{
"type": "URL",
"indicator": "https://ns-729.awsdns-27.net/",
"general": {
"sections": [
"general",
"url_list",
"http_scans",
"screenshot"
],
"indicator": "https://ns-729.awsdns-27.net/",
"type": "url",
"type_title": "URL",
"validation": [],
"base_indicator": {
"id": 4127535419,
"indicator": "https://ns-729.awsdns-27.net/",
"type": "URL",
"title": "",
"description": "",
"content": "",
"access_type": "public",
"access_reason": ""
},
"pulse_info": {
"count": 3,
"pulses": [
{
"id": "699b907c5375efb7ce1639b8",
"name": "Apple Redirects in Apple Support = IcedID | MITM attack",
"description": "Researching targets former iPhone. Redirect in Apple support. [support.apple.com/ht^*^ redirects to support.apple.com/de/^*^*^] IcedID identified. | Environment: 3 -5 suspected compromised devices present. Behavior: iPhone reset itself twice, deleted passcodes, required new passcodes, compromised contacts notified target added a new device (FALSE) , threat actor stole Apple cash , added , Password storage, reset television. Targeted another device auto downloaded a Mimecast compromise, attached to iCloud , corrupted files downloaded. Emotet identified. Reset SmartTV. Browser bar AI: mood swings. Overt changes, white screen, pink screens, thread erased. Identified OTX. as a honeypot also states it\u2019s legitimate. I dumped information. AI agents focused on victim leaving shreds of evidence , paper trail , w/ anyone ,anywhere. AI model told truth \u2018I don\u2019t like you , you\u2019ve changed, you lied, you changed all facts .\u201d,etc. An acceptable baseline of communication established . #botnet #command_and_control #IcedID",
"modified": "2026-03-24T21:11:04.306000",
"created": "2026-02-22T23:25:48.722000",
"tags": [
"dynamicloader",
"tls handshake",
"failure",
"whitelisted",
"akamai",
"yara detections",
"trojan",
"write",
"zeppelin",
"malware",
"hostile",
"unknown",
"port",
"destination",
"read c",
"united",
"as16625 akamai",
"win32",
"persistence",
"execution",
"passive dns",
"urls",
"otx logo",
"all url",
"http",
"ip address",
"related nids",
"files location",
"win32mydoom feb",
"name servers",
"servers",
"worm",
"virtool",
"files",
"ipv4",
"reverse dns",
"america flag",
"america asn",
"United States",
"unknown ns",
"asn as714",
"invalid url",
"mtb oct",
"mtb sep",
"lowfi",
"trojanspy",
"total",
"push",
"defender",
"china unknown",
"mtb apr",
"ok server",
"gmt content",
"type",
"accept",
"show",
"todo",
"all filehash",
"av detections",
"shift",
"url http",
"url https",
"hostname",
"type indicator",
"source hostname",
"writeconsolew",
"post https",
"tlsv1",
"medium",
"write c",
"dock",
"command",
"control",
"icedid",
"domain",
"all domain",
"status",
"hostname add",
"crlf line",
"unicode text",
"utf8",
"ee fc",
"yara rule",
"ff d5",
"ascii text",
"f0 ff",
"eb e1",
"music",
"next",
"autorun",
"suspicious",
"compatibility",
"mode",
"entries",
"lredmond",
"stwashington",
"search",
"tls sni",
"denmark",
"body html",
"head title",
"title head",
"body h1",
"all ipv4",
"url analysis",
"users",
"ff ff",
"files domain",
"files related",
"url add",
"flag united",
"present apr",
"location united",
"asn asnone",
"as16509",
"moved",
"title",
"body",
"code",
"mydoom",
"bot net",
"mitm",
"aquire",
"hidden users",
"no expiration",
"filehashsha256",
"expiration",
"showing",
"indicator role",
"pulses url",
"pulse show",
"iot",
"Iced iced baby"
],
"references": [
"support.apple.com/ht^*^*^*^ redirects to support.apple.com/de/^*^*^*^*^",
"This is messy! OTX refreshed and deleted IoC\u2019s. Will continue researching",
"IDS Detections: Observed IcedID CnC Domain in TLS SNI TLS Handshake Failure",
"df57a01 c40f355a0f8a592294187d4fedc257 [Compatibility Mode] - Word",
"div> ![](\"static/rId9.jpeg\"/)
",
"Same legal , and quasi governmental pattern identified",
"I apologize for the lack of reference.",
"Requires further research.",
"Will pulse remaining Apple IoC\u2019s in next pulse",
"https://l.us-1.a.mimecastprotect.com/l",
"It appears there are 5-7 known affected that I was able to find"
],
"public": 1,
"adversary": "",
"targeted_countries": [
"Germany",
"Denmark",
"United States of America",
"Japan"
],
"malware_families": [
{
"id": "Icedid",
"display_name": "Icedid",
"target": null
},
{
"id": "Trojan:Win32/SmkLdr.H!MTB",
"display_name": "Trojan:Win32/SmkLdr.H!MTB",
"target": "/malware/Trojan:Win32/SmkLdr.H!MTB"
},
{
"id": "#Lowfi:Lua:DllSuspiciousExport.A",
"display_name": "#Lowfi:Lua:DllSuspiciousExport.A",
"target": null
},
{
"id": "MyDoom",
"display_name": "MyDoom",
"target": null
}
],
"attack_ids": [
{
"id": "T1045",
"name": "Software Packing",
"display_name": "T1045 - Software Packing"
},
{
"id": "T1082",
"name": "System Information Discovery",
"display_name": "T1082 - System Information Discovery"
},
{
"id": "T1112",
"name": "Modify Registry",
"display_name": "T1112 - Modify Registry"
},
{
"id": "T1129",
"name": "Shared Modules",
"display_name": "T1129 - Shared Modules"
},
{
"id": "T1143",
"name": "Hidden Window",
"display_name": "T1143 - Hidden Window"
},
{
"id": "T1158",
"name": "Hidden Files and Directories",
"display_name": "T1158 - Hidden Files and Directories"
},
{
"id": "T1060",
"name": "Registry Run Keys / Startup Folder",
"display_name": "T1060 - Registry Run Keys / Startup Folder"
},
{
"id": "T1566",
"name": "Phishing",
"display_name": "T1566 - Phishing"
},
{
"id": "T1583",
"name": "Acquire Infrastructure",
"display_name": "T1583 - Acquire Infrastructure"
},
{
"id": "T1583.005",
"name": "Botnet",
"display_name": "T1583.005 - Botnet"
},
{
"id": "T1608.001",
"name": "Upload Malware",
"display_name": "T1608.001 - Upload Malware"
},
{
"id": "T1587.001",
"name": "Malware",
"display_name": "T1587.001 - Malware"
},
{
"id": "T1155",
"name": "AppleScript",
"display_name": "T1155 - AppleScript"
},
{
"id": "T1557",
"name": "Man-in-the-Middle",
