{
"type": "URL",
"indicator": "https://shop.crowdfarmx.com",
"general": {
"sections": [
"general",
"url_list",
"http_scans",
"screenshot"
],
"indicator": "https://shop.crowdfarmx.com",
"type": "url",
"type_title": "URL",
"validation": [],
"base_indicator": {
"id": 3140248439,
"indicator": "https://shop.crowdfarmx.com",
"type": "URL",
"title": "",
"description": "",
"content": "",
"access_type": "public",
"access_reason": ""
},
"pulse_info": {
"count": 19,
"pulses": [
{
"id": "69dba8a0f375964d468b9ba0",
"name": "Credit: DorkingBeauty1- Charles-152.199.19.160- from scan various dupont domains- malicious- Oracle Supply Chain or Turning Blind eye",
"description": "",
"modified": "2026-05-12T00:09:20.348000",
"created": "2026-04-12T14:13:52.560000",
"tags": [
"sandbox",
"malware",
"analysis",
"online",
"submit",
"vxstream",
"sample",
"download",
"trojan",
"apt",
"ansi",
"data",
"decrypted ssl",
"windows nt",
"threat level",
"ecacc",
"gmtetag",
"date",
"sha256",
"pcap",
"path",
"accept",
"back",
"close",
"click",
"solid",
"class",
"flame",
"splash",
"verify",
"direct",
"suspicious",
"malicious",
"sybuex",
"core",
"agent",
"code",
"model",
"next",
"first",
"phase",
"impact",
"trim",
"hybrid",
"hosts",
"format",
"general",
"strings",
"dupont",
"meta",
"body",
"local",
"trident",
"gynx",
"mozilla"
],
"references": [
"https://hybrid-analysis.com/sample/62b6cea0e6e2b40533d835de1968ce767764a36f1f9de2b603ddc2d72aa5e246?environmentId=100",
"https://hybrid-analysis.com/sample/1e018f44cfe693f0cd2a5e6491a21eb65bdd0f02fb694eb131eaf5d9118f39ee?environmentId=100",
"https://hybrid-analysis.com/sample/e9425c4658ad484851e6b207e7c1ebb7df9da7f793bc35216c46285ef224aa83?environmentId=100",
"ok12110.ok1.chatbot.lab.works-hi.co.jp",
"ns-19.awsdns-02.com"
],
"public": 1,
"adversary": "",
"targeted_countries": [],
"malware_families": [],
"attack_ids": [
{
"id": "T1012",
"name": "Query Registry",
"display_name": "T1012 - Query Registry"
},
{
"id": "T1132",
"name": "Data Encoding",
"display_name": "T1132 - Data Encoding"
},
{
"id": "T1573",
"name": "Encrypted Channel",
"display_name": "T1573 - Encrypted Channel"
}
],
"industries": [],
"TLP": "white",
"cloned_from": "622772a53274b509660d46af",
"export_count": 3,
"upvotes_count": 0,
"downvotes_count": 0,
"votes_count": 0,
"locked": false,
"pulse_source": "web",
"validator_count": 0,
"comment_count": 0,
"follower_count": 0,
"vote": 0,
"author": {
"username": "msudosos",
"id": "381696",
"avatar_url": "https://otx.alienvault.com/assets/images/default-avatar.png",
"is_subscribed": false,
"is_following": false
},
"indicator_type_counts": {
"hostname": 902,
"domain": 338,
"URL": 1721,
"FileHash-SHA256": 558,
"email": 4,
"CVE": 1,
"FileHash-MD5": 159,
"FileHash-SHA1": 128
},
"indicator_count": 3811,
"is_author": false,
"is_subscribing": null,
"subscriber_count": 70,
"modified_text": "22 days ago ",
"is_modified": true,
"groups": [],
"in_group": false,
"threat_hunter_scannable": true,
"threat_hunter_has_agents": 1,
"related_indicator_type": "URL",
"related_indicator_is_active": 1
},
{
"id": "6963596c4cd594b77b4675ec",
"name": "Project Cicada-.Christopher \u201cBuzz\u201d Ahmann - PalantirFoundry | The State of Colorado | ",
"description": "",
"modified": "2026-02-10T06:05:39.764000",
"created": "2026-01-11T08:03:56.534000",
"tags": [
"colorado state",
"freeman mathis",
"history",
"cyber risk",
"aspen insureds",
"gaig insureds",
"landy insureds",
"nip group",
"purm insureds",
"overview core",
"united",
"ip address",
"present nov",
"present may",
"moved",
"encrypt",
"unknown",
"backdoor",
"passive dns",
"ransom",
"checkin",
"trojandropper",
"mtb nov",
"twitter",
"trojan",
"data upload",
"extraction",
"failed",
"united states",
"server response",
"google safe",
"results may",
"lowfi",
"virtool",
"mtb alf",
"mh alf",
"port",
"windows nt",
"destination",
"msie",
"khtml",
"gecko",
"unknown aaaa",
"a domains",
"meta",
"for privacy",
"cop supply",
"urls",
"as139646 hong",
"hostname",
"files",
"hong kong",
"domain add",
"ip related",
"hash avast",
"avg clamav",
"msdefender may",
"ddos",
"as13335",
"ipv4",
"certificate",
"hostname add",
"url analysis",
"files ip",
"name strings",
"category",
"united states",
"pulse indicator",
"address",
"error",
"null",
"object",
"string",
"number",
"google maps",
"promise",
"javascript api",
"dataset",
"bigint",
"dark",
"android",
"infinity",
"internal",
"roboto",
"trident",
"void",
"small",
"lightrail",
"false",
"span",
"close",
"light",
"hybrid",
"embed",
"iframe",
"keygen",
"this",
"february",
"bounce",
"drop",
"inside",
"outside",
"marker",
"present dec",
"pulses otx",
"aaaa",
"asnone country",
"record value",
"title",
"pulse pulses",
"pulses",
"showing",
"unknown cname",
"unknown soa",
"next associated",
"ipv4 add",
"cycbot",
"extract indic",
"sneaker bots",
"proxies data",
"script script",
"adult content",
"nextimage",
"porn site",
"div div",
"platform make",
"cloudfront x",
"hio52 p3",
"unknown ns",
"pulse submit",
"title error",
"reverse dns",
"status",
"servers",
"name servers",
"vashti hostname",
"scan endpoints",
"url http",
"http",
"files domain",
"files related",
"pulses none",
"dnssec",
"sec ch",
"ch ua",
"ua full",
"ua platform",
"ua bitness",
"ua arch",
"version sec",
"mobile sec",
"model sec",
"version list",
"domain",
"emails",
"cookie",
"url https",
"show",
"filehash",
"urls show",
"date checked",
"url hostname",
"results nov",
"win32",
"type",
"learn",
"ck id",
"name tactics",
"suspicious",
"informative",
"command",
"adversaries",
"ssl certificate",
"defense evasion",
"spawns",
"flag",
"llc name",
"server",
"markmonitor",
"name server",
"windir",
"openurl c",
"prefetch2",
"show technique",
"mitre att",
"ck matrix",
"pattern match",
"ascii text",
"sha1",
"href",
"show process",
"file",
"general",
"local",
"path",
"germany unknown",
"date",
"registrar",
"ip whois",
"dynamicloader",
"high",
"medium",
"search",
"displayname",
"tofsee",
"win64",
"write",
"stream",
"malware",
"push",
"entries",
"tls handshake",
"failure",
"forbidden",
"tlsv1",
"april",
"next",
"write c",
"intel",
"ms windows",
"sha1 add",
"av detections",
"ids detections",
"yara detections",
"alerts",
"analysis date",
"file score",
"sha256 add",
"present jun",
"present mar",
"medelln",
"colombia asn",
"dns resolutions",
"address domain",
"related tags",
"none google",
"safe browsing",
"external",
"present sep",
"present aug",
"as54113",
"present jul",
"as8068",
"gmt content",
"total",
"read",
"delete",
"top source",
"quasi",
"murderers",
"christopher ahmann",
"buzz ahmann",
"wow64",
"slcc2",
"media center",
"labor",
"employment",
"cdle",
"dowc",
"colorado",
"workers",
"coloradoif",
"independent",
"state",
"company",
"entity type",
"authorized line",
"analysis",
"tor analysis",
"process details",
"network traffic",
"t1071",
"potential ip",
"click",
"found",
"t1480 execution",
"bad traffic",
"et info",
"ck techniques",
"evasion att",
"t1057",
"refresh",
"body",
"strings",
"tools",
"look",
"verify",
"restart",
"cname",
"form",
"pulse",
"script domains",
"script urls",
"administrator",
"services llc",
"dns admin",
"domain admin",
"global llc",
"domain manager",
"computer system",
"ltd domain",
"network",
"alibaba",
"facebook",
"phishme",
"sogou",
"present jan",
"present feb",
"present oct"
],
"references": [
"https://www.fmglaw.com/lawyers/christopher-ahmann - found in adult content pulse.",
"Sneaker Bots Proxies Servers Cook Groups Cop Supply",
"archive.cop.supply \u2022 dev.cop.supply \u2022 https://cop.supply/ \u2022 https://cop.supply/bot-lists/",
"https://cop.supply/supreme-bots/\u2022 https://cop.supply/useful-tools/",
"https://cop.supply/proxies-lists/ \u2022 https://cop.supply/shopify-bots/",
"dns.army \u2022 www.dcopr.dns.army \u2022 www.glsyaiwjj.dns.army \u2022 www.wgmvk.dns.army",
"https://maps.googleapis.com/maps/api/js?sensor=false",
"cell-0.af-south-1.prod.telemetry.console.api.aws",
"howtoworkacrickoutofyourneck2.pages.dev",
"firebase-auth-eich0v.pages.dev",
"http://ianswertomom.com/develop-wise-woman-within-yourself",
"http://ianswertomom.com/bible-verses-struggling-contentment-mom/ I",
"https://i-want-to-start-an-onlyfans.pages.dev/favicon.ico| I bet you do boo boo",
"makeapornsite.com \u2022 https://pornhighschool.com/ \u2022 https://ethnicerotic.com \u2022 https://twitter.com/Make",
"https://khmerpornvideo.signup0.y.id/",
"https://lordseriala.life/6337-zvezdnye-vojny-opornaja-komanda.html",
"https://clear.ml/infrastructure-control-plane",
"dev-app.project-cicada.com \u2022 http://dev-app.project-cicada.com \u2022 https://dev-app.project-cicada.com (2014 report predates 2016 reports)",
"https://amano.inboundtools.com/tpcontact URL https://armg.inboundtools.com/ URL https://gaiax.inboundtools.com/internship URL https://hmk.inboundtools.com/ URL https://hmk.inboundtools.com/form/assetview_siryo_sier",
"https://download.clear.ml/cpython_builds/releases/ \u2022 https://download.clear.",
"https://links.mail.samsara.com/s/c/P9R6gGlExR4nfCwqwJXUmr7NmKcMNde4ZBhCFprlVtsFNgh-4tuTWla0aXN9rIWCjrWtn0Vln7x-hexxVBlY3xxvnEevR8qJU5G5xV3__wo-X7kkpSOhJVfejac-Xk8qu6zs5Z-tILwWYRkNScZNGlAqfwQuJuRw5M-n_ZKI6tuY5XGCZAqWoQepi1NnJiW4wZJkzZlOwGtNkusbuKDcMsLVrrhji2eKh4kYgrJp_SeycJRhasLFCQ3c2bPu4sahEWpcHZrQBaxvdfQgTEno8kV-RJdTDO0zK5MyWDJLeds7mnaDrxlb0O2zmhebUdlHE0R0xHi25dympBUpMlLsQV8bx1WUTOfgK4k0ci9o_2Gbfe22-jLxsJN-msV6pxWYQMaxRNFd4iZRC9J9Z1SC5MBqbvNzqdt98kFdpibnv_QIHdhFyHOR_Ip_LX67Dncc8V8OvAi-H5phfeSyDzwdzf2FQIi82",
"https://voidpet.io/invite/scaredscared/1rpzxWXa61 \u2022 https://sex-doggy.net/tag/censored",
"Everyone has simply asked you alll to stop. Target never asked anyone for money.",
"Legal court documented agreement to allow and pay target to hire cyber investigators",
"Attacks are being carried out by The State of Colorado"
],
"public": 1,
"adversary": "",
"targeted_countries": [
"United States of America",
"Japan",
"France",
"Ireland",
"Spain",
"Italy",
"Aruba",
"Australia",
"Denmark",
"United Kingdom of Great Britain and Northern Ireland",
"Germany",
"T\u00fcrkiye",
"Indonesia"
],
"malware_families": [
{
"id": "Win.Trojan.GravityRAT-6511862-0",
"display_name": "Win.Trojan.GravityRAT-6511862-0",
"target": null
},
{
"id": "ALF:HeraklezEval:Trojan:MSIL/Gravityrat!rfn",
"display_name": "ALF:HeraklezEval:Trojan:MSIL/Gravityrat!rfn",
"target": null
},
{
"id": "Unix.Trojan.Tsunami-6981155-0",
"display_name": "Unix.Trojan.Tsunami-6981155-0",
"target": null
},
{
"id": "TrojanDropper:Win32/Systex.A",
"display_name": "TrojanDropper:Win32/Systex.A",
"target": "/malware/TrojanDropper:Win32/Systex.A"
},
{
"id": "Win.Trojan.Tepfer-61",
"display_name": "Win.Trojan.Tepfer-61",
"target": null
},
{
"id": "TrojanDownloader:Win32/CutwailRansom:Win32/Crowti.A",
"display_name": "TrojanDownloader:Win32/CutwailRansom:Win32/Crowti.A",
"target": null
},
{
"id": "VirTool:Win32/VBInject.gen!MH",
"display_name": "VirTool:Win32/VBInject.gen!MH",
"target": "/malware/VirTool:Win32/VBInject.gen!MH"
},
{
"id": "ALF:NID:Susp_NSIS_Stub.A",
"display_name": "ALF:NID:Susp_NSIS_Stub.A",
"target": null
},
{
"id": "#LOWFI:HSTR:Criakl.B1",
"display_name": "#LOWFI:HSTR:Criakl.B1",
"target": null
},
{
"id": "Backdoor:Win32/Arwobot.B",
"display_name": "Backdoor:Win32/Arwobot.B",
"target": "/malware/Backdoor:Win32/Arwobot.B"
},
{
"id": "Win.Packed.Bandook-9882274-1",
"display_name": "Win.Packed.Bandook-9882274-1",
"target": null
},
{
"id": "TrojanDownloader:Win32/Cutwail",
"display_name": "TrojanDownloader:Win32/Cutwail",
"target": "/malware/TrojanDownloader:Win32/Cutwail"
},
{
"id": "Win.Downloader.Small-4507",
"display_name": "Win.Downloader.Small-4507",
"target": null
},
{
"id": "Trojan:Win32/Qbot.R!MTB",
"display_name": "Trojan:Win32/Qbot.R!MTB",
"target": "/malware/Trojan:Win32/Qbot.R!MTB"
},
{
"id": "Win.Malware.Mikey-9949492-0",
"display_name": "Win.Malware.Mikey-9949492-0",
"target": null
},
{
"id": "Ransom:Win32/Crowti.A",
"display_name": "Ransom:Win32/Crowti.A",
"target": "/malware/Ransom:Win32/Crowti.A"
},
{
"id": "Backdoor:Linux/DemonBot.Aa!MTB",
"display_name": "Backdoor:Linux/DemonBot.Aa!MTB",
"target": "/malware/Backdoor:Linux/DemonBot.Aa!MTB"
},
{
"id": "Unix.Trojan.Gafgyt-6981154-0",
"display_name": "Unix.Trojan.Gafgyt-6981154-0",
"target": null
},
{
"id": "DDOS:Linux/Gafgyt.YA!MTB",
"display_name": "DDOS:Linux/Gafgyt.YA!MTB",
"target": "/malware/DDOS:Linux/Gafgyt.YA!MTB"
},
{
"id": "CVE-2017-11882",
"display_name": "CVE-2017-11882",
"target": null
},
{
"id": "ALF:Exploit:O97M/CVE-2017-8977",
"display_name": "ALF:Exploit:O97M/CVE-2017-8977",
"target": null
},
{
"id": "Cycbot",
"display_name": "Cycbot",
"target": null
},
{
"id": "Win32:BotX-gen\\ [Trj]",
"display_name": "Win32:BotX-gen\\ [Trj]",
"target": null
},
{
"id": "NIDS",
"display_name": "NIDS",
"target": null
},
{
"id": "Mirai (ELF)",
"display_name": "Mirai (ELF)",
"target": null
},
{
"id": "Worm",
"display_name": "Worm",
"target": null
}
],
"attack_ids": [
{
"id": "T1027",
"name": "Obfuscated Files or Information",
"display_name": "T1027 - Obfuscated Files or Information"
},
{
"id": "T1055",
"name": "Process Injection",
"display_name": "T1055 - Process Injection"
},
{
"id": "T1057",
"name": "Process Discovery",
"display_name": "T1057 - Process Discovery"
},
{
"id": "T1069",
"name": "Permission Groups Discovery",
"display_name": "T1069 - Permission Groups Discovery"
},
{
"id": "T1071",
"name": "Application Layer Protocol",
"display_name": "T1071 - Application Layer Protocol"
},
{
"id": "T1105",
"name": "Ingress Tool Transfer",
"display_name": "T1105 - Ingress Tool Transfer"
},
{
"id": "T1480",
"name": "Execution Guardrails",
"display_name": "T1480 - Execution Guardrails"
},
{
"id": "T1553",
"name": "Subvert Trust Controls",
"display_name": "T1553 - Subvert Trust Controls"
},
{
"id": "T1568",
"name": "Dynamic Resolution",
"display_name": "T1568 - Dynamic Resolution"
},
{
"id": "T1583",
"name": "Acquire Infrastructure",
"display_name": "T1583 - Acquire Infrastructure"
},
{
"id": "T1590",
"name": "Gather Victim Network Information",
"display_name": "T1590 - Gather Victim Network Information"
},
{
"id": "T1204.001",
"name": "Malicious Link",
"display_name": "T1204.001 - Malicious Link"
},
{
"id": "T1457",
"name": "Malicious Media Content",
"display_name": "T1457 - Malicious Media Content"
},
{
"id": "T1071.004",
"name": "DNS",
"display_name": "T1071.004 - DNS"
},
{
"id": "T1155",
"name": "AppleScript",
"display_name": "T1155 - AppleScript"
},
{
"id": "T1060",
"name": "Registry Run Keys / Startup Folder",
"display_name": "T1060 - Registry Run Keys / Startup Folder"
},
{
"id": "T1045",
"name": "Software Packing",
"display_name": "T1045 - Software Packing"
},
{
"id": "T1063",
"name": "Security Software Discovery",
"display_name": "T1063 - Security Software Discovery"
},
{
"id": "T1113",
"name": "Screen Capture",
"display_name": "T1113 - Screen Capture"
},
{
"id": "T1068",
"name": "Exploitation for Privilege Escalation",
"display_name": "T1068 - Exploitation for Privilege Escalation"
},
{
"id": "T1210",
"name": "Exploitation of Remote Services",
"display_name": "T1210 - Exploitation of Remote Services"
},
{
"id": "T1566",
"name": "Phishing",
"display_name": "T1566 - Phishing"
},
{
"id": "TA0037",
"name": "Command and Control",
"display_name": "TA0037 - Command and Control"
},
{
"id": "T1031",
"name": "Modify Existing Service",
"display_name": "T1031 - Modify Existing Service"
},
{
"id": "T1583.005",
"name": "Botnet",
"display_name": "T1583.005 - Botnet"
},
{
"id": "T1176",
"name": "Browser Extensions",
"display_name": "T1176 - Browser Extensions"
},
{
"id": "T1185",
"name": "Man in the Browser",
"display_name": "T1185 - Man in the Browser"
},
{
"id": "T1574.008",
"name": "Path Interception by Search Order Hijacking",
"display_name": "T1574.008 - Path Interception by Search Order Hijacking"
},
{
"id": "T1410",
"name": "Network Traffic Capture or Redirection",
"display_name": "T1410 - Network Traffic Capture or Redirection"
},
{
"id": "T1449",
"name": "Exploit SS7 to Redirect Phone Calls/SMS",
"display_name": "T1449 - Exploit SS7 to Redirect Phone Calls/SMS"
},
{
"id": "T1593.002",
"name": "Search Engines",
"display_name": "T1593.002 - Search Engines"
}
],
"industries": [
"Insurance",
"Construction"
],
"TLP": "green",
"cloned_from": "693cdc5b8ebc10664439c2fb",
"export_count": 14,
"upvotes_count": 0,
"downvotes_count": 0,
"votes_count": 0,
"locked": false,
"pulse_source": "web",
"validator_count": 0,
"comment_count": 0,
"follower_count": 0,
"vote": 0,
"author": {
"username": "Q.Vashti",
"id": "337942",
"avatar_url": "https://otx.alienvault.com/assets/images/default-avatar.png",
"is_subscribed": false,
"is_following": false
},
"indicator_type_counts": {
"URL": 54118,
"domain": 11153,
"hostname": 18578,
"email": 21,
"FileHash-SHA256": 4905,
"FileHash-MD5": 548,
"FileHash-SHA1": 534,
"CVE": 7,
"SSLCertFingerprint": 20,
"CIDR": 1
},
"indicator_count": 89885,
"is_author": false,
"is_subscribing": null,
"subscriber_count": 145,
"modified_text": "113 days ago ",
"is_modified": true,
"groups": [],
"in_group": false,
"threat_hunter_scannable": true,
"threat_hunter_has_agents": 1,
"related_indicator_type": "URL",
"related_indicator_is_active": 1
},
{
"id": "693cdc5b8ebc10664439c2fb",
"name": "Project Cicada-.Christopher \u201cBuzz\u201d Ahmann - Freeman Mathis & Gary for The State of Colorado",
"description": "State of Colorado attackers use DGA domains set up multiple Law Firms.. Christopher P. \u2019Buzz\u2019 Ahmann Is a legal consultant / attorney./ hacker \nWorks for the State of Colorado/ quasi. Is malicious and doesn\u2019t work alone. Continues to target \nState had relative contacted by a fake entity \u2018Goodness Health\u2019\nLeft vague VM for relative message \u201cWe work on the Medicare side of things.\u201d and? \nSocial engineering call , malicious domain. The State of Colorado has been on a relentless pursuit against target. Fully compromised targets relatives brand new phone. Hacked target since 10/2013.\nMultiple cyber and physical attacks carried out against target and family members.. There are attacks make to look like accidents or malfunctions. This harmful, silencing behavior is somehow illegal for anyone else.",
"modified": "2026-02-10T06:05:39.764000",
"created": "2025-12-13T03:24:11.414000",
"tags": [
"colorado state",
"freeman mathis",
"history",
"cyber risk",
"aspen insureds",
"gaig insureds",
"landy insureds",
"nip group",
"purm insureds",
"overview core",
"united",
"ip address",
"present nov",
"present may",
"moved",
"encrypt",
"unknown",
"backdoor",
"passive dns",
"ransom",
"checkin",
"trojandropper",
"mtb nov",
"twitter",
"trojan",
"data upload",
"extraction",
"failed",
"united states",
"server response",
"google safe",
"results may",
"lowfi",
"virtool",
"mtb alf",
"mh alf",
"port",
"windows nt",
"destination",
"msie",
"khtml",
"gecko",
"unknown aaaa",
"a domains",
"meta",
"for privacy",
"cop supply",
"urls",
"as139646 hong",
"hostname",
"files",
"hong kong",
"domain add",
"ip related",
"hash avast",
"avg clamav",
