{
  "type": "URL",
  "indicator": "https://restadesk.com",
  "general": {
    "sections": [
      "general",
      "url_list",
      "http_scans",
      "screenshot"
    ],
    "indicator": "https://restadesk.com",
    "type": "url",
    "type_title": "URL",
    "validation": [],
    "base_indicator": {
      "id": 3469067559,
      "indicator": "https://restadesk.com",
      "type": "URL",
      "title": "",
      "description": "",
      "content": "",
      "access_type": "public",
      "access_reason": ""
    },
    "pulse_info": {
      "count": 8,
      "pulses": [
        {
          "id": "69a9ce01247e20a6471da4c6",
          "name": "@scnrscnr Public",
          "description": "",
          "modified": "2026-03-06T05:11:18.452000",
          "created": "2026-03-05T18:40:01.671000",
          "tags": [
            "Steven Crowder"
          ],
          "references": [],
          "public": 1,
          "adversary": "LOSER",
          "targeted_countries": [
            "United States of America"
          ],
          "malware_families": [],
          "attack_ids": [],
          "industries": [
            "Media",
            "Fake news",
            "Shit heels"
          ],
          "TLP": "white",
          "cloned_from": "62f81314ac5e791af1f2f00d",
          "export_count": 1,
          "upvotes_count": 0,
          "downvotes_count": 0,
          "votes_count": 0,
          "locked": false,
          "pulse_source": "web",
          "validator_count": 0,
          "comment_count": 0,
          "follower_count": 0,
          "vote": 0,
          "author": {
            "username": "msudosos",
            "id": "381696",
            "avatar_url": "https://otx.alienvault.com/assets/images/default-avatar.png",
            "is_subscribed": false,
            "is_following": false
          },
          "indicator_type_counts": {
            "hostname": 789,
            "domain": 387,
            "URL": 1733,
            "CVE": 1,
            "FileHash-SHA256": 212
          },
          "indicator_count": 3122,
          "is_author": false,
          "is_subscribing": null,
          "subscriber_count": 65,
          "modified_text": "87 days ago ",
          "is_modified": true,
          "groups": [],
          "in_group": false,
          "threat_hunter_scannable": true,
          "threat_hunter_has_agents": 1,
          "related_indicator_type": "URL",
          "related_indicator_is_active": 1
        },
        {
          "id": "686d28ec9208b0424e0ccad2",
          "name": "Remote Keylogger | Foundry",
          "description": "Keylogger Remotely installed on all of targets devices. Up until\u2026 target had to purchase and return more than 50\ndevices minus service plans. Apple\nengineers have been involved many times. Mercenary attacks also confirmed: A kind phone store owner gave her a free phone that was hacked within seconds. \nUnless someone has been \u2018framing Palantir / Foundry Tech Mafia is portrayed a playing a  significant involvement of SA victim potentially since  day of coerced disclosure in 2013.\nThe first clue was a YouTube follower with a menacing name and picture began to follow, change login,  network, dumped adult content, utilized web content scrapers,. stole\nPasswords,etc., Anyway .. Unruy  & remotely installed keylogger. \n#foundry #apple #soc #keylogger \n\nThis is risky to say but very wrong to do. She was a multi generational (MGM) American.",
          "modified": "2025-09-19T03:02:22.742000",
          "created": "2025-07-08T14:19:24.211000",
          "tags": [
            "delete",
            "msie",
            "windows nt",
            "wow64",
            "slcc2",
            "media center",
            "delete c",
            "intel",
            "write",
            "malware",
            "dynamicloader",
            "yara rule",
            "high",
            "vmware",
            "phishing",
            "remote",
            "keylogger",
            "remote keylogger",
            "type indicator",
            "related pulses",
            "no expiration",
            "url https",
            "showing",
            "reputation",
            "foundry",
            "apple",
            "downloader",
            "trojan"
          ],
          "references": [
            "http://www.download-servers.com/SysInfo/Validate.exe||random.exe||/S||access your PC from anywhere!||Remote Access to your Home or Office PC remotely. Work on your PC from any internet computer or mobile. Access All files and transfer them between computers. Invite friends to view your LiveScreen and share presentations.||",
            "\u2022 engine.remote-keylogger.net \u2022 logout-superset2.remote-keylogger.net \u2022 mail.remote-keylogger.net",
            "\u2022 http://appleid.apple.com-cgi-bin-wets-myapleid.woa-wa-direct.yimucentral.com/apple/cgibin/confirm/processing/cmd=/95d9e0a26d38b5f248bb389e1a4d14c0/webobjects",
            "\u2022  199.59.243.226",
            "\u2022 ww25.vpn.steamcommunity-site.info",
            "\u2022 apple-mac.us \u2022 zpwi8.itunes-apple-jp.xyz \u2022 applefanatic.org \u2022 appleemailaccounts.com \u2022 http://appleemailaccounts.com/",
            "\u2022 zgcdfoundry.com \u2022 https://zgcdfoundry.com/",
            "\u2022 ww25.vpn.twitte5r.com | http://paypal-online.5flix.net/ | court-supreme.us",
            "\u2022 https://animal64u.com/bestiality-animal-porn/dog \u2022 \thttp://xxnxporntube.com",
            "\u2022 starbucksmobilepay.5flix.net | https://mobilemobster.com/"
          ],
          "public": 1,
          "adversary": "",
          "targeted_countries": [
            "United States of America"
          ],
          "malware_families": [
            {
              "id": "Unruy",
              "display_name": "Unruy",
              "target": null
            },
            {
              "id": "Reputation.1",
              "display_name": "Reputation.1",
              "target": null
            }
          ],
          "attack_ids": [
            {
              "id": "T1045",
              "name": "Software Packing",
              "display_name": "T1045 - Software Packing"
            },
            {
              "id": "T1060",
              "name": "Registry Run Keys / Startup Folder",
              "display_name": "T1060 - Registry Run Keys / Startup Folder"
            },
            {
              "id": "T1457",
              "name": "Malicious Media Content",
              "display_name": "T1457 - Malicious Media Content"
            },
            {
              "id": "T1056.001",
              "name": "Keylogging",
              "display_name": "T1056.001 - Keylogging"
            },
            {
              "id": "T1566",
              "name": "Phishing",
              "display_name": "T1566 - Phishing"
            },
            {
              "id": "T1110.002",
              "name": "Password Cracking",
              "display_name": "T1110.002 - Password Cracking"
            },
            {
              "id": "T1210",
              "name": "Exploitation of Remote Services",
              "display_name": "T1210 - Exploitation of Remote Services"
            },
            {
              "id": "T1133",
              "name": "External Remote Services",
              "display_name": "T1133 - External Remote Services"
            }
          ],
          "industries": [
            "Telecommunications",
            "Technology",
            "Media"
          ],
          "TLP": "white",
          "cloned_from": null,
          "export_count": 16,
          "upvotes_count": 0,
          "downvotes_count": 0,
          "votes_count": 0,
          "locked": false,
          "pulse_source": "web",
          "validator_count": 0,
          "comment_count": 1,
          "follower_count": 0,
          "vote": 0,
          "author": {
            "username": "Q.Vashti",
            "id": "337942",
            "avatar_url": "https://otx.alienvault.com/assets/images/default-avatar.png",
            "is_subscribed": false,
            "is_following": false
          },
          "indicator_type_counts": {
            "FileHash-MD5": 260,
            "FileHash-SHA1": 244,
            "FileHash-SHA256": 4406,
            "URL": 9684,
            "domain": 3164,
            "hostname": 3370,
            "CVE": 1
          },
          "indicator_count": 21129,
          "is_author": false,
          "is_subscribing": null,
          "subscriber_count": 148,
          "modified_text": "255 days ago ",
          "is_modified": true,
          "groups": [],
          "in_group": false,
          "threat_hunter_scannable": true,
          "threat_hunter_has_agents": 1,
          "related_indicator_type": "URL",
          "related_indicator_is_active": 1
        },
        {
          "id": "65c607c354336e9c19aa3e1f",
          "name": "RansomEXX + Cyber attack \u2022 Premier Denver Recording Studio",
          "description": "Studio description: Adelio developed and managed A-list producer DJ Frank E, who has worked with the likes of Kanye West, B.O.B., Madonna, and Justin Bieber...\nResearch confirms target releases songs recorded @ Side3 studios.\nCreative differences aren't uncommon, research shows a common kink with m. Brian sabey if hallrender hacking everything from hospitals to insurance portals. He's nuts. Unclear if true name of attacker is Brian Sabey /Tulach / using NSO group and various cyber attacks. A man representing an attorney named  M. Brian Sabey socially engineered himself and others into target's world. If studio interns or management had malice towards target, social engineering access would be easy.",
          "modified": "2024-03-10T11:05:48.248000",
