{ "type": "URL", "indicator": "https://gabek.dev", "general": { "sections": [ "general", "url_list", "http_scans", "screenshot" ], "indicator": "https://gabek.dev", "type": "url", "type_title": "URL", "validation": [], "base_indicator": { "id": 3006985067, "indicator": "https://gabek.dev", "type": "URL", "title": "", "description": "", "content": "", "access_type": "public", "access_reason": "" }, "pulse_info": { "count": 7, "pulses": [ { "id": "6946fdbb4a22dc28d60d6ca2", "name": "Expiro - DoomScroller \u2022 BrowseHappy | Part 2", "description": "Pulse: \u00c2\u00a31.1bn.io.com, a search engine for the most popular websites on the planet, is now available on Facebook, Twitter, Instagram and YouTube.", "modified": "2026-01-19T19:04:41.997000", "created": "2025-12-20T19:49:15.713000", "tags": [ "doomscroller", "browsehappy", "xpirat", "msie", "windows nt", "wow64", "slcc2", "media center", "read c", "united", "tlsv1", "execution", "dock", "write", "persistence", "encrypt", "meta", "browse happy", "worry", "body doctype", "online", "gmt server", "a domains", "ipv4 add", "win32", "trojandropper", "title", "date", "unknown", "post http", "cryptexportkey", "cryptgenkey", "calgrc4", "expiro", "temple", "xserver", "adversaries", "worry wordpress" ], "references": [ "Xpirat = doomscroller.io" ], "public": 1, "adversary": "", "targeted_countries": [], "malware_families": [ { "id": "Xpirat", "display_name": "Xpirat", "target": null }, { "id": "Expiro", "display_name": "Expiro", "target": null } ], "attack_ids": [ { "id": "T1053", "name": "Scheduled Task/Job", "display_name": "T1053 - Scheduled Task/Job" }, { "id": "T1055", "name": "Process Injection", "display_name": "T1055 - Process Injection" }, { "id": "T1082", "name": "System Information Discovery", "display_name": "T1082 - System Information Discovery" }, { "id": "T1112", "name": "Modify Registry", "display_name": "T1112 - Modify Registry" }, { "id": "T1119", "name": "Automated Collection", "display_name": "T1119 - Automated Collection" }, { "id": "T1129", "name": "Shared Modules", "display_name": "T1129 - Shared Modules" }, { "id": "T1143", "name": "Hidden Window", "display_name": "T1143 - Hidden Window" }, { "id": "T1045", "name": "Software Packing", "display_name": "T1045 - Software Packing" }, { "id": "T1057", "name": "Process Discovery", "display_name": "T1057 - Process Discovery" }, { "id": "T1060", "name": "Registry Run Keys / Startup Folder", "display_name": "T1060 - Registry Run Keys / Startup Folder" }, { "id": "T1457", "name": "Malicious Media Content", "display_name": "T1457 - Malicious Media Content" }, { "id": "T1036.004", "name": "Masquerade Task or Service", "display_name": "T1036.004 - Masquerade Task or Service" }, { "id": "T1176", "name": "Browser Extensions", "display_name": "T1176 - Browser Extensions" }, { "id": "T1011", "name": "Exfiltration Over Other Network Medium", "display_name": "T1011 - Exfiltration Over Other Network Medium" }, { "id": "T1210", "name": "Exploitation of Remote Services", "display_name": "T1210 - Exploitation of Remote Services" }, { "id": "TA0003", "name": "Persistence", "display_name": "TA0003 - Persistence" }, { "id": "TA0037", "name": "Command and Control", "display_name": "TA0037 - Command and Control" }, { "id": "T1595", "name": "Active Scanning", "display_name": "T1595 - Active Scanning" }, { "id": "T1423", "name": "Network Service Scanning", "display_name": "T1423 - Network Service Scanning" } ], "industries": [], "TLP": "white", "cloned_from": null, "export_count": 1, "upvotes_count": 0, "downvotes_count": 0, "votes_count": 0, "locked": false, "pulse_source": "web", "validator_count": 0, "comment_count": 0, "follower_count": 0, "vote": 0, "author": { "username": "Q.Vashti", "id": "337942", "avatar_url": "https://otx.alienvault.com/assets/images/default-avatar.png", "is_subscribed": false, "is_following": false }, "indicator_type_counts": { "URL": 5576, "domain": 1502, "FileHash-MD5": 116, "FileHash-SHA1": 73, "FileHash-SHA256": 1041, "SSLCertFingerprint": 1, "hostname": 1951 }, "indicator_count": 10260, "is_author": false, "is_subscribing": null, "subscriber_count": 138, "modified_text": "90 days ago ", "is_modified": true, "groups": [], "in_group": false, "threat_hunter_scannable": true, "threat_hunter_has_agents": 1, "related_indicator_type": "URL", "related_indicator_is_active": 1 }, { "id": "692f04e9fa3d782118e94aac", "name": "LevelBlue - Open Threat Exchange - Delete AppDeployed", "description": "I\u2019m not sure what to think. |\ndeploy-delete-app-us-east-2-1.deploy-delete-test-us-east-2-1mtsufd.us-east-2.gamma.forgeapps.ec2.aws.dev | Are these\npulses being sold or attacked? Christopher P. Ahmann of TAM Legal and his other firms has ALWAYS attacked targets phones and networks. Nothing is too outrageous for this maniac.\n\nHe is responsible for the recent attacks on devices , clouds , google accounts and a flurry of threats. Indicators in recently pulsed reports have been removed. I\u2019ve done my best to restore. \n\nI am also concerned about the safety or legitimacy of this platform.\n\nNo one is ever alerted. Simply calling someone and telling them about the compromises can equate to a big pay day for Level Blue and nothing for the victims of attacks. I need my pulses restored. \n\nIt\u2019s plausible to believe OTX was attacked by an external threat actor.\nAnything is possible when it comes to money.", "modified": "2026-01-01T15:04:20.907000", "created": "2025-12-02T15:25:29.158000", "tags": [ "levelblue", "open threat", "dynamicloader", "tlsv1", "high", "msie", "windows nt", "delete c", "fwlink", "stream", "powershell", "write", "malware", "local", "united", "flag", "date", "server", "crazy egg", "name server", "gmt flag", "domain address", "markmonitor", "enom", "sugges", "onv incude", "data upload", "find s", "extraction", "types", "type", "indicator", "click", "windir", "openurl c", "prefetch2", "analysis", "tor analysis", "dns requests", "contacted hosts", "search", "entries", "read c", "medium", "memcommit", "tls handshake", "failure", "module load", "next", "execution", "dock", "capture", "persistence", "copy", "unknown", "suricata alert", "et info", "bad traffic", "learn", "command", "ck id", "name tactics", "suspicious", "informative", "adversaries", "spawns", "t1480 execution", "file defense", "write c", "x02x82", "xe6x15c6", "x16f", "xc0xc0xc0", "revengerat", "guard", "service", "encrypt", "entries yara", "delphi", "win32", "jordan", "delete app" ], "references": [ "https://otx.alienvault.com/indicator/domain/Tamlegal.com", "DotNET_Reactor System.Security.Cryptography.AesCryptoServiceProvider System.Security.Cryptography System.Security.Cryptography ICryptoTransform Eziriz", "endgames.com \u2022 endgames.us \u2022 endgamesystems.com \u2022 http://www.onyx-ware.com/lander", "deploy-delete-app-us-east-2-1.deploy-delete-test-us-east-2-1mtsufd.us-east-2.gamma.forgeapps.ec2.aws.dev" ], "public": 1, "adversary": "", "targeted_countries": [ "United States of America" ], "malware_families": [ { "id": "Win.Malware.Vmprotect-9880726-0", "display_name": "Win.Malware.Vmprotect-9880726-0", "target": null }, { "id": "Other Malware", "display_name": "Other Malware", "target": null } ], "attack_ids": [ { "id": "T1053", "name": "Scheduled Task/Job", "display_name": "T1053 - Scheduled Task/Job" }, { "id": "T1055", "name": "Process Injection", "display_name": "T1055 - Process Injection" }, { "id": "T1056", "name": "Input Capture", "display_name": "T1056 - Input Capture" }, { "id": "T1071", "name": "Application Layer Protocol", "display_name": "T1071 - Application Layer Protocol" }, { "id": "T1082", "name": "System Information Discovery", "display_name": "T1082 - System Information Discovery" }, { "id": "T1112", "name": "Modify Registry", "display_name": "T1112 - Modify Registry" }, { "id": "T1119", "name": "Automated Collection", "display_name": "T1119 - Automated Collection" }, { "id": "T1129", "name": "Shared Modules", "display_name": "T1129 - Shared Modules" }, { "id": "T1143", "name": "Hidden Window", "display_name": "T1143 - Hidden Window" }, { "id": "T1134", "name": "Access Token Manipulation", "display_name": "T1134 - Access Token Manipulation" }, { "id": "T1027", "name": "Obfuscated Files or Information", "display_name": "T1027 - Obfuscated Files or Information" }, { "id": "T1057", "name": "Process Discovery", "display_name": "T1057 - Process Discovery" }, { "id": "T1069", "name": "Permission Groups Discovery", "display_name": "T1069 - Permission Groups Discovery" }, { "id": "T1105", "name": "Ingress Tool Transfer", "display_name": "T1105 - Ingress Tool Transfer" }, { "id": "T1480", "name": "Execution Guardrails", "display_name": "T1480 - Execution Guardrails" }, { "id": "T1147", "name": "Hidden Users", "display_name": "T1147 - Hidden Users" } ], "industries": [ "Technology", "Legal" ], "TLP": "white", "cloned_from": null, "export_count": 5, "upvotes_count": 0, "downvotes_count": 0, "votes_count": 0, "locked": false, "pulse_source": "web", "validator_count": 0, "comment_count": 0, "follower_count": 0, "vote": 0, "author": { "username": "Q.Vashti", "id": "337942", "avatar_url": "https://otx.alienvault.com/assets/images/default-avatar.png", "is_subscribed": false, "is_following": false }, "indicator_type_counts": { "URL": 4624, "FileHash-SHA256": 2021, "FileHash-MD5": 51, "FileHash-SHA1": 20, "SSLCertFingerprint": 10, "hostname": 1433, "domain": 728 }, "indicator_count": 8887, "is_author": false, "is_subscribing": null, "subscriber_count": 140, "modified_text": "108 days ago ", "is_modified": true, "groups": [], "in_group": false, "threat_hunter_scannable": true, "threat_hunter_has_agents": 1, "related_indicator_type": "URL", "related_indicator_is_active": 1 }, { "id": "6888a85aa32aab22f638d0e6", "name": "Autodesk issue in CrowdStrike prior to outage | [by scoreblue]", "description": "", "modified": "2025-07-29T10:54:18.501000", "created": "2025-07-29T10:54:18.501000", "tags": [ "healthy check", "ssl bypass", "domain tracker", "privacy badger", "startpage", "w11 pc", "pass", "iocs", "all scoreblue", "pdf report", "pcap", "stix", "avast avg", "no expiration", "status", "name servers", "moved", "h1 center", "next", "sec ch", "ch ua", "ua platform", "emails", "certificate", "passive dns", "urls", "encrypt", "body", "pe32 executable", "ms windows", "intel", "windows control", "panel item", "dos borland", "executable", "algorithm", "thumbprint", "serial number", "signing ca", "symantec time", "stamping", "g2 name", "g2 issuer", "class", "code", "kb pe", "csc corporate", "porkbun llc", "gandi sas", "request", "path", "get https", "get http", "response", "cachecontrol", "pragma", "connection", "gmt connection", "accept", "slug", "as29789", "united", "unknown", "ransom", "heur", "server", "registrar abuse", "san rafael", "autodesk", "contact phone", "registrar url", "process32nextw", "create c", "read c", "writeconsolew", "delete", "write", "show", "malware", "write c", "regsetvalueexa", "delete c", "search", "regdword", "whitelisted", "panda banker", "ursnif", "win32", "persistence", "execution", "banker", "local", "domain", "servers", "pulse pulses", "files", "ip address", "creation date", "united kingdom", "as9009 m247", "ipv4", "pulse submit", "url analysis", "twitter", "as16552 tiggee", "as397241", "as397240", "entries", "cname", "nxdomain", "a nxdomain", "worm", "file samples", "files matching", "alf features", "denver co", "wewatta", "scan endpoints", "related pulses", "date hash", "showing", "as62597 nsone", "date", "trojanspy", "cookie", "hostmaster", "expiration date", "msie", "windows nt", "wow64", "slcc2", "media center", "tls handshake", "et info", "getdc0x2a", "failure", "post http", "copy", "crash", "ascii text", "ascii", "jpeg image", "artemis", "trojan", "virustotal", "mike", "vipre", "panda", "win32mediadrug", "win324shared", "win32spigot", "hstr", "lowfi", "yara detections", "contacted", "report spam", "mozilla", "trojanclicker", "url http", "url https", "role title", "added active", "type indicator", "source domain", "akamai rank", "hostname", "ver2", "msclkidn", "vids0", "global outage", "cobalt strike", "fancy bear", "communications", "android device", "cnc beacon", "suspicious ua", "youtube", "sakula rat", "mivast", "sakula", "windows", "samuel tulach", "light dark", "samuel", "tulach", "hyperv", "detecting", "writing gui", "bootkits", "world", "information", "discovery", "t1027", "t1057", "t1071", "protocol", "t1105", "tool transfer", "t1129", "capture", "service", "t1119" ], "references": [ "autodesk.com [ Everything below was found in Autodesk [including crowdstrike & any.desk] Found in in Crowdsrike if labeled.", "66.254.114.234 | reflectededge.reflected.net | reflected.net | 192.0.2.0 | https://www.brazzers.com/ | brazzers.com | brazzersnetwork.com", "keezmovies.com | redtube.com | tube8.com | tube8.com | youporn.com| 0.brazzers.com | www.g-tunnel.comwww.brazzers.com |", "Win32:Mystic , Win.Trojan.Xblocker-236 \u00bbFileHash-SHA256 8c59adbccc1987d13fec983f1e2be046611511b65479d1719bda77c5c90bbe21", "IDS Detections: TLS Handshake Failure | Alerts: network_icmp , injection", "Win32:BankerX-gen\\ [Trj] \u00bb FileHash-SHA256 2e5118d15a18ae852bf94d91707ff634d9d8354fef492f5c4e1c46b9cf96184c", "IDS Detections: Zeus Panda Banker / Ursnif Malicious SSL Certificate Detected TLS Handshake Failure", "Alerts: network_icmp antisandbox_idletime modifies_certificates modifies_proxy_wpad disables_proxy", "RedTube.com Detections: ALF:AGGR:OpcCl:95!ml , ALF:JASYP:Backdoor:Win32/Cycbot!atmn , Win.Downloader.117423-1 ,", "RedTube.com Detections: Win.Trojan.Crypt-321 , Win.Trojan.FakeAV-4166 , Win.Trojan.Fakeav-10977 , Win.Trojan.Fakeav-3386", "Crowdstrike: wildcard.352-445-1166.device.sim.to.img.sedoparking.com", "Crowdstrike: maxfehlinger.de http://auth.cranberry.testing.maxfehlinger.de | http://latex.cranberry.testing.maxfehlinger.de |", "Crowdstrike: https://traefik.cranberry.testing.maxfehlinger.de | http://traefik.cranberry.testing.maxfehlinger.de |", "Crowdstrike: http://watchtower.cranberry.testing.maxfehlinger.de| https://auth.cranberry.testing.maxfehlinger.de |", "Crowdstrike: auth.cranberry.testing.maxfehlinger.de | latex.cranberry.testing.maxfehlinger.de | traefik.cranberry.testing.maxfehlinger.de |", "Crowdstrike: watchtower.cranberry.testing.maxfehlinger.de | https://latex.cranberry.testing.maxfehlinger.de |", "Crowdstrike: https://www.anyxxxtube.net/search-porn/tsara-brashears/\tphishing\t| https://www.anyxxxtube.net/sitemap.xml", "Crowdstrike: https://www.pornhub.com/gifs/search?search=tsara+lynn+brash |", "Crowdstrike: autodesk.com | 0ds.autodesk.com | aknanalytics.autodesk.com | anubis.autodesk.com | autobetaint.autodesk.com", "Crowdstrike: autodeskarchitecture.autodesk.com | beacon-dev3.autodesk.com | boxtooffice365.autodesk.com | brahma-studio.autodesk.com", "Crowdstrike: cdc-stg-emea.autodesk.com | cloudcost.autodesk.com | cloudpc-stg.autodesk.com | d-s.autodesk.com |", "Crowdstrike: daiwahouse-learning.autodesk.com| datagovernance-dev.autodesk.com | enterprise-api-np.autodesk.com", "Crowdstrike: symcd.com [Certificate Subjectaltname \u00bb\u00bb anydesk.com \u00bb\u00bb http://gn.symcb.com/gn.crt Ocsp\thttp://gn.symcd.com] ANYDESK.COM-unsigned", "Crowdstrike: https://bat.bing.com/action/0?ti=12001672&tm=al001&Ver=2&mid=12436868-a484-4998-931c-980262982f67&sid=b92cd8f0483e11efa3c96fe28be413cb&vid=b92cdd10483e11efb1024309353d849f&vids=1&msclkid=N&pi=-740138922&lg=en-US&sw=800&sh=600&sc=24&tl=CrowdStrike%3A%20Stop%20breaches.%20Drive%20business.