{ "type": "URL", "indicator": "https://git.port404.ru", "general": { "sections": [ "general", "url_list", "http_scans", "screenshot" ], "indicator": "https://git.port404.ru", "type": "url", "type_title": "URL", "validation": [], "base_indicator": { "id": 4146897739, "indicator": "https://git.port404.ru", "type": "URL", "title": "", "description": "", "content": "", "access_type": "public", "access_reason": "" }, "pulse_info": { "count": 3, "pulses": [ { "id": "69bf261cc4e399447d78776c", "name": "Cyber Bully Attackers | Revenge Attacks | Remote attackers | Malware Packed |", "description": "Several government entities, attorneys have sought porn revenge including physical violence, attempted crimes, malicious prosecution case , harassment when a female patient of man formerly known as Jeffrey Scott Reimer of Chester Springs, PA, violently, critically injured patient in a sexually charged assault [URL\thttp://foundry2-lbl.dvr.dn2.n-helix.com\t\t\t\nhttps://foundry2-lbl.dvr.dn2.n-helix.com\t\tfoundry2-lbl.dvr.dn2.n-helix.com\t\t\t\t\thttps://www.palantir.io/docs/foundry/ontologies/test-changes-in-ontology/\t\t\nhttp://datafoundry.com\t\t\t\nhttp://foundry2sdbl.dvr.dn2.n-helix.com\t\t\thttps://209-99-40-223.fwd.datafoundry.com\t\t\t\ndatafoundry.com", "modified": "2026-03-21T23:13:32.760000", "created": "2026-03-21T23:13:32.760000", "tags": [ "sc data", "data upload", "please sub", "include data", "extraction", "failed", "sc pulse", "idron anv", "extr please", "include review", "exclude sugges", "stop show", "typ domain", "united", "virtool", "name servers", "cryp", "emails", "win32", "ip address", "worm", "trojan", "learn", "suspicious", "informative", "ck id", "name tactics", "command", "adversaries", "spawns", "ssl certificate", "initial access", "link initial", "prefetch8", "mitre att", "ck matrix", "flag", "windows nt", "win64", "accept", "encrypt", "form", "hybrid", "bypass", "general", "path", "iframe", "click", "strings", "anchor https", "anchor", "liberal", "sabey", "liberal friends", "meta", "html internet", "html document", "unicode text", "utf8 text", "info initial", "access ta0001", "compromise", "t1189 network", "communication", "get http", "artifacts v", "full reports", "v get", "help dns", "resolutions", "ip traffic", "extr data", "enter sc", "extra data", "referen", "broth", "passive dns", "urls", "http", "hostname", "files domain", "files related", "related tags", "none google", "safe browsing", "inquest labs", "lucas acha", "code integrity", "checks creation", "otx logo", "all hostname", "files", "domain", "protect", "date", "title", "exchange", "se http", "present jan", "present feb", "present dec", "backdoor", "certificate", "all domain", "alibaba cloud", "hichina", "porkbun llc", "cloudflare", "namecheap inc", "namecheap", "domains", "dynadot llc", "ascio", "denmark", "url https", "filehashsha256", "url http", "dopple ai", "snit", "iocs", "otx description", "information", "report spam", "delete service", "poem", "hunter", "malicious", "porn revenge", "brian sabeys", "all report", "spam delete", "rl http", "https", "expiration http", "spam brian", "swipper", "type indicator", "role title", "added active", "related pulses", "filehashmd5", "filehashsha1", "sha256", "scan", "learn more", "indicators show", "tbmvid", "sourcelnms", "zx1724209326040", "xxx videos", "xxxvideohd", "adversary", "packing", "palantir.com", "discovery", "victim won case", "doin it", "palantirian abuse", "apple", "sabey data centers", "insurance", "quasi government", "the brother sabey", "reimer", "law enforcement", "vessel state", "sabey porn", "hall evans", "christopher ahmann", "defamation", "google" ], "references": [ "The Brothers Sabey \u2013 Conservatives with Liberal Friends \u2022 https://thebrotherssabey.com/", "http://watchhers.net/index.php", "http://212.33.237.86/images/1/report.php", "https://www.pornhub.com/gifs/search?search=tsara+lynn+brashears+lesbian", "https://webmail.police.govmm.org/owa/", "https://pks.wroclaw.sa.gov.pl:1443/ \u2022 portal.bialystok.sa.gov.pl", "https://tulach.cc/ phishing \u2022 45.32.112.220 scanning_host \u2022 45.76.79.215", "Mark Brian Sabey", "Melvin Sabey", "Christopher P \u2018Buzz\u2019 Ahmann", "Ronda Cordova", "Unknown Persons impersonating Private Investigators (plural)", "Quasi Government Case", "Victim silenced. Struck by Car Driven by male police let walk", "Denver Police let this attempted murder walk. Cited him as a ghost driver", "Make driver stuck victim with large vehicle after PT unknowingly reported original assault Jeffrey Reiner to Dora", "Sexual and Physical Assaulter - Jeffrey Scott Reimer", "Reimer was a PT. Unknown whereabouts , name or job description", "Denver Police Department Major Crimes closed investigation", "Investigation closed when Brian Sabey initiated a malicious prosecution case against Victim", "I bring up the personal nature of the crime because a delete service has been used", "More than 1000 IoC\u2019s including pulses have been ILLEGALLY removed", "All IoC\u2019s originate from sources named. There are some unknown attackers", "This is a serious crime. I\u2019m certain God WILL pay them.", "https://palantirwww.sweetheartvideo.com\t\t\tMar 21, 2026, 2:06:10 PM\t\t3\t domain\tpalantir.io\t\t\tMar 21, 2026, 2:06:10 PM\t\t34\t URL\thttps://www.palantir.io/docs/foundry/ontologies/test-changes-in-ontology/ \u2022 www.palantir.com", "http://palantirwww.sweetheartvideo.com/ (weirdness)", "http://foundry2-lbl.dvr.dn2.n-helix.com \u2022 https://foundry2-lbl.dvr.dn2.n-helix.com", "foundry2-lbl.dvr.dn2.n-helix.com\t\t\tMar 21, 2026, 2:06:10 PM\t\t29\t URL\thttps://www.palantir.io/docs/foundry/ontologies/test-changes-in-ontology/\t\t\tMar 21, 2026, 2:06:10 PM\t\t8\t URL\thttp://datafoundry.com\t\t\tMar 21, 2026, 2:06:10 PM\t\t9\t URL\thttp://foundry2sdbl.dvr.dn2.n-helix.com\t\t\tMar 21, 2026, 2:06:10 PM\t\t17\t URL\thttps://209-99-40-223.fwd.datafoundry.com\t\t\tMar 21, 2026, 2:06:10 PM\t\t27\t domain\tdatafoundry.com\t\t\tMar 21, 2026, 2:06:10 PM\t\t40\t hostname\t209-99-40-223.fwd.datafoundry.com\t\t\tMar 21, 2026, 2:06:1", "foundry2-lbl.dvr.dn2.n-helix.com\t\t\tMar 21, 2026, 2:06:10 PM\t\t29\t URL\thttps://www.palantir.io/docs/foundry/ontologies/test-changes-in-ontology/\t\t\tMar 21, 2026, 2:06:10 PM\t\t8\t URL\thttp://datafoundry.com\t\t\tMar 21, 2026, 2:06:10 PM\t\t9\t URL\thttp://foundry2sdbl.dvr.dn2.n-helix.com\t\t\tMar 21, 2026, 2:06:10 PM\t\t17\t URL\thttps://209-99-40-223.fwd.datafoundry.com\t\t\tMar 21, 2026, 2:06:10 PM\t\t27\t domain\tdatafoundry.com\t\t\tMar 21, 2026, 2:06:10 PM\t\t40\t hostname\t209-99-40-223.fwd.datafoundry.com\t\t\tMar 21, 2026, 2:06:1", "https://rdweb.datafoundry.com/RDWeb/Pages/en-US/login.aspx", "https://www.datafoundry.com/data-center-contamination-control/", "https://www.datafoundry.com/data-center-contamination-control/", "https://www.palantir.io/docs/foundry/ontologies/test-changes-in-ontology/", "http://foundry2-lbl.dvr.dn2.n-helix.com/", "https://207-207-25-201.fwd.datafoundry.com/", "http://datafoundry.com \u2022 http://foundry2sdbl.dvr.dn2.n-helix.com \u2022 https://209-99-40-223.fwd.datafoundry.com \u2022 datafoundry.com \u2022 209-99-40-223.fwd.datafoundry.com \u2022 beabetta.ifoundry.co.uk.s7b2.psmtp.com \u2022 foundry2sdbl.dvr.dn2.n-helix.com \u2022 fwd.datafoundry.com \u2022 207-207-25-154.fwd.datafoundry.com \u2022 207-207-25-156.fwd.datafoundry.com\t\t\t207-207-25-160.fwd.datafoundry.com \u2022 207-207-25-163.fwd.datafoundry.com \u2022\t207-207-25-164.fwd.datafoundry.com \u2022 207-207-25-165.fwd.datafoundry.com\t\t\tMar 21, 207-207-25-166.fwd", "http://datafoundry.com \u2022 https://209-99-40-223.fwd.datafoundry.com\tdatafoundry.com \u2022 209-99-40-223.fwd.datafoundry.com\t\t\tMar 21, 2026, 2:06:10 PM\t\t13\t hostname\tbeabetta.ifoundry.co.uk.s7b2.psmtp.com\t\t\tMar 21, 2026, 2:06:10 PM\t\t12\t hostname\tfoundry2sdbl.dvr.dn2.n-helix.com\t\t\tMar 21, 2026, 2:06:10 PM\t\t18\t hostname\tfwd.datafoundry.com\t\t\tMar 21, 2026, 2:06:10 PM\t\t8\t hostname\t207-207-25-154.fwd.datafoundry.com\t\t\tMar 21, 2026, 2:06:10 PM\t\t19\t