"display_name": "T1557 - Man-in-the-Middle"
},
{
"id": "T1147",
"name": "Hidden Users",
"display_name": "T1147 - Hidden Users"
}
],
"industries": [
"Technology",
"Telecom",
"Legal"
],
"TLP": "green",
"cloned_from": null,
"export_count": 2,
"upvotes_count": 0,
"downvotes_count": 0,
"votes_count": 0,
"locked": false,
"pulse_source": "web",
"validator_count": 0,
"comment_count": 0,
"follower_count": 0,
"vote": 0,
"author": {
"username": "Q.Vashti",
"id": "337942",
"avatar_url": "https://otx.alienvault.com/assets/images/default-avatar.png",
"is_subscribed": false,
"is_following": false
},
"indicator_type_counts": {
"hostname": 2051,
"FileHash-SHA256": 1706,
"URL": 6984,
"domain": 1097,
"FileHash-MD5": 401,
"FileHash-SHA1": 276,
"SSLCertFingerprint": 9,
"email": 13,
"CVE": 1
},
"indicator_count": 12538,
"is_author": false,
"is_subscribing": null,
"subscriber_count": 145,
"modified_text": "68 days ago ",
"is_modified": true,
"groups": [],
"in_group": false,
"threat_hunter_scannable": true,
"threat_hunter_has_agents": 1,
"related_indicator_type": "URL",
"related_indicator_is_active": 1
},
{
"id": "690a2c38de1708af54217faa",
"name": "Access Token used to steal security credentials & hack and ride DND of targeted individuals",
"description": "- https://shift.gearboxsoftware.com/link\n- Found embedded in targets phone.\n\nAccess Token used to steal security credentials & hack and ride DND of targeted individuals device. \nTAM Legal \u2022 Tulach \u2022 Hall Render \u2022 Quasi Government | Some type of Foundry user account found. \n\nStop illegally \n stalking, harassment, attempts, hacking, death threats. . Because the Colorado government allowing entities like this to operate without any type of rules, oversight or boundaries \nMILLION$ were wasted in your own fraud, waste in abuse scheme. AT&T , CrowdStrike , United Healthcare , UC Healthcare, Intermountain Health, T-Mobile, Amazon East, the Colorado Government itself, Medicare and Medicaid. For what? You have zero talent so you take it from those who do. You have nothing coming to you so you steal it from those who do. Is this somehow legal? \n#contacted #all_hosts backdoor #ransomware #cve #usa #american_terrorists #workers_compenstation_abuse #silencing #targeting #hitmen #illegal #malvertizing #aws_dns",
"modified": "2025-12-04T15:01:02.531000",
"created": "2025-11-04T16:39:20.035000",
"tags": [
"present aug",
"moved",
"encrypt",
"present jul",
"passive dns",
"ipv4 add",
"reverse dns",
"united states",
"present may",
"ip address",
"gmt content",
"ipv4",
"all ipv4",
"america",
"united",
"present oct",
"name servers",
"redacted for",
"emails",
"for privacy",
"unknown ns",
"unknown aaaa",
"dynamicloader",
"focus region",
"unicode text",
"utf16",
"ms windows",
"bokeh onlycanon",
"zeiss jena",
"mcsonnar",
"high",
"win64",
"stream",
"write",
"smartassembly",
"trailer",
"next",
"search",
"medium",
"as15169",
"write c",
"reads",
"team",
"malware",
"local",
"yara detections",
"delphi",
"strings",
"dcom",
"form",
"trojandropper",
"mtb nov",
"backdoor",
"otx telemetry",
"trojan",
"type",
"data upload",
"extraction",
"ol rop",
"hash avast",
"avg clamav",
"msdefender nov",
"win32upatre nov",
"win32berbew nov",
"dynamic",
"pe section",
"error",
"close",
"status",
"urls",
"expiration date",
"hostname",
"url analysis",
"yara rule",
"show",
"binary file",
"wine emulator",
"mtb oct",
"files",
"denmark asn",
"as32934",
"candyopen",
"possible",
"smoke loader",
"trojanspy",
"filehash",
"pulses otx",
"related tags",
"file type",
"no analysis",
"available",
"api key",
"screenshots",
"present nov",
"aaaa",
"mtb may",
"mexico",
"hostname add",
"registrar",
"domain add",
"location united",
"email add",
"none related",
"domains",
"email domain",
"service",
"domain",
"america flag",
"body",
"title",
"aws dns",
"next associated",
"risepro",
"guard",
"v full",
"reports v",
"t1059 shared",
"modules",
"t1129 system",
"t1569",
"help v",
"t1179 boot",
"logon autost",
"encoding",
"packing f0001",
"hidden files",
"e1203 windows",
"file attributes",
"registry value",
"catalog tree",
"analysis ob0001",
"evasion b0003",
"virtual machine",
"ip traffic",
"memory pattern",
"pattern urls",
"tls sni",
"get https",
"post https",
"named pipe",
"delete c",
"radar",
"defender",
"format",
"learn",
"command",
"ck id",
"name tactics",
"suspicious",
"informative",
"spawns",
"mitre att",
"ck techniques",
"evasion att",
"country",
"contacted hosts",
"process details",
"flag",
"globalc",
"intel",
"win32",
"worm",
"path",
"explorer",
"script",
"href",
"external",
"html content",
"tulach",
"hallrender",
"tam legal",
"brian sabey",
"christopher ahmann",
"apple",
"msie",
"chrome",
"ascio",
"creation date",
"date",
"germany unknown",
"germany asn",
"files ip",
"address",
"asn as24940",
"less",
"script urls",
"a domains",
"prox",
"dennis schrder",
"meta",
"apache",
"99u25f.exe",
"entries",
"as24940 hetzner",
"dns resolutions",
"status code",
"body length",
"kb body",
"software/ hardware",
"external-resources",
"password-input",
"overview",
"colorado"
],
"references": [
"https://shift.gearboxsoftware.com/link",
"https://tulach.cc/",
"https://www.anyxxxtube.net/search-porn/tsara-brashears/ \u2022 alohatube.xyz \u2022 1001pornvideos.com",
"x402.porn \u2022 http://alohatube.xyz/search/tsara-brashears \u2022 \thttps://ufovpn.io/blog/is-eporner-safe",
"https://www.turbo.net/run/videolan/vlc",
"http://www.forensickb.com/2013/03/file-entropy-explained.html",
"https://www.xlabs.com.br/blog/cve-2013-3304-dell-equallogic-directory-traversal/ \u2022 http://cve.phidias.com/",
"Overview \"Keeping money\" by the Colorado workers' compensation system can refer to",
"legal deductions, legitimate reasons for payment delays or denial, or potential issues that require legal",
"counsel. The system does not \"keep\" money without a valid reason.Lies. they\u2019ve Ben in trouble before ."