"msdefender may",
"ddos",
"as13335",
"ipv4",
"certificate",
"hostname add",
"url analysis",
"files ip",
"name strings",
"category",
"united states",
"pulse indicator",
"address",
"error",
"null",
"object",
"string",
"number",
"google maps",
"promise",
"javascript api",
"dataset",
"bigint",
"dark",
"android",
"infinity",
"internal",
"roboto",
"trident",
"void",
"small",
"lightrail",
"false",
"span",
"close",
"light",
"hybrid",
"embed",
"iframe",
"keygen",
"this",
"february",
"bounce",
"drop",
"inside",
"outside",
"marker",
"present dec",
"pulses otx",
"aaaa",
"asnone country",
"record value",
"title",
"pulse pulses",
"pulses",
"showing",
"unknown cname",
"unknown soa",
"next associated",
"ipv4 add",
"cycbot",
"extract indic",
"sneaker bots",
"proxies data",
"script script",
"adult content",
"nextimage",
"porn site",
"div div",
"platform make",
"cloudfront x",
"hio52 p3",
"unknown ns",
"pulse submit",
"title error",
"reverse dns",
"status",
"servers",
"name servers",
"vashti hostname",
"scan endpoints",
"url http",
"http",
"files domain",
"files related",
"pulses none",
"dnssec",
"sec ch",
"ch ua",
"ua full",
"ua platform",
"ua bitness",
"ua arch",
"version sec",
"mobile sec",
"model sec",
"version list",
"domain",
"emails",
"cookie",
"url https",
"show",
"filehash",
"urls show",
"date checked",
"url hostname",
"results nov",
"win32",
"type",
"learn",
"ck id",
"name tactics",
"suspicious",
"informative",
"command",
"adversaries",
"ssl certificate",
"defense evasion",
"spawns",
"flag",
"llc name",
"server",
"markmonitor",
"name server",
"windir",
"openurl c",
"prefetch2",
"show technique",
"mitre att",
"ck matrix",
"pattern match",
"ascii text",
"sha1",
"href",
"show process",
"file",
"general",
"local",
"path",
"germany unknown",
"date",
"registrar",
"ip whois",
"dynamicloader",
"high",
"medium",
"search",
"displayname",
"tofsee",
"win64",
"write",
"stream",
"malware",
"push",
"entries",
"tls handshake",
"failure",
"forbidden",
"tlsv1",
"april",
"next",
"write c",
"intel",
"ms windows",
"sha1 add",
"av detections",
"ids detections",
"yara detections",
"alerts",
"analysis date",
"file score",
"sha256 add",
"present jun",
"present mar",
"medelln",
"colombia asn",
"dns resolutions",
"address domain",
"related tags",
"none google",
"safe browsing",
"external",
"present sep",
"present aug",
"as54113",
"present jul",
"as8068",
"gmt content",
"total",
"read",
"delete",
"top source",
"quasi",
"murderers",
"christopher ahmann",
"buzz ahmann",
"wow64",
"slcc2",
"media center",
"labor",
"employment",
"cdle",
"dowc",
"colorado",
"workers",
"coloradoif",
"independent",
"state",
"company",
"entity type",
"authorized line",
"analysis",
"tor analysis",
"process details",
"network traffic",
"t1071",
"potential ip",
"click",
"found",
"t1480 execution",
"bad traffic",
"et info",
"ck techniques",
"evasion att",
"t1057",
"refresh",
"body",
"strings",
"tools",
"look",
"verify",
"restart",
"cname",
"form",
"pulse",
"script domains",
"script urls",
"administrator",
"services llc",
"dns admin",
"domain admin",
"global llc",
"domain manager",
"computer system",
"ltd domain",
"network",
"alibaba",
"facebook",
"phishme",
"sogou",
"present jan",
"present feb",
"present oct"
],
"references": [
"https://www.fmglaw.com/lawyers/christopher-ahmann - found in adult content pulse.",
"Sneaker Bots Proxies Servers Cook Groups Cop Supply",
"archive.cop.supply \u2022 dev.cop.supply \u2022 https://cop.supply/ \u2022 https://cop.supply/bot-lists/",
"https://cop.supply/supreme-bots/\u2022 https://cop.supply/useful-tools/",
"https://cop.supply/proxies-lists/ \u2022 https://cop.supply/shopify-bots/",
"dns.army \u2022 www.dcopr.dns.army \u2022 www.glsyaiwjj.dns.army \u2022 www.wgmvk.dns.army",
"https://maps.googleapis.com/maps/api/js?sensor=false",
"cell-0.af-south-1.prod.telemetry.console.api.aws",
"howtoworkacrickoutofyourneck2.pages.dev",
"firebase-auth-eich0v.pages.dev",
"http://ianswertomom.com/develop-wise-woman-within-yourself",
"http://ianswertomom.com/bible-verses-struggling-contentment-mom/ I",
"https://i-want-to-start-an-onlyfans.pages.dev/favicon.ico| I bet you do boo boo",
"makeapornsite.com \u2022 https://pornhighschool.com/ \u2022 https://ethnicerotic.com \u2022 https://twitter.com/Make",
"https://khmerpornvideo.signup0.y.id/",
"https://lordseriala.life/6337-zvezdnye-vojny-opornaja-komanda.html",
"https://clear.ml/infrastructure-control-plane",
"dev-app.project-cicada.com \u2022 http://dev-app.project-cicada.com \u2022 https://dev-app.project-cicada.com (2014 report predates 2016 reports)",
"https://amano.inboundtools.com/tpcontact URL https://armg.inboundtools.com/ URL https://gaiax.inboundtools.com/internship URL https://hmk.inboundtools.com/ URL https://hmk.inboundtools.com/form/assetview_siryo_sier",
"https://download.clear.ml/cpython_builds/releases/ \u2022 https://download.clear.",
"https://links.mail.samsara.com/s/c/P9R6gGlExR4nfCwqwJXUmr7NmKcMNde4ZBhCFprlVtsFNgh-4tuTWla0aXN9rIWCjrWtn0Vln7x-hexxVBlY3xxvnEevR8qJU5G5xV3__wo-X7kkpSOhJVfejac-Xk8qu6zs5Z-tILwWYRkNScZNGlAqfwQuJuRw5M-n_ZKI6tuY5XGCZAqWoQepi1NnJiW4wZJkzZlOwGtNkusbuKDcMsLVrrhji2eKh4kYgrJp_SeycJRhasLFCQ3c2bPu4sahEWpcHZrQBaxvdfQgTEno8kV-RJdTDO0zK5MyWDJLeds7mnaDrxlb0O2zmhebUdlHE0R0xHi25dympBUpMlLsQV8bx1WUTOfgK4k0ci9o_2Gbfe22-jLxsJN-msV6pxWYQMaxRNFd4iZRC9J9Z1SC5MBqbvNzqdt98kFdpibnv_QIHdhFyHOR_Ip_LX67Dncc8V8OvAi-H5phfeSyDzwdzf2FQIi82",
"https://voidpet.io/invite/scaredscared/1rpzxWXa61 \u2022 https://sex-doggy.net/tag/censored",
"Everyone has simply asked you alll to stop. Target never asked anyone for money.",
"Legal court documented agreement to allow and pay target to hire cyber investigators",
"Attacks are being carried out by The State of Colorado"
],
"public": 1,
"adversary": "",
"targeted_countries": [
"United States of America",
"Japan",
"France",
"Ireland",
"Spain",
"Italy",
"Aruba",
"Australia",
"Denmark",
"United Kingdom of Great Britain and Northern Ireland",
"Germany",
"T\u00fcrkiye",
"Indonesia"
],
"malware_families": [
{
"id": "Win.Trojan.GravityRAT-6511862-0",
"display_name": "Win.Trojan.GravityRAT-6511862-0",
"target": null
},
{
"id": "ALF:HeraklezEval:Trojan:MSIL/Gravityrat!rfn",
"display_name": "ALF:HeraklezEval:Trojan:MSIL/Gravityrat!rfn",
"target": null
},
{
"id": "Unix.Trojan.Tsunami-6981155-0",
"display_name": "Unix.Trojan.Tsunami-6981155-0",
"target": null
},
{
"id": "TrojanDropper:Win32/Systex.A",
"display_name": "TrojanDropper:Win32/Systex.A",
"target": "/malware/TrojanDropper:Win32/Systex.A"
},
{
"id": "Win.Trojan.Tepfer-61",
"display_name": "Win.Trojan.Tepfer-61",
"target": null
},
{
"id": "TrojanDownloader:Win32/CutwailRansom:Win32/Crowti.A",
"display_name": "TrojanDownloader:Win32/CutwailRansom:Win32/Crowti.A",
"target": null
},
{
"id": "VirTool:Win32/VBInject.gen!MH",
"display_name": "VirTool:Win32/VBInject.gen!MH",
"target": "/malware/VirTool:Win32/VBInject.gen!MH"
},
{
"id": "ALF:NID:Susp_NSIS_Stub.A",
"display_name": "ALF:NID:Susp_NSIS_Stub.A",
"target": null
},
{
"id": "#LOWFI:HSTR:Criakl.B1",
"display_name": "#LOWFI:HSTR:Criakl.B1",
"target": null
},
{
"id": "Backdoor:Win32/Arwobot.B",
"display_name": "Backdoor:Win32/Arwobot.B",
"target": "/malware/Backdoor:Win32/Arwobot.B"
},
{
"id": "Win.Packed.Bandook-9882274-1",
"display_name": "Win.Packed.Bandook-9882274-1",
"target": null
},
{
"id": "TrojanDownloader:Win32/Cutwail",
"display_name": "TrojanDownloader:Win32/Cutwail",
"target": "/malware/TrojanDownloader:Win32/Cutwail"
},
{
"id": "Win.Downloader.Small-4507",
"display_name": "Win.Downloader.Small-4507",
"target": null
},
{
"id": "Trojan:Win32/Qbot.R!MTB",
"display_name": "Trojan:Win32/Qbot.R!MTB",
"target": "/malware/Trojan:Win32/Qbot.R!MTB"
},
{
"id": "Win.Malware.Mikey-9949492-0",
"display_name": "Win.Malware.Mikey-9949492-0",
"target": null
},
{
"id": "Ransom:Win32/Crowti.A",
"display_name": "Ransom:Win32/Crowti.A",
"target": "/malware/Ransom:Win32/Crowti.A"
},
{
"id": "Backdoor:Linux/DemonBot.Aa!MTB",
"display_name": "Backdoor:Linux/DemonBot.Aa!MTB",
"target": "/malware/Backdoor:Linux/DemonBot.Aa!MTB"
},
{
"id": "Unix.Trojan.Gafgyt-6981154-0",
"display_name": "Unix.Trojan.Gafgyt-6981154-0",
"target": null
},
{
"id": "DDOS:Linux/Gafgyt.YA!MTB",
"display_name": "DDOS:Linux/Gafgyt.YA!MTB",
"target": "/malware/DDOS:Linux/Gafgyt.YA!MTB"
},
{
"id": "CVE-2017-11882",
"display_name": "CVE-2017-11882",
"target": null
},
{
"id": "ALF:Exploit:O97M/CVE-2017-8977",
"display_name": "ALF:Exploit:O97M/CVE-2017-8977",
"target": null
},
{
"id": "Cycbot",
"display_name": "Cycbot",
"target": null
},
{
"id": "Win32:BotX-gen\\ [Trj]",
"display_name": "Win32:BotX-gen\\ [Trj]",
"target": null
},
{
"id": "NIDS",
"display_name": "NIDS",
"target": null
},
{
"id": "Mirai (ELF)",
"display_name": "Mirai (ELF)",
"target": null
},
{
"id": "Worm",
"display_name": "Worm",
"target": null
}
],
"attack_ids": [
{
"id": "T1027",
"name": "Obfuscated Files or Information",
"display_name": "T1027 - Obfuscated Files or Information"
},
{
"id": "T1055",
"name": "Process Injection",
"display_name": "T1055 - Process Injection"
},
{
"id": "T1057",
"name": "Process Discovery",
"display_name": "T1057 - Process Discovery"
},
{
"id": "T1069",
"name": "Permission Groups Discovery",
"display_name": "T1069 - Permission Groups Discovery"
},
{
"id": "T1071",
"name": "Application Layer Protocol",
"display_name": "T1071 - Application Layer Protocol"
},
{
"id": "T1105",
"name": "Ingress Tool Transfer",
"display_name": "T1105 - Ingress Tool Transfer"
},
{
"id": "T1480",
"name": "Execution Guardrails",
"display_name": "T1480 - Execution Guardrails"
},
{
"id": "T1553",
"name": "Subvert Trust Controls",
"display_name": "T1553 - Subvert Trust Controls"
},
{
"id": "T1568",
"name": "Dynamic Resolution",
"display_name": "T1568 - Dynamic Resolution"
},
{
"id": "T1583",
"name": "Acquire Infrastructure",
"display_name": "T1583 - Acquire Infrastructure"
},
{
"id": "T1590",
"name": "Gather Victim Network Information",
"display_name": "T1590 - Gather Victim Network Information"
},
{
"id": "T1204.001",
"name": "Malicious Link",
"display_name": "T1204.001 - Malicious Link"
},
{
"id": "T1457",
"name": "Malicious Media Content",
"display_name": "T1457 - Malicious Media Content"
},
{
"id": "T1071.004",
"name": "DNS",
"display_name": "T1071.004 - DNS"
},
{
"id": "T1155",
"name": "AppleScript",
"display_name": "T1155 - AppleScript"
},
{
"id": "T1060",
"name": "Registry Run Keys / Startup Folder",
"display_name": "T1060 - Registry Run Keys / Startup Folder"
},
{
"id": "T1045",
"name": "Software Packing",
"display_name": "T1045 - Software Packing"
},
{
"id": "T1063",
"name": "Security Software Discovery",
"display_name": "T1063 - Security Software Discovery"
},
{
"id": "T1113",
"name": "Screen Capture",
"display_name": "T1113 - Screen Capture"
},
{
"id": "T1068",
"name": "Exploitation for Privilege Escalation",
"display_name": "T1068 - Exploitation for Privilege Escalation"
},
{
"id": "T1210",
"name": "Exploitation of Remote Services",
"display_name": "T1210 - Exploitation of Remote Services"
},
{
"id": "T1566",
"name": "Phishing",
"display_name": "T1566 - Phishing"
},
{
"id": "TA0037",
"name": "Command and Control",
"display_name": "TA0037 - Command and Control"
},
{
"id": "T1031",
"name": "Modify Existing Service",
"display_name": "T1031 - Modify Existing Service"
},
{
"id": "T1583.005",
"name": "Botnet",
"display_name": "T1583.005 - Botnet"
},
{
"id": "T1176",
"name": "Browser Extensions",
"display_name": "T1176 - Browser Extensions"
},
{
"id": "T1185",
"name": "Man in the Browser",
"display_name": "T1185 - Man in the Browser"
},
{
"id": "T1574.008",
"name": "Path Interception by Search Order Hijacking",
"display_name": "T1574.008 - Path Interception by Search Order Hijacking"
},
{
"id": "T1410",
"name": "Network Traffic Capture or Redirection",
"display_name": "T1410 - Network Traffic Capture or Redirection"
},
{
"id": "T1449",
"name": "Exploit SS7 to Redirect Phone Calls/SMS",
"display_name": "T1449 - Exploit SS7 to Redirect Phone Calls/SMS"
},
{
"id": "T1593.002",
"name": "Search Engines",
"display_name": "T1593.002 - Search Engines"
}
],
"industries": [
"Insurance",
"Construction"
],
"TLP": "green",
"cloned_from": null,
"export_count": 8,
"upvotes_count": 0,
"downvotes_count": 0,
"votes_count": 0,
"locked": false,
"pulse_source": "web",
"validator_count": 0,
"comment_count": 0,
"follower_count": 0,
"vote": 0,
"author": {
"username": "Q.Vashti",
"id": "337942",
"avatar_url": "https://otx.alienvault.com/assets/images/default-avatar.png",
"is_subscribed": false,
"is_following": false
},
"indicator_type_counts": {
"URL": 54118,
"domain": 11153,
"hostname": 18578,
"email": 21,
"FileHash-SHA256": 4905,
"FileHash-MD5": 548,
"FileHash-SHA1": 534,
"CVE": 7,
"SSLCertFingerprint": 20,
"CIDR": 1
},
"indicator_count": 89885,
"is_author": false,
"is_subscribing": null,
"subscriber_count": 146,
"modified_text": "113 days ago ",
"is_modified": true,
"groups": [],
"in_group": false,
"threat_hunter_scannable": true,
"threat_hunter_has_agents": 1,
"related_indicator_type": "URL",
"related_indicator_is_active": 1
},
{
"id": "68e2bb5d9ee8577ab5519f2c",
"name": "Meritshealth with DoD links? ",
"description": "",
"modified": "2026-01-13T00:05:56.401000",
"created": "2025-10-05T18:39:25.286000",
"tags": [
"gtmk5nxqc6",
"utc amazon",
"utc na",
"acceptencoding",
"gmt contenttype",
"connection",
"true pragma",
"gmt setcookie",
"httponly",
"gmt vary",
"nc000000 up",
"html document",
"unicode text",
"utf8 text",
"oc0006 http",
"http traffic",
"https http",
"mitre att",
"control ta0011",
"protocol t1071",
"match info",
"t1573 severity",
"info",
"number",
"ja3s",
"algorithm",
"azure rsa",
"tls issuing",
"cus subject",
"stwa lredmond",
"cnmicrosoft ecc",
"update secure",
"server ca",
"omicrosoft cus",
"get http",
"dns resolutions",
"registrar",
"markmonitor inc",
"country",
"resolver domain",
"type name",
"html",
"apnic",
"apnic whois",
"please",
"rirs",
"cidr",
"learn",
"ck id",
"name tactics",
"suspicious",
"informative",
"command",
"adversaries",
"development att",
"name tactics",
"binary file",
"ck matrix",
"wheelchair",
"iamrobert",
"pattern match",
"ascii text",
"href",
"united",
"general",
"local",
"path",
"encrypt",
"click",
"passive dns",
"urls",
"files",
"reverse dns",
"netherlands",
"present aug",
"a domains",
"moved",
"first pqc",
"ip address",
"unknown ns",
"unknown aaaa",
"title",
"body",
"meta",
"window",
"accept",
"body doctype",
"welcome",
"ok server",
"gmt content",
"present jul",
"present sep",
"aaaa",
"hostname",
"error",
"defense evasion",
"windows nt",
"response",
"vary",
"strings",
"core",
"t1027.013 encrypted/encoded",
"michelin lazy k",
"prefetch8",
"flag",
"date",
"starfield",
"hybrid",
"mobility cr",
"extraction",
"data upload",
"include",
"o url",
"url url",
"included i0",
"review ioc",
"excluded ic",
"suggested",
"find sugi",
"failed",
"cre pul",
"enter",
"enter sc",
"type",
"enric",
"extra",
"type opaste",
"data u",
"included",
"copy md5",
"copy sha1",
"copy sha256",
"null",
"refresh",
"tools",
"look",
"verify",
"restart",
"t1480 execution",
"expiration",
"url https",
"no expiration",
"iocs",
"ipv4",
"text drag",
"drop or",
"browse to",
"select file",
"redacted for",
"server",
"privacy tech",
"privacy admin",
"postal code",
"stateprovince",
"organization",
"email",
"code",
"quantum rooms",
"sam somalia",
"emp",
"porn",
"media defense",
"gov porn",
"suck my nips",
"reimer suspect",
"jeffrey reimer",
"dod",
"department of defense",
"show",
"date checked",
"url hostname",
"server response",
"google safe",
"results may",
"entries http",
"scans record",
"value status",
"sabey type",
"merits fake",
"y.a.s.",
"pornography",
"ramsom"
],
"references": [
"https://www.meritshealth.com/ Defense.Gov Mobility Co? ",
"zeroeyes.host \u2022 media.defense.gov \u2022 defense.gov \u2022 23.222.155.67",
"https://media.defense.gov/2022/Mar/17/2002958406/-1/-1/1/SUMMARY-OF-THE-JOINT-ALL-DOMAIN-COMMAND-AND-CONTROL-STRATEGY.pdf",
"https://media.defense.gov/2020/jun/09/2002313081/-1/-1/0/csi-detect-and-prevent-web-shell-malware-20200422.pdf",
"https://rto.bappam.eu/ai-n2cdl/mirai-2025-ven5k-telugu-movie-watch-online.html",
"https://pornokind.vgt.pl \u2022 https://cdn2.video.itsyourporn.com",
"https://webcams.itsyourporn.com/ \u2022 https://members.itsyourporn.com/",
"https://pics-storage-1.pornhat.com/contents/albums/main/1920x1080/135000/135855/9537375.jp",
"https://static.pornhat.com/contents/videos_screenshots/642000/642793/640x360/1.jpg",
"https://d1rozh26tys225.cloudfront.net/robot-suspicion.svg (mobility company no one has heard of)",
"https://www2.itsyourporn.com/license.php \u2022 https://www.lovephoto.tw/members",
"https://members.engine.com/login \u2022 https://members.engine.com/payment-details/220210",
"https://www-pornocarioca-com.sexogratis.page/videos/bbb/ex",
"https://media.defense.gov/2024/sep/18/2003547016/-1/-1/0/csa-prc-linked-actors-botnet.pdf",
"https://maisexo-com.putaria.info/casting \u2022 https://contosadultos-club.sexogratis.page/tudo",
"https://meumundogay-com.sexogratis.page/locker",
"https://es.pornhat.com/models/the-sex-creator/",
"Dear US Government, the man who assaulted targets name is Jeffrey Scott Reimer of Chester Springs, PA",
"Can the DoD no questions asked target a SA victim",
"Red Team Abuse? Starfield ? DoD? You need a real criminal Jeffrey Reimer.",
"There\u2019s a problem with terrorizing victims, relatives of, associates of and stealing their property intellectual or otherwise",
"socialmedia \u2022 socialmedia.defense.gov \u2022 static.defense.gov",
"There is fear in silence or speaking out",
"Target left unattended by anyone in a hospital except a security guard. Hospital refused care. Ignored rare brain incident from high cervical & brain assault injuries aggravated by car accident.",
"3-4 Police presence. 25 + hospital employees prepped radiology room. No one left room so was it for her?",
"If someone is believed to be a threat they have right to due process.",
"Infectious Disease UC Health denied target medication they said she needed as questionable liquid seeped into her brain.",
"She was a researcher not a hacker. A mother not a criminal. Most talented and least impressed person I have ever known.",
"Remarks online \u2018 T\u2019*#^^ is not a runner\u2019 a size 00 broke two track records at a major universities.",
"Honestly, you\u2019ve never seen or met her no many how many people you\u2019ve sent out. That\u2019s why you quiz.",
"ftp.iamrobert.com ? \u2022 https://www.meritshealth.com/templates/iamrobert/fonts/Graphik-Regular.eot",
"iamrobert.com Y.A.S.",
"1.2016 M.Brian Sabey filed a complaint about? Jeffrey Reimer refused Lie detector test and False memory exam",
"Target agreed and complied with all lie detector measures.",
"Is the family allowed to have a funeral for Tsara or print an obituary",
"No, they put Tsara in her mom\u2019s obituary, she couldn\u2019t grieve, she had to take it down.",
"I am very upset. Whoever is doing this is sick."
