{
"type": "URL",
"indicator": "https://nvfaxweb.marioncountyclerk.org",
"general": {
"sections": [
"general",
"url_list",
"http_scans",
"screenshot"
],
"indicator": "https://nvfaxweb.marioncountyclerk.org",
"type": "url",
"type_title": "URL",
"validation": [],
"base_indicator": {
"id": 4077345315,
"indicator": "https://nvfaxweb.marioncountyclerk.org",
"type": "URL",
"title": "",
"description": "",
"content": "",
"access_type": "public",
"access_reason": ""
},
"pulse_info": {
"count": 11,
"pulses": [
{
"id": "68e2bb5d9ee8577ab5519f2c",
"name": "Meritshealth with DoD links? ",
"description": "",
"modified": "2026-01-13T00:05:56.401000",
"created": "2025-10-05T18:39:25.286000",
"tags": [
"gtmk5nxqc6",
"utc amazon",
"utc na",
"acceptencoding",
"gmt contenttype",
"connection",
"true pragma",
"gmt setcookie",
"httponly",
"gmt vary",
"nc000000 up",
"html document",
"unicode text",
"utf8 text",
"oc0006 http",
"http traffic",
"https http",
"mitre att",
"control ta0011",
"protocol t1071",
"match info",
"t1573 severity",
"info",
"number",
"ja3s",
"algorithm",
"azure rsa",
"tls issuing",
"cus subject",
"stwa lredmond",
"cnmicrosoft ecc",
"update secure",
"server ca",
"omicrosoft cus",
"get http",
"dns resolutions",
"registrar",
"markmonitor inc",
"country",
"resolver domain",
"type name",
"html",
"apnic",
"apnic whois",
"please",
"rirs",
"cidr",
"learn",
"ck id",
"name tactics",
"suspicious",
"informative",
"command",
"adversaries",
"development att",
"name tactics",
"binary file",
"ck matrix",
"wheelchair",
"iamrobert",
"pattern match",
"ascii text",
"href",
"united",
"general",
"local",
"path",
"encrypt",
"click",
"passive dns",
"urls",
"files",
"reverse dns",
"netherlands",
"present aug",
"a domains",
"moved",
"first pqc",
"ip address",
"unknown ns",
"unknown aaaa",
"title",
"body",
"meta",
"window",
"accept",
"body doctype",
"welcome",
"ok server",
"gmt content",
"present jul",
"present sep",
"aaaa",
"hostname",
"error",
"defense evasion",
"windows nt",
"response",
"vary",
"strings",
"core",
"t1027.013 encrypted/encoded",
"michelin lazy k",
"prefetch8",
"flag",
"date",
"starfield",
"hybrid",
"mobility cr",
"extraction",
"data upload",
"include",
"o url",
"url url",
"included i0",
"review ioc",
"excluded ic",
"suggested",
"find sugi",
"failed",
"cre pul",
"enter",
"enter sc",
"type",
"enric",
"extra",
"type opaste",
"data u",
"included",
"copy md5",
"copy sha1",
"copy sha256",
"null",
"refresh",
"tools",
"look",
"verify",
"restart",
"t1480 execution",
"expiration",
"url https",
"no expiration",
"iocs",
"ipv4",
"text drag",
"drop or",
"browse to",
"select file",
"redacted for",
"server",
"privacy tech",
"privacy admin",
"postal code",
"stateprovince",
"organization",
"email",
"code",
"quantum rooms",
"sam somalia",
"emp",
"porn",
"media defense",
"gov porn",
"suck my nips",
"reimer suspect",
"jeffrey reimer",
"dod",
"department of defense",
"show",
"date checked",
"url hostname",
"server response",
"google safe",
"results may",
"entries http",
"scans record",
"value status",
"sabey type",
"merits fake",
"y.a.s.",
"pornography",
"ramsom"
],
"references": [
"https://www.meritshealth.com/ Defense.Gov Mobility Co? ",
"zeroeyes.host \u2022 media.defense.gov \u2022 defense.gov \u2022 23.222.155.67",
"https://media.defense.gov/2022/Mar/17/2002958406/-1/-1/1/SUMMARY-OF-THE-JOINT-ALL-DOMAIN-COMMAND-AND-CONTROL-STRATEGY.pdf",
"https://media.defense.gov/2020/jun/09/2002313081/-1/-1/0/csi-detect-and-prevent-web-shell-malware-20200422.pdf",
"https://rto.bappam.eu/ai-n2cdl/mirai-2025-ven5k-telugu-movie-watch-online.html",
"https://pornokind.vgt.pl \u2022 https://cdn2.video.itsyourporn.com",
"https://webcams.itsyourporn.com/ \u2022 https://members.itsyourporn.com/",
"https://pics-storage-1.pornhat.com/contents/albums/main/1920x1080/135000/135855/9537375.jp",
"https://static.pornhat.com/contents/videos_screenshots/642000/642793/640x360/1.jpg",
"https://d1rozh26tys225.cloudfront.net/robot-suspicion.svg (mobility company no one has heard of)",
"https://www2.itsyourporn.com/license.php \u2022 https://www.lovephoto.tw/members",
"https://members.engine.com/login \u2022 https://members.engine.com/payment-details/220210",
"https://www-pornocarioca-com.sexogratis.page/videos/bbb/ex",
"https://media.defense.gov/2024/sep/18/2003547016/-1/-1/0/csa-prc-linked-actors-botnet.pdf",
"https://maisexo-com.putaria.info/casting \u2022 https://contosadultos-club.sexogratis.page/tudo",
"https://meumundogay-com.sexogratis.page/locker",
"https://es.pornhat.com/models/the-sex-creator/",
"Dear US Government, the man who assaulted targets name is Jeffrey Scott Reimer of Chester Springs, PA",
"Can the DoD no questions asked target a SA victim",
"Red Team Abuse? Starfield ? DoD? You need a real criminal Jeffrey Reimer.",
"There\u2019s a problem with terrorizing victims, relatives of, associates of and stealing their property intellectual or otherwise",
"socialmedia \u2022 socialmedia.defense.gov \u2022 static.defense.gov",
"There is fear in silence or speaking out",
"Target left unattended by anyone in a hospital except a security guard. Hospital refused care. Ignored rare brain incident from high cervical & brain assault injuries aggravated by car accident.",
"3-4 Police presence. 25 + hospital employees prepped radiology room. No one left room so was it for her?",
"If someone is believed to be a threat they have right to due process.",
"Infectious Disease UC Health denied target medication they said she needed as questionable liquid seeped into her brain.",
"She was a researcher not a hacker. A mother not a criminal. Most talented and least impressed person I have ever known.",
"Remarks online \u2018 T\u2019*#^^ is not a runner\u2019 a size 00 broke two track records at a major universities.",
"Honestly, you\u2019ve never seen or met her no many how many people you\u2019ve sent out. That\u2019s why you quiz.",
"ftp.iamrobert.com ? \u2022 https://www.meritshealth.com/templates/iamrobert/fonts/Graphik-Regular.eot",
"iamrobert.com Y.A.S.",
"1.2016 M.Brian Sabey filed a complaint about? Jeffrey Reimer refused Lie detector test and False memory exam",
"Target agreed and complied with all lie detector measures.",
"Is the family allowed to have a funeral for Tsara or print an obituary",
"No, they put Tsara in her mom\u2019s obituary, she couldn\u2019t grieve, she had to take it down.",
"I am very upset. Whoever is doing this is sick."
],
"public": 1,
"adversary": "",
"targeted_countries": [
"United States of America"
],
"malware_families": [
{
"id": "APNIC",
"display_name": "APNIC",
"target": null
},
{
"id": "Malware",
"display_name": "Malware",
"target": null
}
],
"attack_ids": [
{
"id": "T1071",
"name": "Application Layer Protocol",
"display_name": "T1071 - Application Layer Protocol"
},
{
"id": "T1573",
"name": "Encrypted Channel",
"display_name": "T1573 - Encrypted Channel"
},
{
"id": "T1027",
"name": "Obfuscated Files or Information",
"display_name": "T1027 - Obfuscated Files or Information"
},
{
"id": "T1057",
"name": "Process Discovery",
"display_name": "T1057 - Process Discovery"
},
{
"id": "T1069",
"name": "Permission Groups Discovery",
"display_name": "T1069 - Permission Groups Discovery"
},
{
"id": "T1105",
"name": "Ingress Tool Transfer",
"display_name": "T1105 - Ingress Tool Transfer"
},
{
"id": "T1480",
"name": "Execution Guardrails",
"display_name": "T1480 - Execution Guardrails"
},
{
"id": "T1553",
"name": "Subvert Trust Controls",
"display_name": "T1553 - Subvert Trust Controls"
},
{
"id": "T1566",
"name": "Phishing",
"display_name": "T1566 - Phishing"
},
{
"id": "T1568",
"name": "Dynamic Resolution",
"display_name": "T1568 - Dynamic Resolution"
},
{
"id": "T1583",
"name": "Acquire Infrastructure",
"display_name": "T1583 - Acquire Infrastructure"
},
{
"id": "T1069.002",
"name": "Domain Groups",
"display_name": "T1069.002 - Domain Groups"
},
{
"id": "T1071.001",
"name": "Web Protocols",
"display_name": "T1071.001 - Web Protocols"
},
{
"id": "T1583.001",
"name": "Domains",
"display_name": "T1583.001 - Domains"
},
{
"id": "TA0042",
"name": "Resource Development",
"display_name": "TA0042 - Resource Development"
},
{
"id": "TA0005",
"name": "Defense Evasion",
"display_name": "TA0005 - Defense Evasion"
},
{
"id": "T1553.002",
"name": "Code Signing",
"display_name": "T1553.002 - Code Signing"
},
{
"id": "T1528",
"name": "Steal Application Access Token",
"display_name": "T1528 - Steal Application Access Token"
},
{
"id": "T1071.004",
"name": "DNS",
"display_name": "T1071.004 - DNS"
},
{
"id": "T1113",
"name": "Screen Capture",
"display_name": "T1113 - Screen Capture"
},
{
"id": "T1590",
"name": "Gather Victim Network Information",
"display_name": "T1590 - Gather Victim Network Information"
},
{
"id": "T1591",
"name": "Gather Victim Org Information",
"display_name": "T1591 - Gather Victim Org Information"
},
{
"id": "T1132",
"name": "Data Encoding",
"display_name": "T1132 - Data Encoding"
},
{
"id": "T1140",
"name": "Deobfuscate/Decode Files or Information",
"display_name": "T1140 - Deobfuscate/Decode Files or Information"
},
{
"id": "T1562",
"name": "Impair Defenses",
"display_name": "T1562 - Impair Defenses"
},
{
"id": "T1457",
"name": "Malicious Media Content",
"display_name": "T1457 - Malicious Media Content"
},
{
"id": "T1562.001",
"name": "Disable or Modify Tools",
"display_name": "T1562.001 - Disable or Modify Tools"
},
{
"id": "T1562.004",
"name": "Disable or Modify System Firewall",
"display_name": "T1562.004 - Disable or Modify System Firewall"
},
{
"id": "T1089",
"name": "Disabling Security Tools",
"display_name": "T1089 - Disabling Security Tools"
},
{
"id": "T1562.008",
"name": "Disable Cloud Logs",
"display_name": "T1562.008 - Disable Cloud Logs"
},
{
"id": "T1125",
"name": "Video Capture",
"display_name": "T1125 - Video Capture"
},
{
"id": "T1056.003",
"name": "Web Portal Capture",
"display_name": "T1056.003 - Web Portal Capture"
},
{
"id": "T1512",
"name": "Capture Camera",
"display_name": "T1512 - Capture Camera"
},
{
"id": "T1180",
"name": "Screensaver",
"display_name": "T1180 - Screensaver"
}
],
"industries": [],
"TLP": "white",
"cloned_from": "68e2b14d83bb63502feac65e",
"export_count": 17,
"upvotes_count": 0,
"downvotes_count": 0,
"votes_count": 0,
"locked": false,
"pulse_source": "web",
"validator_count": 0,
"comment_count": 0,
"follower_count": 0,
"vote": 0,
"author": {
"username": "Q.Vashti",
"id": "337942",
"avatar_url": "https://otx.alienvault.com/assets/images/default-avatar.png",
"is_subscribed": false,
"is_following": false
},
"indicator_type_counts": {
"domain": 1365,
"URL": 11172,
"hostname": 2780,
"FileHash-MD5": 381,
"FileHash-SHA256": 4420,
"FileHash-SHA1": 338,
"CIDR": 4,
"SSLCertFingerprint": 24,
"CVE": 1,
"email": 1
},
"indicator_count": 20486,
"is_author": false,
"is_subscribing": null,
"subscriber_count": 143,
"modified_text": "138 days ago ",
"is_modified": true,
"groups": [],
"in_group": false,
"threat_hunter_scannable": true,
"threat_hunter_has_agents": 1,
"related_indicator_type": "URL",
"related_indicator_is_active": 1
},
{
"id": "68e2b14d83bb63502feac65e",
"name": "Did the \u2018real\u2019 DoD kill Targets wheelchair as promised? It\u2019s alive again.",
"description": "I\u2019d never think the DoD would be found when researching a wheelchair company NO ONE has ever heard of in this region. \n\nA wheelchair was ordered for target early spring, it was received in early summer. \n\nSettings became a crazy mess. Suspicion was immediate as a toothless tech tried to identify if dealing w/target by birth year , quizzing, fear tactics (doomsday wheelchair) , familiar Then warns about EMP attacks against wheelchair? His son is a hacker (gamer) + software engineer. He left not knowing if target status after quizzing tech knowledge? I intentionally verbalized the truth , target was a very early adopter of Ruby & Ruby on Rails & everything tech, he dropped his tools & left breaking the arm of wheelchair. New tech needed. Later denies ever being a mobility technician. They killed a new wheelchair. Why?. You\u2019re allowed to donate your equipment Vets & uninsured NEED mobility equipment. Stop the craziness. Is it possible gamer hackers are riding the DoD w/o their knowledge?",
"modified": "2026-01-07T00:00:30.717000",
"created": "2025-10-05T17:56:29.109000",
"tags": [
"gtmk5nxqc6",
"utc amazon",
"utc na",
"acceptencoding",
"gmt contenttype",
"connection",
"true pragma",
"gmt setcookie",
"httponly",
"gmt vary",
"nc000000 up",
"html document",
"unicode text",
"utf8 text",
"oc0006 http",
"http traffic",
"https http",
"mitre att",
"control ta0011",
"protocol t1071",
"match info",
"t1573 severity",
"info",
"number",
"ja3s",
"algorithm",
"azure rsa",
"tls issuing",
"cus subject",
"stwa lredmond",
"cnmicrosoft ecc",
"update secure",
"server ca",
"omicrosoft cus",
"get http",
"dns resolutions",
"registrar",
"markmonitor inc",
"country",
"resolver domain",
"type name",
"html",
"apnic",
"apnic whois",
"please",
"rirs",
"cidr",
"learn",
"ck id",
"name tactics",
"suspicious",
"informative",
"command",
"adversaries",
"development att",
"name tactics",
"binary file",
"ck matrix",
"wheelchair",
"iamrobert",
"pattern match",
"ascii text",
"href",
"united",
"general",
"local",
"path",
"encrypt",
"click",
"passive dns",
"urls",
"files",
"reverse dns",
"netherlands",
"present aug",
"a domains",
"moved",
"first pqc",
"ip address",
"unknown ns",
"unknown aaaa",
"title",
"body",
"meta",
"window",
"accept",
"body doctype",
"welcome",
"ok server",
"gmt content",
"present jul",
"present sep",
"aaaa",
"hostname",
"error",
"defense evasion",
"windows nt",
"response",
"vary",
"strings",
"core",
"t1027.013 encrypted/encoded",
"michelin lazy k",
"prefetch8",
"flag",
"date",
"starfield",
"hybrid",
"mobility cr",
"extraction",
"data upload",
"include",
"o url",
"url url",
"included i0",
"review ioc",
"excluded ic",
"suggested",
"find sugi",
"failed",
"cre pul",
"enter",
"enter sc",
"type",
"enric",
"extra",
"type opaste",
"data u",
"included",
"copy md5",
"copy sha1",
"copy sha256",
"null",
"refresh",
"tools",
"look",
"verify",
"restart",
"t1480 execution",
"expiration",
"url https",
"no expiration",
"iocs",
"ipv4",
"text drag",
"drop or",
"browse to",
"select file",
"redacted for",
"server",
"privacy tech",
"privacy admin",
"postal code",
"stateprovince",
"organization",
"email",
"code",
"quantum rooms",
"sam somalia",
"emp",
"porn",
"media defense",
"gov porn",
"suck my nips",
"reimer suspect",
"jeffrey reimer",
"dod",
"department of defense",
"show",
"date checked",
"url hostname",
"server response",
"google safe",
"results may",
"entries http",
"scans record",
"value status",
"sabey type",
"merits fake",
"y.a.s.",
"pornography",
"ramsom"
],
"references": [
"https://www.meritshealth.com/ Defense.Gov Mobility Co? ",
"zeroeyes.host \u2022 media.defense.gov \u2022 defense.gov \u2022 23.222.155.67",
"https://media.defense.gov/2022/Mar/17/2002958406/-1/-1/1/SUMMARY-OF-THE-JOINT-ALL-DOMAIN-COMMAND-AND-CONTROL-STRATEGY.pdf",
"https://media.defense.gov/2020/jun/09/2002313081/-1/-1/0/csi-detect-and-prevent-web-shell-malware-20200422.pdf",
"https://rto.bappam.eu/ai-n2cdl/mirai-2025-ven5k-telugu-movie-watch-online.html",
"https://pornokind.vgt.pl \u2022 https://cdn2.video.itsyourporn.com",
"https://webcams.itsyourporn.com/ \u2022 https://members.itsyourporn.com/",
"https://pics-storage-1.pornhat.com/contents/albums/main/1920x1080/135000/135855/9537375.jp",
"https://static.pornhat.com/contents/videos_screenshots/642000/642793/640x360/1.jpg",
"https://d1rozh26tys225.cloudfront.net/robot-suspicion.svg (mobility company no one has heard of)",
"https://www2.itsyourporn.com/license.php \u2022 https://www.lovephoto.tw/members",
"https://members.engine.com/login \u2022 https://members.engine.com/payment-details/220210",
"https://www-pornocarioca-com.sexogratis.page/videos/bbb/ex",
"https://media.defense.gov/2024/sep/18/2003547016/-1/-1/0/csa-prc-linked-actors-botnet.pdf",
"https://maisexo-com.putaria.info/casting \u2022 https://contosadultos-club.sexogratis.page/tudo",
"https://meumundogay-com.sexogratis.page/locker",
"https://es.pornhat.com/models/the-sex-creator/",
"Dear US Government, the man who assaulted targets name is Jeffrey Scott Reimer of Chester Springs, PA",
"Can the DoD no questions asked target a SA victim",
"Red Team Abuse? Starfield ? DoD? You need a real criminal Jeffrey Reimer.",
"There\u2019s a problem with terrorizing victims, relatives of, associates of and stealing their property intellectual or otherwise",
"socialmedia \u2022 socialmedia.defense.gov \u2022 static.defense.gov",
"There is fear in silence or speaking out",
"Target left unattended by anyone in a hospital except a security guard. Hospital refused care. Ignored rare brain incident from high cervical & brain assault injuries aggravated by car accident.",
"3-4 Police presence. 25 + hospital employees prepped radiology room. No one left room so was it for her?",
"If someone is believed to be a threat they have right to due process.",
"Infectious Disease UC Health denied target medication they said she needed as questionable liquid seeped into her brain.",
"She was a researcher not a hacker. A mother not a criminal. Most talented and least impressed person I have ever known.",
"Remarks online \u2018 T\u2019*#^^ is not a runner\u2019 a size 00 broke two track records at a major universities.",
"Honestly, you\u2019ve never seen or met her no many how many people you\u2019ve sent out. That\u2019s why you quiz.",
"ftp.iamrobert.com ? \u2022 https://www.meritshealth.com/templates/iamrobert/fonts/Graphik-Regular.eot",
"iamrobert.com Y.A.S.",
"1.2016 M.Brian Sabey filed a complaint about? Jeffrey Reimer refused Lie detector test and False memory exam",
"Target agreed and complied with all lie detector measures.",
"Is the family allowed to have a funeral for Tsara or print an obituary",
"No, they put Tsara in her mom\u2019s obituary, she couldn\u2019t grieve, she had to take it down.",
"I am very upset. Whoever is doing this is sick."