&p=https%3A%2F%2Fwww.crowdstrike.com%2Fen-us%2F&r=<=1022&pt=1721661968606", "Crowdstrike: \tbat.bing.com, https://tulach.cc, https://otx.alienvault.com/indicator/url/http://www.hallrender.com/attorney/brian-sabey", "Crowdstrike: https://www.pornhub.com/gifs/search?search=tsara+lynn+brashears+lesbian | https://www.pornhub.com/video/search?search=tsara+brashears | www.youtube.com/watch?v=GyuMozsVyYs | www.pornhub.com | www.youtube.com", "Crowdstrike: https://hr.employmenthero.com/rs/387-SZZ-170/images/youtube-icon-emp-hero-violet.png", "Crowdstrike + Autodesk.com: hallrender.com/attorney/brian-sabey www.hallrender.com/attorney/brian-sabey hallrender.com www.hallrender.com https://hallrender.com milehighmedia.com https://www.milehighmedia.com/ https://www.milehighmedia.com/legal/2257", "Crowdstrike + Autodesk.com: brassiere.world mail.brassiere.world webdisk.brassiere.world webmail.brassiere.world", "Crowdstrike + Autodesk.com: 128 + symcd.com some w/issues | 658 autodesk.com pulse some w/issues | removed any.desk & boot", "The more I say...Any.Desk + boot.net.anydesk.com was in OG Private CrowdsStrike pulse", "Above links in search results direct out with and arrow pointing out.", "https://otx.alienvault.com/browse/global/pulses?q=tag:%22esta%20caliente%22&include_inactive=0&sort=-modified&page=1&limit=10&indicatorsSearch=esta%20caliente", "Above link opened 'esta caliente'= 'it's hot'| I did NOT do that | All connected links gone. This has become common.", "I didn't add pertinent findings back to Pulse. Pulse comp,eyes says ago . Couldn't submit. It's was actually a tiny pulse of autodesk.com with crowdstrike relationship references,", "boot.net.anydesk.com removed from my Pulse below", "https://otx.alienvault.com/pulse/66d4c125ad61ee5577639a2d" ], "public": 1, "adversary": "", "targeted_countries": [ "United States of America", "Netherlands" ], "malware_families": [ { "id": "Win32:Mystic", "display_name": "Win32:Mystic", "target": null }, { "id": "Win.Trojan.Xblocker-236", "display_name": "Win.Trojan.Xblocker-236", "target": null }, { "id": "Ransom:Win32/Genasom", "display_name": "Ransom:Win32/Genasom", "target": "/malware/Ransom:Win32/Genasom" }, { "id": "Worm:Win32/Autorun", "display_name": "Worm:Win32/Autorun", "target": "/malware/Worm:Win32/Autorun" }, { "id": "ALF:JASYP:Backdoor:Win32/Cycbot", "display_name": "ALF:JASYP:Backdoor:Win32/Cycbot", "target": null }, { "id": "#LowFiEnableDTContinueAfterUnpacking", "display_name": "#LowFiEnableDTContinueAfterUnpacking", "target": null }, { "id": "TrojanSpy", "display_name": "TrojanSpy", "target": null }, { "id": "TrojanSpy:Win32/Usteal", "display_name": "TrojanSpy:Win32/Usteal", "target": "/malware/TrojanSpy:Win32/Usteal" }, { "id": "Win.Trojan.PoetRat-7669676-0", "display_name": "Win.Trojan.PoetRat-7669676-0", "target": null }, { "id": "Mivast", "display_name": "Mivast", "target": null }, { "id": "Sakula", "display_name": "Sakula", "target": null } ], "attack_ids": [ { "id": "T1003", "name": "OS Credential Dumping", "display_name": "T1003 - OS Credential Dumping" }, { "id": "T1005", "name": "Data from Local System", "display_name": "T1005 - Data from Local System" }, { "id": "T1047", "name": "Windows Management Instrumentation", "display_name": "T1047 - Windows Management Instrumentation" }, { "id": "T1053", "name": "Scheduled Task/Job", "display_name": "T1053 - Scheduled Task/Job" }, { "id": "T1055", "name": "Process Injection", "display_name": "T1055 - Process Injection" }, { "id": "T1057", "name": "Process Discovery", "display_name": "T1057 - Process Discovery" }, { "id": "T1060", "name": "Registry Run Keys / Startup Folder", "display_name": "T1060 - Registry Run Keys / Startup Folder" }, { "id": "T1081", "name": "Credentials in Files", "display_name": "T1081 - Credentials in Files" }, { "id": "T1082", "name": "System Information Discovery", "display_name": "T1082 - System Information Discovery" }, { "id": "T1119", "name": "Automated Collection", "display_name": "T1119 - Automated Collection" }, { "id": "T1129", "name": "Shared Modules", "display_name": "T1129 - Shared Modules" }, { "id": "T1040", "name": "Network Sniffing", "display_name": "T1040 - Network Sniffing" }, { "id": "T1112", "name": "Modify Registry", "display_name": "T1112 - Modify Registry" }, { "id": "T1566", "name": "Phishing", "display_name": "T1566 - Phishing" }, { "id": "T1045", "name": "Software Packing", "display_name": "T1045 - Software Packing" }, { "id": "T1106", "name": "Native API", "display_name": "T1106 - Native API" }, { "id": "T1021", "name": "Remote Services", "display_name": "T1021 - Remote Services" }, { "id": "T1210", "name": "Exploitation of Remote Services", "display_name": "T1210 - Exploitation of Remote Services" }, { "id": "T1027", "name": "Obfuscated Files or Information", "display_name": "T1027 - Obfuscated Files or Information" }, { "id": "T1056", "name": "Input Capture", "display_name": "T1056 - Input Capture" }, { "id": "T1071", "name": "Application Layer Protocol", "display_name": "T1071 - Application Layer Protocol" }, { "id": "T1105", "name": "Ingress Tool Transfer", "display_name": "T1105 - Ingress Tool Transfer" }, { "id": "T1140", "name": "Deobfuscate/Decode Files or Information", "display_name": "T1140 - Deobfuscate/Decode Files or Information" }, { "id": "T1143", "name": "Hidden Window", "display_name": "T1143 - Hidden Window" }, { "id": "T1158", "name": "Hidden Files and Directories", "display_name": "T1158 - Hidden Files and Directories" }, { "id": "T1498", "name": "Network Denial of Service", "display_name": "T1498 - Network Denial of Service" }, { "id": "T1518", "name": "Software Discovery", "display_name": "T1518 - Software Discovery" }, { "id": "T1553", "name": "Subvert Trust Controls", "display_name": "T1553 - Subvert Trust Controls" }, { "id": "T1568", "name": "Dynamic Resolution", "display_name": "T1568 - Dynamic Resolution" }, { "id": "T1583", "name": "Acquire Infrastructure", "display_name": "T1583 - Acquire Infrastructure" } ], "industries": [], "TLP": "white", "cloned_from": "66d89c45ddc0c7db084b75b7", "export_count": 19, "upvotes_count": 0, "downvotes_count": 0, "votes_count": 0, "locked": false, "pulse_source": "web", "validator_count": 0, "comment_count": 0, "follower_count": 0, "vote": 0, "author": { "username": "Q.Vashti", "id": "337942", "avatar_url": "https://otx.alienvault.com/assets/images/default-avatar.png", "is_subscribed": false, "is_following": false }, "indicator_type_counts": { "FileHash-MD5": 1417, "FileHash-SHA1": 1165, "FileHash-SHA256": 6536, "URL": 6112, "domain": 1340, "hostname": 2654, "email": 15, "SSLCertFingerprint": 9 }, "indicator_count": 19248, "is_author": false, "is_subscribing": null, "subscriber_count": 139, "modified_text": "264 days ago ", "is_modified": false, "groups": [], "in_group": false, "threat_hunter_scannable": true, "threat_hunter_has_agents": 1, "related_indicator_type": "URL", "related_indicator_is_active": 1 }, { "id": "6647908c09468f42bc1249f1", "name": "University of Alberta Azure/Entra Compromised Tenant Compromized Institution", "description": "Update: Academic/Non-Academic Staff Unions, 3rd party org, & some profs/students/alumni tried raising concerns to Admins/President/IST & CISO => Maintaining position they will not be looking into reported problems re: Cybersecurity under any circumstances = more time more problems? Attempts to advocate -> Harrass./Discrim./De-humanizing responses from admins (representing all folks - recorded). \nTenant ID: 718b8a9b-44d8-441a-a344-4294ea842172 = This pulse is 1 example (small) of problems.\n\nPrimary domain\nualbertaca.onmicrosoft.com\nCustom Domain Names\nualberta.ca\nVerified\nualbertaca.onmicrosoft.com", "modified": "2025-03-01T04:59:57.222000", "created": "2024-05-17T17:14:52.317000", "tags": [ "false", "true", "visible", "application", "microsoft teams", "microsoft azure", "office", "service", "dynamics", "hidden", "android", "explorer", "write", "connector", "test", "sharepoint", "live", "meister", "tools", "desktop", "spark", "front", "enterprise", "designer", "atlas", "premium", "assistant", "allow", "azureadmyorg", "game", "verify", "microsoft power", "channelsurfcli", "mtd1", "file transfer", "magnus", "microsoft crm", "youth" ], "references": [ "All - EnterpriseAppsList.csv", "AppRegistrationList.csv", "https://tria.ge/240517-vc7c1shc62/behavioral1", "https://tria.ge/240517-vdwb5shc71/behavioral1", "https://tria.ge/240517-vqxezaaa33/behavioral1", "https://tria.ge/240517-t9pc2ahb2t", "https://www.virustotal.com/graph/embed/g9453a2f58a3340f18120987c2b4d710dbb44ded88c434abf8894458a98c7bd4b?theme=dark", "https://www.virustotal.com/gui/collection/b84a19d60ec7cd6d546a3f145dff8987128d0f499161118b46de22718d4713cd/iocs", "https://www.virustotal.com/gui/collection/b84a19d60ec7cd6d546a3f145dff8987128d0f499161118b46de22718d4713cd/graph", "https://www.virustotal.com/gui/collection/b84a19d60ec7cd6d546a3f145dff8987128d0f499161118b46de22718d4713cd/summary", "https://www.filescan.io/uploads/66479b483313f70f0afe3dbb", "https://www.filescan.io/uploads/664799c9d5c40bffee6106d7", "Thor Scan: S-I9VvMTB6cZU", "https://www.filescan.io/uploads/664ba368d5c40bffee63b1ee/reports/31817751-6b5d-45df-8813-472aa6c756a3/overview", "https://www.filescan.io/uploads/664ba8a20663ff3c2ec6428a/reports/09d3d82a-7ec1-4804-93e5-5ae691fbb7f2/overview", "https://imp0rtp3.wordpress.com/2021/08/12/tetris/", "https://www.filescan.io/uploads/664bb0cd7c9fb1468fc610c5/reports/00c78e4d-2156-4906-a106-ebf7e2723251/overview", "https://www.filescan.io/uploads/664bb40fbc04dffa92240ca2/reports/398074f2-c7b6-40e9-9b5c-4225cc990473/overview", "https://www.filescan.io/uploads/664bb683bc04dffa92241015/reports/92b70fd6-97d7-4386-8465-f3fd79043843/overview", "https://tria.ge/240521-q4s79agb25/static1", "https://app.malcore.io/share/652553f6aec33d70a1dbbd25/664f906322f5af13cdfb50be", "https://app.malcore.io/share/652553f6aec33d70a1dbbd25/664f906222f5af13cdfb5093", "https://www.filescan.io/uploads/666d69ff6b8dba248b414767/reports/dda2c8a1-96fd-4c00-9cbc-c64c4685a804/overview", "https://www.filescan.io/uploads/666d69ff6b8dba248b414767", "https://viz.greynoise.io/analysis/33e9b33b-b932-4c43-9be1-3e2d6f9cb4b3", "https://viz.greynoise.io/analysis/e51d9a15-d802-4d51-9a70-17803dc2693a", "https://app.malcore.io/share/652553f6aec33d70a1dbbd25/667d01d2b67682d81c00f37b", "Above Malcore Strings: All - EnterpriseAppsList, AppRegistration, EnterpriseAppslist, exportGroup, exportUsers, HiddenApps - EnterpriseAppsList****", "https://app.malcore.io/share/652553f6aec33d70a1dbbd25/667d00975ea31558d54fceea", "https://app.malcore.io/share/652553f6aec33d70a1dbbd25/667cff1a5ea31558d54fcbf6", "https://app.malcore.io/share/652553f6aec33d70a1dbbd25/667d0107b44401771de9ebf2", "https://app.malcore.io/share/652553f6aec33d70a1dbbd25/667d00356dd8f43b723a915a", "https://app.malcore.io/share/652553f6aec33d70a1dbbd25/667cffec5ea31558d54fcda2", "https://www.hudsonrock.com/search?domain=ualberta.ca", "https://www.criminalip.io/domain/report?scan_id=13798622", "https://viz.greynoise.io/analysis/9635144c-db8f-47ab-a83a-5785602244cf - 07.03.24", "https://urlscan.io/search/#ualberta.ca", "https://www.virustotal.com/gui/collection/0ca12fcdd125ec5a5055180ee828b98d47b8b2e920660be559c2b602266b6b1d/iocs", "https://sitereport.netcraft.com/?url=http://ualberta.ca", "https://www.wordfence.com/blog/2022/10/threat-advisory-monitoring-cve-2022-42889-text4shell-exploit-attempts/", "https://tenantresolution.pingcastle.com/Search - Tenant still active (07.19.24) - Good jobs ya'll", "https://www.virustotal.com/graph/embed/gf1d5aa209c7f4fd086e4cb17dcd0af52421ea4bae87d49fe9b4076b382612f0e?theme=dark", "https://viz.greynoise.io/query/AS36351%20classification:%22malicious%22", "https://viz.greynoise.io/query/AS60068%20classification:%22malicious%22", "https://viz.greynoise.io/query/AS8075%20classification:%22malicious%22", "https://viz.greynoise.io/query/AS15169%20classification:%22malicious%22", "https://app.malcore.io/share/652553f6aec33d70a1dbbd25/667d01d2b67682d81c00f37b - https://app.malcore.io/share/652553f6aec33d70a1dbbd25/667d01d2b67682d81c00f37b = Hidden Apps - Enterprise Apps List" ], "public": 1, "adversary": "", "targeted_countries": [ "United States of America", "Canada" ], "malware_families": [], "attack_ids": [], "industries": [ "Education", "Technology", "Healthcare", "Telecommunications", "Government" ], "TLP": "white", "cloned_from": null, "export_count": 25, "upvotes_count": 0, "downvotes_count": 0, "votes_count": 0, "locked": false, "pulse_source": "web", "validator_count": 0, "comment_count": 7, "follower_count": 0, "vote": 0, "author": { "username": "Disable_Duck", "id": "244325", "avatar_url": "/otxapi/users/avatar_image/media/avatars/user_244325/resized/80/avatar_3b9c358f36.png", "is_subscribed": false, "is_following": false }, "indicator_type_counts": { "FileHash-MD5": 1703, "FileHash-SHA256": 90472, "URL": 99185, "domain": 82954, "hostname": 39041, "FileHash-SHA1": 1624, "email": 4658, "CVE": 12 }, "indicator_count": 319649, "is_author": false, "is_subscribing": null, "subscriber_count": 139, "modified_text": "414 days ago ", "is_modified": true, "groups": [], "in_group": false, "threat_hunter_scannable": true, "threat_hunter_has_agents": 1, "related_indicator_type": "URL", "related_indicator_is_active": 1 }, { "id": "66d89c45ddc0c7db084b75b7", "name": "Autodesk weakens CS | Unauthorized AlienVault API | Stolen pulsed", "description": "Critical issues within AlienVault , VT & my devices. Plugins auto installed after I opened message from AV user. Sudden redirects to 0/ http/s. Heavy modifications, removal of IoC's on AV & VT & Virus Total. Autodesk.com was under CrowdStrike until last night. Links where vulnerabilities were originating from completely disappeared from graph I kindly kept private. Continuous mods for months to Crowdstrike and other pulses. [https://otx.alienvault.com/api appears in search] A page opens with Tag: \"esta caliente\" | All linked pulses Gone. Only person who frequently contacted me appears where they didn't before & These dishonest billion $ companies cover up though they are at fault for allowing ALL threat actor to be protected with non adversarial businesses. Besides other compromises, surprisingly Brashears porn found in Crowdstrike/Autodesk others. Disappointing.", "modified": "2024-10-04T17:02:07.067000", "created": "2024-09-04T17:43:33.123000", "tags": [ "healthy check", "ssl bypass", "domain tracker", "privacy badger", "startpage", "w11 pc", "pass", "iocs", "all scoreblue", "pdf report", "pcap", "stix", "avast avg", "no expiration", "status", "name servers", "moved", "h1 center", "next", "sec ch", "ch ua", "ua platform", "emails", "certificate", "passive dns", "urls", "encrypt", "body", "pe32 executable", "ms windows", "intel", "windows control", "panel item", "dos borland", "executable", "algorithm", "thumbprint", "serial number", "signing ca", "symantec time", "stamping", "g2 name", "g2 issuer", "class", "code", "kb pe", "csc corporate", "porkbun llc", "gandi sas", "request", "path", "get https", "get http", "response", "cachecontrol", "pragma", "connection", "gmt connection", "accept", "slug", "as29789", "united", "unknown", "ransom", "heur", "server", "registrar abuse", "san rafael", "autodesk", "contact phone", "registrar url", "process32nextw", "create c", "read c", "writeconsolew", "delete", "write", "show", "malware", "write c", "regsetvalueexa", "delete c", "search", "regdword", "whitelisted", "panda banker", "ursnif", "win32", "persistence", "execution", "banker", "local", "domain", "servers", "pulse pulses", "files", "ip address", "creation date", "united kingdom", "as9009 m247", "ipv4", "pulse submit", "url analysis", "twitter", "as16552 tiggee", "as397241", "as397240", "entries", "cname", "nxdomain", "a nxdomain", "worm", "file samples", "files matching", "alf features", "denver co", "wewatta", "scan endpoints", "related pulses", "date hash", "showing", "as62597 nsone", "date", "trojanspy", "cookie", "hostmaster", "expiration date", "msie", "windows nt", "wow64", "slcc2", "media center", "tls handshake", "et info", "getdc0x2a", "failure", "post http", "copy", "crash", "ascii text", "ascii", "jpeg image", "artemis", "trojan", "virustotal", "mike", "vipre", "panda", "win32mediadrug", "win324shared", "win32spigot", "hstr", "lowfi", "yara detections", "contacted", "report spam", "mozilla", "trojanclicker", "url http", "url https", "role title", "added active", "type indicator", "source domain", "akamai rank", "hostname", "ver2", "msclkidn", "vids0", "global outage", "cobalt strike", "fancy bear", "communications", "android device", "cnc beacon", "suspicious ua", "youtube", "sakula rat", "mivast", "sakula", "windows", "samuel tulach", "light