],
"public": 1,
"adversary": "",
"targeted_countries": [
"United States of America"
],
"malware_families": [
{
"id": "APNIC",
"display_name": "APNIC",
"target": null
},
{
"id": "Malware",
"display_name": "Malware",
"target": null
}
],
"attack_ids": [
{
"id": "T1071",
"name": "Application Layer Protocol",
"display_name": "T1071 - Application Layer Protocol"
},
{
"id": "T1573",
"name": "Encrypted Channel",
"display_name": "T1573 - Encrypted Channel"
},
{
"id": "T1027",
"name": "Obfuscated Files or Information",
"display_name": "T1027 - Obfuscated Files or Information"
},
{
"id": "T1057",
"name": "Process Discovery",
"display_name": "T1057 - Process Discovery"
},
{
"id": "T1069",
"name": "Permission Groups Discovery",
"display_name": "T1069 - Permission Groups Discovery"
},
{
"id": "T1105",
"name": "Ingress Tool Transfer",
"display_name": "T1105 - Ingress Tool Transfer"
},
{
"id": "T1480",
"name": "Execution Guardrails",
"display_name": "T1480 - Execution Guardrails"
},
{
"id": "T1553",
"name": "Subvert Trust Controls",
"display_name": "T1553 - Subvert Trust Controls"
},
{
"id": "T1566",
"name": "Phishing",
"display_name": "T1566 - Phishing"
},
{
"id": "T1568",
"name": "Dynamic Resolution",
"display_name": "T1568 - Dynamic Resolution"
},
{
"id": "T1583",
"name": "Acquire Infrastructure",
"display_name": "T1583 - Acquire Infrastructure"
},
{
"id": "T1069.002",
"name": "Domain Groups",
"display_name": "T1069.002 - Domain Groups"
},
{
"id": "T1071.001",
"name": "Web Protocols",
"display_name": "T1071.001 - Web Protocols"
},
{
"id": "T1583.001",
"name": "Domains",
"display_name": "T1583.001 - Domains"
},
{
"id": "TA0042",
"name": "Resource Development",
"display_name": "TA0042 - Resource Development"
},
{
"id": "TA0005",
"name": "Defense Evasion",
"display_name": "TA0005 - Defense Evasion"
},
{
"id": "T1553.002",
"name": "Code Signing",
"display_name": "T1553.002 - Code Signing"
},
{
"id": "T1528",
"name": "Steal Application Access Token",
"display_name": "T1528 - Steal Application Access Token"
},
{
"id": "T1071.004",
"name": "DNS",
"display_name": "T1071.004 - DNS"
},
{
"id": "T1113",
"name": "Screen Capture",
"display_name": "T1113 - Screen Capture"
},
{
"id": "T1590",
"name": "Gather Victim Network Information",
"display_name": "T1590 - Gather Victim Network Information"
},
{
"id": "T1591",
"name": "Gather Victim Org Information",
"display_name": "T1591 - Gather Victim Org Information"
},
{
"id": "T1132",
"name": "Data Encoding",
"display_name": "T1132 - Data Encoding"
},
{
"id": "T1140",
"name": "Deobfuscate/Decode Files or Information",
"display_name": "T1140 - Deobfuscate/Decode Files or Information"
},
{
"id": "T1562",
"name": "Impair Defenses",
"display_name": "T1562 - Impair Defenses"
},
{
"id": "T1457",
"name": "Malicious Media Content",
"display_name": "T1457 - Malicious Media Content"
},
{
"id": "T1562.001",
"name": "Disable or Modify Tools",
"display_name": "T1562.001 - Disable or Modify Tools"
},
{
"id": "T1562.004",
"name": "Disable or Modify System Firewall",
"display_name": "T1562.004 - Disable or Modify System Firewall"
},
{
"id": "T1089",
"name": "Disabling Security Tools",
"display_name": "T1089 - Disabling Security Tools"
},
{
"id": "T1562.008",
"name": "Disable Cloud Logs",
"display_name": "T1562.008 - Disable Cloud Logs"
},
{
"id": "T1125",
"name": "Video Capture",
"display_name": "T1125 - Video Capture"
},
{
"id": "T1056.003",
"name": "Web Portal Capture",
"display_name": "T1056.003 - Web Portal Capture"
},
{
"id": "T1512",
"name": "Capture Camera",
"display_name": "T1512 - Capture Camera"
},
{
"id": "T1180",
"name": "Screensaver",
"display_name": "T1180 - Screensaver"
}
],
"industries": [],
"TLP": "white",
"cloned_from": "68e2b14d83bb63502feac65e",
"export_count": 17,
"upvotes_count": 0,
"downvotes_count": 0,
"votes_count": 0,
"locked": false,
"pulse_source": "web",
"validator_count": 0,
"comment_count": 0,
"follower_count": 0,
"vote": 0,
"author": {
"username": "Q.Vashti",
"id": "337942",
"avatar_url": "https://otx.alienvault.com/assets/images/default-avatar.png",
"is_subscribed": false,
"is_following": false
},
"indicator_type_counts": {
"domain": 1365,
"URL": 11172,
"hostname": 2780,
"FileHash-MD5": 381,
"FileHash-SHA256": 4420,
"FileHash-SHA1": 338,
"CIDR": 4,
"SSLCertFingerprint": 24,
"CVE": 1,
"email": 1
},
"indicator_count": 20486,
"is_author": false,
"is_subscribing": null,
"subscriber_count": 143,
"modified_text": "141 days ago ",
"is_modified": true,
"groups": [],
"in_group": false,
"threat_hunter_scannable": true,
"threat_hunter_has_agents": 1,
"related_indicator_type": "URL",
"related_indicator_is_active": 1
},
{
"id": "68e2b14d83bb63502feac65e",
"name": "Did the \u2018real\u2019 DoD kill Targets wheelchair as promised? It\u2019s alive again.",
"description": "I\u2019d never think the DoD would be found when researching a wheelchair company NO ONE has ever heard of in this region. \n\nA wheelchair was ordered for target early spring, it was received in early summer. \n\nSettings became a crazy mess. Suspicion was immediate as a toothless tech tried to identify if dealing w/target by birth year , quizzing, fear tactics (doomsday wheelchair) , familiar Then warns about EMP attacks against wheelchair? His son is a hacker (gamer) + software engineer. He left not knowing if target status after quizzing tech knowledge? I intentionally verbalized the truth , target was a very early adopter of Ruby & Ruby on Rails & everything tech, he dropped his tools & left breaking the arm of wheelchair. New tech needed. Later denies ever being a mobility technician. They killed a new wheelchair. Why?. You\u2019re allowed to donate your equipment Vets & uninsured NEED mobility equipment. Stop the craziness. Is it possible gamer hackers are riding the DoD w/o their knowledge?",
"modified": "2026-01-07T00:00:30.717000",
"created": "2025-10-05T17:56:29.109000",
"tags": [
"gtmk5nxqc6",
"utc amazon",
"utc na",
"acceptencoding",
"gmt contenttype",
"connection",
"true pragma",
"gmt setcookie",
"httponly",
"gmt vary",
"nc000000 up",
"html document",
"unicode text",
"utf8 text",
"oc0006 http",
"http traffic",
"https http",
"mitre att",
"control ta0011",
"protocol t1071",
"match info",
"t1573 severity",
"info",
"number",
"ja3s",
"algorithm",
"azure rsa",
"tls issuing",
"cus subject",
"stwa lredmond",
"cnmicrosoft ecc",
"update secure",
"server ca",
"omicrosoft cus",
"get http",
"dns resolutions",
"registrar",
"markmonitor inc",
"country",
"resolver domain",
"type name",
"html",
"apnic",
"apnic whois",
"please",
"rirs",
"cidr",
"learn",
"ck id",
"name tactics",
"suspicious",
"informative",
"command",
"adversaries",
"development att",
"name tactics",
"binary file",
"ck matrix",
"wheelchair",
"iamrobert",
"pattern match",
"ascii text",
"href",
"united",
"general",
"local",
"path",
"encrypt",
"click",
"passive dns",
"urls",
"files",
"reverse dns",
"netherlands",
"present aug",
"a domains",
"moved",
"first pqc",
"ip address",
"unknown ns",
"unknown aaaa",
"title",
"body",
"meta",
"window",
"accept",
"body doctype",
"welcome",
"ok server",
"gmt content",
"present jul",
"present sep",
"aaaa",
"hostname",
"error",
"defense evasion",
"windows nt",
"response",
"vary",
"strings",
"core",
"t1027.013 encrypted/encoded",
"michelin lazy k",
"prefetch8",
"flag",
"date",
"starfield",
"hybrid",
"mobility cr",
"extraction",
"data upload",
"include",
"o url",
"url url",
"included i0",
"review ioc",
"excluded ic",
"suggested",
"find sugi",
"failed",
"cre pul",
"enter",
"enter sc",
"type",
"enric",
"extra",
"type opaste",
"data u",
"included",
"copy md5",
"copy sha1",
"copy sha256",
"null",
"refresh",
"tools",
"look",
"verify",
"restart",
"t1480 execution",
"expiration",
"url https",
"no expiration",
"iocs",
"ipv4",
"text drag",
"drop or",
"browse to",
"select file",
"redacted for",
"server",
"privacy tech",
"privacy admin",
"postal code",
"stateprovince",
"organization",
"email",
"code",
"quantum rooms",
"sam somalia",
"emp",
"porn",
"media defense",
"gov porn",
"suck my nips",
"reimer suspect",
"jeffrey reimer",
"dod",
"department of defense",
"show",
"date checked",
"url hostname",
"server response",
"google safe",
"results may",
"entries http",
"scans record",
"value status",
"sabey type",
"merits fake",
"y.a.s.",
"pornography",
"ramsom"
],
"references": [
"https://www.meritshealth.com/ Defense.Gov Mobility Co? ",
"zeroeyes.host \u2022 media.defense.gov \u2022 defense.gov \u2022 23.222.155.67",
"https://media.defense.gov/2022/Mar/17/2002958406/-1/-1/1/SUMMARY-OF-THE-JOINT-ALL-DOMAIN-COMMAND-AND-CONTROL-STRATEGY.pdf",
"https://media.defense.gov/2020/jun/09/2002313081/-1/-1/0/csi-detect-and-prevent-web-shell-malware-20200422.pdf",
"https://rto.bappam.eu/ai-n2cdl/mirai-2025-ven5k-telugu-movie-watch-online.html",
"https://pornokind.vgt.pl \u2022 https://cdn2.video.itsyourporn.com",
"https://webcams.itsyourporn.com/ \u2022 https://members.itsyourporn.com/",
"https://pics-storage-1.pornhat.com/contents/albums/main/1920x1080/135000/135855/9537375.jp",
"https://static.pornhat.com/contents/videos_screenshots/642000/642793/640x360/1.jpg",
"https://d1rozh26tys225.cloudfront.net/robot-suspicion.svg (mobility company no one has heard of)",
"https://www2.itsyourporn.com/license.php \u2022 https://www.lovephoto.tw/members",
"https://members.engine.com/login \u2022 https://members.engine.com/payment-details/220210",
"https://www-pornocarioca-com.sexogratis.page/videos/bbb/ex",
"https://media.defense.gov/2024/sep/18/2003547016/-1/-1/0/csa-prc-linked-actors-botnet.pdf",
"https://maisexo-com.putaria.info/casting \u2022 https://contosadultos-club.sexogratis.page/tudo",
"https://meumundogay-com.sexogratis.page/locker",
"https://es.pornhat.com/models/the-sex-creator/",
"Dear US Government, the man who assaulted targets name is Jeffrey Scott Reimer of Chester Springs, PA",
"Can the DoD no questions asked target a SA victim",
"Red Team Abuse? Starfield ? DoD? You need a real criminal Jeffrey Reimer.",
"There\u2019s a problem with terrorizing victims, relatives of, associates of and stealing their property intellectual or otherwise",
"socialmedia \u2022 socialmedia.defense.gov \u2022 static.defense.gov",
"There is fear in silence or speaking out",
"Target left unattended by anyone in a hospital except a security guard. Hospital refused care. Ignored rare brain incident from high cervical & brain assault injuries aggravated by car accident.",
"3-4 Police presence. 25 + hospital employees prepped radiology room. No one left room so was it for her?",
"If someone is believed to be a threat they have right to due process.",
"Infectious Disease UC Health denied target medication they said she needed as questionable liquid seeped into her brain.",
"She was a researcher not a hacker. A mother not a criminal. Most talented and least impressed person I have ever known.",
"Remarks online \u2018 T\u2019*#^^ is not a runner\u2019 a size 00 broke two track records at a major universities.",
"Honestly, you\u2019ve never seen or met her no many how many people you\u2019ve sent out. That\u2019s why you quiz.",
"ftp.iamrobert.com ? \u2022 https://www.meritshealth.com/templates/iamrobert/fonts/Graphik-Regular.eot",
"iamrobert.com Y.A.S.",
"1.2016 M.Brian Sabey filed a complaint about? Jeffrey Reimer refused Lie detector test and False memory exam",
"Target agreed and complied with all lie detector measures.",
"Is the family allowed to have a funeral for Tsara or print an obituary",
"No, they put Tsara in her mom\u2019s obituary, she couldn\u2019t grieve, she had to take it down.",
"I am very upset. Whoever is doing this is sick."