],
"public": 1,
"adversary": "Colorado Quasi Government | Workerk Compensation",
"targeted_countries": [
"United States of America"
],
"malware_families": [
{
"id": "Win.Trojan.Generic-9878032-0",
"display_name": "Win.Trojan.Generic-9878032-0",
"target": null
},
{
"id": "Win.Trojan.Starter-171",
"display_name": "Win.Trojan.Starter-171",
"target": null
},
{
"id": "GravityRAT",
"display_name": "GravityRAT",
"target": null
},
{
"id": "Backdoor:Win32/Berbew.AA!MTB",
"display_name": "Backdoor:Win32/Berbew.AA!MTB",
"target": "/malware/Backdoor:Win32/Berbew.AA!MTB"
},
{
"id": "Trojan:MSIL/AgentTesla.DW!MTB",
"display_name": "Trojan:MSIL/AgentTesla.DW!MTB",
"target": "/malware/Trojan:MSIL/AgentTesla.DW!MTB"
},
{
"id": "ALF:HeraklezEval:Trojan:MSIL/Gravityrat!rfn",
"display_name": "ALF:HeraklezEval:Trojan:MSIL/Gravityrat!rfn",
"target": null
},
{
"id": "Trojandropper:Win32/VB.IL",
"display_name": "Trojandropper:Win32/VB.IL",
"target": "/malware/Trojandropper:Win32/VB.IL"
},
{
"id": "Nemucod",
"display_name": "Nemucod",
"target": null
},
{
"id": "Berbew",
"display_name": "Berbew",
"target": null
},
{
"id": "PWS:Win32/Zbot.MS!MTB",
"display_name": "PWS:Win32/Zbot.MS!MTB",
"target": "/malware/PWS:Win32/Zbot.MS!MTB"
},
{
"id": "Win.Trojan.Barys-10005825-0",
"display_name": "Win.Trojan.Barys-10005825-0",
"target": null
},
{
"id": "Upatre",
"display_name": "Upatre",
"target": null
},
{
"id": "TrojanSpy",
"display_name": "TrojanSpy",
"target": null
},
{
"id": "Win.Exploit.Rozena-10038302-0",
"display_name": "Win.Exploit.Rozena-10038302-0",
"target": null
},
{
"id": "Zombie",
"display_name": "Zombie",
"target": null
},
{
"id": "Trojan:Win32/Zombie",
"display_name": "Trojan:Win32/Zombie",
"target": "/malware/Trojan:Win32/Zombie"
},
{
"id": "Muldrop",
"display_name": "Muldrop",
"target": null
},
{
"id": "Worm:Win32/Mofksys.RND!MTB",
"display_name": "Worm:Win32/Mofksys.RND!MTB",
"target": "/malware/Worm:Win32/Mofksys.RND!MTB"
},
{
"id": "Dorv",
"display_name": "Dorv",
"target": null
},
{
"id": "Win.Malware.Pits-10035540-0",
"display_name": "Win.Malware.Pits-10035540-0",
"target": null
},
{
"id": "Win.Ransomware.Msilzilla-10014498-0",
"display_name": "Win.Ransomware.Msilzilla-10014498-0",
"target": null
},
{
"id": "CVE-2023-4966",
"display_name": "CVE-2023-4966",
"target": null
},
{
"id": "Exploit:Linux/CVE-2017-17215",
"display_name": "Exploit:Linux/CVE-2017-17215",
"target": "/malware/Exploit:Linux/CVE-2017-17215"
},
{
"id": "Ransom:Win32/CVE-2017-0147",
"display_name": "Ransom:Win32/CVE-2017-0147",
"target": "/malware/Ransom:Win32/CVE-2017-0147"
},
{
"id": "CVE-2022-26134",
"display_name": "CVE-2022-26134",
"target": null
}
],
"attack_ids": [
{
"id": "T1060",
"name": "Registry Run Keys / Startup Folder",
"display_name": "T1060 - Registry Run Keys / Startup Folder"
},
{
"id": "T1063",
"name": "Security Software Discovery",
"display_name": "T1063 - Security Software Discovery"
},
{
"id": "T1119",
"name": "Automated Collection",
"display_name": "T1119 - Automated Collection"
},
{
"id": "T1045",
"name": "Software Packing",
"display_name": "T1045 - Software Packing"
},
{
"id": "T1059",
"name": "Command and Scripting Interpreter",
"display_name": "T1059 - Command and Scripting Interpreter"
},
{
"id": "T1129",
"name": "Shared Modules",
"display_name": "T1129 - Shared Modules"
},
{
"id": "T1179",
"name": "Hooking",
"display_name": "T1179 - Hooking"
},
{
"id": "T1547",
"name": "Boot or Logon Autostart Execution",
"display_name": "T1547 - Boot or Logon Autostart Execution"
},
{
"id": "T1569",
"name": "System Services",
"display_name": "T1569 - System Services"
},
{
"id": "T1057",
"name": "Process Discovery",
"display_name": "T1057 - Process Discovery"
},
{
"id": "T1027",
"name": "Obfuscated Files or Information",
"display_name": "T1027 - Obfuscated Files or Information"
},
{
"id": "T1069",
"name": "Permission Groups Discovery",
"display_name": "T1069 - Permission Groups Discovery"
},
{
"id": "T1071",
"name": "Application Layer Protocol",
"display_name": "T1071 - Application Layer Protocol"
},
{
"id": "T1105",
"name": "Ingress Tool Transfer",
"display_name": "T1105 - Ingress Tool Transfer"
},
{
"id": "T1480",
"name": "Execution Guardrails",
"display_name": "T1480 - Execution Guardrails"
},
{
"id": "T1553",
"name": "Subvert Trust Controls",
"display_name": "T1553 - Subvert Trust Controls"
},
{
"id": "T1568",
"name": "Dynamic Resolution",
"display_name": "T1568 - Dynamic Resolution"
},
{
"id": "T1457",
"name": "Malicious Media Content",
"display_name": "T1457 - Malicious Media Content"
},
{
"id": "T1071.004",
"name": "DNS",
"display_name": "T1071.004 - DNS"
}
],
"industries": [],
"TLP": "white",
"cloned_from": null,
"export_count": 12,
"upvotes_count": 0,
"downvotes_count": 0,
"votes_count": 0,
"locked": false,
"pulse_source": "web",
"validator_count": 0,
"comment_count": 0,
"follower_count": 0,
"vote": 0,
"author": {
"username": "Q.Vashti",
"id": "337942",
"avatar_url": "https://otx.alienvault.com/assets/images/default-avatar.png",
"is_subscribed": false,
"is_following": false
},
