{ "type": "URL", "indicator": "https://git.spywarewatchdog.org", "general": { "sections": [ "general", "url_list", "http_scans", "screenshot" ], "indicator": "https://git.spywarewatchdog.org", "type": "url", "type_title": "URL", "validation": [], "base_indicator": { "id": 3154042173, "indicator": "https://git.spywarewatchdog.org", "type": "URL", "title": "", "description": "", "content": "", "access_type": "public", "access_reason": "" }, "pulse_info": { "count": 40, "pulses": [ { "id": "69b49ad5dd40a24d83cd6a72", "name": "Chris P. Ahmann \u2022 PRIVATE PROPERTY Colorado State Fixer!", "description": "", "modified": "2026-03-13T23:16:37.716000", "created": "2026-03-13T23:16:37.716000", "tags": [ "related pulses", "p1377925676", "gaz1", "sid1696503456", "sct1", "active", "dynamicloader", "medium", "write c", "search", "show", "high", "program gateway", "http traffic", "http", "write", "malware", "nivdort", "serving ip", "address", "status code", "kb body", "sha256", "gw5hjz7t975", "url https", "url http", "indicator role", "pulses url", "hostname", "poland unknown", "present sep", "present jul", "present may", "present apr", "present dec", "present jan", "moved", "passive dns", "ip address", "title", "location poland", "asn as29522", "gmt content", "accept encoding", "ipv4 add", "urls", "files", "reverse dns", "united", "record value", "aaaa", "mtb oct", "found", "error", "read c", "memcommit", "module load", "next", "showing", "trojan", "execution", "unknown", "entries", "ms windows", "intel", "as15169", "codeoverlap", "yara detections", "delphi", "worm", "win32", "win64", "learn", "ck id", "name tactics", "suspicious", "informative", "adversaries", "command", "spawns", "ssl certificate", "execution att", "script urls", "treece alfrey", "meta", "germany unknown", "for privacy", "title added", "active related", "pulses", "asnone", "named pipe", "type indicator", "role title", "added active", "filehashsha256", "ally", "melika", "information", "law christopher", "https", "fake pinterest", "tsara", "traceback man", "expiro", "capture", "domain", "types of", "germany", "poland", "netherlands", "cve cve20178977", "boobs130432 nov", "learn more", "filehashmd5", "utmsourceawin", "pe32", "head microsoft", "delete", "main", "backdoor", "next associated", "gmt connection", "control", "content type", "twitter", "certificate", "redirect date", "cache", "unknown ns", "hostname add", "ipv4", "pulse pulses", "location united", "america flag", "america asn", "windows", "total", "ids detections", "url add", "related nids", "files location", "flag united", "win32mydoom nov", "domain add", "yara rule", "ee fc", "ff d5", "f0 ff", "eb e1", "ff ff", "c1 e8", "c1 c0", "eb e8", "mpress", "cache control", "x cache", "date", "name servers", "arial", "present aug", "present jun", "may god", "hall render", "palantir doing", "jeffrey scott", "jeffrey reimer", "brian sabey", "butt pirates", "scott reimer", "colorado", "quasi government", "workers compensation", "eva lisa", "eva reimer", "sammie", "montano mark", "death threats", "tulach", "hired hit men", "gay man", "gay porn", "concentra", "corruption", "palantir", "foundry", "grifter", "warning", "illegal", "apple", "contacted", "ransom", "dead", "denver" ], "references": [ "https://tamlegal.com/attorneys/christopher-p-ahmann/#breadcrumb \u2022 https://www.milehighmedia.com/en/movies", "https://www.milehighmedia.com/legal/2257 \u2022 https://www.milehighmedia", "www.milehighmedia.com \u2022 https://www.milehighmedia.com/en/Charlie-Dean/pornstar/49512", "https://www.milehighmedia.com/en/login/index/aHR0cHMlM0ElMkYlMkZtZW1iZXJzLm1pbGVoaWdobWVkaWEuY29tJTJGZW4lMkZ2aWRlb3MlMkZzd2VldGhlYXJ0dmlkZW8lM0ZhbHVwJTNEQURqeF9ITjhfd1oweU96UnpsU3NNNUZLaVVxSzBXNEN0X3NmTFpKTGVJc3M2b0RVUzkwVmp6VllNVko5eFpmdENYcFNKd3IzOTNaMG1mOEpXeVhVeVZpLTJZYVRsaGd3M25DSDRpYnRwZ25BRC1zUFhDQVUycjZJOXo2WWtRMzNVWVFhMFZyWC1YckxvcnRkVjJZdEgxSDYxZ1lhMTFNS3RZSkEzY3FlSXhFQzhtSlAzSk1tbloySURMQXlMZndPcHozSFFiTzF4T0FseXJIQ0xYem1ldFElMkE=\t \thttp://www.milehighmedia.com/?ats=eyJhIjoyOTYzMTgsImMiOjU3OTYzNz", "http://www.milehighmedia.com/legal\t \u2022 https://www.milehighmedia.com/en/pornstar/milehighmedia/Justin-Hunt/51017", "https://www.milehighmedia.com/de/MileHighMedia/scene/129689?utm_source=271174&utm_medium=affiliate&utm_campaign=", "http://www.milehighmedia.com/?ats=eyJhIjoyOTYzMTgsImMiOjU3OTYzNzc1LCJuIjo3NiwicyI6NT...", "ttps://www.milehighmedia.com/scene/4404473/creampie-adventures-scene-2-sneaky-melanie", "https://www.milehighmedia.com/join \u2022 https://www.milehighmedia.com/models \u2022 https://www.milehighmedia.com/movies", "https://www.milehighmedia.com/model/59136/avi-love \u2022https://www.milehighmedia.com/model/60418/Justin-Hunt \u2022", "https://www.milehighmedia.com/en/photo/milehighmedia/The-Mother-I-Cant-Resist/52380", "https://www.milehighmedia.com/en/movies \u2022 https://www.milehighmedia.com/join", "https://www.pornhub.com/gifs/search?search=tsara+lynn+brashears+lesbian", "pornhub-e.com \u2022 www.pornhub.com \u2022", "https://www.sweetheartvideo.com/tsara-brashears/ \u2022 www.sweetheartvideo.com", "https://www.sweetheartvideo.com/en/?s=1?s=1&utm_source=272160&utm_medium=affiliate&utm_campaign=lovelezzies", "https://www.sweetheartvideo.com/en/dvd/Lesbian-Massage/49895", "https://www.sweetheartvideo.com/en/dvds \u2022 https://www.sweetheartvideo.com/en/login", "https://www.sweetheartvideo.com/en/model/Mona-Wales/49601 \u2022 https://www.sweetheartvideo.com/en/scene/Truth-Dare--Boobs/130432 No Expiration\t0\t URL https://www.sweetheartvideo.com/it/model/Kristen-Scott/50432 \u2022 https://www.sweetheartvideo.com/model/63710/brandi-love", "https://www.sweetheartvideo.com/scenes?models=63710", "https://www.sweetheartvideo.com/model/63710/brandi-love", "https://www.sweetheartvideo.com/scenes?models=63710", "https://www.sweetheartvideo.com/it/model/Kristen-Scott/50432", "https://www.sweetheartvideo.com/en/scene/Truth-Dare--Boobs/130432", "https://www.milehighmedia.com/en/photo/milehighmedia/The-Mother-I-Cant-Resist/52380", "https://www.vgt.pl/font/roboto/Roboto-Bold.eot \u2022", "https://www.vgt.pl/94.152.152.233/images/logo.png", "https://www.vgt.pl/94.152.156.22/logo.png \u2022 https://www.vgt.pl/css/", "https://www.vgt.pl/favicon.ico", "https://www.vgt.pl/font/fa/fontawesome-webfont.eot", "https://www.vgt.pl/font/roboto/Roboto-Bold.ttf \u2022 https://www.vgt.pl/font/roboto/Roboto-Light.eot", "https://www.vgt.pl/font/roboto/Roboto-Medium.ttf", "https://www.vgt.pl/font/roboto/Roboto-Light.ttf \u2022", "https://www.vgt.pl/static/js/bootstrap-typeahead.jstic/js/bootstrap-typeahead.js", "https://www.vgt.pl/style/style.css \u2022 https://www.vgt.pl/font/roboto/Roboto-Medium.eot", "https://www.vgt.pl/font/roboto/Roboto-Regular.ttf \u2022 https://www.vgt.pl/font/roboto/Roboto-Thin.eot", "https://www.vgt.pl/static/js/bootstrap-typeahead.js.179.252.2", "https://www.vgt.pl/font/roboto/Roboto-Thin.ttf \u2022 https://www.vgt.pl/static/js/bootstrap-typeahead.js", "https://www.vgt.pl/font/roboto/Roboto-Regular.eot \u2022 https://www.vgt.pl/94.152.156.22/logo.png \u2022 https://www.vgt.pl/css/", "vgt.pl \u2022 www.hak.vgt.pl \u2022 www.localhost.vgt.pl \u2022 www.certyfikat.vgt.pl \u2022 aristocrat.vgt.pl", "https://www.vgt.pl/ phishing \u2022 https://vgt.pl/ \u2022www.vgt.pl \u2022 https://www.vgt.pl/94.152.152.233/images/logo.png", "http://www.pornokind.vgt.pl \u2022 https://dbkuewww.m.vgt.pl \u2022 https://lokalnyhost.vgt.pl \u2022 www.xn--twj-hna.pedofil.vgt.pl", "http://www.hak.vgt.pl \u2022 http://pornokind.vgt.pl \u2022 http://sip.vgt.pl \u2022 http://smtp-qa.vgt.pl \u2022 http://vgt.pl/*.", "https://pornokind.vgt.pl \u2022 https://sip.vgt.pl \u2022 https://smtp-qa.vgt.pl \u2022 https://www.vgt.pl/94.152.156.22/logo.png", "www.localhost.vgt.pl \u2022 www.certyfikat.vgt.pl \u2022 https://www.vgt.pl/94.152.152.233/images/logo.png", "https://www.vgt.pl/css/ \u2022 https://www.vgt.pl/favicon.ico \u2022 https://www.vgt.pl/font/fa/fontawesome-webfont.eot", "https://www.vgt.pl/font/roboto/Roboto-Bold.eot \u2022 https://www.vgt.pl/font/roboto/Roboto-Bold.ttf \u2022 https://www.vgt.pl/font/roboto/Roboto-Light.eot", "https://www.vgt.pl/static/js/bootstrap-typeahead.jstic/js/bootstrap-typeahead.js", "https://www.vgt.pl/style/style.css \u2022 https://www.vgt.pl/static/js/bootstrap-typeahead.js", "IP Address 94.152.58.192 Location Poland ASN AS29522 h88 s.a. Nameservers ns1.kei.pl. , ns2.kei.pl.", "www.happylifehappywife.com \u2022 http://www.happylifehappywife.com/2010/02/'>", "http://www.happylifehappywife.com/2010/04/'> \u2022 http://www.happylifehappywife.com/2010/05/'>", "http://www.happylifehappywife.com/2010/07/'> \u2022 http://www.happylifehappywife.com/2010/09/'>", "http://www.happylifehappywife.com/2011/06/'> \u2022 http://www.happylifehappywife.com/2011/08/'", "http://www.happylifehappywife.com/2011/08/'> \u2022 http://www.happylifehappywife.com/2012/07/'>", "http://www.happylifehappywife.com/2013/03/'> \u2022 http://www.happylifehappywife.com/index.php", "http://www.happylifehappywife.com/wp-content/themes/theme78222/images/top-right.jpg", "https://amp.mypornvid.fun/videos/8/AhxS-ej1myg/gf-18-com/\ud83c\udf81-i39m-your-present-\ud83c\udf81-girlfriend-surprises-you-for-christmas-reunion-soft-kisses-amp-cuddles", "8-25-220-162-static.reverse.queryfoundry.net\t\t\tNov 1, 2025, 9:34:14 AM\t\t5\t domain\tqueryfoundry.net\t\t\tNov 1, 2025, 9:34:14 AM\t\t8\t URL\thttp://117-114-251-162-static.reverse.queryfoundry.net/", "http://watchhers.net/index.php", "remotewd.com device local", "nr-data.net \u2022 applemusic-spotlight.myunidays.com \u2022 init.ess.apple.com \u2022 tv.apple.com", "https://browntubeporn.com/tsara-brashearsAccept-Language", "https://cg864.myhotzpic.com phishing \u2022 http://dashboard.myhotzpic.com/", "https://myhotzpic.com/tsara-brashears-hardcore-lesbian-sex/anime-studio.org*thumbs-fa...", "https://mypornvid.com/videos/27/x510fb2/white-dpt-jeffrey-reimer-loves-pretty-indian-patient-forces-sex-3gp-video-tsara-brashears/caillou-finger", "http://siteinlink.d1.cnbd.net/search/tsara-brashears-dead \u2022 http://siteinlink.d1.cnbd.net/site/maps.google.com.lb/", "http://siteinlink.d1.cnbd.net/search/tsara-brashears-assaulted-by-jeffrey-reimer", "http://siteinlink.d1.cnbd.net/search/tsara-brashears-dead \u2022 https://videolal.com/videos/tsara-brashears-dead-by-daylight.html", "http://pixelrz.com/lists/keywords/tsara-brashears-dead/360 \u2022 http://pixelrz.com/lists/keywords/tsara-brashears-dead/360] No Expiration\t4\t Domain tsara-brashears-deadspin-twitter-suspended-account-help.ht", "https://www.anyxxxtube.net/search-porn/tsara-brashears/", "https://www.pornhub.com/gifs/search?search=tsara+lynn+brashears+lesbian", "https://www.anyxxxtube.net/search-porn/tsara-brashears/", "https://twitter.com/PORNO_SEXYBABES \u2022 girlsdoporn.com", "Treece Alfrey Musat P.C. Attorneys at Law Christopher P. Ahmann | https://TamLegal.com", "https://urlscan.io/screenshots/e931bb02-80dc-46db-92f0-43d5afa258be.png" ], "public": 1, "adversary": "", "targeted_countries": [], "malware_families": [ { "id": "TrojanSpy:Win32/Nivdort", "display_name": "TrojanSpy:Win32/Nivdort", "target": "/malware/TrojanSpy:Win32/Nivdort" }, { "id": "Worm:Win32/Autorun", "display_name": "Worm:Win32/Autorun", "target": "/malware/Worm:Win32/Autorun" }, { "id": "Tofsee", "display_name": "Tofsee", "target": null }, { "id": "Jaik", "display_name": "Jaik", "target": null }, { "id": "Trojan:Win32/Qshell", "display_name": "Trojan:Win32/Qshell", "target": "/malware/Trojan:Win32/Qshell" }, { "id": "Trojan:Win32/Mydoom", "display_name": "Trojan:Win32/Mydoom", "target": "/malware/Trojan:Win32/Mydoom" } ], "attack_ids": [ { "id": "T1045", "name": "Software Packing", "display_name": "T1045 - Software Packing" }, { "id": "T1057", "name": "Process Discovery", "display_name": "T1057 - Process Discovery" }, { "id": "T1060", "name": "Registry Run Keys / Startup Folder", "display_name": "T1060 - Registry Run Keys / Startup Folder" }, { "id": "T1053", "name": "Scheduled Task/Job", "display_name": "T1053 - Scheduled Task/Job" }, { "id": "T1055", "name": "Process Injection", "display_name": "T1055 - Process Injection" }, { "id": "T1082", "name": "System Information Discovery", "display_name": "T1082 - System Information Discovery" }, { "id": "T1112", "name": "Modify Registry", "display_name": "T1112 - Modify Registry" }, { "id": "T1119", "name": "Automated Collection", "display_name": "T1119 - Automated Collection" }, { "id": "T1129", "name": "Shared Modules", "display_name": "T1129 - Shared Modules" }, { "id": "T1143", "name": "Hidden Window", "display_name": "T1143 - Hidden Window" }, { "id": "T1063", "name": "Security Software Discovery", "display_name": "T1063 - Security Software Discovery" }, { "id": "T1027", "name": "Obfuscated Files or Information", "display_name": "T1027 - Obfuscated Files or Information" }, { "id": "T1071", "name": "Application Layer Protocol", "display_name": "T1071 - Application Layer Protocol" }, { "id": "T1518", "name": "Software Discovery", "display_name": "T1518 - Software Discovery" }, { "id": "T1553", "name": "Subvert Trust Controls", "display_name": "T1553 - Subvert Trust Controls" }, { "id": "T1568", "name": "Dynamic Resolution", "display_name": "T1568 - Dynamic Resolution" }, { "id": "T1583", "name": "Acquire Infrastructure", "display_name": "T1583 - Acquire Infrastructure" }, { "id": "T1069", "name": "Permission Groups Discovery", "display_name": "T1069 - Permission Groups Discovery" }, { "id": "T1105", "name": "Ingress Tool Transfer", "display_name": "T1105 - Ingress Tool Transfer" }, { "id": "T1113", "name": "Screen Capture", "display_name": "T1113 - Screen Capture" }, { "id": "T1140", "name": "Deobfuscate/Decode Files or Information", "display_name": "T1140 - Deobfuscate/Decode Files or Information" }, { "id": "T1197", "name": "BITS Jobs", "display_name": "T1197 - BITS Jobs" }, { "id": "T1210", "name": "Exploitation of Remote Services", "display_name": "T1210 - Exploitation of Remote Services" }, { "id": "T1457", "name": "Malicious Media Content", "display_name": "T1457 - Malicious Media Content" }, { "id": "T1480", "name": "Execution Guardrails", "display_name": "T1480 - Execution Guardrails" }, { "id": "T1562", "name": "Impair Defenses", "display_name": "T1562 - Impair Defenses" }, { "id": "T1574", "name": "Hijack Execution Flow", "display_name": "T1574 - Hijack Execution Flow" } ], "industries": [], "TLP": "green", "cloned_from": "69631fbd16e306ee2b76c4da", "export_count": 0, "upvotes_count": 0, "downvotes_count": 0, "votes_count": 0, "locked": false, "pulse_source": "web", "validator_count": 0, "comment_count": 1, "follower_count": 0, "vote": 0, "author": { "username": "Q.Vashti", "id": "337942", "avatar_url": "https://otx.alienvault.com/assets/images/default-avatar.png", "is_subscribed": false, "is_following": false }, "indicator_type_counts": { "URL": 8897, "domain": 2102, "hostname": 2867, "FileHash-SHA256": 3886, "FileHash-MD5": 619, "FileHash-SHA1": 555, "CVE": 3, "email": 5, "SSLCertFingerprint": 8 }, "indicator_count": 18942, "is_author": false, "is_subscribing": null, "subscriber_count": 137, "modified_text": "36 days ago ", "is_modified": false, "groups": [], "in_group": false, "threat_hunter_scannable": true, "threat_hunter_has_agents": 1, "related_indicator_type": "URL", "related_indicator_is_active": 1 }, { "id": "69b496396ca4987e95ad37d1", "name": "Chris Buzz by QVashni (wow)", "description": "", "modified": "2026-03-13T22:56:57.314000", "created": "2026-03-13T22:56:57.314000", "tags": [ "related pulses", "p1377925676", "gaz1", "sid1696503456", "sct1", "active", "dynamicloader", "medium", "write c", "search", "show", "high", "program gateway", "http traffic", "http", "write", "malware", "nivdort", "serving ip", "address", "status code", "kb body", "sha256", "gw5hjz7t975", "url https", "url http", "indicator role", "pulses url", "hostname", "poland unknown", "present sep", "present jul", "present may", "present apr", "present dec", "present jan", "moved", "passive dns", "ip address", "title", "location poland", "asn as29522", "gmt content", "accept encoding", "ipv4 add", "urls", "files", "reverse dns", "united", "record value", "aaaa", "mtb oct", "found", "error", "read c", "memcommit", "module load", "next", "showing", "trojan", "execution", "unknown", "entries", "ms windows", "intel", "as15169", "codeoverlap", "yara detections", "delphi", "worm", "win32", "win64", "learn", "ck id", "name tactics", "suspicious", "informative", "adversaries", "command", "spawns", "ssl certificate", "execution att", "script urls", "treece alfrey", "meta", "germany unknown", "for privacy", "title added", "active related", "pulses", "asnone", "named pipe", "type indicator", "role title", "added active", "filehashsha256", "ally", "melika", "information", "law christopher", "https", "fake pinterest", "tsara", "traceback man", "expiro", "capture", "domain", "types of", "germany", "poland", "netherlands", "cve cve20178977", "boobs130432 nov", "learn more", "filehashmd5", "utmsourceawin", "pe32", "head microsoft", "delete", "main", "backdoor", "next associated", "gmt connection", "control", "content type", "twitter", "certificate", "redirect date", "cache", "unknown ns", "hostname add", "ipv4", "pulse pulses", "location united", "america flag", "america asn", "windows", "total", "ids detections", "url add", "related nids", "files location", "flag united", "win32mydoom nov", "domain add", "yara rule", "ee fc", "ff d5", "f0 ff", "eb e1", "ff ff", "c1 e8", "c1 c0", "eb e8", "mpress", "cache control", "x cache", "date", "name servers", "arial", "present aug", "present jun", "may god", "hall render", "palantir doing", "jeffrey scott", "jeffrey reimer", "brian sabey", "butt pirates", "scott reimer", "colorado", "quasi government", "workers compensation", "eva lisa", "eva reimer", "sammie", "montano mark", "death threats", "tulach", "hired hit men", "gay man", "gay porn", "concentra", "corruption", "palantir", "foundry", "grifter", "warning", "illegal", "apple", "contacted", "ransom", "dead", "denver" ], "references": [ "https://tamlegal.com/attorneys/christopher-p-ahmann/#breadcrumb \u2022 https://www.milehighmedia.com/en/movies", "https://www.milehighmedia.com/legal/2257 \u2022 https://www.milehighmedia", "www.milehighmedia.com \u2022 https://www.milehighmedia.com/en/Charlie-Dean/pornstar/49512", "https://www.milehighmedia.com/en/login/index/aHR0cHMlM0ElMkYlMkZtZW1iZXJzLm1pbGVoaWdobWVkaWEuY29tJTJGZW4lMkZ2aWRlb3MlMkZzd2VldGhlYXJ0dmlkZW8lM0ZhbHVwJTNEQURqeF9ITjhfd1oweU96UnpsU3NNNUZLaVVxSzBXNEN0X3NmTFpKTGVJc3M2b0RVUzkwVmp6VllNVko5eFpmdENYcFNKd3IzOTNaMG1mOEpXeVhVeVZpLTJZYVRsaGd3M25DSDRpYnRwZ25BRC1zUFhDQVUycjZJOXo2WWtRMzNVWVFhMFZyWC1YckxvcnRkVjJZdEgxSDYxZ1lhMTFNS3RZSkEzY3FlSXhFQzhtSlAzSk1tbloySURMQXlMZndPcHozSFFiTzF4T0FseXJIQ0xYem1ldFElMkE=\t \thttp://www.milehighmedia.com/?ats=eyJhIjoyOTYzMTgsImMiOjU3OTYzNz", "http://www.milehighmedia.com/legal\t \u2022 https://www.milehighmedia.com/en/pornstar/milehighmedia/Justin-Hunt/51017", "https://www.milehighmedia.com/de/MileHighMedia/scene/129689?utm_source=271174&utm_medium=affiliate&utm_campaign=", "http://www.milehighmedia.com/?ats=eyJhIjoyOTYzMTgsImMiOjU3OTYzNzc1LCJuIjo3NiwicyI6NT...", "ttps://www.milehighmedia.com/scene/4404473/creampie-adventures-scene-2-sneaky-melanie", "https://www.milehighmedia.com/join \u2022 https://www.milehighmedia.com/models \u2022 https://www.milehighmedia.com/movies", "https://www.milehighmedia.com/model/59136/avi-love \u2022https://www.milehighmedia.com/model/60418/Justin-Hunt \u2022", "https://www.milehighmedia.com/en/photo/milehighmedia/The-Mother-I-Cant-Resist/52380", "https://www.milehighmedia.com/en/movies \u2022 https://www.milehighmedia.com/join", "https://www.pornhub.com/gifs/search?search=tsara+lynn+brashears+lesbian", "pornhub-e.com \u2022 www.pornhub.com \u2022", "https://www.sweetheartvideo.com/tsara-brashears/ \u2022 www.sweetheartvideo.com", "https://www.sweetheartvideo.com/en/?s=1?s=1&utm_source=272160&utm_medium=affiliate&utm_campaign=lovelezzies", "https://www.sweetheartvideo.com/en/dvd/Lesbian-Massage/49895", "https://www.sweetheartvideo.com/en/dvds \u2022 https://www.sweetheartvideo.com/en/login", "https://www.sweetheartvideo.com/en/model/Mona-Wales/49601 \u2022 https://www.sweetheartvideo.com/en/scene/Truth-Dare--Boobs/130432 No Expiration\t0\t URL https://www.sweetheartvideo.com/it/model/Kristen-Scott/50432 \u2022 https://www.sweetheartvideo.com/model/63710/brandi-love", "https://www.sweetheartvideo.com/scenes?models=63710", "https://www.sweetheartvideo.com/model/63710/brandi-love", "https://www.sweetheartvideo.com/scenes?models=63710", "https://www.sweetheartvideo.com/it/model/Kristen-Scott/50432", "https://www.sweetheartvideo.com/en/scene/Truth-Dare--Boobs/130432", "https://www.milehighmedia.com/en/photo/milehighmedia/The-Mother-I-Cant-Resist/52380", "https://www.vgt.pl/font/roboto/Roboto-Bold.eot \u2022", "https://www.vgt.pl/94.152.152.233/images/logo.png", "https://www.vgt.pl/94.152.156.22/logo.png \u2022 https://www.vgt.pl/css/", "https://www.vgt.pl/favicon.ico", "https://www.vgt.pl/font/fa/fontawesome-webfont.eot", "https://www.vgt.pl/font/roboto/Roboto-Bold.ttf \u2022 https://www.vgt.pl/font/roboto/Roboto-Light.eot", "https://www.vgt.pl/font/roboto/Roboto-Medium.ttf", "https://www.vgt.pl/font/roboto/Roboto-Light.ttf \u2022", "https://www.vgt.pl/static/js/bootstrap-typeahead.jstic/js/bootstrap-typeahead.js", "https://www.vgt.pl/style/style.css \u2022 https://www.vgt.pl/font/roboto/Roboto-Medium.eot", "https://www.vgt.pl/font/roboto/Roboto-Regular.ttf \u2022 https://www.vgt.pl/font/roboto/Roboto-Thin.eot", "https://www.vgt.pl/static/js/bootstrap-typeahead.js.179.252.2", "https://www.vgt.pl/font/roboto/Roboto-Thin.ttf \u2022 https://www.vgt.pl/static/js/bootstrap-typeahead.js", "https://www.vgt.pl/font/roboto/Roboto-Regular.eot \u2022 https://www.vgt.pl/94.152.156.22/logo.png \u2022 https://www.vgt.pl/css/", "vgt.pl \u2022 www.hak.vgt.pl \u2022 www.localhost.vgt.pl \u2022 www.certyfikat.vgt.pl \u2022 aristocrat.vgt.pl", "https://www.vgt.pl/ phishing \u2022 https://vgt.pl/ \u2022www.vgt.pl \u2022 https://www.vgt.pl/94.152.152.233/images/logo.png", "http://www.pornokind.vgt.pl \u2022 https://dbkuewww.m.vgt.pl \u2022 https://lokalnyhost.vgt.pl \u2022 www.xn--twj-hna.pedofil.vgt.pl", "http://www.hak.vgt.pl \u2022 http://pornokind.vgt.pl \u2022 http://sip.vgt.pl \u2022 http://smtp-qa.vgt.pl \u2022 http://vgt.pl/*.", "https://pornokind.vgt.pl \u2022 https://sip.vgt.pl \u2022 https://smtp-qa.vgt.pl \u2022 https://www.vgt.pl/94.152.156.22/logo.png", "www.localhost.vgt.pl \u2022 www.certyfikat.vgt.pl \u2022 https://www.vgt.pl/94.152.152.233/images/logo.png", "https://www.vgt.pl/css/ \u2022 https://www.vgt.pl/favicon.ico \u2022 https://www.vgt.pl/font/fa/fontawesome-webfont.eot", "https://www.vgt.pl/font/roboto/Roboto-Bold.eot \u2022 https://www.vgt.pl/font/roboto/Roboto-Bold.ttf \u2022 https://www.vgt.pl/font/roboto/Roboto-Light.eot", "https://www.vgt.pl/static/js/bootstrap-typeahead.jstic/js/bootstrap-typeahead.js", "https://www.vgt.pl/style/style.css \u2022 https://www.vgt.pl/static/js/bootstrap-typeahead.js", "IP Address 94.152.58.192 Location Poland ASN AS29522 h88 s.a. Nameservers ns1.kei.pl. , ns2.kei.pl.", "www.happylifehappywife.com \u2022 http://www.happylifehappywife.com/2010/02/'>", "http://www.happylifehappywife.com/2010/04/'> \u2022 http://www.happylifehappywife.com/2010/05/'>", "http://www.happylifehappywife.com/2010/07/'> \u2022 http://www.happylifehappywife.com/2010/09/'>", "http://www.happylifehappywife.com/2011/06/'> \u2022 http://www.happylifehappywife.com/2011/08/'", "http://www.happylifehappywife.com/2011/08/'> \u2022 http://www.happylifehappywife.com/2012/07/'>", "http://www.happylifehappywife.com/2013/03/'> \u2022 http://www.happylifehappywife.com/index.php", "http://www.happylifehappywife.com/wp-content/themes/theme78222/images/top-right.jpg", "https://amp.mypornvid.fun/videos/8/AhxS-ej1myg/gf-18-com/\ud83c\udf81-i39m-your-present-\ud83c\udf81-girlfriend-surprises-you-for-christmas-reunion-soft-kisses-amp-cuddles", "8-25-220-162-static.reverse.queryfoundry.net\t\t\tNov 1, 2025, 9:34:14 AM\t\t5\t domain\tqueryfoundry.net\t\t\tNov 1, 2025, 9:34:14 AM\t\t8\t URL\thttp://117-114-251-162-static.reverse.queryfoundry.net/", "http://watchhers.net/index.php", "remotewd.com device local", "nr-data.net \u2022 applemusic-spotlight.myunidays.com \u2022 init.ess.apple.com \u2022 tv.apple.com", "https://browntubeporn.com/tsara-brashearsAccept-Language", "https://cg864.myhotzpic.com phishing \u2022 http://dashboard.myhotzpic.com/", "https://myhotzpic.com/tsara-brashears-hardcore-lesbian-sex/anime-studio.org*thumbs-fa...", "https://mypornvid.com/videos/27/x510fb2/white-dpt-jeffrey-reimer-loves-pretty-indian-patient-forces-sex-3gp-video-tsara-brashears/caillou-finger", "http://siteinlink.d1.cnbd.net/search/tsara-brashears-dead \u2022 http://siteinlink.d1.cnbd.net/site/maps.google.com.lb/", "http://siteinlink.d1.cnbd.net/search/tsara-brashears-assaulted-by-jeffrey-reimer", "http://siteinlink.d1.cnbd.net/search/tsara-brashears-dead \u2022 https://videolal.com/videos/tsara-brashears-dead-by-daylight.html", "http://pixelrz.com/lists/keywords/tsara-brashears-dead/360 \u2022 http://pixelrz.com/lists/keywords/tsara-brashears-dead/360] No Expiration\t4\t Domain tsara-brashears-deadspin-twitter-suspended-account-help.ht", "https://www.anyxxxtube.net/search-porn/tsara-brashears/", "https://www.pornhub.com/gifs/search?search=tsara+lynn+brashears+lesbian", "https://www.anyxxxtube.net/search-porn/tsara-brashears/", "https://twitter.com/PORNO_SEXYBABES \u2022 girlsdoporn.com", "Treece Alfrey Musat P.C. Attorneys at Law Christopher P. Ahmann | https://TamLegal.com", "https://urlscan.io/screenshots/e931bb02-80dc-46db-92f0-43d5afa258be.png" ], "public": 1, "adversary": "", "targeted_countries": [], "malware_families": [ { "id": "TrojanSpy:Win32/Nivdort", "display_name": "TrojanSpy:Win32/Nivdort", "target": "/malware/TrojanSpy:Win32/Nivdort" }, { "id": "Worm:Win32/Autorun", "display_name": "Worm:Win32/Autorun", "target": "/malware/Worm:Win32/Autorun" }, { "id": "Tofsee", "display_name": "Tofsee", "target": null }, { "id": "Jaik", "display_name": "Jaik", "target": null }, { "id": "Trojan:Win32/Qshell", "display_name": "Trojan:Win32/Qshell", "target": "/malware/Trojan:Win32/Qshell" }, { "id": "Trojan:Win32/Mydoom", "display_name": "Trojan:Win32/Mydoom", "target": "/malware/Trojan:Win32/Mydoom" } ], "attack_ids": [ { "id": "T1045", "name": "Software Packing", "display_name": "T1045 - Software Packing" }, { "id": "T1057", "name": "Process Discovery", "display_name": "T1057 - Process Discovery" }, { "id": "T1060", "name": "Registry Run Keys / Startup Folder", "display_name": "T1060 - Registry Run Keys / Startup Folder" }, { "id": "T1053", "name": "Scheduled Task/Job", "display_name": "T1053 - Scheduled Task/Job" }, { "id": "T1055", "name": "Process Injection", "display_name": "T1055 - Process Injection" }, { "id": "T1082", "name": "System Information Discovery", "display_name": "T1082 - System Information Discovery" }, { "id": "T1112", "name": "Modify Registry", "display_name": "T1112 - Modify Registry" }, { "id": "T1119", "name": "Automated Collection", "display_name": "T1119 - Automated Collection" }, { "id": "T1129", "name": "Shared Modules", "display_name": "T1129 - Shared Modules" }, { "id": "T1143", "name": "Hidden Window", "display_name": "T1143 - Hidden Window" }, { "id": "T1063", "name": "Security Software Discovery", "display_name": "T1063 - Security Software Discovery" }, { "id": "T1027", "name": "Obfuscated Files or Information", "display_name": "T1027 - Obfuscated Files or Information" }, { "id": "T1071", "name": "Application Layer Protocol", "display_name": "T1071 - Application Layer Protocol" }, { "id": "T1518", "name": "Software Discovery", "display_name": "T1518 - Software Discovery" }, { "id": "T1553", "name": "Subvert Trust Controls", "display_name": "T1553 - Subvert Trust Controls" }, { "id": "T1568", "name": "Dynamic Resolution", "display_name": "T1568 - Dynamic Resolution" }, { "id": "T1583", "name": "Acquire Infrastructure", "display_name": "T1583 - Acquire Infrastructure" }, { "id": "T1069", "name": "Permission Groups Discovery", "display_name": "T1069 - Permission Groups Discovery" }, { "id": "T1105", "name": "Ingress Tool Transfer", "display_name": "T1105 - Ingress Tool Transfer" }, { "id": "T1113", "name": "Screen Capture", "display_name": "T1113 - Screen Capture" }, { "id": "T1140", "name": "Deobfuscate/Decode Files or Information", "display_name": "T1140 - Deobfuscate/Decode Files or Information" }, { "id": "T1197", "name": "BITS Jobs", "display_name": "T1197 - BITS Jobs" }, { "id": "T1210", "name": "Exploitation of Remote Services", "display_name": "T1210 - Exploitation of Remote Services" }, { "id": "T1457", "name": "Malicious Media Content", "display_name": "T1457 - Malicious Media Content" }, { "id": "T1480", "name": "Execution Guardrails", "display_name": "T1480 - Execution Guardrails" }, { "id": "T1562", "name": "Impair Defenses", "display_name": "T1562 - Impair Defenses" }, { "id": "T1574", "name": "Hijack Execution Flow", "display_name": "T1574 - Hijack Execution Flow" } ], "industries": [], "TLP": "green", "cloned_from": "69482caa00d327da8f0a87bc", "export_count": 0, "upvotes_count": 0, "downvotes_count": 0, "votes_count": 0, "locked": false, "pulse_source": "web", "validator_count": 0, "comment_count": 0, "follower_count": 0, "vote": 0, "author": { "username": "msudosos", "id": "381696", "avatar_url": "https://otx.alienvault.com/assets/images/default-avatar.png", "is_subscribed": false, "is_following": false }, "indicator_type_counts": { "URL": 8897, "domain": 2102, "hostname": 2867, "FileHash-SHA256": 3886, "FileHash-MD5": 619, "FileHash-SHA1": 555, "CVE": 3, "email": 5, "SSLCertFingerprint": 8 }, "indicator_count": 18942, "is_author": false, "is_subscribing": null, "subscriber_count": 47, "modified_text": "36 days ago ", "is_modified": false, "groups": [], "in_group": false, "threat_hunter_scannable": true, "threat_hunter_has_agents": 1, "related_indicator_type": "URL", "related_indicator_is_active": 1 }, { "id": "69b49587dd104e342dda1628", "name": "C Ahman Attorney Clone by Top Tier, Q.Vashti", "description": "", "modified": "2026-03-13T22:53:59.112000", "created": "2026-03-13T22:53:59.112000", "tags": [ "related pulses", "p1377925676", "gaz1", "sid1696503456", "sct1", "active", "dynamicloader", "medium", "write c", "search", "show", "high", "program gateway", "http traffic", "http", "write", "malware", "nivdort", "serving ip", "address", "status code", "kb body", "sha256", "gw5hjz7t975", "url https", "url http", "indicator role", "pulses url", "hostname", "poland unknown", "present sep", "present jul", "present may", "present apr", "present dec", "present jan", "moved", "passive dns", "ip address", "title", "location poland", "asn as29522", "gmt content", "accept encoding", "ipv4 add", "urls", "files", "reverse dns", "united", "record value", "aaaa", "mtb oct", "found", "error", "read c", "memcommit", "module load", "next", "showing", "trojan", "execution", "unknown", "entries", "ms windows", "intel", "as15169", "codeoverlap", "yara detections", "delphi", "worm", "win32", "win64", "learn", "ck id", "name tactics", "suspicious", "informative", "adversaries", "command", "spawns", "ssl certificate", "execution att", "script urls", "treece alfrey", "meta", "germany unknown", "for privacy", "title added", "active related", "pulses", "asnone", "named pipe", "type indicator", "role title", "added active", "filehashsha256", "ally", "melika", "information", "law christopher", "https", "fake pinterest", "tsara", "traceback man", "expiro", "capture", "domain", "types of", "germany", "poland", "netherlands", "cve cve20178977", "boobs130432 nov", "learn more", "filehashmd5", "utmsourceawin", "pe32", "head microsoft", "delete", "main", "backdoor", "next associated", "gmt connection", "control", "content type", "twitter", "certificate", "redirect date", "cache", "unknown ns", "hostname add", "ipv4", "pulse pulses", "location united", "america flag", "america asn", "windows", "total", "ids detections", "url add", "related nids", "files location", "flag united", "win32mydoom nov", "domain add", "yara rule", "ee fc", "ff d5", "f0 ff", "eb e1", "ff ff", "c1 e8", "c1 c0", "eb e8", "mpress", "cache control", "x cache", "date", "name servers", "arial", "present aug", "present jun", "may god", "hall render", "palantir doing", "jeffrey scott", "jeffrey reimer", "brian sabey", "butt pirates", "scott reimer", "colorado", "quasi government", "workers compensation", "eva lisa", "eva reimer", "sammie", "montano mark", "death threats", "tulach", "hired hit men", "gay man", "gay porn", "concentra", "corruption", "palantir", "foundry", "grifter", "warning", "illegal", "apple", "contacted", "ransom", "dead", "denver" ], "references": [ "https://tamlegal.com/attorneys/christopher-p-ahmann/#breadcrumb \u2022 https://www.milehighmedia.com/en/movies", "https://www.milehighmedia.com/legal/2257 \u2022 https://www.milehighmedia", "www.milehighmedia.com \u2022 https://www.milehighmedia.com/en/Charlie-Dean/pornstar/49512", "https://www.milehighmedia.com/en/login/index/aHR0cHMlM0ElMkYlMkZtZW1iZXJzLm1pbGVoaWdobWVkaWEuY29tJTJGZW4lMkZ2aWRlb3MlMkZzd2VldGhlYXJ0dmlkZW8lM0ZhbHVwJTNEQURqeF9ITjhfd1oweU96UnpsU3NNNUZLaVVxSzBXNEN0X3NmTFpKTGVJc3M2b0RVUzkwVmp6VllNVko5eFpmdENYcFNKd3IzOTNaMG1mOEpXeVhVeVZpLTJZYVRsaGd3M25DSDRpYnRwZ25BRC1zUFhDQVUycjZJOXo2WWtRMzNVWVFhMFZyWC1YckxvcnRkVjJZdEgxSDYxZ1lhMTFNS3RZSkEzY3FlSXhFQzhtSlAzSk1tbloySURMQXlMZndPcHozSFFiTzF4T0FseXJIQ0xYem1ldFElMkE=\t \thttp://www.milehighmedia.com/?ats=eyJhIjoyOTYzMTgsImMiOjU3OTYzNz", "http://www.milehighmedia.com/legal\t \u2022 https://www.milehighmedia.com/en/pornstar/milehighmedia/Justin-Hunt/51017", "https://www.milehighmedia.com/de/MileHighMedia/scene/129689?utm_source=271174&utm_medium=affiliate&utm_campaign=", "http://www.milehighmedia.com/?ats=eyJhIjoyOTYzMTgsImMiOjU3OTYzNzc1LCJuIjo3NiwicyI6NT...", "ttps://www.milehighmedia.com/scene/4404473/creampie-adventures-scene-2-sneaky-melanie", "https://www.milehighmedia.com/join \u2022 https://www.milehighmedia.com/models \u2022 https://www.milehighmedia.com/movies", "https://www.milehighmedia.com/model/59136/avi-love \u2022https://www.milehighmedia.com/model/60418/Justin-Hunt \u2022", "https://www.milehighmedia.com/en/photo/milehighmedia/The-Mother-I-Cant-Resist/52380", "https://www.milehighmedia.com/en/movies \u2022 https://www.milehighmedia.com/join", "https://www.pornhub.com/gifs/search?search=tsara+lynn+brashears+lesbian", "pornhub-e.com \u2022 www.pornhub.com \u2022", "https://www.sweetheartvideo.com/tsara-brashears/ \u2022 www.sweetheartvideo.com", "https://www.sweetheartvideo.com/en/?s=1?s=1&utm_source=272160&utm_medium=affiliate&utm_campaign=lovelezzies", "https://www.sweetheartvideo.com/en/dvd/Lesbian-Massage/49895", "https://www.sweetheartvideo.com/en/dvds \u2022 https://www.sweetheartvideo.com/en/login", "https://www.sweetheartvideo.com/en/model/Mona-Wales/49601 \u2022 https://www.sweetheartvideo.com/en/scene/Truth-Dare--Boobs/130432 No Expiration\t0\t URL https://www.sweetheartvideo.com/it/model/Kristen-Scott/50432 \u2022 https://www.sweetheartvideo.com/model/63710/brandi-love", "https://www.sweetheartvideo.com/scenes?models=63710", "https://www.sweetheartvideo.com/model/63710/brandi-love", "https://www.sweetheartvideo.com/scenes?models=63710", "https://www.sweetheartvideo.com/it/model/Kristen-Scott/50432", "https://www.sweetheartvideo.com/en/scene/Truth-Dare--Boobs/130432", "https://www.milehighmedia.com/en/photo/milehighmedia/The-Mother-I-Cant-Resist/52380", "https://www.vgt.pl/font/roboto/Roboto-Bold.eot \u2022", "https://www.vgt.pl/94.152.152.233/images/logo.png", "https://www.vgt.pl/94.152.156.22/logo.png \u2022 https://www.vgt.pl/css/", "https://www.vgt.pl/favicon.ico", "https://www.vgt.pl/font/fa/fontawesome-webfont.eot", "https://www.vgt.pl/font/roboto/Roboto-Bold.ttf \u2022 https://www.vgt.pl/font/roboto/Roboto-Light.eot", "https://www.vgt.pl/font/roboto/Roboto-Medium.ttf", "https://www.vgt.pl/font/roboto/Roboto-Light.ttf \u2022", "https://www.vgt.pl/static/js/bootstrap-typeahead.jstic/js/bootstrap-typeahead.js", "https://www.vgt.pl/style/style.css \u2022 https://www.vgt.pl/font/roboto/Roboto-Medium.eot", "https://www.vgt.pl/font/roboto/Roboto-Regular.ttf \u2022 https://www.vgt.pl/font/roboto/Roboto-Thin.eot", "https://www.vgt.pl/static/js/bootstrap-typeahead.js.179.252.2", "https://www.vgt.pl/font/roboto/Roboto-Thin.ttf \u2022 https://www.vgt.pl/static/js/bootstrap-typeahead.js", "https://www.vgt.pl/font/roboto/Roboto-Regular.eot \u2022 https://www.vgt.pl/94.152.156.22/logo.png \u2022 https://www.vgt.pl/css/", "vgt.pl \u2022 www.hak.vgt.pl \u2022 www.localhost.vgt.pl \u2022 www.certyfikat.vgt.pl \u2022 aristocrat.vgt.pl", "https://www.vgt.pl/ phishing \u2022 https://vgt.pl/ \u2022www.vgt.pl \u2022 https://www.vgt.pl/94.152.152.233/images/logo.png", "http://www.pornokind.vgt.pl \u2022 https://dbkuewww.m.vgt.pl \u2022 https://lokalnyhost.vgt.pl \u2022 www.xn--twj-hna.pedofil.vgt.pl", "http://www.hak.vgt.pl \u2022 http://pornokind.vgt.pl \u2022 http://sip.vgt.pl \u2022 http://smtp-qa.vgt.pl \u2022 http://vgt.pl/*.", "https://pornokind.vgt.pl \u2022 https://sip.vgt.pl \u2022 https://smtp-qa.vgt.pl \u2022 https://www.vgt.pl/94.152.156.22/logo.png", "www.localhost.vgt.pl \u2022 www.certyfikat.vgt.pl \u2022 https://www.vgt.pl/94.152.152.233/images/logo.png", "https://www.vgt.pl/css/ \u2022 https://www.vgt.pl/favicon.ico \u2022 https://www.vgt.pl/font/fa/fontawesome-webfont.eot", "https://www.vgt.pl/font/roboto/Roboto-Bold.eot \u2022 https://www.vgt.pl/font/roboto/Roboto-Bold.ttf \u2022 https://www.vgt.pl/font/roboto/Roboto-Light.eot", "https://www.vgt.pl/static/js/bootstrap-typeahead.jstic/js/bootstrap-typeahead.js", "https://www.vgt.pl/style/style.css \u2022 https://www.vgt.pl/static/js/bootstrap-typeahead.js", "IP Address 94.152.58.192 Location Poland ASN AS29522 h88 s.a. Nameservers ns1.kei.pl. , ns2.kei.pl.", "www.happylifehappywife.com \u2022 http://www.happylifehappywife.com/2010/02/'>", "http://www.happylifehappywife.com/2010/04/'> \u2022 http://www.happylifehappywife.com/2010/05/'>", "http://www.happylifehappywife.com/2010/07/'> \u2022 http://www.happylifehappywife.com/2010/09/'>", "http://www.happylifehappywife.com/2011/06/'> \u2022 http://www.happylifehappywife.com/2011/08/'", "http://www.happylifehappywife.com/2011/08/'> \u2022 http://www.happylifehappywife.com/2012/07/'>", "http://www.happylifehappywife.com/2013/03/'> \u2022 http://www.happylifehappywife.com/index.php", "http://www.happylifehappywife.com/wp-content/themes/theme78222/images/top-right.jpg", "https://amp.mypornvid.fun/videos/8/AhxS-ej1myg/gf-18-com/\ud83c\udf81-i39m-your-present-\ud83c\udf81-girlfriend-surprises-you-for-christmas-reunion-soft-kisses-amp-cuddles", "8-25-220-162-static.reverse.queryfoundry.net\t\t\tNov 1, 2025, 9:34:14 AM\t\t5\t domain\tqueryfoundry.net\t\t\tNov 1, 2025, 9:34:14 AM\t\t8\t URL\thttp://117-114-251-162-static.reverse.queryfoundry.net/", "http://watchhers.net/index.php", "remotewd.com device local", "nr-data.net \u2022 applemusic-spotlight.myunidays.com \u2022 init.ess.apple.com \u2022 tv.apple.com", "https://browntubeporn.com/tsara-brashearsAccept-Language", "https://cg864.myhotzpic.com phishing \u2022 http://dashboard.myhotzpic.com/", "https://myhotzpic.com/tsara-brashears-hardcore-lesbian-sex/anime-studio.org*thumbs-fa...", "https://mypornvid.com/videos/27/x510fb2/white-dpt-jeffrey-reimer-loves-pretty-indian-patient-forces-sex-3gp-video-tsara-brashears/caillou-finger", "http://siteinlink.d1.cnbd.net/search/tsara-brashears-dead \u2022 http://siteinlink.d1.cnbd.net/site/maps.google.com.lb/", "http://siteinlink.d1.cnbd.net/search/tsara-brashears-assaulted-by-jeffrey-reimer", "http://siteinlink.d1.cnbd.net/search/tsara-brashears-dead \u2022 https://videolal.com/videos/tsara-brashears-dead-by-daylight.html", "http://pixelrz.com/lists/keywords/tsara-brashears-dead/360 \u2022 http://pixelrz.com/lists/keywords/tsara-brashears-dead/360] No Expiration\t4\t Domain tsara-brashears-deadspin-twitter-suspended-account-help.ht", "https://www.anyxxxtube.net/search-porn/tsara-brashears/", "https://www.pornhub.com/gifs/search?search=tsara+lynn+brashears+lesbian", "https://www.anyxxxtube.net/search-porn/tsara-brashears/", "https://twitter.com/PORNO_SEXYBABES \u2022 girlsdoporn.com", "Treece Alfrey Musat P.C. Attorneys at Law Christopher P. Ahmann | https://TamLegal.com", "https://urlscan.io/screenshots/e931bb02-80dc-46db-92f0-43d5afa258be.png" ], "public": 1, "adversary": "", "targeted_countries": [], "malware_families": [ { "id": "TrojanSpy:Win32/Nivdort", "display_name": "TrojanSpy:Win32/Nivdort", "target": "/malware/TrojanSpy:Win32/Nivdort" }, { "id": "Worm:Win32/Autorun", "display_name": "Worm:Win32/Autorun", "target": "/malware/Worm:Win32/Autorun" }, { "id": "Tofsee", "display_name": "Tofsee", "target": null }, { "id": "Jaik", "display_name": "Jaik", "target": null }, { "id": "Trojan:Win32/Qshell", "display_name": "Trojan:Win32/Qshell", "target": "/malware/Trojan:Win32/Qshell" }, { "id": "Trojan:Win32/Mydoom", "display_name": "Trojan:Win32/Mydoom", "target": "/malware/Trojan:Win32/Mydoom" } ], "attack_ids": [ { "id": "T1045", "name": "Software Packing", "display_name": "T1045 - Software Packing" }, { "id": "T1057", "name": "Process Discovery", "display_name": "T1057 - Process Discovery" }, { "id": "T1060", "name": "Registry Run Keys / Startup Folder", "display_name": "T1060 - Registry Run Keys / Startup Folder" }, { "id": "T1053", "name": "Scheduled Task/Job", "display_name": "T1053 - Scheduled Task/Job" }, { "id": "T1055", "name": "Process Injection", "display_name": "T1055 - Process Injection" }, { "id": "T1082", "name": "System Information Discovery", "display_name": "T1082 - System Information Discovery" }, { "id": "T1112", "name": "Modify Registry", "display_name": "T1112 - Modify Registry" }, { "id": "T1119", "name": "Automated Collection", "display_name": "T1119 - Automated Collection" }, { "id": "T1129", "name": "Shared Modules", "display_name": "T1129 - Shared Modules" }, { "id": "T1143", "name": "Hidden Window", "display_name": "T1143 - Hidden Window" }, { "id": "T1063", "name": "Security Software Discovery", "display_name": "T1063 - Security Software Discovery" }, { "id": "T1027", "name": "Obfuscated Files or Information", "display_name": "T1027 - Obfuscated Files or Information" }, { "id": "T1071", "name": "Application Layer Protocol", "display_name": "T1071 - Application Layer Protocol" }, { "id": "T1518", "name": "Software Discovery", "display_name": "T1518 - Software Discovery" }, { "id": "T1553", "name": "Subvert Trust Controls", "display_name": "T1553 - Subvert Trust Controls" }, { "id": "T1568", "name": "Dynamic Resolution", "display_name": "T1568 - Dynamic Resolution" }, { "id": "T1583", "name": "Acquire Infrastructure", "display_name": "T1583 - Acquire Infrastructure" }, { "id": "T1069", "name": "Permission Groups Discovery", "display_name": "T1069 - Permission Groups Discovery" }, { "id": "T1105", "name": "Ingress Tool Transfer", "display_name": "T1105 - Ingress Tool Transfer" }, { "id": "T1113", "name": "Screen Capture", "display_name": "T1113 - Screen Capture" }, { "id": "T1140", "name": "Deobfuscate/Decode Files or Information", "display_name": "T1140 - Deobfuscate/Decode Files or Information" }, { "id": "T1197", "name": "BITS Jobs", "display_name": "T1197 - BITS Jobs" }, { "id": "T1210", "name": "Exploitation of Remote Services", "display_name": "T1210 - Exploitation of Remote Services" }, { "id": "T1457", "name": "Malicious Media Content", "display_name": "T1457 - Malicious Media Content" }, { "id": "T1480", "name": "Execution Guardrails", "display_name": "T1480 - Execution Guardrails" }, { "id": "T1562", "name": "Impair Defenses", "display_name": "T1562 - Impair Defenses" }, { "id": "T1574", "name": "Hijack Execution Flow", "display_name": "T1574 - Hijack Execution Flow" } ], "industries": [], "TLP": "green", "cloned_from": "691f4d4ef0a2a570b8b21cd2", "export_count": 0, "upvotes_count": 0, "downvotes_count": 0, "votes_count": 0, "locked": false, "pulse_source": "web", "validator_count": 0, "comment_count": 0, "follower_count": 0, "vote": 0, "author": { "username": "msudosos", "id": "381696", "avatar_url": "https://otx.alienvault.com/assets/images/default-avatar.png", "is_subscribed": false, "is_following": false }, "indicator_type_counts": { "URL": 8897, "domain": 2102, "hostname": 2867, "FileHash-SHA256": 3886, "FileHash-MD5": 619, "FileHash-SHA1": 555, "CVE": 3, "email": 5, "SSLCertFingerprint": 8 }, "indicator_count": 18942, "is_author": false, "is_subscribing": null, "subscriber_count": 47, "modified_text": "36 days ago ", "is_modified": false, "groups": [], "in_group": false, "threat_hunter_scannable": true, "threat_hunter_has_agents": 1, "related_indicator_type": "URL", "related_indicator_is_active": 1 }, { "id": "697cdce9ec418c422eee2054", "name": "Device Isolation: Lumen Technologies | Palantir and \u2018Boots on the Ground Operations\u2019", "description": "Device Isolation: Lumen Technologies (formerly CenturyLink) deployed as an admin on iOS devices. Standard factory resets may prove ineffective. Complete hardware \"air-gap\" or clean devices that have never touched your home network may be best option for deeply monitored targets.\n\nSummary of the Campaign:\nThe involvement of Lumen Technologies (as an unwanted admin), Foundry (Palantir) for data mapping, and Mirai Botnet for network disruption represents a \"scorched earth\" approach to digital destruction. Target treated as a criminal through Cellebrite, implicates specific attackers attempted to legalize what was actually a predatory stalking campaign/s.\n\n\nSurveillance Overlap: The use of Lumen Technologies and Palantir, tools allows for real-time tracking of a target's physical location\u2014explains how \u2018boots on the ground\u2019 offenders can stalk , surveillance , confront, assault and engage in various damaging attacks of specific monitored targets.", "modified": "2026-03-01T16:05:57.375000", "created": "2026-01-30T16:31:37.011000", "tags": [ "url https", "url http", "tlsv1", "whitelisted", "united", "read c", "as15169", "stcalifornia", "execution", "dock", "write", "persistence", "malware", "encrypt", "active", "lumen technologies", "number", "error", "regexp", "sxa0", "amptoken", "optout", "retrieving", "notfound", "unknown", "form", "flash", "backdoor", "writeconsolew", "yara detections", "command line", "pdb path", "pe resource", "internalname", "windows command", "A", "aws", "name servers", "url analysis", "passive dns", "urls", "data upload", "extraction", "palantir", "c2", "aerospace", "tracking", "spywatchdog", "palapa-c2", "communications satellite", "amazon", "hughesnet", "icmp traffic", "washington c", "washington ou", "mopr", "mon jul", "local", "dynamic", "apple", "network", "t1057", "discovery", "t1069", "t1071", "protocol", "t1105", "tool transfer", "t1480", "guardrails", "t1566", "present jan", "unknown ns", "ip address", "dnssec", "domain", "dynamic dns", "government", "pcup", "germany unknown", "link", "dns hosting", "cloudns", "cloud dns", "a domains", "ipv4 add", "title", "meta", "class", "servers", "present aug", "aaaa", "present sep", "present nov", "present jul", "present may", "moved", "canada unknown", "begin", "record value", "gmt content", "type", "hostname add", "files", "ascii text", "pattern match", "href", "mitre att", "ck id", "ck matrix", "network traffic", "et info", "general", "path", "click", "learn", "command", "name tactics", "suspicious", "informative", "adversaries", "input url", "defense evasion", "france", "ireland", "netherlands", "denmark", "united kingdom", "type indicator", "role title", "added active", "savvis", "centurylinktechnology", "hybrid analysis", "monitoring tools", "monitored target", "triangulation", "worm", "intel", "ms windows", "pe32", "write c", "delete c", "show", "russia as47764", "unix", "lsan jose", "odigicert inc", "markus", "url add", "http", "related nids", "files location", "russia flag", "russia hostname", "russia", "russia unknown", "hosting", "federation flag", "body", "gmt vary", "accept encoding", "gmt cache", "certificate", "pulse submit", "unknown aaaa", "search", "entries", "script domains", "script urls", "pdx cf" ], "references": [ "\u2018Lumen Technologies\u2019 Acting as administrator of a targeted Apple IOS device", "Yare: compromised_site_redirector_fromcharcode", "Alerts: network_icmp nolookup_communication js_eval recon_fingerprint", "Alerts: console_output has_pdb pe_unknown_resource_name", "File Type PEXE - PE32+ executable (console) x86-64, for MS Windows ..", "Tipped: A targets AI and other cyber research findings.", "A \u2018Target\u2019 became a \u2018Target\u2019 vja close association to main Target of predatory retaliation campaign.", "track.spywarewatchdog.org \u2022 https://track.spywarewatchdog.org - monitoring software", "https://palapa.c.id\t (c.id)", "Containers-Pecorino.PalantirGov.com -pecorino.palantirgov.com", "cedevice.io \u2022 decagonsoftware.com", "http://applevless.dns-dynamic.net/\t\u2022 dns-dynamic.net", "http://www.pcup.gov.ph/images/2018/pdf/ComEnBancReso/Commission_Resolution_07s2018.PDF", "pcup.gov.ph:", "http://www.pcup.gov.ph/images/pdf/Contract_of_SecurityServices2013.pdf pcup.gov.ph:", "https://pcup.gov.ph/375 pcup.gov.ph: | https://www.pcup.gov.ph/ pcup.gov.ph:", "https://elegantcosmedampyeah.pages.dev/", "https://www.ptv.vic.gov.au/more/travelling-on-the-network/lets-go/", "inst.govelopscold.com", "https://feedback.ptv.vic.gov.au/360", "nginx-php.7d4jelnf.trdlpbvl.sdp3.sdp.vic.gov.au", "nginx-php.standby.content-premier-vic-gov-au.sdp3.sdp.vic.gov.au", "https://hybrid-analysis.com/sample/a16d11910953b800369dbb667f178b3cc45cb8e3315217c0e6ceac68eeba206d", "https://brand.centurylinktechnology.com", "https://prod.centurylinktechnology.com", "https://brand2.centurylinktechnology.com", "https://mobile-pocket-guide.centurylinktechnology.com", "UPX_OEP_place", "Russia or Muskware? URL http://store.7box.vip/ad/C467F60A1AD6.Jpeg", "ASP. NET", "https://connect.facebook.net/en_US/sdk.js#xfbml=1&version=v4.0&appId=705930270206797&autoLogAppEvents=1 Akamai rank:", "7box.vip" ], "public": 1, "adversary": "", "targeted_countries": [ "United States of America" ], "malware_families": [ { "id": "Trojan.Tofsee/Botx", "display_name": "Trojan.Tofsee/Botx", "target": null }, { "id": "ALF:JASYP:Trojan:Win32/IRCbot!atmn", "display_name": "ALF:JASYP:Trojan:Win32/IRCbot!atmn", "target": null }, { "id": "PWS:Win32/Axespec.A", "display_name": "PWS:Win32/Axespec.A", "target": "/malware/PWS:Win32/Axespec.A" }, { "id": "Worm:Win32/Lightmoon.H", "display_name": "Worm:Win32/Lightmoon.H", "target": "/malware/Worm:Win32/Lightmoon.H" } ], "attack_ids": [ { "id": "T1053", "name": "Scheduled Task/Job", "display_name": "T1053 - Scheduled Task/Job" }, { "id": "T1055", "name": "Process Injection", "display_name": "T1055 - Process Injection" }, { "id": "T1082", "name": "System Information Discovery", "display_name": "T1082 - System Information Discovery" }, { "id": "T1112", "name": "Modify Registry", "display_name": "T1112 - Modify Registry" }, { "id": "T1119", "name": "Automated Collection", "display_name": "T1119 - Automated Collection" }, { "id": "T1129", "name": "Shared Modules", "display_name": "T1129 - Shared Modules" }, { "id": "T1143", "name": "Hidden Window", "display_name": "T1143 - Hidden Window" }, { "id": "TA0003", "name": "Persistence", "display_name": "TA0003 - Persistence" }, { "id": "T1147", "name": "Hidden Users", "display_name": "T1147 - Hidden Users" }, { "id": "T1041", "name": "Exfiltration Over C2 Channel", "display_name": "T1041 - Exfiltration Over C2 Channel" }, { "id": "T1071.004", "name": "DNS", "display_name": "T1071.004 - DNS" }, { "id": "T1439", "name": "Eavesdrop on Insecure Network Communication", "display_name": "T1439 - Eavesdrop on Insecure Network Communication" }, { "id": "T1410", "name": "Network Traffic Capture or Redirection", "display_name": "T1410 - Network Traffic Capture or Redirection" }, { "id": "T1449", "name": "Exploit SS7 to Redirect Phone Calls/SMS", "display_name": "T1449 - Exploit SS7 to Redirect Phone Calls/SMS" }, { "id": "T1155", "name": "AppleScript", "display_name": "T1155 - AppleScript" }, { "id": "T1583.005", "name": "Botnet", "display_name": "T1583.005 - Botnet" }, { "id": "T1557", "name": "Man-in-the-Middle", "display_name": "T1557 - Man-in-the-Middle" }, { "id": "T1012", "name": "Query Registry", "display_name": "T1012 - Query Registry" }, { "id": "T1057", "name": "Process Discovery", "display_name": "T1057 - Process Discovery" }, { "id": "T1069", "name": "Permission Groups Discovery", "display_name": "T1069 - Permission Groups Discovery" }, { "id": "T1071", "name": "Application Layer Protocol", "display_name": "T1071 - Application Layer Protocol" }, { "id": "T1105", "name": "Ingress Tool Transfer", "display_name": "T1105 - Ingress Tool Transfer" }, { "id": "T1132", "name": "Data Encoding", "display_name": "T1132 - Data Encoding" }, { "id": "T1480", "name": "Execution Guardrails", "display_name": "T1480 - Execution Guardrails" }, { "id": "T1566", "name": "Phishing", "display_name": "T1566 - Phishing" }, { "id": "T1573", "name": "Encrypted Channel", "display_name": "T1573 - Encrypted Channel" }, { "id": "T1078.004", "name": "Cloud Accounts", "display_name": "T1078.004 - Cloud Accounts" }, { "id": "T1069.003", "name": "Cloud Groups", "display_name": "T1069.003 - Cloud Groups" }, { "id": "T1562.001", "name": "Disable or Modify Tools", "display_name": "T1562.001 - Disable or Modify Tools" }, { "id": "T1113", "name": "Screen Capture", "display_name": "T1113 - Screen Capture" }, { "id": "T1071.001", "name": "Web Protocols", "display_name": "T1071.001 - Web Protocols" } ], "industries": [], "TLP": "green", "cloned_from": null, "export_count": 3, "upvotes_count": 0, "downvotes_count": 0, "votes_count": 0, "locked": false, "pulse_source": "web", "validator_count": 0, "comment_count": 1, "follower_count": 0, "vote": 0, "author": { "username": "Q.Vashti", "id": "337942", "avatar_url": "https://otx.alienvault.com/assets/images/default-avatar.png", "is_subscribed": false, "is_following": false }, "indicator_type_counts": { "FileHash-MD5": 102, "FileHash-SHA1": 59, "FileHash-SHA256": 1929, "domain": 854, "hostname": 2156, "URL": 4475, "SSLCertFingerprint": 9, "email": 7, "CVE": 1 }, "indicator_count": 9592, "is_author": false, "is_subscribing": null, "subscriber_count": 138, "modified_text": "49 days ago ", "is_modified": true, "groups": [], "in_group": false, "threat_hunter_scannable": true, "threat_hunter_has_agents": 1, "related_indicator_type": "URL", "related_indicator_is_active": 1 }, { "id": "69770bdfbdd845a3d5cb2484", "name": "Drive-by Compromise | Rootkit installed on Apple Device", "description": "Drive-by Compromise | Rootkit installed on Apple Device | The devices in this example are obviously compromised. We tested a device another Apple device by viewing a Sprouts Farmers Market E-commerce website. The App crashed revealing the source of the issue. I admit that even though device is HEAVILY compromised by threat actors; it continued to preform.\nThis week the Apple devices have experienced a series of BLACK & PINK stutters One had the letter \u2018P\u2019. The most important part of the research is who & why someone targets victims of crime who are either deceased or catastrophically injured. One victims \u2018voice\u2019 has been captured and is now calling people she knew and creeping them out. \n\nAlso curious about the \u2018Hello\u2019 api lineages. Malware packed. Check-ins & Bot Network found.