],
"public": 1,
"adversary": "",
"targeted_countries": [
"United States of America"
],
"malware_families": [
{
"id": "APNIC",
"display_name": "APNIC",
"target": null
},
{
"id": "Malware",
"display_name": "Malware",
"target": null
}
],
"attack_ids": [
{
"id": "T1071",
"name": "Application Layer Protocol",
"display_name": "T1071 - Application Layer Protocol"
},
{
"id": "T1573",
"name": "Encrypted Channel",
"display_name": "T1573 - Encrypted Channel"
},
{
"id": "T1027",
"name": "Obfuscated Files or Information",
"display_name": "T1027 - Obfuscated Files or Information"
},
{
"id": "T1057",
"name": "Process Discovery",
"display_name": "T1057 - Process Discovery"
},
{
"id": "T1069",
"name": "Permission Groups Discovery",
"display_name": "T1069 - Permission Groups Discovery"
},
{
"id": "T1105",
"name": "Ingress Tool Transfer",
"display_name": "T1105 - Ingress Tool Transfer"
},
{
"id": "T1480",
"name": "Execution Guardrails",
"display_name": "T1480 - Execution Guardrails"
},
{
"id": "T1553",
"name": "Subvert Trust Controls",
"display_name": "T1553 - Subvert Trust Controls"
},
{
"id": "T1566",
"name": "Phishing",
"display_name": "T1566 - Phishing"
},
{
"id": "T1568",
"name": "Dynamic Resolution",
"display_name": "T1568 - Dynamic Resolution"
},
{
"id": "T1583",
"name": "Acquire Infrastructure",
"display_name": "T1583 - Acquire Infrastructure"
},
{
"id": "T1069.002",
"name": "Domain Groups",
"display_name": "T1069.002 - Domain Groups"
},
{
"id": "T1071.001",
"name": "Web Protocols",
"display_name": "T1071.001 - Web Protocols"
},
{
"id": "T1583.001",
"name": "Domains",
"display_name": "T1583.001 - Domains"
},
{
"id": "TA0042",
"name": "Resource Development",
"display_name": "TA0042 - Resource Development"
},
{
"id": "TA0005",
"name": "Defense Evasion",
"display_name": "TA0005 - Defense Evasion"
},
{
"id": "T1553.002",
"name": "Code Signing",
"display_name": "T1553.002 - Code Signing"
},
{
"id": "T1528",
"name": "Steal Application Access Token",
"display_name": "T1528 - Steal Application Access Token"
},
{
"id": "T1071.004",
"name": "DNS",
"display_name": "T1071.004 - DNS"
},
{
"id": "T1113",
"name": "Screen Capture",
"display_name": "T1113 - Screen Capture"
},
{
"id": "T1590",
"name": "Gather Victim Network Information",
"display_name": "T1590 - Gather Victim Network Information"
},
{
"id": "T1591",
"name": "Gather Victim Org Information",
"display_name": "T1591 - Gather Victim Org Information"
},
{
"id": "T1132",
"name": "Data Encoding",
"display_name": "T1132 - Data Encoding"
},
{
"id": "T1140",
"name": "Deobfuscate/Decode Files or Information",
"display_name": "T1140 - Deobfuscate/Decode Files or Information"
},
{
"id": "T1562",
"name": "Impair Defenses",
"display_name": "T1562 - Impair Defenses"
},
{
"id": "T1457",
"name": "Malicious Media Content",
"display_name": "T1457 - Malicious Media Content"
},
{
"id": "T1562.001",
"name": "Disable or Modify Tools",
"display_name": "T1562.001 - Disable or Modify Tools"
},
{
"id": "T1562.004",
"name": "Disable or Modify System Firewall",
"display_name": "T1562.004 - Disable or Modify System Firewall"
},
{
"id": "T1089",
"name": "Disabling Security Tools",
"display_name": "T1089 - Disabling Security Tools"
},
{
"id": "T1562.008",
"name": "Disable Cloud Logs",
"display_name": "T1562.008 - Disable Cloud Logs"
},
{
"id": "T1125",
"name": "Video Capture",
"display_name": "T1125 - Video Capture"
},
{
"id": "T1056.003",
"name": "Web Portal Capture",
"display_name": "T1056.003 - Web Portal Capture"
},
{
"id": "T1512",
"name": "Capture Camera",
"display_name": "T1512 - Capture Camera"
},
{
"id": "T1180",
"name": "Screensaver",
"display_name": "T1180 - Screensaver"
}
],
"industries": [],
"TLP": "white",
"cloned_from": null,
"export_count": 11,
"upvotes_count": 0,
"downvotes_count": 0,
"votes_count": 0,
"locked": false,
"pulse_source": "web",
"validator_count": 0,
"comment_count": 1,
"follower_count": 0,
"vote": 0,
"author": {
"username": "Q.Vashti",
"id": "337942",
"avatar_url": "https://otx.alienvault.com/assets/images/default-avatar.png",
"is_subscribed": false,
"is_following": false
},
"indicator_type_counts": {
"domain": 1328,
"URL": 9931,
"hostname": 2621,
"FileHash-MD5": 381,
"FileHash-SHA256": 4360,
"FileHash-SHA1": 338,
"CIDR": 4,
"SSLCertFingerprint": 24,
"CVE": 1,
"email": 1
},
"indicator_count": 18989,
"is_author": false,
"is_subscribing": null,
"subscriber_count": 143,
"modified_text": "147 days ago ",
"is_modified": true,
"groups": [],
"in_group": false,
"threat_hunter_scannable": true,
"threat_hunter_has_agents": 1,
"related_indicator_type": "URL",
"related_indicator_is_active": 1
},
{
"id": "690a2c38de1708af54217faa",
"name": "Access Token used to steal security credentials & hack and ride DND of targeted individuals",
"description": "- https://shift.gearboxsoftware.com/link\n- Found embedded in targets phone.\n\nAccess Token used to steal security credentials & hack and ride DND of targeted individuals device. \nTAM Legal \u2022 Tulach \u2022 Hall Render \u2022 Quasi Government | Some type of Foundry user account found. \n\nStop illegally \n stalking, harassment, attempts, hacking, death threats. . Because the Colorado government allowing entities like this to operate without any type of rules, oversight or boundaries \nMILLION$ were wasted in your own fraud, waste in abuse scheme. AT&T , CrowdStrike , United Healthcare , UC Healthcare, Intermountain Health, T-Mobile, Amazon East, the Colorado Government itself, Medicare and Medicaid. For what? You have zero talent so you take it from those who do. You have nothing coming to you so you steal it from those who do. Is this somehow legal? \n#contacted #all_hosts backdoor #ransomware #cve #usa #american_terrorists #workers_compenstation_abuse #silencing #targeting #hitmen #illegal #malvertizing #aws_dns",
"modified": "2025-12-04T15:01:02.531000",
"created": "2025-11-04T16:39:20.035000",
"tags": [
"present aug",
"moved",
"encrypt",
"present jul",
"passive dns",
"ipv4 add",
"reverse dns",
"united states",
"present may",
"ip address",
"gmt content",
"ipv4",
"all ipv4",
"america",
"united",
"present oct",
"name servers",
"redacted for",
"emails",
"for privacy",
"unknown ns",
"unknown aaaa",
"dynamicloader",
"focus region",
"unicode text",
"utf16",
"ms windows",
"bokeh onlycanon",
"zeiss jena",
"mcsonnar",
"high",
"win64",
"stream",
"write",
"smartassembly",
"trailer",
"next",
"search",
"medium",
"as15169",
"write c",
"reads",
"team",
"malware",
"local",
"yara detections",
"delphi",
"strings",
"dcom",
"form",
"trojandropper",
"mtb nov",
"backdoor",
"otx telemetry",
"trojan",
"type",
"data upload",
"extraction",
"ol rop",
"hash avast",
"avg clamav",
"msdefender nov",
"win32upatre nov",
"win32berbew nov",
"dynamic",
"pe section",
"error",
"close",
"status",
"urls",
"expiration date",
"hostname",
"url analysis",
"yara rule",
"show",
"binary file",
"wine emulator",
"mtb oct",
"files",
"denmark asn",
"as32934",
"candyopen",
"possible",
"smoke loader",
"trojanspy",
"filehash",
"pulses otx",
"related tags",
"file type",
"no analysis",
"available",
"api key",
"screenshots",
"present nov",
"aaaa",
"mtb may",
"mexico",
"hostname add",
"registrar",
"domain add",
"location united",
"email add",
"none related",
"domains",
"email domain",
"service",
"domain",
"america flag",
"body",
"title",
"aws dns",
"next associated",
"risepro",
"guard",
"v full",
"reports v",
"t1059 shared",
"modules",
"t1129 system",
"t1569",
"help v",
"t1179 boot",
"logon autost",
"encoding",
"packing f0001",
"hidden files",
"e1203 windows",
"file attributes",
"registry value",
"catalog tree",
"analysis ob0001",
"evasion b0003",
"virtual machine",
"ip traffic",
"memory pattern",
"pattern urls",
"tls sni",
"get https",
"post https",
"named pipe",
"delete c",
"radar",
"defender",
"format",
"learn",
"command",
"ck id",
"name tactics",
"suspicious",
"informative",
"spawns",
"mitre att",
"ck techniques",
"evasion att",
"country",
"contacted hosts",
"process details",
"flag",
"globalc",
"intel",
"win32",
"worm",
"path",
"explorer",
"script",
"href",
"external",
"html content",
"tulach",
"hallrender",
"tam legal",
"brian sabey",
"christopher ahmann",
"apple",
"msie",
"chrome",
"ascio",
"creation date",
"date",
"germany unknown",
"germany asn",
"files ip",
"address",
"asn as24940",
"less",
"script urls",
"a domains",
"prox",
"dennis schrder",
"meta",
"apache",
"99u25f.exe",
"entries",
"as24940 hetzner",
"dns resolutions",
"status code",
"body length",
"kb body",
"software/ hardware",
"external-resources",
"password-input",
"overview",
"colorado"
],
"references": [
"https://shift.gearboxsoftware.com/link",
"https://tulach.cc/",
"https://www.anyxxxtube.net/search-porn/tsara-brashears/ \u2022 alohatube.xyz \u2022 1001pornvideos.com",
"x402.porn \u2022 http://alohatube.xyz/search/tsara-brashears \u2022 \thttps://ufovpn.io/blog/is-eporner-safe",
"https://www.turbo.net/run/videolan/vlc",
"http://www.forensickb.com/2013/03/file-entropy-explained.html",
"https://www.xlabs.com.br/blog/cve-2013-3304-dell-equallogic-directory-traversal/ \u2022 http://cve.phidias.com/",
"Overview \"Keeping money\" by the Colorado workers' compensation system can refer to",
"legal deductions, legitimate reasons for payment delays or denial, or potential issues that require legal",
"counsel. The system does not \"keep\" money without a valid reason.Lies. they\u2019ve Ben in trouble before ."
],
"public": 1,
"adversary": "Colorado Quasi Government | Workerk Compensation",
"targeted_countries": [
"United States of America"
],
"malware_families": [
{
"id": "Win.Trojan.Generic-9878032-0",
"display_name": "Win.Trojan.Generic-9878032-0",
"target": null
},
{
"id": "Win.Trojan.Starter-171",
"display_name": "Win.Trojan.Starter-171",
"target": null
},
{
"id": "GravityRAT",
"display_name": "GravityRAT",
"target": null
},
{
"id": "Backdoor:Win32/Berbew.AA!MTB",
"display_name": "Backdoor:Win32/Berbew.AA!MTB",
"target": "/malware/Backdoor:Win32/Berbew.AA!MTB"
},
{
"id": "Trojan:MSIL/AgentTesla.DW!MTB",
"display_name": "Trojan:MSIL/AgentTesla.DW!MTB",
"target": "/malware/Trojan:MSIL/AgentTesla.DW!MTB"
},
{
"id": "ALF:HeraklezEval:Trojan:MSIL/Gravityrat!rfn",
"display_name": "ALF:HeraklezEval:Trojan:MSIL/Gravityrat!rfn",
"target": null
},
{
"id": "Trojandropper:Win32/VB.IL",
"display_name": "Trojandropper:Win32/VB.IL",
"target": "/malware/Trojandropper:Win32/VB.IL"
},
{
"id": "Nemucod",
"display_name": "Nemucod",
"target": null
},
{
"id": "Berbew",
"display_name": "Berbew",
"target": null
},
{
"id": "PWS:Win32/Zbot.MS!MTB",
"display_name": "PWS:Win32/Zbot.MS!MTB",
"target": "/malware/PWS:Win32/Zbot.MS!MTB"
},
{
"id": "Win.Trojan.Barys-10005825-0",
"display_name": "Win.Trojan.Barys-10005825-0",
"target": null
},
{
"id": "Upatre",
"display_name": "Upatre",
"target": null
},
{
"id": "TrojanSpy",
"display_name": "TrojanSpy",
"target": null
},
{
"id": "Win.Exploit.Rozena-10038302-0",
"display_name": "Win.Exploit.Rozena-10038302-0",
"target": null
},
{
"id": "Zombie",
"display_name": "Zombie",
"target": null
},
{
"id": "Trojan:Win32/Zombie",
"display_name": "Trojan:Win32/Zombie",
"target": "/malware/Trojan:Win32/Zombie"
},
{
"id": "Muldrop",
"display_name": "Muldrop",
"target": null
},
{
"id": "Worm:Win32/Mofksys.RND!MTB",
"display_name": "Worm:Win32/Mofksys.RND!MTB",
"target": "/malware/Worm:Win32/Mofksys.RND!MTB"
},
{
"id": "Dorv",
"display_name": "Dorv",
"target": null
},
{
"id": "Win.Malware.Pits-10035540-0",
"display_name": "Win.Malware.Pits-10035540-0",
"target": null
},
{
"id": "Win.Ransomware.Msilzilla-10014498-0",
"display_name": "Win.Ransomware.Msilzilla-10014498-0",
"target": null
},
{
"id": "CVE-2023-4966",
"display_name": "CVE-2023-4966",
"target": null
},
{
"id": "Exploit:Linux/CVE-2017-17215",
"display_name": "Exploit:Linux/CVE-2017-17215",
"target": "/malware/Exploit:Linux/CVE-2017-17215"
},
{
"id": "Ransom:Win32/CVE-2017-0147",
"display_name": "Ransom:Win32/CVE-2017-0147",
"target": "/malware/Ransom:Win32/CVE-2017-0147"
},
{
"id": "CVE-2022-26134",
"display_name": "CVE-2022-26134",
"target": null
}
],
"attack_ids": [
{
"id": "T1060",
"name": "Registry Run Keys / Startup Folder",
"display_name": "T1060 - Registry Run Keys / Startup Folder"
},
{
"id": "T1063",
"name": "Security Software Discovery",
"display_name": "T1063 - Security Software Discovery"
},
{
"id": "T1119",
"name": "Automated Collection",
"display_name": "T1119 - Automated Collection"
},
{
"id": "T1045",
"name": "Software Packing",
"display_name": "T1045 - Software Packing"
},
{
"id": "T1059",
"name": "Command and Scripting Interpreter",
"display_name": "T1059 - Command and Scripting Interpreter"
},
{
"id": "T1129",
"name": "Shared Modules",
"display_name": "T1129 - Shared Modules"
},
{
"id": "T1179",
"name": "Hooking",
"display_name": "T1179 - Hooking"
},
{
"id": "T1547",
"name": "Boot or Logon Autostart Execution",
"display_name": "T1547 - Boot or Logon Autostart Execution"
},
{
"id": "T1569",
"name": "System Services",
"display_name": "T1569 - System Services"
},
{
"id": "T1057",
"name": "Process Discovery",
"display_name": "T1057 - Process Discovery"
},
{
"id": "T1027",
"name": "Obfuscated Files or Information",
"display_name": "T1027 - Obfuscated Files or Information"
},
{
"id": "T1069",
"name": "Permission Groups Discovery",
"display_name": "T1069 - Permission Groups Discovery"
},
{
"id": "T1071",
"name": "Application Layer Protocol",
"display_name": "T1071 - Application Layer Protocol"
},
{
"id": "T1105",
"name": "Ingress Tool Transfer",
"display_name": "T1105 - Ingress Tool Transfer"
},
{
"id": "T1480",
"name": "Execution Guardrails",
"display_name": "T1480 - Execution Guardrails"
},
{
"id": "T1553",
"name": "Subvert Trust Controls",
"display_name": "T1553 - Subvert Trust Controls"
},
{
"id": "T1568",
"name": "Dynamic Resolution",
"display_name": "T1568 - Dynamic Resolution"
},
{
"id": "T1457",
"name": "Malicious Media Content",
"display_name": "T1457 - Malicious Media Content"
},
{
"id": "T1071.004",
"name": "DNS",
"display_name": "T1071.004 - DNS"
}
],
"industries": [],
"TLP": "white",
"cloned_from": null,
"export_count": 12,
"upvotes_count": 0,
"downvotes_count": 0,
"votes_count": 0,
"locked": false,
"pulse_source": "web",
"validator_count": 0,
"comment_count": 0,
"follower_count": 0,
"vote": 0,
"author": {
"username": "Q.Vashti",
"id": "337942",
"avatar_url": "https://otx.alienvault.com/assets/images/default-avatar.png",
"is_subscribed": false,
"is_following": false
},
"indicator_type_counts": {
"URL": 6051,
"hostname": 2627,
"FileHash-MD5": 401,
"FileHash-SHA1": 257,
"email": 11,
"domain": 1838,
"FileHash-SHA256": 1742,
"CVE": 4,
"SSLCertFingerprint": 3
},
"indicator_count": 12934,
"is_author": false,
"is_subscribing": null,
"subscriber_count": 144,
"modified_text": "181 days ago ",
"is_modified": true,
"groups": [],
"in_group": false,
"threat_hunter_scannable": true,
"threat_hunter_has_agents": 1,
"related_indicator_type": "URL",
"related_indicator_is_active": 1
},
{
"id": "6879093e8658df9f35683846",
"name": "Worm:Win32/Benjamin continues to impact network",
"description": "Worm:Win32/Benjamin continues to impact network operations of a little known, limited national cybers space organization. P2P-Worm.\n*IDS Detections: \n\u2022 Win32.Worm.Benjamin.A CnC Checkin Alerts\n\u2022 nids_malware_alert\n\u2022 network_icmp\n\u2022 network_irc\n\u2022 persistence_autorun\n| Multiple network issues from outages, stolen password keychains, credentials dumping, impressive espionage attacks. Likely goes unnoticed to many. Widely regarded/reported as an outage that is really an unpatched, ongoing cyber attack.",
"modified": "2025-08-16T14:00:26.166000",
"created": "2025-07-17T14:31:26.824000",
"tags": [
"include review",
"data upload",
"extraction",
"read c",
"search",
"medium",
"show",
"msie",
"windows nt",
"wow64",
"slcc2",
"media center",
"entries",
"dock",
"write",
"execution",
"capture",
"next",
"copy",
"date",
"aaaa",
"present may",
"present nov",
"passive dns",
"ip address",
"domain",
"status",
"next associated",
"delete",
"iocs",
"failed",
"sc data",
"type",
"extr data",
"included",
"review iocs",
"memcommit",
"user execution",
"module load",
"t1129",
"icmp traffic",
"high",
"collection",
"cmd c",
"t1055",
"enter",
"extract",
"enter sc",
"drop or",
"browse t",
"oprop",
"extraction data",
"enter source",
"url or",
"texorag",
"browse",
"urls",
"dnssec",
"hostname add",
"pulse pulses",
"files",
"files ip",
"domainadmin",
"showing",
"ttl value",
"thumbprint",
"onlv",
"find",
"extri data",
"dran anu",
"extr",
"manually add",
"review exclude",
"sugges",
"find s",
"typ hos",
"se data",
"include data",
"review locs",
"exclude",
"suggested es",
"intel",
"ms windows",
"write c",
"pe32",
"pe32 executable",
"copy c",
"worm",
"win32",
"benjamin",
"june",
"delphi",
"malware",
"nids",
"icmp delphi",
"yara detections",
"malware traffic",
"checkin",
"code",
"name servers",
"servers",
"pulses",
"expiration date",
"united",
"body",
"cookie",
"related tags",
"file type",
"pe packer",
"pm size",
"sha1 sha256",
"imphash pehash",
"virustotal api",
"screenshots",
"comments"
],
"references": [],
"public": 1,
"adversary": "",
"targeted_countries": [],
"malware_families": [],
"attack_ids": [
{
"id": "T1023",
"name": "Shortcut Modification",
"display_name": "T1023 - Shortcut Modification"
},
{
"id": "T1053",
"name": "Scheduled Task/Job",
"display_name": "T1053 - Scheduled Task/Job"
},
{
"id": "T1055",
"name": "Process Injection",
"display_name": "T1055 - Process Injection"
},
{
"id": "T1056",
"name": "Input Capture",