"indicator_type_counts": {
"URL": 6051,
"hostname": 2627,
"FileHash-MD5": 401,
"FileHash-SHA1": 257,
"email": 11,
"domain": 1838,
"FileHash-SHA256": 1742,
"CVE": 4,
"SSLCertFingerprint": 3
},
"indicator_count": 12934,
"is_author": false,
"is_subscribing": null,
"subscriber_count": 144,
"modified_text": "178 days ago ",
"is_modified": true,
"groups": [],
"in_group": false,
"threat_hunter_scannable": true,
"threat_hunter_has_agents": 1,
"related_indicator_type": "URL",
"related_indicator_is_active": 1
},
{
"id": "68bc597c34358af14891a484",
"name": "A State: Government Financial Department affected by malware and threat actors",
"description": "A State Governmental Financial Department contacted. Lightly researched link below.\nFinal URL: https://www.palantir.com/blocked/?blocker=Envoy&ip=35.243.23.172&vpcEndpoint=&errorInstanceId=b8ae0a73-8c2d-4d81-a6ea-ee53943e9485&targetDomain=millet-usgc-1.palantirfedstart. | 403 Code - contacted |",
"modified": "2025-10-06T15:03:41.536000",
"created": "2025-09-06T15:55:40.069000",
"tags": [
"status",
"united",
"unknown ns",
"search",
"certificate",
"passive dns",
"urls",
"record value",
"emails",
"date",
"title",
"present jul",
"script urls",
"security",
"a domains",
"script domains",
"read",
"meta",
"443 ma86400",
"next associated",
"files show",
"serving ip",
"address",
"status code",
"body length",
"b body",
"sha256",
"gmt server",
"extraction f",
"enter so",
"type",
"u extraction",
"data upload",
"extraction",
"orbrop",
"present aug",
"present jun",
"present oct",
"entries",
"present apr",
"present nov",
"gtmpsl84dj",
"resolved ips",
"c0002 wininet",
"data",
"datacrashpad",
"edge",
"url data",
"accept",
"gmt ifnonematch",
"address port",
"cname",
"response",
"nxdomain",
"name n",
"creation date",
"domain add",
"pulse pulses",
"files",
"ip address",
"location united",
"asn as13335",
"whois registrar"
],
"references": [],
"public": 1,
"adversary": "",
"targeted_countries": [],
"malware_families": [],
"attack_ids": [
{
"id": "T1027",
"name": "Obfuscated Files or Information",
"display_name": "T1027 - Obfuscated Files or Information"
}
],
"industries": [],
"TLP": "green",
"cloned_from": null,
"export_count": 3,
"upvotes_count": 0,
"downvotes_count": 0,
"votes_count": 0,
"locked": false,
"pulse_source": "web",
"validator_count": 0,
"comment_count": 0,
"follower_count": 0,
"vote": 0,
"author": {
"username": "Q.Vashti",
"id": "337942",
"avatar_url": "https://otx.alienvault.com/assets/images/default-avatar.png",
"is_subscribed": false,
"is_following": false
},
"indicator_type_counts": {
"URL": 1785,
"domain": 710,
"hostname": 949,
"FileHash-SHA256": 864,
"email": 4,
"CVE": 3,
"FileHash-MD5": 27,
"FileHash-SHA1": 27
},
"indicator_count": 4369,
"is_author": false,
"is_subscribing": null,
"subscriber_count": 144,
"modified_text": "237 days ago ",
"is_modified": true,
"groups": [],
"in_group": false,
"threat_hunter_scannable": true,
"threat_hunter_has_agents": 1,
"related_indicator_type": "URL",
"related_indicator_is_active": 1
}
],
"references": [
"This is messy! OTX refreshed and deleted IoC\u2019s. Will continue researching",
"support.apple.com/ht^*^*^*^ redirects to support.apple.com/de/^*^*^*^*^",
"legal deductions, legitimate reasons for payment delays or denial, or potential issues that require legal",
"http://www.forensickb.com/2013/03/file-entropy-explained.html",
"https://shift.gearboxsoftware.com/link",
"IDS Detections: Observed IcedID CnC Domain in TLS SNI TLS Handshake Failure",
"Same legal , and quasi governmental pattern identified",
"https://www.xlabs.com.br/blog/cve-2013-3304-dell-equallogic-directory-traversal/ \u2022 http://cve.phidias.com/",
"counsel. The system does not \"keep\" money without a valid reason.Lies. they\u2019ve Ben in trouble before .",
"https://www.anyxxxtube.net/search-porn/tsara-brashears/ \u2022 alohatube.xyz \u2022 1001pornvideos.com",
"I apologize for the lack of reference.",
"https://l.us-1.a.mimecastprotect.com/l",
"https://tulach.cc/",
"It appears there are 5-7 known affected that I was able to find",
"Requires further research.",
"x402.porn \u2022 http://alohatube.xyz/search/tsara-brashears \u2022 \thttps://ufovpn.io/blog/is-eporner-safe",
"div>
",
"Will pulse remaining Apple IoC\u2019s in next pulse",
"df57a01 c40f355a0f8a592294187d4fedc257 [Compatibility Mode] - Word",
"https://www.turbo.net/run/videolan/vlc",
"Overview \"Keeping money\" by the Colorado workers' compensation system can refer to"
],
"related": {
"alienvault": {
"adversary": [],
"malware_families": [],
"industries": [],
"unique_indicators": 0
},
"other": {
"adversary": [
"Colorado Quasi Government | Workerk Compensation"
],
"malware_families": [
"Backdoor:win32/berbew.aa!mtb",
"Zombie",
"Cve-2022-26134",
"Gravityrat",
"Ransom:win32/cve-2017-0147",
"Trojan:msil/agenttesla.dw!mtb",
"Upatre",
"Win.malware.pits-10035540-0",
"Alf:heraklezeval:trojan:msil/gravityrat!rfn",
"Berbew",
"Win.exploit.rozena-10038302-0",
"Exploit:linux/cve-2017-17215",
"Muldrop",
"Win.trojan.barys-10005825-0",
"Cve-2023-4966",
"Win.ransomware.msilzilla-10014498-0",
