{ "type": "URL", "indicator": "https://pajamasly.com", "general": { "sections": [ "general", "url_list", "http_scans", "screenshot" ], "indicator": "https://pajamasly.com", "type": "url", "type_title": "URL", "validation": [], "base_indicator": { "id": 4154962354, "indicator": "https://pajamasly.com", "type": "URL", "title": "", "description": "", "content": "", "access_type": "public", "access_reason": "" }, "pulse_info": { "count": 5, "pulses": [ { "id": "698037098c99c37cb91037c2", "name": "Busy Box MITM Attacks via Drive-by-Compromise | Facebook | Apple", "description": "Busy Box - MITM Attack\n\nDrive-by-Compromise | Facebook | Jamie Oliver Recipes | My sister-in-law made this once and I couldn\u2019t stop eating it. \nAdversarial Facebook pop up posts. .\n\n|| Pykspa.C Check in. \"Pykspa is a type of Remote Access Trojan (RAT). A powerful a worm that spreads via social media or via DGA algorithms. Parking crews are fond of these types of attacks. Christopher Ahmann", "modified": "2026-03-04T04:07:14.513000", "created": "2026-02-02T05:32:57.303000", "tags": [ "no expiration", "filehashsha256", "ipv4", "url http", "domain", "hostname", "filehashmd5", "filehashsha1", "iocs", "url https", "search", "type indicator", "review iocs", "role title", "create new", "pulse use", "pdf report", "pcap", "extraction", "sc data", "extre data", "include review", "exclude sugges", "data upload", "failed", "find s", "oo data", "enter source", "url or", "text drag", "expiration", "showing", "entries", "protect", "pulse show", "email abuse", "related pulses", "indicator role", "returnurl no", "drop", "pulse provide", "public tlp", "green", "adversary tags", "buzz", "x8664", "add tag", "groups add", "add industry", "trojan", "tags" ], "references": [ "https://www.facebook.com/groups/378607181955796/posts/773093455840498/?hpir=1&http_ref=eyJ0cyI6MTc2OTk2MDkxOTAwMCwiciI6IiJ9", "www.crazyfrost.com IPv4 104.21.5.49 IPv4 172.67.132.250", "Antivirus Detections: Trojan:Win32/Dorv.A", "IDS Detections: Win32/Pykspa.C Public IP Check IP Check Domain (whatismyip in HTTP Host)", "IDS Detections: IP Check Domain (showmyipaddress .com in HTTP Host) External IP Lookup", "IDS Detections: Domain in DNS Lookup (whatismyipaddress .com) IP Check", "IDS Detections: Domain (whatismyipaddress .com in HTTP Host)", "Yara Detections XOR_embeded_exefile_xored_with_round_256_bytes_key", "Alerts: antiav_servicestop antisandbox_sleep process_creation_suspicious_location", "Alerts: network_bind persistence_autorun binary_yara procmem_yara suricata_alert", "Alerts: disables_uac infostealer_keylog modify_uac_prompt anomalous_deletefile", "Alerts: mouse_movement_detect dead_connect enumerates_running_processes process_needed", "Alerts: dynamic_function_loading reads_memory_remote_process packer_entropy network_http", "IP\u2019s Contacted: 188.223.42.134 78.57.88.30 84.73.234.83 78.84.44.225 89.252.203.80", "IP\u2019s Contacted: 77.76.39.110 104.156.155.94 77.77.13.89 78.61.87.173 78.63.104.75", "Domains Contacted: www.whatismyip.com www.showmyipaddress.com www.whatismyip.ca", "Domains Contacted: whatismyipaddress.com whatismyip.everdot.org www.facebook.com", "Domains Contacted: fexexwjehud.org lxclombt.net jpnzlsaqogv.com esccuyigsy.org", "Antivirus Detections: Win.Malware.Pits-10035540-0", "Yara: Detections Delphi", "Alerts: infostealer_cookies antiav_detectfile", "IDS Detections: Observed Cloudflare DNS over HTTPS Domain (cloudflare-dns .com in TLS SNI)", "nigger.cat \u2022 http://a.nigger.cat/ \u2022 http://a.nigger.cat/imrred.exe \u2022 http://a.nigger.cat/iwzptk.pdf \u2022", "http://a.nigger.cat/ltbexb.jpg \u2022 http://a.nigger.cat/ocnxdv.exe \u2022 http://a.nigger.cat/ocnxdv.exe/", "http://a.nigger.cat/ovefvy.html \u2022 http://a.nigger.cat/snkikb.rar \u2022 http://a.nigger.cat/unipms.exe", "http://a.nigger.cat/ypphgg.exe \u2022 http://u.nigger.cat/ \u2022 https://a.nigger.cat/", "http://www.a.nigger.cat/ocnxdv.exe \u2022 https://a.nigger.cat/pwzbrt.txt", "output.228572717.txt [fb970a4bffed1d606a8d90369d43e3a73ea9c8dbcf1394745f1568500e918e1f]", "https://www.virustotal.com/gui/file/fb970a4bffed1d606a8d90369d43e3a73ea9c8dbcf1394745f1568500e918e1f/summary", "https://hybrid-analysis.com/sample/3aaca21b3918eecd127867bdd724611398cf897a0686fedfde1d424b7ad6130a", "https://hybrid-analysis.com/sample/e4999984a69a65a69bec9fef1200f7ec36a10bc401cdd15db3510fdc87ec5008/697fb0fec4a9bda3410454cf", "https://hybrid-analysis.com/sample/f6ccff8dec08334fab98d4f6cb9b2774acd00e98d1afabd219c2634d5b3e2147/697faa178cc598cfb90b0423", "https://hybrid-analysis.com/sample/01a1a2106bcddc591cab08d31c13966bd0413fe312bce9be396e964e114631a6/697f8c04475b90e7fb0d7ff9", "apple4you.it \u2022 https://www.apple4you.it/ \u2022 cpcalendars.apple4you.it \u2022 ftp.apple4you.it \u2022", "https://ftp.apple4you.it \u2022 http://cpcalendars.apple4you.it \u2022 http://cpcontacts.apple4you.it \u2022", "http://ftp.apple4you.it \u2022 http://www.apple4you.it/ \u2022https://cpcalendars.apple4you.it \u2022", "https://cpcontacts.apple4you.it", "AppleWebKit Christopher P. \u2018BUZZ\u2019 Ahmann interference", "adsparkahz.shop \u2022 https://adsparkahz.shop/ \u2022 parkedbits.com", "https://parkedbits.com \u2022 spiritzuridgerunelahubcloudgusparkx.rest", "https://fs25.mygamesteam.com/download/underground-parking/", "http://spiritzuridgerunelahubcloudgusparkx.rest/", "127.0.0.1 Private IP Address \u2022 http://facebook.com/iWebTechnologies", "9e8c2f9e77b4b6a7538e4136d3bda379c560dc1a5931643da119da2f28881e4d\tELF:DDoS-S\\ [Trj]\t\tUnix.Trojan.Gafgyt-6981154-0\tDDoS:Linux/Gafgyt.YA!MTB", "ELF:DDoS-S\\ [Trj] , Unix.Trojan.Gafgyt-6981154-0 , DDoS:Linux/Gafgyt.YA!MTB", "IDS Detections: Suspicious Activity potential UPnProxy", "Yara Detections: is__elf , ECHOBOT", "Alerts: dead_host network_icmp tcp_by", "Unix.Dropper.Mirai-7135925-0 , DDoS:Linux/Gafgyt.YA!MTB Yara Detections is__elf , ECHOBOT", "TAGS: aaaa accept activity address adversaries aes128gcm ahmann all hostname all ipv4 as15169", "TAGS: as29278 deninet as29728 cottage as47325 ascii text asn as29278 asn as29728 asn13335", "TAGS: av detections av exploit belgium belgium unknown binbusybox bits body canada unknown", "TAGS: christopher p christopher p. \u2018buzz\u2019 ahmann ck id ck matrix ck techniques clare click cloud", "TAGS: cloudflare cloudflarenet command config connection copy crazyfrost cyber attacks", "TAGS: data upload date date hash ddos dead connection default defense evasion delphi destination", "TAGS: detection detections detections name development att direct dirty dns resolutions domain", "TAGS: add dynamicloader ecdsa echobot echobot related encrypt entries error evasion att", "TAGS: expiration date explorer extraction facebook facebook failed february filehash files files ip", "TAGS: flag gecko general general full general info generator geo hungary guard hackers hash hide", "TAGS: samples high host hover httpsupgrades hu note hu seen hungary hungary asn hybrid ids detections ilwysowa text informative intel mac ip address ip check ipv4 ipv4 add is__elf jamie oliver json khtml launcher learn leve blu linux x8664 live live screenshot local logs look m. brian sabey macintosh malware medium melvin sabey meta mitre att mobile ms windows mtb dec mtb yara name servers name tactics network traffic new browser next associated next yara niggercat none file null object os x outbound passiv", "TAGS: samples high host hover httpsupgrades hu note hu seen hungary hungary asn hybrid ids detections", "TAGS: ilwysowa text informative intel mac ip address ip check ipv4 ipv4 add is__elf jamie oliver json khtml launcher learn leve blu linux x8664 live live screenshot local logs look m. brian sabey macintosh malware medium melvin sabey meta mitre att mobile ms windows mtb dec mtb yara name servers name tactics network traffic new browser next associated next yara niggercat none file null object os x outbound passive dns path pattern match pink screen port possible prefetch8 present dec present feb present jan", "TAGS: ilwysowa text informative intel mac ip address ip check ipv4 ipv4 add is__elf jamie oliver", "TAGS: json khtml launcher learn leve blu linux x8664 live live screenshot local logs look m. brian sabey", "TAGS: macintosh malware medium melvin sabey meta mitre att mobile ms windows mtb dec", "TAGS: mtb yara name servers name tactics network traffic new browser next associated next", "TAGS: yara niggercat none file null object os x outbound passive dns path pattern match", "TAGS: pink screen port possible prefetch8 present program protocol h3 ptr record none push", "TAGS: pyspark python python initiated quic ransom recipes record value redacted for", "TAGS. redirect refresh related tags remoteIPAddress resource restart reverse dns route runner", "TAGS: sample analysis se domains search security quic add source level span spawns spy", "TAGS: state of colorado stream strings suspicious t1590 gather tcp syn title tools tr trex triangulation", "TAGS: trojan trojandropper trojanspy united unknown unknown aaaa unknown ns updater", "TAGS: upnproxy url analysis url https url text urls verified verify veryhigh victim network vubbuv win32 win64 windows windows nt windows server worm write write c yara detections yara rule" ], "public": 1, "adversary": "", "targeted_countries": [ "United States of America", "Hungary" ], "malware_families": [ { "id": "ALF:HeraklezEval:Trojan:Win32/ClipBanker", "display_name": "ALF:HeraklezEval:Trojan:Win32/ClipBanker", "target": null }, { "id": "DDos:Linux/Gafgyt.YA!MTB", "display_name": "DDos:Linux/Gafgyt.YA!MTB", "target": "/malware/DDos:Linux/Gafgyt.YA!MTB" }, { "id": "ELF:DDoS-S\\ [Trj]", "display_name": "ELF:DDoS-S\\ [Trj]", "target": null }, { "id": "Pykspa.C", "display_name": "Pykspa.C", "target": null }, { "id": "Trojan:Win32/Dorv.A", "display_name": "Trojan:Win32/Dorv.A", "target": "/malware/Trojan:Win32/Dorv.A" }, { "id": "Unix.Trojan.Gafgyt-698115", "display_name": "Unix.Trojan.Gafgyt-698115", "target": null }, { "id": "4-0 Win.Malware.Pits-10035540-0", "display_name": "4-0 Win.Malware.Pits-10035540-0", "target": null }, { "id": "Win.Packed.Usteal-7531303-0", "display_name": "Win.Packed.Usteal-7531303-0", "target": null }, { "id": "tR", "display_name": "tR", "target": null }, { "id": "DeathHiddenTear (Large&Small HT) >", "display_name": "DeathHiddenTear (Large&Small HT) >", "target": null } ], "attack_ids": [ { "id": "T1027", "name": "Obfuscated Files or Information", "display_name": "T1027 - Obfuscated Files or Information" }, { "id": "T1041", "name": "Exfiltration Over C2 Channel", "display_name": "T1041 - Exfiltration Over C2 Channel" }, { "id": "T1045", "name": "Software Packing", "display_name": "T1045 - Software Packing" }, { "id": "T1057", "name": "Process Discovery", "display_name": "T1057 - Process Discovery" }, { "id": "T1060", "name": "Registry Run Keys / Startup Folder", "display_name": "T1060 - Registry Run Keys / Startup Folder" }, { "id": "T1063", "name": "Security Software Discovery", "display_name": "T1063 - Security Software Discovery" }, { "id": "T1069", "name": "Permission Groups Discovery", "display_name": "T1069 - Permission Groups Discovery" }, { "id": "T1071", "name": "Application Layer Protocol", "display_name": "T1071 - Application Layer Protocol" }, { "id": "T1105", "name": "Ingress Tool Transfer", "display_name": "T1105 - Ingress Tool Transfer" }, { "id": "T1113", "name": "Screen Capture", "display_name": "T1113 - Screen Capture" }, { "id": "T1119", "name": "Automated Collection", "display_name": "T1119 - Automated Collection" }, { "id": "T1132", "name": "Data Encoding", "display_name": "T1132 - Data Encoding" }, { "id": "T1140", "name": "Deobfuscate/Decode Files or Information", "display_name": "T1140 - Deobfuscate/Decode Files or Information" }, { "id": "T1155", "name": "AppleScript", "display_name": "T1155 - AppleScript" }, { "id": "T1189", "name": "Drive-by Compromise", "display_name": "T1189 - Drive-by Compromise" }, { "id": "T1456", "name": "Drive-by Compromise", "display_name": "T1456 - Drive-by Compromise" }, { "id": "T1457", "name": "Malicious Media Content", "display_name": "T1457 - Malicious Media Content" }, { "id": "T1480", "name": "Execution Guardrails", "display_name": "T1480 - Execution Guardrails" }, { "id": "T1553", "name": "Subvert Trust Controls", "display_name": "T1553 - Subvert Trust Controls" }, { "id": "T1557", "name": "Man-in-the-Middle", "display_name": "T1557 - Man-in-the-Middle" }, { "id": "T1562", "name": "Impair Defenses", "display_name": "T1562 - Impair Defenses" }, { "id": "T1568", "name": "Dynamic Resolution", "display_name": "T1568 - Dynamic Resolution" }, { "id": "T1583", "name": "Acquire Infrastructure", "display_name": "T1583 - Acquire Infrastructure" }, { "id": "T1586", "name": "Compromise Accounts", "display_name": "T1586 - Compromise Accounts" }, { "id": "T1590", "name": "Gather Victim Network Information", "display_name": "T1590 - Gather Victim Network Information" }, { "id": "T1608", "name": "Stage Capabilities", "display_name": "T1608 - Stage Capabilities" } ], "industries": [], "TLP": "green", "cloned_from": null, "export_count": 5, "upvotes_count": 0, "downvotes_count": 0, "votes_count": 0, "locked": false, "pulse_source": "web", "validator_count": 0, "comment_count": 0, "follower_count": 0, "vote": 0, "author": { "username": "Q.Vashti", "id": "337942", "avatar_url": "https://otx.alienvault.com/assets/images/default-avatar.png", "is_subscribed": false, "is_following": false }, "indicator_type_counts": { "FileHash-MD5": 1586, "FileHash-SHA1": 1479, "FileHash-SHA256": 1938, "URL": 4548, "domain": 1052, "hostname": 2501, "email": 9, "SSLCertFingerprint": 7, "CIDR": 2 }, "indicator_count": 13122, "is_author": false, "is_subscribing": null, "subscriber_count": 140, "modified_text": "46 days ago ", "is_modified": true, "groups": [], "in_group": false, "threat_hunter_scannable": true, "threat_hunter_has_agents": 1, "related_indicator_type": "URL", "related_indicator_is_active": 1 }, { "id": "695c7b40f5d2f292a7512e81", "name": "USteal Reputation Smear | Malicious Media | TrojanSpy - CrazyFrost.com", "description": "Who is CrazyFrost? USteal Reputation Smear | Malicious Media | TrojanSpy would affect anyone who clicks on honeypot / dga domain. iPhone spyware. We\u2019ve been working on exposing spyware. Emotet / AutoIT , cabs, password stealer, and more found. Investigators and attorneys from the past Investigators reported victims life, was being promoted over the dark web. From bathing to cooking , conversations to arguments, getting dressed to passing gas. Haha. Small cameras were accessed remotely in her former. Castle Pines, Co hideaway. A third investigator confirmed tiny cameras were installed when victim was in staycationing. When family arrived home garage door and secured doors were boldly left open. Crazy True. [otx auto generated- The following is the full text of the public-key-precert-scts, which has been posted on the website of Redporn.video, the site of an unauthorised sex tape.]", "modified": "2026-02-05T02:03:26.707000", "created": "2026-01-06T03:02:24.932000", "tags": [ "gmtn", "log id", "ca issuers", "b0n timestamp", "signature", "d097", "f2334482", "fc46", "b10b2898797d", "fingerprintsha1", "tsara", "we1 certificate", "dynamicloader", "medium", "write c", "host", "yara rule", "myapp", "delphi", "worm", "win32", "error", "write", "code", "malware", "learn", "ck id", "name tactics", "suspicious", "informative", "command", "adversaries", "spawns", "ssl certificate", "execution att", "t1204 user", "united", "mitre att", "ck matrix", "flag", "ogoogle trust", "href", "network traffic", "span", "babe", "super", "close", "general", "local", "path", "encrypt", "click", "strings", "form", "extraction", "data