"display_name": "T1056 - Input Capture"
},
{
"id": "T1060",
"name": "Registry Run Keys / Startup Folder",
"display_name": "T1060 - Registry Run Keys / Startup Folder"
},
{
"id": "T1082",
"name": "System Information Discovery",
"display_name": "T1082 - System Information Discovery"
},
{
"id": "T1119",
"name": "Automated Collection",
"display_name": "T1119 - Automated Collection"
},
{
"id": "T1129",
"name": "Shared Modules",
"display_name": "T1129 - Shared Modules"
},
{
"id": "T1143",
"name": "Hidden Window",
"display_name": "T1143 - Hidden Window"
},
{
"id": "T1204",
"name": "User Execution",
"display_name": "T1204 - User Execution"
},
{
"id": "T1045",
"name": "Software Packing",
"display_name": "T1045 - Software Packing"
}
],
"industries": [],
"TLP": "green",
"cloned_from": null,
"export_count": 50,
"upvotes_count": 0,
"downvotes_count": 0,
"votes_count": 0,
"locked": false,
"pulse_source": "web",
"validator_count": 0,
"comment_count": 0,
"follower_count": 0,
"vote": 0,
"author": {
"username": "Q.Vashti",
"id": "337942",
"avatar_url": "https://otx.alienvault.com/assets/images/default-avatar.png",
"is_subscribed": false,
"is_following": false
},
"indicator_type_counts": {
"FileHash-MD5": 536,
"FileHash-SHA1": 465,
"FileHash-SHA256": 1836,
"domain": 766,
"hostname": 960,
"URL": 2879,
"CVE": 1,
"email": 4
},
"indicator_count": 7447,
"is_author": false,
"is_subscribing": null,
"subscriber_count": 143,
"modified_text": "291 days ago ",
"is_modified": true,
"groups": [],
"in_group": false,
"threat_hunter_scannable": true,
"threat_hunter_has_agents": 1,
"related_indicator_type": "URL",
"related_indicator_is_active": 1
},
{
"id": "6570908823f97b5559b71806",
"name": ";http://tiktok.hop3.pw/EaL8Ufp - Hybrid A report upliad",
"description": "",
"modified": "2023-12-06T15:17:28.460000",
"created": "2023-12-06T15:17:28.460000",
"tags": [],
"references": [],
"public": 1,
"adversary": "",
"targeted_countries": [],
"malware_families": [],
"attack_ids": [],
"industries": [],
"TLP": "green",
"cloned_from": null,
"export_count": 2,
"upvotes_count": 0,
"downvotes_count": 0,
"votes_count": 0,
"locked": false,
"pulse_source": "api",
"validator_count": 0,
"comment_count": 0,
"follower_count": 0,
"vote": 0,
"author": {
"username": "StreamMiningEx",
"id": "262917",
"avatar_url": "https://otx.alienvault.com/assets/images/default-avatar.png",
"is_subscribed": false,
"is_following": false
},
"indicator_type_counts": {
"FileHash-SHA256": 239,
"domain": 403,
"email": 10,
"URL": 1032,
"hostname": 561,
"FileHash-MD5": 84,
"FileHash-SHA1": 49
},
"indicator_count": 2378,
"is_author": false,
"is_subscribing": null,
"subscriber_count": 109,
"modified_text": "910 days ago ",
"is_modified": false,
"groups": [],
"in_group": false,
"threat_hunter_scannable": true,
"threat_hunter_has_agents": 1,
"related_indicator_type": "URL",
"related_indicator_is_active": 1
},
{
"id": "65708d3fec7eeee20ce02403",
"name": "www.access.service.gov.uk - http mal apple .crl fake godaddy asn and execution via chronme log file - total carnage",
"description": "",
"modified": "2023-12-06T15:03:27.390000",
"created": "2023-12-06T15:03:27.390000",
"tags": [],
"references": [],
"public": 1,
"adversary": "",
"targeted_countries": [],
"malware_families": [],
"attack_ids": [],
"industries": [],
"TLP": "green",
"cloned_from": null,
"export_count": 2,
"upvotes_count": 0,
"downvotes_count": 0,
"votes_count": 0,
"locked": false,
"pulse_source": "api",
"validator_count": 0,
"comment_count": 0,
"follower_count": 0,
"vote": 0,
"author": {
"username": "StreamMiningEx",
"id": "262917",
"avatar_url": "https://otx.alienvault.com/assets/images/default-avatar.png",
"is_subscribed": false,
"is_following": false
},
"indicator_type_counts": {
"CVE": 2,
"FileHash-SHA256": 1374,
"hostname": 792,
"domain": 517,
"URL": 1529,
"FileHash-MD5": 81,
"FileHash-SHA1": 71
},
"indicator_count": 4366,
"is_author": false,
"is_subscribing": null,
"subscriber_count": 110,
"modified_text": "910 days ago ",
"is_modified": false,
"groups": [],
"in_group": false,
"threat_hunter_scannable": true,
"threat_hunter_has_agents": 1,
"related_indicator_type": "URL",
"related_indicator_is_active": 1
},
{
"id": "65708172b5b5810d62645bfe",
"name": "http://adwcleaner.malwarebytes.com/ and cloudfront hosts",
"description": "",
"modified": "2023-12-06T14:13:06.127000",
"created": "2023-12-06T14:13:06.127000",
"tags": [],
"references": [],
"public": 1,
"adversary": "",
"targeted_countries": [],
"malware_families": [],
"attack_ids": [],
"industries": [],
"TLP": "green",
"cloned_from": null,
"export_count": 2,
"upvotes_count": 0,
"downvotes_count": 0,
"votes_count": 0,
"locked": false,
"pulse_source": "api",
"validator_count": 0,
"comment_count": 0,
"follower_count": 0,
"vote": 0,
"author": {
"username": "StreamMiningEx",
"id": "262917",
"avatar_url": "https://otx.alienvault.com/assets/images/default-avatar.png",
"is_subscribed": false,
"is_following": false
},
"indicator_type_counts": {
"hostname": 516,
"FileHash-SHA256": 340,
"URL": 713,
"email": 3,
"domain": 356,
"FileHash-MD5": 119,
"FileHash-SHA1": 59,
"SSLCertFingerprint": 4
},
"indicator_count": 2110,
"is_author": false,
"is_subscribing": null,
"subscriber_count": 110,
"modified_text": "910 days ago ",
"is_modified": false,
"groups": [],
"in_group": false,
"threat_hunter_scannable": true,
"threat_hunter_has_agents": 1,
"related_indicator_type": "URL",
"related_indicator_is_active": 1
},
{
"id": "657080d7cc6525322cdb9052",
"name": "Charles-152.199.19.160- from scan various dupont domains- malicious- Oracle Supply Chain or Turning Blind eye",
"description": "",
"modified": "2023-12-06T14:10:31.519000",
"created": "2023-12-06T14:10:31.519000",
"tags": [],
"references": [],
"public": 1,
"adversary": "",
"targeted_countries": [],
"malware_families": [],
"attack_ids": [],
"industries": [],
"TLP": "green",
"cloned_from": null,
"export_count": 2,
"upvotes_count": 0,
"downvotes_count": 0,
"votes_count": 0,
"locked": false,
"pulse_source": "api",
"validator_count": 0,
"comment_count": 0,
"follower_count": 0,
"vote": 0,
"author": {
"username": "StreamMiningEx",
"id": "262917",
"avatar_url": "https://otx.alienvault.com/assets/images/default-avatar.png",
"is_subscribed": false,
"is_following": false
},
"indicator_type_counts": {
"FileHash-SHA256": 537,
"hostname": 888,
"URL": 1698,
"email": 4,
"domain": 337,
"CVE": 1,
"FileHash-MD5": 159,
"FileHash-SHA1": 127
},
"indicator_count": 3751,
"is_author": false,
"is_subscribing": null,
"subscriber_count": 109,
"modified_text": "910 days ago ",
"is_modified": false,
"groups": [],
"in_group": false,
"threat_hunter_scannable": true,
"threat_hunter_has_agents": 1,
"related_indicator_type": "URL",
"related_indicator_is_active": 1
},
{
"id": "62e80d56fba248bac0744780",
"name": "\ud83e\udd14\ud83d\udea8 Could this be the source of all Evil? \ud83d\udea8\ud83e\udd14 Nubotnet - Team:KU Leuven/test2 - 2021.igem.org",
"description": "",
"modified": "2022-08-31T00:01:05.509000",
"created": "2022-08-01T17:28:54.991000",
"tags": [
"apt",
"runtime data",
"decrypted ssl",
"pcap",
"windows nt",
"tops",
"cookie",
"typeof t",
"element",
"error",
"matrix",
"typeerror",
"bmfloor",
"frameelement",
"null",
"skew",
"parade"
],
"references": [
"https://2021.igem.org/Team:KU_Leuven/test2",
"https://hybrid-analysis.com/sample/e126ff94aac3340dc05a27f062c4267cbfeaa998248bef0e72f000bba711aa76/62e6fb475edc950b894aa7b0"
],
"public": 1,
"adversary": "",
"targeted_countries": [],
"malware_families": [],
"attack_ids": [],
"industries": [],
"TLP": "white",
"cloned_from": null,
"export_count": 5,
"upvotes_count": 0,
"downvotes_count": 0,
"votes_count": 0,
"locked": false,
"pulse_source": "web",
"validator_count": 0,
"comment_count": 0,
"follower_count": 0,
"vote": 0,
"author": {
"username": "dorkingbeauty1",
"id": "80137",
"avatar_url": "https://otx.alienvault.com/assets/images/default-avatar.png",
"is_subscribed": false,
"is_following": false
},
"indicator_type_counts": {
"URL": 1696,
"domain": 586,
"hostname": 613,
"FileHash-SHA256": 533,
"FileHash-MD5": 34,
"FileHash-SHA1": 33,
"email": 1
},
"indicator_count": 3496,
"is_author": false,
"is_subscribing": null,
"subscriber_count": 394,
"modified_text": "1372 days ago ",
"is_modified": true,
"groups": [],
"in_group": false,
"threat_hunter_scannable": true,
"threat_hunter_has_agents": 1,
"related_indicator_type": "URL",
"related_indicator_is_active": 1
},
{
"id": "62d9e3e8f8a916986b59d0fb",
"name": ";http://tiktok.hop3.pw/EaL8Ufp - Hybrid A report upliad",
"description": "",
"modified": "2022-08-21T00:01:29.251000",
"created": "2022-07-21T23:40:24.902000",
"tags": [
"sandbox",
"malware",
"analysis",
"online",
"submit",
"vxstream",
"sample",
"download",
"trojan",
"apt",
"ansi",
"data",
"decrypted ssl",
"threat level",
"date",
"windows nt",
"pcap",
"sha256",
"pcap processing",
"report domain",
"accept",
"core",
"roboto",
"gondi",
"twitter",
"obfa",
"hybrid",
"close",
"click",
"hosts",
"malicious",
"general",
"local",
"lana",
"mozi",
"trident",
"strings",
"suspicious",
"hop3.pw"
],
"references": [
"https://www.hybrid-analysis.com/sample/facdbc6b7b2cb2a4ba4d45dc831c29834813a8690a81d206e3472b2aacd926bd/62d6a6da34c2b45239660f93"
],
"public": 1,
"adversary": "",
"targeted_countries": [],
"malware_families": [],
"attack_ids": [],
"industries": [],
"TLP": "white",
"cloned_from": null,
"export_count": 4,
"upvotes_count": 0,
"downvotes_count": 0,
"votes_count": 0,
"locked": false,
"pulse_source": "web",
"validator_count": 0,
"comment_count": 0,
"follower_count": 0,
"vote": 0,
"author": {
"username": "dorkingbeauty1",
"id": "80137",
"avatar_url": "https://otx.alienvault.com/assets/images/default-avatar.png",
"is_subscribed": false,
"is_following": false
},
"indicator_type_counts": {
"hostname": 561,
"domain": 403,
"FileHash-SHA256": 239,
"URL": 1032,
"email": 10,
"FileHash-MD5": 84,
"FileHash-SHA1": 49
},
"indicator_count": 2378,
"is_author": false,
"is_subscribing": null,
"subscriber_count": 394,
"modified_text": "1382 days ago ",
"is_modified": true,
"groups": [],
"in_group": false,
"threat_hunter_scannable": true,
"threat_hunter_has_agents": 1,
"related_indicator_type": "URL",
"related_indicator_is_active": 1
},
{
"id": "62b05f8c261c86a70d541ee2",
"name": "http://irs.gov/efile",
"description": "",
"modified": "2022-07-20T00:04:04.226000",
"created": "2022-06-20T11:52:44.182000",
"tags": [
"malware",
"trojan",
"apt",
"windows nt",
"patch",
"june",
"local",
"team",
"february",
"b3sitos"
],
"references": [
"Hybrid-A gives clean bill of health with all this nastyness ??????",
"Found malicious artifacts related to \"108.156.107.37\": ... URL: https://daycoval.facildepagar.com.br/ (AV positives: 8/95 scanned on 06/19/2022 01:54:19) URL: https://search.thejobspotter.com/ (AV positives: 1/95 scanned on 06/17/2022 18:02:39) URL: http://www.onlyonesearch.com/?q=caixa%20geral%20de%20dep%C3%B3sitos%20caixadirecta (AV positives: 1/95 scanned on 06/17/2022 04:21:41) URL: https://dp.la/search (AV positives: 1/95 scanned on 06/14/2022 18:12:11) URL: http://www.ute.com/templates/email_signatur",
"https://hybrid-analysis.com/sample/f5c28aaa1eed64eb2abcc9bf3208dbd597b01d0eff7cb0abbcecaf70b77eec3c/62afaa107abd8e4632069a53"
],
"public": 1,
"adversary": "",
"targeted_countries": [],
"malware_families": [],
"attack_ids": [],
"industries": [],
"TLP": "white",
"cloned_from": null,
"export_count": 4,
"upvotes_count": 0,
"downvotes_count": 0,
"votes_count": 0,
"locked": false,
"pulse_source": "web",
"validator_count": 0,
"comment_count": 0,
"follower_count": 0,
"vote": 0,
"author": {
"username": "dorkingbeauty1",
"id": "80137",
"avatar_url": "https://otx.alienvault.com/assets/images/default-avatar.png",
"is_subscribed": false,
"is_following": false
},
"indicator_type_counts": {
"hostname": 333,
"URL": 509,
"domain": 285,
"FileHash-SHA256": 196,
"CVE": 1,
"FileHash-MD5": 56,
"FileHash-SHA1": 51,
"email": 2
},
"indicator_count": 1433,
"is_author": false,
"is_subscribing": null,
"subscriber_count": 393,
"modified_text": "1414 days ago ",
"is_modified": true,
"groups": [],
"in_group": false,
"threat_hunter_scannable": true,
"threat_hunter_has_agents": 1,
"related_indicator_type": "URL",
"related_indicator_is_active": 1
},
{
"id": "629b50216b11e3d786f4a5e9",
"name": "- GNS3",
"description": "",
"modified": "2022-07-04T00:03:29.389000",
"created": "2022-06-04T12:29:21.310000",
"tags": [
"decrypted ssl",
"windows nt",
"local",
"factory",
"february"
],
"references": [
"http://reviews.gns3.com/",
"https://hybrid-analysis.com/sample/ec9301fa384e42acecc146ee968746c58a5f2d5d89bc458a34cccbff67a7fec9/629317f648d8dd3f412c289a"
],
"public": 1,
"adversary": "",
"targeted_countries": [],
"malware_families": [],
"attack_ids": [],
"industries": [],
"TLP": "white",
"cloned_from": null,
"export_count": 4,
"upvotes_count": 0,
"downvotes_count": 0,
"votes_count": 0,
"locked": false,
"pulse_source": "web",
"validator_count": 0,
"comment_count": 0,
"follower_count": 0,
"vote": 0,
"author": {
"username": "dorkingbeauty1",
"id": "80137",
"avatar_url": "https://otx.alienvault.com/assets/images/default-avatar.png",
"is_subscribed": false,
"is_following": false
},
"indicator_type_counts": {
"hostname": 436,
"URL": 873,
"domain": 313,
"FileHash-SHA256": 108,
"FileHash-MD5": 54,
"CVE": 1,
"FileHash-SHA1": 50,
"email": 1
},
"indicator_count": 1836,
"is_author": false,
"is_subscribing": null,
"subscriber_count": 393,
"modified_text": "1430 days ago ",
"is_modified": true,
"groups": [],
"in_group": false,
"threat_hunter_scannable": true,
"threat_hunter_has_agents": 1,
"related_indicator_type": "URL",
"related_indicator_is_active": 1
},
{
"id": "62727ce7b14807e910b72bb7",
"name": "www.access.service.gov.uk - http mal apple .crl fake godaddy asn and execution via chronme log file - total carnage",
"description": "and that 72 ip at edgcast thats listed as false positive....\n\ud83e\udee2\ud83e\udd2f\ud83e\udd2c everything communucating with it is MALICIOUS and font and lang file corruption means the www is causing it!!!",
"modified": "2022-06-03T00:01:00.120000",
"created": "2022-05-04T13:17:27.444000",
"tags": [],
"references": [
"https://hybrid-analysis.com/sample/fcf01007f38956f164a86deda652684fe6c76c41db32f5ac38a43712615154dc/6271a3fc12c9eb6e7053caf1"
],
"public": 1,
"adversary": "",
"targeted_countries": [],
"malware_families": [],
"attack_ids": [
{
"id": "T1012",
"name": "Query Registry",
"display_name": "T1012 - Query Registry"
}
],
"industries": [],
"TLP": "white",
"cloned_from": null,
"export_count": 12,
"upvotes_count": 0,
"downvotes_count": 0,
"votes_count": 0,
"locked": false,
"pulse_source": "web",
"validator_count": 0,
"comment_count": 0,
"follower_count": 0,
"vote": 0,
"author": {
"username": "dorkingbeauty1",
"id": "80137",
"avatar_url": "https://otx.alienvault.com/assets/images/default-avatar.png",
"is_subscribed": false,
"is_following": false
},
"indicator_type_counts": {
"URL": 1529,
"hostname": 792,
"domain": 517,
"FileHash-SHA256": 1374,
"CVE": 2,
"FileHash-MD5": 81,
"FileHash-SHA1": 71
},
"indicator_count": 4366,
"is_author": false,
"is_subscribing": null,
"subscriber_count": 398,
"modified_text": "1461 days ago ",
"is_modified": true,
"groups": [],
"in_group": false,
"threat_hunter_scannable": true,
"threat_hunter_has_agents": 1,
"related_indicator_type": "URL",
"related_indicator_is_active": 1
},
{
"id": "6264b524008ccee1d221f967",
"name": "statcounter nefarious ad and analytics in platform webapp delivered ads",
"description": "",
"modified": "2022-05-24T00:01:27.321000",
"created": "2022-04-24T02:25:40.062000",
"tags": [
"associated urls",
"sandbox",
"malware",
"analysis",
"online",
"submit",
"vxstream",
"sample",
"download",
"trojan",
"apt",
"section",
"ansi",
"threat level",
"header",
"messages",
"surveymonkey",
"chrome",
"firefox",
"safari",
"microsoft",
"date",
"span",
"path",
"body",
"accept",
"explorer",
"suspicious",
"main",
"hybrid",
"close",
"click",
"hosts",
"april",
"malicious",
"general",
"local",
"factory",
"strings",
"team",
"february",
"hybrid analysis",
"input",
"report",
"falcon sandbox",
"please note",
"data protection",
"policy",
"https",
"memoryfile scan",
"windir",
"openurl c",
"urlhttps",
"pmuid",
"no expiration",
"filehashsha256",
"url http",
"expiration"
],
"references": [
"https://onetag-sys.com/usync/?pubId=6b859b96c564fbe",
"https://sync.richaudience.com/74889303289e27f327ad0c6de7be7264/?p=1BTOoaD22a&consentString=CPX4AJgPX4AJgDlBEAENCMCsAP_AAH_AACiQIsNf_X__b3_n-_7___t0eY1f9_7__-0zjhfdt-8N3f_X_L8X_2M7vF36tr4KuR4ku3bBIQdtHOncTUmx6olVrzPsbk2cr7NKJ7Pkmnsbe2dYGH9_n93T_ZKZ7______7________________________-_____9____________________________8EWACTDUvIAuxLHBk2jSKFECMKwkOoFABRQDC0RWEDq4KdlcBPqCFgAgFQEYEQIMQUYMAgAEAgCQiICQA8EAiAIgEAAIAFQCEABGwCCwAsDAIABQDQsQIoAhAkIMigiOUwICJEooJ7KxBKDvY0whDrLACgUf0VCAiUAIFgZCQsHMcASAlwskCzFC-QAjAAAA&ccpa_",
"https://ssbsync.smartadserver.com/api/sync?callerId=43&gdpr=1&gdpr_consent=CPX4AJgPX4AJgDlBEAENCMCsAP_AAH_AACiQIsNf_X__b3_n-_7___t0eY1f9_7__-0zjhfdt-8N3f_X_L8X_2M7vF36tr4KuR4ku3bBIQdtHOncTUmx6olVrzPsbk2cr7NKJ7Pkmnsbe2dYGH9_n93T_ZKZ7______7________________________-_____9____________________________8EWACTDUvIAuxLHBk2jSKFECMKwkOoFABRQDC0RWEDq4KdlcBPqCFgAgFQEYEQIMQUYMAgAEAgCQiICQA8EAiAIgEAAIAFQCEABGwCCwAsDAIABQDQsQIoAhAkIMigiOUwICJEooJ7KxBKDvY0whDrLACgUf0VCAiUAIFgZCQsHMcASAlwskCzFC-QAjAAAA",
