{ "type": "URL", "indicator": "https://mscsoftware.com.br", "general": { "sections": [ "general", "url_list", "http_scans", "screenshot" ], "indicator": "https://mscsoftware.com.br", "type": "url", "type_title": "URL", "validation": [], "base_indicator": { "id": 4123959981, "indicator": "https://mscsoftware.com.br", "type": "URL", "title": "", "description": "", "content": "", "access_type": "public", "access_reason": "" }, "pulse_info": { "count": 5, "pulses": [ { "id": "68d2fd7e5c6df3c8a73f2852", "name": "ActionList_CCC", "description": "Crowdsourced IDS rules: \n*Matches rule PROTOCOL-ICMP PATH MTU denial of service attempt \n*Matches rule PROTOCOL-ICMP Destination Unreachable Fragmentation Needed and DF bit was set\n*Matches rule PROTOCOL-ICMP Echo Reply\nUnique rule identifier:\nThis rule belongs to a private collection.", "modified": "2025-10-23T19:04:11.359000", "created": "2025-09-23T20:05:18.056000", "tags": [ "iframe tags", "learn", "alienvault", "open threat", "oc0006 http", "wininet c0005", "c0014", "http traffic", "match info", "info", "http get", "null target", "downloads", "https http", "ta0004 process", "injection t1055", "match low", "mutexes nothing", "data", "datacrashpad", "edge", "type data", "accept", "gmt ifnonematch", "url data", "ip address", "port", "cname", "involved dns", "name response", "nxdomain", "country name", "involved direct", "udp connections", "google tag", "gtmkvjvztk", "actionlistccc" ], "references": [], "public": 1, "adversary": "", "targeted_countries": [], "malware_families": [], "attack_ids": [ { "id": "T1056", "name": "Input Capture", "display_name": "T1056 - Input Capture" }, { "id": "T1036", "name": "Masquerading", "display_name": "T1036 - Masquerading" }, { "id": "T1055", "name": "Process Injection", "display_name": "T1055 - Process Injection" }, { "id": "T1070", "name": "Indicator Removal on Host", "display_name": "T1070 - Indicator Removal on Host" }, { "id": "T1071", "name": "Application Layer Protocol", "display_name": "T1071 - Application Layer Protocol" }, { "id": "T1082", "name": "System Information Discovery", "display_name": "T1082 - System Information Discovery" }, { "id": "T1083", "name": "File and Directory Discovery", "display_name": "T1083 - File and Directory Discovery" }, { "id": "T1095", "name": "Non-Application Layer Protocol", "display_name": "T1095 - Non-Application Layer Protocol" }, { "id": "T1105", "name": "Ingress Tool Transfer", "display_name": "T1105 - Ingress Tool Transfer" }, { "id": "T1571", "name": "Non-Standard Port", "display_name": "T1571 - Non-Standard Port" }, { "id": "T1573", "name": "Encrypted Channel", "display_name": "T1573 - Encrypted Channel" } ], "industries": [], "TLP": "green", "cloned_from": null, "export_count": 2, "upvotes_count": 0, "downvotes_count": 0, "votes_count": 0, "locked": false, "pulse_source": "web", "validator_count": 0, "comment_count": 0, "follower_count": 0, "vote": 0, "author": { "username": "Q.Vashti", "id": "337942", "avatar_url": "https://otx.alienvault.com/assets/images/default-avatar.png", "is_subscribed": false, "is_following": false }, "indicator_type_counts": { "FileHash-MD5": 137, "FileHash-SHA1": 135, "FileHash-SHA256": 2018, "domain": 132, "hostname": 274, "URL": 365 }, "indicator_count": 3061, "is_author": false, "is_subscribing": null, "subscriber_count": 137, "modified_text": "178 days ago ", "is_modified": true, "groups": [], "in_group": false, "threat_hunter_scannable": true, "threat_hunter_has_agents": 1, "related_indicator_type": "URL", "related_indicator_is_active": 1 }, { "id": "68c6026160a826c170a8ce93", "name": "Mira - Targeted attacks that demolished victim/s Media Platforms", "description": "Targeted attacks that demolished victim/s Media Platforms. \nDangerous crowd, bullied till the end, murder attempted hit by a vehicle many times on a one way. 22 year old who walked after attempting to drive her off I-25 Denver. Suffered more life threatening injuries. \nMonitored target. Crime: unwilling female trapped under nasty physical therapists crotch. No charges, no questions. No treatments except one SCI surgery that was 5 years too late. \nDenver is nuts. Denver law enforcement , quasi government , CBI & attorneys are corrupted. There\u2019s something to the wicked DIA theories. I wonder how many others have been silenced to death behind corporate greed. The PT who caused all\nof this is thoroughly treated as a victim. Family moved to safety? She was never the threat. TLB will always rest assured sheltered in the arms of God like she believed.\n#theft #rip #paypal #drive-by_compromise #mira #spotify #youtube #trulymissed", "modified": "2025-10-13T22:27:44.477000", "created": "2025-09-13T23:46:41.355000", "tags": [ "http traffic", "iframe src", "https http", "re att", "access ta0001", "t1189 severity", "info found", "command", "control ta0011", "protocol t1071", "info", "resolved ips", "ip traffic", "pattern domains", "pattern urls", "tls sni", "get http", "dns resolutions", "windows nt", "win64", "khtml", "gecko", "response", "user", "rules not", "registry keys", "detections not", "found mitre", "info ids", "sandbox", "number", "algorithm", "azure rsa", "tls issuing", "cus subject", "stwa lredmond", "cnmicrosoft ecc", "update secure", "server ca", "omicrosoft cus", "ip address", "port", "http", "url data", "accept", "gmt ifnonematch", "network dropped", "duration cuckoo", "version file", "machine label", "manager", "shutdown", "udp connections", "http requests", "cname", "nxdomain", "involved direct", "country name", "parent pid", "full path", "command line", "t1055 process", "layer protocol", "access t1189", "defense evasion", "discovery t1082", "control t1573", "youtube", "spotify", "spotify", "colorado blows" ], "references": [ "https://forward.ro/", "https://vtbehaviour.commondatastorage.googleapis.com/db4e2e018a3e7f1227d7ee73590290cbd2c5f85083d7d2cd2bfbfce2d86bc85b_Zenbox.html?GoogleAccessId=758681729565-rc7fgq07icj8c9dm2gi34a4cckv235v1@developer.gserviceaccount.com&Expires=1757802136&Signature=ZMB94nTTqlBqbckg%2Bto3APyffn72wQ8c%2BtAJCCTNE3HE7lF3WYAXyjdMPB0xKY6TVdQIXYiGj6C8cK925JJttjjW91Be%2BG5oJQ2Tkmou66cPgSgOdOAQEKXq2RNXSvvZUTKgJSbxJritEPsUDcE%2FOZrDG1fY%2FtVq7cxQdLdhKacpB%2FiFLNzlcCWDCLJtwGhyRwoESchlxvvy%2Bazy40CNs35Eiw1rci3tBqQS97F7mBV1GnSrz%2FFZKh", "http://clients2.google.com/time/1/current?cup2key=8:ZnsjfqkCHZe8ziQKNl-PZVHX2EXyFv9m6Q0Dnd_a_t8&cup2hreq=e3b0c44298fc1c149afbf4c8996fb92427ae41e4649b934ca495991b7852b855", "Colorado corruption will be exposed one day.", "Discovery of targets pirated music led to her website down the next day! After 9 years?", "These greedy people & government grifters steal money from victims, including life insurance policies", "Stop following targets relatives everywhere , associates. Stop circling former residence..", "Targets mother passed in 2014. So much malicious activity obituary had to be taken down when hackers put target in obituary", "Targets mother died in her bed in Castke Rock, Douglasc County, Colorado", "Moms body moved by Douglas County to Jefferson County after cause of death ruled natural causes.", "Jefferson County, Coroner falsely states Mom died in car accident in Lakewood on death certificate .", "This information was brought to target by concerned entities who handled body.", "Off subject: Don\u2019t try to kill Tucker Carlson for asking valid questions about an apparent murder Sam.", "First they discredit you, wear you down mentally , hunt you down , then\u2026.They have to deal with God.", "Sorry! I can\u2019t help being upset about the unfairness of this constant cruel harassment.", "Jeffrey Scott Reiner was considered a skilled predator by Bryan Counts MD. He later attacked target." ], "public": 1, "adversary": "", "targeted_countries": [ "United States of America" ], "malware_families": [ { "id": "All", "display_name": "All", "target": null } ], "attack_ids": [ { "id": "T1071", "name": "Application Layer Protocol", "display_name": "T1071 - Application Layer Protocol" }, { "id": "T1189", "name": "Drive-by Compromise", "display_name": "T1189 - Drive-by Compromise" }, { "id": "T1573", "name": "Encrypted Channel", "display_name": "T1573 - Encrypted Channel" }, { "id": "T1055", "name": "Process Injection", "display_name": "T1055 - Process Injection" }, { "id": "T1082", "name": "System Information Discovery", "display_name": "T1082 - System Information Discovery" }, { "id": "T1095", "name": "Non-Application Layer Protocol", "display_name": "T1095 - Non-Application Layer Protocol" }, { "id": "T1210", "name": "Exploitation of Remote Services", "display_name": "T1210 - Exploitation of Remote Services" }, { "id": "T1566", "name": "Phishing", "display_name": "T1566 - Phishing" } ], "industries": [ "Government", "Financial", "Media", "Targets" ], "TLP": "white", "cloned_from": null, "export_count": 2, "upvotes_count": 0, "downvotes_count": 0, "votes_count": 0, "locked": false, "pulse_source": "web", "validator_count": 0, "comment_count": 0, "follower_count": 0, "vote": 0, "author": { "username": "Q.Vashti", "id": "337942", "avatar_url": "https://otx.alienvault.com/assets/images/default-avatar.png", "is_subscribed": false, "is_following": false }, "indicator_type_counts": { "URL": 781, "hostname": 339, "FileHash-SHA256": 697, "FileHash-MD5": 112, "domain": 152, "FileHash-SHA1": 2 }, "indicator_count": 2083, "is_author": false, "is_subscribing": null, "subscriber_count": 138, "modified_text": "188 days ago ", "is_modified": true, "groups": [], "in_group": false, "threat_hunter_scannable": true, "threat_hunter_has_agents": 1, "related_indicator_type": "URL", "related_indicator_is_active": 1 }, { "id": "68c5e45fc1d3140ac91158ec", "name": "Drive by Compromise adversely impacted Social Media accounts", "description": "Exploitation to control at least one targeted users Social Media accounts, photo albums, clouds. Many deleted accounts, family photos, digital media, financial data, views, followers, intellectual property deleted and distributed to other artists , redirects. YouTube, Google, Spotify, Meta , Facebook.\n\nMonitored target. Crime: in the receiving end of an assaulters uncontrolled pelvis.\n\nRequires further research.\n#tag #framing #intellectual_property #theft #digital_attack", "modified": "2025-10-13T21:18:10.129000", "created": "2025-09-13T21:38:39.818000", "tags": [ "tries indicator", "loading", "script urls", "present sep", "meta", "script domains", "443 ma2592000", "certificate", "response ip", "address google", "present jun", "body", "encrypt", "utc na", "utc facebook", "custom audience", "utc google", "tag manager", "gtmnf34hh2d", "utc gb4qwskls89", "language", "html internet", "html document", "unicode text", "utf8 text", "crlf", "lf line", "doctype", "algorithm", "key identifier", "x509v3 subject", "data", "v3 serial", "number", "cus olet", "encrypt cnr10", "validity", "subject public", "resolved ips", "http traffic", "iframe src", "https http", "access ta0001", "t1189 severity", "info found", "command", "control ta0011", "protocol t1071", "match low", "info", "talents", "get http", "dns resolutions", "mitre att", "ip traffic", "pattern domains", "pattern urls", "tls sni", "youtube", "spotify", "social media", "google", "sabey type", "rexx type", "foundry type", "initial access", "paypal", "monitored target", "hallrender resources", "brian sabey charge", "quasi" ], "references": [ "https://forward.ro/talents/mira/ redirects to forward.ro", "Resolves to a suspicious TLD - \t encore.scdn.co", "Iframe src: https://www.youtube.com/embed/nuxT76ndwYY", "Iframe src: https://open.spotify.com/embed/artist/2nMFC7hWK0haX8ilvRpb59?utm_source=generator", "Iframe src: https://www.youtube.com/embed/SEBW2mh1jvY", "Iframe src: https://www.youtube.com/embed/o8_jPaXfxWY", "Dates back to a malicious ongoing Brian Sabey HallRender attacks using various malicious resources", "partnerapi.spotify.net \u2022 youtube.ru" ], "public": 1, "adversary": "", "targeted_countries": [ "United States of America" ], "malware_families": [], "attack_ids": [ { "id": "T1071", "name": "Application Layer Protocol", "display_name": "T1071 - Application Layer Protocol" }, { "id": "T1189", "name": "Drive-by Compromise", "display_name": "T1189 - Drive-by Compromise" }, { "id": "T1573", "name": "Encrypted Channel", "display_name": "T1573 - Encrypted Channel" }, { "id": "T1585.001", "name": "Social Media Accounts", "display_name": "T1585.001 - Social Media Accounts" }, { "id": "T1068", "name": "Exploitation for Privilege Escalation", "display_name": "T1068 - Exploitation for Privilege Escalation" }, { "id": "T1413", "name": "Access Sensitive Data in Device Logs", "display_name": "T1413 - Access Sensitive Data in Device Logs" }, { "id": "T1463", "name": "Manipulate Device Communication", "display_name": "T1463 - Manipulate Device Communication" }, { "id": "T1210", "name": "Exploitation of Remote Services", "display_name": "T1210 - Exploitation of Remote Services" }, { "id": "TA0001", "name": "Initial Access", "display_name": "TA0001 - Initial Access" }, { "id": "TA0011", "name": "Command and Control", "display_name": "TA0011 - Command and Control" } ], "industries": [ "Media", "Technology", "Government", "Financial" ], "TLP": "white", "cloned_from": null, "export_count": 0, "upvotes_count": 0, "downvotes_count": 0, "votes_count": 0, "locked": false, "pulse_source": "web", "validator_count": 0, "comment_count": 0, "follower_count": 0, "vote": 0, "author": { "username": "Q.Vashti", "id": "337942", "avatar_url": "https://otx.alienvault.com/assets/images/default-avatar.png", "is_subscribed": false, "is_following": false }, "indicator_type_counts": { "URL": 179, "domain": 55, "hostname": 121, "FileHash-SHA1": 3, "FileHash-SHA256": 560, "FileHash-MD5": 112, "email": 4 }, "indicator_count": 1034, "is_author": false, "is_subscribing": null, "subscriber_count": 139, "modified_text": "188 days ago ", "is_modified": true, "groups": [], "in_group": false, "threat_hunter_scannable": true, "threat_hunter_has_agents": 1, "related_indicator_type": "URL", "related_indicator_is_active": 1 }, { "id": "68bc597c34358af14891a484", "name": "A State: Government Financial Department affected by malware and threat actors", "description": "A State Governmental Financial Department contacted. Lightly researched link below.\nFinal URL: https://www.palantir.com/blocked/?blocker=Envoy&ip=35.243.23.172&vpcEndpoint=&errorInstanceId=b8ae0a73-8c2d-4d81-a6ea-ee53943e9485&targetDomain=millet-usgc-1.palantirfedstart. | 403 Code - contacted |", "modified": "2025-10-06T15:03:41.536000", "created": "2025-09-06T15:55:40.069000", "tags": [ "status", "united", "unknown ns", "search", "certificate", "passive dns", "urls", "record value", "emails", "date", "title", "present jul", "script urls", "security", "a domains", "script domains", "read", "meta", "443 ma86400", "next associated", "files show", "serving ip", "address", "status code", "body length", "b body", "sha256", "gmt server", "extraction f", "enter so", "type", "u extraction", "data upload", "extraction", "orbrop", "present aug", "present jun", "present oct", "entries", "present apr", "present nov", "gtmpsl84dj", "resolved ips", "c0002 wininet", "data", "datacrashpad", "edge", "url data", "accept", "gmt ifnonematch", "address port", "cname", "response", "nxdomain", "name n", "creation date", "domain add", "pulse pulses", "files", "ip address", "location united", "asn as13335", "whois registrar" ], "references": [], "public": 1, "adversary": "", "targeted_countries": [], "malware_families": [], "attack_ids": [ { "id": "T1027", "name": "Obfuscated Files or Information", "display_name": "T1027 - Obfuscated Files or Information" } ], "industries": [], "TLP": "green", "cloned_from": null, "export_count": 3, "upvotes_count": 0, "downvotes_count": 0, "votes_count": 0, "locked": false, "pulse_source": "web", "validator_count": 0, "comment_count": 0, "follower_count": 0, "vote": 0, "author": { "username": "Q.Vashti", "id": "337942", "avatar_url": "https://otx.alienvault.com/assets/images/default-avatar.png", "is_subscribed": false, "is_following": false }, "indicator_type_counts": { "URL": 1785, "domain": 710, "hostname": 949, "FileHash-SHA256": 864, "email": 4, "CVE": 3, "FileHash-MD5": 27, "FileHash-SHA1": 27 }, "indicator_count": 4369, "is_author": false, "is_subscribing": null, "subscriber_count": 140, "modified_text": "195 days ago ", "is_modified": true, "groups": [], "in_group": false, "threat_hunter_scannable": true, "threat_hunter_has_agents": 1, "related_indicator_type": "URL", "related_indicator_is_active": 1 }, { "id": "68abf66e97031d0ff0c04fed", "name": "Packed sentient.industries links to a targets business website", "description": "Very malicious link found in a targets business.