",
"ff d5",
"f0 ff",
"eb e1",
"ff ff",
"c1 e8",
"c1 c0",
"eb e8",
"mpress",
"cache control",
"x cache",
"date",
"name servers",
"arial",
"present aug",
"present jun",
"may god",
"hall render",
"palantir doing",
"jeffrey scott",
"jeffrey reimer",
"brian sabey",
"butt pirates",
"scott reimer",
"colorado",
"quasi government",
"workers compensation",
"eva lisa",
"eva reimer",
"sammie",
"montano mark",
"death threats",
"tulach",
"hired hit men",
"gay man",
"gay porn",
"concentra",
"corruption",
"palantir",
"foundry",
"grifter",
"warning",
"illegal",
"apple",
"contacted",
"ransom",
"dead",
"denver"
],
"references": [
"https://tamlegal.com/attorneys/christopher-p-ahmann/#breadcrumb \u2022 https://www.milehighmedia.com/en/movies",
"https://www.milehighmedia.com/legal/2257 \u2022 https://www.milehighmedia",
"www.milehighmedia.com \u2022 https://www.milehighmedia.com/en/Charlie-Dean/pornstar/49512",
"https://www.milehighmedia.com/en/login/index/aHR0cHMlM0ElMkYlMkZtZW1iZXJzLm1pbGVoaWdobWVkaWEuY29tJTJGZW4lMkZ2aWRlb3MlMkZzd2VldGhlYXJ0dmlkZW8lM0ZhbHVwJTNEQURqeF9ITjhfd1oweU96UnpsU3NNNUZLaVVxSzBXNEN0X3NmTFpKTGVJc3M2b0RVUzkwVmp6VllNVko5eFpmdENYcFNKd3IzOTNaMG1mOEpXeVhVeVZpLTJZYVRsaGd3M25DSDRpYnRwZ25BRC1zUFhDQVUycjZJOXo2WWtRMzNVWVFhMFZyWC1YckxvcnRkVjJZdEgxSDYxZ1lhMTFNS3RZSkEzY3FlSXhFQzhtSlAzSk1tbloySURMQXlMZndPcHozSFFiTzF4T0FseXJIQ0xYem1ldFElMkE=\t \thttp://www.milehighmedia.com/?ats=eyJhIjoyOTYzMTgsImMiOjU3OTYzNz",
"http://www.milehighmedia.com/legal\t \u2022 https://www.milehighmedia.com/en/pornstar/milehighmedia/Justin-Hunt/51017",
"https://www.milehighmedia.com/de/MileHighMedia/scene/129689?utm_source=271174&utm_medium=affiliate&utm_campaign=",
"http://www.milehighmedia.com/?ats=eyJhIjoyOTYzMTgsImMiOjU3OTYzNzc1LCJuIjo3NiwicyI6NT...",
"ttps://www.milehighmedia.com/scene/4404473/creampie-adventures-scene-2-sneaky-melanie",
"https://www.milehighmedia.com/join \u2022 https://www.milehighmedia.com/models \u2022 https://www.milehighmedia.com/movies",
"https://www.milehighmedia.com/model/59136/avi-love \u2022https://www.milehighmedia.com/model/60418/Justin-Hunt \u2022",
"https://www.milehighmedia.com/en/photo/milehighmedia/The-Mother-I-Cant-Resist/52380",
"https://www.milehighmedia.com/en/movies \u2022 https://www.milehighmedia.com/join",
"https://www.pornhub.com/gifs/search?search=tsara+lynn+brashears+lesbian",
"pornhub-e.com \u2022 www.pornhub.com \u2022",
"https://www.sweetheartvideo.com/tsara-brashears/ \u2022 www.sweetheartvideo.com",
"https://www.sweetheartvideo.com/en/?s=1?s=1&utm_source=272160&utm_medium=affiliate&utm_campaign=lovelezzies",
"https://www.sweetheartvideo.com/en/dvd/Lesbian-Massage/49895",
"https://www.sweetheartvideo.com/en/dvds \u2022 https://www.sweetheartvideo.com/en/login",
"https://www.sweetheartvideo.com/en/model/Mona-Wales/49601 \u2022 https://www.sweetheartvideo.com/en/scene/Truth-Dare--Boobs/130432 No Expiration\t0\t URL https://www.sweetheartvideo.com/it/model/Kristen-Scott/50432 \u2022 https://www.sweetheartvideo.com/model/63710/brandi-love",
"https://www.sweetheartvideo.com/scenes?models=63710",
"https://www.sweetheartvideo.com/model/63710/brandi-love",
"https://www.sweetheartvideo.com/scenes?models=63710",
"https://www.sweetheartvideo.com/it/model/Kristen-Scott/50432",
"https://www.sweetheartvideo.com/en/scene/Truth-Dare--Boobs/130432",
"https://www.milehighmedia.com/en/photo/milehighmedia/The-Mother-I-Cant-Resist/52380",
"https://www.vgt.pl/font/roboto/Roboto-Bold.eot \u2022",
"https://www.vgt.pl/94.152.152.233/images/logo.png",
"https://www.vgt.pl/94.152.156.22/logo.png \u2022 https://www.vgt.pl/css/",
"https://www.vgt.pl/favicon.ico",
"https://www.vgt.pl/font/fa/fontawesome-webfont.eot",
"https://www.vgt.pl/font/roboto/Roboto-Bold.ttf \u2022 https://www.vgt.pl/font/roboto/Roboto-Light.eot",
"https://www.vgt.pl/font/roboto/Roboto-Medium.ttf",
"https://www.vgt.pl/font/roboto/Roboto-Light.ttf \u2022",
"https://www.vgt.pl/static/js/bootstrap-typeahead.jstic/js/bootstrap-typeahead.js",
"https://www.vgt.pl/style/style.css \u2022 https://www.vgt.pl/font/roboto/Roboto-Medium.eot",
"https://www.vgt.pl/font/roboto/Roboto-Regular.ttf \u2022 https://www.vgt.pl/font/roboto/Roboto-Thin.eot",
"https://www.vgt.pl/static/js/bootstrap-typeahead.js.179.252.2",
"https://www.vgt.pl/font/roboto/Roboto-Thin.ttf \u2022 https://www.vgt.pl/static/js/bootstrap-typeahead.js",
"https://www.vgt.pl/font/roboto/Roboto-Regular.eot \u2022 https://www.vgt.pl/94.152.156.22/logo.png \u2022 https://www.vgt.pl/css/",
"vgt.pl \u2022 www.hak.vgt.pl \u2022 www.localhost.vgt.pl \u2022 www.certyfikat.vgt.pl \u2022 aristocrat.vgt.pl",
"https://www.vgt.pl/ phishing \u2022 https://vgt.pl/ \u2022www.vgt.pl \u2022 https://www.vgt.pl/94.152.152.233/images/logo.png",
"http://www.pornokind.vgt.pl \u2022 https://dbkuewww.m.vgt.pl \u2022 https://lokalnyhost.vgt.pl \u2022 www.xn--twj-hna.pedofil.vgt.pl",
"http://www.hak.vgt.pl \u2022 http://pornokind.vgt.pl \u2022 http://sip.vgt.pl \u2022 http://smtp-qa.vgt.pl \u2022 http://vgt.pl/*.",
"https://pornokind.vgt.pl \u2022 https://sip.vgt.pl \u2022 https://smtp-qa.vgt.pl \u2022 https://www.vgt.pl/94.152.156.22/logo.png",
"www.localhost.vgt.pl \u2022 www.certyfikat.vgt.pl \u2022 https://www.vgt.pl/94.152.152.233/images/logo.png",
"https://www.vgt.pl/css/ \u2022 https://www.vgt.pl/favicon.ico \u2022 https://www.vgt.pl/font/fa/fontawesome-webfont.eot",
"https://www.vgt.pl/font/roboto/Roboto-Bold.eot \u2022 https://www.vgt.pl/font/roboto/Roboto-Bold.ttf \u2022 https://www.vgt.pl/font/roboto/Roboto-Light.eot",
"https://www.vgt.pl/static/js/bootstrap-typeahead.jstic/js/bootstrap-typeahead.js",
"https://www.vgt.pl/style/style.css \u2022 https://www.vgt.pl/static/js/bootstrap-typeahead.js",
"IP Address 94.152.58.192 Location Poland ASN AS29522 h88 s.a. Nameservers ns1.kei.pl. , ns2.kei.pl.",
"www.happylifehappywife.com \u2022 http://www.happylifehappywife.com/2010/02/'>",
"http://www.happylifehappywife.com/2010/04/'> \u2022 http://www.happylifehappywife.com/2010/05/'>",
"http://www.happylifehappywife.com/2010/07/'> \u2022 http://www.happylifehappywife.com/2010/09/'>",
"http://www.happylifehappywife.com/2011/06/'> \u2022 http://www.happylifehappywife.com/2011/08/'",
"http://www.happylifehappywife.com/2011/08/'> \u2022 http://www.happylifehappywife.com/2012/07/'>",
"http://www.happylifehappywife.com/2013/03/'> \u2022 http://www.happylifehappywife.com/index.php",
"http://www.happylifehappywife.com/wp-content/themes/theme78222/images/top-right.jpg",
"https://amp.mypornvid.fun/videos/8/AhxS-ej1myg/gf-18-com/\ud83c\udf81-i39m-your-present-\ud83c\udf81-girlfriend-surprises-you-for-christmas-reunion-soft-kisses-amp-cuddles",
"8-25-220-162-static.reverse.queryfoundry.net\t\t\tNov 1, 2025, 9:34:14 AM\t\t5\t domain\tqueryfoundry.net\t\t\tNov 1, 2025, 9:34:14 AM\t\t8\t URL\thttp://117-114-251-162-static.reverse.queryfoundry.net/",
"http://watchhers.net/index.php",
"remotewd.com device local",
"nr-data.net \u2022 applemusic-spotlight.myunidays.com \u2022 init.ess.apple.com \u2022 tv.apple.com",
"https://browntubeporn.com/tsara-brashearsAccept-Language",
"https://cg864.myhotzpic.com phishing \u2022 http://dashboard.myhotzpic.com/",
"https://myhotzpic.com/tsara-brashears-hardcore-lesbian-sex/anime-studio.org*thumbs-fa...",
"https://mypornvid.com/videos/27/x510fb2/white-dpt-jeffrey-reimer-loves-pretty-indian-patient-forces-sex-3gp-video-tsara-brashears/caillou-finger",
"http://siteinlink.d1.cnbd.net/search/tsara-brashears-dead \u2022 http://siteinlink.d1.cnbd.net/site/maps.google.com.lb/",
"http://siteinlink.d1.cnbd.net/search/tsara-brashears-assaulted-by-jeffrey-reimer",
"http://siteinlink.d1.cnbd.net/search/tsara-brashears-dead \u2022 https://videolal.com/videos/tsara-brashears-dead-by-daylight.html",
"http://pixelrz.com/lists/keywords/tsara-brashears-dead/360 \u2022 http://pixelrz.com/lists/keywords/tsara-brashears-dead/360] No Expiration\t4\t Domain tsara-brashears-deadspin-twitter-suspended-account-help.ht",
"https://www.anyxxxtube.net/search-porn/tsara-brashears/",
"https://www.pornhub.com/gifs/search?search=tsara+lynn+brashears+lesbian",
"https://www.anyxxxtube.net/search-porn/tsara-brashears/",
"https://twitter.com/PORNO_SEXYBABES \u2022 girlsdoporn.com",
"Treece Alfrey Musat P.C. Attorneys at Law Christopher P. Ahmann | https://TamLegal.com",
"https://urlscan.io/screenshots/e931bb02-80dc-46db-92f0-43d5afa258be.png"
],
"public": 1,
"adversary": "",
"targeted_countries": [],
"malware_families": [
{
"id": "TrojanSpy:Win32/Nivdort",
"display_name": "TrojanSpy:Win32/Nivdort",
"target": "/malware/TrojanSpy:Win32/Nivdort"
},
{
"id": "Worm:Win32/Autorun",
"display_name": "Worm:Win32/Autorun",
"target": "/malware/Worm:Win32/Autorun"
},
{
"id": "Tofsee",
"display_name": "Tofsee",
"target": null
},
{
"id": "Jaik",
"display_name": "Jaik",
"target": null
},
{
"id": "Trojan:Win32/Qshell",
"display_name": "Trojan:Win32/Qshell",
"target": "/malware/Trojan:Win32/Qshell"
},
{
"id": "Trojan:Win32/Mydoom",
"display_name": "Trojan:Win32/Mydoom",
"target": "/malware/Trojan:Win32/Mydoom"
}
],
"attack_ids": [
{
"id": "T1045",
"name": "Software Packing",
"display_name": "T1045 - Software Packing"
},
{
"id": "T1057",
"name": "Process Discovery",