\n\n[OTX auto populated- Here is the full list of URLs from the 20th anniversary of the birth of Daylin Olson, who was born and raised in New York in the US, and who he is now.]\n\n#stop", "modified": "2026-02-25T06:02:12.072000", "created": "2026-01-26T06:38:23.334000", "tags": [ "url https", "url http", "netherlands", "france", "united", "canada", "spain", "ascii text", "pattern match", "mitre att", "ck id", "null", "refresh", "title", "span", "hybrid", "general", "local", "path", "strings", "error", "tools", "look", "verify", "restart", "meta", "form", "bad traffic", "et info", "tls handshake", "failure", "flag", "windir", "openurl c", "prefetch2", "analysis", "ck matrix", "href", "network traffic", "encrypt", "learn", "name tactics", "suspicious", "informative", "command", "adversaries", "spawns", "ssl certificate", "initial access", "zerobits", "allocationtype", "protect", "programfiles", "processhandle", "commitsize", "viewsize", "regionsize", "viewsize d5000", "viewsize c9000", "phishing", "filehandle", "report uid", "handles modules", "files amsi", "streams", "path filehandle", "porthandle", "modules files", "amsi streams", "accept", "starfield", "onload", "root", "backdoor", "passive dns", "next associated", "gmt location", "ipv4 add", "urls", "files", "search", "domain address", "markmonitor", "name server", "se referen", "ntprotec", "data upload", "extraction", "country", "overview dns", "requests domain", "date", "contacted hosts", "ip address", "defense evasion", "found", "size", "mask", "enterprise", "trojanspy", "checkin", "gmt content", "vercel x", "twitter", "trojan", "malware", "for privacy", "servers", "domains ii", "record value", "ca issuers", "unknown aaaa", "status", "present jul", "moved", "present jan", "present oct", "present sep", "unknown ns", "present dec", "ipv4", "url analysis", "location united", "1.25.26", "q.vashti pulse", "cloud", "foundry", "process details", "formbook cnc", "cape", "autoit", "high", "formbook", "yara rule", "delete", "get na", "write", "unknown", "copy", "autoit error", "autoIt paused", "global", "div div", "script script", "h6 div", "p div", "registrar", "project", "showing", "emails", "name servers", "ids detec", "domain", "hostname", "hello", "spyware" ], "references": [ "https://hello.extendedstay.com/api/mailings/unsubscribe/PMRGSZBCHIYTGOBWGYYTOLBCN5ZGOIR2EI2DGYZVMQ3DMNZNGY3GEYZNGQ2GIMBNMEYGENBNGQZDMMZYGA3DGZRZGI4SELBCOZSXE43JN5XCEORCGQRCYITTNFTSEORCHAZEKSCRNZ3UWTKHLA4US2BWNFVWK2SKKNXHAZTBO5RGOY2FGFYUOTTGNRJHQ5RZFU4TAPJCPU", "NtProtectVirtualMemory@NTDLL.DLL", "66.33.60.130 command_and_control", "76.76.21.61 command_and_control", "IDS Detections Trojan.Generic.KDV.545753 Checkin", "https://communityinviter.com/apps/cloudfoundry/cloud-foundry", "http://cve.chainguard.dev", "http://partners.spycloud.com", "https://signin-pro-azure.crayon.com/signin-oidc", "Invalid IP (052.105.023.053)", "https://codesearch.criteois.com/opengrok/search?q=", "https://grok-chatbot.tapnetic.pro/$", "spywarewatchdog.org", "http://git.spywarewatchdog.org", "https://bot.dev.talos-systems.io/", "https://otx.alienvault.com/pulse/6976d6afd744c55bd596ed6e" ], "public": 1, "adversary": "", "targeted_countries": [ "United States of America" ], "malware_families": [ { "id": "Win.Dropper.Gh0stRAT-10028210-0", "display_name": "Win.Dropper.Gh0stRAT-10028210-0", "target": null }, { "id": "Backdoor:Win32/Kanav.A", "display_name": "Backdoor:Win32/Kanav.A", "target": "/malware/Backdoor:Win32/Kanav.A" }, { "id": "Win.Trojan.Upatre-3371", "display_name": "Win.Trojan.Upatre-3371", "target": null }, { "id": "TrojanDownloader:Win32/Upatre.A", "display_name": "TrojanDownloader:Win32/Upatre.A", "target": "/malware/TrojanDownloader:Win32/Upatre.A" }, { "id": "Win.Trojan.Upatre-3371", "display_name": "Win.Trojan.Upatre-3371", "target": null }, { "id": "TrojanDownloader:Win32/Upatre.A", "display_name": "TrojanDownloader:Win32/Upatre.A", "target": "/malware/TrojanDownloader:Win32/Upatre.A" }, { "id": "Win.Dropper.LokiBot-10010685-0", "display_name": "Win.Dropper.LokiBot-10010685-0", "target": null }, { "id": "Win.Packed.Dapato-10021645-0", "display_name": "Win.Packed.Dapato-10021645-0", "target": null }, { "id": "TrojanSpy:Win32/Nivdort.CW", "display_name": "TrojanSpy:Win32/Nivdort.CW", "target": "/malware/TrojanSpy:Win32/Nivdort.CW" }, { "id": "Win.Packed.Malwarex-9792170-0", "display_name": "Win.Packed.Malwarex-9792170-0", "target": null }, { "id": "Trojan:Win32/Glupteba.MT!MTB", "display_name": "Trojan:Win32/Glupteba.MT!MTB", "target": "/malware/Trojan:Win32/Glupteba.MT!MTB" }, { "id": "AutoIt", "display_name": "AutoIt", "target": null }, { "id": "FormBook", "display_name": "FormBook", "target": null } ], "attack_ids": [ { "id": "T1057", "name": "Process Discovery", "display_name": "T1057 - Process Discovery" }, { "id": "T1069", "name": "Permission Groups Discovery", "display_name": "T1069 - Permission Groups Discovery" }, { "id": "T1071", "name": "Application Layer Protocol", "display_name": "T1071 - Application Layer Protocol" }, { "id": "T1105", "name": "Ingress Tool Transfer", "display_name": "T1105 - Ingress Tool Transfer" }, { "id": "T1480", "name": "Execution Guardrails", "display_name": "T1480 - Execution Guardrails" }, { "id": "T1568", "name": "Dynamic Resolution", "display_name": "T1568 - Dynamic Resolution" }, { "id": "T1113", "name": "Screen Capture", "display_name": "T1113 - Screen Capture" }, { "id": "T1598", "name": "Phishing for Information", "display_name": "T1598 - Phishing for Information" }, { "id": "T1456", "name": "Drive-by Compromise", "display_name": "T1456 - Drive-by Compromise" }, { "id": "T1189", "name": "Drive-by Compromise", "display_name": "T1189 - Drive-by Compromise" }, { "id": "T1553", "name": "Subvert Trust Controls", "display_name": "T1553 - Subvert Trust Controls" }, { "id": "T1583", "name": "Acquire Infrastructure", "display_name": "T1583 - Acquire Infrastructure" }, { "id": "T1115", "name": "Clipboard Data", "display_name": "T1115 - Clipboard Data" }, { "id": "T1069.002", "name": "Domain Groups", "display_name": "T1069.002 - Domain Groups" }, { "id": "T1568.002", "name": "Domain Generation Algorithms", "display_name": "T1568.002 - Domain Generation Algorithms" }, { "id": "T1116", "name": "Code Signing", "display_name": "T1116 - Code Signing" }, { "id": "T1071.001", "name": "Web Protocols", "display_name": "T1071.001 - Web Protocols" }, { "id": "T1071.004", "name": "DNS", "display_name": "T1071.004 - DNS" }, { "id": "T1059", "name": "Command and Scripting Interpreter", "display_name": "T1059 - Command and Scripting Interpreter" }, { "id": "T1562", "name": "Impair Defenses", "display_name": "T1562 - Impair Defenses" }, { "id": "T1590", "name": "Gather Victim Network Information", "display_name": "T1590 - Gather Victim Network Information" }, { "id": "T1140", "name": "Deobfuscate/Decode Files or Information", "display_name": "T1140 - Deobfuscate/Decode Files or Information" }, { "id": "T1014", "name": "Rootkit", "display_name": "T1014 - Rootkit" }, { "id": "T1016", "name": "System Network Configuration Discovery", "display_name": "T1016 - System Network Configuration Discovery" }, { "id": "T1083", "name": "File and Directory Discovery", "display_name": "T1083 - File and Directory Discovery" }, { "id": "T1204", "name": "User Execution", "display_name": "T1204 - User Execution" }, { "id": "T1583.001", "name": "Domains", "display_name": "T1583.001 - Domains" }, { "id": "T1562.001", "name": "Disable or Modify Tools", "display_name": "T1562.001 - Disable or Modify Tools" }, { "id": "T1553.002", "name": "Code Signing", "display_name": "T1553.002 - Code Signing" }, { "id": "T1016.001", "name": "Internet Connection Discovery", "display_name": "T1016.001 - Internet Connection Discovery" }, { "id": "T1584.005", "name": "Botnet", "display_name": "T1584.005 - Botnet" }, { "id": "T1583.004", "name": "Server", "display_name": "T1583.004 - Server" }, { "id": "T1078.004", "name": "Cloud Accounts", "display_name": "T1078.004 - Cloud Accounts" }, { "id": "T1584.003", "name": "Virtual Private Server", "display_name": "T1584.003 - Virtual Private Server" } ], "industries": [ "Ecommerce", "Government" ], "TLP": "green", "cloned_from": null, "export_count": 1, "upvotes_count": 0, "downvotes_count": 0, "votes_count": 0, "locked": false, "pulse_source": "web", "validator_count": 0, "comment_count": 0, "follower_count": 0, "vote": 0, "author": { "username": "Q.Vashti", "id": "337942", "avatar_url": "https://otx.alienvault.com/assets/images/default-avatar.png", "is_subscribed": false, "is_following": false }, "indicator_type_counts": { "URL": 6777, "domain": 907, "hostname": 2070, "FileHash-SHA256": 1120, "FileHash-MD5": 202, "FileHash-SHA1": 184, "SSLCertFingerprint": 23, "email": 4 }, "indicator_count": 11287, "is_author": false, "is_subscribing": null, "subscriber_count": 139, "modified_text": "53 days ago ", "is_modified": true, "groups": [], "in_group": false, "threat_hunter_scannable": true, "threat_hunter_has_agents": 1, "related_indicator_type": "URL", "related_indicator_is_active": 1 }, { "id": "6964c08bf79bcb252eaa9e15", "name": "TrojanSpy - Spotify account under an attack which conceals artists releases / deletes followers", "description": "Spotify Attacks: TrojanSpy - Streamer Spotify account under an attack which conceals artists releases / deletes followers. The attack is adversarial. I\u2019m unclear how widespread it is. . Further research required. OTX auto generated Pegasus. Released work that was once viewable is now concealed, followers deleted.\n#cloudfront #spyware #delete_service #cloudfront_attacks", "modified": "2026-02-11T09:03:20.933000", "created": "2026-01-12T09:36:11.701000", "tags": [ "google", "fastly", "googlecl", "january", "http", "domain", "akamaias", "cloudflar", "page url", "de summary", "april", "reverse dns", "url https", "general full", "software", "united", "resource hash", "protocol h3", "security quic", "protocol h2", "security tls", "main", "present jan", "title", "gmt max", "certificate", "moved", "lowfi", "gmt content", "meta", "present dec", "status", "aaaa", "passive dns", "urls", "search", "expiration date", "win32", "files", "verdict", "files ip", "address", "mtb jan", "trojandropper", "backdoor", "win32upatre jan", "origin trial", "gmt cache", "443 ma2592000", "possible", "worm", "trojan", "ip address", "record value", "dark", "found", "ipv4 add", "error", "trojanspy", "emails", "servers", "pegasus", "america flag", "america asn", "tlsv1", "read c", "show", "medium", "lstockholm", "ospotify ab", "odigicert inc", "execution", "next", "dock", "write", "persistence", "dynamicloader", "yara rule", "ms windows", "pe32", "named pipe", "smartassembly", "delphi", "malware", "united states", "pe file", "filehash", "md5 add", "av detections", "ids detections", "yara detections", "alerts", "high", "write c", "tls sni", "tls handshake", "delete", "as15169", "stun binding", "request", "port", "win64", "themida", "guard", "risepro", "sha256", "sha1", "pattern match", "ascii text", "size", "mitre att", "ck id", "null", "refresh", "span", "hybrid", "general", "local", "path", "click", "strings", "tools", "look", "verify", "restart", "learn", "command", "name tactics", "suspicious", "informative", "spawns", "ck techniques", "evasion att", "t1480 execution", "directui", "element", "hwndhost", "classinfobase", "hwndelement", "value", "explorer", "insert", "movie", "hacktool", "showing", "entries http", "scans show", "california", "location united", "next associated", "pulse pulses", "name servers", "found request", "unique", "url add", "related nids", "files location", "expiration", "flag united", "present nov", "present sep", "href", "suricata stream", "command decode", "starfield", "encrypt", "iframe", "date", "title error", "hostname", "pulse submit", "memcommit", "checks", "windows", "capture", "cloudfront", "colorado", "creation date", "hostname add", "eset", "binary file", "pdb path", "internalname", "nod32", "amon" ], "references": [ "open.spotify.com \u2022", "https://open.spotify.com/intl-de/track/5KjB1j0u54VXg6M8SN8hH2", "https://open.spotify.com/track/5KjB1j0u54VXg6M8SN8hH2", "FileHash-SHA256 cb40cd426d6e55c2b175b5be3327bfdf8d5a0074bf48b823121bd4720ed2ad95", "events.launchdarkly.com \u2022 clientstream.launchdarkly. \u2022 app.launchdarkly.com", "https://target.tccwest.www.littleswimmers.fr/", "www.onyx-ware.com \u2022 endgamesystems.com", "cloudfront.net \u2022 d127qq8ld0aiq5.cloudfront.net" ], "public": 1, "adversary": "", "targeted_countries": [], "malware_families": [ { "id": "TrojanSpy", "display_name": "TrojanSpy", "target": null }, { "id": "Win.Packed.Stealerc-10017074-0", "display_name": "Win.Packed.Stealerc-10017074-0", "target": null }, { "id": "#Lowfi:Win32/AutoIt", "display_name": "#Lowfi:Win32/AutoIt", "target": "/malware/#Lowfi:Win32/AutoIt" }, { "id": "Win.Packed.Generic-9967832-0", "display_name": "Win.Packed.Generic-9967832-0", "target": null }, { "id": "TrojanSpy:MSIL/Yakbeex.A", "display_name": "TrojanSpy:MSIL/Yakbeex.A", "target": "/malware/TrojanSpy:MSIL/Yakbeex.A" }, { "id": "Pegasus", "display_name": "Pegasus", "target": null }, { "id": "Win32:HacktoolX-gen\\ [Trj]", "display_name": "Win32:HacktoolX-gen\\ [Trj]", "target": null }, { "id": "nUFS_unicode", "display_name": "nUFS_unicode", "target": null }, { "id": "HackTool:Win32/CobaltStrike.A", "display_name": "HackTool:Win32/CobaltStrike.A", "target": "/malware/HackTool:Win32/CobaltStrike.A" }, { "id": "Win.Dropper.PoisonIvy-9876745-0", "display_name": "Win.Dropper.PoisonIvy-9876745-0", "target": null }, { "id": "Trojan:Win32/Zombie.A", "display_name": "Trojan:Win32/Zombie.A", "target": "/malware/Trojan:Win32/Zombie.A" }, { "id": "Win.Trojan.Barys-10005825-0", "display_name": "Win.Trojan.Barys-10005825-0", "target": null } ], "attack_ids": [ { "id": "T1102", "name": "Web Service", "display_name": "T1102 - Web Service" }, { "id": "T1053", "name": "Scheduled Task/Job", "display_name": "T1053 - Scheduled Task/Job" }, { "id": "T1055", "name": "Process Injection", "display_name": "T1055 - Process Injection" }, { "id": "T1082", "name": "System Information Discovery", "display_name": "T1082 - System Information Discovery" }, { "id": "T1112", "name": "Modify Registry", "display_name": "T1112 - Modify Registry" }, { "id": "T1119", "name": "Automated Collection", "display_name": "T1119 - Automated Collection" }, { "id": "T1129", "name": "Shared Modules", "display_name": "T1129 - Shared Modules" }, { "id": "T1143", "name": "Hidden Window", "display_name": "T1143 - Hidden Window" }, { "id": "T1045", "name": "Software Packing", "display_name": "T1045 - Software Packing" }, { "id": "T1063", "name": "Security Software Discovery", "display_name": "T1063 - Security Software Discovery" }, { "id": "TA0003", "name": "Persistence", "display_name": "TA0003 - Persistence" }, { "id": "T1057", "name": "Process Discovery", "display_name": "T1057 - Process Discovery" }, { "id": "T1060", "name": "Registry Run Keys / Startup Folder", "display_name": "T1060 - Registry Run Keys / Startup Folder" }, { "id": "T1069", "name": "Permission Groups Discovery", "display_name": "T1069 - Permission Groups Discovery" }, { "id": "T1071", "name": "Application Layer Protocol", "display_name": "T1071 - Application Layer Protocol" }, { "id": "T1105", "name": "Ingress Tool Transfer", "display_name": "T1105 - Ingress Tool Transfer" }, { "id": "T1480", "name": "Execution Guardrails", "display_name": "T1480 - Execution Guardrails" }, { "id": "T1113", "name": "Screen Capture", "display_name": "T1113 - Screen Capture" }, { "id": "T1587.001", "name": "Malware", "display_name": "T1587.001 - Malware" }, { "id": "T1069.002", "name": "Domain Groups", "display_name": "T1069.002 - Domain Groups" }, { "id": "T1071.001", "name": "Web Protocols", "display_name": "T1071.001 - Web Protocols" }, { "id": "T1140", "name": "Deobfuscate/Decode Files or Information", "display_name": "T1140 - Deobfuscate/Decode Files or Information" }, { "id": "T1059", "name": "Command and Scripting Interpreter", "display_name": "T1059 - Command and Scripting Interpreter" }, { "id": "T1189", "name": "Drive-by Compromise", "display_name": "T1189 - Drive-by Compromise" }, { "id": "T1553", "name": "Subvert Trust Controls", "display_name": "T1553 - Subvert Trust Controls" }, { "id": "T1562", "name": "Impair Defenses", "display_name": "T1562 - Impair Defenses" }, { "id": "T1566", "name": "Phishing", "display_name": "T1566 - Phishing" }, { "id": "T1568", "name": "Dynamic Resolution", "display_name": "T1568 - Dynamic Resolution" }, { "id": "T1583", "name": "Acquire Infrastructure", "display_name": "T1583 - Acquire Infrastructure" }, { "id": "T1056", "name": "Input Capture", "display_name": "T1056 - Input Capture" }, { "id": "T1158", "name": "Hidden Files and Directories", "display_name": "T1158 - Hidden Files and Directories" }, { "id": "TA0037", "name": "Command and Control", "display_name": "TA0037 - Command and Control" } ], "industries": [ "Entertainment", "Technology" ], "TLP": "white", "cloned_from": null, "export_count": 2, "upvotes_count": 0, "downvotes_count": 0, "votes_count": 0, "locked": false, "pulse_source": "web", "validator_count": 0, "comment_count": 0, "follower_count": 0, "vote": 0, "author": { "username": "Q.Vashti", "id": "337942", "avatar_url": "https://otx.alienvault.com/assets/images/default-avatar.png", "is_subscribed": false, "is_following": false }, "indicator_type_counts": { "hostname": 1293, "URL": 3389, "FileHash-MD5": 635, "FileHash-SHA1": 531, "FileHash-SHA256": 2345, "domain": 501, "email": 12, "SSLCertFingerprint": 16 }, "indicator_count": 8722, "is_author": false, "is_subscribing": null, "subscriber_count": 138, "modified_text": "67 days ago ", "is_modified": true, "groups": [], "in_group": false, "threat_hunter_scannable": true, "threat_hunter_has_agents": 1, "related_indicator_type": "URL", "related_indicator_is_active": 1 }, { "id": "69642a749490c0bf404aa8ac", "name": "Google Services - Malware Packed Google Branded Services", "description": "Contacted Google services | Service (1 of 3) || GoogleChromeElevationService | Mofksys \u2022 Unruy | Relationship: https://otx.alienvault.com/pulse/69640c0afc9805a6fa2da07b | \n#affilliated #worm _#exploit #alternate_google #infection #spyware", "modified": "2026-02-10T22:01:54.041000", "created": "2026-01-11T22:55:48.308000", "tags": [ "write c", "write", "delete c", "ms windows", "pe32 executable", "globalc", "united", "worm", "malware", "defender", "united states", "google", "google account", "mtb ids", "cloudflare dns", "https domain", "tls sni", "medium priority", "yara detections", "alerts", "google play", "google api", "google chrome", "mofksys", "exploit", "process32nextw", "msie", "windows nt", "wow64", "slcc2", "media center", "search", "precreate read", "read c", "dock", "unknown", "suspicious", "alt google", "execution att", "lowfi", "mtb jan", "trojandropper", "passive dns", "backdoor", "win32upatre jan", "origin trial", "gmt cache", "443 ma2592000", "possible", "trojan", "title", "mtb dec", "ipv4 add", "state", "trojan", "dropper", "phishing", "ransom", "of colorado" ], "references": [ "accounts.google.com \u2022 apis.google.com clients2.google.com \u2022 clients2.googleusercontent.com", "142.251.9.95 \u2022 https://clients2.google.com/cr/report \u2022 accounts.google.com \u2022", "ogads-pa.clients6.google.com \u2022 optimizationguide-pa.googleapis.com \u2022 play.google.com", "update.googleapis.com \u2022 www.google.com \u2022 clientservices.googleapis.com", "Worm:Win32/Mofksys.RND!MTB | Yara Detections: SUSP_Imphash_Mar23_2", "IDS Detection: Observed Cloudflare DNS over HTTPS \u2022 Domain (cloudflare-dns .com in TLS SNI)", "Alerts: suspicious_iocontrol_codes infostealer_cookies persistence_autorun antisandbox_sleep", "Alerts: persistence_autorun_tasks polymorphic procmem_yara static_pe_anomaly antiav_detectfile", "Alerts: antiav_detectreg antivm_bochs_keys antivm_generic_disk infostealer_mail injection_write", "Alerts: suspicious_command_tools anomalous_deletefile mouse_movement_detect", "Alerts: dynamic_function_loading resumethread_remote_process stealth_hiddenreg", "Contacted Google services", "SERVICE NAME: SSDPSRV \u2022 Delete upnphost\tDelete \u2022 GoogleChromeElevationService", "https://otx.alienvault.com/indicator/file/cb40cd426d6e55c2b175b5be3327bfdf8d5a0074bf48b823121bd4720ed2ad95", "https://otx.alienvault.com/otxapi/indicators/file/screenshot/cb40cd426d6e55c2b175b5be3327bfdf8d5a0074bf48b823121bd4720ed2ad95", "codewiki.google", "Win.Malware.Unruy-6912804-0 IDS Detections: Win32/Unruy.C Activity 403 Forbidden", "Alerts: network_icmp persistence_autorun antivm_vmware_in_instruction", "Alerts: network_http antisandbox_sleep creates_exe dropper stealth_window", "Alerts: injection_process_search protection_rx", "IP\u2019s Contacted: 142.250.74.68 142.250.74.99 18.66.121.69 185.53.179.170 2.22.41.134 204.79.197.200", "IP\u2019s Contacted: 208.91.196.46 209.197.3.8 216.239.32.29 35.186.238.101", "Domains Contacted: www.microsoft.com www.bing.com www2.megawebdeals.com www.google.com", "Domains Contacted: ocsp.pki.goog www.download.windowsupdate.com ifdnzact.com", "Domains Contacted: d38psrni17bvxu.cloudfront.net www2.megawebfind.com www6.megawebfind.com", "PE Version Information : TJprojMain.exe", "Found in : https://otx.alienvault.com/pulse/69640c0afc9805a6fa2da07b", "IDS Detections Win32/Unruy.C Activity \u2022 403 Forbidden" ], "public": 1, "adversary": "", "targeted_countries": [ "United States of America" ], "malware_families": [ { "id": "Worm:Win32/Mofksys.RND!MTB", "display_name": "Worm:Win32/Mofksys.RND!MTB", "target": "/malware/Worm:Win32/Mofksys.RND!MTB" }, { "id": "Win.Malware.Unruy-6912804-0", "display_name": "Win.Malware.Unruy-6912804-0", "target": null }, { "id": "Win.Packed.Eyestye-9754938-0", "display_name": "Win.Packed.Eyestye-9754938-0", "target": null }, { "id": "Eyestye", "display_name": "Eyestye", "target": null }, { "id": "AutoRun", "display_name": "AutoRun", "target": null }, { "id": "Tofsee", "display_name": "Tofsee", "target": null }, { "id": "Trojan:Win32/EyeStye.T", "display_name": "Trojan:Win32/EyeStye.T", "target": "/malware/Trojan:Win32/EyeStye.T" }, { "id": "ALF:HeraklezEval:PUA:Win32/4Shared", "display_name": "ALF:HeraklezEval:PUA:Win32/4Shared", "target": null }, { "id": "Cassini", "display_name": "Cassini", "target": null }, { "id": "DarkMoon", "display_name": "DarkMoon", "target": null }, { "id": "PolyRansom", "display_name": "PolyRansom", "target": null }, { "id": "Upatre", "display_name": "Upatre", "target": null }, { "id": "Malware Packed", "display_name": "Malware Packed", "target": null } ], "attack_ids": [ { "id": "T1060", "name": "Registry Run Keys / Startup Folder", "display_name": "T1060 - Registry Run Keys / Startup Folder" }, { "id": "T1063", "name": "Security Software Discovery", "display_name": "T1063 - Security Software Discovery" }, { "id": "T1045", "name": "Software Packing", "display_name": "T1045 - Software Packing" }, { "id": "T1053", "name": "Scheduled Task/Job", "display_name": "T1053 - Scheduled Task/Job" }, { "id": "T1057", "name": "Process Discovery", "display_name": "T1057 - Process Discovery" }, { "id": "T1129", "name": "Shared Modules", "display_name": "T1129 - Shared Modules" }, { "id": "T1143", "name": "Hidden Window", "display_name": "T1143 - Hidden Window" }, { "id": "T1036.004", "name": "Masquerade Task or Service", "display_name": "T1036.004 - Masquerade Task or Service" }, { "id": "T1078.003", "name": "Local Accounts", "display_name": "T1078.003 - Local Accounts" }, { "id": "T1078.001", "name": "Default Accounts", "display_name": "T1078.001 - Default Accounts" }, { "id": "T1087.003", "name": "Email Account", "display_name": "T1087.003 - Email Account" }, { "id": "T1078.002", "name": "Domain Accounts", "display_name": "T1078.002 - Domain Accounts" }, { "id": "T1090.004", "name": "Domain Fronting", "display_name": "T1090.004 - Domain Fronting" }, { "id": "T1566", "name": "Phishing", "display_name": "T1566 - Phishing" }, { "id": "TA0011", "name": "Command and Control", "display_name": "TA0011 - Command and Control" }, { "id": "T1031", "name": "Modify Existing Service", "display_name": "T1031 - Modify Existing Service" }, { "id": "T1608.001", "name": "Upload Malware", "display_name": "T1608.001 - Upload Malware" }, { "id": "T1588.001", "name": "Malware", "display_name": "T1588.001 - Malware" }, { "id": "T1035", "name": "Service Execution", "display_name": "T1035 - Service Execution" }, { "id": "T1071.001", "name": "Web Protocols", "display_name": "T1071.001 - Web Protocols" }, { "id": "T1071.004", "name": "DNS", "display_name": "T1071.004 - DNS" }, { "id": "T1011", "name": "Exfiltration Over Other Network Medium", "display_name": "T1011 - Exfiltration Over Other Network Medium" } ], "industries": [], "TLP": "green", "cloned_from": null, "export_count": 1, "upvotes_count": 0, "downvotes_count": 0, "votes_count": 0, "locked": false, "pulse_source": "web", "validator_count": 0, "comment_count": 0, "follower_count": 0, "vote": 0, "author": { "username": "Q.Vashti", "id": "337942", "avatar_url": "https://otx.alienvault.com/assets/images/default-avatar.png", "is_subscribed": false, "is_following": false }, "indicator_type_counts": { "FileHash-MD5": 198, "FileHash-SHA1": 165, "FileHash-SHA256": 867, "URL": 1461, "hostname": 429, "domain": 221, "SSLCertFingerprint": 1 }, "indicator_count": 3342, "is_author": false, "is_subscribing": null, "subscriber_count": 139, "modified_text": "67 days ago ", "is_modified": true, "groups": [], "in_group": false, "threat_hunter_scannable": true, "threat_hunter_has_agents": 1, "related_indicator_type": "URL", "related_indicator_is_active": 1 }, { "id": "69482caa00d327da8f0a87bc", "name": "Chris P.\u2019 Buzz\u2019 Ahmann Colorado State Criminal Defense Attorney (22.20.2025)", "description": "", "modified": "2026-01-20T17:02:02.650000", "created": "2025-12-21T17:21:46.434000", "tags": [ "related pulses", "p1377925676", "gaz1", "sid1696503456", "sct1", "active", "dynamicloader", "medium", "write c", "search", "show", "high", "program gateway", "http traffic", "http", "write", "malware", "nivdort", "serving ip", "address", "status code", "kb body", "sha256", "gw5hjz7t975", "url https", "url http", "indicator role", "pulses url", "hostname", "poland unknown", "present sep", "present jul", "present may", "present apr", "present dec", "present jan", "moved", "passive dns", "ip address", "title", "location poland", "asn as29522", "gmt content", "accept encoding", "ipv4 add", "urls", "files", "reverse dns", "united", "record value", "aaaa", "mtb oct", "found", "error", "read c", "memcommit", "module load", "next", "showing", "trojan", "execution", "unknown", "entries", "ms windows", "intel", "as15169", "codeoverlap", "yara detections", "delphi", "worm", "win32", "win64", "learn", "ck id", "name tactics", "suspicious", "informative", "adversaries", "command", "spawns", "ssl certificate", "execution att", "script urls", "treece alfrey", "meta", "germany unknown", "for privacy", "title added", "active related", "pulses", "asnone", "named pipe", "type indicator", "role title", "added active", "filehashsha256", "ally", "melika", "information", "law christopher", "https", "fake pinterest", "tsara", "traceback man", "expiro", "capture", "domain", "types of", "germany", "poland", "netherlands", "cve cve20178977", "boobs130432 nov", "learn more", "filehashmd5", "utmsourceawin", "pe32", "head microsoft", "delete", "main", "backdoor", "next associated", "gmt connection", "control", "content type", "twitter", "certificate", "redirect date", "cache", "unknown ns", "hostname add", "ipv4", "pulse pulses", "location united", "america flag", "america asn", "windows", "total", "ids detections", "url add", "related nids", "files location", "flag united", "win32mydoom nov", "domain add", "yara rule", "ee fc", "ff d5", "f0 ff", "eb e1", "ff ff", "c1 e8", "c1 c0", "eb e8", "mpress", "cache control", "x cache", "date", "name servers", "arial", "present aug", "present jun", "may god", "hall render", "palantir doing", "jeffrey scott", "jeffrey reimer", "brian sabey", "butt pirates", "scott reimer", "colorado", "quasi government", "workers compensation", "eva lisa", "eva reimer", "sammie", "montano mark", "death threats", "tulach", "hired hit men", "gay man", "gay porn", "concentra", "corruption", "palantir", "foundry", "grifter", "warning", "illegal", "apple", "contacted", "ransom", "dead", "denver" ], "references": [ "https://tamlegal.com/attorneys/christopher-p-ahmann/#breadcrumb \u2022 https://www.milehighmedia.com/en/movies", "https://www.milehighmedia.com/legal/2257 \u2022 https://www.milehighmedia", "www.milehighmedia.com \u2022 https://www.milehighmedia.com/en/Charlie-Dean/pornstar/49512", "https://www.milehighmedia.com/en/login/index/aHR0cHMlM0ElMkYlMkZtZW1iZXJzLm1pbGVoaWdobWVkaWEuY29tJTJGZW4lMkZ2aWRlb3MlMkZzd2VldGhlYXJ0dmlkZW8lM0ZhbHVwJTNEQURqeF9ITjhfd1oweU96UnpsU3NNNUZLaVVxSzBXNEN0X3NmTFpKTGVJc3M2b0RVUzkwVmp6VllNVko5eFpmdENYcFNKd3IzOTNaMG1mOEpXeVhVeVZpLTJZYVRsaGd3M25DSDRpYnRwZ25BRC1zUFhDQVUycjZJOXo2WWtRMzNVWVFhMFZyWC1YckxvcnRkVjJZdEgxSDYxZ1lhMTFNS3RZSkEzY3FlSXhFQzhtSlAzSk1tbloySURMQXlMZndPcHozSFFiTzF4T0FseXJIQ0xYem1ldFElMkE=\t \thttp://www.milehighmedia.com/?ats=eyJhIjoyOTYzMTgsImMiOjU3OTYzNz", "http://www.milehighmedia.com/legal\t \u2022 https://www.milehighmedia.com/en/pornstar/milehighmedia/Justin-Hunt/51017", "https://www.milehighmedia.com/de/MileHighMedia/scene/129689?utm_source=271174&utm_medium=affiliate&utm_campaign=", "http://www.milehighmedia.com/?ats=eyJhIjoyOTYzMTgsImMiOjU3OTYzNzc1LCJuIjo3NiwicyI6NT...", "ttps://www.milehighmedia.com/scene/4404473/creampie-adventures-scene-2-sneaky-melanie", "https://www.milehighmedia.com/join \u2022 https://www.milehighmedia.com/models \u2022 https://www.milehighmedia.com/movies", "https://www.milehighmedia.com/model/59136/avi-love \u2022https://www.milehighmedia.com/model/60418/Justin-Hunt \u2022", "https://www.milehighmedia.com/en/photo/milehighmedia/The-Mother-I-Cant-Resist/52380", "https://www.milehighmedia.com/en/movies \u2022 https://www.milehighmedia.com/join", "https://www.pornhub.com/gifs/search?search=tsara+lynn+brashears+lesbian", "pornhub-e.com \u2022 www.pornhub.com \u2022", "https://www.sweetheartvideo.com/tsara-brashears/ \u2022 www.sweetheartvideo.com", "https://www.sweetheartvideo.com/en/?s=1?s=1&utm_source=272160&utm_medium=affiliate&utm_campaign=lovelezzies", "https://www.sweetheartvideo.com/en/dvd/Lesbian-Massage/49895", "https://www.sweetheartvideo.com/en/dvds \u2022 https://www.sweetheartvideo.com/en/login", "https://www.sweetheartvideo.com/en/model/Mona-Wales/49601 \u2022 https://www.sweetheartvideo.com/en/scene/Truth-Dare--Boobs/130432 No Expiration\t0\t URL https://www.sweetheartvideo.com/it/model/Kristen-Scott/50432 \u2022 https://www.sweetheartvideo.com/model/63710/brandi-love", "https://www.sweetheartvideo.com/scenes?models=63710", "https://www.sweetheartvideo.com/model/63710/brandi-love", "https://www.sweetheartvideo.com/scenes?models=63710", "https://www.sweetheartvideo.com/it/model/Kristen-Scott/50432", "https://www.sweetheartvideo.com/en/scene/Truth-Dare--Boobs/130432", "https://www.milehighmedia.com/en/photo/milehighmedia/The-Mother-I-Cant-Resist/52380", "https://www.vgt.pl/font/roboto/Roboto-Bold.eot \u2022", "https://www.vgt.pl/94.152.152.233/images/logo.png", "https://www.vgt.pl/94.152.156.22/logo.png \u2022 https://www.vgt.pl/css/", "https://www.vgt.pl/favicon.ico", "https://www.vgt.pl/font/fa/fontawesome-webfont.eot", "https://www.vgt.pl/font/roboto/Roboto-Bold.ttf \u2022 https://www.vgt.pl/font/roboto/Roboto-Light.eot", "https://www.vgt.pl/font/roboto/Roboto-Medium.ttf", "https://www.vgt.pl/font/roboto/Roboto-Light.ttf \u2022", "https://www.vgt.pl/static/js/bootstrap-typeahead.jstic/js/bootstrap-typeahead.js", "https://www.vgt.pl/style/style.css \u2022 https://www.vgt.pl/font/roboto/Roboto-Medium.eot", "https://www.vgt.pl/font/roboto/Roboto-Regular.ttf \u2022 https://www.vgt.pl/font/roboto/Roboto-Thin.eot", "https://www.vgt.pl/static/js/bootstrap-typeahead.js.179.252.2", "https://www.vgt.pl/font/roboto/Roboto-Thin.ttf \u2022 https://www.vgt.pl/static/js/bootstrap-typeahead.js", "https://www.vgt.pl/font/roboto/Roboto-Regular.eot \u2022 https://www.vgt.pl/94.152.156.22/logo.png \u2022 https://www.vgt.pl/css/", "vgt.pl \u2022 www.hak.vgt.pl \u2022 www.localhost.vgt.pl \u2022 www.certyfikat.vgt.pl \u2022 aristocrat.vgt.pl", "https://www.vgt.pl/ phishing \u2022 https://vgt.pl/ \u2022www.vgt.pl \u2022 https://www.vgt.pl/94.152.152.233/images/logo.png", "http://www.pornokind.vgt.pl \u2022 https://dbkuewww.m.vgt.pl \u2022 https://lokalnyhost.vgt.pl \u2022 www.xn--twj-hna.pedofil.vgt.pl", "http://www.hak.vgt.pl \u2022 http://pornokind.vgt.pl \u2022 http://sip.vgt.pl \u2022 http://smtp-qa.vgt.pl \u2022 http://vgt.pl/*.", "https://pornokind.vgt.pl \u2022 https://sip.vgt.pl \u2022 https://smtp-qa.vgt.pl \u2022 https://www.vgt.pl/94.152.156.22/logo.png", "www.localhost.vgt.pl \u2022 www.certyfikat.vgt.pl \u2022 https://www.vgt.pl/94.152.152.233/images/logo.png", "https://www.vgt.pl/css/ \u2022 https://www.vgt.pl/favicon.ico \u2022 https://www.vgt.pl/font/fa/fontawesome-webfont.eot", "https://www.vgt.pl/font/roboto/Roboto-Bold.eot \u2022 https://www.vgt.pl/font/roboto/Roboto-Bold.ttf \u2022 https://www.vgt.pl/font/roboto/Roboto-Light.eot", "https://www.vgt.pl/static/js/bootstrap-typeahead.jstic/js/bootstrap-typeahead.js", "https://www.vgt.pl/style/style.css \u2022 https://www.vgt.pl/static/js/bootstrap-typeahead.js", "IP Address 94.152.58.192 Location Poland ASN AS29522 h88 s.a. Nameservers ns1.kei.pl. , ns2.kei.pl.", "www.happylifehappywife.com \u2022 http://www.happylifehappywife.com/2010/02/'>", "http://www.happylifehappywife.com/2010/04/'> \u2022 http://www.happylifehappywife.com/2010/05/'>", "http://www.happylifehappywife.com/2010/07/'> \u2022 http://www.happylifehappywife.com/2010/09/'>", "http://www.happylifehappywife.com/2011/06/'> \u2022 http://www.happylifehappywife.com/2011/08/'", "http://www.happylifehappywife.com/2011/08/'> \u2022 http://www.happylifehappywife.com/2012/07/'>", "http://www.happylifehappywife.com/2013/03/'> \u2022 http://www.happylifehappywife.com/index.php", "http://www.happylifehappywife.com/wp-content/themes/theme78222/images/top-right.jpg", "https://amp.mypornvid.fun/videos/8/AhxS-ej1myg/gf-18-com/\ud83c\udf81-i39m-your-present-\ud83c\udf81-girlfriend-surprises-you-for-christmas-reunion-soft-kisses-amp-cuddles", "8-25-220-162-static.reverse.queryfoundry.net\t\t\tNov 1, 2025, 9:34:14 AM\t\t5\t domain\tqueryfoundry.net\t\t\tNov 1, 2025, 9:34:14 AM\t\t8\t URL\thttp://117-114-251-162-static.reverse.queryfoundry.net/", "http://watchhers.net/index.php", "remotewd.com device local", "nr-data.net \u2022 applemusic-spotlight.myunidays.com \u2022 init.ess.apple.com \u2022 tv.apple.com", "https://browntubeporn.com/tsara-brashearsAccept-Language", "https://cg864.myhotzpic.com phishing \u2022 http://dashboard.myhotzpic.com/", "https://myhotzpic.com/tsara-brashears-hardcore-lesbian-sex/anime-studio.org*thumbs-fa...", "https://mypornvid.com/videos/27/x510fb2/white-dpt-jeffrey-reimer-loves-pretty-indian-patient-forces-sex-3gp-video-tsara-brashears/caillou-finger", "http://siteinlink.d1.cnbd.net/search/tsara-brashears-dead \u2022 http://siteinlink.d1.cnbd.net/site/maps.google.com.lb/", "http://siteinlink.d1.cnbd.net/search/tsara-brashears-assaulted-by-jeffrey-reimer", "http://siteinlink.d1.cnbd.net/search/tsara-brashears-dead \u2022 https://videolal.com/videos/tsara-brashears-dead-by-daylight.html", "http://pixelrz.com/lists/keywords/tsara-brashears-dead/360 \u2022 http://pixelrz.com/lists/keywords/tsara-brashears-dead/360] No Expiration\t4\t Domain tsara-brashears-deadspin-twitter-suspended-account-help.ht", "https://www.anyxxxtube.net/search-porn/tsara-brashears/", "https://www.pornhub.com/gifs/search?search=tsara+lynn+brashears+lesbian", "https://www.anyxxxtube.net/search-porn/tsara-brashears/", "https://twitter.com/PORNO_SEXYBABES \u2022 girlsdoporn.com", "Treece Alfrey Musat P.C. Attorneys at Law Christopher P. Ahmann | https://TamLegal.com", "https://urlscan.io/screenshots/e931bb02-80dc-46db-92f0-43d5afa258be.png" ], "public": 1, "adversary": "", "targeted_countries": [], "malware_families": [ { "id": "TrojanSpy:Win32/Nivdort", "display_name": "TrojanSpy:Win32/Nivdort", "target": "/malware/TrojanSpy:Win32/Nivdort" }, { "id": "Worm:Win32/Autorun", "display_name": "Worm:Win32/Autorun", "target": "/malware/Worm:Win32/Autorun" }, { "id": "Tofsee", "display_name": "Tofsee", "target": null }, { "id": "Jaik", "display_name": "Jaik", "target": null }, { "id": "Trojan:Win32/Qshell", "display_name": "Trojan:Win32/Qshell", "target": "/malware/Trojan:Win32/Qshell" }, { "id": "Trojan:Win32/Mydoom", "display_name": "Trojan:Win32/Mydoom", "target": "/malware/Trojan:Win32/Mydoom" } ], "attack_ids": [ { "id": "T1045", "name": "Software Packing", "display_name": "T1045 - Software Packing" }, { "id": "T1057", "name": "Process Discovery", "display_name": "T1057 - Process Discovery" }, { "id": "T1060", "name": "Registry Run Keys / Startup Folder", "display_name": "T1060 - Registry Run Keys / Startup Folder" }, { "id": "T1053", "name": "Scheduled Task/Job", "display_name": "T1053 - Scheduled Task/Job" }, { "id": "T1055", "name": "Process Injection", "display_name": "T1055 - Process Injection" }, { "id": "T1082", "name": "System Information Discovery", "display_name": "T1082 - System Information Discovery" }, { "id": "T1112", "name": "Modify Registry", "display_name": "T1112 - Modify Registry" }, { "id": "T1119", "name": "Automated Collection", "display_name": "T1119 - Automated Collection" }, { "id": "T1129", "name": "Shared Modules", "display_name": "T1129 - Shared Modules" }, { "id": "T1143", "name": "Hidden Window", "display_name": "T1143 - Hidden Window" }, { "id": "T1063", "name": "Security Software Discovery", "display_name": "T1063 - Security Software Discovery" }, { "id": "T1027", "name": "Obfuscated Files or Information", "display_name": "T1027 - Obfuscated Files or Information" }, { "id": "T1071", "name": "Application Layer Protocol", "display_name": "T1071 - Application Layer Protocol" }, { "id": "T1518", "name": "Software Discovery", "display_name": "T1518 - Software Discovery" }, { "id": "T1553", "name": "Subvert Trust Controls", "display_name": "T1553 - Subvert Trust Controls" }, { "id": "T1568", "name": "Dynamic Resolution", "display_name": "T1568 - Dynamic Resolution" }, { "id": "T1583", "name": "Acquire Infrastructure", "display_name": "T1583 - Acquire Infrastructure" }, { "id": "T1069", "name": "Permission Groups Discovery", "display_name": "T1069 - Permission Groups Discovery" }, { "id": "T1105", "name": "Ingress Tool Transfer", "display_name": "T1105 - Ingress Tool Transfer" }, { "id": "T1113", "name": "Screen Capture", "display_name": "T1113 - Screen Capture" }, { "id": "T1140", "name": "Deobfuscate/Decode Files or Information", "display_name": "T1140 - Deobfuscate/Decode Files or Information" }, { "id": "T1197", "name": "BITS Jobs", "display_name": "T1197 - BITS Jobs" }, { "id": "T1210", "name": "Exploitation of Remote Services", "display_name": "T1210 - Exploitation of Remote Services" }, { "id": "T1457", "name": "Malicious Media Content", "display_name": "T1457 - Malicious Media Content" }, { "id": "T1480", "name": "Execution Guardrails", "display_name": "T1480 - Execution Guardrails" }, { "id": "T1562", "name": "Impair Defenses", "display_name": "T1562 - Impair Defenses" }, { "id": "T1574", "name": "Hijack Execution Flow", "display_name": "T1574 - Hijack Execution Flow" } ], "industries": [], "TLP": "green", "cloned_from": "691f4d4ef0a2a570b8b21cd2", "export_count": 3, "upvotes_count": 0, "downvotes_count": 0, "votes_count": 0, "locked": false, "pulse_source": "web", "validator_count": 0, "comment_count": 0, "follower_count": 0, "vote": 0, "author": { "username": "Q.Vashti", "id": "337942", "avatar_url": "https://otx.alienvault.com/assets/images/default-avatar.png", "is_subscribed": false, "is_following": false }, "indicator_type_counts": { "URL": 8897, "domain": 2102, "hostname": 2867, "FileHash-SHA256": 3886, "FileHash-MD5": 619, "FileHash-SHA1": 555, "CVE": 3, "email": 5, "SSLCertFingerprint": 8 }, "indicator_count": 18942, "is_author": false, "is_subscribing": null, "subscriber_count": 137, "modified_text": "89 days ago ", "is_modified": true, "groups": [], "in_group": false, "threat_hunter_scannable": true, "threat_hunter_has_agents": 1, "related_indicator_type": "URL", "related_indicator_is_active": 1 }, { "id": "691f4d4ef0a2a570b8b21cd2", "name": "Chris P. Ahmann Colorado State Criminal Defense Attorney", "description": "Chris P. Ahmann Colorado State Criminal Defense attorney hired by quasi government Workers Compensation to completely destroy Tsara Brashears literally to death. None of her spinal cord injuries , and other assault injuries discussed or compensated for in rushed settlement case. Her awful racist attorney refused to represent plaintiffs in hearing. Never met with in person for no good reason. Tsara represented herself. Less that 24 hour notice. No briefings, no awareness or mention that Ahmann was representing Jeffrey Scott Reimer for assault\n case. Brashears required 24 hour care by end of life. Received 0 workers compsarion payments. But if this doesn\u2019t prove Reimer\u2019s guilt what does? Continued harassment of associated. \n\nNotice the outages? You\u2019ve cost BILLIONS? Stop threatening everyone.", "modified": "2026-01-20T17:02:02.650000", "created": "2025-11-20T17:18:06.929000", "tags": [ "related pulses", "p1377925676", "gaz1", "sid1696503456", "sct1", "active", "dynamicloader", "medium", "write c", "search", "show", "high", "program gateway", "http traffic", "http", "write", "malware", "nivdort", "serving ip", "address", "status code", "kb body", "sha256", "gw5hjz7t975", "url https", "url http", "indicator role", "pulses url", "hostname", "poland unknown", "present sep", "present jul", "present may", "present apr", "present dec", "present jan", "moved", "passive dns", "ip address", "title", "location poland", "asn as29522", "gmt content", "accept encoding", "ipv4 add", "urls", "files", "reverse dns", "united", "record value", "aaaa", "mtb oct", "found", "error", "read c", "memcommit", "module load", "next", "showing", "trojan", "execution", "unknown", "entries", "ms windows", "intel", "as15169", "codeoverlap", "yara detections", "delphi", "worm", "win32", "win64", "learn", "ck id", "name tactics", "suspicious", "informative", "adversaries", "command", "spawns", "ssl certificate", "execution att", "script urls", "treece alfrey", "meta", "germany unknown", "for privacy", "title added", "active related", "pulses", "asnone", "named pipe", "type indicator", "role title", "added active", "filehashsha256", "ally", "melika", "information", "law christopher", "https", "fake pinterest", "tsara", "traceback man", "expiro", "capture", "domain", "types of", "germany", "poland", "netherlands", "cve cve20178977", "boobs130432 nov", "learn more", "filehashmd5", "utmsourceawin", "pe32", "head microsoft", "delete", "main", "backdoor", "next associated", "gmt connection", "control", "content type", "twitter", "certificate", "redirect date", "cache", "unknown ns", "hostname add", "ipv4", "pulse pulses", "location united", "america flag", "america asn", "windows", "total", "ids detections", "url add", "related nids", "files location", "flag united", "win32mydoom nov", "domain add", "yara rule", "ee fc", "ff d5", "f0 ff", "eb e1", "ff ff", "c1 e8", "c1 c0", "eb e8", "mpress", "cache control", "x cache", "date", "name servers", "arial", "present aug", "present jun", "may god", "hall render", "palantir doing", "jeffrey scott", "jeffrey reimer", "brian sabey", "butt pirates", "scott reimer", "colorado", "quasi government", "workers compensation", "eva lisa", "eva reimer", "sammie", "montano mark", "death threats", "tulach", "hired hit men", "gay man", "gay porn", "concentra", "corruption", "palantir", "foundry", "grifter", "warning", "illegal", "apple", "contacted", "ransom", "dead", "denver" ], "references": [ "https://tamlegal.com/attorneys/christopher-p-ahmann/#breadcrumb \u2022 https://www.milehighmedia.com/en/movies", "https://www.milehighmedia.com/legal/2257 \u2022 https://www.milehighmedia", "www.milehighmedia.com \u2022 https://www.milehighmedia.com/en/Charlie-Dean/pornstar/49512", "https://www.milehighmedia.com/en/login/index/aHR0cHMlM0ElMkYlMkZtZW1iZXJzLm1pbGVoaWdobWVkaWEuY29tJTJGZW4lMkZ2aWRlb3MlMkZzd2VldGhlYXJ0dmlkZW8lM0ZhbHVwJTNEQURqeF9ITjhfd1oweU96UnpsU3NNNUZLaVVxSzBXNEN0X3NmTFpKTGVJc3M2b0RVUzkwVmp6VllNVko5eFpmdENYcFNKd3IzOTNaMG1mOEpXeVhVeVZpLTJZYVRsaGd3M25DSDRpYnRwZ25BRC1zUFhDQVUycjZJOXo2WWtRMzNVWVFhMFZyWC1YckxvcnRkVjJZdEgxSDYxZ1lhMTFNS3RZSkEzY3FlSXhFQzhtSlAzSk1tbloySURMQXlMZndPcHozSFFiTzF4T0FseXJIQ0xYem1ldFElMkE=\t \thttp://www.milehighmedia.com/?ats=eyJhIjoyOTYzMTgsImMiOjU3OTYzNz", "http://www.milehighmedia.com/legal\t \u2022 https://www.milehighmedia.com/en/pornstar/milehighmedia/Justin-Hunt/51017", "https://www.milehighmedia.com/de/MileHighMedia/scene/129689?utm_source=271174&utm_medium=affiliate&utm_campaign=", "http://www.milehighmedia.com/?ats=eyJhIjoyOTYzMTgsImMiOjU3OTYzNzc1LCJuIjo3NiwicyI6NT...", "ttps://www.milehighmedia.com/scene/4404473/creampie-adventures-scene-2-sneaky-melanie", "https://www.milehighmedia.com/join \u2022 https://www.milehighmedia.com/models \u2022 https://www.milehighmedia.com/movies", "https://www.milehighmedia.com/model/59136/avi-love \u2022https://www.milehighmedia.com/model/60418/Justin-Hunt \u2022", "https://www.milehighmedia.com/en/photo/milehighmedia/The-Mother-I-Cant-Resist/52380", "https://www.milehighmedia.com/en/movies \u2022 https://www.milehighmedia.com/join", "https://www.pornhub.com/gifs/search?search=tsara+lynn+brashears+lesbian", "pornhub-e.com \u2022 www.pornhub.com \u2022", "https://www.sweetheartvideo.com/tsara-brashears/ \u2022 www.sweetheartvideo.com", "https://www.sweetheartvideo.com/en/?s=1?s=1&utm_source=272160&utm_medium=affiliate&utm_campaign=lovelezzies", "https://www.sweetheartvideo.com/en/dvd/Lesbian-Massage/49895", "https://www.sweetheartvideo.com/en/dvds \u2022 https://www.sweetheartvideo.com/en/login", "https://www.sweetheartvideo.com/en/model/Mona-Wales/49601 \u2022 https://www.sweetheartvideo.com/en/scene/Truth-Dare--Boobs/130432 No Expiration\t0\t URL https://www.sweetheartvideo.com/it/model/Kristen-Scott/50432 \u2022 https://www.sweetheartvideo.com/model/63710/brandi-love", "https://www.sweetheartvideo.com/scenes?models=63710", "https://www.sweetheartvideo.com/model/63710/brandi-love", "https://www.sweetheartvideo.com/scenes?models=63710", "https://www.sweetheartvideo.com/it/model/Kristen-Scott/50432", "https://www.sweetheartvideo.com/en/scene/Truth-Dare--Boobs/130432", "https://www.milehighmedia.com/en/photo/milehighmedia/The-Mother-I-Cant-Resist/52380", "https://www.vgt.pl/font/roboto/Roboto-Bold.eot \u2022", "https://www.vgt.pl/94.152.152.233/images/logo.png", "https://www.vgt.pl/94.152.156.22/logo.png \u2022 https://www.vgt.pl/css/", "https://www.vgt.pl/favicon.ico", "https://www.vgt.pl/font/fa/fontawesome-webfont.eot", "https://www.vgt.pl/font/roboto/Roboto-Bold.ttf \u2022 https://www.vgt.pl/font/roboto/Roboto-Light.eot", "https://www.vgt.pl/font/roboto/Roboto-Medium.ttf", "https://www.vgt.pl/font/roboto/Roboto-Light.ttf \u2022", "https://www.vgt.pl/static/js/bootstrap-typeahead.jstic/js/bootstrap-typeahead.js", "https://www.vgt.pl/style/style.css \u2022 https://www.vgt.pl/font/roboto/Roboto-Medium.eot", "https://www.vgt.pl/font/roboto/Roboto-Regular.ttf \u2022 https://www.vgt.pl/font/roboto/Roboto-Thin.eot", "https://www.vgt.pl/static/js/bootstrap-typeahead.js.179.252.2", "https://www.vgt.pl/font/roboto/Roboto-Thin.ttf \u2022 https://www.vgt.pl/static/js/bootstrap-typeahead.js", "https://www.vgt.pl/font/roboto/Roboto-Regular.eot \u2022 https://www.vgt.pl/94.152.156.22/logo.png \u2022 https://www.vgt.pl/css/", "vgt.pl \u2022 www.hak.vgt.pl \u2022 www.localhost.vgt.pl \u2022 www.certyfikat.vgt.pl \u2022 aristocrat.vgt.pl", "https://www.vgt.pl/ phishing \u2022 https://vgt.pl/ \u2022www.vgt.pl \u2022 https://www.vgt.pl/94.152.152.233/images/logo.png", "http://www.pornokind.vgt.pl \u2022 https://dbkuewww.m.vgt.pl \u2022 https://lokalnyhost.vgt.pl \u2022 www.xn--twj-hna.pedofil.vgt.pl", "http://www.hak.vgt.pl \u2022 http://pornokind.vgt.pl \u2022 http://sip.vgt.pl \u2022 http://smtp-qa.vgt.pl \u2022 http://vgt.pl/*.", "https://pornokind.vgt.pl \u2022 https://sip.vgt.pl \u2022 https://smtp-qa.vgt.pl \u2022 https://www.vgt.pl/94.152.156.22/logo.png", "www.localhost.vgt.pl \u2022 www.certyfikat.vgt.pl \u2022 https://www.vgt.pl/94.152.152.233/images/logo.png", "https://www.vgt.pl/css/ \u2022 https://www.vgt.pl/favicon.ico \u2022 https://www.vgt.pl/font/fa/fontawesome-webfont.eot", "https://www.vgt.pl/font/roboto/Roboto-Bold.eot \u2022 https://www.vgt.pl/font/roboto/Roboto-Bold.ttf \u2022 https://www.vgt.pl/font/roboto/Roboto-Light.eot", "https://www.vgt.pl/static/js/bootstrap-typeahead.jstic/js/bootstrap-typeahead.js", "https://www.vgt.pl/style/style.css \u2022 https://www.vgt.pl/static/js/bootstrap-typeahead.js", "IP Address 94.152.58.192 Location Poland ASN AS29522 h88 s.a. Nameservers ns1.kei.pl. , ns2.kei.pl.", "www.happylifehappywife.com \u2022 http://www.happylifehappywife.com/2010/02/'>", "http://www.happylifehappywife.com/2010/04/'> \u2022 http://www.happylifehappywife.com/2010/05/'>", "http://www.happylifehappywife.com/2010/07/'> \u2022 http://www.happylifehappywife.com/2010/09/'>", "http://www.happylifehappywife.com/2011/06/'> \u2022 http://www.happylifehappywife.com/2011/08/'", "http://www.happylifehappywife.com/2011/08/'> \u2022 http://www.happylifehappywife.com/2012/07/'>", "http://www.happylifehappywife.com/2013/03/'> \u2022 http://www.happylifehappywife.com/index.php", "http://www.happylifehappywife.com/wp-content/themes/theme78222/images/top-right.jpg", "https://amp.mypornvid.fun/videos/8/AhxS-ej1myg/gf-18-com/\ud83c\udf81-i39m-your-present-\ud83c\udf81-girlfriend-surprises-you-for-christmas-reunion-soft-kisses-amp-cuddles", "8-25-220-162-static.reverse.queryfoundry.net\t\t\tNov 1, 2025, 9:34:14 AM\t\t5\t domain\tqueryfoundry.net\t\t\tNov 1, 2025, 9:34:14 AM\t\t8\t URL\thttp://117-114-251-162-static.reverse.queryfoundry.net/", "http://watchhers.net/index.php", "remotewd.com device local", "nr-data.net \u2022 applemusic-spotlight.myunidays.com \u2022 init.ess.apple.com \u2022 tv.apple.com", "https://browntubeporn.com/tsara-brashearsAccept-Language", "https://cg864.myhotzpic.com phishing \u2022 http://dashboard.myhotzpic.com/", "https://myhotzpic.com/tsara-brashears-hardcore-lesbian-sex/anime-studio.org*thumbs-fa...", "https://mypornvid.com/videos/27/x510fb2/white-dpt-jeffrey-reimer-loves-pretty-indian-patient-forces-sex-3gp-video-tsara-brashears/caillou-finger", "http://siteinlink.d1.cnbd.net/search/tsara-brashears-dead \u2022 http://siteinlink.d1.cnbd.net/site/maps.google.com.lb/", "http://siteinlink.d1.cnbd.net/search/tsara-brashears-assaulted-by-jeffrey-reimer", "http://siteinlink.d1.cnbd.net/search/tsara-brashears-dead \u2022 https://videolal.com/videos/tsara-brashears-dead-by-daylight.html", "http://pixelrz.com/lists/keywords/tsara-brashears-dead/360 \u2022 http://pixelrz.com/lists/keywords/tsara-brashears-dead/360] No Expiration\t4\t Domain tsara-brashears-deadspin-twitter-suspended-account-help.ht", "https://www.anyxxxtube.net/search-porn/tsara-brashears/", "https://www.pornhub.com/gifs/search?search=tsara+lynn+brashears+lesbian", "https://www.anyxxxtube.net/search-porn/tsara-brashears/", "https://twitter.com/PORNO_SEXYBABES \u2022 girlsdoporn.com", "Treece Alfrey Musat P.C. Attorneys at Law Christopher P. Ahmann | https://TamLegal.com", "https://urlscan.io/screenshots/e931bb02-80dc-46db-92f0-43d5afa258be.png" ], "public": 1, "adversary": "", "targeted_countries": [], "malware_families": [ { "id": "TrojanSpy:Win32/Nivdort", "display_name": "TrojanSpy:Win32/Nivdort", "target": "/malware/TrojanSpy:Win32/Nivdort" }, { "id": "Worm:Win32/Autorun", "display_name": "Worm:Win32/Autorun", "target": "/malware/Worm:Win32/Autorun" }, { "id": "Tofsee", "display_name": "Tofsee", "target": null }, { "id": "Jaik", "display_name": "Jaik", "target": null }, { "id": "Trojan:Win32/Qshell", "display_name": "Trojan:Win32/Qshell", "target": "/malware/Trojan:Win32/Qshell" }, { "id": "Trojan:Win32/Mydoom", "display_name": "Trojan:Win32/Mydoom", "target": "/malware/Trojan:Win32/Mydoom" } ], "attack_ids": [ { "id": "T1045", "name": "Software Packing", "display_name": "T1045 - Software Packing" }, { "id": "T1057", "name": "Process Discovery", "display_name": "T1057 - Process Discovery" }, { "id": "T1060", "name": "Registry Run Keys / Startup Folder", "display_name": "T1060 - Registry Run Keys / Startup Folder" }, { "id": "T1053", "name": "Scheduled Task/Job", "display_name": "T1053 - Scheduled Task/Job" }, { "id": "T1055", "name": "Process Injection", "display_name": "T1055 - Process Injection" }, { "id": "T1082", "name": "System Information Discovery", "display_name": "T1082 - System Information Discovery" }, { "id": "T1112", "name": "Modify Registry", "display_name": "T1112 - Modify Registry" }, { "id": "T1119", "name": "Automated Collection", "display_name": "T1119 - Automated Collection" }, { "id": "T1129", "name": "Shared Modules", "display_name": "T1129 - Shared Modules" }, { "id": "T1143", "name": "Hidden Window", "display_name": "T1143 - Hidden Window" }, { "id": "T1063", "name": "Security Software Discovery", "display_name": "T1063 - Security Software Discovery" }, { "id": "T1027", "name": "Obfuscated Files or Information", "display_name": "T1027 - Obfuscated Files or Information" }, { "id": "T1071", "name": "Application Layer Protocol", "display_name": "T1071 - Application Layer Protocol" }, { "id": "T1518", "name": "Software Discovery", "display_name": "T1518 - Software Discovery" }, { "id": "T1553", "name": "Subvert Trust Controls", "display_name": "T1553 - Subvert Trust Controls" }, { "id": "T1568", "name": "Dynamic Resolution", "display_name": "T1568 - Dynamic Resolution" }, { "id": "T1583", "name": "Acquire Infrastructure", "display_name": "T1583 - Acquire Infrastructure" }, { "id": "T1069", "name": "Permission Groups Discovery", "display_name": "T1069 - Permission Groups Discovery" }, { "id": "T1105", "name": "Ingress Tool Transfer", "display_name": "T1105 - Ingress Tool Transfer" }, { "id": "T1113", "name": "Screen Capture", "display_name": "T1113 - Screen Capture" }, { "id": "T1140", "name": "Deobfuscate/Decode Files or Information", "display_name": "T1140 - Deobfuscate/Decode Files or Information" }, { "id": "T1197", "name": "BITS Jobs", "display_name": "T1197 - BITS Jobs" }, { "id": "T1210", "name": "Exploitation of Remote Services", "display_name": "T1210 - Exploitation of Remote Services" }, { "id": "T1457", "name": "Malicious Media Content", "display_name": "T1457 - Malicious Media Content" }, { "id": "T1480", "name": "Execution Guardrails", "display_name": "T1480 - Execution Guardrails" }, { "id": "T1562", "name": "Impair Defenses", "display_name": "T1562 - Impair Defenses" }, { "id": "T1574", "name": "Hijack Execution Flow", "display_name": "T1574 - Hijack Execution Flow" } ], "industries": [], "TLP": "green", "cloned_from": null, "export_count": 4, "upvotes_count": 