\nPacked. Needs to be categorized.\n(FoundryPalantir rich?) Tracking, hacking, and serious espionage.\nAvailable public Information: \nSENTIENT INDUSTRIES\nsentient.industries\nSentient industries provides design and engineering services, from prototyping to small-batch manufacturing, empowering clients to overcome complex challenges. |\nMore about sentient\nMission sentient accelerates mission critical technology for\u2026\nSENTIENT INDUSTRIES\nAccelerating mission-critical tech for disaster response, defense ...\nContact Now\nAustin, tx 78758. United States. EMAIL us. info@sentient \n\nWorse than it looks. Spying on a several threat researchers.", "modified": "2025-09-24T04:04:05.604000", "created": "2025-08-25T05:36:46.327000", "tags": [ "moved", "body", "x cache", "cloudfront x", "cph50 c2", "certificate", "record value", "title", "h1 center", "server", "redacted for", "servers", "name redacted", "for privacy", "name servers", "org data", "privacy city", "privacy country", "ca creation", "passive dns", "urls", "files", "ip address", "asn as57033", "less whois", "registrar", "tucows domains", "key identifier", "data", "v3 serial", "number", "cat ozerossl", "cnzerossl ecc", "domain secure", "site ca", "validity", "subject public", "extraction", "data upload", "extra data", "include review", "find", "failed", "typ no", "ms windows", "intel", "pe32", "united", "search", "as16509", "from win32bios", "show", "high", "medium", "delphi", "copy", "write", "launcher", "next", "present aug", "present jul", "lowfi", "win32", "a div", "div div", "learn xml", "babylon", "win64", "trojan", "colors", "python", "learn", "ck id", "name tactics", "suspicious", "informative", "command", "adversaries", "spawns", "mitre att", "ck techniques", "et info", "tls handshake", "bad traffic", "failure", "date", "august", "hybrid", "general", "path", "starfield", "click", "strings", "se bethseda", "n bethseda", "n data", "error", "date checked", "url hostname", "server response", "google safe", "results aug", "read c", "tlsv1", "port", "destination", "module load", "execution", "dock", "persistence", "malware", "unknown", "cname", "aaaa", "creation date", "showing", "domain", "dga domains", "palantirfoundry", "foundry", "status", "unknown ns", "g2 tls", "rsa sha256", "italy unknown", "mtb may", "trojandropper", "invalid url", "next associated", "ddos", "body html", "hacktool", "ipv4", "url analysis", "ukraine", "encrypt", "rl add", "http", "hostname", "files domain", "files related", "related tags", "present jun", "entries", "title error", "all ipv4", "reverse dns", "yara detections", "top source", "top destination", "source source", "sha256 add", "pulse pulses", "av detections", "ids detections", "alerts", "analysis date", "address range", "cidr", "network name", "allocation type", "whois server", "entity amazon4", "handle", "canada unknown", "content type", "javascript src", "script script", "x powered", "ipv4 add", "pulse submit", "submit url", "analysis", "url add", "related nids", "files location", "canada flag", "canada hostname", "unknown aaaa", "ascii text", "user agent", "powershell", "agent", "czechia unknown", "domain add", "dynamicloader", "hostname add", "pentagon", "defense" ], "references": [ "sentient.industries affects independent artists. Affects several others.", "Bethseda Map - Yara Detections Delphi , InnoSetupInstaller", "Bethseda Map - High Priority Alerts: ransomware_file_moves ransomware_appends_extensions", "Bethseda Map - High Priority Alerts: dumped_buffer2 antisandbox_mouse_hook", "Bethseda Map - High Priority Alerts: modifies_certificates ransomware_dropped_files", "Bethseda Map - High Priority Alerts: ransomware_mass_file_delete antivm_firmware", "Bethseda Map - High Priority Alerts: antiemu_wine banker_zeus_p2p", "https://download.mobiledit.com/drivers/setup_cdd_apple_1_0_10_0.exe", "https://forensic.manuals.mobiledit.com/MM/how-to-install-correct-apple-drivers", "prod.foundry.tylertechai.com \u2022 qa.foundry.tylertechai.com \u2022 staging.foundry.tylertechai.com \u2022", "talos-staging.palantirfoundry.com \u2022 tylertechai.com \u2022 Palantir Technologies Inc.\u2022 palantirfoundry.com", "Affects : Kailula4 , scnrscnr, SongCulture, Tsara Brashears & associated, ScrnrScrnr , dorkingbeauty", "Interesting widgets: https://myid.canon/prd/1.1.30/canonid-assets/gcid-widget.html", "http://link.monetizer101.com/widget/custom-2.0.2/templates/1", "https://widget-i18n.tiktokv.com.ttdns2.com/ \u2022 https://stella.demand-iq.com/widget", "widget-va.tiktokv.com.ttdns2.com \u2022 http://widget-i18n.tiktokv.com.ttdns2.com/", "http://link.monetizer101.com/widget/custom-2.0.3/js/load.min.js \u2022", "https://link.monetizer101.com/widget/code/595.js \u2022 https://link.monetizer101.com/widget/code/1343.js", "https://link.monetizer101.com/widget/code/1511.js \u2022 https://link.monetizer101.com/widget/code/mirror.js", "https://link.monetizer101.com/widget/code/dailystaruk.js", "https://download.mobiledit.com/drivers/setup_cdd_apple_1_0_10_0.exe", "https://forensic.manuals.mobiledit.com/MM/how-to-install-correct-apple-drivers (ASP.NET)", "Interesting Strings: https://pro-api.coinmarketcap.com/v2/cryptocurrency/quotes/historical", "(Can't access file- Malware infection files)", "Potential reparations: Spyware , Trojan , Pegasus , DNS , Graphite , Paragon , NSO Group , Endgame , Cloudfront", "constellation.pcfrpegaservice.net (Pegasus related? idk)", "On behalf of pcfrpegaservice.net owner Name Servers\tNS-1477.AWSDNS-56.ORG Org\tIdentity Protection Service", "TrojanWin32Scoreem - CodeOverlap [616fc7047d6216f7a604fa90f2f2dd0ad5b12f1153137e43858d3421ba964ea4]", "I have to breakdown this enormous post over time. I\u2019m going to repost a potential hackers similar post", "Remotewd.com devices", "If you find anything interesting please research it." ], "public": 1, "adversary": "", "targeted_countries": [ "United States of America" ], "malware_families": [ { "id": "nUFS_inno", "display_name": "nUFS_inno", "target": null }, { "id": "#Lowfi:HSTR:MSIL/Malicious", "display_name": "#Lowfi:HSTR:MSIL/Malicious", "target": null }, { "id": "ALF:JASYP:PUA:Win32/Bibado", "display_name": "ALF:JASYP:PUA:Win32/Bibado", "target": null }, { "id": "Trojan:Win32/Toga", "display_name": "Trojan:Win32/Toga", "target": "/malware/Trojan:Win32/Toga" }, { "id": "Win32:Downloader-GJK\\ [Trj]", "display_name": "Win32:Downloader-GJK\\ [Trj]", "target": null }, { "id": "Win.Downloader.109205-1", "display_name": "Win.Downloader.109205-1", "target": null }, { "id": "Custom Malware", "display_name": "Custom Malware", "target": null }, { "id": "#LowFiEnableDTContinueAfterUnpacking", "display_name": "#LowFiEnableDTContinueAfterUnpacking", "target": null }, { "id": "Win32:Downloader-GJK\\ [Trj]", "display_name": "Win32:Downloader-GJK\\ [Trj]", "target": null }, { "id": "Win.Downloader.109205-1", "display_name": "Win.Downloader.109205-1", "target": null }, { "id": "Win.Trojan.Jorik-149", "display_name": "Win.Trojan.Jorik-149", "target": null }, { "id": "#LowFiDetectsVmWare", "display_name": "#LowFiDetectsVmWare", "target": null }, { "id": "Win.Trojan.Jorik-130", "display_name": "Win.Trojan.Jorik-130", "target": null }, { "id": "Win.Trojan.Fakecodecs-119", "display_name": "Win.Trojan.Fakecodecs-119", "target": null }, { "id": "Trojan:Win32/Zombie.A", "display_name": "Trojan:Win32/Zombie.A", "target": "/malware/Trojan:Win32/Zombie.A" }, { "id": "Win.Trojan.Bulz-9860169-0", "display_name": "Win.Trojan.Bulz-9860169-0", "target": null }, { "id": "Win.Malware.Midie-6847892-0", "display_name": "Win.Malware.Midie-6847892-0", "target": null }, { "id": "TrojanDropper:Win32/Muldrop.V!MTB", "display_name": "TrojanDropper:Win32/Muldrop.V!MTB", "target": "/malware/TrojanDropper:Win32/Muldrop.V!MTB" }, { "id": "Win.Packed.Razy-9785185-0", "display_name": "Win.Packed.Razy-9785185-0", "target": null }, { "id": "Trojan:Win32/Glupteba.MT!MTB", "display_name": "Trojan:Win32/Glupteba.MT!MTB", "target": "/malware/Trojan:Win32/Glupteba.MT!MTB" }, { "id": "PWS", "display_name": "PWS", "target": null }, { "id": "DDOS:Win32/Stormser.A", "display_name": "DDOS:Win32/Stormser.A", "target": "/malware/DDOS:Win32/Stormser.A" }, { "id": "ALF:HSTR:DotNET", "display_name": "ALF:HSTR:DotNET", "target": null }, { "id": "DotNET", "display_name": "DotNET", "target": null }, { "id": "Script Exploit", "display_name": "Script Exploit", "target": null }, { "id": "HackTool:Win32/AutoKMS", "display_name": "HackTool:Win32/AutoKMS", "target": "/malware/HackTool:Win32/AutoKMS" }, { "id": "Xanfpezes.A", "display_name": "Xanfpezes.A", "target": null }, { "id": "Trojan:Win32/Gandcrab", "display_name": "Trojan:Win32/Gandcrab", "target": "/malware/Trojan:Win32/Gandcrab" }, { "id": "Win.Trojan.Generic-9862772-0", "display_name": "Win.Trojan.Generic-9862772-0", "target": null }, { "id": "Trojan:Win32/Zbot.SIBL!MTB", "display_name": "Trojan:Win32/Zbot.SIBL!MTB", "target": "/malware/Trojan:Win32/Zbot.SIBL!MTB" }, { "id": "Win32/Nemucod", "display_name": "Win32/Nemucod", "target": null }, { "id": "ALF:HeraklezEval:TrojanDownloader:HTML/Adodb!rfn", "display_name": "ALF:HeraklezEval:TrojanDownloader:HTML/Adodb!rfn", "target": null }, { "id": "Trojan:Win32/Blihan.A", "display_name": "Trojan:Win32/Blihan.A", "target": "/malware/Trojan:Win32/Blihan.A" }, { "id": "TrojanDropper:Win32/Muldrop", "display_name": "TrojanDropper:Win32/Muldrop", "target": "/malware/TrojanDropper:Win32/Muldrop" }, { "id": "ALF:HeraklezEval:Trojan:Win32/Ymacco.AA47", "display_name": "ALF:HeraklezEval:Trojan:Win32/Ymacco.AA47", "target": null }, { "id": "Win.Malware.Kolab-9885903-0", "display_name": "Win.Malware.Kolab-9885903-0", "target": null }, { "id": "Win.Malware (30)", "display_name": "Win.Malware (30)", "target": null }, { "id": "Ransom", "display_name": "Ransom", "target": null }, { "id": "#Lowfi:HSTR:MSIL/Malicious.Decryption", "display_name": "#Lowfi:HSTR:MSIL/Malicious.Decryption", "target": null }, { "id": "E5", "display_name": "E5", "target": null }, { "id": "MyDoom", "display_name": "MyDoom", "target": null } ], "attack_ids": [ { "id": "T1047", "name": "Windows Management Instrumentation", "display_name": "T1047 - Windows Management Instrumentation" }, { "id": "T1060", "name": "Registry Run Keys / Startup Folder", "display_name": "T1060 - Registry Run Keys / Startup Folder" }, { "id": "T1119", "name": "Automated Collection", "display_name": "T1119 - Automated Collection" }, { "id": "T1027", "name": "Obfuscated Files or Information", "display_name": "T1027 - Obfuscated Files or Information" }, { "id": "T1057", "name": "Process Discovery", "display_name": "T1057 - Process Discovery" }, { "id": "T1071", "name": "Application Layer Protocol", "display_name": "T1071 - Application Layer Protocol" }, { "id": "T1105", "name": "Ingress Tool Transfer", "display_name": "T1105 - Ingress Tool Transfer" }, { "id": "T1480", "name": "Execution Guardrails", "display_name": "T1480 - Execution Guardrails" }, { "id": "T1553", "name": "Subvert Trust Controls", "display_name": "T1553 - Subvert Trust Controls" }, { "id": "T1583", "name": "Acquire Infrastructure", "display_name": "T1583 - Acquire Infrastructure" }, { "id": "T1113", "name": "Screen Capture", "display_name": "T1113 - Screen Capture" }, { "id": "T1140", "name": "Deobfuscate/Decode Files or Information", "display_name": "T1140 - Deobfuscate/Decode Files or Information" }, { "id": "T1053", "name": "Scheduled Task/Job", "display_name": "T1053 - Scheduled Task/Job" }, { "id": "T1055", "name": "Process Injection", "display_name": "T1055 - Process Injection" }, { "id": "T1082", "name": "System Information Discovery", "display_name": "T1082 - System Information Discovery" }, { "id": "T1112", "name": "Modify Registry", "display_name": "T1112 - Modify Registry" }, { "id": "T1129", "name": "Shared Modules", "display_name": "T1129 - Shared Modules" }, { "id": "T1143", "name": "Hidden Window", "display_name": "T1143 - Hidden Window" }, { "id": "T1003.008", "name": "/etc/passwd and /etc/shadow", "display_name": "T1003.008 - /etc/passwd and /etc/shadow" }, { "id": "T1110.002", "name": "Password Cracking", "display_name": "T1110.002 - Password Cracking" } ], "industries": [], "TLP": "white", "cloned_from": null, "export_count": 40, "upvotes_count": 0, "downvotes_count": 0, "votes_count": 0, "locked": false, "pulse_source": "web", "validator_count": 0, "comment_count": 0, "follower_count": 0, "vote": 0, "author": { "username": "Q.Vashti", "id": "337942", "avatar_url": "https://otx.alienvault.com/assets/images/default-avatar.png", "is_subscribed": false, "is_following": false }, "indicator_type_counts": { "domain": 6232, "URL": 24908, "hostname": 7993, "FileHash-SHA256": 11128, "email": 6, "FileHash-MD5": 1054, "FileHash-SHA1": 932, "SSLCertFingerprint": 14, "CIDR": 3, "CVE": 3 }, "indicator_count": 52273, "is_author": false, "is_subscribing": null, "subscriber_count": 146, "modified_text": "208 days ago ", "is_modified": true, "groups": [], "in_group": false, "threat_hunter_scannable": true, "threat_hunter_has_agents": 1, "related_indicator_type": "URL", "related_indicator_is_active": 1 } ], "references": [ "https://forward.ro/talents/mira/ redirects to forward.ro", "https://vtbehaviour.commondatastorage.googleapis.com/db4e2e018a3e7f1227d7ee73590290cbd2c5f85083d7d2cd2bfbfce2d86bc85b_Zenbox.html?GoogleAccessId=758681729565-rc7fgq07icj8c9dm2gi34a4cckv235v1@developer.gserviceaccount.com&Expires=1757802136&Signature=ZMB94nTTqlBqbckg%2Bto3APyffn72wQ8c%2BtAJCCTNE3HE7lF3WYAXyjdMPB0xKY6TVdQIXYiGj6C8cK925JJttjjW91Be%2BG5oJQ2Tkmou66cPgSgOdOAQEKXq2RNXSvvZUTKgJSbxJritEPsUDcE%2FOZrDG1fY%2FtVq7cxQdLdhKacpB%2FiFLNzlcCWDCLJtwGhyRwoESchlxvvy%2Bazy40CNs35Eiw1rci3tBqQS97F7mBV1GnSrz%2FFZKh", "widget-va.tiktokv.com.ttdns2.com \u2022 http://widget-i18n.tiktokv.com.ttdns2.com/", "https://forward.ro/", "partnerapi.spotify.net \u2022 youtube.ru", "I have to breakdown this enormous post over time. I\u2019m going to repost a potential hackers similar post", "http://clients2.google.com/time/1/current?cup2key=8:ZnsjfqkCHZe8ziQKNl-PZVHX2EXyFv9m6Q0Dnd_a_t8&cup2hreq=e3b0c44298fc1c149afbf4c8996fb92427ae41e4649b934ca495991b7852b855", "Iframe src: https://open.spotify.com/embed/artist/2nMFC7hWK0haX8ilvRpb59?utm_source=generator", "Discovery of targets pirated music led to her website down the next day! After 9 years?", "Iframe src: https://www.youtube.com/embed/o8_jPaXfxWY", "Bethseda Map - High Priority Alerts: ransomware_file_moves ransomware_appends_extensions", "Affects : Kailula4 , scnrscnr, SongCulture, Tsara Brashears & associated, ScrnrScrnr , dorkingbeauty", "Interesting widgets: https://myid.canon/prd/1.1.30/canonid-assets/gcid-widget.html", "Remotewd.com devices", "https://widget-i18n.tiktokv.com.ttdns2.com/ \u2022 https://stella.demand-iq.com/widget", "Potential reparations: Spyware , Trojan , Pegasus , DNS , Graphite , Paragon , NSO Group , Endgame , Cloudfront", "Dates back to a malicious ongoing Brian Sabey HallRender attacks using various malicious resources", "constellation.pcfrpegaservice.net (Pegasus related? idk)", "https://download.mobiledit.com/drivers/setup_cdd_apple_1_0_10_0.exe", "prod.foundry.tylertechai.com \u2022 qa.foundry.tylertechai.com \u2022 staging.foundry.tylertechai.com \u2022", "If you find anything interesting please research it.", "First they discredit you, wear you down mentally , hunt you down , then\u2026.They have to deal with God.", "Targets mother died in her bed in Castke Rock, Douglasc County, Colorado", "On behalf of pcfrpegaservice.net owner Name Servers\tNS-1477.AWSDNS-56.ORG Org\tIdentity Protection Service", "(Can't access file- Malware infection files)", "Jeffrey Scott Reiner was considered a skilled predator by Bryan Counts MD. He later attacked target.", "Bethseda Map - High Priority Alerts: modifies_certificates ransomware_dropped_files", "https://forensic.manuals.mobiledit.com/MM/how-to-install-correct-apple-drivers (ASP.NET)", "http://link.monetizer101.com/widget/custom-2.0.3/js/load.min.js \u2022", "https://link.monetizer101.com/widget/code/dailystaruk.js", "Resolves to a suspicious TLD - \t encore.scdn.co", "sentient.industries affects independent artists. Affects several others.", "TrojanWin32Scoreem - CodeOverlap [616fc7047d6216f7a604fa90f2f2dd0ad5b12f1153137e43858d3421ba964ea4]", "Targets mother passed in 2014. So much malicious