"https://ads.pubmatic.com/AdServer/js/user_sync.html?p=159110&gdpr=1&gdpr_consent=CPX4AJgPX4AJgDlBEAENCMCsAP_AAH_AACiQIsNf_X__b3_n-_7___t0eY1f9_7__-0zjhfdt-8N3f_X_L8X_2M7vF36tr4KuR4ku3bBIQdtHOncTUmx6olVrzPsbk2cr7NKJ7Pkmnsbe2dYGH9_n93T_ZKZ7______7________________________-_____9____________________________8EWACTDUvIAuxLHBk2jSKFECMKwkOoFABRQDC0RWEDq4KdlcBPqCFgAgFQEYEQIMQUYMAgAEAgCQiICQA8EAiAIgEAAIAFQCEABGwCCwAsDAIABQDQsQIoAhAkIMigiOUwICJEooJ7KxBKDvY0whDrLACgUf0VCAiUAIFgZCQsHMcASAlwskCzFC-QAjAAAA&us_privacy=1---",
"https://hybrid-analysis.com/sample/de66bd83860e9dc66969b28f3b93b36c07c5f9d9568f13b07f0e1928490d6945/62649e273fcef808fa4c2bbb",
"https://hybrid-analysis.com/sample/9116e707b9da6b1047df9412e29b816726ba3aa6ebc91d77f7f47741ccb7b7bd/6264a22fa3836270e73495b3",
"https://hybrid-analysis.com/sample/b3d7008253008166b2abeb2fcc642d9c5e354435f7cb83a681b3cba82840002e/62626a096a89191d343c4546",
"usync.html"
],
"public": 1,
"adversary": "",
"targeted_countries": [],
"malware_families": [],
"attack_ids": [
{
"id": "T1012",
"name": "Query Registry",
"display_name": "T1012 - Query Registry"
},
{
"id": "T1055",
"name": "Process Injection",
"display_name": "T1055 - Process Injection"
},
{
"id": "T1573",
"name": "Encrypted Channel",
"display_name": "T1573 - Encrypted Channel"
}
],
"industries": [],
"TLP": "white",
"cloned_from": null,
"export_count": 9,
"upvotes_count": 0,
"downvotes_count": 0,
"votes_count": 0,
"locked": false,
"pulse_source": "web",
"validator_count": 0,
"comment_count": 0,
"follower_count": 0,
"vote": 0,
"author": {
"username": "dorkingbeauty1",
"id": "80137",
"avatar_url": "https://otx.alienvault.com/assets/images/default-avatar.png",
"is_subscribed": false,
"is_following": false
},
"indicator_type_counts": {
"URL": 693,
"hostname": 325,
"domain": 205,
"FileHash-SHA256": 148,
"FileHash-MD5": 31,
"CVE": 1,
"FileHash-SHA1": 22,
"email": 3
},
"indicator_count": 1428,
"is_author": false,
"is_subscribing": null,
"subscriber_count": 395,
"modified_text": "1471 days ago ",
"is_modified": true,
"groups": [],
"in_group": false,
"threat_hunter_scannable": true,
"threat_hunter_has_agents": 1,
"related_indicator_type": "URL",
"related_indicator_is_active": 1
},
{
"id": "622c42836d7c741d4156fc83",
"name": "http://adwcleaner.malwarebytes.com/ and cloudfront hosts",
"description": "T1553",
"modified": "2022-04-11T00:04:29.819000",
"created": "2022-03-12T06:49:39.036000",
"tags": [
"sandbox",
"malware",
"analysis",
"online",
"submit",
"vxstream",
"sample",
"download",
"trojan",
"apt",
"memoryfile scan",
"ansi",
"unicode",
"tcomparer",
"tlist",
"tarray",
"path",
"icomparer",
"tcomparison",
"tenumerator",
"suspicious",
"date",
"delphi",
"error",
"hybrid",
"close",
"click",
"hosts",
"stack",
"win32",
"malicious",
"general",
"pecompact",
"strings",
"code",
"data",
"decrypted ssl",
"threat level",
"windows nt",
"pcap",
"pcap processing",
"sha256",
"report domain",
"accept",
"core",
"false",
"local",
"mozilla"
],
"references": [
"https://hybrid-analysis.com/sample/ac15b6c5ede04e496b08523bf7deac3694dc3cd34474a9d4e57e23255f56b647/6222a011962dca32330a5c2d",
"https://hybrid-analysis.com/sample/246eb0388eff22439e0b48cd3d5ffa8c434559c52638ed166d8b96b2b8fea7ac/61f4919bf315615dd65ca107"
],
"public": 1,
"adversary": "",
"targeted_countries": [],
"malware_families": [],
"attack_ids": [
{
"id": "T1012",
"name": "Query Registry",
"display_name": "T1012 - Query Registry"
},
{
"id": "T1027",
"name": "Obfuscated Files or Information",
"display_name": "T1027 - Obfuscated Files or Information"
},
{
"id": "T1055",
"name": "Process Injection",
"display_name": "T1055 - Process Injection"
},
{
"id": "T1056",
"name": "Input Capture",
"display_name": "T1056 - Input Capture"
},
{
"id": "T1082",
"name": "System Information Discovery",
"display_name": "T1082 - System Information Discovery"
},
{
"id": "T1112",
"name": "Modify Registry",
"display_name": "T1112 - Modify Registry"
},
{
"id": "T1120",
"name": "Peripheral Device Discovery",
"display_name": "T1120 - Peripheral Device Discovery"
},
{
"id": "T1553",
"name": "Subvert Trust Controls",
"display_name": "T1553 - Subvert Trust Controls"
},
{
"id": "T1573",
"name": "Encrypted Channel",
"display_name": "T1573 - Encrypted Channel"
}
],
"industries": [],
"TLP": "white",
"cloned_from": null,
"export_count": 3,
"upvotes_count": 0,
"downvotes_count": 0,
"votes_count": 0,
"locked": false,
"pulse_source": "web",
"validator_count": 0,
"comment_count": 0,
"follower_count": 0,
"vote": 0,
"author": {
"username": "dorkingbeauty1",
"id": "80137",
"avatar_url": "https://otx.alienvault.com/assets/images/default-avatar.png",
"is_subscribed": false,
"is_following": false
},
"indicator_type_counts": {
"hostname": 516,
"URL": 713,
"FileHash-SHA256": 340,
"domain": 356,
"FileHash-MD5": 119,
"FileHash-SHA1": 59,
"email": 3,
"SSLCertFingerprint": 4
},
"indicator_count": 2110,
"is_author": false,
"is_subscribing": null,
"subscriber_count": 395,
"modified_text": "1514 days ago ",
"is_modified": true,
"groups": [],
"in_group": false,
"threat_hunter_scannable": true,
"threat_hunter_has_agents": 1,
"related_indicator_type": "URL",
"related_indicator_is_active": 1
},
{
"id": "622772a53274b509660d46af",
"name": "Charles-152.199.19.160- from scan various dupont domains- malicious- Oracle Supply Chain or Turning Blind eye",
"description": "so much familiarity here from the last 5 Years, this is by far compromise on supply chain of the century all the big boys are featured no surprise to me. The question is just how many are compromised from home routers and personal devices",
"modified": "2022-04-07T00:04:02.553000",
"created": "2022-03-08T15:13:41.976000",
"tags": [
"sandbox",
"malware",
"analysis",
"online",
"submit",
"vxstream",
"sample",
"download",
"trojan",
"apt",
"ansi",
"data",
"decrypted ssl",
"windows nt",
"threat level",
"ecacc",
"gmtetag",
"date",
"sha256",
"pcap",
"path",
"accept",
"back",
"close",
"click",
"solid",
"class",
"flame",
"splash",
"verify",
"direct",
"suspicious",
"malicious",
"sybuex",
"core",
"agent",
"code",
"model",
"next",
"first",
"phase",
"impact",
"trim",
"hybrid",
"hosts",
"format",
"general",
"strings",
"dupont",
"meta",
"body",
"local",
"trident",
"gynx",
"mozilla"
],
"references": [
"https://hybrid-analysis.com/sample/62b6cea0e6e2b40533d835de1968ce767764a36f1f9de2b603ddc2d72aa5e246?environmentId=100",
"https://hybrid-analysis.com/sample/1e018f44cfe693f0cd2a5e6491a21eb65bdd0f02fb694eb131eaf5d9118f39ee?environmentId=100",
"https://hybrid-analysis.com/sample/e9425c4658ad484851e6b207e7c1ebb7df9da7f793bc35216c46285ef224aa83?environmentId=100",
"ok12110.ok1.chatbot.lab.works-hi.co.jp",
"ns-19.awsdns-02.com"
],
"public": 1,
"adversary": "",
"targeted_countries": [],
"malware_families": [],
"attack_ids": [
{
"id": "T1012",
"name": "Query Registry",
"display_name": "T1012 - Query Registry"
},
{
"id": "T1132",
"name": "Data Encoding",
"display_name": "T1132 - Data Encoding"
},
{
"id": "T1573",
"name": "Encrypted Channel",
"display_name": "T1573 - Encrypted Channel"
}
],
"industries": [],
"TLP": "white",
"cloned_from": null,
"export_count": 2,
"upvotes_count": 0,
"downvotes_count": 0,
"votes_count": 0,
"locked": false,
"pulse_source": "web",
"validator_count": 0,
"comment_count": 0,
"follower_count": 0,
"vote": 0,
"author": {
"username": "dorkingbeauty1",
"id": "80137",
"avatar_url": "https://otx.alienvault.com/assets/images/default-avatar.png",
"is_subscribed": false,
"is_following": false
},
"indicator_type_counts": {
"hostname": 888,
"domain": 337,
"URL": 1698,
"FileHash-SHA256": 537,
"email": 4,
"CVE": 1,
"FileHash-MD5": 159,
"FileHash-SHA1": 127
},
"indicator_count": 3751,
"is_author": false,
"is_subscribing": null,
"subscriber_count": 395,
"modified_text": "1518 days ago ",
"is_modified": true,
"groups": [],
"in_group": false,
"threat_hunter_scannable": true,
"threat_hunter_has_agents": 1,
"related_indicator_type": "URL",
"related_indicator_is_active": 1
}
],
"references": [
"howtoworkacrickoutofyourneck2.pages.dev",
"Target agreed and complied with all lie detector measures.",
"https://download.clear.ml/cpython_builds/releases/ \u2022 https://download.clear.",
"usync.html",
"https://tulach.cc/",
"https://www-pornocarioca-com.sexogratis.page/videos/bbb/ex",
"https://www.turbo.net/run/videolan/vlc",
"https://hybrid-analysis.com/sample/62b6cea0e6e2b40533d835de1968ce767764a36f1f9de2b603ddc2d72aa5e246?environmentId=100",
"https://meumundogay-com.sexogratis.page/locker",
"https://hybrid-analysis.com/sample/de66bd83860e9dc66969b28f3b93b36c07c5f9d9568f13b07f0e1928490d6945/62649e273fcef808fa4c2bbb",
"https://www.meritshealth.com/ Defense.Gov Mobility Co? ",
"Found malicious artifacts related to \"108.156.107.37\": ... URL: https://daycoval.facildepagar.com.br/ (AV positives: 8/95 scanned on 06/19/2022 01:54:19) URL: https://search.thejobspotter.com/ (AV positives: 1/95 scanned on 06/17/2022 18:02:39) URL: http://www.onlyonesearch.com/?q=caixa%20geral%20de%20dep%C3%B3sitos%20caixadirecta (AV positives: 1/95 scanned on 06/17/2022 04:21:41) URL: https://dp.la/search (AV positives: 1/95 scanned on 06/14/2022 18:12:11) URL: http://www.ute.com/templates/email_signatur",
"https://cop.supply/proxies-lists/ \u2022 https://cop.supply/shopify-bots/",
"https://onetag-sys.com/usync/?pubId=6b859b96c564fbe",
"https://shift.gearboxsoftware.com/link",
"https://static.pornhat.com/contents/videos_screenshots/642000/642793/640x360/1.jpg",
"https://hybrid-analysis.com/sample/b3d7008253008166b2abeb2fcc642d9c5e354435f7cb83a681b3cba82840002e/62626a096a89191d343c4546",
"https://2021.igem.org/Team:KU_Leuven/test2",
"Can the DoD no questions asked target a SA victim",
"x402.porn \u2022 http://alohatube.xyz/search/tsara-brashears \u2022 \thttps://ufovpn.io/blog/is-eporner-safe",
"https://links.mail.samsara.com/s/c/P9R6gGlExR4nfCwqwJXUmr7NmKcMNde4ZBhCFprlVtsFNgh-4tuTWla0aXN9rIWCjrWtn0Vln7x-hexxVBlY3xxvnEevR8qJU5G5xV3__wo-X7kkpSOhJVfejac-Xk8qu6zs5Z-tILwWYRkNScZNGlAqfwQuJuRw5M-n_ZKI6tuY5XGCZAqWoQepi1NnJiW4wZJkzZlOwGtNkusbuKDcMsLVrrhji2eKh4kYgrJp_SeycJRhasLFCQ3c2bPu4sahEWpcHZrQBaxvdfQgTEno8kV-RJdTDO0zK5MyWDJLeds7mnaDrxlb0O2zmhebUdlHE0R0xHi25dympBUpMlLsQV8bx1WUTOfgK4k0ci9o_2Gbfe22-jLxsJN-msV6pxWYQMaxRNFd4iZRC9J9Z1SC5MBqbvNzqdt98kFdpibnv_QIHdhFyHOR_Ip_LX67Dncc8V8OvAi-H5phfeSyDzwdzf2FQIi82",
"Overview \"Keeping money\" by the Colorado workers' compensation system can refer to",
"https://maps.googleapis.com/maps/api/js?sensor=false",
"No, they put Tsara in her mom\u2019s obituary, she couldn\u2019t grieve, she had to take it down.",
"iamrobert.com Y.A.S.",
"Infectious Disease UC Health denied target medication they said she needed as questionable liquid seeped into her brain.",
"https://members.engine.com/login \u2022 https://members.engine.com/payment-details/220210",
"https://i-want-to-start-an-onlyfans.pages.dev/favicon.ico| I bet you do boo boo",
"dns.army \u2022 www.dcopr.dns.army \u2022 www.glsyaiwjj.dns.army \u2022 www.wgmvk.dns.army",
"Honestly, you\u2019ve never seen or met her no many how many people you\u2019ve sent out. That\u2019s why you quiz.",
"archive.cop.supply \u2022 dev.cop.supply \u2022 https://cop.supply/ \u2022 https://cop.supply/bot-lists/",
"Attacks are being carried out by The State of Colorado",
"ns-19.awsdns-02.com",
"https://d1rozh26tys225.cloudfront.net/robot-suspicion.svg (mobility company no one has heard of)",
"counsel. The system does not \"keep\" money without a valid reason.Lies. they\u2019ve Ben in trouble before .",
"Target left unattended by anyone in a hospital except a security guard. Hospital refused care. Ignored rare brain incident from high cervical & brain assault injuries aggravated by car accident.",
"There\u2019s a problem with terrorizing victims, relatives of, associates of and stealing their property intellectual or otherwise",
"http://reviews.gns3.com/",
"There is fear in silence or speaking out",
"https://hybrid-analysis.com/sample/1e018f44cfe693f0cd2a5e6491a21eb65bdd0f02fb694eb131eaf5d9118f39ee?environmentId=100",
"Everyone has simply asked you alll to stop. Target never asked anyone for money.",
"https://media.defense.gov/2022/Mar/17/2002958406/-1/-1/1/SUMMARY-OF-THE-JOINT-ALL-DOMAIN-COMMAND-AND-CONTROL-STRATEGY.pdf",
"https://es.pornhat.com/models/the-sex-creator/",
"firebase-auth-eich0v.pages.dev",
"ok12110.ok1.chatbot.lab.works-hi.co.jp",
"https://khmerpornvideo.signup0.y.id/",
"Sneaker Bots Proxies Servers Cook Groups Cop Supply",
"https://hybrid-analysis.com/sample/ec9301fa384e42acecc146ee968746c58a5f2d5d89bc458a34cccbff67a7fec9/629317f648d8dd3f412c289a",
"https://hybrid-analysis.com/sample/fcf01007f38956f164a86deda652684fe6c76c41db32f5ac38a43712615154dc/6271a3fc12c9eb6e7053caf1",
"https://hybrid-analysis.com/sample/ac15b6c5ede04e496b08523bf7deac3694dc3cd34474a9d4e57e23255f56b647/6222a011962dca32330a5c2d",
"https://www.fmglaw.com/lawyers/christopher-ahmann - found in adult content pulse.",
"http://www.forensickb.com/2013/03/file-entropy-explained.html",
"https://hybrid-analysis.com/sample/e126ff94aac3340dc05a27f062c4267cbfeaa998248bef0e72f000bba711aa76/62e6fb475edc950b894aa7b0",
"Red Team Abuse? Starfield ? DoD? You need a real criminal Jeffrey Reimer.",
"https://amano.inboundtools.com/tpcontact URL https://armg.inboundtools.com/ URL https://gaiax.inboundtools.com/internship URL https://hmk.inboundtools.com/ URL https://hmk.inboundtools.com/form/assetview_siryo_sier",
"https://voidpet.io/invite/scaredscared/1rpzxWXa61 \u2022 https://sex-doggy.net/tag/censored",
"She was a researcher not a hacker. A mother not a criminal. Most talented and least impressed person I have ever known.",
"https://rto.bappam.eu/ai-n2cdl/mirai-2025-ven5k-telugu-movie-watch-online.html",
"https://www.anyxxxtube.net/search-porn/tsara-brashears/ \u2022 alohatube.xyz \u2022 1001pornvideos.com",
"https://hybrid-analysis.com/sample/246eb0388eff22439e0b48cd3d5ffa8c434559c52638ed166d8b96b2b8fea7ac/61f4919bf315615dd65ca107",
"https://ads.pubmatic.com/AdServer/js/user_sync.html?p=159110&gdpr=1&gdpr_consent=CPX4AJgPX4AJgDlBEAENCMCsAP_AAH_AACiQIsNf_X__b3_n-_7___t0eY1f9_7__-0zjhfdt-8N3f_X_L8X_2M7vF36tr4KuR4ku3bBIQdtHOncTUmx6olVrzPsbk2cr7NKJ7Pkmnsbe2dYGH9_n93T_ZKZ7______7________________________-_____9____________________________8EWACTDUvIAuxLHBk2jSKFECMKwkOoFABRQDC0RWEDq4KdlcBPqCFgAgFQEYEQIMQUYMAgAEAgCQiICQA8EAiAIgEAAIAFQCEABGwCCwAsDAIABQDQsQIoAhAkIMigiOUwICJEooJ7KxBKDvY0whDrLACgUf0VCAiUAIFgZCQsHMcASAlwskCzFC-QAjAAAA&us_privacy=1---",
"https://www.xlabs.com.br/blog/cve-2013-3304-dell-equallogic-directory-traversal/ \u2022 http://cve.phidias.com/",
"https://lordseriala.life/6337-zvezdnye-vojny-opornaja-komanda.html",
"https://hybrid-analysis.com/sample/f5c28aaa1eed64eb2abcc9bf3208dbd597b01d0eff7cb0abbcecaf70b77eec3c/62afaa107abd8e4632069a53",
"dev-app.project-cicada.com \u2022 http://dev-app.project-cicada.com \u2022 https://dev-app.project-cicada.com (2014 report predates 2016 reports)",
"legal deductions, legitimate reasons for payment delays or denial, or potential issues that require legal",
"https://hybrid-analysis.com/sample/e9425c4658ad484851e6b207e7c1ebb7df9da7f793bc35216c46285ef224aa83?environmentId=100",
"Hybrid-A gives clean bill of health with all this nastyness ??????",
"https://maisexo-com.putaria.info/casting \u2022 https://contosadultos-club.sexogratis.page/tudo",
"https://media.defense.gov/2020/jun/09/2002313081/-1/-1/0/csi-detect-and-prevent-web-shell-malware-20200422.pdf",
"http://ianswertomom.com/develop-wise-woman-within-yourself",
"https://pornokind.vgt.pl \u2022 https://cdn2.video.itsyourporn.com",
"socialmedia \u2022 socialmedia.defense.gov \u2022 static.defense.gov",
"3-4 Police presence. 25 + hospital employees prepped radiology room. No one left room so was it for her?",
"I am very upset. Whoever is doing this is sick.",
"Legal court documented agreement to allow and pay target to hire cyber investigators",
"https://www2.itsyourporn.com/license.php \u2022 https://www.lovephoto.tw/members",
"cell-0.af-south-1.prod.telemetry.console.api.aws",
"If someone is believed to be a threat they have right to due process.",
"https://clear.ml/infrastructure-control-plane",
"https://sync.richaudience.com/74889303289e27f327ad0c6de7be7264/?p=1BTOoaD22a&consentString=CPX4AJgPX4AJgDlBEAENCMCsAP_AAH_AACiQIsNf_X__b3_n-_7___t0eY1f9_7__-0zjhfdt-8N3f_X_L8X_2M7vF36tr4KuR4ku3bBIQdtHOncTUmx6olVrzPsbk2cr7NKJ7Pkmnsbe2dYGH9_n93T_ZKZ7______7________________________-_____9____________________________8EWACTDUvIAuxLHBk2jSKFECMKwkOoFABRQDC0RWEDq4KdlcBPqCFgAgFQEYEQIMQUYMAgAEAgCQiICQA8EAiAIgEAAIAFQCEABGwCCwAsDAIABQDQsQIoAhAkIMigiOUwICJEooJ7KxBKDvY0whDrLACgUf0VCAiUAIFgZCQsHMcASAlwskCzFC-QAjAAAA&ccpa_",
"Remarks online \u2018 T\u2019*#^^ is not a runner\u2019 a size 00 broke two track records at a major universities.",
"http://ianswertomom.com/bible-verses-struggling-contentment-mom/ I",
"https://pics-storage-1.pornhat.com/contents/albums/main/1920x1080/135000/135855/9537375.jp",
"zeroeyes.host \u2022 media.defense.gov \u2022 defense.gov \u2022 23.222.155.67",
"https://webcams.itsyourporn.com/ \u2022 https://members.itsyourporn.com/",
"https://ssbsync.smartadserver.com/api/sync?callerId=43&gdpr=1&gdpr_consent=CPX4AJgPX4AJgDlBEAENCMCsAP_AAH_AACiQIsNf_X__b3_n-_7___t0eY1f9_7__-0zjhfdt-8N3f_X_L8X_2M7vF36tr4KuR4ku3bBIQdtHOncTUmx6olVrzPsbk2cr7NKJ7Pkmnsbe2dYGH9_n93T_ZKZ7______7________________________-_____9____________________________8EWACTDUvIAuxLHBk2jSKFECMKwkOoFABRQDC0RWEDq4KdlcBPqCFgAgFQEYEQIMQUYMAgAEAgCQiICQA8EAiAIgEAAIAFQCEABGwCCwAsDAIABQDQsQIoAhAkIMigiOUwICJEooJ7KxBKDvY0whDrLACgUf0VCAiUAIFgZCQsHMcASAlwskCzFC-QAjAAAA",
"ftp.iamrobert.com ? \u2022 https://www.meritshealth.com/templates/iamrobert/fonts/Graphik-Regular.eot",
"https://media.defense.gov/2024/sep/18/2003547016/-1/-1/0/csa-prc-linked-actors-botnet.pdf",