"display_name": "T1057 - Process Discovery"
},
{
"id": "T1060",
"name": "Registry Run Keys / Startup Folder",
"display_name": "T1060 - Registry Run Keys / Startup Folder"
},
{
"id": "T1053",
"name": "Scheduled Task/Job",
"display_name": "T1053 - Scheduled Task/Job"
},
{
"id": "T1055",
"name": "Process Injection",
"display_name": "T1055 - Process Injection"
},
{
"id": "T1082",
"name": "System Information Discovery",
"display_name": "T1082 - System Information Discovery"
},
{
"id": "T1112",
"name": "Modify Registry",
"display_name": "T1112 - Modify Registry"
},
{
"id": "T1119",
"name": "Automated Collection",
"display_name": "T1119 - Automated Collection"
},
{
"id": "T1129",
"name": "Shared Modules",
"display_name": "T1129 - Shared Modules"
},
{
"id": "T1143",
"name": "Hidden Window",
"display_name": "T1143 - Hidden Window"
},
{
"id": "T1063",
"name": "Security Software Discovery",
"display_name": "T1063 - Security Software Discovery"
},
{
"id": "T1027",
"name": "Obfuscated Files or Information",
"display_name": "T1027 - Obfuscated Files or Information"
},
{
"id": "T1071",
"name": "Application Layer Protocol",
"display_name": "T1071 - Application Layer Protocol"
},
{
"id": "T1518",
"name": "Software Discovery",
"display_name": "T1518 - Software Discovery"
},
{
"id": "T1553",
"name": "Subvert Trust Controls",
"display_name": "T1553 - Subvert Trust Controls"
},
{
"id": "T1568",
"name": "Dynamic Resolution",
"display_name": "T1568 - Dynamic Resolution"
},
{
"id": "T1583",
"name": "Acquire Infrastructure",
"display_name": "T1583 - Acquire Infrastructure"
},
{
"id": "T1069",
"name": "Permission Groups Discovery",
"display_name": "T1069 - Permission Groups Discovery"
},
{
"id": "T1105",
"name": "Ingress Tool Transfer",
"display_name": "T1105 - Ingress Tool Transfer"
},
{
"id": "T1113",
"name": "Screen Capture",
"display_name": "T1113 - Screen Capture"
},
{
"id": "T1140",
"name": "Deobfuscate/Decode Files or Information",
"display_name": "T1140 - Deobfuscate/Decode Files or Information"
},
{
"id": "T1197",
"name": "BITS Jobs",
"display_name": "T1197 - BITS Jobs"
},
{
"id": "T1210",
"name": "Exploitation of Remote Services",
"display_name": "T1210 - Exploitation of Remote Services"
},
{
"id": "T1457",
"name": "Malicious Media Content",
"display_name": "T1457 - Malicious Media Content"
},
{
"id": "T1480",
"name": "Execution Guardrails",
"display_name": "T1480 - Execution Guardrails"
},
{
"id": "T1562",
"name": "Impair Defenses",
"display_name": "T1562 - Impair Defenses"
},
{
"id": "T1574",
"name": "Hijack Execution Flow",
"display_name": "T1574 - Hijack Execution Flow"
}
],
"industries": [],
"TLP": "green",
"cloned_from": "691f4d4ef0a2a570b8b21cd2",
"export_count": 0,
"upvotes_count": 0,
"downvotes_count": 0,
"votes_count": 0,
"locked": false,
"pulse_source": "web",
"validator_count": 0,
"comment_count": 0,
"follower_count": 0,
"vote": 0,
"author": {
"username": "msudosos",
"id": "381696",
"avatar_url": "https://otx.alienvault.com/assets/images/default-avatar.png",
"is_subscribed": false,
"is_following": false
},
"indicator_type_counts": {
"URL": 8897,
"domain": 2102,
"hostname": 2867,
"FileHash-SHA256": 3886,
"FileHash-MD5": 619,
"FileHash-SHA1": 555,
"CVE": 3,
"email": 5,
"SSLCertFingerprint": 8
},
"indicator_count": 18942,
"is_author": false,
"is_subscribing": null,
"subscriber_count": 47,
"modified_text": "36 days ago ",
"is_modified": false,
"groups": [],
"in_group": false,
"threat_hunter_scannable": true,
"threat_hunter_has_agents": 1,
"related_indicator_type": "URL",
"related_indicator_is_active": 1
},
{
"id": "691f4d4ef0a2a570b8b21cd2",
"name": "Chris P. Ahmann Colorado State Criminal Defense Attorney",
"description": "Chris P. Ahmann Colorado State Criminal Defense attorney hired by quasi government Workers Compensation to completely destroy Tsara Brashears literally to death. None of her spinal cord injuries , and other assault injuries discussed or compensated for in rushed settlement case. Her awful racist attorney refused to represent plaintiffs in hearing. Never met with in person for no good reason. Tsara represented herself. Less that 24 hour notice. No briefings, no awareness or mention that Ahmann was representing Jeffrey Scott Reimer for assault\n case. Brashears required 24 hour care by end of life. Received 0 workers compsarion payments. But if this doesn\u2019t prove Reimer\u2019s guilt what does? Continued harassment of associated. \n\nNotice the outages? You\u2019ve cost BILLIONS? Stop threatening everyone.",
"modified": "2026-01-20T17:02:02.650000",
"created": "2025-11-20T17:18:06.929000",
"tags": [
"related pulses",
"p1377925676",
"gaz1",
"sid1696503456",
"sct1",
"active",
"dynamicloader",
"medium",
"write c",
"search",
"show",
"high",
"program gateway",
"http traffic",
"http",
"write",
"malware",
"nivdort",
"serving ip",
"address",
"status code",
"kb body",
"sha256",
"gw5hjz7t975",
"url https",
"url http",
"indicator role",
"pulses url",
"hostname",
"poland unknown",
"present sep",
"present jul",
"present may",
"present apr",
"present dec",
"present jan",
"moved",
"passive dns",
"ip address",
"title",
"location poland",
"asn as29522",
"gmt content",
"accept encoding",
"ipv4 add",
"urls",
"files",
"reverse dns",
"united",
"record value",
"aaaa",
"mtb oct",
"found",
"error",
"read c",
"memcommit",
"module load",
"next",
"showing",
"trojan",
"execution",
"unknown",
"entries",
"ms windows",
"intel",
"as15169",
"codeoverlap",
"yara detections",
"delphi",
"worm",
"win32",
"win64",
"learn",
"ck id",
"name tactics",
"suspicious",
"informative",
"adversaries",
"command",
"spawns",
"ssl certificate",
"execution att",
"script urls",
"treece alfrey",
"meta",
"germany unknown",
"for privacy",
"title added",
"active related",
"pulses",
"asnone",
"named pipe",
"type indicator",
"role title",
"added active",
"filehashsha256",
"ally",
"melika",
"information",
"law christopher",
"https",
"fake pinterest",
"tsara",
"traceback man",
"expiro",
"capture",
"domain",
"types of",
"germany",
"poland",
"netherlands",
"cve cve20178977",
"boobs130432 nov",
"learn more",
"filehashmd5",
"utmsourceawin",
"pe32",
"head microsoft",
"delete",
"main",
"backdoor",
"next associated",
"gmt connection",
"control",
"content type",
"twitter",
"certificate",
"redirect date",
"cache",
"unknown ns",
"hostname add",
"ipv4",
"pulse pulses",
"location united",
"america flag",
"america asn",
"windows",
"total",
"ids detections",
"url add",
"related nids",
"files location",
"flag united",
"win32mydoom nov",
"domain add",
"yara rule",
"ee fc",
"ff d5",
"f0 ff",
"eb e1",
"ff ff",
"c1 e8",
"c1 c0",
"eb e8",
"mpress",
"cache control",
"x cache",
"date",
"name servers",
"arial",
"present aug",
"present jun",
"may god",
"hall render",
"palantir doing",
"jeffrey scott",
"jeffrey reimer",
"brian sabey",
"butt pirates",
"scott reimer",
"colorado",
"quasi government",
"workers compensation",
"eva lisa",
"eva reimer",
"sammie",
"montano mark",
"death threats",
"tulach",
"hired hit men",
"gay man",
"gay porn",
"concentra",
"corruption",
"palantir",
"foundry",
"grifter",
"warning",
"illegal",
"apple",
"contacted",
"ransom",
"dead",
"denver"
],
"references": [
"https://tamlegal.com/attorneys/christopher-p-ahmann/#breadcrumb \u2022 https://www.milehighmedia.com/en/movies",
"https://www.milehighmedia.com/legal/2257 \u2022 https://www.milehighmedia",
"www.milehighmedia.com \u2022 https://www.milehighmedia.com/en/Charlie-Dean/pornstar/49512",
"https://www.milehighmedia.com/en/login/index/aHR0cHMlM0ElMkYlMkZtZW1iZXJzLm1pbGVoaWdobWVkaWEuY29tJTJGZW4lMkZ2aWRlb3MlMkZzd2VldGhlYXJ0dmlkZW8lM0ZhbHVwJTNEQURqeF9ITjhfd1oweU96UnpsU3NNNUZLaVVxSzBXNEN0X3NmTFpKTGVJc3M2b0RVUzkwVmp6VllNVko5eFpmdENYcFNKd3IzOTNaMG1mOEpXeVhVeVZpLTJZYVRsaGd3M25DSDRpYnRwZ25BRC1zUFhDQVUycjZJOXo2WWtRMzNVWVFhMFZyWC1YckxvcnRkVjJZdEgxSDYxZ1lhMTFNS3RZSkEzY3FlSXhFQzhtSlAzSk1tbloySURMQXlMZndPcHozSFFiTzF4T0FseXJIQ0xYem1ldFElMkE=\t \thttp://www.milehighmedia.com/?ats=eyJhIjoyOTYzMTgsImMiOjU3OTYzNz",
"http://www.milehighmedia.com/legal\t \u2022 https://www.milehighmedia.com/en/pornstar/milehighmedia/Justin-Hunt/51017",
"https://www.milehighmedia.com/de/MileHighMedia/scene/129689?utm_source=271174&utm_medium=affiliate&utm_campaign=",
"http://www.milehighmedia.com/?ats=eyJhIjoyOTYzMTgsImMiOjU3OTYzNzc1LCJuIjo3NiwicyI6NT...",
"ttps://www.milehighmedia.com/scene/4404473/creampie-adventures-scene-2-sneaky-melanie",
"https://www.milehighmedia.com/join \u2022 https://www.milehighmedia.com/models \u2022 https://www.milehighmedia.com/movies",
"https://www.milehighmedia.com/model/59136/avi-love \u2022https://www.milehighmedia.com/model/60418/Justin-Hunt \u2022",
"https://www.milehighmedia.com/en/photo/milehighmedia/The-Mother-I-Cant-Resist/52380",
"https://www.milehighmedia.com/en/movies \u2022 https://www.milehighmedia.com/join",
"https://www.pornhub.com/gifs/search?search=tsara+lynn+brashears+lesbian",
"pornhub-e.com \u2022 www.pornhub.com \u2022",
"https://www.sweetheartvideo.com/tsara-brashears/ \u2022 www.sweetheartvideo.com",
"https://www.sweetheartvideo.com/en/?s=1?s=1&utm_source=272160&utm_medium=affiliate&utm_campaign=lovelezzies",
"https://www.sweetheartvideo.com/en/dvd/Lesbian-Massage/49895",