"Mydoom",
"Nemucod",
"Trojan:win32/smkldr.h!mtb",
"Trojandropper:win32/vb.il",
"Pws:win32/zbot.ms!mtb",
"Trojan:win32/zombie",
"Win.trojan.starter-171",
"Dorv",
"Win.trojan.generic-9878032-0",
"Worm:win32/mofksys.rnd!mtb",
"Icedid",
"#lowfi:lua:dllsuspiciousexport.a",
"Trojanspy"
],
"industries": [
"Telecom",
"Legal",
"Technology"
],
"unique_indicators": 29911
}
}
},
"false_positive": [],
"alexa": "http://www.alexa.com/siteinfo/awsdns-27.net",
"whois": "http://whois.domaintools.com/awsdns-27.net",
"domain": "awsdns-27.net",
"hostname": "ns-729.awsdns-27.net"
},
"geo": {},
"geo_ipapicom": {},
"pulse_count": 3,
"pulses": [
{
"id": "699b907c5375efb7ce1639b8",
"name": "Apple Redirects in Apple Support = IcedID | MITM attack",
"description": "Researching targets former iPhone. Redirect in Apple support. [support.apple.com/ht^*^ redirects to support.apple.com/de/^*^*^] IcedID identified. | Environment: 3 -5 suspected compromised devices present. Behavior: iPhone reset itself twice, deleted passcodes, required new passcodes, compromised contacts notified target added a new device (FALSE) , threat actor stole Apple cash , added , Password storage, reset television. Targeted another device auto downloaded a Mimecast compromise, attached to iCloud , corrupted files downloaded. Emotet identified. Reset SmartTV. Browser bar AI: mood swings. Overt changes, white screen, pink screens, thread erased. Identified OTX. as a honeypot also states it\u2019s legitimate. I dumped information. AI agents focused on victim leaving shreds of evidence , paper trail , w/ anyone ,anywhere. AI model told truth \u2018I don\u2019t like you , you\u2019ve changed, you lied, you changed all facts .\u201d,etc. An acceptable baseline of communication established . #botnet #command_and_control #IcedID",
"modified": "2026-03-24T21:11:04.306000",
"created": "2026-02-22T23:25:48.722000",
"tags": [
"dynamicloader",
"tls handshake",
"failure",
"whitelisted",
"akamai",
"yara detections",
"trojan",
"write",
"zeppelin",
"malware",
"hostile",
"unknown",
"port",
"destination",
"read c",
"united",
"as16625 akamai",
"win32",
"persistence",
"execution",
"passive dns",
"urls",
"otx logo",
"all url",
"http",
"ip address",
"related nids",
"files location",
"win32mydoom feb",
"name servers",
"servers",
"worm",
"virtool",
"files",
"ipv4",
"reverse dns",
"america flag",
"america asn",
"United States",
"unknown ns",
"asn as714",
"invalid url",
"mtb oct",
"mtb sep",
"lowfi",
"trojanspy",
"total",
"push",
"defender",
"china unknown",
"mtb apr",
"ok server",
"gmt content",
"type",
"accept",
"show",
"todo",
"all filehash",
"av detections",
"shift",
"url http",
"url https",
"hostname",
"type indicator",
"source hostname",
"writeconsolew",
"post https",
"tlsv1",
"medium",
"write c",
"dock",
"command",
"control",
"icedid",
"domain",
"all domain",
"status",
"hostname add",
"crlf line",
"unicode text",
"utf8",
"ee fc",
"yara rule",
"ff d5",
"ascii text",
"f0 ff",
"eb e1",
"music",
"next",
"autorun",
"suspicious",
"compatibility",
"mode",
"entries",
"lredmond",
"stwashington",
"search",
"tls sni",
"denmark",
"body html",
"head title",
"title head",
"body h1",
"all ipv4",
"url analysis",
"users",
"ff ff",
"files domain",
"files related",
"url add",
"flag united",
"present apr",
"location united",
"asn asnone",
"as16509",
"moved",
"title",
"body",
"code",
"mydoom",
"bot net",
"mitm",
"aquire",
"hidden users",
"no expiration",
"filehashsha256",
"expiration",
"showing",
"indicator role",
"pulses url",
"pulse show",
"iot",
"Iced iced baby"
],
"references": [
"support.apple.com/ht^*^*^*^ redirects to support.apple.com/de/^*^*^*^*^",
"This is messy! OTX refreshed and deleted IoC\u2019s. Will continue researching",
"IDS Detections: Observed IcedID CnC Domain in TLS SNI TLS Handshake Failure",
"df57a01 c40f355a0f8a592294187d4fedc257 [Compatibility Mode] - Word",
"div>
",
"Same legal , and quasi governmental pattern identified",
"I apologize for the lack of reference.",
"Requires further research.",
"Will pulse remaining Apple IoC\u2019s in next pulse",
"https://l.us-1.a.mimecastprotect.com/l",
"It appears there are 5-7 known affected that I was able to find"
],
"public": 1,
"adversary": "",
"targeted_countries": [
"Germany",
"Denmark",
"United States of America",
"Japan"
],
"malware_families": [
{
"id": "Icedid",
"display_name": "Icedid",
"target": null
},
{
"id": "Trojan:Win32/SmkLdr.H!MTB",
"display_name": "Trojan:Win32/SmkLdr.H!MTB",
"target": "/malware/Trojan:Win32/SmkLdr.H!MTB"
},
{
"id": "#Lowfi:Lua:DllSuspiciousExport.A",
"display_name": "#Lowfi:Lua:DllSuspiciousExport.A",
"target": null
},
{
"id": "MyDoom",
"display_name": "MyDoom",
"target": null
}
],
"attack_ids": [
{
"id": "T1045",
"name": "Software Packing",
"display_name": "T1045 - Software Packing"
},
{
"id": "T1082",
"name": "System Information Discovery",
"display_name": "T1082 - System Information Discovery"
},
{
"id": "T1112",
"name": "Modify Registry",
"display_name": "T1112 - Modify Registry"
},
{
"id": "T1129",
"name": "Shared Modules",
"display_name": "T1129 - Shared Modules"