hostname\t207-207-25-156.fwd.datafoundry.com\t\t\tMar 21, 2026, 2:06:1", "https://rdweb.datafoundry.com/", "https://www.palantir.io/docs/foundry/ontologies/test-changes-in-ontology/", "http://foundry2sdbl.dvr.dn2.n-helix.com/", "Updated | What\u2019s left after theft", "207-207-25-167.fwd.datafoundry.com \u2022 207-207-25-168.fwd.datafoundry.com \u2022 207-207-25-169.fwd.datafoundry.com", "207-207-25-170.fwd.datafoundry.com \u2022 207-207-25-171.fwd.datafoundry.com \u2022 207-207-25-201.fwd.datafoundry.com", "https://www.datafoundry.com/category/news/press-releases/ (Fake Press) abuse", "https://www.datafoundry.com/category/news/press-releases/", "207-207-25-209.fwd.datafoundry.com \u2022\t207-207-25-212.fwd.datafoundry.com \u2022 207-207-25-213.fwd.datafoundry.com \u2022 209-99-64-53.fwd.datafoundry.com", "209-99-69-91.fwd.datafoundry.com \u2022 dns1.datafoundry.com \u2022 dns2.datafoundry.com \u2022 rdweb.datafoundry.com", "www.go.datafoundry.com \u2022 http://207-207-25-209.fwd.datafoundry.com", "http://209-99-64-53.fwd.datafoundry.com \u2022 http://dns2.datafoundry.com \u2022 http://fwd.datafoundry.com", "http://pdns1.datafoundry.com/ \u2022\thttp://rdweb.datafoundry.com \u2022 http://rdweb.datafoundry.com/", "https://rdweb.datafoundry.com/ \u2022 http://www.datafoundry.com \u2022 https://207-207-25-163.fwd.datafoundry.com \u2022", "https://207-207-25-209.fwd.datafoundry.com \u2022 https://209-99-40-224.fwd.datafoundry.com/", "https://209-99-64-53.fwd.datafoundry.com \u2022 https://dns1.datafoundry.com \u2022 https://dns2.datafoundry.com \u2022 https://fwd.datafoundry.com", "Some may may find this content is very disturbing and offensive" ], "public": 1, "adversary": "", "targeted_countries": [], "malware_families": [ { "id": "Porn Revenge", "display_name": "Porn Revenge", "target": null }, { "id": "Tons of Malware", "display_name": "Tons of Malware", "target": null } ], "attack_ids": [ { "id": "T1041", "name": "Exfiltration Over C2 Channel", "display_name": "T1041 - Exfiltration Over C2 Channel" }, { "id": "T1057", "name": "Process Discovery", "display_name": "T1057 - Process Discovery" }, { "id": "T1071", "name": "Application Layer Protocol", "display_name": "T1071 - Application Layer Protocol" }, { "id": "T1105", "name": "Ingress Tool Transfer", "display_name": "T1105 - Ingress Tool Transfer" }, { "id": "T1132", "name": "Data Encoding", "display_name": "T1132 - Data Encoding" }, { "id": "T1140", "name": "Deobfuscate/Decode Files or Information", "display_name": "T1140 - Deobfuscate/Decode Files or Information" }, { "id": "T1189", "name": "Drive-by Compromise", "display_name": "T1189 - Drive-by Compromise" }, { "id": "T1553", "name": "Subvert Trust Controls", "display_name": "T1553 - Subvert Trust Controls" }, { "id": "T1566", "name": "Phishing", "display_name": "T1566 - Phishing" }, { "id": "T1568", "name": "Dynamic Resolution", "display_name": "T1568 - Dynamic Resolution" }, { "id": "T1583", "name": "Acquire Infrastructure", "display_name": "T1583 - Acquire Infrastructure" }, { "id": "T1583.001", "name": "Domains", "display_name": "T1583.001 - Domains" }, { "id": "T1553.002", "name": "Code Signing", "display_name": "T1553.002 - Code Signing" }, { "id": "T1132.001", "name": "Standard Encoding", "display_name": "T1132.001 - Standard Encoding" }, { "id": "T1071.001", "name": "Web Protocols", "display_name": "T1071.001 - Web Protocols" }, { "id": "T1568.002", "name": "Domain Generation Algorithms", "display_name": "T1568.002 - Domain Generation Algorithms" }, { "id": "T1071.004", "name": "DNS", "display_name": "T1071.004 - DNS" }, { "id": "T1113", "name": "Screen Capture", "display_name": "T1113 - Screen Capture" }, { "id": "T1027", "name": "Obfuscated Files or Information", "display_name": "T1027 - Obfuscated Files or Information" }, { "id": "T1036", "name": "Masquerading", "display_name": "T1036 - Masquerading" }, { "id": "T1045", "name": "Software Packing", "display_name": "T1045 - Software Packing" }, { "id": "T1055", "name": "Process Injection", "display_name": "T1055 - Process Injection" }, { "id": "T1059", "name": "Command and Scripting Interpreter", "display_name": "T1059 - Command and Scripting Interpreter" }, { "id": "T1060", "name": "Registry Run Keys / Startup Folder", "display_name": "T1060 - Registry Run Keys / Startup Folder" }, { "id": "T1070", "name": "Indicator Removal on Host", "display_name": "T1070 - Indicator Removal on Host" }, { "id": "T1082", "name": "System Information Discovery", "display_name": "T1082 - System Information Discovery" }, { "id": "T1083", "name": "File and Directory Discovery", "display_name": "T1083 - File and Directory Discovery" }, { "id": "T1106", "name": "Native API", "display_name": "T1106 - Native API" }, { "id": "T1125", "name": "Video Capture", "display_name": "T1125 - Video Capture" }, { "id": "T1129", "name": "Shared Modules", "display_name": "T1129 - Shared Modules" }, { "id": "T1143", "name": "Hidden Window", "display_name": "T1143 - Hidden Window" }, { "id": "T1176", "name": "Browser Extensions", "display_name": "T1176 - Browser Extensions" }, { "id": "T1449", "name": "Exploit SS7 to Redirect Phone Calls/SMS", "display_name": "T1449 - Exploit SS7 to Redirect Phone Calls/SMS" }, { "id": "T1495", "name": "Firmware Corruption", "display_name": "T1495 - Firmware Corruption" }, { "id": "T1546", "name": "Event Triggered Execution", "display_name": "T1546 - Event Triggered Execution" }, { "id": "T1587.001", "name": "Malware", "display_name": "T1587.001 - Malware" }, { "id": "T1608.001", "name": "Upload Malware", "display_name": "T1608.001 - Upload Malware" }, { "id": "T1457", "name": "Malicious Media Content", "display_name": "T1457 - Malicious Media Content" }, { "id": "T1586.001", "name": "Social Media Accounts", "display_name": "T1586.001 - Social Media Accounts" }, { "id": "T1593.001", "name": "Social Media", "display_name": "T1593.001 - Social Media" }, { "id": "T1068", "name": "Exploitation for Privilege Escalation", "display_name": "T1068 - Exploitation for Privilege Escalation" }, { "id": "T1080", "name": "Taint Shared Content", "display_name": "T1080 - Taint Shared Content" }, { "id": "T1190", "name": "Exploit Public-Facing Application", "display_name": "T1190 - Exploit Public-Facing Application" }, { "id": "T1472", "name": "Generate Fraudulent Advertising Revenue", "display_name": "T1472 - Generate Fraudulent Advertising Revenue" }, { "id": "T1586", "name": "Compromise Accounts", "display_name": "T1586 - Compromise Accounts" }, { "id": "T1059.002", "name": "AppleScript", "display_name": "T1059.002 - AppleScript" }, { "id": "T1456", "name": "Drive-by Compromise", "display_name": "T1456 - Drive-by Compromise" }, { "id": "T1210", "name": "Exploitation of Remote Services", "display_name": "T1210 - Exploitation of Remote Services" }, { "id": "T1583.005", "name": "Botnet", "display_name": "T1583.005 - Botnet" }, { "id": "T1584", "name": "Compromise Infrastructure", "display_name": "T1584 - Compromise Infrastructure" } ], "industries": [], "TLP": "white", "cloned_from": null, "export_count": 5, "upvotes_count": 0, "downvotes_count": 0, "votes_count": 0, "locked": false, "pulse_source": "web", "validator_count": 0, "comment_count": 0, "follower_count": 0, "vote": 0, "author": { "username": "Q.Vashti", "id": "337942", "avatar_url": "https://otx.alienvault.com/assets/images/default-avatar.png", "is_subscribed": false, "is_following": false }, "indicator_type_counts": { "URL": 6034, "domain": 1422, "IPv4": 883, "FileHash-MD5": 274, "FileHash-SHA1": 252, "FileHash-SHA256": 3378, "email": 11, "hostname": 2753, "CVE": 1, "SSLCertFingerprint": 9, "IPv6": 32 }, "indicator_count": 15049, "is_author": false, "is_subscribing": null, "subscriber_count": 140, "modified_text": "28 days ago ", "is_modified": false, "groups": [], "in_group": false, "threat_hunter_scannable": true, "threat_hunter_has_agents": 1, "related_indicator_type": "URL", "related_indicator_is_active": 1 }, { "id": "692f23547b713b128b9c8156", "name": "Indicator Deletion Attack | Chris P. Ahmann Esq still utilizes parking crews to execute cyber attacks", "description": "Unable