          "created": "2024-02-09T11:08:51.939000",
          "tags": [
            "url http",
            "united",
            "unknown",
            "search",
            "status",
            "creation date",
            "date",
            "expiration date",
            "showing",
            "as201682 liquid",
            "as32244 liquid",
            "trojan",
            "passive dns",
            "entries",
            "scan endpoints",
            "all octoseek",
            "ipv4",
            "pulse pulses",
            "open",
            "win32",
            "body",
            "date hash",
            "avast avg",
            "lowfi",
            "ssl certificate",
            "contacted",
            "whois whois",
            "sdhyzbh7v http",
            "whois record",
            "execution",
            "apple ios",
            "historical ssl",
            "resolutions",
            "sdhyzbh7v",
            "attack",
            "ransomexx",
            "quasar",
            "asyncrat",
            "hacktool",
            "maze",
            "find",
            "hell",
            "crypto",
            "remcosrat",
            "worm",
            "first",
            "utc submissions",
            "submitters",
            "computer",
            "company limited",
            "gandi sas",
            "porkbun llc",
            "ovh sas",
            "summary iocs",
            "graph community",
            "as63949 linode",
            "for privacy",
            "asnone united",
            "as174 cogent",
            "as197695 domain",
            "russia unknown",
            "as16276",
            "france unknown",
            "encrypt",
            "next",
            "tsara brashears",
            "targeting",
            "cyber threat",
            "abuse",
            "malware spreading",
            "hallgrand",
            "tulach",
            "sabey data centers",
            "sav.com",
            "outbreak",
            "location united",
            "asn as63949",
            "whois registrar",
            "related tags",
            "interfacing",
            "malicious",
            "retaliation",
            "botnet",
            "porn",
            "teen porn",
            "illegal activities",
            "theft",
            "side3studios"
          ],
          "references": [
            "http://mobilesmafia.com/applications/botnet.ex",
            "Found in: https://Side3.com/",
            "CnC IP's: 198.58.118.167 \u2022 45.33.18.44 \u2022 45.33.2.79 \u2022 45.33.20.235 \u2022 45.33.23.183 \u2022 45.33.30.197 \u2022 45.79.19.196 \u2022 45.33.30.197 \u2022 45.56.79.23 \u2022 72.14.178.174 \u2022 72.14.185.43 \u2022 96.126.123.244",
            "https://otx.alienvault.com/indicator/domain/findmy-apple.support",
            "https://www.anyxxxtube.net/search-porn/tsara-brashears/ [phishing \u2022 malvertizing \u2022 apple data collection]",
            "nr-data.net [Apple Private Data Collection]",
            "WHOIS Registrar: SAV.COM, LLC - 35,   Creation Date: Feb 5, 2024 - again?",
            "/addons/error.txt&reffer=http://www.mp3olimp.net/\" target=\"_blank\" class=\"nowrap ellipsis\">http://c1.getapplicationmy.info/?step_id=1&installer_id=3243239242933260735&publisher_id=1273&source_id=0&page_id=0&affiliate_id=0&country_code=RU&locale=EN&browser_id=1&download_id=1595002368180071203&external_id=0&session_id=16667576891246135775&hardware_id=8615325681080375910&product_name=vintage+boxing+bell+03&=&=&=&=&filesize=113.03mb&product_title=vintage+boxing+bell+03&installer_file_name=vintage+boxing+bell+03",
            "http://c1.getapplicationmy.info/?step_id=1&installer_id=5230748627062792346&publisher_id=1160&source_id=0&page_id=0&affiliate_id=0&country_code=ES&locale=EN&browser_id=2&download_id=8693199875993334460&external_id=0&session_id=16805482311189156276&hardware_id=369127768221549700&product_name=cocina.rar&installer_file_name=cocina.rar&product_file_name=cocina.rar&product_download_url=http://fra-7m17-stor09.uploaded.net/dl/a2433760-879d-4562-b94d-461547fc758c&AddToPayload=StepReport=",
            "http://c1.getapplicationmy.info/?step_id=1&installer_id=3243239242933260735&publisher_id=1273&source_id=0&page_id=0&affiliate_id=0&country_code=RU&locale=EN&browser_id=1&download_id=1595002368180071203&external_id=0&session_id=16667576891246135775&hardware_id=8615325681080375910&product_name=vintage+boxing+bell+03&amp=&amp=&amp=&amp=&filesize=113.03mb&product_title=vintage+boxing+bell+03&installer_file_name=vintage+boxing+bell+03&product_file_name=vintage+boxing&AddToPayload=StepReport=",
            "http://c1.getapplicationmy.info/?step_id=1&installer_id=3243239242933260735&publisher_id=1273&source_id=0&page_id=0&affiliate_id=0&country_code=RU&locale=EN&browser_id=1&download_id=1595002368180071203&external_id=0&session_id=16667576891246135775&hardware_id=8615325681080375910&product_name=vintage+boxing+bell+03&amp=&amp=&amp=&amp=&filesize=113.03mb&product_title=vintage+boxing+bell+03&installer_file_name=vintage+boxing+bell+03&product_file_name=vintage+boxing&AddToPayload=StepReport=",
            "http://c1.downlloaddatamy.info/?step_id=1&installer_id=4472257684899349270&publisher_id=2213&source_id=0&page_id=0&affiliate_id=0&country_code=RU&locale=EN&browser_id=2&download_id=5397224780012170065&external_id=0&installer_type=IX_2013&hardware_id=15739043569615579517&session_id=6869288066589810689&installer_type=IX_2013&amp=&amp=&amp=&q=solutionnice.info&product_name=Design%20and%20Implementation%20of%20a%20Home%20Embedded%20Surveillance%20System%20with%20Ultra%20Low%20Alert%20Power%20doc&installer_file_",
            "http://c2.getapplicationmy.info/?step_id=1&installer_id=2096894809025524155&publisher_id=1273&source_id=0&page_id=0&affiliate_id=0&country_code=RU&locale=EN&browser_id=1&download_id=6356079339412925470&external_id=0&session_id=14287130792570298399&hardware_id=11580995441620935677&product_name=rachel%20blaine%20-%20don%20t%20you%20want%20me&product_file_name=error.txt&AddToPayload=",
            "http://c2.getapplicationmy.info/?step_id=1&installer_id=2488504921480818878&publisher_id=1160&source_id=0&page_id=0&affiliate_id=0&country_code=ES&locale=EN&browser_id=4&download_id=2186029835193520054&external_id=0&session_id=16256931977914952487&hardware_id=14366935065466949181&product_name=Libro%23003119.pdf&installer_file_name=Libro%23003119.pdf&product_file_name=Libro%23003119.pdf&product_download_url=http://fra-7m21-stor06.uploaded.net/dl/780b5695-d022-4fab-9aa0-b967ecaf5828&AddToPayload=StepReport=",
            "http://c2.getapplicationmy.info/?step_id=1&installer_id=2488504921480818878&publisher_id=1160&source_id=0&page_id=0&affiliate_id=0&country_code=ES&locale=EN&browser_id=4&download_id=2186029835193520054&external_id=0&session_id=16256931977914952487&hardware_id=14366935065466949181&product_name=Libro%23003119.pdf&installer_file_name=Libro%23003119.pdf&product_file_name=Libro%23003119.pdf&product_download_url=http://fra-7m21-stor06.uploaded.net/dl/780b5695-d022-4fab-9aa0-b967ecaf5828&AddToPayload=StepReport=",
            "m.pornsexer.xxx.3.1.adiosfil.roksit.net",
            "https://sexpornimages.com.leechlink.net [Match: www.sexpornimages.com/lynn/lynn-brashears-tsara-porn/rc1j0g.html]",
            "pornhub.org",
            "ww12.indianpornxxxtube.com",
            "youporndownload.com [park logic -malicious] http://golddesisex.com/en/search/teen%20anal%20long%20porn"
          ],
          "public": 1,
          "adversary": "",
          "targeted_countries": [],
          "malware_families": [
            {
              "id": "Win32:Inject-BCL\\ [Trj]",
              "display_name": "Win32:Inject-BCL\\ [Trj]",
              "target": null
            },
            {
              "id": "#Lowfi:SuspiciousSectionName",
              "display_name": "#Lowfi:SuspiciousSectionName",
              "target": null
            },
            {
              "id": "Win32:Evo-gen\\ [Trj]",
              "display_name": "Win32:Evo-gen\\ [Trj]",
              "target": null
            },
            {
              "id": "Win.Trojan.Mbrlock-9779766-0",
              "display_name": "Win.Trojan.Mbrlock-9779766-0",
              "target": null
            },
            {
              "id": "Win.Trojan.Agent-828507",
              "display_name": "Win.Trojan.Agent-828507",
              "target": null
            },
            {
              "id": "SHeur4.CEOO",
              "display_name": "SHeur4.CEOO",
              "target": null
            },
            {
              "id": "Win32/Cryptor",
              "display_name": "Win32/Cryptor",
              "target": null
            },
            {
              "id": "Win32/Tanatos.A",
              "display_name": "Win32/Tanatos.A",
              "target": null
            },
            {
              "id": "W32.Sality-73",
              "display_name": "W32.Sality-73",
              "target": null
            },
            {
              "id": "Generic_r.BYW",
              "display_name": "Generic_r.BYW",
              "target": null
            },
            {
              "id": "RansomEXX",
              "display_name": "RansomEXX",
              "target": null
            },
            {
              "id": "HackTool",
              "display_name": "HackTool",
              "target": null
            },
            {
              "id": "Trojan:Win32/RemcosRAT",
              "display_name": "Trojan:Win32/RemcosRAT",
              "target": "/malware/Trojan:Win32/RemcosRAT"
            },
            {
              "id": "Quasar RAT",
              "display_name": "Quasar RAT",
              "target": null
            }
          ],