"makeapornsite.com \u2022 https://pornhighschool.com/ \u2022 https://ethnicerotic.com \u2022 https://twitter.com/Make",
"Is the family allowed to have a funeral for Tsara or print an obituary",
"Dear US Government, the man who assaulted targets name is Jeffrey Scott Reimer of Chester Springs, PA",
"1.2016 M.Brian Sabey filed a complaint about? Jeffrey Reimer refused Lie detector test and False memory exam",
"https://cop.supply/supreme-bots/\u2022 https://cop.supply/useful-tools/",
"https://hybrid-analysis.com/sample/9116e707b9da6b1047df9412e29b816726ba3aa6ebc91d77f7f47741ccb7b7bd/6264a22fa3836270e73495b3",
"https://www.hybrid-analysis.com/sample/facdbc6b7b2cb2a4ba4d45dc831c29834813a8690a81d206e3472b2aacd926bd/62d6a6da34c2b45239660f93"
],
"related": {
"alienvault": {
"adversary": [],
"malware_families": [],
"industries": [],
"unique_indicators": 0
},
"other": {
"adversary": [
"Colorado Quasi Government | Workerk Compensation"
],
"malware_families": [
"Cve-2023-4966",
"Apnic",
"Backdoor:win32/berbew.aa!mtb",
"Worm",
"Pws:win32/zbot.ms!mtb",
"Trojandropper:win32/systex.a",
"Win.exploit.rozena-10038302-0",
"Cve-2022-26134",
"Trojanspy",
"Win32:botx-gen\\ [trj]",
"Trojan:win32/qbot.r!mtb",
"Win.trojan.generic-9878032-0",
"Virtool:win32/vbinject.gen!mh",
"Unix.trojan.tsunami-6981155-0",
"Cycbot",
"#lowfi:hstr:criakl.b1",
"Backdoor:linux/demonbot.aa!mtb",
"Zombie",
"Win.ransomware.msilzilla-10014498-0",
"Mirai (elf)",
"Berbew",
"Alf:nid:susp_nsis_stub.a",
"Ddos:linux/gafgyt.ya!mtb",
"Cve-2017-11882",
"Alf:exploit:o97m/cve-2017-8977",
"Win.malware.mikey-9949492-0",
"Win.trojan.gravityrat-6511862-0",
"Ransom:win32/cve-2017-0147",
"Win.trojan.barys-10005825-0",
"Alf:heraklezeval:trojan:msil/gravityrat!rfn",
"Win.trojan.starter-171",
"Trojan:win32/zombie",
"Win.trojan.tepfer-61",
"Trojan:msil/agenttesla.dw!mtb",
"Muldrop",
"Malware",
"Unix.trojan.gafgyt-6981154-0",
"Trojandropper:win32/vb.il",
"Trojandownloader:win32/cutwail",
"Win.packed.bandook-9882274-1",
"Ransom:win32/crowti.a",
"Gravityrat",
"Dorv",
"Nids",
"Nemucod",
"Backdoor:win32/arwobot.b",
"Win.malware.pits-10035540-0",
"Upatre",
"Exploit:linux/cve-2017-17215",
"Worm:win32/mofksys.rnd!mtb",
"Win.downloader.small-4507",
"Trojandownloader:win32/cutwailransom:win32/crowti.a"
],
"industries": [
"Insurance",
"Construction"
],
"unique_indicators": 118266
}
}
},
"false_positive": [],
"alexa": "http://www.alexa.com/siteinfo/crowdfarmx.com",
"whois": "http://whois.domaintools.com/crowdfarmx.com",
"domain": "crowdfarmx.com",
"hostname": "shop.crowdfarmx.com"
},
"geo": {},
"geo_ipapicom": {},
"pulse_count": 19,
"pulses": [
{
"id": "69dba8a0f375964d468b9ba0",
"name": "Credit: DorkingBeauty1- Charles-152.199.19.160- from scan various dupont domains- malicious- Oracle Supply Chain or Turning Blind eye",
"description": "",
"modified": "2026-05-12T00:09:20.348000",
"created": "2026-04-12T14:13:52.560000",
"tags": [
"sandbox",
"malware",
"analysis",
"online",
"submit",
"vxstream",
"sample",
"download",
"trojan",
"apt",
"ansi",
"data",
"decrypted ssl",
"windows nt",
"threat level",
"ecacc",
"gmtetag",
"date",
"sha256",
"pcap",
"path",
"accept",
"back",
"close",
"click",
"solid",
"class",
"flame",
"splash",
"verify",
"direct",
"suspicious",
"malicious",
"sybuex",
"core",
"agent",
"code",
"model",
"next",
"first",
"phase",
"impact",
"trim",
"hybrid",
"hosts",
"format",
"general",
"strings",
"dupont",
"meta",
"body",
"local",
"trident",
"gynx",
"mozilla"
],
"references": [
"https://hybrid-analysis.com/sample/62b6cea0e6e2b40533d835de1968ce767764a36f1f9de2b603ddc2d72aa5e246?environmentId=100",
"https://hybrid-analysis.com/sample/1e018f44cfe693f0cd2a5e6491a21eb65bdd0f02fb694eb131eaf5d9118f39ee?environmentId=100",
"https://hybrid-analysis.com/sample/e9425c4658ad484851e6b207e7c1ebb7df9da7f793bc35216c46285ef224aa83?environmentId=100",
"ok12110.ok1.chatbot.lab.works-hi.co.jp",
"ns-19.awsdns-02.com"
],
"public": 1,
"adversary": "",
"targeted_countries": [],
"malware_families": [],
"attack_ids": [
{
"id": "T1012",
"name": "Query Registry",
"display_name": "T1012 - Query Registry"
},
{
"id": "T1132",
"name": "Data Encoding",
"display_name": "T1132 - Data Encoding"
},
{
"id": "T1573",
"name": "Encrypted Channel",
"display_name": "T1573 - Encrypted Channel"
}
],
"industries": [],
"TLP": "white",
"cloned_from": "622772a53274b509660d46af",
"export_count": 3,
"upvotes_count": 0,
"downvotes_count": 0,
"votes_count": 0,
"locked": false,
"pulse_source": "web",
"validator_count": 0,
"comment_count": 0,
"follower_count": 0,
"vote": 0,
"author": {
"username": "msudosos",
"id": "381696",
"avatar_url": "https://otx.alienvault.com/assets/images/default-avatar.png",
"is_subscribed": false,
"is_following": false
},
"indicator_type_counts": {
"hostname": 902,
"domain": 338,
"URL": 1721,
"FileHash-SHA256": 558,
"email": 4,
"CVE": 1,
"FileHash-MD5": 159,
"FileHash-SHA1": 128
},
"indicator_count": 3811,
"is_author": false,
"is_subscribing": null,
"subscriber_count": 70,
"modified_text": "22 days ago ",
"is_modified": true,
"groups": [],
"in_group": false,
"threat_hunter_scannable": true,
"threat_hunter_has_agents": 1,
"related_indicator_type": "URL",
"related_indicator_is_active": 1
},
{
"id": "6963596c4cd594b77b4675ec",
"name": "Project Cicada-.Christopher \u201cBuzz\u201d Ahmann - PalantirFoundry | The State of Colorado | ",
"description": "",
"modified": "2026-02-10T06:05:39.764000",
"created": "2026-01-11T08:03:56.534000",
"tags": [
"colorado state",
"freeman mathis",
"history",
"cyber risk",
"aspen insureds",
"gaig insureds",
"landy insureds",
"nip group",
"purm insureds",
"overview core",
"united",
"ip address",
"present nov",
"present may",
"moved",
"encrypt",
"unknown",
"backdoor",
"passive dns",
"ransom",
"checkin",
"trojandropper",
"mtb nov",
"twitter",
"trojan",
"data upload",
"extraction",
"failed",
"united states",
"server response",
"google safe",
"results may",
"lowfi",
"virtool",
"mtb alf",
"mh alf",
"port",
"windows nt",
"destination",
"msie",
"khtml",
"gecko",
"unknown aaaa",
"a domains",
"meta",
"for privacy",
"cop supply",
"urls",
"as139646 hong",
"hostname",
"files",
"hong kong",
"domain add",
"ip related",
"hash avast",
"avg clamav",
"msdefender may",
"ddos",
"as13335",
"ipv4",
"certificate",
"hostname add",
"url analysis",
"files ip",
"name strings",
"category",
"united states",
"pulse indicator",
"address",
"error",
"null",
"object",
"string",
"number",
"google maps",
"promise",
"javascript api",
"dataset",
"bigint",
"dark",
"android",
"infinity",
"internal",
"roboto",
"trident",
"void",
"small",
"lightrail",
"false",
"span",
"close",
"light",
"hybrid",
"embed",
"iframe",
"keygen",
"this",
"february",
"bounce",
"drop",
"inside",
"outside",
"marker",
"present dec",
"pulses otx",
"aaaa",
"asnone country",
"record value",
"title",
"pulse pulses",
"pulses",
"showing",
"unknown cname",
"unknown soa",
"next associated",
"ipv4 add",
"cycbot",
"extract indic",
"sneaker bots",
"proxies data",
"script script",
"adult content",
"nextimage",
"porn site",
"div div",
"platform make",
"cloudfront x",
"hio52 p3",
"unknown ns",
"pulse submit",
"title error",
"reverse dns",
"status",
"servers",
"name servers",
"vashti hostname",
"scan endpoints",
"url http",
"http",
"files domain",
"files related",
"pulses none",
"dnssec",
"sec ch",
"ch ua",
"ua full",
"ua platform",
"ua bitness",
"ua arch",
"version sec",
"mobile sec",
"model sec",
"version list",
"domain",
"emails",
"cookie",
"url https",
"show",
"filehash",
"urls show",
"date checked",
"url hostname",
"results nov",
"win32",
"type",
"learn",
"ck id",
"name tactics",
"suspicious",
"informative",
"command",
"adversaries",
"ssl certificate",
"defense evasion",
"spawns",
"flag",
"llc name",
"server",
"markmonitor",
"name server",
"windir",
"openurl c",
"prefetch2",
"show technique",
"mitre att",
"ck matrix",
"pattern match",
"ascii text",
"sha1",
"href",
"show process",
"file",
"general",
"local",
"path",
"germany unknown",
"date",
"registrar",
"ip whois",
"dynamicloader",
"high",
"medium",
"search",
"displayname",
"tofsee",
"win64",
"write",
"stream",
"malware",
"push",
"entries",
"tls handshake",
"failure",
"forbidden",
"tlsv1",
"april",
"next",
"write c",
"intel",
"ms windows",
"sha1 add",
"av detections",
"ids detections",
"yara detections",
"alerts",
"analysis date",
"file score",
"sha256 add",
"present jun",
"present mar",
"medelln",
"colombia asn",
"dns resolutions",
"address domain",
"related tags",
"none google",
"safe browsing",
"external",
"present sep",
"present aug",
"as54113",
"present jul",
"as8068",
"gmt content",
"total",
"read",
"delete",
"top source",
"quasi",
"murderers",
"christopher ahmann",
"buzz ahmann",
"wow64",
"slcc2",
"media center",
"labor",
"employment",
"cdle",
"dowc",
"colorado",
"workers",
"coloradoif",
"independent",
"state",
"company",
"entity type",
"authorized line",
"analysis",
"tor analysis",
"process details",
"network traffic",
"t1071",
"potential ip",
"click",
"found",
"t1480 execution",
"bad traffic",
"et info",
"ck techniques",
"evasion att",
"t1057",
"refresh",
"body",
"strings",
"tools",
"look",
"verify",
"restart",
"cname",
"form",
"pulse",
"script domains",
"script urls",
"administrator",
"services llc",
"dns admin",
"domain admin",
"global llc",
"domain manager",
"computer system",
"ltd domain",
"network",
"alibaba",
"facebook",
"phishme",
"sogou",
"present jan",
"present feb",
"present oct"
],
"references": [
"https://www.fmglaw.com/lawyers/christopher-ahmann - found in adult content pulse.",
"Sneaker Bots Proxies Servers Cook Groups Cop Supply",
"archive.cop.supply \u2022 dev.cop.supply \u2022 https://cop.supply/ \u2022 https://cop.supply/bot-lists/",
"https://cop.supply/supreme-bots/\u2022 https://cop.supply/useful-tools/",
"https://cop.supply/proxies-lists/ \u2022 https://cop.supply/shopify-bots/",
"dns.army \u2022 www.dcopr.dns.army \u2022 www.glsyaiwjj.dns.army \u2022 www.wgmvk.dns.army",
"https://maps.googleapis.com/maps/api/js?sensor=false",
"cell-0.af-south-1.prod.telemetry.console.api.aws",
"howtoworkacrickoutofyourneck2.pages.dev",
"firebase-auth-eich0v.pages.dev",
"http://ianswertomom.com/develop-wise-woman-within-yourself",
"http://ianswertomom.com/bible-verses-struggling-contentment-mom/ I",
"https://i-want-to-start-an-onlyfans.pages.dev/favicon.ico| I bet you do boo boo",
"makeapornsite.com \u2022 https://pornhighschool.com/ \u2022 https://ethnicerotic.com \u2022 https://twitter.com/Make",
"https://khmerpornvideo.signup0.y.id/",
"https://lordseriala.life/6337-zvezdnye-vojny-opornaja-komanda.html",
"https://clear.ml/infrastructure-control-plane",
"dev-app.project-cicada.com \u2022 http://dev-app.project-cicada.com \u2022 https://dev-app.project-cicada.com (2014 report predates 2016 reports)",
"https://amano.inboundtools.com/tpcontact URL https://armg.inboundtools.com/ URL https://gaiax.inboundtools.com/internship URL https://hmk.inboundtools.com/ URL https://hmk.inboundtools.com/form/assetview_siryo_sier",
"https://download.clear.ml/cpython_builds/releases/ \u2022 https://download.clear.",
"https://links.mail.samsara.com/s/c/P9R6gGlExR4nfCwqwJXUmr7NmKcMNde4ZBhCFprlVtsFNgh-4tuTWla0aXN9rIWCjrWtn0Vln7x-hexxVBlY3xxvnEevR8qJU5G5xV3__wo-X7kkpSOhJVfejac-Xk8qu6zs5Z-tILwWYRkNScZNGlAqfwQuJuRw5M-n_ZKI6tuY5XGCZAqWoQepi1NnJiW4wZJkzZlOwGtNkusbuKDcMsLVrrhji2eKh4kYgrJp_SeycJRhasLFCQ3c2bPu4sahEWpcHZrQBaxvdfQgTEno8kV-RJdTDO0zK5MyWDJLeds7mnaDrxlb0O2zmhebUdlHE0R0xHi25dympBUpMlLsQV8bx1WUTOfgK4k0ci9o_2Gbfe22-jLxsJN-msV6pxWYQMaxRNFd4iZRC9J9Z1SC5MBqbvNzqdt98kFdpibnv_QIHdhFyHOR_Ip_LX67Dncc8V8OvAi-H5phfeSyDzwdzf2FQIi82",
"https://voidpet.io/invite/scaredscared/1rpzxWXa61 \u2022 https://sex-doggy.net/tag/censored",
"Everyone has simply asked you alll to stop. Target never asked anyone for money.",
"Legal court documented agreement to allow and pay target to hire cyber investigators",
"Attacks are being carried out by The State of Colorado"
],
"public": 1,
"adversary": "",
"targeted_countries": [
"United States of America",
"Japan",
"France",
"Ireland",
"Spain",
"Italy",
"Aruba",
"Australia",
"Denmark",
"United Kingdom of Great Britain and Northern Ireland",
"Germany",
"T\u00fcrkiye",
"Indonesia"
],
"malware_families": [
{
"id": "Win.Trojan.GravityRAT-6511862-0",
"display_name": "Win.Trojan.GravityRAT-6511862-0",
"target": null
},
{
"id": "ALF:HeraklezEval:Trojan:MSIL/Gravityrat!rfn",
"display_name": "ALF:HeraklezEval:Trojan:MSIL/Gravityrat!rfn",
"target": null
},
{
"id": "Unix.Trojan.Tsunami-6981155-0",
"display_name": "Unix.Trojan.Tsunami-6981155-0",
"target": null
},
{
"id": "TrojanDropper:Win32/Systex.A",
"display_name": "TrojanDropper:Win32/Systex.A",
"target": "/malware/TrojanDropper:Win32/Systex.A"
},
{
"id": "Win.Trojan.Tepfer-61",
"display_name": "Win.Trojan.Tepfer-61",
"target": null
},
{
"id": "TrojanDownloader:Win32/CutwailRansom:Win32/Crowti.A",
"display_name": "TrojanDownloader:Win32/CutwailRansom:Win32/Crowti.A",
"target": null
},
{
"id": "VirTool:Win32/VBInject.gen!MH",
"display_name": "VirTool:Win32/VBInject.gen!MH",
"target": "/malware/VirTool:Win32/VBInject.gen!MH"
},
{
"id": "ALF:NID:Susp_NSIS_Stub.A",
"display_name": "ALF:NID:Susp_NSIS_Stub.A",
"target": null
},
{
"id": "#LOWFI:HSTR:Criakl.B1",
"display_name": "#LOWFI:HSTR:Criakl.B1",
"target": null
},
{
"id": "Backdoor:Win32/Arwobot.B",
"display_name": "Backdoor:Win32/Arwobot.B",
"target": "/malware/Backdoor:Win32/Arwobot.B"
},
{
"id": "Win.Packed.Bandook-9882274-1",
"display_name": "Win.Packed.Bandook-9882274-1",
"target": null
},
{
"id": "TrojanDownloader:Win32/Cutwail",
"display_name": "TrojanDownloader:Win32/Cutwail",
"target": "/malware/TrojanDownloader:Win32/Cutwail"
},
{
"id": "Win.Downloader.Small-4507",
"display_name": "Win.Downloader.Small-4507",
"target": null
},
{
"id": "Trojan:Win32/Qbot.R!MTB",
"display_name": "Trojan:Win32/Qbot.R!MTB",
"target": "/malware/Trojan:Win32/Qbot.R!MTB"
},
{
"id": "Win.Malware.Mikey-9949492-0",
"display_name": "Win.Malware.Mikey-9949492-0",
"target": null
},
{
"id": "Ransom:Win32/Crowti.A",
"display_name": "Ransom:Win32/Crowti.A",
"target": "/malware/Ransom:Win32/Crowti.A"
},
{
"id": "Backdoor:Linux/DemonBot.Aa!MTB",
"display_name": "Backdoor:Linux/DemonBot.Aa!MTB",
"target": "/malware/Backdoor:Linux/DemonBot.Aa!MTB"
},
{
"id": "Unix.Trojan.Gafgyt-6981154-0",
"display_name": "Unix.Trojan.Gafgyt-6981154-0",
"target": null
},
{
"id": "DDOS:Linux/Gafgyt.YA!MTB",
"display_name": "DDOS:Linux/Gafgyt.YA!MTB",
"target": "/malware/DDOS:Linux/Gafgyt.YA!MTB"
},
{
"id": "CVE-2017-11882",
"display_name": "CVE-2017-11882",
"target": null
},
{
"id": "ALF:Exploit:O97M/CVE-2017-8977",
"display_name": "ALF:Exploit:O97M/CVE-2017-8977",
"target": null
},
{
"id": "Cycbot",
"display_name": "Cycbot",
"target": null
},
{
"id": "Win32:BotX-gen\\ [Trj]",
"display_name": "Win32:BotX-gen\\ [Trj]",
"target": null
},
{
"id": "NIDS",
"display_name": "NIDS",
"target": null
},
{
"id": "Mirai (ELF)",
"display_name": "Mirai (ELF)",
"target": null
},
{
"id": "Worm",
"display_name": "Worm",
"target": null
}
],
"attack_ids": [
{
"id": "T1027",
"name": "Obfuscated Files or Information",
"display_name": "T1027 - Obfuscated Files or Information"
},
{
"id": "T1055",
"name": "Process Injection",
"display_name": "T1055 - Process Injection"
},
{
"id": "T1057",
"name": "Process Discovery",
"display_name": "T1057 - Process Discovery"
},
{
"id": "T1069",
"name": "Permission Groups Discovery",
"display_name": "T1069 - Permission Groups Discovery"
},
{
"id": "T1071",
"name": "Application Layer Protocol",
"display_name": "T1071 - Application Layer Protocol"
},
{
"id": "T1105",
"name": "Ingress Tool Transfer",
"display_name": "T1105 - Ingress Tool Transfer"
},
{
"id": "T1480",
"name": "Execution Guardrails",
"display_name": "T1480 - Execution Guardrails"
},
{
"id": "T1553",
"name": "Subvert Trust Controls",
"display_name": "T1553 - Subvert Trust Controls"
},
{
"id": "T1568",
"name": "Dynamic Resolution",
"display_name": "T1568 - Dynamic Resolution"
},
{
"id": "T1583",
"name": "Acquire Infrastructure",
"display_name": "T1583 - Acquire Infrastructure"
},
{
"id": "T1590",
"name": "Gather Victim Network Information",
"display_name": "T1590 - Gather Victim Network Information"
},
{
"id": "T1204.001",
"name": "Malicious Link",
"display_name": "T1204.001 - Malicious Link"
},
{
"id": "T1457",
"name": "Malicious Media Content",
"display_name": "T1457 - Malicious Media Content"
},
{
"id": "T1071.004",
"name": "DNS",
"display_name": "T1071.004 - DNS"
},
{
"id": "T1155",
"name": "AppleScript",
"display_name": "T1155 - AppleScript"
},
{
"id": "T1060",
"name": "Registry Run Keys / Startup Folder",
"display_name": "T1060 - Registry Run Keys / Startup Folder"
},
{
"id": "T1045",
"name": "Software Packing",
"display_name": "T1045 - Software Packing"
},
{
"id": "T1063",
"name": "Security Software Discovery",
"display_name": "T1063 - Security Software Discovery"
},
{
"id": "T1113",
"name": "Screen Capture",
"display_name": "T1113 - Screen Capture"
},
{
"id": "T1068",
"name": "Exploitation for Privilege Escalation",
"display_name": "T1068 - Exploitation for Privilege Escalation"
},
{
"id": "T1210",
"name": "Exploitation of Remote Services",
"display_name": "T1210 - Exploitation of Remote Services"
},
{
"id": "T1566",
"name": "Phishing",
"display_name": "T1566 - Phishing"
},
{
"id": "TA0037",
"name": "Command and Control",
"display_name": "TA0037 - Command and Control"
},
{
"id": "T1031",
"name": "Modify Existing Service",
"display_name": "T1031 - Modify Existing Service"
},
{
"id": "T1583.005",