"https://www.sweetheartvideo.com/en/dvds \u2022 https://www.sweetheartvideo.com/en/login",
"https://www.sweetheartvideo.com/en/model/Mona-Wales/49601 \u2022 https://www.sweetheartvideo.com/en/scene/Truth-Dare--Boobs/130432 No Expiration\t0\t URL https://www.sweetheartvideo.com/it/model/Kristen-Scott/50432 \u2022 https://www.sweetheartvideo.com/model/63710/brandi-love",
"https://www.sweetheartvideo.com/scenes?models=63710",
"https://www.sweetheartvideo.com/model/63710/brandi-love",
"https://www.sweetheartvideo.com/scenes?models=63710",
"https://www.sweetheartvideo.com/it/model/Kristen-Scott/50432",
"https://www.sweetheartvideo.com/en/scene/Truth-Dare--Boobs/130432",
"https://www.milehighmedia.com/en/photo/milehighmedia/The-Mother-I-Cant-Resist/52380",
"https://www.vgt.pl/font/roboto/Roboto-Bold.eot \u2022",
"https://www.vgt.pl/94.152.152.233/images/logo.png",
"https://www.vgt.pl/94.152.156.22/logo.png \u2022 https://www.vgt.pl/css/",
"https://www.vgt.pl/favicon.ico",
"https://www.vgt.pl/font/fa/fontawesome-webfont.eot",
"https://www.vgt.pl/font/roboto/Roboto-Bold.ttf \u2022 https://www.vgt.pl/font/roboto/Roboto-Light.eot",
"https://www.vgt.pl/font/roboto/Roboto-Medium.ttf",
"https://www.vgt.pl/font/roboto/Roboto-Light.ttf \u2022",
"https://www.vgt.pl/static/js/bootstrap-typeahead.jstic/js/bootstrap-typeahead.js",
"https://www.vgt.pl/style/style.css \u2022 https://www.vgt.pl/font/roboto/Roboto-Medium.eot",
"https://www.vgt.pl/font/roboto/Roboto-Regular.ttf \u2022 https://www.vgt.pl/font/roboto/Roboto-Thin.eot",
"https://www.vgt.pl/static/js/bootstrap-typeahead.js.179.252.2",
"https://www.vgt.pl/font/roboto/Roboto-Thin.ttf \u2022 https://www.vgt.pl/static/js/bootstrap-typeahead.js",
"https://www.vgt.pl/font/roboto/Roboto-Regular.eot \u2022 https://www.vgt.pl/94.152.156.22/logo.png \u2022 https://www.vgt.pl/css/",
"vgt.pl \u2022 www.hak.vgt.pl \u2022 www.localhost.vgt.pl \u2022 www.certyfikat.vgt.pl \u2022 aristocrat.vgt.pl",
"https://www.vgt.pl/ phishing \u2022 https://vgt.pl/ \u2022www.vgt.pl \u2022 https://www.vgt.pl/94.152.152.233/images/logo.png",
"http://www.pornokind.vgt.pl \u2022 https://dbkuewww.m.vgt.pl \u2022 https://lokalnyhost.vgt.pl \u2022 www.xn--twj-hna.pedofil.vgt.pl",
"http://www.hak.vgt.pl \u2022 http://pornokind.vgt.pl \u2022 http://sip.vgt.pl \u2022 http://smtp-qa.vgt.pl \u2022 http://vgt.pl/*.",
"https://pornokind.vgt.pl \u2022 https://sip.vgt.pl \u2022 https://smtp-qa.vgt.pl \u2022 https://www.vgt.pl/94.152.156.22/logo.png",
"www.localhost.vgt.pl \u2022 www.certyfikat.vgt.pl \u2022 https://www.vgt.pl/94.152.152.233/images/logo.png",
"https://www.vgt.pl/css/ \u2022 https://www.vgt.pl/favicon.ico \u2022 https://www.vgt.pl/font/fa/fontawesome-webfont.eot",
"https://www.vgt.pl/font/roboto/Roboto-Bold.eot \u2022 https://www.vgt.pl/font/roboto/Roboto-Bold.ttf \u2022 https://www.vgt.pl/font/roboto/Roboto-Light.eot",
"https://www.vgt.pl/static/js/bootstrap-typeahead.jstic/js/bootstrap-typeahead.js",
"https://www.vgt.pl/style/style.css \u2022 https://www.vgt.pl/static/js/bootstrap-typeahead.js",
"IP Address 94.152.58.192 Location Poland ASN AS29522 h88 s.a. Nameservers ns1.kei.pl. , ns2.kei.pl.",
"www.happylifehappywife.com \u2022 http://www.happylifehappywife.com/2010/02/'>",
"http://www.happylifehappywife.com/2010/04/'> \u2022 http://www.happylifehappywife.com/2010/05/'>",
"http://www.happylifehappywife.com/2010/07/'> \u2022 http://www.happylifehappywife.com/2010/09/'>",
"http://www.happylifehappywife.com/2011/06/'> \u2022 http://www.happylifehappywife.com/2011/08/'",
"http://www.happylifehappywife.com/2011/08/'> \u2022 http://www.happylifehappywife.com/2012/07/'>",
"http://www.happylifehappywife.com/2013/03/'> \u2022 http://www.happylifehappywife.com/index.php",
"http://www.happylifehappywife.com/wp-content/themes/theme78222/images/top-right.jpg",
"https://amp.mypornvid.fun/videos/8/AhxS-ej1myg/gf-18-com/\ud83c\udf81-i39m-your-present-\ud83c\udf81-girlfriend-surprises-you-for-christmas-reunion-soft-kisses-amp-cuddles",
"8-25-220-162-static.reverse.queryfoundry.net\t\t\tNov 1, 2025, 9:34:14 AM\t\t5\t domain\tqueryfoundry.net\t\t\tNov 1, 2025, 9:34:14 AM\t\t8\t URL\thttp://117-114-251-162-static.reverse.queryfoundry.net/",
"http://watchhers.net/index.php",
"remotewd.com device local",
"nr-data.net \u2022 applemusic-spotlight.myunidays.com \u2022 init.ess.apple.com \u2022 tv.apple.com",
"https://browntubeporn.com/tsara-brashearsAccept-Language",
"https://cg864.myhotzpic.com phishing \u2022 http://dashboard.myhotzpic.com/",
"https://myhotzpic.com/tsara-brashears-hardcore-lesbian-sex/anime-studio.org*thumbs-fa...",
"https://mypornvid.com/videos/27/x510fb2/white-dpt-jeffrey-reimer-loves-pretty-indian-patient-forces-sex-3gp-video-tsara-brashears/caillou-finger",
"http://siteinlink.d1.cnbd.net/search/tsara-brashears-dead \u2022 http://siteinlink.d1.cnbd.net/site/maps.google.com.lb/",
"http://siteinlink.d1.cnbd.net/search/tsara-brashears-assaulted-by-jeffrey-reimer",
"http://siteinlink.d1.cnbd.net/search/tsara-brashears-dead \u2022 https://videolal.com/videos/tsara-brashears-dead-by-daylight.html",
"http://pixelrz.com/lists/keywords/tsara-brashears-dead/360 \u2022 http://pixelrz.com/lists/keywords/tsara-brashears-dead/360] No Expiration\t4\t Domain tsara-brashears-deadspin-twitter-suspended-account-help.ht",
"https://www.anyxxxtube.net/search-porn/tsara-brashears/",
"https://www.pornhub.com/gifs/search?search=tsara+lynn+brashears+lesbian",
"https://www.anyxxxtube.net/search-porn/tsara-brashears/",
"https://twitter.com/PORNO_SEXYBABES \u2022 girlsdoporn.com",
"Treece Alfrey Musat P.C. Attorneys at Law Christopher P. Ahmann | https://TamLegal.com",
"https://urlscan.io/screenshots/e931bb02-80dc-46db-92f0-43d5afa258be.png"
],
"public": 1,
"adversary": "",
"targeted_countries": [],
"malware_families": [
{
"id": "TrojanSpy:Win32/Nivdort",
"display_name": "TrojanSpy:Win32/Nivdort",
"target": "/malware/TrojanSpy:Win32/Nivdort"
},
{
"id": "Worm:Win32/Autorun",
"display_name": "Worm:Win32/Autorun",
"target": "/malware/Worm:Win32/Autorun"
},
{
"id": "Tofsee",
"display_name": "Tofsee",
"target": null
},
{
"id": "Jaik",
"display_name": "Jaik",
"target": null
},
{
"id": "Trojan:Win32/Qshell",
"display_name": "Trojan:Win32/Qshell",
"target": "/malware/Trojan:Win32/Qshell"
},
{
"id": "Trojan:Win32/Mydoom",
"display_name": "Trojan:Win32/Mydoom",
"target": "/malware/Trojan:Win32/Mydoom"
}
],
"attack_ids": [
{
"id": "T1045",
"name": "Software Packing",
"display_name": "T1045 - Software Packing"
},
{
"id": "T1057",
"name": "Process Discovery",
"display_name": "T1057 - Process Discovery"
},
{
"id": "T1060",
"name": "Registry Run Keys / Startup Folder",
"display_name": "T1060 - Registry Run Keys / Startup Folder"
},
{
"id": "T1053",
"name": "Scheduled Task/Job",
"display_name": "T1053 - Scheduled Task/Job"
},
{
"id": "T1055",
"name": "Process Injection",
"display_name": "T1055 - Process Injection"
},
{
"id": "T1082",
"name": "System Information Discovery",
"display_name": "T1082 - System Information Discovery"
},
{
"id": "T1112",
"name": "Modify Registry",
"display_name": "T1112 - Modify Registry"
},
{
"id": "T1119",
"name": "Automated Collection",
"display_name": "T1119 - Automated Collection"
},
{
"id": "T1129",
"name": "Shared Modules",
"display_name": "T1129 - Shared Modules"
},
{
"id": "T1143",
"name": "Hidden Window",
"display_name": "T1143 - Hidden Window"
},
{
"id": "T1063",
"name": "Security Software Discovery",
"display_name": "T1063 - Security Software Discovery"
},
{
"id": "T1027",
"name": "Obfuscated Files or Information",
"display_name": "T1027 - Obfuscated Files or Information"
},
{
"id": "T1071",
"name": "Application Layer Protocol",
"display_name": "T1071 - Application Layer Protocol"
},
{
"id": "T1518",
"name": "Software Discovery",
"display_name": "T1518 - Software Discovery"
},
{
"id": "T1553",
"name": "Subvert Trust Controls",
"display_name": "T1553 - Subvert Trust Controls"
},
{
"id": "T1568",
"name": "Dynamic Resolution",
"display_name": "T1568 - Dynamic Resolution"
},
{
"id": "T1583",
"name": "Acquire Infrastructure",
"display_name": "T1583 - Acquire Infrastructure"
},
{
"id": "T1069",
"name": "Permission Groups Discovery",
"display_name": "T1069 - Permission Groups Discovery"
},
{
"id": "T1105",
"name": "Ingress Tool Transfer",
"display_name": "T1105 - Ingress Tool Transfer"
},
{
"id": "T1113",
"name": "Screen Capture",
"display_name": "T1113 - Screen Capture"
},
{
"id": "T1140",
"name": "Deobfuscate/Decode Files or Information",
"display_name": "T1140 - Deobfuscate/Decode Files or Information"
},
{
"id": "T1197",
"name": "BITS Jobs",
"display_name": "T1197 - BITS Jobs"
},
{
"id": "T1210",
"name": "Exploitation of Remote Services",
"display_name": "T1210 - Exploitation of Remote Services"
},
{
"id": "T1457",
"name": "Malicious Media Content",
"display_name": "T1457 - Malicious Media Content"
},
{
"id": "T1480",
"name": "Execution Guardrails",
"display_name": "T1480 - Execution Guardrails"
},
{
"id": "T1562",
"name": "Impair Defenses",
"display_name": "T1562 - Impair Defenses"
},
{
"id": "T1574",
"name": "Hijack Execution Flow",
"display_name": "T1574 - Hijack Execution Flow"
}
],
"industries": [],
"TLP": "green",
"cloned_from": null,