],
"public": 1,
"adversary": "",
"targeted_countries": [
"United States of America"
],
"malware_families": [
{
"id": "APNIC",
"display_name": "APNIC",
"target": null
},
{
"id": "Malware",
"display_name": "Malware",
"target": null
}
],
"attack_ids": [
{
"id": "T1071",
"name": "Application Layer Protocol",
"display_name": "T1071 - Application Layer Protocol"
},
{
"id": "T1573",
"name": "Encrypted Channel",
"display_name": "T1573 - Encrypted Channel"
},
{
"id": "T1027",
"name": "Obfuscated Files or Information",
"display_name": "T1027 - Obfuscated Files or Information"
},
{
"id": "T1057",
"name": "Process Discovery",
"display_name": "T1057 - Process Discovery"
},
{
"id": "T1069",
"name": "Permission Groups Discovery",
"display_name": "T1069 - Permission Groups Discovery"
},
{
"id": "T1105",
"name": "Ingress Tool Transfer",
"display_name": "T1105 - Ingress Tool Transfer"
},
{
"id": "T1480",
"name": "Execution Guardrails",
"display_name": "T1480 - Execution Guardrails"
},
{
"id": "T1553",
"name": "Subvert Trust Controls",
"display_name": "T1553 - Subvert Trust Controls"
},
{
"id": "T1566",
"name": "Phishing",
"display_name": "T1566 - Phishing"
},
{
"id": "T1568",
"name": "Dynamic Resolution",
"display_name": "T1568 - Dynamic Resolution"
},
{
"id": "T1583",
"name": "Acquire Infrastructure",
"display_name": "T1583 - Acquire Infrastructure"
},
{
"id": "T1069.002",
"name": "Domain Groups",
"display_name": "T1069.002 - Domain Groups"
},
{
"id": "T1071.001",
"name": "Web Protocols",
"display_name": "T1071.001 - Web Protocols"
},
{
"id": "T1583.001",
"name": "Domains",
"display_name": "T1583.001 - Domains"
},
{
"id": "TA0042",
"name": "Resource Development",
"display_name": "TA0042 - Resource Development"
},
{
"id": "TA0005",
"name": "Defense Evasion",
"display_name": "TA0005 - Defense Evasion"
},
{
"id": "T1553.002",
"name": "Code Signing",
"display_name": "T1553.002 - Code Signing"
},
{
"id": "T1528",
"name": "Steal Application Access Token",
"display_name": "T1528 - Steal Application Access Token"
},
{
"id": "T1071.004",
"name": "DNS",
"display_name": "T1071.004 - DNS"
},
{
"id": "T1113",
"name": "Screen Capture",
"display_name": "T1113 - Screen Capture"
},
{
"id": "T1590",
"name": "Gather Victim Network Information",
"display_name": "T1590 - Gather Victim Network Information"
},
{
"id": "T1591",
"name": "Gather Victim Org Information",
"display_name": "T1591 - Gather Victim Org Information"
},
{
"id": "T1132",
"name": "Data Encoding",
"display_name": "T1132 - Data Encoding"
},
{
"id": "T1140",
"name": "Deobfuscate/Decode Files or Information",
"display_name": "T1140 - Deobfuscate/Decode Files or Information"
},
{
"id": "T1562",
"name": "Impair Defenses",
"display_name": "T1562 - Impair Defenses"
},
{
"id": "T1457",
"name": "Malicious Media Content",
"display_name": "T1457 - Malicious Media Content"
},
{
"id": "T1562.001",
"name": "Disable or Modify Tools",
"display_name": "T1562.001 - Disable or Modify Tools"
},
{
"id": "T1562.004",
"name": "Disable or Modify System Firewall",
"display_name": "T1562.004 - Disable or Modify System Firewall"
},
{
"id": "T1089",
"name": "Disabling Security Tools",
"display_name": "T1089 - Disabling Security Tools"
},
{
"id": "T1562.008",
"name": "Disable Cloud Logs",
"display_name": "T1562.008 - Disable Cloud Logs"
},
{
"id": "T1125",
"name": "Video Capture",
"display_name": "T1125 - Video Capture"
},
{
"id": "T1056.003",
"name": "Web Portal Capture",
"display_name": "T1056.003 - Web Portal Capture"
},
{
"id": "T1512",
"name": "Capture Camera",
"display_name": "T1512 - Capture Camera"
},
{
"id": "T1180",
"name": "Screensaver",
"display_name": "T1180 - Screensaver"
}
],
"industries": [],
"TLP": "white",
"cloned_from": null,
"export_count": 11,
"upvotes_count": 0,
"downvotes_count": 0,
"votes_count": 0,
"locked": false,
"pulse_source": "web",
"validator_count": 0,
"comment_count": 1,
"follower_count": 0,
"vote": 0,
"author": {
"username": "Q.Vashti",
"id": "337942",
"avatar_url": "https://otx.alienvault.com/assets/images/default-avatar.png",
"is_subscribed": false,
"is_following": false
},
"indicator_type_counts": {
"domain": 1328,
"URL": 9931,
"hostname": 2621,
"FileHash-MD5": 381,
"FileHash-SHA256": 4360,
"FileHash-SHA1": 338,
"CIDR": 4,
"SSLCertFingerprint": 24,
"CVE": 1,
"email": 1
},
"indicator_count": 18989,
"is_author": false,
"is_subscribing": null,
"subscriber_count": 143,
"modified_text": "144 days ago ",
"is_modified": true,
"groups": [],
"in_group": false,
"threat_hunter_scannable": true,
"threat_hunter_has_agents": 1,
"related_indicator_type": "URL",
"related_indicator_is_active": 1
},
{
"id": "68e2ca40b12d7f02af896284",
"name": "Exploit Kit - 77.67.27.35 Isolated",
"description": "Information hastily gathered. IP 77.67.27.35\nbelongs to a server or device, WHOIS lookup indicates domain name cloud.com, owned by P.O. Box 412, 1043 CD, Amsterdam, Noord-Holland, NL | Summary ; ASN, AS3257 GTT Communications Inc. ; BGP, 77.67.0.0/17 ; IPs | BGP Looking Glass for AS3257 / GTT Communications Inc. | http.net - IP Transit Provider | Global Services - GTT | http://www.gtt.net Company Looking Glass: http://www.as3257.net/lg/ Info from single malicious file :Win32/Heur\n, \nTrojan.Crypted-29\nIDS Detections\nET POLICY Unsupported/Fake Windows NT Version 5.0\nET TROJAN Trojan/W32.KRBanker.60928.C Checkin\nYara Detections\nNone\nAlerts:\n\u2022 infostealer_browser\n\u2022 bypass_firewall\n\u2022 persistence_autorun\n\u2022 network_bind\n\u2022 network_http\n\u2022 packer_entropy\n- IP\u2019s Contacted :\n8.8.8.8 ,\n\n77.67.27.35 ,\n\n59.13.211.166 ,\n\n118.99.41.30 ,\nDomains Contacted :\nr.qzone.qq.com",
"modified": "2025-11-04T19:02:34.015000",
"created": "2025-10-05T19:42:56.097000",
"tags": [
"win32dh",
"mxigd4et",
"united",
"passive dns",
"entries",
"next associated",
"present oct",
"win32virut feb",
"all ipv4",
"pulse pulses",
"learn",
"ck id",
"name tactics",
"suspicious",
"informative",
"adversaries",
"spawns",
"command",
"found",
"evasion att",
"copy md5",
"copy sha1",
"copy sha256",
"sha1",
"sha256",
"ascii text",
"pattern match",
"mitre att",
"show technique",
"null",
"refresh",
"body",
"span",
"hybrid",
"local",
"path",
"click",
"strings",
"error",
"tools",
"title",
"look",
"verify",
"restart",
"information",
"whois",
"amsterdam",
"noordholland",
"summary",
"as3257 gtt",
"bgp looking",
"glass",
"as3257",
"ip transit",
"global",
"jfif",
"clsid",
"jpeg image",
"windows nt",
"gif image",
"msie",
"rgba",
"utf8 unicode",
"malware",
"copy",
"write",
"next",
"handle",
"address range",
"cidr",
"network name",
"allocation type",
"assigned pa",
"status",
"whois server",
"ripe ncc",
"ripe network"
],
"references": [],
"public": 1,
"adversary": "",
"targeted_countries": [
"Korea, Republic of",
"Hong Kong"
],
"malware_families": [],
"attack_ids": [
{
"id": "T1027",
"name": "Obfuscated Files or Information",
"display_name": "T1027 - Obfuscated Files or Information"
},
{
"id": "T1057",
"name": "Process Discovery",
"display_name": "T1057 - Process Discovery"
},
{
"id": "T1069",
"name": "Permission Groups Discovery",
"display_name": "T1069 - Permission Groups Discovery"
},
{
"id": "T1071",
"name": "Application Layer Protocol",
"display_name": "T1071 - Application Layer Protocol"
},
{
"id": "T1105",
"name": "Ingress Tool Transfer",
"display_name": "T1105 - Ingress Tool Transfer"
},
{
"id": "T1480",
"name": "Execution Guardrails",
"display_name": "T1480 - Execution Guardrails"
},
{
"id": "T1113",
"name": "Screen Capture",
"display_name": "T1113 - Screen Capture"
},
{
"id": "T1045",
"name": "Software Packing",
"display_name": "T1045 - Software Packing"
},
{
"id": "T1060",
"name": "Registry Run Keys / Startup Folder",
"display_name": "T1060 - Registry Run Keys / Startup Folder"
},
{
"id": "T1119",
"name": "Automated Collection",
"display_name": "T1119 - Automated Collection"
}
],
"industries": [
"Telecom"
],
"TLP": "green",
"cloned_from": null,
"export_count": 0,
"upvotes_count": 0,
"downvotes_count": 0,
"votes_count": 0,
"locked": false,
"pulse_source": "web",
"validator_count": 0,
"comment_count": 0,
"follower_count": 0,
"vote": 0,
"author": {
"username": "Q.Vashti",
"id": "337942",
"avatar_url": "https://otx.alienvault.com/assets/images/default-avatar.png",
"is_subscribed": false,
"is_following": false
},
"indicator_type_counts": {
"FileHash-MD5": 195,
"FileHash-SHA1": 106,
"FileHash-SHA256": 254,
"URL": 603,
"hostname": 256,
"domain": 74,
"CIDR": 3,
"email": 2
},
"indicator_count": 1493,
"is_author": false,
"is_subscribing": null,
"subscriber_count": 141,
"modified_text": "208 days ago ",
"is_modified": true,
"groups": [],
"in_group": false,
"threat_hunter_scannable": true,
"threat_hunter_has_agents": 1,
"related_indicator_type": "URL",
"related_indicator_is_active": 1
},
{
"id": "68dbee57fc8b1739c2223376",
"name": "Serious Privacy Violations \u2022 Groundup Monitoring a Household \u2022 IoT",
"description": "Thank you for the tip. It\u2019s taken me 98 days to get to this one. Enlightening. \n\nI\u2019m going to reserve my comments. A lot of new stuff here. \n#Intrusive\n#helix #helix_foundry_connection #amazon #advesaries_in_the_middle",
"modified": "2025-10-30T14:05:43.818000",
"created": "2025-09-30T14:51:03.111000",
"tags": [
"united",
"trojandropper",
"passive dns",
"lowfi",
"head meta",
"moved title",
"twitter",
"moved",
"a href",
"present sep",
"aaaa",
"ireland",
"ip address",
"emails",
"reverse dns",
"malware",
"unruy",
"upatre",
"snowjan",
"zusy",
"vb",
"x.com",
"downloader",
"trojan",
"agent",
"pe32 executable",
"intel",
"ms windows",
"reads",
"medium",
"write",
"delete",
"top source",
"push",
"germany unknown",
"name servers",
"head body",
"urls",
"files ip",
"url analysis",
"address",
"asn as3320",
"present jun",
"present jul",
"present may",
"present oct",
"present feb",
"present nov",
"url hostname",
"server response",
"learn",
"command",
"ck id",
"name tactics",
"suspicious",
"informative",
"adversaries",
"development att",
"ssl certificate",
"path",
"sha256",
"pattern match",
"ffffff",
"general",
"iframe",
"click",
"strings",
"leon",
"dns requests",
"domain address",
"http",
"files domain",
"files related",
"ireland unknown",
"files",
"dublin",
"ireland asn",
"as16509",
"script urls",
"dubai real",
"meta",
"encrypt",
"austria unknown",
"austria asn",
"asnone dns",
"resolutions",
"handle",
"rdap database",
"iana registrar",
"helix",
"foundry",
"iot",
"apple",
"itunes",
"amazon",
"unknown ns",
"found",
"content type",
"gmt server",
"x xss",
"certificate",
"domain add",
"error",
"code",
"date",
"entries",
"next associated",
"body html",
"title",
"present aug",
"servers",
"status",
"for privacy",
"redacted for",
"spawns",
"ck techniques",
"url add",
"pulse pulses",
"related nids",
"files location",
"flag united",
"showing",
"media",
"cname",
"invalid url",
"creation date",
"body",
"sha1",
"copy md5",
"copy sha1",
"copy sha256",
"ascii text",
"mitre att",
"show technique",
"hybrid",
"local"
],
"references": [
"families.google/intl/pt-PT_ALL/familylink \u2022 cameyo.google \u2022 googlecampaigns.com \u2022. chrome.com.bh",
"t-iot.de \u2022 dockerregistry.xlab.t-iot.de\t \u2022 netbox.nic.xlab.t-iot.de",
"www.n-helix.com - Foundry remnant",
"itunes.apple.com \u2022 api.amazon.com",
"https://webclientshellserver-prod-trafficmanager-net.s-0005.dual-s-msedge.net",
"https://www.matchsticksandgasoline.com/2018/11/2/18051280/the-morning-after-colorado-if-you-want-to-be-a-goalie-skip-these-highlights-mark-giordano",
"http://s.vebnox.com \u2022 vebnox.com \u2022 http://stulancer.vebnox.com \u2022 vebnox.com \u2022 http://vedonate.vebnox.com \u2022 vebnox.com \u2022 https://home.vebnox.com vebnox.com \u2022 https://vedonate.vebnox.com"
],
"public": 1,
"adversary": "",
"targeted_countries": [
"United States of America"
],
"malware_families": [
{
"id": "Trojan:Win32/QQpass",
"display_name": "Trojan:Win32/QQpass",
"target": "/malware/Trojan:Win32/QQpass"
},
{
"id": "Win.Malware.Zusy",
"display_name": "Win.Malware.Zusy",
"target": null
},
{
"id": "Trojandropper:Win32/VB.IL",
"display_name": "Trojandropper:Win32/VB.IL",
"target": "/malware/Trojandropper:Win32/VB.IL"
},
{
"id": "Win.Malware.Snojan",
"display_name": "Win.Malware.Snojan",
"target": null
},
{
"id": "Win.Packed",
"display_name": "Win.Packed",
"target": null
},
{
"id": "Upatre",
"display_name": "Upatre",
"target": null
},
{
"id": "#Lowfi:HSTR:MSIL/PossibleDownloader.S01",
"display_name": "#Lowfi:HSTR:MSIL/PossibleDownloader.S01",
"target": null
},
{
"id": "Unruy",
"display_name": "Unruy",
"target": null
},
{
"id": "Malware",
"display_name": "Malware",
"target": null
},
{
"id": "ALF:Trojan:Win32/Agent.WTK!MTB",
"display_name": "ALF:Trojan:Win32/Agent.WTK!MTB",
"target": null
}
],
"attack_ids": [
{
"id": "T1140",
"name": "Deobfuscate/Decode Files or Information",
"display_name": "T1140 - Deobfuscate/Decode Files or Information"
},
{
"id": "T1027",
"name": "Obfuscated Files or Information",
"display_name": "T1027 - Obfuscated Files or Information"
},
{
"id": "T1057",
"name": "Process Discovery",
"display_name": "T1057 - Process Discovery"
},
{
"id": "T1071",
"name": "Application Layer Protocol",
"display_name": "T1071 - Application Layer Protocol"
},
{
"id": "T1083",
"name": "File and Directory Discovery",
"display_name": "T1083 - File and Directory Discovery"
},
{
"id": "T1105",
"name": "Ingress Tool Transfer",
"display_name": "T1105 - Ingress Tool Transfer"
},
{
"id": "T1480",
"name": "Execution Guardrails",
"display_name": "T1480 - Execution Guardrails"
},
{
"id": "T1553",
"name": "Subvert Trust Controls",
"display_name": "T1553 - Subvert Trust Controls"
},
{
"id": "T1568",
"name": "Dynamic Resolution",
"display_name": "T1568 - Dynamic Resolution"
},
{
"id": "T1583",
"name": "Acquire Infrastructure",
"display_name": "T1583 - Acquire Infrastructure"
},
{
"id": "T1113",
"name": "Screen Capture",
"display_name": "T1113 - Screen Capture"
},
{
"id": "TA0011",
"name": "Command and Control",
"display_name": "TA0011 - Command and Control"
},
{
"id": "T1155",
"name": "AppleScript",
"display_name": "T1155 - AppleScript"
},
{
"id": "T1566",
"name": "Phishing",
"display_name": "T1566 - Phishing"
}
],
"industries": [],
"TLP": "white",
"cloned_from": null,
"export_count": 8,
"upvotes_count": 0,
"downvotes_count": 0,
"votes_count": 0,
"locked": false,
"pulse_source": "web",
"validator_count": 0,
"comment_count": 0,
"follower_count": 0,
"vote": 0,
"author": {
"username": "Q.Vashti",
"id": "337942",
"avatar_url": "https://otx.alienvault.com/assets/images/default-avatar.png",
"is_subscribed": false,
"is_following": false
},
"indicator_type_counts": {
"URL": 3399,
"domain": 790,
"FileHash-MD5": 174,
"FileHash-SHA1": 171,
"FileHash-SHA256": 3349,
"hostname": 1325,
"email": 10,
"SSLCertFingerprint": 9
},
"indicator_count": 9227,
"is_author": false,
"is_subscribing": null,
"subscriber_count": 148,
"modified_text": "213 days ago ",
"is_modified": true,
"groups": [],
"in_group": false,
"threat_hunter_scannable": true,
"threat_hunter_has_agents": 1,
"related_indicator_type": "URL",
"related_indicator_is_active": 1
},
{
"id": "68aff672de7f1b65a97c00b1",
"name": "WarzoneRAT impacts Social Media of users with compromised systems",
"description": "Injection affects compromised user/s social media accounts including YouTube. Uploads to social media accounts from infected systems divert to adversary\u2019s alt YouTube media center labeled \u2018watch\u2019 instead of YouTube . Remote access observed. Threat actor has full access , cnc , devices, personal information, images, contacts, network, private information including all financial information. \n \nAlt / adversarial Pinterest, Tumblr, YouTube, Facebook, Twitter / X, Instagram , LinkedIn",
"modified": "2025-09-27T05:00:09.125000",
"created": "2025-08-28T06:25:54.794000",
"tags": [
"d10927",
"mp41",
"mp41 connection",
"r connection",
"ip address",
"dynamicloader",
"write c",
"globalc",
"medium",
"high",
"write",
"dll read",
"trojan",
"delphi",
"win32",
"dialer",
"tracking",
"learn",
"ck id",
"name tactics",
"suspicious",
"informative",