dark", "samuel", "tulach", "hyperv", "detecting", "writing gui", "bootkits", "world", "information", "discovery", "t1027", "t1057", "t1071", "protocol", "t1105", "tool transfer", "t1129", "capture", "service", "t1119" ], "references": [ "autodesk.com [ Everything below was found in Autodesk [including crowdstrike & any.desk] Found in in Crowdsrike if labeled.", "66.254.114.234 | reflectededge.reflected.net | reflected.net | 192.0.2.0 | https://www.brazzers.com/ | brazzers.com | brazzersnetwork.com", "keezmovies.com | redtube.com | tube8.com | tube8.com | youporn.com| 0.brazzers.com | www.g-tunnel.comwww.brazzers.com |", "Win32:Mystic , Win.Trojan.Xblocker-236 \u00bbFileHash-SHA256 8c59adbccc1987d13fec983f1e2be046611511b65479d1719bda77c5c90bbe21", "IDS Detections: TLS Handshake Failure | Alerts: network_icmp , injection", "Win32:BankerX-gen\\ [Trj] \u00bb FileHash-SHA256 2e5118d15a18ae852bf94d91707ff634d9d8354fef492f5c4e1c46b9cf96184c", "IDS Detections: Zeus Panda Banker / Ursnif Malicious SSL Certificate Detected TLS Handshake Failure", "Alerts: network_icmp antisandbox_idletime modifies_certificates modifies_proxy_wpad disables_proxy", "RedTube.com Detections: ALF:AGGR:OpcCl:95!ml , ALF:JASYP:Backdoor:Win32/Cycbot!atmn , Win.Downloader.117423-1 ,", "RedTube.com Detections: Win.Trojan.Crypt-321 , Win.Trojan.FakeAV-4166 , Win.Trojan.Fakeav-10977 , Win.Trojan.Fakeav-3386", "Crowdstrike: wildcard.352-445-1166.device.sim.to.img.sedoparking.com", "Crowdstrike: maxfehlinger.de http://auth.cranberry.testing.maxfehlinger.de | http://latex.cranberry.testing.maxfehlinger.de |", "Crowdstrike: https://traefik.cranberry.testing.maxfehlinger.de | http://traefik.cranberry.testing.maxfehlinger.de |", "Crowdstrike: http://watchtower.cranberry.testing.maxfehlinger.de| https://auth.cranberry.testing.maxfehlinger.de |", "Crowdstrike: auth.cranberry.testing.maxfehlinger.de | latex.cranberry.testing.maxfehlinger.de | traefik.cranberry.testing.maxfehlinger.de |", "Crowdstrike: watchtower.cranberry.testing.maxfehlinger.de | https://latex.cranberry.testing.maxfehlinger.de |", "Crowdstrike: https://www.anyxxxtube.net/search-porn/tsara-brashears/\tphishing\t| https://www.anyxxxtube.net/sitemap.xml", "Crowdstrike: https://www.pornhub.com/gifs/search?search=tsara+lynn+brash |", "Crowdstrike: autodesk.com | 0ds.autodesk.com | aknanalytics.autodesk.com | anubis.autodesk.com | autobetaint.autodesk.com", "Crowdstrike: autodeskarchitecture.autodesk.com | beacon-dev3.autodesk.com | boxtooffice365.autodesk.com | brahma-studio.autodesk.com", "Crowdstrike: cdc-stg-emea.autodesk.com | cloudcost.autodesk.com | cloudpc-stg.autodesk.com | d-s.autodesk.com |", "Crowdstrike: daiwahouse-learning.autodesk.com| datagovernance-dev.autodesk.com | enterprise-api-np.autodesk.com", "Crowdstrike: symcd.com [Certificate Subjectaltname \u00bb\u00bb anydesk.com \u00bb\u00bb http://gn.symcb.com/gn.crt Ocsp\thttp://gn.symcd.com] ANYDESK.COM-unsigned", "Crowdstrike: https://bat.bing.com/action/0?ti=12001672&tm=al001&Ver=2&mid=12436868-a484-4998-931c-980262982f67&sid=b92cd8f0483e11efa3c96fe28be413cb&vid=b92cdd10483e11efb1024309353d849f&vids=1&msclkid=N&pi=-740138922&lg=en-US&sw=800&sh=600&sc=24&tl=CrowdStrike%3A%20Stop%20breaches.%20Drive%20business.&p=https%3A%2F%2Fwww.crowdstrike.com%2Fen-us%2F&r=<=1022&pt=1721661968606", "Crowdstrike: \tbat.bing.com, https://tulach.cc, https://otx.alienvault.com/indicator/url/http://www.hallrender.com/attorney/brian-sabey", "Crowdstrike: https://www.pornhub.com/gifs/search?search=tsara+lynn+brashears+lesbian | https://www.pornhub.com/video/search?search=tsara+brashears | www.youtube.com/watch?v=GyuMozsVyYs | www.pornhub.com | www.youtube.com", "Crowdstrike: https://hr.employmenthero.com/rs/387-SZZ-170/images/youtube-icon-emp-hero-violet.png", "Crowdstrike + Autodesk.com: hallrender.com/attorney/brian-sabey www.hallrender.com/attorney/brian-sabey hallrender.com www.hallrender.com https://hallrender.com milehighmedia.com https://www.milehighmedia.com/ https://www.milehighmedia.com/legal/2257", "Crowdstrike + Autodesk.com: brassiere.world mail.brassiere.world webdisk.brassiere.world webmail.brassiere.world", "Crowdstrike + Autodesk.com: 128 + symcd.com some w/issues | 658 autodesk.com pulse some w/issues | removed any.desk & boot", "The more I say...Any.Desk + boot.net.anydesk.com was in OG Private CrowdsStrike pulse", "Above links in search results direct out with and arrow pointing out.", "https://otx.alienvault.com/browse/global/pulses?q=tag:%22esta%20caliente%22&include_inactive=0&sort=-modified&page=1&limit=10&indicatorsSearch=esta%20caliente", "Above link opened 'esta caliente'= 'it's hot'| I did NOT do that | All connected links gone. This has become common.", "I didn't add pertinent findings back to Pulse. Pulse comp,eyes says ago . Couldn't submit. It's was actually a tiny pulse of autodesk.com with crowdstrike relationship references,", "boot.net.anydesk.com removed from my Pulse below", "https://otx.alienvault.com/pulse/66d4c125ad61ee5577639a2d" ], "public": 1, "adversary": "", "targeted_countries": [ "United States of America", "Netherlands" ], "malware_families": [ { "id": "Win32:Mystic", "display_name": "Win32:Mystic", "target": null }, { "id": "Win.Trojan.Xblocker-236", "display_name": "Win.Trojan.Xblocker-236", "target": null }, { "id": "Ransom:Win32/Genasom", "display_name": "Ransom:Win32/Genasom", "target": "/malware/Ransom:Win32/Genasom" }, { "id": "Worm:Win32/Autorun", "display_name": "Worm:Win32/Autorun", "target": "/malware/Worm:Win32/Autorun" }, { "id": "ALF:JASYP:Backdoor:Win32/Cycbot", "display_name": "ALF:JASYP:Backdoor:Win32/Cycbot", "target": null }, { "id": "#LowFiEnableDTContinueAfterUnpacking", "display_name": "#LowFiEnableDTContinueAfterUnpacking", "target": null }, { "id": "TrojanSpy", "display_name": "TrojanSpy", "target": null }, { "id": "TrojanSpy:Win32/Usteal", "display_name": "TrojanSpy:Win32/Usteal", "target": "/malware/TrojanSpy:Win32/Usteal" }, { "id": "Win.Trojan.PoetRat-7669676-0", "display_name": "Win.Trojan.PoetRat-7669676-0", "target": null }, { "id": "Mivast", "display_name": "Mivast", "target": null }, { "id": "Sakula", "display_name": "Sakula", "target": null } ], "attack_ids": [ { "id": "T1003", "name": "OS Credential Dumping", "display_name": "T1003 - OS Credential Dumping" }, { "id": "T1005", "name": "Data from Local System", "display_name": "T1005 - Data from Local System" }, { "id": "T1047", "name": "Windows Management Instrumentation", "display_name": "T1047 - Windows Management Instrumentation" }, { "id": "T1053", "name": "Scheduled Task/Job", "display_name": "T1053 - Scheduled Task/Job" }, { "id": "T1055", "name": "Process Injection", "display_name": "T1055 - Process Injection" }, { "id": "T1057", "name": "Process Discovery", "display_name": "T1057 - Process Discovery" }, { "id": "T1060", "name": "Registry Run Keys / Startup Folder", "display_name": "T1060 - Registry Run Keys / Startup Folder" }, { "id": "T1081", "name": "Credentials in Files", "display_name": "T1081 - Credentials in Files" }, { "id": "T1082", "name": "System Information Discovery", "display_name": "T1082 - System Information Discovery" }, { "id": "T1119", "name": "Automated Collection", "display_name": "T1119 - Automated Collection" }, { "id": "T1129", "name": "Shared Modules", "display_name": "T1129 - Shared Modules" }, { "id": "T1040", "name": "Network Sniffing", "display_name": "T1040 - Network Sniffing" }, { "id": "T1112", "name": "Modify Registry", "display_name": "T1112 - Modify Registry" }, { "id": "T1566", "name": "Phishing", "display_name": "T1566 - Phishing" }, { "id": "T1045", "name": "Software Packing", "display_name": "T1045 - Software Packing" }, { "id": "T1106", "name": "Native API", "display_name": "T1106 - Native API" }, { "id": "T1021", "name": "Remote Services", "display_name": "T1021 - Remote Services" }, { "id": "T1210", "name": "Exploitation of Remote Services", "display_name": "T1210 - Exploitation of Remote Services" }, { "id": "T1027", "name": "Obfuscated Files or Information", "display_name": "T1027 - Obfuscated Files or Information" }, { "id": "T1056", "name": "Input Capture", "display_name": "T1056 - Input Capture" }, { "id": "T1071", "name": "Application Layer Protocol", "display_name": "T1071 - Application Layer Protocol" }, { "id": "T1105", "name": "Ingress Tool Transfer", "display_name": "T1105 - Ingress Tool Transfer" }, { "id": "T1140", "name": "Deobfuscate/Decode Files or Information", "display_name": "T1140 - Deobfuscate/Decode Files or Information" }, { "id": "T1143", "name": "Hidden Window", "display_name": "T1143 - Hidden Window" }, { "id": "T1158", "name": "Hidden Files and Directories", "display_name": "T1158 - Hidden Files and Directories" }, { "id": "T1498", "name": "Network Denial of Service", "display_name": "T1498 - Network Denial of Service" }, { "id": "T1518", "name": "Software Discovery", "display_name": "T1518 - Software Discovery" }, { "id": "T1553", "name": "Subvert Trust Controls", "display_name": "T1553 - Subvert Trust Controls" }, { "id": "T1568", "name": "Dynamic Resolution", "display_name": "T1568 - Dynamic Resolution" }, { "id": "T1583", "name": "Acquire Infrastructure", "display_name": "T1583 - Acquire Infrastructure" } ], "industries": [], "TLP": "white", "cloned_from": null, "export_count": 38, "upvotes_count": 0, "downvotes_count": 0, "votes_count": 0, "locked": false, "pulse_source": "web", "validator_count": 0, "comment_count": 1, "follower_count": 0, "vote": 0, "author": { "username": "scoreblue", "id": "254100", "avatar_url": "/otxapi/users/avatar_image/media/avatars/user_254100/resized/80/avatar_3b9c358f36.png", "is_subscribed": false, "is_following": false }, "indicator_type_counts": { "FileHash-MD5": 1417, "FileHash-SHA1": 1165, "FileHash-SHA256": 6536, "URL": 6112, "domain": 1340, "hostname": 2654, "email": 15, "SSLCertFingerprint": 9 }, "indicator_count": 19248, "is_author": false, "is_subscribing": null, "subscriber_count": 227, "modified_text": "562 days ago ", "is_modified": true, "groups": [], "in_group": false, "threat_hunter_scannable": true, "threat_hunter_has_agents": 1, "related_indicator_type": "URL", "related_indicator_is_active": 1 }, { "id": "65be56d257bb241c4fa3f68d", "name": "AZORult CnC", "description": "Behaviors\n\nSteals computer data, such as installed programs, machine globally unique identifier (GUID), system architecture, system language, user name, computer name, and operating system (OS) version\nSteals stored account information used in different installed File Transfer Protocol (FTP) clients or file manager software\nSteals stored email credentials of different mail clients\nSteals user names, passwords, and hostnames from different browsers\nSteals bitcoin wallets - Monero and uCoin\nSteals Steam and telegram credentials\nSteals Skype chat history and messages\nExecutes backdoor commands from a remote malicious user to collect host Internet protocol (IP) information, download/execute/delete file\nCapabilities\n\nInformation Theft\nBackdoor commands\nExploits\nDownload Routine\nImpact\n\nCompromise system security - with backdoor capabilities that can execute malicious commands, downloads and installs additional malwares", "modified": "2024-03-04T14:03:17.574000", "created": "2024-02-03T15:08:02.291000", "tags": [ "ssl certificate", "whois record", "threat roundup", "whois whois", "january", "historical ssl", "referrer", "april", "resolutions", "siblings domain", "march", "february", "obz4usfn0 http", "problems", "threat network", "infrastructure", "st201601152", "startpage", "iframe", "united", "unknown", "search", "showing", "united kingdom", "creation date", "aaaa", "cname", "scan endpoints", "all octoseek", "date", "next", "script urls", "soa nxdomain", "link", "xml title", "portugal", "domain", "status", "expiration date", "pulse pulses", "as44273 host", "domain robot", "as61969 team", "body", "as8075", "netherlands", "servers", "emails", "duo insight", "type", "asnone united", "name servers", "germany unknown", "passive dns", "as14061", "as49453", "lowfi", "a domains", "urls", "privacy inc", "customer", "trojandropper", "dynamicloader", "default", "medium", "entries", "khtml", "download", "show", "activity", "http", "copy", "write", "malware", "adware affiliate", "hostname", "trojan", "pulse submit", "url analysis", "files", "as212913 fop", "russia unknown", "as397240", "as15169 google", "as19237 omnis", "as22169 omnis", "as20068 hawk", "as133618", "as47846", "as22489", "encrypt", "record value", "pragma", "accept ch", "ireland unknown", "msie", "chrome", "style", "gmt setcookie", "as6724 strato", "core", "win32", "backdoor", "expl", "exploit", "ipv4", "virtool", "azorult cnc", "possible", "as7018 att", "regsetvalueexa", "china as4134", "service", "asnone", "dns lookup", "ransom", "push", "eternalblue", "recon", "playgame", "domain name", "as13768 aptum", "meta", "error", "as43350 nforce", "as55286", "as60558 phoenix", "ip address", "registrar", "1996", "contacted", "unlocker", "red team", "af81 http", "execution", "open", "whois sslcert", "suspicious c2", "cve202322518", "collection", "vt graph", "excel", "emotet", "metro", "jeffrey reimer pt", "sharecare", "tsara brashears", "apple", "icloud" ], "references": [ "https://www.sharecare.com/doctor/jeffrey-reimer-6ie6z", "qbot.zip", "imp.fusioninstall.com", "https://mylegalbid.com/malwarebytes", "192.185.223.216 | 192.168.56.1 [malware]", "http://45.159.189.105/bot/regex", "https://success.trendmicro.com/dcx/s/solution/000146108-azorult-malware-information?language=en_US&sfdcIFrameOrigin=null", "http://config.premiuminstaller.com/config/ls/offers.json?pid=installer&ts=2014-10-14T18:54:45.9443368Z&br=CR&adprovider=marmarf", "xhamster.comyouporn.com", "cams4all.com", "watchhers.net", "weconnect.com", "icloud-appleidsuport.com | appleid.com | apple.com | apple-dns.net", "http://install.oinstaller5.com/o/jfaquew_jupdate/setup.exe?mode=dlshift&sf=0&subid=a208&filedescription=setup&adprovider=jfaquew&cpixe", "init.ess.apple.com | 0-courier.push.apple.com | dns1.registrar-servers.com", "Apple -dns1.registrar-servers.com | emails.redvue.com | icloud-appleidsuport.com", "https://songculture.com/tsara-brashears | https://www.songculture.com/tsara-brashears-music", "https://www.songculture.com/tsara-lynn-brashears-music", "https://www.anyxxxtube.net/search-porn/tsara-brashears/", "youramateuporn.com", "ns2.abovedomains.com", "ww16.porn-community.porn25.com", "https://totallyspies.1000hentai.com/tag/clover-porn/", "pirateproxy.cc", "mwilliams.dev@gmail.com | piratepages.com", "838114.parkingcrew.net", "static-push-preprod.porndig.com", "www.redtube.comyouporn.com", "https://severeporn-com.pornproxy.page/", "https://spankbang-com.pornproxy.page/593ao/video/sunshine%20mouth%20stuffed%20gagged%20and%20tied%20with%20her%20friend", "yoursexy.porn | indianyouporn.com", "source-6.youporn.express | source-6.sexpornsource.com\t hostname\tsource-3.xxxporn.club | source-2.pornhubs.best | source-2.freepornxo.com", "cdn.pornsocket.com", "http://secure.indianpornpass.com/track/hotpornstuff", "www.anyxxxtube.net", "https://twitter.com/PORNO_SEXYBABES", "http://www.my-sexcam.com/mf6w/?K48hY=mUHPm4taPKwCazx4uoqkcvO3m838TOpLC/XyTruUQEV1lwGjr5ldYJa4yIBvf0ifHE4=&sHB=DPfXxzFpo", "campaign-manager.sharecare.com", "qa.companycam.com", "https://app.join.engineeringim.com/e/er?utm_source=eloqua&utm_medium=email&utm_campaign=&sp_cid=&utm_content=PB_NAM23BSE_PB_06_BATT_PW_Shmuel&sp_aid=27591&sp_rid=31788066&sp_eh=577a94ae55b9b9c106e776e684a2413f8c4dac061fc5b814c054be9e822698d9&s=949606000&lid=79146&elqTrackId=2AD273F3E5AB3555FA7D5FA11122C7C2&elq=a46790e54bbc42d2b0adbc4e6533814e&elqaid=27591&elqat=1", "24-70mm.camera", "dropboxpayments.com", "http://r3.i.lencr.org/ | r3.i.lencr.org | c.lencr.org | x1.c.lencr.org", "http://xred.mooo.com", "https://sexgalaxy.net/tag/rodneymoore/", "http://alive.overit.com/~schoolbu/badmood3.exe", "jimgaffigan.com" ], "public": 1, "adversary": "", "targeted_countries": [ "United Kingdom of Great Britain and Northern Ireland", "United States of America", "Netherlands", "Germany", "France" ], "malware_families": [ { "id": "Adware