0, "downvotes_count": 0, "votes_count": 0, "locked": false, "pulse_source": "web", "validator_count": 0, "comment_count": 0, "follower_count": 0, "vote": 0, "author": { "username": "Q.Vashti", "id": "337942", "avatar_url": "https://otx.alienvault.com/assets/images/default-avatar.png", "is_subscribed": false, "is_following": false }, "indicator_type_counts": { "URL": 8897, "domain": 2102, "hostname": 2867, "FileHash-SHA256": 3886, "FileHash-MD5": 619, "FileHash-SHA1": 555, "CVE": 3, "email": 5, "SSLCertFingerprint": 8 }, "indicator_count": 18942, "is_author": false, "is_subscribing": null, "subscriber_count": 139, "modified_text": "89 days ago ", "is_modified": true, "groups": [], "in_group": false, "threat_hunter_scannable": true, "threat_hunter_has_agents": 1, "related_indicator_type": "URL", "related_indicator_is_active": 1 }, { "id": "695557ee134b978b00883c29", "name": "Chris P. Ahmann \u2022 Stay out of PRIVATE PROPERTY HITMAN! Colorado State", "description": "", "modified": "2026-01-20T17:02:02.650000", "created": "2025-12-31T17:05:50.134000", "tags": [ "related pulses", "p1377925676", "gaz1", "sid1696503456", "sct1", "active", "dynamicloader", "medium", "write c", "search", "show", "high", "program gateway", "http traffic", "http", "write", "malware", "nivdort", "serving ip", "address", "status code", "kb body", "sha256", "gw5hjz7t975", "url https", "url http", "indicator role", "pulses url", "hostname", "poland unknown", "present sep", "present jul", "present may", "present apr", "present dec", "present jan", "moved", "passive dns", "ip address", "title", "location poland", "asn as29522", "gmt content", "accept encoding", "ipv4 add", "urls", "files", "reverse dns", "united", "record value", "aaaa", "mtb oct", "found", "error", "read c", "memcommit", "module load", "next", "showing", "trojan", "execution", "unknown", "entries", "ms windows", "intel", "as15169", "codeoverlap", "yara detections", "delphi", "worm", "win32", "win64", "learn", "ck id", "name tactics", "suspicious", "informative", "adversaries", "command", "spawns", "ssl certificate", "execution att", "script urls", "treece alfrey", "meta", "germany unknown", "for privacy", "title added", "active related", "pulses", "asnone", "named pipe", "type indicator", "role title", "added active", "filehashsha256", "ally", "melika", "information", "law christopher", "https", "fake pinterest", "tsara", "traceback man", "expiro", "capture", "domain", "types of", "germany", "poland", "netherlands", "cve cve20178977", "boobs130432 nov", "learn more", "filehashmd5", "utmsourceawin", "pe32", "head microsoft", "delete", "main", "backdoor", "next associated", "gmt connection", "control", "content type", "twitter", "certificate", "redirect date", "cache", "unknown ns", "hostname add", "ipv4", "pulse pulses", "location united", "america flag", "america asn", "windows", "total", "ids detections", "url add", "related nids", "files location", "flag united", "win32mydoom nov", "domain add", "yara rule", "ee fc", "ff d5", "f0 ff", "eb e1", "ff ff", "c1 e8", "c1 c0", "eb e8", "mpress", "cache control", "x cache", "date", "name servers", "arial", "present aug", "present jun", "may god", "hall render", "palantir doing", "jeffrey scott", "jeffrey reimer", "brian sabey", "butt pirates", "scott reimer", "colorado", "quasi government", "workers compensation", "eva lisa", "eva reimer", "sammie", "montano mark", "death threats", "tulach", "hired hit men", "gay man", "gay porn", "concentra", "corruption", "palantir", "foundry", "grifter", "warning", "illegal", "apple", "contacted", "ransom", "dead", "denver" ], "references": [ "https://tamlegal.com/attorneys/christopher-p-ahmann/#breadcrumb \u2022 https://www.milehighmedia.com/en/movies", "https://www.milehighmedia.com/legal/2257 \u2022 https://www.milehighmedia", "www.milehighmedia.com \u2022 https://www.milehighmedia.com/en/Charlie-Dean/pornstar/49512", "https://www.milehighmedia.com/en/login/index/aHR0cHMlM0ElMkYlMkZtZW1iZXJzLm1pbGVoaWdobWVkaWEuY29tJTJGZW4lMkZ2aWRlb3MlMkZzd2VldGhlYXJ0dmlkZW8lM0ZhbHVwJTNEQURqeF9ITjhfd1oweU96UnpsU3NNNUZLaVVxSzBXNEN0X3NmTFpKTGVJc3M2b0RVUzkwVmp6VllNVko5eFpmdENYcFNKd3IzOTNaMG1mOEpXeVhVeVZpLTJZYVRsaGd3M25DSDRpYnRwZ25BRC1zUFhDQVUycjZJOXo2WWtRMzNVWVFhMFZyWC1YckxvcnRkVjJZdEgxSDYxZ1lhMTFNS3RZSkEzY3FlSXhFQzhtSlAzSk1tbloySURMQXlMZndPcHozSFFiTzF4T0FseXJIQ0xYem1ldFElMkE=\t \thttp://www.milehighmedia.com/?ats=eyJhIjoyOTYzMTgsImMiOjU3OTYzNz", "http://www.milehighmedia.com/legal\t \u2022 https://www.milehighmedia.com/en/pornstar/milehighmedia/Justin-Hunt/51017", "https://www.milehighmedia.com/de/MileHighMedia/scene/129689?utm_source=271174&utm_medium=affiliate&utm_campaign=", "http://www.milehighmedia.com/?ats=eyJhIjoyOTYzMTgsImMiOjU3OTYzNzc1LCJuIjo3NiwicyI6NT...", "ttps://www.milehighmedia.com/scene/4404473/creampie-adventures-scene-2-sneaky-melanie", "https://www.milehighmedia.com/join \u2022 https://www.milehighmedia.com/models \u2022 https://www.milehighmedia.com/movies", "https://www.milehighmedia.com/model/59136/avi-love \u2022https://www.milehighmedia.com/model/60418/Justin-Hunt \u2022", "https://www.milehighmedia.com/en/photo/milehighmedia/The-Mother-I-Cant-Resist/52380", "https://www.milehighmedia.com/en/movies \u2022 https://www.milehighmedia.com/join", "https://www.pornhub.com/gifs/search?search=tsara+lynn+brashears+lesbian", "pornhub-e.com \u2022 www.pornhub.com \u2022", "https://www.sweetheartvideo.com/tsara-brashears/ \u2022 www.sweetheartvideo.com", "https://www.sweetheartvideo.com/en/?s=1?s=1&utm_source=272160&utm_medium=affiliate&utm_campaign=lovelezzies", "https://www.sweetheartvideo.com/en/dvd/Lesbian-Massage/49895", "https://www.sweetheartvideo.com/en/dvds \u2022 https://www.sweetheartvideo.com/en/login", "https://www.sweetheartvideo.com/en/model/Mona-Wales/49601 \u2022 https://www.sweetheartvideo.com/en/scene/Truth-Dare--Boobs/130432 No Expiration\t0\t URL https://www.sweetheartvideo.com/it/model/Kristen-Scott/50432 \u2022 https://www.sweetheartvideo.com/model/63710/brandi-love", "https://www.sweetheartvideo.com/scenes?models=63710", "https://www.sweetheartvideo.com/model/63710/brandi-love", "https://www.sweetheartvideo.com/scenes?models=63710", "https://www.sweetheartvideo.com/it/model/Kristen-Scott/50432", "https://www.sweetheartvideo.com/en/scene/Truth-Dare--Boobs/130432", "https://www.milehighmedia.com/en/photo/milehighmedia/The-Mother-I-Cant-Resist/52380", "https://www.vgt.pl/font/roboto/Roboto-Bold.eot \u2022", "https://www.vgt.pl/94.152.152.233/images/logo.png", "https://www.vgt.pl/94.152.156.22/logo.png \u2022 https://www.vgt.pl/css/", "https://www.vgt.pl/favicon.ico", "https://www.vgt.pl/font/fa/fontawesome-webfont.eot", "https://www.vgt.pl/font/roboto/Roboto-Bold.ttf \u2022 https://www.vgt.pl/font/roboto/Roboto-Light.eot", "https://www.vgt.pl/font/roboto/Roboto-Medium.ttf", "https://www.vgt.pl/font/roboto/Roboto-Light.ttf \u2022", "https://www.vgt.pl/static/js/bootstrap-typeahead.jstic/js/bootstrap-typeahead.js", "https://www.vgt.pl/style/style.css \u2022 https://www.vgt.pl/font/roboto/Roboto-Medium.eot", "https://www.vgt.pl/font/roboto/Roboto-Regular.ttf \u2022 https://www.vgt.pl/font/roboto/Roboto-Thin.eot", "https://www.vgt.pl/static/js/bootstrap-typeahead.js.179.252.2", "https://www.vgt.pl/font/roboto/Roboto-Thin.ttf \u2022 https://www.vgt.pl/static/js/bootstrap-typeahead.js", "https://www.vgt.pl/font/roboto/Roboto-Regular.eot \u2022 https://www.vgt.pl/94.152.156.22/logo.png \u2022 https://www.vgt.pl/css/", "vgt.pl \u2022 www.hak.vgt.pl \u2022 www.localhost.vgt.pl \u2022 www.certyfikat.vgt.pl \u2022 aristocrat.vgt.pl", "https://www.vgt.pl/ phishing \u2022 https://vgt.pl/ \u2022www.vgt.pl \u2022 https://www.vgt.pl/94.152.152.233/images/logo.png", "http://www.pornokind.vgt.pl \u2022 https://dbkuewww.m.vgt.pl \u2022 https://lokalnyhost.vgt.pl \u2022 www.xn--twj-hna.pedofil.vgt.pl", "http://www.hak.vgt.pl \u2022 http://pornokind.vgt.pl \u2022 http://sip.vgt.pl \u2022 http://smtp-qa.vgt.pl \u2022 http://vgt.pl/*.", "https://pornokind.vgt.pl \u2022 https://sip.vgt.pl \u2022 https://smtp-qa.vgt.pl \u2022 https://www.vgt.pl/94.152.156.22/logo.png", "www.localhost.vgt.pl \u2022 www.certyfikat.vgt.pl \u2022 https://www.vgt.pl/94.152.152.233/images/logo.png", "https://www.vgt.pl/css/ \u2022 https://www.vgt.pl/favicon.ico \u2022 https://www.vgt.pl/font/fa/fontawesome-webfont.eot", "https://www.vgt.pl/font/roboto/Roboto-Bold.eot \u2022 https://www.vgt.pl/font/roboto/Roboto-Bold.ttf \u2022 https://www.vgt.pl/font/roboto/Roboto-Light.eot", "https://www.vgt.pl/static/js/bootstrap-typeahead.jstic/js/bootstrap-typeahead.js", "https://www.vgt.pl/style/style.css \u2022 https://www.vgt.pl/static/js/bootstrap-typeahead.js", "IP Address 94.152.58.192 Location Poland ASN AS29522 h88 s.a. Nameservers ns1.kei.pl. , ns2.kei.pl.", "www.happylifehappywife.com \u2022 http://www.happylifehappywife.com/2010/02/'>", "http://www.happylifehappywife.com/2010/04/'> \u2022 http://www.happylifehappywife.com/2010/05/'>", "http://www.happylifehappywife.com/2010/07/'> \u2022 http://www.happylifehappywife.com/2010/09/'>", "http://www.happylifehappywife.com/2011/06/'> \u2022 http://www.happylifehappywife.com/2011/08/'", "http://www.happylifehappywife.com/2011/08/'> \u2022 http://www.happylifehappywife.com/2012/07/'>", "http://www.happylifehappywife.com/2013/03/'> \u2022 http://www.happylifehappywife.com/index.php", "http://www.happylifehappywife.com/wp-content/themes/theme78222/images/top-right.jpg", "https://amp.mypornvid.fun/videos/8/AhxS-ej1myg/gf-18-com/\ud83c\udf81-i39m-your-present-\ud83c\udf81-girlfriend-surprises-you-for-christmas-reunion-soft-kisses-amp-cuddles", "8-25-220-162-static.reverse.queryfoundry.net\t\t\tNov 1, 2025, 9:34:14 AM\t\t5\t domain\tqueryfoundry.net\t\t\tNov 1, 2025, 9:34:14 AM\t\t8\t URL\thttp://117-114-251-162-static.reverse.queryfoundry.net/", "http://watchhers.net/index.php", "remotewd.com device local", "nr-data.net \u2022 applemusic-spotlight.myunidays.com \u2022 init.ess.apple.com \u2022 tv.apple.com", "https://browntubeporn.com/tsara-brashearsAccept-Language", "https://cg864.myhotzpic.com phishing \u2022 http://dashboard.myhotzpic.com/", "https://myhotzpic.com/tsara-brashears-hardcore-lesbian-sex/anime-studio.org*thumbs-fa...", "https://mypornvid.com/videos/27/x510fb2/white-dpt-jeffrey-reimer-loves-pretty-indian-patient-forces-sex-3gp-video-tsara-brashears/caillou-finger", "http://siteinlink.d1.cnbd.net/search/tsara-brashears-dead \u2022 http://siteinlink.d1.cnbd.net/site/maps.google.com.lb/", "http://siteinlink.d1.cnbd.net/search/tsara-brashears-assaulted-by-jeffrey-reimer", "http://siteinlink.d1.cnbd.net/search/tsara-brashears-dead \u2022 https://videolal.com/videos/tsara-brashears-dead-by-daylight.html", "http://pixelrz.com/lists/keywords/tsara-brashears-dead/360 \u2022 http://pixelrz.com/lists/keywords/tsara-brashears-dead/360] No Expiration\t4\t Domain tsara-brashears-deadspin-twitter-suspended-account-help.ht", "https://www.anyxxxtube.net/search-porn/tsara-brashears/", "https://www.pornhub.com/gifs/search?search=tsara+lynn+brashears+lesbian", "https://www.anyxxxtube.net/search-porn/tsara-brashears/", "https://twitter.com/PORNO_SEXYBABES \u2022 girlsdoporn.com", "Treece Alfrey Musat P.C. Attorneys at Law Christopher P. Ahmann | https://TamLegal.com", "https://urlscan.io/screenshots/e931bb02-80dc-46db-92f0-43d5afa258be.png" ], "public": 1, "adversary": "", "targeted_countries": [], "malware_families": [ { "id": "TrojanSpy:Win32/Nivdort", "display_name": "TrojanSpy:Win32/Nivdort", "target": "/malware/TrojanSpy:Win32/Nivdort" }, { "id": "Worm:Win32/Autorun", "display_name": "Worm:Win32/Autorun", "target": "/malware/Worm:Win32/Autorun" }, { "id": "Tofsee", "display_name": "Tofsee", "target": null }, { "id": "Jaik", "display_name": "Jaik", "target": null }, { "id": "Trojan:Win32/Qshell", "display_name": "Trojan:Win32/Qshell", "target": "/malware/Trojan:Win32/Qshell" }, { "id": "Trojan:Win32/Mydoom", "display_name": "Trojan:Win32/Mydoom", "target": "/malware/Trojan:Win32/Mydoom" } ], "attack_ids": [ { "id": "T1045", "name": "Software Packing", "display_name": "T1045 - Software Packing" }, { "id": "T1057", "name": "Process Discovery", "display_name": "T1057 - Process Discovery" }, { "id": "T1060", "name": "Registry Run Keys / Startup Folder", "display_name": "T1060 - Registry Run Keys / Startup Folder" }, { "id": "T1053", "name": "Scheduled Task/Job", "display_name": "T1053 - Scheduled Task/Job" }, { "id": "T1055", "name": "Process Injection", "display_name": "T1055 - Process Injection" }, { "id": "T1082", "name": "System Information Discovery", "display_name": "T1082 - System Information Discovery" }, { "id": "T1112", "name": "Modify Registry", "display_name": "T1112 - Modify Registry" }, { "id": "T1119", "name": "Automated Collection", "display_name": "T1119 - Automated Collection" }, { "id": "T1129", "name": "Shared Modules", "display_name": "T1129 - Shared Modules" }, { "id": "T1143", "name": "Hidden Window", "display_name": "T1143 - Hidden Window" }, { "id": "T1063", "name": "Security Software Discovery", "display_name": "T1063 - Security Software Discovery" }, { "id": "T1027", "name": "Obfuscated Files or Information", "display_name": "T1027 - Obfuscated Files or Information" }, { "id": "T1071", "name": "Application Layer Protocol", "display_name": "T1071 - Application Layer Protocol" }, { "id": "T1518", "name": "Software Discovery", "display_name": "T1518 - Software Discovery" }, { "id": "T1553", "name": "Subvert Trust Controls", "display_name": "T1553 - Subvert Trust Controls" }, { "id": "T1568", "name": "Dynamic Resolution", "display_name": "T1568 - Dynamic Resolution" }, { "id": "T1583", "name": "Acquire Infrastructure", "display_name": "T1583 - Acquire Infrastructure" }, { "id": "T1069", "name": "Permission Groups Discovery", "display_name": "T1069 - Permission Groups Discovery" }, { "id": "T1105", "name": "Ingress Tool Transfer", "display_name": "T1105 - Ingress Tool Transfer" }, { "id": "T1113", "name": "Screen Capture", "display_name": "T1113 - Screen Capture" }, { "id": "T1140", "name": "Deobfuscate/Decode Files or Information", "display_name": "T1140 - Deobfuscate/Decode Files or Information" }, { "id": "T1197", "name": "BITS Jobs", "display_name": "T1197 - BITS Jobs" }, { "id": "T1210", "name": "Exploitation of Remote Services", "display_name": "T1210 - Exploitation of Remote Services" }, { "id": "T1457", "name": "Malicious Media Content", "display_name": "T1457 - Malicious Media Content" }, { "id": "T1480", "name": "Execution Guardrails", "display_name": "T1480 - Execution Guardrails" }, { "id": "T1562", "name": "Impair Defenses", "display_name": "T1562 - Impair Defenses" }, { "id": "T1574", "name": "Hijack Execution Flow", "display_name": "T1574 - Hijack Execution Flow" } ], "industries": [], "TLP": "green", "cloned_from": "691f4d4ef0a2a570b8b21cd2", "export_count": 2, "upvotes_count": 0, "downvotes_count": 0, "votes_count": 0, "locked": false, "pulse_source": "web", "validator_count": 0, "comment_count": 0, "follower_count": 0, "vote": 0, "author": { "username": "Q.Vashti", "id": "337942", "avatar_url": "https://otx.alienvault.com/assets/images/default-avatar.png", "is_subscribed": false, "is_following": false }, "indicator_type_counts": { "URL": 8897, "domain": 2102, "hostname": 2867, "FileHash-SHA256": 3886, "FileHash-MD5": 619, "FileHash-SHA1": 555, "CVE": 3, "email": 5, "SSLCertFingerprint": 8 }, "indicator_count": 18942, "is_author": false, "is_subscribing": null, "subscriber_count": 137, "modified_text": "89 days ago ", "is_modified": true, "groups": [], "in_group": false, "threat_hunter_scannable": true, "threat_hunter_has_agents": 1, "related_indicator_type": "URL", "related_indicator_is_active": 1 }, { "id": "69631fbd16e306ee2b76c4da", "name": "Chris P. Ahmann \u2022 STAY Away!f PRIVATE PROPERTY Colorado State Fixer!", "description": "", "modified": "2026-01-20T17:02:02.650000", "created": "2026-01-11T03:57:49.242000", "tags": [ "related pulses", "p1377925676", "gaz1", "sid1696503456", "sct1", "active", "dynamicloader", "medium", "write c", "search", "show", "high", "program gateway", "http traffic", "http", "write", "malware", "nivdort", "serving ip", "address", "status code", "kb body", "sha256", "gw5hjz7t975", "url https", "url http", "indicator role", "pulses url", "hostname", "poland unknown", "present sep", "present jul", "present may", "present apr", "present dec", "present jan", "moved", "passive dns", "ip address", "title", "location poland", "asn as29522", "gmt content", "accept encoding", "ipv4 add", "urls", "files", "reverse dns", "united", "record value", "aaaa", "mtb oct", "found", "error", "read c", "memcommit", "module load", "next", "showing", "trojan", "execution", "unknown", "entries", "ms windows", "intel", "as15169", "codeoverlap", "yara detections", "delphi", "worm", "win32", "win64", "learn", "ck id", "name tactics", "suspicious", "informative", "adversaries", "command", "spawns", "ssl certificate", "execution att", "script urls", "treece alfrey", "meta", "germany unknown", "for privacy", "title added", "active related", "pulses", "asnone", "named pipe", "type indicator", "role title", "added active", "filehashsha256", "ally", "melika", "information", "law christopher", "https", "fake pinterest", "tsara", "traceback man", "expiro", "capture", "domain", "types of", "germany", "poland", "netherlands", "cve cve20178977", "boobs130432 nov", "learn more", "filehashmd5", "utmsourceawin", "pe32", "head microsoft", "delete", "main", "backdoor", "next associated", "gmt connection", "control", "content type", "twitter", "certificate", "redirect date", "cache", "unknown ns", "hostname add", "ipv4", "pulse pulses", "location united", "america flag", "america asn", "windows", "total", "ids detections", "url add", "related nids", "files location", "flag united", "win32mydoom nov", "domain add", "yara rule", "ee fc", "ff d5", "f0 ff", "eb e1", "ff ff", "c1 e8", "c1 c0", "eb e8", "mpress", "cache control", "x cache", "date", "name servers", "arial", "present aug", "present jun", "may god", "hall render", "palantir doing", "jeffrey scott", "jeffrey reimer", "brian sabey", "butt pirates", "scott reimer", "colorado", "quasi government", "workers compensation", "eva lisa", "eva reimer", "sammie", "montano mark", "death threats", "tulach", "hired hit men", "gay man", "gay porn", "concentra", "corruption", "palantir", "foundry", "grifter", "warning", "illegal", "apple", "contacted", "ransom", "dead", "denver" ], "references": [ "https://tamlegal.com/attorneys/christopher-p-ahmann/#breadcrumb \u2022 https://www.milehighmedia.com/en/movies", "https://www.milehighmedia.com/legal/2257 \u2022 https://www.milehighmedia", "www.milehighmedia.com \u2022 https://www.milehighmedia.com/en/Charlie-Dean/pornstar/49512", "https://www.milehighmedia.com/en/login/index/aHR0cHMlM0ElMkYlMkZtZW1iZXJzLm1pbGVoaWdobWVkaWEuY29tJTJGZW4lMkZ2aWRlb3MlMkZzd2VldGhlYXJ0dmlkZW8lM0ZhbHVwJTNEQURqeF9ITjhfd1oweU96UnpsU3NNNUZLaVVxSzBXNEN0X3NmTFpKTGVJc3M2b0RVUzkwVmp6VllNVko5eFpmdENYcFNKd3IzOTNaMG1mOEpXeVhVeVZpLTJZYVRsaGd3M25DSDRpYnRwZ25BRC1zUFhDQVUycjZJOXo2WWtRMzNVWVFhMFZyWC1YckxvcnRkVjJZdEgxSDYxZ1lhMTFNS3RZSkEzY3FlSXhFQzhtSlAzSk1tbloySURMQXlMZndPcHozSFFiTzF4T0FseXJIQ0xYem1ldFElMkE=\t \thttp://www.milehighmedia.com/?ats=eyJhIjoyOTYzMTgsImMiOjU3OTYzNz", "http://www.milehighmedia.com/legal\t \u2022 https://www.milehighmedia.com/en/pornstar/milehighmedia/Justin-Hunt/51017", "https://www.milehighmedia.com/de/MileHighMedia/scene/129689?utm_source=271174&utm_medium=affiliate&utm_campaign=", "http://www.milehighmedia.com/?ats=eyJhIjoyOTYzMTgsImMiOjU3OTYzNzc1LCJuIjo3NiwicyI6NT...", "ttps://www.milehighmedia.com/scene/4404473/creampie-adventures-scene-2-sneaky-melanie", "https://www.milehighmedia.com/join \u2022 https://www.milehighmedia.com/models \u2022 https://www.milehighmedia.com/movies", "https://www.milehighmedia.com/model/59136/avi-love \u2022https://www.milehighmedia.com/model/60418/Justin-Hunt \u2022", "https://www.milehighmedia.com/en/photo/milehighmedia/The-Mother-I-Cant-Resist/52380", "https://www.milehighmedia.com/en/movies \u2022 https://www.milehighmedia.com/join", "https://www.pornhub.com/gifs/search?search=tsara+lynn+brashears+lesbian", "pornhub-e.com \u2022 www.pornhub.com \u2022", "https://www.sweetheartvideo.com/tsara-brashears/ \u2022 www.sweetheartvideo.com", "https://www.sweetheartvideo.com/en/?s=1?s=1&utm_source=272160&utm_medium=affiliate&utm_campaign=lovelezzies", "https://www.sweetheartvideo.com/en/dvd/Lesbian-Massage/49895", "https://www.sweetheartvideo.com/en/dvds \u2022 https://www.sweetheartvideo.com/en/login", "https://www.sweetheartvideo.com/en/model/Mona-Wales/49601 \u2022 https://www.sweetheartvideo.com/en/scene/Truth-Dare--Boobs/130432 No Expiration\t0\t URL https://www.sweetheartvideo.com/it/model/Kristen-Scott/50432 \u2022 https://www.sweetheartvideo.com/model/63710/brandi-love", "https://www.sweetheartvideo.com/scenes?models=63710", "https://www.sweetheartvideo.com/model/63710/brandi-love", "https://www.sweetheartvideo.com/scenes?models=63710", "https://www.sweetheartvideo.com/it/model/Kristen-Scott/50432", "https://www.sweetheartvideo.com/en/scene/Truth-Dare--Boobs/130432", "https://www.milehighmedia.com/en/photo/milehighmedia/The-Mother-I-Cant-Resist/52380", "https://www.vgt.pl/font/roboto/Roboto-Bold.eot \u2022", "https://www.vgt.pl/94.152.152.233/images/logo.png", "https://www.vgt.pl/94.152.156.22/logo.png \u2022 https://www.vgt.pl/css/", "https://www.vgt.pl/favicon.ico", "https://www.vgt.pl/font/fa/fontawesome-webfont.eot", "https://www.vgt.pl/font/roboto/Roboto-Bold.ttf \u2022 https://www.vgt.pl/font/roboto/Roboto-Light.eot", "https://www.vgt.pl/font/roboto/Roboto-Medium.ttf", "https://www.vgt.pl/font/roboto/Roboto-Light.ttf \u2022", "https://www.vgt.pl/static/js/bootstrap-typeahead.jstic/js/bootstrap-typeahead.js", "https://www.vgt.pl/style/style.css \u2022 https://www.vgt.pl/font/roboto/Roboto-Medium.eot", "https://www.vgt.pl/font/roboto/Roboto-Regular.ttf \u2022 https://www.vgt.pl/font/roboto/Roboto-Thin.eot", "https://www.vgt.pl/static/js/bootstrap-typeahead.js.179.252.2", "https://www.vgt.pl/font/roboto/Roboto-Thin.ttf \u2022 https://www.vgt.pl/static/js/bootstrap-typeahead.js", "https://www.vgt.pl/font/roboto/Roboto-Regular.eot \u2022 https://www.vgt.pl/94.152.156.22/logo.png \u2022 https://www.vgt.pl/css/", "vgt.pl \u2022 www.hak.vgt.pl \u2022 www.localhost.vgt.pl \u2022 www.certyfikat.vgt.pl \u2022 aristocrat.vgt.pl", "https://www.vgt.pl/ phishing \u2022 https://vgt.pl/ \u2022www.vgt.pl \u2022 https://www.vgt.pl/94.152.152.233/images/logo.png", "http://www.pornokind.vgt.pl \u2022 https://dbkuewww.m.vgt.pl \u2022 https://lokalnyhost.vgt.pl \u2022 www.xn--twj-hna.pedofil.vgt.pl", "http://www.hak.vgt.pl \u2022 http://pornokind.vgt.pl \u2022 http://sip.vgt.pl \u2022 http://smtp-qa.vgt.pl \u2022 http://vgt.pl/*.", "https://pornokind.vgt.pl \u2022 https://sip.vgt.pl \u2022 https://smtp-qa.vgt.pl \u2022 https://www.vgt.pl/94.152.156.22/logo.png", "www.localhost.vgt.pl \u2022 www.certyfikat.vgt.pl \u2022 https://www.vgt.pl/94.152.152.233/images/logo.png", "https://www.vgt.pl/css/ \u2022 https://www.vgt.pl/favicon.ico \u2022 https://www.vgt.pl/font/fa/fontawesome-webfont.eot", "https://www.vgt.pl/font/roboto/Roboto-Bold.eot \u2022 https://www.vgt.pl/font/roboto/Roboto-Bold.ttf \u2022 https://www.vgt.pl/font/roboto/Roboto-Light.eot", "https://www.vgt.pl/static/js/bootstrap-typeahead.jstic/js/bootstrap-typeahead.js", "https://www.vgt.pl/style/style.css \u2022 https://www.vgt.pl/static/js/bootstrap-typeahead.js", "IP Address 94.152.58.192 Location Poland ASN AS29522 h88 s.a. Nameservers ns1.kei.pl. , ns2.kei.pl.", "www.happylifehappywife.com \u2022 http://www.happylifehappywife.com/2010/02/'>", "http://www.happylifehappywife.com/2010/04/'> \u2022 http://www.happylifehappywife.com/2010/05/'>", "http://www.happylifehappywife.com/2010/07/'> \u2022 http://www.happylifehappywife.com/2010/09/'>", "http://www.happylifehappywife.com/2011/06/'> \u2022 http://www.happylifehappywife.com/2011/08/'", "http://www.happylifehappywife.com/2011/08/'> \u2022 http://www.happylifehappywife.com/2012/07/'>", "http://www.happylifehappywife.com/2013/03/'> \u2022 http://www.happylifehappywife.com/index.php", "http://www.happylifehappywife.com/wp-content/themes/theme78222/images/top-right.jpg", "https://amp.mypornvid.fun/videos/8/AhxS-ej1myg/gf-18-com/\ud83c\udf81-i39m-your-present-\ud83c\udf81-girlfriend-surprises-you-for-christmas-reunion-soft-kisses-amp-cuddles", "8-25-220-162-static.reverse.queryfoundry.net\t\t\tNov 1, 2025, 9:34:14 AM\t\t5\t domain\tqueryfoundry.net\t\t\tNov 1, 2025, 9:34:14 AM\t\t8\t URL\thttp://117-114-251-162-static.reverse.queryfoundry.net/", "http://watchhers.net/index.php", "remotewd.com device local", "nr-data.net \u2022 applemusic-spotlight.myunidays.com \u2022 init.ess.apple.com \u2022 tv.apple.com", "https://browntubeporn.com/tsara-brashearsAccept-Language", "https://cg864.myhotzpic.com phishing \u2022 http://dashboard.myhotzpic.com/", "https://myhotzpic.com/tsara-brashears-hardcore-lesbian-sex/anime-studio.org*thumbs-fa...", "https://mypornvid.com/videos/27/x510fb2/white-dpt-jeffrey-reimer-loves-pretty-indian-patient-forces-sex-3gp-video-tsara-brashears/caillou-finger", "http://siteinlink.d1.cnbd.net/search/tsara-brashears-dead \u2022 http://siteinlink.d1.cnbd.net/site/maps.google.com.lb/", "http://siteinlink.d1.cnbd.net/search/tsara-brashears-assaulted-by-jeffrey-reimer", "http://siteinlink.d1.cnbd.net/search/tsara-brashears-dead \u2022 https://videolal.com/videos/tsara-brashears-dead-by-daylight.html", "http://pixelrz.com/lists/keywords/tsara-brashears-dead/360 \u2022 http://pixelrz.com/lists/keywords/tsara-brashears-dead/360] No Expiration\t4\t Domain tsara-brashears-deadspin-twitter-suspended-account-help.ht", "https://www.anyxxxtube.net/search-porn/tsara-brashears/", "https://www.pornhub.com/gifs/search?search=tsara+lynn+brashears+lesbian", "https://www.anyxxxtube.net/search-porn/tsara-brashears/", "https://twitter.com/PORNO_SEXYBABES \u2022 girlsdoporn.com", "Treece Alfrey Musat P.C. Attorneys at Law Christopher P. Ahmann | https://TamLegal.com", "https://urlscan.io/screenshots/e931bb02-80dc-46db-92f0-43d5afa258be.png" ], "public": 1, "adversary": "", "targeted_countries": [], "malware_families": [ { "id": "TrojanSpy:Win32/Nivdort", "display_name": "TrojanSpy:Win32/Nivdort", "target": "/malware/TrojanSpy:Win32/Nivdort" }, { "id": "Worm:Win32/Autorun", "display_name": "Worm:Win32/Autorun", "target": "/malware/Worm:Win32/Autorun" }, { "id": "Tofsee", "display_name": "Tofsee", "target": null }, { "id": "Jaik", "display_name": "Jaik", "target": null }, { "id": "Trojan:Win32/Qshell", "display_name": "Trojan:Win32/Qshell", "target": "/malware/Trojan:Win32/Qshell" }, { "id": "Trojan:Win32/Mydoom", "display_name": "Trojan:Win32/Mydoom", "target": "/malware/Trojan:Win32/Mydoom" } ], "attack_ids": [ { "id": "T1045", "name": "Software Packing", "display_name": "T1045 - Software Packing" }, { "id": "T1057", "name": "Process Discovery", "display_name": "T1057 - Process Discovery" }, { "id": "T1060", "name": "Registry Run Keys / Startup Folder", "display_name": "T1060 - Registry Run Keys / Startup Folder" }, { "id": "T1053", "name": "Scheduled Task/Job", "display_name": "T1053 - Scheduled Task/Job" }, { "id": "T1055", "name": "Process Injection", "display_name": "T1055 - Process Injection" }, { "id": "T1082", "name": "System Information Discovery", "display_name": "T1082 - System Information Discovery" }, { "id": "T1112", "name": "Modify Registry", "display_name": "T1112 - Modify Registry" }, { "id": "T1119", "name": "Automated Collection", "display_name": "T1119 - Automated Collection" }, { "id": "T1129", "name": "Shared Modules", "display_name": "T1129 - Shared Modules" }, { "id": "T1143", "name": "Hidden Window", "display_name": "T1143 - Hidden Window" }, { "id": "T1063", "name": "Security Software Discovery", "display_name": "T1063 - Security Software Discovery" }, { "id": "T1027", "name": "Obfuscated Files or Information", "display_name": "T1027 - Obfuscated Files or Information" }, { "id": "T1071", "name": "Application Layer Protocol", "display_name": "T1071 - Application Layer Protocol" }, { "id": "T1518", "name": "Software Discovery", "display_name": "T1518 - Software Discovery" }, { "id": "T1553", "name": "Subvert Trust Controls", "display_name": "T1553 - Subvert Trust Controls" }, { "id": "T1568", "name": "Dynamic Resolution", "display_name": "T1568 - Dynamic Resolution" }, { "id": "T1583", "name": "Acquire Infrastructure", "display_name": "T1583 - Acquire Infrastructure" }, { "id": "T1069", "name": "Permission Groups Discovery", "display_name": "T1069 - Permission Groups Discovery" }, { "id": "T1105", "name": "Ingress Tool Transfer", "display_name": "T1105 - Ingress Tool Transfer" }, { "id": "T1113", "name": "Screen Capture", "display_name": "T1113 - Screen Capture" }, { "id": "T1140", "name": "Deobfuscate/Decode Files or Information", "display_name": "T1140 - Deobfuscate/Decode Files or Information" }, { "id": "T1197", "name": "BITS Jobs", "display_name": "T1197 - BITS Jobs" }, { "id": "T1210", "name": "Exploitation of Remote Services", "display_name": "T1210 - Exploitation of Remote Services" }, { "id": "T1457", "name": "Malicious Media Content", "display_name": "T1457 - Malicious Media Content" }, { "id": "T1480", "name": "Execution Guardrails", "display_name": "T1480 - Execution Guardrails" }, { "id": "T1562", "name": "Impair Defenses", "display_name": "T1562 - Impair Defenses" }, { "id": "T1574", "name": "Hijack Execution Flow", "display_name": "T1574 - Hijack Execution Flow" } ], "industries": [], "TLP": "green", "cloned_from": "695557ee134b978b00883c29", "export_count": 1, "upvotes_count": 0, "downvotes_count": 0, "votes_count": 0, "locked": false, "pulse_source": "web", "validator_count": 0, "comment_count": 0, "follower_count": 0, "vote": 0, "author": { "username": "Q.Vashti", "id": "337942", "avatar_url": "https://otx.alienvault.com/assets/images/default-avatar.png", "is_subscribed": false, "is_following": false }, "indicator_type_counts": { "URL": 8897, "domain": 2102, "hostname": 2867, "FileHash-SHA256": 3886, "FileHash-MD5": 619, "FileHash-SHA1": 555, "CVE": 3, "email": 5, "SSLCertFingerprint": 8 }, "indicator_count": 18942, "is_author": false, "is_subscribing": null, "subscriber_count": 137, "modified_text": "89 days ago ", "is_modified": true, "groups": [], "in_group": false, "threat_hunter_scannable": true, "threat_hunter_has_agents": 1, "related_indicator_type": "URL", "related_indicator_is_active": 1 }, { "id": "693b7dc3cf1996347652ef92", "name": "Google Site Redirector - Tesla Hackers", "description": "Silencing. By Tesla hackers. Awful example of how any victim of a crime; can become a target of the government..\nThis is especially true when the actual perpetrators work for the government are government affiliated, very wealthy, a celebrity or someone who is deemed important. In this instance the Quasi government sought to keep target seeking and obtaining life saving medical treatment, financial settlement that she was entitled to from assault, injuries from assault, false imprisonment, punitive damgages, pain and suffering, humiliation, premise liability, permanent (whole body disability @MMI ), many other crimes. The victims suffered from a great sadness and betrayal. \n\nObviously racist Elon Musk and crew have access to all government tools. Musk, All things cyber are at his disposal as \ncontinues to abuse privilege.\n They keep playing a God they don\u2019t believe in. God is the Ultimate Avenger.", "modified": "2026-01-11T00:03:08.581000", "created": "2025-12-12T02:28:19.107000", "tags": [ "compromised_site_redirector_fromcharcode", "site_redirector", "string", "regexp", "error", "number", "sxa0", "amptoken", "optout", "retrieving", "notfound", "write", "form", "flash", "vd", "tesla hackers", "nxdomain", "passive dns", "ip address", "domain", "a nxdomain", "urls", "files", "ip related", "pulses otx", "google", "unknown", "oracle", "dynamicloader", "medium", "high", "windows", "rndhex", "write c", "rndchar", "displayname", "tofsee", "yara rule", "stream", "strings", "push", "lte all", "search otx", "ource url", "or text", "paste", "data upload", "extraction", "elon musk", "indicator role", "active related", "ipv4", "exploitsource", "url https", "url http", "desktopinternet", "title added", "pulses ipv4", "less see", "ids detections", "vuze bt", "udp connection", "contacted", "filehash", "av detections", "yara detections", "alerts", "0x8aa42", "0xe3107", "upnp", "http request", "bittorrent", "file", "module load", "t1129", "post http", "install", "execution", "malware", "hostile", "crawl", "windows nt", "wow64", "get zona", "get httpget", "hash", "entries", "read c", "suspicious", "next", "united" ], "references": [ "Tesla Hackers | https://www.teslarati.com/spacex", "Yara Detections :compromised_site_redirector_fromcharcode Alerts network_icmp js_eval recon_fingerprint", "142.250.74.142.250.74.138 _exploit_source | 142.250.74.138 _exploit_source | 142.250.74.142_exploit_source", "IDS Detections Win32/ZonaInstaller Install Beacon", "https://www.google \u2022 https://ampcid.google.com/v1/publisher \u2022\u2019https://ampcid.google.com/v1/publisher:getClientId\\", "https://tagassistant.google.com/ \u2022 https://www.google-analytics.com/debug/bootstrap?id=", "https://www.google-analytics.com/debug/bootstrap?id=\\", "https://stats.g.doubleclick.net/j/collect\\ \u2022 https://tagassistant.google.com/ \u2022 https://www.google.com/ads/ga", "https://www.google-analytics.com/gtm/js?id=\\ \u2022 https://www.googletagmanager.com/gtag/js?id= \u2022", "https://www.googletagmanager.com/gtag/js?id=\\ \u2022 https://www.google-analytics.com/gtm/js?id=", "This is why our team tells a back story. It can and does happen to anyone.", "We apologize for so may typos and errors. We strive to do better at that." ], "public": 1, "adversary": "Tesla Hackers", "targeted_countries": [], "malware_families": [ { "id": "Vd", "display_name": "Vd", "target": null }, { "id": "Backdoor:Win32/Tofsee.T", "display_name": "Backdoor:Win32/Tofsee.T", "target": "/malware/Backdoor:Win32/Tofsee.T" }, { "id": "Win.Trojan.12382640-1", "display_name": "Win.Trojan.12382640-1", "target": null } ], "attack_ids": [ { "id": "T1119", "name": "Automated Collection", "display_name": "T1119 - Automated Collection" }, { "id": "T1055", "name": "Process Injection", "display_name": "T1055 - Process Injection" }, { "id": "T1060", "name": "Registry Run Keys / Startup Folder", "display_name": "T1060 - Registry Run Keys / Startup Folder" }, { "id": "T1023", "name": "Shortcut Modification", "display_name": "T1023 - Shortcut Modification" }, { "id": "T1040", "name": "Network Sniffing", "display_name": "T1040 - Network Sniffing" }, { "id": "T1047", "name": "Windows Management Instrumentation", "display_name": "T1047 - Windows Management Instrumentation" }, { "id": "T1053", "name": "Scheduled Task/Job", "display_name": "T1053 - Scheduled Task/Job" }, { "id": "T1082", "name": "System Information Discovery", "display_name": "T1082 - System Information Discovery" }, { "id": "T1129", "name": "Shared Modules", "display_name": "T1129 - Shared Modules" }, { "id": "T1204", "name": "User Execution", "display_name": "T1204 - User Execution" }, { "id": "T1566", "name": "Phishing", "display_name": "T1566 - Phishing" } ], "industries": [], "TLP": "green", "cloned_from": null, "export_count": 4, "upvotes_count": 0, "downvotes_count": 0, "votes_count": 0, "locked": false, "pulse_source": "web", "validator_count": 0, "comment_count": 0, "follower_count": 0, "vote": 0, "author": { "username": "Q.Vashti", "id": "337942", "avatar_url": "https://otx.alienvault.com/assets/images/default-avatar.png", "is_subscribed": false, "is_following": false }, "indicator_type_counts": { "FileHash-MD5": 65, "FileHash-SHA1": 34, "FileHash-SHA256": 2032, "URL": 4921, "domain": 567, "hostname": 1586, "SSLCertFingerprint": 4 }, "indicator_count": 9209, "is_author": false, "is_subscribing": null, "subscriber_count": 139, "modified_text": "98 days ago ", "is_modified": true, "groups": [], "in_group": false, "threat_hunter_scannable": true, "threat_hunter_has_agents": 1, "related_indicator_type": "URL", "related_indicator_is_active": 1 }, { "id": "693adba47b2cce69440c726a", "name": "TESLA HACKERS | Login Google", "description": "Attackers target victims Google account, Google browser, Google homepage.\n\nTesla Hackers in the job. Tesla hackers are very young , angry, kids who chased target around mercilessly in their vehicles, photographed target, drive threateningly. Nothing sophisticated about the stalker crewl. This is intentional. Finding troubled individuals who are desperate for power is pretty easy. \n\nThe hit men range from gang members, white , black , Hispanic to the highly educated, Hit man who attempted to take target out was a spoiled, angry , aggressive, sneering POC. He walked in Denver. The next morning , the area target was driven if roadway was closed off and filled with a rather large road crew, work continues to work on this area. (Charlie Kirk like). Alleged traffic officer claims cameras pointed in different directions that night. He was identified as a computer science major by a PI. This feels so dangerous.", "modified": "2026-01-10T13:01:53.320000", "created": "2025-12-11T14:56:36.874000", "tags": [ "tlsv1", "united", "oamazon", "cnamazon rsa", "jfif", "ogoogle trust", "cngts ca", "exif standard", "tiff image", "xresolution74", "execution", "dock", "write", "persistence", "malware", "encrypt", "ca https", "no expiration", "iocs", "url https", "enter source", "url or", "text drag", "drop or", "browse to", "select file", "ipv4", "url http", "type indicator", "sec ch", "ch ua", "unknown", "ua full", "ua platform", "as44273 host", "ua bitness", "msie", "chrome", "backdoor", "trojandropper", "passive dns", "forbidden", "body", "twitter", "trojan", "cookie", "title", "windows nt", "wow64", "slcc2", "media center", "read c", "port", "destination", "local", "moved", "integration all", "urls", "files", "reverse dns", "location united", "america flag", "name servers", "hostname", "unique", "expires wed", "gmt date", "server", "date wed", "connection", "use linux", "cybersecurity", "http", "ip address", "files location", "flag united", "win32", "urls show", "date checked", "url hostname", "server response", "virtool", "date hash", "avast avg", "heur", "lowfi", "k sep", "contacted", "related tags", "none file", "type", "present dec", "present nov", "mtb mar", "aaaa", "hacktool", "indicator role", "domain", "url add", "as20940", "as16625 akamai", "present mar", "present may", "as54113", "present apr", "ipv4 add", "url analysis", "servers", "emails", "hostname add", "present aug", "present sep", "present oct", "status", "present jul", "data upload", "extraction", "as208722 yandex", "russia unknown", "a domains", "expirestue", "path", "certificate", "medium", "alerts show", "ck technique", "technique id", "installs", "pe32", "intel", "ms windows", "high", "icmp traffic", "dns query", "packing t1045", "t1045", "screenshots", "file type", "date february", "pm size", "imphash pehash", "guard", "syst", "learn", "ck id", "name tactics", "suspicious", "informative", "adversaries", "command", "initial access", "spawns", "t1590 gather", "flag", "united kingdom", "command decode", "belgium belgium", "federation", "france france", "ireland ireland", "canada canada", "suricata ipv4", "click", "tesla hackers", "elon musk", "show", "richhash", "external", "virustotal api", "comments", "vendor finding", "notes clamav", "ms defender", "files matching", "copy", "found", "ssl certificate", "windir", "openurl c", "prefetch2", "analysis", "tor analysis", "dns requests", "domain address", "yara rule", "reads", "number", "sample analysis", "hide samples", "entries", "samples show", "next yara", "detections name", "devcv5 ujrb", "ujrb", "uja1t", "show technique", "mitre att", "ck matrix", "ascii text", "pattern match", "sha1", "network traffic", "show process", "general" ], "references": [ "https://www.teslarati.com/spacex", "https://omodeling.wpenginepowered.com/wp-content/uploads/2020/07/modelhub-pornhub-sell-nudes-1024x57", "https://cdn.teslarati.com \u2022 https://forums.teslarati.com/", "https://forums.teslarati.com/data/avatars/m/5/5998.jpg?1504431665 \u2022 https://forums.teslarati.com/forums/model-3.4/", "https://forums.teslarati.com/threads/humanlike-ai-robot-sophia-calls-out-elon-musk-during-live-interview.4970/", "https://www.teslarati.com/tesla-model-s-hitch-torklift-ecohitch-3-year-update/", "https://www.teslarati.com/tesla-tsla-monster-investment-rise-alaska-dept-of-revenue/", "https://www.teslarati.com/wp-content/themes/teslarati-mag/map/", "https://www.teslarati.com/tesla-model-3-crash-insight-60mph-collision/", "https://www.teslarati.com/", "https://www.teslarati.com/spacex", "https://www.teslarati.com/tesla-lands-87-million-megapack-belgium/", "https://www.teslarati.com/tesla-giga-shanghai-builds-5-millionth-battery-pack/", "https://www.teslarati.com/TESLA-DEBUTS-GROK-AI-UPDATE-2025-26-WHAT-YOU-NEED-TO-KNOW/", "https://www.teslarati.com/tesla-robotaxi-vs-new-york-taxi-why-the-yellow-cab-a-lot-to-lose/", "pornlynx.com \u2022 https://pornlynx.com \u2022 https://www.pornlynx", "http://www.aiupnow.com/2023/04/pakistani-hackers-use-linux-malware.html\\", "http://pickyhot.disqus.com/ \u2022 https://www.teslarati.com/tesla-hackers \u2022 https://pickyhot.disqus.com/tsara-brashears", "http://dev.browserweb.yandex.kg/ \u2022 https://api.messenger.yandex.az/ \u2022 https://yandex.uz/maps/-/CLWNeAKm", "HTML contains suspicious external redirect patterns details Suspicious redirect patterns detected: Redirect Types: Delayed Redirect Redirects to: /doodles/ Suspicious", "Redirect (Delayed Redirect): setTimeout(function(){location.href= source Binary File relevance 10/10 ATT&CK ID T1189", "External resources linked to high-risk commonly abused domains detected: mc.yandex.ru | script | src snd.click | src |", "Source : Binary File ATT&CK ID T1566.002", "Domain match: \"media-mbst-pub-ue1.s3.amazonaws.com\" possible high risk indicator. Commonly abused for malicious purposes. .", "Domain: \"snd.click\" possible high risk indicator. Domain uses TLD that is commonly abused for malicious purposes", "Detected Non-Google domain serving Google homepage details", "Detected Google homepage HTML served from suspicious domain Matched required Google homepage markers", "Source: Binary File relevance 10/10 ATT&CK ID T1204.001 | Target contacted CBI re: Suspicious looking Google Homepage.", "CBI (Colorado) - target believes she was redirected to malicious actors. Staffers not found in directory.", "Female states title as \u2018intern\u2019 dropped false information at front desk of CBI. Claims target ID theft victim. True", "Alleged CBI staffer refuses to provide evidence of identity theft resolution. Target unaware of. what\u2019s true", "CBI - asked target to enter Gmail in a resource. Targets Gmail account disappeared" ], "public": 1, "adversary": "", "targeted_countries": [ "United States of America", "Germany", "Japan" ], "malware_families": [ { "id": "Worm:Win32/Mofksys.RND!MTB", "display_name": "Worm:Win32/Mofksys.RND!MTB", "target": "/malware/Worm:Win32/Mofksys.RND!MTB" }, { "id": "Ms Defender\tTrojan:Win32/Qbot.KVD!MTB", "display_name": "Ms Defender\tTrojan:Win32/Qbot.KVD!MTB", "target": "/malware/Ms Defender\tTrojan:Win32/Qbot.KVD!MTB" }, { "id": "Trojan:Win32/Zombie.A", "display_name": "Trojan:Win32/Zombie.A", "target": "/malware/Trojan:Win32/Zombie.A" }, { "id": "Win.Malware.Jaik-9940406-0", "display_name": "Win.Malware.Jaik-9940406-0", "target": null }, { "id": "ALF:JASYP:Trojan:Win32/Genmaldown!atmn", "display_name": "ALF:JASYP:Trojan:Win32/Genmaldown!atmn", "target": null }, { "id": "Win.Malware.Snojan-6775202-0", "display_name": "Win.Malware.Snojan-6775202-0", "target": null } ], "attack_ids": [ { "id": "T1053", "name": "Scheduled Task/Job", "display_name": "T1053 - Scheduled Task/Job" }, { "id": "T1055", "name": "Process Injection", "display_name": "T1055 - Process Injection" }, { "id": "T1082", "name": "System Information Discovery", "display_name": "T1082 - System Information Discovery" }, { "id": "T1112", "name": "Modify Registry", "display_name": "T1112 - Modify Registry" }, { "id": "T1119", "name": "Automated Collection", "display_name": "T1119 - Automated Collection" }, { "id": "T1129", "name": "Shared Modules", "display_name": "T1129 - Shared Modules" }, { "id": "T1143", "name": "Hidden Window", "display_name": "T1143 - Hidden Window" }, { "id": "T1027", "name": "Obfuscated Files or Information", "display_name": "T1027 - Obfuscated Files or Information" }, { "id": "T1060", "name": "Registry Run Keys / Startup Folder", "display_name": "T1060 - Registry Run Keys / Startup Folder" }, { "id": "T1045", "name": "Software Packing", "display_name": "T1045 - Software Packing" }, { "id": "T1113", "name": "Screen Capture", "display_name": "T1113 - Screen Capture" }, { "id": "T1057", "name": "Process Discovery", "display_name": "T1057 - Process Discovery" }, { "id": "T1069", "name": "Permission Groups Discovery", "display_name": "T1069 - Permission Groups Discovery" }, { "id": "T1071", "name": "Application Layer Protocol", "display_name": "T1071 - Application Layer Protocol" }, { "id": "T1105", "name": "Ingress Tool Transfer", "display_name": "T1105 - Ingress Tool Transfer" }, { "id": "T1204", "name": "User Execution", "display_name": "T1204 - User Execution" }, { "id": "T1480", "name": "Execution Guardrails", "display_name": "T1480 - Execution Guardrails" }, { "id": "T1553", "name": "Subvert Trust Controls", "display_name": "T1553 - Subvert Trust Controls" }, { "id": "T1566", "name": "Phishing", "display_name": "T1566 - Phishing" }, { "id": "T1568", "name": "Dynamic Resolution", "display_name": "T1568 - Dynamic Resolution" }, { "id": "T1583", "name": "Acquire Infrastructure", "display_name": "T1583 - Acquire Infrastructure" }, { "id": "T1590", "name": "Gather Victim Network Information", "display_name": "T1590 - Gather Victim Network Information" }, { "id": "T1189", "name": "Drive-by Compromise", "display_name": "T1189 - Drive-by Compromise" }, { "id": "T1566.002", "name": "Spearphishing Link", "display_name": "T1566.002 - Spearphishing Link" }, { "id": "T1071.001", "name": "Web Protocols", "display_name": "T1071.001 - Web Protocols" }, { "id": "T1566.001", "name": "Spearphishing Attachment", "display_name": "T1566.001 - Spearphishing Attachment" }, { "id": "T1207", "name": "Rogue Domain Controller", "display_name": "T1207 - Rogue Domain Controller" }, { "id": "T1136.002", "name": "Domain Account", "display_name": "T1136.002 - Domain Account" }, { "id": "T1003.005", "name": "Cached Domain Credentials", "display_name": "T1003.005 - Cached Domain Credentials" }, { "id": "T1071.004", "name": "DNS", "display_name": "T1071.004 - DNS" }, { "id": "T1568.002", "name": "Domain Generation Algorithms", "display_name": "T1568.002 - Domain Generation Algorithms" }, { "id": "T1204.002", "name": "Malicious File", "display_name": "T1204.002 - Malicious File" }, { "id": "T1204.001", "name": "Malicious Link", "display_name": "T1204.001 - Malicious Link" } ], "industries": [], "TLP": "green", "cloned_from": null, "export_count": 13, "upvotes_count": 0, "downvotes_count": 0, "votes_count": 0, "locked": false, "pulse_source": "web", "validator_count": 0, "comment_count": 0, "follower_count": 0, "vote": 0, "author": { "username": "Q.Vashti", "id": "337942", "avatar_url": "https://otx.alienvault.com/assets/images/default-avatar.png", "is_subscribed": false, "is_following": false }, "indicator_type_counts": { "URL": 5894, "FileHash-MD5": 458, "FileHash-SHA1": 305, "FileHash-SHA256": 2481, "SSLCertFingerprint": 26, "hostname": 2406, "domain": 966, "email": 16, "CVE": 1 }, "indicator_count": 12553, "is_author": false, "is_subscribing": null, "subscriber_count": 138, "modified_text": "99 days ago ", "is_modified": true, "groups": [], "in_group": false, "threat_hunter_scannable": true, "threat_hunter_has_agents": 1, "related_indicator_type": "URL", "related_indicator_is_active": 1 }, { "id": "692e068ff95076bb8e75bd9f", "name": "Telehealth Exploit", "description": "", "modified": "2025-12-31T21:02:25", "created": "2025-12-01T21:20:15.043000", "tags": [ "passive dns", "urls", "http", "hostname", "files domain", "files related", "pulses none", "related tags", "none google", "safe browsing", "present dec", "status", "date", "united", "name servers", "netherlands", "unknown ns", "ip address", "search", "showing", "local", "data upload", "extraction", "flag", "bad traffic", "et hunting", "domain m2", "suspicious tls", "sni request", "windir", "openurl c", "dns requests", "et info", "tls handshake", "prefetch2", "analysis", "tor analysis", "domain address", "tlsv1", "jfif", "jpeg image", "ascii text", "entries", "as15169", "show", "read c", "write", "next", "persistence", "execution", "crash", "copy" ], "references": [], "public": 1, "adversary": "", "targeted_countries": [], "malware_families": [], "attack_ids": [ { "id": "T1045", "name": "Software Packing", "display_name": "T1045 - Software Packing" }, { "id": "T1053", "name": "Scheduled Task/Job", "display_name": "T1053 - Scheduled Task/Job" }, { "id": "T1055", "name": "Process Injection", "display_name": "T1055 - Process Injection" }, { "id": "T1112", "name": "Modify Registry", "display_name": "T1112 - Modify Registry" }, { "id": "T1129", "name": "Shared Modules", "display_name": "T1129 - Shared Modules" } ], "industries": [], "TLP": "green", "cloned_from": null, "export_count": 0, "upvotes_count": 0, "downvotes_count": 0, "votes_count": 0, "locked": false, "pulse_source": "web", "validator_count": 0, "comment_count": 0, "follower_count": 0, "vote": 0, "author": { "username": "Q.Vashti", "id": "337942", "avatar_url": "https://otx.alienvault.com/assets/images/default-avatar.png", "is_subscribed": false, "is_following": false }, "indicator_type_counts": { "domain": 260, "hostname": 555, "URL": 1803, "FileHash-SHA256": 1437, "FileHash-MD5": 113, "FileHash-SHA1": 13, "email": 4, "SSLCertFingerprint": 18, "CVE": 1 }, "indicator_count": 4204, "is_author": false, "is_subscribing": null, "subscriber_count": 137, "modified_text": "108 days ago ", "is_modified": true, "groups": [], "in_group": false, "threat_hunter_scannable": true, "threat_hunter_has_agents": 1, "related_indicator_type": "URL", "related_indicator_is_active": 1 }, { "id": "6920c43c3772bb24f26f70cc", "name": "Xred_Malware \u2022 Dark Comet \u2022 Darkgate \u2022 Elex \u2022 Glassworm | AutoRun", "description": "Attack originates from government contractors/ quasi governmental entities. Criminal Defense and Government contracted Law firms commonly abuse these tactics. Targeting. Found in data of a target. Focused on (1) FILE HASH and (1) IP address .