to open malware indicators at this time. These attackers use Parking Crews for their exploits, leasing parked domains for the amount of time needed to execute an attack. The attack last predate me ever using Level Blue. I have to review indicators reports more closely but, I do see a the multitude of attacks against target TLB and an intersection of attacks concerning Disable_Duck (Alberta) Chris Ahmann , Colorado government indicated. \n\n[OTX auto populated - Adversaries may use techniques to evade detection in their malware or tools, as well as using techniques such as code signing, encryption, and other techniques for avoiding detection and monitoring of their activities.]", "modified": "2026-01-01T17:01:48.163000", "created": "2025-12-02T17:35:15.203000", "tags": [ "data upload", "extraction", "failed", "learn", "ck id", "name tactics", "suspicious", "informative", "adversaries", "command", "defense evasion", "spawns", "development att", "united", "flag", "poland poland", "windir", "openurl c", "prefetch2", "analysis", "tor analysis", "dns requests", "domain address", "mitre att", "ck matrix", "pattern match", "ascii text", "show process", "network traffic", "t1057", "general", "local", "path", "encrypt", "hosts ip", "details", "ssl certificate", "sha256", "sha1", "size", "unicode text", "crlf", "utf8", "lf line", "server", "command decode", "markmonitor", "amazon", "ltd dba", "com laude", "organization", "click", "show technique", "brand", "microsoft edge", "windows nt", "win64", "khtml", "gecko", "submitted", "prefetch1", "name server", "misc attack", "et tor", "known tor", "relayrouter", "contacted hosts", "google", "pornhub", "ip address", "t1480 execution", "file defense", "passive dns", "related nids", "urls", "files location", "flag united" ], "references": [ "deploy-delete-app-us-east-2-1.deploy-delete-test-us-east-2-1mtsufd.us-east-2.gamma.forgeapps.ec2.aws.dev", "Amazon.com \u2022 Google.com \u2022YouTube.com, Apple.com , etc Exploited", "cloudendpointsapis.com \u2022 https://www.vgt.pl/style/style.css \u2022 ceidg.gov.pl", "pl.wikipedia.org \u2022 fontawesome.io \u2022 opensource.org \u2022 videojet.com", "https://discoverreceiver.gurus.vmicrosoft.com/ \u2022 account.live.com \u2022 acctcdn.msauth.net", "https://www.milehighmedia.com/legal/2257", "https://www.pornhub.com/gifs/search?search=tsara+lynn+brashears+lesbian", "https://twitter.com/PORNO_SEXYBABES", "http://www.anyxxxtube.net/search-porn/tsara-brashears", "https://wallpapers-nature.com/tsara-brashears/urlscan-io", "http://www.anyxxxtube.net/search-porn/tsara-brashears-denies-jeffrey-scott-reimer-sex", "http://www.anyxxxtube.net/search-porn/tsara-brashears/", "https://wallpapers-nature.com/tsara-brashears/tse1-mm-bing-net \u2022 wallpapers-nature.com", "https://www.pornhub.com/gifs/search?search=tsara+lynn+brashears+lesbian \u2022", "https://wallpapers-nature.com/ tsara-brashears/urlscan-io", "https://wallpapers-nature.com/%20tsara-brashears/urlscan-io", "http://aplikacja.ceidg.gov.pl/CEIDG/CEIDG.Public.UI/EntryChangeHistory.Id=7a025cc6", "(Delete app that removed YoiTube views) www.youtube.com/watch?v=GyuMozsVyYs", "http://watchhers.net/index.php", "everesttech.net \u2022 aws.amazon.com \u2022 cm.everesttech.net \u2022 dpm.demdex.net \u2022 s3.amazonaws.com" ], "public": 1, "adversary": "", "targeted_countries": [], "malware_families": [ { "id": "CVE-2023-22518", "display_name": "CVE-2023-22518", "target": null }, { "id": "Other Malware", "display_name": "Other Malware", "target": null } ], "attack_ids": [ { "id": "T1027", "name": "Obfuscated Files or Information", "display_name": "T1027 - Obfuscated Files or Information" }, { "id": "T1057", "name": "Process Discovery", "display_name": "T1057 - Process Discovery" }, { "id": "T1069", "name": "Permission Groups Discovery", "display_name": "T1069 - Permission Groups Discovery" }, { "id": "T1071", "name": "Application Layer Protocol", "display_name": "T1071 - Application Layer Protocol" }, { "id": "T1105", "name": "Ingress Tool Transfer", "display_name": "T1105 - Ingress Tool Transfer" }, { "id": "T1480", "name": "Execution Guardrails", "display_name": "T1480 - Execution Guardrails" }, { "id": "T1539", "name": "Steal Web Session Cookie", "display_name": "T1539 - Steal Web Session Cookie" }, { "id": "T1553", "name": "Subvert Trust Controls", "display_name": "T1553 - Subvert Trust Controls" }, { "id": "T1562", "name": "Impair Defenses", "display_name": "T1562 - Impair Defenses" }, { "id": "T1568", "name": "Dynamic Resolution", "display_name": "T1568 - Dynamic Resolution" }, { "id": "T1583", "name": "Acquire Infrastructure", "display_name": "T1583 - Acquire Infrastructure" }, { "id": "T1140", "name": "Deobfuscate/Decode Files or Information", "display_name": "T1140 - Deobfuscate/Decode Files or Information" }, { "id": "T1518", "name": "Software Discovery", "display_name": "T1518 - Software Discovery" } ], "industries": [], "TLP": "green", "cloned_from": null, "export_count": 2, "upvotes_count": 0, "downvotes_count": 0, "votes_count": 0, "locked": false, "pulse_source": "web", "validator_count": 0, "comment_count": 0, "follower_count": 0, "vote": 0, "author": { "username": "Q.Vashti", "id": "337942", "avatar_url": "https://otx.alienvault.com/assets/images/default-avatar.png", "is_subscribed": false, "is_following": false }, "indicator_type_counts": { "hostname": 1358, "FileHash-MD5": 100, "FileHash-SHA1": 102, "FileHash-SHA256": 1682, "URL": 2497, "CVE": 2, "domain": 400, "SSLCertFingerprint": 6, "email": 3 }, "indicator_count": 6150, "is_author": false, "is_subscribing": null, "subscriber_count": 138, "modified_text": "107 days ago ", "is_modified": true, "groups": [], "in_group": false, "threat_hunter_scannable": true, "threat_hunter_has_agents": 1, "related_indicator_type": "URL", "related_indicator_is_active": 1 }, { "id": "690e8b773dc39921d88abd44", "name": "Nanocore - Affected", "description": "- wmsspacer.gif\n| Photography: WMSspacer.gif, |[wmstransparent.org,]\n* YARA Detections : \nDotNET_Reactor\nSystem.Security.Cryptography.AesCryptoServiceProvider\nSystem.Security.Cryptography\nSystem.Security.Cryptography ~\nI CryptoTransform |\n Wmsspacer, i.g.sg.js..png.com, on-screen.|", "modified": "2025-12-07T23:02:29.645000", "created": "2025-11-08T00:14:47.600000", "tags": [ "hgnvastlaiz", "read c", "medium", "rgba", "memcommit", "delete", "png image", "unicode", "dock", "execution", "malware", "crlf line", "speichermedium", "productversion", "fileversion", "engine dll", "internalname", "einstellungen", "comodo ca", "limited st", "yara detections", "next pe", "eula", "policy", "direct", "opencandy", "suspicious_write_exe", "network_icmp", "process_martian", "present jun", "present jul", "domain", "united", "ip address", "unknown ns", "ms windows", "intel", "verisign", "time stamping", "unknown", "class", "write", "markus", "temple", "msie", "windows nt", "get http", "lehash", "av detections", "ids detections", "alerts", "file score", "low risk", "compromised_site_redirector_fromcharcode", "present aug", "passive dns", "all ipv4", "urls", "files", "hosting", "america flag", "win32", "ipv4 add", "signed file, valid signature. revoked.", "united states", "pws", "atros", "fiha", "search", "entries", "present oct", "next associated", "show", "high", "wow64", "slcc2", "next", "domain add", "poland", "poland unknown", "ipv4", "location poland", "poland asn", "et policy", "pe exe", "dll windows", "amazon s3", "location united", "associated urls", "date checked", "url hostname", "server response", "google safe", "results feb", "nanocore", "url add", "http", "related nids", "files location", "flag united", "malicious image", "files domain", "files related", "pulses otx", "related tags", "resources whois", "virustotal", "present sep", "status", "present nov", "present mar", "trojan", "script script", "div div", "link", "a li", "meta", "sweden", "invalid url", "head title", "title head", "reference", "bad request", "server", "netherlands", "creation date", "date", "running server", "ahmann", "christopher", "p", "tam", "legal", "treece", "alfrey", "muscat", "adversaries", "cyber