activity obituary had to be taken down when hackers put target in obituary", "Moms body moved by Douglas County to Jefferson County after cause of death ruled natural causes.", "Bethseda Map - High Priority Alerts: antiemu_wine banker_zeus_p2p", "Bethseda Map - High Priority Alerts: ransomware_mass_file_delete antivm_firmware", "Stop following targets relatives everywhere , associates. Stop circling former residence..", "Off subject: Don\u2019t try to kill Tucker Carlson for asking valid questions about an apparent murder Sam.", "These greedy people & government grifters steal money from victims, including life insurance policies", "https://link.monetizer101.com/widget/code/595.js \u2022 https://link.monetizer101.com/widget/code/1343.js", "Colorado corruption will be exposed one day.", "http://link.monetizer101.com/widget/custom-2.0.2/templates/1", "Iframe src: https://www.youtube.com/embed/nuxT76ndwYY", "Sorry! I can\u2019t help being upset about the unfairness of this constant cruel harassment.", "Bethseda Map - Yara Detections Delphi , InnoSetupInstaller", "https://forensic.manuals.mobiledit.com/MM/how-to-install-correct-apple-drivers", "talos-staging.palantirfoundry.com \u2022 tylertechai.com \u2022 Palantir Technologies Inc.\u2022 palantirfoundry.com", "Bethseda Map - High Priority Alerts: dumped_buffer2 antisandbox_mouse_hook", "https://link.monetizer101.com/widget/code/1511.js \u2022 https://link.monetizer101.com/widget/code/mirror.js", "Interesting Strings: https://pro-api.coinmarketcap.com/v2/cryptocurrency/quotes/historical", "This information was brought to target by concerned entities who handled body.", "Iframe src: https://www.youtube.com/embed/SEBW2mh1jvY", "Jefferson County, Coroner falsely states Mom died in car accident in Lakewood on death certificate ." ], "related": { "alienvault": { "adversary": [], "malware_families": [], "industries": [], "unique_indicators": 0 }, "other": { "adversary": [], "malware_families": [ "#lowfi:hstr:msil/malicious.decryption", "Trojan:win32/zombie.a", "Win.packed.razy-9785185-0", "Dotnet", "Win.trojan.jorik-130", "Win.trojan.generic-9862772-0", "Trojan:win32/glupteba.mt!mtb", "Script exploit", "Win.trojan.jorik-149", "Nufs_inno", "Hacktool:win32/autokms", "Win.malware.kolab-9885903-0", "E5", "Custom malware", "Xanfpezes.a", "#lowfienabledtcontinueafterunpacking", "Win32:downloader-gjk\\ [trj]", "Win.trojan.fakecodecs-119", "All", "Win32/nemucod", "Win.downloader.109205-1", "Trojandropper:win32/muldrop", "Trojan:win32/toga", "Alf:hstr:dotnet", "Win.malware (30)", "Trojan:win32/zbot.sibl!mtb", "Ransom", "Win.trojan.bulz-9860169-0", "Pws", "Alf:heraklezeval:trojandownloader:html/adodb!rfn", "Alf:jasyp:pua:win32/bibado", "Ddos:win32/stormser.a", "#lowfidetectsvmware", "Alf:heraklezeval:trojan:win32/ymacco.aa47", "#lowfi:hstr:msil/malicious", "Mydoom", "Win.malware.midie-6847892-0", "Trojandropper:win32/muldrop.v!mtb", "Trojan:win32/gandcrab", "Trojan:win32/blihan.a" ], "industries": [ "Media", "Government", "Targets", "Technology", "Financial" ], "unique_indicators": 61697 } } }, "false_positive": [], "alexa": "http://www.alexa.com/siteinfo/mscsoftware.com.br", "whois": "http://whois.domaintools.com/mscsoftware.com.br", "domain": "mscsoftware.com.br", "hostname": "Unavailable" }, "geo": {}, "geo_ipapicom": {}, "pulse_count": 5, "pulses": [ { "id": "68d2fd7e5c6df3c8a73f2852", "name": "ActionList_CCC", "description": "Crowdsourced IDS rules: \n*Matches rule PROTOCOL-ICMP PATH MTU denial of service attempt \n*Matches rule PROTOCOL-ICMP Destination Unreachable Fragmentation Needed and DF bit was set\n*Matches rule PROTOCOL-ICMP Echo Reply\nUnique rule identifier:\nThis rule belongs to a private collection.", "modified": "2025-10-23T19:04:11.359000", "created": "2025-09-23T20:05:18.056000", "tags": [ "iframe tags", "learn", "alienvault", "open threat", "oc0006 http", "wininet c0005", "c0014", "http traffic", "match info", "info", "http get", "null target", "downloads", "https http", "ta0004 process", "injection t1055", "match low", "mutexes nothing", "data", "datacrashpad", "edge", "type data", "accept", "gmt ifnonematch", "url data", "ip address", "port", "cname", "involved dns", "name response", "nxdomain", "country name", "involved direct", "udp connections", "google tag", "gtmkvjvztk", "actionlistccc" ], "references": [], "public": 1, "adversary": "", "targeted_countries": [], "malware_families": [], "attack_ids": [ { "id": "T1056", "name": "Input Capture", "display_name": "T1056 - Input Capture" }, { "id": "T1036", "name": "Masquerading", "display_name": "T1036 - Masquerading" }, { "id": "T1055", "name": "Process Injection", "display_name": "T1055 - Process Injection" }, { "id": "T1070", "name": "Indicator Removal on Host", "display_name": "T1070 - Indicator Removal on Host" }, { "id": "T1071", "name": "Application Layer Protocol", "display_name": "T1071 - Application Layer Protocol" }, { "id": "T1082", "name": "System Information Discovery", "display_name": "T1082 - System Information Discovery" }, { "id": "T1083", "name": "File and Directory Discovery", "display_name": "T1083 - File and Directory Discovery" }, { "id": "T1095", "name": "Non-Application Layer Protocol", "display_name": "T1095 - Non-Application Layer Protocol" }, { "id": "T1105", "name": "Ingress Tool Transfer", "display_name": "T1105 - Ingress Tool Transfer" }, { "id": "T1571", "name": "Non-Standard Port", "display_name": "T1571 - Non-Standard Port" }, { "id": "T1573", "name": "Encrypted Channel", "display_name": "T1573 - Encrypted Channel" } ], "industries": [], "TLP": "green", "cloned_from": null, "export_count": 2, "upvotes_count": 0, "downvotes_count": 0, "votes_count": 0, "locked": false, "pulse_source": "web", "validator_count": 0, "comment_count": 0, "follower_count": 0, "vote": 0, "author": { "username": "Q.Vashti", "id": "337942", "avatar_url": "https://otx.alienvault.com/assets/images/default-avatar.png", "is_subscribed": false, "is_following": false }, "indicator_type_counts": { "FileHash-MD5": 137, "FileHash-SHA1": 135, "FileHash-SHA256": 2018, "domain": 132, "hostname": 274, "URL": 365 }, "indicator_count": 3061, "is_author": false, "is_subscribing": null, "subscriber_count": 137, "modified_text": "178 days ago ", "is_modified": true, "groups": [], "in_group": false, "threat_hunter_scannable": true, "threat_hunter_has_agents": 1, "related_indicator_type": "URL", "related_indicator_is_active": 1 }, { "id": "68c6026160a826c170a8ce93", "name": "Mira - Targeted attacks that demolished victim/s Media Platforms", "description": "Targeted attacks that demolished victim/s Media Platforms. \nDangerous crowd, bullied till the end, murder attempted hit by a vehicle many times on a one way. 22 year old who walked after attempting to drive her off I-25 Denver. Suffered more life threatening injuries. \nMonitored target. Crime: unwilling female trapped under nasty physical therapists crotch. No charges, no questions. No treatments except one SCI surgery that was 5 years too late. \nDenver is nuts. Denver law enforcement , quasi government , CBI & attorneys are corrupted. There\u2019s something to the wicked DIA theories. I wonder how many others have been silenced to death behind corporate greed. The PT who caused all\nof this is thoroughly treated as a victim. Family moved to safety? She was never the threat. TLB will always rest assured sheltered in the arms of God like she believed.