          "attack_ids": [
            {
              "id": "T1583.005",
              "name": "Botnet",
              "display_name": "T1583.005 - Botnet"
            },
            {
              "id": "T1071.002",
              "name": "File Transfer Protocols",
              "display_name": "T1071.002 - File Transfer Protocols"
            },
            {
              "id": "T1031",
              "name": "Modify Existing Service",
              "display_name": "T1031 - Modify Existing Service"
            }
          ],
          "industries": [
            "Entertainment",
            "Technology",
            "Telecommunications",
            "Media"
          ],
          "TLP": "white",
          "cloned_from": null,
          "export_count": 39,
          "upvotes_count": 0,
          "downvotes_count": 0,
          "votes_count": 0,
          "locked": false,
          "pulse_source": "web",
          "validator_count": 0,
          "comment_count": 0,
          "follower_count": 0,
          "vote": 0,
          "author": {
            "username": "OctoSeek",
            "id": "243548",
            "avatar_url": "/otxapi/users/avatar_image/media/avatars/user_243548/resized/80/avatar_3b9c358f36.png",
            "is_subscribed": false,
            "is_following": false
          },
          "indicator_type_counts": {
            "URL": 71387,
            "domain": 8768,
            "hostname": 17727,
            "email": 16,
            "FileHash-MD5": 195,
            "FileHash-SHA1": 168,
            "FileHash-SHA256": 15313,
            "CVE": 9,
            "CIDR": 7
          },
          "indicator_count": 113590,
          "is_author": false,
          "is_subscribing": null,
          "subscriber_count": 226,
          "modified_text": "812 days ago ",
          "is_modified": true,
          "groups": [],
          "in_group": false,
          "threat_hunter_scannable": true,
          "threat_hunter_has_agents": 1,
          "related_indicator_type": "URL",
          "related_indicator_is_active": 1
        },
        {
          "id": "65708f57867c1032f7d21ff6",
          "name": "TSULoader.exe - aka: 7ef833e50992370e008a9efe630a87bfe8f19dbbcf025a3b5972aa1969b7958a",
          "description": "",
          "modified": "2023-12-06T15:12:23.002000",
          "created": "2023-12-06T15:12:23.002000",
          "tags": [],
          "references": [],
          "public": 1,
          "adversary": "",
          "targeted_countries": [],
          "malware_families": [],
          "attack_ids": [],
          "industries": [],
          "TLP": "green",
          "cloned_from": null,
          "export_count": 2,
          "upvotes_count": 0,
          "downvotes_count": 0,
          "votes_count": 0,
          "locked": false,
          "pulse_source": "api",
          "validator_count": 0,
          "comment_count": 0,
          "follower_count": 0,
          "vote": 0,
          "author": {
            "username": "StreamMiningEx",
            "id": "262917",
            "avatar_url": "https://otx.alienvault.com/assets/images/default-avatar.png",
            "is_subscribed": false,
            "is_following": false
          },
          "indicator_type_counts": {
            "FileHash-MD5": 287,
            "FileHash-SHA1": 269,
            "FileHash-SHA256": 509,
            "domain": 238,
            "hostname": 566,
            "URL": 1688
          },
          "indicator_count": 3557,
          "is_author": false,
          "is_subscribing": null,
          "subscriber_count": 109,
          "modified_text": "907 days ago ",
          "is_modified": false,
          "groups": [],
          "in_group": false,
          "threat_hunter_scannable": true,
          "threat_hunter_has_agents": 1,
          "related_indicator_type": "URL",
          "related_indicator_is_active": 1
        },
        {
          "id": "646e74e5062377cf3de86dab",
          "name": "Twitter sso sign in to vrus total fails with error of incorrect details yet i totaly bypssed any logn page to input my details",
          "description": "91.195.240.46 looks interesting, guess this all relates to how twitter amongst other big named sites are being abused globally on a grand scale",
          "modified": "2023-06-23T22:24:17.732000",
          "created": "2023-05-24T20:34:45.072000",
          "tags": [
            "sha1",
            "sha256",
            "ssdeep",
            "ezd87bmo tlsh",
            "html magic",
            "html document",
            "ascii text",
            "trid hypertext",
            "markup language",
            "file size",
            "twitter failed Virustotal sso sign im",
            "91.195.240.46"
          ],
          "references": [
            "https://www.virustotal.com/gui/file/909c32285af1230ce22da83e560639970014047aded5d4f482418a11edea1054/details",
            "MD5\ta6cb39e4e394173d69e177ff36a2f42e SHA-1\ta2d50aa5ed73c4d3403a694e8b0aca49977713d5 SHA-256\t909c32285af1230ce22da83e560639970014047aded5d4f482418a11edea1054 Vhash\thtm:821da04452ff547b5490c3d7ba1719ba SSDEEP\t384:EMcRngf/80ACidN/ExvGusVAavvdKAaZzPkXZrJKd87b+mO:EZ/+d87b+mO TLSH\tT1185208B5D1B0A2762967943BB6A5E59E38151B0ECD17F9C1B38983A07AE1FF003526E0 File type\tHTML Magic\tHTML document, ASCII text, with very long lines (9498u) TrID\tHyperText Markup Language (100%) File size\t12.97 KB (13285 bytes)",
            "afb6fed5738e5f984cdfea493a54bbf2cb626e5306687168f67bc91d9082909a %22 f984bb9a4e053d88ae8f0147692784aa6ea04700b1ba6c26d30df5d7a06c58e1 f-c3ccff28ce64e21a6e41e877a463566fdfb0b620c6e0772477f2a6bc21376171-1664295261",
            "91.195.240.46: ec9277a5d8a957aea79379a1d77c9bc57e9ca2d140a7678d6bd4c4e4ce1fc5c2 74c0ecb12b38d1f60dba1ebda935b3a3d7c729ea009cc5ec016850b018f14256 1607f85c85486b31778435a24fb3e028262fa31399d2dc2a8818fc3fac49589c 91.195.240.46de",
            "detection: 35a30f66f7c03b8d8bfe9541cab2a98a0d521b2d6793e49e29b2183304cd0411 c054adb63bc6b7b13c242b3560276f5a491f27d48d2e2a3889860e54ed6c2f0e 2f872735f9d25b10870896aad8a22023a101e460cede4c291854a502d7bdbc0e 5a09bcc5e187b6a1cf9de1bf17316a1dc97325c63be1e373c4ca5b1048fbf747",
            "www.googletagmanger.com 512626c46b8fa1817b396120e7d556288f0815e971a0f52df22ac5633d88b032 212.130.207.121 f-b8714cecc9eb9ad9597c9dfd24c43eba774c5ed6704306157fd62084c50df40d-1405383926",
            "settings contact-us 9cdf0d633399a20a6c5ed9d3533340b2a12e27947c42841eb523bc52dd24929e 23cf7d95fa2b38b48d78522c94f38c5f20f44513bfcce49a46edd543766ae343 T8RFDXPoVsGjhr6FFKaiD0vQJDRoz7h5U=&s3=Cdbb7725f6d6ff&subsrc=485310&s2=485310&sid2=485310&aff_sub2=485310&source=485310&s1=485310%22 f8f600dc0fd6f8e1cf8a93bb68667b832c8c739b72cc8fa51416e7efdb491e47",
            "ccnrj.filehosterus.com aHR0cHM6Ly93d3cuY2dtLnBsL25ld3Mvc3pwYWt1LXNrYXphbnktcmFwZXItdXNseXN6YWwtd3lyb2sv%22 62dee3a4e5973204dffec78a9b8ff387be3ea251a7fa5f1ffaa86baf52519a6d c318aa635086ce2131ce6a1550b43e5507ad4d87d502611b9b30f92f327ca8a4 30a34c1390ae8144fe864ba47c949cca7e9894093eae04151cec9b7a7a283f67 2698cc1ab215049e40bc9fd0d88b6006ee7afeb9157357cbf998c7b21ce6e836 f870d8b854b68a0cfba2689a089b9ab30cd3e7dce60ae89861373af78374b442 Save20130505210838.bin%22 86e84a18fa355c435ee9ea78b4e16e0884b8c357f38be05cae19c7",
            "so it seems all these domains being hosted on 91 ip listed",
            "gona add the remaining info on a different pulse"
          ],
          "public": 1,
          "adversary": "",
          "targeted_countries": [],
          "malware_families": [],
          "attack_ids": [],
          "industries": [],
          "TLP": "white",
          "cloned_from": null,
          "export_count": 7,
          "upvotes_count": 0,
          "downvotes_count": 0,
          "votes_count": 0,
          "locked": false,
          "pulse_source": "web",
          "validator_count": 0,
          "comment_count": 0,
          "follower_count": 0,
          "vote": 0,
          "author": {
            "username": "callmeDoris",
            "id": "205385",
            "avatar_url": "https://otx.alienvault.com/assets/images/default-avatar.png",
            "is_subscribed": false,
            "is_following": false
          },
          "indicator_type_counts": {
            "URL": 130,
            "hostname": 62,
            "domain": 34,
            "FileHash-SHA256": 29,
            "FileHash-MD5": 2,
            "FileHash-SHA1": 1
          },
          "indicator_count": 258,
          "is_author": false,
          "is_subscribing": null,
          "subscriber_count": 90,
          "modified_text": "1073 days ago ",
          "is_modified": true,
          "groups": [],
          "in_group": false,
          "threat_hunter_scannable": true,
          "threat_hunter_has_agents": 1,
          "related_indicator_type": "URL",
          "related_indicator_is_active": 1
        },
        {
          "id": "646e7b0e40bd0b1e08a14010",
          "name": "virustotal sso login failed download of page data - but otx failing me too",
          "description": "Blacklotus \ud83d\ude2c\ud83d\ude33\n264df494bec6020f8a209df519785b2341eee6cdc45952ec74085613ec51365c",
          "modified": "2023-06-23T22:24:17.732000",
          "created": "2023-05-24T21:01:02.771000",
          "tags": [
            "urls",
            "please",
            "javascript",
            "ezd87bmo tlsh",
            "html magic",
            "ascii text",
            "trid hypertext",
            "twitter failed Virustotal sso sign im",
            "91.195.240.46",
            "Blacklotus",
            "264df494bec6020f8a209df519785b2341eee6cdc45952ec74085613ec51365c"
          ],
          "references": [
            "https://www.virustotal.com/gui/file/909c32285af1230ce22da83e560639970014047aded5d4f482418a11edea1054/details",
