{ "type": "URL", "indicator": "https://ghps.steam302.xyz", "general": { "sections": [ "general", "url_list", "http_scans", "screenshot" ], "indicator": "https://ghps.steam302.xyz", "type": "url", "type_title": "URL", "validation": [], "base_indicator": { "id": 4156794853, "indicator": "https://ghps.steam302.xyz", "type": "URL", "title": "", "description": "", "content": "", "access_type": "public", "access_reason": "" }, "pulse_info": { "count": 4, "pulses": [ { "id": "693148dc0eb85adc8edfe1a2", "name": "BeeLineRouter.Net \u2022 Isolated / Apple Baxkdoor", "description": "", "modified": "2026-01-03T07:00:45.529000", "created": "2025-12-04T08:39:56.180000", "tags": [ "mitre att", "network traffic", "ck id", "show technique", "ck matrix", "threat score", "december", "default browser", "guest system", "united", "dynadot inc", "name server", "contacted hosts", "process details", "windir", "openurl c", "prefetch2", "learn", "name tactics", "suspicious", "informative", "adversaries", "command", "spawns", "access att", "t1566 phishing", "ascii text", "pattern match", "show process", "t1071", "general", "local", "path", "click", "beelinerouter", "access", "router", "apple", "regopenkeyexw", "regsz", "process32nextw", "english", "post http", "search", "observed dns", "query", "sinkhole cookie", "malware", "possible", "win32", "updater", "write", "next", "found", "ip address", "domain", "name servers", "unknown ns", "ip whois", "registrar", "cloudflare", "title", "passive dns", "urls", "files", "location united", "asn as14618", "bq dec", "virtool", "backdoor", "checkin", "ipv4 add", "trojan", "dynamicloader", "msie", "windows nt", "slcc2", "media center", "unknown", "show", "internal", "encrypt", "veailmboprd", "dns query", "wow64", "gecko http", "entries", "medium", "ransom", "khtml", "gecko", "delete", "installer", "win32cve may", "america flag", "overview ip", "asn as20940", "expiration", "url https", "no expiration", "url http", "pulse show", "type indicator", "role title", "related pulses", "record value", "domain xn" ], "references": [ "HTTPS://BeeLineRouter.Net", "eta-apple.com \u2022 006.ts.apple.com \u2022 012.ts.apple.com", "https://appleid.xn--appe-70a.com/", "https://hybrid-analysis.com/sample/87ee92129f42f32417ae21cab1a2bc98adc48ee692a20e1ab3c5277d67dd12e5/69312056ce09855ecd0e3069", "https://wallpapers-nature.com/tsara-brashears/urlscan-io", "http://www.anyxxxtube.net/search-porn/tsara-brashears-denies-jeffrey-scott-reimer-sex", "http://www.anyxxxtube.net/search-porn/tsara-brashears/", "https://www.sweetheartvideo.com/tsara-brashears", "https://www.pornhub.com/gifs/search?search=tsara+lynn+brashears+lesbian", "http://vgt.pl/r.n%20-", "8-25-220-162-static.reverse.queryfoundry.net", "queryfoundry.net", "http://81-26-68-38-static.reverse.queryfoundry.net/", "http://117-114-251-162-static.reverse.queryfoundry.net/", "http://81-26-68-38-static.reverse.queryfoundry.net/", "http://68-178-128-104-static.reverse.queryfoundry.net/", "0-209-98-172-static.reverse.queryfoundry.net", "154-143-182-107-static.reverse.queryfoundry.net", "http://51-235-245-104-static.reverse.queryfoundry.net/", "167-16-68-38-static.reverse.queryfoundry.net", "http://49-116-251-162-static.reverse.queryfoundry./net/", "177-231-69-38-static.reverse.queryfoundry.net", "http://36-243-60-103-static.reverse.queryfoundry.net/", "http://237-189-251-104-static.reverse.queryfoundry.net/", "http://227-98-248-162-static.reverse.queryfoundry.net/", "237-189-251-104-static.reverse.queryfoundry.net", "http://207-214-98-172-static.reverse.queryfoundry.net/", "181-135-182-107-static.reverse.queryfoundry.net", "http://201-191-251-104-static.reverse.queryfoundry.net/", "67-228-69-38-static.reverse.queryfoundry.net", "http://0-209-98-172-static.reverse.queryfoundry.net/", "http://10-241-60-103-static.reverse.queryfoundry.net/", "http://142-232-245-104-static.reverse.queryfoundry.net/", "http://154-143-182-107-static.reverse.queryfoundry.net/", "http://167-16-68-38-static.reverse.queryfoundry.net/", "http://177-231-69-38-static.reverse.queryfoundry.net/", "http://181-135-182-107-static.reverse.queryfoundry.net/", "http://195-214-98-172-static.reverse.queryfoundry.net/" ], "public": 1, "adversary": "", "targeted_countries": [ "United States of America" ], "malware_families": [ { "id": "Simda", "display_name": "Simda", "target": null }, { "id": "MyDoom", "display_name": "MyDoom", "target": null }, { "id": "GandCrab Ransomware", "display_name": "GandCrab Ransomware", "target": null }, { "id": "Win.Virus.Expiro", "display_name": "Win.Virus.Expiro", "target": null }, { "id": "Other Malware", "display_name": "Other Malware", "target": null }, { "id": "#VirTool:Win32/Obfuscator.ADB", "display_name": "#VirTool:Win32/Obfuscator.ADB", "target": "/malware/#VirTool:Win32/Obfuscator.ADB" } ], "attack_ids": [ { "id": "T1204", "name": "User Execution", "display_name": "T1204 - User Execution" }, { "id": "T1566", "name": "Phishing", "display_name": "T1566 - Phishing" }, { "id": "T1027", "name": "Obfuscated Files or Information", "display_name": "T1027 - Obfuscated Files or Information" }, { "id": "T1057", "name": "Process Discovery", "display_name": "T1057 - Process Discovery" }, { "id": "T1069", "name": "Permission Groups Discovery", "display_name": "T1069 - Permission Groups Discovery" }, { "id": "T1071", "name": "Application Layer Protocol", "display_name": "T1071 - Application Layer Protocol" }, { "id": "T1105", "name": "Ingress Tool Transfer", "display_name": "T1105 - Ingress Tool Transfer" }, { "id": "T1480", "name": "Execution Guardrails", "display_name": "T1480 - Execution Guardrails" }, { "id": "T1113", "name": "Screen Capture", "display_name": "T1113 - Screen Capture" }, { "id": "T1012", "name": "Query Registry", "display_name": "T1012 - Query Registry" }, { "id": "T1045", "name": "Software Packing", "display_name": "T1045 - Software Packing" }, { "id": "T1082", "name": "System Information Discovery", "display_name": "T1082 - System Information Discovery" }, { "id": "T1119", "name": "Automated Collection", "display_name": "T1119 - Automated Collection" }, { "id": "T1055", "name": "Process Injection", "display_name": "T1055 - Process Injection" }, { "id": "T1060", "name": "Registry Run Keys / Startup Folder", "display_name": "T1060 - Registry Run Keys / Startup Folder" }, { "id": "T1063", "name": "Security Software Discovery", "display_name": "T1063 - Security Software Discovery" }, { "id": "T1053", "name": "Scheduled Task/Job", "display_name": "T1053 - Scheduled Task/Job" }, { "id": "T1129", "name": "Shared Modules", "display_name": "T1129 - Shared Modules" } ], "industries": [], "TLP": "white", "cloned_from": null, "export_count": 3, "upvotes_count": 0, "downvotes_count": 0, "votes_count": 0, "locked": false, "pulse_source": "web", "validator_count": 0, "comment_count": 0, "follower_count": 0, "vote": 0, "author": { "username": "Q.Vashti", "id": "337942", "avatar_url": "https://otx.alienvault.com/assets/images/default-avatar.png", "is_subscribed": false, "is_following": false }, "indicator_type_counts": { "domain": 1049, "URL": 5839, "hostname": 1944, "FileHash-SHA256": 3634, "FileHash-MD5": 