Affiliate", "display_name": "Adware Affiliate", "target": null }, { "id": "AZORult CnC", "display_name": "AZORult CnC", "target": null }, { "id": "Possible", "display_name": "Possible", "target": null }, { "id": "VirTool", "display_name": "VirTool", "target": null } ], "attack_ids": [ { "id": "T1566", "name": "Phishing", "display_name": "T1566 - Phishing" }, { "id": "T1031", "name": "Modify Existing Service", "display_name": "T1031 - Modify Existing Service" }, { "id": "T1040", "name": "Network Sniffing", "display_name": "T1040 - Network Sniffing" }, { "id": "T1053", "name": "Scheduled Task/Job", "display_name": "T1053 - Scheduled Task/Job" }, { "id": "T1060", "name": "Registry Run Keys / Startup Folder", "display_name": "T1060 - Registry Run Keys / Startup Folder" }, { "id": "T1129", "name": "Shared Modules", "display_name": "T1129 - Shared Modules" }, { "id": "T1158", "name": "Hidden Files and Directories", "display_name": "T1158 - Hidden Files and Directories" } ], "industries": [], "TLP": "white", "cloned_from": null, "export_count": 22, "upvotes_count": 0, "downvotes_count": 0, "votes_count": 0, "locked": false, "pulse_source": "web", "validator_count": 0, "comment_count": 0, "follower_count": 0, "vote": 0, "author": { "username": "OctoSeek", "id": "243548", "avatar_url": "/otxapi/users/avatar_image/media/avatars/user_243548/resized/80/avatar_3b9c358f36.png", "is_subscribed": false, "is_following": false }, "indicator_type_counts": { "FileHash-MD5": 737, "FileHash-SHA1": 692, "FileHash-SHA256": 7488, "URL": 6694, "domain": 5247, "hostname": 2932, "email": 49, "CVE": 2, "SSLCertFingerprint": 1 }, "indicator_count": 23842, "is_author": false, "is_subscribing": null, "subscriber_count": 221, "modified_text": "776 days ago ", "is_modified": true, "groups": [], "in_group": false, "threat_hunter_scannable": true, "threat_hunter_has_agents": 1, "related_indicator_type": "URL", "related_indicator_is_active": 1 }, { "id": "65be56d6df9d36bac14ccd87", "name": "AZORult CnC", "description": "Behaviors\n\nSteals computer data, such as installed programs, machine globally unique identifier (GUID), system architecture, system language, user name, computer name, and operating system (OS) version\nSteals stored account information used in different installed File Transfer Protocol (FTP) clients or file manager software\nSteals stored email credentials of different mail clients\nSteals user names, passwords, and hostnames from different browsers\nSteals bitcoin wallets - Monero and uCoin\nSteals Steam and telegram credentials\nSteals Skype chat history and messages\nExecutes backdoor commands from a remote malicious user to collect host Internet protocol (IP) information, download/execute/delete file\nCapabilities\n\nInformation Theft\nBackdoor commands\nExploits\nDownload Routine\nImpact\n\nCompromise system security - with backdoor capabilities that can execute malicious commands, downloads and installs additional malwares", "modified": "2024-03-04T14:03:17.574000", "created": "2024-02-03T15:08:06.808000", "tags": [ "ssl certificate", "whois record", "threat roundup", "whois whois", "january", "historical ssl", "referrer", "april", "resolutions", "siblings domain", "march", "february", "obz4usfn0 http", "problems", "threat network", "infrastructure", "st201601152", "startpage", "iframe", "united", "unknown", "search", "showing", "united kingdom", "creation date", "aaaa", "cname", "scan endpoints", "all octoseek", "date", "next", "script urls", "soa nxdomain", "link", "xml title", "portugal", "domain", "status", "expiration date", "pulse pulses", "as44273 host", "domain robot", "as61969 team", "body", "as8075", "netherlands", "servers", "emails", "duo insight", "type", "asnone united", "name servers", "germany unknown", "passive dns", "as14061", "as49453", "lowfi", "a domains", "urls", "privacy inc", "customer", "trojandropper", "dynamicloader", "default", "medium", "entries", "khtml", "download", "show", "activity", "http", "copy", "write", "malware", "adware affiliate", "hostname", "trojan", "pulse submit", "url analysis", "files", "as212913 fop", "russia unknown", "as397240", "as15169 google", "as19237 omnis", "as22169 omnis", "as20068 hawk", "as133618", "as47846", "as22489", "encrypt", "record value", "pragma", "accept ch", "ireland unknown", "msie", "chrome", "style", "gmt setcookie", "as6724 strato", "core", "win32", "backdoor", "expl", "exploit", "ipv4", "virtool", "azorult cnc", "possible", "as7018 att", "regsetvalueexa", "china as4134", "service", "asnone", "dns lookup", "ransom", "push", "eternalblue", "recon", "playgame", "domain name", "as13768 aptum", "meta", "error", "as43350 nforce", "as55286", "as60558 phoenix", "ip address", "registrar", "1996", "contacted", "unlocker", "red team", "af81 http", "execution", "open", "whois sslcert", "suspicious c2", "cve202322518", "collection", "vt graph", "excel", "emotet", "metro", "jeffrey reimer pt", "sharecare", "tsara brashears", "apple", "icloud" ], "references": [ "https://www.sharecare.com/doctor/jeffrey-reimer-6ie6z", "qbot.zip", "imp.fusioninstall.com", "https://mylegalbid.com/malwarebytes", "192.185.223.216 | 192.168.56.1 [malware]", "http://45.159.189.105/bot/regex", "https://success.trendmicro.com/dcx/s/solution/000146108-azorult-malware-information?language=en_US&sfdcIFrameOrigin=null", "http://config.premiuminstaller.com/config/ls/offers.json?pid=installer&ts=2014-10-14T18:54:45.9443368Z&br=CR&adprovider=marmarf", "xhamster.comyouporn.com", "cams4all.com", "watchhers.net", "weconnect.com", "icloud-appleidsuport.com | appleid.com | apple.com | apple-dns.net", "http://install.oinstaller5.com/o/jfaquew_jupdate/setup.exe?mode=dlshift&sf=0&subid=a208&filedescription=setup&adprovider=jfaquew&cpixe", "init.ess.apple.com | 0-courier.push.apple.com | dns1.registrar-servers.com", "Apple -dns1.registrar-servers.com | emails.redvue.com | icloud-appleidsuport.com", "https://songculture.com/tsara-brashears | https://www.songculture.com/tsara-brashears-music", "https://www.songculture.com/tsara-lynn-brashears-music", "https://www.anyxxxtube.net/search-porn/tsara-brashears/", "youramateuporn.com", "ns2.abovedomains.com", "ww16.porn-community.porn25.com", "https://totallyspies.1000hentai.com/tag/clover-porn/", "pirateproxy.cc", "mwilliams.dev@gmail.com | piratepages.com", "838114.parkingcrew.net", "static-push-preprod.porndig.com", "www.redtube.comyouporn.com", "https://severeporn-com.pornproxy.page/", "https://spankbang-com.pornproxy.page/593ao/video/sunshine%20mouth%20stuffed%20gagged%20and%20tied%20with%20her%20friend", "yoursexy.porn | indianyouporn.com", "source-6.youporn.express | source-6.sexpornsource.com\t hostname\tsource-3.xxxporn.club | source-2.pornhubs.best | source-2.freepornxo.com", "cdn.pornsocket.com", "http://secure.indianpornpass.com/track/hotpornstuff", "www.anyxxxtube.net", "https://twitter.com/PORNO_SEXYBABES", "http://www.my-sexcam.com/mf6w/?K48hY=mUHPm4taPKwCazx4uoqkcvO3m838TOpLC/XyTruUQEV1lwGjr5ldYJa4yIBvf0ifHE4=&sHB=DPfXxzFpo", "campaign-manager.sharecare.com", "qa.companycam.com", "https://app.join.engineeringim.com/e/er?utm_source=eloqua&utm_medium=email&utm_campaign=&sp_cid=&utm_content=PB_NAM23BSE_PB_06_BATT_PW_Shmuel&sp_aid=27591&sp_rid=31788066&sp_eh=577a94ae55b9b9c106e776e684a2413f8c4dac061fc5b814c054be9e822698d9&s=949606000&lid=79146&elqTrackId=2AD273F3E5AB3555FA7D5FA11122C7C2&elq=a46790e54bbc42d2b0adbc4e6533814e&elqaid=27591&elqat=1", "24-70mm.camera", "dropboxpayments.com", "http://r3.i.lencr.org/ | r3.i.lencr.org | c.lencr.org | x1.c.lencr.org", "http://xred.mooo.com", "https://sexgalaxy.net/tag/rodneymoore/", "http://alive.overit.com/~schoolbu/badmood3.exe", "jimgaffigan.com" ], "public": 1, "adversary": "", "targeted_countries": [ "United Kingdom of Great Britain and Northern Ireland", "United States of America", "Netherlands", "Germany", "France" ], "malware_families": [ { "id": "Adware Affiliate", "display_name": "Adware Affiliate", "target": null }, { "id": "AZORult CnC", "display_name": "AZORult CnC", "target": null }, { "id": "Possible", "display_name": "Possible", "target": null }, { "id": "VirTool", "display_name": "VirTool", "target": null } ], "attack_ids": [ { "id": "T1566", "name": "Phishing", "display_name": "T1566 - Phishing" }, { "id": "T1031", "name": "Modify Existing Service", "display_name": "T1031 - Modify Existing Service" }, { "id": "T1040", "name": "Network Sniffing", "display_name": "T1040 - Network Sniffing" }, { "id": "T1053", "name": "Scheduled Task/Job", "display_name": "T1053 - Scheduled Task/Job" }, { "id": "T1060", "name": "Registry Run Keys / Startup Folder", "display_name": "T1060 - Registry Run Keys / Startup Folder" }, { "id": "T1129", "name": "Shared Modules", "display_name": "T1129 - Shared Modules" }, { "id": "T1158", "name": "Hidden Files and Directories", "display_name": "T1158 - Hidden Files and Directories" } ], "industries": [], "TLP": "white", "cloned_from": null, "export_count": 8134, "upvotes_count": 0, "downvotes_count": 0, "votes_count": 0, "locked": false, "pulse_source": "web", "validator_count": 0, "comment_count": 0, "follower_count": 0, "vote": 0, "author": { "username": "OctoSeek", "id": "243548", "avatar_url": "/otxapi/users/avatar_image/media/avatars/user_243548/resized/80/avatar_3b9c358f36.png", "is_subscribed": false, "is_following": false }, "indicator_type_counts": { "FileHash-MD5": 737, "FileHash-SHA1": 692, "FileHash-SHA256": 7488, "URL": 6694, "domain": 5247, "hostname": 2932, "email": 49, "CVE": 2, "SSLCertFingerprint": 1 }, "indicator_count": 23842, "is_author": false, "is_subscribing": null, "subscriber_count": 225, "modified_text": "776 days ago ", "is_modified": true, "groups": [], "in_group": false, "threat_hunter_scannable": true, "threat_hunter_has_agents": 1, "related_indicator_type": "URL", "related_indicator_is_active": 1 } ], "references": [ "https://www.virustotal.com/gui/collection/b84a19d60ec7cd6d546a3f145dff8987128d0f499161118b46de22718d4713cd/graph", "Crowdstrike: auth.cranberry.testing.maxfehlinger.de | latex.cranberry.testing.maxfehlinger.de | traefik.cranberry.testing.maxfehlinger.de |", "https://www.filescan.io/uploads/664799c9d5c40bffee6106d7", "Crowdstrike: https://www.pornhub.com/gifs/search?search=tsara+lynn+brash |", "I didn't add pertinent findings back to Pulse. Pulse comp,eyes says ago . Couldn't submit. It's was actually a tiny pulse of autodesk.com with crowdstrike relationship references,", "66.254.114.234 | reflectededge.reflected.net | reflected.net | 192.0.2.0 | https://www.brazzers.com/ | brazzers.com | brazzersnetwork.com", "http://secure.indianpornpass.com/track/hotpornstuff", "deploy-delete-app-us-east-2-1.deploy-delete-test-us-east-2-1mtsufd.us-east-2.gamma.forgeapps.ec2.aws.dev", "https://www.virustotal.com/gui/collection/b84a19d60ec7cd6d546a3f145dff8987128d0f499161118b46de22718d4713cd/summary", "Win32:Mystic , Win.Trojan.Xblocker-236 \u00bbFileHash-SHA256 8c59adbccc1987d13fec983f1e2be046611511b65479d1719bda77c5c90bbe21", "Above Malcore Strings: All - EnterpriseAppsList, AppRegistration, EnterpriseAppslist, exportGroup, exportUsers, HiddenApps - EnterpriseAppsList****", "ns2.abovedomains.com", "cams4all.com", "yoursexy.porn | indianyouporn.com", "https://app.malcore.io/share/652553f6aec33d70a1dbbd25/667d0107b44401771de9ebf2", "qbot.zip", "endgames.com \u2022 endgames.us \u2022 endgamesystems.com \u2022 http://www.onyx-ware.com/lander", "https://www.filescan.io/uploads/664bb40fbc04dffa92240ca2/reports/398074f2-c7b6-40e9-9b5c-4225cc990473/overview", "https://www.hudsonrock.com/search?domain=ualberta.ca", "www.redtube.comyouporn.com", "https://otx.alienvault.com/browse/global/pulses?q=tag:%22esta%20caliente%22&include_inactive=0&sort=-modified&page=1&limit=10&indicatorsSearch=esta%20caliente", "Alerts: network_icmp antisandbox_idletime modifies_certificates modifies_proxy_wpad disables_proxy", "https://app.malcore.io/share/652553f6aec33d70a1dbbd25/667d01d2b67682d81c00f37b", "https://tria.ge/240517-vdwb5shc71/behavioral1", "https://app.malcore.io/share/652553f6aec33d70a1dbbd25/667d00356dd8f43b723a915a", "https://www.filescan.io/uploads/666d69ff6b8dba248b414767", "http://www.my-sexcam.com/mf6w/?K48hY=mUHPm4taPKwCazx4uoqkcvO3m838TOpLC/XyTruUQEV1lwGjr5ldYJa4yIBvf0ifHE4=&sHB=DPfXxzFpo", "https://spankbang-com.pornproxy.page/593ao/video/sunshine%20mouth%20stuffed%20gagged%20and%20tied%20with%20her%20friend", "Crowdstrike + Autodesk.com: 128 + symcd.com some w/issues | 658 autodesk.com pulse some w/issues | removed any.desk & boot", "Crowdstrike: wildcard.352-445-1166.device.sim.to.img.sedoparking.com", "https://twitter.com/PORNO_SEXYBABES", "icloud-appleidsuport.com | appleid.com | apple.com | apple-dns.net", "source-6.youporn.express | source-6.sexpornsource.com\t hostname\tsource-3.xxxporn.club | source-2.pornhubs.best | source-2.freepornxo.com", "The more I say...Any.Desk + boot.net.anydesk.com was in OG Private CrowdsStrike pulse", "IDS Detections: Zeus Panda Banker / Ursnif Malicious SSL Certificate Detected TLS Handshake Failure", "https://app.malcore.io/share/652553f6aec33d70a1dbbd25/667d00975ea31558d54fceea", "https://app.malcore.io/share/652553f6aec33d70a1dbbd25/667cff1a5ea31558d54fcbf6", "https://www.filescan.io/uploads/666d69ff6b8dba248b414767/reports/dda2c8a1-96fd-4c00-9cbc-c64c4685a804/overview", "https://urlscan.io/search/#ualberta.ca", "https://www.sharecare.com/doctor/jeffrey-reimer-6ie6z", "Crowdstrike: autodeskarchitecture.autodesk.com | beacon-dev3.autodesk.com | boxtooffice365.autodesk.com | brahma-studio.autodesk.com", "https://totallyspies.1000hentai.com/tag/clover-porn/", "Crowdstrike: autodesk.com | 0ds.autodesk.com | aknanalytics.autodesk.com | anubis.autodesk.com | autobetaint.autodesk.com", "https://viz.greynoise.io/analysis/9635144c-db8f-47ab-a83a-5785602244cf - 07.03.24", "https://www.filescan.io/uploads/664ba368d5c40bffee63b1ee/reports/31817751-6b5d-45df-8813-472aa6c756a3/overview", "https://www.virustotal.com/gui/collection/b84a19d60ec7cd6d546a3f145dff8987128d0f499161118b46de22718d4713cd/iocs", "https://songculture.com/tsara-brashears | https://www.songculture.com/tsara-brashears-music", "Crowdstrike: https://traefik.cranberry.testing.maxfehlinger.de | http://traefik.cranberry.testing.maxfehlinger.de |", "Crowdstrike: https://bat.bing.com/action/0?ti=12001672&tm=al001&Ver=2&mid=12436868-a484-4998-931c-980262982f67&sid=b92cd8f0483e11efa3c96fe28be413cb&vid=b92cdd10483e11efb1024309353d849f&vids=1&msclkid=N&pi=-740138922&lg=en-US&sw=800&sh=600&sc=24&tl=CrowdStrike%3A%20Stop%20breaches.%20Drive%20business.