[referenced] *XRed _Mal\n* EXE Infection | OTX auto populated - Adversaries may be able to gain access to victim systems using a variety of techniques to evade detection and conceal their actions. and their intentions, as well as using other techniques, to avoid detection.", "modified": "2025-12-21T18:01:07.268000", "created": "2025-11-21T19:57:48.145000", "tags": [ "dynamicloader", "write c", "write", "high", "yara rule", "myapp", "delphi", "worm", "win32", "error", "code", "malware", "defender", "medium", "binary file", "heavensgate", "bochs", "dynamic", "td td", "td tr", "united", "a td", "a domains", "dynamic dns", "static dns", "dd wrt", "twitter", "trojan", "trojandropper", "null", "enough", "simple", "click", "easy", "premium", "associated urls", "server response", "google safe", "results nov", "avast avg", "11.21.2025", "11.20.2025", "borland delphi", "pe32", "intel", "ms windows", "inno setup", "win32 exe", "pecompact", "delphi generic", "pe32 compiler", "dark comet", "dark gate", "glassworm", "md5 code", "data", "porkbun llc", "windows match", "getprocaddress", "peb idrdata", "match peb", "t1547", "t1059 t1112", "shared modules", "t1129", "boot", "logon autostart", "execu", "t1134 boot", "encoding", "capture e1113", "file attributes", "analysis ob0001", "b0001 software", "virtual machine", "detection b0009", "analysis ob0002", "ob0003 screen", "windows get", "check", "encode", "check internet", "wininet set", "clear file", "enumerate gui", "get hostname", "get keyboard", "set registry", "find", "capture", "url http", "consolefoundry", "console foundry", "foundry", "malware catalog tree", "autorun keys", "modification", "alexander karp", "peter theil", "christoper ahmann", "christopher pool", "mercedes", "apple", "palantir", "adversarial", "adversaries", "hostile", "quasi", "empty hash", "denver", "mal_xred_backdoor", "backdoor", "xred", "brian sabey", "first-send-petikvx", "stop", "glassworm", "elex", "darkgate", "dark-comet", "search", "entries", "show", "yara detections", "icmp traffic", "rtf file", "top source", "top destination", "format", "host", "copy", "next", "learn", "ck id", "name tactics", "suspicious", "informative", "command", "adversaries", "spawns", "found", "access att", "font", "copy md5", "copy sha1", "copy sha256", "sha1", "ascii text", "pattern match", "sha256", "mitre att", "title", "meta", "hybrid", "local", "path", "strings", "body", "contact", "trace", "form", "bitcoin", "core", "jeffrey reimer", "exe infection", "cve", "porn" ], "references": [ "FILEHASH-SHA256 d0ce79b3e0f4798423871dd66c14172b1a0eac34131c1b92d210a7b5c31a8aa0", "Name 2025-11-19_b627882129bf281be5a3df318fff678b_dark-comet_darkgate_elex_glassworm_stop", "Antivirus Detection: Worm:Win32/AutoRun!atmn [Win.Trojan.Emotet relationship]", "IDS Detections: W32.Bloat-A Checkin DYNAMIC_DNS Query to Abused Domain *.mooo.com", "IDS Detections: Suspicious Dynamic DNS Update Request Suspicious User-Agent (MyApp)", "Yara : Zeppelin_30 , compromised_site_redirector_fromcharcode ,", "Yara : BobSoft Mini Delphi -> BoB / BobSoft , Delphi", "Alerts : suspicious_iocontrol_codes process_creation_suspicious_location network_dyndns", "Alerts: multiple_useragents persistence_autorun binary_yara procmem_yara suricata_alert", "Alerts: antivm_bochs_keys antivm_generic_disk enumerates_physical_drives antisandbox_sleep", "Alerts: physical_drive_access mouse_movement_detect dynamic_function_loading", "Alerts: http_request resumethread_remote_process antianalysis_tls_section network_httpn", "Alerts: packer_unknown", "Malicious IP Contacted: 69.42.215.252", "Abused Domains Contacted: xred.mooo.com freedns.afraid.org", "IP 69.42.215.252: http://nginx.com/ \u2022nginx.com\t\u2022 http://nginx.org/ \u2022 nginx.org \u2022 afraid.org \u2022 afraid.org", "IP 69.42.215.252: nginx.com\u2022 vb.cu \u2022 vb.il \u2022 yourdomain.com \u2022 yourdomain.com", "IP 69.42.215.252: theirname.yourdomain.com \u2022 www.freebsd.org freebsd.org \u2022 your.domain.com", "Windows Match api: GetProcAddress fs access *access PEB Idr_data Match PEB access fs access", "consolefoundry.date \u2022 http://consolefoundry.date \u2022 http://consolefoundry", "Matches rule Wow6432Node CurrentVersion Autorun Keys Modification - Credits (split) below", "by Victor Sergeev, Daniil Yugoslavskiy, Gleb Sukhodolskiy, Timur Zinniatullin, oscd.community, Tim Shelton, frack113 (split)", "http://freedns.afraid.org/images/apple.gif", "https://www.nextron-systems.com/notes-on-virustotal-matches/", "https://www.mumuplayer.com/redirect/customerservice/_wig", "https://www.mumuplayer.com/redirect/customerservice/fB)y", "https://www.pornhub.com/gifs/search?search=tsara+lynn+brashears+lesbian", "https://www.anyxxxtube.net/search-porn/tsara-brashears/ \u2022 http://www.anyxxxtube/", "http://www.anyxxxtube.net/search-porn/tsara-brashears-denies-jeffrey-scott-reimer-sex\t| Truth", "https://www.semena.cz/exoticke-okrasne/78-plumerie-havajska-kvetina-semena-3-ks.html", "http://www.anyxxxtube.net/search-porn/tsara-brashears", "http://consolefoundry.date/one/gate.php", "https://hybrid-analysis.com/sample/ba5890ad431b894b0dfd6c9d3f3d6cbd7fedae1bd5a51483f54b22ba0209e3b8/6920be8a548209db740dd354" ], "public": 1, "adversary": "", "targeted_countries": [ "United States of America" ], "malware_families": [ { "id": "Win.Trojan.Emotet-9850453", "display_name": "Win.Trojan.Emotet-9850453", "target": null }, { "id": "Win.Trojan.BlackNetRAT-7838854-0", "display_name": "Win.Trojan.BlackNetRAT-7838854-0", "target": null }, { "id": "Win.Dropper.Nanocore-10021490-0", "display_name": "Win.Dropper.Nanocore-10021490-0", "target": null }, { "id": "Worm:Win32/AutoRun!atmn", "display_name": "Worm:Win32/AutoRun!atmn", "target": "/malware/Worm:Win32/AutoRun!atmn" }, { "id": "Win.Packed.Remcos-10024510-0", "display_name": "Win.Packed.Remcos-10024510-0", "target": null }, { "id": "Code Overlap", "display_name": "Code Overlap", "target": null }, { "id": "Other Malware", "display_name": "Other Malware", "target": null }, { "id": "PSW:Win32/VB.CU", "display_name": "PSW:Win32/VB.CU", "target": "/malware/PSW:Win32/VB.CU" } ], "attack_ids": [ { "id": "T1060", "name": "Registry Run Keys / Startup Folder", "display_name": "T1060 - Registry Run Keys / Startup Folder" }, { "id": "T1129", "name": "Shared Modules", "display_name": "T1129 - Shared Modules" }, { "id": "T1059", "name": "Command and Scripting Interpreter", "display_name": "T1059 - Command and Scripting Interpreter" }, { "id": "T1112", "name": "Modify Registry", "display_name": "T1112 - Modify Registry" }, { "id": "T1134", "name": "Access Token Manipulation", "display_name": "T1134 - Access Token Manipulation" }, { "id": "T1547", "name": "Boot or Logon Autostart Execution", "display_name": "T1547 - Boot or Logon Autostart Execution" }, { "id": "T1113", "name": "Screen Capture", "display_name": "T1113 - Screen Capture" }, { "id": "TA0003", "name": "Persistence", "display_name": "TA0003 - Persistence" }, { "id": "T1541", "name": "Foreground Persistence", "display_name": "T1541 - Foreground Persistence" }, { "id": "T1210", "name": "Exploitation of Remote Services", "display_name": "T1210 - Exploitation of Remote Services" }, { "id": "T1158", "name": "Hidden Files and Directories", "display_name": "T1158 - Hidden Files and Directories" }, { "id": "T1583.005", "name": "Botnet", "display_name": "T1583.005 - Botnet" }, { "id": "TA0037", "name": "Command and Control", "display_name": "TA0037 - Command and Control" }, { "id": "T1105", "name": "Ingress Tool Transfer", "display_name": "T1105 - Ingress Tool Transfer" }, { "id": "T1071", "name": "Application Layer Protocol", "display_name": "T1071 - Application Layer Protocol" }, { "id": "T1071.004", "name": "DNS", "display_name": "T1071.004 - DNS" }, { "id": "T1071.002", "name": "File Transfer Protocols", "display_name": "T1071.002 - File Transfer Protocols" }, { "id": "T1071.001", "name": "Web Protocols", "display_name": "T1071.001 - Web Protocols" }, { "id": "T1049", "name": "System Network Connections Discovery", "display_name": "T1049 - System Network Connections Discovery" }, { "id": "T1480", "name": "Execution Guardrails", "display_name": "T1480 - Execution Guardrails" }, { "id": "T1583", "name": "Acquire Infrastructure", "display_name": "T1583 - Acquire Infrastructure" }, { "id": "T1590", "name": "Gather Victim Network Information", "display_name": "T1590 - Gather Victim Network Information" }, { "id": "T1592", "name": "Gather Victim Host Information", "display_name": "T1592 - Gather Victim Host Information" }, { "id": "T1566", "name": "Phishing", "display_name": "T1566 - Phishing" }, { "id": "T1457", "name": "Malicious Media Content", "display_name": "T1457 - Malicious Media Content" }, { "id": "T1470", "name": "Obtain Device Cloud Backups", "display_name": "T1470 - Obtain Device Cloud Backups" }, { "id": "T1078.004", "name": "Cloud Accounts", "display_name": "T1078.004 - Cloud Accounts" }, { "id": "T1027", "name": "Obfuscated Files or Information", "display_name": "T1027 - Obfuscated Files or Information" }, { "id": "T1057", "name": "Process Discovery", "display_name": "T1057 - Process Discovery" }, { "id": "T1069", "name": "Permission Groups Discovery", "display_name": "T1069 - Permission Groups Discovery" } ], "industries": [], "TLP": "green", "cloned_from": null, "export_count": 9, "upvotes_count": 0, "downvotes_count": 0, "votes_count": 0, "locked": false, "pulse_source": "web", "validator_count": 0, "comment_count": 2, "follower_count": 0, "vote": 0, "author": { "username": "Q.Vashti", "id": "337942", "avatar_url": "https://otx.alienvault.com/assets/images/default-avatar.png", "is_subscribed": false, "is_following": false }, "indicator_type_counts": { "FileHash-MD5": 460, "FileHash-SHA1": 437, "FileHash-SHA256": 4483, "SSLCertFingerprint": 2, "URL": 6487, "hostname": 1772, "domain": 652, "CVE": 3, "email": 5 }, "indicator_count": 14301, "is_author": false, "is_subscribing": null, "subscriber_count": 138, "modified_text": "119 days ago ", "is_modified": true, "groups": [], "in_group": false, "threat_hunter_scannable": true, "threat_hunter_has_agents": 1, "related_indicator_type": "URL", "related_indicator_is_active": 1 }, { "id": "690a2c38de1708af54217faa", "name": "Access Token used to steal security credentials & hack and ride DND of targeted individuals", "description": "- https://shift.gearboxsoftware.com/link\n- Found embedded in targets phone.\n\nAccess Token used to steal security credentials & hack and ride DND of targeted individuals device. \nTAM Legal \u2022 Tulach \u2022 Hall Render \u2022 Quasi Government | Some type of Foundry user account found. \n\nStop illegally \n stalking, harassment, attempts, hacking, death threats. . Because the Colorado government allowing entities like this to operate without any type of rules, oversight or boundaries \nMILLION$ were wasted in your own fraud, waste in abuse scheme. AT&T , CrowdStrike , United Healthcare , UC Healthcare, Intermountain Health, T-Mobile, Amazon East, the Colorado Government itself, Medicare and Medicaid. For what? You have zero talent so you take it from those who do. You have nothing coming to you so you steal it from those who do. Is this somehow legal? \n#contacted #all_hosts backdoor #ransomware #cve #usa #american_terrorists #workers_compenstation_abuse #silencing #targeting #hitmen #illegal #malvertizing #aws_dns", "modified": "2025-12-04T15:01:02.531000", "created": "2025-11-04T16:39:20.035000", "tags": [ "present aug", "moved", "encrypt", "present jul", "passive dns", "ipv4 add", "reverse dns", "united states", "present may", "ip address", "gmt content", "ipv4", "all ipv4", "america", "united", "present oct", "name servers", "redacted for", "emails", "for privacy", "unknown ns", "unknown aaaa", "dynamicloader", "focus region", "unicode text", "utf16", "ms windows", "bokeh onlycanon", "zeiss jena", "mcsonnar", "high", "win64", "stream", "write", "smartassembly", "trailer", "next", "search", "medium", "as15169", "write c", "reads", "team", "malware", "local", "yara detections", "delphi", "strings", "dcom", "form", "trojandropper", "mtb nov", "backdoor", "otx telemetry", "trojan", "type", "data upload", "extraction", "ol rop", "hash avast", "avg clamav", "msdefender nov", "win32upatre nov", "win32berbew nov", "dynamic", "pe section", "error", "close", "status", "urls", "expiration date", "hostname", "url analysis", "yara rule", "show", "binary file", "wine emulator", "mtb oct", "files", "denmark asn", "as32934", "candyopen", "possible", "smoke loader", "trojanspy", "filehash", "pulses otx", "related tags", "file type", "no analysis", "available", "api key", "screenshots", "present nov", "aaaa", "mtb may", "mexico", "hostname add", "registrar", "domain add", "location united", "email add", "none related", "domains", "email domain", "service", "domain", "america flag", "body", "title", "aws dns", "next associated", "risepro", "guard", "v full", "reports v", "t1059 shared", "modules", "t1129 system", "t1569", "help v", "t1179 boot", "logon autost", "encoding", "packing f0001", "hidden files", "e1203 windows", "file attributes", "registry value", "catalog tree", "analysis ob0001", "evasion b0003", "virtual machine", "ip traffic", "memory pattern", "pattern urls", "tls sni", "get https", "post https", "named pipe", "delete c", "radar", "defender", "format", "learn", "command", "ck id", "name tactics", "suspicious", "informative", "spawns", "mitre att", "ck techniques", "evasion att", "country", "contacted hosts", "process details", "flag", "globalc", "intel", "win32", "worm", "path", "explorer", "script", "href", "external", "html content", "tulach", "hallrender", "tam legal", "brian sabey", "christopher ahmann", "apple", "msie", "chrome", "ascio", "creation date", "date", "germany unknown", "germany asn", "files ip", "address", "asn as24940", "less", "script urls", "a domains", "prox", "dennis schrder", "meta", "apache", "99u25f.exe", "entries", "as24940 hetzner", "dns resolutions", "status code", "body length", "kb body", "software/ hardware", "external-resources", "password-input", "overview", "colorado" ], "references": [ "https://shift.gearboxsoftware.com/link", "https://tulach.cc/", "https://www.anyxxxtube.net/search-porn/tsara-brashears/ \u2022 alohatube.xyz \u2022 1001pornvideos.com", "x402.porn \u2022 http://alohatube.xyz/search/tsara-brashears \u2022 \thttps://ufovpn.io/blog/is-eporner-safe", "https://www.turbo.net/run/videolan/vlc", "http://www.forensickb.com/2013/03/file-entropy-explained.html", "https://www.xlabs.com.br/blog/cve-2013-3304-dell-equallogic-directory-traversal/ \u2022 http://cve.phidias.com/", "Overview \"Keeping money\" by the Colorado workers' compensation system can refer to", "legal deductions, legitimate reasons for payment delays or denial, or potential issues that require legal", "counsel. The system does not \"keep\" money without a valid reason.Lies. they\u2019ve Ben in trouble before ." ], "public": 1, "adversary": "Colorado Quasi Government | Workerk Compensation", "targeted_countries": [ "United States of America" ], "malware_families": [ { "id": "Win.Trojan.Generic-9878032-0", "display_name": "Win.Trojan.Generic-9878032-0", "target": null }, { "id": "Win.Trojan.Starter-171", "display_name": "Win.Trojan.Starter-171", "target": null }, { "id": "GravityRAT", "display_name": "GravityRAT", "target": null }, { "id": "Backdoor:Win32/Berbew.AA!MTB", "display_name": "Backdoor:Win32/Berbew.AA!MTB", "target": "/malware/Backdoor:Win32/Berbew.AA!MTB" }, { "id": "Trojan:MSIL/AgentTesla.DW!MTB", "display_name": "Trojan:MSIL/AgentTesla.DW!MTB", "target": "/malware/Trojan:MSIL/AgentTesla.DW!MTB" }, { "id": "ALF:HeraklezEval:Trojan:MSIL/Gravityrat!rfn", "display_name": "ALF:HeraklezEval:Trojan:MSIL/Gravityrat!rfn", "target": null }, { "id": "Trojandropper:Win32/VB.IL", "display_name": "Trojandropper:Win32/VB.IL", "target": "/malware/Trojandropper:Win32/VB.IL" }, { "id": "Nemucod", "display_name": "Nemucod", "target": null }, { "id": "Berbew", "display_name": "Berbew", "target": null }, { "id": "PWS:Win32/Zbot.MS!MTB", "display_name": "PWS:Win32/Zbot.MS!MTB", "target": "/malware/PWS:Win32/Zbot.MS!MTB" }, { "id": "Win.Trojan.Barys-10005825-0", "display_name": "Win.Trojan.Barys-10005825-0", "target": null }, { "id": "Upatre", "display_name": "Upatre", "target": null }, { "id": "TrojanSpy", "display_name": "TrojanSpy", "target": null }, { "id": "Win.Exploit.Rozena-10038302-0", "display_name": "Win.Exploit.Rozena-10038302-0", "target": null }, { "id": "Zombie", "display_name": "Zombie", "target": null }, { "id": "Trojan:Win32/Zombie", "display_name": "Trojan:Win32/Zombie", "target": "/malware/Trojan:Win32/Zombie" }, { "id": "Muldrop", "display_name": "Muldrop", "target": null }, { "id": "Worm:Win32/Mofksys.RND!MTB", "display_name": "Worm:Win32/Mofksys.RND!MTB", "target": "/malware/Worm:Win32/Mofksys.RND!MTB" }, { "id": "Dorv", "display_name": "Dorv", "target": null }, { "id": "Win.Malware.Pits-10035540-0", "display_name": "Win.Malware.Pits-10035540-0", "target": null }, { "id": "Win.Ransomware.Msilzilla-10014498-0", "display_name": "Win.Ransomware.Msilzilla-10014498-0", "target": null }, { "id": "CVE-2023-4966", "display_name": "CVE-2023-4966", "target": null }, { "id": "Exploit:Linux/CVE-2017-17215", "display_name": "Exploit:Linux/CVE-2017-17215", "target": "/malware/Exploit:Linux/CVE-2017-17215" }, { "id": "Ransom:Win32/CVE-2017-0147", "display_name": "Ransom:Win32/CVE-2017-0147", "target": "/malware/Ransom:Win32/CVE-2017-0147" }, { "id": "CVE-2022-26134", "display_name": "CVE-2022-26134", "target": null } ], "attack_ids": [ { "id": "T1060", "name": "Registry Run Keys / Startup Folder", "display_name": "T1060 - Registry Run Keys / Startup Folder" }, { "id": "T1063", "name": "Security Software Discovery", "display_name": "T1063 - Security Software Discovery" }, { "id": "T1119", "name": "Automated Collection", "display_name": "T1119 - Automated Collection" }, { "id": "T1045", "name": "Software Packing", "display_name": "T1045 - Software Packing" }, { "id": "T1059", "name": "Command and Scripting Interpreter", "display_name": "T1059 - Command and Scripting Interpreter" }, { "id": "T1129", "name": "Shared Modules", "display_name": "T1129 - Shared Modules" }, { "id": "T1179", "name": "Hooking", "display_name": "T1179 - Hooking" }, { "id": "T1547", "name": "Boot or Logon Autostart Execution", "display_name": "T1547 - Boot or Logon Autostart Execution" }, { "id": "T1569", "name": "System Services", "display_name": "T1569 - System Services" }, { "id": "T1057", "name": "Process Discovery", "display_name": "T1057 - Process Discovery" }, { "id": "T1027", "name": "Obfuscated Files or Information", "display_name": "T1027 - Obfuscated Files or Information" }, { "id": "T1069", "name": "Permission Groups Discovery", "display_name": "T1069 - Permission Groups Discovery" }, { "id": "T1071", "name": "Application Layer Protocol", "display_name": "T1071 - Application Layer Protocol" }, { "id": "T1105", "name": "Ingress Tool Transfer", "display_name": "T1105 - Ingress Tool Transfer" }, { "id": "T1480", "name": "Execution Guardrails", "display_name": "T1480 - Execution Guardrails" }, { "id": "T1553", "name": "Subvert Trust Controls", "display_name": "T1553 - Subvert Trust Controls" }, { "id": "T1568", "name": "Dynamic Resolution", "display_name": "T1568 - Dynamic Resolution" }, { "id": "T1457", "name": "Malicious Media Content", "display_name": "T1457 - Malicious Media Content" }, { "id": "T1071.004", "name": "DNS", "display_name": "T1071.004 - DNS" } ], "industries": [], "TLP": "white", "cloned_from": null, "export_count": 12, "upvotes_count": 0, "downvotes_count": 0, "votes_count": 0, "locked": false, "pulse_source": "web", "validator_count": 0, "comment_count": 0, "follower_count": 0, "vote": 0, "author": { "username": "Q.Vashti", "id": "337942", "avatar_url": "https://otx.alienvault.com/assets/images/default-avatar.png", "is_subscribed": false, "is_following": false }, "indicator_type_counts": { "URL": 6051, "hostname": 2627, "FileHash-MD5": 401, "FileHash-SHA1": 257, "email": 11, "domain": 1838, "FileHash-SHA256": 1742, "CVE": 4, "SSLCertFingerprint": 3 }, "indicator_count": 12934, "is_author": false, "is_subscribing": null, "subscriber_count": 140, "modified_text": "136 days ago ", "is_modified": true, "groups": [], "in_group": false, "threat_hunter_scannable": true, "threat_hunter_has_agents": 1, "related_indicator_type": "URL", "related_indicator_is_active": 1 }, { "id": "69138421066f81131da59cc5", "name": "Malicious Legal Google Botnet - Treece Alfrey Musat P.C.\u2022 Christopher P. Ahmann Spam - Malicious ", "description": "", "modified": "2025-12-03T00:01:23.660000", "created": "2025-11-11T18:44:49.343000", "tags": [ "status", "date", "name servers", "lowfi", "passive dns", "urls", "domain", "susp", "win32", "search", "win64", "error", "url https", "url http", "ipv4", "type indicator", "role title", "added active", "related pulses", "morocco", "united kingdom", "united", "present nov", "aaaa", "present oct", "cname", "brazil", "malaysia", "title", "present jun", "ip address", "creation date", "record value", "emails", "unknown aaaa", "body", "url add", "pulse pulses", "http", "related nids", "files location", "flag united", "trojan", "trojandropper", "virtool", "entries", "next associated", "ipv4 add", "unknown ns", "present jul", "present sep", "present aug", "win32upatre nov", "candyopen", "tlsv1", "port", "destination", "ogoogle trust", "cngts ca", "show", "read c", "youtube", "copy", "dock", "write", "next", "malware", "persistence", "execution", "filehashmd5", "hostname", "filehashsha256", "types of", "germany", "poland", "indicator role", "title added", "active related", "pulses url", "p1377925676", "gaz1", "sid1696503456", "sct1" ], "references": [], "public": 1, "adversary": "", "targeted_countries": [], "malware_families": [], "attack_ids": [ { "id": "T1045", "name": "Software Packing", "display_name": "T1045 - Software Packing" }, { "id": "T1053", "name": "Scheduled Task/Job", "display_name": "T1053 - Scheduled Task/Job" }, { "id": "T1055", "name": "Process Injection", "display_name": "T1055 - Process Injection" }, { "id": "T1082", "name": "System Information Discovery", "display_name": "T1082 - System Information Discovery" }, { "id": "T1112", "name": "Modify Registry", "display_name": "T1112 - Modify Registry" }, { "id": "T1129", "name": "Shared Modules", "display_name": "T1129 - Shared Modules" }, { "id": "T1143", "name": "Hidden Window", "display_name": "T1143 - Hidden Window" } ], "industries": [], "TLP": "green", "cloned_from": "6907f7e98289b75f3e5ecaba", "export_count": 21, "upvotes_count": 0, "downvotes_count": 0, "votes_count": 0, "locked": false, "pulse_source": "web", "validator_count": 0, "comment_count": 0, "follower_count": 0, "vote": 0, "author": { "username": "Q.Vashti", "id": "337942", "avatar_url": "https://otx.alienvault.com/assets/images/default-avatar.png", "is_subscribed": false, "is_following": false }, "indicator_type_counts": { "domain": 400, "URL": 2857, "FileHash-MD5": 217, "FileHash-SHA1": 172, "FileHash-SHA256": 1426, "email": 6, "hostname": 1019, "SSLCertFingerprint": 6 }, "indicator_count": 6103, "is_author": false, "is_subscribing": null, "subscriber_count": 137, "modified_text": "137 days ago ", "is_modified": true, "groups": [], "in_group": false, "threat_hunter_scannable": true, "threat_hunter_has_agents": 1, "related_indicator_type": "URL", "related_indicator_is_active": 1 }, { "id": "6907f7e98289b75f3e5ecaba", "name": "- Treece Alfrey Musat P.C. - Malicious Legal Google Botnet", "description": "Christopher P.\nAhmann\u2019s Google Botnet. Defense attorneys fighting worker\u2019s compensation case and ruining a targets life for years. Malicious.[OTX auto popular-HOSTNAME: Google Video.com (GOOGlevideo.COM), an unauthorised website, has been blocked by the internet service regulator, the regulator of the domain registry.]\n\n#pulsed_by_otx #private_google #legal_goigle #malicious_practices", "modified": "2025-12-03T00:01:23.660000", "created": "2025-11-03T00:31:37.396000", "tags": [ "status", "date", "name servers", "lowfi", "passive dns", "urls", "domain", "susp", "win32", "search", "win64", "error", "url https", "url http", "ipv4", "type indicator", "role title", "added active", "related pulses", "morocco", "united kingdom", "united", "present nov", "aaaa", "present oct", "cname", "brazil", "malaysia", "title", "present jun", "ip address", "creation date", "record value", "emails", "unknown aaaa", "body", "url add", "pulse pulses", "http", "related nids", "files location", "flag united", "trojan", "trojandropper", "virtool", "entries", "next associated", "ipv4 add", "unknown ns", "present jul", "present sep", "present aug", "win32upatre nov", "candyopen", "tlsv1", "port", "destination", "ogoogle trust", "cngts ca", "show", "read c", "youtube", "copy", "dock", "write", "next", "malware", "persistence", "execution", "filehashmd5", "hostname", "filehashsha256", "types of", "germany", "poland", "indicator role", "title added", "active related", "pulses url", "p1377925676", "gaz1", "sid1696503456", "sct1" ], "references": [], "public": 1, "adversary": "", "targeted_countries": [], "malware_families": [], "attack_ids": [ { "id": "T1045", "name": "Software Packing", "display_name": "T1045 - Software Packing" }, { "id": "T1053", "name": "Scheduled Task/Job", "display_name": "T1053 - Scheduled Task/Job" }, { "id": "T1055", "name": "Process Injection", "display_name": "T1055 - Process Injection" }, { "id": "T1082", "name": "System Information Discovery", "display_name": "T1082 - System Information Discovery" }, { "id": "T1112", "name": "Modify Registry", "display_name": "T1112 - Modify Registry" }, { "id": "T1129", "name": "Shared Modules", "display_name": "T1129 - Shared Modules" }, { "id": "T1143", "name": "Hidden Window", "display_name": "T1143 - Hidden Window" } ], "industries": [], "TLP": "green", "cloned_from": null, "export_count": 8, "upvotes_count": 0, "downvotes_count": 0, "votes_count": 0, "locked": false, "pulse_source": "web", "validator_count": 0, "comment_count": 0, "follower_count": 0, "vote": 0, "author": { "username": "Q.Vashti", "id": "337942", "avatar_url": "https://otx.alienvault.com/assets/images/default-avatar.png", "is_subscribed": false, "is_following": false }, "indicator_type_counts": { "domain": 400, "URL": 2857, "FileHash-MD5": 217, "FileHash-SHA1": 172, "FileHash-SHA256": 1426, "email": 6, "hostname": 1019, "SSLCertFingerprint": 6 }, "indicator_count": 6103, "is_author": false, "is_subscribing": null, "subscriber_count": 138, "modified_text": "137 days ago ", "is_modified": true, "groups": [], "in_group": false, "threat_hunter_scannable": true, "threat_hunter_has_agents": 1, "related_indicator_type": "URL", "related_indicator_is_active": 1 }, { "id": "68f9a6f4e35193c04401daaf", "name": "Emotet & VirTool Obsfuscator - Registrar abuse tracking civilians", "description": "", "modified": "2025-11-22T00:01:42.464000", "created": "2025-10-23T03:54:28.671000", "tags": [ "url https", "url http", "hostname", "mulweli", "mphomafmulweli", "indicator role", "ipv4", "type indicator", "added active", "related pulses", "united", "envoy error", "certificate", "urls", "emails", "active related", "africa", "span", "gmt server", "colorado", "denver", "palantir", "listen", "listen linda", "linda listen", "listeners @ dantesdragon", "palantir", "all y", "se referen", "data upload", "extraction", "extra", "referen data", "overview domain", "passive dns", "files ip", "address", "asn asnone", "as14618", "all se", "include review", "exclude sugges", "failed", "typo", "status", "search", "record value", "server", "domain status", "key identifier", "x509v3 subject", "full name", "registrar abuse", "registrar", "data", "v3 serial", "code", "number", "cus odigicert", "inc cndigicert", "global g2", "tls rsa", "sha256", "united states", "power query", "microsoft learn", "ordenar por", "foundry", "input", "blocked", "error id", "conector", "por ejemplo", "sensitive", "quickstart", "present aug", "present oct", "unknown ns", "showing", "present sep", "moved", "title", "files", "reverse dns", "location united", "america flag", "america asn", "asnone dns", "resolutions", "dga domain", "ipv4 add", "url analysis", "name servers", "div div", "expiration date", "page", "present nov", "present jan", "present dec", "present mar", "present feb", "virtool", "cryp", "error", "win32", "domain", "ip address", "domain add", "next associated", "pulse pulses", "ashburn", "extr referen", "exclude", "sugges", "pulse submit", "date", "present jul", "present jun", "fastly error", "please", "handle", "entity", "record type", "ttl value", "msms93992282", "read c", "show", "medium", "tlsv1", "whitelisted", "module load", "t1129", "execution", "dock", "write", "persistence", "next", "unknown", "connector", "cybercrime", "harassment" ], "references": [ "Products are being abused. Users are over zealous at blocking targets from basic human rights and privacy." ], "public": 1, "adversary": "Quickstart", "targeted_countries": [ "United States of America" ], "malware_families": [ { "id": "Multiple Malware Attack", "display_name": "Multiple Malware Attack", "target": null } ], "attack_ids": [ { "id": "T1053", "name": "Scheduled Task/Job", "display_name": "T1053 - Scheduled Task/Job" }, { "id": "T1055", "name": "Process Injection", "display_name": "T1055 - Process Injection" }, { "id": "T1082", "name": "System Information Discovery", "display_name": "T1082 - System Information Discovery" }, { "id": "T1112", "name": "Modify Registry", "display_name": "T1112 - Modify Registry" }, { "id": "T1119", "name": "Automated Collection", "display_name": "T1119 - Automated Collection" }, { "id": "T1129", "name": "Shared Modules", "display_name": "T1129 - Shared Modules" }, { "id": "T1143", "name": "Hidden Window", "display_name": "T1143 - Hidden Window" }, { "id": "TA0003", "name": "Persistence", "display_name": "TA0003 - Persistence" }, { "id": "T1068", "name": "Exploitation for Privilege Escalation", "display_name": "T1068 - Exploitation for Privilege Escalation" }, { "id": "T1147", "name": "Hidden Users", "display_name": "T1147 - Hidden Users" }, { "id": "T1449", "name": "Exploit SS7 to Redirect Phone Calls/SMS", "display_name": "T1449 - Exploit SS7 to Redirect Phone Calls/SMS" }, { "id": "T1210", "name": "Exploitation of Remote Services", "display_name": "T1210 - Exploitation of Remote Services" }, { "id": "T1105", "name": "Ingress Tool Transfer", "display_name": "T1105 - Ingress Tool Transfer" }, { "id": "T1211", "name": "Exploitation for Defense Evasion", "display_name": "T1211 - Exploitation for Defense Evasion" }, { "id": "T1480", "name": "Execution Guardrails", "display_name": "T1480 - Execution Guardrails" }, { "id": "T1027.005", "name": "Indicator Removal from Tools", "display_name": "T1027.005 - Indicator Removal from Tools" }, { "id": "T1573", "name": "Encrypted Channel", "display_name": "T1573 - Encrypted Channel" }, { "id": "T1057", "name": "Process Discovery", "display_name": "T1057 - Process Discovery" }, { "id": "T1069.002", "name": "Domain Groups", "display_name": "T1069.002 - Domain Groups" }, { "id": "T1070.004", "name": "File Deletion", "display_name": "T1070.004 - File Deletion" }, { "id": "T1132.002", "name": "Non-Standard Encoding", "display_name": "T1132.002 - Non-Standard Encoding" }, { "id": "T1071", "name": "Application Layer Protocol", "display_name": "T1071 - Application Layer Protocol" }, { "id": "T1071.004", "name": "DNS", "display_name": "T1071.004 - DNS" }, { "id": "T1568.002", "name": "Domain Generation Algorithms", "display_name": "T1568.002 - Domain Generation Algorithms" } ], "industries": [ "Technology", "Government" ], "TLP": "green", "cloned_from": "68f9a1ef2dd26ec62a3c298c", "export_count": 6, "upvotes_count": 0, "downvotes_count": 0, "votes_count": 0, "locked": false, "pulse_source": "web", "validator_count": 0, "comment_count": 2, "follower_count": 0, "vote": 0, "author": { "username": "Q.Vashti", "id": "337942", "avatar_url": "https://otx.alienvault.com/assets/images/default-avatar.png", "is_subscribed": false, "is_following": false }, "indicator_type_counts": { "hostname": 2865, "URL": 5728, "email": 11, "FileHash-MD5": 91, "FileHash-SHA1": 75, "FileHash-SHA256": 1713, "domain": 1193, "CVE": 1, "SSLCertFingerprint": 2 }, "indicator_count": 11679, "is_author": false, "is_subscribing": null, "subscriber_count": 141, "modified_text": "148 days ago ", "is_modified": true, "groups": [], "in_group": false, "threat_hunter_scannable": true, "threat_hunter_has_agents": 1, "related_indicator_type": "URL", "related_indicator_is_active": 1 }, { "id": "69069167e1e2a222bd7762f2", "name": "Palantir - Spyware", "description": "", "modified": "2025-11-22T00:01:42.464000", "created": "2025-11-01T23:01:59.339000", "tags": [ "url https", "url http", "hostname", "mulweli", "mphomafmulweli", "indicator role", "ipv4", "type indicator", "added active", "related pulses", "united", "envoy error", "certificate", "urls", "emails", "active related", "africa", "span", "gmt server", "colorado", "denver", "palantir", "listen", "listen linda", "linda listen", "listeners @ dantesdragon", "palantir", "all y", "se referen", "data upload", "extraction", "extra", "referen data", "overview domain", "passive dns", "files ip", "address", "asn asnone", "as14618", "all se", "include review", "exclude sugges", "failed", "typo", "status", "search", "record value", "server", "domain status", "key identifier", "x509v3 subject", "full name", "registrar abuse", "registrar", "data", "v3 serial", "code", "number", "cus odigicert", "inc cndigicert", "global g2", "tls rsa", "sha256", "united states", "power query", "microsoft learn", "ordenar por", "foundry", "input", "blocked", "error id", "conector", "por ejemplo", "sensitive", "quickstart", "present aug", "present oct", "unknown ns", "showing", "present sep", "moved", "title", "files", "reverse dns", "location united", "america flag", "america asn", "asnone dns", "resolutions", "dga domain", "ipv4 add", "url analysis", "name servers", "div div", "expiration date", "page", "present nov", "present jan", "present dec", "present mar", "present feb", "virtool", "cryp", "error", "win32", "domain", "ip address", "domain add", "next associated", "pulse pulses", "ashburn", "extr referen", "exclude", "sugges", "pulse submit", "date", "present jul", "present jun", "fastly error", "please", "handle", "entity", "record type", "ttl value", "msms93992282", "read c", "show", "medium", "tlsv1", "whitelisted", "module load", "t1129", "execution", "dock", "write", "persistence", "next", "unknown", "connector", "cybercrime", "harassment" ], "references": [ "Products are being abused. Users are over zealous at blocking targets from basic human rights and privacy." ], "public": 1, "adversary": "Quickstart", "targeted_countries": [ "United States of America" ], "malware_families": [ { "id": "Multiple Malware Attack", "display_name": "Multiple Malware Attack", "target": null } ], "attack_ids": [ { "id": "T1053", "name": "Scheduled Task/Job", "display_name": "T1053 - Scheduled Task/Job" }, { "id": "T1055", "name": "Process Injection", "display_name": "T1055 - Process Injection" }, { "id": "T1082", "name": "System Information Discovery", "display_name": "T1082 - System Information Discovery" }, { "id": "T1112", "name": "Modify Registry", "display_name": "T1112 - Modify Registry" }, { "id": "T1119", "name": "Automated Collection", "display_name": "T1119 - Automated Collection" }, { "id": "T1129", "name": "Shared Modules", "display_name": "T1129 - Shared Modules" }, { "id": "T1143", "name": "Hidden Window", "display_name": "T1143 - Hidden Window" }, { "id": "TA0003", "name": "Persistence", "display_name": "TA0003 - Persistence" }, { "id": "T1068", "name": "Exploitation for Privilege Escalation", "display_name": "T1068 - Exploitation for Privilege Escalation" }, { "id": "T1147", "name": "Hidden Users", "display_name": "T1147 - Hidden Users" }, { "id": "T1449", "name": "Exploit SS7 to Redirect Phone Calls/SMS", "display_name": "T1449 - Exploit SS7 to Redirect Phone Calls/SMS" }, { "id": "T1210", "name": "Exploitation of Remote Services", "display_name": "T1210 - Exploitation of Remote Services" }, { "id": "T1105", "name": "Ingress Tool Transfer", "display_name": "T1105 - Ingress Tool Transfer" }, { "id": "T1211", "name": "Exploitation for Defense Evasion", "display_name": "T1211 - Exploitation for Defense Evasion" }, { "id": "T1480", "name": "Execution Guardrails", "display_name": "T1480 - Execution Guardrails" }, { "id": "T1027.005", "name": "Indicator Removal from Tools", "display_name": "T1027.005 - Indicator Removal from Tools" }, { "id": "T1573", "name": "Encrypted Channel", "display_name": "T1573 - Encrypted Channel" }, { "id": "T1057", "name": "Process Discovery", "display_name": "T1057 - Process Discovery" }, { "id": "T1069.002", "name": "Domain Groups", "display_name": "T1069.002 - Domain Groups" }, { "id": "T1070.004", "name": "File Deletion", "display_name": "T1070.004 - File Deletion" }, { "id": "T1132.002", "name": "Non-Standard Encoding", "display_name": "T1132.002 - Non-Standard Encoding" }, { "id": "T1071", "name": "Application Layer Protocol", "display_name": "T1071 - Application Layer Protocol" }, { "id": "T1071.004", "name": "DNS", "display_name": "T1071.004 - DNS" }, { "id": "T1568.002", "name": "Domain Generation Algorithms", "display_name": "T1568.002 - Domain Generation Algorithms" } ], "industries": [ "Technology", "Government" ], "TLP": "green", "cloned_from": "68f9a1ef2dd26ec62a3c298c", "export_count": 7, "upvotes_count": 0, "downvotes_count": 0, "votes_count": 0, "locked": false, "pulse_source": "web", "validator_count": 0, "comment_count": 0, "follower_count": 0, "vote": 0, "author": { "username": "privacynotacrime", "id": "349346", "avatar_url": "https://otx.alienvault.com/assets/images/default-avatar.png", "is_subscribed": false, "is_following": false }, "indicator_type_counts": { "hostname": 2865, "URL": 5728, "email": 11, "FileHash-MD5": 91, "FileHash-SHA1": 75, "FileHash-SHA256": 1713, "domain": 1193, "CVE": 1, "SSLCertFingerprint": 2 }, "indicator_count": 11679, "is_author": false, "is_subscribing": null, "subscriber_count": 57, "modified_text": "148 days ago ", "is_modified": true, "groups": [], "in_group": false, "threat_hunter_scannable": true, "threat_hunter_has_agents": 1, "related_indicator_type": "URL", "related_indicator_is_active": 1 }, { "id": "68f9a1ef2dd26ec62a3c298c", "name": "Listeners - Malicious Over the top espionage | Cyber Warfare?", "description": "Cyber attacks on targeted devices stored safely, separately, don\u2019t communicate with one another. PalantirFoundry.com shares IP addresses with Fastly. South African IP\u2019s and DGA domains bounce from US Denver , Co based IP and Domain addresses. Registrar Abuse: HTTP/2 404 content type: text/html content length: 2263 date: Wed 22 Oct 2025 22:32:18 GMT server: Envoy\n443 Certificate Subject: US\n443 Certificate Subject: Colorado\n443 Certificate Subject: Denver\n443 Certificate Subject: Palantir Technologies Inc.\n443 Certificate Subject: listeners.usw-19.palantirfoundry.com", "modified": "2025-11-22T00:01:42.464000", "created": "2025-10-23T03:33:03.315000", "tags": [ "url https", "url http", "hostname", "mulweli", "mphomafmulweli", "indicator role", "ipv4", "type indicator", "added active", "related pulses", "united", "envoy error", "certificate", "urls", "emails", "active related", "africa", "span", "gmt server", "colorado", "denver", "palantir", "listen", "listen linda", "linda listen", "listeners @ dantesdragon", "palantir", "all y", "se referen", "data upload", "extraction", "extra", "referen data", "overview domain", "passive dns", "files ip", "address", "asn asnone", "as14618", "all se", "include review", "exclude sugges", "failed", "typo", "status", "search", "record value", "server", "domain status", "key identifier", "x509v3 subject", "full name", "registrar abuse", "registrar", "data", "v3 serial", "code", "number", "cus odigicert", "inc cndigicert", "global g2", "tls rsa", "sha256", "united states", "power query", "microsoft learn", "ordenar por", "foundry", "input", "blocked", "error id", "conector", "por ejemplo", "sensitive", "quickstart", "present aug", "present oct", "unknown ns", "showing", "present sep", "moved", "title", "files", "reverse dns", "location united", "america flag", "america asn", "asnone dns", "resolutions", "dga domain", "ipv4 add", "url analysis", "name servers", "div div", "expiration date", "page", "present nov", "present jan", "present dec", "present mar", "present feb", "virtool", "cryp", "error", "win32", "domain", "ip address", "domain add", "next associated", "pulse pulses", "ashburn", "extr referen", "exclude", "sugges", "pulse submit", "date", "present jul", "present jun", "fastly error", "please", "handle", "entity", "record type", "ttl value", "msms93992282", "read c", "show", "medium", "tlsv1", "whitelisted", "module load", "t1129", "execution", "dock", "write", "persistence", "next", "unknown", "connector", "cybercrime", "harassment" ], "references": [ "Products are being abused. Users are over zealous at blocking targets from basic human rights and privacy." ], "public": 1, "adversary": "Quickstart", "targeted_countries": [ "United States of America" ], "malware_families": [ { "id": "Multiple Malware Attack", "display_name": "Multiple Malware Attack", "target": null } ], "attack_ids": [ { "id": "T1053", "name": "Scheduled Task/Job", "display_name": "T1053 - Scheduled Task/Job" }, { "id": "T1055", "name": "Process Injection", "display_name": "T1055 - Process Injection" }, { "id": "T1082", "name": "System Information Discovery", "display_name": "T1082 - System Information Discovery" }, { "id": "T1112", "name": "Modify Registry", "display_name": "T1112 - Modify Registry" }, { "id": "T1119", "name": "Automated Collection", "display_name": "T1119 - Automated Collection" }, { "id": "T1129", "name": "Shared Modules", "display_name": "T1129 - Shared Modules" }, { "id": "T1143", "name": "Hidden Window", "display_name": "T1143 - Hidden Window" }, { "id": "TA0003", "name": "Persistence", "display_name": "TA0003 - Persistence" }, { "id": "T1068", "name": "Exploitation for Privilege Escalation", "display_name": "T1068 - Exploitation for Privilege Escalation" }, { "id": "T1147", "name": "Hidden Users", "display_name": "T1147 - Hidden Users" }, { "id": "T1449", "name": "Exploit SS7 to Redirect Phone Calls/SMS", "display_name": "T1449 - Exploit SS7 to Redirect Phone Calls/SMS" }, { "id": "T1210", "name": "Exploitation of Remote Services", "display_name": "T1210 - Exploitation of Remote Services" }, { "id": "T1105", "name": "Ingress Tool Transfer", "display_name": "T1105 - Ingress Tool Transfer" }, { "id": "T1211", "name": "Exploitation for Defense Evasion", "display_name": "T1211 - Exploitation for Defense Evasion" }, { "id": "T1480", "name": "Execution Guardrails", "display_name": "T1480 - Execution Guardrails" }, { "id": "T1027.005", "name": "Indicator Removal from Tools", "display_name": "T1027.005 - Indicator Removal from Tools" }, { "id": "T1573", "name": "Encrypted Channel", "display_name": "T1573 - Encrypted Channel" }, { "id": "T1057", "name": "Process Discovery", "display_name": "T1057 - Process Discovery" }, { "id": "T1069.002", "name": "Domain Groups", "display_name": "T1069.002 - Domain Groups" }, { "id": "T1070.004", "name": "File Deletion", "display_name": "T1070.004 - File Deletion" }, { "id": "T1132.002", "name": "Non-Standard Encoding", "display_name": "T1132.002 - Non-Standard Encoding" }, { "id": "T1071", "name": "Application Layer Protocol", "display_name": "T1071 - Application Layer Protocol" }, { "id": "T1071.004", "name": "DNS", "display_name": "T1071.004 - DNS" }, { "id": "T1568.002", "name": "Domain Generation Algorithms", "display_name": "T1568.002 - Domain Generation Algorithms" } ], "industries": [ "Technology", "Government" ], "TLP": "green", "cloned_from": null, "export_count": 7, "upvotes_count": 0, "downvotes_count": 0, "votes_count": 0, "locked": false, "pulse_source": "web", "validator_count": 0, "comment_count": 0, "follower_count": 0, "vote": 0, "author": { "username": "Q.Vashti", "id": "337942", "avatar_url": "https://otx.alienvault.com/assets/images/default-avatar.png", "is_subscribed": false, "is_following": false }, "indicator_type_counts": { "hostname": 2865, "URL": 5728, "email": 11, "FileHash-MD5": 91, "FileHash-SHA1": 75, "FileHash-SHA256": 1713, "domain": 1193, "CVE": 1, "SSLCertFingerprint": 2 }, "indicator_count": 11679, "is_author": false, "is_subscribing": null, "subscriber_count": 180, "modified_text": "148 days ago ", "is_modified": true, "groups": [], "in_group": false, "threat_hunter_scannable": true, "threat_hunter_has_agents": 1, "related_indicator_type": "URL", "related_indicator_is_active": 1 }, { "id": "68f93b1cebf80f48450bd517", "name": "Yuner - File deletion and Disk Wiping / Cyberstalking ", "description": "", "modified": "2025-11-21T18:02:11.054000", "created": "2025-10-22T20:14:20.632000", "tags": [ "server nginx", "date fri", "etag w", "urls", "passive dns", "acceptranges", "contentlength", "date thu", "gmt expires", "server", "code", "link", "script script", "south africa", "ipv4", "files", "location south", "accept", "present aug", "certificate", "hostname add", "domain", "files ip", "unknown a", "script urls", "ip address", "unknown soa", "unknown ns", "reverse dns", "africa flag", "asn as16637", "dns resolutions", "domains top", "level", "unique tld", "related pulses", "tags none", "indicator facts", "title", "ipv4 add", "opinion", "netacea", "lockbit", "wannacry attack", "nhs trusts", "council", "uk government", "protect", "cni safe", "acls", "praio", "prink", "prsc", "prla", "lg2en", "cti98", "search", "seiko epson", "corporation", "arc file", "malware", "delete c", "default", "show", "write", "next", "unknown", "united", "tlsv1", "msie", "windows nt", "wow64", "slcc2", "media center", "as15169", "port", "execution", "dock", "capture", "persistence", "yara detections", "filehash", "md5 add", "pulse pulses", "av detections", "ids detections", "alerts", "analysis date", "file score", "low risk", "cabinet archive", "microsoft", "read c", "dynamicloader", "medium", "ltda me", "high", "write c", "entries", "checks", "delphi", "win32", "url pulse", "data upload", "extraction", "find suggested", "type", "domain hostname", "url add", "http", "related nids", "files location", "ireland flag", "files domain", "chrome", "ireland unknown", "pulse submit", "url analysis", "body", "date", "status", "name servers", "creation date", "expiration date", "flag united", "destination", "systemdrive", "html document", "crlf line", "updater", "copy", "unknown aaaa", "moved", "domain add", "extri data", "enter sc", "extr include", "review exclude", "sugges", "present jul", "saudi arabia", "present mar", "present oct", "present jun", "present feb", "present nov", "present may", "eeee", "eeeeeee", "eeeeee", "eefe", "ebeee", "ee eme", "eeheee", "eeefee e", "eeeee e", "vmprotect", "push", "local", "defender", "regsetvalueexa", "utf8 unicode" ], "references": [], "public": 1, "adversary": "", "targeted_countries": [], "malware_families": [ { "id": "Lockbit", "display_name": "Lockbit", "target": null }, { "id": "ALF:HeraklezEval:PUA:Win32/UltraDownloads", "display_name": "ALF:HeraklezEval:PUA:Win32/UltraDownloads", "target": null }, { "id": "Other Dangerous Malware", "display_name": "Other Dangerous Malware", "target": null } ], "attack_ids": [ { "id": "T1199", "name": "Trusted Relationship", "display_name": "T1199 - Trusted Relationship" }, { "id": "T1561", "name": "Disk Wipe", "display_name": "T1561 - Disk Wipe" }, { "id": "T1053", "name": "Scheduled Task/Job", "display_name": "T1053 - Scheduled Task/Job" }, { "id": "T1055", "name": "Process Injection", "display_name": "T1055 - Process Injection" }, { "id": "T1056", "name": "Input Capture", "display_name": "T1056 - Input Capture" }, { "id": "T1082", "name": "System Information Discovery", "display_name": "T1082 - System Information Discovery" }, { "id": "T1112", "name": "Modify Registry", "display_name": "T1112 - Modify Registry" }, { "id": "T1119", "name": "Automated Collection", "display_name": "T1119 - Automated Collection" }, { "id": "T1129", "name": "Shared Modules", "display_name": "T1129 - Shared Modules" }, { "id": "T1143", "name": "Hidden Window", "display_name": "T1143 - Hidden Window" }, { "id": "T1045", "name": "Software Packing", "display_name": "T1045 - Software Packing" }, { "id": "T1012", "name": "Query Registry", "display_name": "T1012 - Query Registry" }, { "id": "T1040", "name": "Network Sniffing", "display_name": "T1040 - Network Sniffing" }, { "id": "T1060", "name": "Registry Run Keys / Startup Folder", "display_name": "T1060 - Registry Run Keys / Startup Folder" }, { "id": "T1071", "name": "Application Layer Protocol", "display_name": "T1071 - Application Layer Protocol" }, { "id": "T1057", "name": "Process Discovery", "display_name": "T1057 - Process Discovery" }, { "id": "T1063", "name": "Security Software Discovery", "display_name": "T1063 - Security Software Discovery" } ], "industries": [ "Oil" ], "TLP": "green", "cloned_from": "68f9288e0d98f3b44c2cb90c", "export_count": 12, "upvotes_count": 0, "downvotes_count": 0, "votes_count": 0, "locked": false, "pulse_source": "web", "validator_count": 0, "comment_count": 0, "follower_count": 0, "vote": 0, "author": { "username": "Q.Vashti", "id": "337942", "avatar_url": "https://otx.alienvault.com/assets/images/default-avatar.png", "is_subscribed": false, "is_following": false }, "indicator_type_counts": { "domain": 648, "hostname": 1604, "FileHash-SHA256": 1826, "URL": 4153, "FileHash-MD5": 102, "FileHash-SHA1": 60, "SSLCertFingerprint": 18, "CVE": 2, "email": 5 }, "indicator_count": 8418, "is_author": false, "is_subscribing": null, "subscriber_count": 140, "modified_text": "149 days ago ", "is_modified": true, "groups": [], "in_group": false, "threat_hunter_scannable": true, "threat_hunter_has_agents": 1, "related_indicator_type": "URL", "related_indicator_is_active": 1 }, { "id": "68f9288e0d98f3b44c2cb90c", "name": "Ultrasounds attack - South African criminal group-Denver, Vo affects critical infrastructure , Oil and public safety", "description": "South African and Ethiopian crime group with Denver , Co presence is not only infiltrating infrastructure from banking to oil, they are human traffickers, hitmen and yes, I received this tip from team member Pheona who a \u2018sassa.gov.za\u2018 South African link recurrently as a top search suggestion in a \u2018targets\u2019 browser. The most frightening piece is that a name listed is of an Ethiopian man who attempted to force a very targeted victim to go somewhere with him,, be his girlfriend and did show up outside of her residence in a different City & County. He also knew the exact name of where she purchased specific items. If you can see this. Please help the best way you can. Something is incredibly wrong. [OTX auto populated Title: We can\u2019t rely on goodwill to protect our critical infrastructure - Help Net Security]", "modified": "2025-11-21T18:02:11.054000", "created": "2025-10-22T18:55:10.527000", "tags": [ "server nginx", "date fri", "etag w", "urls", "passive dns", "acceptranges", "contentlength", "date thu", "gmt expires", "server", "code", "link", "script script", "south africa", "ipv4", "files", "location south", "accept", "present aug", "certificate", "hostname add", "domain", "files ip", "unknown a", "script urls", "ip address", "unknown soa", "unknown ns", "reverse dns", "africa flag", "asn as16637", "dns resolutions", "domains top", "level", "unique tld", "related pulses", "tags none", "indicator facts", "title", "ipv4 add", "opinion", "netacea", "lockbit", "wannacry attack", "nhs trusts", "council", "uk government", "protect", "cni safe", "acls", "praio", "prink", "prsc", "prla", "lg2en", "cti98", "search", "seiko epson", "corporation", "arc file", "malware", "delete c", "default", "show", "write", "next", "unknown", "united", "tlsv1", "msie", "windows nt", "wow64", "slcc2", "media center", "as15169", "port", "execution", "dock", "capture", "persistence", "yara detections", "filehash", "md5 add", "pulse pulses", "av detections", "ids detections", "alerts", "analysis date", "file score", "low risk", "cabinet archive", "microsoft", "read c", "dynamicloader", "medium", "ltda me", "high", "write c", "entries", "checks", "delphi", "win32", "url pulse", "data upload", "extraction", "find suggested", "type", "domain hostname", "url add", "http", "related nids", "files location", "ireland flag", "files domain", "chrome", "ireland unknown", "pulse submit", "url analysis", "body", "date", "status", "name servers", "creation date", "expiration date", "flag united", "destination", "systemdrive", "html document", "crlf line", "updater", "copy", "unknown aaaa", "moved", "domain add", "extri data", "enter sc", "extr include", "review exclude", "sugges", "present jul", "saudi arabia", "present mar", "present oct", "present jun", "present feb", "present nov", "present may", "eeee", "eeeeeee", "eeeeee", "eefe", "ebeee", "ee eme", "eeheee", "eeefee e", "eeeee e", "vmprotect", "push", "local", "defender", "regsetvalueexa", "utf8 unicode" ], "references": [], "public": 1, "adversary": "", "targeted_countries": [], "malware_families": [ { "id": "Lockbit", "display_name": "Lockbit", "target": null }, { "id": "ALF:HeraklezEval:PUA:Win32/UltraDownloads", "display_name": "ALF:HeraklezEval:PUA:Win32/UltraDownloads", "target": null }, { "id": "Other Dangerous Malware", "display_name": "Other Dangerous Malware", "target": null } ], "attack_ids": [ { "id": "T1199", "name": "Trusted Relationship", "display_name": "T1199 - Trusted Relationship" }, { "id": "T1561", "name": "Disk Wipe", "display_name": "T1561 - Disk Wipe" }, { "id": "T1053", "name": "Scheduled Task/Job", "display_name": "T1053 - Scheduled Task/Job" }, { "id": "T1055", "name": "Process Injection", "display_name": "T1055 - Process Injection" }, { "id": "T1056", "name": "Input Capture", "display_name": "T1056 - Input Capture" }, { "id": "T1082", "name": "System Information Discovery", "display_name": "T1082 - System Information Discovery" }, { "id": "T1112", "name": "Modify Registry", "display_name": "T1112 - Modify Registry" }, { "id": "T1119", "name": "Automated Collection", "display_name": "T1119 - Automated Collection" }, { "id": "T1129", "name": "Shared Modules", "display_name": "T1129 - Shared Modules" }, { "id": "T1143", "name": "Hidden Window", "display_name": "T1143 - Hidden Window" }, { "id": "T1045", "name": "Software Packing", "display_name": "T1045 - Software Packing" }, { "id": "T1012", "name": "Query Registry", "display_name": "T1012 - Query Registry" }, { "id": "T1040", "name": "Network Sniffing", "display_name": "T1040 - Network Sniffing" }, { "id": "T1060", "name": "Registry Run Keys / Startup Folder", "display_name": "T1060 - Registry Run Keys / Startup Folder" }, { "id": "T1071", "name": "Application Layer Protocol", "display_name": "T1071 - Application Layer Protocol" }, { "id": "T1057", "name": "Process Discovery", "display_name": "T1057 - Process Discovery" }, { "id": "T1063", "name": "Security Software Discovery", "display_name": "T1063 - Security Software Discovery" } ], "industries": [ "Oil" ], "TLP": "green", "cloned_from": null, "export_count": 7, "upvotes_count": 0, "downvotes_count": 0, "votes_count": 0, "locked": false, "pulse_source": "web", "validator_count": 0, "comment_count": 0, "follower_count": 0, "vote": 0, "author": { "username": "Q.Vashti", "id": "337942", "avatar_url": "https://otx.alienvault.com/assets/images/default-avatar.png", "is_subscribed": false, "is_following": false }, "indicator_type_counts": { "domain": 648, "hostname": 1604, "FileHash-SHA256": 1826, "URL": 4153, "FileHash-MD5": 102, "FileHash-SHA1": 60, "SSLCertFingerprint": 18, "CVE": 2, "email": 5 }, "indicator_count": 8418, "is_author": false, "is_subscribing": null, "subscriber_count": 138, "modified_text": "149 days ago ", "is_modified": true, "groups": [], "in_group": false, "threat_hunter_scannable": true, "threat_hunter_has_agents": 1, "related_indicator_type": "URL", "related_indicator_is_active": 1 }, { "id": "68bbdb22e3d606ae8fb5cda8", "name": "HCPF | Department of Health Care Policy and Financing", "description": "Project Nemesis - Affects Department of Health Care Policy and Financing | Family representative repeatedly told past bills aren\u2019t being paid by United Healthcare. Argus Insurance (unknown entity) was Policy on record target never had. FR was given information regarding HCPF which was being viewed by past vendor seen in (https://otx.alienvault.com/pulse/68bbb31f6d91989d7fcd9592) | Issues with HCPF have been an issue for some time in isolated scenarios. It\u2019s unclear how at least one person keeps getting their name, bills and life pulled into this. Target PURCHASED a Healthcare policy via agent before major social engineering attacks. Same entity literally robs targets. Gift cards, phone services, cloud storage, account, insurance policies, bank account access, tax refunds, paid claims reversed & taken from target\u2019s account.\nMore research needed. Flaws in new system could jeopardize many. \n#trulymissed #rip #techbrohell #palantir", "modified": "2025-10-06T05:01:18.794000", "created": "2025-09-06T06:56:34.649000", "tags": [ "federal changes", "health first", "colorado", "child health", "plan plus", "newimpact", "medicaidour", "impact", "medicaid page", "medicaid", "beware", "text/html", "trackers", "iframes", "external-resources", "new relic", "g1gv3h3sxc0", "utc gcw970gh4gg", "android", "known exploited", "google", "salesloft drift", "sap s4hana", "cve202542957", "cisa", "sitecore", "linux", "france", "meta", "rokrat", "lizar", "project nemesis", "carbanak", "cobalt strike", "domino", "no expiration", "url https", "type indicator", "role title", "related pulses", "hostname https", "m4e5930", "hostname", "msie", "windows nt", "wow64", "slcc2", "media center", "tlsv1", "ascii text", "search", "ogoogle trust", "cngts ca", "execution", "next", "dock", "write", "capture", "persistence", "malware", "roboto", "present feb", "united", "a domains", "present dec", "passive dns", "moved", "script domains", "script urls", "urls", "title", "date", "resolved ips", "http traffic", "http get", "match info", "downloads", "info", "https http", "mitre att", "control ta0011", "protocol t1071", "protocol t1095", "endgame systems" ], "references": [ "Researched: https://hcpf.colorado.gov/", "www.onyx-ware.com \u2022 https://www.endgamesystems.com/", "millet-usgc-1.palantirfedstart.com", "https://securityaffairs.com/109671/hacking/50000-home-cameras-hacked.html", "https://passwords.google/?utm_medium=hpp&utm_source=google&utm_campaign=sid2023aunonenms", "https://passwords.google/?utm_medium=hpp&utm", "https://securityaffairs.com/181338/security/google-fixed-chrome-flaw-found-by-big-sleep-ai.html", "Researched publicly available information provided by representative of a target\u2019s estate", "System has placed affected on multiple policies cancelling private policy without notice.", "Paid for plan long after entity put target on a state plan. Target audited for making too much money (framed)", "Provided documented evidence of appealed state issued plan and disclosed financials.", "Won appeal. Denied stimulus until passing another audit showing taxable income and filed taxes", "I hope this goes smoothly. I believe will be a nightmare as witnessed. I hope I\u2019m wrong.", "State (or random \u2022_- hackers) erased evidence of targets insurance all paid for by target.", "Target also owned an online brokerage & lead company, was agent & insurance marketer for years.", "September began with false information, defaulted claims , denials from authorized services rendered years prior.", "If someone has Medicare it\u2019s wise to check with carrier & providers to see policies generated by AI" ], "public": 1, "adversary": "", "targeted_countries": [], "malware_families": [ { "id": "Lizar", "display_name": "Lizar", "target": null }, { "id": "Project Nemesis", "display_name": "Project Nemesis", "target": null }, { "id": "Carbanak", "display_name": "Carbanak", "target": null }, { "id": "Cobalt Strike", "display_name": "Cobalt Strike", "target": null }, { "id": "Domino", "display_name": "Domino", "target": null } ], "attack_ids": [ { "id": "T1036", "name": "Masquerading", "display_name": "T1036 - Masquerading" }, { "id": "T1053", "name": "Scheduled Task/Job", "display_name": "T1053 - Scheduled Task/Job" }, { "id": "T1055", "name": "Process Injection", "display_name": "T1055 - Process Injection" }, { "id": "T1056", "name": "Input Capture", "display_name": "T1056 - Input Capture" }, { "id": "T1082", "name": "System Information Discovery", "display_name": "T1082 - System Information Discovery" }, { "id": "T1112", "name": "Modify Registry", "display_name": "T1112 - Modify Registry" }, { "id": "T1119", "name": "Automated Collection", "display_name": "T1119 - Automated Collection" }, { "id": "T1129", "name": "Shared Modules", "display_name": "T1129 - Shared Modules" }, { "id": "T1143", "name": "Hidden Window", "display_name": "T1143 - Hidden Window" }, { "id": "T1071", "name": "Application Layer Protocol", "display_name": "T1071 - Application Layer Protocol" }, { "id": "T1095", "name": "Non-Application Layer Protocol", "display_name": "T1095 - Non-Application Layer Protocol" }, { "id": "T1105", "name": "Ingress Tool Transfer", "display_name": "T1105 - Ingress Tool Transfer" }, { "id": "T1571", "name": "Non-Standard Port", "display_name": "T1571 - Non-Standard Port" }, { "id": "T1573", "name": "Encrypted Channel", "display_name": "T1573 - Encrypted Channel" } ], "industries": [ "Hospitality", "Financial", "Healthcare" ], "TLP": "white", "cloned_from": null, "export_count": 26, "upvotes_count": 0, "downvotes_count": 0, "votes_count": 0, "locked": false, "pulse_source": "web", "validator_count": 0, "comment_count": 0, "follower_count": 0, "vote": 0, "author": { "username": "Q.Vashti", "id": "337942", "avatar_url": "https://otx.alienvault.com/assets/images/default-avatar.png", "is_subscribed": false, "is_following": false }, "indicator_type_counts": { "hostname": 1395, "URL": 4304, "CVE": 1, "domain": 694, "FileHash-SHA256": 1790, "FileHash-MD5": 183, "FileHash-SHA1": 103, "SSLCertFingerprint": 5 }, "indicator_count": 8475, "is_author": false, "is_subscribing": null, "subscriber_count": 139, "modified_text": "195 days ago ", "is_modified": true, "groups": [], "in_group": false, "threat_hunter_scannable": true, "threat_hunter_has_agents": 1, "related_indicator_type": "URL", "related_indicator_is_active": 1 }, { "id": "68ae5b9ef87646927a236b61", "name": "Privacy - Google Videos Search - Web Applications Stack Exchange = WannaCry", "description": "Description: dfir.blog - A blog about Digital Forensics & Incident Response\ndfir.blog\nDigital forensics, web browsers, visualizations, & open source tools.