"export_count": 4,
"upvotes_count": 0,
"downvotes_count": 0,
"votes_count": 0,
"locked": false,
"pulse_source": "web",
"validator_count": 0,
"comment_count": 0,
"follower_count": 0,
"vote": 0,
"author": {
"username": "Q.Vashti",
"id": "337942",
"avatar_url": "https://otx.alienvault.com/assets/images/default-avatar.png",
"is_subscribed": false,
"is_following": false
},
"indicator_type_counts": {
"URL": 8897,
"domain": 2102,
"hostname": 2867,
"FileHash-SHA256": 3886,
"FileHash-MD5": 619,
"FileHash-SHA1": 555,
"CVE": 3,
"email": 5,
"SSLCertFingerprint": 8
},
"indicator_count": 18942,
"is_author": false,
"is_subscribing": null,
"subscriber_count": 139,
"modified_text": "89 days ago ",
"is_modified": true,
"groups": [],
"in_group": false,
"threat_hunter_scannable": true,
"threat_hunter_has_agents": 1,
"related_indicator_type": "URL",
"related_indicator_is_active": 1
},
{
"id": "69482caa00d327da8f0a87bc",
"name": "Chris P.\u2019 Buzz\u2019 Ahmann Colorado State Criminal Defense Attorney (22.20.2025)",
"description": "",
"modified": "2026-01-20T17:02:02.650000",
"created": "2025-12-21T17:21:46.434000",
"tags": [
"related pulses",
"p1377925676",
"gaz1",
"sid1696503456",
"sct1",
"active",
"dynamicloader",
"medium",
"write c",
"search",
"show",
"high",
"program gateway",
"http traffic",
"http",
"write",
"malware",
"nivdort",
"serving ip",
"address",
"status code",
"kb body",
"sha256",
"gw5hjz7t975",
"url https",
"url http",
"indicator role",
"pulses url",
"hostname",
"poland unknown",
"present sep",
"present jul",
"present may",
"present apr",
"present dec",
"present jan",
"moved",
"passive dns",
"ip address",
"title",
"location poland",
"asn as29522",
"gmt content",
"accept encoding",
"ipv4 add",
"urls",
"files",
"reverse dns",
"united",
"record value",
"aaaa",
"mtb oct",
"found",
"error",
"read c",
"memcommit",
"module load",
"next",
"showing",
"trojan",
"execution",
"unknown",
"entries",
"ms windows",
"intel",
"as15169",
"codeoverlap",
"yara detections",
"delphi",
"worm",
"win32",
"win64",
"learn",
"ck id",
"name tactics",
"suspicious",
"informative",
"adversaries",
"command",
"spawns",
"ssl certificate",
"execution att",
"script urls",
"treece alfrey",
"meta",
"germany unknown",
"for privacy",
"title added",
"active related",
"pulses",
"asnone",
"named pipe",
"type indicator",
"role title",
"added active",
"filehashsha256",
"ally",
"melika",
"information",
"law christopher",
"https",
"fake pinterest",
"tsara",
"traceback man",
"expiro",
"capture",
"domain",
"types of",
"germany",
"poland",
"netherlands",
"cve cve20178977",
"boobs130432 nov",
"learn more",
"filehashmd5",
"utmsourceawin",
"pe32",
"head microsoft",
"delete",
"main",
"backdoor",
"next associated",
"gmt connection",
"control",
"content type",
"twitter",
"certificate",
"redirect date",
"cache",
"unknown ns",
"hostname add",
"ipv4",
"pulse pulses",
"location united",
"america flag",
"america asn",
"windows",
"total",
"ids detections",
"url add",
"related nids",
"files location",
"flag united",
"win32mydoom nov",
"domain add",
"yara rule",
"ee fc",
"ff d5",
"f0 ff",
"eb e1",
"ff ff",
"c1 e8",
"c1 c0",
"eb e8",
"mpress",
"cache control",
"x cache",
"date",
"name servers",
"arial",
"present aug",
"present jun",
"may god",
"hall render",
"palantir doing",
"jeffrey scott",
"jeffrey reimer",
"brian sabey",
"butt pirates",
"scott reimer",
"colorado",
"quasi government",
"workers compensation",
"eva lisa",
"eva reimer",
"sammie",
"montano mark",
"death threats",
"tulach",
"hired hit men",
"gay man",
"gay porn",
"concentra",
"corruption",
"palantir",
"foundry",
"grifter",
"warning",
"illegal",
"apple",
"contacted",
"ransom",
"dead",
"denver"
],
"references": [
"https://tamlegal.com/attorneys/christopher-p-ahmann/#breadcrumb \u2022 https://www.milehighmedia.com/en/movies",
"https://www.milehighmedia.com/legal/2257 \u2022 https://www.milehighmedia",
"www.milehighmedia.com \u2022 https://www.milehighmedia.com/en/Charlie-Dean/pornstar/49512",
"https://www.milehighmedia.com/en/login/index/aHR0cHMlM0ElMkYlMkZtZW1iZXJzLm1pbGVoaWdobWVkaWEuY29tJTJGZW4lMkZ2aWRlb3MlMkZzd2VldGhlYXJ0dmlkZW8lM0ZhbHVwJTNEQURqeF9ITjhfd1oweU96UnpsU3NNNUZLaVVxSzBXNEN0X3NmTFpKTGVJc3M2b0RVUzkwVmp6VllNVko5eFpmdENYcFNKd3IzOTNaMG1mOEpXeVhVeVZpLTJZYVRsaGd3M25DSDRpYnRwZ25BRC1zUFhDQVUycjZJOXo2WWtRMzNVWVFhMFZyWC1YckxvcnRkVjJZdEgxSDYxZ1lhMTFNS3RZSkEzY3FlSXhFQzhtSlAzSk1tbloySURMQXlMZndPcHozSFFiTzF4T0FseXJIQ0xYem1ldFElMkE=\t \thttp://www.milehighmedia.com/?ats=eyJhIjoyOTYzMTgsImMiOjU3OTYzNz",
"http://www.milehighmedia.com/legal\t \u2022 https://www.milehighmedia.com/en/pornstar/milehighmedia/Justin-Hunt/51017",
"https://www.milehighmedia.com/de/MileHighMedia/scene/129689?utm_source=271174&utm_medium=affiliate&utm_campaign=",
"http://www.milehighmedia.com/?ats=eyJhIjoyOTYzMTgsImMiOjU3OTYzNzc1LCJuIjo3NiwicyI6NT...",
"ttps://www.milehighmedia.com/scene/4404473/creampie-adventures-scene-2-sneaky-melanie",
"https://www.milehighmedia.com/join \u2022 https://www.milehighmedia.com/models \u2022 https://www.milehighmedia.com/movies",
"https://www.milehighmedia.com/model/59136/avi-love \u2022https://www.milehighmedia.com/model/60418/Justin-Hunt \u2022",
"https://www.milehighmedia.com/en/photo/milehighmedia/The-Mother-I-Cant-Resist/52380",
"https://www.milehighmedia.com/en/movies \u2022 https://www.milehighmedia.com/join",
"https://www.pornhub.com/gifs/search?search=tsara+lynn+brashears+lesbian",
"pornhub-e.com \u2022 www.pornhub.com \u2022",
"https://www.sweetheartvideo.com/tsara-brashears/ \u2022 www.sweetheartvideo.com",
"https://www.sweetheartvideo.com/en/?s=1?s=1&utm_source=272160&utm_medium=affiliate&utm_campaign=lovelezzies",
"https://www.sweetheartvideo.com/en/dvd/Lesbian-Massage/49895",
"https://www.sweetheartvideo.com/en/dvds \u2022 https://www.sweetheartvideo.com/en/login",
"https://www.sweetheartvideo.com/en/model/Mona-Wales/49601 \u2022 https://www.sweetheartvideo.com/en/scene/Truth-Dare--Boobs/130432 No Expiration\t0\t URL https://www.sweetheartvideo.com/it/model/Kristen-Scott/50432 \u2022 https://www.sweetheartvideo.com/model/63710/brandi-love",
"https://www.sweetheartvideo.com/scenes?models=63710",
"https://www.sweetheartvideo.com/model/63710/brandi-love",
"https://www.sweetheartvideo.com/scenes?models=63710",
"https://www.sweetheartvideo.com/it/model/Kristen-Scott/50432",
"https://www.sweetheartvideo.com/en/scene/Truth-Dare--Boobs/130432",
"https://www.milehighmedia.com/en/photo/milehighmedia/The-Mother-I-Cant-Resist/52380",
"https://www.vgt.pl/font/roboto/Roboto-Bold.eot \u2022",
"https://www.vgt.pl/94.152.152.233/images/logo.png",
"https://www.vgt.pl/94.152.156.22/logo.png \u2022 https://www.vgt.pl/css/",
"https://www.vgt.pl/favicon.ico",
"https://www.vgt.pl/font/fa/fontawesome-webfont.eot",
"https://www.vgt.pl/font/roboto/Roboto-Bold.ttf \u2022 https://www.vgt.pl/font/roboto/Roboto-Light.eot",
"https://www.vgt.pl/font/roboto/Roboto-Medium.ttf",
"https://www.vgt.pl/font/roboto/Roboto-Light.ttf \u2022",
"https://www.vgt.pl/static/js/bootstrap-typeahead.jstic/js/bootstrap-typeahead.js",
"https://www.vgt.pl/style/style.css \u2022 https://www.vgt.pl/font/roboto/Roboto-Medium.eot",
"https://www.vgt.pl/font/roboto/Roboto-Regular.ttf \u2022 https://www.vgt.pl/font/roboto/Roboto-Thin.eot",
"https://www.vgt.pl/static/js/bootstrap-typeahead.js.179.252.2",
"https://www.vgt.pl/font/roboto/Roboto-Thin.ttf \u2022 https://www.vgt.pl/static/js/bootstrap-typeahead.js",
"https://www.vgt.pl/font/roboto/Roboto-Regular.eot \u2022 https://www.vgt.pl/94.152.156.22/logo.png \u2022 https://www.vgt.pl/css/",
"vgt.pl \u2022 www.hak.vgt.pl \u2022 www.localhost.vgt.pl \u2022 www.certyfikat.vgt.pl \u2022 aristocrat.vgt.pl",
"https://www.vgt.pl/ phishing \u2022 https://vgt.pl/ \u2022www.vgt.pl \u2022 https://www.vgt.pl/94.152.152.233/images/logo.png",
"http://www.pornokind.vgt.pl \u2022 https://dbkuewww.m.vgt.pl \u2022 https://lokalnyhost.vgt.pl \u2022 www.xn--twj-hna.pedofil.vgt.pl",
"http://www.hak.vgt.pl \u2022 http://pornokind.vgt.pl \u2022 http://sip.vgt.pl \u2022 http://smtp-qa.vgt.pl \u2022 http://vgt.pl/*.",
"https://pornokind.vgt.pl \u2022 https://sip.vgt.pl \u2022 https://smtp-qa.vgt.pl \u2022 https://www.vgt.pl/94.152.156.22/logo.png",
"www.localhost.vgt.pl \u2022 www.certyfikat.vgt.pl \u2022 https://www.vgt.pl/94.152.152.233/images/logo.png",
"https://www.vgt.pl/css/ \u2022 https://www.vgt.pl/favicon.ico \u2022 https://www.vgt.pl/font/fa/fontawesome-webfont.eot",
"https://www.vgt.pl/font/roboto/Roboto-Bold.eot \u2022 https://www.vgt.pl/font/roboto/Roboto-Bold.ttf \u2022 https://www.vgt.pl/font/roboto/Roboto-Light.eot",
"https://www.vgt.pl/static/js/bootstrap-typeahead.jstic/js/bootstrap-typeahead.js",
"https://www.vgt.pl/style/style.css \u2022 https://www.vgt.pl/static/js/bootstrap-typeahead.js",
"IP Address 94.152.58.192 Location Poland ASN AS29522 h88 s.a. Nameservers ns1.kei.pl. , ns2.kei.pl.",
"www.happylifehappywife.com \u2022 http://www.happylifehappywife.com/2010/02/'>",
"http://www.happylifehappywife.com/2010/04/'> \u2022 http://www.happylifehappywife.com/2010/05/'>",
"http://www.happylifehappywife.com/2010/07/'> \u2022 http://www.happylifehappywife.com/2010/09/'>",
"http://www.happylifehappywife.com/2011/06/'> \u2022 http://www.happylifehappywife.com/2011/08/'",