crime", "quasi", "government" ], "references": [ "wmsspacer.gif : 548f2d6f4d0d820c6c5ffbeffcbd7f0e73193e2932eefe542accc84762deec87", "ceidg.gov.pl \u2022 https://www.csrc.gov.cn.lxcvc.com/ \u2022 www.alt.krasnopil-silrada.gov.ua", "http://www.mof.gov.cn.lxcvc.com/ \u2022 http://www.mohurd.gov.cn.lxcvc.com/ \u2022", "www.opencandy.com", "http://www.opencandy.com/privacy \u2022 http://www.opencandy.com/privacy-policy. \u2022 license@opencandy.com \u2022", "Yara Detections : compromised_site_redirector_fromcharcode", "Matches rule: skip20_sqllang_hook from ruleset skip20_sqllang_hook by Mathieu Tartare ", "Matches rule Adobe_XMP_Identifier from ruleset Adobe_XMP_Identifier by InQuest Labs", "http://pcoptimizerpro.com/eula.aspx \u2022 http://www.pcoptimizerpro.com/privacypolicy.aspx", "pcoptimizerpro.com \u2022 www.pcoptimizerpro.com", "PE EXE UpdatesDll.dll : 69081ab853021bd28bf7fb1eb4eac3199623c8ed413589e6f3898806a15f0f23", "YARA: DotNET_Reactor System.Security.Cryptography.AesCryptoServiceProvider System.Security.Cryptography System.Security.Cryptography ICryptoTransform", "https://img.fkcdn.com/image/kg8avm80/mobile/j/f/9/apple-iphone-12-dummyapplefsn-200x200-imafwg8dkyh2zgrh.jpeg", "https://heavyfetish.com/search/CHEESE-PIZZA-porn/" ], "public": 1, "adversary": "", "targeted_countries": [ "United States of America" ], "malware_families": [ { "id": "Win.Trojan.Nanocore-5", "display_name": "Win.Trojan.Nanocore-5", "target": null }, { "id": "Win.Trojan.Adinstall-2", "display_name": "Win.Trojan.Adinstall-2", "target": null }, { "id": "PSW.Generic13", "display_name": "PSW.Generic13", "target": null }, { "id": "Atros.UPK", "display_name": "Atros.UPK", "target": null }, { "id": "Luhe.Fiha.A", "display_name": "Luhe.Fiha.A", "target": null }, { "id": "Pua.Optimizerpro/PCOptimizerPro", "display_name": "Pua.Optimizerpro/PCOptimizerPro", "target": null } ], "attack_ids": [ { "id": "T1140", "name": "Deobfuscate/Decode Files or Information", "display_name": "T1140 - Deobfuscate/Decode Files or Information" }, { "id": "T1053", "name": "Scheduled Task/Job", "display_name": "T1053 - Scheduled Task/Job" }, { "id": "T1055", "name": "Process Injection", "display_name": "T1055 - Process Injection" }, { "id": "T1082", "name": "System Information Discovery", "display_name": "T1082 - System Information Discovery" }, { "id": "T1119", "name": "Automated Collection", "display_name": "T1119 - Automated Collection" }, { "id": "T1129", "name": "Shared Modules", "display_name": "T1129 - Shared Modules" }, { "id": "T1143", "name": "Hidden Window", "display_name": "T1143 - Hidden Window" }, { "id": "T1102", "name": "Web Service", "display_name": "T1102 - Web Service" }, { "id": "T1491.001", "name": "Internal Defacement", "display_name": "T1491.001 - Internal Defacement" }, { "id": "T1204.003", "name": "Malicious Image", "display_name": "T1204.003 - Malicious Image" } ], "industries": [], "TLP": "white", "cloned_from": null, "export_count": 12, "upvotes_count": 0, "downvotes_count": 0, "votes_count": 0, "locked": false, "pulse_source": "web", "validator_count": 0, "comment_count": 1, "follower_count": 0, "vote": 0, "author": { "username": "Q.Vashti", "id": "337942", "avatar_url": "https://otx.alienvault.com/assets/images/default-avatar.png", "is_subscribed": false, "is_following": false }, "indicator_type_counts": { "FileHash-MD5": 753, "FileHash-SHA1": 622, "FileHash-SHA256": 4336, "URL": 2448, "domain": 300, "hostname": 788, "CVE": 1, "email": 4 }, "indicator_count": 9252, "is_author": false, "is_subscribing": null, "subscriber_count": 138, "modified_text": "132 days ago ", "is_modified": true, "groups": [], "in_group": false, "threat_hunter_scannable": true, "threat_hunter_has_agents": 1, "related_indicator_type": "URL", "related_indicator_is_active": 1 } ], "references": [ "http://212.33.237.86/images/1/report.php", "https://www.datafoundry.com/category/news/press-releases/ (Fake Press) abuse", "https://wallpapers-nature.com/%20tsara-brashears/urlscan-io", "All IoC\u2019s originate from sources named. There are some unknown attackers", "www.go.datafoundry.com \u2022 http://207-207-25-209.fwd.datafoundry.com", "https://www.datafoundry.com/data-center-contamination-control/", "http://foundry2-lbl.dvr.dn2.n-helix.com/", "wmsspacer.gif : 548f2d6f4d0d820c6c5ffbeffcbd7f0e73193e2932eefe542accc84762deec87", "http://www.anyxxxtube.net/search-porn/tsara-brashears/", "(Delete app that removed YoiTube views) www.youtube.com/watch?v=GyuMozsVyYs", "https://tulach.cc/ phishing \u2022 45.32.112.220 scanning_host \u2022 45.76.79.215", "More than 1000 IoC\u2019s including pulses have been ILLEGALLY removed", "https://207-207-25-209.fwd.datafoundry.com \u2022 https://209-99-40-224.fwd.datafoundry.com/", "The Brothers Sabey \u2013 Conservatives with Liberal Friends \u2022 https://thebrotherssabey.com/", "Melvin Sabey", "http://www.anyxxxtube.net/search-porn/tsara-brashears", "cloudendpointsapis.com \u2022 https://www.vgt.pl/style/style.css \u2022 ceidg.gov.pl", "https://www.pornhub.com/gifs/search?search=tsara+lynn+brashears+lesbian \u2022", "Some may may find this content is very disturbing and offensive", "https://www.datafoundry.com/category/news/press-releases/", "http://foundry2-lbl.dvr.dn2.n-helix.com \u2022 https://foundry2-lbl.dvr.dn2.n-helix.com", "https://wallpapers-nature.com/ tsara-brashears/urlscan-io", "foundry2-lbl.dvr.dn2.n-helix.com\t\t\tMar 21, 2026, 2:06:10 PM\t\t29\t URL\thttps://www.palantir.io/docs/foundry/ontologies/test-changes-in-ontology/\t\t\tMar 21, 2026, 2:06:10 PM\t\t8\t URL\thttp://datafoundry.com\t\t\tMar 21, 2026, 2:06:10 PM\t\t9\t URL\thttp://foundry2sdbl.dvr.dn2.n-helix.com\t\t\tMar 21, 2026, 2:06:10 PM\t\t17\t URL\thttps://209-99-40-223.fwd.datafoundry.com\t\t\tMar 21, 2026, 2:06:10 PM\t\t27\t domain\tdatafoundry.com\t\t\tMar 21, 2026, 2:06:10 PM\t\t40\t hostname\t209-99-40-223.fwd.datafoundry.com\t\t\tMar 21, 2026, 2:06:1", "Make driver stuck victim with large vehicle after PT unknowingly reported original assault Jeffrey Reiner to Dora", "PE EXE UpdatesDll.dll : 69081ab853021bd28bf7fb1eb4eac3199623c8ed413589e6f3898806a15f0f23", "https://twitter.com/PORNO_SEXYBABES", "http://www.mof.gov.cn.lxcvc.com/ \u2022 http://www.mohurd.gov.cn.lxcvc.com/ \u2022", "https://wallpapers-nature.com/tsara-brashears/urlscan-io", "everesttech.net \u2022 aws.amazon.com \u2022 cm.everesttech.net \u2022 dpm.demdex.net \u2022 s3.amazonaws.com", "https://rdweb.datafoundry.com/ \u2022 http://www.datafoundry.com \u2022 https://207-207-25-163.fwd.datafoundry.com \u2022", "http://watchhers.net/index.php", "deploy-delete-app-us-east-2-1.deploy-delete-test-us-east-2-1mtsufd.us-east-2.gamma.forgeapps.ec2.aws.dev", "http://aplikacja.ceidg.gov.pl/CEIDG/CEIDG.Public.UI/EntryChangeHistory.Id=7a025cc6", "https://209-99-64-53.fwd.datafoundry.com \u2022 https://dns1.datafoundry.com \u2022 https://dns2.datafoundry.com \u2022 https://fwd.datafoundry.com", "https://palantirwww.sweetheartvideo.com\t\t\tMar 21, 2026, 2:06:10 PM\t\t3\t domain\tpalantir.io\t\t\tMar 21, 2026, 2:06:10 PM\t\t34\t URL\thttps://www.palantir.io/docs/foundry/ontologies/test-changes-in-ontology/ \u2022 www.palantir.com", "http://foundry2sdbl.dvr.dn2.n-helix.com/", "This is a serious crime. I\u2019m certain God WILL pay them.", "Christopher P \u2018Buzz\u2019 Ahmann", "207-207-25-170.fwd.datafoundry.com \u2022 207-207-25-171.fwd.datafoundry.com \u2022 207-207-25-201.fwd.datafoundry.com", "https://discoverreceiver.gurus.vmicrosoft.com/ \u2022 account.live.com \u2022 acctcdn.msauth.net", "YARA: DotNET_Reactor System.Security.Cryptography.AesCryptoServiceProvider System.Security.Cryptography System.Security.Cryptography ICryptoTransform", "https://webmail.police.govmm.org/owa/", "https://heavyfetish.com/search/CHEESE-PIZZA-porn/", "https://img.fkcdn.com/image/kg8avm80/mobile/j/f/9/apple-iphone-12-dummyapplefsn-200x200-imafwg8dkyh2zgrh.jpeg", "https://207-207-25-201.fwd.datafoundry.com/", "Matches rule Adobe_XMP_Identifier from ruleset Adobe_XMP_Identifier by InQuest Labs", "http://209-99-64-53.fwd.datafoundry.com \u2022 http://dns2.datafoundry.com \u2022 http://fwd.datafoundry.com", "www.opencandy.com", "207-207-25-209.fwd.datafoundry.com \u2022\t207-207-25-212.fwd.datafoundry.com \u2022 207-207-25-213.fwd.datafoundry.com \u2022 209-99-64-53.fwd.datafoundry.com", "Mark Brian Sabey", "Quasi Government Case", "207-207-25-167.fwd.datafoundry.com \u2022 207-207-25-168.fwd.datafoundry.com \u2022 207-207-25-169.fwd.datafoundry.com", "Unknown Persons impersonating Private Investigators (plural)", "Denver Police Department Major Crimes closed investigation", "pcoptimizerpro.com \u2022 www.pcoptimizerpro.com", "https://wallpapers-nature.com/tsara-brashears/tse1-mm-bing-net \u2022 wallpapers-nature.com", "http://pdns1.datafoundry.com/ \u2022\thttp://rdweb.datafoundry.com \u2022 http://rdweb.datafoundry.com/", "pl.wikipedia.org \u2022 fontawesome.io \u2022 opensource.org \u2022 videojet.com", "http://palantirwww.sweetheartvideo.com/ (weirdness)", "https://pks.wroclaw.sa.gov.pl:1443/ \u2022 portal.bialystok.sa.gov.pl", "ceidg.gov.pl \u2022 https://www.csrc.gov.cn.lxcvc.com/ \u2022 www.alt.krasnopil-silrada.gov.ua", "Updated | What\u2019s left after theft", "Yara Detections : compromised_site_redirector_fromcharcode", "209-99-69-91.fwd.datafoundry.com \u2022 dns1.datafoundry.com \u2022 dns2.datafoundry.com \u2022 rdweb.datafoundry.com", "http://www.opencandy.com/privacy \u2022 http://www.opencandy.com/privacy-policy. \u2022 license@opencandy.com \u2022", "Sexual and Physical Assaulter - Jeffrey Scott Reimer", "I bring up the personal nature of the crime because a delete service has been used", "https://www.palantir.io/docs/foundry/ontologies/test-changes-in-ontology/", "http://datafoundry.com \u2022 http://foundry2sdbl.dvr.dn2.n-helix.com \u2022 https://209-99-40-223.fwd.datafoundry.com \u2022 datafoundry.com \u2022 209-99-40-223.fwd.datafoundry.com \u2022 beabetta.ifoundry.co.uk.s7b2.psmtp.com \u2022 foundry2sdbl.dvr.dn2.n-helix.com \u2022 fwd.datafoundry.com \u2022 207-207-25-154.fwd.datafoundry.com \u2022 207-207-25-156.fwd.datafoundry.com\t\t\t207-207-25-160.fwd.datafoundry.com \u2022 207-207-25-163.fwd.datafoundry.com \u2022\t207-207-25-164.fwd.datafoundry.com \u2022 207-207-25-165.fwd.datafoundry.com\t\t\tMar 21, 207-207-25-166.fwd", "Investigation closed when Brian Sabey initiated a malicious prosecution case against Victim", "Denver Police let this attempted murder walk. Cited him as a ghost driver", "Ronda Cordova", "http://pcoptimizerpro.com/eula.aspx \u2022 http://www.pcoptimizerpro.com/privacypolicy.aspx", "https://rdweb.datafoundry.com/", "http://datafoundry.com \u2022 https://209-99-40-223.fwd.datafoundry.com\tdatafoundry.com \u2022 209-99-40-223.fwd.datafoundry.com\t\t\tMar 21, 2026, 2:06:10 PM\t\t13\t hostname\tbeabetta.ifoundry.co.uk.s7b2.psmtp.com\t\t\tMar 21, 2026, 2:06:10 PM\t\t12\t hostname\tfoundry2sdbl.dvr.dn2.n-helix.com\t\t\tMar 21, 2026, 2:06:10 PM\t\t18\t hostname\tfwd.datafoundry.com\t\t\tMar 21, 2026, 2:06:10 PM\t\t8\t hostname\t207-207-25-154.fwd.datafoundry.com\t\t\tMar 21, 2026, 2:06:10 PM\t\t19\t hostname\t207-207-25-156.fwd.datafoundry.com\t\t\tMar 21, 2026, 2:06:1", "https://www.pornhub.com/gifs/search?search=tsara+lynn+brashears+lesbian", "http://www.anyxxxtube.net/search-porn/tsara-brashears-denies-jeffrey-scott-reimer-sex", "https://rdweb.datafoundry.com/RDWeb/Pages/en-US/login.aspx", "Amazon.com \u2022 Google.com \u2022YouTube.com, Apple.com , etc Exploited", "https://www.milehighmedia.com/legal/2257", "Victim silenced. Struck by Car Driven by male police let walk", "Matches rule: skip20_sqllang_hook from ruleset skip20_sqllang_hook by Mathieu Tartare ", "Reimer was a PT. Unknown whereabouts , name or job description" ], "related": { "alienvault": { "adversary": [], "malware_families": [], "industries": [], "unique_indicators": 0 }, "other": { "adversary": [], "malware_families": [ "Win.trojan.adinstall-2", "Tons of malware", "Other malware", "Luhe.fiha.a", "Cve-2023-22518", "Porn revenge", "Win.trojan.nanocore-5", "Psw.generic13", "Pua.optimizerpro/pcoptimizerpro", "Atros.upk" ], "industries": [], "unique_indicators": 29193 } } }, "false_positive": [], "alexa": "http://www.alexa.com/siteinfo/port404.ru", "whois": "http://whois.domaintools.com/port404.ru", "domain": "port404.ru", "hostname": "git.port404.ru" }, "geo": {}, "geo_ipapicom": {}, "pulse_count": 3, "pulses": [ { "id": "69bf261cc4e399447d78776c", "name": "Cyber Bully Attackers | Revenge Attacks | Remote attackers | Malware Packed |", "description": "Several government entities, attorneys have sought porn revenge including physical violence, attempted crimes, malicious prosecution case , harassment when a female patient of man formerly known as Jeffrey Scott Reimer of Chester Springs, PA, violently, critically injured patient in a sexually charged assault [URL\thttp://foundry2-lbl.dvr.dn2.n-helix.com\t\t\t\nhttps://foundry2-lbl.dvr.dn2.n-helix.com\t\tfoundry2-lbl.dvr.dn2.n-helix.com\t\t\t\t\thttps://www.palantir.io/docs/foundry/ontologies/test-changes-in-ontology/\t\t\nhttp://datafoundry.com\t\t\t\nhttp://foundry2sdbl.dvr.dn2.n-helix.com\t\t\thttps://209-99-40-223.fwd.datafoundry.com\t\t\t\ndatafoundry.com", "modified": "2026-03-21T23:13:32.760000", "created": "2026-03-21T23:13:32.760000", "tags": [ "sc data", "data upload", "please sub", "include data", "extraction", "failed", "sc pulse", "idron anv", "extr please", "include review", "exclude sugges", "stop show", "typ domain", "united", "virtool", "name servers", "cryp", "emails", "win32", "ip address", "worm", "trojan", "learn", "suspicious", "informative", "ck id", "name tactics", "command", "adversaries", "spawns", "ssl certificate", "initial access", "link initial", "prefetch8", "mitre att", "ck matrix", "flag", "windows nt", "win64", "accept", "encrypt", "form", "hybrid", "bypass", "general", "path", "iframe", "click", "strings", "anchor https", "anchor", "liberal", "sabey", "liberal friends", "meta", "html internet", "html document", "unicode text", "utf8 text", "info initial", "access ta0001", "compromise", "t1189 network", "communication", "get http", "artifacts v", "full reports", "v get", "help dns", "resolutions", "ip traffic", "extr data", "enter sc", "extra data", "referen", "broth", "passive dns", "urls", "http", "hostname", "files domain", "files related", "related tags", "none google", "safe browsing", "inquest labs", "lucas acha", "code integrity", "checks creation", "otx logo", "all hostname", "files", "domain", "protect", "date", "title", "exchange", "se http", "present jan", "present feb", "present dec", "backdoor", "certificate", "all domain", "alibaba cloud", "hichina", "porkbun llc", "cloudflare", "namecheap inc", "namecheap", "domains", "dynadot llc", "ascio", "denmark", "url https", "filehashsha256", "url http", "dopple ai", "snit", "iocs", "otx description", "information", "report spam", "delete service", "poem", "hunter", "malicious", "porn revenge", "brian sabeys", "all report", "spam delete", "rl http", "https", "expiration http", "spam brian", "swipper", "type indicator", "role title", "added active", "related pulses", "filehashmd5", "filehashsha1", "sha256", "scan", "learn more", "indicators show", "tbmvid", "sourcelnms", "zx1724209326040", "xxx videos", "xxxvideohd", "adversary", "packing", "palantir.com", "discovery", "victim won case", "doin it", "palantirian abuse", "apple", "sabey data centers", "insurance", "quasi government", "the brother sabey", "reimer", "law enforcement", "vessel state", "sabey porn", "hall evans", "christopher ahmann", "defamation", "google" ], "references": [ "The Brothers Sabey \u2013 Conservatives with Liberal Friends \u2022 https://thebrotherssabey.com/", "http://watchhers.net/index.php", "http://212.33.237.86/images/1/report.php", "https://www.pornhub.com/gifs/search?search=tsara+lynn+brashears+lesbian", "https://webmail.police.govmm.org/owa/", "https://pks.wroclaw.sa.gov.pl:1443/ \u2022 portal.bialystok.sa.gov.pl", "https://tulach.cc/ phishing \u2022 45.32.112.220 scanning_host \u2022 45.76.79.215", "Mark Brian Sabey", "Melvin Sabey", "Christopher