"command",
"adversaries",
"defense evasion",
"spawns",
"t1590 gather",
"mitre att",
"ck matrix",
"null",
"click",
"title",
"span",
"meta",
"general",
"local",
"path",
"strings",
"refresh",
"tools",
"virgin islands",
"united",
"unknown ns",
"a domains",
"montserrat",
"passive dns",
"ipv4",
"urls",
"files",
"hosting",
"trojandropper",
"location virgin",
"msie",
"windows nt",
"wow64",
"slcc2",
"media center",
"item",
"has description",
"unknown",
"explorer",
"error",
"powershell",
"yara rule",
"windows",
"t1055",
"warzonerat",
"avemaria",
"virtool",
"netwire",
"malware",
"hostile",
"autoit",
"defender",
"date",
"bq aug",
"next associated",
"ipv4 add",
"resolved ips",
"get http",
"request",
"win64",
"khtml",
"gecko",
"resolutions",
"number",
"ja3s",
"algorithm",
"cnr12 cus",
"cname",
"accept",
"port",
"gmt ifnonematch",
"screenshots no",
"involved dns",
"name response",
"nxdomain",
"tcp connections",
"involved direct",
"country name",
"moved",
"alone email",
"body doctype",
"gmt server",
"content type",
"service privacy",
"cve"
],
"references": [
"http://remote.edikamin.com/",
"http://flat.trafficadvance.net/AccessMySOL.IVRMobileEntra?D=10927&C=7&MP=41%7C",
"http://deposito.hostance.net/dialer/",
"Found in Alt YouTube = Titled \u2018watch\u2019 | Infected System uploads to YT",
"Domains Contacted:Wealthy2019.com.strangled.net \u2022 wealth.warzonedns.com\t \u2022 wealthyme.ddns.net",
"DYNAMIC_DNS Query to a *.strangled .net Domain\t192.168.122.91\t1.1.1.1 \u2022 DNS Query to DynDNS Domain *.ddns .net",
"Observed DNS Query to a *.warzonedns .com domain - Likely Hostile\t192.168.122.91\t1.1.1.1",
"simswap.in (possible Mirai or relationship to)"
],
"public": 1,
"adversary": "",
"targeted_countries": [
"United States of America",
"Virgin Islands, British"
],
"malware_families": [
{
"id": "Trojan:Win32/Diamin.F",
"display_name": "Trojan:Win32/Diamin.F",
"target": "/malware/Trojan:Win32/Diamin.F"
},
{
"id": "Dialer",
"display_name": "Dialer",
"target": null
},
{
"id": "Win32:CabMod\\ [Drp]",
"display_name": "Win32:CabMod\\ [Drp]",
"target": null
},
{
"id": "TrojanDropper:Win32/Hupigon.gen!A",
"display_name": "TrojanDropper:Win32/Hupigon.gen!A",
"target": "/malware/TrojanDropper:Win32/Hupigon.gen!A"
},
{
"id": "ALF:HeraklezEval:PUA:Win32/Keygen",
"display_name": "ALF:HeraklezEval:PUA:Win32/Keygen",
"target": null
},
{
"id": "Trojan:Win32/Startpage.AEA",
"display_name": "Trojan:Win32/Startpage.AEA",
"target": "/malware/Trojan:Win32/Startpage.AEA"
},
{
"id": "Banload",
"display_name": "Banload",
"target": null
},
{
"id": "TrojanDownloader:Win32/Banload.D",
"display_name": "TrojanDownloader:Win32/Banload.D",
"target": "/malware/TrojanDownloader:Win32/Banload.D"
},
{
"id": "Win32:Evo-gen",
"display_name": "Win32:Evo-gen",
"target": null
},
{
"id": "!#AddsCopy-ToStartup",
"display_name": "!#AddsCopy-ToStartup",
"target": null
},
{
"id": "VirTool:Win32/AutInject.CZ!bit",
"display_name": "VirTool:Win32/AutInject.CZ!bit",
"target": "/malware/VirTool:Win32/AutInject.CZ!bit"
},
{
"id": "Win.Trojan.Agent-316098",
"display_name": "Win.Trojan.Agent-316098",
"target": null
},
{
"id": "virtool:Win32/Injector.gen!BQ",
"display_name": "virtool:Win32/Injector.gen!BQ",
"target": "/malware/virtool:Win32/Injector.gen!BQ"
},
{
"id": "WarzoneRAT - S0670",
"display_name": "WarzoneRAT - S0670",
"target": null
},
{
"id": "CVE-2023-22518",
"display_name": "CVE-2023-22518",
"target": null
}
],
"attack_ids": [
{
"id": "T1045",
"name": "Software Packing",
"display_name": "T1045 - Software Packing"
},
{
"id": "T1060",
"name": "Registry Run Keys / Startup Folder",
"display_name": "T1060 - Registry Run Keys / Startup Folder"
},
{
"id": "T1027",
"name": "Obfuscated Files or Information",
"display_name": "T1027 - Obfuscated Files or Information"
},
{
"id": "T1057",
"name": "Process Discovery",
"display_name": "T1057 - Process Discovery"
},
{
"id": "T1071",
"name": "Application Layer Protocol",
"display_name": "T1071 - Application Layer Protocol"
},
{
"id": "T1105",
"name": "Ingress Tool Transfer",
"display_name": "T1105 - Ingress Tool Transfer"
},
{
"id": "T1480",
"name": "Execution Guardrails",
"display_name": "T1480 - Execution Guardrails"
},
{
"id": "T1562",
"name": "Impair Defenses",
"display_name": "T1562 - Impair Defenses"
},
{
"id": "T1568",
"name": "Dynamic Resolution",
"display_name": "T1568 - Dynamic Resolution"
},
{
"id": "T1590",
"name": "Gather Victim Network Information",
"display_name": "T1590 - Gather Victim Network Information"
},
{
"id": "T1113",
"name": "Screen Capture",
"display_name": "T1113 - Screen Capture"
},
{
"id": "T1119",
"name": "Automated Collection",
"display_name": "T1119 - Automated Collection"
},
{
"id": "T1210",
"name": "Exploitation of Remote Services",
"display_name": "T1210 - Exploitation of Remote Services"
},
{
"id": "T1055",
"name": "Process Injection",
"display_name": "T1055 - Process Injection"
},
{
"id": "TA0011",
"name": "Command and Control",
"display_name": "TA0011 - Command and Control"
},
{
"id": "T1068",
"name": "Exploitation for Privilege Escalation",
"display_name": "T1068 - Exploitation for Privilege Escalation"
}
],
"industries": [
"Technology",
"Telecommunications",
"Media"
],
"TLP": "white",
"cloned_from": null,
"export_count": 34,
"upvotes_count": 0,
"downvotes_count": 0,
"votes_count": 0,
"locked": false,
"pulse_source": "web",
"validator_count": 0,
"comment_count": 0,
"follower_count": 0,
"vote": 0,
"author": {
"username": "Q.Vashti",
"id": "337942",
"avatar_url": "https://otx.alienvault.com/assets/images/default-avatar.png",
"is_subscribed": false,
"is_following": false
},
"indicator_type_counts": {
"URL": 4194,
"hostname": 1563,
"FileHash-SHA256": 2494,
"domain": 624,
"FileHash-MD5": 274,
"FileHash-SHA1": 226,
"email": 1,
"CVE": 1
},
"indicator_count": 9377,
"is_author": false,
"is_subscribing": null,
"subscriber_count": 146,
"modified_text": "246 days ago ",
"is_modified": true,
"groups": [],
"in_group": false,
"threat_hunter_scannable": true,
"threat_hunter_has_agents": 1,
"related_indicator_type": "URL",
"related_indicator_is_active": 1
},
{
"id": "68ae5b9ef87646927a236b61",
"name": "Privacy - Google Videos Search - Web Applications Stack Exchange = WannaCry",
"description": "Description: dfir.blog - A blog about Digital Forensics & Incident Response\ndfir.blog\nDigital forensics, web browsers, visualizations, & open source tools.\n#monitoring #dod(?) #chinacache #crypt #ransom#infectedsystems",
"modified": "2025-09-26T00:01:12.214000",
"created": "2025-08-27T01:13:02.780000",
"tags": [
"google",
"mullvad browser",
"value",
"incognito mode",
"mine",
"unix time",
"friday",
"january",
"does",
"tor browser",
"search",
"show",
"langchinese",
"packing t1045",
"t1045",
"medium",
"pe resource",
"module load",
"t1129",
"service",
"trojan",
"copy",
"dock",
"write",
"malware",
"clock",
"united",
"passive dns",
"urls",
"next associated",
"gmt cache",
"ipv4 add",
"pulse pulses",
"files",
"reverse dns",
"win32",
"title",
"location united",
"america flag",
"america asn",
"as15169 google",
"dns resolutions",
"domains top",
"level",
"unique tlds",
"present aug",
"china unknown",
"creation date",
"date",
"domain",
"ip address",
"domain name",
"expiration date",
"status ok",
"nanjing",
"accept",
"body",
"div td",
"td tr",
"div div",
"span span",
"a li",
"span p",
"p div",
"moved",
"a domains",
"open",
"span",
"uuupupu",
"t1055",
"process32nextw",
"high",
"windows",
"high defense",
"evasion",
"delphi",
"google gmail",
"images sign",
"advanced search",
"solutions",
"privacy",
"store gmail",
"delete delete",
"report",
"how search",
"applying ai",
"settings search",
"advanced",
"search search",
"search help",
"domainabuse",
"showing",
"hostname add",
"url add",
"http",
"hostname",
"files domain",
"files related",
"pulses none",
"related tags",
"read c",
"tlsv1",
"whitelisted",
"port",
"destination",
"ascii text",
"next",
"encrypt",
"script urls",
"msie",
"chrome",
"bad gateway",
"script domains",
"present feb",
"link",
"meta",
"digital",
"language",
"body doctype",
"ghost",
"present jun",
"aaaa",
"present jul",
"present oct",
"record value",
"yara detections",
"dock zone",
"top source",
"top destination",
"source source",
"filehash",
"code",
"error",
"windows nt",
"wow64",
"slcc2",
"media center",
"execution",
"persistence",
"tulach",
"brian sabey",
"dod network",
"orgtechref",
"address range",
"cidr",
"network name",
"allocation type",
"whois server",
"entity dnic",
"handle",
"whois lookup",
"dod",
"et trojan",
"server header",
"suspicious",
"et info",
"unknown",
"virustotal",
"specified",
"download",
"et",
"please",
"type size",
"first seen",
"loading",
"python wheel",
"dynamicloader",
"intel",
"ms windows",
"pe32",
"entries",
"user agent",
"powershell",
"agent",
"yara rule",
"checks",
"levelblue",
"open threat",
"observed dns",
"query",
"dns lookup",
"msdos",
"wannacry dns",
"lookup",
"wannacry",
"worm",
"explorer",
"msil",
"darkcomet",
"ping",
"tools",
"capture",
"hallrender",
"dga domains",
"unfurl sites",
"honey net",
"bot",
"nxdomain",
"potential-c2"
],
"references": [
"Don\u2019t click! https://webapps.stackexchange.com/questions/172215/google-videos-search-sca-esv-query-parameter-possible-tracking | Infected systems",
"DoD Network Information Center (DNIC)",
"DoD Network Information Center disa.columbus.ns.mbx.arin-registrations@mail.mil [seen throughout}",
"Python Wheel package",
"https://www.google.com/search",
"https://otx.alienvault.com/indicator/hostname/palantir.hosted-by-discourse.com",
"https://otx.alienvault.com/indicator/hostname/palantir.hosted-by-discourse.com"
],
"public": 1,
"adversary": "",
"targeted_countries": [
"United States of America"
],
"malware_families": [
{
"id": "Trojan:Win32/Magania.DSK!MTB",
"display_name": "Trojan:Win32/Magania.DSK!MTB",
"target": "/malware/Trojan:Win32/Magania.DSK!MTB"
},
{
"id": "Trojan:Win32/Zusy",
"display_name": "Trojan:Win32/Zusy",
"target": "/malware/Trojan:Win32/Zusy"
},
{
"id": "ET",
"display_name": "ET",
"target": null
},
{
"id": "a variant of Win32/Kryptik.DEOA",
"display_name": "a variant of Win32/Kryptik.DEOA",
"target": null
},
{
"id": "ALF:Exploit:Win32/gSharedInfoRef.A",
"display_name": "ALF:Exploit:Win32/gSharedInfoRef.A",
"target": null
},
{
"id": "Wannacry",
"display_name": "Wannacry",
"target": null
}
],
"attack_ids": [
{
"id": "T1031",
"name": "Modify Existing Service",
"display_name": "T1031 - Modify Existing Service"
},
{
"id": "T1045",
"name": "Software Packing",
"display_name": "T1045 - Software Packing"
},
{
"id": "T1053",
"name": "Scheduled Task/Job",
"display_name": "T1053 - Scheduled Task/Job"
},
{
"id": "T1055",
"name": "Process Injection",
"display_name": "T1055 - Process Injection"
},
{
"id": "T1060",
"name": "Registry Run Keys / Startup Folder",
"display_name": "T1060 - Registry Run Keys / Startup Folder"
},
{
"id": "T1129",
"name": "Shared Modules",
"display_name": "T1129 - Shared Modules"
},
{
"id": "T1143",
"name": "Hidden Window",
"display_name": "T1143 - Hidden Window"
},
{
"id": "T1057",
"name": "Process Discovery",
"display_name": "T1057 - Process Discovery"
},
{
"id": "T1082",
"name": "System Information Discovery",
"display_name": "T1082 - System Information Discovery"
},
{
"id": "T1112",
"name": "Modify Registry",
"display_name": "T1112 - Modify Registry"
},
{
"id": "T1119",
"name": "Automated Collection",
"display_name": "T1119 - Automated Collection"
},
{
"id": "T1054",
"name": "Indicator Blocking",
"display_name": "T1054 - Indicator Blocking"
},
{
"id": "T1056",
"name": "Input Capture",
"display_name": "T1056 - Input Capture"
},
{
"id": "T1089",
"name": "Disabling Security Tools",
"display_name": "T1089 - Disabling Security Tools"
},
{
"id": "T1158",
"name": "Hidden Files and Directories",
"display_name": "T1158 - Hidden Files and Directories"
}
],
"industries": [
"Telecommunications",
"Technology",
"Civilian"
],
"TLP": "white",
"cloned_from": null,
"export_count": 40,
"upvotes_count": 0,
"downvotes_count": 0,
"votes_count": 0,
"locked": false,
"pulse_source": "web",
"validator_count": 0,
"comment_count": 0,
"follower_count": 0,
"vote": 0,
"author": {
"username": "Q.Vashti",
"id": "337942",
"avatar_url": "https://otx.alienvault.com/assets/images/default-avatar.png",
"is_subscribed": false,
"is_following": false
},
"indicator_type_counts": {
"URL": 8221,
"domain": 1216,
"FileHash-SHA256": 2434,
"FileHash-MD5": 296,
"FileHash-SHA1": 155,
"hostname": 2939,
"email": 7,
"SSLCertFingerprint": 8,
"CIDR": 2
},
"indicator_count": 15278,
"is_author": false,
"is_subscribing": null,
"subscriber_count": 144,
"modified_text": "247 days ago ",
"is_modified": true,
"groups": [],
"in_group": false,
"threat_hunter_scannable": true,
"threat_hunter_has_agents": 1,
"related_indicator_type": "URL",
"related_indicator_is_active": 1
},
{
"id": "687d5d33d16ab7837e23bc01",
"name": "howmanyofme.com - Packed | Palantir",
"description": "howmanyofme.com was a honeypot. The names listed are potentially monitored targets. One was verified target.||\nhttp://howmanyofme.com/search/?given=Tsara&sur=Brashears/\nhttp://ww2.howmanyofme.com/people/Carrie_Henn/\nhttp://ww2.howmanyofme.com/people/Rockmond_Dunbar/\nhttp://howmanyofme.com/people/John_Hurt/\nhttp://howmanyofme.com/people/Mary_Gross/\nhttp://howmanyofme.com/people/Kenneth_Tobey/\nhttp://ww2.howmanyofme.com/people/Royce_Clayton/\n\n\n#Palantir # #honeypot #howmanyofme",
"modified": "2025-09-18T23:05:18.490000",
"created": "2025-07-20T21:18:43.974000",
"tags": [
"united",
"unknown ns",
"a domains",
"ip address",
"search",
"privacy service",
"fbo registrant",
"date",
"entries",
"how many",
"destination",
"port",
"windows nt",
"msie",
"unknown",
"et trojan",
"poodle attack",
"policy sslv3",
"united kingdom",
"suspicious",
"copy",
"virustotal",
"malware",
"write",
"hostile",
"next",
"triton",
"super node",
"get reloaded",
"x11 snf",
"png image",
"rgba",
"post reloaded",
"ascii text",
"crlf line",
"gnu message",
"ms windows",
"intel",
"pe32",
"host",
"get babylon",
"show",
"babylon"
],
"references": [],
"public": 1,
"adversary": "",
"targeted_countries": [],
"malware_families": [],
"attack_ids": [
{
"id": "T1060",
"name": "Registry Run Keys / Startup Folder",
"display_name": "T1060 - Registry Run Keys / Startup Folder"
},
{
"id": "T1119",
"name": "Automated Collection",
"display_name": "T1119 - Automated Collection"
},
{
"id": "T1047",
"name": "Windows Management Instrumentation",
"display_name": "T1047 - Windows Management Instrumentation"
},
{
"id": "T1055",
"name": "Process Injection",
"display_name": "T1055 - Process Injection"
},
{
"id": "T1057",
"name": "Process Discovery",
"display_name": "T1057 - Process Discovery"
}
],
"industries": [],
"TLP": "green",
"cloned_from": null,
"export_count": 13,
"upvotes_count": 0,
"downvotes_count": 0,
"votes_count": 0,
"locked": false,
"pulse_source": "web",
"validator_count": 0,
"comment_count": 0,
"follower_count": 0,
"vote": 0,
"author": {
"username": "Q.Vashti",
"id": "337942",
"avatar_url": "https://otx.alienvault.com/assets/images/default-avatar.png",
"is_subscribed": false,
"is_following": false
},
"indicator_type_counts": {
"URL": 7185,
"domain": 706,
"hostname": 1906,
"email": 5,
"FileHash-SHA256": 3645,
"FileHash-MD5": 330,
"FileHash-SHA1": 135,
"CVE": 1
},
"indicator_count": 13913,
"is_author": false,
"is_subscribing": null,
"subscriber_count": 144,
"modified_text": "254 days ago ",
"is_modified": true,
"groups": [],
"in_group": false,
"threat_hunter_scannable": true,
"threat_hunter_has_agents": 1,
"related_indicator_type": "URL",
"related_indicator_is_active": 1
},
{
"id": "688f2a4444334746890f3b39",
"name": "Bank of America Scam",