310, "FileHash-SHA1": 295, "CVE": 2, "email": 15, "SSLCertFingerprint": 2 }, "indicator_count": 13090, "is_author": false, "is_subscribing": null, "subscriber_count": 143, "modified_text": "106 days ago ", "is_modified": true, "groups": [], "in_group": false, "threat_hunter_scannable": true, "threat_hunter_has_agents": 1, "related_indicator_type": "URL", "related_indicator_is_active": 1 }, { "id": "69314920e287845f6b36a265", "name": "BeeLineRouter.Net \u2022 Apple Access", "description": "", "modified": "2026-01-03T07:00:45.529000", "created": "2025-12-04T08:41:04.190000", "tags": [ "mitre att", "network traffic", "ck id", "show technique", "ck matrix", "threat score", "december", "default browser", "guest system", "united", "dynadot inc", "name server", "contacted hosts", "process details", "windir", "openurl c", "prefetch2", "learn", "name tactics", "suspicious", "informative", "adversaries", "command", "spawns", "access att", "t1566 phishing", "ascii text", "pattern match", "show process", "t1071", "general", "local", "path", "click", "beelinerouter", "access", "router", "apple", "regopenkeyexw", "regsz", "process32nextw", "english", "post http", "search", "observed dns", "query", "sinkhole cookie", "malware", "possible", "win32", "updater", "write", "next", "found", "ip address", "domain", "name servers", "unknown ns", "ip whois", "registrar", "cloudflare", "title", "passive dns", "urls", "files", "location united", "asn as14618", "bq dec", "virtool", "backdoor", "checkin", "ipv4 add", "trojan", "dynamicloader", "msie", "windows nt", "slcc2", "media center", "unknown", "show", "internal", "encrypt", "veailmboprd", "dns query", "wow64", "gecko http", "entries", "medium", "ransom", "khtml", "gecko", "delete", "installer", "win32cve may", "america flag", "overview ip", "asn as20940", "expiration", "url https", "no expiration", "url http", "pulse show", "type indicator", "role title", "related pulses", "record value", "domain xn" ], "references": [ "HTTPS://BeeLineRouter.Net", "eta-apple.com \u2022 006.ts.apple.com \u2022 012.ts.apple.com", "https://appleid.xn--appe-70a.com/", "https://hybrid-analysis.com/sample/87ee92129f42f32417ae21cab1a2bc98adc48ee692a20e1ab3c5277d67dd12e5/69312056ce09855ecd0e3069", "https://wallpapers-nature.com/tsara-brashears/urlscan-io", "http://www.anyxxxtube.net/search-porn/tsara-brashears-denies-jeffrey-scott-reimer-sex", "http://www.anyxxxtube.net/search-porn/tsara-brashears/", "https://www.sweetheartvideo.com/tsara-brashears", "https://www.pornhub.com/gifs/search?search=tsara+lynn+brashears+lesbian", "http://vgt.pl/r.n%20-", "8-25-220-162-static.reverse.queryfoundry.net", "queryfoundry.net", "http://81-26-68-38-static.reverse.queryfoundry.net/", "http://117-114-251-162-static.reverse.queryfoundry.net/", "http://81-26-68-38-static.reverse.queryfoundry.net/", "http://68-178-128-104-static.reverse.queryfoundry.net/", "0-209-98-172-static.reverse.queryfoundry.net", "154-143-182-107-static.reverse.queryfoundry.net", "http://51-235-245-104-static.reverse.queryfoundry.net/", "167-16-68-38-static.reverse.queryfoundry.net", "http://49-116-251-162-static.reverse.queryfoundry./net/", "177-231-69-38-static.reverse.queryfoundry.net", "http://36-243-60-103-static.reverse.queryfoundry.net/", "http://237-189-251-104-static.reverse.queryfoundry.net/", "http://227-98-248-162-static.reverse.queryfoundry.net/", "237-189-251-104-static.reverse.queryfoundry.net", "http://207-214-98-172-static.reverse.queryfoundry.net/", "181-135-182-107-static.reverse.queryfoundry.net", "http://201-191-251-104-static.reverse.queryfoundry.net/", "67-228-69-38-static.reverse.queryfoundry.net", "http://0-209-98-172-static.reverse.queryfoundry.net/", "http://10-241-60-103-static.reverse.queryfoundry.net/", "http://142-232-245-104-static.reverse.queryfoundry.net/", "http://154-143-182-107-static.reverse.queryfoundry.net/", "http://167-16-68-38-static.reverse.queryfoundry.net/", "http://177-231-69-38-static.reverse.queryfoundry.net/", "http://181-135-182-107-static.reverse.queryfoundry.net/", "http://195-214-98-172-static.reverse.queryfoundry.net/" ], "public": 1, "adversary": "", "targeted_countries": [ "United States of America" ], "malware_families": [ { "id": "Simda", "display_name": "Simda", "target": null }, { "id": "MyDoom", "display_name": "MyDoom", "target": null }, { "id": "GandCrab Ransomware", "display_name": "GandCrab Ransomware", "target": null }, { "id": "Win.Virus.Expiro", "display_name": "Win.Virus.Expiro", "target": null }, { "id": "Other Malware", "display_name": "Other Malware", "target": null }, { "id": "#VirTool:Win32/Obfuscator.ADB", "display_name": "#VirTool:Win32/Obfuscator.ADB", "target": "/malware/#VirTool:Win32/Obfuscator.ADB" } ], "attack_ids": [ { "id": "T1204", "name": "User Execution", "display_name": "T1204 - User Execution" }, { "id": "T1566", "name": "Phishing", "display_name": "T1566 - Phishing" }, { "id": "T1027", "name": "Obfuscated Files or Information", "display_name": "T1027 - Obfuscated Files or Information" }, { "id": "T1057", "name": "Process Discovery", "display_name": "T1057 - Process Discovery" }, { "id": "T1069", "name": "Permission Groups Discovery", "display_name": "T1069 - Permission Groups Discovery" }, { "id": "T1071", "name": "Application Layer Protocol", "display_name": "T1071 - Application Layer Protocol" }, { "id": "T1105", "name": "Ingress Tool Transfer", "display_name": "T1105 - Ingress Tool Transfer" }, { "id": "T1480", "name": "Execution Guardrails", "display_name": "T1480 - Execution Guardrails" }, { "id": "T1113", "name": "Screen Capture", "display_name": "T1113 - Screen Capture" }, { "id": "T1012", "name": "Query Registry", "display_name": "T1012 - Query Registry" }, { "id": "T1045", "name": "Software Packing", "display_name": "T1045 - Software Packing" }, { "id": "T1082", "name": "System Information Discovery", "display_name": "T1082 - System Information Discovery" }, { "id": "T1119", "name": "Automated Collection", "display_name": "T1119 - Automated Collection" }, { "id": "T1055", "name": "Process Injection", "display_name": "T1055 - Process Injection" }, { "id": "T1060", "name": "Registry Run Keys / Startup Folder", "display_name": "T1060 - Registry Run Keys / Startup Folder" }, { "id": "T1063", "name": "Security Software Discovery", "display_name": "T1063 - Security Software Discovery" }, { "id": "T1053", "name": "Scheduled Task/Job", "display_name": "T1053 - Scheduled Task/Job" }, { "id": "T1129", "name": "Shared Modules", "display_name": "T1129 - Shared Modules" } ], "industries": [], "TLP": "white", "cloned_from": null, "export_count": 3, "upvotes_count": 0, "downvotes_count": 0, "votes_count": 0, "locked": false, "pulse_source": "web", "validator_count": 0, "comment_count": 0, "follower_count": 0, "vote": 0, "author": { "username": "Q.Vashti", "id": "337942", "avatar_url": "https://otx.alienvault.com/assets/images/default-avatar.png", "is_subscribed": false, "is_following": false }, "indicator_type_counts": { "FileHash-MD5": 310, "FileHash-SHA1": 295, "FileHash-SHA256": 3634, "URL": 5839, "CVE": 2, "domain": 1048, "email": 15, "hostname": 1944, "SSLCertFingerprint": 