P \u2018Buzz\u2019 Ahmann", "Ronda Cordova", "Unknown Persons impersonating Private Investigators (plural)", "Quasi Government Case", "Victim silenced. Struck by Car Driven by male police let walk", "Denver Police let this attempted murder walk. Cited him as a ghost driver", "Make driver stuck victim with large vehicle after PT unknowingly reported original assault Jeffrey Reiner to Dora", "Sexual and Physical Assaulter - Jeffrey Scott Reimer", "Reimer was a PT. Unknown whereabouts , name or job description", "Denver Police Department Major Crimes closed investigation", "Investigation closed when Brian Sabey initiated a malicious prosecution case against Victim", "I bring up the personal nature of the crime because a delete service has been used", "More than 1000 IoC\u2019s including pulses have been ILLEGALLY removed", "All IoC\u2019s originate from sources named. There are some unknown attackers", "This is a serious crime. I\u2019m certain God WILL pay them.", "https://palantirwww.sweetheartvideo.com\t\t\tMar 21, 2026, 2:06:10 PM\t\t3\t domain\tpalantir.io\t\t\tMar 21, 2026, 2:06:10 PM\t\t34\t URL\thttps://www.palantir.io/docs/foundry/ontologies/test-changes-in-ontology/ \u2022 www.palantir.com", "http://palantirwww.sweetheartvideo.com/ (weirdness)", "http://foundry2-lbl.dvr.dn2.n-helix.com \u2022 https://foundry2-lbl.dvr.dn2.n-helix.com", "foundry2-lbl.dvr.dn2.n-helix.com\t\t\tMar 21, 2026, 2:06:10 PM\t\t29\t URL\thttps://www.palantir.io/docs/foundry/ontologies/test-changes-in-ontology/\t\t\tMar 21, 2026, 2:06:10 PM\t\t8\t URL\thttp://datafoundry.com\t\t\tMar 21, 2026, 2:06:10 PM\t\t9\t URL\thttp://foundry2sdbl.dvr.dn2.n-helix.com\t\t\tMar 21, 2026, 2:06:10 PM\t\t17\t URL\thttps://209-99-40-223.fwd.datafoundry.com\t\t\tMar 21, 2026, 2:06:10 PM\t\t27\t domain\tdatafoundry.com\t\t\tMar 21, 2026, 2:06:10 PM\t\t40\t hostname\t209-99-40-223.fwd.datafoundry.com\t\t\tMar 21, 2026, 2:06:1", "foundry2-lbl.dvr.dn2.n-helix.com\t\t\tMar 21, 2026, 2:06:10 PM\t\t29\t URL\thttps://www.palantir.io/docs/foundry/ontologies/test-changes-in-ontology/\t\t\tMar 21, 2026, 2:06:10 PM\t\t8\t URL\thttp://datafoundry.com\t\t\tMar 21, 2026, 2:06:10 PM\t\t9\t URL\thttp://foundry2sdbl.dvr.dn2.n-helix.com\t\t\tMar 21, 2026, 2:06:10 PM\t\t17\t URL\thttps://209-99-40-223.fwd.datafoundry.com\t\t\tMar 21, 2026, 2:06:10 PM\t\t27\t domain\tdatafoundry.com\t\t\tMar 21, 2026, 2:06:10 PM\t\t40\t hostname\t209-99-40-223.fwd.datafoundry.com\t\t\tMar 21, 2026, 2:06:1", "https://rdweb.datafoundry.com/RDWeb/Pages/en-US/login.aspx", "https://www.datafoundry.com/data-center-contamination-control/", "https://www.datafoundry.com/data-center-contamination-control/", "https://www.palantir.io/docs/foundry/ontologies/test-changes-in-ontology/", "http://foundry2-lbl.dvr.dn2.n-helix.com/", "https://207-207-25-201.fwd.datafoundry.com/", "http://datafoundry.com \u2022 http://foundry2sdbl.dvr.dn2.n-helix.com \u2022 https://209-99-40-223.fwd.datafoundry.com \u2022 datafoundry.com \u2022 209-99-40-223.fwd.datafoundry.com \u2022 beabetta.ifoundry.co.uk.s7b2.psmtp.com \u2022 foundry2sdbl.dvr.dn2.n-helix.com \u2022 fwd.datafoundry.com \u2022 207-207-25-154.fwd.datafoundry.com \u2022 207-207-25-156.fwd.datafoundry.com\t\t\t207-207-25-160.fwd.datafoundry.com \u2022 207-207-25-163.fwd.datafoundry.com \u2022\t207-207-25-164.fwd.datafoundry.com \u2022 207-207-25-165.fwd.datafoundry.com\t\t\tMar 21, 207-207-25-166.fwd", "http://datafoundry.com \u2022 https://209-99-40-223.fwd.datafoundry.com\tdatafoundry.com \u2022 209-99-40-223.fwd.datafoundry.com\t\t\tMar 21, 2026, 2:06:10 PM\t\t13\t hostname\tbeabetta.ifoundry.co.uk.s7b2.psmtp.com\t\t\tMar 21, 2026, 2:06:10 PM\t\t12\t hostname\tfoundry2sdbl.dvr.dn2.n-helix.com\t\t\tMar 21, 2026, 2:06:10 PM\t\t18\t hostname\tfwd.datafoundry.com\t\t\tMar 21, 2026, 2:06:10 PM\t\t8\t hostname\t207-207-25-154.fwd.datafoundry.com\t\t\tMar 21, 2026, 2:06:10 PM\t\t19\t hostname\t207-207-25-156.fwd.datafoundry.com\t\t\tMar 21, 2026, 2:06:1", "https://rdweb.datafoundry.com/", "https://www.palantir.io/docs/foundry/ontologies/test-changes-in-ontology/", "http://foundry2sdbl.dvr.dn2.n-helix.com/", "Updated | What\u2019s left after theft", "207-207-25-167.fwd.datafoundry.com \u2022 207-207-25-168.fwd.datafoundry.com \u2022 207-207-25-169.fwd.datafoundry.com", "207-207-25-170.fwd.datafoundry.com \u2022 207-207-25-171.fwd.datafoundry.com \u2022 207-207-25-201.fwd.datafoundry.com", "https://www.datafoundry.com/category/news/press-releases/ (Fake Press) abuse", "https://www.datafoundry.com/category/news/press-releases/", "207-207-25-209.fwd.datafoundry.com \u2022\t207-207-25-212.fwd.datafoundry.com \u2022 207-207-25-213.fwd.datafoundry.com \u2022 209-99-64-53.fwd.datafoundry.com", "209-99-69-91.fwd.datafoundry.com \u2022 dns1.datafoundry.com \u2022 dns2.datafoundry.com \u2022 rdweb.datafoundry.com", "www.go.datafoundry.com \u2022 http://207-207-25-209.fwd.datafoundry.com", "http://209-99-64-53.fwd.datafoundry.com \u2022 http://dns2.datafoundry.com \u2022 http://fwd.datafoundry.com", "http://pdns1.datafoundry.com/ \u2022\thttp://rdweb.datafoundry.com \u2022 http://rdweb.datafoundry.com/", "https://rdweb.datafoundry.com/ \u2022 http://www.datafoundry.com \u2022 https://207-207-25-163.fwd.datafoundry.com \u2022", "https://207-207-25-209.fwd.datafoundry.com \u2022 https://209-99-40-224.fwd.datafoundry.com/", "https://209-99-64-53.fwd.datafoundry.com \u2022 https://dns1.datafoundry.com \u2022 https://dns2.datafoundry.com \u2022 https://fwd.datafoundry.com", "Some may may find this content is very disturbing and offensive" ], "public": 1, "adversary": "", "targeted_countries": [], "malware_families": [ { "id": "Porn Revenge", "display_name": "Porn Revenge", "target": null }, { "id": "Tons of Malware", "display_name": "Tons of Malware", "target": null } ], "attack_ids": [ { "id": "T1041", "name": "Exfiltration Over C2 Channel", "display_name": "T1041 - Exfiltration Over C2 Channel" }, { "id": "T1057", "name": "Process Discovery", "display_name": "T1057 - Process Discovery" }, { "id": "T1071", "name": "Application Layer Protocol", "display_name": "T1071 - Application Layer Protocol" }, { "id": "T1105", "name": "Ingress Tool Transfer", "display_name": "T1105 - Ingress Tool Transfer" }, { "id": "T1132", "name": "Data Encoding", "display_name": "T1132 - Data Encoding" }, { "id": "T1140", "name": "Deobfuscate/Decode Files or Information", "display_name": "T1140 - Deobfuscate/Decode Files or Information" }, { "id": "T1189", "name": "Drive-by Compromise", "display_name": "T1189 - Drive-by Compromise" }, { "id": "T1553", "name": "Subvert Trust Controls", "display_name": "T1553 - Subvert Trust Controls" }, { "id": "T1566", "name": "Phishing", "display_name": "T1566 - Phishing" }, { "id": "T1568", "name": "Dynamic Resolution", "display_name": "T1568 - Dynamic Resolution" }, { "id": "T1583", "name": "Acquire Infrastructure", "display_name": "T1583 - Acquire Infrastructure" }, { "id": "T1583.001", "name": "Domains", "display_name": "T1583.001 - Domains" }, { "id": "T1553.002", "name": "Code Signing", "display_name": "T1553.002 - Code Signing" }, { "id": "T1132.001", "name": "Standard Encoding", "display_name": "T1132.001 - Standard Encoding" }, { "id": "T1071.001", "name": "Web Protocols", "display_name": "T1071.001 - Web Protocols" }, { "id": "T1568.002", "name": "Domain Generation Algorithms", "display_name": "T1568.002 - Domain Generation Algorithms" }, { "id": "T1071.004", "name": "DNS", "display_name": "T1071.004 - DNS" }, { "id": "T1113", "name": "Screen Capture", "display_name": "T1113 - Screen Capture" }, { "id": "T1027", "name": "Obfuscated Files or Information", "display_name": "T1027 - Obfuscated Files or Information" }, { "id": "T1036", "name": "Masquerading", "display_name": "T1036 - Masquerading" }, { "id": "T1045", "name": "Software Packing", "display_name": "T1045 - Software Packing" }, { "id": "T1055", "name": "Process Injection", "display_name": "T1055 - Process Injection" }, { "id": "T1059", "name": "Command and Scripting Interpreter", "display_name": "T1059 - Command and Scripting