"description": "Bank of America scams that being carried out for at least 8 years. Group able to steal your credentials, investments, insurance policies, skimming, small to large false charges, account theft. 9/2024 BoFa was investigated by me. They had experienced a major , sophisticated compromise. At least one branch is run by unfriendly investigators or authorities. All regular staff was moved to different branches. I witnessed personnel accessing a customer\u2019s account without customer presenting ID or giving name. Customer was concerned, staffer just stated he remembered their business name. Another customer was being harassed to close business account for an hour and another staffer took a consumers debit card and denied it prompting an internal investigation. Finally a \u2018manager\u2019 said they experienced a major hack. Research shows customers weren\u2019t informed. . Further research is necessary.\nAnybody? \n#theft #skimming #cancellations #false_charges #debitcardfraud #botnetcallcenter",
"modified": "2025-09-02T08:02:34.108000",
"created": "2025-08-03T09:22:12.846000",
"tags": [
"united",
"link",
"ip address",
"creation date",
"search",
"record value",
"showing",
"unknown ns",
"present mar",
"a domains",
"date",
"meta",
"starfield",
"entries",
"show",
"windows",
"msie",
"http",
"medium",
"post http",
"delete",
"ids detections",
"malware",
"copy",
"drweb",
"write",
"win32",
"global",
"present jul",
"error",
"lowfi",
"trojanspy",
"checkin",
"passive dns",
"trojan",
"next associated",
"cryp",
"present aug",
"urls",
"address",
"hostname",
"pulse submit",
"url analysis",
"files",
"domain",
"pulse",
"less whois",
"registrar",
"adylkuzz cnc",
"beacon",
"get http",
"exe payload",
"read",
"suspicious"
],
"references": [],
"public": 1,
"adversary": "",
"targeted_countries": [],
"malware_families": [],
"attack_ids": [
{
"id": "T1045",
"name": "Software Packing",
"display_name": "T1045 - Software Packing"
},
{
"id": "T1053",
"name": "Scheduled Task/Job",
"display_name": "T1053 - Scheduled Task/Job"
},
{
"id": "T1060",
"name": "Registry Run Keys / Startup Folder",
"display_name": "T1060 - Registry Run Keys / Startup Folder"
},
{
"id": "T1158",
"name": "Hidden Files and Directories",
"display_name": "T1158 - Hidden Files and Directories"
}
],
"industries": [],
"TLP": "green",
"cloned_from": null,
"export_count": 17,
"upvotes_count": 0,
"downvotes_count": 0,
"votes_count": 0,
"locked": false,
"pulse_source": "web",
"validator_count": 0,
"comment_count": 0,
"follower_count": 0,
"vote": 0,
"author": {
"username": "Q.Vashti",
"id": "337942",
"avatar_url": "https://otx.alienvault.com/assets/images/default-avatar.png",
"is_subscribed": false,
"is_following": false
},
"indicator_type_counts": {
"FileHash-MD5": 171,
"URL": 873,
"domain": 180,
"hostname": 332,
"email": 3,
"FileHash-SHA256": 698,
"FileHash-SHA1": 167
},
"indicator_count": 2424,
"is_author": false,
"is_subscribing": null,
"subscriber_count": 141,
"modified_text": "271 days ago ",
"is_modified": true,
"groups": [],
"in_group": false,
"threat_hunter_scannable": true,
"threat_hunter_has_agents": 1,
"related_indicator_type": "URL",
"related_indicator_is_active": 1
},
{
"id": "688d9f7c357111d3ad843c16",
"name": "Follower Factory - Virus:Win32/Shodi.I | Trojan Agent",
"description": "Follower factories sell followers , shout outs & retweets to celebrities, businesses, anyone. Buying followers is not encouraged by the those \u2018target\u2019 worked with. On several occasions Brashears had to have Bank refund her $1000\u2019s in unauthorized Facebook advertising charges finally, 2 of her banks accounts , l Brashears had to delete a photo of herself that gained a suspicious 12,000+ in Filipino likes & comments.. Target deleted 3000 sudden faceless twitter bots shortly before her Twitter accounts was stolen. Bad actors marketed her music on malicious websites. Hacking Tsara began in 2013 after assault, Followers began after Brian Sabey contacted Tsara Brashears @ Song Culture email. Site became filled with trackers at one time and advertised her commutes on Yandex..1st contact Sabey , initially asked what the company did via email.",
"modified": "2025-09-01T02:00:30.266000",
"created": "2025-08-02T05:17:48.231000",
"tags": [
"destination",
"port",
"united",
"show",
"search",
"get http",
"host sinkhole",
"cookie value",
"et trojan",
"unknown",
"possible",
"write",
"win32",
"nivdort",
"artemis",
"malware",
"zeus gameover",
"copy",
"next",
"date",
"no expiration",
"ipv4",
"expiration",
"url http",
"domain",
"iocs",
"drop or",
"browse to",
"select file",
"or drop",
"united kingdom",
"entries",
"next associated",
"unknown a",
"showing",
"urls show",
"date checked",
"url hostname",
"server response",
"filehash",
"pulse pulses",
"av detections",
"ids detections",
"yara detections",
"alerts",
"analysis date",
"md5 add",
"passive dns",
"great britain",
"present jul",
"urls",
"files",
"reverse dns",
"data upload",
"extraction",
"failed",
"virus",
"file score",
"medium risk",
"related pulses",
"none related"
],
"references": [],
"public": 1,
"adversary": "",
"targeted_countries": [],
"malware_families": [],
"attack_ids": [],
"industries": [],
"TLP": "green",
"cloned_from": null,
"export_count": 21,
"upvotes_count": 0,
"downvotes_count": 0,
"votes_count": 0,
"locked": false,
"pulse_source": "web",
"validator_count": 0,
"comment_count": 0,
"follower_count": 0,
"vote": 0,
"author": {
"username": "Q.Vashti",
"id": "337942",
"avatar_url": "https://otx.alienvault.com/assets/images/default-avatar.png",
"is_subscribed": false,
"is_following": false
},
"indicator_type_counts": {
"FileHash-MD5": 351,
"FileHash-SHA1": 344,
"FileHash-SHA256": 1546,
"URL": 3435,
"domain": 796,
"hostname": 801
},
"indicator_count": 7273,
"is_author": false,
"is_subscribing": null,
"subscriber_count": 142,
"modified_text": "272 days ago ",
"is_modified": true,
"groups": [],
"in_group": false,
"threat_hunter_scannable": true,
"threat_hunter_has_agents": 1,
"related_indicator_type": "URL",
"related_indicator_is_active": 1
},
{
"id": "685186035e5fb63846d29e45",
"name": "Regarding Minority Report 2.0 | Aggresive Remote device tracking (multiple) | Network Rat",
"description": "Abuse.\nWhy is so much of this in plain sight? .\nMalicious tactics abused by preemptive policing recently implemented by Tech Bros under current Trump administration.\nThee governing Cyber Defense / AI / Data collection firm. | foundry2-lbl.dvr.dn2.n-helix.com | \nhttp://foundry2-lbl.dvr.dn2.n-helix.com |\nhttps://foundry2-lbl.dvr.dn2.n-helix.com |\nhttps://nl.cyberriskalliance.com/assets/icons/twitter.png |\nhttps://axis.snxd.com/track/0\n| track.getbuilt.com | \nRelates to Denver female \u2018allegedly\u2019 injured \u2018in PT.\nA malicious prosecution case against alleged victim after a Detective brought \u2018MTI\u2019 case to controlled Denver DA was dismissed by judge. Injured victim paid a pathetic settlement; especially considering the seriousness of the response of the government. \nThis type\nof tracking silencing is critically dangerous. \nHosanna make no haste to rescue all\nof victims of civilian & victim targeting.\n*Crowdsourced",
"modified": "2025-07-17T14:01:34.245000",
"created": "2025-06-17T15:13:07.233000",
"tags": [
"body",
"cps https",
"location",
"urls server",
"cloudfront",
"united",
"unknown aaaa",
"search",
"digital press",
"moved",
"digital culture",
"ip address",
"creation date",
"record value",
"entries",
"date",
"meta",
"urls",
"http",
"passive dns",
"unique",
"pulse pulses",
"related nids",
"files location",
"flag united",
"showing",
"rich content",
"system",
"cdn amazon",
"amazons3 tls",
"certificate",
"redirects",
"ua9385760744",
"utc na",
"utc google",
"tag manager",
"gk4vnlmd3b9",
"server",
"amazon",
"net1832001",
"net18160001",
"address range",
"cidr",
"network name",
"allocation type",
"whois server",
"entity amazon4",
"handle",
"present mar",
"present feb",
"unknown cname",
"urls show",
"date checked",
"url hostname",
"server response",
"aaaa"
],
"references": [],
"public": 1,
"adversary": "",
"targeted_countries": [],
"malware_families": [],
"attack_ids": [
{
"id": "T1140",
"name": "Deobfuscate/Decode Files or Information",
"display_name": "T1140 - Deobfuscate/Decode Files or Information"
}
],
"industries": [],
"TLP": "green",
"cloned_from": null,
"export_count": 48,
"upvotes_count": 0,
"downvotes_count": 0,
"votes_count": 0,
"locked": false,
"pulse_source": "web",
"validator_count": 0,
"comment_count": 1,
"follower_count": 0,
"vote": 0,
"author": {
"username": "Q.Vashti",
"id": "337942",
"avatar_url": "https://otx.alienvault.com/assets/images/default-avatar.png",
"is_subscribed": false,
"is_following": false
},
"indicator_type_counts": {
"FileHash-SHA256": 2075,
"URL": 5471,
"hostname": 1531,
"domain": 1013,
"FileHash-MD5": 55,
"FileHash-SHA1": 53,
"CVE": 1,
"SSLCertFingerprint": 1,
"email": 1,
"CIDR": 2
},
"indicator_count": 10203,
"is_author": false,
"is_subscribing": null,
"subscriber_count": 145,
"modified_text": "318 days ago ",
"is_modified": true,
"groups": [],
"in_group": false,
"threat_hunter_scannable": true,
"threat_hunter_has_agents": 1,
"related_indicator_type": "URL",
"related_indicator_is_active": 1
},
{
"id": "685186983a4dd00c2b45b255",
"name": "Source:\thttps://cloud.samsara.com/o/79639/flee",
"description": "",
"modified": "2025-07-17T14:01:34.245000",
"created": "2025-06-17T15:15:36.505000",
"tags": [
"body",
"cps https",
"location",
"urls server",
"cloudfront",
"united",
"unknown aaaa",
"search",
"digital press",
"moved",
"digital culture",
"ip address",
"creation date",
"record value",
"entries",
"date",
"meta",
"urls",
"http",
"passive dns",
"unique",
"pulse pulses",
"related nids",
"files location",
"flag united",
"showing",
"rich content",
"system",
"cdn amazon",
"amazons3 tls",
"certificate",
"redirects",
"ua9385760744",
"utc na",
"utc google",
"tag manager",
"gk4vnlmd3b9",
"server",
"amazon",
"net1832001",
"net18160001",
"address range",
"cidr",
"network name",
"allocation type",
"whois server",
"entity amazon4",
"handle",
"present mar",
"present feb",
"unknown cname",
"urls show",
"date checked",
"url hostname",
"server response",
"aaaa"
],
"references": [],
"public": 1,
"adversary": "",
"targeted_countries": [],
"malware_families": [],
"attack_ids": [
{
"id": "T1140",
"name": "Deobfuscate/Decode Files or Information",
"display_name": "T1140 - Deobfuscate/Decode Files or Information"
}
],
"industries": [],
"TLP": "green",
"cloned_from": "685186035e5fb63846d29e45",
"export_count": 47,
"upvotes_count": 0,
"downvotes_count": 0,
"votes_count": 0,
"locked": false,
"pulse_source": "web",
"validator_count": 0,
"comment_count": 1,
"follower_count": 0,
"vote": 0,
"author": {
"username": "Q.Vashti",
"id": "337942",
"avatar_url": "https://otx.alienvault.com/assets/images/default-avatar.png",
"is_subscribed": false,
"is_following": false
},
"indicator_type_counts": {
"FileHash-SHA256": 2075,
"URL": 5471,
"hostname": 1531,
"domain": 1013,
"FileHash-MD5": 55,
"FileHash-SHA1": 53,
"CVE": 1,
"SSLCertFingerprint": 1,
"email": 1,
"CIDR": 2
},
"indicator_count": 10203,
"is_author": false,
"is_subscribing": null,
"subscriber_count": 143,
"modified_text": "318 days ago ",
"is_modified": true,
"groups": [],
"in_group": false,
"threat_hunter_scannable": true,
"threat_hunter_has_agents": 1,
"related_indicator_type": "URL",
"related_indicator_is_active": 1
}
],
"references": [
"https://es.pornhat.com/models/the-sex-creator/",
"Observed DNS Query to a *.warzonedns .com domain - Likely Hostile\t192.168.122.91\t1.1.1.1",
"https://maisexo-com.putaria.info/casting \u2022 https://contosadultos-club.sexogratis.page/tudo",
"http://remote.edikamin.com/",
"https://webcams.itsyourporn.com/ \u2022 https://members.itsyourporn.com/",
"https://webclientshellserver-prod-trafficmanager-net.s-0005.dual-s-msedge.net",
"DoD Network Information Center (DNIC)",
"https://pics-storage-1.pornhat.com/contents/albums/main/1920x1080/135000/135855/9537375.jp",
"simswap.in (possible Mirai or relationship to)",
"Honestly, you\u2019ve never seen or met her no many how many people you\u2019ve sent out. That\u2019s why you quiz.",
"Remarks online \u2018 T\u2019*#^^ is not a runner\u2019 a size 00 broke two track records at a major universities.",
"1.2016 M.Brian Sabey filed a complaint about? Jeffrey Reimer refused Lie detector test and False memory exam",
"zeroeyes.host \u2022 media.defense.gov \u2022 defense.gov \u2022 23.222.155.67",
"http://flat.trafficadvance.net/AccessMySOL.IVRMobileEntra?D=10927&C=7&MP=41%7C",
"Found in Alt YouTube = Titled \u2018watch\u2019 | Infected System uploads to YT",
"https://www.matchsticksandgasoline.com/2018/11/2/18051280/the-morning-after-colorado-if-you-want-to-be-a-goalie-skip-these-highlights-mark-giordano",
"https://www2.itsyourporn.com/license.php \u2022 https://www.lovephoto.tw/members",
"Can the DoD no questions asked target a SA victim",
"https://pornokind.vgt.pl \u2022 https://cdn2.video.itsyourporn.com",
"https://static.pornhat.com/contents/videos_screenshots/642000/642793/640x360/1.jpg",
"https://www.meritshealth.com/ Defense.Gov Mobility Co? ",
"Python Wheel package",
"Target left unattended by anyone in a hospital except a security guard. Hospital refused care. Ignored rare brain incident from high cervical & brain assault injuries aggravated by car accident.",
"https://meumundogay-com.sexogratis.page/locker",
"Target agreed and complied with all lie detector measures.",
"https://members.engine.com/login \u2022 https://members.engine.com/payment-details/220210",
"DYNAMIC_DNS Query to a *.strangled .net Domain\t192.168.122.91\t1.1.1.1 \u2022 DNS Query to DynDNS Domain *.ddns .net",
"families.google/intl/pt-PT_ALL/familylink \u2022 cameyo.google \u2022 googlecampaigns.com \u2022. chrome.com.bh",
"https://d1rozh26tys225.cloudfront.net/robot-suspicion.svg (mobility company no one has heard of)",
"No, they put Tsara in her mom\u2019s obituary, she couldn\u2019t grieve, she had to take it down.",
"DoD Network Information Center disa.columbus.ns.mbx.arin-registrations@mail.mil [seen throughout}",
"https://rto.bappam.eu/ai-n2cdl/mirai-2025-ven5k-telugu-movie-watch-online.html",
"She was a researcher not a hacker. A mother not a criminal. Most talented and least impressed person I have ever known.",
"https://otx.alienvault.com/indicator/hostname/palantir.hosted-by-discourse.com",
"There is fear in silence or speaking out",
"www.n-helix.com - Foundry remnant",
"t-iot.de \u2022 dockerregistry.xlab.t-iot.de\t \u2022 netbox.nic.xlab.t-iot.de",
"ftp.iamrobert.com ? \u2022 https://www.meritshealth.com/templates/iamrobert/fonts/Graphik-Regular.eot",
"There\u2019s a problem with terrorizing victims, relatives of, associates of and stealing their property intellectual or otherwise",
"http://deposito.hostance.net/dialer/",
"Domains Contacted:Wealthy2019.com.strangled.net \u2022 wealth.warzonedns.com\t \u2022 wealthyme.ddns.net",
"iamrobert.com Y.A.S.",
"https://media.defense.gov/2022/Mar/17/2002958406/-1/-1/1/SUMMARY-OF-THE-JOINT-ALL-DOMAIN-COMMAND-AND-CONTROL-STRATEGY.pdf",
"socialmedia \u2022 socialmedia.defense.gov \u2022 static.defense.gov",
"https://media.defense.gov/2020/jun/09/2002313081/-1/-1/0/csi-detect-and-prevent-web-shell-malware-20200422.pdf",
"3-4 Police presence. 25 + hospital employees prepped radiology room. No one left room so was it for her?",
"https://www-pornocarioca-com.sexogratis.page/videos/bbb/ex",
"If someone is believed to be a threat they have right to due process.",
"Infectious Disease UC Health denied target medication they said she needed as questionable liquid seeped into her brain.",
"I am very upset. Whoever is doing this is sick.",
"http://s.vebnox.com \u2022 vebnox.com \u2022 http://stulancer.vebnox.com \u2022 vebnox.com \u2022 http://vedonate.vebnox.com \u2022 vebnox.com \u2022 https://home.vebnox.com vebnox.com \u2022 https://vedonate.vebnox.com",
"https://www.google.com/search",
"Don\u2019t click! https://webapps.stackexchange.com/questions/172215/google-videos-search-sca-esv-query-parameter-possible-tracking | Infected systems",
"https://media.defense.gov/2024/sep/18/2003547016/-1/-1/0/csa-prc-linked-actors-botnet.pdf",
"Is the family allowed to have a funeral for Tsara or print an obituary",
"Dear US Government, the man who assaulted targets name is Jeffrey Scott Reimer of Chester Springs, PA",
"itunes.apple.com \u2022 api.amazon.com",
"Red Team Abuse? Starfield ? DoD? You need a real criminal Jeffrey Reimer."