upload", "all ht", "enter source", "one on", "tezunau", "daut un", "dauwol lype", "ur extraction", "extrac", "n tezunau", "one opa", "included review", "faileextra", "include data", "review exclude", "sugges", "delete c", "json", "ascii text", "high", "data", "search", "stream", "unknown", "push", "next", "dirty", "enter s", "type", "extr data", "include", "ff d5", "ee fc", "eb d8", "f0 ff", "ff bb", "fd ff", "ff eb", "ed b8", "agent", "msie", "windows nt", "wow64", "slcc2", "media center", "tlsv1", "read c", "execution", "dock", "persistence", "sc data", "present jan", "present mar", "present dec", "unknown aaaa", "passive dns", "urls", "trojanspy", "date", "present feb", "susp", "moved", "ip address", "backdoor", "usteal", "body", "title", "hybrid", "regopenkeyexa", "memcommit", "regsz", "english", "copy", "ufr stealer", "markus", "april", "updater", "entries", "rsds", "c reg", "environment", "launch" ], "references": [ "https://www.redporn.video/tsara-brashears-slandered-.htm \u2022 www.redporn.video \u2022 http://www.redporn", "guidepaparazzisurface.com", "http://www.crazyfrost.com\t\u2022 http://www.crazyfrost", "http://chaturbate.com/notabottom/\t\u2022 http://chaturbate.com/notabottom/\\", "iPhone Spyware - https://bam.nr-data.net/1/6f524845d1?a=24279235&v=1169.7b094c0&to=MwYEbUdYXxJQWhULDApMIExbWkUIXldOAQsFF0hPXFxGEgtrDg0OMgoDThteVBU%3D&rst=6546&ck=1&ref=https://chaturbate.com/notabottom/&ap=123&fe=4218&dc=4218&af=err", "iPhone Spyware - https://bam.nr-data.net/jserrors/ping/6f524845d1?a=24279235&v=1169.7b094c0&to=MwYEbUdYXxJQWhULDApMIExbWkUIXldOAQsFF0hPXFxGEgtrDg0OMgoDThteVBU%3D&rst=6546&ck=1&ref=https://chaturbate.com/notabottom/", "https://chaturbate.com/notabottom/", "https://www.google-analytics.com/r/collect?v=1&_v=j83&a=1390847564&t=pageview&_s=1&dl=https%3A%2F%2Fchaturbate.com%2Fnotabottom%2F&ul=en-us&de=utf-8&dt=Chaturbate%20-%20100%25%20Free%20Chat%20%26%20Webcams&sd=32-bit&sr=1024x768&vp=780x439&je=0&_u=YEBAAE~&jid=915940444&gjid=1686072238&cid=922362881.1595496808&tid=UA-23607725-1&_gid=1317601001.1595496808&_r=1&cd1=chaturbate.com&cd2=&cd3=-&cd4=&cd5=anonymous&z=762468946" ], "public": 1, "adversary": "", "targeted_countries": [ "United States of America" ], "malware_families": [ { "id": "AutoIT", "display_name": "AutoIT", "target": null }, { "id": "TrojanSpy:Win32/Usteal", "display_name": "TrojanSpy:Win32/Usteal", "target": "/malware/TrojanSpy:Win32/Usteal" } ], "attack_ids": [ { "id": "T1045", "name": "Software Packing", "display_name": "T1045 - Software Packing" }, { "id": "T1060", "name": "Registry Run Keys / Startup Folder", "display_name": "T1060 - Registry Run Keys / Startup Folder" }, { "id": "T1057", "name": "Process Discovery", "display_name": "T1057 - Process Discovery" }, { "id": "T1069", "name": "Permission Groups Discovery", "display_name": "T1069 - Permission Groups Discovery" }, { "id": "T1071", "name": "Application Layer Protocol", "display_name": "T1071 - Application Layer Protocol" }, { "id": "T1105", "name": "Ingress Tool Transfer", "display_name": "T1105 - Ingress Tool Transfer" }, { "id": "T1204", "name": "User Execution", "display_name": "T1204 - User Execution" }, { "id": "T1480", "name": "Execution Guardrails", "display_name": "T1480 - Execution Guardrails" }, { "id": "T1553", "name": "Subvert Trust Controls", "display_name": "T1553 - Subvert Trust Controls" }, { "id": "T1568", "name": "Dynamic Resolution", "display_name": "T1568 - Dynamic Resolution" }, { "id": "T1583", "name": "Acquire Infrastructure", "display_name": "T1583 - Acquire Infrastructure" }, { "id": "T1140", "name": "Deobfuscate/Decode Files or Information", "display_name": "T1140 - Deobfuscate/Decode Files or Information" }, { "id": "T1583.001", "name": "Domains", "display_name": "T1583.001 - Domains" }, { "id": "T1553.002", "name": "Code Signing", "display_name": "T1553.002 - Code Signing" }, { "id": "T1069.002", "name": "Domain Groups", "display_name": "T1069.002 - Domain Groups" }, { "id": "T1071.004", "name": "DNS", "display_name": "T1071.004 - DNS" }, { "id": "T1568.002", "name": "Domain Generation Algorithms", "display_name": "T1568.002 - Domain Generation Algorithms" }, { "id": "T1071.001", "name": "Web Protocols", "display_name": "T1071.001 - Web Protocols" }, { "id": "T1113", "name": "Screen Capture", "display_name": "T1113 - Screen Capture" }, { "id": "T1063", "name": "Security Software Discovery", "display_name": "T1063 - Security Software Discovery" }, { "id": "T1119", "name": "Automated Collection", "display_name": "T1119 - Automated Collection" }, { "id": "T1053", "name": "Scheduled Task/Job", "display_name": "T1053 - Scheduled Task/Job" }, { "id": "T1055", "name": "Process Injection", "display_name": "T1055 - Process Injection" }, { "id": "T1082", "name": "System Information Discovery", "display_name": "T1082 - System Information Discovery" }, { "id": "T1112", "name": "Modify Registry", "display_name": "T1112 - Modify Registry" }, { "id": "T1129", "name": "Shared Modules", "display_name": "T1129 - Shared Modules" }, { "id": "T1143", "name": "Hidden Window", "display_name": "T1143 - Hidden Window" }, { "id": "T1562", "name": "Impair Defenses", "display_name": "T1562 - Impair Defenses" }, { "id": "T1204.003", "name": "Malicious Image", "display_name": "T1204.003 - Malicious Image" }, { "id": "T1457", "name": "Malicious Media Content", "display_name": "T1457 - Malicious Media Content" }, { "id": "T1204.001", "name": "Malicious Link", "display_name": "T1204.001 - Malicious Link" }, { "id": "T1155", "name": "AppleScript", "display_name": "T1155 - AppleScript" }, { "id": "T1449", "name": "Exploit SS7 to Redirect Phone Calls/SMS", "display_name": "T1449 - Exploit SS7 to Redirect Phone Calls/SMS" } ], "industries": [], "TLP": "green", "cloned_from": null, "export_count": 1, "upvotes_count": 0, "downvotes_count": 0, "votes_count": 0, "locked": false, "pulse_source": "web", "validator_count": 0, "comment_count": 0, "follower_count": 0, "vote": 0, "author": { "username": "Q.Vashti", "id": "337942", "avatar_url": "https://otx.alienvault.com/assets/images/default-avatar.png", "is_subscribed": false, "is_following": false }, "indicator_type_counts": { "URL": 2543, "hostname": 848, "FileHash-SHA256": 1320, "SSLCertFingerprint": 25, "domain": 463, "FileHash-MD5": 418, "FileHash-SHA1": 197, "email": 2 }, "indicator_count": 5816, "is_author": false, "is_subscribing": null, "subscriber_count": 138, "modified_text": "73 days ago ", "is_modified": true, "groups": [], "in_group": false, "threat_hunter_scannable": true, "threat_hunter_has_agents": 1, "related_indicator_type": "URL", "related_indicator_is_active": 1 }, { "id": "695ea667a062ed6688b104ab", "name": "Frost Security | Attorneys | Government | Crazy | Stop Tampering ", "description": "", "modified": "2026-01-07T18:31:03.104000", "created": "2026-01-07T18:31:03.104000", "tags": [ "active", "type win32", "exe size", "first seen", "malicious avg", "win32", "gdata", "dynamicloader", "fe ff", "high", "write c", "data", "x00bx00", "uswv", "write", "redline", "stream", "guard", "malware", "push", "local", "crazyfrost", "adversarial", "hacker", "extraction", "enter sc", "data upload", "extre data", "included iocs", "url http", "url https", "include review", "exclude sugges", "frost security", "windir", "openurl c", "prefetch2", "analysis", "tor analysis", "dns requests", "domain address", "contacted hosts", "ip address", "process details", "learn", "ck id", "name tactics", "suspicious", "informative", "command", "spawns", "defense evasion", "t1480 execution", "signing defense", "united", "flag", "contacted", "http traffic", "file defense", "mitre att", "ck techniques", "evasion att", "belize", "div div", "passive dns", "link", "ipv4 add", "url analysis", "urls", "files", "meta", "ddos", "indicators show", "search", "type indicator", "role title", "added active", "related pulses", "hostname", "types", "hosanna", "x show", "ck ids", "t1060", "run keys", "startup", "folder", "t1036", "capture", "cookie", "palantir", "indicator role", "active related", "description", "trump supporter", "types of", "germany", "china", "netherlands", "https", "notice", "billions", "stop", "boobs130432 no", "expiration", "location poland", "asn as29522", "learn more", "domain", "foundry", "hallrender", "brian sabey", "tam legal", "christopher p ahmann", "palantir", "quasi government", "pentagon" ], "references": [ "http://www.crazyfrost.com/wp-content/uploads/2011/01/%D0%BA%D0%BE%D0%BB%D0%BB%D0%B0%D0%B68.jpg\t URL", "http://frostsecurity.net/frost/driver/ \u2022 http://frostsecurity.net/frost/frostupdater/", "https://tamlegal.com/attorneys/christopher-p-ahmann/", "https://www.hallrender.com/attorney/brian-sabey/Accept", "https://www.pornhub.com/gifs/search?search=tsara+lynn+brashears+lesbian", "http://mypornvid.com/videos/27/x510fb2/white-dpt-jeffrey-reimer-loves-pretty-indian-patient-forces-sex-3gp-video-tsara-brashears/caillou-finger-family", "http://vtwctr.org/explore/tsara-brashears-defeats-jeffrey-reimer/ phishing", "http://alohatube.xyz/search/tsara-brashears No Expiration\t278\t URL http://alohatube.xyz/search/tsara-brashears/ No Expiration\t62\t URL http://amp.mypornvid.fun/videos/2/SLFGMWoQaCU/white-dpt-jeffrey-reimer-loves-pretty-indian-patient-forces-sex-3gp-video-tsara-brashears No Expiration\t49\t URL http://anybunny.tv/search/tsara-brashears-submission-on-august-27-via-manual.html&us No Expiration\t27\t URL http://browntubeporn.com/tsara-brashears.html No Expiration\t40\t URL http://flexporn.net/tsara-brashears.html", "http://wapwon.live/category/tsara-brashears-assaulted-by-jeffrey-reimerAccept-Languauge phishing", "https://www.anyxxxtube.net/search-porn/tsara-brashears/ phishing", "http://advocate-smyslova.ru/tsara-brashears/", "http://pixelrz.com/lists/keywords/tsara-brashears-jeffrey-reimer-porn/;0.48692189815948833", "http://orangeporntube.net/tsara-brashears.html", "http://onlyindianporn2.com/videos/tsara-brashears/", "http://videolal.com/tsara-brashears-dead.html", "http://siteinlink.d1.cnbd.net/search/tsara-brashears-dead/", "http://www.music-forum.org/www-cixiu888-com-tsara-brashears.html", "http://wapwon.live/category/tsara-brashears-assaulted-by-jeffrey-reimerAccept-Language", "http://www.bukaporn.net/trend/tsara-brashears/ No Expiration\t41\t URL http://www.gdsl-pallemoebler.info/seach/tsara-brashears/", "http://www.sexpornimages.com/tsara/tsara-lynn-brashears-porn/7x56y.html No Expiration\t41\t URL http://www.sweetheartvideo.com/tsara-brashears No Expiration\t81\t URL http://www.tryporn.net/seach/tsara-brashears/ No Expiration\t41\t URL http://www.tryporno.net/movies/tsara-brashears/ No Expiration\t42\t URL https://alohatube.xyz/search/tsara-brashears No Expiration\t211\t URL https://alohatube.xyz/search/tsara-brashears+ No Expiration\t51\t URL https://browntubeporn.com/tsara-brashearsAccept-Language No Expiratio", "http://www.sexpornimages.com/tsara/tsara-lynn-brashears-porn/7x56y.html", "https://browntubeporn.com/tsara-brashearsAccept-Language", "http://www.tryporn.net/seach/tsara-brashears/", "https://alohatube.xyz/search/tsara-brashearsL", "http://onlyindianporn2.com/videos/tsara-brashears/", "http://orangeporntube.net/tsara-brashears.html", "https://www.dirtsearch.org/data/TSARA/BRASHEARS/", "https://youjizz.sex/tsara-brashears.html", "https://www.feestzalenvanvlaanderen.be/seach/tsara-brashears/", "https://www.xvxx.me/search/tsara-brashears/", "https://wallpapers-nature.com/tsara-brashears/tse1-mm-bing-net", "https://www.sweetheartvideo.com/tsara-brashear", "https://wallpapers-nature.com/tsara-brashears/urlscan-io", "http://www.gdsl-pallemoebler.info/seach/tsara-brashears/", "http://www.bukaporn.net/trend/tsara-brashears/", "tsara-brashears-deadspin-twitter-suspended-account-help.ht", "https://mom2fuck.mobi/tsara-brashears.html", "http://vtwctr.org/explore/tsara- brashears-defeats-jeffrey-reimer/", "http://www.anyxxxtube.net/search-porn/tsara-brashears", "www.palantir.com \u2022 palantir.io \u2022 http://datafoundry.com/", "http://watchhers.net/index.php \u2022 foundry2sdbl.dvr.dn2.n-helix.com", "https://steam.exacg.cc/ \u2022 http://tesgm.ru/_ld/5/584_steam_apidll_Th.rar", "Targeting Tsara Brasheras and associated", "Targeting Candace Owens" ], "public": 1, "adversary": "", "targeted_countries": [], "malware_families": [ { "id": "Ms Defender\tALF:HeraklezEval:Trojan:Win32/ClipBanker", "display_name": "Ms Defender\tALF:HeraklezEval:Trojan:Win32/ClipBanker", "target": null }, { "id": "Other Malware", "display_name": "Other Malware", "target": null } ], "attack_ids": [ { "id": "T1119", "name": "Automated Collection", "display_name": "T1119 - Automated Collection" }, { "id": "T1027", "name": "Obfuscated Files or Information", "display_name": "T1027 - Obfuscated Files or Information" }, { "id": "T1057", "name": "Process Discovery", "display_name": "T1057 - Process Discovery" }, { "id": "T1069", "name": "Permission Groups Discovery", "display_name": "T1069 - Permission Groups Discovery" }, { "id": "T1071", "name": "Application Layer Protocol", "display_name": "T1071 - Application Layer Protocol" }, { "id": "T1105", "name": "Ingress Tool Transfer", "display_name": "T1105 - Ingress Tool Transfer" }, { "id": "T1480", "name": "Execution Guardrails", "display_name": "T1480 - Execution Guardrails" }, { "id": "T1553", "name": "Subvert Trust Controls", "display_name": "T1553 - Subvert Trust Controls" }, { "id": "T1457", "name": "Malicious Media Content", "display_name": "T1457 - Malicious Media Content" }, { "id": "T1071.004", "name": "DNS", "display_name": "T1071.004 - DNS" }, { "id": "T1116", "name": "Code Signing", "display_name": "T1116 - Code Signing" }, { "id": "T1036", "name": "Masquerading", "display_name": "T1036 - Masquerading" }, { "id": "T1036.004", "name": "Masquerade Task or Service", "display_name": "T1036.004 - Masquerade Task or Service" }, { "id": "T1043", "name": "Commonly Used Port", "display_name": "T1043 - Commonly Used Port" }, { "id": "T1051", "name": "Shared Webroot", "display_name": "T1051 - Shared Webroot" }, { "id": "T1053", "name": "Scheduled Task/Job", "display_name": "T1053 - Scheduled Task/Job" }, { "id": "T1055", "name": "Process Injection", "display_name": "T1055 - Process Injection" }, { "id": "T1056", "name": "Input Capture", "display_name": "T1056 - Input Capture" }, { "id": "T1060", "name": "Registry Run Keys / Startup Folder", "display_name": "T1060 - Registry Run Keys / Startup Folder" }, { "id": "T1068", "name": "Exploitation for Privilege Escalation", "display_name": "T1068 - Exploitation for Privilege Escalation" }, { "id": "T1080", "name": "Taint Shared Content", "display_name": "T1080 - Taint Shared Content" }, { "id": "T1082", "name": "System Information Discovery", "display_name": "T1082 - System Information Discovery" }, { "id": "T1085", "name": "Rundll32", "display_name": "T1085 - Rundll32" }, { "id": "T1114", "name": "Email Collection", "display_name": "T1114 - Email Collection" }, { "id": "T1123", "name": "Audio Capture", "display_name": "T1123 - Audio Capture" }, { "id": "T1125", "name": "Video Capture", "display_name": "T1125 - Video Capture" }, { "id": "T1129", "name": "Shared Modules", "display_name": "T1129 - Shared Modules" }, { "id": "T1140", "name": "Deobfuscate/Decode Files or Information", "display_name": "T1140 - Deobfuscate/Decode Files or Information" }, { "id": "T1143", "name": "Hidden Window", "display_name": "T1143 - Hidden Window" }, { "id": "T1155", "name": "AppleScript", "display_name": "T1155 - AppleScript" }, { "id": "T1179", "name": "Hooking", "display_name": "T1179 - Hooking" }, { "id": "T1190", "name": "Exploit Public-Facing