&p=https%3A%2F%2Fwww.crowdstrike.com%2Fen-us%2F&r=<=1022&pt=1721661968606", "http://r3.i.lencr.org/ | r3.i.lencr.org | c.lencr.org | x1.c.lencr.org", "RedTube.com Detections: ALF:AGGR:OpcCl:95!ml , ALF:JASYP:Backdoor:Win32/Cycbot!atmn , Win.Downloader.117423-1 ,", "www.anyxxxtube.net", "http://45.159.189.105/bot/regex", "IDS Detections: TLS Handshake Failure | Alerts: network_icmp , injection", "Xpirat = doomscroller.io", "Crowdstrike: watchtower.cranberry.testing.maxfehlinger.de | https://latex.cranberry.testing.maxfehlinger.de |", "https://success.trendmicro.com/dcx/s/solution/000146108-azorult-malware-information?language=en_US&sfdcIFrameOrigin=null", "https://viz.greynoise.io/query/AS15169%20classification:%22malicious%22", "Crowdstrike: https://hr.employmenthero.com/rs/387-SZZ-170/images/youtube-icon-emp-hero-violet.png", "boot.net.anydesk.com removed from my Pulse below", "https://tria.ge/240521-q4s79agb25/static1", "http://config.premiuminstaller.com/config/ls/offers.json?pid=installer&ts=2014-10-14T18:54:45.9443368Z&br=CR&adprovider=marmarf", "Crowdstrike: cdc-stg-emea.autodesk.com | cloudcost.autodesk.com | cloudpc-stg.autodesk.com | d-s.autodesk.com |", "192.185.223.216 | 192.168.56.1 [malware]", "https://sexgalaxy.net/tag/rodneymoore/", "http://install.oinstaller5.com/o/jfaquew_jupdate/setup.exe?mode=dlshift&sf=0&subid=a208&filedescription=setup&adprovider=jfaquew&cpixe", "Crowdstrike: maxfehlinger.de http://auth.cranberry.testing.maxfehlinger.de | http://latex.cranberry.testing.maxfehlinger.de |", "Crowdstrike: \tbat.bing.com, https://tulach.cc, https://otx.alienvault.com/indicator/url/http://www.hallrender.com/attorney/brian-sabey", "https://www.criminalip.io/domain/report?scan_id=13798622", "https://tria.ge/240517-vc7c1shc62/behavioral1", "https://viz.greynoise.io/query/AS60068%20classification:%22malicious%22", "DotNET_Reactor System.Security.Cryptography.AesCryptoServiceProvider System.Security.Cryptography System.Security.Cryptography ICryptoTransform Eziriz", "https://app.malcore.io/share/652553f6aec33d70a1dbbd25/664f906322f5af13cdfb50be", "https://www.virustotal.com/graph/embed/gf1d5aa209c7f4fd086e4cb17dcd0af52421ea4bae87d49fe9b4076b382612f0e?theme=dark", "Crowdstrike: daiwahouse-learning.autodesk.com| datagovernance-dev.autodesk.com | enterprise-api-np.autodesk.com", "https://app.malcore.io/share/652553f6aec33d70a1dbbd25/664f906222f5af13cdfb5093", "https://imp0rtp3.wordpress.com/2021/08/12/tetris/", "https://app.join.engineeringim.com/e/er?utm_source=eloqua&utm_medium=email&utm_campaign=&sp_cid=&utm_content=PB_NAM23BSE_PB_06_BATT_PW_Shmuel&sp_aid=27591&sp_rid=31788066&sp_eh=577a94ae55b9b9c106e776e684a2413f8c4dac061fc5b814c054be9e822698d9&s=949606000&lid=79146&elqTrackId=2AD273F3E5AB3555FA7D5FA11122C7C2&elq=a46790e54bbc42d2b0adbc4e6533814e&elqaid=27591&elqat=1", "https://www.songculture.com/tsara-lynn-brashears-music", "Crowdstrike: https://www.anyxxxtube.net/search-porn/tsara-brashears/\tphishing\t| https://www.anyxxxtube.net/sitemap.xml", "watchhers.net", "https://tria.ge/240517-t9pc2ahb2t", "https://mylegalbid.com/malwarebytes", "https://otx.alienvault.com/indicator/domain/Tamlegal.com", "https://app.malcore.io/share/652553f6aec33d70a1dbbd25/667d01d2b67682d81c00f37b - https://app.malcore.io/share/652553f6aec33d70a1dbbd25/667d01d2b67682d81c00f37b = Hidden Apps - Enterprise Apps List", "AppRegistrationList.csv", "youramateuporn.com", "static-push-preprod.porndig.com", "https://viz.greynoise.io/query/AS36351%20classification:%22malicious%22", "https://tria.ge/240517-vqxezaaa33/behavioral1", "keezmovies.com | redtube.com | tube8.com | tube8.com | youporn.com| 0.brazzers.com | www.g-tunnel.comwww.brazzers.com |", "jimgaffigan.com", "autodesk.com [ Everything below was found in Autodesk [including crowdstrike & any.desk] Found in in Crowdsrike if labeled.", "https://www.filescan.io/uploads/664bb683bc04dffa92241015/reports/92b70fd6-97d7-4386-8465-f3fd79043843/overview", "All - EnterpriseAppsList.csv", "cdn.pornsocket.com", "Crowdstrike: https://www.pornhub.com/gifs/search?search=tsara+lynn+brashears+lesbian | https://www.pornhub.com/video/search?search=tsara+brashears | www.youtube.com/watch?v=GyuMozsVyYs | www.pornhub.com | www.youtube.com", "https://tenantresolution.pingcastle.com/Search - Tenant still active (07.19.24) - Good jobs ya'll", "xhamster.comyouporn.com", "Above link opened 'esta caliente'= 'it's hot'| I did NOT do that | All connected links gone. This has become common.", "campaign-manager.sharecare.com", "Crowdstrike: symcd.com [Certificate Subjectaltname \u00bb\u00bb anydesk.com \u00bb\u00bb http://gn.symcb.com/gn.crt Ocsp\thttp://gn.symcd.com] ANYDESK.COM-unsigned", "https://app.malcore.io/share/652553f6aec33d70a1dbbd25/667cffec5ea31558d54fcda2", "https://www.filescan.io/uploads/66479b483313f70f0afe3dbb", "https://severeporn-com.pornproxy.page/", "https://www.filescan.io/uploads/664bb0cd7c9fb1468fc610c5/reports/00c78e4d-2156-4906-a106-ebf7e2723251/overview", "http://alive.overit.com/~schoolbu/badmood3.exe", "http://xred.mooo.com", "Crowdstrike + Autodesk.com: hallrender.com/attorney/brian-sabey www.hallrender.com/attorney/brian-sabey hallrender.com www.hallrender.com https://hallrender.com milehighmedia.com https://www.milehighmedia.com/ https://www.milehighmedia.com/legal/2257", "Above links in search results direct out with and arrow pointing out.", "Apple -dns1.registrar-servers.com | emails.redvue.com | icloud-appleidsuport.com", "https://viz.greynoise.io/query/AS8075%20classification:%22malicious%22", "init.ess.apple.com | 0-courier.push.apple.com | dns1.registrar-servers.com", "https://otx.alienvault.com/pulse/66d4c125ad61ee5577639a2d", "https://viz.greynoise.io/analysis/e51d9a15-d802-4d51-9a70-17803dc2693a", "pirateproxy.cc", "Win32:BankerX-gen\\ [Trj] \u00bb FileHash-SHA256 2e5118d15a18ae852bf94d91707ff634d9d8354fef492f5c4e1c46b9cf96184c", "imp.fusioninstall.com", "RedTube.com Detections: Win.Trojan.Crypt-321 , Win.Trojan.FakeAV-4166 , Win.Trojan.Fakeav-10977 , Win.Trojan.Fakeav-3386", "https://www.anyxxxtube.net/search-porn/tsara-brashears/", "weconnect.com", "Crowdstrike + Autodesk.com: brassiere.world mail.brassiere.world webdisk.brassiere.world webmail.brassiere.world", "https://www.filescan.io/uploads/664ba8a20663ff3c2ec6428a/reports/09d3d82a-7ec1-4804-93e5-5ae691fbb7f2/overview", "ww16.porn-community.porn25.com", "mwilliams.dev@gmail.com | piratepages.com", "Crowdstrike: http://watchtower.cranberry.testing.maxfehlinger.de| https://auth.cranberry.testing.maxfehlinger.de |", "838114.parkingcrew.net", "Thor Scan: S-I9VvMTB6cZU", "https://viz.greynoise.io/analysis/33e9b33b-b932-4c43-9be1-3e2d6f9cb4b3", "dropboxpayments.com", "https://sitereport.netcraft.com/?url=http://ualberta.ca", "https://www.virustotal.com/graph/embed/g9453a2f58a3340f18120987c2b4d710dbb44ded88c434abf8894458a98c7bd4b?theme=dark", "24-70mm.camera", "https://www.virustotal.com/gui/collection/0ca12fcdd125ec5a5055180ee828b98d47b8b2e920660be559c2b602266b6b1d/iocs", "https://www.wordfence.com/blog/2022/10/threat-advisory-monitoring-cve-2022-42889-text4shell-exploit-attempts/", "qa.companycam.com" ], "related": { "alienvault": { "adversary": [], "malware_families": [], "industries": [], "unique_indicators": 0 }, "other": { "adversary": [], "malware_families": [ "Trojanspy", "Other malware", "Expiro", "Possible", "Xpirat", "Win.malware.vmprotect-9880726-0", "Trojanspy:win32/usteal", "Mivast", "Ransom:win32/genasom", "Virtool", "Win.trojan.poetrat-7669676-0", "#lowfienabledtcontinueafterunpacking", "Worm:win32/autorun", "Alf:jasyp:backdoor:win32/cycbot", "Win.trojan.xblocker-236", "Win32:mystic", "Sakula", "Adware affiliate", "Azorult cnc" ], "industries": [ "Education", "Telecommunications", "Government", "Technology", "Legal", "Healthcare" ], "unique_indicators": 103559 } } }, "false_positive": [], "alexa": "http://www.alexa.com/siteinfo/gabek.dev", "whois": "http://whois.domaintools.com/gabek.dev", "domain": "gabek.dev", "hostname": "Unavailable" }, "geo": {}, "geo_ipapicom": {}, "pulse_count": 7, "pulses": [ { "id": "6946fdbb4a22dc28d60d6ca2", "name": "Expiro - DoomScroller \u2022 BrowseHappy | Part 2", "description": "Pulse: \u00c2\u00a31.1bn.io.com, a search engine for the most popular websites on the planet, is now available on Facebook, Twitter, Instagram and YouTube.", "modified": "2026-01-19T19:04:41.997000", "created": "2025-12-20T19:49:15.713000", "tags": [ "doomscroller", "browsehappy", "xpirat", "msie", "windows nt", "wow64", "slcc2", "media center", "read c", "united", "tlsv1", "execution", "dock", "write", "persistence", "encrypt", "meta", "browse happy", "worry", "body doctype", "online", "gmt server", "a domains", "ipv4 add", "win32", "trojandropper", "title", "date", "unknown", "post http", "cryptexportkey", "cryptgenkey", "calgrc4", "expiro", "temple", "xserver", "adversaries", "worry wordpress" ], "references": [ "Xpirat = doomscroller.io" ], "public": 1, "adversary": "", "targeted_countries": [], "malware_families": [ { "id": "Xpirat", "display_name": "Xpirat", "target": null }, { "id": "Expiro", "display_name": "Expiro", "target": null } ], "attack_ids": [ { "id": "T1053", "name": "Scheduled Task/Job", "display_name": "T1053 - Scheduled Task/Job" }, { "id": "T1055", "name": "Process Injection", "display_name": "T1055 - Process Injection" }, { "id": "T1082", "name": "System Information Discovery", "display_name": "T1082 - System Information Discovery" }, { "id": "T1112", "name": "Modify Registry", "display_name": "T1112 - Modify Registry" }, { "id": "T1119", "name": "Automated Collection", "display_name": "T1119 - Automated Collection" }, { "id": "T1129", "name": "Shared Modules", "display_name": "T1129 - Shared Modules" }, { "id": "T1143", "name": "Hidden Window", "display_name": "T1143 - Hidden Window" }, { "id": "T1045", "name": "Software Packing", "display_name": "T1045 - Software Packing" }, { "id": "T1057", "name": "Process Discovery", "display_name": "T1057 - Process Discovery" }, { "id": "T1060", "name": "Registry Run Keys / Startup Folder", "display_name": "T1060 - Registry Run Keys / Startup Folder" }, { "id": "T1457", "name": "Malicious Media Content", "display_name": "T1457 - Malicious Media Content" }, { "id": "T1036.004", "name": "Masquerade Task or Service", "display_name": "T1036.004 - Masquerade Task or Service" }, { "id": "T1176", "name": "Browser Extensions", "display_name": "T1176 - Browser Extensions" }, { "id": "T1011", "name": "Exfiltration Over Other Network Medium", "display_name": "T1011 - Exfiltration Over Other Network Medium" }, { "id": "T1210", "name": "Exploitation of Remote Services", "display_name": "T1210 - Exploitation of Remote Services" }, { "id": "TA0003", "name": "Persistence", "display_name": "TA0003 - Persistence" }, { "id": "TA0037", "name": "Command and Control", "display_name": "TA0037 - Command and Control" }, { "id": "T1595", "name": "Active Scanning", "display_name": "T1595 - Active Scanning" }, { "id": "T1423", "name": "Network Service Scanning", "display_name": "T1423 - Network Service Scanning" } ], "industries": [], "TLP": "white", "cloned_from": null, "export_count": 1, "upvotes_count": 0, "downvotes_count": 0, "votes_count": 0, "locked": false, "pulse_source": "web", "validator_count": 0, "comment_count": 0, "follower_count": 0, "vote": 0, "author": { "username": "Q.Vashti", "id": "337942", "avatar_url": "https://otx.alienvault.com/assets/images/default-avatar.png", "is_subscribed": false, "is_following": false }, "indicator_type_counts": { "URL": 5576, "domain": 1502, "FileHash-MD5": 116, "FileHash-SHA1": 73, "FileHash-SHA256": 1041, "SSLCertFingerprint": 1, "hostname": 1951 }, "indicator_count": 10260, "is_author": false, "is_subscribing": null, "subscriber_count": 138, "modified_text": "90 days ago ", "is_modified": true, "groups": [], "in_group": false, "threat_hunter_scannable": true, "threat_hunter_has_agents": 1, "related_indicator_type": "URL", "related_indicator_is_active": 1 }, { "id": "692f04e9fa3d782118e94aac", "name": "LevelBlue - Open Threat Exchange - Delete AppDeployed", "description": "I\u2019m not sure what to think. |\ndeploy-delete-app-us-east-2-1.deploy-delete-test-us-east-2-1mtsufd.us-east-2.gamma.forgeapps.ec2.aws.dev | Are these\npulses being sold or attacked? Christopher P. Ahmann of TAM Legal and his other firms has ALWAYS attacked targets phones and networks. Nothing is too outrageous for this maniac.\n\nHe is responsible for the recent attacks on devices , clouds , google accounts and a flurry of threats. Indicators in recently pulsed reports have been removed. I\u2019ve done my best to restore. \n\nI am also concerned about the safety or legitimacy of this platform.\n\nNo one is ever alerted. Simply calling someone and telling them about the compromises can equate to a big pay day for Level Blue and nothing for the victims of attacks. I need my pulses restored. \n\nIt\u2019s plausible to believe OTX was attacked by an external threat actor.\nAnything is possible when it comes to money.", "modified": "2026-01-01T15:04:20.907000", "created": "2025-12-02T15:25:29.158000", "tags": [ "levelblue", "open threat", "dynamicloader", "tlsv1", "high", "msie", "windows nt", "delete c", "fwlink", "stream", "powershell", "write", "malware", "local", "united", "flag", "date", "server", "crazy egg", "name server", "gmt flag", "domain address", "markmonitor", "enom", "sugges", "onv incude", "data upload", "find s", "extraction", "types", "type", "indicator", "click", "windir", "openurl c", "prefetch2", "analysis", "tor analysis", "dns requests", "contacted hosts", "search", "entries", "read c", "medium", "memcommit", "tls handshake", "failure", "module load", "next", "execution", "dock", "capture", "persistence", "copy", "unknown", "suricata alert", "et info", "bad traffic", "learn", "command", "ck id", "name tactics", "suspicious", "informative", "adversaries", "spawns", "t1480 execution", "file defense", "write c", "x02x82", "xe6x15c6", "x16f", "xc0xc0xc0", "revengerat", "guard", "service", "encrypt", "entries yara", "delphi", "win32", "jordan", "delete app" ], "references": [ "https://otx.alienvault.com/indicator/domain/Tamlegal.com", "DotNET_Reactor System.Security.Cryptography.AesCryptoServiceProvider System.Security.Cryptography System.Security.Cryptography ICryptoTransform Eziriz", "endgames.com \u2022 endgames.us \u2022 endgamesystems.com \u2022 http://www.onyx-ware.com/lander", "deploy-delete-app-us-east-2-1.deploy-delete-test-us-east-2-1mtsufd.us-east-2.gamma.forgeapps.ec2.aws.dev" ], "public": 1, "adversary": "", "targeted_countries": [ "United States of America" ], "malware_families": [ { "id": "Win.Malware.Vmprotect-9880726-0", "display_name": "Win.Malware.Vmprotect-9880726-0", "target": null }, { "id": "Other Malware", "display_name": "Other Malware", "target": null } ], "attack_ids": [ { "id": "T1053", "name": "Scheduled Task/Job", "display_name": "T1053 - Scheduled Task/Job" }, { "id": "T1055", "name": "Process Injection", "display_name": "T1055 - Process Injection" }, { "id": "T1056", "name": "Input Capture", "display_name": "T1056 - Input Capture" }, { "id": "T1071", "name": "Application Layer Protocol", "display_name": "T1071 - Application Layer Protocol" }, { "id": "T1082", "name": "System Information Discovery", "display_name": "T1082 - System Information Discovery" }, { "id": "T1112", "name": "Modify Registry", "display_name": "T1112 - Modify Registry" }, { "id": "T1119", "name": "Automated Collection", "display_name": "T1119 - Automated Collection" }, { "id": "T1129", "name": "Shared Modules", "display_name": "T1129 - Shared Modules" }, { "id": "T1143", "name": "Hidden Window", "display_name": "T1143 - Hidden Window" }, { "id": "T1134", "name": "Access Token Manipulation", "display_name": "T1134 - Access Token Manipulation" }, { "id": "T1027", "name": "Obfuscated Files or Information", "display_name": "T1027 - Obfuscated Files or Information" }, { "id": "T1057", "name": "Process Discovery", "display_name": "T1057 - Process Discovery" }, { "id": "T1069", "name": "Permission Groups Discovery", "display_name": "T1069 - Permission Groups Discovery" }, { "id": "T1105", "name": "Ingress Tool Transfer", "display_name": "T1105 - Ingress Tool Transfer" }, { "id": "T1480", "name": "Execution Guardrails", "display_name": "T1480 - Execution Guardrails" }, { "id": "T1147", "name": "Hidden Users", "display_name": "T1147 - Hidden Users" } ], "industries": [ "Technology", "Legal" ], "TLP": "white", "cloned_from": null, "export_count": 5, "upvotes_count": 0, "downvotes_count": 0, "votes_count": 0, "locked": false, "pulse_source": "web", "validator_count": 0, "comment_count": 0, "follower_count": 0, "vote": 0, "author": { "username": "Q.Vashti", "id": "337942", "avatar_url": "https://otx.alienvault.com/assets/images/default-avatar.png", "is_subscribed": false, "is_following": false }, "indicator_type_counts": { "URL": 4624, "FileHash-SHA256": 2021, "FileHash-MD5": 51, "FileHash-SHA1": 20, "SSLCertFingerprint": 10, "hostname": 1433, "domain": 728 }, "indicator_count": 8887, "is_author": false, "is_subscribing": null, "subscriber_count": 140, "modified_text": "108 days ago ", "is_modified": true, "groups": [], "in_group": false, "threat_hunter_scannable": true, "threat_hunter_has_agents": 1, "related_indicator_type": "URL", "related_indicator_is_active": 1 }, { "id": "6888a85aa32aab22f638d0e6", "name": "Autodesk issue in CrowdStrike prior to outage | [by scoreblue]", "description": "", "modified": "2025-07-29T10:54:18.501000", "created": "2025-07-29T10:54:18.501000", "tags": [ "healthy check", "ssl bypass", "domain tracker", "privacy badger", "startpage", "w11 pc", "pass", "iocs", "all scoreblue", "pdf report", "pcap", "stix", "avast avg", "no expiration", "status", "name