],
"related": {
"alienvault": {
"adversary": [],
"malware_families": [],
"industries": [],
"unique_indicators": 0
},
"other": {
"adversary": [],
"malware_families": [
"A variant of win32/kryptik.deoa",
"Alf:trojan:win32/agent.wtk!mtb",
"Unruy",
"Wannacry",
"Malware",
"Virtool:win32/autinject.cz!bit",
"!#addscopy-tostartup",
"Trojan:win32/zusy",
"Alf:heraklezeval:pua:win32/keygen",
"Alf:exploit:win32/gsharedinforef.a",
"Cve-2023-22518",
"Win.malware.snojan",
"Trojan:win32/startpage.aea",
"Trojan:win32/qqpass",
"Trojandownloader:win32/banload.d",
"Banload",
"Trojan:win32/diamin.f",
"Warzonerat - s0670",
"Win32:cabmod\\ [drp]",
"Apnic",
"#lowfi:hstr:msil/possibledownloader.s01",
"Dialer",
"Win32:evo-gen",
"Win.trojan.agent-316098",
"Upatre",
"Trojan:win32/magania.dsk!mtb",
"Trojandropper:win32/vb.il",
"Et",
"Virtool:win32/injector.gen!bq",
"Win.malware.zusy",
"Win.packed",
"Trojandropper:win32/hupigon.gen!a"
],
"industries": [
"Telecommunications",
"Civilian",
"Technology",
"Media",
"Telecom"
],
"unique_indicators": 83170
}
}
},
"false_positive": [],
"alexa": "http://www.alexa.com/siteinfo/marioncountyclerk.org",
"whois": "http://whois.domaintools.com/marioncountyclerk.org",
"domain": "marioncountyclerk.org",
"hostname": "nvfaxweb.marioncountyclerk.org"
},
"geo": {},
"geo_ipapicom": {},
"pulse_count": 11,
"pulses": [
{
"id": "68e2bb5d9ee8577ab5519f2c",
"name": "Meritshealth with DoD links? ",
"description": "",
"modified": "2026-01-13T00:05:56.401000",
"created": "2025-10-05T18:39:25.286000",
"tags": [
"gtmk5nxqc6",
"utc amazon",
"utc na",
"acceptencoding",
"gmt contenttype",
"connection",
"true pragma",
"gmt setcookie",
"httponly",
"gmt vary",
"nc000000 up",
"html document",
"unicode text",
"utf8 text",
"oc0006 http",
"http traffic",
"https http",
"mitre att",
"control ta0011",
"protocol t1071",
"match info",
"t1573 severity",
"info",
"number",
"ja3s",
"algorithm",
"azure rsa",
"tls issuing",
"cus subject",
"stwa lredmond",
"cnmicrosoft ecc",
"update secure",
"server ca",
"omicrosoft cus",
"get http",
"dns resolutions",
"registrar",
"markmonitor inc",
"country",
"resolver domain",
"type name",
"html",
"apnic",
"apnic whois",
"please",
"rirs",
"cidr",
"learn",
"ck id",
"name tactics",
"suspicious",
"informative",
"command",
"adversaries",
"development att",
"name tactics",
"binary file",
"ck matrix",
"wheelchair",
"iamrobert",
"pattern match",
"ascii text",
"href",
"united",
"general",
"local",
"path",
"encrypt",
"click",
"passive dns",
"urls",
"files",
"reverse dns",
"netherlands",
"present aug",
"a domains",
"moved",
"first pqc",
"ip address",
"unknown ns",
"unknown aaaa",
"title",
"body",
"meta",
"window",
"accept",
"body doctype",
"welcome",
"ok server",
"gmt content",
"present jul",
"present sep",
"aaaa",
"hostname",
"error",
"defense evasion",
"windows nt",
"response",
"vary",
"strings",
"core",
"t1027.013 encrypted/encoded",
"michelin lazy k",
"prefetch8",
"flag",
"date",
"starfield",
"hybrid",
"mobility cr",
"extraction",
"data upload",
"include",
"o url",
"url url",
"included i0",
"review ioc",
"excluded ic",
"suggested",
"find sugi",
"failed",
"cre pul",
"enter",
"enter sc",
"type",
"enric",
"extra",
"type opaste",
"data u",
"included",
"copy md5",
"copy sha1",
"copy sha256",
"null",
"refresh",
"tools",
"look",
"verify",
"restart",
"t1480 execution",
"expiration",
"url https",
"no expiration",
"iocs",
"ipv4",
"text drag",
"drop or",
"browse to",
"select file",
"redacted for",
"server",
"privacy tech",
"privacy admin",
"postal code",
"stateprovince",
"organization",
"email",
"code",
"quantum rooms",
"sam somalia",
"emp",
"porn",
"media defense",
"gov porn",
"suck my nips",
"reimer suspect",
"jeffrey reimer",
"dod",
"department of defense",
"show",
"date checked",
"url hostname",
"server response",
"google safe",
"results may",
"entries http",
"scans record",
"value status",
"sabey type",
"merits fake",
"y.a.s.",
"pornography",
"ramsom"
],
"references": [
"https://www.meritshealth.com/ Defense.Gov Mobility Co? ",
"zeroeyes.host \u2022 media.defense.gov \u2022 defense.gov \u2022 23.222.155.67",
"https://media.defense.gov/2022/Mar/17/2002958406/-1/-1/1/SUMMARY-OF-THE-JOINT-ALL-DOMAIN-COMMAND-AND-CONTROL-STRATEGY.pdf",
"https://media.defense.gov/2020/jun/09/2002313081/-1/-1/0/csi-detect-and-prevent-web-shell-malware-20200422.pdf",
"https://rto.bappam.eu/ai-n2cdl/mirai-2025-ven5k-telugu-movie-watch-online.html",
"https://pornokind.vgt.pl \u2022 https://cdn2.video.itsyourporn.com",
"https://webcams.itsyourporn.com/ \u2022 https://members.itsyourporn.com/",
"https://pics-storage-1.pornhat.com/contents/albums/main/1920x1080/135000/135855/9537375.jp",
"https://static.pornhat.com/contents/videos_screenshots/642000/642793/640x360/1.jpg",
"https://d1rozh26tys225.cloudfront.net/robot-suspicion.svg (mobility company no one has heard of)",
"https://www2.itsyourporn.com/license.php \u2022 https://www.lovephoto.tw/members",
"https://members.engine.com/login \u2022 https://members.engine.com/payment-details/220210",
"https://www-pornocarioca-com.sexogratis.page/videos/bbb/ex",
"https://media.defense.gov/2024/sep/18/2003547016/-1/-1/0/csa-prc-linked-actors-botnet.pdf",
"https://maisexo-com.putaria.info/casting \u2022 https://contosadultos-club.sexogratis.page/tudo",
"https://meumundogay-com.sexogratis.page/locker",
"https://es.pornhat.com/models/the-sex-creator/",
"Dear US Government, the man who assaulted targets name is Jeffrey Scott Reimer of Chester Springs, PA",
"Can the DoD no questions asked target a SA victim",
"Red Team Abuse? Starfield ? DoD? You need a real criminal Jeffrey Reimer.",
"There\u2019s a problem with terrorizing victims, relatives of, associates of and stealing their property intellectual or otherwise",
"socialmedia \u2022 socialmedia.defense.gov \u2022 static.defense.gov",
"There is fear in silence or speaking out",
"Target left unattended by anyone in a hospital except a security guard. Hospital refused care. Ignored rare brain incident from high cervical & brain assault injuries aggravated by car accident.",
"3-4 Police presence. 25 + hospital employees prepped radiology room. No one left room so was it for her?",
"If someone is believed to be a threat they have right to due process.",
"Infectious Disease UC Health denied target medication they said she needed as questionable liquid seeped into her brain.",
"She was a researcher not a hacker. A mother not a criminal. Most talented and least impressed person I have ever known.",
"Remarks online \u2018 T\u2019*#^^ is not a runner\u2019 a size 00 broke two track records at a major universities.",
"Honestly, you\u2019ve never seen or met her no many how many people you\u2019ve sent out. That\u2019s why you quiz.",
"ftp.iamrobert.com ? \u2022 https://www.meritshealth.com/templates/iamrobert/fonts/Graphik-Regular.eot",
"iamrobert.com Y.A.S.",
"1.2016 M.Brian Sabey filed a complaint about? Jeffrey Reimer refused Lie detector test and False memory exam",
"Target agreed and complied with all lie detector measures.",
"Is the family allowed to have a funeral for Tsara or print an obituary",
"No, they put Tsara in her mom\u2019s obituary, she couldn\u2019t grieve, she had to take it down.",
"I am very upset. Whoever is doing this is sick."
],
"public": 1,
"adversary": "",
"targeted_countries": [
"United States of America"
],
"malware_families": [
{
"id": "APNIC",
"display_name": "APNIC",
"target": null
},
{
"id": "Malware",
"display_name": "Malware",
"target": null
}
],
"attack_ids": [
{
"id": "T1071",
"name": "Application Layer Protocol",
"display_name": "T1071 - Application Layer Protocol"
},
{
"id": "T1573",
"name": "Encrypted Channel",
"display_name": "T1573 - Encrypted Channel"
},
{
"id": "T1027",
"name": "Obfuscated Files or Information",
"display_name": "T1027 - Obfuscated Files or Information"
},
{
"id": "T1057",
"name": "Process Discovery",
"display_name": "T1057 - Process Discovery"
},
{
"id": "T1069",
"name": "Permission Groups Discovery",
"display_name": "T1069 - Permission Groups Discovery"
},
{
"id": "T1105",
"name": "Ingress Tool Transfer",
"display_name": "T1105 - Ingress Tool Transfer"
},
{
"id": "T1480",
"name": "Execution Guardrails",
"display_name": "T1480 - Execution Guardrails"
},
{
"id": "T1553",
"name": "Subvert Trust Controls",
"display_name": "T1553 - Subvert Trust Controls"
},
{
"id": "T1566",
"name": "Phishing",
"display_name": "T1566 - Phishing"
},
{
"id": "T1568",
"name": "Dynamic Resolution",
"display_name": "T1568 - Dynamic Resolution"
},
{
"id": "T1583",
"name": "Acquire Infrastructure",
"display_name": "T1583 - Acquire Infrastructure"
},
{
"id": "T1069.002",
"name": "Domain Groups",
"display_name": "T1069.002 - Domain Groups"
},
{
"id": "T1071.001",
"name": "Web Protocols",
"display_name": "T1071.001 - Web Protocols"
},
{
"id": "T1583.001",
"name": "Domains",
"display_name": "T1583.001 - Domains"
},
{
"id": "TA0042",
"name": "Resource Development",
"display_name": "TA0042 - Resource Development"
},
{
"id": "TA0005",
"name": "Defense Evasion",
"display_name": "TA0005 - Defense Evasion"
},
{
"id": "T1553.002",
"name": "Code Signing",
"display_name": "T1553.002 - Code Signing"
},
{
"id": "T1528",
"name": "Steal Application Access Token",
"display_name": "T1528 - Steal Application Access Token"
},
{
"id": "T1071.004",
"name": "DNS",
"display_name": "T1071.004 - DNS"
},
{
"id": "T1113",
"name": "Screen Capture",
"display_name": "T1113 - Screen Capture"
},
{
"id": "T1590",
"name": "Gather Victim Network Information",
"display_name": "T1590 - Gather Victim Network Information"
},
{
"id": "T1591",
"name": "Gather Victim Org Information",
"display_name": "T1591 - Gather Victim Org Information"
},
{
"id": "T1132",
"name": "Data Encoding",
"display_name": "T1132 - Data Encoding"
},
{
"id": "T1140",
"name": "Deobfuscate/Decode Files or Information",
"display_name": "T1140 - Deobfuscate/Decode Files or Information"
},
{
"id": "T1562",
"name": "Impair Defenses",
"display_name": "T1562 - Impair Defenses"
},
{
"id": "T1457",
"name": "Malicious Media Content",
"display_name": "T1457 - Malicious Media Content"
},
{
"id": "T1562.001",
"name": "Disable or Modify Tools",
"display_name": "T1562.001 - Disable or Modify Tools"
},
{
"id": "T1562.004",
"name": "Disable or Modify System Firewall",
"display_name": "T1562.004 - Disable or Modify System Firewall"
},
{
"id": "T1089",
"name": "Disabling Security Tools",
"display_name": "T1089 - Disabling Security Tools"
},
{
"id": "T1562.008",
"name": "Disable Cloud Logs",
"display_name": "T1562.008 - Disable Cloud Logs"
},
{
"id": "T1125",
"name": "Video Capture",
"display_name": "T1125 - Video Capture"
},
{
"id": "T1056.003",
"name": "Web Portal Capture",
"display_name": "T1056.003 - Web Portal Capture"
},
{
"id": "T1512",
"name": "Capture Camera",
"display_name": "T1512 - Capture Camera"
},
{
"id": "T1180",
"name": "Screensaver",
"display_name": "T1180 - Screensaver"
}
],
"industries": [],
"TLP": "white",
"cloned_from": "68e2b14d83bb63502feac65e",
"export_count": 17,
"upvotes_count": 0,
"downvotes_count": 0,
"votes_count": 0,
"locked": false,
"pulse_source": "web",
"validator_count": 0,
"comment_count": 0,
"follower_count": 0,
"vote": 0,
"author": {
"username": "Q.Vashti",
"id": "337942",
"avatar_url": "https://otx.alienvault.com/assets/images/default-avatar.png",
"is_subscribed": false,
"is_following": false
},
"indicator_type_counts": {
"domain": 1365,
"URL": 11172,
"hostname": 2780,
"FileHash-MD5": 381,
"FileHash-SHA256": 4420,
"FileHash-SHA1": 338,
"CIDR": 4,
"SSLCertFingerprint": 24,
"CVE": 1,
"email": 1
},
"indicator_count": 20486,
"is_author": false,
"is_subscribing": null,
"subscriber_count": 143,
"modified_text": "138 days ago ",
"is_modified": true,
"groups": [],
"in_group": false,
"threat_hunter_scannable": true,
"threat_hunter_has_agents": 1,
"related_indicator_type": "URL",
"related_indicator_is_active": 1
},
{
"id": "68e2b14d83bb63502feac65e",
"name": "Did the \u2018real\u2019 DoD kill Targets wheelchair as promised? It\u2019s alive again.",
"description": "I\u2019d never think the DoD would be found when researching a wheelchair company NO ONE has ever heard of in this region. \n\nA wheelchair was ordered for target early spring, it was received in early summer. \n\nSettings became a crazy mess. Suspicion was immediate as a toothless tech tried to identify if dealing w/target by birth year , quizzing, fear tactics (doomsday wheelchair) , familiar Then warns about EMP attacks against wheelchair? His son is a hacker (gamer) + software engineer. He left not knowing if target status after quizzing tech knowledge? I intentionally verbalized the truth , target was a very early adopter of Ruby & Ruby on Rails & everything tech, he dropped his tools & left breaking the arm of wheelchair. New tech needed. Later denies ever being a mobility technician. They killed a new wheelchair. Why?. You\u2019re allowed to donate your equipment Vets & uninsured NEED mobility equipment. Stop the craziness. Is it possible gamer hackers are riding the DoD w/o their knowledge?",
"modified": "2026-01-07T00:00:30.717000",
"created": "2025-10-05T17:56:29.109000",
"tags": [
"gtmk5nxqc6",
"utc amazon",
"utc na",
"acceptencoding",
"gmt contenttype",
"connection",
"true pragma",
"gmt setcookie",
"httponly",
"gmt vary",
"nc000000 up",
"html document",
"unicode text",
"utf8 text",
"oc0006 http",
"http traffic",
"https http",
"mitre att",
"control ta0011",
"protocol t1071",
"match info",
"t1573 severity",
"info",
"number",
"ja3s",
"algorithm",
"azure rsa",
"tls issuing",
"cus subject",
"stwa lredmond",
"cnmicrosoft ecc",
"update secure",
"server ca",
"omicrosoft cus",
"get http",
"dns resolutions",
"registrar",
"markmonitor inc",
"country",
"resolver domain",
"type name",
"html",
"apnic",
"apnic whois",
"please",
"rirs",
"cidr",
"learn",
"ck id",
"name tactics",
"suspicious",
"informative",
"command",
"adversaries",
"development att",
"name tactics",
"binary file",
"ck matrix",
"wheelchair",
"iamrobert",
"pattern match",
"ascii text",
"href",
"united",
"general",
"local",
"path",
"encrypt",
"click",
"passive dns",
"urls",
"files",
"reverse dns",
"netherlands",
"present aug",
"a domains",
"moved",
"first pqc",
"ip address",
"unknown ns",
"unknown aaaa",
"title",
"body",
"meta",
"window",
"accept",
"body doctype",
"welcome",
"ok server",
"gmt content",
"present jul",
"present sep",
"aaaa",
"hostname",
"error",
"defense evasion",
"windows nt",
"response",
"vary",
"strings",
"core",
"t1027.013 encrypted/encoded",
"michelin lazy k",
"prefetch8",
"flag",
"date",
"starfield",
"hybrid",
"mobility cr",
"extraction",
"data upload",
"include",
"o url",
"url url",
"included i0",
"review ioc",
"excluded ic",
"suggested",
"find sugi",
"failed",
"cre pul",
"enter",
"enter sc",
"type",
"enric",
"extra",
"type opaste",
"data u",
"included",
"copy md5",
"copy sha1",
"copy sha256",
"null",
"refresh",
"tools",
"look",
"verify",
"restart",
"t1480 execution",
"expiration",
"url https",
"no expiration",
"iocs",
"ipv4",
"text drag",
"drop or",
"browse to",