\n#theft #rip #paypal #drive-by_compromise #mira #spotify #youtube #trulymissed", "modified": "2025-10-13T22:27:44.477000", "created": "2025-09-13T23:46:41.355000", "tags": [ "http traffic", "iframe src", "https http", "re att", "access ta0001", "t1189 severity", "info found", "command", "control ta0011", "protocol t1071", "info", "resolved ips", "ip traffic", "pattern domains", "pattern urls", "tls sni", "get http", "dns resolutions", "windows nt", "win64", "khtml", "gecko", "response", "user", "rules not", "registry keys", "detections not", "found mitre", "info ids", "sandbox", "number", "algorithm", "azure rsa", "tls issuing", "cus subject", "stwa lredmond", "cnmicrosoft ecc", "update secure", "server ca", "omicrosoft cus", "ip address", "port", "http", "url data", "accept", "gmt ifnonematch", "network dropped", "duration cuckoo", "version file", "machine label", "manager", "shutdown", "udp connections", "http requests", "cname", "nxdomain", "involved direct", "country name", "parent pid", "full path", "command line", "t1055 process", "layer protocol", "access t1189", "defense evasion", "discovery t1082", "control t1573", "youtube", "spotify", "spotify", "colorado blows" ], "references": [ "https://forward.ro/", "https://vtbehaviour.commondatastorage.googleapis.com/db4e2e018a3e7f1227d7ee73590290cbd2c5f85083d7d2cd2bfbfce2d86bc85b_Zenbox.html?GoogleAccessId=758681729565-rc7fgq07icj8c9dm2gi34a4cckv235v1@developer.gserviceaccount.com&Expires=1757802136&Signature=ZMB94nTTqlBqbckg%2Bto3APyffn72wQ8c%2BtAJCCTNE3HE7lF3WYAXyjdMPB0xKY6TVdQIXYiGj6C8cK925JJttjjW91Be%2BG5oJQ2Tkmou66cPgSgOdOAQEKXq2RNXSvvZUTKgJSbxJritEPsUDcE%2FOZrDG1fY%2FtVq7cxQdLdhKacpB%2FiFLNzlcCWDCLJtwGhyRwoESchlxvvy%2Bazy40CNs35Eiw1rci3tBqQS97F7mBV1GnSrz%2FFZKh", "http://clients2.google.com/time/1/current?cup2key=8:ZnsjfqkCHZe8ziQKNl-PZVHX2EXyFv9m6Q0Dnd_a_t8&cup2hreq=e3b0c44298fc1c149afbf4c8996fb92427ae41e4649b934ca495991b7852b855", "Colorado corruption will be exposed one day.", "Discovery of targets pirated music led to her website down the next day! After 9 years?", "These greedy people & government grifters steal money from victims, including life insurance policies", "Stop following targets relatives everywhere , associates. Stop circling former residence..", "Targets mother passed in 2014. So much malicious activity obituary had to be taken down when hackers put target in obituary", "Targets mother died in her bed in Castke Rock, Douglasc County, Colorado", "Moms body moved by Douglas County to Jefferson County after cause of death ruled natural causes.", "Jefferson County, Coroner falsely states Mom died in car accident in Lakewood on death certificate .", "This information was brought to target by concerned entities who handled body.", "Off subject: Don\u2019t try to kill Tucker Carlson for asking valid questions about an apparent murder Sam.", "First they discredit you, wear you down mentally , hunt you down , then\u2026.They have to deal with God.", "Sorry! I can\u2019t help being upset about the unfairness of this constant cruel harassment.", "Jeffrey Scott Reiner was considered a skilled predator by Bryan Counts MD. He later attacked target." ], "public": 1, "adversary": "", "targeted_countries": [ "United States of America" ], "malware_families": [ { "id": "All", "display_name": "All", "target": null } ], "attack_ids": [ { "id": "T1071", "name": "Application Layer Protocol", "display_name": "T1071 - Application Layer Protocol" }, { "id": "T1189", "name": "Drive-by Compromise", "display_name": "T1189 - Drive-by Compromise" }, { "id": "T1573", "name": "Encrypted Channel", "display_name": "T1573 - Encrypted Channel" }, { "id": "T1055", "name": "Process Injection", "display_name": "T1055 - Process Injection" }, { "id": "T1082", "name": "System Information Discovery", "display_name": "T1082 - System Information Discovery" }, { "id": "T1095", "name": "Non-Application Layer Protocol", "display_name": "T1095 - Non-Application Layer Protocol" }, { "id": "T1210", "name": "Exploitation of Remote Services", "display_name": "T1210 - Exploitation of Remote Services" }, { "id": "T1566", "name": "Phishing", "display_name": "T1566 - Phishing" } ], "industries": [ "Government", "Financial", "Media", "Targets" ], "TLP": "white", "cloned_from": null, "export_count": 2, "upvotes_count": 0, "downvotes_count": 0, "votes_count": 0, "locked": false, "pulse_source": "web", "validator_count": 0, "comment_count": 0, "follower_count": 0, "vote": 0, "author": { "username": "Q.Vashti", "id": "337942", "avatar_url": "https://otx.alienvault.com/assets/images/default-avatar.png", "is_subscribed": false, "is_following": false }, "indicator_type_counts": { "URL": 781, "hostname": 339, "FileHash-SHA256": 697, "FileHash-MD5": 112, "domain": 152, "FileHash-SHA1": 2 }, "indicator_count": 2083, "is_author": false, "is_subscribing": null, "subscriber_count": 138, "modified_text": "188 days ago ", "is_modified": true, "groups": [], "in_group": false, "threat_hunter_scannable": true, "threat_hunter_has_agents": 1, "related_indicator_type": "URL", "related_indicator_is_active": 1 }, { "id": "68c5e45fc1d3140ac91158ec", "name": "Drive by Compromise adversely impacted Social Media accounts", "description": "Exploitation to control at least one targeted users Social Media accounts, photo albums, clouds. Many deleted accounts, family photos, digital media, financial data, views, followers, intellectual property deleted and distributed to other artists , redirects. YouTube, Google, Spotify, Meta , Facebook.\n\nMonitored target. Crime: in the receiving end of an assaulters uncontrolled pelvis.\n\nRequires further research.\n#tag #framing #intellectual_property #theft #digital_attack", "modified": "2025-10-13T21:18:10.129000", "created": "2025-09-13T21:38:39.818000", "tags": [ "tries indicator", "loading", "script urls", "present sep", "meta", "script domains", "443 ma2592000", "certificate", "response ip", "address google", "present jun", "body", "encrypt", "utc na", "utc facebook", "custom audience", "utc google", "tag manager", "gtmnf34hh2d", "utc gb4qwskls89", "language", "html internet", "html document", "unicode text", "utf8 text", "crlf", "lf line", "doctype", "algorithm", "key identifier", "x509v3 subject", "data", "v3 serial", "number", "cus olet", "encrypt cnr10", "validity", "subject public", "resolved ips", "http traffic", "iframe src", "https http", "access ta0001", "t1189 severity", "info found", "command", "control ta0011", "protocol t1071", "match low", "info", "talents", "get http", "dns resolutions", "mitre att", "ip traffic", "pattern domains", "pattern urls", "tls sni", "youtube", "spotify", "social media", "google", "sabey type", "rexx type", "foundry type", "initial access", "paypal", "monitored target", "hallrender resources", "brian sabey charge", "quasi" ], "references": [ "https://forward.ro/talents/mira/ redirects to forward.ro", "Resolves to a suspicious TLD - \t encore.scdn.co", "Iframe src: https://www.youtube.com/embed/nuxT76ndwYY", "Iframe src: https://open.spotify.com/embed/artist/2nMFC7hWK0haX8ilvRpb59?utm_source=generator", "Iframe src: https://www.youtube.com/embed/SEBW2mh1jvY", "Iframe src: https://www.youtube.com/embed/o8_jPaXfxWY", "Dates back to a malicious ongoing Brian Sabey HallRender attacks using various malicious resources", "partnerapi.spotify.net \u2022 youtube.ru" ], "public": 1, "adversary": "", "targeted_countries": [ "United States of America" ], "malware_families": [], "attack_ids": [ { "id": "T1071", "name": "Application Layer Protocol", "display_name": "T1071 - Application Layer Protocol" }, { "id": "T1189", "name": "Drive-by Compromise", "display_name": "T1189 - Drive-by Compromise" }, { "id": "T1573", "name": "Encrypted Channel", "display_name": "T1573 - Encrypted Channel" }, { "id": "T1585.001", "name": "Social Media Accounts", "display_name": "T1585.001 - Social Media Accounts" }, { "id": "T1068", "name": "Exploitation for Privilege Escalation", "display_name": "T1068 - Exploitation for Privilege Escalation" }, { "id": "T1413", "name": "Access Sensitive Data in Device Logs", "display_name": "T1413 - Access Sensitive Data in Device Logs" }, { "id": "T1463", "name": "Manipulate Device Communication", "display_name": "T1463 - Manipulate Device Communication" }, { "id": "T1210", "name": "Exploitation of Remote Services", "display_name": "T1210 - Exploitation of Remote Services" }, { "id": "TA0001", "name": "Initial Access", "display_name": "TA0001 - Initial Access" }, { "id": "TA0011", "name": "Command and Control", "display_name": "TA0011 - Command and Control" } ], "industries": [ "Media", "Technology", "Government", "Financial" ], "TLP": "white", "cloned_from": null, "export_count": 0, "upvotes_count": 0, "downvotes_count": 0, "votes_count": 0, "locked": false, "pulse_source": "web", "validator_count": 0, "comment_count": 0, "follower_count": 0, "vote": 0, "author": { "username": "Q.Vashti", "id": "337942", "avatar_url": "https://otx.alienvault.com/assets/images/default-avatar.png", "is_subscribed": false, "is_following": false }, "indicator_type_counts": { "URL": 179, "domain": 55, "hostname": 121, "FileHash-SHA1": 3, "FileHash-SHA256": 560, "FileHash-MD5": 112, "email": 4 }, "indicator_count": 1034, "is_author": false, "is_subscribing": null, "subscriber_count": 139, "modified_text": "188 days ago ", "is_modified": true, "groups": [], "in_group": false, "threat_hunter_scannable": true, "threat_hunter_has_agents": 1, "related_indicator_type": "URL", "related_indicator_is_active": 1 }, { "id": "68bc597c34358af14891a484", "name": "A State: Government Financial Department affected by malware and threat actors", "description": "A State Governmental Financial Department contacted. Lightly researched link below.