Interpreter" }, { "id": "T1060", "name": "Registry Run Keys / Startup Folder", "display_name": "T1060 - Registry Run Keys / Startup Folder" }, { "id": "T1070", "name": "Indicator Removal on Host", "display_name": "T1070 - Indicator Removal on Host" }, { "id": "T1082", "name": "System Information Discovery", "display_name": "T1082 - System Information Discovery" }, { "id": "T1083", "name": "File and Directory Discovery", "display_name": "T1083 - File and Directory Discovery" }, { "id": "T1106", "name": "Native API", "display_name": "T1106 - Native API" }, { "id": "T1125", "name": "Video Capture", "display_name": "T1125 - Video Capture" }, { "id": "T1129", "name": "Shared Modules", "display_name": "T1129 - Shared Modules" }, { "id": "T1143", "name": "Hidden Window", "display_name": "T1143 - Hidden Window" }, { "id": "T1176", "name": "Browser Extensions", "display_name": "T1176 - Browser Extensions" }, { "id": "T1449", "name": "Exploit SS7 to Redirect Phone Calls/SMS", "display_name": "T1449 - Exploit SS7 to Redirect Phone Calls/SMS" }, { "id": "T1495", "name": "Firmware Corruption", "display_name": "T1495 - Firmware Corruption" }, { "id": "T1546", "name": "Event Triggered Execution", "display_name": "T1546 - Event Triggered Execution" }, { "id": "T1587.001", "name": "Malware", "display_name": "T1587.001 - Malware" }, { "id": "T1608.001", "name": "Upload Malware", "display_name": "T1608.001 - Upload Malware" }, { "id": "T1457", "name": "Malicious Media Content", "display_name": "T1457 - Malicious Media Content" }, { "id": "T1586.001", "name": "Social Media Accounts", "display_name": "T1586.001 - Social Media Accounts" }, { "id": "T1593.001", "name": "Social Media", "display_name": "T1593.001 - Social Media" }, { "id": "T1068", "name": "Exploitation for Privilege Escalation", "display_name": "T1068 - Exploitation for Privilege Escalation" }, { "id": "T1080", "name": "Taint Shared Content", "display_name": "T1080 - Taint Shared Content" }, { "id": "T1190", "name": "Exploit Public-Facing Application", "display_name": "T1190 - Exploit Public-Facing Application" }, { "id": "T1472", "name": "Generate Fraudulent Advertising Revenue", "display_name": "T1472 - Generate Fraudulent Advertising Revenue" }, { "id": "T1586", "name": "Compromise Accounts", "display_name": "T1586 - Compromise Accounts" }, { "id": "T1059.002", "name": "AppleScript", "display_name": "T1059.002 - AppleScript" }, { "id": "T1456", "name": "Drive-by Compromise", "display_name": "T1456 - Drive-by Compromise" }, { "id": "T1210", "name": "Exploitation of Remote Services", "display_name": "T1210 - Exploitation of Remote Services" }, { "id": "T1583.005", "name": "Botnet", "display_name": "T1583.005 - Botnet" }, { "id": "T1584", "name": "Compromise Infrastructure", "display_name": "T1584 - Compromise Infrastructure" } ], "industries": [], "TLP": "white", "cloned_from": null, "export_count": 5, "upvotes_count": 0, "downvotes_count": 0, "votes_count": 0, "locked": false, "pulse_source": "web", "validator_count": 0, "comment_count": 0, "follower_count": 0, "vote": 0, "author": { "username": "Q.Vashti", "id": "337942", "avatar_url": "https://otx.alienvault.com/assets/images/default-avatar.png", "is_subscribed": false, "is_following": false }, "indicator_type_counts": { "URL": 6034, "domain": 1422, "IPv4": 883, "FileHash-MD5": 274, "FileHash-SHA1": 252, "FileHash-SHA256": 3378, "email": 11, "hostname": 2753, "CVE": 1, "SSLCertFingerprint": 9, "IPv6": 32 }, "indicator_count": 15049, "is_author": false, "is_subscribing": null, "subscriber_count": 140, "modified_text": "28 days ago ", "is_modified": false, "groups": [], "in_group": false, "threat_hunter_scannable": true, "threat_hunter_has_agents": 1, "related_indicator_type": "URL", "related_indicator_is_active": 1 }, { "id": "692f23547b713b128b9c8156", "name": "Indicator Deletion Attack | Chris P. Ahmann Esq still utilizes parking crews to execute cyber attacks", "description": "Unable to open malware indicators at this time. These attackers use Parking Crews for their exploits, leasing parked domains for the amount of time needed to execute an attack. The attack last predate me ever using Level Blue. I have to review indicators reports more closely but, I do see a the multitude of attacks against target TLB and an intersection of attacks concerning Disable_Duck (Alberta) Chris Ahmann , Colorado government indicated. \n\n[OTX auto populated - Adversaries may use techniques to evade detection in their malware or tools, as well as using techniques such as code signing, encryption, and other techniques for avoiding detection and monitoring of their activities.]", "modified": "2026-01-01T17:01:48.163000", "created": "2025-12-02T17:35:15.203000", "tags": [ "data upload", "extraction", "failed", "learn", "ck id", "name tactics", "suspicious", "informative", "adversaries", "command", "defense evasion", "spawns", "development att", "united", "flag", "poland poland", "windir", "openurl c", "prefetch2", "analysis", "tor analysis", "dns requests", "domain address", "mitre att", "ck matrix", "pattern match", "ascii text", "show process", "network traffic", "t1057", "general", "local", "path", "encrypt", "hosts ip", "details", "ssl certificate", "sha256", "sha1", "size", "unicode text", "crlf", "utf8", "lf line", "server", "command decode", "markmonitor", "amazon", "ltd dba", "com laude", "organization", "click", "show technique", "brand", "microsoft edge", "windows nt", "win64", "khtml", "gecko", "submitted", "prefetch1", "name server", "misc attack", "et tor", "known tor", "relayrouter", "contacted hosts", "google", "pornhub", "ip address", "t1480 execution", "file defense", "passive dns", "related nids", "urls", "files location", "flag united" ], "references": [ "deploy-delete-app-us-east-2-1.deploy-delete-test-us-east-2-1mtsufd.us-east-2.gamma.forgeapps.ec2.aws.dev", "Amazon.com \u2022 Google.com \u2022YouTube.com, Apple.com , etc Exploited", "cloudendpointsapis.com \u2022 https://www.vgt.pl/style/style.css \u2022 ceidg.gov.pl", "pl.wikipedia.org \u2022 fontawesome.io \u2022 opensource.org \u2022 videojet.com", "https://discoverreceiver.gurus.vmicrosoft.com/ \u2022 account.live.com \u2022 acctcdn.msauth.net", "https://www.milehighmedia.com/legal/2257", "https://www.pornhub.com/gifs/search?search=tsara+lynn+brashears+lesbian", "https://twitter.com/PORNO_SEXYBABES", "http://www.anyxxxtube.net/search-porn/tsara-brashears", "https://wallpapers-nature.com/tsara-brashears/urlscan-io", "http://www.anyxxxtube.net/search-porn/tsara-brashears-denies-jeffrey-scott-reimer-sex", "http://www.anyxxxtube.net/search-porn/tsara-brashears/", "https://wallpapers-nature.com/tsara-brashears/tse1-mm-bing-net \u2022 wallpapers-nature.com", "https://www.pornhub.com/gifs/search?search=tsara+lynn+brashears+lesbian \u2022", "https://wallpapers-nature.com/ tsara-brashears/urlscan-io", "https://wallpapers-nature.com/%20tsara-brashears/urlscan-io", "http://aplikacja.ceidg.gov.pl/CEIDG/CEIDG.Public.UI/EntryChangeHistory.Id=7a025cc6", "(Delete app that removed YoiTube views) www.youtube.com/watch?v=GyuMozsVyYs", "http://watchhers.net/index.php", "everesttech.net \u2022 aws.amazon.com \u2022 cm.everesttech.net \u2022 dpm.demdex.net \u2022 s3.amazonaws.com" ], "public": 1, "adversary": "", "targeted_countries": [], "malware_families": [ { "id": "CVE-2023-22518", "display_name": "CVE-2023-22518", "target": null }, { "id": "Other Malware", "display_name": "Other Malware", "target": null } ], "attack_ids": [ { "id": "T1027", "name": "Obfuscated Files or Information", "display_name": "T1027 - Obfuscated Files or Information" }, { "id": "T1057", "name": "Process Discovery", "display_name": "T1057 - Process Discovery" }, { "id": "T1069", "name": "Permission Groups Discovery", "display_name": "T1069 - Permission Groups Discovery" }, { "id": "T1071", "name": "Application Layer Protocol", "display_name": "T1071 - Application Layer Protocol" }, { "id": "T1105", "name": "Ingress Tool Transfer", "display_name": "T1105 - Ingress Tool Transfer" }, { "id": "T1480", "name": "Execution Guardrails", "display_name": "T1480 - Execution