servers", "moved", "h1 center", "next", "sec ch", "ch ua", "ua platform", "emails", "certificate", "passive dns", "urls", "encrypt", "body", "pe32 executable", "ms windows", "intel", "windows control", "panel item", "dos borland", "executable", "algorithm", "thumbprint", "serial number", "signing ca", "symantec time", "stamping", "g2 name", "g2 issuer", "class", "code", "kb pe", "csc corporate", "porkbun llc", "gandi sas", "request", "path", "get https", "get http", "response", "cachecontrol", "pragma", "connection", "gmt connection", "accept", "slug", "as29789", "united", "unknown", "ransom", "heur", "server", "registrar abuse", "san rafael", "autodesk", "contact phone", "registrar url", "process32nextw", "create c", "read c", "writeconsolew", "delete", "write", "show", "malware", "write c", "regsetvalueexa", "delete c", "search", "regdword", "whitelisted", "panda banker", "ursnif", "win32", "persistence", "execution", "banker", "local", "domain", "servers", "pulse pulses", "files", "ip address", "creation date", "united kingdom", "as9009 m247", "ipv4", "pulse submit", "url analysis", "twitter", "as16552 tiggee", "as397241", "as397240", "entries", "cname", "nxdomain", "a nxdomain", "worm", "file samples", "files matching", "alf features", "denver co", "wewatta", "scan endpoints", "related pulses", "date hash", "showing", "as62597 nsone", "date", "trojanspy", "cookie", "hostmaster", "expiration date", "msie", "windows nt", "wow64", "slcc2", "media center", "tls handshake", "et info", "getdc0x2a", "failure", "post http", "copy", "crash", "ascii text", "ascii", "jpeg image", "artemis", "trojan", "virustotal", "mike", "vipre", "panda", "win32mediadrug", "win324shared", "win32spigot", "hstr", "lowfi", "yara detections", "contacted", "report spam", "mozilla", "trojanclicker", "url http", "url https", "role title", "added active", "type indicator", "source domain", "akamai rank", "hostname", "ver2", "msclkidn", "vids0", "global outage", "cobalt strike", "fancy bear", "communications", "android device", "cnc beacon", "suspicious ua", "youtube", "sakula rat", "mivast", "sakula", "windows", "samuel tulach", "light dark", "samuel", "tulach", "hyperv", "detecting", "writing gui", "bootkits", "world", "information", "discovery", "t1027", "t1057", "t1071", "protocol", "t1105", "tool transfer", "t1129", "capture", "service", "t1119" ], "references": [ "autodesk.com [ Everything below was found in Autodesk [including crowdstrike & any.desk] Found in in Crowdsrike if labeled.", "66.254.114.234 | reflectededge.reflected.net | reflected.net | 192.0.2.0 | https://www.brazzers.com/ | brazzers.com | brazzersnetwork.com", "keezmovies.com | redtube.com | tube8.com | tube8.com | youporn.com| 0.brazzers.com | www.g-tunnel.comwww.brazzers.com |", "Win32:Mystic , Win.Trojan.Xblocker-236 \u00bbFileHash-SHA256 8c59adbccc1987d13fec983f1e2be046611511b65479d1719bda77c5c90bbe21", "IDS Detections: TLS Handshake Failure | Alerts: network_icmp , injection", "Win32:BankerX-gen\\ [Trj] \u00bb FileHash-SHA256 2e5118d15a18ae852bf94d91707ff634d9d8354fef492f5c4e1c46b9cf96184c", "IDS Detections: Zeus Panda Banker / Ursnif Malicious SSL Certificate Detected TLS Handshake Failure", "Alerts: network_icmp antisandbox_idletime modifies_certificates modifies_proxy_wpad disables_proxy", "RedTube.com Detections: ALF:AGGR:OpcCl:95!ml , ALF:JASYP:Backdoor:Win32/Cycbot!atmn , Win.Downloader.117423-1 ,", "RedTube.com Detections: Win.Trojan.Crypt-321 , Win.Trojan.FakeAV-4166 , Win.Trojan.Fakeav-10977 , Win.Trojan.Fakeav-3386", "Crowdstrike: wildcard.352-445-1166.device.sim.to.img.sedoparking.com", "Crowdstrike: maxfehlinger.de http://auth.cranberry.testing.maxfehlinger.de | http://latex.cranberry.testing.maxfehlinger.de |", "Crowdstrike: https://traefik.cranberry.testing.maxfehlinger.de | http://traefik.cranberry.testing.maxfehlinger.de |", "Crowdstrike: http://watchtower.cranberry.testing.maxfehlinger.de| https://auth.cranberry.testing.maxfehlinger.de |", "Crowdstrike: auth.cranberry.testing.maxfehlinger.de | latex.cranberry.testing.maxfehlinger.de | traefik.cranberry.testing.maxfehlinger.de |", "Crowdstrike: watchtower.cranberry.testing.maxfehlinger.de | https://latex.cranberry.testing.maxfehlinger.de |", "Crowdstrike: https://www.anyxxxtube.net/search-porn/tsara-brashears/\tphishing\t| https://www.anyxxxtube.net/sitemap.xml", "Crowdstrike: https://www.pornhub.com/gifs/search?search=tsara+lynn+brash |", "Crowdstrike: autodesk.com | 0ds.autodesk.com | aknanalytics.autodesk.com | anubis.autodesk.com | autobetaint.autodesk.com", "Crowdstrike: autodeskarchitecture.autodesk.com | beacon-dev3.autodesk.com | boxtooffice365.autodesk.com | brahma-studio.autodesk.com", "Crowdstrike: cdc-stg-emea.autodesk.com | cloudcost.autodesk.com | cloudpc-stg.autodesk.com | d-s.autodesk.com |", "Crowdstrike: daiwahouse-learning.autodesk.com| datagovernance-dev.autodesk.com | enterprise-api-np.autodesk.com", "Crowdstrike: symcd.com [Certificate Subjectaltname \u00bb\u00bb anydesk.com \u00bb\u00bb http://gn.symcb.com/gn.crt Ocsp\thttp://gn.symcd.com] ANYDESK.COM-unsigned", "Crowdstrike: https://bat.bing.com/action/0?ti=12001672&tm=al001&Ver=2&mid=12436868-a484-4998-931c-980262982f67&sid=b92cd8f0483e11efa3c96fe28be413cb&vid=b92cdd10483e11efb1024309353d849f&vids=1&msclkid=N&pi=-740138922&lg=en-US&sw=800&sh=600&sc=24&tl=CrowdStrike%3A%20Stop%20breaches.%20Drive%20business.&p=https%3A%2F%2Fwww.crowdstrike.com%2Fen-us%2F&r=<=1022&pt=1721661968606", "Crowdstrike: \tbat.bing.com, https://tulach.cc, https://otx.alienvault.com/indicator/url/http://www.hallrender.com/attorney/brian-sabey", "Crowdstrike: https://www.pornhub.com/gifs/search?search=tsara+lynn+brashears+lesbian | https://www.pornhub.com/video/search?search=tsara+brashears | www.youtube.com/watch?v=GyuMozsVyYs | www.pornhub.com | www.youtube.com", "Crowdstrike: https://hr.employmenthero.com/rs/387-SZZ-170/images/youtube-icon-emp-hero-violet.png", "Crowdstrike + Autodesk.com: hallrender.com/attorney/brian-sabey www.hallrender.com/attorney/brian-sabey hallrender.com www.hallrender.com https://hallrender.com milehighmedia.com https://www.milehighmedia.com/ https://www.milehighmedia.com/legal/2257", "Crowdstrike + Autodesk.com: brassiere.world mail.brassiere.world webdisk.brassiere.world webmail.brassiere.world", "Crowdstrike + Autodesk.com: 128 + symcd.com some w/issues | 658 autodesk.com pulse some w/issues | removed any.desk & boot", "The more I say...Any.Desk + boot.net.anydesk.com was in OG Private CrowdsStrike pulse", "Above links in search results direct out with and arrow pointing out.", "https://otx.alienvault.com/browse/global/pulses?q=tag:%22esta%20caliente%22&include_inactive=0&sort=-modified&page=1&limit=10&indicatorsSearch=esta%20caliente", "Above link opened 'esta caliente'= 'it's hot'| I did NOT do that | All connected links gone. This has become common.", "I didn't add pertinent findings back to Pulse. Pulse comp,eyes says ago . Couldn't submit. It's was actually a tiny pulse of autodesk.com with crowdstrike relationship references,", "boot.net.anydesk.com removed from my Pulse below", "https://otx.alienvault.com/pulse/66d4c125ad61ee5577639a2d" ], "public": 1, "adversary": "", "targeted_countries": [ "United States of America", "Netherlands" ], "malware_families": [ { "id": "Win32:Mystic", "display_name": "Win32:Mystic", "target": null }, { "id": "Win.Trojan.Xblocker-236", "display_name": "Win.Trojan.Xblocker-236", "target": null }, { "id": "Ransom:Win32/Genasom", "display_name": "Ransom:Win32/Genasom", "target": "/malware/Ransom:Win32/Genasom" }, { "id": "Worm:Win32/Autorun", "display_name": "Worm:Win32/Autorun", "target": "/malware/Worm:Win32/Autorun" }, { "id": "ALF:JASYP:Backdoor:Win32/Cycbot", "display_name": "ALF:JASYP:Backdoor:Win32/Cycbot", "target": null }, { "id": "#LowFiEnableDTContinueAfterUnpacking", "display_name": "#LowFiEnableDTContinueAfterUnpacking", "target": null }, { "id": "TrojanSpy", "display_name": "TrojanSpy", "target": null }, { "id": "TrojanSpy:Win32/Usteal", "display_name": "TrojanSpy:Win32/Usteal", "target": "/malware/TrojanSpy:Win32/Usteal" }, { "id": "Win.Trojan.PoetRat-7669676-0", "display_name": "Win.Trojan.PoetRat-7669676-0", "target": null }, { "id": "Mivast", "display_name": "Mivast", "target": null }, { "id": "Sakula", "display_name": "Sakula", "target": null } ], "attack_ids": [ { "id": "T1003", "name": "OS Credential Dumping", "display_name": "T1003 - OS Credential Dumping" }, { "id": "T1005", "name": "Data from Local System", "display_name": "T1005 - Data from Local System" }, { "id": "T1047", "name": "Windows Management Instrumentation", "display_name": "T1047 - Windows Management Instrumentation" }, { "id": "T1053", "name": "Scheduled Task/Job", "display_name": "T1053 - Scheduled Task/Job" }, { "id": "T1055", "name": "Process Injection", "display_name": "T1055 - Process Injection" }, { "id": "T1057", "name": "Process Discovery", "display_name": "T1057 - Process Discovery" }, { "id": "T1060", "name": "Registry Run Keys / Startup Folder", "display_name": "T1060 - Registry Run Keys / Startup Folder" }, { "id": "T1081", "name": "Credentials in Files", "display_name": "T1081 - Credentials in Files" }, { "id": "T1082", "name": "System Information Discovery", "display_name": "T1082 - System Information Discovery" }, { "id": "T1119", "name": "Automated Collection", "display_name": "T1119 - Automated Collection" }, { "id": "T1129", "name": "Shared Modules", "display_name": "T1129 - Shared Modules" }, { "id": "T1040", "name": "Network Sniffing", "display_name": "T1040 - Network Sniffing" }, { "id": "T1112", "name": "Modify Registry", "display_name": "T1112 - Modify Registry" }, { "id": "T1566", "name": "Phishing", "display_name": "T1566 - Phishing" }, { "id": "T1045", "name": "Software Packing", "display_name": "T1045 - Software Packing" }, { "id": "T1106", "name": "Native API", "display_name": "T1106 - Native API" }, { "id": "T1021", "name": "Remote Services", "display_name": "T1021 - Remote Services" }, { "id": "T1210", "name": "Exploitation of Remote Services", "display_name": "T1210 - Exploitation of Remote Services" }, { "id": "T1027", "name": "Obfuscated Files or Information", "display_name": "T1027 - Obfuscated Files or Information" }, { "id": "T1056", "name": "Input Capture", "display_name": "T1056 - Input Capture" }, { "id": "T1071", "name": "Application Layer Protocol", "display_name": "T1071 - Application Layer Protocol" }, { "id": "T1105", "name": "Ingress Tool Transfer", "display_name": "T1105 - Ingress Tool Transfer" }, { "id": "T1140", "name": "Deobfuscate/Decode Files or Information", "display_name": "T1140 - Deobfuscate/Decode Files or Information" }, { "id": "T1143", "name": "Hidden Window", "display_name": "T1143 - Hidden Window" }, { "id": "T1158", "name": "Hidden Files and Directories", "display_name": "T1158 - Hidden Files and Directories" }, { "id": "T1498", "name": "Network Denial of Service", "display_name": "T1498 - Network Denial of Service" }, { "id": "T1518", "name": "Software Discovery", "display_name": "T1518 - Software Discovery" }, { "id": "T1553", "name": "Subvert Trust Controls", "display_name": "T1553 - Subvert Trust Controls" }, { "id": "T1568", "name": "Dynamic Resolution", "display_name": "T1568 - Dynamic Resolution" }, { "id": "T1583", "name": "Acquire Infrastructure", "display_name": "T1583 - Acquire Infrastructure" } ], "industries": [], "TLP": "white", "cloned_from": "66d89c45ddc0c7db084b75b7", "export_count": 19, "upvotes_count": 0, "downvotes_count": 0, "votes_count": 0, "locked": false, "pulse_source": "web", "validator_count": 0, "comment_count": 0, "follower_count": 0, "vote": 0, "author": { "username": "Q.Vashti", "id": "337942", "avatar_url": "https://otx.alienvault.com/assets/images/default-avatar.png", "is_subscribed": false, "is_following": false }, "indicator_type_counts": { "FileHash-MD5": 1417, "FileHash-SHA1": 1165, "FileHash-SHA256": 6536, "URL": 6112, "domain": 1340, "hostname": 2654, "email": 15, "SSLCertFingerprint": 9 }, "indicator_count": 19248, "is_author": false, "is_subscribing": null, "subscriber_count": 139, "modified_text": "264 days ago ", "is_modified": false, "groups": [], "in_group": false, "threat_hunter_scannable": true, "threat_hunter_has_agents": 1, "related_indicator_type": "URL", "related_indicator_is_active": 1 }, { "id": "6647908c09468f42bc1249f1", "name": "University of Alberta Azure/Entra Compromised Tenant Compromized Institution", "description": "Update: Academic/Non-Academic Staff Unions, 3rd party org, & some profs/students/alumni tried raising concerns to Admins/President/IST & CISO => Maintaining position they will not be looking into reported problems re: Cybersecurity under any circumstances = more time more problems? Attempts to advocate -> Harrass./Discrim./De-humanizing responses from admins (representing all folks - recorded). \nTenant ID: 718b8a9b-44d8-441a-a344-4294ea842172 = This pulse is 1 example (small) of problems.\n\nPrimary domain\nualbertaca.onmicrosoft.com\nCustom Domain Names\nualberta.ca\nVerified\nualbertaca.onmicrosoft.com", "modified": "2025-03-01T04:59:57.222000", "created": "2024-05-17T17:14:52.317000", "tags": [ "false", "true", "visible", "application", "microsoft teams", "microsoft azure", "office", "service", "dynamics", "hidden", "android", "explorer", "write", "connector", "test", "sharepoint", "live", "meister", "tools", "desktop", "spark", "front", "enterprise", "designer", "atlas", "premium", "assistant", "allow", "azureadmyorg", "game", "verify", "microsoft power", "channelsurfcli", "mtd1", "file transfer", "magnus", "microsoft crm", "youth" ], "references": [ "All - EnterpriseAppsList.csv", "AppRegistrationList.csv", "https://tria.ge/240517-vc7c1shc62/behavioral1", "https://tria.ge/240517-vdwb5shc71/behavioral1", "https://tria.ge/240517-vqxezaaa33/behavioral1", "https://tria.ge/240517-t9pc2ahb2t", "https://www.virustotal.com/graph/embed/g9453a2f58a3340f18120987c2b4d710dbb44ded88c434abf8894458a98c7bd4b?theme=dark", "https://www.virustotal.com/gui/collection/b84a19d60ec7cd6d546a3f145dff8987128d0f499161118b46de22718d4713cd/iocs", "https://www.virustotal.com/gui/collection/b84a19d60ec7cd6d546a3f145dff8987128d0f499161118b46de22718d4713cd/graph", "https://www.virustotal.com/gui/collection/b84a19d60ec7cd6d546a3f145dff8987128d0f499161118b46de22718d4713cd/summary", "https://www.filescan.io/uploads/66479b483313f70f0afe3dbb", "https://www.filescan.io/uploads/664799c9d5c40bffee6106d7", "Thor Scan: S-I9VvMTB6cZU", "https://www.filescan.io/uploads/664ba368d5c40bffee63b1ee/reports/31817751-6b5d-45df-8813-472aa6c756a3/overview", "https://www.filescan.io/uploads/664ba8a20663ff3c2ec6428a/reports/09d3d82a-7ec1-4804-93e5-5ae691fbb7f2/overview", "https://imp0rtp3.wordpress.com/2021/08/12/tetris/", "https://www.filescan.io/uploads/664bb0cd7c9fb1468fc610c5/reports/00c78e4d-2156-4906-a106-ebf7e2723251/overview", "https://www.filescan.io/uploads/664bb40fbc04dffa92240ca2/reports/398074f2-c7b6-40e9-9b5c-4225cc990473/overview", "https://www.filescan.io/uploads/664bb683bc04dffa92241015/reports/92b70fd6-97d7-4386-8465-f3fd79043843/overview", "https://tria.ge/240521-q4s79agb25/static1", "https://app.malcore.io/share/652553f6aec33d70a1dbbd25/664f906322f5af13cdfb50be", "https://app.malcore.io/share/652553f6aec33d70a1dbbd25/664f906222f5af13cdfb5093", "https://www.filescan.io/uploads/666d69ff6b8dba248b414767/reports/dda2c8a1-96fd-4c00-9cbc-c64c4685a804/overview", "https://www.filescan.io/uploads/666d69ff6b8dba248b414767", "https://viz.greynoise.io/analysis/33e9b33b-b932-4c43-9be1-3e2d6f9cb4b3", "https://viz.greynoise.io/analysis/e51d9a15-d802-4d51-9a70-17803dc2693a", "https://app.malcore.io/share/652553f6aec33d70a1dbbd25/667d01d2b67682d81c00f37b", "Above Malcore Strings: All - EnterpriseAppsList, AppRegistration, EnterpriseAppslist, exportGroup, exportUsers, HiddenApps - EnterpriseAppsList****", "https://app.malcore.io/share/652553f6aec33d70a1dbbd25/667d00975ea31558d54fceea", "https://app.malcore.io/share/652553f6aec33d70a1dbbd25/667cff1a5ea31558d54fcbf6", "https://app.malcore.io/share/652553f6aec33d70a1dbbd25/667d0107b44401771de9ebf2", "https://app.malcore.io/share/652553f6aec33d70a1dbbd25/667d00356dd8f43b723a915a", "https://app.malcore.io/share/652553f6aec33d70a1dbbd25/667cffec5ea31558d54fcda2", "https://www.hudsonrock.com/search?domain=ualberta.ca", "https://www.criminalip.io/domain/report?scan_id=13798622", "https://viz.greynoise.io/analysis/9635144c-db8f-47ab-a83a-5785602244cf - 07.03.24", "https://urlscan.io/search/#ualberta.ca", "https://www.virustotal.com/gui/collection/0ca12fcdd125ec5a5055180ee828b98d47b8b2e920660be559c2b602266b6b1d/iocs", "https://sitereport.netcraft.com/?url=http://ualberta.ca", "https://www.wordfence.com/blog/2022/10/threat-advisory-monitoring-cve-2022-42889-text4shell-exploit-attempts/", "https://tenantresolution.pingcastle.com/Search - Tenant still active (07.19.24) - Good jobs ya'll", "https://www.virustotal.com/graph/embed/gf1d5aa209c7f4fd086e4cb17dcd0af52421ea4bae87d49fe9b4076b382612f0e?theme=dark", "https://viz.greynoise.io/query/AS36351%20classification:%22malicious%22", "https://viz.greynoise.io/query/AS60068%20classification:%22malicious%22", "https://viz.greynoise.io/query/AS8075%20classification:%22malicious%22", "https://viz.greynoise.io/query/AS15169%20classification:%22malicious%22", "https://app.malcore.io/share/652553f6aec33d70a1dbbd25/667d01d2b67682d81c00f37b - https://app.malcore.io/share/652553f6aec33d70a1dbbd25/667d01d2b67682d81c00f37b = Hidden Apps - Enterprise Apps List" ], "public": 1, "adversary": "", "targeted_countries": [ "United States of America", "Canada" ], "malware_families": [], "attack_ids": [], "industries": [ "Education", "Technology", "Healthcare", "Telecommunications", "Government" ], "TLP": "white", "cloned_from": null, "export_count": 25, "upvotes_count": 0, "downvotes_count": 0, "votes_count": 0, "locked": false, "pulse_source": "web", "validator_count": 0, "comment_count": 7, "follower_count": 0, "vote": 0, "author": { "username": "Disable_Duck", "id": "244325", "avatar_url": "/otxapi/users/avatar_image/media/avatars/user_244325/resized/80/avatar_3b9c358f36.png", "is_subscribed": false, "is_following": false }, "indicator_type_counts": { "FileHash-MD5": 1703, "FileHash-SHA256": 90472, "URL": 99185, "domain": 82954, "hostname": 39041, "FileHash-SHA1": 1624, "email": 4658, "CVE": 12 }, "indicator_count": 319649, "is_author": false, "is_subscribing": null, "subscriber_count": 139, "modified_text": "414 days ago ", "is_modified": true, "groups": [], "in_group": false, "threat_hunter_scannable": true, "threat_hunter_has_agents": 1, "related_indicator_type": "URL", "related_indicator_is_active": 1 }, { "id": "66d89c45ddc0c7db084b75b7", "name": "Autodesk weakens CS | Unauthorized AlienVault API | Stolen pulsed", "description": "Critical issues within AlienVault , VT & my devices. Plugins auto installed after I opened message from AV user. Sudden redirects to 0/ http/s. Heavy modifications, removal of IoC's on AV & VT & Virus Total. Autodesk.com was under CrowdStrike until last night. Links where vulnerabilities were originating from completely disappeared from graph I kindly kept private. Continuous mods for months to Crowdstrike and other pulses. [https://otx.alienvault.com/api appears in search] A page opens with Tag: \"esta caliente\" | All linked pulses Gone. Only person who frequently contacted me appears where they didn't before & These dishonest billion $ companies cover up though they are at fault for allowing ALL threat actor to be protected with non adversarial businesses. Besides other compromises, surprisingly Brashears porn found in Crowdstrike/Autodesk others. Disappointing.", "modified": "2024-10-04T17:02:07.067000", "created": "2024-09-04T17:43:33.123000", "tags": [ "healthy check", "ssl bypass", "domain tracker", "privacy badger", "startpage", "w11 pc", "pass", "iocs", "all scoreblue", "pdf report", "pcap", "stix", "avast avg", "no expiration", "status", "name servers", "moved", "h1 center", "next", "sec ch", "ch ua", "ua platform", "emails", "certificate", "passive dns", "urls", "encrypt", "body", "pe32 executable", "ms windows", "intel", "windows control", "panel item", "dos borland", "executable", "algorithm", "thumbprint", "serial number", "signing ca", "symantec time", "stamping", "g2 name", "g2 issuer", "class", "code", "kb pe", "csc corporate", "porkbun llc", "gandi sas", "request", "path", "get https", "get http", "response", "cachecontrol", "pragma", "connection", "gmt connection", "accept", "slug", "as29789", "united", "unknown", "ransom", "heur", "server", "registrar abuse", "san rafael", "autodesk", "contact phone", "registrar url", "process32nextw", "create c", "read c", "writeconsolew", "delete", "write", "show", "malware", "write c", "regsetvalueexa", "delete c", "search", "regdword", "whitelisted", "panda banker", "ursnif", "win32", "persistence", "execution", "banker", "local", "domain", "servers", "pulse pulses", "files", "ip address", "creation date", "united kingdom", "as9009 m247", "ipv4", "pulse submit", "url analysis", "twitter", "as16552 tiggee", "as397241", "as397240", "entries", "cname", "nxdomain", "a nxdomain", "worm", "file samples", "files matching", "alf features", "denver co", "wewatta", "scan endpoints", "related pulses", "date hash", "showing", "as62597 nsone", "date", "trojanspy", "cookie", "hostmaster", "expiration date", "msie", "windows nt", "wow64", "slcc2", "media center", "tls handshake", "et info", "getdc0x2a", "failure", "post http", "copy", "crash", "ascii text", "ascii", "jpeg image", "artemis", "trojan", "virustotal", "mike", "vipre", "panda", "win32mediadrug", "win324shared", "win32spigot", "hstr", "lowfi", "yara detections", "contacted", "report spam", "mozilla", "trojanclicker", "url http", "url https", "role title", "added active", "type indicator", "source domain", "akamai rank", "hostname", "ver2", "msclkidn", "vids0", "global outage", "cobalt strike", "fancy bear", "communications", "android device", "cnc beacon", "suspicious ua", "youtube", "sakula rat", "mivast", "sakula", "windows", "samuel tulach", "light dark", "samuel", "tulach", "hyperv", "detecting", "writing gui", "bootkits", "world", "information", "discovery", "t1027", "t1057", "t1071", "protocol", "t1105", "tool transfer", "t1129", "capture", "service", "t1119" ], "references": [ "autodesk.com [ Everything below was found in Autodesk [including crowdstrike & any.desk] Found in in Crowdsrike if labeled.", "66.254.114.234 | reflectededge.reflected.net | reflected.net | 192.0.2.0 | https://www.brazzers.com/ | brazzers.com | brazzersnetwork.com", "keezmovies.com | redtube.com | tube8.com | tube8.com | youporn.com| 0.brazzers.com | www.g-tunnel.comwww.brazzers.com |", "Win32:Mystic , Win.Trojan.Xblocker-236 \u00bbFileHash-SHA256 8c59adbccc1987d13fec983f1e2be046611511b65479d1719bda77c5c90bbe21", "IDS Detections: TLS Handshake Failure | Alerts: network_icmp , injection", "Win32:BankerX-gen\\ [Trj] \u00bb FileHash-SHA256 2e5118d15a18ae852bf94d91707ff634d9d8354fef492f5c4e1c46b9cf96184c", "IDS Detections: Zeus Panda Banker / Ursnif Malicious SSL Certificate Detected TLS Handshake Failure", "Alerts: network_icmp antisandbox_idletime modifies_certificates modifies_proxy_wpad disables_proxy", "RedTube.com Detections: ALF:AGGR:OpcCl:95!ml , ALF:JASYP:Backdoor:Win32/Cycbot!atmn , Win.Downloader.117423-1 ,", "RedTube.com Detections: Win.Trojan.Crypt-321 , Win.Trojan.FakeAV-4166 , Win.Trojan.Fakeav-10977 , Win.Trojan.Fakeav-3386", "Crowdstrike: wildcard.352-445-1166.device.sim.to.img.sedoparking.com", "Crowdstrike: maxfehlinger.de http://auth.cranberry.testing.maxfehlinger.de | http://latex.cranberry.testing.maxfehlinger.de |", "Crowdstrike: https://traefik.cranberry.testing.maxfehlinger.de | http://traefik.cranberry.testing.maxfehlinger.de |", "Crowdstrike: http://watchtower.cranberry.testing.maxfehlinger.de| https://auth.cranberry.testing.maxfehlinger.de |", "Crowdstrike: auth.cranberry.testing.maxfehlinger.de | latex.cranberry.testing.maxfehlinger.de | traefik.cranberry.testing.maxfehlinger.de |", "Crowdstrike: watchtower.cranberry.testing.maxfehlinger.de | https://latex.cranberry.testing.maxfehlinger.de |", "Crowdstrike: https://www.anyxxxtube.net/search-porn/tsara-brashears/\tphishing\t| https://www.anyxxxtube.net/sitemap.xml", "Crowdstrike: https://www.pornhub.com/gifs/search?search=tsara+lynn+brash |", "Crowdstrike: autodesk.com | 0ds.autodesk.com | aknanalytics.autodesk.com | anubis.autodesk.com | autobetaint.autodesk.com", "Crowdstrike: autodeskarchitecture.autodesk.com | beacon-dev3.autodesk.com | boxtooffice365.autodesk.com | brahma-studio.autodesk.com", "Crowdstrike: cdc-stg-emea.autodesk.com | cloudcost.autodesk.com | cloudpc-stg.autodesk.com | d-s.autodesk.com |", "Crowdstrike: daiwahouse-learning.autodesk.com| datagovernance-dev.autodesk.com | enterprise-api-np.autodesk.com", "Crowdstrike: symcd.com [Certificate Subjectaltname \u00bb\u00bb anydesk.com \u00bb\u00bb http://gn.symcb.com/gn.crt Ocsp\thttp://gn.symcd.com] ANYDESK.COM-unsigned", "Crowdstrike: https://bat.bing.com/action/0?ti=12001672&tm=al001&Ver=2&mid=12436868-a484-4998-931c-980262982f67&sid=b92cd8f0483e11efa3c96fe28be413cb&vid=b92cdd10483e11efb1024309353d849f&vids=1&msclkid=N&pi=-740138922&lg=en-US&sw=800&sh=600&sc=24&tl=CrowdStrike%3A%20Stop%20breaches.%20Drive%20business.&p=https%3A%2F%2Fwww.crowdstrike.com%2Fen-us%2F&r=<=1022&pt=1721661968606", "Crowdstrike: \tbat.bing.com, https://tulach.cc, https://otx.alienvault.com/indicator/url/http://www.hallrender.com/attorney/brian-sabey", "Crowdstrike: https://www.pornhub.com/gifs/search?search=tsara+lynn+brashears+lesbian | https://www.pornhub.com/video/search?search=tsara+brashears | www.youtube.com/watch?v=GyuMozsVyYs | www.pornhub.com | www.youtube.com", "Crowdstrike: https://hr.employmenthero.com/rs/387-SZZ-170/images/youtube-icon-emp-hero-violet.png", "Crowdstrike + Autodesk.com: hallrender.com/attorney/brian-sabey www.hallrender.com/attorney/brian-sabey hallrender.com www.hallrender.com https://hallrender.com milehighmedia.com https://www.milehighmedia.com/ https://www.milehighmedia.com/legal/2257", "Crowdstrike + Autodesk.com: brassiere.world mail.brassiere.world webdisk.brassiere.world webmail.brassiere.world", "Crowdstrike + Autodesk.com: 128 + symcd.com some w/issues | 658 autodesk.com pulse some w/issues | removed any.desk & boot", "The more I say...Any.Desk + boot.net.anydesk.com was in OG Private CrowdsStrike pulse", "Above links in search results direct out with and arrow pointing out.", "https://otx.alienvault.com/browse/global/pulses?q=tag:%22esta%20caliente%22&include_inactive=0&sort=-modified&page=1&limit=10&indicatorsSearch=esta%20caliente", "Above link opened 'esta caliente'= 'it's hot'| I did NOT do that | All connected links gone. This has become common.", "I didn't add pertinent findings back to Pulse. Pulse comp,eyes says ago . Couldn't submit. It's was actually a tiny pulse of autodesk.com with crowdstrike relationship references,", "boot.net.anydesk.com removed from my Pulse below", "https://otx.alienvault.com/pulse/66d4c125ad61ee5577639a2d" ], "public": 1, "adversary": "", "targeted_countries": [ "United States of America", "Netherlands" ], "malware_families": [ { "id": "Win32:Mystic", "display_name": "Win32:Mystic", "target": null }, { "id": "Win.Trojan.Xblocker-236", "display_name": "Win.Trojan.Xblocker-236", "target": null }, { "id": "Ransom:Win32/Genasom", "display_name": "Ransom:Win32/Genasom", "target": "/malware/Ransom:Win32/Genasom" }, { "id": "Worm:Win32/Autorun", "display_name": "Worm:Win32/Autorun", "target": "/malware/Worm:Win32/Autorun" }, { "id": "ALF:JASYP:Backdoor:Win32/Cycbot", "display_name": "ALF:JASYP:Backdoor:Win32/Cycbot", "target": null }, { "id": "#LowFiEnableDTContinueAfterUnpacking", "display_name": "#LowFiEnableDTContinueAfterUnpacking", "target": null }, { "id": "TrojanSpy", "display_name": "TrojanSpy", "target": null }, { "id": "TrojanSpy:Win32/Usteal", "display_name": "TrojanSpy:Win32/Usteal", "target": "/malware/TrojanSpy:Win32/Usteal" }, { "id": "Win.Trojan.PoetRat-7669676-0", "display_name": "Win.Trojan.PoetRat-7669676-0", "target": null }, { "id": "Mivast", "display_name": "Mivast", "target": null }, { "id": "Sakula", "display_name": "Sakula", "target": null } ], "attack_ids": [ { "id": "T1003", "name": "OS Credential Dumping", "display_name": "T1003 - OS Credential Dumping" }, { "id": "T1005", "name": "Data from Local System", "display_name": "T1005 - Data from Local System" }, { "id": "T1047", "name": "Windows Management Instrumentation", "display_name": "T1047 - Windows Management Instrumentation" }, { "id": "T1053", "name": "Scheduled Task/Job", "display_name": "T1053 - Scheduled Task/Job" }, { "id": "T1055", "name": "Process Injection", "display_name": "T1055 - Process Injection" }, { "id": "T1057", "name": "Process Discovery", "display_name": "T1057 - Process Discovery" }, { "id": "T1060", "name": "Registry Run Keys / Startup Folder", "display_name": "T1060 - Registry Run Keys / Startup Folder" }, { "id": "T1081", "name": "Credentials in Files", "display_name": "T1081 - Credentials in Files" }, { "id": "T1082", "name": "System Information Discovery", "display_name": "T1082 - System Information Discovery" }, { "id": "T1119", "name": "Automated Collection", "display_name": "T1119 - Automated Collection" }, { "id": "T1129", "name": "Shared Modules", "display_name": "T1129 - Shared Modules" }, { "id": "T1040", "name": "Network Sniffing", "display_name": "T1040 - Network Sniffing" }, { "id": "T1112", "name": "Modify Registry", "display_name": "T1112 - Modify Registry" }, { "id": "T1566", "name": "Phishing", "display_name": "T1566 - Phishing" }, { "id": "T1045", "name": "Software Packing", "display_name": "T1045 - Software Packing" }, { "id": "T1106", "name": "Native API", "display_name": "T1106 - Native API" }, { "id": "T1021", "name": "Remote Services", "display_name": "T1021 - Remote Services" }, { "id": "T1210", "name": "Exploitation of Remote Services", "display_name": "T1210 - Exploitation of Remote Services" }, { "id": "T1027", "name": "Obfuscated Files or Information", "display_name": "T1027 - Obfuscated Files or Information" }, { "id": "T1056", "name": "Input Capture", "display_name": "T1056 - Input Capture" }, { "id": "T1071", "name": "Application Layer Protocol", "display_name": "T1071 - Application Layer Protocol" }, { "id": "T1105", "name": "Ingress Tool Transfer", "display_name": "T1105 - Ingress Tool Transfer" }, { "id": "T1140", "name": "Deobfuscate/Decode Files or Information", "display_name": "T1140 - Deobfuscate/Decode Files or Information" }, { "id": "T1143", "name": "Hidden Window", "display_name": "T1143 - Hidden Window" }, { "id": "T1158", "name": "Hidden Files and Directories", "display_name": "T1158 - Hidden Files and Directories" }, { "id": "T1498", "name": "Network Denial of Service", "display_name": "T1498 - Network Denial of Service" }, { "id": "T1518", "name": "Software Discovery", "display_name": "T1518 - Software Discovery" }, { "id": "T1553", "name": "Subvert Trust Controls", "display_name": "T1553 - Subvert Trust Controls" }, { "id": "T1568", "name": "Dynamic Resolution", "display_name": "T1568 - Dynamic Resolution" }, { "id": "T1583", "name": "Acquire Infrastructure", "display_name": "T1583 - Acquire Infrastructure" } ], "industries": [], "TLP": "white", "cloned_from": null, "export_count": 38, "upvotes_count": 0, "downvotes_count": 0, "votes_count": 0, "locked": false, "pulse_source": "web", "validator_count": 0, "comment_count": 1, "follower_count": 0, "vote": 0, "author": { "username": "scoreblue", "id": "254100", "avatar_url": "/otxapi/users/avatar_image/media/avatars/user_254100/resized/80/avatar_3b9c358f36.png", "is_subscribed": false, "is_following": false }, "indicator_type_counts": { "FileHash-MD5": 1417, "FileHash-SHA1": 1165, "FileHash-SHA256": 6536, "URL": 6112, "domain": 1340, "hostname": 2654, "email": 15, "SSLCertFingerprint": 9 }, "indicator_count": 19248, "is_author": false, "is_subscribing": null, "subscriber_count": 227, "modified_text": "562 days ago ", "is_modified": true, "groups": [], "in_group": false, "threat_hunter_scannable": true, "threat_hunter_has_agents": 1, "related_indicator_type": "URL", "related_indicator_is_active": 