            "ccnrj.filehosterus.com aHR0cHM6Ly93d3cuY2dtLnBsL25ld3Mvc3pwYWt1LXNrYXphbnktcmFwZXItdXNseXN6YWwtd3lyb2sv%22 62dee3a4e5973204dffec78a9b8ff387be3ea251a7fa5f1ffaa86baf52519a6d c318aa635086ce2131ce6a1550b43e5507ad4d87d502611b9b30f92f327ca8a4 30a34c1390ae8144fe864ba47c949cca7e9894093eae04151cec9b7a7a283f67 2698cc1ab215049e40bc9fd0d88b6006ee7afeb9157357cbf998c7b21ce6e836 f870d8b854b68a0cfba2689a089b9ab30cd3e7dce60ae89861373af78374b442 Save20130505210838.bin%22 86e84a18fa355c435ee9ea78b4e16e0884b8c357f38be05cae19c7",
            "twitter.html (download of vt fail page - self named but was the twitter signin for VT option"
          ],
          "public": 1,
          "adversary": "",
          "targeted_countries": [],
          "malware_families": [],
          "attack_ids": [],
          "industries": [],
          "TLP": "white",
          "cloned_from": null,
          "export_count": 7,
          "upvotes_count": 0,
          "downvotes_count": 0,
          "votes_count": 0,
          "locked": false,
          "pulse_source": "web",
          "validator_count": 0,
          "comment_count": 0,
          "follower_count": 0,
          "vote": 0,
          "author": {
            "username": "callmeDoris",
            "id": "205385",
            "avatar_url": "https://otx.alienvault.com/assets/images/default-avatar.png",
            "is_subscribed": false,
            "is_following": false
          },
          "indicator_type_counts": {
            "URL": 130,
            "hostname": 62,
            "domain": 34,
            "FileHash-SHA256": 29,
            "FileHash-MD5": 2,
            "FileHash-SHA1": 1
          },
          "indicator_count": 258,
          "is_author": false,
          "is_subscribing": null,
          "subscriber_count": 91,
          "modified_text": "1073 days ago ",
          "is_modified": true,
          "groups": [],
          "in_group": false,
          "threat_hunter_scannable": true,
          "threat_hunter_has_agents": 1,
          "related_indicator_type": "URL",
          "related_indicator_is_active": 1
        },
        {
          "id": "62f81314ac5e791af1f2f00d",
          "name": "LOUDER WITH CHOWDERHEAD STEVEN CROWDER",
          "description": "Somebody call the Whambulance.",
          "modified": "2022-09-12T00:04:46.916000",
          "created": "2022-08-13T21:09:40.523000",
          "tags": [
            "Steven Crowder"
          ],
          "references": [],
          "public": 1,
          "adversary": "LOSER",
          "targeted_countries": [
            "United States of America"
          ],
          "malware_families": [],
          "attack_ids": [],
          "industries": [
            "Media",
            "Fake news",
            "Shit heels"
          ],
          "TLP": "white",
          "cloned_from": null,
          "export_count": 3,
          "upvotes_count": 0,
          "downvotes_count": 0,
          "votes_count": 0,
          "locked": false,
          "pulse_source": "web",
          "validator_count": 0,
          "comment_count": 0,
          "follower_count": 0,
          "vote": 0,
          "author": {
            "username": "scnrscnr",
            "id": "126475",
            "avatar_url": "/otxapi/users/avatar_image/media/avatars/user_126475/resized/80/avatar_67ca5b7bae.png",
            "is_subscribed": false,
            "is_following": false
          },
          "indicator_type_counts": {
            "hostname": 787,
            "domain": 387,
            "URL": 1732,
            "CVE": 1,
            "FileHash-SHA256": 212
          },
          "indicator_count": 3119,
          "is_author": false,
          "is_subscribing": null,
          "subscriber_count": 88,
          "modified_text": "1358 days ago ",
          "is_modified": true,
          "groups": [],
          "in_group": false,
          "threat_hunter_scannable": true,
          "threat_hunter_has_agents": 1,
          "related_indicator_type": "URL",
          "related_indicator_is_active": 1
        },
        {
          "id": "629f443472012b4f6a4d0c14",
          "name": "TSULoader.exe - aka: 7ef833e50992370e008a9efe630a87bfe8f19dbbcf025a3b5972aa1969b7958a",
          "description": "VT is erroring upon attempts to create a collection unfortunately",
          "modified": "2022-07-07T00:01:42.558000",
          "created": "2022-06-07T12:27:32.781000",
          "tags": [
            "entity",
            "n. sh",
            "nubotnet",
            "80880.bodis",
            "7ef833e50992370e008a9efe630a87bfe8f19dbbcf025a3b5972aa1969b7958a",
            "TSULoader. exe"
          ],
          "references": [
            "g8cd78603c5774150b78fba8769a23eaf8d2ecb5188414e58a7fb78b58015872d.json",
            "https://www.virustotal.com/gui/file/7ef833e50992370e008a9efe630a87bfe8f19dbbcf025a3b5972aa1969b7958a/behavior/VenusEye%20Sandbox",
            "162.210.196.172 94.229.72.123",
            "162.210.196.172 94.229.72.123",
            "https://www.virustotal.com/graph/g8cd78603c5774150b78fba8769a23eaf8d2ecb5188414e58a7fb78b58015872d"
          ],
          "public": 1,
          "adversary": "",
          "targeted_countries": [],
          "malware_families": [],
          "attack_ids": [],
          "industries": [],
          "TLP": "white",
          "cloned_from": null,
          "export_count": 5,
          "upvotes_count": 0,
          "downvotes_count": 0,
          "votes_count": 0,
          "locked": false,
          "pulse_source": "web",
          "validator_count": 0,
          "comment_count": 0,
          "follower_count": 0,
          "vote": 0,
          "author": {
            "username": "dorkingbeauty1",
            "id": "80137",
            "avatar_url": "https://otx.alienvault.com/assets/images/default-avatar.png",
            "is_subscribed": false,
            "is_following": false
          },
          "indicator_type_counts": {
            "hostname": 566,
            "URL": 1688,
            "FileHash-SHA256": 509,
            "domain": 238,
            "FileHash-MD5": 287,
            "FileHash-SHA1": 269
          },
          "indicator_count": 3557,
          "is_author": false,
          "is_subscribing": null,
          "subscriber_count": 392,
          "modified_text": "1425 days ago ",
          "is_modified": true,
          "groups": [],
          "in_group": false,
          "threat_hunter_scannable": true,
          "threat_hunter_has_agents": 1,
          "related_indicator_type": "URL",
          "related_indicator_is_active": 1
        }
      ],
      "references": [
        "http://c2.getapplicationmy.info/?step_id=1&installer_id=2096894809025524155&publisher_id=1273&source_id=0&page_id=0&affiliate_id=0&country_code=RU&locale=EN&browser_id=1&download_id=6356079339412925470&external_id=0&session_id=14287130792570298399&hardware_id=11580995441620935677&product_name=rachel%20blaine%20-%20don%20t%20you%20want%20me&product_file_name=error.txt&AddToPayload=",
        "https://www.virustotal.com/gui/file/909c32285af1230ce22da83e560639970014047aded5d4f482418a11edea1054/details",
        "http://c1.getapplicationmy.info/?step_id=1&installer_id=5230748627062792346&publisher_id=1160&source_id=0&page_id=0&affiliate_id=0&country_code=ES&locale=EN&browser_id=2&download_id=8693199875993334460&external_id=0&session_id=16805482311189156276&hardware_id=369127768221549700&product_name=cocina.rar&installer_file_name=cocina.rar&product_file_name=cocina.rar&product_download_url=http://fra-7m17-stor09.uploaded.net/dl/a2433760-879d-4562-b94d-461547fc758c&AddToPayload=StepReport=",
        "\u2022 ww25.vpn.steamcommunity-site.info",
        "pornhub.org",
        "detection: 35a30f66f7c03b8d8bfe9541cab2a98a0d521b2d6793e49e29b2183304cd0411 c054adb63bc6b7b13c242b3560276f5a491f27d48d2e2a3889860e54ed6c2f0e 2f872735f9d25b10870896aad8a22023a101e460cede4c291854a502d7bdbc0e 5a09bcc5e187b6a1cf9de1bf17316a1dc97325c63be1e373c4ca5b1048fbf747",
        "162.210.196.172 94.229.72.123",
        "\u2022 ww25.vpn.twitte5r.com | http://paypal-online.5flix.net/ | court-supreme.us",
        "\u2022 https://animal64u.com/bestiality-animal-porn/dog \u2022 \thttp://xxnxporntube.com",
        "m.pornsexer.xxx.3.1.adiosfil.roksit.net",
        "ccnrj.filehosterus.com aHR0cHM6Ly93d3cuY2dtLnBsL25ld3Mvc3pwYWt1LXNrYXphbnktcmFwZXItdXNseXN6YWwtd3lyb2sv%22 62dee3a4e5973204dffec78a9b8ff387be3ea251a7fa5f1ffaa86baf52519a6d c318aa635086ce2131ce6a1550b43e5507ad4d87d502611b9b30f92f327ca8a4 30a34c1390ae8144fe864ba47c949cca7e9894093eae04151cec9b7a7a283f67 2698cc1ab215049e40bc9fd0d88b6006ee7afeb9157357cbf998c7b21ce6e836 f870d8b854b68a0cfba2689a089b9ab30cd3e7dce60ae89861373af78374b442 Save20130505210838.bin%22 86e84a18fa355c435ee9ea78b4e16e0884b8c357f38be05cae19c7",
        "Found in: https://Side3.com/",
        "http://www.download-servers.com/SysInfo/Validate.exe||random.exe||/S||access your PC from anywhere!||Remote Access to your Home or Office PC remotely. Work on your PC from any internet computer or mobile. Access All files and transfer them between computers. Invite friends to view your LiveScreen and share presentations.||",
        "https://sexpornimages.com.leechlink.net [Match: www.sexpornimages.com/lynn/lynn-brashears-tsara-porn/rc1j0g.html]",
        "MD5\ta6cb39e4e394173d69e177ff36a2f42e SHA-1\ta2d50aa5ed73c4d3403a694e8b0aca49977713d5 SHA-256\t909c32285af1230ce22da83e560639970014047aded5d4f482418a11edea1054 Vhash\thtm:821da04452ff547b5490c3d7ba1719ba SSDEEP\t384:EMcRngf/80ACidN/ExvGusVAavvdKAaZzPkXZrJKd87b+mO:EZ/+d87b+mO TLSH\tT1185208B5D1B0A2762967943BB6A5E59E38151B0ECD17F9C1B38983A07AE1FF003526E0 File type\tHTML Magic\tHTML document, ASCII text, with very long lines (9498u) TrID\tHyperText Markup Language (100%) File size\t12.97 KB (13285 bytes)",