2 }, "indicator_count": 13089, "is_author": false, "is_subscribing": null, "subscriber_count": 145, "modified_text": "106 days ago ", "is_modified": true, "groups": [], "in_group": false, "threat_hunter_scannable": true, "threat_hunter_has_agents": 1, "related_indicator_type": "URL", "related_indicator_is_active": 1 }, { "id": "69314926519256e3ef0a9358", "name": "BeeLineRouter.Net \u2022 Apple Access", "description": "", "modified": "2026-01-03T07:00:45.529000", "created": "2025-12-04T08:41:06.657000", "tags": [ "mitre att", "network traffic", "ck id", "show technique", "ck matrix", "threat score", "december", "default browser", "guest system", "united", "dynadot inc", "name server", "contacted hosts", "process details", "windir", "openurl c", "prefetch2", "learn", "name tactics", "suspicious", "informative", "adversaries", "command", "spawns", "access att", "t1566 phishing", "ascii text", "pattern match", "show process", "t1071", "general", "local", "path", "click", "beelinerouter", "access", "router", "apple", "regopenkeyexw", "regsz", "process32nextw", "english", "post http", "search", "observed dns", "query", "sinkhole cookie", "malware", "possible", "win32", "updater", "write", "next", "found", "ip address", "domain", "name servers", "unknown ns", "ip whois", "registrar", "cloudflare", "title", "passive dns", "urls", "files", "location united", "asn as14618", "bq dec", "virtool", "backdoor", "checkin", "ipv4 add", "trojan", "dynamicloader", "msie", "windows nt", "slcc2", "media center", "unknown", "show", "internal", "encrypt", "veailmboprd", "dns query", "wow64", "gecko http", "entries", "medium", "ransom", "khtml", "gecko", "delete", "installer", "win32cve may", "america flag", "overview ip", "asn as20940", "expiration", "url https", "no expiration", "url http", "pulse show", "type indicator", "role title", "related pulses", "record value", "domain xn" ], "references": [ "HTTPS://BeeLineRouter.Net", "eta-apple.com \u2022 006.ts.apple.com \u2022 012.ts.apple.com", "https://appleid.xn--appe-70a.com/", "https://hybrid-analysis.com/sample/87ee92129f42f32417ae21cab1a2bc98adc48ee692a20e1ab3c5277d67dd12e5/69312056ce09855ecd0e3069", "https://wallpapers-nature.com/tsara-brashears/urlscan-io", "http://www.anyxxxtube.net/search-porn/tsara-brashears-denies-jeffrey-scott-reimer-sex", "http://www.anyxxxtube.net/search-porn/tsara-brashears/", "https://www.sweetheartvideo.com/tsara-brashears", "https://www.pornhub.com/gifs/search?search=tsara+lynn+brashears+lesbian", "http://vgt.pl/r.n%20-", "8-25-220-162-static.reverse.queryfoundry.net", "queryfoundry.net", "http://81-26-68-38-static.reverse.queryfoundry.net/", "http://117-114-251-162-static.reverse.queryfoundry.net/", "http://81-26-68-38-static.reverse.queryfoundry.net/", "http://68-178-128-104-static.reverse.queryfoundry.net/", "0-209-98-172-static.reverse.queryfoundry.net", "154-143-182-107-static.reverse.queryfoundry.net", "http://51-235-245-104-static.reverse.queryfoundry.net/", "167-16-68-38-static.reverse.queryfoundry.net", "http://49-116-251-162-static.reverse.queryfoundry./net/", "177-231-69-38-static.reverse.queryfoundry.net", "http://36-243-60-103-static.reverse.queryfoundry.net/", "http://237-189-251-104-static.reverse.queryfoundry.net/", "http://227-98-248-162-static.reverse.queryfoundry.net/", "237-189-251-104-static.reverse.queryfoundry.net", "http://207-214-98-172-static.reverse.queryfoundry.net/", "181-135-182-107-static.reverse.queryfoundry.net", "http://201-191-251-104-static.reverse.queryfoundry.net/", "67-228-69-38-static.reverse.queryfoundry.net", "http://0-209-98-172-static.reverse.queryfoundry.net/", "http://10-241-60-103-static.reverse.queryfoundry.net/", "http://142-232-245-104-static.reverse.queryfoundry.net/", "http://154-143-182-107-static.reverse.queryfoundry.net/", "http://167-16-68-38-static.reverse.queryfoundry.net/", "http://177-231-69-38-static.reverse.queryfoundry.net/", "http://181-135-182-107-static.reverse.queryfoundry.net/", "http://195-214-98-172-static.reverse.queryfoundry.net/" ], "public": 1, "adversary": "", "targeted_countries": [ "United States of America" ], "malware_families": [ { "id": "Simda", "display_name": "Simda", "target": null }, { "id": "MyDoom", "display_name": "MyDoom", "target": null }, { "id": "GandCrab Ransomware", "display_name": "GandCrab Ransomware", "target": null }, { "id": "Win.Virus.Expiro", "display_name": "Win.Virus.Expiro", "target": null }, { "id": "Other Malware", "display_name": "Other Malware", "target": null }, { "id": "#VirTool:Win32/Obfuscator.ADB", "display_name": "#VirTool:Win32/Obfuscator.ADB", "target": "/malware/#VirTool:Win32/Obfuscator.ADB" } ], "attack_ids": [ { "id": "T1204", "name": "User Execution", "display_name": "T1204 - User Execution" }, { "id": "T1566", "name": "Phishing", "display_name": "T1566 - Phishing" }, { "id": "T1027", "name": "Obfuscated Files or Information", "display_name": "T1027 - Obfuscated Files or Information" }, { "id": "T1057", "name": "Process Discovery", "display_name": "T1057 - Process Discovery" }, { "id": "T1069", "name": "Permission Groups Discovery", "display_name": "T1069 - Permission Groups Discovery" }, { "id": "T1071", "name": "Application Layer Protocol", "display_name": "T1071 - Application Layer Protocol" }, { "id": "T1105", "name": "Ingress Tool Transfer", "display_name": "T1105 - Ingress Tool Transfer" }, { "id": "T1480", "name": "Execution Guardrails", "display_name": "T1480 - Execution Guardrails" }, { "id": "T1113", "name": "Screen Capture", "display_name": "T1113 - Screen Capture" }, { "id": "T1012", "name": "Query Registry", "display_name": "T1012 - Query Registry" }, { "id": "T1045", "name": "Software Packing", "display_name": "T1045 - Software Packing" }, { "id": "T1082", "name": "System Information Discovery", "display_name": "T1082 - System Information Discovery" }, { "id": "T1119", "name": "Automated Collection", "display_name": "T1119 - Automated Collection" }, { "id": "T1055", "name": "Process Injection", "display_name": "T1055 - Process Injection" }, { "id": "T1060", "name": "Registry Run Keys / Startup Folder", "display_name": "T1060 - Registry Run Keys / Startup Folder" }, { "id": "T1063", "name": "Security Software Discovery", "display_name": "T1063 - Security Software Discovery" }, { "id": "T1053", "name": "Scheduled Task/Job", "display_name": "T1053 - Scheduled Task/Job" }, { "id": "T1129", "name": "Shared Modules", "display_name": "T1129 - Shared Modules" } ], "industries": [], "TLP": "white", "cloned_from": null, "export_count": 6, "upvotes_count": 0, "downvotes_count": 0, "votes_count": 0, "locked": false, "pulse_source": "web", "validator_count": 0, "comment_count": 0, "follower_count": 0, "vote": 0, "author": { "username": "Q.Vashti", "id": "337942", "avatar_url": "https://otx.alienvault.com/assets/images/default-avatar.png", "is_subscribed": false, "is_following": false }, "indicator_type_counts": { "FileHash-MD5": 310, "FileHash-SHA1": 295, "FileHash-SHA256": 3634, "URL": 5839, "CVE": 2, "domain": 1048, "email": 15, "hostname": 1944, "SSLCertFingerprint": 2 }, "indicator_count": 13089, "is_author": false, "is_subscribing": null, "subscriber_count": 146, "modified_text": "106 days ago ", "is_modified": true, "groups": [], "in_group": false, "threat_hunter_scannable": true, "threat_hunter_has_agents": 1, "related_indicator_type": "URL", "related_indicator_is_active": 1 }, { "id": "692f04e9fa3d782118e94aac", "name": "LevelBlue - Open Threat Exchange - Delete AppDeployed", "description": "I\u2019m not sure what to think. |\ndeploy-delete-app-us-east-2-1.deploy-delete-test-us-east-2-1mtsufd.us-east-2.gamma.forgeapps.ec2.aws.dev | Are these\npulses being sold or attacked? Christopher P. Ahmann of TAM Legal and his other firms has ALWAYS attacked targets phones and networks. Nothing is too outrageous for this maniac.