},
{
"id": "T1143",
"name": "Hidden Window",
"display_name": "T1143 - Hidden Window"
},
{
"id": "T1158",
"name": "Hidden Files and Directories",
"display_name": "T1158 - Hidden Files and Directories"
},
{
"id": "T1060",
"name": "Registry Run Keys / Startup Folder",
"display_name": "T1060 - Registry Run Keys / Startup Folder"
},
{
"id": "T1566",
"name": "Phishing",
"display_name": "T1566 - Phishing"
},
{
"id": "T1583",
"name": "Acquire Infrastructure",
"display_name": "T1583 - Acquire Infrastructure"
},
{
"id": "T1583.005",
"name": "Botnet",
"display_name": "T1583.005 - Botnet"
},
{
"id": "T1608.001",
"name": "Upload Malware",
"display_name": "T1608.001 - Upload Malware"
},
{
"id": "T1587.001",
"name": "Malware",
"display_name": "T1587.001 - Malware"
},
{
"id": "T1155",
"name": "AppleScript",
"display_name": "T1155 - AppleScript"
},
{
"id": "T1557",
"name": "Man-in-the-Middle",
"display_name": "T1557 - Man-in-the-Middle"
},
{
"id": "T1147",
"name": "Hidden Users",
"display_name": "T1147 - Hidden Users"
}
],
"industries": [
"Technology",
"Telecom",
"Legal"
],
"TLP": "green",
"cloned_from": null,
"export_count": 2,
"upvotes_count": 0,
"downvotes_count": 0,
"votes_count": 0,
"locked": false,
"pulse_source": "web",
"validator_count": 0,
"comment_count": 0,
"follower_count": 0,
"vote": 0,
"author": {
"username": "Q.Vashti",
"id": "337942",
"avatar_url": "https://otx.alienvault.com/assets/images/default-avatar.png",
"is_subscribed": false,
"is_following": false
},
"indicator_type_counts": {
"hostname": 2051,
"FileHash-SHA256": 1706,
"URL": 6984,
"domain": 1097,
"FileHash-MD5": 401,
"FileHash-SHA1": 276,
"SSLCertFingerprint": 9,
"email": 13,
"CVE": 1
},
"indicator_count": 12538,
"is_author": false,
"is_subscribing": null,
"subscriber_count": 145,
"modified_text": "68 days ago ",
"is_modified": true,
"groups": [],
"in_group": false,
"threat_hunter_scannable": true,
"threat_hunter_has_agents": 1,
"related_indicator_type": "URL",
"related_indicator_is_active": 1
},
{
"id": "690a2c38de1708af54217faa",
"name": "Access Token used to steal security credentials & hack and ride DND of targeted individuals",
"description": "- https://shift.gearboxsoftware.com/link\n- Found embedded in targets phone.\n\nAccess Token used to steal security credentials & hack and ride DND of targeted individuals device. \nTAM Legal \u2022 Tulach \u2022 Hall Render \u2022 Quasi Government | Some type of Foundry user account found. \n\nStop illegally \n stalking, harassment, attempts, hacking, death threats. . Because the Colorado government allowing entities like this to operate without any type of rules, oversight or boundaries \nMILLION$ were wasted in your own fraud, waste in abuse scheme. AT&T , CrowdStrike , United Healthcare , UC Healthcare, Intermountain Health, T-Mobile, Amazon East, the Colorado Government itself, Medicare and Medicaid. For what? You have zero talent so you take it from those who do. You have nothing coming to you so you steal it from those who do. Is this somehow legal? \n#contacted #all_hosts backdoor #ransomware #cve #usa #american_terrorists #workers_compenstation_abuse #silencing #targeting #hitmen #illegal #malvertizing #aws_dns",
"modified": "2025-12-04T15:01:02.531000",
"created": "2025-11-04T16:39:20.035000",
"tags": [
"present aug",
"moved",
"encrypt",
"present jul",
"passive dns",
"ipv4 add",
"reverse dns",
"united states",
"present may",
"ip address",
"gmt content",
"ipv4",
"all ipv4",
"america",
"united",
"present oct",
"name servers",
"redacted for",
"emails",
"for privacy",
"unknown ns",
"unknown aaaa",
"dynamicloader",
"focus region",
"unicode text",
"utf16",
"ms windows",
"bokeh onlycanon",
"zeiss jena",
"mcsonnar",
"high",
"win64",
"stream",
"write",
"smartassembly",
"trailer",
"next",
"search",
"medium",
"as15169",
"write c",
"reads",
"team",
"malware",
"local",
"yara detections",
"delphi",
"strings",
"dcom",
"form",
"trojandropper",
"mtb nov",
"backdoor",
"otx telemetry",
"trojan",
"type",
"data upload",
"extraction",
"ol rop",
"hash avast",
"avg clamav",
"msdefender nov",
"win32upatre nov",
"win32berbew nov",
"dynamic",
"pe section",
"error",
"close",
"status",
"urls",
"expiration date",
"hostname",
"url analysis",
"yara rule",
"show",
"binary file",
"wine emulator",
"mtb oct",
"files",
"denmark asn",
"as32934",
"candyopen",
"possible",
"smoke loader",
"trojanspy",
"filehash",
"pulses otx",
"related tags",
"file type",
"no analysis",
"available",
"api key",
"screenshots",
"present nov",
"aaaa",
"mtb may",
"mexico",
"hostname add",
"registrar",
"domain add",
"location united",
"email add",
"none related",
"domains",
"email domain",
"service",
"domain",
"america flag",
"body",
"title",
"aws dns",
"next associated",
"risepro",
"guard",
"v full",
"reports v",
"t1059 shared",
"modules",
"t1129 system",
"t1569",
"help v",
"t1179 boot",
"logon autost",
"encoding",
"packing f0001",
"hidden files",
"e1203 windows",
"file attributes",
"registry value",
"catalog tree",
"analysis ob0001",
"evasion b0003",
"virtual machine",
"ip traffic",
"memory pattern",