"http://www.happylifehappywife.com/2011/08/'> \u2022 http://www.happylifehappywife.com/2012/07/'>",
"http://www.happylifehappywife.com/2013/03/'> \u2022 http://www.happylifehappywife.com/index.php",
"http://www.happylifehappywife.com/wp-content/themes/theme78222/images/top-right.jpg",
"https://amp.mypornvid.fun/videos/8/AhxS-ej1myg/gf-18-com/\ud83c\udf81-i39m-your-present-\ud83c\udf81-girlfriend-surprises-you-for-christmas-reunion-soft-kisses-amp-cuddles",
"8-25-220-162-static.reverse.queryfoundry.net\t\t\tNov 1, 2025, 9:34:14 AM\t\t5\t domain\tqueryfoundry.net\t\t\tNov 1, 2025, 9:34:14 AM\t\t8\t URL\thttp://117-114-251-162-static.reverse.queryfoundry.net/",
"http://watchhers.net/index.php",
"remotewd.com device local",
"nr-data.net \u2022 applemusic-spotlight.myunidays.com \u2022 init.ess.apple.com \u2022 tv.apple.com",
"https://browntubeporn.com/tsara-brashearsAccept-Language",
"https://cg864.myhotzpic.com phishing \u2022 http://dashboard.myhotzpic.com/",
"https://myhotzpic.com/tsara-brashears-hardcore-lesbian-sex/anime-studio.org*thumbs-fa...",
"https://mypornvid.com/videos/27/x510fb2/white-dpt-jeffrey-reimer-loves-pretty-indian-patient-forces-sex-3gp-video-tsara-brashears/caillou-finger",
"http://siteinlink.d1.cnbd.net/search/tsara-brashears-dead \u2022 http://siteinlink.d1.cnbd.net/site/maps.google.com.lb/",
"http://siteinlink.d1.cnbd.net/search/tsara-brashears-assaulted-by-jeffrey-reimer",
"http://siteinlink.d1.cnbd.net/search/tsara-brashears-dead \u2022 https://videolal.com/videos/tsara-brashears-dead-by-daylight.html",
"http://pixelrz.com/lists/keywords/tsara-brashears-dead/360 \u2022 http://pixelrz.com/lists/keywords/tsara-brashears-dead/360] No Expiration\t4\t Domain tsara-brashears-deadspin-twitter-suspended-account-help.ht",
"https://www.anyxxxtube.net/search-porn/tsara-brashears/",
"https://www.pornhub.com/gifs/search?search=tsara+lynn+brashears+lesbian",
"https://www.anyxxxtube.net/search-porn/tsara-brashears/",
"https://twitter.com/PORNO_SEXYBABES \u2022 girlsdoporn.com",
"Treece Alfrey Musat P.C. Attorneys at Law Christopher P. Ahmann | https://TamLegal.com",
"https://urlscan.io/screenshots/e931bb02-80dc-46db-92f0-43d5afa258be.png"
],
"public": 1,
"adversary": "",
"targeted_countries": [],
"malware_families": [
{
"id": "TrojanSpy:Win32/Nivdort",
"display_name": "TrojanSpy:Win32/Nivdort",
"target": "/malware/TrojanSpy:Win32/Nivdort"
},
{
"id": "Worm:Win32/Autorun",
"display_name": "Worm:Win32/Autorun",
"target": "/malware/Worm:Win32/Autorun"
},
{
"id": "Tofsee",
"display_name": "Tofsee",
"target": null
},
{
"id": "Jaik",
"display_name": "Jaik",
"target": null
},
{
"id": "Trojan:Win32/Qshell",
"display_name": "Trojan:Win32/Qshell",
"target": "/malware/Trojan:Win32/Qshell"
},
{
"id": "Trojan:Win32/Mydoom",
"display_name": "Trojan:Win32/Mydoom",
"target": "/malware/Trojan:Win32/Mydoom"
}
],
"attack_ids": [
{
"id": "T1045",
"name": "Software Packing",
"display_name": "T1045 - Software Packing"
},
{
"id": "T1057",
"name": "Process Discovery",
"display_name": "T1057 - Process Discovery"
},
{
"id": "T1060",
"name": "Registry Run Keys / Startup Folder",
"display_name": "T1060 - Registry Run Keys / Startup Folder"
},
{
"id": "T1053",
"name": "Scheduled Task/Job",
"display_name": "T1053 - Scheduled Task/Job"
},
{
"id": "T1055",
"name": "Process Injection",
"display_name": "T1055 - Process Injection"
},
{
"id": "T1082",
"name": "System Information Discovery",
"display_name": "T1082 - System Information Discovery"
},
{
"id": "T1112",
"name": "Modify Registry",
"display_name": "T1112 - Modify Registry"
},
{
"id": "T1119",
"name": "Automated Collection",
"display_name": "T1119 - Automated Collection"
},
{
"id": "T1129",
"name": "Shared Modules",
"display_name": "T1129 - Shared Modules"
},
{
"id": "T1143",
"name": "Hidden Window",
"display_name": "T1143 - Hidden Window"
},
{
"id": "T1063",
"name": "Security Software Discovery",
"display_name": "T1063 - Security Software Discovery"
},
{
"id": "T1027",
"name": "Obfuscated Files or Information",
"display_name": "T1027 - Obfuscated Files or Information"
},
{
"id": "T1071",
"name": "Application Layer Protocol",
"display_name": "T1071 - Application Layer Protocol"
},
{
"id": "T1518",
"name": "Software Discovery",
"display_name": "T1518 - Software Discovery"
},
{
"id": "T1553",
"name": "Subvert Trust Controls",
"display_name": "T1553 - Subvert Trust Controls"
},
{
"id": "T1568",
"name": "Dynamic Resolution",
"display_name": "T1568 - Dynamic Resolution"
},
{
"id": "T1583",
"name": "Acquire Infrastructure",
"display_name": "T1583 - Acquire Infrastructure"
},
{
"id": "T1069",
"name": "Permission Groups Discovery",
"display_name": "T1069 - Permission Groups Discovery"
},
{
"id": "T1105",
"name": "Ingress Tool Transfer",
"display_name": "T1105 - Ingress Tool Transfer"
},
{
"id": "T1113",
"name": "Screen Capture",
"display_name": "T1113 - Screen Capture"
},
{
"id": "T1140",
"name": "Deobfuscate/Decode Files or Information",
"display_name": "T1140 - Deobfuscate/Decode Files or Information"
},
{
"id": "T1197",
"name": "BITS Jobs",
"display_name": "T1197 - BITS Jobs"
},
{
"id": "T1210",
"name": "Exploitation of Remote Services",
"display_name": "T1210 - Exploitation of Remote Services"
},
{
"id": "T1457",
"name": "Malicious Media Content",
"display_name": "T1457 - Malicious Media Content"
},
{
"id": "T1480",
"name": "Execution Guardrails",
"display_name": "T1480 - Execution Guardrails"
},
{
"id": "T1562",
"name": "Impair Defenses",
"display_name": "T1562 - Impair Defenses"
},
{
"id": "T1574",
"name": "Hijack Execution Flow",
"display_name": "T1574 - Hijack Execution Flow"
}
],
"industries": [],
"TLP": "green",
"cloned_from": "691f4d4ef0a2a570b8b21cd2",
"export_count": 3,
"upvotes_count": 0,
"downvotes_count": 0,
"votes_count": 0,
"locked": false,
"pulse_source": "web",
"validator_count": 0,
"comment_count": 0,
"follower_count": 0,
"vote": 0,
"author": {
"username": "Q.Vashti",
"id": "337942",
"avatar_url": "https://otx.alienvault.com/assets/images/default-avatar.png",
"is_subscribed": false,
"is_following": false
},
"indicator_type_counts": {
"URL": 8897,
"domain": 2102,
"hostname": 2867,
"FileHash-SHA256": 3886,
"FileHash-MD5": 619,
"FileHash-SHA1": 555,
"CVE": 3,
"email": 5,
"SSLCertFingerprint": 8
},
"indicator_count": 18942,
"is_author": false,
"is_subscribing": null,
"subscriber_count": 137,
"modified_text": "89 days ago ",
"is_modified": true,
"groups": [],
"in_group": false,
"threat_hunter_scannable": true,
"threat_hunter_has_agents": 1,
"related_indicator_type": "URL",
"related_indicator_is_active": 1
},
{
"id": "695557ee134b978b00883c29",
"name": "Chris P. Ahmann \u2022 Stay out of PRIVATE PROPERTY HITMAN! Colorado State",
"description": "",
"modified": "2026-01-20T17:02:02.650000",
"created": "2025-12-31T17:05:50.134000",
"tags": [
"related pulses",
"p1377925676",
"gaz1",
"sid1696503456",
"sct1",
"active",
"dynamicloader",
"medium",
"write c",
"search",
"show",
"high",
"program gateway",
"http traffic",
"http",
"write",
"malware",
"nivdort",
"serving ip",
"address",
"status code",
"kb body",
"sha256",
"gw5hjz7t975",
"url https",
"url http",
"indicator role",
"pulses url",
"hostname",
"poland unknown",
"present sep",
"present jul",
"present may",
"present apr",
"present dec",
"present jan",
"moved",
"passive dns",
"ip address",
"title",
"location poland",
"asn as29522",
"gmt content",
"accept encoding",
"ipv4 add",
"urls",
"files",
"reverse dns",
"united",
"record value",
"aaaa",
"mtb oct",
"found",
"error",
"read c",
"memcommit",
"module load",
"next",
"showing",
"trojan",
"execution",
"unknown",
"entries",
"ms windows",
"intel",
"as15169",
"codeoverlap",
"yara detections",
"delphi",
"worm",
"win32",
"win64",
"learn",
"ck id",
"name tactics",
"suspicious",
"informative",
"adversaries",
"command",
"spawns",
"ssl certificate",
"execution att",
"script urls",
"treece alfrey",
"meta",
"germany unknown",
"for privacy",
"title added",
"active related",
"pulses",
"asnone",
"named pipe",
"type indicator",
"role title",
"added active",
"filehashsha256",
"ally",
"melika",
"information",
"law christopher",
"https",
"fake pinterest",
"tsara",
"traceback man",
"expiro",
"capture",
"domain",
"types of",
"germany",
"poland",
"netherlands",
"cve cve20178977",
"boobs130432 nov",
"learn more",
"filehashmd5",
"utmsourceawin",
"pe32",
"head microsoft",
"delete",
"main",
"backdoor",
"next associated",
"gmt connection",
"control",
"content type",
"twitter",
"certificate",
"redirect date",
"cache",
"unknown ns",
"hostname add",
"ipv4",
"pulse pulses",
"location united",
"america flag",
"america asn",
"windows",
"total",
"ids detections",
"url add",
"related nids",
"files location",
"flag united",
"win32mydoom nov",
"domain add",
"yara rule",
"ee fc",
"ff d5",
"f0 ff",
"eb e1",
"ff ff",
"c1 e8",
"c1 c0",
"eb e8",
"mpress",
"cache control",
"x cache",
"date",
"name servers",
"arial",
"present aug",
"present jun",
"may god",
"hall render",
"palantir doing",
"jeffrey scott",
"jeffrey reimer",
"brian sabey",
"butt pirates",
"scott reimer",
"colorado",
"quasi government",
"workers compensation",
"eva lisa",
"eva reimer",
"sammie",
"montano mark",
"death threats",
"tulach",