Application", "display_name": "T1190 - Exploit Public-Facing Application" }, { "id": "T1210", "name": "Exploitation of Remote Services", "display_name": "T1210 - Exploitation of Remote Services" }, { "id": "T1449", "name": "Exploit SS7 to Redirect Phone Calls/SMS", "display_name": "T1449 - Exploit SS7 to Redirect Phone Calls/SMS" }, { "id": "T1472", "name": "Generate Fraudulent Advertising Revenue", "display_name": "T1472 - Generate Fraudulent Advertising Revenue" }, { "id": "T1506", "name": "Web Session Cookie", "display_name": "T1506 - Web Session Cookie" }, { "id": "T1512", "name": "Capture Camera", "display_name": "T1512 - Capture Camera" }, { "id": "T1566", "name": "Phishing", "display_name": "T1566 - Phishing" }, { "id": "T1583", "name": "Acquire Infrastructure", "display_name": "T1583 - Acquire Infrastructure" }, { "id": "T1586", "name": "Compromise Accounts", "display_name": "T1586 - Compromise Accounts" }, { "id": "T1598", "name": "Phishing for Information", "display_name": "T1598 - Phishing for Information" } ], "industries": [ "Government", "Defense", "Healthcare" ], "TLP": "green", "cloned_from": "692897a64c0e255409b5a67e", "export_count": 4, "upvotes_count": 0, "downvotes_count": 0, "votes_count": 0, "locked": false, "pulse_source": "web", "validator_count": 0, "comment_count": 0, "follower_count": 0, "vote": 0, "author": { "username": "Q.Vashti", "id": "337942", "avatar_url": "https://otx.alienvault.com/assets/images/default-avatar.png", "is_subscribed": false, "is_following": false }, "indicator_type_counts": { "URL": 3709, "hostname": 1109, "FileHash-SHA256": 2872, "FileHash-MD5": 214, "FileHash-SHA1": 203, "domain": 557 }, "indicator_count": 8664, "is_author": false, "is_subscribing": null, "subscriber_count": 140, "modified_text": "102 days ago ", "is_modified": false, "groups": [], "in_group": false, "threat_hunter_scannable": true, "threat_hunter_has_agents": 1, "related_indicator_type": "URL", "related_indicator_is_active": 1 }, { "id": "695ea6590a50f71a156c9a7f", "name": "Frost Security | Attorneys | Government | Crazy | Stop Tampering ", "description": "", "modified": "2026-01-07T18:30:49.442000", "created": "2026-01-07T18:30:49.442000", "tags": [ "active", "type win32", "exe size", "first seen", "malicious avg", "win32", "gdata", "dynamicloader", "fe ff", "high", "write c", "data", "x00bx00", "uswv", "write", "redline", "stream", "guard", "malware", "push", "local", "crazyfrost", "adversarial", "hacker", "extraction", "enter sc", "data upload", "extre data", "included iocs", "url http", "url https", "include review", "exclude sugges", "frost security", "windir", "openurl c", "prefetch2", "analysis", "tor analysis", "dns requests", "domain address", "contacted hosts", "ip address", "process details", "learn", "ck id", "name tactics", "suspicious", "informative", "command", "spawns", "defense evasion", "t1480 execution", "signing defense", "united", "flag", "contacted", "http traffic", "file defense", "mitre att", "ck techniques", "evasion att", "belize", "div div", "passive dns", "link", "ipv4 add", "url analysis", "urls", "files", "meta", "ddos", "indicators show", "search", "type indicator", "role title", "added active", "related pulses", "hostname", "types", "hosanna", "x show", "ck ids", "t1060", "run keys", "startup", "folder", "t1036", "capture", "cookie", "palantir", "indicator role", "active related", "description", "trump supporter", "types of", "germany", "china", "netherlands", "https", "notice", "billions", "stop", "boobs130432 no", "expiration", "location poland", "asn as29522", "learn more", "domain", "foundry", "hallrender", "brian sabey", "tam legal", "christopher p ahmann", "palantir", "quasi government", "pentagon" ], "references": [ "http://www.crazyfrost.com/wp-content/uploads/2011/01/%D0%BA%D0%BE%D0%BB%D0%BB%D0%B0%D0%B68.jpg\t URL", "http://frostsecurity.net/frost/driver/ \u2022 http://frostsecurity.net/frost/frostupdater/", "https://tamlegal.com/attorneys/christopher-p-ahmann/", "https://www.hallrender.com/attorney/brian-sabey/Accept", "https://www.pornhub.com/gifs/search?search=tsara+lynn+brashears+lesbian", "http://mypornvid.com/videos/27/x510fb2/white-dpt-jeffrey-reimer-loves-pretty-indian-patient-forces-sex-3gp-video-tsara-brashears/caillou-finger-family", "http://vtwctr.org/explore/tsara-brashears-defeats-jeffrey-reimer/ phishing", "http://alohatube.xyz/search/tsara-brashears No Expiration\t278\t URL http://alohatube.xyz/search/tsara-brashears/ No Expiration\t62\t URL http://amp.mypornvid.fun/videos/2/SLFGMWoQaCU/white-dpt-jeffrey-reimer-loves-pretty-indian-patient-forces-sex-3gp-video-tsara-brashears No Expiration\t49\t URL http://anybunny.tv/search/tsara-brashears-submission-on-august-27-via-manual.html&us No Expiration\t27\t URL http://browntubeporn.com/tsara-brashears.html No Expiration\t40\t URL http://flexporn.net/tsara-brashears.html", "http://wapwon.live/category/tsara-brashears-assaulted-by-jeffrey-reimerAccept-Languauge phishing", "https://www.anyxxxtube.net/search-porn/tsara-brashears/ phishing", "http://advocate-smyslova.ru/tsara-brashears/", "http://pixelrz.com/lists/keywords/tsara-brashears-jeffrey-reimer-porn/;0.48692189815948833", "http://orangeporntube.net/tsara-brashears.html", "http://onlyindianporn2.com/videos/tsara-brashears/", "http://videolal.com/tsara-brashears-dead.html", "http://siteinlink.d1.cnbd.net/search/tsara-brashears-dead/", "http://www.music-forum.org/www-cixiu888-com-tsara-brashears.html", "http://wapwon.live/category/tsara-brashears-assaulted-by-jeffrey-reimerAccept-Language", "http://www.bukaporn.net/trend/tsara-brashears/ No Expiration\t41\t URL http://www.gdsl-pallemoebler.info/seach/tsara-brashears/", "http://www.sexpornimages.com/tsara/tsara-lynn-brashears-porn/7x56y.html No Expiration\t41\t URL http://www.sweetheartvideo.com/tsara-brashears No Expiration\t81\t URL http://www.tryporn.net/seach/tsara-brashears/ No Expiration\t41\t URL http://www.tryporno.net/movies/tsara-brashears/ No Expiration\t42\t URL https://alohatube.xyz/search/tsara-brashears No Expiration\t211\t URL https://alohatube.xyz/search/tsara-brashears+ No Expiration\t51\t URL https://browntubeporn.com/tsara-brashearsAccept-Language No Expiratio", "http://www.sexpornimages.com/tsara/tsara-lynn-brashears-porn/7x56y.html", "https://browntubeporn.com/tsara-brashearsAccept-Language", "http://www.tryporn.net/seach/tsara-brashears/", "https://alohatube.xyz/search/tsara-brashearsL", "http://onlyindianporn2.com/videos/tsara-brashears/", "http://orangeporntube.net/tsara-brashears.html", "https://www.dirtsearch.org/data/TSARA/BRASHEARS/", "https://youjizz.sex/tsara-brashears.html", "https://www.feestzalenvanvlaanderen.be/seach/tsara-brashears/", "https://www.xvxx.me/search/tsara-brashears/", "https://wallpapers-nature.com/tsara-brashears/tse1-mm-bing-net", "https://www.sweetheartvideo.com/tsara-brashear", "https://wallpapers-nature.com/tsara-brashears/urlscan-io", "http://www.gdsl-pallemoebler.info/seach/tsara-brashears/", "http://www.bukaporn.net/trend/tsara-brashears/", "tsara-brashears-deadspin-twitter-suspended-account-help.ht", "https://mom2fuck.mobi/tsara-brashears.html", "http://vtwctr.org/explore/tsara- brashears-defeats-jeffrey-reimer/", "http://www.anyxxxtube.net/search-porn/tsara-brashears", "www.palantir.com \u2022 palantir.io \u2022 http://datafoundry.com/", "http://watchhers.net/index.php \u2022 foundry2sdbl.dvr.dn2.n-helix.com", "https://steam.exacg.cc/ \u2022 http://tesgm.ru/_ld/5/584_steam_apidll_Th.rar", "Targeting Tsara Brasheras and associated", "Targeting Candace Owens" ], "public": 1, "adversary": "", "targeted_countries": [], "malware_families": [ { "id": "Ms Defender\tALF:HeraklezEval:Trojan:Win32/ClipBanker", "display_name": "Ms Defender\tALF:HeraklezEval:Trojan:Win32/ClipBanker", "target": null }, { "id": "Other Malware", "display_name": "Other Malware", "target": null } ], "attack_ids": [ { "id": "T1119", "name": "Automated Collection", "display_name": "T1119 - Automated Collection" }, { "id": "T1027", "name": "Obfuscated Files or Information", "display_name": "T1027 - Obfuscated Files or Information" }, { "id": "T1057", "name": "Process Discovery", "display_name": "T1057 - Process Discovery" }, { "id": "T1069", "name": "Permission Groups Discovery", "display_name": "T1069 - Permission Groups Discovery" }, { "id": "T1071", "name": "Application Layer Protocol", "display_name": "T1071 - Application Layer Protocol" }, { "id": "T1105", "name": "Ingress Tool Transfer", "display_name": "T1105 - Ingress Tool Transfer" }, { "id": "T1480", "name": "Execution Guardrails", "display_name": "T1480 - Execution Guardrails" }, { "id": "T1553", "name": "Subvert Trust Controls", "display_name": "T1553 - Subvert Trust Controls" }, { "id": "T1457", "name": "Malicious Media Content", "display_name": "T1457 - Malicious Media Content" }, { "id": "T1071.004", "name": "DNS", "display_name": "T1071.004 - DNS" }, { "id": "T1116", "name": "Code Signing", "display_name": "T1116 - Code Signing" }, { "id": "T1036", "name": "Masquerading", "display_name": "T1036 - Masquerading" }, { "id": "T1036.004", "name": "Masquerade Task or Service", "display_name": "T1036.004 - Masquerade Task or Service" }, { "id": "T1043", "name": "Commonly Used Port", "display_name": "T1043 - Commonly Used Port" }, { "id": "T1051", "name": "Shared Webroot", "display_name": "T1051 - Shared Webroot" }, { "id": "T1053", "name": "Scheduled Task/Job", "display_name": "T1053 - Scheduled Task/Job" }, { "id": "T1055", "name": "Process Injection", "display_name": "T1055 - Process Injection" }, { "id": "T1056", "name": "Input Capture", "display_name": "T1056 - Input Capture" }, { "id": "T1060", "name": "Registry Run Keys / Startup Folder", "display_name": "T1060 - Registry Run Keys / Startup Folder" }, { "id": "T1068", "name": "Exploitation for Privilege Escalation", "display_name": "T1068 - Exploitation for Privilege Escalation" }, { "id": "T1080", "name": "Taint Shared Content", "display_name": "T1080 - Taint Shared Content" }, { "id": "T1082", "name": "System Information Discovery", "display_name": "T1082 - System Information Discovery" }, { "id": "T1085", "name": "Rundll32", "display_name": "T1085 - Rundll32" }, { "id": "T1114", "name": "Email Collection", "display_name": "T1114 - Email Collection" }, { "id": "T1123", "name": "Audio Capture", "display_name": "T1123 - Audio Capture" }, { "id": "T1125", "name": "Video Capture", "display_name": "T1125 - Video Capture" }, { "id": "T1129", "name": "Shared Modules", "display_name": "T1129 - Shared Modules" }, { "id": "T1140", "name": "Deobfuscate/Decode Files or Information", "display_name": "T1140 - Deobfuscate/Decode Files or Information" }, { "id": "T1143", "name": "Hidden Window", "display_name": "T1143 - Hidden Window" }, { "id": "T1155", "name": "AppleScript", "display_name": "T1155 - AppleScript" }, { "id": "T1179", "name": "Hooking", "display_name": "T1179 - Hooking" }, { "id": "T1190", "name": "Exploit Public-Facing Application", "display_name": "T1190 - Exploit Public-Facing Application" }, { "id": "T1210", "name": "Exploitation of Remote Services", "display_name": "T1210 - Exploitation of Remote Services" }, { "id": "T1449", "name": "Exploit SS7 to Redirect Phone Calls/SMS", "display_name": "T1449 - Exploit SS7 to Redirect Phone Calls/SMS" }, { "id": "T1472", "name": "Generate Fraudulent Advertising Revenue", "display_name": "T1472 - Generate Fraudulent Advertising Revenue" }, { "id": "T1506", "name": "Web Session Cookie", "display_name": "T1506 - Web Session Cookie" }, { "id": "T1512", "name": "Capture Camera", "display_name": "T1512 - Capture Camera" }, { "id": "T1566", "name": "Phishing", "display_name": "T1566 - Phishing" }, { "id": "T1583", "name": "Acquire Infrastructure", "display_name": "T1583 - Acquire Infrastructure" }, { "id": "T1586", "name": "Compromise Accounts", "display_name": "T1586 - Compromise Accounts" }, { "id": "T1598", "name": "Phishing for Information", "display_name": "T1598 - Phishing for Information" } ], "industries": [ "Government", "Defense", "Healthcare" ], "TLP": "green", "cloned_from": "692897a64c0e255409b5a67e", "export_count": 2, "upvotes_count": 0, "downvotes_count": 0, "votes_count": 0, "locked": false, "pulse_source": "web", "validator_count": 0, "comment_count": 0, "follower_count": 0, "vote": 0, "author": { "username": "Q.Vashti", "id": "337942", "avatar_url": "https://otx.alienvault.com/assets/images/default-avatar.png", "is_subscribed": false, "is_following": false }, "indicator_type_counts": { "URL": 3709, "hostname": 1109, "FileHash-SHA256": 2872, "FileHash-MD5": 214, "FileHash-SHA1": 203, "domain": 557 }, "indicator_count": 8664, "is_author": false, "is_subscribing": null, "subscriber_count": 138, "modified_text": "102 days ago ", "is_modified": false, "groups": [], "in_group": false, "threat_hunter_scannable": true, "threat_hunter_has_agents": 1, "related_indicator_type": "URL", "related_indicator_is_active": 1 }, { "id": "692897a64c0e255409b5a67e", "name": "Frost Security | Attorneys | Government | Crazy", "description": "Dangerous. Being abused by the usual quasi government suspects. Affecting many targets including Candace Owens. Who can you turn to when your own government is 100% corrupt. \n\nCall me crazy. Idk. DJT was likely shot with a High Velocity Paint Ball. Why isn\u2019t anyone interviewing the families of the 3 \u2018allegedly\u2019 successfully assassinated. \n\nIs Charlie Kirk Dead or in hiding, an alien that doesn\u2019t bleed? \n\nLook it up. High Velocity Paint Ball is a very intensely underrated, nharsky spoken about sport enjoyed by gun enthusiast , snipers , military, civilians. Something weird is going on and it\u2019s actually obvious because they just want results.\n There\u2019s more disturbing things to come. I think more people are being taken out this way than we know.