"select file",
"redacted for",
"server",
"privacy tech",
"privacy admin",
"postal code",
"stateprovince",
"organization",
"email",
"code",
"quantum rooms",
"sam somalia",
"emp",
"porn",
"media defense",
"gov porn",
"suck my nips",
"reimer suspect",
"jeffrey reimer",
"dod",
"department of defense",
"show",
"date checked",
"url hostname",
"server response",
"google safe",
"results may",
"entries http",
"scans record",
"value status",
"sabey type",
"merits fake",
"y.a.s.",
"pornography",
"ramsom"
],
"references": [
"https://www.meritshealth.com/ Defense.Gov Mobility Co? ",
"zeroeyes.host \u2022 media.defense.gov \u2022 defense.gov \u2022 23.222.155.67",
"https://media.defense.gov/2022/Mar/17/2002958406/-1/-1/1/SUMMARY-OF-THE-JOINT-ALL-DOMAIN-COMMAND-AND-CONTROL-STRATEGY.pdf",
"https://media.defense.gov/2020/jun/09/2002313081/-1/-1/0/csi-detect-and-prevent-web-shell-malware-20200422.pdf",
"https://rto.bappam.eu/ai-n2cdl/mirai-2025-ven5k-telugu-movie-watch-online.html",
"https://pornokind.vgt.pl \u2022 https://cdn2.video.itsyourporn.com",
"https://webcams.itsyourporn.com/ \u2022 https://members.itsyourporn.com/",
"https://pics-storage-1.pornhat.com/contents/albums/main/1920x1080/135000/135855/9537375.jp",
"https://static.pornhat.com/contents/videos_screenshots/642000/642793/640x360/1.jpg",
"https://d1rozh26tys225.cloudfront.net/robot-suspicion.svg (mobility company no one has heard of)",
"https://www2.itsyourporn.com/license.php \u2022 https://www.lovephoto.tw/members",
"https://members.engine.com/login \u2022 https://members.engine.com/payment-details/220210",
"https://www-pornocarioca-com.sexogratis.page/videos/bbb/ex",
"https://media.defense.gov/2024/sep/18/2003547016/-1/-1/0/csa-prc-linked-actors-botnet.pdf",
"https://maisexo-com.putaria.info/casting \u2022 https://contosadultos-club.sexogratis.page/tudo",
"https://meumundogay-com.sexogratis.page/locker",
"https://es.pornhat.com/models/the-sex-creator/",
"Dear US Government, the man who assaulted targets name is Jeffrey Scott Reimer of Chester Springs, PA",
"Can the DoD no questions asked target a SA victim",
"Red Team Abuse? Starfield ? DoD? You need a real criminal Jeffrey Reimer.",
"There\u2019s a problem with terrorizing victims, relatives of, associates of and stealing their property intellectual or otherwise",
"socialmedia \u2022 socialmedia.defense.gov \u2022 static.defense.gov",
"There is fear in silence or speaking out",
"Target left unattended by anyone in a hospital except a security guard. Hospital refused care. Ignored rare brain incident from high cervical & brain assault injuries aggravated by car accident.",
"3-4 Police presence. 25 + hospital employees prepped radiology room. No one left room so was it for her?",
"If someone is believed to be a threat they have right to due process.",
"Infectious Disease UC Health denied target medication they said she needed as questionable liquid seeped into her brain.",
"She was a researcher not a hacker. A mother not a criminal. Most talented and least impressed person I have ever known.",
"Remarks online \u2018 T\u2019*#^^ is not a runner\u2019 a size 00 broke two track records at a major universities.",
"Honestly, you\u2019ve never seen or met her no many how many people you\u2019ve sent out. That\u2019s why you quiz.",
"ftp.iamrobert.com ? \u2022 https://www.meritshealth.com/templates/iamrobert/fonts/Graphik-Regular.eot",
"iamrobert.com Y.A.S.",
"1.2016 M.Brian Sabey filed a complaint about? Jeffrey Reimer refused Lie detector test and False memory exam",
"Target agreed and complied with all lie detector measures.",
"Is the family allowed to have a funeral for Tsara or print an obituary",
"No, they put Tsara in her mom\u2019s obituary, she couldn\u2019t grieve, she had to take it down.",
"I am very upset. Whoever is doing this is sick."
],
"public": 1,
"adversary": "",
"targeted_countries": [
"United States of America"
],
"malware_families": [
{
"id": "APNIC",
"display_name": "APNIC",
"target": null
},
{
"id": "Malware",
"display_name": "Malware",
"target": null
}
],
"attack_ids": [
{
"id": "T1071",
"name": "Application Layer Protocol",
"display_name": "T1071 - Application Layer Protocol"
},
{
"id": "T1573",
"name": "Encrypted Channel",
"display_name": "T1573 - Encrypted Channel"
},
{
"id": "T1027",
"name": "Obfuscated Files or Information",
"display_name": "T1027 - Obfuscated Files or Information"
},
{
"id": "T1057",
"name": "Process Discovery",
"display_name": "T1057 - Process Discovery"
},
{
"id": "T1069",
"name": "Permission Groups Discovery",
"display_name": "T1069 - Permission Groups Discovery"
},
{
"id": "T1105",
"name": "Ingress Tool Transfer",
"display_name": "T1105 - Ingress Tool Transfer"
},
{
"id": "T1480",
"name": "Execution Guardrails",
"display_name": "T1480 - Execution Guardrails"
},
{
"id": "T1553",
"name": "Subvert Trust Controls",
"display_name": "T1553 - Subvert Trust Controls"
},
{
"id": "T1566",
"name": "Phishing",
"display_name": "T1566 - Phishing"
},
{
"id": "T1568",
"name": "Dynamic Resolution",
"display_name": "T1568 - Dynamic Resolution"
},
{
"id": "T1583",
"name": "Acquire Infrastructure",
"display_name": "T1583 - Acquire Infrastructure"
},
{
"id": "T1069.002",
"name": "Domain Groups",
"display_name": "T1069.002 - Domain Groups"
},
{
"id": "T1071.001",
"name": "Web Protocols",
"display_name": "T1071.001 - Web Protocols"
},
{
"id": "T1583.001",
"name": "Domains",
"display_name": "T1583.001 - Domains"
},
{
"id": "TA0042",
"name": "Resource Development",
"display_name": "TA0042 - Resource Development"
},
{
"id": "TA0005",
"name": "Defense Evasion",
"display_name": "TA0005 - Defense Evasion"
},
{
"id": "T1553.002",
"name": "Code Signing",
"display_name": "T1553.002 - Code Signing"
},
{
"id": "T1528",
"name": "Steal Application Access Token",
"display_name": "T1528 - Steal Application Access Token"
},
{
"id": "T1071.004",
"name": "DNS",
"display_name": "T1071.004 - DNS"
},
{
"id": "T1113",
"name": "Screen Capture",
"display_name": "T1113 - Screen Capture"
},
{
"id": "T1590",
"name": "Gather Victim Network Information",
"display_name": "T1590 - Gather Victim Network Information"
},
{
"id": "T1591",
"name": "Gather Victim Org Information",
"display_name": "T1591 - Gather Victim Org Information"
},
{
"id": "T1132",
"name": "Data Encoding",
"display_name": "T1132 - Data Encoding"
},
{
"id": "T1140",
"name": "Deobfuscate/Decode Files or Information",
"display_name": "T1140 - Deobfuscate/Decode Files or Information"
},
{
"id": "T1562",
"name": "Impair Defenses",
"display_name": "T1562 - Impair Defenses"
},
{
"id": "T1457",
"name": "Malicious Media Content",
"display_name": "T1457 - Malicious Media Content"
},
{
"id": "T1562.001",
"name": "Disable or Modify Tools",
"display_name": "T1562.001 - Disable or Modify Tools"
},
{
"id": "T1562.004",
"name": "Disable or Modify System Firewall",
"display_name": "T1562.004 - Disable or Modify System Firewall"
},
{
"id": "T1089",
"name": "Disabling Security Tools",
"display_name": "T1089 - Disabling Security Tools"
},
{
"id": "T1562.008",
"name": "Disable Cloud Logs",
"display_name": "T1562.008 - Disable Cloud Logs"
},
{
"id": "T1125",
"name": "Video Capture",
"display_name": "T1125 - Video Capture"
},
{
"id": "T1056.003",
"name": "Web Portal Capture",
"display_name": "T1056.003 - Web Portal Capture"
},
{
"id": "T1512",
"name": "Capture Camera",
"display_name": "T1512 - Capture Camera"
},
{
"id": "T1180",
"name": "Screensaver",
"display_name": "T1180 - Screensaver"
}
],
"industries": [],
"TLP": "white",
"cloned_from": null,
"export_count": 11,
"upvotes_count": 0,
"downvotes_count": 0,
"votes_count": 0,
"locked": false,
"pulse_source": "web",
"validator_count": 0,
"comment_count": 1,
"follower_count": 0,
"vote": 0,
"author": {
"username": "Q.Vashti",
"id": "337942",
"avatar_url": "https://otx.alienvault.com/assets/images/default-avatar.png",
"is_subscribed": false,
"is_following": false
},
"indicator_type_counts": {
"domain": 1328,
"URL": 9931,
"hostname": 2621,
"FileHash-MD5": 381,
"FileHash-SHA256": 4360,
"FileHash-SHA1": 338,
"CIDR": 4,
"SSLCertFingerprint": 24,
"CVE": 1,
"email": 1
},
"indicator_count": 18989,
"is_author": false,
"is_subscribing": null,
"subscriber_count": 143,
"modified_text": "144 days ago ",
"is_modified": true,
"groups": [],
"in_group": false,
"threat_hunter_scannable": true,
"threat_hunter_has_agents": 1,
"related_indicator_type": "URL",
"related_indicator_is_active": 1
},
{
"id": "68e2ca40b12d7f02af896284",
"name": "Exploit Kit - 77.67.27.35 Isolated",
"description": "Information hastily gathered. IP 77.67.27.35\nbelongs to a server or device, WHOIS lookup indicates domain name cloud.com, owned by P.O. Box 412, 1043 CD, Amsterdam, Noord-Holland, NL | Summary ; ASN, AS3257 GTT Communications Inc. ; BGP, 77.67.0.0/17 ; IPs | BGP Looking Glass for AS3257 / GTT Communications Inc. | http.net - IP Transit Provider | Global Services - GTT | http://www.gtt.net Company Looking Glass: http://www.as3257.net/lg/ Info from single malicious file :Win32/Heur\n, \nTrojan.Crypted-29\nIDS Detections\nET POLICY Unsupported/Fake Windows NT Version 5.0\nET TROJAN Trojan/W32.KRBanker.60928.C Checkin\nYara Detections\nNone\nAlerts:\n\u2022 infostealer_browser\n\u2022 bypass_firewall\n\u2022 persistence_autorun\n\u2022 network_bind\n\u2022 network_http\n\u2022 packer_entropy\n- IP\u2019s Contacted :\n8.8.8.8 ,\n\n77.67.27.35 ,\n\n59.13.211.166 ,\n\n118.99.41.30 ,\nDomains Contacted :\nr.qzone.qq.com",
"modified": "2025-11-04T19:02:34.015000",
"created": "2025-10-05T19:42:56.097000",
"tags": [
"win32dh",
"mxigd4et",
"united",
"passive dns",
"entries",
"next associated",
"present oct",
"win32virut feb",
"all ipv4",
"pulse pulses",
"learn",
"ck id",
"name tactics",
"suspicious",
"informative",
"adversaries",
"spawns",
"command",
"found",
"evasion att",
"copy md5",
"copy sha1",
"copy sha256",
"sha1",
"sha256",
"ascii text",
"pattern match",
"mitre att",
"show technique",
"null",
"refresh",
"body",
"span",
"hybrid",
"local",
"path",
"click",
"strings",
"error",
"tools",
"title",
"look",
"verify",
"restart",
"information",
"whois",
"amsterdam",
"noordholland",
"summary",
"as3257 gtt",
"bgp looking",
"glass",
"as3257",
"ip transit",
"global",
"jfif",
"clsid",
"jpeg image",
"windows nt",
"gif image",
"msie",
"rgba",
"utf8 unicode",
"malware",
"copy",
"write",
"next",
"handle",
"address range",
"cidr",
"network name",
"allocation type",
"assigned pa",
"status",
"whois server",
"ripe ncc",
"ripe network"
],
"references": [],
"public": 1,
"adversary": "",
"targeted_countries": [
"Korea, Republic of",
"Hong Kong"
],
"malware_families": [],
"attack_ids": [
{
"id": "T1027",
"name": "Obfuscated Files or Information",
"display_name": "T1027 - Obfuscated Files or Information"
},
{
"id": "T1057",
"name": "Process Discovery",
"display_name": "T1057 - Process Discovery"
},
{
"id": "T1069",
"name": "Permission Groups Discovery",
"display_name": "T1069 - Permission Groups Discovery"
},
{
"id": "T1071",
"name": "Application Layer Protocol",
"display_name": "T1071 - Application Layer Protocol"
},
{
"id": "T1105",
"name": "Ingress Tool Transfer",
"display_name": "T1105 - Ingress Tool Transfer"
},
{
"id": "T1480",
"name": "Execution Guardrails",
"display_name": "T1480 - Execution Guardrails"
},
{
"id": "T1113",
"name": "Screen Capture",
"display_name": "T1113 - Screen Capture"
},
{
"id": "T1045",
"name": "Software Packing",
"display_name": "T1045 - Software Packing"
},
{
"id": "T1060",
"name": "Registry Run Keys / Startup Folder",
"display_name": "T1060 - Registry Run Keys / Startup Folder"
},
{
"id": "T1119",
"name": "Automated Collection",
"display_name": "T1119 - Automated Collection"
}
],
"industries": [
"Telecom"
],
"TLP": "green",
"cloned_from": null,
"export_count": 0,
"upvotes_count": 0,
"downvotes_count": 0,
"votes_count": 0,
"locked": false,
"pulse_source": "web",
"validator_count": 0,
"comment_count": 0,
"follower_count": 0,
"vote": 0,
"author": {
"username": "Q.Vashti",
"id": "337942",
"avatar_url": "https://otx.alienvault.com/assets/images/default-avatar.png",
"is_subscribed": false,
"is_following": false
},
"indicator_type_counts": {
"FileHash-MD5": 195,
"FileHash-SHA1": 106,
"FileHash-SHA256": 254,
"URL": 603,
"hostname": 256,
"domain": 74,
"CIDR": 3,
"email": 2
},
"indicator_count": 1493,
"is_author": false,
"is_subscribing": null,
"subscriber_count": 141,
"modified_text": "208 days ago ",
"is_modified": true,
"groups": [],
"in_group": false,
"threat_hunter_scannable": true,
"threat_hunter_has_agents": 1,
"related_indicator_type": "URL",
"related_indicator_is_active": 1
},
{
"id": "68dbee57fc8b1739c2223376",
"name": "Serious Privacy Violations \u2022 Groundup Monitoring a Household \u2022 IoT",
"description": "Thank you for the tip. It\u2019s taken me 98 days to get to this one. Enlightening. \n\nI\u2019m going to reserve my comments. A lot of new stuff here. \n#Intrusive\n#helix #helix_foundry_connection #amazon #advesaries_in_the_middle",
"modified": "2025-10-30T14:05:43.818000",
"created": "2025-09-30T14:51:03.111000",
"tags": [
"united",
"trojandropper",
"passive dns",
"lowfi",
"head meta",
"moved title",
"twitter",
"moved",
"a href",
"present sep",
"aaaa",
"ireland",
"ip address",
"emails",
"reverse dns",
"malware",
"unruy",
"upatre",
"snowjan",
"zusy",
"vb",
"x.com",
"downloader",
"trojan",
"agent",
"pe32 executable",
"intel",
"ms windows",
"reads",
"medium",
"write",
"delete",
"top source",
"push",
"germany unknown",
"name servers",
"head body",
"urls",
"files ip",
"url analysis",
"address",
"asn as3320",
"present jun",
"present jul",
"present may",
"present oct",
"present feb",
"present nov",
"url hostname",
"server response",
"learn",
"command",
"ck id",
"name tactics",
"suspicious",
"informative",
"adversaries",
"development att",
"ssl certificate",
"path",
"sha256",
"pattern match",
"ffffff",
"general",
"iframe",
"click",
"strings",
"leon",
"dns requests",
"domain address",
"http",
"files domain",
"files related",
"ireland unknown",
"files",
"dublin",
"ireland asn",
"as16509",
"script urls",
"dubai real",
"meta",
"encrypt",
"austria unknown",
"austria asn",
"asnone dns",
"resolutions",
"handle",
"rdap database",
"iana registrar",
"helix",
"foundry",
"iot",
"apple",
"itunes",
"amazon",
"unknown ns",
"found",
"content type",
"gmt server",
"x xss",
"certificate",
"domain add",
"error",
"code",
"date",
"entries",
"next associated",
"body html",
"title",
"present aug",
"servers",
"status",
"for privacy",
"redacted for",
"spawns",
"ck techniques",
"url add",
"pulse pulses",
"related nids",
"files location",
"flag united",
"showing",
"media",
"cname",
"invalid url",
"creation date",
"body",
"sha1",
"copy md5",
"copy sha1",
"copy sha256",
"ascii text",
"mitre att",
"show technique",
"hybrid",
"local"
],
"references": [
"families.google/intl/pt-PT_ALL/familylink \u2022 cameyo.google \u2022 googlecampaigns.com \u2022. chrome.com.bh",
"t-iot.de \u2022 dockerregistry.xlab.t-iot.de\t \u2022 netbox.nic.xlab.t-iot.de",
"www.n-helix.com - Foundry remnant",