        "\u2022 engine.remote-keylogger.net \u2022 logout-superset2.remote-keylogger.net \u2022 mail.remote-keylogger.net",
        "CnC IP's: 198.58.118.167 \u2022 45.33.18.44 \u2022 45.33.2.79 \u2022 45.33.20.235 \u2022 45.33.23.183 \u2022 45.33.30.197 \u2022 45.79.19.196 \u2022 45.33.30.197 \u2022 45.56.79.23 \u2022 72.14.178.174 \u2022 72.14.185.43 \u2022 96.126.123.244",
        "youporndownload.com [park logic -malicious] http://golddesisex.com/en/search/teen%20anal%20long%20porn",
        "gona add the remaining info on a different pulse",
        "www.googletagmanger.com 512626c46b8fa1817b396120e7d556288f0815e971a0f52df22ac5633d88b032 212.130.207.121 f-b8714cecc9eb9ad9597c9dfd24c43eba774c5ed6704306157fd62084c50df40d-1405383926",
        "g8cd78603c5774150b78fba8769a23eaf8d2ecb5188414e58a7fb78b58015872d.json",
        "https://www.anyxxxtube.net/search-porn/tsara-brashears/ [phishing \u2022 malvertizing \u2022 apple data collection]",
        "\u2022 starbucksmobilepay.5flix.net | https://mobilemobster.com/",
        "http://mobilesmafia.com/applications/botnet.ex",
        "\u2022 zgcdfoundry.com \u2022 https://zgcdfoundry.com/",
        "\u2022 http://appleid.apple.com-cgi-bin-wets-myapleid.woa-wa-direct.yimucentral.com/apple/cgibin/confirm/processing/cmd=/95d9e0a26d38b5f248bb389e1a4d14c0/webobjects",
        "https://www.virustotal.com/gui/file/7ef833e50992370e008a9efe630a87bfe8f19dbbcf025a3b5972aa1969b7958a/behavior/VenusEye%20Sandbox",
        "https://www.virustotal.com/graph/g8cd78603c5774150b78fba8769a23eaf8d2ecb5188414e58a7fb78b58015872d",
        "WHOIS Registrar: SAV.COM, LLC - 35,   Creation Date: Feb 5, 2024 - again?",
        "https://otx.alienvault.com/indicator/domain/findmy-apple.support",
        "ww12.indianpornxxxtube.com",
        "settings contact-us 9cdf0d633399a20a6c5ed9d3533340b2a12e27947c42841eb523bc52dd24929e 23cf7d95fa2b38b48d78522c94f38c5f20f44513bfcce49a46edd543766ae343 T8RFDXPoVsGjhr6FFKaiD0vQJDRoz7h5U=&s3=Cdbb7725f6d6ff&subsrc=485310&s2=485310&sid2=485310&aff_sub2=485310&source=485310&s1=485310%22 f8f600dc0fd6f8e1cf8a93bb68667b832c8c739b72cc8fa51416e7efdb491e47",
        "twitter.html (download of vt fail page - self named but was the twitter signin for VT option",
        "nr-data.net [Apple Private Data Collection]",
        "91.195.240.46: ec9277a5d8a957aea79379a1d77c9bc57e9ca2d140a7678d6bd4c4e4ce1fc5c2 74c0ecb12b38d1f60dba1ebda935b3a3d7c729ea009cc5ec016850b018f14256 1607f85c85486b31778435a24fb3e028262fa31399d2dc2a8818fc3fac49589c 91.195.240.46de",
        "\u2022 apple-mac.us \u2022 zpwi8.itunes-apple-jp.xyz \u2022 applefanatic.org \u2022 appleemailaccounts.com \u2022 http://appleemailaccounts.com/",
        "afb6fed5738e5f984cdfea493a54bbf2cb626e5306687168f67bc91d9082909a %22 f984bb9a4e053d88ae8f0147692784aa6ea04700b1ba6c26d30df5d7a06c58e1 f-c3ccff28ce64e21a6e41e877a463566fdfb0b620c6e0772477f2a6bc21376171-1664295261",
        "/addons/error.txt&reffer=http://www.mp3olimp.net/\" target=\"_blank\" class=\"nowrap ellipsis\">http://c1.getapplicationmy.info/?step_id=1&installer_id=3243239242933260735&publisher_id=1273&source_id=0&page_id=0&affiliate_id=0&country_code=RU&locale=EN&browser_id=1&download_id=1595002368180071203&external_id=0&session_id=16667576891246135775&hardware_id=8615325681080375910&product_name=vintage+boxing+bell+03&=&=&=&=&filesize=113.03mb&product_title=vintage+boxing+bell+03&installer_file_name=vintage+boxing+bell+03",
        "http://c2.getapplicationmy.info/?step_id=1&installer_id=2488504921480818878&publisher_id=1160&source_id=0&page_id=0&affiliate_id=0&country_code=ES&locale=EN&browser_id=4&download_id=2186029835193520054&external_id=0&session_id=16256931977914952487&hardware_id=14366935065466949181&product_name=Libro%23003119.pdf&installer_file_name=Libro%23003119.pdf&product_file_name=Libro%23003119.pdf&product_download_url=http://fra-7m21-stor06.uploaded.net/dl/780b5695-d022-4fab-9aa0-b967ecaf5828&AddToPayload=StepReport=",
        "http://c1.getapplicationmy.info/?step_id=1&installer_id=3243239242933260735&publisher_id=1273&source_id=0&page_id=0&affiliate_id=0&country_code=RU&locale=EN&browser_id=1&download_id=1595002368180071203&external_id=0&session_id=16667576891246135775&hardware_id=8615325681080375910&product_name=vintage+boxing+bell+03&amp=&amp=&amp=&amp=&filesize=113.03mb&product_title=vintage+boxing+bell+03&installer_file_name=vintage+boxing+bell+03&product_file_name=vintage+boxing&AddToPayload=StepReport=",
        "http://c1.downlloaddatamy.info/?step_id=1&installer_id=4472257684899349270&publisher_id=2213&source_id=0&page_id=0&affiliate_id=0&country_code=RU&locale=EN&browser_id=2&download_id=5397224780012170065&external_id=0&installer_type=IX_2013&hardware_id=15739043569615579517&session_id=6869288066589810689&installer_type=IX_2013&amp=&amp=&amp=&q=solutionnice.info&product_name=Design%20and%20Implementation%20of%20a%20Home%20Embedded%20Surveillance%20System%20with%20Ultra%20Low%20Alert%20Power%20doc&installer_file_",
        "\u2022  199.59.243.226",
        "so it seems all these domains being hosted on 91 ip listed"
      ],
      "related": {
        "alienvault": {
          "adversary": [],
          "malware_families": [],
          "industries": [],
          "unique_indicators": 0
        },
        "other": {
          "adversary": [
            "LOSER"
          ],
          "malware_families": [
            "Sheur4.ceoo",
            "Trojan:win32/remcosrat",
            "Win32/cryptor",
            "Unruy",
            "Win.trojan.mbrlock-9779766-0",
            "#lowfi:suspicioussectionname",
            "Win.trojan.agent-828507",
            "Generic_r.byw",
            "Reputation.1",
            "Ransomexx",
            "Quasar rat",
            "W32.sality-73",
            "Win32/tanatos.a",
            "Hacktool",
            "Win32:evo-gen\\ [trj]",
            "Win32:inject-bcl\\ [trj]"
          ],
          "industries": [
            "Shit heels",
            "Fake news",
            "Technology",
            "Media",
            "Telecommunications",
            "Entertainment"
          ],
          "unique_indicators": 49194
        }
      }
    },
    "false_positive": [],
    "alexa": "http://www.alexa.com/siteinfo/restadesk.com",
    "whois": "http://whois.domaintools.com/restadesk.com",
    "domain": "restadesk.com",
    "hostname": "Unavailable"
  },
  "geo": {},
  "geo_ipapicom": {},
  "pulse_count": 8,
  "pulses": [
    {
      "id": "69a9ce01247e20a6471da4c6",
      "name": "@scnrscnr Public",
      "description": "",
      "modified": "2026-03-06T05:11:18.452000",
      "created": "2026-03-05T18:40:01.671000",
      "tags": [
        "Steven Crowder"
      ],
      "references": [],
      "public": 1,
      "adversary": "LOSER",
      "targeted_countries": [
        "United States of America"
      ],
      "malware_families": [],
      "attack_ids": [],
      "industries": [
        "Media",
        "Fake news",
        "Shit heels"
      ],
      "TLP": "white",
      "cloned_from": "62f81314ac5e791af1f2f00d",
      "export_count": 1,
      "upvotes_count": 0,
      "downvotes_count": 0,
      "votes_count": 0,
      "locked": false,
      "pulse_source": "web",
      "validator_count": 0,
      "comment_count": 0,
      "follower_count": 0,
      "vote": 0,
      "author": {
        "username": "msudosos",
        "id": "381696",
        "avatar_url": "https://otx.alienvault.com/assets/images/default-avatar.png",
        "is_subscribed": false,
        "is_following": false
      },
      "indicator_type_counts": {
        "hostname": 789,
        "domain": 387,
        "URL": 1733,
        "CVE": 1,
        "FileHash-SHA256": 212
      },
      "indicator_count": 3122,
      "is_author": false,
      "is_subscribing": null,
      "subscriber_count": 65,
      "modified_text": "87 days ago ",
      "is_modified": true,
      "groups": [],
      "in_group": false,
      "threat_hunter_scannable": true,
      "threat_hunter_has_agents": 1,
      "related_indicator_type": "URL",
      "related_indicator_is_active": 1
    },
    {
      "id": "686d28ec9208b0424e0ccad2",
      "name": "Remote Keylogger | Foundry",
      "description": "Keylogger Remotely installed on all of targets devices. Up until\u2026 target had to purchase and return more than 50\ndevices minus service plans. Apple\nengineers have been involved many times. Mercenary attacks also confirmed: A kind phone store owner gave her a free phone that was hacked within seconds. \nUnless someone has been \u2018framing Palantir / Foundry Tech Mafia is portrayed a playing a  significant involvement of SA victim potentially since  day of coerced disclosure in 2013.\nThe first clue was a YouTube follower with a menacing name and picture began to follow, change login,  network, dumped adult content, utilized web content scrapers,. stole\nPasswords,etc., Anyway .. Unruy  & remotely installed keylogger. \n#foundry #apple #soc #keylogger \n\nThis is risky to say but very wrong to do. She was a multi generational (MGM) American.",
      "modified": "2025-09-19T03:02:22.742000",
      "created": "2025-07-08T14:19:24.211000",
      "tags": [
        "delete",
        "msie",
        "windows nt",
        "wow64",
        "slcc2",
        "media center",
        "delete c",
        "intel",
        "write",
        "malware",
        "dynamicloader",
        "yara rule",
        "high",
        "vmware",
        "phishing",
        "remote",
        "keylogger",
        "remote keylogger",
        "type indicator",
        "related pulses",
        "no expiration",
        "url https",
        "showing",