\nBy now I\u2019m under too much surveillance to just leave out casually. \nTerrifying for sure. I know Hos of the Bible is bigger.", "modified": "2025-12-27T17:01:06.155000", "created": "2025-11-27T18:25:42.570000", "tags": [ "active", "type win32", "exe size", "first seen", "malicious avg", "win32", "gdata", "dynamicloader", "fe ff", "high", "write c", "data", "x00bx00", "uswv", "write", "redline", "stream", "guard", "malware", "push", "local", "crazyfrost", "adversarial", "hacker", "extraction", "enter sc", "data upload", "extre data", "included iocs", "url http", "url https", "include review", "exclude sugges", "frost security", "windir", "openurl c", "prefetch2", "analysis", "tor analysis", "dns requests", "domain address", "contacted hosts", "ip address", "process details", "learn", "ck id", "name tactics", "suspicious", "informative", "command", "spawns", "defense evasion", "t1480 execution", "signing defense", "united", "flag", "contacted", "http traffic", "file defense", "mitre att", "ck techniques", "evasion att", "belize", "div div", "passive dns", "link", "ipv4 add", "url analysis", "urls", "files", "meta", "ddos", "indicators show", "search", "type indicator", "role title", "added active", "related pulses", "hostname", "types", "hosanna", "x show", "ck ids", "t1060", "run keys", "startup", "folder", "t1036", "capture", "cookie", "palantir", "indicator role", "active related", "description", "trump supporter", "types of", "germany", "china", "netherlands", "https", "notice", "billions", "stop", "boobs130432 no", "expiration", "location poland", "asn as29522", "learn more", "domain", "foundry", "hallrender", "brian sabey", "tam legal", "christopher p ahmann", "palantir", "quasi government", "pentagon" ], "references": [ "http://www.crazyfrost.com/wp-content/uploads/2011/01/%D0%BA%D0%BE%D0%BB%D0%BB%D0%B0%D0%B68.jpg\t URL", "http://frostsecurity.net/frost/driver/ \u2022 http://frostsecurity.net/frost/frostupdater/", "https://tamlegal.com/attorneys/christopher-p-ahmann/", "https://www.hallrender.com/attorney/brian-sabey/Accept", "https://www.pornhub.com/gifs/search?search=tsara+lynn+brashears+lesbian", "http://mypornvid.com/videos/27/x510fb2/white-dpt-jeffrey-reimer-loves-pretty-indian-patient-forces-sex-3gp-video-tsara-brashears/caillou-finger-family", "http://vtwctr.org/explore/tsara-brashears-defeats-jeffrey-reimer/ phishing", "http://alohatube.xyz/search/tsara-brashears No Expiration\t278\t URL http://alohatube.xyz/search/tsara-brashears/ No Expiration\t62\t URL http://amp.mypornvid.fun/videos/2/SLFGMWoQaCU/white-dpt-jeffrey-reimer-loves-pretty-indian-patient-forces-sex-3gp-video-tsara-brashears No Expiration\t49\t URL http://anybunny.tv/search/tsara-brashears-submission-on-august-27-via-manual.html&us No Expiration\t27\t URL http://browntubeporn.com/tsara-brashears.html No Expiration\t40\t URL http://flexporn.net/tsara-brashears.html", "http://wapwon.live/category/tsara-brashears-assaulted-by-jeffrey-reimerAccept-Languauge phishing", "https://www.anyxxxtube.net/search-porn/tsara-brashears/ phishing", "http://advocate-smyslova.ru/tsara-brashears/", "http://pixelrz.com/lists/keywords/tsara-brashears-jeffrey-reimer-porn/;0.48692189815948833", "http://orangeporntube.net/tsara-brashears.html", "http://onlyindianporn2.com/videos/tsara-brashears/", "http://videolal.com/tsara-brashears-dead.html", "http://siteinlink.d1.cnbd.net/search/tsara-brashears-dead/", "http://www.music-forum.org/www-cixiu888-com-tsara-brashears.html", "http://wapwon.live/category/tsara-brashears-assaulted-by-jeffrey-reimerAccept-Language", "http://www.bukaporn.net/trend/tsara-brashears/ No Expiration\t41\t URL http://www.gdsl-pallemoebler.info/seach/tsara-brashears/", "http://www.sexpornimages.com/tsara/tsara-lynn-brashears-porn/7x56y.html No Expiration\t41\t URL http://www.sweetheartvideo.com/tsara-brashears No Expiration\t81\t URL http://www.tryporn.net/seach/tsara-brashears/ No Expiration\t41\t URL http://www.tryporno.net/movies/tsara-brashears/ No Expiration\t42\t URL https://alohatube.xyz/search/tsara-brashears No Expiration\t211\t URL https://alohatube.xyz/search/tsara-brashears+ No Expiration\t51\t URL https://browntubeporn.com/tsara-brashearsAccept-Language No Expiratio", "http://www.sexpornimages.com/tsara/tsara-lynn-brashears-porn/7x56y.html", "https://browntubeporn.com/tsara-brashearsAccept-Language", "http://www.tryporn.net/seach/tsara-brashears/", "https://alohatube.xyz/search/tsara-brashearsL", "http://onlyindianporn2.com/videos/tsara-brashears/", "http://orangeporntube.net/tsara-brashears.html", "https://www.dirtsearch.org/data/TSARA/BRASHEARS/", "https://youjizz.sex/tsara-brashears.html", "https://www.feestzalenvanvlaanderen.be/seach/tsara-brashears/", "https://www.xvxx.me/search/tsara-brashears/", "https://wallpapers-nature.com/tsara-brashears/tse1-mm-bing-net", "https://www.sweetheartvideo.com/tsara-brashear", "https://wallpapers-nature.com/tsara-brashears/urlscan-io", "http://www.gdsl-pallemoebler.info/seach/tsara-brashears/", "http://www.bukaporn.net/trend/tsara-brashears/", "tsara-brashears-deadspin-twitter-suspended-account-help.ht", "https://mom2fuck.mobi/tsara-brashears.html", "http://vtwctr.org/explore/tsara- brashears-defeats-jeffrey-reimer/", "http://www.anyxxxtube.net/search-porn/tsara-brashears", "www.palantir.com \u2022 palantir.io \u2022 http://datafoundry.com/", "http://watchhers.net/index.php \u2022 foundry2sdbl.dvr.dn2.n-helix.com", "https://steam.exacg.cc/ \u2022 http://tesgm.ru/_ld/5/584_steam_apidll_Th.rar", "Targeting Tsara Brasheras and associated", "Targeting Candace Owens" ], "public": 1, "adversary": "", "targeted_countries": [], "malware_families": [ { "id": "Ms Defender\tALF:HeraklezEval:Trojan:Win32/ClipBanker", "display_name": "Ms Defender\tALF:HeraklezEval:Trojan:Win32/ClipBanker", "target": null }, { "id": "Other Malware", "display_name": "Other Malware", "target": null } ], "attack_ids": [ { "id": "T1119", "name": "Automated Collection", "display_name": "T1119 - Automated Collection" }, { "id": "T1027", "name": "Obfuscated Files or Information", "display_name": "T1027 - Obfuscated Files or Information" }, { "id": "T1057", "name": "Process Discovery", "display_name": "T1057 - Process Discovery" }, { "id": "T1069", "name": "Permission Groups Discovery", "display_name": "T1069 - Permission Groups Discovery" }, { "id": "T1071", "name": "Application Layer Protocol", "display_name": "T1071 - Application Layer Protocol" }, { "id": "T1105", "name": "Ingress Tool Transfer", "display_name": "T1105 - Ingress Tool Transfer" }, { "id": "T1480", "name": "Execution Guardrails", "display_name": "T1480 - Execution Guardrails" }, { "id": "T1553", "name": "Subvert Trust Controls", "display_name": "T1553 - Subvert Trust Controls" }, { "id": "T1457", "name": "Malicious Media Content", "display_name": "T1457 - Malicious Media Content" }, { "id": "T1071.004", "name": "DNS", "display_name": "T1071.004 - DNS" }, { "id": "T1116", "name": "Code Signing", "display_name": "T1116 - Code Signing" }, { "id": "T1036", "name": "Masquerading", "display_name": "T1036 - Masquerading" }, { "id": "T1036.004", "name": "Masquerade Task or Service", "display_name": "T1036.004 - Masquerade Task or Service" }, { "id": "T1043", "name": "Commonly Used Port", "display_name": "T1043 - Commonly Used Port" }, { "id": "T1051", "name": "Shared Webroot", "display_name": "T1051 - Shared Webroot" }, { "id": "T1053", "name": "Scheduled Task/Job", "display_name": "T1053 - Scheduled Task/Job" }, { "id": "T1055", "name": "Process Injection", "display_name": "T1055 - Process Injection" }, { "id": "T1056", "name": "Input Capture", "display_name": "T1056 - Input Capture" }, { "id": "T1060", "name": "Registry Run Keys / Startup Folder", "display_name": "T1060 - Registry Run Keys / Startup Folder" }, { "id": "T1068", "name": "Exploitation for Privilege Escalation", "display_name": "T1068 - Exploitation for Privilege Escalation" }, { "id": "T1080", "name": "Taint Shared Content", "display_name": "T1080 - Taint Shared Content" }, { "id": "T1082", "name": "System Information Discovery", "display_name": "T1082 - System Information Discovery" }, { "id": "T1085", "name": "Rundll32", "display_name": "T1085 - Rundll32" }, { "id": "T1114", "name": "Email Collection", "display_name": "T1114 - Email Collection" }, { "id": "T1123", "name": "Audio Capture", "display_name": "T1123 - Audio Capture" }, { "id": "T1125", "name": "Video Capture", "display_name": "T1125 - Video Capture" }, { "id": "T1129", "name": "Shared Modules", "display_name": "T1129 - Shared Modules" }, { "id": "T1140", "name": "Deobfuscate/Decode Files or Information", "display_name": "T1140 - Deobfuscate/Decode Files or Information" }, { "id": "T1143", "name": "Hidden Window", "display_name": "T1143 - Hidden Window" }, { "id": "T1155", "name": "AppleScript", "display_name": "T1155 - AppleScript" }, { "id": "T1179", "name": "Hooking", "display_name": "T1179 - Hooking" }, { "id": "T1190", "name": "Exploit Public-Facing Application", "display_name": "T1190 - Exploit Public-Facing Application" }, { "id": "T1210", "name": "Exploitation of Remote Services", "display_name": "T1210 - Exploitation of Remote Services" }, { "id": "T1449", "name": "Exploit SS7 to Redirect Phone Calls/SMS", "display_name": "T1449 - Exploit SS7 to Redirect Phone Calls/SMS" }, { "id": "T1472", "name": "Generate Fraudulent Advertising Revenue", "display_name": "T1472 - Generate Fraudulent Advertising Revenue" }, { "id": "T1506", "name": "Web Session Cookie", "display_name": "T1506 - Web Session Cookie" }, { "id": "T1512", "name": "Capture Camera", "display_name": "T1512 - Capture Camera" }, { "id": "T1566", "name": "Phishing", "display_name": "T1566 - Phishing" }, { "id": "T1583", "name": "Acquire Infrastructure", "display_name": "T1583 - Acquire Infrastructure" }, { "id": "T1586", "name": "Compromise Accounts", "display_name": "T1586 - Compromise Accounts" }, { "id": "T1598", "name": "Phishing for Information", "display_name": "T1598 - Phishing for Information" } ], "industries": [ "Government", "Defense", "Healthcare" ], "TLP": "green", "cloned_from": null, "export_count": 10, "upvotes_count": 0, "downvotes_count": 0, "votes_count": 0, "locked": false, "pulse_source": "web", "validator_count": 0, "comment_count": 0, "follower_count": 0, "vote": 0, "author": { "username": "Q.Vashti", "id": "337942", "avatar_url": "https://otx.alienvault.com/assets/images/default-avatar.png", "is_subscribed": false, "is_following": false }, "indicator_type_counts": { "URL": 3709, "hostname": 1109, "FileHash-SHA256": 2872, "FileHash-MD5": 214, "FileHash-SHA1": 203, "domain": 557 }, "indicator_count": 8664, "is_author": false, "is_subscribing": null, "subscriber_count": 139, "modified_text": "113 days ago ", "is_modified": true, "groups": [], "in_group": false, "threat_hunter_scannable": true, "threat_hunter_has_agents": 1, "related_indicator_type": "URL", "related_indicator_is_active": 1 } ], "references": [ "Alerts: dynamic_function_loading reads_memory_remote_process packer_entropy network_http", "apple4you.it \u2022 https://www.apple4you.it/ \u2022 cpcalendars.apple4you.it \u2022 ftp.apple4you.it \u2022", "ELF:DDoS-S\\ [Trj] , Unix.Trojan.Gafgyt-6981154-0 , DDoS:Linux/Gafgyt.YA!MTB", "AppleWebKit Christopher P. \u2018BUZZ\u2019 Ahmann interference", "https://hybrid-analysis.com/sample/e4999984a69a65a69bec9fef1200f7ec36a10bc401cdd15db3510fdc87ec5008/697fb0fec4a9bda3410454cf", "https://youjizz.sex/tsara-brashears.html", "TAGS: sample analysis se domains search security quic add source level span spawns spy", "https://www.redporn.video/tsara-brashears-slandered-.htm \u2022 www.redporn.video \u2022 http://www.redporn", "iPhone Spyware - https://bam.nr-data.net/1/6f524845d1?a=24279235&v=1169.7b094c0&to=MwYEbUdYXxJQWhULDApMIExbWkUIXldOAQsFF0hPXFxGEgtrDg0OMgoDThteVBU%3D&rst=6546&ck=1&ref=https://chaturbate.com/notabottom/&ap=123&fe=4218&dc=4218&af=err", "https://wallpapers-nature.com/tsara-brashears/tse1-mm-bing-net", "https://www.xvxx.me/search/tsara-brashears/", "TAGS: expiration date explorer extraction facebook facebook failed february filehash files files ip", "output.228572717.txt [fb970a4bffed1d606a8d90369d43e3a73ea9c8dbcf1394745f1568500e918e1f]", "Yara Detections XOR_embeded_exefile_xored_with_round_256_bytes_key", "https://hybrid-analysis.com/sample/01a1a2106bcddc591cab08d31c13966bd0413fe312bce9be396e964e114631a6/697f8c04475b90e7fb0d7ff9", "IDS Detections: IP Check Domain (showmyipaddress .com in HTTP Host) External IP Lookup", "IDS Detections: Suspicious Activity potential UPnProxy", "https://cpcontacts.apple4you.it", "TAGS: av detections av exploit belgium belgium unknown binbusybox bits body canada unknown", "www.crazyfrost.com IPv4 104.21.5.49 IPv4 172.67.132.250", "http://wapwon.live/category/tsara-brashears-assaulted-by-jeffrey-reimerAccept-Languauge phishing", "www.palantir.com \u2022 palantir.io \u2022 http://datafoundry.com/", "http://www.crazyfrost.com\t\u2022 http://www.crazyfrost", "http://chaturbate.com/notabottom/\t\u2022 http://chaturbate.com/notabottom/\\", "Targeting Tsara Brasheras and associated", "https://www.sweetheartvideo.com/tsara-brashear", "TAGS: cloudflare cloudflarenet command config connection copy crazyfrost cyber attacks", "TAGS: add dynamicloader ecdsa echobot echobot related encrypt entries error evasion att", "IP\u2019s Contacted: 188.223.42.134 78.57.88.30 84.73.234.83 78.84.44.225 89.252.203.80", "TAGS: ilwysowa text informative intel mac ip address ip check ipv4 ipv4 add is__elf jamie oliver json khtml launcher learn leve blu linux x8664 live live screenshot local logs look m. brian sabey macintosh malware medium melvin sabey meta mitre att mobile ms windows mtb dec mtb yara name servers name tactics network traffic new browser next associated next yara niggercat none file null object os x outbound passive dns path pattern match pink screen port possible prefetch8 present dec present feb present jan", "Alerts: antiav_servicestop antisandbox_sleep process_creation_suspicious_location", "TAGS: data upload date date hash ddos dead connection default defense evasion delphi destination", "http://videolal.com/tsara-brashears-dead.html", "http://www.music-forum.org/www-cixiu888-com-tsara-brashears.html", "http://www.bukaporn.net/trend/tsara-brashears/", "iPhone Spyware - https://bam.nr-data.net/jserrors/ping/6f524845d1?a=24279235&v=1169.7b094c0&to=MwYEbUdYXxJQWhULDApMIExbWkUIXldOAQsFF0hPXFxGEgtrDg0OMgoDThteVBU%3D&rst=6546&ck=1&ref=https://chaturbate.com/notabottom/", "http://watchhers.net/index.php \u2022 foundry2sdbl.dvr.dn2.n-helix.com", "IDS Detections: Domain in DNS Lookup (whatismyipaddress .com) IP Check", "http://www.a.nigger.cat/ocnxdv.exe \u2022 https://a.nigger.cat/pwzbrt.txt", "TAGS: as29278 deninet as29728 cottage as47325 ascii text asn as29278 asn as29728 asn13335", "TAGS: json khtml launcher learn leve blu linux x8664 live live screenshot local logs look m. brian sabey", "Alerts: infostealer_cookies antiav_detectfile", "adsparkahz.shop \u2022 https://adsparkahz.shop/ \u2022 parkedbits.com", "http://www.gdsl-pallemoebler.info/seach/tsara-brashears/", "https://steam.exacg.cc/ \u2022 http://tesgm.ru/_ld/5/584_steam_apidll_Th.rar", "TAGS: flag gecko general general full general info generator geo hungary guard hackers hash hide", "Alerts: network_bind persistence_autorun binary_yara procmem_yara suricata_alert", "https://www.virustotal.com/gui/file/fb970a4bffed1d606a8d90369d43e3a73ea9c8dbcf1394745f1568500e918e1f/summary", "TAGS: samples high host hover httpsupgrades hu note hu seen hungary hungary asn hybrid ids detections ilwysowa text informative intel mac ip address ip check ipv4 ipv4 add is__elf jamie oliver json khtml launcher learn leve blu linux x8664 live live screenshot local logs look m. brian sabey macintosh malware medium melvin sabey meta mitre att mobile ms windows mtb dec mtb yara name servers name tactics network traffic new browser next associated next yara niggercat none file null object os x outbound passiv", "IDS Detections: Observed Cloudflare DNS over HTTPS Domain (cloudflare-dns .com in TLS SNI)", "IDS Detections: Win32/Pykspa.C Public IP Check IP Check Domain (whatismyip in HTTP Host)", "http://a.nigger.cat/ltbexb.jpg \u2022 http://a.nigger.cat/ocnxdv.exe \u2022 http://a.nigger.cat/ocnxdv.exe/", "nigger.cat \u2022 http://a.nigger.cat/ \u2022 http://a.nigger.cat/imrred.exe \u2022 http://a.nigger.cat/iwzptk.pdf \u2022", "TAGS: mtb yara name servers name tactics network traffic new browser next associated next", "TAGS: christopher p christopher p. \u2018buzz\u2019 ahmann ck id ck matrix ck techniques clare click cloud", "https://chaturbate.com/notabottom/", "http://spiritzuridgerunelahubcloudgusparkx.rest/", "TAGS: detection detections detections name development att direct dirty dns resolutions domain", "http://wapwon.live/category/tsara-brashears-assaulted-by-jeffrey-reimerAccept-Language", "https://www.pornhub.com/gifs/search?search=tsara+lynn+brashears+lesbian", "TAGS: yara niggercat none file null object os x outbound passive dns path pattern match", "https://www.facebook.com/groups/378607181955796/posts/773093455840498/?hpir=1&http_ref=eyJ0cyI6MTc2OTk2MDkxOTAwMCwiciI6IiJ9", "https://www.google-analytics.com/r/collect?v=1&_v=j83&a=1390847564&t=pageview&_s=1&dl=https%3A%2F%2Fchaturbate.com%2Fnotabottom%2F&ul=en-us&de=utf-8&dt=Chaturbate%20-%20100%25%20Free%20Chat%20%26%20Webcams&sd=32-bit&sr=1024x768&vp=780x439&je=0&_u=YEBAAE~&jid=915940444&gjid=1686072238&cid=922362881.1595496808&tid=UA-23607725-1&_gid=1317601001.1595496808&_r=1&cd1=chaturbate.com&cd2=&cd3=-&cd4=&cd5=anonymous&z=762468946", "https://www.dirtsearch.org/data/TSARA/BRASHEARS/", "Antivirus