"pattern urls",
"tls sni",
"get https",
"post https",
"named pipe",
"delete c",
"radar",
"defender",
"format",
"learn",
"command",
"ck id",
"name tactics",
"suspicious",
"informative",
"spawns",
"mitre att",
"ck techniques",
"evasion att",
"country",
"contacted hosts",
"process details",
"flag",
"globalc",
"intel",
"win32",
"worm",
"path",
"explorer",
"script",
"href",
"external",
"html content",
"tulach",
"hallrender",
"tam legal",
"brian sabey",
"christopher ahmann",
"apple",
"msie",
"chrome",
"ascio",
"creation date",
"date",
"germany unknown",
"germany asn",
"files ip",
"address",
"asn as24940",
"less",
"script urls",
"a domains",
"prox",
"dennis schrder",
"meta",
"apache",
"99u25f.exe",
"entries",
"as24940 hetzner",
"dns resolutions",
"status code",
"body length",
"kb body",
"software/ hardware",
"external-resources",
"password-input",
"overview",
"colorado"
],
"references": [
"https://shift.gearboxsoftware.com/link",
"https://tulach.cc/",
"https://www.anyxxxtube.net/search-porn/tsara-brashears/ \u2022 alohatube.xyz \u2022 1001pornvideos.com",
"x402.porn \u2022 http://alohatube.xyz/search/tsara-brashears \u2022 \thttps://ufovpn.io/blog/is-eporner-safe",
"https://www.turbo.net/run/videolan/vlc",
"http://www.forensickb.com/2013/03/file-entropy-explained.html",
"https://www.xlabs.com.br/blog/cve-2013-3304-dell-equallogic-directory-traversal/ \u2022 http://cve.phidias.com/",
"Overview \"Keeping money\" by the Colorado workers' compensation system can refer to",
"legal deductions, legitimate reasons for payment delays or denial, or potential issues that require legal",
"counsel. The system does not \"keep\" money without a valid reason.Lies. they\u2019ve Ben in trouble before ."
],
"public": 1,
"adversary": "Colorado Quasi Government | Workerk Compensation",
"targeted_countries": [
"United States of America"
],
"malware_families": [
{
"id": "Win.Trojan.Generic-9878032-0",
"display_name": "Win.Trojan.Generic-9878032-0",
"target": null
},
{
"id": "Win.Trojan.Starter-171",
"display_name": "Win.Trojan.Starter-171",
"target": null
},
{
"id": "GravityRAT",
"display_name": "GravityRAT",
"target": null
},
{
"id": "Backdoor:Win32/Berbew.AA!MTB",
"display_name": "Backdoor:Win32/Berbew.AA!MTB",
"target": "/malware/Backdoor:Win32/Berbew.AA!MTB"
},
{
"id": "Trojan:MSIL/AgentTesla.DW!MTB",
"display_name": "Trojan:MSIL/AgentTesla.DW!MTB",
"target": "/malware/Trojan:MSIL/AgentTesla.DW!MTB"
},
{
"id": "ALF:HeraklezEval:Trojan:MSIL/Gravityrat!rfn",
"display_name": "ALF:HeraklezEval:Trojan:MSIL/Gravityrat!rfn",
"target": null
},
{
"id": "Trojandropper:Win32/VB.IL",
"display_name": "Trojandropper:Win32/VB.IL",
"target": "/malware/Trojandropper:Win32/VB.IL"
},
{
"id": "Nemucod",
"display_name": "Nemucod",
"target": null
},
{
"id": "Berbew",
"display_name": "Berbew",
"target": null
},
{
"id": "PWS:Win32/Zbot.MS!MTB",
"display_name": "PWS:Win32/Zbot.MS!MTB",
"target": "/malware/PWS:Win32/Zbot.MS!MTB"
},
{
"id": "Win.Trojan.Barys-10005825-0",
"display_name": "Win.Trojan.Barys-10005825-0",
"target": null
},
{
"id": "Upatre",
"display_name": "Upatre",
"target": null
},
{
"id": "TrojanSpy",
"display_name": "TrojanSpy",
"target": null
},
{
"id": "Win.Exploit.Rozena-10038302-0",
"display_name": "Win.Exploit.Rozena-10038302-0",
"target": null
},
{
"id": "Zombie",
"display_name": "Zombie",
"target": null
},
{
"id": "Trojan:Win32/Zombie",
"display_name": "Trojan:Win32/Zombie",
"target": "/malware/Trojan:Win32/Zombie"
},
{
"id": "Muldrop",
"display_name": "Muldrop",
"target": null
},
{
"id": "Worm:Win32/Mofksys.RND!MTB",
"display_name": "Worm:Win32/Mofksys.RND!MTB",
"target": "/malware/Worm:Win32/Mofksys.RND!MTB"
},
{
"id": "Dorv",
"display_name": "Dorv",
"target": null
},
{
"id": "Win.Malware.Pits-10035540-0",
"display_name": "Win.Malware.Pits-10035540-0",
"target": null
},
{
"id": "Win.Ransomware.Msilzilla-10014498-0",
"display_name": "Win.Ransomware.Msilzilla-10014498-0",
"target": null
},
{
"id": "CVE-2023-4966",
"display_name": "CVE-2023-4966",
"target": null
},
{
"id": "Exploit:Linux/CVE-2017-17215",
"display_name": "Exploit:Linux/CVE-2017-17215",
"target": "/malware/Exploit:Linux/CVE-2017-17215"
},
{
"id": "Ransom:Win32/CVE-2017-0147",
"display_name": "Ransom:Win32/CVE-2017-0147",
"target": "/malware/Ransom:Win32/CVE-2017-0147"
},
{
"id": "CVE-2022-26134",
"display_name": "CVE-2022-26134",
"target": null
}
],
"attack_ids": [
{
"id": "T1060",
"name": "Registry Run Keys / Startup Folder",
"display_name": "T1060 - Registry Run Keys / Startup Folder"
},
{
"id": "T1063",
"name": "Security Software Discovery",
"display_name": "T1063 - Security Software Discovery"
},
{
"id": "T1119",
"name": "Automated Collection",
"display_name": "T1119 - Automated Collection"
},
{
"id": "T1045",
"name": "Software Packing",
"display_name": "T1045 - Software Packing"
},
{
"id": "T1059",
"name": "Command and Scripting Interpreter",
"display_name": "T1059 - Command and Scripting Interpreter"
},
{
"id": "T1129",
"name": "Shared Modules",
"display_name": "T1129 - Shared Modules"
},
{
"id": "T1179",
"name": "Hooking",