\n#monitoring #dod(?) #chinacache #crypt #ransom#infectedsystems", "modified": "2025-09-26T00:01:12.214000", "created": "2025-08-27T01:13:02.780000", "tags": [ "google", "mullvad browser", "value", "incognito mode", "mine", "unix time", "friday", "january", "does", "tor browser", "search", "show", "langchinese", "packing t1045", "t1045", "medium", "pe resource", "module load", "t1129", "service", "trojan", "copy", "dock", "write", "malware", "clock", "united", "passive dns", "urls", "next associated", "gmt cache", "ipv4 add", "pulse pulses", "files", "reverse dns", "win32", "title", "location united", "america flag", "america asn", "as15169 google", "dns resolutions", "domains top", "level", "unique tlds", "present aug", "china unknown", "creation date", "date", "domain", "ip address", "domain name", "expiration date", "status ok", "nanjing", "accept", "body", "div td", "td tr", "div div", "span span", "a li", "span p", "p div", "moved", "a domains", "open", "span", "uuupupu", "t1055", "process32nextw", "high", "windows", "high defense", "evasion", "delphi", "google gmail", "images sign", "advanced search", "solutions", "privacy", "store gmail", "delete delete", "report", "how search", "applying ai", "settings search", "advanced", "search search", "search help", "domainabuse", "showing", "hostname add", "url add", "http", "hostname", "files domain", "files related", "pulses none", "related tags", "read c", "tlsv1", "whitelisted", "port", "destination", "ascii text", "next", "encrypt", "script urls", "msie", "chrome", "bad gateway", "script domains", "present feb", "link", "meta", "digital", "language", "body doctype", "ghost", "present jun", "aaaa", "present jul", "present oct", "record value", "yara detections", "dock zone", "top source", "top destination", "source source", "filehash", "code", "error", "windows nt", "wow64", "slcc2", "media center", "execution", "persistence", "tulach", "brian sabey", "dod network", "orgtechref", "address range", "cidr", "network name", "allocation type", "whois server", "entity dnic", "handle", "whois lookup", "dod", "et trojan", "server header", "suspicious", "et info", "unknown", "virustotal", "specified", "download", "et", "please", "type size", "first seen", "loading", "python wheel", "dynamicloader", "intel", "ms windows", "pe32", "entries", "user agent", "powershell", "agent", "yara rule", "checks", "levelblue", "open threat", "observed dns", "query", "dns lookup", "msdos", "wannacry dns", "lookup", "wannacry", "worm", "explorer", "msil", "darkcomet", "ping", "tools", "capture", "hallrender", "dga domains", "unfurl sites", "honey net", "bot", "nxdomain", "potential-c2" ], "references": [ "Don\u2019t click! https://webapps.stackexchange.com/questions/172215/google-videos-search-sca-esv-query-parameter-possible-tracking | Infected systems", "DoD Network Information Center (DNIC)", "DoD Network Information Center disa.columbus.ns.mbx.arin-registrations@mail.mil [seen throughout}", "Python Wheel package", "https://www.google.com/search", "https://otx.alienvault.com/indicator/hostname/palantir.hosted-by-discourse.com", "https://otx.alienvault.com/indicator/hostname/palantir.hosted-by-discourse.com" ], "public": 1, "adversary": "", "targeted_countries": [ "United States of America" ], "malware_families": [ { "id": "Trojan:Win32/Magania.DSK!MTB", "display_name": "Trojan:Win32/Magania.DSK!MTB", "target": "/malware/Trojan:Win32/Magania.DSK!MTB" }, { "id": "Trojan:Win32/Zusy", "display_name": "Trojan:Win32/Zusy", "target": "/malware/Trojan:Win32/Zusy" }, { "id": "ET", "display_name": "ET", "target": null }, { "id": "a variant of Win32/Kryptik.DEOA", "display_name": "a variant of Win32/Kryptik.DEOA", "target": null }, { "id": "ALF:Exploit:Win32/gSharedInfoRef.A", "display_name": "ALF:Exploit:Win32/gSharedInfoRef.A", "target": null }, { "id": "Wannacry", "display_name": "Wannacry", "target": null } ], "attack_ids": [ { "id": "T1031", "name": "Modify Existing Service", "display_name": "T1031 - Modify Existing Service" }, { "id": "T1045", "name": "Software Packing", "display_name": "T1045 - Software Packing" }, { "id": "T1053", "name": "Scheduled Task/Job", "display_name": "T1053 - Scheduled Task/Job" }, { "id": "T1055", "name": "Process Injection", "display_name": "T1055 - Process Injection" }, { "id": "T1060", "name": "Registry Run Keys / Startup Folder", "display_name": "T1060 - Registry Run Keys / Startup Folder" }, { "id": "T1129", "name": "Shared Modules", "display_name": "T1129 - Shared Modules" }, { "id": "T1143", "name": "Hidden Window", "display_name": "T1143 - Hidden Window" }, { "id": "T1057", "name": "Process Discovery", "display_name": "T1057 - Process Discovery" }, { "id": "T1082", "name": "System Information Discovery", "display_name": "T1082 - System Information Discovery" }, { "id": "T1112", "name": "Modify Registry", "display_name": "T1112 - Modify Registry" }, { "id": "T1119", "name": "Automated Collection", "display_name": "T1119 - Automated Collection" }, { "id": "T1054", "name": "Indicator Blocking", "display_name": "T1054 - Indicator Blocking" }, { "id": "T1056", "name": "Input Capture", "display_name": "T1056 - Input Capture" }, { "id": "T1089", "name": "Disabling Security Tools", "display_name": "T1089 - Disabling Security Tools" }, { "id": "T1158", "name": "Hidden Files and Directories", "display_name": "T1158 - Hidden Files and Directories" } ], "industries": [ "Telecommunications", "Technology", "Civilian" ], "TLP": "white", "cloned_from": null, "export_count": 40, "upvotes_count": 0, "downvotes_count": 0, "votes_count": 0, "locked": false, "pulse_source": "web", "validator_count": 0, "comment_count": 0, "follower_count": 0, "vote": 0, "author": { "username": "Q.Vashti", "id": "337942", "avatar_url": "https://otx.alienvault.com/assets/images/default-avatar.png", "is_subscribed": false, "is_following": false }, "indicator_type_counts": { "URL": 8221, "domain": 1216, "FileHash-SHA256": 2434, "FileHash-MD5": 296, "FileHash-SHA1": 155, "hostname": 2939, "email": 7, "SSLCertFingerprint": 8, "CIDR": 2 }, "indicator_count": 15278, "is_author": false, "is_subscribing": null, "subscriber_count": 140, "modified_text": "205 days ago ", "is_modified": true, "groups": [], "in_group": false, "threat_hunter_scannable": true, "threat_hunter_has_agents": 1, "related_indicator_type": "URL", "related_indicator_is_active": 1 }, { "id": "68accab3048f960c2012d8f3", "name": "Unruy Infected System | Safari browser Google Search = www2.megawebfind.com", "description": "Unruy affecting safari browser of a currently infected iOS system.\nDescription: The sca_esv parameter is a piece of data in the URL that's likely internal to Google's system for tracking. | \n(https://webapps.stackexchange.com/questions/172215/google-videos-search-sca-esv-query-parameter-possible-tracking | ( First time user, I can\u2019t vouch for the safety of website above.)", "modified": "2025-09-24T19:02:24.695000", "created": "2025-08-25T20:42:27.811000", "tags": [ "google search", "please click", "process32nextw", "read c", "united", "show", "entries", "shellexecuteexw", "medium", "module load", "t1129", "dock", "write", "suspicious", "malware", "unknown", "contacted", "ids detections", "forbidden yara", "detections", "domains", "unruy", "safari", "apple", "ios" ], "references": [ "https://www.google.com/search?client=safari&sca_esv= www2.megawebfind.com webfind. com \u2022 www6.mega www.google.com", "IDS Detections: Win32/Unruy.C Activity", "Alerts: network_icmp persistence_autorun antivm_vmware_in_instruction network_http", "Alerts: antisandbox_sleep creates_exe dropper stealth_window injection_process_search protection_rx", "Domains Contacted: www.microsoft.com www.bing.com www2.megawebdeals.com ocsp.pki.goog", "Domains Contacted: www.download.windowsupdate.com ifdnzact.com d38psrni17bvxu.cloudfront.net", "Domains Contacted: www.microsoft.com www.bing.com www2.megawebdeals.com ocsp.pki.goog www.download.windowsupdate.com ifdnzact.com d38psrni17bvxu.cloudfront.net www2.megawebfind.com www.google.com www6.megawebfind.com", "Domains Contacted: www2.megawebfind.com www.google.com www6.megawebfind.com", "The sca_esv parameter is a piece of data in the URL that's likely internal to Google's system for tracking, sorting, or customizing search results.", "A clients infected now former iOS device.", "https://webapps.stackexchange.com/questions/172215/google-videos-search-sca-esv-query-parameter-possible-tracking", "I can\u2019t vouch for the safety of website above. First time user.", "https://otx.alienvault.com/indicator/file/f3a939131ffaf473f8b1ffa0cd11d8cbce46f50dcc7e9fd2ff8404201ab5bc8e" ], "public": 1, "adversary": "", "targeted_countries": [ "United States of America" ], "malware_families": [ { "id": "Win.Malware.Unruy-6912804-0", "display_name": "Win.Malware.Unruy-6912804-0", "target": null } ], "attack_ids": [ { "id": "T1045", "name": "Software Packing", "display_name": "T1045 - Software Packing" }, { "id": "T1053", "name": "Scheduled Task/Job", "display_name": "T1053 - Scheduled Task/Job" }, { "id": "T1057", "name": "Process Discovery", "display_name": "T1057 - Process Discovery" }, { "id": "T1060", "name": "Registry Run Keys / Startup Folder", "display_name": "T1060 - Registry Run Keys / Startup Folder" }, { "id": "T1129", "name": "Shared Modules", "display_name": "T1129 - Shared Modules" }, { "id": "T1143", "name": "Hidden Window", "display_name": "T1143 - Hidden Window" }, { "id": "T1055", "name": "Process Injection", "display_name": "T1055 - Process Injection" }, { "id": "T1587.001", "name": "Malware", "display_name": "T1587.001 - Malware" }, { "id": "T1185", "name": "Man in the Browser", "display_name": "T1185 - Man in the Browser" }, { "id": "T1449", "name": "Exploit SS7 to Redirect Phone Calls/SMS", "display_name": "T1449 - Exploit SS7 to Redirect Phone Calls/SMS" }, { "id": "T1155", "name": "AppleScript", "display_name": "T1155 - AppleScript" } ], "industries": [ "Technology", "Telecommunications", "Civilian" ], "TLP": "white", "cloned_from": null, "export_count": 11, "upvotes_count": 0, "downvotes_count": 0, "votes_count": 0, "locked": false, "pulse_source": "web", "validator_count": 0, "comment_count": 0, "follower_count": 0, "vote": 0, "author": { "username": "Q.Vashti", "id": "337942", "avatar_url": "https://otx.alienvault.com/assets/images/default-avatar.png", "is_subscribed": false, "is_following": false }, "indicator_type_counts": { "FileHash-SHA256": 489, "FileHash-MD5": 105, "FileHash-SHA1": 101, "hostname": 297, "URL": 942, "SSLCertFingerprint": 1, "domain": 182 }, "indicator_count": 2117, "is_author": false, "is_subscribing": null, "subscriber_count": 139, "modified_text": "207 days ago ", "is_modified": true, "groups": [], "in_group": false, "threat_hunter_scannable": true, "threat_hunter_has_agents": 1, "related_indicator_type": "URL", "related_indicator_is_active": 1 }, { "id": "68a956460f257cf96c454071", "name": "Piracy \u2022 Cloudfront \u2022 Ransom \u2022 Code Overlaps \u2022 Unrelenting attacks.", "description": "Indie songwriter , publisher, promoter, producer & her artists affected by years long copyright infringement , hacking & reputation damage. Website now downed.\n\nBrashears had been involved in music under pseudonyms for decades as a was songwriter , ghostwriter, sold catalogs , charting singles, chops was sponsored. In this instance music was grossly pirated. Initially asked for hook rights then told hook would be used without her permission. Believed dispute resolved verbally + copyright.\n\nTsara learned from an insider/s her hook was pirated & used by artists listed. Modifications make songs pirated samples.\nBrashears song written in 2010 later vaulted in a private catalog later released by her artist. YouTube audio quality tampering on pirated song. \n\nBrashears loved music, not the industry as an artist; preferring business. Always held her privacy to remain unknown. Tsara lived 10 lives at once.\n\nLikely involves male who contacted her @ by email as mentioned in earlier pulse.\n#trulymissed", "modified": "2025-09-21T21:03:28.771000", "created": "2025-08-23T05:48:54.534000", "tags": [ "domains", "hashes", "passive dns", "urls", "url add", "http", "hostname", "files domain", "files related", "related tags", "a domains", "entries", "next associated", "files show", "date hash", "avast avg", "trojanspy", "entries http", "scans show", "search", "body", "body doctype", "dynamicloader", "medium", "reg add", "regsz d", "high", "windows", "audio drivers", "write c", "virtool", "copy", "write", "june", "united", "unknown ns", "samsara", "new york", "city ny", "ip address", "record value", "meta", "date", "music", "encrypt", "win32", "dangeroussig", "lowfi", "msie", "chrome", "precondition", "trojan", "title", "canada unknown", "unknown cname", "domain add", "files", "location united", "hostname add", "verdict", "domain", "files ip", "address", "asn as13335", "hash avast", "avg clamav", "msdefender feb", "learn", "ck id", "name tactics", "suspicious", "informative", "command", "adversaries", "spawns", "mitre att", "ck techniques", "file", "size", "ascii text", "pattern match", "august", "hybrid", "general", "path", "click", "strings", "roboto", "mozilla", "contact", "t1179 hooking", "installs", "t1035 service", "crlf line", "runtime process", "malicious", "unknown", "ssl certificate", "defense evasion", "amazon02", "americachicago", "windows nt", "win64", "khtml", "gecko", "veryhigh", "found", "geo menifee", "california", "as30148", "us note", "route", "ptr record", "information", "t1053", "taskjob", "t1055", "injection", "t1082", "t1112", "modify registry", "t1119", "t1129", "service", "capture", "url http", "url https", "type indicator", "role title", "added active", "related pulses", "showing", "ipv6", "ipv4", "dicator role", "title added", "active related", "sweden", "netherlands", "scan", "iocs", "learn more", "types of", "kingdom", "united kingdom", "denmark", "icator role", "malware attacks", "find encrypted", "t1021", "remote", "t1068", "ta0043", "t1016", "discovery", "t1221", "nobody love", "tori", "kelley", "dj khaled", "justin bieber", "sophos video", "x rack", "x frame", "october", "songculture", "song culture", "tsara brashears", "jess 4", "queryfoundry", "beyond sampling", "pirated", "youtube", "spotify", "twitter", "spy", "tracking" ], "references": [ "https://songculture.com/tsara-brashears-music | Cloudfront below was attached to body of work", "https://d3jjg4nf4bbybe.cloudfront.net/u/210425/397f80d871fe6dla1704cela4b712e387ed8a48a/large/kedence-out-of-my-sight", "\"Nobody Love\" Tori Kelley \"'m the One\" DJ Khaled ft Justin Bieber (Pirated Hook)", "8-25-220-162-static.reverse.queryfoundry.net", "http://117-114-251-162-static.reverse.queryfoundry.net/ - queryfoundry.net", "https://www.youtube.com/watch?v=bJWJbOqg9cM - Falsely flagged to demonetize and not rank", "Dr.Web violence/adult content (False) ThreatSeeker social web - youtube", "music.apple.com \u2022 linktr.ee \u2022 sentient.industries? samsara has been showing up often.", "There is money in the industry for well established , \u2018souled\u2019 out artists. It\u2019s a racket! T signed & exited early", "Worked at some studios attacked by Lazarus Group who allegedly attacked Sony Music", "I apologize if you don\u2019t like my background stories", "\u2018Passin\u2019 I deleted the pulses you asked me to. Your links were malicious. I haven\u2019t weaponize anything I\u2019ve learned... yet" ], "public": 1, "adversary": "", "targeted_countries": [ "United States of America" ], "malware_families": [ { "id": "Nivdort", "display_name": "Nivdort", "target": null }, { "id": "Virtool", "display_name": "Virtool", "target": null }, { "id": "Evo", "display_name": "Evo", "target": null }, { "id": "Trojanspy", "display_name": "Trojanspy", "target": null }, { "id": "Malware", "display_name": "Malware", "target": null }, { "id": "Emotet", "display_name": "Emotet", "target": null }, { "id": "TrojanSpy:Win32/Nivdort", "display_name": "TrojanSpy:Win32/Nivdort", "target": "/malware/TrojanSpy:Win32/Nivdort" }, { "id": "Ransom", "display_name": "Ransom", "target": null }, { "id": "Malware Gen", "display_name": "Malware Gen", "target": null } ], "attack_ids": [ { "id": "T1055", "name": "Process Injection", "display_name": "T1055 - Process Injection" }, { "id": "T1060", "name": "Registry Run Keys / Startup Folder", "display_name": "T1060 - Registry Run Keys / Startup Folder" }, { "id": "T1027", "name": "Obfuscated Files or Information", "display_name": "T1027 - Obfuscated Files or Information" }, { "id": "T1057", "name": "Process Discovery", "display_name": "T1057 - Process Discovery" }, { "id": "T1071", "name": "Application Layer Protocol", "display_name": "T1071 - Application Layer Protocol" }, { "id": "T1105", "name": "Ingress Tool Transfer", "display_name": "T1105 - Ingress Tool Transfer" }, { "id": "T1480", "name": "Execution Guardrails", "display_name": "T1480 - Execution Guardrails" }, { "id": "T1553", "name": "Subvert Trust Controls", "display_name": "T1553 - Subvert Trust Controls" }, { "id": "T1568", "name": "Dynamic Resolution", "display_name": "T1568 - Dynamic Resolution" }, { "id": "T1583", "name": "Acquire Infrastructure", "display_name": "T1583 - Acquire Infrastructure" }, { "id": "T1590", "name": "Gather Victim Network Information", "display_name": "T1590 - Gather Victim Network Information" }, { "id": "T1113", "name": "Screen Capture", "display_name": "T1113 - Screen Capture" }, { "id": "T1035", "name": "Service Execution", "display_name": "T1035 - Service Execution" }, { "id": "T1179", "name": "Hooking", "display_name": "T1179 - Hooking" }, { "id": "T1031", "name": "Modify Existing Service", "display_name": "T1031 - Modify Existing Service" }, { "id": "T1045", "name": "Software Packing", "display_name": "T1045 - Software Packing" }, { "id": "T1053", "name": "Scheduled Task/Job", "display_name": "T1053 - Scheduled Task/Job" }, { "id": "T1082", "name": "System Information Discovery", "display_name": "T1082 - System Information Discovery" }, { "id": "T1112", "name": "Modify Registry", "display_name": "T1112 - Modify Registry" }, { "id": "T1119", "name": "Automated Collection", "display_name": "T1119 - Automated Collection" }, { "id": "T1129", "name": "Shared Modules", "display_name": "T1129 - Shared Modules" }, { "id": "T1140", "name": "Deobfuscate/Decode Files or Information", "display_name": "T1140 - Deobfuscate/Decode Files or Information" }, { "id": "T1143", "name": "Hidden Window", "display_name": "T1143 - Hidden Window" }, { "id": "T1158", "name": "Hidden Files and Directories", "display_name": "T1158 - Hidden Files and Directories" }, { "id": "T1016", "name": "System Network Configuration Discovery", "display_name": "T1016 - System Network Configuration Discovery" }, { "id": "T1021", "name": "Remote Services", "display_name": "T1021 - Remote Services" }, { "id": "T1022", "name": "Data Encrypted", "display_name": "T1022 - Data Encrypted" }, { "id": "T1068", "name": "Exploitation for Privilege Escalation", "display_name": "T1068 - Exploitation for Privilege Escalation" }, { "id": "T1132", "name": "Data Encoding", "display_name": "T1132 - Data Encoding" }, { "id": "T1221", "name": "Template Injection", "display_name": "T1221 - Template Injection" }, { "id": "T1222", "name": "File and Directory Permissions Modification", "display_name": "T1222 - File and Directory Permissions Modification" }, { "id": "T1573", "name": "Encrypted Channel", "display_name": "T1573 - Encrypted Channel" }, { "id": "T1593.001", "name": "Social Media", "display_name": "T1593.001 - Social Media" }, { "id": "T1449", "name": "Exploit SS7 to Redirect Phone Calls/SMS", "display_name": "T1449 - Exploit SS7 to Redirect Phone Calls/SMS" }, { "id": "T1210", "name": "Exploitation of Remote Services", "display_name": "T1210 - Exploitation of Remote Services" }, { "id": "T1486", "name": "Data Encrypted for Impact", "display_name": "T1486 - Data Encrypted for Impact" }, { "id": "T1155", "name": "AppleScript", "display_name": "T1155 - AppleScript" } ], "industries": [ "Media", "Technology", "Telecommunications" ], "TLP": "green", "cloned_from": null, "export_count": 33, "upvotes_count": 0, "downvotes_count": 0, "votes_count": 0, "locked": false, "pulse_source": "web", "validator_count": 0, "comment_count": 0, "follower_count": 0, "vote": 0, "author": { "username": "Q.Vashti", "id": "337942", "avatar_url": "https://otx.alienvault.com/assets/images/default-avatar.png", "is_subscribed": false, "is_following": false }, "indicator_type_counts": { "URL": 1833, "hostname": 902, "domain": 386, "FileHash-MD5": 406, "FileHash-SHA1": 402, "FileHash-SHA256": 1437, "email": 2, "SSLCertFingerprint": 5, "CIDR": 2 }, "indicator_count": 5375, "is_author": false, "is_subscribing": null, "subscriber_count": 144, "modified_text": "209 days ago ", "is_modified": true, "groups": [], "in_group": false, "threat_hunter_scannable": true, "threat_hunter_has_agents": 1, "related_indicator_type": "URL", "related_indicator_is_active": 1 }, { "id": "689b9b9fab42ca4f016a226f", "name": "Elastic's Al-driven Endpoint Security - Red Team Malicious (moved?)", "description": "Endgame - Unruy Activity -System infection | (Moved) Endpoint security (MOVED) from Elastic\nElastic's Al-driven security analytics empowers you with comprehensive endpoint protection. Detect, investigate, and respond to threats faster with a single agent and unified console. Gain actionable insights for a proactive defense posture. All built on the Search\nAl platform.\n| Used maliciously against monitored non-criminal targets. |\n{ virus - https://universitycenter.uccs.edu/}\n#unruy #activity #monitored_target #red_team_malicious #trojan #worm #moved\n#ai #adversarial #custom_malware #ransom #crypt #guardrails #dns #cnc #evasive #domain_generation #remote_access #devices #remotewd #virus #custom_malware #rip #endgame \n\u2022 TrojanDropper\t\t\t\n\u2022 Win32:Evo-gen\t\u2022 Cassini\n\u2022 RansomX-gen\u2022 Zombie.A\n\u2022 win32:MalwareX-gen\t\u2022 Win32:Malware-gen \u2022 Nymeria\n\u2022 Forcud +", "modified": "2025-09-11T13:03:18.814000", "created": "2025-08-12T19:53:03.953000", "tags": [ "url http", "url https", "indicator role", "title added", "active related", "pulses url", "entries", "learn", "command", "ck id", "name tactics", "suspicious", "informative", "spawns", "mitre att", "ck techniques", "evasion att", "href", "copy md5", "copy sha1", "copy sha256", "sha1", "sha256", "show technique", "ck matrix", "null", "refresh", "body", "span", "general", "local", "path", "iframe", "click", "date", "strings", "error", "tools", "look", "verify", "restart", "united", "unknown ns", "ip address", "creation date", "search", "present sep", "moved", "domain add", "encrypt", "accept", "please", "passive dns", "msie", "next associated", "html", "background", "unknown site", "div div", "trojan", "zeus", "process32nextw", "read c", "show", "shellexecuteexw", "windows nt", "wow64", "copy", "dock", "write", "malware", "unknown", "defense evasion", "t1480 execution", "file defense", "august", "hybrid", "port", "destination", "tlsv1", "as15169", "ogoogle trust", "cngts ca", "execution", "next", "persistence", "data upload", "extraction", "win32", "ransom", "trojandropper", "mtb nov", "forcud", "files show", "date hash", "avast avg" ], "references": [], "public": 1, "adversary": "", "targeted_countries": [], "malware_families": [], "attack_ids": [ { "id": "T1027", "name": "Obfuscated Files or Information", "display_name": "T1027 - Obfuscated Files or Information" }, { "id": "T1057", "name": "Process Discovery", "display_name": "T1057 - Process Discovery" }, { "id": "T1071", "name": "Application Layer Protocol", "display_name": "T1071 - Application Layer Protocol" }, { "id": "T1105", "name": "Ingress Tool Transfer", "display_name": "T1105 - Ingress Tool Transfer" }, { "id": "T1480", "name": "Execution Guardrails", "display_name": "T1480 - Execution Guardrails" }, { "id": "T1568", "name": "Dynamic Resolution", "display_name": "T1568 - Dynamic Resolution" }, { "id": "T1045", "name": "Software Packing", "display_name": "T1045 - Software Packing" }, { "id": "T1053", "name": "Scheduled Task/Job", "display_name": "T1053 - Scheduled Task/Job" }, { "id": "T1060", "name": "Registry Run Keys / Startup Folder", "display_name": "T1060 - Registry Run Keys / Startup Folder" }, { "id": "T1129", "name": "Shared Modules", "display_name": "T1129 - Shared Modules" }, { "id": "T1143", "name": "Hidden Window", "display_name": "T1143 - Hidden Window" }, { "id": "T1055", "name": "Process Injection", "display_name": "T1055 - Process Injection" }, { "id": "T1082", "name": "System Information Discovery", "display_name": "T1082 - System Information Discovery" }, { "id": "T1112", "name": "Modify Registry", "display_name": "T1112 - Modify Registry" }, { "id": "T1119", "name": "Automated Collection", "display_name": "T1119 - Automated Collection" } ], "industries": [], "TLP": "green", "cloned_from": null, "export_count": 29, "upvotes_count": 0, "downvotes_count": 0, "votes_count": 0, "locked": false, "pulse_source": "web", "validator_count": 0, "comment_count": 0, "follower_count": 0, "vote": 0, "author": { "username": "Q.Vashti", "id": "337942", "avatar_url": "https://otx.alienvault.com/assets/images/default-avatar.png", "is_subscribed": false, "is_following": false }, "indicator_type_counts": { "URL": 4179, "domain": 774, "hostname": 1673, "FileHash-MD5": 169, "FileHash-SHA1": 110, "FileHash-SHA256": 2073, "email": 1, "SSLCertFingerprint": 13, "CVE": 1 }, "indicator_count": 8993, "is_author": false, "is_subscribing": null, "subscriber_count": 139, "modified_text": "220 days ago ", "is_modified": true, "groups": [], "in_group": false, "threat_hunter_scannable": true, "threat_hunter_has_agents": 1, "related_indicator_type": "URL", "related_indicator_is_active": 1 }, { "id": "689af6a1704fa2745bc8c2a3", "name": "Hijacked Twitter / X.com account. Phishing | Abnormal use", "description": "Hijacked phishing Twitter/ X.com.\nWin32/Unruy.C Activity\n#phishing #hijacked #intercoms #unruy #trojan #VTflood #malware #attack", "modified": "2025-09-11T08:02:36.759000", "created": "2025-08-12T08:09:05.642000", "tags": [ "log id", "gmtn", "secure", "tls web", "passive dns", "urls", "path", "self", "encrypt", "ca issuers", "false", "search", "read c", "united", "entries", "show", "showing", "msie", "windows nt", "wow64", "slcc2", "copy", "write", "suspicious", "malware", "unknown", "process32nextw", "shellexecuteexw", "medium process", "discovery t1057", "t1057", "discovery", "medium", "locally unique", "identifier", "veailmboprd", "next associated", "ipv4 add", "pulse pulses", "files", "asn as13335", "dns resolutions", "domains top", "smoke loader", "trojan", "body", "learn", "ck id", "name tactics", "informative", "adversaries", "command", "spawns", "ssl certificate", "execution att", "show process", "programfiles", "command decode", "flag", "suricata ipv4", "mitre att", "show technique", "ck matrix", "date", "comspec", "model", "twitter", "august", "hybrid", "general", "click", "strings" ], "references": [], "public": 1, "adversary": "", "targeted_countries": [], "malware_families": [], "attack_ids": [ { "id": "T1053", "name": "Scheduled Task/Job", "display_name": "T1053 - Scheduled Task/Job" }, { "id": "T1057", "name": "Process Discovery", "display_name": "T1057 - Process Discovery" }, { "id": "T1060", "name": "Registry Run Keys / Startup Folder", "display_name": "T1060 - Registry Run Keys / Startup Folder" }, { "id": "T1129", "name": "Shared Modules", "display_name": "T1129 - Shared Modules" }, { "id": "T1143", "name": "Hidden Window", "display_name": "T1143 - Hidden Window" }, { "id": "T1045", "name": "Software Packing", "display_name": "T1045 - Software Packing" }, { "id": "T1027", "name": "Obfuscated Files or Information", "display_name": "T1027 - Obfuscated Files or Information" }, { "id": "T1071", "name": "Application Layer Protocol", "display_name": "T1071 - Application Layer Protocol" }, { "id": "T1105", "name": "Ingress Tool Transfer", "display_name": "T1105 - Ingress Tool Transfer" }, { "id": "T1480", "name": "Execution Guardrails", "display_name": "T1480 - Execution Guardrails" }, { "id": "T1518", "name": "Software Discovery", "display_name": "T1518 - Software Discovery" }, { "id": "T1553", "name": "Subvert Trust Controls", "display_name": "T1553 - Subvert Trust Controls" }, { "id": "T1568", "name": "Dynamic Resolution", "display_name": "T1568 - Dynamic Resolution" }, { "id": "T1583", "name": "Acquire Infrastructure", "display_name": "T1583 - Acquire Infrastructure" } ], "industries": [], "TLP": "green", "cloned_from": null, "export_count": 31, "upvotes_count": 0, "downvotes_count": 0, "votes_count": 0, "locked": false, "pulse_source": "web", "validator_count": 0, "comment_count": 0, "follower_count": 0, "vote": 0, "author": { "username": "Q.Vashti", "id": "337942", "avatar_url": "https://otx.alienvault.com/assets/images/default-avatar.png", "is_subscribed": false, "is_following": false }, "indicator_type_counts": { "URL": 1504, "FileHash-SHA256": 1232, "SSLCertFingerprint": 14, "domain": 245, "hostname": 526, "FileHash-MD5": 43, "FileHash-SHA1": 38 }, "indicator_count": 3602, "is_author": false, "is_subscribing": null, "subscriber_count": 138, "modified_text": "220 days ago ", "is_modified": true, "groups": [], "in_group": false, "threat_hunter_scannable": true, "threat_hunter_has_agents": 1, "related_indicator_type": "URL", "related_indicator_is_active": 1 }, { "id": "68930449988277cd29c25cb7", "name": "https://firebase.google.com/ - Ransom \u2022 Wiper\u2022 Trojan dropper", "description": "", "modified": "2025-09-05T07:00:00.711000", "created": "2025-08-06T07:29:13.136000", "tags": [ "url https", "iocs", "learn more", "ipv4", "domain", "hostname", "types of", "sweden", "united", "belgium", "indicator role", "title added", "active related", "pulses hostname", "showing", "document file", "v2 document", "search", "medium", "ms windows", "vista event", "port", "msie", "windows nt", "wow64", "dirty", "write", "powershell", "copy", "next", "defender", "dynamicloader", "high", "fwlink", "windows", "cmd c", "alerts", "bios", "related pulses", "pulses", "related tags", "file type", "ascii text", "sha256", "external", "virustotal api", "screenshots", "june", "flag", "usa windows", "input threat", "level analysis", "summary", "gbrflag", "learn", "command", "ck id", "name tactics", "suspicious", "informative", "adversaries", "spawns", "ssl certificate", "defense evasion", "sha1", "copy md5", "copy sha1", "copy sha256", "size", "mitre att", "date", "path", "format", "august", "hybrid", "local", "form", "click", "strings", "ubar", "truetype", "web open", "font format", "description web", "general", "iframe", "slcc2", "media center", "destination", "tlsv1", "unknown", "execution", "dock", "persistence", "malware", "encrypt", "ck techniques", "read c", "show", "entries", "delete", "data upload", "extraction", "onlv", "find", "type", "no matching", "indicator", "mtb may", "trojandropper", "passive dns", "next associated", "lowfi", "gmt cache", "sameorigin", "ipv4 add", "trojan", "mtb apr", "files show", "date hash", "avast avg", "shellterlod may", "win32qqpass apr", "trojanspy", "ransom", "wiper", "date checked", "url hostname", "server response", "ip address", "google safe", "results aug", "urls show", "hookwowlow may" ], "references": [], "public": 1, "adversary": "", "targeted_countries": [], "malware_families": [], "attack_ids": [ { "id": "T1119", "name": "Automated Collection", "display_name": "T1119 - Automated Collection" }, { "id": "T1027", "name": "Obfuscated Files or Information", "display_name": "T1027 - Obfuscated Files or Information" }, { "id": "T1057", "name": "Process Discovery", "display_name": "T1057 - Process Discovery" }, { "id": "T1071", "name": "Application Layer Protocol", "display_name": "T1071 - Application Layer Protocol" }, { "id": "T1105", "name": "Ingress Tool Transfer", "display_name": "T1105 - Ingress Tool Transfer" }, { "id": "T1480", "name": "Execution Guardrails", "display_name": "T1480 - Execution Guardrails" }, { "id": "T1553", "name": "Subvert Trust Controls", "display_name": "T1553 - Subvert Trust Controls" }, { "id": "T1568", "name": "Dynamic Resolution", "display_name": "T1568 - Dynamic Resolution" }, { "id": "T1583", "name": "Acquire Infrastructure", "display_name": "T1583 - Acquire Infrastructure" }, { "id": "T1562", "name": "Impair Defenses", "display_name": "T1562 - Impair Defenses" }, { "id": "T1053", "name": "Scheduled Task/Job", "display_name": "T1053 - Scheduled Task/Job" }, { "id": "T1055", "name": "Process Injection", "display_name": "T1055 - Process Injection" }, { "id": "T1082", "name": "System Information Discovery", "display_name": "T1082 - System Information Discovery" }, { "id": "T1112", "name": "Modify Registry", "display_name": "T1112 - Modify Registry" }, { "id": "T1129", "name": "Shared Modules", "display_name": "T1129 - Shared Modules" }, { "id": "T1143", "name": "Hidden Window", "display_name": "T1143 - Hidden Window" }, { "id": "T1023", "name": "Shortcut Modification", "display_name": "T1023 - Shortcut Modification" }, { "id": "T1060", "name": "Registry Run Keys / Startup Folder", "display_name": "T1060 - Registry Run Keys / Startup Folder" }, { "id": "T1204", "name": "User Execution", "display_name": "T1204 - User Execution" } ], "industries": [], "TLP": "green", "cloned_from": "6893032410060f658d862c60", "export_count": 22, "upvotes_count": 0, "downvotes_count": 0, "votes_count": 0, "locked": false, "pulse_source": "web", "validator_count": 0, "comment_count": 0, "follower_count": 0, "vote": 0, "author": { "username": "Q.Vashti", "id": "337942", "avatar_url": "https://otx.alienvault.com/assets/images/default-avatar.png", "is_subscribed": false, "is_following": false }, "indicator_type_counts": { "URL": 4593, "hostname": 1754, "domain": 399, "FileHash-SHA256": 2128, "FileHash-MD5": 426, "FileHash-SHA1": 299, "SSLCertFingerprint": 17 }, "indicator_count": 9616, "is_author": false, "is_subscribing": null, "subscriber_count": 140, "modified_text": "226 days ago ", "is_modified": true, "groups": [], "in_group": false, "threat_hunter_scannable": true, "threat_hunter_has_agents": 1, "related_indicator_type": "URL", "related_indicator_is_active": 1 }, { "id": "6893032410060f658d862c60", "name": "Hosting App - Partial research | Emotet Worm", "description": "#firebase #google #dark_web_hosting #ransom #tracking #locate #monitored_targets #worm #emotet #malware #remoted_devices #trojan #reputation\n\n\u2022 Targets likely unaware.\n\n[m.pornsexer.xxx.3.1.adiosfil.roksit.net - reputation tool]", "modified": "2025-09-05T07:00:00.711000", "created": "2025-08-06T07:24:20.645000", "tags": [ "url https", "iocs", "learn more", "ipv4", "domain", "hostname", "types of", "sweden", "united", "belgium", "indicator role", "title added", "active related", "pulses hostname", "showing", "document file", "v2 document", "search", "medium", "ms windows", "vista event", "port", "msie", "windows nt", "wow64", "dirty", "write", "powershell", "copy", "next", "defender", "dynamicloader", "high", "fwlink", "windows", "cmd c", "alerts", "bios", "related pulses", "pulses", "related tags", "file type", "ascii text", "sha256", "external", "virustotal api", "screenshots", "june", "flag", "usa windows", "input threat", "level analysis", "summary", "gbrflag", "learn", "command", "ck id", "name tactics", "suspicious", "informative", "adversaries", "spawns", "ssl certificate", "defense evasion", "sha1", "copy md5", "copy sha1", "copy sha256", "size", "mitre att", "date", "path", "format", "august", "hybrid", "local", "form", "click", "strings", "ubar", "truetype", "web open", "font format", "description web", "general", "iframe", "slcc2", "media center", "destination", "tlsv1", "unknown", "execution", "dock", "persistence", "malware", "encrypt", "ck techniques", "read c", "show", "entries", "delete", "data upload", "extraction", "onlv", "find", "type", "no matching", "indicator", "mtb may", "trojandropper", "passive dns", "next associated", "lowfi", "gmt cache", "sameorigin", "ipv4 add", "trojan", "mtb apr", "files show", "date hash", "avast avg", "shellterlod may", "win32qqpass apr", "trojanspy", "ransom", "wiper", "date checked", "url hostname", "server response", "ip address", "google safe", "results aug", "urls show", "hookwowlow may" ], "references": [], "public": 1, "adversary": "", "targeted_countries": [], "malware_families": [], "attack_ids": [ { "id": "T1119", "name": "Automated Collection", "display_name": "T1119 - Automated Collection" }, { "id": "T1027", "name": "Obfuscated Files or Information", "display_name": "T1027 - Obfuscated Files or Information" }, { "id": "T1057", "name": "Process Discovery", "display_name": "T1057 - Process Discovery" }, { "id": "T1071", "name": "Application Layer Protocol", "display_name": "T1071 - Application Layer Protocol" }, { "id": "T1105", "name": "Ingress Tool Transfer", "display_name": "T1105 - Ingress Tool Transfer" }, { "id": "T1480", "name": "Execution Guardrails", "display_name": "T1480 - Execution Guardrails" }, { "id": "T1553", "name": "Subvert Trust Controls", "display_name": "T1553 - Subvert Trust Controls" }, { "id": "T1568", "name": "Dynamic Resolution", "display_name": "T1568 - Dynamic Resolution" }, { "id": "T1583", "name": "Acquire Infrastructure", "display_name": "T1583 - Acquire Infrastructure" }, { "id": "T1562", "name": "Impair Defenses", "display_name": "T1562 - Impair Defenses" }, { "id": "T1053", "name": "Scheduled Task/Job", "display_name": "T1053 - Scheduled Task/Job" }, { "id": "T1055", "name": "Process Injection", "display_name": "T1055 - Process Injection" }, { "id": "T1082", "name": "System Information Discovery", "display_name": "T1082 - System Information Discovery" }, { "id": "T1112", "name": "Modify Registry", "display_name": "T1112 - Modify Registry" }, { "id": "T1129", "name": "Shared Modules", "display_name": "T1129 - Shared Modules" }, { "id": "T1143", "name": "Hidden Window", "display_name": "T1143 - Hidden Window" }, { "id": "T1023", "name": "Shortcut Modification", "display_name": "T1023 - Shortcut Modification" }, { "id": "T1060", "name": "Registry Run Keys / Startup Folder", "display_name": "T1060 - Registry Run Keys / Startup Folder" }, { "id": "T1204", "name": "User Execution", "display_name": "T1204 - User Execution" } ], "industries": [], "TLP": "green", "cloned_from": null, "export_count": 22, "upvotes_count": 0, "downvotes_count": 0, "votes_count": 0, "locked": false, "pulse_source": "web", "validator_count": 0, "comment_count": 0, "follower_count": 0, "vote": 0, "author": { "username": "Q.Vashti", "id": "337942", "avatar_url": "https://otx.alienvault.com/assets/images/default-avatar.png", "is_subscribed": false, "is_following": false }, "indicator_type_counts": { "URL": 4593, "hostname": 1754, "domain": 399, "FileHash-SHA256": 2128, "FileHash-MD5": 426, "FileHash-SHA1": 299, "SSLCertFingerprint": 17 }, "indicator_count": 9616, "is_author": false, "is_subscribing": null, "subscriber_count": 139, "modified_text": "226 days ago ", "is_modified": true, "groups": [], "in_group": false, "threat_hunter_scannable": true, "threat_hunter_has_agents": 1, "related_indicator_type": "URL", "related_indicator_is_active": 1 }, { "id": "688c8526be7a4df33863b5c5", "name": "VirusTotal - Shiz.ivr", "description": "*Win.Trojan.Shiz.ivr\n*PWS:Win32/Simda.D\n*virtool #injection#infostealer #network #cnc #block_not #virustotal_google #cnc #checking #procmem_yara\n#injection_inter_process\n#injection_create_remote_thread\n#antidebug_windows\n#multiple_useragents\n#network_fake_useragent\n#persistence_autorun\n#cape_detected_threat\n#antiav_detectfile\n#modify_proxy\n#deletes_self\n#infostealer_cookies\n#injection_createremotethread\n#suricata_alert\n~ vashti", "modified": "2025-08-31T08:01:04.297000", "created": "2025-08-01T09:13:10.510000", "tags": [ "dynamicloader", "unknown", "msie", "windows nt", "slcc2", "media center", "suspicious", "search", "high", "show", "copy", "possible", "write", "internal", "malware", "push", "local", "next", "contacted", "domains", "pulses", "related tags", "file type", "date april", "pm size", "sha1 sha256", "imphash pehash", "virustotal api", "bq jul", "united", "trojan", "backdoor", "virtool", "cnc beacon", "entries", "path max", "passive dns", "next associated", "cookie", "twitter", "body", "date", "medium", "simda", "global" ], "references": [], "public": 1, "adversary": "", "targeted_countries": [], "malware_families": [], "attack_ids": [ { "id": "T1055", "name": "Process Injection", "display_name": "T1055 - Process Injection" }, { "id": "T1057", "name": "Process Discovery", "display_name": "T1057 - Process Discovery" }, { "id": "T1060", "name": "Registry Run Keys / Startup Folder", "display_name": "T1060 - Registry Run Keys / Startup Folder" }, { "id": "T1063", "name": "Security Software Discovery", "display_name": "T1063 - Security Software Discovery" }, { "id": "T1045", "name": "Software Packing", "display_name": "T1045 - Software Packing" }, { "id": "T1119", "name": "Automated Collection", "display_name": "T1119 - Automated Collection" } ], "industries": [], "TLP": "green", "cloned_from": null, "export_count": 17, "upvotes_count": 0, "downvotes_count": 0, "votes_count": 0, "locked": false, "pulse_source": "web", "validator_count": 0, "comment_count": 0, "follower_count": 0, "vote": 0, "author": { "username": "Q.Vashti", "id": "337942", "avatar_url": "https://otx.alienvault.com/assets/images/default-avatar.png", "is_subscribed": false, "is_following": false }, "indicator_type_counts": { "URL": 10303, "hostname": 1413, "FileHash-SHA256": 1868, "domain": 1877, "FileHash-MD5": 357, "FileHash-SHA1": 348, "SSLCertFingerprint": 2 }, "indicator_count": 16168, "is_author": false, "is_subscribing": null, "subscriber_count": 145, "modified_text": "231 days ago ", "is_modified": true, "groups": [], "in_group": false, "threat_hunter_scannable": true, "threat_hunter_has_agents": 1, "related_indicator_type": "URL", "related_indicator_is_active": 1 }, { "id": "68858e8244c8db854e8947c1", "name": "Goodreads Malware", "description": "Goodreads is an older book review website. I found Goodreads[.]com links botnet joining Pulse. Just curious. #goodreads #malware #goodreads_botnet_join #thismightbeabotnet\n#gogray #purpleteamit #malware \n#thismightbeabotnet #ineedtolearnmore", "modified": "2025-08-26T01:03:19.405000", "created": "2025-07-27T02:27:14.517000", "tags": [ "passive dns", "urls", "url add", "pulse pulses", "http", "ip address", "related nids", "files location", "united", "flag united", "present jun", "present may", "present apr", "search", "moved", "creation date", "record value", "date", "body", "meta", "indicator role", "title added", "active related", "pulses url", "memcommit", "value1", "partnerid4146", "username", "gamesessionid", "port", "destination", "regsetvalueexa", "mozilla", "write", "persistence", "execution", "malware", "copy", "next", "process32nextw", "show", "entries", "module load", "t1129", "intel", "ms windows", "showing", "t1045", "win32", "learn", "ck id", "name tactics", "suspicious", "informative", "command", "spawns", "mitre att", "ck techniques", "evasion att", "sha1", "copy md5", "copy sha1", "copy sha256", "sha256", "size", "pattern match", "ascii text", "null", "error", "starfield", "click", "hybrid", "local", "path", "strings", "refresh", "tools", "onload", "span", "smbds ipc", "ms17010", "msf style", "probe ms17010", "generic flags", "yara detections", "nrv2x", "upxoepplace" ], "references": [], "public": 1, "adversary": "", "targeted_countries": [], "malware_families": [], "attack_ids": [ { "id": "T1040", "name": "Network Sniffing", "display_name": "T1040 - Network Sniffing" }, { "id": "T1047", "name": "Windows Management Instrumentation", "display_name": "T1047 - Windows Management Instrumentation" }, { "id": "T1060", "name": "Registry Run Keys / Startup Folder", "display_name": "T1060 - Registry Run Keys / Startup Folder" }, { "id": "T1071", "name": "Application Layer Protocol", "display_name": "T1071 - Application Layer Protocol" }, { "id": "T1082", "name": "System Information Discovery", "display_name": "T1082 - System Information Discovery" }, { "id": "T1112", "name": "Modify Registry", "display_name": "T1112 - Modify Registry" }, { "id": "T1129", "name": "Shared Modules", "display_name": "T1129 - Shared Modules" }, { "id": "T1045", "name": "Software Packing", "display_name": "T1045 - Software Packing" }, { "id": "T1053", "name": "Scheduled Task/Job", "display_name": "T1053 - Scheduled Task/Job" }, { "id": "T1057", "name": "Process Discovery", "display_name": "T1057 - Process Discovery" }, { "id": "T1105", "name": "Ingress Tool Transfer", "display_name": "T1105 - Ingress Tool Transfer" }, { "id": "T1480", "name": "Execution Guardrails", "display_name": "T1480 - Execution Guardrails" }, { "id": "T1553", "name": "Subvert Trust Controls", "display_name": "T1553 - Subvert Trust Controls" } ], "industries": [], "TLP": "green", "cloned_from": null, "export_count": 22, "upvotes_count": 0, "downvotes_count": 0, "votes_count": 0, "locked": false, "pulse_source": "web", "validator_count": 0, "comment_count": 0, "follower_count": 0, "vote": 0, "author": { "username": "Q.Vashti", "id": "337942", "avatar_url": "https://otx.alienvault.com/assets/images/default-avatar.png", "is_subscribed": false, "is_following": false }, "indicator_type_counts": { "FileHash-MD5": 155, "hostname": 1237, "FileHash-SHA256": 1141, "domain": 574, "URL": 4593, "FileHash-SHA1": 139, "email": 1, "SSLCertFingerprint": 8 }, "indicator_count": 7848, "is_author": false, "is_subscribing": null, "subscriber_count": 140, "modified_text": "236 days ago ", "is_modified": true, "groups": [], "in_group": false, "threat_hunter_scannable": true, "threat_hunter_has_agents": 1, "related_indicator_type": "URL", "related_indicator_is_active": 1 }, { "id": "687d30048b95aaba628a5ee7", "name": "Working on it\u2026\u2026", "description": "\u2022 Observed Cloudflare DNS over HTTPS Domain (cloudflare-dns .com in TLS SNI)\n(onyx-ware.com)\nNS1.ENDGAME.COM\n(endgames.us)\nNS1.ENDGAME.COM\n#deadmau5 #janskyofficial #idk #soundcloud", "modified": "2025-08-19T17:00:59.379000", "created": "2025-07-20T18:05:56.587000", "tags": [ "dynamicloader", "united", "as15169", "medium", "search", "show", "write c", "whitelisted", "brazil as396982", "high", "themida", "write", "delphi", "copy", "upatre", "encrypt", "june", "win32", "malware", "win64", "windows nt", "directui", "element", "classinfobase", "value", "hwndhost", "sapeav12", "delete c", "worm", "explorer", "insert", "movie", "alerts", "windows", "installs", "filehash", "sha256 add", "pulse pulses", "av detections", "ids detections", "passive dns", "urls", "http", "ip address", "related nids", "files location", "spain flag", "spain domain", "files related", "spain", "entries", "next associated", "meta name", "frame src", "ok set", "cookie", "gmt date", "gmt content", "filehashsha256", "type indicator", "role title", "added active", "related pulses", "url http", "filehashmd5", "showing", "url https", "indicator role", "title added", "active related", "iocs", "learn more", "filehashsha1", "types of", "united kingdom", "t1053", "taskjob", "t1055", "injection", "t1082", "t1119", "t1129", "modules", "t1143", "soundcloud", "created", "hour ago", "facebook", "twitter", "victims website", "youtube", "jansky", "trojandropper", "pulses url" ], "references": [], "public": 1, "adversary": "", "targeted_countries": [], "malware_families": [], "attack_ids": [ { "id": "T1045", "name": "Software Packing", "display_name": "T1045 - Software Packing" }, { "id": "T1057", "name": "Process Discovery", "display_name": "T1057 - Process Discovery" }, { "id": "T1060", "name": "Registry Run Keys / Startup Folder", "display_name": "T1060 - Registry Run Keys / Startup Folder" }, { "id": "T1053", "name": "Scheduled Task/Job", "display_name": "T1053 - Scheduled Task/Job" }, { "id": "T1055", "name": "Process Injection", "display_name": "T1055 - Process Injection" }, { "id": "T1082", "name": "System Information Discovery", "display_name": "T1082 - System Information Discovery" }, { "id": "T1119", "name": "Automated Collection", "display_name": "T1119 - Automated Collection" }, { "id": "T1129", "name": "Shared Modules", "display_name": "T1129 - Shared Modules" }, { "id": "T1143", "name": "Hidden Window", "display_name": "T1143 - Hidden Window" } ], "industries": [], "TLP": "green", "cloned_from": null, "export_count": 17, "upvotes_count": 0, "downvotes_count": 0, "votes_count": 0, "locked": false, "pulse_source": "web", "validator_count": 0, "comment_count": 0, "follower_count": 0, "vote": 0, "author": { "username": "Q.Vashti", "id": "337942", "avatar_url": "https://otx.alienvault.com/assets/images/default-avatar.png", "is_subscribed": false, "is_following": false }, "indicator_type_counts": { "URL": 2012, "FileHash-MD5": 140, "FileHash-SHA1": 129, "FileHash-SHA256": 1348, "SSLCertFingerprint": 3, "domain": 288, "hostname": 812 }, "indicator_count": 4732, "is_author": false, "is_subscribing": null, "subscriber_count": 138, "modified_text": "243 days ago ", "is_modified": true, "groups": [], "in_group": false, "threat_hunter_scannable": true, "threat_hunter_has_agents": 1, "related_indicator_type": "URL", "related_indicator_is_active": 1 }, { "id": "657099d8a0c84c2c55585e88", "name": "iOS 16.5 Beta 3 - Security-sysdiagnose v2 vt graph", "description": "", "modified": "2023-12-06T15:57:12.220000", "created": "2023-12-06T15:57:12.220000", "tags": [], "references": [], "public": 1, "adversary": "", "targeted_countries": [], "malware_families": [], "attack_ids": [], "industries": [], "TLP": "green", "cloned_from": null, "export_count": 3, "upvotes_count": 0, "downvotes_count": 0, "votes_count": 0, "locked": false, "pulse_source": "api", "validator_count": 0, "comment_count": 0, "follower_count": 0, "vote": 0, "author": { "username": "StreamMiningEx", "id": "262917", "avatar_url": "https://otx.alienvault.com/assets/images/default-avatar.png", "is_subscribed": false, "is_following": false }, "indicator_type_counts": { "CVE": 2, "FileHash-SHA256": 1094, "domain": 253, "hostname": 624, "URL": 1545, "FileHash-MD5": 59, "FileHash-SHA1": 79 }, "indicator_count": 3656, "is_author": false, "is_subscribing": null, "subscriber_count": 111, "modified_text": "865 days ago ", "is_modified": false, "groups": [], "in_group": false, "threat_hunter_scannable": true, "threat_hunter_has_agents": 1, "related_indicator_type": "URL", "related_indicator_is_active": 1 }, { "id": "654593cc8486ce8ed1254858", "name": "Apple iOS | Skynet", "description": "", "modified": "2023-12-03T12:00:16.446000", "created": "2023-11-04T00:43:56.830000", "tags": [], "references": [ "https://hybrid-analysis.com/sample/86479bf7c9a675913b93a0d399f5cbe0c0e8003239e93ae5e00f97cdbc5ec5ba", "Poemhunter.com", "iphone-track-service.info", "track-idevice-location.info", "http://45.159.189.105/bot/regex", "chat.pornhub.dev" ], "public": 1, "adversary": "", "targeted_countries": [ "United States of America" ], "malware_families": [], "attack_ids": [ { "id": "T1035", "name": "Service Execution", "display_name": "T1035 - Service Execution" }, { "id": "T1179", "name": "Hooking", "display_name": "T1179 - Hooking" } ], "industries": [], "TLP": "green", "cloned_from": "6544f195987ad886d609d965", "export_count": 17, "upvotes_count": 0, "downvotes_count": 0, "votes_count": 0, "locked": false, "pulse_source": "web", "validator_count": 0, "comment_count": 0, "follower_count": 0, "vote": 0, "author": { "username": "scoreblue", "id": "254100", "avatar_url": "/otxapi/users/avatar_image/media/avatars/user_254100/resized/80/avatar_3b9c358f36.png", "is_subscribed": false, "is_following": false }, "indicator_type_counts": { "FileHash-MD5": 124, "FileHash-SHA1": 117, "FileHash-SHA256": 2855, "domain": 686, "hostname": 1730, "URL": 5380, "email": 2, "CVE": 3 }, "indicator_count": 10897, "is_author": false, "is_subscribing": null, "subscriber_count": 224, "modified_text": "868 days ago ", "is_modified": true, "groups": [], "in_group": false, "threat_hunter_scannable": true, "threat_hunter_has_agents": 1, "related_indicator_type": "URL", "related_indicator_is_active": 1 }, { "id": "6544f195987ad886d609d965", "name": "Apple iOS | Skynet", "description": "PoemHunter.com\nAnti-Reverse Engineering Creates guarded memory regions (anti-debugging trick to avoid memory dumping)\ndetails , CNC\n tcp traffic, phishing, malicious, 24/7 tracking, monitoring, spyware, scanning host, malware host, command and control, adware, trojan, worm, apple iOS tracking, device location