Detections: Trojan:Win32/Dorv.A", "http://www.tryporn.net/seach/tsara-brashears/", "Yara: Detections Delphi", "https://browntubeporn.com/tsara-brashearsAccept-Language", "http://vtwctr.org/explore/tsara- brashears-defeats-jeffrey-reimer/", "TAGS: ilwysowa text informative intel mac ip address ip check ipv4 ipv4 add is__elf jamie oliver", "TAGS: state of colorado stream strings suspicious t1590 gather tcp syn title tools tr trex triangulation", "https://parkedbits.com \u2022 spiritzuridgerunelahubcloudgusparkx.rest", "http://www.bukaporn.net/trend/tsara-brashears/ No Expiration\t41\t URL http://www.gdsl-pallemoebler.info/seach/tsara-brashears/", "https://ftp.apple4you.it \u2022 http://cpcalendars.apple4you.it \u2022 http://cpcontacts.apple4you.it \u2022", "Unix.Dropper.Mirai-7135925-0 , DDoS:Linux/Gafgyt.YA!MTB Yara Detections is__elf , ECHOBOT", "Alerts: disables_uac infostealer_keylog modify_uac_prompt anomalous_deletefile", "http://ftp.apple4you.it \u2022 http://www.apple4you.it/ \u2022https://cpcalendars.apple4you.it \u2022", "TAGS: pyspark python python initiated quic ransom recipes record value redacted for", "http://mypornvid.com/videos/27/x510fb2/white-dpt-jeffrey-reimer-loves-pretty-indian-patient-forces-sex-3gp-video-tsara-brashears/caillou-finger-family", "tsara-brashears-deadspin-twitter-suspended-account-help.ht", "https://fs25.mygamesteam.com/download/underground-parking/", "https://www.hallrender.com/attorney/brian-sabey/Accept", "https://mom2fuck.mobi/tsara-brashears.html", "http://pixelrz.com/lists/keywords/tsara-brashears-jeffrey-reimer-porn/;0.48692189815948833", "http://a.nigger.cat/ypphgg.exe \u2022 http://u.nigger.cat/ \u2022 https://a.nigger.cat/", "https://hybrid-analysis.com/sample/3aaca21b3918eecd127867bdd724611398cf897a0686fedfde1d424b7ad6130a", "http://www.anyxxxtube.net/search-porn/tsara-brashears", "TAGS. redirect refresh related tags remoteIPAddress resource restart reverse dns route runner", "IDS Detections: Domain (whatismyipaddress .com in HTTP Host)", "TAGS: macintosh malware medium melvin sabey meta mitre att mobile ms windows mtb dec", "IP\u2019s Contacted: 77.76.39.110 104.156.155.94 77.77.13.89 78.61.87.173 78.63.104.75", "https://wallpapers-nature.com/tsara-brashears/urlscan-io", "http://alohatube.xyz/search/tsara-brashears No Expiration\t278\t URL http://alohatube.xyz/search/tsara-brashears/ No Expiration\t62\t URL http://amp.mypornvid.fun/videos/2/SLFGMWoQaCU/white-dpt-jeffrey-reimer-loves-pretty-indian-patient-forces-sex-3gp-video-tsara-brashears No Expiration\t49\t URL http://anybunny.tv/search/tsara-brashears-submission-on-august-27-via-manual.html&us No Expiration\t27\t URL http://browntubeporn.com/tsara-brashears.html No Expiration\t40\t URL http://flexporn.net/tsara-brashears.html", "https://alohatube.xyz/search/tsara-brashearsL", "Domains Contacted: fexexwjehud.org lxclombt.net jpnzlsaqogv.com esccuyigsy.org", "http://siteinlink.d1.cnbd.net/search/tsara-brashears-dead/", "guidepaparazzisurface.com", "TAGS: aaaa accept activity address adversaries aes128gcm ahmann all hostname all ipv4 as15169", "https://www.feestzalenvanvlaanderen.be/seach/tsara-brashears/", "http://advocate-smyslova.ru/tsara-brashears/", "Yara Detections: is__elf , ECHOBOT", "http://www.sexpornimages.com/tsara/tsara-lynn-brashears-porn/7x56y.html", "http://frostsecurity.net/frost/driver/ \u2022 http://frostsecurity.net/frost/frostupdater/", "https://hybrid-analysis.com/sample/f6ccff8dec08334fab98d4f6cb9b2774acd00e98d1afabd219c2634d5b3e2147/697faa178cc598cfb90b0423", "http://a.nigger.cat/ovefvy.html \u2022 http://a.nigger.cat/snkikb.rar \u2022 http://a.nigger.cat/unipms.exe", "9e8c2f9e77b4b6a7538e4136d3bda379c560dc1a5931643da119da2f28881e4d\tELF:DDoS-S\\ [Trj]\t\tUnix.Trojan.Gafgyt-6981154-0\tDDoS:Linux/Gafgyt.YA!MTB", "Alerts: mouse_movement_detect dead_connect enumerates_running_processes process_needed", "Domains Contacted: whatismyipaddress.com whatismyip.everdot.org www.facebook.com", "TAGS: samples high host hover httpsupgrades hu note hu seen hungary hungary asn hybrid ids detections", "127.0.0.1 Private IP Address \u2022 http://facebook.com/iWebTechnologies", "TAGS: pink screen port possible prefetch8 present program protocol h3 ptr record none push", "http://vtwctr.org/explore/tsara-brashears-defeats-jeffrey-reimer/ phishing", "TAGS: trojan trojandropper trojanspy united unknown unknown aaaa unknown ns updater", "TAGS: upnproxy url analysis url https url text urls verified verify veryhigh victim network vubbuv win32 win64 windows windows nt windows server worm write write c yara detections yara rule", "Antivirus Detections: Win.Malware.Pits-10035540-0", "https://tamlegal.com/attorneys/christopher-p-ahmann/", "http://www.crazyfrost.com/wp-content/uploads/2011/01/%D0%BA%D0%BE%D0%BB%D0%BB%D0%B0%D0%B68.jpg\t URL", "Alerts: dead_host network_icmp tcp_by", "http://orangeporntube.net/tsara-brashears.html", "http://www.sexpornimages.com/tsara/tsara-lynn-brashears-porn/7x56y.html No Expiration\t41\t URL http://www.sweetheartvideo.com/tsara-brashears No Expiration\t81\t URL http://www.tryporn.net/seach/tsara-brashears/ No Expiration\t41\t URL http://www.tryporno.net/movies/tsara-brashears/ No Expiration\t42\t URL https://alohatube.xyz/search/tsara-brashears No Expiration\t211\t URL https://alohatube.xyz/search/tsara-brashears+ No Expiration\t51\t URL https://browntubeporn.com/tsara-brashearsAccept-Language No Expiratio", "Domains Contacted: www.whatismyip.com www.showmyipaddress.com www.whatismyip.ca", "http://onlyindianporn2.com/videos/tsara-brashears/", "Targeting Candace Owens", "https://www.anyxxxtube.net/search-porn/tsara-brashears/ phishing" ], "related": { "alienvault": { "adversary": [], "malware_families": [], "industries": [], "unique_indicators": 0 }, "other": { "adversary": [], "malware_families": [ "Alf:heraklezeval:trojan:win32/clipbanker", "Other malware", "Ddos:linux/gafgyt.ya!mtb", "Unix.trojan.gafgyt-698115", "Deathhiddentear (large&small ht) >", "Trojanspy:win32/usteal", "Elf:ddos-s\\ [trj]", "Pykspa.c", "Tr", "Autoit", "Ms defender\talf:heraklezeval:trojan:win32/clipbanker", "Trojan:win32/dorv.a", "Win.packed.usteal-7531303-0", "4-0 win.malware.pits-10035540-0" ], "industries": [ "Government", "Healthcare", "Defense" ], "unique_indicators": 25332 } } }, "false_positive": [], "alexa": "http://www.alexa.com/siteinfo/pajamasly.com", "whois": "http://whois.domaintools.com/pajamasly.com", "domain": "pajamasly.com", "hostname": "Unavailable" }, "geo": {}, "geo_ipapicom": {}, "pulse_count": 5, "pulses": [ { "id": "698037098c99c37cb91037c2", "name": "Busy Box MITM Attacks via Drive-by-Compromise | Facebook | Apple", "description": "Busy Box - MITM Attack\n\nDrive-by-Compromise | Facebook | Jamie Oliver Recipes | My sister-in-law made this once and I couldn\u2019t stop eating it. \nAdversarial Facebook pop up posts. .\n\n|| Pykspa.C Check in. \"Pykspa is a type of Remote Access Trojan (RAT). A powerful a worm that spreads via social media or via DGA algorithms. Parking crews are fond of these types of attacks. Christopher Ahmann", "modified": "2026-03-04T04:07:14.513000", "created": "2026-02-02T05:32:57.303000", "tags": [ "no expiration", "filehashsha256", "ipv4", "url http", "domain", "hostname", "filehashmd5", "filehashsha1", "iocs", "url https", "search", "type indicator", "review iocs", "role title", "create new", "pulse use", "pdf report", "pcap", "extraction", "sc data", "extre data", "include review", "exclude sugges", "data upload", "failed", "find s", "oo data", "enter source", "url or", "text drag", "expiration", "showing", "entries", "protect", "pulse show", "email abuse", "related pulses", "indicator role", "returnurl no", "drop", "pulse provide", "public tlp", "green", "adversary tags", "buzz", "x8664", "add tag", "groups add", "add industry", "trojan", "tags" ], "references": [ "https://www.facebook.com/groups/378607181955796/posts/773093455840498/?hpir=1&http_ref=eyJ0cyI6MTc2OTk2MDkxOTAwMCwiciI6IiJ9", "www.crazyfrost.com IPv4 104.21.5.49 IPv4 172.67.132.250", "Antivirus Detections: Trojan:Win32/Dorv.A", "IDS Detections: Win32/Pykspa.C Public IP Check IP Check Domain (whatismyip in HTTP Host)", "IDS Detections: IP Check Domain (showmyipaddress .com in HTTP Host) External IP Lookup", "IDS Detections: Domain in DNS Lookup (whatismyipaddress .com) IP Check", "IDS Detections: Domain (whatismyipaddress .com in HTTP Host)", "Yara Detections XOR_embeded_exefile_xored_with_round_256_bytes_key", "Alerts: antiav_servicestop antisandbox_sleep process_creation_suspicious_location", "Alerts: network_bind persistence_autorun binary_yara procmem_yara suricata_alert", "Alerts: disables_uac infostealer_keylog modify_uac_prompt anomalous_deletefile", "Alerts: mouse_movement_detect dead_connect enumerates_running_processes process_needed", "Alerts: dynamic_function_loading reads_memory_remote_process packer_entropy network_http", "IP\u2019s Contacted: 188.223.42.134 78.57.88.30 84.73.234.83 78.84.44.225 89.252.203.80", "IP\u2019s Contacted: 77.76.39.110 104.156.155.94 77.77.13.89 78.61.87.173 78.63.104.75", "Domains Contacted: www.whatismyip.com www.showmyipaddress.com www.whatismyip.ca", "Domains Contacted: whatismyipaddress.com whatismyip.everdot.org www.facebook.com", "Domains Contacted: fexexwjehud.org lxclombt.net jpnzlsaqogv.com esccuyigsy.org", "Antivirus Detections: Win.Malware.Pits-10035540-0", "Yara: Detections Delphi", "Alerts: infostealer_cookies antiav_detectfile", "IDS Detections: Observed Cloudflare DNS over HTTPS Domain (cloudflare-dns .com in TLS SNI)", "nigger.cat \u2022 http://a.nigger.cat/ \u2022 http://a.nigger.cat/imrred.exe \u2022 http://a.nigger.cat/iwzptk.pdf \u2022", "http://a.nigger.cat/ltbexb.jpg \u2022 http://a.nigger.cat/ocnxdv.exe \u2022 http://a.nigger.cat/ocnxdv.exe/", "http://a.nigger.cat/ovefvy.html \u2022 http://a.nigger.cat/snkikb.rar \u2022 http://a.nigger.cat/unipms.exe", "http://a.nigger.cat/ypphgg.exe \u2022 http://u.nigger.cat/ \u2022 https://a.nigger.cat/", "http://www.a.nigger.cat/ocnxdv.exe \u2022 https://a.nigger.cat/pwzbrt.txt", "output.228572717.txt [fb970a4bffed1d606a8d90369d43e3a73ea9c8dbcf1394745f1568500e918e1f]", "https://www.virustotal.com/gui/file/fb970a4bffed1d606a8d90369d43e3a73ea9c8dbcf1394745f1568500e918e1f/summary", "https://hybrid-analysis.com/sample/3aaca21b3918eecd127867bdd724611398cf897a0686fedfde1d424b7ad6130a", "https://hybrid-analysis.com/sample/e4999984a69a65a69bec9fef1200f7ec36a10bc401cdd15db3510fdc87ec5008/697fb0fec4a9bda3410454cf", "https://hybrid-analysis.com/sample/f6ccff8dec08334fab98d4f6cb9b2774acd00e98d1afabd219c2634d5b3e2147/697faa178cc598cfb90b0423", "https://hybrid-analysis.com/sample/01a1a2106bcddc591cab08d31c13966bd0413fe312bce9be396e964e114631a6/697f8c04475b90e7fb0d7ff9", "apple4you.it \u2022 https://www.apple4you.it/ \u2022 cpcalendars.apple4you.it \u2022 ftp.apple4you.it \u2022", "https://ftp.apple4you.it \u2022 http://cpcalendars.apple4you.it \u2022 http://cpcontacts.apple4you.it \u2022", "http://ftp.apple4you.it \u2022 http://www.apple4you.it/ \u2022https://cpcalendars.apple4you.it \u2022", "https://cpcontacts.apple4you.it", "AppleWebKit Christopher P. \u2018BUZZ\u2019 Ahmann interference", "adsparkahz.shop \u2022 https://adsparkahz.shop/ \u2022 parkedbits.com", "https://parkedbits.com \u2022 spiritzuridgerunelahubcloudgusparkx.rest", "https://fs25.mygamesteam.com/download/underground-parking/", "http://spiritzuridgerunelahubcloudgusparkx.rest/", "127.0.0.1 Private IP Address \u2022 http://facebook.com/iWebTechnologies", "9e8c2f9e77b4b6a7538e4136d3bda379c560dc1a5931643da119da2f28881e4d\tELF:DDoS-S\\ [Trj]\t\tUnix.Trojan.Gafgyt-6981154-0\tDDoS:Linux/Gafgyt.YA!MTB", "ELF:DDoS-S\\ [Trj] , Unix.Trojan.Gafgyt-6981154-0 , DDoS:Linux/Gafgyt.YA!MTB", "IDS Detections: Suspicious Activity potential UPnProxy", "Yara Detections: is__elf , ECHOBOT", "Alerts: dead_host network_icmp tcp_by", "Unix.Dropper.Mirai-7135925-0 , DDoS:Linux/Gafgyt.YA!MTB Yara Detections is__elf , ECHOBOT", "TAGS: aaaa accept activity address adversaries aes128gcm ahmann all hostname all ipv4 as15169", "TAGS: as29278 deninet as29728 cottage as47325 ascii text asn as29278 asn as29728 asn13335", "TAGS: av detections av exploit belgium belgium unknown binbusybox bits body canada unknown", "TAGS: christopher p christopher p. \u2018buzz\u2019 ahmann ck id ck matrix ck techniques clare click cloud", "TAGS: cloudflare cloudflarenet command config connection copy crazyfrost cyber attacks", "TAGS: data upload date date hash ddos dead connection default defense evasion delphi destination", "TAGS: detection detections detections name development att direct dirty dns resolutions domain", "TAGS: add dynamicloader ecdsa echobot echobot related encrypt entries error evasion att", "TAGS: expiration date explorer extraction facebook facebook failed february filehash files files ip", "TAGS: flag gecko general general full general info generator geo hungary guard hackers hash hide", "TAGS: samples high host hover httpsupgrades hu note hu seen hungary hungary asn hybrid ids detections ilwysowa text informative intel mac ip address ip check ipv4 ipv4 add is__elf jamie oliver json khtml launcher learn leve blu linux x8664 live live screenshot local logs look m. brian sabey macintosh malware medium melvin sabey meta mitre att mobile ms windows mtb dec mtb yara name servers name tactics network traffic new browser next associated next yara niggercat none file null object os x outbound passiv", "TAGS: samples high host hover httpsupgrades hu note hu seen hungary hungary asn hybrid ids detections", "TAGS: ilwysowa text informative intel mac ip address ip check ipv4 ipv4 add is__elf jamie oliver json khtml launcher learn leve blu linux x8664 live live screenshot local logs look m. brian sabey macintosh malware medium melvin sabey meta mitre att mobile ms windows mtb dec mtb yara name servers name tactics network traffic new browser next associated next yara niggercat none file null object os x outbound passive dns path pattern match pink screen port possible prefetch8 present dec present feb present jan", "TAGS: ilwysowa text informative intel mac ip address ip check ipv4 ipv4 add is__elf jamie oliver", "TAGS: json khtml launcher learn leve blu linux x8664 live live screenshot local logs look m. brian sabey", "TAGS: macintosh malware medium melvin sabey meta mitre att mobile ms windows mtb dec", "TAGS: mtb yara name servers name tactics network traffic new browser next associated next", "TAGS: yara niggercat none file null object os x outbound passive dns path pattern match", "TAGS: pink screen port possible prefetch8 present program protocol h3 ptr record none push", "TAGS: pyspark python python initiated quic ransom recipes record value redacted for", "TAGS. redirect refresh related tags remoteIPAddress resource restart reverse dns route runner", "TAGS: sample analysis se domains search security quic add source level span spawns spy", "TAGS: state of colorado stream strings suspicious t1590 gather tcp syn title tools tr trex triangulation", "TAGS: trojan trojandropper trojanspy united unknown unknown aaaa unknown ns updater", "TAGS: upnproxy url analysis url https url text urls verified verify veryhigh victim network vubbuv win32 win64 windows windows nt windows server worm write write c yara detections yara rule" ], "public": 1, "adversary": "", "targeted_countries": [ "United States of America", "Hungary" ], "malware_families": [ { "id": "ALF:HeraklezEval:Trojan:Win32/ClipBanker", "display_name": "ALF:HeraklezEval:Trojan:Win32/ClipBanker", "target": null }, { "id": "DDos:Linux/Gafgyt.YA!MTB", "display_name": "DDos:Linux/Gafgyt.YA!MTB", "target": "/malware/DDos:Linux/Gafgyt.YA!MTB" }, { "id": "ELF:DDoS-S\\ [Trj]", "display_name": "ELF:DDoS-S\\ [Trj]", "target": null }, { "id": "Pykspa.C", "display_name": "Pykspa.C", "target": null }, { "id": "Trojan:Win32/Dorv.A", "display_name": "Trojan:Win32/Dorv.A", "target": "/malware/Trojan:Win32/Dorv.A" }, { "id": "Unix.Trojan.Gafgyt-698115", "display_name": "Unix.Trojan.Gafgyt-698115", "target": null }, { "id": "4-0 Win.Malware.Pits-10035540-0", "display_name": "4-0 Win.Malware.Pits-10035540-0", "target": null }, { "id": "Win.Packed.Usteal-7531303-0", "display_name": "Win.Packed.Usteal-7531303-0", "target": null }, { "id": "tR", "display_name": "tR", "target": null }, { "id": "DeathHiddenTear (Large&Small HT) >", "display_name": "DeathHiddenTear (Large&Small HT) >", "target": null } ], "attack_ids": [ { "id": "T1027", "name": "Obfuscated Files or Information", "display_name": "T1027 - Obfuscated Files or Information" }, { "id": "T1041", "name": "Exfiltration Over C2 Channel", "display_name": "T1041 - Exfiltration Over C2 Channel" }, { "id": "T1045", "name": "Software Packing", "display_name": "T1045 - Software Packing" }, { "id": "T1057", "name": "Process Discovery", "display_name": "T1057 - Process Discovery" }, { "id": "T1060", "name": "Registry Run Keys / Startup Folder", "display_name": "T1060 - Registry Run Keys / Startup Folder" }, { "id": "T1063", "name": "Security Software Discovery", "display_name": "T1063 - Security Software Discovery" }, { "id": "T1069", "name": "Permission Groups Discovery", "display_name": "T1069 - Permission Groups Discovery" }, { "id": "T1071", "name": "Application Layer Protocol", "display_name": "T1071 - Application Layer Protocol" }, { "id": "T1105", "name": "Ingress Tool Transfer", "display_name": "T1105 - Ingress Tool Transfer" }, { "id": "T1113", "name": "Screen Capture", "display_name": "T1113 - Screen Capture" }, { "id": "T1119", "name": "Automated Collection", "display_name": "T1119 - Automated Collection" }, { "id": "T1132", "name": "Data Encoding", "display_name": "T1132 - Data Encoding" }, { "id": "T1140", "name": "Deobfuscate/Decode Files or Information", "display_name": "T1140 - Deobfuscate/Decode Files or Information" }, { "id": "T1155", "name": "AppleScript", "display_name": "T1155 - AppleScript" }, { "id": "T1189", "name": "Drive-by Compromise", "display_name": "T1189 - Drive-by Compromise" }, { "id": "T1456", "name": "Drive-by Compromise", "display_name": "T1456 - Drive-by Compromise" }, { "id": "T1457", "name": "Malicious Media Content", "display_name": "T1457 - Malicious Media Content" }, { "id": "T1480", "name": "Execution Guardrails", "display_name": "T1480 - Execution Guardrails" }, { "id": "T1553", "name": "Subvert Trust Controls", "display_name": "T1553 - Subvert Trust Controls" }, { "id": "T1557", "name": "Man-in-the-Middle", "display_name": "T1557 - Man-in-the-Middle" }, { "id": "T1562", "name": "Impair Defenses", "display_name": "T1562 - Impair Defenses" }, { "id": "T1568", "name": "Dynamic Resolution", "display_name": "T1568 - Dynamic Resolution" }, { "id": "T1583", "name": "Acquire Infrastructure", "display_name": "T1583 - Acquire Infrastructure" }, { "id": "T1586", "name": "Compromise Accounts", "display_name": "T1586 - Compromise Accounts" }, { "id": "T1590", "name": "Gather Victim Network Information", "display_name": "T1590 - Gather Victim Network Information" }, { "id": "T1608", "name": "Stage Capabilities", "display_name": "T1608 - Stage Capabilities" } ], "industries": [], "TLP": "green", "cloned_from": null, "export_count": 5, "upvotes_count": 0, "downvotes_count": 0, "votes_count": 0, "locked": false, "pulse_source": "web", "validator_count": 0, "comment_count": 0, "follower_count": 0, "vote": 0, "author": { "username": "Q.Vashti", "id": "337942", "avatar_url": "https://otx.alienvault.com/assets/images/default-avatar.png", "is_subscribed": false, "is_following": false }, "indicator_type_counts": { "FileHash-MD5": 1586, "FileHash-SHA1": 1479, "FileHash-SHA256": 1938, "URL": 4548, "domain": 1052, "hostname": 2501, "email": 9, "SSLCertFingerprint": 7, "CIDR": 2 }, "indicator_count": 13122, "is_author": false, "is_subscribing": null, "subscriber_count": 140, "modified_text": "46 days ago ", "is_modified": true, "groups": [], "in_group": false, "threat_hunter_scannable": true, "threat_hunter_has_agents": 1, "related_indicator_type": "URL", "related_indicator_is_active": 1 }, { "id": "695c7b40f5d2f292a7512e81", "name": "USteal Reputation Smear | Malicious Media | TrojanSpy - CrazyFrost.com", "description": "Who is CrazyFrost? USteal Reputation Smear | Malicious Media | TrojanSpy would affect anyone who clicks on honeypot / dga domain. iPhone spyware. We\u2019ve been working on exposing spyware. Emotet / AutoIT , cabs, password stealer, and more found. Investigators and attorneys from the past Investigators reported victims life, was being promoted over the dark web. From bathing to cooking , conversations to arguments, getting dressed to passing gas. Haha. Small cameras were accessed remotely in her former. Castle Pines, Co hideaway. A third investigator confirmed tiny cameras were installed when victim was in staycationing. When family arrived home garage door and secured doors were boldly left open. Crazy True. [otx auto generated- The following is the full text of the public-key-precert-scts, which has been posted on the website of Redporn.video, the site of an unauthorised sex tape.]", "modified": "2026-02-05T02:03:26.707000", "created": "2026-01-06T03:02:24.932000", "tags": [ "gmtn", "log id", "ca issuers", "b0n timestamp", "signature", "d097", "f2334482", "fc46", "b10b2898797d", "fingerprintsha1", "tsara", "we1 certificate", "dynamicloader", "medium", "write c", "host", "yara rule", "myapp", "delphi", "worm", "win32", "error", "write", "code", "malware", "learn", "ck id", "name tactics", "suspicious", "informative", "command", "adversaries", "spawns", "ssl certificate", "execution att", "t1204 user", "united", "mitre att", "ck matrix", "flag", "ogoogle trust", "href", "network traffic", "span", "babe", "super", "close", "general", "local", "path", "encrypt", "click", "strings", "form", "extraction", "data upload", "all ht", "enter source", "one on", "tezunau", "daut un", "dauwol lype", "ur extraction", "extrac", "n tezunau", "one opa", "included review", "faileextra", "include data", "review exclude", "sugges", "delete c", "json", "ascii text", "high", "data", "search", "stream", "unknown", "push", "next", "dirty", "enter s", "type", "extr data", "include", "ff d5", "ee fc", "eb d8", "f0 ff", "ff bb", "fd ff", "ff eb", "ed b8", "agent", "msie", "windows nt", "wow64", "slcc2", "media center", "tlsv1", "read c", "execution", "dock", "persistence", "sc data", "present jan", "present mar", "present dec", "unknown aaaa", "passive dns", "urls", "trojanspy", "date", "present feb", "susp", "moved", "ip address", "backdoor", "usteal", "body", "title", "hybrid", "regopenkeyexa", "memcommit", "regsz", "english", "copy", "ufr stealer", "markus", "april", "updater", "entries", "rsds", "c reg", "environment", "launch" ], "references": [ "https://www.redporn.video/tsara-brashears-slandered-.htm \u2022 www.redporn.video \u2022 http://www.redporn", "guidepaparazzisurface.com", "http://www.crazyfrost.com\t\u2022 http://www.crazyfrost", "http://chaturbate.com/notabottom/\t\u2022 http://chaturbate.com/notabottom/\\", "iPhone Spyware - https://bam.nr-data.net/1/6f524845d1?a=24279235&v=1169.7b094c0&to=MwYEbUdYXxJQWhULDApMIExbWkUIXldOAQsFF0hPXFxGEgtrDg0OMgoDThteVBU%3D&rst=6546&ck=1&ref=https://chaturbate.com/notabottom/&ap=123&fe=4218&dc=4218&af=err", "iPhone Spyware - https://bam.nr-data.net/jserrors/ping/6f524845d1?a=24279235&v=1169.7b094c0&to=MwYEbUdYXxJQWhULDApMIExbWkUIXldOAQsFF0hPXFxGEgtrDg0OMgoDThteVBU%3D&rst=6546&ck=1&ref=https://chaturbate.com/notabottom/", "https://chaturbate.com/notabottom/", "https://www.google-analytics.com/r/collect?v=1&_v=j83&a=1390847564&t=pageview&_s=1&dl=https%3A%2F%2Fchaturbate.com%2Fnotabottom%2F&ul=en-us&de=utf-8&dt=Chaturbate%20-%20100%25%20Free%20Chat%20%26%20Webcams&sd=32-bit&sr=1024x768&vp=780x439&je=0&_u=YEBAAE~&jid=915940444&gjid=1686072238&cid=922362881.1595496808&tid=UA-23607725-1&_gid=1317601001.1595496808&_r=1&cd1=chaturbate.com&cd2=&cd3=-&cd4=&cd5=anonymous&z=762468946" ], "public": 1, "adversary": "", "targeted_countries": [ "United States of America" ], "malware_families": [ { "id": "AutoIT", "display_name": "AutoIT", "target": null }, { "id": "TrojanSpy:Win32/Usteal", "display_name": "TrojanSpy:Win32/Usteal", "target": "/malware/TrojanSpy:Win32/Usteal" } ], "attack_ids": [ { "id": "T1045", "name": "Software Packing", "display_name": "T1045 - Software Packing" }, { "id": "T1060", "name": "Registry Run Keys / Startup Folder", "display_name": "T1060 - Registry Run Keys / Startup Folder" }, { "id": "T1057", "name": "Process Discovery", "display_name": "T1057 - Process Discovery" }, { "id": "T1069", "name": "Permission Groups Discovery", "display_name": "T1069 - Permission Groups Discovery" }, { "id": "T1071", "name": "Application Layer Protocol", "display_name": "T1071 - Application Layer Protocol" }, { "id": "T1105", "name": "Ingress Tool Transfer", "display_name": "T1105 - Ingress Tool Transfer" }, { "id": "T1204", "name": "User Execution", "display_name": "T1204 - User Execution" }, { "id": "T1480", "name": "Execution Guardrails", "display_name": "T1480 - Execution Guardrails" }, { "id": "T1553", "name": "Subvert Trust Controls", "display_name": "T1553 - Subvert Trust Controls" }, { "id": "T1568", "name": "Dynamic Resolution", "display_name": "T1568 - Dynamic Resolution" }, { "id": "T1583", "name": "Acquire Infrastructure", "display_name": "T1583 - Acquire Infrastructure" }, { "id": "T1140", "name": "Deobfuscate/Decode Files or Information", "display_name": "T1140 - Deobfuscate/Decode Files or Information" }, { "id": "T1583.001", "name": "Domains", "display_name": "T1583.001 - Domains" }, { "id": "T1553.002", "name": "Code Signing", "display_name": "T1553.002 - Code Signing" }, { "id": "T1069.002", "name": "Domain Groups", "display_name": "T1069.002 - Domain Groups" }, { "id": "T1071.004", "name": "DNS", "display_name": "T1071.004 - DNS" }, { "id": "T1568.002", "name": "Domain Generation Algorithms", "display_name": "T1568.002 - Domain Generation Algorithms" }, { "id": "T1071.001", "name": "Web Protocols", "display_name": "T1071.001 - Web Protocols" }, { "id": "T1113", "name": "Screen Capture", "display_name": "T1113 - Screen Capture" }, { "id": "T1063", "name": "Security Software Discovery", "display_name": "T1063 - Security Software Discovery" }, { "id": "T1119", "name": "Automated Collection", "display_name": "T1119 - Automated Collection" }, { "id": "T1053", "name": "Scheduled Task/Job", "display_name": "T1053 - Scheduled Task/Job" }, { "id": "T1055", "name": "Process Injection", "display_name": "T1055 - Process Injection" }, { "id": "T1082", "name": "System Information Discovery", "display_name": "T1082 - System Information Discovery" }, { "id": "T1112", "name": "Modify Registry", "display_name": "T1112 - Modify Registry" }, { "id": "T1129", "name": "Shared Modules", "display_name": "T1129 - Shared Modules" }, { "id": "T1143", "name": "Hidden Window", "display_name": "T1143 - Hidden Window" }, { "id": "T1562", "name": "Impair Defenses", "display_name": "T1562 - Impair Defenses" }, { "id": "T1204.003", "name": "Malicious Image", "display_name": "T1204.003 - Malicious Image" }, { "id": "T1457", "name": "Malicious Media Content", "display_name": "T1457 - Malicious Media Content" }, { "id": "T1204.001", "name": "Malicious Link", "display_name": "T1204.001 - Malicious Link" }, { "id": "T1155", "name": "AppleScript", "display_name": "T1155 - AppleScript" }, { "id": "T1449", "name": "Exploit SS7 to Redirect Phone Calls/SMS", "display_name": "T1449 - Exploit SS7 to Redirect Phone Calls/SMS" } ], "industries": [], "TLP": "green", "cloned_from": null, "export_count": 1, "upvotes_count": 0, "downvotes_count": 0, "votes_count": 0, "locked": false, "pulse_source": "web", "validator_count": 0, "comment_count": 0, "follower_count": 0, "vote": 0, "author": { "username": "Q.Vashti", "id": "337942", "avatar_url": "https://otx.alienvault.com/assets/images/default-avatar.png", "is_subscribed": false, "is_following": false }, "indicator_type_counts": { "URL": 2543, "hostname": 848, "FileHash-SHA256": 1320, "SSLCertFingerprint": 25, "domain": 463, "FileHash-MD5": 418, "FileHash-SHA1": 197, "email": 2 }, "indicator_count": 5816, "is_author": false, "is_subscribing": null, "subscriber_count": 138, "modified_text": "73 days ago ", "is_modified": true, "groups": [], "in_group": false, "threat_hunter_scannable": true, "threat_hunter_has_agents": 1, "related_indicator_type": "URL", "related_indicator_is_active": 1 }, { "id": "695ea667a062ed6688b104ab", "name": "Frost Security | Attorneys | Government | Crazy | Stop Tampering ", "description": "", "modified": "2026-01-07T18:31:03.104000", "created": "2026-01-07T18:31:03.104000", "tags": [ "active", "type win32", "exe size", "first seen", "malicious avg", "win32", "gdata", "dynamicloader", "fe ff", "high", "write c", "data", "x00bx00", "uswv", "write", "redline", "stream", "guard", "malware", "push", "local", "crazyfrost", "adversarial", "hacker", "extraction", "enter sc", "data upload", "extre data", "included iocs", "url http", "url https", "include review", "exclude sugges", "frost security", "windir", "openurl c", "prefetch2", "analysis", "tor analysis", "dns requests", "domain address", "contacted hosts", "ip address", "process details", "learn", "ck id", "name tactics", "suspicious", "informative", "command", "spawns", "defense evasion", "t1480 execution", "signing defense", "united", "flag", "contacted", "http traffic", "file defense", "mitre att", "ck techniques", "evasion att", "belize", "div div", "passive dns", "link", "ipv4 add", "url analysis", "urls", "files", "meta", "ddos", "indicators show", "search", "type indicator", "role title", "added active", "related pulses", "hostname", "types", "hosanna", "x show", "ck ids", "t1060", "run keys", "startup", "folder", "t1036", "capture", "cookie", "palantir", "indicator role", "active related", "description", "trump supporter", "types of", "germany", "china", "netherlands", "https", "notice", "billions", "stop", "boobs130432 no", "expiration", "location poland", "asn as29522", "learn more", "domain", "foundry", "hallrender", "brian sabey", "tam legal", "christopher p ahmann", "palantir", "quasi government", "pentagon" ], "references": [ "http://www.crazyfrost.com/wp-content/uploads/2011/01/%D0%BA%D0%BE%D0%BB%D0%BB%D0%B0%D0%B68.jpg\t URL", "http://frostsecurity.net/frost/driver/ \u2022 http://frostsecurity.net/frost/frostupdater/", "https://tamlegal.com/attorneys/christopher-p-ahmann/", "https://www.hallrender.com/attorney/brian-sabey/Accept", "https://www.pornhub.com/gifs/search?search=tsara+lynn+brashears+lesbian", "http://mypornvid.com/videos/27/x510fb2/white-dpt-jeffrey-reimer-loves-pretty-indian-patient-forces-sex-3gp-video-tsara-brashears/caillou-finger-family", "http://vtwctr.org/explore/tsara-brashears-defeats-jeffrey-reimer/ phishing", "http://alohatube.xyz/search/tsara-brashears No Expiration\t278\t URL http://alohatube.xyz/search/tsara-brashears/ No Expiration\t62\t URL http://amp.mypornvid.fun/videos/2/SLFGMWoQaCU/white-dpt-jeffrey-reimer-loves-pretty-indian-patient-forces-sex-3gp-video-tsara-brashears No Expiration\t49\t URL http://anybunny.tv/search/tsara-brashears-submission-on-august-27-via-manual.html&us