Guardrails" }, { "id": "T1539", "name": "Steal Web Session Cookie", "display_name": "T1539 - Steal Web Session Cookie" }, { "id": "T1553", "name": "Subvert Trust Controls", "display_name": "T1553 - Subvert Trust Controls" }, { "id": "T1562", "name": "Impair Defenses", "display_name": "T1562 - Impair Defenses" }, { "id": "T1568", "name": "Dynamic Resolution", "display_name": "T1568 - Dynamic Resolution" }, { "id": "T1583", "name": "Acquire Infrastructure", "display_name": "T1583 - Acquire Infrastructure" }, { "id": "T1140", "name": "Deobfuscate/Decode Files or Information", "display_name": "T1140 - Deobfuscate/Decode Files or Information" }, { "id": "T1518", "name": "Software Discovery", "display_name": "T1518 - Software Discovery" } ], "industries": [], "TLP": "green", "cloned_from": null, "export_count": 2, "upvotes_count": 0, "downvotes_count": 0, "votes_count": 0, "locked": false, "pulse_source": "web", "validator_count": 0, "comment_count": 0, "follower_count": 0, "vote": 0, "author": { "username": "Q.Vashti", "id": "337942", "avatar_url": "https://otx.alienvault.com/assets/images/default-avatar.png", "is_subscribed": false, "is_following": false }, "indicator_type_counts": { "hostname": 1358, "FileHash-MD5": 100, "FileHash-SHA1": 102, "FileHash-SHA256": 1682, "URL": 2497, "CVE": 2, "domain": 400, "SSLCertFingerprint": 6, "email": 3 }, "indicator_count": 6150, "is_author": false, "is_subscribing": null, "subscriber_count": 138, "modified_text": "107 days ago ", "is_modified": true, "groups": [], "in_group": false, "threat_hunter_scannable": true, "threat_hunter_has_agents": 1, "related_indicator_type": "URL", "related_indicator_is_active": 1 }, { "id": "690e8b773dc39921d88abd44", "name": "Nanocore - Affected", "description": "- wmsspacer.gif\n| Photography: WMSspacer.gif, |[wmstransparent.org,]\n* YARA Detections : \nDotNET_Reactor\nSystem.Security.Cryptography.AesCryptoServiceProvider\nSystem.Security.Cryptography\nSystem.Security.Cryptography ~\nI CryptoTransform |\n Wmsspacer, i.g.sg.js..png.com, on-screen.|", "modified": "2025-12-07T23:02:29.645000", "created": "2025-11-08T00:14:47.600000", "tags": [ "hgnvastlaiz", "read c", "medium", "rgba", "memcommit", "delete", "png image", "unicode", "dock", "execution", "malware", "crlf line", "speichermedium", "productversion", "fileversion", "engine dll", "internalname", "einstellungen", "comodo ca", "limited st", "yara detections", "next pe", "eula", "policy", "direct", "opencandy", "suspicious_write_exe", "network_icmp", "process_martian", "present jun", "present jul", "domain", "united", "ip address", "unknown ns", "ms windows", "intel", "verisign", "time stamping", "unknown", "class", "write", "markus", "temple", "msie", "windows nt", "get http", "lehash", "av detections", "ids detections", "alerts", "file score", "low risk", "compromised_site_redirector_fromcharcode", "present aug", "passive dns", "all ipv4", "urls", "files", "hosting", "america flag", "win32", "ipv4 add", "signed file, valid signature. revoked.", "united states", "pws", "atros", "fiha", "search", "entries", "present oct", "next associated", "show", "high", "wow64", "slcc2", "next", "domain add", "poland", "poland unknown", "ipv4", "location poland", "poland asn", "et policy", "pe exe", "dll windows", "amazon s3", "location united", "associated urls", "date checked", "url hostname", "server response", "google safe", "results feb", "nanocore", "url add", "http", "related nids", "files location", "flag united", "malicious image", "files domain", "files related", "pulses otx", "related tags", "resources whois", "virustotal", "present sep", "status", "present nov", "present mar", "trojan", "script script", "div div", "link", "a li", "meta", "sweden", "invalid url", "head title", "title head", "reference", "bad request", "server", "netherlands", "creation date", "date", "running server", "ahmann", "christopher", "p", "tam", "legal", "treece", "alfrey", "muscat", "adversaries", "cyber crime", "quasi", "government" ], "references": [ "wmsspacer.gif : 548f2d6f4d0d820c6c5ffbeffcbd7f0e73193e2932eefe542accc84762deec87", "ceidg.gov.pl \u2022 https://www.csrc.gov.cn.lxcvc.com/ \u2022 www.alt.krasnopil-silrada.gov.ua", "http://www.mof.gov.cn.lxcvc.com/ \u2022 http://www.mohurd.gov.cn.lxcvc.com/ \u2022", "www.opencandy.com", "http://www.opencandy.com/privacy \u2022 http://www.opencandy.com/privacy-policy. \u2022 license@opencandy.com \u2022", "Yara Detections : compromised_site_redirector_fromcharcode", "Matches rule: skip20_sqllang_hook from ruleset skip20_sqllang_hook by Mathieu Tartare ", "Matches rule Adobe_XMP_Identifier from ruleset Adobe_XMP_Identifier by InQuest Labs", "http://pcoptimizerpro.com/eula.aspx \u2022 http://www.pcoptimizerpro.com/privacypolicy.aspx", "pcoptimizerpro.com \u2022 www.pcoptimizerpro.com", "PE EXE UpdatesDll.dll : 69081ab853021bd28bf7fb1eb4eac3199623c8ed413589e6f3898806a15f0f23", "YARA: DotNET_Reactor System.Security.Cryptography.AesCryptoServiceProvider System.Security.Cryptography System.Security.Cryptography ICryptoTransform", "https://img.fkcdn.com/image/kg8avm80/mobile/j/f/9/apple-iphone-12-dummyapplefsn-200x200-imafwg8dkyh2zgrh.jpeg", "https://heavyfetish.com/search/CHEESE-PIZZA-porn/" ], "public": 1, "adversary": "", "targeted_countries": [ "United States of America" ], "malware_families": [ { "id": "Win.Trojan.Nanocore-5", "display_name": "Win.Trojan.Nanocore-5", "target": null }, { "id": "Win.Trojan.Adinstall-2", "display_name": "Win.Trojan.Adinstall-2", "target": null }, { "id": "PSW.Generic13", "display_name": "PSW.Generic13", "target": null }, { "id": "Atros.UPK", "display_name": "Atros.UPK", "target": null }, { "id": "Luhe.Fiha.A", "display_name": "Luhe.Fiha.A", "target": null }, { "id": "Pua.Optimizerpro/PCOptimizerPro", "display_name": "Pua.Optimizerpro/PCOptimizerPro", "target": null } ], "attack_ids": [ { "id": "T1140", "name": "Deobfuscate/Decode Files or Information", "display_name": "T1140 - Deobfuscate/Decode Files or Information" }, { "id": "T1053", "name": "Scheduled Task/Job", "display_name": "T1053 - Scheduled Task/Job" }, { "id": "T1055", "name": "Process Injection", "display_name": "T1055 - Process Injection" }, { "id": "T1082", "name": "System Information Discovery", "display_name": "T1082 - System Information Discovery" }, { "id": "T1119", "name": "Automated Collection", "display_name": "T1119 - Automated Collection" }, { "id": "T1129", "name": "Shared Modules", "display_name": "T1129 - Shared Modules" }, { "id": "T1143", "name": "Hidden Window", "display_name": "T1143 - Hidden Window" }, { "id": "T1102", "name": "Web Service", "display_name": "T1102 - Web Service" }, { "id": "T1491.001", "name": "Internal Defacement", "display_name": "T1491.001 - Internal Defacement" }, { "id": "T1204.003", "name": "Malicious Image", "display_name": "T1204.003 - Malicious Image" } ], "industries": [], "TLP": "white", "cloned_from": null, "export_count": 12, "upvotes_count": 0, "downvotes_count": 0, "votes_count": 0, "locked": false, "pulse_source": "web", "validator_count": 0, "comment_count": 1, "follower_count": 0, "vote": 0, "author": { "username": "Q.Vashti", "id": "337942", "avatar_url": "https://otx.alienvault.com/assets/images/default-avatar.png", "is_subscribed": false, "is_following": false }, "indicator_type_counts": { "FileHash-MD5": 753, "FileHash-SHA1": 622, "FileHash-SHA256": 4336, "URL": 2448, "domain": 300, "hostname": 788, "CVE": 1, "email": 4 }, "indicator_count": 9252, "is_author": false, "is_subscribing": null, "subscriber_count": 138, "modified_text": "132 days ago ", "is_modified": true, "groups": [], "in_group": false, "threat_hunter_scannable": true, "threat_hunter_has_agents": 1, "related_indicator_type": "URL", "related_indicator_is_active": 1 } ], "error": null, "vt": { "error": "VirusTotal rate limit reached. Try again shortly.", "indicator": "https://git.port404.ru", "type": "URL" }, "abuseipdb": null, "urlhaus": { "indicator": "https://git.port404.ru", "type": "URL", "found": false, "verdict": "clean", "error": null }, "from_cache": true, "_cached_at": 1776607129.3031514 }