"itunes.apple.com \u2022 api.amazon.com",
"https://webclientshellserver-prod-trafficmanager-net.s-0005.dual-s-msedge.net",
"https://www.matchsticksandgasoline.com/2018/11/2/18051280/the-morning-after-colorado-if-you-want-to-be-a-goalie-skip-these-highlights-mark-giordano",
"http://s.vebnox.com \u2022 vebnox.com \u2022 http://stulancer.vebnox.com \u2022 vebnox.com \u2022 http://vedonate.vebnox.com \u2022 vebnox.com \u2022 https://home.vebnox.com vebnox.com \u2022 https://vedonate.vebnox.com"
],
"public": 1,
"adversary": "",
"targeted_countries": [
"United States of America"
],
"malware_families": [
{
"id": "Trojan:Win32/QQpass",
"display_name": "Trojan:Win32/QQpass",
"target": "/malware/Trojan:Win32/QQpass"
},
{
"id": "Win.Malware.Zusy",
"display_name": "Win.Malware.Zusy",
"target": null
},
{
"id": "Trojandropper:Win32/VB.IL",
"display_name": "Trojandropper:Win32/VB.IL",
"target": "/malware/Trojandropper:Win32/VB.IL"
},
{
"id": "Win.Malware.Snojan",
"display_name": "Win.Malware.Snojan",
"target": null
},
{
"id": "Win.Packed",
"display_name": "Win.Packed",
"target": null
},
{
"id": "Upatre",
"display_name": "Upatre",
"target": null
},
{
"id": "#Lowfi:HSTR:MSIL/PossibleDownloader.S01",
"display_name": "#Lowfi:HSTR:MSIL/PossibleDownloader.S01",
"target": null
},
{
"id": "Unruy",
"display_name": "Unruy",
"target": null
},
{
"id": "Malware",
"display_name": "Malware",
"target": null
},
{
"id": "ALF:Trojan:Win32/Agent.WTK!MTB",
"display_name": "ALF:Trojan:Win32/Agent.WTK!MTB",
"target": null
}
],
"attack_ids": [
{
"id": "T1140",
"name": "Deobfuscate/Decode Files or Information",
"display_name": "T1140 - Deobfuscate/Decode Files or Information"
},
{
"id": "T1027",
"name": "Obfuscated Files or Information",
"display_name": "T1027 - Obfuscated Files or Information"
},
{
"id": "T1057",
"name": "Process Discovery",
"display_name": "T1057 - Process Discovery"
},
{
"id": "T1071",
"name": "Application Layer Protocol",
"display_name": "T1071 - Application Layer Protocol"
},
{
"id": "T1083",
"name": "File and Directory Discovery",
"display_name": "T1083 - File and Directory Discovery"
},
{
"id": "T1105",
"name": "Ingress Tool Transfer",
"display_name": "T1105 - Ingress Tool Transfer"
},
{
"id": "T1480",
"name": "Execution Guardrails",
"display_name": "T1480 - Execution Guardrails"
},
{
"id": "T1553",
"name": "Subvert Trust Controls",
"display_name": "T1553 - Subvert Trust Controls"
},
{
"id": "T1568",
"name": "Dynamic Resolution",
"display_name": "T1568 - Dynamic Resolution"
},
{
"id": "T1583",
"name": "Acquire Infrastructure",
"display_name": "T1583 - Acquire Infrastructure"
},
{
"id": "T1113",
"name": "Screen Capture",
"display_name": "T1113 - Screen Capture"
},
{
"id": "TA0011",
"name": "Command and Control",
"display_name": "TA0011 - Command and Control"
},
{
"id": "T1155",
"name": "AppleScript",
"display_name": "T1155 - AppleScript"
},
{
"id": "T1566",
"name": "Phishing",
"display_name": "T1566 - Phishing"
}
],
"industries": [],
"TLP": "white",
"cloned_from": null,
"export_count": 8,
"upvotes_count": 0,
"downvotes_count": 0,
"votes_count": 0,
"locked": false,
"pulse_source": "web",
"validator_count": 0,
"comment_count": 0,
"follower_count": 0,
"vote": 0,
"author": {
"username": "Q.Vashti",
"id": "337942",
"avatar_url": "https://otx.alienvault.com/assets/images/default-avatar.png",
"is_subscribed": false,
"is_following": false
},
"indicator_type_counts": {
"URL": 3399,
"domain": 790,
"FileHash-MD5": 174,
"FileHash-SHA1": 171,
"FileHash-SHA256": 3349,
"hostname": 1325,
"email": 10,
"SSLCertFingerprint": 9
},
"indicator_count": 9227,
"is_author": false,
"is_subscribing": null,
"subscriber_count": 148,
"modified_text": "213 days ago ",
"is_modified": true,
"groups": [],
"in_group": false,
"threat_hunter_scannable": true,
"threat_hunter_has_agents": 1,
"related_indicator_type": "URL",
"related_indicator_is_active": 1
},
{
"id": "68aff672de7f1b65a97c00b1",
"name": "WarzoneRAT impacts Social Media of users with compromised systems",
"description": "Injection affects compromised user/s social media accounts including YouTube. Uploads to social media accounts from infected systems divert to adversary\u2019s alt YouTube media center labeled \u2018watch\u2019 instead of YouTube . Remote access observed. Threat actor has full access , cnc , devices, personal information, images, contacts, network, private information including all financial information. \n \nAlt / adversarial Pinterest, Tumblr, YouTube, Facebook, Twitter / X, Instagram , LinkedIn",
"modified": "2025-09-27T05:00:09.125000",
"created": "2025-08-28T06:25:54.794000",
"tags": [
"d10927",
"mp41",
"mp41 connection",
"r connection",
"ip address",
"dynamicloader",
"write c",
"globalc",
"medium",
"high",
"write",
"dll read",
"trojan",
"delphi",
"win32",
"dialer",
"tracking",
"learn",
"ck id",
"name tactics",
"suspicious",
"informative",
"command",
"adversaries",
"defense evasion",
"spawns",
"t1590 gather",
"mitre att",
"ck matrix",
"null",
"click",
"title",
"span",
"meta",
"general",
"local",
"path",
"strings",
"refresh",
"tools",
"virgin islands",
"united",
"unknown ns",
"a domains",
"montserrat",
"passive dns",
"ipv4",
"urls",
"files",
"hosting",
"trojandropper",
"location virgin",
"msie",
"windows nt",
"wow64",
"slcc2",
"media center",
"item",
"has description",
"unknown",
"explorer",
"error",
"powershell",
"yara rule",
"windows",
"t1055",
"warzonerat",
"avemaria",
"virtool",
"netwire",
"malware",
"hostile",
"autoit",
"defender",
"date",
"bq aug",
"next associated",
"ipv4 add",
"resolved ips",
"get http",
"request",
"win64",
"khtml",
"gecko",
"resolutions",
"number",
"ja3s",
"algorithm",
"cnr12 cus",
"cname",
"accept",
"port",
"gmt ifnonematch",
"screenshots no",
"involved dns",
"name response",
"nxdomain",
"tcp connections",
"involved direct",
"country name",
"moved",
"alone email",
"body doctype",
"gmt server",
"content type",
"service privacy",
"cve"
],
"references": [
"http://remote.edikamin.com/",
"http://flat.trafficadvance.net/AccessMySOL.IVRMobileEntra?D=10927&C=7&MP=41%7C",
"http://deposito.hostance.net/dialer/",
"Found in Alt YouTube = Titled \u2018watch\u2019 | Infected System uploads to YT",
"Domains Contacted:Wealthy2019.com.strangled.net \u2022 wealth.warzonedns.com\t \u2022 wealthyme.ddns.net",
"DYNAMIC_DNS Query to a *.strangled .net Domain\t192.168.122.91\t1.1.1.1 \u2022 DNS Query to DynDNS Domain *.ddns .net",
"Observed DNS Query to a *.warzonedns .com domain - Likely Hostile\t192.168.122.91\t1.1.1.1",
"simswap.in (possible Mirai or relationship to)"
],
"public": 1,
"adversary": "",
"targeted_countries": [
"United States of America",
"Virgin Islands, British"
],
"malware_families": [
{
"id": "Trojan:Win32/Diamin.F",
"display_name": "Trojan:Win32/Diamin.F",
"target": "/malware/Trojan:Win32/Diamin.F"
},
{
"id": "Dialer",
"display_name": "Dialer",
"target": null
},
{
"id": "Win32:CabMod\\ [Drp]",
"display_name": "Win32:CabMod\\ [Drp]",
"target": null
},
{
"id": "TrojanDropper:Win32/Hupigon.gen!A",
"display_name": "TrojanDropper:Win32/Hupigon.gen!A",
"target": "/malware/TrojanDropper:Win32/Hupigon.gen!A"
},
{
"id": "ALF:HeraklezEval:PUA:Win32/Keygen",
"display_name": "ALF:HeraklezEval:PUA:Win32/Keygen",
"target": null
},
{
"id": "Trojan:Win32/Startpage.AEA",
"display_name": "Trojan:Win32/Startpage.AEA",
"target": "/malware/Trojan:Win32/Startpage.AEA"
},
{
"id": "Banload",
"display_name": "Banload",
"target": null
},
{
"id": "TrojanDownloader:Win32/Banload.D",
"display_name": "TrojanDownloader:Win32/Banload.D",
"target": "/malware/TrojanDownloader:Win32/Banload.D"
},
{
"id": "Win32:Evo-gen",
"display_name": "Win32:Evo-gen",
"target": null
},
{
"id": "!#AddsCopy-ToStartup",
"display_name": "!#AddsCopy-ToStartup",
"target": null
},
{
"id": "VirTool:Win32/AutInject.CZ!bit",
"display_name": "VirTool:Win32/AutInject.CZ!bit",
"target": "/malware/VirTool:Win32/AutInject.CZ!bit"
},
{
"id": "Win.Trojan.Agent-316098",
"display_name": "Win.Trojan.Agent-316098",
"target": null
},
{
"id": "virtool:Win32/Injector.gen!BQ",
"display_name": "virtool:Win32/Injector.gen!BQ",
"target": "/malware/virtool:Win32/Injector.gen!BQ"
},
{
"id": "WarzoneRAT - S0670",
"display_name": "WarzoneRAT - S0670",
"target": null
},
{
"id": "CVE-2023-22518",
"display_name": "CVE-2023-22518",
"target": null
}
],
"attack_ids": [
{
"id": "T1045",
"name": "Software Packing",
"display_name": "T1045 - Software Packing"
},
{
"id": "T1060",
"name": "Registry Run Keys / Startup Folder",
"display_name": "T1060 - Registry Run Keys / Startup Folder"
},
{
"id": "T1027",
"name": "Obfuscated Files or Information",
"display_name": "T1027 - Obfuscated Files or Information"
},
{
"id": "T1057",
"name": "Process Discovery",
"display_name": "T1057 - Process Discovery"
},
{
"id": "T1071",
"name": "Application Layer Protocol",
"display_name": "T1071 - Application Layer Protocol"
},
{
"id": "T1105",
"name": "Ingress Tool Transfer",
"display_name": "T1105 - Ingress Tool Transfer"
},
{
"id": "T1480",
"name": "Execution Guardrails",
"display_name": "T1480 - Execution Guardrails"
},
{
"id": "T1562",
"name": "Impair Defenses",
"display_name": "T1562 - Impair Defenses"
},
{
"id": "T1568",
"name": "Dynamic Resolution",
"display_name": "T1568 - Dynamic Resolution"
},
{
"id": "T1590",
"name": "Gather Victim Network Information",
"display_name": "T1590 - Gather Victim Network Information"
},
{
"id": "T1113",
"name": "Screen Capture",
"display_name": "T1113 - Screen Capture"
},
{
"id": "T1119",
"name": "Automated Collection",
"display_name": "T1119 - Automated Collection"
},
{
"id": "T1210",
"name": "Exploitation of Remote Services",
"display_name": "T1210 - Exploitation of Remote Services"
},
{
"id": "T1055",
"name": "Process Injection",
"display_name": "T1055 - Process Injection"
},
{
"id": "TA0011",
"name": "Command and Control",
"display_name": "TA0011 - Command and Control"
},
{
"id": "T1068",
"name": "Exploitation for Privilege Escalation",
"display_name": "T1068 - Exploitation for Privilege Escalation"
}
],
"industries": [
"Technology",
"Telecommunications",
"Media"
],
"TLP": "white",
"cloned_from": null,
"export_count": 34,
"upvotes_count": 0,
"downvotes_count": 0,
"votes_count": 0,
"locked": false,
"pulse_source": "web",
"validator_count": 0,
"comment_count": 0,
"follower_count": 0,
"vote": 0,
"author": {
"username": "Q.Vashti",
"id": "337942",
"avatar_url": "https://otx.alienvault.com/assets/images/default-avatar.png",
"is_subscribed": false,
"is_following": false
},
"indicator_type_counts": {
"URL": 4194,
"hostname": 1563,
"FileHash-SHA256": 2494,
"domain": 624,
"FileHash-MD5": 274,
"FileHash-SHA1": 226,
"email": 1,
"CVE": 1
},
"indicator_count": 9377,
"is_author": false,
"is_subscribing": null,
"subscriber_count": 146,
"modified_text": "246 days ago ",
"is_modified": true,
"groups": [],
"in_group": false,
"threat_hunter_scannable": true,
"threat_hunter_has_agents": 1,
"related_indicator_type": "URL",
"related_indicator_is_active": 1
},
{
"id": "68ae5b9ef87646927a236b61",
"name": "Privacy - Google Videos Search - Web Applications Stack Exchange = WannaCry",
"description": "Description: dfir.blog - A blog about Digital Forensics & Incident Response\ndfir.blog\nDigital forensics, web browsers, visualizations, & open source tools.\n#monitoring #dod(?) #chinacache #crypt #ransom#infectedsystems",
"modified": "2025-09-26T00:01:12.214000",
"created": "2025-08-27T01:13:02.780000",
"tags": [
"google",
"mullvad browser",
"value",
"incognito mode",
"mine",
"unix time",
"friday",
"january",
"does",
"tor browser",
"search",
"show",
"langchinese",
"packing t1045",
"t1045",
"medium",
"pe resource",
"module load",
"t1129",
"service",
"trojan",
"copy",
"dock",
"write",
"malware",
"clock",
"united",
"passive dns",
"urls",
"next associated",
"gmt cache",
"ipv4 add",
"pulse pulses",
"files",
"reverse dns",
"win32",
"title",
"location united",
"america flag",
"america asn",
"as15169 google",
"dns resolutions",
"domains top",
"level",
"unique tlds",
"present aug",
"china unknown",
"creation date",
"date",
"domain",
"ip address",
"domain name",
"expiration date",
"status ok",
"nanjing",
"accept",
"body",
"div td",
"td tr",
"div div",
"span span",
"a li",
"span p",
"p div",
"moved",
"a domains",
"open",
"span",
"uuupupu",
"t1055",
"process32nextw",
"high",
"windows",
"high defense",
"evasion",
"delphi",
"google gmail",
"images sign",
"advanced search",
"solutions",
"privacy",
"store gmail",
"delete delete",
"report",
"how search",
"applying ai",
"settings search",
"advanced",
"search search",
"search help",
"domainabuse",
"showing",
"hostname add",
"url add",
"http",
"hostname",
"files domain",
"files related",
"pulses none",
"related tags",
"read c",
"tlsv1",
"whitelisted",
"port",
"destination",
"ascii text",
"next",
"encrypt",
"script urls",
"msie",
"chrome",
"bad gateway",
"script domains",
"present feb",
"link",
"meta",
"digital",
"language",
"body doctype",
"ghost",
"present jun",
"aaaa",
"present jul",
"present oct",
"record value",
"yara detections",
"dock zone",
"top source",
"top destination",
"source source",
"filehash",
"code",
"error",
"windows nt",
"wow64",
"slcc2",
"media center",
"execution",
"persistence",
"tulach",
"brian sabey",
"dod network",
"orgtechref",
"address range",
"cidr",
"network name",
"allocation type",
"whois server",
"entity dnic",
"handle",
"whois lookup",
"dod",
"et trojan",
"server header",
"suspicious",
"et info",
"unknown",
"virustotal",
"specified",
"download",
"et",
"please",
"type size",
"first seen",
"loading",
"python wheel",
"dynamicloader",
"intel",
"ms windows",
"pe32",
"entries",
"user agent",
"powershell",
"agent",
"yara rule",
"checks",
"levelblue",
"open threat",
"observed dns",
"query",
"dns lookup",
"msdos",
"wannacry dns",
"lookup",
"wannacry",
"worm",
"explorer",
"msil",
"darkcomet",
"ping",
"tools",
"capture",
"hallrender",
"dga domains",
"unfurl sites",
"honey net",
"bot",
"nxdomain",
"potential-c2"
],
"references": [
"Don\u2019t click! https://webapps.stackexchange.com/questions/172215/google-videos-search-sca-esv-query-parameter-possible-tracking | Infected systems",
"DoD Network Information Center (DNIC)",
"DoD Network Information Center disa.columbus.ns.mbx.arin-registrations@mail.mil [seen throughout}",
"Python Wheel package",
"https://www.google.com/search",
"https://otx.alienvault.com/indicator/hostname/palantir.hosted-by-discourse.com",
"https://otx.alienvault.com/indicator/hostname/palantir.hosted-by-discourse.com"
],
"public": 1,
"adversary": "",
"targeted_countries": [
"United States of America"
],
"malware_families": [
{
"id": "Trojan:Win32/Magania.DSK!MTB",
"display_name": "Trojan:Win32/Magania.DSK!MTB",
"target": "/malware/Trojan:Win32/Magania.DSK!MTB"
},
{
"id": "Trojan:Win32/Zusy",
"display_name": "Trojan:Win32/Zusy",
"target": "/malware/Trojan:Win32/Zusy"
},
{
"id": "ET",
"display_name": "ET",
"target": null
},
{
"id": "a variant of Win32/Kryptik.DEOA",
"display_name": "a variant of Win32/Kryptik.DEOA",
"target": null
},
{
"id": "ALF:Exploit:Win32/gSharedInfoRef.A",
"display_name": "ALF:Exploit:Win32/gSharedInfoRef.A",