1 }, { "id": "65be56d257bb241c4fa3f68d", "name": "AZORult CnC", "description": "Behaviors\n\nSteals computer data, such as installed programs, machine globally unique identifier (GUID), system architecture, system language, user name, computer name, and operating system (OS) version\nSteals stored account information used in different installed File Transfer Protocol (FTP) clients or file manager software\nSteals stored email credentials of different mail clients\nSteals user names, passwords, and hostnames from different browsers\nSteals bitcoin wallets - Monero and uCoin\nSteals Steam and telegram credentials\nSteals Skype chat history and messages\nExecutes backdoor commands from a remote malicious user to collect host Internet protocol (IP) information, download/execute/delete file\nCapabilities\n\nInformation Theft\nBackdoor commands\nExploits\nDownload Routine\nImpact\n\nCompromise system security - with backdoor capabilities that can execute malicious commands, downloads and installs additional malwares", "modified": "2024-03-04T14:03:17.574000", "created": "2024-02-03T15:08:02.291000", "tags": [ "ssl certificate", "whois record", "threat roundup", "whois whois", "january", "historical ssl", "referrer", "april", "resolutions", "siblings domain", "march", "february", "obz4usfn0 http", "problems", "threat network", "infrastructure", "st201601152", "startpage", "iframe", "united", "unknown", "search", "showing", "united kingdom", "creation date", "aaaa", "cname", "scan endpoints", "all octoseek", "date", "next", "script urls", "soa nxdomain", "link", "xml title", "portugal", "domain", "status", "expiration date", "pulse pulses", "as44273 host", "domain robot", "as61969 team", "body", "as8075", "netherlands", "servers", "emails", "duo insight", "type", "asnone united", "name servers", "germany unknown", "passive dns", "as14061", "as49453", "lowfi", "a domains", "urls", "privacy inc", "customer", "trojandropper", "dynamicloader", "default", "medium", "entries", "khtml", "download", "show", "activity", "http", "copy", "write", "malware", "adware affiliate", "hostname", "trojan", "pulse submit", "url analysis", "files", "as212913 fop", "russia unknown", "as397240", "as15169 google", "as19237 omnis", "as22169 omnis", "as20068 hawk", "as133618", "as47846", "as22489", "encrypt", "record value", "pragma", "accept ch", "ireland unknown", "msie", "chrome", "style", "gmt setcookie", "as6724 strato", "core", "win32", "backdoor", "expl", "exploit", "ipv4", "virtool", "azorult cnc", "possible", "as7018 att", "regsetvalueexa", "china as4134", "service", "asnone", "dns lookup", "ransom", "push", "eternalblue", "recon", "playgame", "domain name", "as13768 aptum", "meta", "error", "as43350 nforce", "as55286", "as60558 phoenix", "ip address", "registrar", "1996", "contacted", "unlocker", "red team", "af81 http", "execution", "open", "whois sslcert", "suspicious c2", "cve202322518", "collection", "vt graph", "excel", "emotet", "metro", "jeffrey reimer pt", "sharecare", "tsara brashears", "apple", "icloud" ], "references": [ "https://www.sharecare.com/doctor/jeffrey-reimer-6ie6z", "qbot.zip", "imp.fusioninstall.com", "https://mylegalbid.com/malwarebytes", "192.185.223.216 | 192.168.56.1 [malware]", "http://45.159.189.105/bot/regex", "https://success.trendmicro.com/dcx/s/solution/000146108-azorult-malware-information?language=en_US&sfdcIFrameOrigin=null", "http://config.premiuminstaller.com/config/ls/offers.json?pid=installer&ts=2014-10-14T18:54:45.9443368Z&br=CR&adprovider=marmarf", "xhamster.comyouporn.com", "cams4all.com", "watchhers.net", "weconnect.com", "icloud-appleidsuport.com | appleid.com | apple.com | apple-dns.net", "http://install.oinstaller5.com/o/jfaquew_jupdate/setup.exe?mode=dlshift&sf=0&subid=a208&filedescription=setup&adprovider=jfaquew&cpixe", "init.ess.apple.com | 0-courier.push.apple.com | dns1.registrar-servers.com", "Apple -dns1.registrar-servers.com | emails.redvue.com | icloud-appleidsuport.com", "https://songculture.com/tsara-brashears | https://www.songculture.com/tsara-brashears-music", "https://www.songculture.com/tsara-lynn-brashears-music", "https://www.anyxxxtube.net/search-porn/tsara-brashears/", "youramateuporn.com", "ns2.abovedomains.com", "ww16.porn-community.porn25.com", "https://totallyspies.1000hentai.com/tag/clover-porn/", "pirateproxy.cc", "mwilliams.dev@gmail.com | piratepages.com", "838114.parkingcrew.net", "static-push-preprod.porndig.com", "www.redtube.comyouporn.com", "https://severeporn-com.pornproxy.page/", "https://spankbang-com.pornproxy.page/593ao/video/sunshine%20mouth%20stuffed%20gagged%20and%20tied%20with%20her%20friend", "yoursexy.porn | indianyouporn.com", "source-6.youporn.express | source-6.sexpornsource.com\t hostname\tsource-3.xxxporn.club | source-2.pornhubs.best | source-2.freepornxo.com", "cdn.pornsocket.com", "http://secure.indianpornpass.com/track/hotpornstuff", "www.anyxxxtube.net", "https://twitter.com/PORNO_SEXYBABES", "http://www.my-sexcam.com/mf6w/?K48hY=mUHPm4taPKwCazx4uoqkcvO3m838TOpLC/XyTruUQEV1lwGjr5ldYJa4yIBvf0ifHE4=&sHB=DPfXxzFpo", "campaign-manager.sharecare.com", "qa.companycam.com", "https://app.join.engineeringim.com/e/er?utm_source=eloqua&utm_medium=email&utm_campaign=&sp_cid=&utm_content=PB_NAM23BSE_PB_06_BATT_PW_Shmuel&sp_aid=27591&sp_rid=31788066&sp_eh=577a94ae55b9b9c106e776e684a2413f8c4dac061fc5b814c054be9e822698d9&s=949606000&lid=79146&elqTrackId=2AD273F3E5AB3555FA7D5FA11122C7C2&elq=a46790e54bbc42d2b0adbc4e6533814e&elqaid=27591&elqat=1", "24-70mm.camera", "dropboxpayments.com", "http://r3.i.lencr.org/ | r3.i.lencr.org | c.lencr.org | x1.c.lencr.org", "http://xred.mooo.com", "https://sexgalaxy.net/tag/rodneymoore/", "http://alive.overit.com/~schoolbu/badmood3.exe", "jimgaffigan.com" ], "public": 1, "adversary": "", "targeted_countries": [ "United Kingdom of Great Britain and Northern Ireland", "United States of America", "Netherlands", "Germany", "France" ], "malware_families": [ { "id": "Adware Affiliate", "display_name": "Adware Affiliate", "target": null }, { "id": "AZORult CnC", "display_name": "AZORult CnC", "target": null }, { "id": "Possible", "display_name": "Possible", "target": null }, { "id": "VirTool", "display_name": "VirTool", "target": null } ], "attack_ids": [ { "id": "T1566", "name": "Phishing", "display_name": "T1566 - Phishing" }, { "id": "T1031", "name": "Modify Existing Service", "display_name": "T1031 - Modify Existing Service" }, { "id": "T1040", "name": "Network Sniffing", "display_name": "T1040 - Network Sniffing" }, { "id": "T1053", "name": "Scheduled Task/Job", "display_name": "T1053 - Scheduled Task/Job" }, { "id": "T1060", "name": "Registry Run Keys / Startup Folder", "display_name": "T1060 - Registry Run Keys / Startup Folder" }, { "id": "T1129", "name": "Shared Modules", "display_name": "T1129 - Shared Modules" }, { "id": "T1158", "name": "Hidden Files and Directories", "display_name": "T1158 - Hidden Files and Directories" } ], "industries": [], "TLP": "white", "cloned_from": null, "export_count": 22, "upvotes_count": 0, "downvotes_count": 0, "votes_count": 0, "locked": false, "pulse_source": "web", "validator_count": 0, "comment_count": 0, "follower_count": 0, "vote": 0, "author": { "username": "OctoSeek", "id": "243548", "avatar_url": "/otxapi/users/avatar_image/media/avatars/user_243548/resized/80/avatar_3b9c358f36.png", "is_subscribed": false, "is_following": false }, "indicator_type_counts": { "FileHash-MD5": 737, "FileHash-SHA1": 692, "FileHash-SHA256": 7488, "URL": 6694, "domain": 5247, "hostname": 2932, "email": 49, "CVE": 2, "SSLCertFingerprint": 1 }, "indicator_count": 23842, "is_author": false, "is_subscribing": null, "subscriber_count": 221, "modified_text": "776 days ago ", "is_modified": true, "groups": [], "in_group": false, "threat_hunter_scannable": true, "threat_hunter_has_agents": 1, "related_indicator_type": "URL", "related_indicator_is_active": 1 }, { "id": "65be56d6df9d36bac14ccd87", "name": "AZORult CnC", "description": "Behaviors\n\nSteals computer data, such as installed programs, machine globally unique identifier (GUID), system architecture, system language, user name, computer name, and operating system (OS) version\nSteals stored account information used in different installed File Transfer Protocol (FTP) clients or file manager software\nSteals stored email credentials of different mail clients\nSteals user names, passwords, and hostnames from different browsers\nSteals bitcoin wallets - Monero and uCoin\nSteals Steam and telegram credentials\nSteals Skype chat history and messages\nExecutes backdoor commands from a remote malicious user to collect host Internet protocol (IP) information, download/execute/delete file\nCapabilities\n\nInformation Theft\nBackdoor commands\nExploits\nDownload Routine\nImpact\n\nCompromise system security - with backdoor capabilities that can execute malicious commands, downloads and installs additional malwares", "modified": "2024-03-04T14:03:17.574000", "created": "2024-02-03T15:08:06.808000", "tags": [ "ssl certificate", "whois record", "threat roundup", "whois whois", "january", "historical ssl", "referrer", "april", "resolutions", "siblings domain", "march", "february", "obz4usfn0 http", "problems", "threat network", "infrastructure", "st201601152", "startpage", "iframe", "united", "unknown", "search", "showing", "united kingdom", "creation date", "aaaa", "cname", "scan endpoints", "all octoseek", "date", "next", "script urls", "soa nxdomain", "link", "xml title", "portugal", "domain", "status", "expiration date", "pulse pulses", "as44273 host", "domain robot", "as61969 team", "body", "as8075", "netherlands", "servers", "emails", "duo insight", "type", "asnone united", "name servers", "germany unknown", "passive dns", "as14061", "as49453", "lowfi", "a domains", "urls", "privacy inc", "customer", "trojandropper", "dynamicloader", "default", "medium", "entries", "khtml", "download", "show", "activity", "http", "copy", "write", "malware", "adware affiliate", "hostname", "trojan", "pulse submit", "url analysis", "files", "as212913 fop", "russia unknown", "as397240", "as15169 google", "as19237 omnis", "as22169 omnis", "as20068 hawk", "as133618", "as47846", "as22489", "encrypt", "record value", "pragma", "accept ch", "ireland unknown", "msie", "chrome", "style", "gmt setcookie", "as6724 strato", "core", "win32", "backdoor", "expl", "exploit", "ipv4", "virtool", "azorult cnc", "possible", "as7018 att", "regsetvalueexa", "china as4134", "service", "asnone", "dns lookup", "ransom", "push", "eternalblue", "recon", "playgame", "domain name", "as13768 aptum", "meta", "error", "as43350 nforce", "as55286", "as60558 phoenix", "ip address", "registrar", "1996", "contacted", "unlocker", "red team", "af81 http", "execution", "open", "whois sslcert", "suspicious c2", "cve202322518", "collection", "vt graph", "excel", "emotet", "metro", "jeffrey reimer pt", "sharecare", "tsara brashears", "apple", "icloud" ], "references": [ "https://www.sharecare.com/doctor/jeffrey-reimer-6ie6z", "qbot.zip", "imp.fusioninstall.com", "https://mylegalbid.com/malwarebytes", "192.185.223.216 | 192.168.56.1 [malware]", "http://45.159.189.105/bot/regex", "https://success.trendmicro.com/dcx/s/solution/000146108-azorult-malware-information?language=en_US&sfdcIFrameOrigin=null", "http://config.premiuminstaller.com/config/ls/offers.json?pid=installer&ts=2014-10-14T18:54:45.9443368Z&br=CR&adprovider=marmarf", "xhamster.comyouporn.com", "cams4all.com", "watchhers.net", "weconnect.com", "icloud-appleidsuport.com | appleid.com | apple.com | apple-dns.net", "http://install.oinstaller5.com/o/jfaquew_jupdate/setup.exe?mode=dlshift&sf=0&subid=a208&filedescription=setup&adprovider=jfaquew&cpixe", "init.ess.apple.com | 0-courier.push.apple.com | dns1.registrar-servers.com", "Apple -dns1.registrar-servers.com | emails.redvue.com | icloud-appleidsuport.com", "https://songculture.com/tsara-brashears | https://www.songculture.com/tsara-brashears-music", "https://www.songculture.com/tsara-lynn-brashears-music", "https://www.anyxxxtube.net/search-porn/tsara-brashears/", "youramateuporn.com", "ns2.abovedomains.com", "ww16.porn-community.porn25.com", "https://totallyspies.1000hentai.com/tag/clover-porn/", "pirateproxy.cc", "mwilliams.dev@gmail.com | piratepages.com", "838114.parkingcrew.net", "static-push-preprod.porndig.com", "www.redtube.comyouporn.com", "https://severeporn-com.pornproxy.page/", "https://spankbang-com.pornproxy.page/593ao/video/sunshine%20mouth%20stuffed%20gagged%20and%20tied%20with%20her%20friend", "yoursexy.porn | indianyouporn.com", "source-6.youporn.express | source-6.sexpornsource.com\t hostname\tsource-3.xxxporn.club | source-2.pornhubs.best | source-2.freepornxo.com", "cdn.pornsocket.com", "http://secure.indianpornpass.com/track/hotpornstuff", "www.anyxxxtube.net", "https://twitter.com/PORNO_SEXYBABES", "http://www.my-sexcam.com/mf6w/?K48hY=mUHPm4taPKwCazx4uoqkcvO3m838TOpLC/XyTruUQEV1lwGjr5ldYJa4yIBvf0ifHE4=&sHB=DPfXxzFpo", "campaign-manager.sharecare.com", "qa.companycam.com", "https://app.join.engineeringim.com/e/er?utm_source=eloqua&utm_medium=email&utm_campaign=&sp_cid=&utm_content=PB_NAM23BSE_PB_06_BATT_PW_Shmuel&sp_aid=27591&sp_rid=31788066&sp_eh=577a94ae55b9b9c106e776e684a2413f8c4dac061fc5b814c054be9e822698d9&s=949606000&lid=79146&elqTrackId=2AD273F3E5AB3555FA7D5FA11122C7C2&elq=a46790e54bbc42d2b0adbc4e6533814e&elqaid=27591&elqat=1", "24-70mm.camera", "dropboxpayments.com", "http://r3.i.lencr.org/ | r3.i.lencr.org | c.lencr.org | x1.c.lencr.org", "http://xred.mooo.com", "https://sexgalaxy.net/tag/rodneymoore/", "http://alive.overit.com/~schoolbu/badmood3.exe", "jimgaffigan.com" ], "public": 1, "adversary": "", "targeted_countries": [ "United Kingdom of Great Britain and Northern Ireland", "United States of America", "Netherlands", "Germany", "France" ], "malware_families": [ { "id": "Adware Affiliate", "display_name": "Adware Affiliate", "target": null }, { "id": "AZORult CnC", "display_name": "AZORult CnC", "target": null }, { "id": "Possible", "display_name": "Possible", "target": null }, { "id": "VirTool", "display_name": "VirTool", "target": null } ], "attack_ids": [ { "id": "T1566", "name": "Phishing", "display_name": "T1566 - Phishing" }, { "id": "T1031", "name": "Modify Existing Service", "display_name": "T1031 - Modify Existing Service" }, { "id": "T1040", "name": "Network Sniffing", "display_name": "T1040 - Network Sniffing" }, { "id": "T1053", "name": "Scheduled Task/Job", "display_name": "T1053 - Scheduled Task/Job" }, { "id": "T1060", "name": "Registry Run Keys / Startup Folder", "display_name": "T1060 - Registry Run Keys / Startup Folder" }, { "id": "T1129", "name": "Shared Modules", "display_name": "T1129 - Shared Modules" }, { "id": "T1158", "name": "Hidden Files and Directories", "display_name": "T1158 - Hidden Files and Directories" } ], "industries": [], "TLP": "white", "cloned_from": null, "export_count": 8134, "upvotes_count": 0, "downvotes_count": 0, "votes_count": 0, "locked": false, "pulse_source": "web", "validator_count": 0, "comment_count": 0, "follower_count": 0, "vote": 0, "author": { "username": "OctoSeek", "id": "243548", "avatar_url": "/otxapi/users/avatar_image/media/avatars/user_243548/resized/80/avatar_3b9c358f36.png", "is_subscribed": false, "is_following": false }, "indicator_type_counts": { "FileHash-MD5": 737, "FileHash-SHA1": 692, "FileHash-SHA256": 7488, "URL": 6694, "domain": 5247, "hostname": 2932, "email": 49, "CVE": 2, "SSLCertFingerprint": 1 }, "indicator_count": 23842, "is_author": false, "is_subscribing": null, "subscriber_count": 225, "modified_text": "776 days ago ", "is_modified": true, "groups": [], "in_group": false, "threat_hunter_scannable": true, "threat_hunter_has_agents": 1, "related_indicator_type": "URL", "related_indicator_is_active": 1 } ], "error": null, "vt": { "error": "VirusTotal rate limit reached. Try again shortly.", "indicator": "https://gabek.dev", "type": "URL" }, "abuseipdb": null, "urlhaus": { "indicator": "https://gabek.dev", "type": "URL", "found": false, "verdict": "clean", "error": null }, "from_cache": true, "_cached_at": 1776638446.3030837 }