tracking, listening, information retrieval, malvertizing, BotNet service.", "modified": "2023-12-03T12:00:16.446000", "created": "2023-11-03T13:11:48.680000", "tags": [], "references": [ "https://hybrid-analysis.com/sample/86479bf7c9a675913b93a0d399f5cbe0c0e8003239e93ae5e00f97cdbc5ec5ba", "Poemhunter.com", "iphone-track-service.info", "track-idevice-location.info", "http://45.159.189.105/bot/regex", "chat.pornhub.dev" ], "public": 1, "adversary": "", "targeted_countries": [ "United States of America" ], "malware_families": [], "attack_ids": [ { "id": "T1035", "name": "Service Execution", "display_name": "T1035 - Service Execution" }, { "id": "T1179", "name": "Hooking", "display_name": "T1179 - Hooking" } ], "industries": [], "TLP": "green", "cloned_from": null, "export_count": 15, "upvotes_count": 0, "downvotes_count": 0, "votes_count": 0, "locked": false, "pulse_source": "web", "validator_count": 0, "comment_count": 0, "follower_count": 0, "vote": 0, "author": { "username": "OctoSeek", "id": "243548", "avatar_url": "/otxapi/users/avatar_image/media/avatars/user_243548/resized/80/avatar_3b9c358f36.png", "is_subscribed": false, "is_following": false }, "indicator_type_counts": { "FileHash-MD5": 124, "FileHash-SHA1": 117, "FileHash-SHA256": 2855, "domain": 686, "hostname": 1730, "URL": 5380, "email": 2, "CVE": 3 }, "indicator_count": 10897, "is_author": false, "is_subscribing": null, "subscriber_count": 219, "modified_text": "868 days ago ", "is_modified": true, "groups": [], "in_group": false, "threat_hunter_scannable": true, "threat_hunter_has_agents": 1, "related_indicator_type": "URL", "related_indicator_is_active": 1 }, { "id": "653f0382b35bbb50ddd70190", "name": "Vonteera PUA Installed", "description": "", "modified": "2023-11-28T12:02:42.639000", "created": "2023-10-30T01:14:42.967000", "tags": [ "sha1", "pehash", "highest f", "daily tn", "regsetvalueexa", "entries", "create tr", "search", "read c", "regdword", "noodle", "newsfeed", "malware", "copy", "write", "next", "win32", "tools", "vonteera", "useragent", "malware cve", "tls handshake", "failure", "vonteera pua", "malware install", "activity beacon", "http request", "less related", "pulses otx", "pulses", "shellexecuteexw", "delete tn", "onidle tn", "update", "scheduledscan", "dock", "nids", "united", "show", "crlf line", "unicode text", "lzma uwvs", "pj69l", "alerts" ], "references": [], "public": 1, "adversary": "", "targeted_countries": [], "malware_families": [ { "id": "NIDS", "display_name": "NIDS", "target": null } ], "attack_ids": [ { "id": "T1040", "name": "Network Sniffing", "display_name": "T1040 - Network Sniffing" }, { "id": "T1053", "name": "Scheduled Task/Job", "display_name": "T1053 - Scheduled Task/Job" }, { "id": "T1060", "name": "Registry Run Keys / Startup Folder", "display_name": "T1060 - Registry Run Keys / Startup Folder" }, { "id": "T1070", "name": "Indicator Removal on Host", "display_name": "T1070 - Indicator Removal on Host" }, { "id": "T1089", "name": "Disabling Security Tools", "display_name": "T1089 - Disabling Security Tools" }, { "id": "T1129", "name": "Shared Modules", "display_name": "T1129 - Shared Modules" }, { "id": "T1003", "name": "OS Credential Dumping", "display_name": "T1003 - OS Credential Dumping" }, { "id": "T1005", "name": "Data from Local System", "display_name": "T1005 - Data from Local System" }, { "id": "T1012", "name": "Query Registry", "display_name": "T1012 - Query Registry" }, { "id": "T1023", "name": "Shortcut Modification", "display_name": "T1023 - Shortcut Modification" }, { "id": "T1045", "name": "Software Packing", "display_name": "T1045 - Software Packing" }, { "id": "T1047", "name": "Windows Management Instrumentation", "display_name": "T1047 - Windows Management Instrumentation" }, { "id": "T1057", "name": "Process Discovery", "display_name": "T1057 - Process Discovery" }, { "id": "T1081", "name": "Credentials in Files", "display_name": "T1081 - Credentials in Files" }, { "id": "T1083", "name": "File and Directory Discovery", "display_name": "T1083 - File and Directory Discovery" }, { "id": "T1119", "name": "Automated Collection", "display_name": "T1119 - Automated Collection" }, { "id": "T1143", "name": "Hidden Window", "display_name": "T1143 - Hidden Window" }, { "id": "T1158", "name": "Hidden Files and Directories", "display_name": "T1158 - Hidden Files and Directories" }, { "id": "T1204", "name": "User Execution", "display_name": "T1204 - User Execution" }, { "id": "T1036", "name": "Masquerading", "display_name": "T1036 - Masquerading" }, { "id": "T1027", "name": "Obfuscated Files or Information", "display_name": "T1027 - Obfuscated Files or Information" }, { "id": "T1106", "name": "Native API", "display_name": "T1106 - Native API" } ], "industries": [], "TLP": "green", "cloned_from": "653e5c98b16bb2c8d16342f6", "export_count": 11, "upvotes_count": 0, "downvotes_count": 0, "votes_count": 0, "locked": false, "pulse_source": "web", "validator_count": 0, "comment_count": 0, "follower_count": 0, "vote": 0, "author": { "username": "OctoSeek", "id": "243548", "avatar_url": "/otxapi/users/avatar_image/media/avatars/user_243548/resized/80/avatar_3b9c358f36.png", "is_subscribed": false, "is_following": false }, "indicator_type_counts": { "FileHash-MD5": 236, "FileHash-SHA1": 214, "FileHash-SHA256": 1280, "hostname": 210, "URL": 395, "SSLCertFingerprint": 2, "domain": 58 }, "indicator_count": 2395, "is_author": false, "is_subscribing": null, "subscriber_count": 218, "modified_text": "873 days ago ", "is_modified": true, "groups": [], "in_group": false, "threat_hunter_scannable": true, "threat_hunter_has_agents": 1, "related_indicator_type": "URL", "related_indicator_is_active": 1 }, { "id": "653e5c98b16bb2c8d16342f6", "name": "Vonteera PUA Installed", "description": "*Win32:Evo-gen\\ [Susp]\n\n*LZMA\nUWVS|$D$tD$s$B\u0004D$x\u0001\u000fJ\u0002IL$l\u000fJ\u0001HD$h$\u000f2ED$`\u0003t$dD$\\\u0001D$X\u0001D$T\u0001D$P\u0001\u000fJ\u0001\u00036\u00079L$ts\u000eD$xf\u0004\u0002", "modified": "2023-11-28T12:02:42.639000", "created": "2023-10-29T13:22:32.074000", "tags": [ "sha1", "pehash", "highest f", "daily tn", "regsetvalueexa", "entries", "create tr", "search", "read c", "regdword", "noodle", "newsfeed", "malware", "copy", "write", "next", "win32", "tools", "vonteera", "useragent", "malware cve", "tls handshake", "failure", "vonteera pua", "malware install", "activity beacon", "http request", "less related", "pulses otx", "pulses", "shellexecuteexw", "delete tn", "onidle tn", "update", "scheduledscan", "dock", "nids", "united", "show", "crlf line", "unicode text", "lzma uwvs", "pj69l", "alerts" ], "references": [], "public": 1, "adversary": "", "targeted_countries": [], "malware_families": [ { "id": "NIDS", "display_name": "NIDS", "target": null } ], "attack_ids": [ { "id": "T1040", "name": "Network Sniffing", "display_name": "T1040 - Network Sniffing" }, { "id": "T1053", "name": "Scheduled Task/Job", "display_name": "T1053 - Scheduled Task/Job" }, { "id": "T1060", "name": "Registry Run Keys / Startup Folder", "display_name": "T1060 - Registry Run Keys / Startup Folder" }, { "id": "T1070", "name": "Indicator Removal on Host", "display_name": "T1070 - Indicator Removal on Host" }, { "id": "T1089", "name": "Disabling Security Tools", "display_name": "T1089 - Disabling Security Tools" }, { "id": "T1129", "name": "Shared Modules", "display_name": "T1129 - Shared Modules" }, { "id": "T1003", "name": "OS Credential Dumping", "display_name": "T1003 - OS Credential Dumping" }, { "id": "T1005", "name": "Data from Local System", "display_name": "T1005 - Data from Local System" }, { "id": "T1012", "name": "Query Registry", "display_name": "T1012 - Query Registry" }, { "id": "T1023", "name": "Shortcut Modification", "display_name": "T1023 - Shortcut Modification" }, { "id": "T1045", "name": "Software Packing", "display_name": "T1045 - Software Packing" }, { "id": "T1047", "name": "Windows Management Instrumentation", "display_name": "T1047 - Windows Management Instrumentation" }, { "id": "T1057", "name": "Process Discovery", "display_name": "T1057 - Process Discovery" }, { "id": "T1081", "name": "Credentials in Files", "display_name": "T1081 - Credentials in Files" }, { "id": "T1083", "name": "File and Directory Discovery", "display_name": "T1083 - File and Directory Discovery" }, { "id": "T1119", "name": "Automated Collection", "display_name": "T1119 - Automated Collection" }, { "id": "T1143", "name": "Hidden Window", "display_name": "T1143 - Hidden Window" }, { "id": "T1158", "name": "Hidden Files and Directories", "display_name": "T1158 - Hidden Files and Directories" }, { "id": "T1204", "name": "User Execution", "display_name": "T1204 - User Execution" }, { "id": "T1036", "name": "Masquerading", "display_name": "T1036 - Masquerading" }, { "id": "T1027", "name": "Obfuscated Files or Information", "display_name": "T1027 - Obfuscated Files or Information" }, { "id": "T1106", "name": "Native API", "display_name": "T1106 - Native API" } ], "industries": [], "TLP": "green", "cloned_from": null, "export_count": 13, "upvotes_count": 0, "downvotes_count": 0, "votes_count": 0, "locked": false, "pulse_source": "web", "validator_count": 0, "comment_count": 0, "follower_count": 0, "vote": 0, "author": { "username": "scoreblue", "id": "254100", "avatar_url": "/otxapi/users/avatar_image/media/avatars/user_254100/resized/80/avatar_3b9c358f36.png", "is_subscribed": false, "is_following": false }, "indicator_type_counts": { "FileHash-MD5": 236, "FileHash-SHA1": 214, "FileHash-SHA256": 1280, "hostname": 210, "URL": 395, "SSLCertFingerprint": 2, "domain": 58 }, "indicator_count": 2395, "is_author": false, "is_subscribing": null, "subscriber_count": 224, "modified_text": "873 days ago ", "is_modified": true, "groups": [], "in_group": false, "threat_hunter_scannable": true, "threat_hunter_has_agents": 1, "related_indicator_type": "URL", "related_indicator_is_active": 1 }, { "id": "64493d2d8f389a50446fe7a6", "name": "iOS 16.5 Beta 3 - Security-sysdiagnose v2 vt graph", "description": "prove me false positives are not the target of the bad guys", "modified": "2023-04-26T15:03:09.600000", "created": "2023-04-26T15:03:09.600000", "tags": [ "tlsfailureevent", "cktimeinterval", "cksuccess", "akerrorcode", "ckerrorcode", "akerrordomain", "aktimeinterval", "aksuccess", "akmatches", "forcesynckvs", "https://www.virustotal.com/graph/gec39ecdb2b6243d5818d40ed7191f1" ], "references": [ "CVE-2017-0147", "CVE-2017-11882 c887254bf98b3e6acbf3cd1869bdcbfb0f3abdc1168e2be8e04e93cbf6a48b9d", "https://www.virustotal.com/graph/gec39ecdb2b6243d5818d40ed7191f1d0840c1a86d34841a1b93a6d5fa9b956d2" ], "public": 1, "adversary": "", "targeted_countries": [], "malware_families": [], "attack_ids": [], "industries": [], "TLP": "white", "cloned_from": null, "export_count": 8, "upvotes_count": 0, "downvotes_count": 0, "votes_count": 0, "locked": false, "pulse_source": "web", "validator_count": 0, "comment_count": 0, "follower_count": 0, "vote": 0, "author": { "username": "callmeDoris", "id": "205385", "avatar_url": "https://otx.alienvault.com/assets/images/default-avatar.png", "is_subscribed": false, "is_following": false }, "indicator_type_counts": { "URL": 1545, "hostname": 624, "domain": 253, "FileHash-SHA256": 1094, "CVE": 2, "IPv4": 111, "FileHash-MD5": 59, "FileHash-SHA1": 79 }, "indicator_count": 3767, "is_author": false, "is_subscribing": null, "subscriber_count": 92, "modified_text": "1089 days ago ", "is_modified": false, "groups": [], "in_group": false, "threat_hunter_scannable": true, "threat_hunter_has_agents": 1, "related_indicator_type": "URL", "related_indicator_is_active": 1 } ], "references": [ "http://siteinlink.d1.cnbd.net/search/tsara-brashears-assaulted-by-jeffrey-reimer", "events.launchdarkly.com \u2022 clientstream.launchdarkly. \u2022 app.launchdarkly.com", "by Victor Sergeev, Daniil Yugoslavskiy, Gleb Sukhodolskiy, Timur Zinniatullin, oscd.community, Tim Shelton, frack113 (split)", "Alerts: physical_drive_access mouse_movement_detect dynamic_function_loading", "Containers-Pecorino.PalantirGov.com -pecorino.palantirgov.com", "https://www.sweetheartvideo.com/tsara-brashears/ \u2022 www.sweetheartvideo.com", "\u2018Passin\u2019 I deleted the pulses you asked me to. Your links were malicious. I haven\u2019t weaponize anything I\u2019ve learned... yet", "Malicious IP Contacted: 69.42.215.252", "https://open.spotify.com/intl-de/track/5KjB1j0u54VXg6M8SN8hH2", "www.onyx-ware.com \u2022 endgamesystems.com", "A \u2018Target\u2019 became a \u2018Target\u2019 vja close association to main Target of predatory retaliation campaign.", "142.250.74.142.250.74.138 _exploit_source | 142.250.74.138 _exploit_source | 142.250.74.142_exploit_source", "https://www.teslarati.com/wp-content/themes/teslarati-mag/map/", "NtProtectVirtualMemory@NTDLL.DLL", "https://hybrid-analysis.com/sample/ba5890ad431b894b0dfd6c9d3f3d6cbd7fedae1bd5a51483f54b22ba0209e3b8/6920be8a548209db740dd354", "Researched: https://hcpf.colorado.gov/", "https://passwords.google/?utm_medium=hpp&utm_source=google&utm_campaign=sid2023aunonenms", "https://otx.alienvault.com/indicator/hostname/palantir.hosted-by-discourse.com", "CBI - asked target to enter Gmail in a resource. Targets Gmail account disappeared", "nr-data.net \u2022 applemusic-spotlight.myunidays.com \u2022 init.ess.apple.com \u2022 tv.apple.com", "Female states title as \u2018intern\u2019 dropped false information at front desk of CBI. Claims target ID theft victim. True", "Provided documented evidence of appealed state issued plan and disclosed financials.", "Paid for plan long after entity put target on a state plan. Target audited for making too much money (framed)", "https://www.vgt.pl/css/ \u2022 https://www.vgt.pl/favicon.ico \u2022 https://www.vgt.pl/font/fa/fontawesome-webfont.eot", "http://www.happylifehappywife.com/2011/08/'> \u2022 http://www.happylifehappywife.com/2012/07/'>", "https://www.teslarati.com/tesla-model-3-crash-insight-60mph-collision/", "Alerts: dynamic_function_loading resumethread_remote_process stealth_hiddenreg", "https://webapps.stackexchange.com/questions/172215/google-videos-search-sca-esv-query-parameter-possible-tracking", "The sca_esv parameter is a piece of data in the URL that's likely internal to Google's system for tracking, sorting, or customizing search results.", "http://www.anyxxxtube.net/search-porn/tsara-brashears-denies-jeffrey-scott-reimer-sex\t| Truth", "https://www.vgt.pl/94.152.152.233/images/logo.png", "legal deductions, legitimate reasons for payment delays or denial, or potential issues that require legal", "CVE-2017-0147", "https://securityaffairs.com/181338/security/google-fixed-chrome-flaw-found-by-big-sleep-ai.html", "http://www.pcup.gov.ph/images/pdf/Contract_of_SecurityServices2013.pdf pcup.gov.ph:", "https://www.vgt.pl/font/roboto/Roboto-Bold.eot \u2022 https://www.vgt.pl/font/roboto/Roboto-Bold.ttf \u2022 https://www.vgt.pl/font/roboto/Roboto-Light.eot", "DoD Network Information Center disa.columbus.ns.mbx.arin-registrations@mail.mil [seen throughout}", "https://www.google.com/search?client=safari&sca_esv= www2.megawebfind.com webfind. com \u2022 www6.mega www.google.com", "open.spotify.com \u2022", "update.googleapis.com \u2022 www.google.com \u2022 clientservices.googleapis.com", "http://siteinlink.d1.cnbd.net/search/tsara-brashears-dead \u2022 https://videolal.com/videos/tsara-brashears-dead-by-daylight.html", "IDS Detections Win32/ZonaInstaller Install Beacon", "https://omodeling.wpenginepowered.com/wp-content/uploads/2020/07/modelhub-pornhub-sell-nudes-1024x57", "http://www.happylifehappywife.com/wp-content/themes/theme78222/images/top-right.jpg", "Abused Domains Contacted: xred.mooo.com freedns.afraid.org", "https://www.anyxxxtube.net/search-porn/tsara-brashears/ \u2022 alohatube.xyz \u2022 1001pornvideos.com", "Domains Contacted: www2.megawebfind.com www.google.com www6.megawebfind.com", "Detected Google homepage HTML served from suspicious domain Matched required Google homepage markers", "Domains Contacted: www.microsoft.com www.bing.com www2.megawebdeals.com ocsp.pki.goog www.download.windowsupdate.com ifdnzact.com d38psrni17bvxu.cloudfront.net www2.megawebfind.com www.google.com www6.megawebfind.com", "IDS Detection: Observed Cloudflare DNS over HTTPS \u2022 Domain (cloudflare-dns .com in TLS SNI)", "Matches rule Wow6432Node CurrentVersion Autorun Keys Modification - Credits (split) below", "https://www.sweetheartvideo.com/en/model/Mona-Wales/49601 \u2022 https://www.sweetheartvideo.com/en/scene/Truth-Dare--Boobs/130432 No Expiration\t0\t URL https://www.sweetheartvideo.com/it/model/Kristen-Scott/50432 \u2022 https://www.sweetheartvideo.com/model/63710/brandi-love", "UPX_OEP_place", "Alerts: network_icmp persistence_autorun antivm_vmware_in_instruction", "Alerts: network_icmp nolookup_communication js_eval recon_fingerprint", "Products are being abused. Users are over zealous at blocking targets from basic human rights and privacy.", "76.76.21.61 command_and_control", "spywarewatchdog.org", "x402.porn \u2022 http://alohatube.xyz/search/tsara-brashears \u2022 \thttps://ufovpn.io/blog/is-eporner-safe", "https://d3jjg4nf4bbybe.cloudfront.net/u/210425/397f80d871fe6dla1704cela4b712e387ed8a48a/large/kedence-out-of-my-sight", "vgt.pl \u2022 www.hak.vgt.pl \u2022 www.localhost.vgt.pl \u2022 www.certyfikat.vgt.pl \u2022 aristocrat.vgt.pl", "https://www.mumuplayer.com/redirect/customerservice/fB)y", "FILEHASH-SHA256 d0ce79b3e0f4798423871dd66c14172b1a0eac34131c1b92d210a7b5c31a8aa0", "http://freedns.afraid.org/images/apple.gif", "System has placed affected on multiple policies cancelling private policy without notice.", "Alerts: http_request resumethread_remote_process antianalysis_tls_section network_httpn", "https://www.vgt.pl/static/js/bootstrap-typeahead.js.179.252.2", "https://browntubeporn.com/tsara-brashearsAccept-Language", "http://www.pcup.gov.ph/images/2018/pdf/ComEnBancReso/Commission_Resolution_07s2018.PDF", "IP 69.42.215.252: http://nginx.com/ \u2022nginx.com\t\u2022 http://nginx.org/ \u2022 nginx.org \u2022 afraid.org \u2022 afraid.org", "https://www.google.com/search", "http://watchhers.net/index.php", "https://prod.centurylinktechnology.com", "https://securityaffairs.com/109671/hacking/50000-home-cameras-hacked.html", "https://www.milehighmedia.com/en/photo/milehighmedia/The-Mother-I-Cant-Resist/52380", "http://partners.spycloud.com", "http://45.159.189.105/bot/regex", "IP 69.42.215.252: theirname.yourdomain.com \u2022 www.freebsd.org freebsd.org \u2022 your.domain.com", "https://amp.mypornvid.fun/videos/8/AhxS-ej1myg/gf-18-com/\ud83c\udf81-i39m-your-present-\ud83c\udf81-girlfriend-surprises-you-for-christmas-reunion-soft-kisses-amp-cuddles", "https://pcup.gov.ph/375 pcup.gov.ph: | https://www.pcup.gov.ph/ pcup.gov.ph:", "https://www.milehighmedia.com/model/59136/avi-love \u2022https://www.milehighmedia.com/model/60418/Justin-Hunt \u2022", "SERVICE NAME: SSDPSRV \u2022 Delete upnphost\tDelete \u2022 GoogleChromeElevationService", "Windows Match api: GetProcAddress fs access *access PEB Idr_data Match PEB access fs access", "https://mobile-pocket-guide.centurylinktechnology.com", "This is why our team tells a back story. It can and does happen to anyone.", "http://www.milehighmedia.com/legal\t \u2022 https://www.milehighmedia.com/en/pornstar/milehighmedia/Justin-Hunt/51017", "https://myhotzpic.com/tsara-brashears-hardcore-lesbian-sex/anime-studio.org*thumbs-fa...", "https://www.mumuplayer.com/redirect/customerservice/_wig", "I hope this goes smoothly. I believe will be a nightmare as witnessed. I hope I\u2019m wrong.", "IDS Detections: Win32/Unruy.C Activity", "http://siteinlink.d1.cnbd.net/search/tsara-brashears-dead \u2022 http://siteinlink.d1.cnbd.net/site/maps.google.com.lb/", "https://tamlegal.com/attorneys/christopher-p-ahmann/#breadcrumb \u2022 https://www.milehighmedia.com/en/movies", "cloudfront.net \u2022 d127qq8ld0aiq5.cloudfront.net", "millet-usgc-1.palantirfedstart.com", "I apologize if you don\u2019t like my background stories", "www.milehighmedia.com \u2022 https://www.milehighmedia.com/en/Charlie-Dean/pornstar/49512", "Domains Contacted: www.download.windowsupdate.com ifdnzact.com d38psrni17bvxu.cloudfront.net", "https://www.vgt.pl/font/roboto/Roboto-Medium.ttf", "IP Address 94.152.58.192 Location Poland ASN AS29522 h88 s.a. Nameservers ns1.kei.pl. , ns2.kei.pl.", "https://otx.alienvault.com/otxapi/indicators/file/screenshot/cb40cd426d6e55c2b175b5be3327bfdf8d5a0074bf48b823121bd4720ed2ad95", "http://www.happylifehappywife.com/2010/07/'> \u2022 http://www.happylifehappywife.com/2010/09/'>", "counsel. The system does not \"keep\" money without a valid reason.Lies. they\u2019ve Ben in trouble before .", "http://cve.chainguard.dev", "music.apple.com \u2022 linktr.ee \u2022 sentient.industries? samsara has been showing up often.", "Source: Binary File relevance 10/10 ATT&CK ID T1204.001 | Target contacted CBI re: Suspicious looking Google Homepage.", "https://www.teslarati.com/tesla-robotaxi-vs-new-york-taxi-why-the-yellow-cab-a-lot-to-lose/", "Alleged CBI staffer refuses to provide evidence of identity theft resolution. Target unaware of. what\u2019s true", "Alerts : suspicious_iocontrol_codes process_creation_suspicious_location network_dyndns", "track.spywarewatchdog.org \u2022 https://track.spywarewatchdog.org - monitoring software", "https://www.sweetheartvideo.com/en/?s=1?s=1&utm_source=272160&utm_medium=affiliate&utm_campaign=lovelezzies", "http://www.pornokind.vgt.pl \u2022 https://dbkuewww.m.vgt.pl \u2022 https://lokalnyhost.vgt.pl \u2022 www.xn--twj-hna.pedofil.vgt.pl", "http://www.happylifehappywife.com/2013/03/'> \u2022 http://www.happylifehappywife.com/index.php", "https://www.vgt.pl/static/js/bootstrap-typeahead.jstic/js/bootstrap-typeahead.js", "https://signin-pro-azure.crayon.com/signin-oidc", "Target also owned an online brokerage & lead company, was agent & insurance marketer for years.", "September began with false information, defaulted claims , denials from authorized services rendered years prior.", "https://pornokind.vgt.pl \u2022 https://sip.vgt.pl \u2022 https://smtp-qa.vgt.pl \u2022 https://www.vgt.pl/94.152.156.22/logo.png", "https://www.vgt.pl/favicon.ico", "https://codesearch.criteois.com/opengrok/search?q=", "https://www.google \u2022 https://ampcid.google.com/v1/publisher \u2022\u2019https://ampcid.google.com/v1/publisher:getClientId\\", "Alerts: suspicious_iocontrol_codes infostealer_cookies persistence_autorun antisandbox_sleep", "https://connect.facebook.net/en_US/sdk.js#xfbml=1&version=v4.0&appId=705930270206797&autoLogAppEvents=1 Akamai rank:", "https://www.sweetheartvideo.com/scenes?models=63710", "Yara : Zeppelin_30 , compromised_site_redirector_fromcharcode ,", "https://www.vgt.pl/font/roboto/Roboto-Thin.ttf \u2022 https://www.vgt.pl/static/js/bootstrap-typeahead.js", "Yara : BobSoft Mini Delphi -> BoB / BobSoft , Delphi", "https://hello.extendedstay.com/api/mailings/unsubscribe/PMRGSZBCHIYTGOBWGYYTOLBCN5ZGOIR2EI2DGYZVMQ3DMNZNGY3GEYZNGQ2GIMBNMEYGENBNGQZDMMZYGA3DGZRZGI4SELBCOZSXE43JN5XCEORCGQRCYITTNFTSEORCHAZEKSCRNZ3UWTKHLA4US2BWNFVWK2SKKNXHAZTBO5RGOY2FGFYUOTTGNRJHQ5RZFU4TAPJCPU", "Contacted Google services", "http://www.forensickb.com/2013/03/file-entropy-explained.html", "https://www.teslarati.com/tesla-model-s-hitch-torklift-ecohitch-3-year-update/", "Alerts: persistence_autorun_tasks polymorphic procmem_yara static_pe_anomaly antiav_detectfile", "https://www.google-analytics.com/gtm/js?id=\\ \u2022 https://www.googletagmanager.com/gtag/js?id= \u2022", "https://www.vgt.pl/font/roboto/Roboto-Bold.ttf \u2022 https://www.vgt.pl/font/roboto/Roboto-Light.eot", "chat.pornhub.dev", "8-25-220-162-static.reverse.queryfoundry.net", "http://consolefoundry.date/one/gate.php", "IP\u2019s Contacted: 208.91.196.46 209.197.3.8 216.239.32.29 35.186.238.101", "Tipped: A targets AI and other cyber research findings.", "https://communityinviter.com/apps/cloudfoundry/cloud-foundry", "https://www.teslarati.com/tesla-tsla-monster-investment-rise-alaska-dept-of-revenue/", "https://www.vgt.pl/94.152.156.22/logo.png \u2022 https://www.vgt.pl/css/", "iphone-track-service.info", "https://www.youtube.com/watch?v=bJWJbOqg9cM - Falsely flagged to demonetize and not rank", "https://www.milehighmedia.com/en/login/index/aHR0cHMlM0ElMkYlMkZtZW1iZXJzLm1pbGVoaWdobWVkaWEuY29tJTJGZW4lMkZ2aWRlb3MlMkZzd2VldGhlYXJ0dmlkZW8lM0ZhbHVwJTNEQURqeF9ITjhfd1oweU96UnpsU3NNNUZLaVVxSzBXNEN0X3NmTFpKTGVJc3M2b0RVUzkwVmp6VllNVko5eFpmdENYcFNKd3IzOTNaMG1mOEpXeVhVeVZpLTJZYVRsaGd3M25DSDRpYnRwZ25BRC1zUFhDQVUycjZJOXo2WWtRMzNVWVFhMFZyWC1YckxvcnRkVjJZdEgxSDYxZ1lhMTFNS3RZSkEzY3FlSXhFQzhtSlAzSk1tbloySURMQXlMZndPcHozSFFiTzF4T0FseXJIQ0xYem1ldFElMkE=\t \thttp://www.milehighmedia.com/?ats=eyJhIjoyOTYzMTgsImMiOjU3OTYzNz", "https://mypornvid.com/videos/27/x510fb2/white-dpt-jeffrey-reimer-loves-pretty-indian-patient-forces-sex-3gp-video-tsara-brashears/caillou-finger", "http://117-114-251-162-static.reverse.queryfoundry.net/ - queryfoundry.net", "https://www.milehighmedia.com/de/MileHighMedia/scene/129689?utm_source=271174&utm_medium=affiliate&utm_campaign=", "Worked at some studios attacked by Lazarus Group who allegedly attacked Sony Music", "https://tagassistant.google.com/ \u2022 https://www.google-analytics.com/debug/bootstrap?id=", "ASP. NET", "https://tulach.cc/", "consolefoundry.date \u2022 http://consolefoundry.date \u2022 http://consolefoundry", "7box.vip", "https://www.anyxxxtube.net/search-porn/tsara-brashears/ \u2022 http://www.anyxxxtube/", "Dr.Web violence/adult content (False) ThreatSeeker social web - youtube", "Poemhunter.com", "Overview \"Keeping money\" by the Colorado workers' compensation system can refer to", "We apologize for so may typos and errors. We strive to do better at that.", "HTML contains suspicious external redirect patterns details Suspicious redirect patterns detected: Redirect Types: Delayed Redirect Redirects to: /doodles/ Suspicious", "https://grok-chatbot.tapnetic.pro/$", "codewiki.google", "https://cg864.myhotzpic.com phishing \u2022 http://dashboard.myhotzpic.com/", "https://urlscan.io/screenshots/e931bb02-80dc-46db-92f0-43d5afa258be.png", "IDS Detections: Suspicious Dynamic DNS Update Request Suspicious User-Agent (MyApp)", "Win.Malware.Unruy-6912804-0 IDS Detections: Win32/Unruy.C Activity 403 Forbidden", "http://www.aiupnow.com/2023/04/pakistani-hackers-use-linux-malware.html\\", "Domains Contacted: www.microsoft.com www.bing.com www2.megawebdeals.com www.google.com", "IP\u2019s Contacted: 142.250.74.68 142.250.74.99 18.66.121.69 185.53.179.170 2.22.41.134 204.79.197.200", "https://twitter.com/PORNO_SEXYBABES \u2022 girlsdoporn.com", "https://www.teslarati.com/", "Worm:Win32/Mofksys.RND!MTB | Yara Detections: SUSP_Imphash_Mar23_2", "https://elegantcosmedampyeah.pages.dev/", "Russia or Muskware? URL http://store.7box.vip/ad/C467F60A1AD6.Jpeg", "Alerts: console_output has_pdb pe_unknown_resource_name", "https://www.nextron-systems.com/notes-on-virustotal-matches/", "Alerts: antisandbox_sleep creates_exe dropper stealth_window injection_process_search protection_rx", "There is money in the industry for well established , \u2018souled\u2019 out artists. It\u2019s a racket! T signed & exited early", "Domain match: \"media-mbst-pub-ue1.s3.amazonaws.com\" possible high risk indicator. Commonly abused for malicious purposes. .", "Alerts: multiple_useragents persistence_autorun binary_yara procmem_yara suricata_alert", "https://passwords.google/?utm_medium=hpp&utm", "https://www.vgt.pl/font/roboto/Roboto-Regular.ttf \u2022 https://www.vgt.pl/font/roboto/Roboto-Thin.eot", "https://www.vgt.pl/font/roboto/Roboto-Bold.eot \u2022", "8-25-220-162-static.reverse.queryfoundry.net\t\t\tNov 1, 2025, 9:34:14 AM\t\t5\t domain\tqueryfoundry.net\t\t\tNov 1, 2025, 9:34:14 AM\t\t8\t URL\thttp://117-114-251-162-static.reverse.queryfoundry.net/", "Yara Detections :compromised_site_redirector_fromcharcode Alerts network_icmp js_eval recon_fingerprint", "State (or random \u2022_- hackers) erased evidence of targets insurance all paid for by target.", "https://www.teslarati.com/tesla-giga-shanghai-builds-5-millionth-battery-pack/", "https://songculture.com/tsara-brashears-music | Cloudfront below was attached to body of work", "https://www.sweetheartvideo.com/it/model/Kristen-Scott/50432", "Domains Contacted: ocsp.pki.goog www.download.windowsupdate.com ifdnzact.com", "https://brand2.centurylinktechnology.com", "https://www.sweetheartvideo.com/en/dvd/Lesbian-Massage/49895", "IP 69.42.215.252: nginx.com\u2022 vb.cu \u2022 vb.il \u2022 yourdomain.com \u2022 yourdomain.com", "https://hybrid-analysis.com/sample/86479bf7c9a675913b93a0d399f5cbe0c0e8003239e93ae5e00f97cdbc5ec5ba", "http://www.happylifehappywife.com/2011/06/'> \u2022 http://www.happylifehappywife.com/2011/08/'", "http://git.spywarewatchdog.org", "Don\u2019t click! https://webapps.stackexchange.com/questions/172215/google-videos-search-sca-esv-query-parameter-possible-tracking | Infected systems", "Tesla Hackers | https://www.teslarati.com/spacex", "inst.govelopscold.com", "https://www.sweetheartvideo.com/en/scene/Truth-Dare--Boobs/130432", "http://www.milehighmedia.com/?ats=eyJhIjoyOTYzMTgsImMiOjU3OTYzNzc1LCJuIjo3NiwicyI6NT...", "https://open.spotify.com/track/5KjB1j0u54VXg6M8SN8hH2", "IDS Detections Win32/Unruy.C Activity \u2022 403 Forbidden", "External resources linked to high-risk commonly abused domains detected: mc.yandex.ru | script | src snd.click | src |", "https://www.google-analytics.com/debug/bootstrap?id=\\", "http://www.happylifehappywife.com/2010/04/'> \u2022 http://www.happylifehappywife.com/2010/05/'>", "https://www.vgt.pl/font/roboto/Roboto-Light.ttf \u2022", "66.33.60.130 command_and_control", "https://www.teslarati.com/spacex", "Python Wheel package", "cedevice.io \u2022 decagonsoftware.com", "Alerts: packer_unknown", "Alerts: network_http antisandbox_sleep creates_exe dropper stealth_window", "DoD Network Information Center (DNIC)", "FileHash-SHA256 cb40cd426d6e55c2b175b5be3327bfdf8d5a0074bf48b823121bd4720ed2ad95", "pornhub-e.com \u2022 www.pornhub.com \u2022", "pornlynx.com \u2022 https://pornlynx.com \u2022 https://www.pornlynx", "142.251.9.95 \u2022 https://clients2.google.com/cr/report \u2022 accounts.google.com \u2022", "https://otx.alienvault.com/indicator/file/cb40cd426d6e55c2b175b5be3327bfdf8d5a0074bf48b823121bd4720ed2ad95", "www.localhost.vgt.pl \u2022 www.certyfikat.vgt.pl \u2022 https://www.vgt.pl/94.152.152.233/images/logo.png", "https://www.milehighmedia.com/en/movies \u2022 https://www.milehighmedia.com/join", "https://www.vgt.pl/font/roboto/Roboto-Regular.eot \u2022 https://www.vgt.pl/94.152.156.22/logo.png \u2022 https://www.vgt.pl/css/", "Invalid IP (052.105.023.053)", "Redirect (Delayed Redirect): setTimeout(function(){location.href= source Binary File relevance 10/10 ATT&CK ID T1189", "Domains Contacted: d38psrni17bvxu.cloudfront.net www2.megawebfind.com www6.megawebfind.com", "CBI (Colorado) - target believes she was redirected to malicious actors. Staffers not found in directory.", "https://hybrid-analysis.com/sample/a16d11910953b800369dbb667f178b3cc45cb8e3315217c0e6ceac68eeba206d", "File Type PEXE - PE32+ executable (console) x86-64, for MS Windows ..", "https://www.vgt.pl/style/style.css \u2022 https://www.vgt.pl/font/roboto/Roboto-Medium.eot", "http://applevless.dns-dynamic.net/\t\u2022 dns-dynamic.net", "https://www.googletagmanager.com/gtag/js?id=\\ \u2022 https://www.google-analytics.com/gtm/js?id=", "Alerts: antiav_detectreg antivm_bochs_keys antivm_generic_disk infostealer_mail injection_write", "https://www.milehighmedia.com/legal/2257 \u2022 https://www.milehighmedia", "https://palapa.c.id\t (c.id)", "https://forums.teslarati.com/data/avatars/m/5/5998.jpg?1504431665 \u2022 https://forums.teslarati.com/forums/model-3.4/", "https://www.semena.cz/exoticke-okrasne/78-plumerie-havajska-kvetina-semena-3-ks.html", "Domains Contacted: www.microsoft.com www.bing.com www2.megawebdeals.com ocsp.pki.goog", "https://www.teslarati.com/tesla-lands-87-million-megapack-belgium/", "\"Nobody Love\" Tori Kelley \"'m the One\" DJ Khaled ft Justin Bieber (Pirated Hook)", "I can\u2019t vouch for the safety of website above. First time user.", "IDS Detections Trojan.Generic.KDV.545753 Checkin", "https://www.milehighmedia.com/join \u2022 https://www.milehighmedia.com/models \u2022 https://www.milehighmedia.com/movies", "https://target.tccwest.www.littleswimmers.fr/", "Alerts: antivm_bochs_keys antivm_generic_disk enumerates_physical_drives antisandbox_sleep", "http://www.hak.vgt.pl \u2022 http://pornokind.vgt.pl \u2022 http://sip.vgt.pl \u2022 http://smtp-qa.vgt.pl \u2022 http://vgt.pl/*.", "Antivirus Detection: Worm:Win32/AutoRun!atmn [Win.Trojan.Emotet relationship]", "http://dev.browserweb.yandex.kg/ \u2022 https://api.messenger.yandex.az/ \u2022 https://yandex.uz/maps/-/CLWNeAKm", "nginx-php.7d4jelnf.trdlpbvl.sdp3.sdp.vic.gov.au", "Won appeal. Denied stimulus until passing another audit showing taxable income and filed taxes", "ttps://www.milehighmedia.com/scene/4404473/creampie-adventures-scene-2-sneaky-melanie", "https://www.sweetheartvideo.com/model/63710/brandi-love", "nginx-php.standby.content-premier-vic-gov-au.sdp3.sdp.vic.gov.au", "Alerts: network_icmp persistence_autorun antivm_vmware_in_instruction network_http", "https://www.vgt.pl/style/style.css \u2022 https://www.vgt.pl/static/js/bootstrap-typeahead.js", "Alerts: injection_process_search protection_rx", "https://bot.dev.talos-systems.io/", "https://www.vgt.pl/ phishing \u2022 https://vgt.pl/ \u2022www.vgt.pl \u2022 https://www.vgt.pl/94.152.152.233/images/logo.png", "Found in : https://otx.alienvault.com/pulse/69640c0afc9805a6fa2da07b", "https://stats.g.doubleclick.net/j/collect\\ \u2022 https://tagassistant.google.com/ \u2022 https://www.google.com/ads/ga", "accounts.google.com \u2022 apis.google.com clients2.google.com \u2022 clients2.googleusercontent.com", "https://www.virustotal.com/graph/gec39ecdb2b6243d5818d40ed7191f1d0840c1a86d34841a1b93a6d5fa9b956d2", "CVE-2017-11882 c887254bf98b3e6acbf3cd1869bdcbfb0f3abdc1168e2be8e04e93cbf6a48b9d", "http://www.anyxxxtube.net/search-porn/tsara-brashears", "ogads-pa.clients6.google.com \u2022 optimizationguide-pa.googleapis.com \u2022 play.google.com", "remotewd.com device local", "https://feedback.ptv.vic.gov.au/360", "https://www.ptv.vic.gov.au/more/travelling-on-the-network/lets-go/", "https://otx.alienvault.com/pulse/6976d6afd744c55bd596ed6e", "http://pickyhot.disqus.com/ \u2022 https://www.teslarati.com/tesla-hackers \u2022 https://pickyhot.disqus.com/tsara-brashears", "www.onyx-ware.com \u2022 https://www.endgamesystems.com/", "A clients infected now former iOS device.", "Alerts: suspicious_command_tools anomalous_deletefile mouse_movement_detect", "www.happylifehappywife.com \u2022 http://www.happylifehappywife.com/2010/02/'>", "Source : Binary File ATT&CK ID T1566.002", "https://www.sweetheartvideo.com/en/dvds \u2022 https://www.sweetheartvideo.com/en/login", "Researched publicly available information provided by representative of a target\u2019s estate", "https://otx.alienvault.com/indicator/file/f3a939131ffaf473f8b1ffa0cd11d8cbce46f50dcc7e9fd2ff8404201ab5bc8e", "PE Version Information : TJprojMain.exe", "pcup.gov.ph:", "https://www.vgt.pl/font/fa/fontawesome-webfont.eot", "https://brand.centurylinktechnology.com", "https://www.turbo.net/run/videolan/vlc", "https://shift.gearboxsoftware.com/link", "https://www.pornhub.com/gifs/search?search=tsara+lynn+brashears+lesbian", "If someone has Medicare it\u2019s wise to check with carrier & providers to see policies generated by AI", "http://pixelrz.com/lists/keywords/tsara-brashears-dead/360 \u2022 http://pixelrz.com/lists/keywords/tsara-brashears-dead/360] No Expiration\t4\t Domain tsara-brashears-deadspin-twitter-suspended-account-help.ht", "https://www.teslarati.com/TESLA-DEBUTS-GROK-AI-UPDATE-2025-26-WHAT-YOU-NEED-TO-KNOW/", "IDS Detections: W32.Bloat-A Checkin DYNAMIC_DNS Query to Abused Domain *.mooo.com", "https://www.xlabs.com.br/blog/cve-2013-3304-dell-equallogic-directory-traversal/ \u2022 http://cve.phidias.com/", "\u2018Lumen Technologies\u2019 Acting as administrator of a targeted Apple IOS device", "https://www.anyxxxtube.net/search-porn/tsara-brashears/", "track-idevice-location.info", "Yare: compromised_site_redirector_fromcharcode", "https://forums.teslarati.com/threads/humanlike-ai-robot-sophia-calls-out-elon-musk-during-live-interview.4970/", "Detected Non-Google domain serving Google homepage details", "Domain: \"snd.click\" possible high risk indicator. Domain uses TLD that is commonly abused for malicious purposes", "Treece Alfrey Musat P.C. Attorneys at Law Christopher P. Ahmann | https://TamLegal.com", "Name 2025-11-19_b627882129bf281be5a3df318fff678b_dark-comet_darkgate_elex_glassworm_stop", "https://cdn.teslarati.com \u2022 https://forums.teslarati.com/" ], "related": { "alienvault": { "adversary": [], "malware_families": [], "industries": [], "unique_indicators": 0 }, "other": { "adversary": [ "Colorado Quasi Government | Workerk Compensation", "Tesla Hackers", "Quickstart" ], "malware_families": [ "Trojan:win32/zombie.a", "Alf:jasyp:trojan:win32/genmaldown!atmn", "Polyransom", "Virtool", "Pws:win32/zbot.ms!mtb", "Nids", "Win.packed.malwarex-9792170-0", "Trojan:win32/magania.dsk!mtb", "Trojanspy:win32/nivdort.cw", "Backdoor:win32/tofsee.t", "Win.packed.dapato-10021645-0", "Backdoor:win32/berbew.aa!mtb", "Alf:jasyp:trojan:win32/ircbot!atmn", "Alf:heraklezeval:pua:win32/ultradownloads", "Trojanspy:win32/nivdort", "Gravityrat", "Tofsee", "Carbanak", "Worm:win32/lightmoon.h", "Pegasus", "Win.dropper.nanocore-10021490-0", "Autorun", "Berbew", "Win.packed.eyestye-9754938-0", "Win.dropper.gh0strat-10028210-0", "Nivdort", "Win.malware.pits-10035540-0", "Win.ransomware.msilzilla-10014498-0", "Vd", "Win.packed.generic-9967832-0", "Ms defender\ttrojan:win32/qbot.kvd!mtb", "Jaik", "Psw:win32/vb.cu", "Win.malware.unruy-6912804-0", "Win.malware.snojan-6775202-0", "Ransom:win32/cve-2017-0147", "Formbook", "Cassini", "Trojandropper:win32/vb.il", "Exploit:linux/cve-2017-17215", "Other malware", "Trojan:win32/eyestye.t", "Malware gen", "Win.trojan.emotet-9850453", "Cve-2022-26134", "Lockbit", "Muldrop", "Worm:win32/autorun", "Multiple malware attack", "Et", "A variant of win32/kryptik.deoa", "Dorv", "Trojan:msil/agenttesla.dw!mtb", "Win.trojan.blacknetrat-7838854-0", "Trojan:win32/qshell", "Win.malware.jaik-9940406-0", "Zombie", "Darkmoon", "Win32:hacktoolx-gen\\ [trj]", "Hacktool:win32/cobaltstrike.a", "Worm:win32/mofksys.rnd!mtb", "Win.packed.remcos-10024510-0", "Domino", "Win.trojan.generic-9878032-0", "Malware", "Project nemesis", "Ransom", "Alf:heraklezeval:trojan:msil/gravityrat!rfn", "Other dangerous malware", "Trojan:win32/zusy", "Backdoor:win32/kanav.a", "Emotet", "Trojan:win32/mydoom", "Upatre", "Win.exploit.rozena-10038302-0", "Wannacry", "Trojan:win32/zombie", "Malware packed", "Worm:win32/autorun!atmn", "Win.packed.stealerc-10017074-0", "Evo", "#lowfi:win32/autoit", "Lizar", "Trojan.tofsee/botx", "Trojan:win32/glupteba.mt!mtb", "Win.trojan.upatre-3371", "Trojanspy:msil/yakbeex.a", "Nufs_unicode", "Alf:heraklezeval:pua:win32/4shared", "Cve-2023-4966", "Win.trojan.starter-171", "Pws:win32/axespec.a", "Code overlap", "Alf:exploit:win32/gsharedinforef.a", "Cobalt strike", "Win.trojan.barys-10005825-0", "Win.trojan.12382640-1", "Trojandownloader:win32/upatre.a", "Win.dropper.poisonivy-9876745-0", "Win.dropper.lokibot-10010685-0", "Nemucod", "Eyestye", "Autoit", "Trojanspy" ], "industries": [ "Financial", "Entertainment", "Government", "Healthcare", "Oil", "Telecommunications", "Civilian", "Ecommerce", "Hospitality", "Technology", "Media" ], "unique_indicators": 196489 } } }, "false_positive": [], "alexa": "http://www.alexa.com/siteinfo/spywarewatchdog.org", "whois": "http://whois.domaintools.com/spywarewatchdog.org", "domain": "spywarewatchdog.org", "hostname": "git.spywarewatchdog.org" }, "geo": {}, "geo_ipapicom": {}, "pulse_count": 40, "pulses": [ { "id": "69b49ad5dd40a24d83cd6a72", "name": "Chris P. Ahmann \u2022 PRIVATE PROPERTY Colorado State Fixer!", "description": "", "modified": "2026-03-13T23:16:37.716000", "created": "2026-03-13T23:16:37.716000", "tags": [ "related pulses", "p1377925676", "gaz1", "sid1696503456", "sct1", "active", "dynamicloader", "medium", "write c", "search", "show", "high", "program gateway", "http traffic", "http", "write", "malware", "nivdort", "serving ip", "address", "status code", "kb body", "sha256", "gw5hjz7t975", "url https", "url http", "indicator role", "pulses url", "hostname", "poland unknown", "present sep", "present jul", "present may", "present apr", "present dec", "present jan", "moved", "passive dns", "ip address", "title", "location poland", "asn as29522", "gmt content", "accept encoding", "ipv4 add", "urls", "files", "reverse dns", "united", "record value", "aaaa", "mtb oct", "found", "error", "read c", "memcommit", "module load", "next", "showing", "trojan", "execution", "unknown", "entries", "ms windows", "intel", "as15169", "codeoverlap", "yara detections", "delphi", "worm", "win32", "win64", "learn", "ck id", "name tactics", "suspicious", "informative", "adversaries", "command", "spawns", "ssl certificate", "execution att", "script urls", "treece alfrey", "meta", "germany unknown", "for privacy", "title added", "active related", "pulses", "asnone", "named pipe", "type indicator", "role title", "added active", "filehashsha256", "ally", "melika", "information", "law christopher", "https", "fake pinterest", "tsara", "traceback man", "expiro", "capture", "domain", "types of", "germany", "poland", "netherlands", "cve cve20178977", "boobs130432 nov", "learn more", "filehashmd5", "utmsourceawin", "pe32", "head microsoft", "delete", "main", "backdoor", "next associated", "gmt connection", "control", "content type", "twitter", "certificate", "redirect date", "cache", "unknown ns", "hostname add", "ipv4", "pulse pulses", "location united", "america flag", "america asn", "windows", "total", "ids detections", "url add", "related nids", "files location", "flag united", "win32mydoom nov", "domain add", "yara rule", "ee fc", "ff d5", "f0 ff", "eb e1", "ff ff", "c1 e8", "c1 c0", "eb e8", "mpress", "cache control", "x cache", "date", "name servers", "arial", "present aug", "present jun", "may god", "hall render", "palantir doing", "jeffrey scott", "jeffrey reimer", "brian sabey", "butt pirates", "scott reimer", "colorado", "quasi government", "workers compensation", "eva lisa", "eva reimer", "sammie", "montano mark", "death threats", "tulach", "hired hit men", "gay man", "gay porn", "concentra", "corruption", "palantir", "foundry", "grifter", "warning", "illegal", "apple", "contacted", "ransom", "dead", "denver" ], "references": [ "https://tamlegal.com/attorneys/christopher-p-ahmann/#breadcrumb \u2022 https://www.milehighmedia.com/en/movies", "https://www.milehighmedia.com/legal/2257 \u2022 https://www.milehighmedia", "www.milehighmedia.com \u2022 https://www.milehighmedia.com/en/Charlie-Dean/pornstar/49512", "https://www.milehighmedia.com/en/login/index/aHR0cHMlM0ElMkYlMkZtZW1iZXJzLm1pbGVoaWdobWVkaWEuY29tJTJGZW4lMkZ2aWRlb3MlMkZzd2VldGhlYXJ0dmlkZW8lM0ZhbHVwJTNEQURqeF9ITjhfd1oweU96UnpsU3NNNUZLaVVxSzBXNEN0X3NmTFpKTGVJc3M2b0RVUzkwVmp6VllNVko5eFpmdENYcFNKd3IzOTNaMG1mOEpXeVhVeVZpLTJZYVRsaGd3M25DSDRpYnRwZ25BRC1zUFhDQVUycjZJOXo2WWtRMzNVWVFhMFZyWC1YckxvcnRkVjJZdEgxSDYxZ1lhMTFNS3RZSkEzY3FlSXhFQzhtSlAzSk1tbloySURMQXlMZndPcHozSFFiTzF4T0FseXJIQ0xYem1ldFElMkE=\t \thttp://www.milehighmedia.com/?ats=eyJhIjoyOTYzMTgsImMiOjU3OTYzNz", "http://www.milehighmedia.com/legal\t \u2022 https://www.milehighmedia.com/en/pornstar/milehighmedia/Justin-Hunt/51017", "https://www.milehighmedia.com/de/MileHighMedia/scene/129689?utm_source=271174&utm_medium=affiliate&utm_campaign=", "http://www.milehighmedia.com/?ats=eyJhIjoyOTYzMTgsImMiOjU3OTYzNzc1LCJuIjo3NiwicyI6NT...", "ttps://www.milehighmedia.com/scene/4404473/creampie-adventures-scene-2-sneaky-melanie", "https://www.milehighmedia.com/join \u2022 https://www.milehighmedia.com/models \u2022 https://www.milehighmedia.com/movies", "https://www.milehighmedia.com/model/59136/avi-love \u2022https://www.milehighmedia.com/model/60418/Justin-Hunt \u2022", "https://www.milehighmedia.com/en/photo/milehighmedia/The-Mother-I-Cant-Resist/52380", "https://www.milehighmedia.com/en/movies \u2022 https://www.milehighmedia.com/join", "https://www.pornhub.com/gifs/search?search=tsara+lynn+brashears+lesbian", "pornhub-e.com \u2022 www.pornhub.com \u2022", "https://www.sweetheartvideo.com/tsara-brashears/ \u2022 www.sweetheartvideo.com", "https://www.sweetheartvideo.com/en/?s=1?s=1&utm_source=272160&utm_medium=affiliate&utm_campaign=lovelezzies", "https://www.sweetheartvideo.com/en/dvd/Lesbian-Massage/49895", "https://www.sweetheartvideo.com/en/dvds \u2022 https://www.sweetheartvideo.com/en/login", "https://www.sweetheartvideo.com/en/model/Mona-Wales/49601 \u2022 https://www.sweetheartvideo.com/en/scene/Truth-Dare--Boobs/130432 No Expiration\t0\t URL https://www.sweetheartvideo.com/it/model/Kristen-Scott/50432 \u2022 https://www.sweetheartvideo.com/model/63710/brandi-love", "https://www.sweetheartvideo.com/scenes?models=63710", "https://www.sweetheartvideo.com/model/63710/brandi-love", "https://www.sweetheartvideo.com/scenes?models=63710", "https://www.sweetheartvideo.com/it/model/Kristen-Scott/50432", "https://www.sweetheartvideo.com/en/scene/Truth-Dare--Boobs/130432", "https://www.milehighmedia.com/en/photo/milehighmedia/The-Mother-I-Cant-Resist/52380", "https://www.vgt.pl/font/roboto/Roboto-Bold.eot \u2022", "https://www.vgt.pl/94.152.152.233/images/logo.png", "https://www.vgt.pl/94.152.156.22/logo.png \u2022 https://www.vgt.pl/css/", "https://www.vgt.pl/favicon.ico", "https://www.vgt.pl/font/fa/fontawesome-webfont.eot", "https://www.vgt.pl/font/roboto/Roboto-Bold.ttf \u2022 https://www.vgt.pl/font/roboto/Roboto-Light.eot", "https://www.vgt.pl/font/roboto/Roboto-Medium.ttf", "https://www.vgt.pl/font/roboto/Roboto-Light.ttf \u2022", "https://www.vgt.pl/static/js/bootstrap-typeahead.jstic/js/bootstrap-typeahead.js", "https://www.vgt.pl/style/style.css \u2022 https://www.vgt.pl/font/roboto/Roboto-Medium.eot", "https://www.vgt.pl/font/roboto/Roboto-Regular.ttf \u2022 https://www.vgt.pl/font/roboto/Roboto-Thin.eot", "https://www.vgt.pl/static/js/bootstrap-typeahead.js.179.252.2", "https://www.vgt.pl/font/roboto/Roboto-Thin.ttf \u2022 https://www.vgt.pl/static/js/bootstrap-typeahead.js", "https://www.vgt.pl/font/roboto/Roboto-Regular.eot \u2022 https://www.vgt.pl/94.152.156.22/logo.png \u2022 https://www.vgt.pl/css/", "vgt.pl \u2022 www.hak.vgt.pl \u2022 www.localhost.vgt.pl \u2022 www.certyfikat.vgt.pl \u2022 aristocrat.vgt.pl", "https://www.vgt.pl/ phishing \u2022 https://vgt.pl/ \u2022www.vgt.pl \u2022 https://www.vgt.pl/94.152.152.233/images/logo.png", "http://www.pornokind.vgt.pl \u2022 https://dbkuewww.m.vgt.pl \u2022 https://lokalnyhost.vgt.pl \u2022 www.xn--twj-hna.pedofil.vgt.pl", "http://www.hak.vgt.pl \u2022 http://pornokind.vgt.pl \u2022 http://sip.vgt.pl \u2022 http://smtp-qa.vgt.pl \u2022 http://vgt.pl/*.", "https://pornokind.vgt.pl \u2022 https://sip.vgt.pl \u2022 https://smtp-qa.vgt.pl \u2022 https://www.vgt.pl/94.152.156.22/logo.png", "www.localhost.vgt.pl \u2022 www.certyfikat.vgt.pl \u2022 https://www.vgt.pl/94.152.152.233/images/logo.png", "https://www.vgt.pl/css/ \u2022 https://www.vgt.pl/favicon.ico \u2022 https://www.vgt.pl/font/fa/fontawesome-webfont.eot", "https://www.vgt.pl/font/roboto/Roboto-Bold.eot \u2022 https://www.vgt.pl/font/roboto/Roboto-Bold.ttf \u2022 https://www.vgt.pl/font/roboto/Roboto-Light.eot", "https://www.vgt.pl/static/js/bootstrap-typeahead.jstic/js/bootstrap-typeahead.js", "https://www.vgt.pl/style/style.css \u2022 https://www.vgt.pl/static/js/bootstrap-typeahead.js", "IP Address 94.152.58.192 Location Poland ASN AS29522 h88 s.a. Nameservers ns1.kei.pl. , ns2.kei.pl.", "www.happylifehappywife.com \u2022 http://www.happylifehappywife.com/2010/02/'>", "http://www.happylifehappywife.com/2010/04/'> \u2022 http://www.happylifehappywife.com/2010/05/'>", "http://www.happylifehappywife.com/2010/07/'> \u2022 http://www.happylifehappywife.com/2010/09/'>", "http://www.happylifehappywife.com/2011/06/'> \u2022 http://www.happylifehappywife.com/2011/08/'", "http://www.happylifehappywife.com/2011/08/'> \u2022 http://www.happylifehappywife.com/2012/07/'>", "http://www.happylifehappywife.com/2013/03/'> \u2022 http://www.happylifehappywife.com/index.php", "http://www.happylifehappywife.com/wp-content/themes/theme78222/images/top-right.jpg", "https://amp.mypornvid.fun/videos/8/AhxS-ej1myg/gf-18-com/\ud83c\udf81-i39m-your-present-\ud83c\udf81-girlfriend-surprises-you-for-christmas-reunion-soft-kisses-amp-cuddles", "8-25-220-162-static.reverse.queryfoundry.net\t\t\tNov 1, 2025, 9:34:14 AM\t\t5\t domain\tqueryfoundry.net\t\t\tNov 1, 2025, 9:34:14 AM\t\t8\t URL\thttp://117-114-251-162-static.reverse.queryfoundry.net/", "http://watchhers.net/index.php", "remotewd.com device local", "nr-data.net \u2022 applemusic-spotlight.myunidays.com \u2022 init.ess.apple.com \u2022 tv.apple.com", "https://browntubeporn.com/tsara-brashearsAccept-Language", "https://cg864.myhotzpic.com phishing \u2022 http://dashboard.myhotzpic.com/", "https://myhotzpic.com/tsara-brashears-hardcore-lesbian-sex/anime-studio.org*thumbs-fa...", "https://mypornvid.com/videos/27/x510fb2/white-dpt-jeffrey-reimer-loves-pretty-indian-patient-forces-sex-3gp-video-tsara-brashears/caillou-finger", "http://siteinlink.d1.cnbd.net/search/tsara-brashears-dead \u2022 http://siteinlink.d1.cnbd.net/site/maps.google.com.lb/", "http://siteinlink.d1.cnbd.net/search/tsara-brashears-assaulted-by-jeffrey-reimer", "http://siteinlink.d1.cnbd.net/search/tsara-brashears-dead \u2022 https://videolal.com/videos/tsara-brashears-dead-by-daylight.html", "http://pixelrz.com/lists/keywords/tsara-brashears-dead/360 \u2022 http://pixelrz.com/lists/keywords/tsara-brashears-dead/360] No Expiration\t4\t Domain tsara-brashears-deadspin-twitter-suspended-account-help.ht", "https://www.anyxxxtube.net/search-porn/tsara-brashears/", "https://www.pornhub.com/gifs/search?search=tsara+lynn+brashears+lesbian", "https://www.anyxxxtube.net/search-porn/tsara-brashears/", "https://twitter.com/PORNO_SEXYBABES \u2022 girlsdoporn.com", "Treece Alfrey Musat P.C. Attorneys at Law Christopher P. Ahmann | https://TamLegal.com", "https://urlscan.io/screenshots/e931bb02-80dc-46db-92f0-43d5afa258be.png" ], "public": 1, "adversary": "", "targeted_countries": [], "malware_families": [ { "id": "TrojanSpy:Win32/Nivdort", "display_name": "TrojanSpy:Win32/Nivdort", "target": "/malware/TrojanSpy:Win32/Nivdort" }, { "id": "Worm:Win32/Autorun", "display_name": "Worm:Win32/Autorun", "target": "/malware/Worm:Win32/Autorun" }, { "id": "Tofsee", "display_name": "Tofsee", "target": null }, { "id": "Jaik", "display_name": "Jaik", "target": null }, { "id": "Trojan:Win32/Qshell", "display_name": "Trojan:Win32/Qshell", "target": "/malware/Trojan:Win32/Qshell" }, { "id": "Trojan:Win32/Mydoom", "display_name": "Trojan:Win32/Mydoom", "target": "/malware/Trojan:Win32/Mydoom" } ], "attack_ids": [ { "id": "T1045", "name": "Software Packing", "display_name": "T1045 - Software Packing" }, { "id": "T1057", "name": "Process Discovery", "display_name": "T1057 - Process Discovery" }, { "id": "T1060", "name": "Registry Run Keys / Startup Folder", "display_name": "T1060 - Registry Run Keys / Startup Folder" }, { "id": "T1053", "name": "Scheduled Task/Job", "display_name": "T1053 - Scheduled Task/Job" }, { "id": "T1055", "name": "Process Injection", "display_name": "T1055 - Process Injection" }, { "id": "T1082", "name": "System Information Discovery", "display_name": "T1082 - System Information Discovery" }, { "id": "T1112", "name": "Modify Registry", "display_name": "T1112 - Modify Registry" }, { "id": "T1119", "name": "Automated Collection", "display_name": "T1119 - Automated Collection" }, { "id": "T1129", "name": "Shared Modules", "display_name": "T1129 - Shared Modules" }, { "id": "T1143", "name": "Hidden Window", "display_name": "T1143 - Hidden Window" }, { "id": "T1063", "name": "Security Software Discovery", "display_name": "T1063 - Security Software Discovery" }, { "id": "T1027", "name": "Obfuscated Files or Information", "display_name": "T1027 - Obfuscated Files or Information" }, { "id": "T1071", "name": "Application Layer Protocol", "display_name": "T1071 - Application Layer Protocol" }, { "id": "T1518", "name": "Software Discovery", "display_name": "T1518 - Software Discovery" }, { "id": "T1553", "name": "Subvert Trust Controls", "display_name": "T1553 - Subvert Trust Controls" }, { "id": "T1568", "name": "Dynamic Resolution", "display_name": "T1568 - Dynamic Resolution" }, { "id": "T1583", "name": "Acquire Infrastructure", "display_name": "T1583 - Acquire Infrastructure" }, { "id": "T1069", "name": "Permission Groups Discovery", "display_name": "T1069 - Permission Groups Discovery" }, { "id": "T1105", "name": "Ingress Tool Transfer", "display_name": "T1105 - Ingress Tool Transfer" }, { "id": "T1113", "name": "Screen Capture", "display_name": "T1113 - Screen Capture" }, { "id": "T1140", "name": "Deobfuscate/Decode Files or Information", "display_name": "T1140 - Deobfuscate/Decode Files or Information" }, { "id": "T1197", "name": "BITS Jobs", "display_name": "T1197 - BITS Jobs" }, { "id": "T1210", "name": "Exploitation of Remote Services", "display_name": "T1210 - Exploitation of Remote Services" }, { "id": "T1457", "name": "Malicious Media Content", "display_name": "T1457 - Malicious Media Content" }, { "id": "T1480", "name": "Execution Guardrails", "display_name": "T1480 - Execution Guardrails" }, { "id": "T1562", "name": "Impair Defenses", "display_name": "T1562 - Impair Defenses" }, { "id": "T1574", "name": "Hijack Execution Flow", "display_name": "T1574 - Hijack Execution Flow" } ], "industries": [], "TLP": "green", "cloned_from": "69631fbd16e306ee2b76c4da", "export_count": 0, "upvotes_count": 0, "downvotes_count": 0, "votes_count": 0, "locked": false, "pulse_source": "web", "validator_count": 0, "comment_count": 1, "follower_count": 0, "vote": 0, "author": { "username": "Q.Vashti", "id": "337942", "avatar_url": "https://otx.alienvault.com/assets/images/default-avatar.png", "is_subscribed": false, "is_following": false }, "indicator_type_counts": { "URL": 8897, "domain": 2102, "hostname": 2867, "FileHash-SHA256": 3886, "FileHash-MD5": 619, "FileHash-SHA1": 555, "CVE": 3, "email": 5, "SSLCertFingerprint": 8 }, "indicator_count": 18942, "is_author": false, "is_subscribing": null, "subscriber_count": 137, "modified_text": "36 days ago ", "is_modified": false, "groups": [], "in_group": false, "threat_hunter_scannable": true, "threat_hunter_has_agents": 1, "related_indicator_type": "URL", "related_indicator_is_active": 1 }, { "id": "69b496396ca4987e95ad37d1", "name": "Chris Buzz by QVashni (wow)", "description": "", "modified": "2026-03-13T22:56:57.314000", "created": "2026-03-13T22:56:57.314000", "tags": [ "related pulses", "p1377925676", "gaz1", "sid1696503456", "sct1", "active", "dynamicloader", "medium", "write c", "search", "show", "high", "program gateway", "http traffic", "http", "write", "malware", "nivdort", "serving ip", "address", "status code", "kb body", "sha256", "gw5hjz7t975", "url https", "url http", "indicator role", "pulses url", "hostname", "poland unknown", "present sep", "present jul", "present may", "present apr", "present dec", "present jan", "moved", "passive dns", "ip address", "title", "location poland", "asn