\n\nHe is responsible for the recent attacks on devices , clouds , google accounts and a flurry of threats. Indicators in recently pulsed reports have been removed. I\u2019ve done my best to restore. \n\nI am also concerned about the safety or legitimacy of this platform.\n\nNo one is ever alerted. Simply calling someone and telling them about the compromises can equate to a big pay day for Level Blue and nothing for the victims of attacks. I need my pulses restored. \n\nIt\u2019s plausible to believe OTX was attacked by an external threat actor.\nAnything is possible when it comes to money.", "modified": "2026-01-01T15:04:20.907000", "created": "2025-12-02T15:25:29.158000", "tags": [ "levelblue", "open threat", "dynamicloader", "tlsv1", "high", "msie", "windows nt", "delete c", "fwlink", "stream", "powershell", "write", "malware", "local", "united", "flag", "date", "server", "crazy egg", "name server", "gmt flag", "domain address", "markmonitor", "enom", "sugges", "onv incude", "data upload", "find s", "extraction", "types", "type", "indicator", "click", "windir", "openurl c", "prefetch2", "analysis", "tor analysis", "dns requests", "contacted hosts", "search", "entries", "read c", "medium", "memcommit", "tls handshake", "failure", "module load", "next", "execution", "dock", "capture", "persistence", "copy", "unknown", "suricata alert", "et info", "bad traffic", "learn", "command", "ck id", "name tactics", "suspicious", "informative", "adversaries", "spawns", "t1480 execution", "file defense", "write c", "x02x82", "xe6x15c6", "x16f", "xc0xc0xc0", "revengerat", "guard", "service", "encrypt", "entries yara", "delphi", "win32", "jordan", "delete app" ], "references": [ "https://otx.alienvault.com/indicator/domain/Tamlegal.com", "DotNET_Reactor System.Security.Cryptography.AesCryptoServiceProvider System.Security.Cryptography System.Security.Cryptography ICryptoTransform Eziriz", "endgames.com \u2022 endgames.us \u2022 endgamesystems.com \u2022 http://www.onyx-ware.com/lander", "deploy-delete-app-us-east-2-1.deploy-delete-test-us-east-2-1mtsufd.us-east-2.gamma.forgeapps.ec2.aws.dev" ], "public": 1, "adversary": "", "targeted_countries": [ "United States of America" ], "malware_families": [ { "id": "Win.Malware.Vmprotect-9880726-0", "display_name": "Win.Malware.Vmprotect-9880726-0", "target": null }, { "id": "Other Malware", "display_name": "Other Malware", "target": null } ], "attack_ids": [ { "id": "T1053", "name": "Scheduled Task/Job", "display_name": "T1053 - Scheduled Task/Job" }, { "id": "T1055", "name": "Process Injection", "display_name": "T1055 - Process Injection" }, { "id": "T1056", "name": "Input Capture", "display_name": "T1056 - Input Capture" }, { "id": "T1071", "name": "Application Layer Protocol", "display_name": "T1071 - Application Layer Protocol" }, { "id": "T1082", "name": "System Information Discovery", "display_name": "T1082 - System Information Discovery" }, { "id": "T1112", "name": "Modify Registry", "display_name": "T1112 - Modify Registry" }, { "id": "T1119", "name": "Automated Collection", "display_name": "T1119 - Automated Collection" }, { "id": "T1129", "name": "Shared Modules", "display_name": "T1129 - Shared Modules" }, { "id": "T1143", "name": "Hidden Window", "display_name": "T1143 - Hidden Window" }, { "id": "T1134", "name": "Access Token Manipulation", "display_name": "T1134 - Access Token Manipulation" }, { "id": "T1027", "name": "Obfuscated Files or Information", "display_name": "T1027 - Obfuscated Files or Information" }, { "id": "T1057", "name": "Process Discovery", "display_name": "T1057 - Process Discovery" }, { "id": "T1069", "name": "Permission Groups Discovery", "display_name": "T1069 - Permission Groups Discovery" }, { "id": "T1105", "name": "Ingress Tool Transfer", "display_name": "T1105 - Ingress Tool Transfer" }, { "id": "T1480", "name": "Execution Guardrails", "display_name": "T1480 - Execution Guardrails" }, { "id": "T1147", "name": "Hidden Users", "display_name": "T1147 - Hidden Users" } ], "industries": [ "Technology", "Legal" ], "TLP": "white", "cloned_from": null, "export_count": 5, "upvotes_count": 0, "downvotes_count": 0, "votes_count": 0, "locked": false, "pulse_source": "web", "validator_count": 0, "comment_count": 0, "follower_count": 0, "vote": 0, "author": { "username": "Q.Vashti", "id": "337942", "avatar_url": "https://otx.alienvault.com/assets/images/default-avatar.png", "is_subscribed": false, "is_following": false }, "indicator_type_counts": { "URL": 4624, "FileHash-SHA256": 2021, "FileHash-MD5": 51, "FileHash-SHA1": 20, "SSLCertFingerprint": 10, "hostname": 1433, "domain": 728 }, "indicator_count": 8887, "is_author": false, "is_subscribing": null, "subscriber_count": 140, "modified_text": "107 days ago ", "is_modified": true, "groups": [], "in_group": false, "threat_hunter_scannable": true, "threat_hunter_has_agents": 1, "related_indicator_type": "URL", "related_indicator_is_active": 1 } ], "references": [ "http://142-232-245-104-static.reverse.queryfoundry.net/", "deploy-delete-app-us-east-2-1.deploy-delete-test-us-east-2-1mtsufd.us-east-2.gamma.forgeapps.ec2.aws.dev", "https://appleid.xn--appe-70a.com/", "http://201-191-251-104-static.reverse.queryfoundry.net/", "http://117-114-251-162-static.reverse.queryfoundry.net/", "http://177-231-69-38-static.reverse.queryfoundry.net/", "8-25-220-162-static.reverse.queryfoundry.net", "177-231-69-38-static.reverse.queryfoundry.net", "181-135-182-107-static.reverse.queryfoundry.net", "http://154-143-182-107-static.reverse.queryfoundry.net/", "http://49-116-251-162-static.reverse.queryfoundry./net/", "http://vgt.pl/r.n%20-", "https://wallpapers-nature.com/tsara-brashears/urlscan-io", "http://237-189-251-104-static.reverse.queryfoundry.net/", "http://10-241-60-103-static.reverse.queryfoundry.net/", "67-228-69-38-static.reverse.queryfoundry.net", "167-16-68-38-static.reverse.queryfoundry.net", "https://www.pornhub.com/gifs/search?search=tsara+lynn+brashears+lesbian", "237-189-251-104-static.reverse.queryfoundry.net", "http://207-214-98-172-static.reverse.queryfoundry.net/", "http://36-243-60-103-static.reverse.queryfoundry.net/", "154-143-182-107-static.reverse.queryfoundry.net", "http://167-16-68-38-static.reverse.queryfoundry.net/", "http://68-178-128-104-static.reverse.queryfoundry.net/", "https://www.sweetheartvideo.com/tsara-brashears", "queryfoundry.net", "http://0-209-98-172-static.reverse.queryfoundry.net/", "https://otx.alienvault.com/indicator/domain/Tamlegal.com", "http://195-214-98-172-static.reverse.queryfoundry.net/", "endgames.com \u2022 endgames.us \u2022 endgamesystems.com \u2022 http://www.onyx-ware.com/lander", "http://www.anyxxxtube.net/search-porn/tsara-brashears/", "0-209-98-172-static.reverse.queryfoundry.net", "http://51-235-245-104-static.reverse.queryfoundry.net/", "eta-apple.com \u2022 006.ts.apple.com \u2022 012.ts.apple.com", "https://hybrid-analysis.com/sample/87ee92129f42f32417ae21cab1a2bc98adc48ee692a20e1ab3c5277d67dd12e5/69312056ce09855ecd0e3069", "HTTPS://BeeLineRouter.Net", "DotNET_Reactor System.Security.Cryptography.AesCryptoServiceProvider System.Security.Cryptography System.Security.Cryptography ICryptoTransform Eziriz", "http://www.anyxxxtube.net/search-porn/tsara-brashears-denies-jeffrey-scott-reimer-sex", "http://81-26-68-38-static.reverse.queryfoundry.net/", "http://181-135-182-107-static.reverse.queryfoundry.net/", "http://227-98-248-162-static.reverse.queryfoundry.net/" ], "related": { "alienvault": { "adversary": [], "malware_families": [], "industries": [], "unique_indicators": 0 }, "other": { "adversary": [], "malware_families": [ "Other malware", "Mydoom", "Win.virus.expiro", "Simda", "Gandcrab ransomware", "Win.malware.vmprotect-9880726-0", "#virtool:win32/obfuscator.adb" ], "industries": [ "Legal", "Technology" ], "unique_indicators": 21905 } } }, "false_positive": [], "alexa": "http://www.alexa.com/siteinfo/steam302.xyz", "whois": "http://whois.domaintools.com/steam302.xyz", "domain": "steam302.xyz", "hostname": "ghps.steam302.xyz" }, "geo": {}, "geo_ipapicom": {}, "pulse_count": 4, "pulses": [ { "id": "693148dc0eb85adc8edfe1a2", "name": "BeeLineRouter.Net \u2022 Isolated / Apple Baxkdoor", "description": "", "modified": "2026-01-03T07:00:45.529000", "created": "2025-12-04T08:39:56.180000", "tags": [ "mitre att", "network traffic", "ck id", "show technique", "ck matrix", "threat score", "december", "default browser", "guest system", "united", "dynadot inc", "name server", "contacted hosts", "process details", "windir", "openurl c", "prefetch2", "learn", "name tactics", "suspicious", "informative", "adversaries", "command", "spawns", "access att", "t1566 phishing", "ascii text", "pattern match", "show process", "t1071", "general", "local", "path", "click", "beelinerouter", "access", "router", "apple", "regopenkeyexw", "regsz", "process32nextw", "english", "post http", "search", "observed dns", "query", "sinkhole cookie", "malware", "possible", "win32", "updater", "write", "next", "found", "ip address", "domain", "name servers", "unknown ns", "ip whois", "registrar", "cloudflare", "title", "passive dns", "urls", "files", "location united", "asn as14618", "bq dec", "virtool", "backdoor", "checkin", "ipv4 add", "trojan", "dynamicloader", "msie", "windows nt", "slcc2", "media center", "unknown", "show", "internal", "encrypt", "veailmboprd", "dns query", "wow64", "gecko http", "entries", "medium", "ransom", "khtml", "gecko", "delete", "installer", "win32cve may", "america flag", "overview ip", "asn as20940", "expiration", "url https", "no expiration", "url http", "pulse show", "type indicator", "role title", "related pulses", "record value", "domain xn" ], "references": [ "HTTPS://BeeLineRouter.Net", "eta-apple.com \u2022 006.ts.apple.com \u2022 012.ts.apple.com", "https://appleid.xn--appe-70a.com/", "https://hybrid-analysis.com/sample/87ee92129f42f32417ae21cab1a2bc98adc48ee692a20e1ab3c5277d67dd12e5/69312056ce09855ecd0e3069", "https://wallpapers-nature.com/tsara-brashears/urlscan-io", "http://www.anyxxxtube.net/search-porn/tsara-brashears-denies-jeffrey-scott-reimer-sex", "http://www.anyxxxtube.net/search-porn/tsara-brashears/", "https://www.sweetheartvideo.com/tsara-brashears", "https://www.pornhub.com/gifs/search?search=tsara+lynn+brashears+lesbian", "http://vgt.pl/r.n%20-", "8-25-220-162-static.reverse.queryfoundry.net", "queryfoundry.net", "http://81-26-68-38-static.reverse.queryfoundry.net/", "http://117-114-251-162-static.reverse.queryfoundry.net/", "http://81-26-68-38-static.reverse.queryfoundry.net/", "http://68-178-128-104-static.reverse.queryfoundry.net/", "0-209-98-172-static.reverse.queryfoundry.net", "154-143-182-107-static.reverse.queryfoundry.net", "http://51-235-245-104-static.reverse.queryfoundry.net/", "167-16-68-38-static.reverse.queryfoundry.net", "http://49-116-251-162-static.reverse.queryfoundry./net/", "177-231-69-38-static.reverse.queryfoundry.net", "http://36-243-60-103-static.reverse.queryfoundry.net/", "http://237-189-251-104-static.reverse.queryfoundry.net/", "http://227-98-248-162-static.reverse.queryfoundry.net/", "237-189-251-104-static.reverse.queryfoundry.net", "http://207-214-98-172-static.reverse.queryfoundry.net/", "181-135-182-107-static.reverse.queryfoundry.net", "http://201-191-251-104-static.reverse.queryfoundry.net/", "67-228-69-38-static.reverse.queryfoundry.net", "http://0-209-98-172-static.reverse.queryfoundry.net/", "http://10-241-60-103-static.reverse.queryfoundry.net/", "http://142-232-245-104-static.reverse.queryfoundry.net/", "http://154-143-182-107-static.reverse.queryfoundry.net/", "http://167-16-68-38-static.reverse.queryfoundry.net/", "http://177-231-69-38-static.reverse.queryfoundry.net/", "http://181-135-182-107-static.reverse.queryfoundry.net/", "http://195-214-98-172-static.reverse.queryfoundry.net/" ], "public": 1, "adversary": "", "targeted_countries": [ "United States of America" ], "malware_families": [ { "id": "Simda", "display_name": "Simda", "target": null }, { "id": "MyDoom", "display_name": "MyDoom", "target": null }, { "id": "GandCrab Ransomware", "display_name": "GandCrab Ransomware", "target": null }, { "id": "Win.Virus.Expiro", "display_name": "Win.Virus.Expiro", "target": null }, { "id": "Other Malware", "display_name": "Other Malware", "target": null }, { "id": "#VirTool:Win32/Obfuscator.ADB", "display_name": "#VirTool:Win32/Obfuscator.ADB", "target": "/malware/#VirTool:Win32/Obfuscator.ADB" } ], "attack_ids": [ { "id": "T1204", "name": "User Execution", "display_name": "T1204 - User Execution" }, { "id": "T1566", "name": "Phishing", "display_name": "T1566 - Phishing" }, { "id": "T1027", "name": "Obfuscated Files or Information", "display_name": "T1027 - Obfuscated Files or Information" }, { "id": "T1057", "name": "Process Discovery", "display_name": "T1057 - Process Discovery" }, { "id": "T1069", "name": "Permission Groups Discovery", "display_name": "T1069 - Permission Groups Discovery" }, { "id": "T1071", "name": "Application Layer Protocol", "display_name": "T1071 - Application Layer Protocol" }, { "id": "T1105", "name": "Ingress Tool Transfer", "display_name": "T1105 - Ingress Tool Transfer" }, { "id": "T1480", "name": "Execution Guardrails", "display_name": "T1480 - Execution Guardrails" }, { "id": "T1113", "name": "Screen Capture", "display_name": "T1113 - Screen Capture" }, { "id": "T1012", "name": "Query Registry", "display_name": "T1012 - Query Registry" }, { "id": "T1045", "name": "Software Packing", "display_name": "T1045 - Software Packing" }, { "id": "T1082", "name": "System Information Discovery", "display_name": "T1082 - System