"hired hit men",
"gay man",
"gay porn",
"concentra",
"corruption",
"palantir",
"foundry",
"grifter",
"warning",
"illegal",
"apple",
"contacted",
"ransom",
"dead",
"denver"
],
"references": [
"https://tamlegal.com/attorneys/christopher-p-ahmann/#breadcrumb \u2022 https://www.milehighmedia.com/en/movies",
"https://www.milehighmedia.com/legal/2257 \u2022 https://www.milehighmedia",
"www.milehighmedia.com \u2022 https://www.milehighmedia.com/en/Charlie-Dean/pornstar/49512",
"https://www.milehighmedia.com/en/login/index/aHR0cHMlM0ElMkYlMkZtZW1iZXJzLm1pbGVoaWdobWVkaWEuY29tJTJGZW4lMkZ2aWRlb3MlMkZzd2VldGhlYXJ0dmlkZW8lM0ZhbHVwJTNEQURqeF9ITjhfd1oweU96UnpsU3NNNUZLaVVxSzBXNEN0X3NmTFpKTGVJc3M2b0RVUzkwVmp6VllNVko5eFpmdENYcFNKd3IzOTNaMG1mOEpXeVhVeVZpLTJZYVRsaGd3M25DSDRpYnRwZ25BRC1zUFhDQVUycjZJOXo2WWtRMzNVWVFhMFZyWC1YckxvcnRkVjJZdEgxSDYxZ1lhMTFNS3RZSkEzY3FlSXhFQzhtSlAzSk1tbloySURMQXlMZndPcHozSFFiTzF4T0FseXJIQ0xYem1ldFElMkE=\t \thttp://www.milehighmedia.com/?ats=eyJhIjoyOTYzMTgsImMiOjU3OTYzNz",
"http://www.milehighmedia.com/legal\t \u2022 https://www.milehighmedia.com/en/pornstar/milehighmedia/Justin-Hunt/51017",
"https://www.milehighmedia.com/de/MileHighMedia/scene/129689?utm_source=271174&utm_medium=affiliate&utm_campaign=",
"http://www.milehighmedia.com/?ats=eyJhIjoyOTYzMTgsImMiOjU3OTYzNzc1LCJuIjo3NiwicyI6NT...",
"ttps://www.milehighmedia.com/scene/4404473/creampie-adventures-scene-2-sneaky-melanie",
"https://www.milehighmedia.com/join \u2022 https://www.milehighmedia.com/models \u2022 https://www.milehighmedia.com/movies",
"https://www.milehighmedia.com/model/59136/avi-love \u2022https://www.milehighmedia.com/model/60418/Justin-Hunt \u2022",
"https://www.milehighmedia.com/en/photo/milehighmedia/The-Mother-I-Cant-Resist/52380",
"https://www.milehighmedia.com/en/movies \u2022 https://www.milehighmedia.com/join",
"https://www.pornhub.com/gifs/search?search=tsara+lynn+brashears+lesbian",
"pornhub-e.com \u2022 www.pornhub.com \u2022",
"https://www.sweetheartvideo.com/tsara-brashears/ \u2022 www.sweetheartvideo.com",
"https://www.sweetheartvideo.com/en/?s=1?s=1&utm_source=272160&utm_medium=affiliate&utm_campaign=lovelezzies",
"https://www.sweetheartvideo.com/en/dvd/Lesbian-Massage/49895",
"https://www.sweetheartvideo.com/en/dvds \u2022 https://www.sweetheartvideo.com/en/login",
"https://www.sweetheartvideo.com/en/model/Mona-Wales/49601 \u2022 https://www.sweetheartvideo.com/en/scene/Truth-Dare--Boobs/130432 No Expiration\t0\t URL https://www.sweetheartvideo.com/it/model/Kristen-Scott/50432 \u2022 https://www.sweetheartvideo.com/model/63710/brandi-love",
"https://www.sweetheartvideo.com/scenes?models=63710",
"https://www.sweetheartvideo.com/model/63710/brandi-love",
"https://www.sweetheartvideo.com/scenes?models=63710",
"https://www.sweetheartvideo.com/it/model/Kristen-Scott/50432",
"https://www.sweetheartvideo.com/en/scene/Truth-Dare--Boobs/130432",
"https://www.milehighmedia.com/en/photo/milehighmedia/The-Mother-I-Cant-Resist/52380",
"https://www.vgt.pl/font/roboto/Roboto-Bold.eot \u2022",
"https://www.vgt.pl/94.152.152.233/images/logo.png",
"https://www.vgt.pl/94.152.156.22/logo.png \u2022 https://www.vgt.pl/css/",
"https://www.vgt.pl/favicon.ico",
"https://www.vgt.pl/font/fa/fontawesome-webfont.eot",
"https://www.vgt.pl/font/roboto/Roboto-Bold.ttf \u2022 https://www.vgt.pl/font/roboto/Roboto-Light.eot",
"https://www.vgt.pl/font/roboto/Roboto-Medium.ttf",
"https://www.vgt.pl/font/roboto/Roboto-Light.ttf \u2022",
"https://www.vgt.pl/static/js/bootstrap-typeahead.jstic/js/bootstrap-typeahead.js",
"https://www.vgt.pl/style/style.css \u2022 https://www.vgt.pl/font/roboto/Roboto-Medium.eot",
"https://www.vgt.pl/font/roboto/Roboto-Regular.ttf \u2022 https://www.vgt.pl/font/roboto/Roboto-Thin.eot",
"https://www.vgt.pl/static/js/bootstrap-typeahead.js.179.252.2",
"https://www.vgt.pl/font/roboto/Roboto-Thin.ttf \u2022 https://www.vgt.pl/static/js/bootstrap-typeahead.js",
"https://www.vgt.pl/font/roboto/Roboto-Regular.eot \u2022 https://www.vgt.pl/94.152.156.22/logo.png \u2022 https://www.vgt.pl/css/",
"vgt.pl \u2022 www.hak.vgt.pl \u2022 www.localhost.vgt.pl \u2022 www.certyfikat.vgt.pl \u2022 aristocrat.vgt.pl",
"https://www.vgt.pl/ phishing \u2022 https://vgt.pl/ \u2022www.vgt.pl \u2022 https://www.vgt.pl/94.152.152.233/images/logo.png",
"http://www.pornokind.vgt.pl \u2022 https://dbkuewww.m.vgt.pl \u2022 https://lokalnyhost.vgt.pl \u2022 www.xn--twj-hna.pedofil.vgt.pl",
"http://www.hak.vgt.pl \u2022 http://pornokind.vgt.pl \u2022 http://sip.vgt.pl \u2022 http://smtp-qa.vgt.pl \u2022 http://vgt.pl/*.",
"https://pornokind.vgt.pl \u2022 https://sip.vgt.pl \u2022 https://smtp-qa.vgt.pl \u2022 https://www.vgt.pl/94.152.156.22/logo.png",
"www.localhost.vgt.pl \u2022 www.certyfikat.vgt.pl \u2022 https://www.vgt.pl/94.152.152.233/images/logo.png",
"https://www.vgt.pl/css/ \u2022 https://www.vgt.pl/favicon.ico \u2022 https://www.vgt.pl/font/fa/fontawesome-webfont.eot",
"https://www.vgt.pl/font/roboto/Roboto-Bold.eot \u2022 https://www.vgt.pl/font/roboto/Roboto-Bold.ttf \u2022 https://www.vgt.pl/font/roboto/Roboto-Light.eot",
"https://www.vgt.pl/static/js/bootstrap-typeahead.jstic/js/bootstrap-typeahead.js",
"https://www.vgt.pl/style/style.css \u2022 https://www.vgt.pl/static/js/bootstrap-typeahead.js",
"IP Address 94.152.58.192 Location Poland ASN AS29522 h88 s.a. Nameservers ns1.kei.pl. , ns2.kei.pl.",
"www.happylifehappywife.com \u2022 http://www.happylifehappywife.com/2010/02/'>",
"http://www.happylifehappywife.com/2010/04/'> \u2022 http://www.happylifehappywife.com/2010/05/'>",
"http://www.happylifehappywife.com/2010/07/'> \u2022 http://www.happylifehappywife.com/2010/09/'>",
"http://www.happylifehappywife.com/2011/06/'> \u2022 http://www.happylifehappywife.com/2011/08/'",
"http://www.happylifehappywife.com/2011/08/'> \u2022 http://www.happylifehappywife.com/2012/07/'>",
"http://www.happylifehappywife.com/2013/03/'> \u2022 http://www.happylifehappywife.com/index.php",
"http://www.happylifehappywife.com/wp-content/themes/theme78222/images/top-right.jpg",
"https://amp.mypornvid.fun/videos/8/AhxS-ej1myg/gf-18-com/\ud83c\udf81-i39m-your-present-\ud83c\udf81-girlfriend-surprises-you-for-christmas-reunion-soft-kisses-amp-cuddles",
"8-25-220-162-static.reverse.queryfoundry.net\t\t\tNov 1, 2025, 9:34:14 AM\t\t5\t domain\tqueryfoundry.net\t\t\tNov 1, 2025, 9:34:14 AM\t\t8\t URL\thttp://117-114-251-162-static.reverse.queryfoundry.net/",
"http://watchhers.net/index.php",
"remotewd.com device local",
"nr-data.net \u2022 applemusic-spotlight.myunidays.com \u2022 init.ess.apple.com \u2022 tv.apple.com",
"https://browntubeporn.com/tsara-brashearsAccept-Language",
"https://cg864.myhotzpic.com phishing \u2022 http://dashboard.myhotzpic.com/",
"https://myhotzpic.com/tsara-brashears-hardcore-lesbian-sex/anime-studio.org*thumbs-fa...",
"https://mypornvid.com/videos/27/x510fb2/white-dpt-jeffrey-reimer-loves-pretty-indian-patient-forces-sex-3gp-video-tsara-brashears/caillou-finger",
"http://siteinlink.d1.cnbd.net/search/tsara-brashears-dead \u2022 http://siteinlink.d1.cnbd.net/site/maps.google.com.lb/",
"http://siteinlink.d1.cnbd.net/search/tsara-brashears-assaulted-by-jeffrey-reimer",
"http://siteinlink.d1.cnbd.net/search/tsara-brashears-dead \u2022 https://videolal.com/videos/tsara-brashears-dead-by-daylight.html",
"http://pixelrz.com/lists/keywords/tsara-brashears-dead/360 \u2022 http://pixelrz.com/lists/keywords/tsara-brashears-dead/360] No Expiration\t4\t Domain tsara-brashears-deadspin-twitter-suspended-account-help.ht",
"https://www.anyxxxtube.net/search-porn/tsara-brashears/",
"https://www.pornhub.com/gifs/search?search=tsara+lynn+brashears+lesbian",
"https://www.anyxxxtube.net/search-porn/tsara-brashears/",
"https://twitter.com/PORNO_SEXYBABES \u2022 girlsdoporn.com",
"Treece Alfrey Musat P.C. Attorneys at Law Christopher P. Ahmann | https://TamLegal.com",
"https://urlscan.io/screenshots/e931bb02-80dc-46db-92f0-43d5afa258be.png"
],
"public": 1,
"adversary": "",
"targeted_countries": [],
"malware_families": [
{
"id": "TrojanSpy:Win32/Nivdort",
"display_name": "TrojanSpy:Win32/Nivdort",
"target": "/malware/TrojanSpy:Win32/Nivdort"
},
{
"id": "Worm:Win32/Autorun",
"display_name": "Worm:Win32/Autorun",
"target": "/malware/Worm:Win32/Autorun"
},
{
"id": "Tofsee",
"display_name": "Tofsee",
"target": null
},
{
"id": "Jaik",
"display_name": "Jaik",
"target": null
},
{
"id": "Trojan:Win32/Qshell",
"display_name": "Trojan:Win32/Qshell",
"target": "/malware/Trojan:Win32/Qshell"
},
{
"id": "Trojan:Win32/Mydoom",
"display_name": "Trojan:Win32/Mydoom",
"target": "/malware/Trojan:Win32/Mydoom"
}
],
"attack_ids": [
{
"id": "T1045",
"name": "Software Packing",
"display_name": "T1045 - Software Packing"
},
{
"id": "T1057",
"name": "Process Discovery",
"display_name": "T1057 - Process Discovery"
},
{
"id": "T1060",
"name": "Registry Run Keys / Startup Folder",
"display_name": "T1060 - Registry Run Keys / Startup Folder"
},
{
"id": "T1053",
"name": "Scheduled Task/Job",
"display_name": "T1053 - Scheduled Task/Job"
},
{
"id": "T1055",
"name": "Process Injection",
"display_name": "T1055 - Process Injection"
},
{
"id": "T1082",
"name": "System Information Discovery",