\nFinal URL: https://www.palantir.com/blocked/?blocker=Envoy&ip=35.243.23.172&vpcEndpoint=&errorInstanceId=b8ae0a73-8c2d-4d81-a6ea-ee53943e9485&targetDomain=millet-usgc-1.palantirfedstart. | 403 Code - contacted |", "modified": "2025-10-06T15:03:41.536000", "created": "2025-09-06T15:55:40.069000", "tags": [ "status", "united", "unknown ns", "search", "certificate", "passive dns", "urls", "record value", "emails", "date", "title", "present jul", "script urls", "security", "a domains", "script domains", "read", "meta", "443 ma86400", "next associated", "files show", "serving ip", "address", "status code", "body length", "b body", "sha256", "gmt server", "extraction f", "enter so", "type", "u extraction", "data upload", "extraction", "orbrop", "present aug", "present jun", "present oct", "entries", "present apr", "present nov", "gtmpsl84dj", "resolved ips", "c0002 wininet", "data", "datacrashpad", "edge", "url data", "accept", "gmt ifnonematch", "address port", "cname", "response", "nxdomain", "name n", "creation date", "domain add", "pulse pulses", "files", "ip address", "location united", "asn as13335", "whois registrar" ], "references": [], "public": 1, "adversary": "", "targeted_countries": [], "malware_families": [], "attack_ids": [ { "id": "T1027", "name": "Obfuscated Files or Information", "display_name": "T1027 - Obfuscated Files or Information" } ], "industries": [], "TLP": "green", "cloned_from": null, "export_count": 3, "upvotes_count": 0, "downvotes_count": 0, "votes_count": 0, "locked": false, "pulse_source": "web", "validator_count": 0, "comment_count": 0, "follower_count": 0, "vote": 0, "author": { "username": "Q.Vashti", "id": "337942", "avatar_url": "https://otx.alienvault.com/assets/images/default-avatar.png", "is_subscribed": false, "is_following": false }, "indicator_type_counts": { "URL": 1785, "domain": 710, "hostname": 949, "FileHash-SHA256": 864, "email": 4, "CVE": 3, "FileHash-MD5": 27, "FileHash-SHA1": 27 }, "indicator_count": 4369, "is_author": false, "is_subscribing": null, "subscriber_count": 140, "modified_text": "195 days ago ", "is_modified": true, "groups": [], "in_group": false, "threat_hunter_scannable": true, "threat_hunter_has_agents": 1, "related_indicator_type": "URL", "related_indicator_is_active": 1 }, { "id": "68abf66e97031d0ff0c04fed", "name": "Packed sentient.industries links to a targets business website", "description": "Very malicious link found in a targets business.\nPacked. Needs to be categorized.\n(FoundryPalantir rich?) Tracking, hacking, and serious espionage.\nAvailable public Information: \nSENTIENT INDUSTRIES\nsentient.industries\nSentient industries provides design and engineering services, from prototyping to small-batch manufacturing, empowering clients to overcome complex challenges. |\nMore about sentient\nMission sentient accelerates mission critical technology for\u2026\nSENTIENT INDUSTRIES\nAccelerating mission-critical tech for disaster response, defense ...\nContact Now\nAustin, tx 78758. United States. EMAIL us. info@sentient \n\nWorse than it looks. Spying on a several threat researchers.", "modified": "2025-09-24T04:04:05.604000", "created": "2025-08-25T05:36:46.327000", "tags": [ "moved", "body", "x cache", "cloudfront x", "cph50 c2", "certificate", "record value", "title", "h1 center", "server", "redacted for", "servers", "name redacted", "for privacy", "name servers", "org data", "privacy city", "privacy country", "ca creation", "passive dns", "urls", "files", "ip address", "asn as57033", "less whois", "registrar", "tucows domains", "key identifier", "data", "v3 serial", "number", "cat ozerossl", "cnzerossl ecc", "domain secure", "site ca", "validity", "subject public", "extraction", "data upload", "extra data", "include review", "find", "failed", "typ no", "ms windows", "intel", "pe32", "united", "search", "as16509", "from win32bios", "show", "high", "medium", "delphi", "copy", "write", "launcher", "next", "present aug", "present jul", "lowfi", "win32", "a div", "div div", "learn xml", "babylon", "win64", "trojan", "colors", "python", "learn", "ck id", "name tactics", "suspicious", "informative", "command", "adversaries", "spawns", "mitre att", "ck techniques", "et info", "tls handshake", "bad traffic", "failure", "date", "august", "hybrid", "general", "path", "starfield", "click", "strings", "se bethseda", "n bethseda", "n data", "error", "date checked", "url hostname", "server response", "google safe", "results aug", "read c", "tlsv1", "port", "destination", "module load", "execution", "dock", "persistence", "malware", "unknown", "cname", "aaaa", "creation date", "showing", "domain", "dga domains", "palantirfoundry", "foundry", "status", "unknown ns", "g2 tls", "rsa sha256", "italy unknown", "mtb may", "trojandropper", "invalid url", "next associated", "ddos", "body html", "hacktool", "ipv4", "url analysis", "ukraine", "encrypt", "rl add", "http", "hostname", "files domain", "files related", "related tags", "present jun", "entries", "title error", "all ipv4", "reverse dns", "yara detections", "top source", "top destination", "source source", "sha256 add", "pulse pulses", "av detections", "ids detections", "alerts", "analysis date", "address range", "cidr", "network name", "allocation type", "whois server", "entity amazon4", "handle", "canada unknown", "content type", "javascript src", "script script", "x powered", "ipv4 add", "pulse submit", "submit url", "analysis", "url add", "related nids", "files location", "canada flag", "canada hostname", "unknown aaaa", "ascii text", "user agent", "powershell", "agent", "czechia unknown", "domain add", "dynamicloader", "hostname add", "pentagon", "defense" ], "references": [ "sentient.industries affects independent artists. Affects several others.", "Bethseda Map - Yara Detections Delphi , InnoSetupInstaller", "Bethseda Map - High Priority Alerts: ransomware_file_moves ransomware_appends_extensions", "Bethseda Map - High Priority Alerts: dumped_buffer2 antisandbox_mouse_hook", "Bethseda Map - High Priority Alerts: modifies_certificates ransomware_dropped_files", "Bethseda Map - High Priority Alerts: ransomware_mass_file_delete antivm_firmware", "Bethseda Map - High Priority Alerts: antiemu_wine banker_zeus_p2p", "https://download.mobiledit.com/drivers/setup_cdd_apple_1_0_10_0.exe", "https://forensic.manuals.mobiledit.com/MM/how-to-install-correct-apple-drivers", "prod.foundry.tylertechai.com \u2022 qa.foundry.tylertechai.com \u2022 staging.foundry.tylertechai.com \u2022", "talos-staging.palantirfoundry.com \u2022 tylertechai.com \u2022 Palantir Technologies Inc.