Information Discovery" }, { "id": "T1119", "name": "Automated Collection", "display_name": "T1119 - Automated Collection" }, { "id": "T1055", "name": "Process Injection", "display_name": "T1055 - Process Injection" }, { "id": "T1060", "name": "Registry Run Keys / Startup Folder", "display_name": "T1060 - Registry Run Keys / Startup Folder" }, { "id": "T1063", "name": "Security Software Discovery", "display_name": "T1063 - Security Software Discovery" }, { "id": "T1053", "name": "Scheduled Task/Job", "display_name": "T1053 - Scheduled Task/Job" }, { "id": "T1129", "name": "Shared Modules", "display_name": "T1129 - Shared Modules" } ], "industries": [], "TLP": "white", "cloned_from": null, "export_count": 3, "upvotes_count": 0, "downvotes_count": 0, "votes_count": 0, "locked": false, "pulse_source": "web", "validator_count": 0, "comment_count": 0, "follower_count": 0, "vote": 0, "author": { "username": "Q.Vashti", "id": "337942", "avatar_url": "https://otx.alienvault.com/assets/images/default-avatar.png", "is_subscribed": false, "is_following": false }, "indicator_type_counts": { "domain": 1049, "URL": 5839, "hostname": 1944, "FileHash-SHA256": 3634, "FileHash-MD5": 310, "FileHash-SHA1": 295, "CVE": 2, "email": 15, "SSLCertFingerprint": 2 }, "indicator_count": 13090, "is_author": false, "is_subscribing": null, "subscriber_count": 143, "modified_text": "106 days ago ", "is_modified": true, "groups": [], "in_group": false, "threat_hunter_scannable": true, "threat_hunter_has_agents": 1, "related_indicator_type": "URL", "related_indicator_is_active": 1 }, { "id": "69314920e287845f6b36a265", "name": "BeeLineRouter.Net \u2022 Apple Access", "description": "", "modified": "2026-01-03T07:00:45.529000", "created": "2025-12-04T08:41:04.190000", "tags": [ "mitre att", "network traffic", "ck id", "show technique", "ck matrix", "threat score", "december", "default browser", "guest system", "united", "dynadot inc", "name server", "contacted hosts", "process details", "windir", "openurl c", "prefetch2", "learn", "name tactics", "suspicious", "informative", "adversaries", "command", "spawns", "access att", "t1566 phishing", "ascii text", "pattern match", "show process", "t1071", "general", "local", "path", "click", "beelinerouter", "access", "router", "apple", "regopenkeyexw", "regsz", "process32nextw", "english", "post http", "search", "observed dns", "query", "sinkhole cookie", "malware", "possible", "win32", "updater", "write", "next", "found", "ip address", "domain", "name servers", "unknown ns", "ip whois", "registrar", "cloudflare", "title", "passive dns", "urls", "files", "location united", "asn as14618", "bq dec", "virtool", "backdoor", "checkin", "ipv4 add", "trojan", "dynamicloader", "msie", "windows nt", "slcc2", "media center", "unknown", "show", "internal", "encrypt", "veailmboprd", "dns query", "wow64", "gecko http", "entries", "medium", "ransom", "khtml", "gecko", "delete", "installer", "win32cve may", "america flag", "overview ip", "asn as20940", "expiration", "url https", "no expiration", "url http", "pulse show", "type indicator", "role title", "related pulses", "record value", "domain xn" ], "references": [ "HTTPS://BeeLineRouter.Net", "eta-apple.com \u2022 006.ts.apple.com \u2022 012.ts.apple.com", "https://appleid.xn--appe-70a.com/", "https://hybrid-analysis.com/sample/87ee92129f42f32417ae21cab1a2bc98adc48ee692a20e1ab3c5277d67dd12e5/69312056ce09855ecd0e3069", "https://wallpapers-nature.com/tsara-brashears/urlscan-io", "http://www.anyxxxtube.net/search-porn/tsara-brashears-denies-jeffrey-scott-reimer-sex", "http://www.anyxxxtube.net/search-porn/tsara-brashears/", "https://www.sweetheartvideo.com/tsara-brashears", "https://www.pornhub.com/gifs/search?search=tsara+lynn+brashears+lesbian", "http://vgt.pl/r.n%20-", "8-25-220-162-static.reverse.queryfoundry.net", "queryfoundry.net", "http://81-26-68-38-static.reverse.queryfoundry.net/", "http://117-114-251-162-static.reverse.queryfoundry.net/", "http://81-26-68-38-static.reverse.queryfoundry.net/", "http://68-178-128-104-static.reverse.queryfoundry.net/", "0-209-98-172-static.reverse.queryfoundry.net", "154-143-182-107-static.reverse.queryfoundry.net", "http://51-235-245-104-static.reverse.queryfoundry.net/", "167-16-68-38-static.reverse.queryfoundry.net", "http://49-116-251-162-static.reverse.queryfoundry./net/", "177-231-69-38-static.reverse.queryfoundry.net", "http://36-243-60-103-static.reverse.queryfoundry.net/", "http://237-189-251-104-static.reverse.queryfoundry.net/", "http://227-98-248-162-static.reverse.queryfoundry.net/", "237-189-251-104-static.reverse.queryfoundry.net", "http://207-214-98-172-static.reverse.queryfoundry.net/", "181-135-182-107-static.reverse.queryfoundry.net", "http://201-191-251-104-static.reverse.queryfoundry.net/", "67-228-69-38-static.reverse.queryfoundry.net", "http://0-209-98-172-static.reverse.queryfoundry.net/", "http://10-241-60-103-static.reverse.queryfoundry.net/", "http://142-232-245-104-static.reverse.queryfoundry.net/", "http://154-143-182-107-static.reverse.queryfoundry.net/", "http://167-16-68-38-static.reverse.queryfoundry.net/", "http://177-231-69-38-static.reverse.queryfoundry.net/", "http://181-135-182-107-static.reverse.queryfoundry.net/", "http://195-214-98-172-static.reverse.queryfoundry.net/" ], "public": 1, "adversary": "", "targeted_countries": [ "United States of America" ], "malware_families": [ { "id": "Simda", "display_name": "Simda", "target": null }, { "id": "MyDoom", "display_name": "MyDoom", "target": null }, { "id": "GandCrab Ransomware", "display_name": "GandCrab Ransomware", "target": null }, { "id": "Win.Virus.Expiro", "display_name": "Win.Virus.Expiro", "target": null }, { "id": "Other Malware", "display_name": "Other Malware", "target": null }, { "id": "#VirTool:Win32/Obfuscator.ADB", "display_name": "#VirTool:Win32/Obfuscator.ADB", "target": "/malware/#VirTool:Win32/Obfuscator.ADB" } ], "attack_ids": [ { "id": "T1204", "name": "User Execution", "display_name": "T1204 - User Execution" }, { "id": "T1566", "name": "Phishing", "display_name": "T1566 - Phishing" }, { "id": "T1027", "name": "Obfuscated Files or Information", "display_name": "T1027 - Obfuscated Files or Information" }, { "id": "T1057", "name": "Process Discovery", "display_name": "T1057 - Process Discovery" }, { "id": "T1069", "name": "Permission Groups Discovery", "display_name": "T1069 - Permission Groups Discovery" }, { "id": "T1071", "name": "Application Layer Protocol", "display_name": "T1071 - Application Layer Protocol" }, { "id": "T1105", "name": "Ingress Tool Transfer", "display_name": "T1105 - Ingress Tool Transfer" }, { "id": "T1480", "name": "Execution Guardrails", "display_name": "T1480 - Execution Guardrails" }, { "id": "T1113", "name": "Screen Capture", "display_name": "T1113 - Screen Capture" }, { "id": "T1012", "name": "Query Registry", "display_name": "T1012 - Query Registry" }, { "id": "T1045", "name": "Software Packing", "display_name": "T1045 - Software Packing" }, { "id": "T1082", "name": "System Information Discovery", "display_name": "T1082 - System Information Discovery" }, { "id": "T1119", "name": "Automated