"display_name": "T1082 - System Information Discovery"
},
{
"id": "T1112",
"name": "Modify Registry",
"display_name": "T1112 - Modify Registry"
},
{
"id": "T1119",
"name": "Automated Collection",
"display_name": "T1119 - Automated Collection"
},
{
"id": "T1129",
"name": "Shared Modules",
"display_name": "T1129 - Shared Modules"
},
{
"id": "T1143",
"name": "Hidden Window",
"display_name": "T1143 - Hidden Window"
},
{
"id": "T1063",
"name": "Security Software Discovery",
"display_name": "T1063 - Security Software Discovery"
},
{
"id": "T1027",
"name": "Obfuscated Files or Information",
"display_name": "T1027 - Obfuscated Files or Information"
},
{
"id": "T1071",
"name": "Application Layer Protocol",
"display_name": "T1071 - Application Layer Protocol"
},
{
"id": "T1518",
"name": "Software Discovery",
"display_name": "T1518 - Software Discovery"
},
{
"id": "T1553",
"name": "Subvert Trust Controls",
"display_name": "T1553 - Subvert Trust Controls"
},
{
"id": "T1568",
"name": "Dynamic Resolution",
"display_name": "T1568 - Dynamic Resolution"
},
{
"id": "T1583",
"name": "Acquire Infrastructure",
"display_name": "T1583 - Acquire Infrastructure"
},
{
"id": "T1069",
"name": "Permission Groups Discovery",
"display_name": "T1069 - Permission Groups Discovery"
},
{
"id": "T1105",
"name": "Ingress Tool Transfer",
"display_name": "T1105 - Ingress Tool Transfer"
},
{
"id": "T1113",
"name": "Screen Capture",
"display_name": "T1113 - Screen Capture"
},
{
"id": "T1140",
"name": "Deobfuscate/Decode Files or Information",
"display_name": "T1140 - Deobfuscate/Decode Files or Information"
},
{
"id": "T1197",
"name": "BITS Jobs",
"display_name": "T1197 - BITS Jobs"
},
{
"id": "T1210",
"name": "Exploitation of Remote Services",
"display_name": "T1210 - Exploitation of Remote Services"
},
{
"id": "T1457",
"name": "Malicious Media Content",
"display_name": "T1457 - Malicious Media Content"
},
{
"id": "T1480",
"name": "Execution Guardrails",
"display_name": "T1480 - Execution Guardrails"
},
{
"id": "T1562",
"name": "Impair Defenses",
"display_name": "T1562 - Impair Defenses"
},
{
"id": "T1574",
"name": "Hijack Execution Flow",
"display_name": "T1574 - Hijack Execution Flow"
}
],
"industries": [],
"TLP": "green",
"cloned_from": "691f4d4ef0a2a570b8b21cd2",
"export_count": 2,
"upvotes_count": 0,
"downvotes_count": 0,
"votes_count": 0,
"locked": false,
"pulse_source": "web",
"validator_count": 0,
"comment_count": 0,
"follower_count": 0,
"vote": 0,
"author": {
"username": "Q.Vashti",
"id": "337942",
"avatar_url": "https://otx.alienvault.com/assets/images/default-avatar.png",
"is_subscribed": false,
"is_following": false
},
"indicator_type_counts": {
"URL": 8897,
"domain": 2102,
"hostname": 2867,
"FileHash-SHA256": 3886,
"FileHash-MD5": 619,
"FileHash-SHA1": 555,
"CVE": 3,
"email": 5,
"SSLCertFingerprint": 8
},
"indicator_count": 18942,
"is_author": false,
"is_subscribing": null,
"subscriber_count": 137,
"modified_text": "89 days ago ",
"is_modified": true,
"groups": [],
"in_group": false,
"threat_hunter_scannable": true,
"threat_hunter_has_agents": 1,
"related_indicator_type": "URL",
"related_indicator_is_active": 1
},
{
"id": "69631fbd16e306ee2b76c4da",
"name": "Chris P. Ahmann \u2022 STAY Away!f PRIVATE PROPERTY Colorado State Fixer!",
"description": "",
"modified": "2026-01-20T17:02:02.650000",
"created": "2026-01-11T03:57:49.242000",
"tags": [
"related pulses",
"p1377925676",
"gaz1",
"sid1696503456",
"sct1",
"active",
"dynamicloader",
"medium",
"write c",
"search",
"show",
"high",
"program gateway",
"http traffic",
"http",
"write",
"malware",
"nivdort",
"serving ip",
"address",
"status code",
"kb body",
"sha256",
"gw5hjz7t975",
"url https",
"url http",
"indicator role",
"pulses url",
"hostname",
"poland unknown",
"present sep",
"present jul",
"present may",
"present apr",
"present dec",
"present jan",
"moved",
"passive dns",
"ip address",
"title",
"location poland",
"asn as29522",
"gmt content",
"accept encoding",
"ipv4 add",
"urls",
"files",
"reverse dns",
"united",
"record value",
"aaaa",
"mtb oct",
"found",
"error",
"read c",
"memcommit",
"module load",
"next",
"showing",
"trojan",
"execution",
"unknown",
"entries",
"ms windows",
"intel",
"as15169",
"codeoverlap",
"yara detections",
"delphi",
"worm",
"win32",
"win64",
"learn",
"ck id",
"name tactics",
"suspicious",
"informative",
"adversaries",
"command",
"spawns",
"ssl certificate",
"execution att",
"script urls",
"treece alfrey",
"meta",
"germany unknown",
"for privacy",
"title added",
"active related",
"pulses",
"asnone",
"named pipe",
"type indicator",
"role title",
"added active",
"filehashsha256",
"ally",
"melika",
"information",
"law christopher",
"https",
"fake pinterest",
"tsara",
"traceback man",
"expiro",
"capture",
"domain",
"types of",
"germany",
"poland",
"netherlands",
"cve cve20178977",
"boobs130432 nov",
"learn more",
"filehashmd5",
"utmsourceawin",
"pe32",
"head microsoft",
"delete",
"main",
"backdoor",
"next associated",
"gmt connection",
"control",
"content type",
"twitter",
"certificate",
"redirect date",
"cache",
"unknown ns",
"hostname add",
"ipv4",
"pulse pulses",
"location united",
"america flag",
"america asn",
"windows",
"total",
"ids detections",
"url add",
"related nids",
"files location",
"flag united",
"win32mydoom nov",
"domain add",
"yara rule",
"ee fc",
"ff d5",
"f0 ff",
"eb e1",
"ff ff",
"c1 e8",
"c1 c0",
"eb e8",
"mpress",
"cache control",
"x cache",
"date",
"name servers",
"arial",
"present aug",
"present jun",
"may god",
"hall render",
"palantir doing",
"jeffrey scott",
"jeffrey reimer",
"brian sabey",
"butt pirates",
"scott reimer",
"colorado",
"quasi government",
"workers compensation",
"eva lisa",
"eva reimer",
"sammie",
"montano mark",
"death threats",
"tulach",
"hired hit men",
"gay man",
"gay porn",
"concentra",
"corruption",
"palantir",
"foundry",
"grifter",
"warning",
"illegal",
"apple",
"contacted",
"ransom",
"dead",
"denver"
],
"references": [
"https://tamlegal.com/attorneys/christopher-p-ahmann/#breadcrumb \u2022 https://www.milehighmedia.com/en/movies",
"https://www.milehighmedia.com/legal/2257 \u2022 https://www.milehighmedia",
"www.milehighmedia.com \u2022 https://www.milehighmedia.com/en/Charlie-Dean/pornstar/49512",
"https://www.milehighmedia.com/en/login/index/aHR0cHMlM0ElMkYlMkZtZW1iZXJzLm1pbGVoaWdobWVkaWEuY29tJTJGZW4lMkZ2aWRlb3MlMkZzd2VldGhlYXJ0dmlkZW8lM0ZhbHVwJTNEQURqeF9ITjhfd1oweU96UnpsU3NNNUZLaVVxSzBXNEN0X3NmTFpKTGVJc3M2b0RVUzkwVmp6VllNVko5eFpmdENYcFNKd3IzOTNaMG1mOEpXeVhVeVZpLTJZYVRsaGd3M25DSDRpYnRwZ25BRC1zUFhDQVUycjZJOXo2WWtRMzNVWVFhMFZyWC1YckxvcnRkVjJZdEgxSDYxZ1lhMTFNS3RZSkEzY3FlSXhFQzhtSlAzSk1tbloySURMQXlMZndPcHozSFFiTzF4T0FseXJIQ0xYem1ldFElMkE=\t \thttp://www.milehighmedia.com/?ats=eyJhIjoyOTYzMTgsImMiOjU3OTYzNz",
"http://www.milehighmedia.com/legal\t \u2022 https://www.milehighmedia.com/en/pornstar/milehighmedia/Justin-Hunt/51017",
"https://www.milehighmedia.com/de/MileHighMedia/scene/129689?utm_source=271174&utm_medium=affiliate&utm_campaign=",
"http://www.milehighmedia.com/?ats=eyJhIjoyOTYzMTgsImMiOjU3OTYzNzc1LCJuIjo3NiwicyI6NT...",
"ttps://www.milehighmedia.com/scene/4404473/creampie-adventures-scene-2-sneaky-melanie",
"https://www.milehighmedia.com/join \u2022 https://www.milehighmedia.com/models \u2022 https://www.milehighmedia.com/movies",
"https://www.milehighmedia.com/model/59136/avi-love \u2022https://www.milehighmedia.com/model/60418/Justin-Hunt \u2022",
"https://www.milehighmedia.com/en/photo/milehighmedia/The-Mother-I-Cant-Resist/52380",
"https://www.milehighmedia.com/en/movies \u2022 https://www.milehighmedia.com/join",
"https://www.pornhub.com/gifs/search?search=tsara+lynn+brashears+lesbian",
"pornhub-e.com \u2022 www.pornhub.com \u2022",
"https://www.sweetheartvideo.com/tsara-brashears/ \u2022 www.sweetheartvideo.com",
"https://www.sweetheartvideo.com/en/?s=1?s=1&utm_source=272160&utm_medium=affiliate&utm_campaign=lovelezzies",
"https://www.sweetheartvideo.com/en/dvd/Lesbian-Massage/49895",
"https://www.sweetheartvideo.com/en/dvds \u2022 https://www.sweetheartvideo.com/en/login",
"https://www.sweetheartvideo.com/en/model/Mona-Wales/49601 \u2022 https://www.sweetheartvideo.com/en/scene/Truth-Dare--Boobs/130432 No Expiration\t0\t URL https://www.sweetheartvideo.com/it/model/Kristen-Scott/50432 \u2022 https://www.sweetheartvideo.com/model/63710/brandi-love",
"https://www.sweetheartvideo.com/scenes?models=63710",
"https://www.sweetheartvideo.com/model/63710/brandi-love",
"https://www.sweetheartvideo.com/scenes?models=63710",
"https://www.sweetheartvideo.com/it/model/Kristen-Scott/50432",
"https://www.sweetheartvideo.com/en/scene/Truth-Dare--Boobs/130432",
"https://www.milehighmedia.com/en/photo/milehighmedia/The-Mother-I-Cant-Resist/52380",
"https://www.vgt.pl/font/roboto/Roboto-Bold.eot \u2022",
"https://www.vgt.pl/94.152.152.233/images/logo.png",
"https://www.vgt.pl/94.152.156.22/logo.png \u2022 https://www.vgt.pl/css/",
"https://www.vgt.pl/favicon.ico",
"https://www.vgt.pl/font/fa/fontawesome-webfont.eot",
"https://www.vgt.pl/font/roboto/Roboto-Bold.ttf \u2022 https://www.vgt.pl/font/roboto/Roboto-Light.eot",
"https://www.vgt.pl/font/roboto/Roboto-Medium.ttf",
"https://www.vgt.pl/font/roboto/Roboto-Light.ttf \u2022",