        "reputation",
        "foundry",
        "apple",
        "downloader",
        "trojan"
      ],
      "references": [
        "http://www.download-servers.com/SysInfo/Validate.exe||random.exe||/S||access your PC from anywhere!||Remote Access to your Home or Office PC remotely. Work on your PC from any internet computer or mobile. Access All files and transfer them between computers. Invite friends to view your LiveScreen and share presentations.||",
        "\u2022 engine.remote-keylogger.net \u2022 logout-superset2.remote-keylogger.net \u2022 mail.remote-keylogger.net",
        "\u2022 http://appleid.apple.com-cgi-bin-wets-myapleid.woa-wa-direct.yimucentral.com/apple/cgibin/confirm/processing/cmd=/95d9e0a26d38b5f248bb389e1a4d14c0/webobjects",
        "\u2022  199.59.243.226",
        "\u2022 ww25.vpn.steamcommunity-site.info",
        "\u2022 apple-mac.us \u2022 zpwi8.itunes-apple-jp.xyz \u2022 applefanatic.org \u2022 appleemailaccounts.com \u2022 http://appleemailaccounts.com/",
        "\u2022 zgcdfoundry.com \u2022 https://zgcdfoundry.com/",
        "\u2022 ww25.vpn.twitte5r.com | http://paypal-online.5flix.net/ | court-supreme.us",
        "\u2022 https://animal64u.com/bestiality-animal-porn/dog \u2022 \thttp://xxnxporntube.com",
        "\u2022 starbucksmobilepay.5flix.net | https://mobilemobster.com/"
      ],
      "public": 1,
      "adversary": "",
      "targeted_countries": [
        "United States of America"
      ],
      "malware_families": [
        {
          "id": "Unruy",
          "display_name": "Unruy",
          "target": null
        },
        {
          "id": "Reputation.1",
          "display_name": "Reputation.1",
          "target": null
        }
      ],
      "attack_ids": [
        {
          "id": "T1045",
          "name": "Software Packing",
          "display_name": "T1045 - Software Packing"
        },
        {
          "id": "T1060",
          "name": "Registry Run Keys / Startup Folder",
          "display_name": "T1060 - Registry Run Keys / Startup Folder"
        },
        {
          "id": "T1457",
          "name": "Malicious Media Content",
          "display_name": "T1457 - Malicious Media Content"
        },
        {
          "id": "T1056.001",
          "name": "Keylogging",
          "display_name": "T1056.001 - Keylogging"
        },
        {
          "id": "T1566",
          "name": "Phishing",
          "display_name": "T1566 - Phishing"
        },
        {
          "id": "T1110.002",
          "name": "Password Cracking",
          "display_name": "T1110.002 - Password Cracking"
        },
        {
          "id": "T1210",
          "name": "Exploitation of Remote Services",
          "display_name": "T1210 - Exploitation of Remote Services"
        },
        {
          "id": "T1133",
          "name": "External Remote Services",
          "display_name": "T1133 - External Remote Services"
        }
      ],
      "industries": [
        "Telecommunications",
        "Technology",
        "Media"
      ],
      "TLP": "white",
      "cloned_from": null,
      "export_count": 16,
      "upvotes_count": 0,
      "downvotes_count": 0,
      "votes_count": 0,
      "locked": false,
      "pulse_source": "web",
      "validator_count": 0,
      "comment_count": 1,
      "follower_count": 0,
      "vote": 0,
      "author": {
        "username": "Q.Vashti",
        "id": "337942",
        "avatar_url": "https://otx.alienvault.com/assets/images/default-avatar.png",
        "is_subscribed": false,
        "is_following": false
      },
      "indicator_type_counts": {
        "FileHash-MD5": 260,
        "FileHash-SHA1": 244,
        "FileHash-SHA256": 4406,
        "URL": 9684,
        "domain": 3164,
        "hostname": 3370,
        "CVE": 1
      },
      "indicator_count": 21129,
      "is_author": false,
      "is_subscribing": null,
      "subscriber_count": 148,
      "modified_text": "255 days ago ",
      "is_modified": true,
      "groups": [],
      "in_group": false,
      "threat_hunter_scannable": true,
      "threat_hunter_has_agents": 1,
      "related_indicator_type": "URL",
      "related_indicator_is_active": 1
    },
    {
      "id": "65c607c354336e9c19aa3e1f",
      "name": "RansomEXX + Cyber attack \u2022 Premier Denver Recording Studio",
      "description": "Studio description: Adelio developed and managed A-list producer DJ Frank E, who has worked with the likes of Kanye West, B.O.B., Madonna, and Justin Bieber...\nResearch confirms target releases songs recorded @ Side3 studios.\nCreative differences aren't uncommon, research shows a common kink with m. Brian sabey if hallrender hacking everything from hospital is to insurance portals. He's nuts. Unclear if true nameof attacker is Brian Sabey /Tulach / using NSO grouo and various cyver attacks. A man representing an attorney named  M. Brian Sabey socially engineered himself and others into targets world. If studio interns or management had malice towards target, social engineering access would be easy.",
      "modified": "2024-03-10T11:05:48.248000",
      "created": "2024-02-09T11:08:51.939000",
      "tags": [
        "url http",
        "united",
        "unknown",
        "search",
        "status",
        "creation date",
        "date",
        "expiration date",
        "showing",
        "as201682 liquid",
        "as32244 liquid",
        "trojan",
        "passive dns",
        "entries",
        "scan endpoints",
        "all octoseek",
        "ipv4",
        "pulse pulses",
        "open",
        "win32",
        "body",
        "date hash",
        "avast avg",
        "lowfi",
        "ssl certificate",
        "contacted",
        "whois whois",
        "sdhyzbh7v http",
        "whois record",
        "execution",
        "apple ios",
        "historical ssl",
        "resolutions",
        "sdhyzbh7v",
        "attack",
        "ransomexx",
        "quasar",
        "asyncrat",
        "hacktool",
        "maze",
        "find",
        "hell",
        "crypto",
        "remcosrat",
        "worm",
        "first",
        "utc submissions",
        "submitters",
        "computer",
        "company limited",
        "gandi sas",
        "porkbun llc",
        "ovh sas",
        "summary iocs",
        "graph community",
        "as63949 linode",
        "for privacy",
        "asnone united",
        "as174 cogent",
        "as197695 domain",
        "russia unknown",
        "as16276",
        "france unknown",
        "encrypt",
        "next",
        "tsara brashears",
        "targeting",
        "cyber threat",
        "abuse",
        "malware spreading",
        "hallgrand",
        "tulach",
        "sabey data centers",
        "sav.com",
        "outbreak",
        "location united",
        "asn as63949",
        "whois registrar",
        "related tags",
        "interfacing",
        "malicious",
        "retaliation",
        "botnet",
        "porn",
        "teen porn",
        "illegal activities",
        "theft",
        "side3studios"
      ],
      "references": [
        "http://mobilesmafia.com/applications/botnet.ex",
        "Found in: https://Side3.com/",
        "CnC IP's: 198.58.118.167 \u2022 45.33.18.44 \u2022 45.33.2.79 \u2022 45.33.20.235 \u2022 45.33.23.183 \u2022 45.33.30.197 \u2022 45.79.19.196 \u2022 45.33.30.197 \u2022 45.56.79.23 \u2022 72.14.178.174 \u2022 72.14.185.43 \u2022 96.126.123.244",
        "https://otx.alienvault.com/indicator/domain/findmy-apple.support",
        "https://www.anyxxxtube.net/search-porn/tsara-brashears/ [phishing \u2022 malvertizing \u2022 apple data collection]",
        "nr-data.net [Apple Private Data Collection]",
        "WHOIS Registrar: SAV.COM, LLC - 35,   Creation Date: Feb 5, 2024 - again?",
        "/addons/error.txt&reffer=http://www.mp3olimp.net/\" target=\"_blank\" class=\"nowrap ellipsis\">http://c1.getapplicationmy.info/?step_id=1&installer_id=3243239242933260735&publisher_id=1273&source_id=0&page_id=0&affiliate_id=0&country_code=RU&locale=EN&browser_id=1&download_id=1595002368180071203&external_id=0&session_id=16667576891246135775&hardware_id=8615325681080375910&product_name=vintage+boxing+bell+03&=&=&=&=&filesize=113.03mb&product_title=vintage+boxing+bell+03&installer_file_name=vintage+boxing+bell+03",
        "http://c1.getapplicationmy.info/?step_id=1&installer_id=5230748627062792346&publisher_id=1160&source_id=0&page_id=0&affiliate_id=0&country_code=ES&locale=EN&browser_id=2&download_id=8693199875993334460&external_id=0&session_id=16805482311189156276&hardware_id=369127768221549700&product_name=cocina.rar&installer_file_name=cocina.rar&product_file_name=cocina.rar&product_download_url=http://fra-7m17-stor09.uploaded.net/dl/a2433760-879d-4562-b94d-461547fc758c&AddToPayload=StepReport=",
        "http://c1.getapplicationmy.info/?step_id=1&installer_id=3243239242933260735&publisher_id=1273&source_id=0&page_id=0&affiliate_id=0&country_code=RU&locale=EN&browser_id=1&download_id=1595002368180071203&external_id=0&session_id=16667576891246135775&hardware_id=8615325681080375910&product_name=vintage+boxing+bell+03&amp=&amp=&amp=&amp=&filesize=113.03mb&product_title=vintage+boxing+bell+03&installer_file_name=vintage+boxing+bell+03&product_file_name=vintage+boxing&AddToPayload=StepReport=",
        "http://c1.getapplicationmy.info/?step_id=1&installer_id=3243239242933260735&publisher_id=1273&source_id=0&page_id=0&affiliate_id=0&country_code=RU&locale=EN&browser_id=1&download_id=1595002368180071203&external_id=0&session_id=16667576891246135775&hardware_id=8615325681080375910&product_name=vintage+boxing+bell+03&amp=&amp=&amp=&amp=&filesize=113.03mb&product_title=vintage+boxing+bell+03&installer_file_name=vintage+boxing+bell+03&product_file_name=vintage+boxing&AddToPayload=StepReport=",