Collection", "display_name": "T1119 - Automated Collection" }, { "id": "T1055", "name": "Process Injection", "display_name": "T1055 - Process Injection" }, { "id": "T1060", "name": "Registry Run Keys / Startup Folder", "display_name": "T1060 - Registry Run Keys / Startup Folder" }, { "id": "T1063", "name": "Security Software Discovery", "display_name": "T1063 - Security Software Discovery" }, { "id": "T1053", "name": "Scheduled Task/Job", "display_name": "T1053 - Scheduled Task/Job" }, { "id": "T1129", "name": "Shared Modules", "display_name": "T1129 - Shared Modules" } ], "industries": [], "TLP": "white", "cloned_from": null, "export_count": 3, "upvotes_count": 0, "downvotes_count": 0, "votes_count": 0, "locked": false, "pulse_source": "web", "validator_count": 0, "comment_count": 0, "follower_count": 0, "vote": 0, "author": { "username": "Q.Vashti", "id": "337942", "avatar_url": "https://otx.alienvault.com/assets/images/default-avatar.png", "is_subscribed": false, "is_following": false }, "indicator_type_counts": { "FileHash-MD5": 310, "FileHash-SHA1": 295, "FileHash-SHA256": 3634, "URL": 5839, "CVE": 2, "domain": 1048, "email": 15, "hostname": 1944, "SSLCertFingerprint": 2 }, "indicator_count": 13089, "is_author": false, "is_subscribing": null, "subscriber_count": 145, "modified_text": "106 days ago ", "is_modified": true, "groups": [], "in_group": false, "threat_hunter_scannable": true, "threat_hunter_has_agents": 1, "related_indicator_type": "URL", "related_indicator_is_active": 1 }, { "id": "69314926519256e3ef0a9358", "name": "BeeLineRouter.Net \u2022 Apple Access", "description": "", "modified": "2026-01-03T07:00:45.529000", "created": "2025-12-04T08:41:06.657000", "tags": [ "mitre att", "network traffic", "ck id", "show technique", "ck matrix", "threat score", "december", "default browser", "guest system", "united", "dynadot inc", "name server", "contacted hosts", "process details", "windir", "openurl c", "prefetch2", "learn", "name tactics", "suspicious", "informative", "adversaries", "command", "spawns", "access att", "t1566 phishing", "ascii text", "pattern match", "show process", "t1071", "general", "local", "path", "click", "beelinerouter", "access", "router", "apple", "regopenkeyexw", "regsz", "process32nextw", "english", "post http", "search", "observed dns", "query", "sinkhole cookie", "malware", "possible", "win32", "updater", "write", "next", "found", "ip address", "domain", "name servers", "unknown ns", "ip whois", "registrar", "cloudflare", "title", "passive dns", "urls", "files", "location united", "asn as14618", "bq dec", "virtool", "backdoor", "checkin", "ipv4 add", "trojan", "dynamicloader", "msie", "windows nt", "slcc2", "media center", "unknown", "show", "internal", "encrypt", "veailmboprd", "dns query", "wow64", "gecko http", "entries", "medium", "ransom", "khtml", "gecko", "delete", "installer", "win32cve may", "america flag", "overview ip", "asn as20940", "expiration", "url https", "no expiration", "url http", "pulse show", "type indicator", "role title", "related pulses", "record value", "domain xn" ], "references": [ "HTTPS://BeeLineRouter.Net", "eta-apple.com \u2022 006.ts.apple.com \u2022 012.ts.apple.com", "https://appleid.xn--appe-70a.com/", "https://hybrid-analysis.com/sample/87ee92129f42f32417ae21cab1a2bc98adc48ee692a20e1ab3c5277d67dd12e5/69312056ce09855ecd0e3069", "https://wallpapers-nature.com/tsara-brashears/urlscan-io", "http://www.anyxxxtube.net/search-porn/tsara-brashears-denies-jeffrey-scott-reimer-sex", "http://www.anyxxxtube.net/search-porn/tsara-brashears/", "https://www.sweetheartvideo.com/tsara-brashears", "https://www.pornhub.com/gifs/search?search=tsara+lynn+brashears+lesbian", "http://vgt.pl/r.n%20-", "8-25-220-162-static.reverse.queryfoundry.net", "queryfoundry.net", "http://81-26-68-38-static.reverse.queryfoundry.net/", "http://117-114-251-162-static.reverse.queryfoundry.net/", "http://81-26-68-38-static.reverse.queryfoundry.net/", "http://68-178-128-104-static.reverse.queryfoundry.net/", "0-209-98-172-static.reverse.queryfoundry.net", "154-143-182-107-static.reverse.queryfoundry.net", "http://51-235-245-104-static.reverse.queryfoundry.net/", "167-16-68-38-static.reverse.queryfoundry.net", "http://49-116-251-162-static.reverse.queryfoundry./net/", "177-231-69-38-static.reverse.queryfoundry.net", "http://36-243-60-103-static.reverse.queryfoundry.net/", "http://237-189-251-104-static.reverse.queryfoundry.net/", "http://227-98-248-162-static.reverse.queryfoundry.net/", "237-189-251-104-static.reverse.queryfoundry.net", "http://207-214-98-172-static.reverse.queryfoundry.net/", "181-135-182-107-static.reverse.queryfoundry.net", "http://201-191-251-104-static.reverse.queryfoundry.net/", "67-228-69-38-static.reverse.queryfoundry.net", "http://0-209-98-172-static.reverse.queryfoundry.net/", "http://10-241-60-103-static.reverse.queryfoundry.net/", "http://142-232-245-104-static.reverse.queryfoundry.net/", "http://154-143-182-107-static.reverse.queryfoundry.net/", "http://167-16-68-38-static.reverse.queryfoundry.net/", "http://177-231-69-38-static.reverse.queryfoundry.net/", "http://181-135-182-107-static.reverse.queryfoundry.net/", "http://195-214-98-172-static.reverse.queryfoundry.net/" ], "public": 1, "adversary": "", "targeted_countries": [ "United States of America" ], "malware_families": [ { "id": "Simda", "display_name": "Simda", "target": null }, { "id": "MyDoom", "display_name": "MyDoom", "target": null }, { "id": "GandCrab Ransomware", "display_name": "GandCrab Ransomware", "target": null }, { "id": "Win.Virus.Expiro", "display_name": "Win.Virus.Expiro", "target": null }, { "id": "Other Malware", "display_name": "Other Malware", "target": null }, { "id": "#VirTool:Win32/Obfuscator.ADB", "display_name": "#VirTool:Win32/Obfuscator.ADB", "target": "/malware/#VirTool:Win32/Obfuscator.ADB" } ], "attack_ids": [ { "id": "T1204", "name": "User Execution", "display_name": "T1204 - User Execution" }, { "id": "T1566", "name": "Phishing", "display_name": "T1566 - Phishing" }, { "id": "T1027", "name": "Obfuscated Files or Information", "display_name": "T1027 - Obfuscated Files or Information" }, { "id": "T1057", "name": "Process Discovery", "display_name": "T1057 - Process Discovery" }, { "id": "T1069", "name": "Permission Groups Discovery", "display_name": "T1069 - Permission Groups Discovery" }, { "id": "T1071", "name": "Application Layer Protocol", "display_name": "T1071 - Application Layer Protocol" }, { "id": "T1105", "name": "Ingress Tool Transfer", "display_name": "T1105 - Ingress Tool Transfer" }, { "id": "T1480", "name": "Execution Guardrails", "display_name": "T1480 - Execution Guardrails" }, { "id": "T1113", "name": "Screen Capture", "display_name": "T1113 - Screen Capture" }, { "id": "T1012", "name": "Query Registry", "display_name": "T1012 - Query Registry" }, { "id": "T1045", "name": "Software Packing", "display_name": "T1045 - Software Packing" }, { "id": "T1082", "name": "System Information Discovery", "display_name": "T1082 - System Information Discovery" }, { "id": "T1119", "name": "Automated Collection", "display_name": "T1119 - Automated Collection" }, { "id": "T1055", "name": "Process