"target": null
},
{
"id": "Wannacry",
"display_name": "Wannacry",
"target": null
}
],
"attack_ids": [
{
"id": "T1031",
"name": "Modify Existing Service",
"display_name": "T1031 - Modify Existing Service"
},
{
"id": "T1045",
"name": "Software Packing",
"display_name": "T1045 - Software Packing"
},
{
"id": "T1053",
"name": "Scheduled Task/Job",
"display_name": "T1053 - Scheduled Task/Job"
},
{
"id": "T1055",
"name": "Process Injection",
"display_name": "T1055 - Process Injection"
},
{
"id": "T1060",
"name": "Registry Run Keys / Startup Folder",
"display_name": "T1060 - Registry Run Keys / Startup Folder"
},
{
"id": "T1129",
"name": "Shared Modules",
"display_name": "T1129 - Shared Modules"
},
{
"id": "T1143",
"name": "Hidden Window",
"display_name": "T1143 - Hidden Window"
},
{
"id": "T1057",
"name": "Process Discovery",
"display_name": "T1057 - Process Discovery"
},
{
"id": "T1082",
"name": "System Information Discovery",
"display_name": "T1082 - System Information Discovery"
},
{
"id": "T1112",
"name": "Modify Registry",
"display_name": "T1112 - Modify Registry"
},
{
"id": "T1119",
"name": "Automated Collection",
"display_name": "T1119 - Automated Collection"
},
{
"id": "T1054",
"name": "Indicator Blocking",
"display_name": "T1054 - Indicator Blocking"
},
{
"id": "T1056",
"name": "Input Capture",
"display_name": "T1056 - Input Capture"
},
{
"id": "T1089",
"name": "Disabling Security Tools",
"display_name": "T1089 - Disabling Security Tools"
},
{
"id": "T1158",
"name": "Hidden Files and Directories",
"display_name": "T1158 - Hidden Files and Directories"
}
],
"industries": [
"Telecommunications",
"Technology",
"Civilian"
],
"TLP": "white",
"cloned_from": null,
"export_count": 40,
"upvotes_count": 0,
"downvotes_count": 0,
"votes_count": 0,
"locked": false,
"pulse_source": "web",
"validator_count": 0,
"comment_count": 0,
"follower_count": 0,
"vote": 0,
"author": {
"username": "Q.Vashti",
"id": "337942",
"avatar_url": "https://otx.alienvault.com/assets/images/default-avatar.png",
"is_subscribed": false,
"is_following": false
},
"indicator_type_counts": {
"URL": 8221,
"domain": 1216,
"FileHash-SHA256": 2434,
"FileHash-MD5": 296,
"FileHash-SHA1": 155,
"hostname": 2939,
"email": 7,
"SSLCertFingerprint": 8,
"CIDR": 2
},
"indicator_count": 15278,
"is_author": false,
"is_subscribing": null,
"subscriber_count": 144,
"modified_text": "247 days ago ",
"is_modified": true,
"groups": [],
"in_group": false,
"threat_hunter_scannable": true,
"threat_hunter_has_agents": 1,
"related_indicator_type": "URL",
"related_indicator_is_active": 1
},
{
"id": "687d5d33d16ab7837e23bc01",
"name": "howmanyofme.com - Packed | Palantir",
"description": "howmanyofme.com was a honeypot. The names listed are potentially monitored targets. One was verified target.||\nhttp://howmanyofme.com/search/?given=Tsara&sur=Brashears/\nhttp://ww2.howmanyofme.com/people/Carrie_Henn/\nhttp://ww2.howmanyofme.com/people/Rockmond_Dunbar/\nhttp://howmanyofme.com/people/John_Hurt/\nhttp://howmanyofme.com/people/Mary_Gross/\nhttp://howmanyofme.com/people/Kenneth_Tobey/\nhttp://ww2.howmanyofme.com/people/Royce_Clayton/\n\n\n#Palantir # #honeypot #howmanyofme",
"modified": "2025-09-18T23:05:18.490000",
"created": "2025-07-20T21:18:43.974000",
"tags": [
"united",
"unknown ns",
"a domains",
"ip address",
"search",
"privacy service",
"fbo registrant",
"date",
"entries",
"how many",
"destination",
"port",
"windows nt",
"msie",
"unknown",
"et trojan",
"poodle attack",
"policy sslv3",
"united kingdom",
"suspicious",
"copy",
"virustotal",
"malware",
"write",
"hostile",
"next",
"triton",
"super node",
"get reloaded",
"x11 snf",
"png image",
"rgba",
"post reloaded",
"ascii text",
"crlf line",
"gnu message",
"ms windows",
"intel",
"pe32",
"host",
"get babylon",
"show",
"babylon"
],
"references": [],
"public": 1,
"adversary": "",
"targeted_countries": [],
"malware_families": [],
"attack_ids": [
{
"id": "T1060",
"name": "Registry Run Keys / Startup Folder",
"display_name": "T1060 - Registry Run Keys / Startup Folder"
},
{
"id": "T1119",
"name": "Automated Collection",
"display_name": "T1119 - Automated Collection"
},
{
"id": "T1047",
"name": "Windows Management Instrumentation",
"display_name": "T1047 - Windows Management Instrumentation"
},
{
"id": "T1055",
"name": "Process Injection",
"display_name": "T1055 - Process Injection"
},
{
"id": "T1057",
"name": "Process Discovery",
"display_name": "T1057 - Process Discovery"
}
],
"industries": [],
"TLP": "green",
"cloned_from": null,
"export_count": 13,
"upvotes_count": 0,
"downvotes_count": 0,
"votes_count": 0,
"locked": false,
"pulse_source": "web",
"validator_count": 0,
"comment_count": 0,
"follower_count": 0,
"vote": 0,
"author": {
"username": "Q.Vashti",
"id": "337942",
"avatar_url": "https://otx.alienvault.com/assets/images/default-avatar.png",
"is_subscribed": false,
"is_following": false
},
"indicator_type_counts": {
"URL": 7185,
"domain": 706,
"hostname": 1906,
"email": 5,
"FileHash-SHA256": 3645,
"FileHash-MD5": 330,
"FileHash-SHA1": 135,
"CVE": 1
},
"indicator_count": 13913,
"is_author": false,
"is_subscribing": null,
"subscriber_count": 144,
"modified_text": "254 days ago ",
"is_modified": true,
"groups": [],
"in_group": false,
"threat_hunter_scannable": true,
"threat_hunter_has_agents": 1,
"related_indicator_type": "URL",
"related_indicator_is_active": 1
},
{
"id": "688f2a4444334746890f3b39",
"name": "Bank of America Scam",
"description": "Bank of America scams that being carried out for at least 8 years. Group able to steal your credentials, investments, insurance policies, skimming, small to large false charges, account theft. 9/2024 BoFa was investigated by me. They had experienced a major , sophisticated compromise. At least one branch is run by unfriendly investigators or authorities. All regular staff was moved to different branches. I witnessed personnel accessing a customer\u2019s account without customer presenting ID or giving name. Customer was concerned, staffer just stated he remembered their business name. Another customer was being harassed to close business account for an hour and another staffer took a consumers debit card and denied it prompting an internal investigation. Finally a \u2018manager\u2019 said they experienced a major hack. Research shows customers weren\u2019t informed. . Further research is necessary.\nAnybody? \n#theft #skimming #cancellations #false_charges #debitcardfraud #botnetcallcenter",
"modified": "2025-09-02T08:02:34.108000",
"created": "2025-08-03T09:22:12.846000",
"tags": [
"united",
"link",
"ip address",
"creation date",
"search",
"record value",
"showing",
"unknown ns",
"present mar",
"a domains",
"date",
"meta",
"starfield",
"entries",
"show",
"windows",
"msie",
"http",
"medium",
"post http",
"delete",
"ids detections",
"malware",
"copy",
"drweb",
"write",
"win32",
"global",
"present jul",
"error",
"lowfi",
"trojanspy",
"checkin",
"passive dns",
"trojan",
"next associated",
"cryp",
"present aug",
"urls",
"address",
"hostname",
"pulse submit",
"url analysis",
"files",
"domain",
"pulse",
"less whois",
"registrar",
"adylkuzz cnc",
"beacon",
"get http",
"exe payload",
"read",
"suspicious"
],
"references": [],
"public": 1,
"adversary": "",
"targeted_countries": [],
"malware_families": [],
"attack_ids": [
{
"id": "T1045",
"name": "Software Packing",
"display_name": "T1045 - Software Packing"
},
{
"id": "T1053",
"name": "Scheduled Task/Job",
"display_name": "T1053 - Scheduled Task/Job"
},
{
"id": "T1060",
"name": "Registry Run Keys / Startup Folder",
"display_name": "T1060 - Registry Run Keys / Startup Folder"
},
{
"id": "T1158",
"name": "Hidden Files and Directories",
"display_name": "T1158 - Hidden Files and Directories"
}
],
"industries": [],
"TLP": "green",
"cloned_from": null,
"export_count": 17,
"upvotes_count": 0,
"downvotes_count": 0,
"votes_count": 0,
"locked": false,
"pulse_source": "web",
"validator_count": 0,
"comment_count": 0,
"follower_count": 0,
"vote": 0,
"author": {
"username": "Q.Vashti",
"id": "337942",
"avatar_url": "https://otx.alienvault.com/assets/images/default-avatar.png",
"is_subscribed": false,
"is_following": false
},
"indicator_type_counts": {
"FileHash-MD5": 171,
"URL": 873,
"domain": 180,
"hostname": 332,
"email": 3,
"FileHash-SHA256": 698,
"FileHash-SHA1": 167
},
"indicator_count": 2424,
"is_author": false,
"is_subscribing": null,
"subscriber_count": 141,
"modified_text": "271 days ago ",
"is_modified": true,
"groups": [],
"in_group": false,
"threat_hunter_scannable": true,
"threat_hunter_has_agents": 1,
"related_indicator_type": "URL",
"related_indicator_is_active": 1
},
{
"id": "688d9f7c357111d3ad843c16",
"name": "Follower Factory - Virus:Win32/Shodi.I | Trojan Agent",
"description": "Follower factories sell followers , shout outs & retweets to celebrities, businesses, anyone. Buying followers is not encouraged by the those \u2018target\u2019 worked with. On several occasions Brashears had to have Bank refund her $1000\u2019s in unauthorized Facebook advertising charges finally, 2 of her banks accounts , l Brashears had to delete a photo of herself that gained a suspicious 12,000+ in Filipino likes & comments.. Target deleted 3000 sudden faceless twitter bots shortly before her Twitter accounts was stolen. Bad actors marketed her music on malicious websites. Hacking Tsara began in 2013 after assault, Followers began after Brian Sabey contacted Tsara Brashears @ Song Culture email. Site became filled with trackers at one time and advertised her commutes on Yandex..1st contact Sabey , initially asked what the company did via email.",
"modified": "2025-09-01T02:00:30.266000",
"created": "2025-08-02T05:17:48.231000",
"tags": [
"destination",
"port",
"united",
"show",
"search",
"get http",
"host sinkhole",
"cookie value",
"et trojan",
"unknown",
"possible",
"write",
"win32",
"nivdort",
"artemis",
"malware",
"zeus gameover",
"copy",
"next",
"date",
"no expiration",
"ipv4",
"expiration",
"url http",
"domain",
"iocs",
"drop or",
"browse to",
"select file",
"or drop",
"united kingdom",
"entries",
"next associated",
"unknown a",
"showing",
"urls show",
"date checked",
"url hostname",
"server response",
"filehash",
"pulse pulses",
"av detections",
"ids detections",
"yara detections",
"alerts",
"analysis date",
"md5 add",
"passive dns",
"great britain",
"present jul",
"urls",
"files",
"reverse dns",
"data upload",
"extraction",
"failed",
"virus",
"file score",
"medium risk",
"related pulses",
"none related"
],
"references": [],
"public": 1,
"adversary": "",
"targeted_countries": [],
"malware_families": [],
"attack_ids": [],
"industries": [],
"TLP": "green",
"cloned_from": null,
"export_count": 21,
"upvotes_count": 0,
"downvotes_count": 0,
"votes_count": 0,
"locked": false,
"pulse_source": "web",
"validator_count": 0,
"comment_count": 0,
"follower_count": 0,
"vote": 0,
"author": {
"username": "Q.Vashti",
"id": "337942",
"avatar_url": "https://otx.alienvault.com/assets/images/default-avatar.png",
"is_subscribed": false,
"is_following": false
},
"indicator_type_counts": {
"FileHash-MD5": 351,
"FileHash-SHA1": 344,
"FileHash-SHA256": 1546,
"URL": 3435,
"domain": 796,
"hostname": 801
},
"indicator_count": 7273,
"is_author": false,
"is_subscribing": null,
"subscriber_count": 142,
"modified_text": "272 days ago ",
"is_modified": true,
"groups": [],
"in_group": false,
"threat_hunter_scannable": true,
"threat_hunter_has_agents": 1,
"related_indicator_type": "URL",
"related_indicator_is_active": 1
},
{
"id": "685186035e5fb63846d29e45",
"name": "Regarding Minority Report 2.0 | Aggresive Remote device tracking (multiple) | Network Rat",
"description": "Abuse.\nWhy is so much of this in plain sight? .\nMalicious tactics abused by preemptive policing recently implemented by Tech Bros under current Trump administration.\nThee governing Cyber Defense / AI / Data collection firm. | foundry2-lbl.dvr.dn2.n-helix.com | \nhttp://foundry2-lbl.dvr.dn2.n-helix.com |\nhttps://foundry2-lbl.dvr.dn2.n-helix.com |\nhttps://nl.cyberriskalliance.com/assets/icons/twitter.png |\nhttps://axis.snxd.com/track/0\n| track.getbuilt.com | \nRelates to Denver female \u2018allegedly\u2019 injured \u2018in PT.\nA malicious prosecution case against alleged victim after a Detective brought \u2018MTI\u2019 case to controlled Denver DA was dismissed by judge. Injured victim paid a pathetic settlement; especially considering the seriousness of the response of the government. \nThis type\nof tracking silencing is critically dangerous. \nHosanna make no haste to rescue all\nof victims of civilian & victim targeting.\n*Crowdsourced",
"modified": "2025-07-17T14:01:34.245000",
"created": "2025-06-17T15:13:07.233000",
"tags": [
"body",
"cps https",
"location",
"urls server",
"cloudfront",
"united",
"unknown aaaa",
"search",
"digital press",
"moved",
"digital culture",
"ip address",
"creation date",
"record value",
"entries",
"date",
"meta",
"urls",
"http",
"passive dns",
"unique",
"pulse pulses",
"related nids",
"files location",
"flag united",
"showing",
"rich content",
"system",
"cdn amazon",
"amazons3 tls",
"certificate",
"redirects",
"ua9385760744",
"utc na",
"utc google",
"tag manager",
"gk4vnlmd3b9",
"server",
"amazon",
"net1832001",
"net18160001",
"address range",
"cidr",
"network name",
"allocation type",
"whois server",
"entity amazon4",
"handle",
"present mar",
"present feb",
"unknown cname",
"urls show",
"date checked",
"url hostname",
"server response",
"aaaa"
],
"references": [],
"public": 1,
"adversary": "",
"targeted_countries": [],
"malware_families": [],
"attack_ids": [
{
"id": "T1140",
"name": "Deobfuscate/Decode Files or Information",
"display_name": "T1140 - Deobfuscate/Decode Files or Information"
}
],
"industries": [],
"TLP": "green",
"cloned_from": null,
"export_count": 48,
"upvotes_count": 0,
"downvotes_count": 0,
"votes_count": 0,
"locked": false,
"pulse_source": "web",
"validator_count": 0,
"comment_count": 1,
"follower_count": 0,
"vote": 0,
"author": {
"username": "Q.Vashti",
"id": "337942",
"avatar_url": "https://otx.alienvault.com/assets/images/default-avatar.png",
"is_subscribed": false,
"is_following": false
},
"indicator_type_counts": {
"FileHash-SHA256": 2075,
"URL": 5471,
"hostname": 1531,
"domain": 1013,
"FileHash-MD5": 55,
"FileHash-SHA1": 53,
"CVE": 1,
"SSLCertFingerprint": 1,
"email": 1,
"CIDR": 2
},
"indicator_count": 10203,
"is_author": false,
"is_subscribing": null,
"subscriber_count": 145,
"modified_text": "318 days ago ",
"is_modified": true,
"groups": [],
"in_group": false,
"threat_hunter_scannable": true,
"threat_hunter_has_agents": 1,
"related_indicator_type": "URL",
"related_indicator_is_active": 1
}
],
"error": null,
"vt": {
"error": "VirusTotal rate limit reached. Try again shortly.",
"indicator": "https://nvfaxweb.marioncountyclerk.org",
"type": "URL"
},
"abuseipdb": null,
"urlhaus": {
"indicator": "https://nvfaxweb.marioncountyclerk.org",
"type": "URL",
"found": false,
"verdict": "clean",
"error": null
},
"from_cache": true,
"_cached_at": 1780255682.1348763
}