        "http://c1.downlloaddatamy.info/?step_id=1&installer_id=4472257684899349270&publisher_id=2213&source_id=0&page_id=0&affiliate_id=0&country_code=RU&locale=EN&browser_id=2&download_id=5397224780012170065&external_id=0&installer_type=IX_2013&hardware_id=15739043569615579517&session_id=6869288066589810689&installer_type=IX_2013&amp=&amp=&amp=&q=solutionnice.info&product_name=Design%20and%20Implementation%20of%20a%20Home%20Embedded%20Surveillance%20System%20with%20Ultra%20Low%20Alert%20Power%20doc&installer_file_",
        "http://c2.getapplicationmy.info/?step_id=1&installer_id=2096894809025524155&publisher_id=1273&source_id=0&page_id=0&affiliate_id=0&country_code=RU&locale=EN&browser_id=1&download_id=6356079339412925470&external_id=0&session_id=14287130792570298399&hardware_id=11580995441620935677&product_name=rachel%20blaine%20-%20don%20t%20you%20want%20me&product_file_name=error.txt&AddToPayload=",
        "http://c2.getapplicationmy.info/?step_id=1&installer_id=2488504921480818878&publisher_id=1160&source_id=0&page_id=0&affiliate_id=0&country_code=ES&locale=EN&browser_id=4&download_id=2186029835193520054&external_id=0&session_id=16256931977914952487&hardware_id=14366935065466949181&product_name=Libro%23003119.pdf&installer_file_name=Libro%23003119.pdf&product_file_name=Libro%23003119.pdf&product_download_url=http://fra-7m21-stor06.uploaded.net/dl/780b5695-d022-4fab-9aa0-b967ecaf5828&AddToPayload=StepReport=",
        "http://c2.getapplicationmy.info/?step_id=1&installer_id=2488504921480818878&publisher_id=1160&source_id=0&page_id=0&affiliate_id=0&country_code=ES&locale=EN&browser_id=4&download_id=2186029835193520054&external_id=0&session_id=16256931977914952487&hardware_id=14366935065466949181&product_name=Libro%23003119.pdf&installer_file_name=Libro%23003119.pdf&product_file_name=Libro%23003119.pdf&product_download_url=http://fra-7m21-stor06.uploaded.net/dl/780b5695-d022-4fab-9aa0-b967ecaf5828&AddToPayload=StepReport=",
        "m.pornsexer.xxx.3.1.adiosfil.roksit.net",
        "https://sexpornimages.com.leechlink.net [Match: www.sexpornimages.com/lynn/lynn-brashears-tsara-porn/rc1j0g.html]",
        "pornhub.org",
        "ww12.indianpornxxxtube.com",
        "youporndownload.com [park logic -malicious] http://golddesisex.com/en/search/teen%20anal%20long%20porn"
      ],
      "public": 1,
      "adversary": "",
      "targeted_countries": [],
      "malware_families": [
        {
          "id": "Win32:Inject-BCL\\ [Trj]",
          "display_name": "Win32:Inject-BCL\\ [Trj]",
          "target": null
        },
        {
          "id": "#Lowfi:SuspiciousSectionName",
          "display_name": "#Lowfi:SuspiciousSectionName",
          "target": null
        },
        {
          "id": "Win32:Evo-gen\\ [Trj]",
          "display_name": "Win32:Evo-gen\\ [Trj]",
          "target": null
        },
        {
          "id": "Win.Trojan.Mbrlock-9779766-0",
          "display_name": "Win.Trojan.Mbrlock-9779766-0",
          "target": null
        },
        {
          "id": "Win.Trojan.Agent-828507",
          "display_name": "Win.Trojan.Agent-828507",
          "target": null
        },
        {
          "id": "SHeur4.CEOO",
          "display_name": "SHeur4.CEOO",
          "target": null
        },
        {
          "id": "Win32/Cryptor",
          "display_name": "Win32/Cryptor",
          "target": null
        },
        {
          "id": "Win32/Tanatos.A",
          "display_name": "Win32/Tanatos.A",
          "target": null
        },
        {
          "id": "W32.Sality-73",
          "display_name": "W32.Sality-73",
          "target": null
        },
        {
          "id": "Generic_r.BYW",
          "display_name": "Generic_r.BYW",
          "target": null
        },
        {
          "id": "RansomEXX",
          "display_name": "RansomEXX",
          "target": null
        },
        {
          "id": "HackTool",
          "display_name": "HackTool",
          "target": null
        },
        {
          "id": "Trojan:Win32/RemcosRAT",
          "display_name": "Trojan:Win32/RemcosRAT",
          "target": "/malware/Trojan:Win32/RemcosRAT"
        },
        {
          "id": "Quasar RAT",
          "display_name": "Quasar RAT",
          "target": null
        }
      ],
      "attack_ids": [
        {
          "id": "T1583.005",
          "name": "Botnet",
          "display_name": "T1583.005 - Botnet"
        },
        {
          "id": "T1071.002",
          "name": "File Transfer Protocols",
          "display_name": "T1071.002 - File Transfer Protocols"
        },
        {
          "id": "T1031",
          "name": "Modify Existing Service",
          "display_name": "T1031 - Modify Existing Service"
        }
      ],
      "industries": [
        "Entertainment",
        "Technology",
        "Telecommunications",
        "Media"
      ],
      "TLP": "white",
      "cloned_from": null,
      "export_count": 39,
      "upvotes_count": 0,
      "downvotes_count": 0,
      "votes_count": 0,
      "locked": false,
      "pulse_source": "web",
      "validator_count": 0,
      "comment_count": 0,
      "follower_count": 0,
      "vote": 0,
      "author": {
        "username": "OctoSeek",
        "id": "243548",
        "avatar_url": "/otxapi/users/avatar_image/media/avatars/user_243548/resized/80/avatar_3b9c358f36.png",
        "is_subscribed": false,
        "is_following": false
      },
      "indicator_type_counts": {
        "URL": 71387,
        "domain": 8768,
        "hostname": 17727,
        "email": 16,
        "FileHash-MD5": 195,
        "FileHash-SHA1": 168,
        "FileHash-SHA256": 15313,
        "CVE": 9,
        "CIDR": 7
      },
      "indicator_count": 113590,
      "is_author": false,
      "is_subscribing": null,
      "subscriber_count": 226,
      "modified_text": "812 days ago ",
      "is_modified": true,
      "groups": [],
      "in_group": false,
      "threat_hunter_scannable": true,
      "threat_hunter_has_agents": 1,
      "related_indicator_type": "URL",
      "related_indicator_is_active": 1
    },
    {
      "id": "65708f57867c1032f7d21ff6",
      "name": "TSULoader.exe - aka: 7ef833e50992370e008a9efe630a87bfe8f19dbbcf025a3b5972aa1969b7958a",
      "description": "",
      "modified": "2023-12-06T15:12:23.002000",
      "created": "2023-12-06T15:12:23.002000",
      "tags": [],
      "references": [],
      "public": 1,
      "adversary": "",
      "targeted_countries": [],
      "malware_families": [],
      "attack_ids": [],
      "industries": [],
      "TLP": "green",
      "cloned_from": null,
      "export_count": 2,
      "upvotes_count": 0,
      "downvotes_count": 0,
      "votes_count": 0,
      "locked": false,
      "pulse_source": "api",
      "validator_count": 0,
      "comment_count": 0,
      "follower_count": 0,
      "vote": 0,
      "author": {
        "username": "StreamMiningEx",
        "id": "262917",
        "avatar_url": "https://otx.alienvault.com/assets/images/default-avatar.png",
        "is_subscribed": false,
        "is_following": false
      },
      "indicator_type_counts": {
        "FileHash-MD5": 287,
        "FileHash-SHA1": 269,
        "FileHash-SHA256": 509,
        "domain": 238,
        "hostname": 566,
        "URL": 1688
      },
      "indicator_count": 3557,
      "is_author": false,
      "is_subscribing": null,
      "subscriber_count": 109,
      "modified_text": "907 days ago ",
      "is_modified": false,
      "groups": [],
      "in_group": false,
      "threat_hunter_scannable": true,
      "threat_hunter_has_agents": 1,
      "related_indicator_type": "URL",
      "related_indicator_is_active": 1
    },
    {
      "id": "646e74e5062377cf3de86dab",
      "name": "Twitter sso sign in to vrus total fails with error of incorrect details yet i totaly bypssed any logn page to input my details",
      "description": "91.195.240.46 looks interesting, guess this all relates to how twitter amongst other big named sites are being abused globally on a grand scale",
      "modified": "2023-06-23T22:24:17.732000",
      "created": "2023-05-24T20:34:45.072000",
      "tags": [
        "sha1",
        "sha256",
        "ssdeep",
        "ezd87bmo tlsh",
        "html magic",
        "html document",
        "ascii text",
        "trid hypertext",
        "markup language",
        "file size",
        "twitter failed Virustotal sso sign im",
        "91.195.240.46"
      ],
      "references": [
        "https://www.virustotal.com/gui/file/909c32285af1230ce22da83e560639970014047aded5d4f482418a11edea1054/details",
        "MD5\ta6cb39e4e394173d69e177ff36a2f42e SHA-1\ta2d50aa5ed73c4d3403a694e8b0aca49977713d5 SHA-256\t909c32285af1230ce22da83e560639970014047aded5d4f482418a11edea1054 Vhash\thtm:821da04452ff547b5490c3d7ba1719ba SSDEEP\t384:EMcRngf/80ACidN/ExvGusVAavvdKAaZzPkXZrJKd87b+mO:EZ/+d87b+mO TLSH\tT1185208B5D1B0A2762967943BB6A5E59E38151B0ECD17F9C1B38983A07AE1FF003526E0 File type\tHTML Magic\tHTML document, ASCII text, with very long lines (9498u) TrID\tHyperText Markup Language (100%) File size\t12.97 KB (13285 bytes)",
        "afb6fed5738e5f984cdfea493a54bbf2cb626e5306687168f67bc91d9082909a %22 f984bb9a4e053d88ae8f0147692784aa6ea04700b1ba6c26d30df5d7a06c58e1 f-c3ccff28ce64e21a6e41e877a463566fdfb0b620c6e0772477f2a6bc21376171-1664295261",
        "91.195.240.46: ec9277a5d8a957aea79379a1d77c9bc57e9ca2d140a7678d6bd4c4e4ce1fc5c2 74c0ecb12b38d1f60dba1ebda935b3a3d7c729ea009cc5ec016850b018f14256 1607f85c85486b31778435a24fb3e028262fa31399d2dc2a8818fc3fac49589c 91.195.240.46de",