as29522", "gmt content", "accept encoding", "ipv4 add", "urls", "files", "reverse dns", "united", "record value", "aaaa", "mtb oct", "found", "error", "read c", "memcommit", "module load", "next", "showing", "trojan", "execution", "unknown", "entries", "ms windows", "intel", "as15169", "codeoverlap", "yara detections", "delphi", "worm", "win32", "win64", "learn", "ck id", "name tactics", "suspicious", "informative", "adversaries", "command", "spawns", "ssl certificate", "execution att", "script urls", "treece alfrey", "meta", "germany unknown", "for privacy", "title added", "active related", "pulses", "asnone", "named pipe", "type indicator", "role title", "added active", "filehashsha256", "ally", "melika", "information", "law christopher", "https", "fake pinterest", "tsara", "traceback man", "expiro", "capture", "domain", "types of", "germany", "poland", "netherlands", "cve cve20178977", "boobs130432 nov", "learn more", "filehashmd5", "utmsourceawin", "pe32", "head microsoft", "delete", "main", "backdoor", "next associated", "gmt connection", "control", "content type", "twitter", "certificate", "redirect date", "cache", "unknown ns", "hostname add", "ipv4", "pulse pulses", "location united", "america flag", "america asn", "windows", "total", "ids detections", "url add", "related nids", "files location", "flag united", "win32mydoom nov", "domain add", "yara rule", "ee fc", "ff d5", "f0 ff", "eb e1", "ff ff", "c1 e8", "c1 c0", "eb e8", "mpress", "cache control", "x cache", "date", "name servers", "arial", "present aug", "present jun", "may god", "hall render", "palantir doing", "jeffrey scott", "jeffrey reimer", "brian sabey", "butt pirates", "scott reimer", "colorado", "quasi government", "workers compensation", "eva lisa", "eva reimer", "sammie", "montano mark", "death threats", "tulach", "hired hit men", "gay man", "gay porn", "concentra", "corruption", "palantir", "foundry", "grifter", "warning", "illegal", "apple", "contacted", "ransom", "dead", "denver" ], "references": [ "https://tamlegal.com/attorneys/christopher-p-ahmann/#breadcrumb \u2022 https://www.milehighmedia.com/en/movies", "https://www.milehighmedia.com/legal/2257 \u2022 https://www.milehighmedia", "www.milehighmedia.com \u2022 https://www.milehighmedia.com/en/Charlie-Dean/pornstar/49512", "https://www.milehighmedia.com/en/login/index/aHR0cHMlM0ElMkYlMkZtZW1iZXJzLm1pbGVoaWdobWVkaWEuY29tJTJGZW4lMkZ2aWRlb3MlMkZzd2VldGhlYXJ0dmlkZW8lM0ZhbHVwJTNEQURqeF9ITjhfd1oweU96UnpsU3NNNUZLaVVxSzBXNEN0X3NmTFpKTGVJc3M2b0RVUzkwVmp6VllNVko5eFpmdENYcFNKd3IzOTNaMG1mOEpXeVhVeVZpLTJZYVRsaGd3M25DSDRpYnRwZ25BRC1zUFhDQVUycjZJOXo2WWtRMzNVWVFhMFZyWC1YckxvcnRkVjJZdEgxSDYxZ1lhMTFNS3RZSkEzY3FlSXhFQzhtSlAzSk1tbloySURMQXlMZndPcHozSFFiTzF4T0FseXJIQ0xYem1ldFElMkE=\t \thttp://www.milehighmedia.com/?ats=eyJhIjoyOTYzMTgsImMiOjU3OTYzNz", "http://www.milehighmedia.com/legal\t \u2022 https://www.milehighmedia.com/en/pornstar/milehighmedia/Justin-Hunt/51017", "https://www.milehighmedia.com/de/MileHighMedia/scene/129689?utm_source=271174&utm_medium=affiliate&utm_campaign=", "http://www.milehighmedia.com/?ats=eyJhIjoyOTYzMTgsImMiOjU3OTYzNzc1LCJuIjo3NiwicyI6NT...", "ttps://www.milehighmedia.com/scene/4404473/creampie-adventures-scene-2-sneaky-melanie", "https://www.milehighmedia.com/join \u2022 https://www.milehighmedia.com/models \u2022 https://www.milehighmedia.com/movies", "https://www.milehighmedia.com/model/59136/avi-love \u2022https://www.milehighmedia.com/model/60418/Justin-Hunt \u2022", "https://www.milehighmedia.com/en/photo/milehighmedia/The-Mother-I-Cant-Resist/52380", "https://www.milehighmedia.com/en/movies \u2022 https://www.milehighmedia.com/join", "https://www.pornhub.com/gifs/search?search=tsara+lynn+brashears+lesbian", "pornhub-e.com \u2022 www.pornhub.com \u2022", "https://www.sweetheartvideo.com/tsara-brashears/ \u2022 www.sweetheartvideo.com", "https://www.sweetheartvideo.com/en/?s=1?s=1&utm_source=272160&utm_medium=affiliate&utm_campaign=lovelezzies", "https://www.sweetheartvideo.com/en/dvd/Lesbian-Massage/49895", "https://www.sweetheartvideo.com/en/dvds \u2022 https://www.sweetheartvideo.com/en/login", "https://www.sweetheartvideo.com/en/model/Mona-Wales/49601 \u2022 https://www.sweetheartvideo.com/en/scene/Truth-Dare--Boobs/130432 No Expiration\t0\t URL https://www.sweetheartvideo.com/it/model/Kristen-Scott/50432 \u2022 https://www.sweetheartvideo.com/model/63710/brandi-love", "https://www.sweetheartvideo.com/scenes?models=63710", "https://www.sweetheartvideo.com/model/63710/brandi-love", "https://www.sweetheartvideo.com/scenes?models=63710", "https://www.sweetheartvideo.com/it/model/Kristen-Scott/50432", "https://www.sweetheartvideo.com/en/scene/Truth-Dare--Boobs/130432", "https://www.milehighmedia.com/en/photo/milehighmedia/The-Mother-I-Cant-Resist/52380", "https://www.vgt.pl/font/roboto/Roboto-Bold.eot \u2022", "https://www.vgt.pl/94.152.152.233/images/logo.png", "https://www.vgt.pl/94.152.156.22/logo.png \u2022 https://www.vgt.pl/css/", "https://www.vgt.pl/favicon.ico", "https://www.vgt.pl/font/fa/fontawesome-webfont.eot", "https://www.vgt.pl/font/roboto/Roboto-Bold.ttf \u2022 https://www.vgt.pl/font/roboto/Roboto-Light.eot", "https://www.vgt.pl/font/roboto/Roboto-Medium.ttf", "https://www.vgt.pl/font/roboto/Roboto-Light.ttf \u2022", "https://www.vgt.pl/static/js/bootstrap-typeahead.jstic/js/bootstrap-typeahead.js", "https://www.vgt.pl/style/style.css \u2022 https://www.vgt.pl/font/roboto/Roboto-Medium.eot", "https://www.vgt.pl/font/roboto/Roboto-Regular.ttf \u2022 https://www.vgt.pl/font/roboto/Roboto-Thin.eot", "https://www.vgt.pl/static/js/bootstrap-typeahead.js.179.252.2", "https://www.vgt.pl/font/roboto/Roboto-Thin.ttf \u2022 https://www.vgt.pl/static/js/bootstrap-typeahead.js", "https://www.vgt.pl/font/roboto/Roboto-Regular.eot \u2022 https://www.vgt.pl/94.152.156.22/logo.png \u2022 https://www.vgt.pl/css/", "vgt.pl \u2022 www.hak.vgt.pl \u2022 www.localhost.vgt.pl \u2022 www.certyfikat.vgt.pl \u2022 aristocrat.vgt.pl", "https://www.vgt.pl/ phishing \u2022 https://vgt.pl/ \u2022www.vgt.pl \u2022 https://www.vgt.pl/94.152.152.233/images/logo.png", "http://www.pornokind.vgt.pl \u2022 https://dbkuewww.m.vgt.pl \u2022 https://lokalnyhost.vgt.pl \u2022 www.xn--twj-hna.pedofil.vgt.pl", "http://www.hak.vgt.pl \u2022 http://pornokind.vgt.pl \u2022 http://sip.vgt.pl \u2022 http://smtp-qa.vgt.pl \u2022 http://vgt.pl/*.", "https://pornokind.vgt.pl \u2022 https://sip.vgt.pl \u2022 https://smtp-qa.vgt.pl \u2022 https://www.vgt.pl/94.152.156.22/logo.png", "www.localhost.vgt.pl \u2022 www.certyfikat.vgt.pl \u2022 https://www.vgt.pl/94.152.152.233/images/logo.png", "https://www.vgt.pl/css/ \u2022 https://www.vgt.pl/favicon.ico \u2022 https://www.vgt.pl/font/fa/fontawesome-webfont.eot", "https://www.vgt.pl/font/roboto/Roboto-Bold.eot \u2022 https://www.vgt.pl/font/roboto/Roboto-Bold.ttf \u2022 https://www.vgt.pl/font/roboto/Roboto-Light.eot", "https://www.vgt.pl/static/js/bootstrap-typeahead.jstic/js/bootstrap-typeahead.js", "https://www.vgt.pl/style/style.css \u2022 https://www.vgt.pl/static/js/bootstrap-typeahead.js", "IP Address 94.152.58.192 Location Poland ASN AS29522 h88 s.a. Nameservers ns1.kei.pl. , ns2.kei.pl.", "www.happylifehappywife.com \u2022 http://www.happylifehappywife.com/2010/02/'>", "http://www.happylifehappywife.com/2010/04/'> \u2022 http://www.happylifehappywife.com/2010/05/'>", "http://www.happylifehappywife.com/2010/07/'> \u2022 http://www.happylifehappywife.com/2010/09/'>", "http://www.happylifehappywife.com/2011/06/'> \u2022 http://www.happylifehappywife.com/2011/08/'", "http://www.happylifehappywife.com/2011/08/'> \u2022 http://www.happylifehappywife.com/2012/07/'>", "http://www.happylifehappywife.com/2013/03/'> \u2022 http://www.happylifehappywife.com/index.php", "http://www.happylifehappywife.com/wp-content/themes/theme78222/images/top-right.jpg", "https://amp.mypornvid.fun/videos/8/AhxS-ej1myg/gf-18-com/\ud83c\udf81-i39m-your-present-\ud83c\udf81-girlfriend-surprises-you-for-christmas-reunion-soft-kisses-amp-cuddles", "8-25-220-162-static.reverse.queryfoundry.net\t\t\tNov 1, 2025, 9:34:14 AM\t\t5\t domain\tqueryfoundry.net\t\t\tNov 1, 2025, 9:34:14 AM\t\t8\t URL\thttp://117-114-251-162-static.reverse.queryfoundry.net/", "http://watchhers.net/index.php", "remotewd.com device local", "nr-data.net \u2022 applemusic-spotlight.myunidays.com \u2022 init.ess.apple.com \u2022 tv.apple.com", "https://browntubeporn.com/tsara-brashearsAccept-Language", "https://cg864.myhotzpic.com phishing \u2022 http://dashboard.myhotzpic.com/", "https://myhotzpic.com/tsara-brashears-hardcore-lesbian-sex/anime-studio.org*thumbs-fa...", "https://mypornvid.com/videos/27/x510fb2/white-dpt-jeffrey-reimer-loves-pretty-indian-patient-forces-sex-3gp-video-tsara-brashears/caillou-finger", "http://siteinlink.d1.cnbd.net/search/tsara-brashears-dead \u2022 http://siteinlink.d1.cnbd.net/site/maps.google.com.lb/", "http://siteinlink.d1.cnbd.net/search/tsara-brashears-assaulted-by-jeffrey-reimer", "http://siteinlink.d1.cnbd.net/search/tsara-brashears-dead \u2022 https://videolal.com/videos/tsara-brashears-dead-by-daylight.html", "http://pixelrz.com/lists/keywords/tsara-brashears-dead/360 \u2022 http://pixelrz.com/lists/keywords/tsara-brashears-dead/360] No Expiration\t4\t Domain tsara-brashears-deadspin-twitter-suspended-account-help.ht", "https://www.anyxxxtube.net/search-porn/tsara-brashears/", "https://www.pornhub.com/gifs/search?search=tsara+lynn+brashears+lesbian", "https://www.anyxxxtube.net/search-porn/tsara-brashears/", "https://twitter.com/PORNO_SEXYBABES \u2022 girlsdoporn.com", "Treece Alfrey Musat P.C. Attorneys at Law Christopher P. Ahmann | https://TamLegal.com", "https://urlscan.io/screenshots/e931bb02-80dc-46db-92f0-43d5afa258be.png" ], "public": 1, "adversary": "", "targeted_countries": [], "malware_families": [ { "id": "TrojanSpy:Win32/Nivdort", "display_name": "TrojanSpy:Win32/Nivdort", "target": "/malware/TrojanSpy:Win32/Nivdort" }, { "id": "Worm:Win32/Autorun", "display_name": "Worm:Win32/Autorun", "target": "/malware/Worm:Win32/Autorun" }, { "id": "Tofsee", "display_name": "Tofsee", "target": null }, { "id": "Jaik", "display_name": "Jaik", "target": null }, { "id": "Trojan:Win32/Qshell", "display_name": "Trojan:Win32/Qshell", "target": "/malware/Trojan:Win32/Qshell" }, { "id": "Trojan:Win32/Mydoom", "display_name": "Trojan:Win32/Mydoom", "target": "/malware/Trojan:Win32/Mydoom" } ], "attack_ids": [ { "id": "T1045", "name": "Software Packing", "display_name": "T1045 - Software Packing" }, { "id": "T1057", "name": "Process Discovery", "display_name": "T1057 - Process Discovery" }, { "id": "T1060", "name": "Registry Run Keys / Startup Folder", "display_name": "T1060 - Registry Run Keys / Startup Folder" }, { "id": "T1053", "name": "Scheduled Task/Job", "display_name": "T1053 - Scheduled Task/Job" }, { "id": "T1055", "name": "Process Injection", "display_name": "T1055 - Process Injection" }, { "id": "T1082", "name": "System Information Discovery", "display_name": "T1082 - System Information Discovery" }, { "id": "T1112", "name": "Modify Registry", "display_name": "T1112 - Modify Registry" }, { "id": "T1119", "name": "Automated Collection", "display_name": "T1119 - Automated Collection" }, { "id": "T1129", "name": "Shared Modules", "display_name": "T1129 - Shared Modules" }, { "id": "T1143", "name": "Hidden Window", "display_name": "T1143 - Hidden Window" }, { "id": "T1063", "name": "Security Software Discovery", "display_name": "T1063 - Security Software Discovery" }, { "id": "T1027", "name": "Obfuscated Files or Information", "display_name": "T1027 - Obfuscated Files or Information" }, { "id": "T1071", "name": "Application Layer Protocol", "display_name": "T1071 - Application Layer Protocol" }, { "id": "T1518", "name": "Software Discovery", "display_name": "T1518 - Software Discovery" }, { "id": "T1553", "name": "Subvert Trust Controls", "display_name": "T1553 - Subvert Trust Controls" }, { "id": "T1568", "name": "Dynamic Resolution", "display_name": "T1568 - Dynamic Resolution" }, { "id": "T1583", "name": "Acquire Infrastructure", "display_name": "T1583 - Acquire Infrastructure" }, { "id": "T1069", "name": "Permission Groups Discovery", "display_name": "T1069 - Permission Groups Discovery" }, { "id": "T1105", "name": "Ingress Tool Transfer", "display_name": "T1105 - Ingress Tool Transfer" }, { "id": "T1113", "name": "Screen Capture", "display_name": "T1113 - Screen Capture" }, { "id": "T1140", "name": "Deobfuscate/Decode Files or Information", "display_name": "T1140 - Deobfuscate/Decode Files or Information" }, { "id": "T1197", "name": "BITS Jobs", "display_name": "T1197 - BITS Jobs" }, { "id": "T1210", "name": "Exploitation of Remote Services", "display_name": "T1210 - Exploitation of Remote Services" }, { "id": "T1457", "name": "Malicious Media Content", "display_name": "T1457 - Malicious Media Content" }, { "id": "T1480", "name": "Execution Guardrails", "display_name": "T1480 - Execution Guardrails" }, { "id": "T1562", "name": "Impair Defenses", "display_name": "T1562 - Impair Defenses" }, { "id": "T1574", "name": "Hijack Execution Flow", "display_name": "T1574 - Hijack Execution Flow" } ], "industries": [], "TLP": "green", "cloned_from": "69482caa00d327da8f0a87bc", "export_count": 0, "upvotes_count": 0, "downvotes_count": 0, "votes_count": 0, "locked": false, "pulse_source": "web", "validator_count": 0, "comment_count": 0, "follower_count": 0, "vote": 0, "author": { "username": "msudosos", "id": "381696", "avatar_url": "https://otx.alienvault.com/assets/images/default-avatar.png", "is_subscribed": false, "is_following": false }, "indicator_type_counts": { "URL": 8897, "domain": 2102, "hostname": 2867, "FileHash-SHA256": 3886, "FileHash-MD5": 619, "FileHash-SHA1": 555, "CVE": 3, "email": 5, "SSLCertFingerprint": 8 }, "indicator_count": 18942, "is_author": false, "is_subscribing": null, "subscriber_count": 47, "modified_text": "36 days ago ", "is_modified": false, "groups": [], "in_group": false, "threat_hunter_scannable": true, "threat_hunter_has_agents": 1, "related_indicator_type": "URL", "related_indicator_is_active": 1 }, { "id": "69b49587dd104e342dda1628", "name": "C Ahman Attorney Clone by Top Tier, Q.Vashti", "description": "", "modified": "2026-03-13T22:53:59.112000", "created": "2026-03-13T22:53:59.112000", "tags": [ "related pulses", "p1377925676", "gaz1", "sid1696503456", "sct1", "active", "dynamicloader", "medium", "write c", "search", "show", "high", "program gateway", "http traffic", "http", "write", "malware", "nivdort", "serving ip", "address", "status code", "kb body", "sha256", "gw5hjz7t975", "url https", "url http", "indicator role", "pulses url", "hostname", "poland unknown", "present sep", "present jul", "present may", "present apr", "present dec", "present jan", "moved", "passive dns", "ip address", "title", "location poland", "asn as29522", "gmt content", "accept encoding", "ipv4 add", "urls", "files", "reverse dns", "united", "record value", "aaaa", "mtb oct", "found", "error", "read c", "memcommit", "module load", "next", "showing", "trojan", "execution", "unknown", "entries", "ms windows", "intel", "as15169", "codeoverlap", "yara detections", "delphi", "worm", "win32", "win64", "learn", "ck id", "name tactics", "suspicious", "informative", "adversaries", "command", "spawns", "ssl certificate", "execution att", "script urls", "treece alfrey", "meta", "germany unknown", "for privacy", "title added", "active related", "pulses", "asnone", "named pipe", "type indicator", "role title", "added active", "filehashsha256", "ally", "melika", "information", "law christopher", "https", "fake pinterest", "tsara", "traceback man", "expiro", "capture", "domain", "types of", "germany", "poland", "netherlands", "cve cve20178977", "boobs130432 nov", "learn more", "filehashmd5", "utmsourceawin", "pe32", "head microsoft", "delete", "main", "backdoor", "next associated", "gmt connection", "control", "content type", "twitter", "certificate", "redirect date", "cache", "unknown ns", "hostname add", "ipv4", "pulse pulses", "location united", "america flag", "america asn", "windows", "total", "ids detections", "url add", "related nids", "files location", "flag united", "win32mydoom nov", "domain add", "yara rule", "ee fc", "ff d5", "f0 ff", "eb e1", "ff ff", "c1 e8", "c1 c0", "eb e8", "mpress", "cache control", "x cache", "date", "name servers", "arial", "present aug", "present jun", "may god", "hall render", "palantir doing", "jeffrey scott", "jeffrey reimer", "brian sabey", "butt pirates", "scott reimer", "colorado", "quasi government", "workers compensation", "eva lisa", "eva reimer", "sammie", "montano mark", "death threats", "tulach", "hired hit men", "gay man", "gay porn", "concentra", "corruption", "palantir", "foundry", "grifter", "warning", "illegal", "apple", "contacted", "ransom", "dead", "denver" ], "references": [ "https://tamlegal.com/attorneys/christopher-p-ahmann/#breadcrumb \u2022 https://www.milehighmedia.com/en/movies", "https://www.milehighmedia.com/legal/2257 \u2022 https://www.milehighmedia", "www.milehighmedia.com \u2022 https://www.milehighmedia.com/en/Charlie-Dean/pornstar/49512", "https://www.milehighmedia.com/en/login/index/aHR0cHMlM0ElMkYlMkZtZW1iZXJzLm1pbGVoaWdobWVkaWEuY29tJTJGZW4lMkZ2aWRlb3MlMkZzd2VldGhlYXJ0dmlkZW8lM0ZhbHVwJTNEQURqeF9ITjhfd1oweU96UnpsU3NNNUZLaVVxSzBXNEN0X3NmTFpKTGVJc3M2b0RVUzkwVmp6VllNVko5eFpmdENYcFNKd3IzOTNaMG1mOEpXeVhVeVZpLTJZYVRsaGd3M25DSDRpYnRwZ25BRC1zUFhDQVUycjZJOXo2WWtRMzNVWVFhMFZyWC1YckxvcnRkVjJZdEgxSDYxZ1lhMTFNS3RZSkEzY3FlSXhFQzhtSlAzSk1tbloySURMQXlMZndPcHozSFFiTzF4T0FseXJIQ0xYem1ldFElMkE=\t \thttp://www.milehighmedia.com/?ats=eyJhIjoyOTYzMTgsImMiOjU3OTYzNz", "http://www.milehighmedia.com/legal\t \u2022 https://www.milehighmedia.com/en/pornstar/milehighmedia/Justin-Hunt/51017", "https://www.milehighmedia.com/de/MileHighMedia/scene/129689?utm_source=271174&utm_medium=affiliate&utm_campaign=", "http://www.milehighmedia.com/?ats=eyJhIjoyOTYzMTgsImMiOjU3OTYzNzc1LCJuIjo3NiwicyI6NT...", "ttps://www.milehighmedia.com/scene/4404473/creampie-adventures-scene-2-sneaky-melanie", "https://www.milehighmedia.com/join \u2022 https://www.milehighmedia.com/models \u2022 https://www.milehighmedia.com/movies", "https://www.milehighmedia.com/model/59136/avi-love \u2022https://www.milehighmedia.com/model/60418/Justin-Hunt \u2022", "https://www.milehighmedia.com/en/photo/milehighmedia/The-Mother-I-Cant-Resist/52380", "https://www.milehighmedia.com/en/movies \u2022 https://www.milehighmedia.com/join", "https://www.pornhub.com/gifs/search?search=tsara+lynn+brashears+lesbian", "pornhub-e.com \u2022 www.pornhub.com \u2022", "https://www.sweetheartvideo.com/tsara-brashears/ \u2022 www.sweetheartvideo.com", "https://www.sweetheartvideo.com/en/?s=1?s=1&utm_source=272160&utm_medium=affiliate&utm_campaign=lovelezzies", "https://www.sweetheartvideo.com/en/dvd/Lesbian-Massage/49895", "https://www.sweetheartvideo.com/en/dvds \u2022 https://www.sweetheartvideo.com/en/login", "https://www.sweetheartvideo.com/en/model/Mona-Wales/49601 \u2022 https://www.sweetheartvideo.com/en/scene/Truth-Dare--Boobs/130432 No Expiration\t0\t URL https://www.sweetheartvideo.com/it/model/Kristen-Scott/50432 \u2022 https://www.sweetheartvideo.com/model/63710/brandi-love", "https://www.sweetheartvideo.com/scenes?models=63710", "https://www.sweetheartvideo.com/model/63710/brandi-love", "https://www.sweetheartvideo.com/scenes?models=63710", "https://www.sweetheartvideo.com/it/model/Kristen-Scott/50432", "https://www.sweetheartvideo.com/en/scene/Truth-Dare--Boobs/130432", "https://www.milehighmedia.com/en/photo/milehighmedia/The-Mother-I-Cant-Resist/52380", "https://www.vgt.pl/font/roboto/Roboto-Bold.eot \u2022", "https://www.vgt.pl/94.152.152.233/images/logo.png", "https://www.vgt.pl/94.152.156.22/logo.png \u2022 https://www.vgt.pl/css/", "https://www.vgt.pl/favicon.ico", "https://www.vgt.pl/font/fa/fontawesome-webfont.eot", "https://www.vgt.pl/font/roboto/Roboto-Bold.ttf \u2022 https://www.vgt.pl/font/roboto/Roboto-Light.eot", "https://www.vgt.pl/font/roboto/Roboto-Medium.ttf", "https://www.vgt.pl/font/roboto/Roboto-Light.ttf \u2022", "https://www.vgt.pl/static/js/bootstrap-typeahead.jstic/js/bootstrap-typeahead.js", "https://www.vgt.pl/style/style.css \u2022 https://www.vgt.pl/font/roboto/Roboto-Medium.eot", "https://www.vgt.pl/font/roboto/Roboto-Regular.ttf \u2022 https://www.vgt.pl/font/roboto/Roboto-Thin.eot", "https://www.vgt.pl/static/js/bootstrap-typeahead.js.179.252.2", "https://www.vgt.pl/font/roboto/Roboto-Thin.ttf \u2022 https://www.vgt.pl/static/js/bootstrap-typeahead.js", "https://www.vgt.pl/font/roboto/Roboto-Regular.eot \u2022 https://www.vgt.pl/94.152.156.22/logo.png \u2022 https://www.vgt.pl/css/", "vgt.pl \u2022 www.hak.vgt.pl \u2022 www.localhost.vgt.pl \u2022 www.certyfikat.vgt.pl \u2022 aristocrat.vgt.pl", "https://www.vgt.pl/ phishing \u2022 https://vgt.pl/ \u2022www.vgt.pl \u2022 https://www.vgt.pl/94.152.152.233/images/logo.png", "http://www.pornokind.vgt.pl \u2022 https://dbkuewww.m.vgt.pl \u2022 https://lokalnyhost.vgt.pl \u2022 www.xn--twj-hna.pedofil.vgt.pl", "http://www.hak.vgt.pl \u2022 http://pornokind.vgt.pl \u2022 http://sip.vgt.pl \u2022 http://smtp-qa.vgt.pl \u2022 http://vgt.pl/*.", "https://pornokind.vgt.pl \u2022 https://sip.vgt.pl \u2022 https://smtp-qa.vgt.pl \u2022 https://www.vgt.pl/94.152.156.22/logo.png", "www.localhost.vgt.pl \u2022 www.certyfikat.vgt.pl \u2022 https://www.vgt.pl/94.152.152.233/images/logo.png", "https://www.vgt.pl/css/ \u2022 https://www.vgt.pl/favicon.ico \u2022 https://www.vgt.pl/font/fa/fontawesome-webfont.eot", "https://www.vgt.pl/font/roboto/Roboto-Bold.eot \u2022 https://www.vgt.pl/font/roboto/Roboto-Bold.ttf \u2022 https://www.vgt.pl/font/roboto/Roboto-Light.eot", "https://www.vgt.pl/static/js/bootstrap-typeahead.jstic/js/bootstrap-typeahead.js", "https://www.vgt.pl/style/style.css \u2022 https://www.vgt.pl/static/js/bootstrap-typeahead.js", "IP Address 94.152.58.192 Location Poland ASN AS29522 h88 s.a. Nameservers ns1.kei.pl. , ns2.kei.pl.", "www.happylifehappywife.com \u2022 http://www.happylifehappywife.com/2010/02/'>", "http://www.happylifehappywife.com/2010/04/'> \u2022 http://www.happylifehappywife.com/2010/05/'>", "http://www.happylifehappywife.com/2010/07/'> \u2022 http://www.happylifehappywife.com/2010/09/'>", "http://www.happylifehappywife.com/2011/06/'> \u2022 http://www.happylifehappywife.com/2011/08/'", "http://www.happylifehappywife.com/2011/08/'> \u2022 http://www.happylifehappywife.com/2012/07/'>", "http://www.happylifehappywife.com/2013/03/'> \u2022 http://www.happylifehappywife.com/index.php", "http://www.happylifehappywife.com/wp-content/themes/theme78222/images/top-right.jpg", "https://amp.mypornvid.fun/videos/8/AhxS-ej1myg/gf-18-com/\ud83c\udf81-i39m-your-present-\ud83c\udf81-girlfriend-surprises-you-for-christmas-reunion-soft-kisses-amp-cuddles", "8-25-220-162-static.reverse.queryfoundry.net\t\t\tNov 1, 2025, 9:34:14 AM\t\t5\t domain\tqueryfoundry.net\t\t\tNov 1, 2025, 9:34:14 AM\t\t8\t URL\thttp://117-114-251-162-static.reverse.queryfoundry.net/", "http://watchhers.net/index.php", "remotewd.com device local", "nr-data.net \u2022 applemusic-spotlight.myunidays.com \u2022 init.ess.apple.com \u2022 tv.apple.com", "https://browntubeporn.com/tsara-brashearsAccept-Language", "https://cg864.myhotzpic.com phishing \u2022 http://dashboard.myhotzpic.com/", "https://myhotzpic.com/tsara-brashears-hardcore-lesbian-sex/anime-studio.org*thumbs-fa...", "https://mypornvid.com/videos/27/x510fb2/white-dpt-jeffrey-reimer-loves-pretty-indian-patient-forces-sex-3gp-video-tsara-brashears/caillou-finger", "http://siteinlink.d1.cnbd.net/search/tsara-brashears-dead \u2022 http://siteinlink.d1.cnbd.net/site/maps.google.com.lb/", "http://siteinlink.d1.cnbd.net/search/tsara-brashears-assaulted-by-jeffrey-reimer", "http://siteinlink.d1.cnbd.net/search/tsara-brashears-dead \u2022 https://videolal.com/videos/tsara-brashears-dead-by-daylight.html", "http://pixelrz.com/lists/keywords/tsara-brashears-dead/360 \u2022 http://pixelrz.com/lists/keywords/tsara-brashears-dead/360] No Expiration\t4\t Domain tsara-brashears-deadspin-twitter-suspended-account-help.ht", "https://www.anyxxxtube.net/search-porn/tsara-brashears/", "https://www.pornhub.com/gifs/search?search=tsara+lynn+brashears+lesbian", "https://www.anyxxxtube.net/search-porn/tsara-brashears/", "https://twitter.com/PORNO_SEXYBABES \u2022 girlsdoporn.com", "Treece Alfrey Musat P.C. Attorneys at Law Christopher P. Ahmann | https://TamLegal.com", "https://urlscan.io/screenshots/e931bb02-80dc-46db-92f0-43d5afa258be.png" ], "public": 1, "adversary": "", "targeted_countries": [], "malware_families": [ { "id": "TrojanSpy:Win32/Nivdort", "display_name": "TrojanSpy:Win32/Nivdort", "target": "/malware/TrojanSpy:Win32/Nivdort" }, { "id": "Worm:Win32/Autorun", "display_name": "Worm:Win32/Autorun", "target": "/malware/Worm:Win32/Autorun" }, { "id": "Tofsee", "display_name": "Tofsee", "target": null }, { "id": "Jaik", "display_name": "Jaik", "target": null }, { "id": "Trojan:Win32/Qshell", "display_name": "Trojan:Win32/Qshell", "target": "/malware/Trojan:Win32/Qshell" }, { "id": "Trojan:Win32/Mydoom", "display_name": "Trojan:Win32/Mydoom", "target": "/malware/Trojan:Win32/Mydoom" } ], "attack_ids": [ { "id": "T1045", "name": "Software Packing", "display_name": "T1045 - Software Packing" }, { "id": "T1057", "name": "Process Discovery", "display_name": "T1057 - Process Discovery" }, { "id": "T1060", "name": "Registry Run Keys / Startup Folder", "display_name": "T1060 - Registry Run Keys / Startup Folder" }, { "id": "T1053", "name": "Scheduled Task/Job", "display_name": "T1053 - Scheduled Task/Job" }, { "id": "T1055", "name": "Process Injection", "display_name": "T1055 - Process Injection" }, { "id": "T1082", "name": "System Information Discovery", "display_name": "T1082 - System Information Discovery" }, { "id": "T1112", "name": "Modify Registry", "display_name": "T1112 - Modify Registry" }, { "id": "T1119", "name": "Automated Collection", "display_name": "T1119 - Automated Collection" }, { "id": "T1129", "name": "Shared Modules", "display_name": "T1129 - Shared Modules" }, { "id": "T1143", "name": "Hidden Window", "display_name": "T1143 - Hidden Window" }, { "id": "T1063", "name": "Security Software Discovery", "display_name": "T1063 - Security Software Discovery" }, { "id": "T1027", "name": "Obfuscated Files or Information", "display_name": "T1027 - Obfuscated Files or Information" }, { "id": "T1071", "name": "Application Layer Protocol", "display_name": "T1071 - Application Layer Protocol" }, { "id": "T1518", "name": "Software Discovery", "display_name": "T1518 - Software Discovery" }, { "id": "T1553", "name": "Subvert Trust Controls", "display_name": "T1553 - Subvert Trust Controls" }, { "id": "T1568", "name": "Dynamic Resolution", "display_name": "T1568 - Dynamic Resolution" }, { "id": "T1583", "name": "Acquire Infrastructure", "display_name": "T1583 - Acquire Infrastructure" }, { "id": "T1069", "name": "Permission Groups Discovery", "display_name": "T1069 - Permission Groups Discovery" }, { "id": "T1105", "name": "Ingress Tool Transfer", "display_name": "T1105 - Ingress Tool Transfer" }, { "id": "T1113", "name": "Screen Capture", "display_name": "T1113 - Screen Capture" }, { "id": "T1140", "name": "Deobfuscate/Decode Files or Information", "display_name": "T1140 - Deobfuscate/Decode Files or Information" }, { "id": "T1197", "name": "BITS Jobs", "display_name": "T1197 - BITS Jobs" }, { "id": "T1210", "name": "Exploitation of Remote Services", "display_name": "T1210 - Exploitation of Remote Services" }, { "id": "T1457", "name": "Malicious Media Content", "display_name": "T1457 - Malicious Media Content" }, { "id": "T1480", "name": "Execution Guardrails", "display_name": "T1480 - Execution Guardrails" }, { "id": "T1562", "name": "Impair Defenses", "display_name": "T1562 - Impair Defenses" }, { "id": "T1574", "name": "Hijack Execution Flow", "display_name": "T1574 - Hijack Execution Flow" } ], "industries": [], "TLP": "green", "cloned_from": "691f4d4ef0a2a570b8b21cd2", "export_count": 0, "upvotes_count": 0, "downvotes_count": 0, "votes_count": 0, "locked": false, "pulse_source": "web", "validator_count": 0, "comment_count": 0, "follower_count": 0, "vote": 0, "author": { "username": "msudosos", "id": "381696", "avatar_url": "https://otx.alienvault.com/assets/images/default-avatar.png", "is_subscribed": false, "is_following": false }, "indicator_type_counts": { "URL": 8897, "domain": 2102, "hostname": 2867, "FileHash-SHA256": 3886, "FileHash-MD5": 619, "FileHash-SHA1": 555, "CVE": 3, "email": 5, "SSLCertFingerprint": 8 }, "indicator_count": 18942, "is_author": false, "is_subscribing": null, "subscriber_count": 47, "modified_text": "36 days ago ", "is_modified": false, "groups": [], "in_group": false, "threat_hunter_scannable": true, "threat_hunter_has_agents": 1, "related_indicator_type": "URL", "related_indicator_is_active": 1 }, { "id": "697cdce9ec418c422eee2054", "name": "Device Isolation: Lumen Technologies | Palantir and \u2018Boots on the Ground Operations\u2019", "description": "Device Isolation: Lumen Technologies (formerly CenturyLink) deployed as an admin on iOS devices. Standard factory resets may prove ineffective. Complete hardware \"air-gap\" or clean devices that have never touched your home network may be best option for deeply monitored targets.\n\nSummary of the Campaign:\nThe involvement of Lumen Technologies (as an unwanted admin), Foundry (Palantir) for data mapping, and Mirai Botnet for network disruption represents a \"scorched earth\" approach to digital destruction. Target treated as a criminal through Cellebrite, implicates specific attackers attempted to legalize what was actually a predatory stalking campaign/s.\n\n\nSurveillance Overlap: The use of Lumen Technologies and Palantir, tools allows for real-time tracking of a target's physical location\u2014explains how \u2018boots on the ground\u2019 offenders can stalk , surveillance , confront, assault and engage in various damaging attacks of specific monitored targets.", "modified": "2026-03-01T16:05:57.375000", "created": "2026-01-30T16:31:37.011000", "tags": [ "url https", "url http", "tlsv1", "whitelisted", "united", "read c", "as15169", "stcalifornia", "execution", "dock", "write", "persistence", "malware", "encrypt", "active", "lumen technologies", "number", "error", "regexp", "sxa0", "amptoken", "optout", "retrieving", "notfound", "unknown", "form", "flash", "backdoor", "writeconsolew", "yara detections", "command line", "pdb path", "pe resource", "internalname", "windows command", "A", "aws", "name servers", "url analysis", "passive dns", "urls", "data upload", "extraction", "palantir", "c2", "aerospace", "tracking", "spywatchdog", "palapa-c2", "communications satellite", "amazon", "hughesnet", "icmp traffic", "washington c", "washington ou", "mopr", "mon jul", "local", "dynamic", "apple", "network", "t1057", "discovery", "t1069", "t1071", "protocol", "t1105", "tool transfer", "t1480", "guardrails", "t1566", "present jan", "unknown ns", "ip address", "dnssec", "domain", "dynamic dns", "government", "pcup", "germany unknown", "link", "dns hosting", "cloudns", "cloud dns", "a domains", "ipv4 add", "title", "meta", "class", "servers", "present aug", "aaaa", "present sep", "present nov", "present jul", "present may", "moved", "canada unknown", "begin", "record value", "gmt content", "type", "hostname add", "files", "ascii text", "pattern match", "href", "mitre att", "ck id", "ck matrix", "network traffic", "et info", "general", "path", "click", "learn", "command", "name tactics", "suspicious", "informative", "adversaries", "input url", "defense evasion", "france", "ireland", "netherlands", "denmark", "united kingdom", "type indicator", "role title", "added active", "savvis", "centurylinktechnology", "hybrid analysis", "monitoring tools", "monitored target", "triangulation", "worm", "intel", "ms windows", "pe32", "write c", "delete c", "show", "russia as47764", "unix", "lsan jose", "odigicert inc", "markus", "url add", "http", "related nids", "files location", "russia flag", "russia hostname", "russia", "russia unknown", "hosting", "federation flag", "body", "gmt vary", "accept encoding", "gmt cache", "certificate", "pulse submit", "unknown aaaa", "search", "entries", "script domains", "script urls", "pdx cf" ], "references": [ "\u2018Lumen Technologies\u2019 Acting as administrator of a targeted Apple IOS device", "Yare: compromised_site_redirector_fromcharcode", "Alerts: network_icmp nolookup_communication js_eval recon_fingerprint", "Alerts: console_output has_pdb pe_unknown_resource_name", "File Type PEXE - PE32+ executable (console) x86-64, for MS Windows ..", "Tipped: A targets AI and other cyber research findings.", "A \u2018Target\u2019 became a \u2018Target\u2019 vja close association to main Target of predatory retaliation campaign.", "track.spywarewatchdog.org \u2022 https://track.spywarewatchdog.org - monitoring software", "https://palapa.c.id\t (c.id)", "Containers-Pecorino.PalantirGov.com -pecorino.palantirgov.com", "cedevice.io \u2022 decagonsoftware.com", "http://applevless.dns-dynamic.net/\t\u2022 dns-dynamic.net", "http://www.pcup.gov.ph/images/2018/pdf/ComEnBancReso/Commission_Resolution_07s2018.PDF", "pcup.gov.ph:", "http://www.pcup.gov.ph/images/pdf/Contract_of_SecurityServices2013.pdf pcup.gov.ph:", "https://pcup.gov.ph/375 pcup.gov.ph: | https://www.pcup.gov.ph/ pcup.gov.ph:", "https://elegantcosmedampyeah.pages.dev/", "https://www.ptv.vic.gov.au/more/travelling-on-the-network/lets-go/", "inst.govelopscold.com", "https://feedback.ptv.vic.gov.au/360", "nginx-php.7d4jelnf.trdlpbvl.sdp3.sdp.vic.gov.au", "nginx-php.standby.content-premier-vic-gov-au.sdp3.sdp.vic.gov.au", "https://hybrid-analysis.com/sample/a16d11910953b800369dbb667f178b3cc45cb8e3315217c0e6ceac68eeba206d", "https://brand.centurylinktechnology.com", "https://prod.centurylinktechnology.com", "https://brand2.centurylinktechnology.com", "https://mobile-pocket-guide.centurylinktechnology.com", "UPX_OEP_place", "Russia or Muskware? URL http://store.7box.vip/ad/C467F60A1AD6.Jpeg", "ASP. NET", "https://connect.facebook.net/en_US/sdk.js#xfbml=1&version=v4.0&appId=705930270206797&autoLogAppEvents=1 Akamai rank:", "7box.vip" ], "public": 1, "adversary": "", "targeted_countries": [ "United States of America" ], "malware_families": [ { "id": "Trojan.Tofsee/Botx", "display_name": "Trojan.Tofsee/Botx", "target": null }, { "id": "ALF:JASYP:Trojan:Win32/IRCbot!atmn", "display_name": "ALF:JASYP:Trojan:Win32/IRCbot!atmn", "target": null }, { "id": "PWS:Win32/Axespec.A", "display_name": "PWS:Win32/Axespec.A", "target": "/malware/PWS:Win32/Axespec.A" }, { "id": "Worm:Win32/Lightmoon.H", "display_name": "Worm:Win32/Lightmoon.H", "target": "/malware/Worm:Win32/Lightmoon.H" } ], "attack_ids": [ { "id": "T1053", "name": "Scheduled Task/Job", "display_name": "T1053 - Scheduled Task/Job" }, { "id": "T1055", "name": "Process Injection", "display_name": "T1055 - Process Injection" }, { "id": "T1082", "name": "System Information Discovery", "display_name": "T1082 - System Information Discovery" }, { "id": "T1112", "name": "Modify Registry", "display_name": "T1112 - Modify Registry" }, { "id": "T1119", "name": "Automated Collection", "display_name": "T1119 - Automated Collection" }, { "id": "T1129", "name": "Shared Modules", "display_name": "T1129 - Shared Modules" }, { "id": "T1143", "name": "Hidden Window", "display_name": "T1143 - Hidden Window" }, { "id": "TA0003", "name": "Persistence", "display_name": "TA0003 - Persistence" }, { "id": "T1147", "name": "Hidden Users", "display_name": "T1147 - Hidden Users" }, { "id": "T1041", "name": "Exfiltration Over C2 Channel", "display_name": "T1041 - Exfiltration Over C2 Channel" }, { "id": "T1071.004", "name": "DNS", "display_name": "T1071.004 - DNS" }, { "id": "T1439", "name": "Eavesdrop on Insecure Network Communication", "display_name": "T1439 - Eavesdrop on Insecure Network Communication" }, { "id": "T1410", "name": "Network Traffic Capture or Redirection", "display_name": "T1410 - Network Traffic Capture or Redirection" }, { "id": "T1449", "name": "Exploit SS7 to Redirect Phone Calls/SMS", "display_name": "T1449 - Exploit SS7 to Redirect Phone Calls/SMS" }, { "id": "T1155", "name": "AppleScript", "display_name": "T1155 - AppleScript" }, { "id": "T1583.005", "name": "Botnet", "display_name": "T1583.005 - Botnet" }, { "id": "T1557", "name": "Man-in-the-Middle", "display_name": "T1557 - Man-in-the-Middle" }, { "id": "T1012", "name": "Query Registry", "display_name": "T1012 - Query Registry" }, { "id": "T1057", "name": "Process Discovery", "display_name": "T1057 - Process Discovery" }, { "id": "T1069", "name": "Permission Groups Discovery", "display_name": "T1069 - Permission Groups Discovery" }, { "id": "T1071", "name": "Application Layer Protocol", "display_name": "T1071 - Application Layer Protocol" }, { "id": "T1105", "name": "Ingress Tool Transfer", "display_name": "T1105 - Ingress Tool Transfer" }, { "id": "T1132", "name": "Data Encoding", "display_name": "T1132 - Data Encoding" }, { "id": "T1480", "name": "Execution Guardrails", "display_name": "T1480 - Execution Guardrails" }, { "id": "T1566", "name": "Phishing", "display_name": "T1566 - Phishing" }, { "id": "T1573", "name": "Encrypted Channel", "display_name": "T1573 - Encrypted Channel" }, { "id": "T1078.004", "name": "Cloud Accounts", "display_name": "T1078.004 - Cloud Accounts" }, { "id": "T1069.003", "name": "Cloud Groups", "display_name": "T1069.003 - Cloud Groups" }, { "id": "T1562.001", "name": "Disable or Modify Tools", "display_name": "T1562.001 - Disable or Modify Tools" }, { "id": "T1113", "name": "Screen Capture", "display_name": "T1113 - Screen Capture" }, { "id": "T1071.001", "name": "Web Protocols", "display_name": "T1071.001 - Web Protocols" } ], "industries": [], "TLP": "green", "cloned_from": null, "export_count": 3, "upvotes_count": 0, "downvotes_count": 0, "votes_count": 0, "locked": false, "pulse_source": "web", "validator_count": 0, "comment_count": 1, "follower_count": 0, "vote": 0, "author": { "username": "Q.Vashti", "id": "337942", "avatar_url": "https://otx.alienvault.com/assets/images/default-avatar.png", "is_subscribed": false, "is_following": false }, "indicator_type_counts": { "FileHash-MD5": 102, "FileHash-SHA1": 59, "FileHash-SHA256": 1929, "domain": 854, "hostname": 2156, "URL": 4475, "SSLCertFingerprint": 9, "email": 7, "CVE": 1 }, "indicator_count": 9592, "is_author": false, "is_subscribing": null, "subscriber_count": 138, "modified_text": "49 days ago ", "is_modified": true, "groups": [], "in_group": false, "threat_hunter_scannable": true, "threat_hunter_has_agents": 1, "related_indicator_type": "URL", "related_indicator_is_active": 1 }, { "id": "69770bdfbdd845a3d5cb2484", "name": "Drive-by Compromise | Rootkit installed on Apple Device", "description": "Drive-by Compromise | Rootkit installed on Apple Device | The devices in this example are obviously compromised. We tested a device another Apple device by viewing a Sprouts Farmers Market E-commerce website. The App crashed revealing the source of the issue. I admit that even though device is HEAVILY compromised by threat actors; it continued to preform.\nThis week the Apple devices have experienced a series of BLACK & PINK stutters One had the letter \u2018P\u2019. The most important part of the research is who & why someone targets victims of crime who are either deceased or catastrophically injured. One victims \u2018voice\u2019 has been captured and is now calling people she knew and creeping them out. \n\nAlso curious about the \u2018Hello\u2019 api lineages. Malware packed. Check-ins & Bot Network found.\n\n[OTX auto populated- Here is the full list of URLs from the 20th anniversary of the birth of Daylin Olson, who was born and raised in New York in the US, and who he is now.]\n\n#stop", "modified": "2026-02-25T06:02:12.072000", "created": "2026-01-26T06:38:23.334000", "tags": [ "url https", "url http", "netherlands", "france", "united", "canada", "spain", "ascii text", "pattern match", "mitre att", "ck id", "null", "refresh", "title", "span", "hybrid", "general", "local", "path", "strings", "error", "tools", "look", "verify", "restart", "meta", "form", "bad traffic", "et info", "tls handshake", "failure", "flag", "windir", "openurl c", "prefetch2", "analysis", "ck matrix", "href", "network traffic", "encrypt", "learn", "name tactics", "suspicious", "informative", "command", "adversaries", "spawns", "ssl certificate", "initial access", "zerobits", "allocationtype", "protect", "programfiles", "processhandle", "commitsize", "viewsize", "regionsize", "viewsize d5000", "viewsize c9000", "phishing", "filehandle", "report uid", "handles modules", "files amsi", "streams", "path filehandle", "porthandle", "modules files", "amsi streams", "accept", "starfield", "onload", "root", "backdoor", "passive dns", "next associated", "gmt location", "ipv4 add", "urls", "files", "search", "domain address", "markmonitor", "name server", "se referen", "ntprotec", "data upload", "extraction", "country", "overview dns", "requests domain", "date", "contacted hosts", "ip address", "defense evasion", "found", "size", "mask", "enterprise", "trojanspy", "checkin", "gmt content", "vercel x", "twitter", "trojan", "malware", "for privacy", "servers", "domains ii", "record value", "ca issuers", "unknown aaaa", "status", "present jul", "moved", "present jan", "present oct", "present sep", "unknown ns", "present dec", "ipv4", "url analysis", "location united", "1.25.26", "q.vashti pulse", "cloud", "foundry", "process details", "formbook cnc", "cape", "autoit", "high", "formbook", "yara rule", "delete", "get na", "write", "unknown", "copy", "autoit error", "autoIt paused", "global", "div div", "script script", "h6 div", "p div", "registrar", "project", "showing", "emails", "name servers", "ids detec", "domain", "hostname", "hello", "spyware" ], "references": [ "https://hello.extendedstay.com/api/mailings/unsubscribe/PMRGSZBCHIYTGOBWGYYTOLBCN5ZGOIR2EI2DGYZVMQ3DMNZNGY3GEYZNGQ2GIMBNMEYGENBNGQZDMMZYGA3DGZRZGI4SELBCOZSXE43JN5XCEORCGQRCYITTNFTSEORCHAZEKSCRNZ3UWTKHLA4US2BWNFVWK2SKKNXHAZTBO5RGOY2FGFYUOTTGNRJHQ5RZFU4TAPJCPU", "NtProtectVirtualMemory@NTDLL.DLL", "66.33.60.130 command_and_control", "76.76.21.61 command_and_control", "IDS Detections Trojan.Generic.KDV.545753 Checkin", "https://communityinviter.com/apps/cloudfoundry/cloud-foundry", "http://cve.chainguard.dev", "http://partners.spycloud.com", "https://signin-pro-azure.crayon.com/signin-oidc", "Invalid IP (052.105.023.053)", "https://codesearch.criteois.com/opengrok/search?q=", "https://grok-chatbot.tapnetic.pro/$", "spywarewatchdog.org", "http://git.spywarewatchdog.org", "https://bot.dev.talos-systems.io/", "https://otx.alienvault.com/pulse/6976d6afd744c55bd596ed6e" ], "public": 1, "adversary": "", "targeted_countries": [ "United States of America" ], "malware_families": [ { "id": "Win.Dropper.Gh0stRAT-10028210-0", "display_name": "Win.Dropper.Gh0stRAT-10028210-0", "target": null }, { "id": "Backdoor:Win32/Kanav.A", "display_name": "Backdoor:Win32/Kanav.A", "target": "/malware/Backdoor:Win32/Kanav.A" }, { "id": "Win.Trojan.Upatre-3371", "display_name": "Win.Trojan.Upatre-3371", "target": null }, { "id": "TrojanDownloader:Win32/Upatre.A", "display_name": "TrojanDownloader:Win32/Upatre.A", "target": "/malware/TrojanDownloader:Win32/Upatre.A" }, { "id": "Win.Trojan.Upatre-3371", "display_name": "Win.Trojan.Upatre-3371", "target": null }, { "id": "TrojanDownloader:Win32/Upatre.A", "display_name": "TrojanDownloader:Win32/Upatre.A", "target": "/malware/TrojanDownloader:Win32/Upatre.A" }, { "id": "Win.Dropper.LokiBot-10010685-0", "display_name": "Win.Dropper.LokiBot-10010685-0", "target": null }, { "id": "Win.Packed.Dapato-10021645-0", "display_name": "Win.Packed.Dapato-10021645-0", "target": null }, { "id": "TrojanSpy:Win32/Nivdort.CW", "display_name": "TrojanSpy:Win32/Nivdort.CW", "target": "/malware/TrojanSpy:Win32/Nivdort.CW" }, { "id": "Win.Packed.Malwarex-9792170-0", "display_name": "Win.Packed.Malwarex-9792170-0", "target": null }, { "id": "Trojan:Win32/Glupteba.MT!MTB", "display_name": "Trojan:Win32/Glupteba.MT!MTB", "target": "/malware/Trojan:Win32/Glupteba.MT!MTB" }, { "id": "AutoIt", "display_name": "AutoIt", "target": null }, { "id": "FormBook", "display_name": "FormBook", "target": null } ], "attack_ids": [ { "id": "T1057", "name": "Process Discovery", "display_name": "T1057 - Process Discovery" }, { "id": "T1069", "name": "Permission Groups Discovery", "display_name": "T1069 - Permission Groups Discovery" }, { "id": "T1071", "name": "Application Layer Protocol", "display_name": "T1071 - Application Layer Protocol" }, { "id": "T1105", "name": "Ingress Tool Transfer", "display_name": "T1105 - Ingress Tool Transfer" }, { "id": "T1480", "name": "Execution Guardrails", "display_name": "T1480 - Execution Guardrails" }, { "id": "T1568", "name": "Dynamic Resolution", "display_name": "T1568 - Dynamic Resolution" }, { "id": "T1113", "name": "Screen Capture", "display_name": "T1113 - Screen Capture" }, { "id": "T1598", "name": "Phishing for Information", "display_name": "T1598 - Phishing for Information" }, { "id": "T1456", "name": "Drive-by Compromise", "display_name": "T1456 - Drive-by Compromise" }, { "id": "T1189", "name": "Drive-by Compromise", "display_name": "T1189 - Drive-by Compromise" }, { "id": "T1553", "name": "Subvert Trust Controls", "display_name": "T1553 - Subvert Trust Controls" }, { "id": "T1583", "name": "Acquire Infrastructure", "display_name": "T1583 - Acquire Infrastructure" }, { "id": "T1115", "name": "Clipboard Data", "display_name": "T1115 - Clipboard Data" }, { "id": "T1069.002", "name": "Domain Groups", "display_name": "T1069.002 - Domain Groups" }, { "id": "T1568.002", "name": "Domain Generation Algorithms", "display_name": "T1568.002 - Domain Generation Algorithms" }, { "id": "T1116", "name": "Code Signing", "display_name": "T1116 - Code Signing" }, { "id": "T1071.001", "name": "Web Protocols", "display_name": "T1071.001 - Web Protocols" }, { "id": "T1071.004", "name": "DNS", "display_name": "T1071.004 - DNS" }, { "id": "T1059", "name": "Command and Scripting Interpreter", "display_name": "T1059 - Command and Scripting Interpreter" }, { "id": "T1562", "name": "Impair Defenses", "display_name": "T1562 - Impair Defenses" }, { "id": "T1590", "name": "Gather Victim Network Information", "display_name": "T1590 - Gather Victim Network Information" }, { "id": "T1140", "name": "Deobfuscate/Decode Files or Information", "display_name": "T1140 - Deobfuscate/Decode Files or Information" }, { "id": "T1014", "name": "Rootkit", "display_name": "T1014 - Rootkit" }, { "id": "T1016", "name": "System Network Configuration Discovery", "display_name": "T1016 - System Network Configuration Discovery" }, { "id": "T1083", "name": "File and Directory Discovery", "display_name": "T1083 - File and Directory Discovery" }, { "id": "T1204", "name": "User Execution", "display_name": "T1204 - User Execution" }, { "id": "T1583.001", "name": "Domains", "display_name": "T1583.001 - Domains" }, { "id": "T1562.001", "name": "Disable or Modify Tools", "display_name": "T1562.001 - Disable or Modify Tools" }, { "id": "T1553.002", "name": "Code Signing", "display_name": "T1553.002 - Code Signing" }, { "id": "T1016.001", "name": "Internet Connection Discovery", "display_name": "T1016.001 - Internet Connection Discovery" }, { "id": "T1584.005", "name": "Botnet", "display_name": "T1584.005 - Botnet" }, { "id": "T1583.004", "name": "Server", "display_name": "T1583.004 - Server" }, { "id": "T1078.004", "name": "Cloud Accounts", "display_name": "T1078.004 - Cloud Accounts" }, { "id": "T1584.003", "name": "Virtual Private Server", "display_name": "T1584.003 - Virtual Private Server" } ], "industries": [ "Ecommerce", "Government" ], "TLP": "green", "cloned_from": null, "export_count": 1, "upvotes_count": 0, "downvotes_count": 0, "votes_count": 0, "locked": false, "pulse_source": "web", "validator_count": 0, "comment_count": 0, "follower_count": 0, "vote": 0, "author": { "username": "Q.Vashti", "id": "337942", "avatar_url": "https://otx.alienvault.com/assets/images/default-avatar.png", "is_subscribed": false, "is_following": false }, "indicator_type_counts": { "URL": 6777, "domain": 907, "hostname": 2070, "FileHash-SHA256": 1120, "FileHash-MD5": 202, "FileHash-SHA1": 184, "SSLCertFingerprint": 23, "email": 4 }, "indicator_count": 11287, "is_author": false, "is_subscribing": null, "subscriber_count": 139, "modified_text": "53 days ago ", "is_modified": true, "groups": [], "in_group": false, "threat_hunter_scannable": true, "threat_hunter_has_agents": 1, "related_indicator_type": "URL", "related_indicator_is_active": 1 }, { "id": "6964c08bf79bcb252eaa9e15", "name": "TrojanSpy - Spotify account under an attack which conceals artists releases / deletes followers", "description": "Spotify Attacks: TrojanSpy - Streamer Spotify account under an attack which conceals artists releases / deletes followers. The attack is adversarial. I\u2019m unclear how widespread it is. . Further research required. OTX auto generated Pegasus. Released work that was once viewable is now concealed, followers deleted.