"display_name": "T1179 - Hooking"
},
{
"id": "T1547",
"name": "Boot or Logon Autostart Execution",
"display_name": "T1547 - Boot or Logon Autostart Execution"
},
{
"id": "T1569",
"name": "System Services",
"display_name": "T1569 - System Services"
},
{
"id": "T1057",
"name": "Process Discovery",
"display_name": "T1057 - Process Discovery"
},
{
"id": "T1027",
"name": "Obfuscated Files or Information",
"display_name": "T1027 - Obfuscated Files or Information"
},
{
"id": "T1069",
"name": "Permission Groups Discovery",
"display_name": "T1069 - Permission Groups Discovery"
},
{
"id": "T1071",
"name": "Application Layer Protocol",
"display_name": "T1071 - Application Layer Protocol"
},
{
"id": "T1105",
"name": "Ingress Tool Transfer",
"display_name": "T1105 - Ingress Tool Transfer"
},
{
"id": "T1480",
"name": "Execution Guardrails",
"display_name": "T1480 - Execution Guardrails"
},
{
"id": "T1553",
"name": "Subvert Trust Controls",
"display_name": "T1553 - Subvert Trust Controls"
},
{
"id": "T1568",
"name": "Dynamic Resolution",
"display_name": "T1568 - Dynamic Resolution"
},
{
"id": "T1457",
"name": "Malicious Media Content",
"display_name": "T1457 - Malicious Media Content"
},
{
"id": "T1071.004",
"name": "DNS",
"display_name": "T1071.004 - DNS"
}
],
"industries": [],
"TLP": "white",
"cloned_from": null,
"export_count": 12,
"upvotes_count": 0,
"downvotes_count": 0,
"votes_count": 0,
"locked": false,
"pulse_source": "web",
"validator_count": 0,
"comment_count": 0,
"follower_count": 0,
"vote": 0,
"author": {
"username": "Q.Vashti",
"id": "337942",
"avatar_url": "https://otx.alienvault.com/assets/images/default-avatar.png",
"is_subscribed": false,
"is_following": false
},
"indicator_type_counts": {
"URL": 6051,
"hostname": 2627,
"FileHash-MD5": 401,
"FileHash-SHA1": 257,
"email": 11,
"domain": 1838,
"FileHash-SHA256": 1742,
"CVE": 4,
"SSLCertFingerprint": 3
},
"indicator_count": 12934,
"is_author": false,
"is_subscribing": null,
"subscriber_count": 144,
"modified_text": "178 days ago ",
"is_modified": true,
"groups": [],
"in_group": false,
"threat_hunter_scannable": true,
"threat_hunter_has_agents": 1,
"related_indicator_type": "URL",
"related_indicator_is_active": 1
},
{
"id": "68bc597c34358af14891a484",
"name": "A State: Government Financial Department affected by malware and threat actors",
"description": "A State Governmental Financial Department contacted. Lightly researched link below.\nFinal URL: https://www.palantir.com/blocked/?blocker=Envoy&ip=35.243.23.172&vpcEndpoint=&errorInstanceId=b8ae0a73-8c2d-4d81-a6ea-ee53943e9485&targetDomain=millet-usgc-1.palantirfedstart. | 403 Code - contacted |",
"modified": "2025-10-06T15:03:41.536000",
"created": "2025-09-06T15:55:40.069000",
"tags": [
"status",
"united",
"unknown ns",
"search",
"certificate",
"passive dns",
"urls",
"record value",
"emails",
"date",
"title",
"present jul",
"script urls",
"security",
"a domains",
"script domains",
"read",
"meta",
"443 ma86400",
"next associated",
"files show",
"serving ip",
"address",
"status code",
"body length",
"b body",
"sha256",
"gmt server",
"extraction f",
"enter so",
"type",
"u extraction",
"data upload",
"extraction",
"orbrop",
"present aug",
"present jun",
"present oct",
"entries",
"present apr",
"present nov",
"gtmpsl84dj",
"resolved ips",
"c0002 wininet",
"data",
"datacrashpad",
"edge",
"url data",
"accept",
"gmt ifnonematch",
"address port",
"cname",
"response",
"nxdomain",
"name n",
"creation date",
"domain add",
"pulse pulses",
"files",
"ip address",
"location united",
"asn as13335",
"whois registrar"
],
"references": [],
"public": 1,
"adversary": "",
"targeted_countries": [],
"malware_families": [],
"attack_ids": [
{
"id": "T1027",
"name": "Obfuscated Files or Information",
"display_name": "T1027 - Obfuscated Files or Information"
}
],
"industries": [],
"TLP": "green",
"cloned_from": null,
"export_count": 3,
"upvotes_count": 0,
"downvotes_count": 0,
"votes_count": 0,
"locked": false,
"pulse_source": "web",
"validator_count": 0,
"comment_count": 0,
"follower_count": 0,
"vote": 0,
"author": {
"username": "Q.Vashti",
"id": "337942",
"avatar_url": "https://otx.alienvault.com/assets/images/default-avatar.png",
"is_subscribed": false,
"is_following": false
},
"indicator_type_counts": {
"URL": 1785,
"domain": 710,
"hostname": 949,
"FileHash-SHA256": 864,
"email": 4,
"CVE": 3,
"FileHash-MD5": 27,
"FileHash-SHA1": 27
},
"indicator_count": 4369,
"is_author": false,
"is_subscribing": null,
"subscriber_count": 144,
"modified_text": "237 days ago ",
"is_modified": true,
"groups": [],
"in_group": false,
"threat_hunter_scannable": true,
"threat_hunter_has_agents": 1,
"related_indicator_type": "URL",
"related_indicator_is_active": 1
}
],
"error": null,
"vt": {
"error": "VirusTotal rate limit reached. Try again shortly.",
"indicator": "https://ns-729.awsdns-27.net/",
"type": "URL"
},
"abuseipdb": null,
"urlhaus": {
"indicator": "https://ns-729.awsdns-27.net/",
"type": "URL",
"found": false,
"verdict": "clean",
"error": null
},
"from_cache": true,
"_cached_at": 1780289047.382872
}