"https://www.vgt.pl/static/js/bootstrap-typeahead.jstic/js/bootstrap-typeahead.js",
"https://www.vgt.pl/style/style.css \u2022 https://www.vgt.pl/font/roboto/Roboto-Medium.eot",
"https://www.vgt.pl/font/roboto/Roboto-Regular.ttf \u2022 https://www.vgt.pl/font/roboto/Roboto-Thin.eot",
"https://www.vgt.pl/static/js/bootstrap-typeahead.js.179.252.2",
"https://www.vgt.pl/font/roboto/Roboto-Thin.ttf \u2022 https://www.vgt.pl/static/js/bootstrap-typeahead.js",
"https://www.vgt.pl/font/roboto/Roboto-Regular.eot \u2022 https://www.vgt.pl/94.152.156.22/logo.png \u2022 https://www.vgt.pl/css/",
"vgt.pl \u2022 www.hak.vgt.pl \u2022 www.localhost.vgt.pl \u2022 www.certyfikat.vgt.pl \u2022 aristocrat.vgt.pl",
"https://www.vgt.pl/ phishing \u2022 https://vgt.pl/ \u2022www.vgt.pl \u2022 https://www.vgt.pl/94.152.152.233/images/logo.png",
"http://www.pornokind.vgt.pl \u2022 https://dbkuewww.m.vgt.pl \u2022 https://lokalnyhost.vgt.pl \u2022 www.xn--twj-hna.pedofil.vgt.pl",
"http://www.hak.vgt.pl \u2022 http://pornokind.vgt.pl \u2022 http://sip.vgt.pl \u2022 http://smtp-qa.vgt.pl \u2022 http://vgt.pl/*.",
"https://pornokind.vgt.pl \u2022 https://sip.vgt.pl \u2022 https://smtp-qa.vgt.pl \u2022 https://www.vgt.pl/94.152.156.22/logo.png",
"www.localhost.vgt.pl \u2022 www.certyfikat.vgt.pl \u2022 https://www.vgt.pl/94.152.152.233/images/logo.png",
"https://www.vgt.pl/css/ \u2022 https://www.vgt.pl/favicon.ico \u2022 https://www.vgt.pl/font/fa/fontawesome-webfont.eot",
"https://www.vgt.pl/font/roboto/Roboto-Bold.eot \u2022 https://www.vgt.pl/font/roboto/Roboto-Bold.ttf \u2022 https://www.vgt.pl/font/roboto/Roboto-Light.eot",
"https://www.vgt.pl/static/js/bootstrap-typeahead.jstic/js/bootstrap-typeahead.js",
"https://www.vgt.pl/style/style.css \u2022 https://www.vgt.pl/static/js/bootstrap-typeahead.js",
"IP Address 94.152.58.192 Location Poland ASN AS29522 h88 s.a. Nameservers ns1.kei.pl. , ns2.kei.pl.",
"www.happylifehappywife.com \u2022 http://www.happylifehappywife.com/2010/02/'>",
"http://www.happylifehappywife.com/2010/04/'> \u2022 http://www.happylifehappywife.com/2010/05/'>",
"http://www.happylifehappywife.com/2010/07/'> \u2022 http://www.happylifehappywife.com/2010/09/'>",
"http://www.happylifehappywife.com/2011/06/'> \u2022 http://www.happylifehappywife.com/2011/08/'",
"http://www.happylifehappywife.com/2011/08/'> \u2022 http://www.happylifehappywife.com/2012/07/'>",
"http://www.happylifehappywife.com/2013/03/'> \u2022 http://www.happylifehappywife.com/index.php",
"http://www.happylifehappywife.com/wp-content/themes/theme78222/images/top-right.jpg",
"https://amp.mypornvid.fun/videos/8/AhxS-ej1myg/gf-18-com/\ud83c\udf81-i39m-your-present-\ud83c\udf81-girlfriend-surprises-you-for-christmas-reunion-soft-kisses-amp-cuddles",
"8-25-220-162-static.reverse.queryfoundry.net\t\t\tNov 1, 2025, 9:34:14 AM\t\t5\t domain\tqueryfoundry.net\t\t\tNov 1, 2025, 9:34:14 AM\t\t8\t URL\thttp://117-114-251-162-static.reverse.queryfoundry.net/",
"http://watchhers.net/index.php",
"remotewd.com device local",
"nr-data.net \u2022 applemusic-spotlight.myunidays.com \u2022 init.ess.apple.com \u2022 tv.apple.com",
"https://browntubeporn.com/tsara-brashearsAccept-Language",
"https://cg864.myhotzpic.com phishing \u2022 http://dashboard.myhotzpic.com/",
"https://myhotzpic.com/tsara-brashears-hardcore-lesbian-sex/anime-studio.org*thumbs-fa...",
"https://mypornvid.com/videos/27/x510fb2/white-dpt-jeffrey-reimer-loves-pretty-indian-patient-forces-sex-3gp-video-tsara-brashears/caillou-finger",
"http://siteinlink.d1.cnbd.net/search/tsara-brashears-dead \u2022 http://siteinlink.d1.cnbd.net/site/maps.google.com.lb/",
"http://siteinlink.d1.cnbd.net/search/tsara-brashears-assaulted-by-jeffrey-reimer",
"http://siteinlink.d1.cnbd.net/search/tsara-brashears-dead \u2022 https://videolal.com/videos/tsara-brashears-dead-by-daylight.html",
"http://pixelrz.com/lists/keywords/tsara-brashears-dead/360 \u2022 http://pixelrz.com/lists/keywords/tsara-brashears-dead/360] No Expiration\t4\t Domain tsara-brashears-deadspin-twitter-suspended-account-help.ht",
"https://www.anyxxxtube.net/search-porn/tsara-brashears/",
"https://www.pornhub.com/gifs/search?search=tsara+lynn+brashears+lesbian",
"https://www.anyxxxtube.net/search-porn/tsara-brashears/",
"https://twitter.com/PORNO_SEXYBABES \u2022 girlsdoporn.com",
"Treece Alfrey Musat P.C. Attorneys at Law Christopher P. Ahmann | https://TamLegal.com",
"https://urlscan.io/screenshots/e931bb02-80dc-46db-92f0-43d5afa258be.png"
],
"public": 1,
"adversary": "",
"targeted_countries": [],
"malware_families": [
{
"id": "TrojanSpy:Win32/Nivdort",
"display_name": "TrojanSpy:Win32/Nivdort",
"target": "/malware/TrojanSpy:Win32/Nivdort"
},
{
"id": "Worm:Win32/Autorun",
"display_name": "Worm:Win32/Autorun",
"target": "/malware/Worm:Win32/Autorun"
},
{
"id": "Tofsee",
"display_name": "Tofsee",
"target": null
},
{
"id": "Jaik",
"display_name": "Jaik",
"target": null
},
{
"id": "Trojan:Win32/Qshell",
"display_name": "Trojan:Win32/Qshell",
"target": "/malware/Trojan:Win32/Qshell"
},
{
"id": "Trojan:Win32/Mydoom",
"display_name": "Trojan:Win32/Mydoom",
"target": "/malware/Trojan:Win32/Mydoom"
}
],
"attack_ids": [
{
"id": "T1045",
"name": "Software Packing",
"display_name": "T1045 - Software Packing"
},
{
"id": "T1057",
"name": "Process Discovery",
"display_name": "T1057 - Process Discovery"
},
{
"id": "T1060",
"name": "Registry Run Keys / Startup Folder",
"display_name": "T1060 - Registry Run Keys / Startup Folder"
},
{
"id": "T1053",
"name": "Scheduled Task/Job",
"display_name": "T1053 - Scheduled Task/Job"
},
{
"id": "T1055",
"name": "Process Injection",
"display_name": "T1055 - Process Injection"
},
{
"id": "T1082",
"name": "System Information Discovery",
"display_name": "T1082 - System Information Discovery"
},
{
"id": "T1112",
"name": "Modify Registry",
"display_name": "T1112 - Modify Registry"
},
{
"id": "T1119",
"name": "Automated Collection",
"display_name": "T1119 - Automated Collection"
},
{
"id": "T1129",
"name": "Shared Modules",
"display_name": "T1129 - Shared Modules"
},
{
"id": "T1143",
"name": "Hidden Window",
"display_name": "T1143 - Hidden Window"
},
{
"id": "T1063",
"name": "Security Software Discovery",
"display_name": "T1063 - Security Software Discovery"
},
{
"id": "T1027",
"name": "Obfuscated Files or Information",
"display_name": "T1027 - Obfuscated Files or Information"
},
{
"id": "T1071",
"name": "Application Layer Protocol",
"display_name": "T1071 - Application Layer Protocol"
},
{
"id": "T1518",
"name": "Software Discovery",
"display_name": "T1518 - Software Discovery"
},
{
"id": "T1553",
"name": "Subvert Trust Controls",
"display_name": "T1553 - Subvert Trust Controls"
},
{
"id": "T1568",
"name": "Dynamic Resolution",
"display_name": "T1568 - Dynamic Resolution"
},
{
"id": "T1583",
"name": "Acquire Infrastructure",
"display_name": "T1583 - Acquire Infrastructure"
},
{
"id": "T1069",
"name": "Permission Groups Discovery",
"display_name": "T1069 - Permission Groups Discovery"
},
{
"id": "T1105",
"name": "Ingress Tool Transfer",
"display_name": "T1105 - Ingress Tool Transfer"
},
{
"id": "T1113",
"name": "Screen Capture",
"display_name": "T1113 - Screen Capture"
},
{
"id": "T1140",
"name": "Deobfuscate/Decode Files or Information",
"display_name": "T1140 - Deobfuscate/Decode Files or Information"
},
{
"id": "T1197",
"name": "BITS Jobs",
"display_name": "T1197 - BITS Jobs"
},
{
"id": "T1210",
"name": "Exploitation of Remote Services",
"display_name": "T1210 - Exploitation of Remote Services"
},
{
"id": "T1457",
"name": "Malicious Media Content",
"display_name": "T1457 - Malicious Media Content"
},
{
"id": "T1480",
"name": "Execution Guardrails",
"display_name": "T1480 - Execution Guardrails"
},
{
"id": "T1562",
"name": "Impair Defenses",
"display_name": "T1562 - Impair Defenses"
},
{
"id": "T1574",
"name": "Hijack Execution Flow",
"display_name": "T1574 - Hijack Execution Flow"
}
],
"industries": [],
"TLP": "green",
"cloned_from": "695557ee134b978b00883c29",
"export_count": 1,
"upvotes_count": 0,
"downvotes_count": 0,
"votes_count": 0,
"locked": false,
"pulse_source": "web",
"validator_count": 0,
"comment_count": 0,
"follower_count": 0,
"vote": 0,
"author": {
"username": "Q.Vashti",
"id": "337942",
"avatar_url": "https://otx.alienvault.com/assets/images/default-avatar.png",
"is_subscribed": false,
"is_following": false
},
"indicator_type_counts": {
"URL": 8897,
"domain": 2102,
"hostname": 2867,
"FileHash-SHA256": 3886,
"FileHash-MD5": 619,
"FileHash-SHA1": 555,
"CVE": 3,
"email": 5,
"SSLCertFingerprint": 8
},
"indicator_count": 18942,
"is_author": false,
"is_subscribing": null,
"subscriber_count": 137,
"modified_text": "89 days ago ",
"is_modified": true,
"groups": [],
"in_group": false,
"threat_hunter_scannable": true,
"threat_hunter_has_agents": 1,
"related_indicator_type": "URL",
"related_indicator_is_active": 1
}
],
"error": null,
"vt": {
"error": "VirusTotal rate limit reached. Try again shortly.",
"indicator": "https://ftuapps.com/wp",
"type": "URL"
},
"abuseipdb": null,
"urlhaus": {
"indicator": "https://ftuapps.com/wp",
"type": "URL",
"found": false,
"verdict": "clean",
"error": null
},
"from_cache": true,
"_cached_at": 1776629708.966528
}