\n#cloudfront #spyware #delete_service #cloudfront_attacks", "modified": "2026-02-11T09:03:20.933000", "created": "2026-01-12T09:36:11.701000", "tags": [ "google", "fastly", "googlecl", "january", "http", "domain", "akamaias", "cloudflar", "page url", "de summary", "april", "reverse dns", "url https", "general full", "software", "united", "resource hash", "protocol h3", "security quic", "protocol h2", "security tls", "main", "present jan", "title", "gmt max", "certificate", "moved", "lowfi", "gmt content", "meta", "present dec", "status", "aaaa", "passive dns", "urls", "search", "expiration date", "win32", "files", "verdict", "files ip", "address", "mtb jan", "trojandropper", "backdoor", "win32upatre jan", "origin trial", "gmt cache", "443 ma2592000", "possible", "worm", "trojan", "ip address", "record value", "dark", "found", "ipv4 add", "error", "trojanspy", "emails", "servers", "pegasus", "america flag", "america asn", "tlsv1", "read c", "show", "medium", "lstockholm", "ospotify ab", "odigicert inc", "execution", "next", "dock", "write", "persistence", "dynamicloader", "yara rule", "ms windows", "pe32", "named pipe", "smartassembly", "delphi", "malware", "united states", "pe file", "filehash", "md5 add", "av detections", "ids detections", "yara detections", "alerts", "high", "write c", "tls sni", "tls handshake", "delete", "as15169", "stun binding", "request", "port", "win64", "themida", "guard", "risepro", "sha256", "sha1", "pattern match", "ascii text", "size", "mitre att", "ck id", "null", "refresh", "span", "hybrid", "general", "local", "path", "click", "strings", "tools", "look", "verify", "restart", "learn", "command", "name tactics", "suspicious", "informative", "spawns", "ck techniques", "evasion att", "t1480 execution", "directui", "element", "hwndhost", "classinfobase", "hwndelement", "value", "explorer", "insert", "movie", "hacktool", "showing", "entries http", "scans show", "california", "location united", "next associated", "pulse pulses", "name servers", "found request", "unique", "url add", "related nids", "files location", "expiration", "flag united", "present nov", "present sep", "href", "suricata stream", "command decode", "starfield", "encrypt", "iframe", "date", "title error", "hostname", "pulse submit", "memcommit", "checks", "windows", "capture", "cloudfront", "colorado", "creation date", "hostname add", "eset", "binary file", "pdb path", "internalname", "nod32", "amon" ], "references": [ "open.spotify.com \u2022", "https://open.spotify.com/intl-de/track/5KjB1j0u54VXg6M8SN8hH2", "https://open.spotify.com/track/5KjB1j0u54VXg6M8SN8hH2", "FileHash-SHA256 cb40cd426d6e55c2b175b5be3327bfdf8d5a0074bf48b823121bd4720ed2ad95", "events.launchdarkly.com \u2022 clientstream.launchdarkly. \u2022 app.launchdarkly.com", "https://target.tccwest.www.littleswimmers.fr/", "www.onyx-ware.com \u2022 endgamesystems.com", "cloudfront.net \u2022 d127qq8ld0aiq5.cloudfront.net" ], "public": 1, "adversary": "", "targeted_countries": [], "malware_families": [ { "id": "TrojanSpy", "display_name": "TrojanSpy", "target": null }, { "id": "Win.Packed.Stealerc-10017074-0", "display_name": "Win.Packed.Stealerc-10017074-0", "target": null }, { "id": "#Lowfi:Win32/AutoIt", "display_name": "#Lowfi:Win32/AutoIt", "target": "/malware/#Lowfi:Win32/AutoIt" }, { "id": "Win.Packed.Generic-9967832-0", "display_name": "Win.Packed.Generic-9967832-0", "target": null }, { "id": "TrojanSpy:MSIL/Yakbeex.A", "display_name": "TrojanSpy:MSIL/Yakbeex.A", "target": "/malware/TrojanSpy:MSIL/Yakbeex.A" }, { "id": "Pegasus", "display_name": "Pegasus", "target": null }, { "id": "Win32:HacktoolX-gen\\ [Trj]", "display_name": "Win32:HacktoolX-gen\\ [Trj]", "target": null }, { "id": "nUFS_unicode", "display_name": "nUFS_unicode", "target": null }, { "id": "HackTool:Win32/CobaltStrike.A", "display_name": "HackTool:Win32/CobaltStrike.A", "target": "/malware/HackTool:Win32/CobaltStrike.A" }, { "id": "Win.Dropper.PoisonIvy-9876745-0", "display_name": "Win.Dropper.PoisonIvy-9876745-0", "target": null }, { "id": "Trojan:Win32/Zombie.A", "display_name": "Trojan:Win32/Zombie.A", "target": "/malware/Trojan:Win32/Zombie.A" }, { "id": "Win.Trojan.Barys-10005825-0", "display_name": "Win.Trojan.Barys-10005825-0", "target": null } ], "attack_ids": [ { "id": "T1102", "name": "Web Service", "display_name": "T1102 - Web Service" }, { "id": "T1053", "name": "Scheduled Task/Job", "display_name": "T1053 - Scheduled Task/Job" }, { "id": "T1055", "name": "Process Injection", "display_name": "T1055 - Process Injection" }, { "id": "T1082", "name": "System Information Discovery", "display_name": "T1082 - System Information Discovery" }, { "id": "T1112", "name": "Modify Registry", "display_name": "T1112 - Modify Registry" }, { "id": "T1119", "name": "Automated Collection", "display_name": "T1119 - Automated Collection" }, { "id": "T1129", "name": "Shared Modules", "display_name": "T1129 - Shared Modules" }, { "id": "T1143", "name": "Hidden Window", "display_name": "T1143 - Hidden Window" }, { "id": "T1045", "name": "Software Packing", "display_name": "T1045 - Software Packing" }, { "id": "T1063", "name": "Security Software Discovery", "display_name": "T1063 - Security Software Discovery" }, { "id": "TA0003", "name": "Persistence", "display_name": "TA0003 - Persistence" }, { "id": "T1057", "name": "Process Discovery", "display_name": "T1057 - Process Discovery" }, { "id": "T1060", "name": "Registry Run Keys / Startup Folder", "display_name": "T1060 - Registry Run Keys / Startup Folder" }, { "id": "T1069", "name": "Permission Groups Discovery", "display_name": "T1069 - Permission Groups Discovery" }, { "id": "T1071", "name": "Application Layer Protocol", "display_name": "T1071 - Application Layer Protocol" }, { "id": "T1105", "name": "Ingress Tool Transfer", "display_name": "T1105 - Ingress Tool Transfer" }, { "id": "T1480", "name": "Execution Guardrails", "display_name": "T1480 - Execution Guardrails" }, { "id": "T1113", "name": "Screen Capture", "display_name": "T1113 - Screen Capture" }, { "id": "T1587.001", "name": "Malware", "display_name": "T1587.001 - Malware" }, { "id": "T1069.002", "name": "Domain Groups", "display_name": "T1069.002 - Domain Groups" }, { "id": "T1071.001", "name": "Web Protocols", "display_name": "T1071.001 - Web Protocols" }, { "id": "T1140", "name": "Deobfuscate/Decode Files or Information", "display_name": "T1140 - Deobfuscate/Decode Files or Information" }, { "id": "T1059", "name": "Command and Scripting Interpreter", "display_name": "T1059 - Command and Scripting Interpreter" }, { "id": "T1189", "name": "Drive-by Compromise", "display_name": "T1189 - Drive-by Compromise" }, { "id": "T1553", "name": "Subvert Trust Controls", "display_name": "T1553 - Subvert Trust Controls" }, { "id": "T1562", "name": "Impair Defenses", "display_name": "T1562 - Impair Defenses" }, { "id": "T1566", "name": "Phishing", "display_name": "T1566 - Phishing" }, { "id": "T1568", "name": "Dynamic Resolution", "display_name": "T1568 - Dynamic Resolution" }, { "id": "T1583", "name": "Acquire Infrastructure", "display_name": "T1583 - Acquire Infrastructure" }, { "id": "T1056", "name": "Input Capture", "display_name": "T1056 - Input Capture" }, { "id": "T1158", "name": "Hidden Files and Directories", "display_name": "T1158 - Hidden Files and Directories" }, { "id": "TA0037", "name": "Command and Control", "display_name": "TA0037 - Command and Control" } ], "industries": [ "Entertainment", "Technology" ], "TLP": "white", "cloned_from": null, "export_count": 2, "upvotes_count": 0, "downvotes_count": 0, "votes_count": 0, "locked": false, "pulse_source": "web", "validator_count": 0, "comment_count": 0, "follower_count": 0, "vote": 0, "author": { "username": "Q.Vashti", "id": "337942", "avatar_url": "https://otx.alienvault.com/assets/images/default-avatar.png", "is_subscribed": false, "is_following": false }, "indicator_type_counts": { "hostname": 1293, "URL": 3389, "FileHash-MD5": 635, "FileHash-SHA1": 531, "FileHash-SHA256": 2345, "domain": 501, "email": 12, "SSLCertFingerprint": 16 }, "indicator_count": 8722, "is_author": false, "is_subscribing": null, "subscriber_count": 138, "modified_text": "67 days ago ", "is_modified": true, "groups": [], "in_group": false, "threat_hunter_scannable": true, "threat_hunter_has_agents": 1, "related_indicator_type": "URL", "related_indicator_is_active": 1 }, { "id": "69642a749490c0bf404aa8ac", "name": "Google Services - Malware Packed Google Branded Services", "description": "Contacted Google services | Service (1 of 3) || GoogleChromeElevationService | Mofksys \u2022 Unruy | Relationship: https://otx.alienvault.com/pulse/69640c0afc9805a6fa2da07b | \n#affilliated #worm _#exploit #alternate_google #infection #spyware", "modified": "2026-02-10T22:01:54.041000", "created": "2026-01-11T22:55:48.308000", "tags": [ "write c", "write", "delete c", "ms windows", "pe32 executable", "globalc", "united", "worm", "malware", "defender", "united states", "google", "google account", "mtb ids", "cloudflare dns", "https domain", "tls sni", "medium priority", "yara detections", "alerts", "google play", "google api", "google chrome", "mofksys", "exploit", "process32nextw", "msie", "windows nt", "wow64", "slcc2", "media center", "search", "precreate read", "read c", "dock", "unknown", "suspicious", "alt google", "execution att", "lowfi", "mtb jan", "trojandropper", "passive dns", "backdoor", "win32upatre jan", "origin trial", "gmt cache", "443 ma2592000", "possible", "trojan", "title", "mtb dec", "ipv4 add", "state", "trojan", "dropper", "phishing", "ransom", "of colorado" ], "references": [ "accounts.google.com \u2022 apis.google.com clients2.google.com \u2022 clients2.googleusercontent.com", "142.251.9.95 \u2022 https://clients2.google.com/cr/report \u2022 accounts.google.com \u2022", "ogads-pa.clients6.google.com \u2022 optimizationguide-pa.googleapis.com \u2022 play.google.com", "update.googleapis.com \u2022 www.google.com \u2022 clientservices.googleapis.com", "Worm:Win32/Mofksys.RND!MTB | Yara Detections: SUSP_Imphash_Mar23_2", "IDS Detection: Observed Cloudflare DNS over HTTPS \u2022 Domain (cloudflare-dns .com in TLS SNI)", "Alerts: suspicious_iocontrol_codes infostealer_cookies persistence_autorun antisandbox_sleep", "Alerts: persistence_autorun_tasks polymorphic procmem_yara static_pe_anomaly antiav_detectfile", "Alerts: antiav_detectreg antivm_bochs_keys antivm_generic_disk infostealer_mail injection_write", "Alerts: suspicious_command_tools anomalous_deletefile mouse_movement_detect", "Alerts: dynamic_function_loading resumethread_remote_process stealth_hiddenreg", "Contacted Google services", "SERVICE NAME: SSDPSRV \u2022 Delete upnphost\tDelete \u2022 GoogleChromeElevationService", "https://otx.alienvault.com/indicator/file/cb40cd426d6e55c2b175b5be3327bfdf8d5a0074bf48b823121bd4720ed2ad95", "https://otx.alienvault.com/otxapi/indicators/file/screenshot/cb40cd426d6e55c2b175b5be3327bfdf8d5a0074bf48b823121bd4720ed2ad95", "codewiki.google", "Win.Malware.Unruy-6912804-0 IDS Detections: Win32/Unruy.C Activity 403 Forbidden", "Alerts: network_icmp persistence_autorun antivm_vmware_in_instruction", "Alerts: network_http antisandbox_sleep creates_exe dropper stealth_window", "Alerts: injection_process_search protection_rx", "IP\u2019s Contacted: 142.250.74.68 142.250.74.99 18.66.121.69 185.53.179.170 2.22.41.134 204.79.197.200", "IP\u2019s Contacted: 208.91.196.46 209.197.3.8 216.239.32.29 35.186.238.101", "Domains Contacted: www.microsoft.com www.bing.com www2.megawebdeals.com www.google.com", "Domains Contacted: ocsp.pki.goog www.download.windowsupdate.com ifdnzact.com", "Domains Contacted: d38psrni17bvxu.cloudfront.net www2.megawebfind.com www6.megawebfind.com", "PE Version Information : TJprojMain.exe", "Found in : https://otx.alienvault.com/pulse/69640c0afc9805a6fa2da07b", "IDS Detections Win32/Unruy.C Activity \u2022 403 Forbidden" ], "public": 1, "adversary": "", "targeted_countries": [ "United States of America" ], "malware_families": [ { "id": "Worm:Win32/Mofksys.RND!MTB", "display_name": "Worm:Win32/Mofksys.RND!MTB", "target": "/malware/Worm:Win32/Mofksys.RND!MTB" }, { "id": "Win.Malware.Unruy-6912804-0", "display_name": "Win.Malware.Unruy-6912804-0", "target": null }, { "id": "Win.Packed.Eyestye-9754938-0", "display_name": "Win.Packed.Eyestye-9754938-0", "target": null }, { "id": "Eyestye", "display_name": "Eyestye", "target": null }, { "id": "AutoRun", "display_name": "AutoRun", "target": null }, { "id": "Tofsee", "display_name": "Tofsee", "target": null }, { "id": "Trojan:Win32/EyeStye.T", "display_name": "Trojan:Win32/EyeStye.T", "target": "/malware/Trojan:Win32/EyeStye.T" }, { "id": "ALF:HeraklezEval:PUA:Win32/4Shared", "display_name": "ALF:HeraklezEval:PUA:Win32/4Shared", "target": null }, { "id": "Cassini", "display_name": "Cassini", "target": null }, { "id": "DarkMoon", "display_name": "DarkMoon", "target": null }, { "id": "PolyRansom", "display_name": "PolyRansom", "target": null }, { "id": "Upatre", "display_name": "Upatre", "target": null }, { "id": "Malware Packed", "display_name": "Malware Packed", "target": null } ], "attack_ids": [ { "id": "T1060", "name": "Registry Run Keys / Startup Folder", "display_name": "T1060 - Registry Run Keys / Startup Folder" }, { "id": "T1063", "name": "Security Software Discovery", "display_name": "T1063 - Security Software Discovery" }, { "id": "T1045", "name": "Software Packing", "display_name": "T1045 - Software Packing" }, { "id": "T1053", "name": "Scheduled Task/Job", "display_name": "T1053 - Scheduled Task/Job" }, { "id": "T1057", "name": "Process Discovery", "display_name": "T1057 - Process Discovery" }, { "id": "T1129", "name": "Shared Modules", "display_name": "T1129 - Shared Modules" }, { "id": "T1143", "name": "Hidden Window", "display_name": "T1143 - Hidden Window" }, { "id": "T1036.004", "name": "Masquerade Task or Service", "display_name": "T1036.004 - Masquerade Task or Service" }, { "id": "T1078.003", "name": "Local Accounts", "display_name": "T1078.003 - Local Accounts" }, { "id": "T1078.001", "name": "Default Accounts", "display_name": "T1078.001 - Default Accounts" }, { "id": "T1087.003", "name": "Email Account", "display_name": "T1087.003 - Email Account" }, { "id": "T1078.002", "name": "Domain Accounts", "display_name": "T1078.002 - Domain Accounts" }, { "id": "T1090.004", "name": "Domain Fronting", "display_name": "T1090.004 - Domain Fronting" }, { "id": "T1566", "name": "Phishing", "display_name": "T1566 - Phishing" }, { "id": "TA0011", "name": "Command and Control", "display_name": "TA0011 - Command and Control" }, { "id": "T1031", "name": "Modify Existing Service", "display_name": "T1031 - Modify Existing Service" }, { "id": "T1608.001", "name": "Upload Malware", "display_name": "T1608.001 - Upload Malware" }, { "id": "T1588.001", "name": "Malware", "display_name": "T1588.001 - Malware" }, { "id": "T1035", "name": "Service Execution", "display_name": "T1035 - Service Execution" }, { "id": "T1071.001", "name": "Web Protocols", "display_name": "T1071.001 - Web Protocols" }, { "id": "T1071.004", "name": "DNS", "display_name": "T1071.004 - DNS" }, { "id": "T1011", "name": "Exfiltration Over Other Network Medium", "display_name": "T1011 - Exfiltration Over Other Network Medium" } ], "industries": [], "TLP": "green", "cloned_from": null, "export_count": 1, "upvotes_count": 0, "downvotes_count": 0, "votes_count": 0, "locked": false, "pulse_source": "web", "validator_count": 0, "comment_count": 0, "follower_count": 0, "vote": 0, "author": { "username": "Q.Vashti", "id": "337942", "avatar_url": "https://otx.alienvault.com/assets/images/default-avatar.png", "is_subscribed": false, "is_following": false }, "indicator_type_counts": { "FileHash-MD5": 198, "FileHash-SHA1": 165, "FileHash-SHA256": 867, "URL": 1461, "hostname": 429, "domain": 221, "SSLCertFingerprint": 1 }, "indicator_count": 3342, "is_author": false, "is_subscribing": null, "subscriber_count": 139, "modified_text": "67 days ago ", "is_modified": true, "groups": [], "in_group": false, "threat_hunter_scannable": true, "threat_hunter_has_agents": 1, "related_indicator_type": "URL", "related_indicator_is_active": 1 }, { "id": "69482caa00d327da8f0a87bc", "name": "Chris P.\u2019 Buzz\u2019 Ahmann Colorado State Criminal Defense Attorney (22.20.2025)", "description": "", "modified": "2026-01-20T17:02:02.650000", "created": "2025-12-21T17:21:46.434000", "tags": [ "related pulses", "p1377925676", "gaz1", "sid1696503456", "sct1", "active", "dynamicloader", "medium", "write c", "search", "show", "high", "program gateway", "http traffic", "http", "write", "malware", "nivdort", "serving ip", "address", "status code", "kb body", "sha256", "gw5hjz7t975", "url https", "url http", "indicator role", "pulses url", "hostname", "poland unknown", "present sep", "present jul", "present may", "present apr", "present dec", "present jan", "moved", "passive dns", "ip address", "title", "location poland", "asn as29522", "gmt content", "accept encoding", "ipv4 add", "urls", "files", "reverse dns", "united", "record value", "aaaa", "mtb oct", "found", "error", "read c", "memcommit", "module load", "next", "showing", "trojan", "execution", "unknown", "entries", "ms windows", "intel", "as15169", "codeoverlap", "yara detections", "delphi", "worm", "win32", "win64", "learn", "ck id", "name tactics", "suspicious", "informative", "adversaries", "command", "spawns", "ssl certificate", "execution att", "script urls", "treece alfrey", "meta", "germany unknown", "for privacy", "title added", "active related", "pulses", "asnone", "named pipe", "type indicator", "role title", "added active", "filehashsha256", "ally", "melika", "information", "law christopher", "https", "fake pinterest", "tsara", "traceback man", "expiro", "capture", "domain", "types of", "germany", "poland", "netherlands", "cve cve20178977", "boobs130432 nov", "learn more", "filehashmd5", "utmsourceawin", "pe32", "head microsoft", "delete", "main", "backdoor", "next associated", "gmt connection", "control", "content type", "twitter", "certificate", "redirect date", "cache", "unknown ns", "hostname add", "ipv4", "pulse pulses", "location united", "america flag", "america asn", "windows", "total", "ids detections", "url add", "related nids", "files location", "flag united", "win32mydoom nov", "domain add", "yara rule", "ee fc", "ff d5", "f0 ff", "eb e1", "ff ff", "c1 e8", "c1 c0", "eb e8", "mpress", "cache control", "x cache", "date", "name servers", "arial", "present aug", "present jun", "may god", "hall render", "palantir doing", "jeffrey scott", "jeffrey reimer", "brian sabey", "butt pirates", "scott reimer", "colorado", "quasi government", "workers compensation", "eva lisa", "eva reimer", "sammie", "montano mark", "death threats", "tulach", "hired hit men", "gay man", "gay porn", "concentra", "corruption", "palantir", "foundry", "grifter", "warning", "illegal", "apple", "contacted", "ransom", "dead", "denver" ], "references": [ "https://tamlegal.com/attorneys/christopher-p-ahmann/#breadcrumb \u2022 https://www.milehighmedia.com/en/movies", "https://www.milehighmedia.com/legal/2257 \u2022 https://www.milehighmedia", "www.milehighmedia.com \u2022 https://www.milehighmedia.com/en/Charlie-Dean/pornstar/49512", "https://www.milehighmedia.com/en/login/index/aHR0cHMlM0ElMkYlMkZtZW1iZXJzLm1pbGVoaWdobWVkaWEuY29tJTJGZW4lMkZ2aWRlb3MlMkZzd2VldGhlYXJ0dmlkZW8lM0ZhbHVwJTNEQURqeF9ITjhfd1oweU96UnpsU3NNNUZLaVVxSzBXNEN0X3NmTFpKTGVJc3M2b0RVUzkwVmp6VllNVko5eFpmdENYcFNKd3IzOTNaMG1mOEpXeVhVeVZpLTJZYVRsaGd3M25DSDRpYnRwZ25BRC1zUFhDQVUycjZJOXo2WWtRMzNVWVFhMFZyWC1YckxvcnRkVjJZdEgxSDYxZ1lhMTFNS3RZSkEzY3FlSXhFQzhtSlAzSk1tbloySURMQXlMZndPcHozSFFiTzF4T0FseXJIQ0xYem1ldFElMkE=\t \thttp://www.milehighmedia.com/?ats=eyJhIjoyOTYzMTgsImMiOjU3OTYzNz", "http://www.milehighmedia.com/legal\t \u2022 https://www.milehighmedia.com/en/pornstar/milehighmedia/Justin-Hunt/51017", "https://www.milehighmedia.com/de/MileHighMedia/scene/129689?utm_source=271174&utm_medium=affiliate&utm_campaign=", "http://www.milehighmedia.com/?ats=eyJhIjoyOTYzMTgsImMiOjU3OTYzNzc1LCJuIjo3NiwicyI6NT...", "ttps://www.milehighmedia.com/scene/4404473/creampie-adventures-scene-2-sneaky-melanie", "https://www.milehighmedia.com/join \u2022 https://www.milehighmedia.com/models \u2022 https://www.milehighmedia.com/movies", "https://www.milehighmedia.com/model/59136/avi-love \u2022https://www.milehighmedia.com/model/60418/Justin-Hunt \u2022", "https://www.milehighmedia.com/en/photo/milehighmedia/The-Mother-I-Cant-Resist/52380", "https://www.milehighmedia.com/en/movies \u2022 https://www.milehighmedia.com/join", "https://www.pornhub.com/gifs/search?search=tsara+lynn+brashears+lesbian", "pornhub-e.com \u2022 www.pornhub.com \u2022", "https://www.sweetheartvideo.com/tsara-brashears/ \u2022 www.sweetheartvideo.com", "https://www.sweetheartvideo.com/en/?s=1?s=1&utm_source=272160&utm_medium=affiliate&utm_campaign=lovelezzies", "https://www.sweetheartvideo.com/en/dvd/Lesbian-Massage/49895", "https://www.sweetheartvideo.com/en/dvds \u2022 https://www.sweetheartvideo.com/en/login", "https://www.sweetheartvideo.com/en/model/Mona-Wales/49601 \u2022 https://www.sweetheartvideo.com/en/scene/Truth-Dare--Boobs/130432 No Expiration\t0\t URL https://www.sweetheartvideo.com/it/model/Kristen-Scott/50432 \u2022 https://www.sweetheartvideo.com/model/63710/brandi-love", "https://www.sweetheartvideo.com/scenes?models=63710", "https://www.sweetheartvideo.com/model/63710/brandi-love", "https://www.sweetheartvideo.com/scenes?models=63710", "https://www.sweetheartvideo.com/it/model/Kristen-Scott/50432", "https://www.sweetheartvideo.com/en/scene/Truth-Dare--Boobs/130432", "https://www.milehighmedia.com/en/photo/milehighmedia/The-Mother-I-Cant-Resist/52380", "https://www.vgt.pl/font/roboto/Roboto-Bold.eot \u2022", "https://www.vgt.pl/94.152.152.233/images/logo.png", "https://www.vgt.pl/94.152.156.22/logo.png \u2022 https://www.vgt.pl/css/", "https://www.vgt.pl/favicon.ico", "https://www.vgt.pl/font/fa/fontawesome-webfont.eot", "https://www.vgt.pl/font/roboto/Roboto-Bold.ttf \u2022 https://www.vgt.pl/font/roboto/Roboto-Light.eot", "https://www.vgt.pl/font/roboto/Roboto-Medium.ttf", "https://www.vgt.pl/font/roboto/Roboto-Light.ttf \u2022", "https://www.vgt.pl/static/js/bootstrap-typeahead.jstic/js/bootstrap-typeahead.js", "https://www.vgt.pl/style/style.css \u2022 https://www.vgt.pl/font/roboto/Roboto-Medium.eot", "https://www.vgt.pl/font/roboto/Roboto-Regular.ttf \u2022 https://www.vgt.pl/font/roboto/Roboto-Thin.eot", "https://www.vgt.pl/static/js/bootstrap-typeahead.js.179.252.2", "https://www.vgt.pl/font/roboto/Roboto-Thin.ttf \u2022 https://www.vgt.pl/static/js/bootstrap-typeahead.js", "https://www.vgt.pl/font/roboto/Roboto-Regular.eot \u2022 https://www.vgt.pl/94.152.156.22/logo.png \u2022 https://www.vgt.pl/css/", "vgt.pl \u2022 www.hak.vgt.pl \u2022 www.localhost.vgt.pl \u2022 www.certyfikat.vgt.pl \u2022 aristocrat.vgt.pl", "https://www.vgt.pl/ phishing \u2022 https://vgt.pl/ \u2022www.vgt.pl \u2022 https://www.vgt.pl/94.152.152.233/images/logo.png", "http://www.pornokind.vgt.pl \u2022 https://dbkuewww.m.vgt.pl \u2022 https://lokalnyhost.vgt.pl \u2022 www.xn--twj-hna.pedofil.vgt.pl", "http://www.hak.vgt.pl \u2022 http://pornokind.vgt.pl \u2022 http://sip.vgt.pl \u2022 http://smtp-qa.vgt.pl \u2022 http://vgt.pl/*.", "https://pornokind.vgt.pl \u2022 https://sip.vgt.pl \u2022 https://smtp-qa.vgt.pl \u2022 https://www.vgt.pl/94.152.156.22/logo.png", "www.localhost.vgt.pl \u2022 www.certyfikat.vgt.pl \u2022 https://www.vgt.pl/94.152.152.233/images/logo.png", "https://www.vgt.pl/css/ \u2022 https://www.vgt.pl/favicon.ico \u2022 https://www.vgt.pl/font/fa/fontawesome-webfont.eot", "https://www.vgt.pl/font/roboto/Roboto-Bold.eot \u2022 https://www.vgt.pl/font/roboto/Roboto-Bold.ttf \u2022 https://www.vgt.pl/font/roboto/Roboto-Light.eot", "https://www.vgt.pl/static/js/bootstrap-typeahead.jstic/js/bootstrap-typeahead.js", "https://www.vgt.pl/style/style.css \u2022 https://www.vgt.pl/static/js/bootstrap-typeahead.js", "IP Address 94.152.58.192 Location Poland ASN AS29522 h88 s.a. Nameservers ns1.kei.pl. , ns2.kei.pl.", "www.happylifehappywife.com \u2022 http://www.happylifehappywife.com/2010/02/'>", "http://www.happylifehappywife.com/2010/04/'> \u2022 http://www.happylifehappywife.com/2010/05/'>", "http://www.happylifehappywife.com/2010/07/'> \u2022 http://www.happylifehappywife.com/2010/09/'>", "http://www.happylifehappywife.com/2011/06/'> \u2022 http://www.happylifehappywife.com/2011/08/'", "http://www.happylifehappywife.com/2011/08/'> \u2022 http://www.happylifehappywife.com/2012/07/'>", "http://www.happylifehappywife.com/2013/03/'> \u2022 http://www.happylifehappywife.com/index.php", "http://www.happylifehappywife.com/wp-content/themes/theme78222/images/top-right.jpg", "https://amp.mypornvid.fun/videos/8/AhxS-ej1myg/gf-18-com/\ud83c\udf81-i39m-your-present-\ud83c\udf81-girlfriend-surprises-you-for-christmas-reunion-soft-kisses-amp-cuddles", "8-25-220-162-static.reverse.queryfoundry.net\t\t\tNov 1, 2025, 9:34:14 AM\t\t5\t domain\tqueryfoundry.net\t\t\tNov 1, 2025, 9:34:14 AM\t\t8\t URL\thttp://117-114-251-162-static.reverse.queryfoundry.net/", "http://watchhers.net/index.php", "remotewd.com device local", "nr-data.net \u2022 applemusic-spotlight.myunidays.com \u2022 init.ess.apple.com \u2022 tv.apple.com", "https://browntubeporn.com/tsara-brashearsAccept-Language", "https://cg864.myhotzpic.com phishing \u2022 http://dashboard.myhotzpic.com/", "https://myhotzpic.com/tsara-brashears-hardcore-lesbian-sex/anime-studio.org*thumbs-fa...", "https://mypornvid.com/videos/27/x510fb2/white-dpt-jeffrey-reimer-loves-pretty-indian-patient-forces-sex-3gp-video-tsara-brashears/caillou-finger", "http://siteinlink.d1.cnbd.net/search/tsara-brashears-dead \u2022 http://siteinlink.d1.cnbd.net/site/maps.google.com.lb/", "http://siteinlink.d1.cnbd.net/search/tsara-brashears-assaulted-by-jeffrey-reimer", "http://siteinlink.d1.cnbd.net/search/tsara-brashears-dead \u2022 https://videolal.com/videos/tsara-brashears-dead-by-daylight.html", "http://pixelrz.com/lists/keywords/tsara-brashears-dead/360 \u2022 http://pixelrz.com/lists/keywords/tsara-brashears-dead/360] No Expiration\t4\t Domain tsara-brashears-deadspin-twitter-suspended-account-help.ht", "https://www.anyxxxtube.net/search-porn/tsara-brashears/", "https://www.pornhub.com/gifs/search?search=tsara+lynn+brashears+lesbian", "https://www.anyxxxtube.net/search-porn/tsara-brashears/", "https://twitter.com/PORNO_SEXYBABES \u2022 girlsdoporn.com", "Treece Alfrey Musat P.C. Attorneys at Law Christopher P. Ahmann | https://TamLegal.com", "https://urlscan.io/screenshots/e931bb02-80dc-46db-92f0-43d5afa258be.png" ], "public": 1, "adversary": "", "targeted_countries": [], "malware_families": [ { "id": "TrojanSpy:Win32/Nivdort", "display_name": "TrojanSpy:Win32/Nivdort", "target": "/malware/TrojanSpy:Win32/Nivdort" }, { "id": "Worm:Win32/Autorun", "display_name": "Worm:Win32/Autorun", "target": "/malware/Worm:Win32/Autorun" }, { "id": "Tofsee", "display_name": "Tofsee", "target": null }, { "id": "Jaik", "display_name": "Jaik", "target": null }, { "id": "Trojan:Win32/Qshell", "display_name": "Trojan:Win32/Qshell", "target": "/malware/Trojan:Win32/Qshell" }, { "id": "Trojan:Win32/Mydoom", "display_name": "Trojan:Win32/Mydoom", "target": "/malware/Trojan:Win32/Mydoom" } ], "attack_ids": [ { "id": "T1045", "name": "Software Packing", "display_name": "T1045 - Software Packing" }, { "id": "T1057", "name": "Process Discovery", "display_name": "T1057 - Process Discovery" }, { "id": "T1060", "name": "Registry Run Keys / Startup Folder", "display_name": "T1060 - Registry Run Keys / Startup Folder" }, { "id": "T1053", "name": "Scheduled Task/Job", "display_name": "T1053 - Scheduled Task/Job" }, { "id": "T1055", "name": "Process Injection", "display_name": "T1055 - Process Injection" }, { "id": "T1082", "name": "System Information Discovery", "display_name": "T1082 - System Information Discovery" }, { "id": "T1112", "name": "Modify Registry", "display_name": "T1112 - Modify Registry" }, { "id": "T1119", "name": "Automated Collection", "display_name": "T1119 - Automated Collection" }, { "id": "T1129", "name": "Shared Modules", "display_name": "T1129 - Shared Modules" }, { "id": "T1143", "name": "Hidden Window", "display_name": "T1143 - Hidden Window" }, { "id": "T1063", "name": "Security Software Discovery", "display_name": "T1063 - Security Software Discovery" }, { "id": "T1027", "name": "Obfuscated Files or Information", "display_name": "T1027 - Obfuscated Files or Information" }, { "id": "T1071", "name": "Application Layer Protocol", "display_name": "T1071 - Application Layer Protocol" }, { "id": "T1518", "name": "Software Discovery", "display_name": "T1518 - Software Discovery" }, { "id": "T1553", "name": "Subvert Trust Controls", "display_name": "T1553 - Subvert Trust Controls" }, { "id": "T1568", "name": "Dynamic Resolution", "display_name": "T1568 - Dynamic Resolution" }, { "id": "T1583", "name": "Acquire Infrastructure", "display_name": "T1583 - Acquire Infrastructure" }, { "id": "T1069", "name": "Permission Groups Discovery", "display_name": "T1069 - Permission Groups Discovery" }, { "id": "T1105", "name": "Ingress Tool Transfer", "display_name": "T1105 - Ingress Tool Transfer" }, { "id": "T1113", "name": "Screen Capture", "display_name": "T1113 - Screen Capture" }, { "id": "T1140", "name": "Deobfuscate/Decode Files or Information", "display_name": "T1140 - Deobfuscate/Decode Files or Information" }, { "id": "T1197", "name": "BITS Jobs", "display_name": "T1197 - BITS Jobs" }, { "id": "T1210", "name": "Exploitation of Remote Services", "display_name": "T1210 - Exploitation of Remote Services" }, { "id": "T1457", "name": "Malicious Media Content", "display_name": "T1457 - Malicious Media Content" }, { "id": "T1480", "name": "Execution Guardrails", "display_name": "T1480 - Execution Guardrails" }, { "id": "T1562", "name": "Impair Defenses", "display_name": "T1562 - Impair Defenses" }, { "id": "T1574", "name": "Hijack Execution Flow", "display_name": "T1574 - Hijack Execution Flow" } ], "industries": [], "TLP": "green", "cloned_from": "691f4d4ef0a2a570b8b21cd2", "export_count": 3, "upvotes_count": 0, "downvotes_count": 0, "votes_count": 0, "locked": false, "pulse_source": "web", "validator_count": 0, "comment_count": 0, "follower_count": 0, "vote": 0, "author": { "username": "Q.Vashti", "id": "337942", "avatar_url": "https://otx.alienvault.com/assets/images/default-avatar.png", "is_subscribed": false, "is_following": false }, "indicator_type_counts": { "URL": 8897, "domain": 2102, "hostname": 2867, "FileHash-SHA256": 3886, "FileHash-MD5": 619, "FileHash-SHA1": 555, "CVE": 3, "email": 5, "SSLCertFingerprint": 8 }, "indicator_count": 18942, "is_author": false, "is_subscribing": null, "subscriber_count": 137, "modified_text": "89 days ago ", "is_modified": true, "groups": [], "in_group": false, "threat_hunter_scannable": true, "threat_hunter_has_agents": 1, "related_indicator_type": "URL", "related_indicator_is_active": 1 }, { "id": "691f4d4ef0a2a570b8b21cd2", "name": "Chris P. Ahmann Colorado State Criminal Defense Attorney", "description": "Chris P. Ahmann Colorado State Criminal Defense attorney hired by quasi government Workers Compensation to completely destroy Tsara Brashears literally to death. None of her spinal cord injuries , and other assault injuries discussed or compensated for in rushed settlement case. Her awful racist attorney refused to represent plaintiffs in hearing. Never met with in person for no good reason. Tsara represented herself. Less that 24 hour notice. No briefings, no awareness or mention that Ahmann was representing Jeffrey Scott Reimer for assault\n case. Brashears required 24 hour care by end of life. Received 0 workers compsarion payments. But if this doesn\u2019t prove Reimer\u2019s guilt what does? Continued harassment of associated. \n\nNotice the outages? You\u2019ve cost BILLIONS? Stop threatening everyone.", "modified": "2026-01-20T17:02:02.650000", "created": "2025-11-20T17:18:06.929000", "tags": [ "related pulses", "p1377925676", "gaz1", "sid1696503456", "sct1", "active", "dynamicloader", "medium", "write c", "search", "show", "high", "program gateway", "http traffic", "http", "write", "malware", "nivdort", "serving ip", "address", "status code", "kb body", "sha256", "gw5hjz7t975", "url https", "url http", "indicator role", "pulses url", "hostname", "poland unknown", "present sep", "present jul", "present may", "present apr", "present dec", "present jan", "moved", "passive dns", "ip address", "title", "location poland", "asn as29522", "gmt content", "accept encoding", "ipv4 add", "urls", "files", "reverse dns", "united", "record value", "aaaa", "mtb oct", "found", "error", "read c", "memcommit", "module load", "next", "showing", "trojan", "execution", "unknown", "entries", "ms windows", "intel", "as15169", "codeoverlap", "yara detections", "delphi", "worm", "win32", "win64", "learn", "ck id", "name tactics", "suspicious", "informative", "adversaries", "command", "spawns", "ssl certificate", "execution att", "script urls", "treece alfrey", "meta", "germany unknown", "for privacy", "title added", "active related", "pulses", "asnone", "named pipe", "type indicator", "role title", "added active", "filehashsha256", "ally", "melika", "information", "law christopher", "https", "fake pinterest", "tsara", "traceback man", "expiro", "capture", "domain", "types of", "germany", "poland", "netherlands", "cve cve20178977", "boobs130432 nov", "learn more", "filehashmd5", "utmsourceawin", "pe32", "head microsoft", "delete", "main", "backdoor", "next associated", "gmt connection", "control", "content type", "twitter", "certificate", "redirect date", "cache", "unknown ns", "hostname add", "ipv4", "pulse pulses", "location united", "america flag", "america asn", "windows", "total", "ids detections", "url add", "related nids", "files location", "flag united", "win32mydoom nov", "domain add", "yara rule", "ee fc", "ff d5", "f0 ff", "eb e1", "ff ff", "c1 e8", "c1 c0", "eb e8", "mpress", "cache control", "x cache", "date", "name servers", "arial", "present aug", "present jun", "may god", "hall render", "palantir doing", "jeffrey scott", "jeffrey reimer", "brian sabey", "butt pirates", "scott reimer", "colorado", "quasi government", "workers compensation", "eva lisa", "eva reimer", "sammie", "montano mark", "death threats", "tulach", "hired hit men", "gay man", "gay porn", "concentra", "corruption", "palantir", "foundry", "grifter", "warning", "illegal", "apple", "contacted", "ransom", "dead", "denver" ], "references": [ "https://tamlegal.com/attorneys/christopher-p-ahmann/#breadcrumb \u2022 https://www.milehighmedia.com/en/movies", "https://www.milehighmedia.com/legal/2257 \u2022 https://www.milehighmedia", "www.milehighmedia.com \u2022 https://www.milehighmedia.com/en/Charlie-Dean/pornstar/49512", "https://www.milehighmedia.com/en/login/index/aHR0cHMlM0ElMkYlMkZtZW1iZXJzLm1pbGVoaWdobWVkaWEuY29tJTJGZW4lMkZ2aWRlb3MlMkZzd2VldGhlYXJ0dmlkZW8lM0ZhbHVwJTNEQURqeF9ITjhfd1oweU96UnpsU3NNNUZLaVVxSzBXNEN0X3NmTFpKTGVJc3M2b0RVUzkwVmp6VllNVko5eFpmdENYcFNKd3IzOTNaMG1mOEpXeVhVeVZpLTJZYVRsaGd3M25DSDRpYnRwZ25BRC1zUFhDQVUycjZJOXo2WWtRMzNVWVFhMFZyWC1YckxvcnRkVjJZdEgxSDYxZ1lhMTFNS3RZSkEzY3FlSXhFQzhtSlAzSk1tbloySURMQXlMZndPcHozSFFiTzF4T0FseXJIQ0xYem1ldFElMkE=\t \thttp://www.milehighmedia.com/?ats=eyJhIjoyOTYzMTgsImMiOjU3OTYzNz", "http://www.milehighmedia.com/legal\t \u2022 https://www.milehighmedia.com/en/pornstar/milehighmedia/Justin-Hunt/51017", "https://www.milehighmedia.com/de/MileHighMedia/scene/129689?utm_source=271174&utm_medium=affiliate&utm_campaign=", "http://www.milehighmedia.com/?ats=eyJhIjoyOTYzMTgsImMiOjU3OTYzNzc1LCJuIjo3NiwicyI6NT...", "ttps://www.milehighmedia.com/scene/4404473/creampie-adventures-scene-2-sneaky-melanie", "https://www.milehighmedia.com/join \u2022 https://www.milehighmedia.com/models \u2022 https://www.milehighmedia.com/movies", "https://www.milehighmedia.com/model/59136/avi-love \u2022https://www.milehighmedia.com/model/60418/Justin-Hunt \u2022", "https://www.milehighmedia.com/en/photo/milehighmedia/The-Mother-I-Cant-Resist/52380", "https://www.milehighmedia.com/en/movies \u2022 https://www.milehighmedia.com/join", "https://www.pornhub.com/gifs/search?search=tsara+lynn+brashears+lesbian", "pornhub-e.com \u2022 www.pornhub.com \u2022", "https://www.sweetheartvideo.com/tsara-brashears/ \u2022 www.sweetheartvideo.com", "https://www.sweetheartvideo.com/en/?s=1?s=1&utm_source=272160&utm_medium=affiliate&utm_campaign=lovelezzies", "https://www.sweetheartvideo.com/en/dvd/Lesbian-Massage/49895", "https://www.sweetheartvideo.com/en/dvds \u2022 https://www.sweetheartvideo.com/en/login", "https://www.sweetheartvideo.com/en/model/Mona-Wales/49601 \u2022 https://www.sweetheartvideo.com/en/scene/Truth-Dare--Boobs/130432 No Expiration\t0\t URL https://www.sweetheartvideo.com/it/model/Kristen-Scott/50432 \u2022 https://www.sweetheartvideo.com/model/63710/brandi-love", "https://www.sweetheartvideo.com/scenes?models=63710", "https://www.sweetheartvideo.com/model/63710/brandi-love", "https://www.sweetheartvideo.com/scenes?models=63710", "https://www.sweetheartvideo.com/it/model/Kristen-Scott/50432", "https://www.sweetheartvideo.com/en/scene/Truth-Dare--Boobs/130432", "https://www.milehighmedia.com/en/photo/milehighmedia/The-Mother-I-Cant-Resist/52380", "https://www.vgt.pl/font/roboto/Roboto-Bold.eot \u2022", "https://www.vgt.pl/94.152.152.233/images/logo.png", "https://www.vgt.pl/94.152.156.22/logo.png \u2022 https://www.vgt.pl/css/", "https://www.vgt.pl/favicon.ico", "https://www.vgt.pl/font/fa/fontawesome-webfont.eot", "https://www.vgt.pl/font/roboto/Roboto-Bold.ttf \u2022 https://www.vgt.pl/font/roboto/Roboto-Light.eot", "https://www.vgt.pl/font/roboto/Roboto-Medium.ttf", "https://www.vgt.pl/font/roboto/Roboto-Light.ttf \u2022", "https://www.vgt.pl/static/js/bootstrap-typeahead.jstic/js/bootstrap-typeahead.js", "https://www.vgt.pl/style/style.css \u2022 https://www.vgt.pl/font/roboto/Roboto-Medium.eot", "https://www.vgt.pl/font/roboto/Roboto-Regular.ttf \u2022 https://www.vgt.pl/font/roboto/Roboto-Thin.eot", "https://www.vgt.pl/static/js/bootstrap-typeahead.js.179.252.2", "https://www.vgt.pl/font/roboto/Roboto-Thin.ttf \u2022 https://www.vgt.pl/static/js/bootstrap-typeahead.js", "https://www.vgt.pl/font/roboto/Roboto-Regular.eot \u2022 https://www.vgt.pl/94.152.156.22/logo.png \u2022 https://www.vgt.pl/css/", "vgt.pl \u2022 www.hak.vgt.pl \u2022 www.localhost.vgt.pl \u2022 www.certyfikat.vgt.pl \u2022 aristocrat.vgt.pl", "https://www.vgt.pl/ phishing \u2022 https://vgt.pl/ \u2022www.vgt.pl \u2022 https://www.vgt.pl/94.152.152.233/images/logo.png", "http://www.pornokind.vgt.pl \u2022 https://dbkuewww.m.vgt.pl \u2022 https://lokalnyhost.vgt.pl \u2022 www.xn--twj-hna.pedofil.vgt.pl", "http://www.hak.vgt.pl \u2022 http://pornokind.vgt.pl \u2022 http://sip.vgt.pl \u2022 http://smtp-qa.vgt.pl \u2022 http://vgt.pl/*.", "https://pornokind.vgt.pl \u2022 https://sip.vgt.pl \u2022 https://smtp-qa.vgt.pl \u2022 https://www.vgt.pl/94.152.156.22/logo.png", "www.localhost.vgt.pl \u2022 www.certyfikat.vgt.pl \u2022 https://www.vgt.pl/94.152.152.233/images/logo.png", "https://www.vgt.pl/css/ \u2022 https://www.vgt.pl/favicon.ico \u2022 https://www.vgt.pl/font/fa/fontawesome-webfont.eot", "https://www.vgt.pl/font/roboto/Roboto-Bold.eot \u2022 https://www.vgt.pl/font/roboto/Roboto-Bold.ttf \u2022 https://www.vgt.pl/font/roboto/Roboto-Light.eot", "https://www.vgt.pl/static/js/bootstrap-typeahead.jstic/js/bootstrap-typeahead.js", "https://www.vgt.pl/style/style.css \u2022 https://www.vgt.pl/static/js/bootstrap-typeahead.js", "IP Address 94.152.58.192 Location Poland ASN AS29522 h88 s.a. Nameservers ns1.kei.pl. , ns2.kei.pl.", "www.happylifehappywife.com \u2022 http://www.happylifehappywife.com/2010/02/'>", "http://www.happylifehappywife.com/2010/04/'> \u2022 http://www.happylifehappywife.com/2010/05/'>", "http://www.happylifehappywife.com/2010/07/'> \u2022 http://www.happylifehappywife.com/2010/09/'>", "http://www.happylifehappywife.com/2011/06/'> \u2022 http://www.happylifehappywife.com/2011/08/'", "http://www.happylifehappywife.com/2011/08/'> \u2022 http://www.happylifehappywife.com/2012/07/'>", "http://www.happylifehappywife.com/2013/03/'> \u2022 http://www.happylifehappywife.com/index.php", "http://www.happylifehappywife.com/wp-content/themes/theme78222/images/top-right.jpg", "https://amp.mypornvid.fun/videos/8/AhxS-ej1myg/gf-18-com/\ud83c\udf81-i39m-your-present-\ud83c\udf81-girlfriend-surprises-you-for-christmas-reunion-soft-kisses-amp-cuddles", "8-25-220-162-static.reverse.queryfoundry.net\t\t\tNov 1, 2025, 9:34:14 AM\t\t5\t domain\tqueryfoundry.net\t\t\tNov 1, 2025, 9:34:14 AM\t\t8\t URL\thttp://117-114-251-162-static.reverse.queryfoundry.net/", "http://watchhers.net/index.php", "remotewd.com device local", "nr-data.net \u2022 applemusic-spotlight.myunidays.com \u2022 init.ess.apple.com \u2022 tv.apple.com", "https://browntubeporn.com/tsara-brashearsAccept-Language", "https://cg864.myhotzpic.com phishing \u2022 http://dashboard.myhotzpic.com/", "https://myhotzpic.com/tsara-brashears-hardcore-lesbian-sex/anime-studio.org*thumbs-fa...", "https://mypornvid.com/videos/27/x510fb2/white-dpt-jeffrey-reimer-loves-pretty-indian-patient-forces-sex-3gp-video-tsara-brashears/caillou-finger", "http://siteinlink.d1.cnbd.net/search/tsara-brashears-dead \u2022 http://siteinlink.d1.cnbd.net/site/maps.google.com.lb/", "http://siteinlink.d1.cnbd.net/search/tsara-brashears-assaulted-by-jeffrey-reimer", "http://siteinlink.d1.cnbd.net/search/tsara-brashears-dead \u2022 https://videolal.com/videos/tsara-brashears-dead-by-daylight.html", "http://pixelrz.com/lists/keywords/tsara-brashears-dead/360 \u2022 http://pixelrz.com/lists/keywords/tsara-brashears-dead/360] No Expiration\t4\t Domain tsara-brashears-deadspin-twitter-suspended-account-help.ht", "https://www.anyxxxtube.net/search-porn/tsara-brashears/", "https://www.pornhub.com/gifs/search?search=tsara+lynn+brashears+lesbian", "https://www.anyxxxtube.net/search-porn/tsara-brashears/", "https://twitter.com/PORNO_SEXYBABES \u2022 girlsdoporn.com", "Treece Alfrey Musat P.C. Attorneys at Law Christopher P. Ahmann | https://TamLegal.com", "https://urlscan.io/screenshots/e931bb02-80dc-46db-92f0-43d5afa258be.png" ], "public": 1, "adversary": "", "targeted_countries": [], "malware_families": [ { "id": "TrojanSpy:Win32/Nivdort", "display_name": "TrojanSpy:Win32/Nivdort", "target": "/malware/TrojanSpy:Win32/Nivdort" }, { "id": "Worm:Win32/Autorun", "display_name": "Worm:Win32/Autorun", "target": "/malware/Worm:Win32/Autorun" }, { "id": "Tofsee", "display_name": "Tofsee", "target": null }, { "id": "Jaik", "display_name": "Jaik", "target": null }, { "id": "Trojan:Win32/Qshell", "display_name": "Trojan:Win32/Qshell", "target": "/malware/Trojan:Win32/Qshell" }, { "id": "Trojan:Win32/Mydoom", "display_name": "Trojan:Win32/Mydoom", "target": "/malware/Trojan:Win32/Mydoom" } ], "attack_ids": [ { "id": "T1045", "name": "Software Packing", "display_name": "T1045 - Software Packing" }, { "id": "T1057", "name": "Process Discovery", "display_name": "T1057 - Process Discovery" }, { "id": "T1060", "name": "Registry Run Keys / Startup Folder", "display_name": "T1060 - Registry Run Keys / Startup Folder" }, { "id": "T1053", "name": "Scheduled Task/Job", "display_name": "T1053 - Scheduled Task/Job" }, { "id": "T1055", "name": "Process Injection", "display_name": "T1055 - Process Injection" }, { "id": "T1082", "name": "System Information Discovery", "display_name": "T1082 - System Information Discovery" }, { "id": "T1112", "name": "Modify Registry", "display_name": "T1112 - Modify Registry" }, { "id": "T1119", "name": "Automated Collection", "display_name": "T1119 - Automated Collection" }, { "id": "T1129", "name": "Shared Modules", "display_name": "T1129 - Shared Modules" }, { "id": "T1143", "name": "Hidden Window", "display_name": "T1143 - Hidden Window" }, { "id": "T1063", "name": "Security Software Discovery", "display_name": "T1063 - Security Software Discovery" }, { "id": "T1027", "name": "Obfuscated Files or Information", "display_name": "T1027 - Obfuscated Files or Information" }, { "id": "T1071", "name": "Application Layer Protocol", "display_name": "T1071 - Application Layer Protocol" }, { "id": "T1518", "name": "Software Discovery", "display_name": "T1518 - Software Discovery" }, { "id": "T1553", "name": "Subvert Trust Controls", "display_name": "T1553 - Subvert Trust Controls" }, { "id": "T1568", "name": "Dynamic Resolution", "display_name": "T1568 - Dynamic Resolution" }, { "id": "T1583", "name": "Acquire Infrastructure", "display_name": "T1583 - Acquire Infrastructure" }, { "id": "T1069", "name": "Permission Groups Discovery", "display_name": "T1069 - Permission Groups Discovery" }, { "id": "T1105", "name": "Ingress Tool Transfer", "display_name": "T1105 - Ingress Tool Transfer" }, { "id": "T1113", "name": "Screen Capture", "display_name": "T1113 - Screen Capture" }, { "id": "T1140", "name": "Deobfuscate/Decode Files or Information", "display_name": "T1140 - Deobfuscate/Decode Files or Information" }, { "id": "T1197", "name": "BITS Jobs", "display_name": "T1197 - BITS Jobs" }, { "id": "T1210", "name": "Exploitation of Remote Services", "display_name": "T1210 - Exploitation of Remote Services" }, { "id": "T1457", "name": "Malicious Media Content", "display_name": "T1457 - Malicious Media Content" }, { "id": "T1480", "name": "Execution Guardrails", "display_name": "T1480 - Execution Guardrails" }, { "id": "T1562", "name": "Impair Defenses", "display_name": "T1562 - Impair Defenses" }, { "id": "T1574", "name": "Hijack Execution Flow", "display_name": "T1574 - Hijack Execution Flow" } ], "industries": [], "TLP": "green", "cloned_from": null, "export_count": 4, "upvotes_count": 0, "downvotes_count": 0, "votes_count": 0, "locked": false, "pulse_source": "web", "validator_count": 0, "comment_count": 0, "follower_count": 0, "vote": 0, "author": { "username": "Q.Vashti", "id": "337942", "avatar_url": "https://otx.alienvault.com/assets/images/default-avatar.png", "is_subscribed": false, "is_following": false }, "indicator_type_counts": { "URL": 8897, "domain": 2102, "hostname": 2867, "FileHash-SHA256": 3886, "FileHash-MD5": 619, "FileHash-SHA1": 555, "CVE": 3, "email": 5, "SSLCertFingerprint": 8 }, "indicator_count": 18942, "is_author": false, "is_subscribing": null, "subscriber_count": 139, "modified_text": "89 days ago ", "is_modified": true, "groups": [], "in_group": false, "threat_hunter_scannable": true, "threat_hunter_has_agents": 1, "related_indicator_type": "URL", "related_indicator_is_active": 1 }, { "id": "695557ee134b978b00883c29", "name": "Chris P. Ahmann \u2022 Stay out of PRIVATE PROPERTY HITMAN! Colorado State", "description": "", "modified": "2026-01-20T17:02:02.650000", "created": "2025-12-31T17:05:50.134000", "tags": [ "related pulses", "p1377925676", "gaz1", "sid1696503456", "sct1", "active", "dynamicloader", "medium", "write c", "search", "show", "high", "program gateway", "http traffic", "http", "write", "malware", "nivdort", "serving ip", "address", "status code", "kb body", "sha256", "gw5hjz7t975", "url https", "url http", "indicator role", "pulses url", "hostname", "poland unknown", "present sep", "present jul", "present may", "present apr", "present dec", "present jan", "moved", "passive dns", "ip address", "title", "location poland", "asn as29522", "gmt content", "accept encoding", "ipv4 add", "urls", "files", "reverse dns", "united", "record value", "aaaa", "mtb oct", "found", "error", "read c", "memcommit", "module load", "next", "showing", "trojan", "execution", "unknown", "entries", "ms windows", "intel", "as15169", "codeoverlap", "yara detections", "delphi", "worm", "win32", "win64", "learn", "ck id", "name tactics", "suspicious", "informative", "adversaries", "command", "spawns", "ssl certificate", "execution att", "script urls", "treece alfrey", "meta", "germany unknown", "for privacy", "title added", "active related", "pulses", "asnone", "named pipe", "type indicator", "role title", "added active", "filehashsha256", "ally", "melika", "information", "law christopher", "https", "fake pinterest", "tsara", "traceback man", "expiro", "capture", "domain", "types of", "germany", "poland", "netherlands", "cve cve20178977", "boobs130432 nov", "learn more", "filehashmd5", "utmsourceawin", "pe32", "head microsoft", "delete", "main", "backdoor", "next associated", "gmt connection", "control", "content type", "twitter", "certificate", "redirect date", "cache", "unknown ns", "hostname add", "ipv4", "pulse pulses", "location united", "america flag", "america asn", "windows", "total", "ids detections", "url add", "related nids", "files location", "flag united", "win32mydoom nov", "domain add", "yara rule", "ee fc", "ff d5", "f0 ff", "eb e1", "ff ff", "c1 e8", "c1 c0", "eb e8", "mpress", "cache control", "x cache", "date", "name servers", "arial", "present aug", "present jun", "may god", "hall render", "palantir doing", "jeffrey scott", "jeffrey reimer", "brian sabey", "butt pirates", "scott reimer", "colorado", "quasi government", "workers compensation", "eva lisa", "eva reimer", "sammie", "montano mark", "death threats", "tulach", "hired hit men", "gay man", "gay porn", "concentra", "corruption", "palantir", "foundry", "grifter", "warning", "illegal", "apple", "contacted", "ransom", "dead", "denver" ], "references": [ "https://tamlegal.com/attorneys/christopher-p-ahmann/#breadcrumb \u2022 https://www.milehighmedia.com/en/movies", "https://www.milehighmedia.com/legal/2257 \u2022 https://www.milehighmedia", "www.milehighmedia.com \u2022 https://www.milehighmedia.com/en/Charlie-Dean/pornstar/49512", "https://www.milehighmedia.com/en/login/index/aHR0cHMlM0ElMkYlMkZtZW1iZXJzLm1pbGVoaWdobWVkaWEuY29tJTJGZW4lMkZ2aWRlb3MlMkZzd2VldGhlYXJ0dmlkZW8lM0ZhbHVwJTNEQURqeF9ITjhfd1oweU96UnpsU3NNNUZLaVVxSzBXNEN0X3NmTFpKTGVJc3M2b0RVUzkwVmp6VllNVko5eFpmdENYcFNKd3IzOTNaMG1mOEpXeVhVeVZpLTJZYVRsaGd3M25DSDRpYnRwZ25BRC1zUFhDQVUycjZJOXo2WWtRMzNVWVFhMFZyWC1YckxvcnRkVjJZdEgxSDYxZ1lhMTFNS3RZSkEzY3FlSXhFQzhtSlAzSk1tbloySURMQXlMZndPcHozSFFiTzF4T0FseXJIQ0xYem1ldFElMkE=\t \thttp://www.milehighmedia.com/?ats=eyJhIjoyOTYzMTgsImMiOjU3OTYzNz", "http://www.milehighmedia.com/legal\t \u2022 https://www.milehighmedia.com/en/pornstar/milehighmedia/Justin-Hunt/51017", "https://www.milehighmedia.com/de/MileHighMedia/scene/129689?utm_source=271174&utm_medium=affiliate&utm_campaign=", "http://www.milehighmedia.com/?ats=eyJhIjoyOTYzMTgsImMiOjU3OTYzNzc1LCJuIjo3NiwicyI6NT...", "ttps://www.milehighmedia.com/scene/4404473/creampie-adventures-scene-2-sneaky-melanie", "https://www.milehighmedia.com/join \u2022 https://www.milehighmedia.com/models \u2022 https://www.milehighmedia.com/movies", "https://www.milehighmedia.com/model/59136/avi-love \u2022https://www.milehighmedia.com/model/60418/Justin-Hunt \u2022", "https://www.milehighmedia.com/en/photo/milehighmedia/The-Mother-I-Cant-Resist/52380", "https://www.milehighmedia.com/en/movies \u2022 https://www.milehighmedia.com/join", "https://www.pornhub.com/gifs/search?search=tsara+lynn+brashears+lesbian", "pornhub-e.com \u2022 www.pornhub.com \u2022", "https://www.sweetheartvideo.com/tsara-brashears/ \u2022 www.sweetheartvideo.com", "https://www.sweetheartvideo.com/en/?s=1?s=1&utm_source=272160&utm_medium=affiliate&utm_campaign=lovelezzies", "https://www.sweetheartvideo.com/en/dvd/Lesbian-Massage/49895", "https://www.sweetheartvideo.com/en/dvds \u2022 https://www.sweetheartvideo.com/en/login", "https://www.sweetheartvideo.com/en/model/Mona-Wales/49601 \u2022 https://www.sweetheartvideo.com/en/scene/Truth-Dare--Boobs/130432 No Expiration\t0\t URL https://www.sweetheartvideo.com/it/model/Kristen-Scott/50432 \u2022 https://www.sweetheartvideo.com/model/63710/brandi-love", "https://www.sweetheartvideo.com/scenes?models=63710", "https://www.sweetheartvideo.com/model/63710/brandi-love", "https://www.sweetheartvideo.com/scenes?models=63710", "https://www.sweetheartvideo.com/it/model/Kristen-Scott/50432", "https://www.sweetheartvideo.com/en/scene/Truth-Dare--Boobs/130432", "https://www.milehighmedia.com/en/photo/milehighmedia/The-Mother-I-Cant-Resist/52380", "https://www.vgt.pl/font/roboto/Roboto-Bold.eot \u2022", "https://www.vgt.pl/94.152.152.233/images/logo.png", "https://www.vgt.pl/94.152.156.22/logo.png \u2022 https://www.vgt.pl/css/", "https://www.vgt.pl/favicon.ico", "https://www.vgt.pl/font/fa/fontawesome-webfont.eot", "https://www.vgt.pl/font/roboto/Roboto-Bold.ttf \u2022 https://www.vgt.pl/font/roboto/Roboto-Light.eot", "https://www.vgt.pl/font/roboto/Roboto-Medium.ttf", "https://www.vgt.pl/font/roboto/Roboto-Light.ttf \u2022", "https://www.vgt.pl/static/js/bootstrap-typeahead.jstic/js/bootstrap-typeahead.js", "https://www.vgt.pl/style/style.css \u2022 https://www.vgt.pl/font/roboto/Roboto-Medium.eot", "https://www.vgt.pl/font/roboto/Roboto-Regular.ttf \u2022 https://www.vgt.pl/font/roboto/Roboto-Thin.eot", "https://www.vgt.pl/static/js/bootstrap-typeahead.js.179.252.2", "https://www.vgt.pl/font/roboto/Roboto-Thin.ttf \u2022 https://www.vgt.pl/static/js/bootstrap-typeahead.js", "https://www.vgt.pl/font/roboto/Roboto-Regular.eot \u2022 https://www.vgt.pl/94.152.156.22/logo.png \u2022 https://www.vgt.pl/css/", "vgt.pl \u2022 www.hak.vgt.pl \u2022 www.localhost.vgt.pl \u2022 www.certyfikat.vgt.pl \u2022 aristocrat.vgt.pl", "https://www.vgt.pl/ phishing \u2022 https://vgt.pl/ \u2022www.vgt.pl \u2022 https://www.vgt.pl/94.152.152.233/images/logo.png", "http://www.pornokind.vgt.pl \u2022 https://dbkuewww.m.vgt.pl \u2022 https://lokalnyhost.vgt.pl \u2022 www.xn--twj-hna.pedofil.vgt.pl", "http://www.hak.vgt.pl \u2022 http://pornokind.vgt.pl \u2022 http://sip.vgt.pl \u2022 http://smtp-qa.vgt.pl \u2022 http://vgt.pl/*.", "https://pornokind.vgt.pl \u2022 https://sip.vgt.pl \u2022 https://smtp-qa.vgt.pl \u2022 https://www.vgt.pl/94.152.156.22/logo.png", "www.localhost.vgt.pl \u2022 www.certyfikat.vgt.pl \u2022 https://www.vgt.pl/94.152.152.233/images/logo.png", "https://www.vgt.pl/css/ \u2022 https://www.vgt.pl/favicon.ico \u2022 https://www.vgt.pl/font/fa/fontawesome-webfont.eot", "https://www.vgt.pl/font/roboto/Roboto-Bold.eot \u2022 https://www.vgt.pl/font/roboto/Roboto-Bold.ttf \u2022 https://www.vgt.pl/font/roboto/Roboto-Light.eot", "https://www.vgt.pl/static/js/bootstrap-typeahead.jstic/js/bootstrap-typeahead.js", "https://www.vgt.pl/style/style.css \u2022 https://www.vgt.pl/static/js/bootstrap-typeahead.js", "IP Address 94.152.58.192 Location Poland ASN AS29522 h88 s.a. Nameservers ns1.kei.pl. , ns2.kei.pl.", "www.happylifehappywife.com \u2022 http://www.happylifehappywife.com/2010/02/'>", "http://www.happylifehappywife.com/2010/04/'> \u2022 http://www.happylifehappywife.com/2010/05/'>", "http://www.happylifehappywife.com/2010/07/'> \u2022 http://www.happylifehappywife.com/2010/09/'>", "http://www.happylifehappywife.com/2011/06/'> \u2022 http://www.happylifehappywife.com/2011/08/'", "http://www.happylifehappywife.com/2011/08/'> \u2022 http://www.happylifehappywife.com/2012/07/'>", "http://www.happylifehappywife.com/2013/03/'> \u2022 http://www.happylifehappywife.com/index.php", "http://www.happylifehappywife.com/wp-content/themes/theme78222/images/top-right.jpg", "https://amp.mypornvid.fun/videos/8/AhxS-ej1myg/gf-18-com/\ud83c\udf81-i39m-your-present-\ud83c\udf81-girlfriend-surprises-you-for-christmas-reunion-soft-kisses-amp-cuddles", "8-25-220-162-static.reverse.queryfoundry.net\t\t\tNov 1, 2025, 9:34:14 AM\t\t5\t domain\tqueryfoundry.net\t\t\tNov 1, 2025, 9:34:14 AM\t\t8\t URL\thttp://117-114-251-162-static.reverse.queryfoundry.net/", "http://watchhers.net/index.php", "remotewd.com device local", "nr-data.net \u2022 applemusic-spotlight.myunidays.com \u2022 init.ess.apple.com \u2022 tv.apple.com", "https://browntubeporn.com/tsara-brashearsAccept-Language", "https://cg864.myhotzpic.com phishing \u2022 http://dashboard.myhotzpic.com/", "https://myhotzpic.com/tsara-brashears-hardcore-lesbian-sex/anime-studio.org*thumbs-fa...", "https://mypornvid.com/videos/27/x510fb2/white-dpt-jeffrey-reimer-loves-pretty-indian-patient-forces-sex-3gp-video-tsara-brashears/caillou-finger", "http://siteinlink.d1.cnbd.net/search/tsara-brashears-dead \u2022 http://siteinlink.d1.cnbd.net/site/maps.google.com.lb/", "http://siteinlink.d1.cnbd.net/search/tsara-brashears-assaulted-by-jeffrey-reimer", "http://siteinlink.d1.cnbd.net/search/tsara-brashears-dead \u2022 https://videolal.com/videos/tsara-brashears-dead-by-daylight.html", "http://pixelrz.com/lists/keywords/tsara-brashears-dead/360 \u2022 http://pixelrz.com/lists/keywords/tsara-brashears-dead/360] No Expiration\t4\t Domain tsara-brashears-deadspin-twitter-suspended-account-help.ht", "https://www.anyxxxtube.net/search-porn/tsara-brashears/", "https://www.pornhub.com/gifs/search?search=tsara+lynn+brashears+lesbian", "https://www.anyxxxtube.net/search-porn/tsara-brashears/", "https://twitter.com/PORNO_SEXYBABES \u2022 girlsdoporn.com", "Treece Alfrey Musat P.C. Attorneys at Law Christopher P. Ahmann | https://TamLegal.com", "https://urlscan.io/screenshots/e931bb02-80dc-46db-92f0-43d5afa258be.png" ], "public": 1, "adversary": "", "targeted_countries": [], "malware_families": [ { "id": "TrojanSpy:Win32/Nivdort", "display_name": "TrojanSpy:Win32/Nivdort", "target": "/malware/TrojanSpy:Win32/Nivdort" }, { "id": "Worm:Win32/Autorun", "display_name": "Worm:Win32/Autorun", "target": "/malware/Worm:Win32/Autorun" }, { "id": "Tofsee", "display_name": "Tofsee", "target": null }, { "id": "Jaik", "display_name": "Jaik", "target": null }, { "id": "Trojan:Win32/Qshell", "display_name": "Trojan:Win32/Qshell", "target": "/malware/Trojan:Win32/Qshell" }, { "id": "Trojan:Win32/Mydoom", "display_name": "Trojan:Win32/Mydoom", "target": "/malware/Trojan:Win32/Mydoom" } ], "attack_ids": [ { "id": "T1045", "name": "Software Packing", "display_name": "T1045 - Software Packing" }, { "id": "T1057", "name": "Process Discovery", "display_name": "T1057 - Process Discovery" }, { "id": "T1060", "name": "Registry Run Keys / Startup Folder", "display_name": "T1060 - Registry Run Keys / Startup Folder" }, { "id": "T1053", "name": "Scheduled Task/Job", "display_name": "T1053 - Scheduled Task/Job" }, { "id": "T1055", "name": "Process Injection", "display_name": "T1055 - Process Injection" }, { "id": "T1082", "name": "System Information Discovery", "display_name": "T1082 - System Information Discovery" }, { "id": "T1112", "name": "Modify Registry", "display_name": "T1112 - Modify Registry" }, { "id": "T1119", "name": "Automated Collection", "display_name": "T1119 - Automated Collection" }, { "id": "T1129", "name": "Shared Modules", "display_name": "T1129 - Shared Modules" }, { "id": "T1143", "name": "Hidden Window", "display_name": "T1143 - Hidden Window" }, { "id": "T1063", "name": "Security Software Discovery", "display_name": "T1063 - Security Software Discovery" }, { "id": "T1027", "name": "Obfuscated Files or Information", "display_name": "T1027 - Obfuscated Files or Information" }, { "id": "T1071", "name": "Application Layer Protocol", "display_name": "T1071 - Application Layer Protocol" }, { "id": "T1518", "name": "Software Discovery", "display_name": "T1518 - Software Discovery" }, { "id": "T1553", "name": "Subvert Trust Controls", "display_name": "T1553 - Subvert Trust Controls" }, { "id": "T1568", "name": "Dynamic Resolution", "display_name": "T1568 - Dynamic Resolution" }, { "id": "T1583", "name": "Acquire Infrastructure", "display_name": "T1583 - Acquire Infrastructure" }, { "id": "T1069", "name": "Permission Groups Discovery", "display_name": "T1069 - Permission Groups Discovery" }, { "id": "T1105", "name": "Ingress Tool Transfer", "display_name": "T1105 - Ingress Tool Transfer" }, { "id": "T1113", "name": "Screen Capture", "display_name": "T1113 - Screen Capture" }, { "id": "T1140", "name": "Deobfuscate/Decode Files or Information", "display_name": "T1140 - Deobfuscate/Decode Files or Information" }, { "id": "T1197", "name": "BITS Jobs", "display_name": "T1197 - BITS Jobs" }, { "id": "T1210", "name": "Exploitation of Remote Services", "display_name": "T1210 - Exploitation of Remote Services" }, { "id": "T1457", "name": "Malicious Media Content", "display_name": "T1457 - Malicious Media Content" }, { "id": "T1480", "name": "Execution Guardrails", "display_name": "T1480 - Execution Guardrails" }, { "id": "T1562", "name": "Impair Defenses", "display_name": "T1562 - Impair Defenses" }, { "id": "T1574", "name": "Hijack Execution Flow", "display_name": "T1574 - Hijack Execution Flow" } ], "industries": [], "TLP": "green", "cloned_from": "691f4d4ef0a2a570b8b21cd2", "export_count": 2, "upvotes_count": 0, "downvotes_count": 0, "votes_count": 0, "locked": false, "pulse_source": "web", "validator_count": 0, "comment_count": 0, "follower_count": 0, "vote": 0, "author": { "username": "Q.Vashti", "id": "337942", "avatar_url": "https://otx.alienvault.com/assets/images/default-avatar.png", "is_subscribed": false, "is_following": false }, "indicator_type_counts": { "URL": 8897, "domain": 2102, "hostname": 2867, "FileHash-SHA256": 3886, "FileHash-MD5": 619, "FileHash-SHA1": 555, "CVE": 3, "email": 5, "SSLCertFingerprint": 8 }, "indicator_count": 18942, "is_author": false, "is_subscribing": null, "subscriber_count": 137, "modified_text": "89 days ago ", "is_modified": true, "groups": [], "in_group": false, "threat_hunter_scannable": true, "threat_hunter_has_agents": 1, "related_indicator_type": "URL", "related_indicator_is_active": 1 } ], "error": null, "vt": { "error": "VirusTotal rate limit reached. Try again shortly.", "indicator": "https://git.spywarewatchdog.org", "type": "URL" }, "abuseipdb": null, "urlhaus": { "indicator": "https://git.spywarewatchdog.org", "type": "URL", "found": false, "verdict": "clean", "error": null }, "from_cache": true, "_cached_at": 1776627831.775322 }