        "detection: 35a30f66f7c03b8d8bfe9541cab2a98a0d521b2d6793e49e29b2183304cd0411 c054adb63bc6b7b13c242b3560276f5a491f27d48d2e2a3889860e54ed6c2f0e 2f872735f9d25b10870896aad8a22023a101e460cede4c291854a502d7bdbc0e 5a09bcc5e187b6a1cf9de1bf17316a1dc97325c63be1e373c4ca5b1048fbf747",
        "www.googletagmanger.com 512626c46b8fa1817b396120e7d556288f0815e971a0f52df22ac5633d88b032 212.130.207.121 f-b8714cecc9eb9ad9597c9dfd24c43eba774c5ed6704306157fd62084c50df40d-1405383926",
        "settings contact-us 9cdf0d633399a20a6c5ed9d3533340b2a12e27947c42841eb523bc52dd24929e 23cf7d95fa2b38b48d78522c94f38c5f20f44513bfcce49a46edd543766ae343 T8RFDXPoVsGjhr6FFKaiD0vQJDRoz7h5U=&s3=Cdbb7725f6d6ff&subsrc=485310&s2=485310&sid2=485310&aff_sub2=485310&source=485310&s1=485310%22 f8f600dc0fd6f8e1cf8a93bb68667b832c8c739b72cc8fa51416e7efdb491e47",
        "ccnrj.filehosterus.com aHR0cHM6Ly93d3cuY2dtLnBsL25ld3Mvc3pwYWt1LXNrYXphbnktcmFwZXItdXNseXN6YWwtd3lyb2sv%22 62dee3a4e5973204dffec78a9b8ff387be3ea251a7fa5f1ffaa86baf52519a6d c318aa635086ce2131ce6a1550b43e5507ad4d87d502611b9b30f92f327ca8a4 30a34c1390ae8144fe864ba47c949cca7e9894093eae04151cec9b7a7a283f67 2698cc1ab215049e40bc9fd0d88b6006ee7afeb9157357cbf998c7b21ce6e836 f870d8b854b68a0cfba2689a089b9ab30cd3e7dce60ae89861373af78374b442 Save20130505210838.bin%22 86e84a18fa355c435ee9ea78b4e16e0884b8c357f38be05cae19c7",
        "so it seems all these domains being hosted on 91 ip listed",
        "gona add the remaining info on a different pulse"
      ],
      "public": 1,
      "adversary": "",
      "targeted_countries": [],
      "malware_families": [],
      "attack_ids": [],
      "industries": [],
      "TLP": "white",
      "cloned_from": null,
      "export_count": 7,
      "upvotes_count": 0,
      "downvotes_count": 0,
      "votes_count": 0,
      "locked": false,
      "pulse_source": "web",
      "validator_count": 0,
      "comment_count": 0,
      "follower_count": 0,
      "vote": 0,
      "author": {
        "username": "callmeDoris",
        "id": "205385",
        "avatar_url": "https://otx.alienvault.com/assets/images/default-avatar.png",
        "is_subscribed": false,
        "is_following": false
      },
      "indicator_type_counts": {
        "URL": 130,
        "hostname": 62,
        "domain": 34,
        "FileHash-SHA256": 29,
        "FileHash-MD5": 2,
        "FileHash-SHA1": 1
      },
      "indicator_count": 258,
      "is_author": false,
      "is_subscribing": null,
      "subscriber_count": 90,
      "modified_text": "1073 days ago ",
      "is_modified": true,
      "groups": [],
      "in_group": false,
      "threat_hunter_scannable": true,
      "threat_hunter_has_agents": 1,
      "related_indicator_type": "URL",
      "related_indicator_is_active": 1
    },
    {
      "id": "646e7b0e40bd0b1e08a14010",
      "name": "virustotal sso login failed download of page data - but otx failing me too",
      "description": "Blacklotus \ud83d\ude2c\ud83d\ude33\n264df494bec6020f8a209df519785b2341eee6cdc45952ec74085613ec51365c",
      "modified": "2023-06-23T22:24:17.732000",
      "created": "2023-05-24T21:01:02.771000",
      "tags": [
        "urls",
        "please",
        "javascript",
        "ezd87bmo tlsh",
        "html magic",
        "ascii text",
        "trid hypertext",
        "twitter failed Virustotal sso sign im",
        "91.195.240.46",
        "Blacklotus",
        "264df494bec6020f8a209df519785b2341eee6cdc45952ec74085613ec51365c"
      ],
      "references": [
        "https://www.virustotal.com/gui/file/909c32285af1230ce22da83e560639970014047aded5d4f482418a11edea1054/details",
        "ccnrj.filehosterus.com aHR0cHM6Ly93d3cuY2dtLnBsL25ld3Mvc3pwYWt1LXNrYXphbnktcmFwZXItdXNseXN6YWwtd3lyb2sv%22 62dee3a4e5973204dffec78a9b8ff387be3ea251a7fa5f1ffaa86baf52519a6d c318aa635086ce2131ce6a1550b43e5507ad4d87d502611b9b30f92f327ca8a4 30a34c1390ae8144fe864ba47c949cca7e9894093eae04151cec9b7a7a283f67 2698cc1ab215049e40bc9fd0d88b6006ee7afeb9157357cbf998c7b21ce6e836 f870d8b854b68a0cfba2689a089b9ab30cd3e7dce60ae89861373af78374b442 Save20130505210838.bin%22 86e84a18fa355c435ee9ea78b4e16e0884b8c357f38be05cae19c7",
        "twitter.html (download of vt fail page - self named but was the twitter signin for VT option"
      ],
      "public": 1,
      "adversary": "",
      "targeted_countries": [],
      "malware_families": [],
      "attack_ids": [],
      "industries": [],
      "TLP": "white",
      "cloned_from": null,
      "export_count": 7,
      "upvotes_count": 0,
      "downvotes_count": 0,
      "votes_count": 0,
      "locked": false,
      "pulse_source": "web",
      "validator_count": 0,
      "comment_count": 0,
      "follower_count": 0,
      "vote": 0,
      "author": {
        "username": "callmeDoris",
        "id": "205385",
        "avatar_url": "https://otx.alienvault.com/assets/images/default-avatar.png",
        "is_subscribed": false,
        "is_following": false
      },
      "indicator_type_counts": {
        "URL": 130,
        "hostname": 62,
        "domain": 34,
        "FileHash-SHA256": 29,
        "FileHash-MD5": 2,
        "FileHash-SHA1": 1
      },
      "indicator_count": 258,
      "is_author": false,
      "is_subscribing": null,
      "subscriber_count": 91,
      "modified_text": "1073 days ago ",
      "is_modified": true,
      "groups": [],
      "in_group": false,
      "threat_hunter_scannable": true,
      "threat_hunter_has_agents": 1,
      "related_indicator_type": "URL",
      "related_indicator_is_active": 1
    },
    {
      "id": "62f81314ac5e791af1f2f00d",
      "name": "LOUDER WITH CHOWDERHEAD STEVEN CROWDER",
      "description": "Somebody call the Whambulance.",
      "modified": "2022-09-12T00:04:46.916000",
      "created": "2022-08-13T21:09:40.523000",
      "tags": [
        "Steven Crowder"
      ],
      "references": [],
      "public": 1,
      "adversary": "LOSER",
      "targeted_countries": [
        "United States of America"
      ],
      "malware_families": [],
      "attack_ids": [],
      "industries": [
        "Media",
        "Fake news",
        "Shit heels"
      ],
      "TLP": "white",
      "cloned_from": null,
      "export_count": 3,
      "upvotes_count": 0,
      "downvotes_count": 0,
      "votes_count": 0,
      "locked": false,
      "pulse_source": "web",
      "validator_count": 0,
      "comment_count": 0,
      "follower_count": 0,
      "vote": 0,
      "author": {
        "username": "scnrscnr",
        "id": "126475",
        "avatar_url": "/otxapi/users/avatar_image/media/avatars/user_126475/resized/80/avatar_67ca5b7bae.png",
        "is_subscribed": false,
        "is_following": false
      },
      "indicator_type_counts": {
        "hostname": 787,
        "domain": 387,
        "URL": 1732,
        "CVE": 1,
        "FileHash-SHA256": 212
      },
      "indicator_count": 3119,
      "is_author": false,
      "is_subscribing": null,
      "subscriber_count": 88,
      "modified_text": "1358 days ago ",
      "is_modified": true,
      "groups": [],
      "in_group": false,
      "threat_hunter_scannable": true,
      "threat_hunter_has_agents": 1,
      "related_indicator_type": "URL",
      "related_indicator_is_active": 1
    },
    {
      "id": "629f443472012b4f6a4d0c14",
      "name": "TSULoader.exe - aka: 7ef833e50992370e008a9efe630a87bfe8f19dbbcf025a3b5972aa1969b7958a",
      "description": "VT is erroring upon attempts to create a collection unfortunately",
      "modified": "2022-07-07T00:01:42.558000",
      "created": "2022-06-07T12:27:32.781000",
      "tags": [
        "entity",
        "n. sh",
        "nubotnet",
        "80880.bodis",
        "7ef833e50992370e008a9efe630a87bfe8f19dbbcf025a3b5972aa1969b7958a",
        "TSULoader. exe"
      ],
      "references": [
        "g8cd78603c5774150b78fba8769a23eaf8d2ecb5188414e58a7fb78b58015872d.json",
        "https://www.virustotal.com/gui/file/7ef833e50992370e008a9efe630a87bfe8f19dbbcf025a3b5972aa1969b7958a/behavior/VenusEye%20Sandbox",
        "162.210.196.172 94.229.72.123",
        "162.210.196.172 94.229.72.123",
        "https://www.virustotal.com/graph/g8cd78603c5774150b78fba8769a23eaf8d2ecb5188414e58a7fb78b58015872d"
      ],
      "public": 1,
      "adversary": "",
      "targeted_countries": [],
      "malware_families": [],
      "attack_ids": [],
      "industries": [],
      "TLP": "white",
      "cloned_from": null,
      "export_count": 5,
      "upvotes_count": 0,
      "downvotes_count": 0,
      "votes_count": 0,
      "locked": false,
      "pulse_source": "web",
      "validator_count": 0,
      "comment_count": 0,
      "follower_count": 0,
      "vote": 0,
      "author": {
        "username": "dorkingbeauty1",
        "id": "80137",
        "avatar_url": "https://otx.alienvault.com/assets/images/default-avatar.png",
        "is_subscribed": false,
        "is_following": false
      },
      "indicator_type_counts": {
        "hostname": 566,
        "URL": 1688,
        "FileHash-SHA256": 509,
        "domain": 238,
        "FileHash-MD5": 287,
        "FileHash-SHA1": 269
      },
      "indicator_count": 3557,
      "is_author": false,
      "is_subscribing": null,
      "subscriber_count": 392,
      "modified_text": "1425 days ago ",
      "is_modified": true,
      "groups": [],
      "in_group": false,
      "threat_hunter_scannable": true,
      "threat_hunter_has_agents": 1,
      "related_indicator_type": "URL",
      "related_indicator_is_active": 1
    }
  ],
  "error": null,
  "vt": {
    "error": "VirusTotal rate limit reached. Try again shortly.",
    "indicator": "https://restadesk.com",
    "type": "URL"
  },
  "abuseipdb": null,
  "urlhaus": {
    "indicator": "https://restadesk.com",
    "type": "URL",
    "found": false,
    "verdict": "clean",
    "error": null
  },
  "from_cache": true,
  "_cached_at": 1780309129.0451891
}