\u2022 palantirfoundry.com", "Affects : Kailula4 , scnrscnr, SongCulture, Tsara Brashears & associated, ScrnrScrnr , dorkingbeauty", "Interesting widgets: https://myid.canon/prd/1.1.30/canonid-assets/gcid-widget.html", "http://link.monetizer101.com/widget/custom-2.0.2/templates/1", "https://widget-i18n.tiktokv.com.ttdns2.com/ \u2022 https://stella.demand-iq.com/widget", "widget-va.tiktokv.com.ttdns2.com \u2022 http://widget-i18n.tiktokv.com.ttdns2.com/", "http://link.monetizer101.com/widget/custom-2.0.3/js/load.min.js \u2022", "https://link.monetizer101.com/widget/code/595.js \u2022 https://link.monetizer101.com/widget/code/1343.js", "https://link.monetizer101.com/widget/code/1511.js \u2022 https://link.monetizer101.com/widget/code/mirror.js", "https://link.monetizer101.com/widget/code/dailystaruk.js", "https://download.mobiledit.com/drivers/setup_cdd_apple_1_0_10_0.exe", "https://forensic.manuals.mobiledit.com/MM/how-to-install-correct-apple-drivers (ASP.NET)", "Interesting Strings: https://pro-api.coinmarketcap.com/v2/cryptocurrency/quotes/historical", "(Can't access file- Malware infection files)", "Potential reparations: Spyware , Trojan , Pegasus , DNS , Graphite , Paragon , NSO Group , Endgame , Cloudfront", "constellation.pcfrpegaservice.net (Pegasus related? idk)", "On behalf of pcfrpegaservice.net owner Name Servers\tNS-1477.AWSDNS-56.ORG Org\tIdentity Protection Service", "TrojanWin32Scoreem - CodeOverlap [616fc7047d6216f7a604fa90f2f2dd0ad5b12f1153137e43858d3421ba964ea4]", "I have to breakdown this enormous post over time. I\u2019m going to repost a potential hackers similar post", "Remotewd.com devices", "If you find anything interesting please research it." ], "public": 1, "adversary": "", "targeted_countries": [ "United States of America" ], "malware_families": [ { "id": "nUFS_inno", "display_name": "nUFS_inno", "target": null }, { "id": "#Lowfi:HSTR:MSIL/Malicious", "display_name": "#Lowfi:HSTR:MSIL/Malicious", "target": null }, { "id": "ALF:JASYP:PUA:Win32/Bibado", "display_name": "ALF:JASYP:PUA:Win32/Bibado", "target": null }, { "id": "Trojan:Win32/Toga", "display_name": "Trojan:Win32/Toga", "target": "/malware/Trojan:Win32/Toga" }, { "id": "Win32:Downloader-GJK\\ [Trj]", "display_name": "Win32:Downloader-GJK\\ [Trj]", "target": null }, { "id": "Win.Downloader.109205-1", "display_name": "Win.Downloader.109205-1", "target": null }, { "id": "Custom Malware", "display_name": "Custom Malware", "target": null }, { "id": "#LowFiEnableDTContinueAfterUnpacking", "display_name": "#LowFiEnableDTContinueAfterUnpacking", "target": null }, { "id": "Win32:Downloader-GJK\\ [Trj]", "display_name": "Win32:Downloader-GJK\\ [Trj]", "target": null }, { "id": "Win.Downloader.109205-1", "display_name": "Win.Downloader.109205-1", "target": null }, { "id": "Win.Trojan.Jorik-149", "display_name": "Win.Trojan.Jorik-149", "target": null }, { "id": "#LowFiDetectsVmWare", "display_name": "#LowFiDetectsVmWare", "target": null }, { "id": "Win.Trojan.Jorik-130", "display_name": "Win.Trojan.Jorik-130", "target": null }, { "id": "Win.Trojan.Fakecodecs-119", "display_name": "Win.Trojan.Fakecodecs-119", "target": null }, { "id": "Trojan:Win32/Zombie.A", "display_name": "Trojan:Win32/Zombie.A", "target": "/malware/Trojan:Win32/Zombie.A" }, { "id": "Win.Trojan.Bulz-9860169-0", "display_name": "Win.Trojan.Bulz-9860169-0", "target": null }, { "id": "Win.Malware.Midie-6847892-0", "display_name": "Win.Malware.Midie-6847892-0", "target": null }, { "id": "TrojanDropper:Win32/Muldrop.V!MTB", "display_name": "TrojanDropper:Win32/Muldrop.V!MTB", "target": "/malware/TrojanDropper:Win32/Muldrop.V!MTB" }, { "id": "Win.Packed.Razy-9785185-0", "display_name": "Win.Packed.Razy-9785185-0", "target": null }, { "id": "Trojan:Win32/Glupteba.MT!MTB", "display_name": "Trojan:Win32/Glupteba.MT!MTB", "target": "/malware/Trojan:Win32/Glupteba.MT!MTB" }, { "id": "PWS", "display_name": "PWS", "target": null }, { "id": "DDOS:Win32/Stormser.A", "display_name": "DDOS:Win32/Stormser.A", "target": "/malware/DDOS:Win32/Stormser.A" }, { "id": "ALF:HSTR:DotNET", "display_name": "ALF:HSTR:DotNET", "target": null }, { "id": "DotNET", "display_name": "DotNET", "target": null }, { "id": "Script Exploit", "display_name": "Script Exploit", "target": null }, { "id": "HackTool:Win32/AutoKMS", "display_name": "HackTool:Win32/AutoKMS", "target": "/malware/HackTool:Win32/AutoKMS" }, { "id": "Xanfpezes.A", "display_name": "Xanfpezes.A", "target": null }, { "id": "Trojan:Win32/Gandcrab", "display_name": "Trojan:Win32/Gandcrab", "target": "/malware/Trojan:Win32/Gandcrab" }, { "id": "Win.Trojan.Generic-9862772-0", "display_name": "Win.Trojan.Generic-9862772-0", "target": null }, { "id": "Trojan:Win32/Zbot.SIBL!MTB", "display_name": "Trojan:Win32/Zbot.SIBL!MTB", "target": "/malware/Trojan:Win32/Zbot.SIBL!MTB" }, { "id": "Win32/Nemucod", "display_name": "Win32/Nemucod", "target": null }, { "id": "ALF:HeraklezEval:TrojanDownloader:HTML/Adodb!rfn", "display_name": "ALF:HeraklezEval:TrojanDownloader:HTML/Adodb!rfn", "target": null }, { "id": "Trojan:Win32/Blihan.A", "display_name": "Trojan:Win32/Blihan.A", "target": "/malware/Trojan:Win32/Blihan.A" }, { "id": "TrojanDropper:Win32/Muldrop", "display_name": "TrojanDropper:Win32/Muldrop", "target": "/malware/TrojanDropper:Win32/Muldrop" }, { "id": "ALF:HeraklezEval:Trojan:Win32/Ymacco.AA47", "display_name": "ALF:HeraklezEval:Trojan:Win32/Ymacco.AA47", "target": null }, { "id": "Win.Malware.Kolab-9885903-0", "display_name": "Win.Malware.Kolab-9885903-0", "target": null }, { "id": "Win.Malware (30)", "display_name": "Win.Malware (30)", "target": null }, { "id": "Ransom", "display_name": "Ransom", "target": null }, { "id": "#Lowfi:HSTR:MSIL/Malicious.Decryption", "display_name": "#Lowfi:HSTR:MSIL/Malicious.Decryption", "target": null }, { "id": "E5", "display_name": "E5", "target": null }, { "id": "MyDoom", "display_name": "MyDoom", "target": null } ], "attack_ids": [ { "id": "T1047", "name": "Windows Management Instrumentation", "display_name": "T1047 - Windows Management Instrumentation" }, { "id": "T1060", "name": "Registry Run Keys / Startup Folder", "display_name": "T1060 - Registry Run Keys / Startup Folder" }, { "id": "T1119", "name": "Automated Collection", "display_name": "T1119 - Automated Collection" }, { "id": "T1027", "name": "Obfuscated Files or Information", "display_name": "T1027 - Obfuscated Files or Information" }, { "id": "T1057", "name": "Process Discovery", "display_name": "T1057 - Process Discovery" }, { "id": "T1071", "name": "Application Layer Protocol", "display_name": "T1071 - Application Layer Protocol" }, { "id": "T1105", "name": "Ingress Tool Transfer", "display_name": "T1105 - Ingress Tool Transfer" }, { "id": "T1480", "name": "Execution Guardrails", "display_name": "T1480 - Execution Guardrails" }, { "id": "T1553", "name": "Subvert Trust Controls", "display_name": "T1553 - Subvert Trust Controls" }, { "id": "T1583", "name": "Acquire Infrastructure", "display_name": "T1583 - Acquire Infrastructure" }, { "id": "T1113", "name": "Screen Capture", "display_name": "T1113 - Screen Capture" }, { "id": "T1140", "name": "Deobfuscate/Decode Files or Information", "display_name": "T1140 - Deobfuscate/Decode Files or Information" }, { "id": "T1053", "name": "Scheduled Task/Job", "display_name": "T1053 - Scheduled Task/Job" }, { "id": "T1055", "name": "Process Injection", "display_name": "T1055 - Process Injection" }, { "id": "T1082", "name": "System Information Discovery", "display_name": "T1082 - System Information Discovery" }, { "id": "T1112", "name": "Modify Registry", "display_name": "T1112 - Modify Registry" }, { "id": "T1129", "name": "Shared Modules", "display_name": "T1129 - Shared Modules" }, { "id": "T1143", "name": "Hidden Window", "display_name": "T1143 - Hidden Window" }, { "id": "T1003.008", "name": "/etc/passwd and /etc/shadow", "display_name": "T1003.008 - /etc/passwd and /etc/shadow" }, { "id": "T1110.002", "name": "Password Cracking", "display_name": "T1110.002 - Password Cracking" } ], "industries": [], "TLP": "white", "cloned_from": null, "export_count": 40, "upvotes_count": 0, "downvotes_count": 0, "votes_count": 0, "locked": false, "pulse_source": "web", "validator_count": 0, "comment_count": 0, "follower_count": 0, "vote": 0, "author": { "username": "Q.Vashti", "id": "337942", "avatar_url": "https://otx.alienvault.com/assets/images/default-avatar.png", "is_subscribed": false, "is_following": false }, "indicator_type_counts": { "domain": 6232, "URL": 24908, "hostname": 7993, "FileHash-SHA256": 11128, "email": 6, "FileHash-MD5": 1054, "FileHash-SHA1": 932, "SSLCertFingerprint": 14, "CIDR": 3, "CVE": 3 }, "indicator_count": 52273, "is_author": false, "is_subscribing": null, "subscriber_count": 146, "modified_text": "208 days ago ", "is_modified": true, "groups": [], "in_group": false, "threat_hunter_scannable": true, "threat_hunter_has_agents": 1, "related_indicator_type": "URL", "related_indicator_is_active": 1 } ], "error": null, "vt": { "error": "VirusTotal rate limit reached. Try again shortly.", "indicator": "https://mscsoftware.com.br", "type": "URL" }, "abuseipdb": null, "urlhaus": { "indicator": "https://mscsoftware.com.br", "type": "URL", "found": false, "verdict": "clean", "error": null }, "from_cache": true, "_cached_at": 1776684409.0408823 }