No Expiration\t27\t URL http://browntubeporn.com/tsara-brashears.html No Expiration\t40\t URL http://flexporn.net/tsara-brashears.html", "http://wapwon.live/category/tsara-brashears-assaulted-by-jeffrey-reimerAccept-Languauge phishing", "https://www.anyxxxtube.net/search-porn/tsara-brashears/ phishing", "http://advocate-smyslova.ru/tsara-brashears/", "http://pixelrz.com/lists/keywords/tsara-brashears-jeffrey-reimer-porn/;0.48692189815948833", "http://orangeporntube.net/tsara-brashears.html", "http://onlyindianporn2.com/videos/tsara-brashears/", "http://videolal.com/tsara-brashears-dead.html", "http://siteinlink.d1.cnbd.net/search/tsara-brashears-dead/", "http://www.music-forum.org/www-cixiu888-com-tsara-brashears.html", "http://wapwon.live/category/tsara-brashears-assaulted-by-jeffrey-reimerAccept-Language", "http://www.bukaporn.net/trend/tsara-brashears/ No Expiration\t41\t URL http://www.gdsl-pallemoebler.info/seach/tsara-brashears/", "http://www.sexpornimages.com/tsara/tsara-lynn-brashears-porn/7x56y.html No Expiration\t41\t URL http://www.sweetheartvideo.com/tsara-brashears No Expiration\t81\t URL http://www.tryporn.net/seach/tsara-brashears/ No Expiration\t41\t URL http://www.tryporno.net/movies/tsara-brashears/ No Expiration\t42\t URL https://alohatube.xyz/search/tsara-brashears No Expiration\t211\t URL https://alohatube.xyz/search/tsara-brashears+ No Expiration\t51\t URL https://browntubeporn.com/tsara-brashearsAccept-Language No Expiratio", "http://www.sexpornimages.com/tsara/tsara-lynn-brashears-porn/7x56y.html", "https://browntubeporn.com/tsara-brashearsAccept-Language", "http://www.tryporn.net/seach/tsara-brashears/", "https://alohatube.xyz/search/tsara-brashearsL", "http://onlyindianporn2.com/videos/tsara-brashears/", "http://orangeporntube.net/tsara-brashears.html", "https://www.dirtsearch.org/data/TSARA/BRASHEARS/", "https://youjizz.sex/tsara-brashears.html", "https://www.feestzalenvanvlaanderen.be/seach/tsara-brashears/", "https://www.xvxx.me/search/tsara-brashears/", "https://wallpapers-nature.com/tsara-brashears/tse1-mm-bing-net", "https://www.sweetheartvideo.com/tsara-brashear", "https://wallpapers-nature.com/tsara-brashears/urlscan-io", "http://www.gdsl-pallemoebler.info/seach/tsara-brashears/", "http://www.bukaporn.net/trend/tsara-brashears/", "tsara-brashears-deadspin-twitter-suspended-account-help.ht", "https://mom2fuck.mobi/tsara-brashears.html", "http://vtwctr.org/explore/tsara- brashears-defeats-jeffrey-reimer/", "http://www.anyxxxtube.net/search-porn/tsara-brashears", "www.palantir.com \u2022 palantir.io \u2022 http://datafoundry.com/", "http://watchhers.net/index.php \u2022 foundry2sdbl.dvr.dn2.n-helix.com", "https://steam.exacg.cc/ \u2022 http://tesgm.ru/_ld/5/584_steam_apidll_Th.rar", "Targeting Tsara Brasheras and associated", "Targeting Candace Owens" ], "public": 1, "adversary": "", "targeted_countries": [], "malware_families": [ { "id": "Ms Defender\tALF:HeraklezEval:Trojan:Win32/ClipBanker", "display_name": "Ms Defender\tALF:HeraklezEval:Trojan:Win32/ClipBanker", "target": null }, { "id": "Other Malware", "display_name": "Other Malware", "target": null } ], "attack_ids": [ { "id": "T1119", "name": "Automated Collection", "display_name": "T1119 - Automated Collection" }, { "id": "T1027", "name": "Obfuscated Files or Information", "display_name": "T1027 - Obfuscated Files or Information" }, { "id": "T1057", "name": "Process Discovery", "display_name": "T1057 - Process Discovery" }, { "id": "T1069", "name": "Permission Groups Discovery", "display_name": "T1069 - Permission Groups Discovery" }, { "id": "T1071", "name": "Application Layer Protocol", "display_name": "T1071 - Application Layer Protocol" }, { "id": "T1105", "name": "Ingress Tool Transfer", "display_name": "T1105 - Ingress Tool Transfer" }, { "id": "T1480", "name": "Execution Guardrails", "display_name": "T1480 - Execution Guardrails" }, { "id": "T1553", "name": "Subvert Trust Controls", "display_name": "T1553 - Subvert Trust Controls" }, { "id": "T1457", "name": "Malicious Media Content", "display_name": "T1457 - Malicious Media Content" }, { "id": "T1071.004", "name": "DNS", "display_name": "T1071.004 - DNS" }, { "id": "T1116", "name": "Code Signing", "display_name": "T1116 - Code Signing" }, { "id": "T1036", "name": "Masquerading", "display_name": "T1036 - Masquerading" }, { "id": "T1036.004", "name": "Masquerade Task or Service", "display_name": "T1036.004 - Masquerade Task or Service" }, { "id": "T1043", "name": "Commonly Used Port", "display_name": "T1043 - Commonly Used Port" }, { "id": "T1051", "name": "Shared Webroot", "display_name": "T1051 - Shared Webroot" }, { "id": "T1053", "name": "Scheduled Task/Job", "display_name": "T1053 - Scheduled Task/Job" }, { "id": "T1055", "name": "Process Injection", "display_name": "T1055 - Process Injection" }, { "id": "T1056", "name": "Input Capture", "display_name": "T1056 - Input Capture" }, { "id": "T1060", "name": "Registry Run Keys / Startup Folder", "display_name": "T1060 - Registry Run Keys / Startup Folder" }, { "id": "T1068", "name": "Exploitation for Privilege Escalation", "display_name": "T1068 - Exploitation for Privilege Escalation" }, { "id": "T1080", "name": "Taint Shared Content", "display_name": "T1080 - Taint Shared Content" }, { "id": "T1082", "name": "System Information Discovery", "display_name": "T1082 - System Information Discovery" }, { "id": "T1085", "name": "Rundll32", "display_name": "T1085 - Rundll32" }, { "id": "T1114", "name": "Email Collection", "display_name": "T1114 - Email Collection" }, { "id": "T1123", "name": "Audio Capture", "display_name": "T1123 - Audio Capture" }, { "id": "T1125", "name": "Video Capture", "display_name": "T1125 - Video Capture" }, { "id": "T1129", "name": "Shared Modules", "display_name": "T1129 - Shared Modules" }, { "id": "T1140", "name": "Deobfuscate/Decode Files or Information", "display_name": "T1140 - Deobfuscate/Decode Files or Information" }, { "id": "T1143", "name": "Hidden Window", "display_name": "T1143 - Hidden Window" }, { "id": "T1155", "name": "AppleScript", "display_name": "T1155 - AppleScript" }, { "id": "T1179", "name": "Hooking", "display_name": "T1179 - Hooking" }, { "id": "T1190", "name": "Exploit Public-Facing Application", "display_name": "T1190 - Exploit Public-Facing Application" }, { "id": "T1210", "name": "Exploitation of Remote Services", "display_name": "T1210 - Exploitation of Remote Services" }, { "id": "T1449", "name": "Exploit SS7 to Redirect Phone Calls/SMS", "display_name": "T1449 - Exploit SS7 to Redirect Phone Calls/SMS" }, { "id": "T1472", "name": "Generate Fraudulent Advertising Revenue", "display_name": "T1472 - Generate Fraudulent Advertising Revenue" }, { "id": "T1506", "name": "Web Session Cookie", "display_name": "T1506 - Web Session Cookie" }, { "id": "T1512", "name": "Capture Camera", "display_name": "T1512 - Capture Camera" }, { "id": "T1566", "name": "Phishing", "display_name": "T1566 - Phishing" }, { "id": "T1583", "name": "Acquire Infrastructure", "display_name": "T1583 - Acquire Infrastructure" }, { "id": "T1586", "name": "Compromise Accounts", "display_name": "T1586 - Compromise Accounts" }, { "id": "T1598", "name": "Phishing for Information", "display_name": "T1598 - Phishing for Information" } ], "industries": [ "Government", "Defense", "Healthcare" ], "TLP": "green", "cloned_from": "692897a64c0e255409b5a67e", "export_count": 4, "upvotes_count": 0, "downvotes_count": 0, "votes_count": 0, "locked": false, "pulse_source": "web", "validator_count": 0, "comment_count": 0, "follower_count": 0, "vote": 0, "author": { "username": "Q.Vashti", "id": "337942", "avatar_url": "https://otx.alienvault.com/assets/images/default-avatar.png", "is_subscribed": false, "is_following": false }, "indicator_type_counts": { "URL": 3709, "hostname": 1109, "FileHash-SHA256": 2872, "FileHash-MD5": 214, "FileHash-SHA1": 203, "domain": 557 }, "indicator_count": 8664, "is_author": false, "is_subscribing": null, "subscriber_count": 140, "modified_text": "102 days ago ", "is_modified": false, "groups": [], "in_group": false, "threat_hunter_scannable": true, "threat_hunter_has_agents": 1, "related_indicator_type": "URL", "related_indicator_is_active": 1 }, { "id": "695ea6590a50f71a156c9a7f", "name": "Frost Security | Attorneys | Government | Crazy | Stop Tampering ", "description": "", "modified": "2026-01-07T18:30:49.442000", "created": "2026-01-07T18:30:49.442000", "tags": [ "active", "type win32", "exe size", "first seen", "malicious avg", "win32", "gdata", "dynamicloader", "fe ff", "high", "write c", "data", "x00bx00", "uswv", "write", "redline", "stream", "guard", "malware", "push", "local", "crazyfrost", "adversarial", "hacker", "extraction", "enter sc", "data upload", "extre data", "included iocs", "url http", "url https", "include review", "exclude sugges", "frost security", "windir", "openurl c", "prefetch2", "analysis", "tor analysis", "dns requests", "domain address", "contacted hosts", "ip address", "process details", "learn", "ck id", "name tactics", "suspicious", "informative", "command", "spawns", "defense evasion", "t1480 execution", "signing defense", "united", "flag", "contacted", "http traffic", "file defense", "mitre att", "ck techniques", "evasion att", "belize", "div div", "passive dns", "link", "ipv4 add", "url analysis", "urls", "files", "meta", "ddos", "indicators show", "search", "type indicator", "role title", "added active", "related pulses", "hostname", "types", "hosanna", "x show", "ck ids", "t1060", "run keys", "startup", "folder", "t1036", "capture", "cookie", "palantir", "indicator role", "active related", "description", "trump supporter", "types of", "germany", "china", "netherlands", "https", "notice", "billions", "stop", "boobs130432 no", "expiration", "location poland", "asn as29522", "learn more", "domain", "foundry", "hallrender", "brian sabey", "tam legal", "christopher p ahmann", "palantir", "quasi government", "pentagon" ], "references": [ "http://www.crazyfrost.com/wp-content/uploads/2011/01/%D0%BA%D0%BE%D0%BB%D0%BB%D0%B0%D0%B68.jpg\t URL", "http://frostsecurity.net/frost/driver/ \u2022 http://frostsecurity.net/frost/frostupdater/", "https://tamlegal.com/attorneys/christopher-p-ahmann/", "https://www.hallrender.com/attorney/brian-sabey/Accept", "https://www.pornhub.com/gifs/search?search=tsara+lynn+brashears+lesbian", "http://mypornvid.com/videos/27/x510fb2/white-dpt-jeffrey-reimer-loves-pretty-indian-patient-forces-sex-3gp-video-tsara-brashears/caillou-finger-family", "http://vtwctr.org/explore/tsara-brashears-defeats-jeffrey-reimer/ phishing", "http://alohatube.xyz/search/tsara-brashears No Expiration\t278\t URL http://alohatube.xyz/search/tsara-brashears/ No Expiration\t62\t URL http://amp.mypornvid.fun/videos/2/SLFGMWoQaCU/white-dpt-jeffrey-reimer-loves-pretty-indian-patient-forces-sex-3gp-video-tsara-brashears No Expiration\t49\t URL http://anybunny.tv/search/tsara-brashears-submission-on-august-27-via-manual.html&us No Expiration\t27\t URL http://browntubeporn.com/tsara-brashears.html No Expiration\t40\t URL http://flexporn.net/tsara-brashears.html", "http://wapwon.live/category/tsara-brashears-assaulted-by-jeffrey-reimerAccept-Languauge phishing", "https://www.anyxxxtube.net/search-porn/tsara-brashears/ phishing", "http://advocate-smyslova.ru/tsara-brashears/", "http://pixelrz.com/lists/keywords/tsara-brashears-jeffrey-reimer-porn/;0.48692189815948833", "http://orangeporntube.net/tsara-brashears.html", "http://onlyindianporn2.com/videos/tsara-brashears/", "http://videolal.com/tsara-brashears-dead.html", "http://siteinlink.d1.cnbd.net/search/tsara-brashears-dead/", "http://www.music-forum.org/www-cixiu888-com-tsara-brashears.html", "http://wapwon.live/category/tsara-brashears-assaulted-by-jeffrey-reimerAccept-Language", "http://www.bukaporn.net/trend/tsara-brashears/ No Expiration\t41\t URL http://www.gdsl-pallemoebler.info/seach/tsara-brashears/", "http://www.sexpornimages.com/tsara/tsara-lynn-brashears-porn/7x56y.html No Expiration\t41\t URL http://www.sweetheartvideo.com/tsara-brashears No Expiration\t81\t URL http://www.tryporn.net/seach/tsara-brashears/ No Expiration\t41\t URL http://www.tryporno.net/movies/tsara-brashears/ No Expiration\t42\t URL https://alohatube.xyz/search/tsara-brashears No Expiration\t211\t URL https://alohatube.xyz/search/tsara-brashears+ No Expiration\t51\t URL https://browntubeporn.com/tsara-brashearsAccept-Language No Expiratio", "http://www.sexpornimages.com/tsara/tsara-lynn-brashears-porn/7x56y.html", "https://browntubeporn.com/tsara-brashearsAccept-Language", "http://www.tryporn.net/seach/tsara-brashears/", "https://alohatube.xyz/search/tsara-brashearsL", "http://onlyindianporn2.com/videos/tsara-brashears/", "http://orangeporntube.net/tsara-brashears.html", "https://www.dirtsearch.org/data/TSARA/BRASHEARS/", "https://youjizz.sex/tsara-brashears.html", "https://www.feestzalenvanvlaanderen.be/seach/tsara-brashears/", "https://www.xvxx.me/search/tsara-brashears/", "https://wallpapers-nature.com/tsara-brashears/tse1-mm-bing-net", "https://www.sweetheartvideo.com/tsara-brashear", "https://wallpapers-nature.com/tsara-brashears/urlscan-io", "http://www.gdsl-pallemoebler.info/seach/tsara-brashears/", "http://www.bukaporn.net/trend/tsara-brashears/", "tsara-brashears-deadspin-twitter-suspended-account-help.ht", "https://mom2fuck.mobi/tsara-brashears.html", "http://vtwctr.org/explore/tsara- brashears-defeats-jeffrey-reimer/", "http://www.anyxxxtube.net/search-porn/tsara-brashears", "www.palantir.com \u2022 palantir.io \u2022 http://datafoundry.com/", "http://watchhers.net/index.php \u2022 foundry2sdbl.dvr.dn2.n-helix.com", "https://steam.exacg.cc/ \u2022 http://tesgm.ru/_ld/5/584_steam_apidll_Th.rar", "Targeting Tsara Brasheras and associated", "Targeting Candace Owens" ], "public": 1, "adversary": "", "targeted_countries": [], "malware_families": [ { "id": "Ms Defender\tALF:HeraklezEval:Trojan:Win32/ClipBanker", "display_name": "Ms Defender\tALF:HeraklezEval:Trojan:Win32/ClipBanker", "target": null }, { "id": "Other Malware", "display_name": "Other Malware", "target": null } ], "attack_ids": [ { "id": "T1119", "name": "Automated Collection", "display_name": "T1119 - Automated Collection" }, { "id": "T1027", "name": "Obfuscated Files or Information", "display_name": "T1027 - Obfuscated Files or Information" }, { "id": "T1057", "name": "Process Discovery", "display_name": "T1057 - Process Discovery" }, { "id": "T1069", "name": "Permission Groups Discovery", "display_name": "T1069 - Permission Groups Discovery" }, { "id": "T1071", "name": "Application Layer Protocol", "display_name": "T1071 - Application Layer Protocol" }, { "id": "T1105", "name": "Ingress Tool Transfer", "display_name": "T1105 - Ingress Tool Transfer" }, { "id": "T1480", "name": "Execution Guardrails", "display_name": "T1480 - Execution Guardrails" }, { "id": "T1553", "name": "Subvert Trust Controls", "display_name": "T1553 - Subvert Trust Controls" }, { "id": "T1457", "name": "Malicious Media Content", "display_name": "T1457 - Malicious Media Content" }, { "id": "T1071.004", "name": "DNS", "display_name": "T1071.004 - DNS" }, { "id": "T1116", "name": "Code Signing", "display_name": "T1116 - Code Signing" }, { "id": "T1036", "name": "Masquerading", "display_name": "T1036 - Masquerading" }, { "id": "T1036.004", "name": "Masquerade Task or Service", "display_name": "T1036.004 - Masquerade Task or Service" }, { "id": "T1043", "name": "Commonly Used Port", "display_name": "T1043 - Commonly Used Port" }, { "id": "T1051", "name": "Shared Webroot", "display_name": "T1051 - Shared Webroot" }, { "id": "T1053", "name": "Scheduled Task/Job", "display_name": "T1053 - Scheduled Task/Job" }, { "id": "T1055", "name": "Process Injection", "display_name": "T1055 - Process Injection" }, { "id": "T1056", "name": "Input Capture", "display_name": "T1056 - Input Capture" }, { "id": "T1060", "name": "Registry Run Keys / Startup Folder", "display_name": "T1060 - Registry Run Keys / Startup Folder" }, { "id": "T1068", "name": "Exploitation for Privilege Escalation", "display_name": "T1068 - Exploitation for Privilege Escalation" }, { "id": "T1080", "name": "Taint Shared Content", "display_name": "T1080 - Taint Shared Content" }, { "id": "T1082", "name": "System Information Discovery", "display_name": "T1082 - System Information Discovery" }, { "id": "T1085", "name": "Rundll32", "display_name": "T1085 - Rundll32" }, { "id": "T1114", "name": "Email Collection", "display_name": "T1114 - Email Collection" }, { "id": "T1123", "name": "Audio Capture", "display_name": "T1123 - Audio Capture" }, { "id": "T1125", "name": "Video Capture", "display_name": "T1125 - Video Capture" }, { "id": "T1129", "name": "Shared Modules", "display_name": "T1129 - Shared Modules" }, { "id": "T1140", "name": "Deobfuscate/Decode Files or Information", "display_name": "T1140 - Deobfuscate/Decode Files or Information" }, { "id": "T1143", "name": "Hidden Window", "display_name": "T1143 - Hidden Window" }, { "id": "T1155", "name": "AppleScript", "display_name": "T1155 - AppleScript" }, { "id": "T1179", "name": "Hooking", "display_name": "T1179 - Hooking" }, { "id": "T1190", "name": "Exploit Public-Facing Application", "display_name": "T1190 - Exploit Public-Facing Application" }, { "id": "T1210", "name": "Exploitation of Remote Services", "display_name": "T1210 - Exploitation of Remote Services" }, { "id": "T1449", "name": "Exploit SS7 to Redirect Phone Calls/SMS", "display_name": "T1449 - Exploit SS7 to Redirect Phone Calls/SMS" }, { "id": "T1472", "name": "Generate Fraudulent Advertising Revenue", "display_name": "T1472 - Generate Fraudulent Advertising Revenue" }, { "id": "T1506", "name": "Web Session Cookie", "display_name": "T1506 - Web Session Cookie" }, { "id": "T1512", "name": "Capture Camera", "display_name": "T1512 - Capture Camera" }, { "id": "T1566", "name": "Phishing", "display_name": "T1566 - Phishing" }, { "id": "T1583", "name": "Acquire Infrastructure", "display_name": "T1583 - Acquire Infrastructure" }, { "id": "T1586", "name": "Compromise Accounts", "display_name": "T1586 - Compromise Accounts" }, { "id": "T1598", "name": "Phishing for Information", "display_name": "T1598 - Phishing for Information" } ], "industries": [ "Government", "Defense", "Healthcare" ], "TLP": "green", "cloned_from": "692897a64c0e255409b5a67e", "export_count": 2, "upvotes_count": 0, "downvotes_count": 0, "votes_count": 0, "locked": false, "pulse_source": "web", "validator_count": 0, "comment_count": 0, "follower_count": 0, "vote": 0, "author": { "username": "Q.Vashti", "id": "337942", "avatar_url": "https://otx.alienvault.com/assets/images/default-avatar.png", "is_subscribed": false, "is_following": false }, "indicator_type_counts": { "URL": 3709, "hostname": 1109, "FileHash-SHA256": 2872, "FileHash-MD5": 214, "FileHash-SHA1": 203, "domain": 557 }, "indicator_count": 8664, "is_author": false, "is_subscribing": null, "subscriber_count": 138, "modified_text": "102 days ago ", "is_modified": false, "groups": [], "in_group": false, "threat_hunter_scannable": true, "threat_hunter_has_agents": 1, "related_indicator_type": "URL", "related_indicator_is_active": 1 }, { "id": "692897a64c0e255409b5a67e", "name": "Frost Security | Attorneys | Government | Crazy", "description": "Dangerous. Being abused by the usual quasi government suspects. Affecting many targets including Candace Owens. Who can you turn to when your own government is 100% corrupt. \n\nCall me crazy. Idk. DJT was likely shot with a High Velocity Paint Ball. Why isn\u2019t anyone interviewing the families of the 3 \u2018allegedly\u2019 successfully assassinated. \n\nIs Charlie Kirk Dead or in hiding, an alien that doesn\u2019t bleed? \n\nLook it up. High Velocity Paint Ball is a very intensely underrated, nharsky spoken about sport enjoyed by gun enthusiast , snipers , military, civilians. Something weird is going on and it\u2019s actually obvious because they just want results.\n There\u2019s more disturbing things to come. I think more people are being taken out this way than we know.\nBy now I\u2019m under too much surveillance to just leave out casually. \nTerrifying for sure. I know Hos of the Bible is bigger.", "modified": "2025-12-27T17:01:06.155000", "created": "2025-11-27T18:25:42.570000", "tags": [ "active", "type win32", "exe size", "first seen", "malicious avg", "win32", "gdata", "dynamicloader", "fe ff", "high", "write c", "data", "x00bx00", "uswv", "write", "redline", "stream", "guard", "malware", "push", "local", "crazyfrost", "adversarial", "hacker", "extraction", "enter sc", "data upload", "extre data", "included iocs", "url http", "url https", "include review", "exclude sugges", "frost security", "windir", "openurl c", "prefetch2", "analysis", "tor analysis", "dns requests", "domain address", "contacted hosts", "ip address", "process details", "learn", "ck id", "name tactics", "suspicious", "informative", "command", "spawns", "defense evasion", "t1480 execution", "signing defense", "united", "flag", "contacted", "http traffic", "file defense", "mitre att", "ck techniques", "evasion att", "belize", "div div", "passive dns", "link", "ipv4 add", "url analysis", "urls", "files", "meta", "ddos", "indicators show", "search", "type indicator", "role title", "added active", "related pulses", "hostname", "types", "hosanna", "x show", "ck ids", "t1060", "run keys", "startup", "folder", "t1036", "capture", "cookie", "palantir", "indicator role", "active related", "description", "trump supporter", "types of", "germany", "china", "netherlands", "https", "notice", "billions", "stop", "boobs130432 no", "expiration", "location poland", "asn as29522", "learn more", "domain", "foundry", "hallrender", "brian sabey", "tam legal", "christopher p ahmann", "palantir", "quasi government", "pentagon" ], "references": [ "http://www.crazyfrost.com/wp-content/uploads/2011/01/%D0%BA%D0%BE%D0%BB%D0%BB%D0%B0%D0%B68.jpg\t URL", "http://frostsecurity.net/frost/driver/ \u2022 http://frostsecurity.net/frost/frostupdater/", "https://tamlegal.com/attorneys/christopher-p-ahmann/", "https://www.hallrender.com/attorney/brian-sabey/Accept", "https://www.pornhub.com/gifs/search?search=tsara+lynn+brashears+lesbian", "http://mypornvid.com/videos/27/x510fb2/white-dpt-jeffrey-reimer-loves-pretty-indian-patient-forces-sex-3gp-video-tsara-brashears/caillou-finger-family", "http://vtwctr.org/explore/tsara-brashears-defeats-jeffrey-reimer/ phishing", "http://alohatube.xyz/search/tsara-brashears No Expiration\t278\t URL http://alohatube.xyz/search/tsara-brashears/ No Expiration\t62\t URL http://amp.mypornvid.fun/videos/2/SLFGMWoQaCU/white-dpt-jeffrey-reimer-loves-pretty-indian-patient-forces-sex-3gp-video-tsara-brashears No Expiration\t49\t URL http://anybunny.tv/search/tsara-brashears-submission-on-august-27-via-manual.html&us No Expiration\t27\t URL http://browntubeporn.com/tsara-brashears.html No Expiration\t40\t URL http://flexporn.net/tsara-brashears.html", "http://wapwon.live/category/tsara-brashears-assaulted-by-jeffrey-reimerAccept-Languauge phishing", "https://www.anyxxxtube.net/search-porn/tsara-brashears/ phishing", "http://advocate-smyslova.ru/tsara-brashears/", "http://pixelrz.com/lists/keywords/tsara-brashears-jeffrey-reimer-porn/;0.48692189815948833", "http://orangeporntube.net/tsara-brashears.html", "http://onlyindianporn2.com/videos/tsara-brashears/", "http://videolal.com/tsara-brashears-dead.html", "http://siteinlink.d1.cnbd.net/search/tsara-brashears-dead/", "http://www.music-forum.org/www-cixiu888-com-tsara-brashears.html", "http://wapwon.live/category/tsara-brashears-assaulted-by-jeffrey-reimerAccept-Language", "http://www.bukaporn.net/trend/tsara-brashears/ No Expiration\t41\t URL http://www.gdsl-pallemoebler.info/seach/tsara-brashears/", "http://www.sexpornimages.com/tsara/tsara-lynn-brashears-porn/7x56y.html No Expiration\t41\t URL http://www.sweetheartvideo.com/tsara-brashears No Expiration\t81\t URL http://www.tryporn.net/seach/tsara-brashears/ No Expiration\t41\t URL http://www.tryporno.net/movies/tsara-brashears/ No Expiration\t42\t URL https://alohatube.xyz/search/tsara-brashears No Expiration\t211\t URL https://alohatube.xyz/search/tsara-brashears+ No Expiration\t51\t URL https://browntubeporn.com/tsara-brashearsAccept-Language No Expiratio", "http://www.sexpornimages.com/tsara/tsara-lynn-brashears-porn/7x56y.html", "https://browntubeporn.com/tsara-brashearsAccept-Language", "http://www.tryporn.net/seach/tsara-brashears/", "https://alohatube.xyz/search/tsara-brashearsL", "http://onlyindianporn2.com/videos/tsara-brashears/", "http://orangeporntube.net/tsara-brashears.html", "https://www.dirtsearch.org/data/TSARA/BRASHEARS/", "https://youjizz.sex/tsara-brashears.html", "https://www.feestzalenvanvlaanderen.be/seach/tsara-brashears/", "https://www.xvxx.me/search/tsara-brashears/", "https://wallpapers-nature.com/tsara-brashears/tse1-mm-bing-net", "https://www.sweetheartvideo.com/tsara-brashear", "https://wallpapers-nature.com/tsara-brashears/urlscan-io", "http://www.gdsl-pallemoebler.info/seach/tsara-brashears/", "http://www.bukaporn.net/trend/tsara-brashears/", "tsara-brashears-deadspin-twitter-suspended-account-help.ht", "https://mom2fuck.mobi/tsara-brashears.html", "http://vtwctr.org/explore/tsara- brashears-defeats-jeffrey-reimer/", "http://www.anyxxxtube.net/search-porn/tsara-brashears", "www.palantir.com \u2022 palantir.io \u2022 http://datafoundry.com/", "http://watchhers.net/index.php \u2022 foundry2sdbl.dvr.dn2.n-helix.com", "https://steam.exacg.cc/ \u2022 http://tesgm.ru/_ld/5/584_steam_apidll_Th.rar", "Targeting Tsara Brasheras and associated", "Targeting Candace Owens" ], "public": 1, "adversary": "", "targeted_countries": [], "malware_families": [ { "id": "Ms Defender\tALF:HeraklezEval:Trojan:Win32/ClipBanker", "display_name": "Ms Defender\tALF:HeraklezEval:Trojan:Win32/ClipBanker", "target": null }, { "id": "Other Malware", "display_name": "Other Malware", "target": null } ], "attack_ids": [ { "id": "T1119", "name": "Automated Collection", "display_name": "T1119 - Automated Collection" }, { "id": "T1027", "name": "Obfuscated Files or Information", "display_name": "T1027 - Obfuscated Files or Information" }, { "id": "T1057", "name": "Process Discovery", "display_name": "T1057 - Process Discovery" }, { "id": "T1069", "name": "Permission Groups Discovery", "display_name": "T1069 - Permission Groups Discovery" }, { "id": "T1071", "name": "Application Layer Protocol", "display_name": "T1071 - Application Layer Protocol" }, { "id": "T1105", "name": "Ingress Tool Transfer", "display_name": "T1105 - Ingress Tool Transfer" }, { "id": "T1480", "name": "Execution Guardrails", "display_name": "T1480 - Execution Guardrails" }, { "id": "T1553", "name": "Subvert Trust Controls", "display_name": "T1553 - Subvert Trust Controls" }, { "id": "T1457", "name": "Malicious Media Content", "display_name": "T1457 - Malicious Media Content" }, { "id": "T1071.004", "name": "DNS", "display_name": "T1071.004 - DNS" }, { "id": "T1116", "name": "Code Signing", "display_name": "T1116 - Code Signing" }, { "id": "T1036", "name": "Masquerading", "display_name": "T1036 - Masquerading" }, { "id": "T1036.004", "name": "Masquerade Task or Service", "display_name": "T1036.004 - Masquerade Task or Service" }, { "id": "T1043", "name": "Commonly Used Port", "display_name": "T1043 - Commonly Used Port" }, { "id": "T1051", "name": "Shared Webroot", "display_name": "T1051 - Shared Webroot" }, { "id": "T1053", "name": "Scheduled Task/Job", "display_name": "T1053 - Scheduled Task/Job" }, { "id": "T1055", "name": "Process Injection", "display_name": "T1055 - Process Injection" }, { "id": "T1056", "name": "Input Capture", "display_name": "T1056 - Input Capture" }, { "id": "T1060", "name": "Registry Run Keys / Startup Folder", "display_name": "T1060 - Registry Run Keys / Startup Folder" }, { "id": "T1068", "name": "Exploitation for Privilege Escalation", "display_name": "T1068 - Exploitation for Privilege Escalation" }, { "id": "T1080", "name": "Taint Shared Content", "display_name": "T1080 - Taint Shared Content" }, { "id": "T1082", "name": "System Information Discovery", "display_name": "T1082 - System Information Discovery" }, { "id": "T1085", "name": "Rundll32", "display_name": "T1085 - Rundll32" }, { "id": "T1114", "name": "Email Collection", "display_name": "T1114 - Email Collection" }, { "id": "T1123", "name": "Audio Capture", "display_name": "T1123 - Audio Capture" }, { "id": "T1125", "name": "Video Capture", "display_name": "T1125 - Video Capture" }, { "id": "T1129", "name": "Shared Modules", "display_name": "T1129 - Shared Modules" }, { "id": "T1140", "name": "Deobfuscate/Decode Files or Information", "display_name": "T1140 - Deobfuscate/Decode Files or Information" }, { "id": "T1143", "name": "Hidden Window", "display_name": "T1143 - Hidden Window" }, { "id": "T1155", "name": "AppleScript", "display_name": "T1155 - AppleScript" }, { "id": "T1179", "name": "Hooking", "display_name": "T1179 - Hooking" }, { "id": "T1190", "name": "Exploit Public-Facing Application", "display_name": "T1190 - Exploit Public-Facing Application" }, { "id": "T1210", "name": "Exploitation of Remote Services", "display_name": "T1210 - Exploitation of Remote Services" }, { "id": "T1449", "name": "Exploit SS7 to Redirect Phone Calls/SMS", "display_name": "T1449 - Exploit SS7 to Redirect Phone Calls/SMS" }, { "id": "T1472", "name": "Generate Fraudulent Advertising Revenue", "display_name": "T1472 - Generate Fraudulent Advertising Revenue" }, { "id": "T1506", "name": "Web Session Cookie", "display_name": "T1506 - Web Session Cookie" }, { "id": "T1512", "name": "Capture Camera", "display_name": "T1512 - Capture Camera" }, { "id": "T1566", "name": "Phishing", "display_name": "T1566 - Phishing" }, { "id": "T1583", "name": "Acquire Infrastructure", "display_name": "T1583 - Acquire Infrastructure" }, { "id": "T1586", "name": "Compromise Accounts", "display_name": "T1586 - Compromise Accounts" }, { "id": "T1598", "name": "Phishing for Information", "display_name": "T1598 - Phishing for Information" } ], "industries": [ "Government", "Defense", "Healthcare" ], "TLP": "green", "cloned_from": null, "export_count": 10, "upvotes_count": 0, "downvotes_count": 0, "votes_count": 0, "locked": false, "pulse_source": "web", "validator_count": 0, "comment_count": 0, "follower_count": 0, "vote": 0, "author": { "username": "Q.Vashti", "id": "337942", "avatar_url": "https://otx.alienvault.com/assets/images/default-avatar.png", "is_subscribed": false, "is_following": false }, "indicator_type_counts": { "URL": 3709, "hostname": 1109, "FileHash-SHA256": 2872, "FileHash-MD5": 214, "FileHash-SHA1": 203, "domain": 557 }, "indicator_count": 8664, "is_author": false, "is_subscribing": null, "subscriber_count": 139, "modified_text": "113 days ago ", "is_modified": true, "groups": [], "in_group": false, "threat_hunter_scannable": true, "threat_hunter_has_agents": 1, "related_indicator_type": "URL", "related_indicator_is_active": 1 } ], "error": null, "vt": { "error": "VirusTotal rate limit reached. Try again shortly.", "indicator": "https://pajamasly.com", "type": "URL" }, "abuseipdb": null, "urlhaus": { "indicator": "https://pajamasly.com", "type": "URL", "found": false, "verdict": "clean", "error": null }, "from_cache": true, "_cached_at": 1776640803.1549635 }