Injection", "display_name": "T1055 - Process Injection" }, { "id": "T1060", "name": "Registry Run Keys / Startup Folder", "display_name": "T1060 - Registry Run Keys / Startup Folder" }, { "id": "T1063", "name": "Security Software Discovery", "display_name": "T1063 - Security Software Discovery" }, { "id": "T1053", "name": "Scheduled Task/Job", "display_name": "T1053 - Scheduled Task/Job" }, { "id": "T1129", "name": "Shared Modules", "display_name": "T1129 - Shared Modules" } ], "industries": [], "TLP": "white", "cloned_from": null, "export_count": 6, "upvotes_count": 0, "downvotes_count": 0, "votes_count": 0, "locked": false, "pulse_source": "web", "validator_count": 0, "comment_count": 0, "follower_count": 0, "vote": 0, "author": { "username": "Q.Vashti", "id": "337942", "avatar_url": "https://otx.alienvault.com/assets/images/default-avatar.png", "is_subscribed": false, "is_following": false }, "indicator_type_counts": { "FileHash-MD5": 310, "FileHash-SHA1": 295, "FileHash-SHA256": 3634, "URL": 5839, "CVE": 2, "domain": 1048, "email": 15, "hostname": 1944, "SSLCertFingerprint": 2 }, "indicator_count": 13089, "is_author": false, "is_subscribing": null, "subscriber_count": 146, "modified_text": "106 days ago ", "is_modified": true, "groups": [], "in_group": false, "threat_hunter_scannable": true, "threat_hunter_has_agents": 1, "related_indicator_type": "URL", "related_indicator_is_active": 1 }, { "id": "692f04e9fa3d782118e94aac", "name": "LevelBlue - Open Threat Exchange - Delete AppDeployed", "description": "I\u2019m not sure what to think. |\ndeploy-delete-app-us-east-2-1.deploy-delete-test-us-east-2-1mtsufd.us-east-2.gamma.forgeapps.ec2.aws.dev | Are these\npulses being sold or attacked? Christopher P. Ahmann of TAM Legal and his other firms has ALWAYS attacked targets phones and networks. Nothing is too outrageous for this maniac.\n\nHe is responsible for the recent attacks on devices , clouds , google accounts and a flurry of threats. Indicators in recently pulsed reports have been removed. I\u2019ve done my best to restore. \n\nI am also concerned about the safety or legitimacy of this platform.\n\nNo one is ever alerted. Simply calling someone and telling them about the compromises can equate to a big pay day for Level Blue and nothing for the victims of attacks. I need my pulses restored. \n\nIt\u2019s plausible to believe OTX was attacked by an external threat actor.\nAnything is possible when it comes to money.", "modified": "2026-01-01T15:04:20.907000", "created": "2025-12-02T15:25:29.158000", "tags": [ "levelblue", "open threat", "dynamicloader", "tlsv1", "high", "msie", "windows nt", "delete c", "fwlink", "stream", "powershell", "write", "malware", "local", "united", "flag", "date", "server", "crazy egg", "name server", "gmt flag", "domain address", "markmonitor", "enom", "sugges", "onv incude", "data upload", "find s", "extraction", "types", "type", "indicator", "click", "windir", "openurl c", "prefetch2", "analysis", "tor analysis", "dns requests", "contacted hosts", "search", "entries", "read c", "medium", "memcommit", "tls handshake", "failure", "module load", "next", "execution", "dock", "capture", "persistence", "copy", "unknown", "suricata alert", "et info", "bad traffic", "learn", "command", "ck id", "name tactics", "suspicious", "informative", "adversaries", "spawns", "t1480 execution", "file defense", "write c", "x02x82", "xe6x15c6", "x16f", "xc0xc0xc0", "revengerat", "guard", "service", "encrypt", "entries yara", "delphi", "win32", "jordan", "delete app" ], "references": [ "https://otx.alienvault.com/indicator/domain/Tamlegal.com", "DotNET_Reactor System.Security.Cryptography.AesCryptoServiceProvider System.Security.Cryptography System.Security.Cryptography ICryptoTransform Eziriz", "endgames.com \u2022 endgames.us \u2022 endgamesystems.com \u2022 http://www.onyx-ware.com/lander", "deploy-delete-app-us-east-2-1.deploy-delete-test-us-east-2-1mtsufd.us-east-2.gamma.forgeapps.ec2.aws.dev" ], "public": 1, "adversary": "", "targeted_countries": [ "United States of America" ], "malware_families": [ { "id": "Win.Malware.Vmprotect-9880726-0", "display_name": "Win.Malware.Vmprotect-9880726-0", "target": null }, { "id": "Other Malware", "display_name": "Other Malware", "target": null } ], "attack_ids": [ { "id": "T1053", "name": "Scheduled Task/Job", "display_name": "T1053 - Scheduled Task/Job" }, { "id": "T1055", "name": "Process Injection", "display_name": "T1055 - Process Injection" }, { "id": "T1056", "name": "Input Capture", "display_name": "T1056 - Input Capture" }, { "id": "T1071", "name": "Application Layer Protocol", "display_name": "T1071 - Application Layer Protocol" }, { "id": "T1082", "name": "System Information Discovery", "display_name": "T1082 - System Information Discovery" }, { "id": "T1112", "name": "Modify Registry", "display_name": "T1112 - Modify Registry" }, { "id": "T1119", "name": "Automated Collection", "display_name": "T1119 - Automated Collection" }, { "id": "T1129", "name": "Shared Modules", "display_name": "T1129 - Shared Modules" }, { "id": "T1143", "name": "Hidden Window", "display_name": "T1143 - Hidden Window" }, { "id": "T1134", "name": "Access Token Manipulation", "display_name": "T1134 - Access Token Manipulation" }, { "id": "T1027", "name": "Obfuscated Files or Information", "display_name": "T1027 - Obfuscated Files or Information" }, { "id": "T1057", "name": "Process Discovery", "display_name": "T1057 - Process Discovery" }, { "id": "T1069", "name": "Permission Groups Discovery", "display_name": "T1069 - Permission Groups Discovery" }, { "id": "T1105", "name": "Ingress Tool Transfer", "display_name": "T1105 - Ingress Tool Transfer" }, { "id": "T1480", "name": "Execution Guardrails", "display_name": "T1480 - Execution Guardrails" }, { "id": "T1147", "name": "Hidden Users", "display_name": "T1147 - Hidden Users" } ], "industries": [ "Technology", "Legal" ], "TLP": "white", "cloned_from": null, "export_count": 5, "upvotes_count": 0, "downvotes_count": 0, "votes_count": 0, "locked": false, "pulse_source": "web", "validator_count": 0, "comment_count": 0, "follower_count": 0, "vote": 0, "author": { "username": "Q.Vashti", "id": "337942", "avatar_url": "https://otx.alienvault.com/assets/images/default-avatar.png", "is_subscribed": false, "is_following": false }, "indicator_type_counts": { "URL": 4624, "FileHash-SHA256": 2021, "FileHash-MD5": 51, "FileHash-SHA1": 20, "SSLCertFingerprint": 10, "hostname": 1433, "domain": 728 }, "indicator_count": 8887, "is_author": false, "is_subscribing": null, "subscriber_count": 140, "modified_text": "107 days ago ", "is_modified": true, "groups": [], "in_group": false, "threat_hunter_scannable": true, "threat_hunter_has_agents": 1, "related_indicator_type": "URL", "related_indicator_is_active": 1 } ], "error": null, "vt": { "error": "VirusTotal rate limit reached. Try again shortly.", "indicator": "https://ghps.steam302.xyz", "type": "URL" }, "abuseipdb": null, "urlhaus": { "indicator": "https://ghps.steam302.xyz", "type": "URL", "found": false, "verdict": "clean", "error": null }, "from_cache": true, "_cached_at": 1776599347.2368364 }