"name": "Botnet",
"display_name": "T1583.005 - Botnet"
},
{
"id": "T1176",
"name": "Browser Extensions",
"display_name": "T1176 - Browser Extensions"
},
{
"id": "T1185",
"name": "Man in the Browser",
"display_name": "T1185 - Man in the Browser"
},
{
"id": "T1574.008",
"name": "Path Interception by Search Order Hijacking",
"display_name": "T1574.008 - Path Interception by Search Order Hijacking"
},
{
"id": "T1410",
"name": "Network Traffic Capture or Redirection",
"display_name": "T1410 - Network Traffic Capture or Redirection"
},
{
"id": "T1449",
"name": "Exploit SS7 to Redirect Phone Calls/SMS",
"display_name": "T1449 - Exploit SS7 to Redirect Phone Calls/SMS"
},
{
"id": "T1593.002",
"name": "Search Engines",
"display_name": "T1593.002 - Search Engines"
}
],
"industries": [
"Insurance",
"Construction"
],
"TLP": "green",
"cloned_from": "693cdc5b8ebc10664439c2fb",
"export_count": 14,
"upvotes_count": 0,
"downvotes_count": 0,
"votes_count": 0,
"locked": false,
"pulse_source": "web",
"validator_count": 0,
"comment_count": 0,
"follower_count": 0,
"vote": 0,
"author": {
"username": "Q.Vashti",
"id": "337942",
"avatar_url": "https://otx.alienvault.com/assets/images/default-avatar.png",
"is_subscribed": false,
"is_following": false
},
"indicator_type_counts": {
"URL": 54118,
"domain": 11153,
"hostname": 18578,
"email": 21,
"FileHash-SHA256": 4905,
"FileHash-MD5": 548,
"FileHash-SHA1": 534,
"CVE": 7,
"SSLCertFingerprint": 20,
"CIDR": 1
},
"indicator_count": 89885,
"is_author": false,
"is_subscribing": null,
"subscriber_count": 145,
"modified_text": "113 days ago ",
"is_modified": true,
"groups": [],
"in_group": false,
"threat_hunter_scannable": true,
"threat_hunter_has_agents": 1,
"related_indicator_type": "URL",
"related_indicator_is_active": 1
},
{
"id": "693cdc5b8ebc10664439c2fb",
"name": "Project Cicada-.Christopher \u201cBuzz\u201d Ahmann - Freeman Mathis & Gary for The State of Colorado",
"description": "State of Colorado attackers use DGA domains set up multiple Law Firms.. Christopher P. \u2019Buzz\u2019 Ahmann Is a legal consultant / attorney./ hacker \nWorks for the State of Colorado/ quasi. Is malicious and doesn\u2019t work alone. Continues to target \nState had relative contacted by a fake entity \u2018Goodness Health\u2019\nLeft vague VM for relative message \u201cWe work on the Medicare side of things.\u201d and? \nSocial engineering call , malicious domain. The State of Colorado has been on a relentless pursuit against target. Fully compromised targets relatives brand new phone. Hacked target since 10/2013.\nMultiple cyber and physical attacks carried out against target and family members.. There are attacks make to look like accidents or malfunctions. This harmful, silencing behavior is somehow illegal for anyone else.",
"modified": "2026-02-10T06:05:39.764000",
"created": "2025-12-13T03:24:11.414000",
"tags": [
"colorado state",
"freeman mathis",
"history",
"cyber risk",
"aspen insureds",
"gaig insureds",
"landy insureds",
"nip group",
"purm insureds",
"overview core",
"united",
"ip address",
"present nov",
"present may",
"moved",
"encrypt",
"unknown",
"backdoor",
"passive dns",
"ransom",
"checkin",
"trojandropper",
"mtb nov",
"twitter",
"trojan",
"data upload",
"extraction",
"failed",
"united states",
"server response",
"google safe",
"results may",
"lowfi",
"virtool",
"mtb alf",
"mh alf",
"port",
"windows nt",
"destination",
"msie",
"khtml",
"gecko",
"unknown aaaa",
"a domains",
"meta",
"for privacy",
"cop supply",
"urls",
"as139646 hong",
"hostname",
"files",
"hong kong",
"domain add",
"ip related",
"hash avast",
"avg clamav",
"msdefender may",
"ddos",
"as13335",
"ipv4",
"certificate",
"hostname add",
"url analysis",
"files ip",
"name strings",
"category",
"united states",
"pulse indicator",
"address",
"error",
"null",
"object",
"string",
"number",
"google maps",
"promise",
"javascript api",
"dataset",
"bigint",
"dark",
"android",
"infinity",
"internal",
"roboto",
"trident",
"void",
"small",
"lightrail",
"false",
"span",
"close",
"light",
"hybrid",
"embed",
"iframe",
"keygen",
"this",
"february",
"bounce",
"drop",
"inside",
"outside",
"marker",
"present dec",
"pulses otx",
"aaaa",
"asnone country",
"record value",
"title",
"pulse pulses",
"pulses",
"showing",
"unknown cname",
"unknown soa",
"next associated",
"ipv4 add",
"cycbot",
"extract indic",
"sneaker bots",
"proxies data",
"script script",
"adult content",
"nextimage",
"porn site",
"div div",
"platform make",
"cloudfront x",
"hio52 p3",
"unknown ns",
"pulse submit",
"title error",
"reverse dns",
"status",
"servers",
"name servers",
"vashti hostname",
"scan endpoints",
"url http",
"http",
"files domain",
"files related",
"pulses none",
"dnssec",
"sec ch",
"ch ua",
"ua full",
"ua platform",
"ua bitness",
"ua arch",
"version sec",
"mobile sec",
"model sec",
"version list",
"domain",
"emails",
"cookie",
"url https",
"show",
"filehash",
"urls show",
"date checked",
"url hostname",
"results nov",
"win32",
"type",
"learn",
"ck id",
"name tactics",
"suspicious",
"informative",
"command",
"adversaries",
"ssl certificate",
"defense evasion",
"spawns",
"flag",
"llc name",
"server",
"markmonitor",
"name server",
"windir",
"openurl c",
"prefetch2",
"show technique",
"mitre att",
"ck matrix",
"pattern match",
"ascii text",
"sha1",
"href",
"show process",
"file",
"general",
"local",
"path",
"germany unknown",
"date",
"registrar",
"ip whois",
"dynamicloader",
"high",
"medium",
"search",
"displayname",
"tofsee",
"win64",
"write",
"stream",
"malware",
"push",
"entries",
"tls handshake",
"failure",
"forbidden",
"tlsv1",
"april",
"next",
"write c",
"intel",
"ms windows",
"sha1 add",
"av detections",
"ids detections",
"yara detections",
"alerts",
"analysis date",
"file score",
"sha256 add",
"present jun",
"present mar",
"medelln",
"colombia asn",
"dns resolutions",
"address domain",
"related tags",
"none google",
"safe browsing",
"external",
"present sep",
"present aug",
"as54113",
"present jul",
"as8068",
"gmt content",
"total",
"read",
"delete",
"top source",
"quasi",
"murderers",
"christopher ahmann",
"buzz ahmann",
"wow64",
"slcc2",
"media center",
"labor",
"employment",
"cdle",
"dowc",
"colorado",
"workers",
"coloradoif",
"independent",
"state",
"company",
"entity type",
"authorized line",
"analysis",
"tor analysis",
"process details",
"network traffic",
"t1071",
"potential ip",
"click",
"found",
"t1480 execution",
"bad traffic",
"et info",
"ck techniques",
"evasion att",
"t1057",
"refresh",
"body",
"strings",
"tools",
"look",
"verify",
"restart",
"cname",
"form",
"pulse",
"script domains",
"script urls",
"administrator",
"services llc",
"dns admin",
"domain admin",
"global llc",
"domain manager",
"computer system",
"ltd domain",
"network",
"alibaba",
"facebook",
"phishme",
"sogou",
"present jan",
"present feb",
"present oct"
],
"references": [
"https://www.fmglaw.com/lawyers/christopher-ahmann - found in adult content pulse.",
"Sneaker Bots Proxies Servers Cook Groups Cop Supply",
"archive.cop.supply \u2022 dev.cop.supply \u2022 https://cop.supply/ \u2022 https://cop.supply/bot-lists/",
"https://cop.supply/supreme-bots/\u2022 https://cop.supply/useful-tools/",
"https://cop.supply/proxies-lists/ \u2022 https://cop.supply/shopify-bots/",
"dns.army \u2022 www.dcopr.dns.army \u2022 www.glsyaiwjj.dns.army \u2022 www.wgmvk.dns.army",
"https://maps.googleapis.com/maps/api/js?sensor=false",
"cell-0.af-south-1.prod.telemetry.console.api.aws",
"howtoworkacrickoutofyourneck2.pages.dev",
"firebase-auth-eich0v.pages.dev",
"http://ianswertomom.com/develop-wise-woman-within-yourself",
"http://ianswertomom.com/bible-verses-struggling-contentment-mom/ I",
"https://i-want-to-start-an-onlyfans.pages.dev/favicon.ico| I bet you do boo boo",
"makeapornsite.com \u2022 https://pornhighschool.com/ \u2022 https://ethnicerotic.com \u2022 https://twitter.com/Make",
"https://khmerpornvideo.signup0.y.id/",
"https://lordseriala.life/6337-zvezdnye-vojny-opornaja-komanda.html",
"https://clear.ml/infrastructure-control-plane",
"dev-app.project-cicada.com \u2022 http://dev-app.project-cicada.com \u2022 https://dev-app.project-cicada.com (2014 report predates 2016 reports)",
"https://amano.inboundtools.com/tpcontact URL https://armg.inboundtools.com/ URL https://gaiax.inboundtools.com/internship URL https://hmk.inboundtools.com/ URL https://hmk.inboundtools.com/form/assetview_siryo_sier",
"https://download.clear.ml/cpython_builds/releases/ \u2022 https://download.clear.",
"https://links.mail.samsara.com/s/c/P9R6gGlExR4nfCwqwJXUmr7NmKcMNde4ZBhCFprlVtsFNgh-4tuTWla0aXN9rIWCjrWtn0Vln7x-hexxVBlY3xxvnEevR8qJU5G5xV3__wo-X7kkpSOhJVfejac-Xk8qu6zs5Z-tILwWYRkNScZNGlAqfwQuJuRw5M-n_ZKI6tuY5XGCZAqWoQepi1NnJiW4wZJkzZlOwGtNkusbuKDcMsLVrrhji2eKh4kYgrJp_SeycJRhasLFCQ3c2bPu4sahEWpcHZrQBaxvdfQgTEno8kV-RJdTDO0zK5MyWDJLeds7mnaDrxlb0O2zmhebUdlHE0R0xHi25dympBUpMlLsQV8bx1WUTOfgK4k0ci9o_2Gbfe22-jLxsJN-msV6pxWYQMaxRNFd4iZRC9J9Z1SC5MBqbvNzqdt98kFdpibnv_QIHdhFyHOR_Ip_LX67Dncc8V8OvAi-H5phfeSyDzwdzf2FQIi82",
"https://voidpet.io/invite/scaredscared/1rpzxWXa61 \u2022 https://sex-doggy.net/tag/censored",
"Everyone has simply asked you alll to stop. Target never asked anyone for money.",
"Legal court documented agreement to allow and pay target to hire cyber investigators",
"Attacks are being carried out by The State of Colorado"
],
"public": 1,
"adversary": "",
"targeted_countries": [
"United States of America",
"Japan",
"France",
"Ireland",
"Spain",
"Italy",
"Aruba",
"Australia",
"Denmark",
"United Kingdom of Great Britain and Northern Ireland",
"Germany",
"T\u00fcrkiye",
"Indonesia"
],
"malware_families": [
{
"id": "Win.Trojan.GravityRAT-6511862-0",
"display_name": "Win.Trojan.GravityRAT-6511862-0",
"target": null
},
{
"id": "ALF:HeraklezEval:Trojan:MSIL/Gravityrat!rfn",
"display_name": "ALF:HeraklezEval:Trojan:MSIL/Gravityrat!rfn",
"target": null
},
{
"id": "Unix.Trojan.Tsunami-6981155-0",
"display_name": "Unix.Trojan.Tsunami-6981155-0",
"target": null
},
{
"id": "TrojanDropper:Win32/Systex.A",
"display_name": "TrojanDropper:Win32/Systex.A",
"target": "/malware/TrojanDropper:Win32/Systex.A"
},
{
"id": "Win.Trojan.Tepfer-61",
"display_name": "Win.Trojan.Tepfer-61",
"target": null
},
{
"id": "TrojanDownloader:Win32/CutwailRansom:Win32/Crowti.A",
"display_name": "TrojanDownloader:Win32/CutwailRansom:Win32/Crowti.A",
"target": null
},
{
"id": "VirTool:Win32/VBInject.gen!MH",
"display_name": "VirTool:Win32/VBInject.gen!MH",
"target": "/malware/VirTool:Win32/VBInject.gen!MH"
},
{
"id": "ALF:NID:Susp_NSIS_Stub.A",
"display_name": "ALF:NID:Susp_NSIS_Stub.A",
"target": null
},
{
"id": "#LOWFI:HSTR:Criakl.B1",
"display_name": "#LOWFI:HSTR:Criakl.B1",
"target": null
},
{
"id": "Backdoor:Win32/Arwobot.B",
"display_name": "Backdoor:Win32/Arwobot.B",
"target": "/malware/Backdoor:Win32/Arwobot.B"
},
{
"id": "Win.Packed.Bandook-9882274-1",
"display_name": "Win.Packed.Bandook-9882274-1",
"target": null
},
{
"id": "TrojanDownloader:Win32/Cutwail",
"display_name": "TrojanDownloader:Win32/Cutwail",
"target": "/malware/TrojanDownloader:Win32/Cutwail"
},
{
"id": "Win.Downloader.Small-4507",
"display_name": "Win.Downloader.Small-4507",
"target": null
},
{
"id": "Trojan:Win32/Qbot.R!MTB",
"display_name": "Trojan:Win32/Qbot.R!MTB",
"target": "/malware/Trojan:Win32/Qbot.R!MTB"
},
{
"id": "Win.Malware.Mikey-9949492-0",
"display_name": "Win.Malware.Mikey-9949492-0",
"target": null
},
{
"id": "Ransom:Win32/Crowti.A",
"display_name": "Ransom:Win32/Crowti.A",
"target": "/malware/Ransom:Win32/Crowti.A"
},
{
"id": "Backdoor:Linux/DemonBot.Aa!MTB",
"display_name": "Backdoor:Linux/DemonBot.Aa!MTB",
"target": "/malware/Backdoor:Linux/DemonBot.Aa!MTB"
},
{
"id": "Unix.Trojan.Gafgyt-6981154-0",
"display_name": "Unix.Trojan.Gafgyt-6981154-0",
"target": null
},
{
"id": "DDOS:Linux/Gafgyt.YA!MTB",
"display_name": "DDOS:Linux/Gafgyt.YA!MTB",
"target": "/malware/DDOS:Linux/Gafgyt.YA!MTB"
},
{
"id": "CVE-2017-11882",
"display_name": "CVE-2017-11882",
"target": null
},
{
"id": "ALF:Exploit:O97M/CVE-2017-8977",
"display_name": "ALF:Exploit:O97M/CVE-2017-8977",
"target": null
},
{
"id": "Cycbot",
"display_name": "Cycbot",
"target": null
},
{
"id": "Win32:BotX-gen\\ [Trj]",
"display_name": "Win32:BotX-gen\\ [Trj]",
"target": null
},
{
"id": "NIDS",
"display_name": "NIDS",
"target": null
},
{
"id": "Mirai (ELF)",
"display_name": "Mirai (ELF)",
"target": null
},
{
"id": "Worm",
"display_name": "Worm",
"target": null
}
],
"attack_ids": [
{
"id": "T1027",
"name": "Obfuscated Files or Information",
"display_name": "T1027 - Obfuscated Files or Information"
},
{
"id": "T1055",
"name": "Process Injection",
"display_name": "T1055 - Process Injection"
},
{
"id": "T1057",
"name": "Process Discovery",
"display_name": "T1057 - Process Discovery"
},
{
"id": "T1069",
"name": "Permission Groups Discovery",
"display_name": "T1069 - Permission Groups Discovery"
},
{
"id": "T1071",
"name": "Application Layer Protocol",
"display_name": "T1071 - Application Layer Protocol"
},
{
"id": "T1105",
"name": "Ingress Tool Transfer",
"display_name": "T1105 - Ingress Tool Transfer"
},
{
"id": "T1480",
"name": "Execution Guardrails",
"display_name": "T1480 - Execution Guardrails"
},
{
"id": "T1553",
"name": "Subvert Trust Controls",
"display_name": "T1553 - Subvert Trust Controls"
},
{
"id": "T1568",
"name": "Dynamic Resolution",
"display_name": "T1568 - Dynamic Resolution"
},
{
"id": "T1583",
"name": "Acquire Infrastructure",
"display_name": "T1583 - Acquire Infrastructure"
},
{
"id": "T1590",
"name": "Gather Victim Network Information",
"display_name": "T1590 - Gather Victim Network Information"
},
{
"id": "T1204.001",
"name": "Malicious Link",
"display_name": "T1204.001 - Malicious Link"
},
{
"id": "T1457",
"name": "Malicious Media Content",
"display_name": "T1457 - Malicious Media Content"
},
{
"id": "T1071.004",
"name": "DNS",
"display_name": "T1071.004 - DNS"
},
{
"id": "T1155",
"name": "AppleScript",
"display_name": "T1155 - AppleScript"
},
{
"id": "T1060",
"name": "Registry Run Keys / Startup Folder",
"display_name": "T1060 - Registry Run Keys / Startup Folder"
},
{
"id": "T1045",
"name": "Software Packing",
"display_name": "T1045 - Software Packing"
},
{
"id": "T1063",
"name": "Security Software Discovery",
"display_name": "T1063 - Security Software Discovery"
},
{
"id": "T1113",
"name": "Screen Capture",
"display_name": "T1113 - Screen Capture"
},
{
"id": "T1068",
"name": "Exploitation for Privilege Escalation",
"display_name": "T1068 - Exploitation for Privilege Escalation"
},
{
"id": "T1210",
"name": "Exploitation of Remote Services",
"display_name": "T1210 - Exploitation of Remote Services"
},
{
"id": "T1566",
"name": "Phishing",
"display_name": "T1566 - Phishing"
},
{
"id": "TA0037",
"name": "Command and Control",
"display_name": "TA0037 - Command and Control"
},
{
"id": "T1031",
"name": "Modify Existing Service",
"display_name": "T1031 - Modify Existing Service"
},
{
"id": "T1583.005",
"name": "Botnet",
"display_name": "T1583.005 - Botnet"
},
{
"id": "T1176",
"name": "Browser Extensions",
"display_name": "T1176 - Browser Extensions"
},
{
"id": "T1185",
"name": "Man in the Browser",
"display_name": "T1185 - Man in the Browser"
},
{
"id": "T1574.008",
"name": "Path Interception by Search Order Hijacking",
"display_name": "T1574.008 - Path Interception by Search Order Hijacking"
},
{
"id": "T1410",
"name": "Network Traffic Capture or Redirection",
"display_name": "T1410 - Network Traffic Capture or Redirection"
},
{
"id": "T1449",
"name": "Exploit SS7 to Redirect Phone Calls/SMS",
"display_name": "T1449 - Exploit SS7 to Redirect Phone Calls/SMS"
},
{
"id": "T1593.002",
"name": "Search Engines",
"display_name": "T1593.002 - Search Engines"
}
],
"industries": [
"Insurance",
"Construction"
],
"TLP": "green",
"cloned_from": null,
"export_count": 8,
"upvotes_count": 0,
"downvotes_count": 0,
"votes_count": 0,
"locked": false,
"pulse_source": "web",
"validator_count": 0,
"comment_count": 0,
"follower_count": 0,
"vote": 0,
"author": {
"username": "Q.Vashti",
"id": "337942",
"avatar_url": "https://otx.alienvault.com/assets/images/default-avatar.png",
"is_subscribed": false,
"is_following": false
},
"indicator_type_counts": {
"URL": 54118,
"domain": 11153,
"hostname": 18578,
"email": 21,
"FileHash-SHA256": 4905,
"FileHash-MD5": 548,
"FileHash-SHA1": 534,
"CVE": 7,
"SSLCertFingerprint": 20,
"CIDR": 1
},
"indicator_count": 89885,
"is_author": false,
"is_subscribing": null,
"subscriber_count": 146,
"modified_text": "113 days ago ",
"is_modified": true,
"groups": [],
"in_group": false,
"threat_hunter_scannable": true,
"threat_hunter_has_agents": 1,
"related_indicator_type": "URL",
"related_indicator_is_active": 1
},
{
"id": "68e2bb5d9ee8577ab5519f2c",
"name": "Meritshealth with DoD links? ",
"description": "",
"modified": "2026-01-13T00:05:56.401000",
"created": "2025-10-05T18:39:25.286000",
"tags": [
"gtmk5nxqc6",
"utc amazon",
"utc na",
"acceptencoding",
"gmt contenttype",
"connection",
"true pragma",
"gmt setcookie",
"httponly",
"gmt vary",
"nc000000 up",
"html document",
"unicode text",
"utf8 text",
"oc0006 http",
"http traffic",
"https http",
"mitre att",
"control ta0011",
"protocol t1071",
"match info",
"t1573 severity",
"info",
"number",
"ja3s",
"algorithm",
"azure rsa",
"tls issuing",
"cus subject",
"stwa lredmond",
"cnmicrosoft ecc",
"update secure",
"server ca",
"omicrosoft cus",
"get http",
"dns resolutions",
"registrar",
"markmonitor inc",
"country",
"resolver domain",
"type name",
"html",
"apnic",
"apnic whois",
"please",
"rirs",
"cidr",
"learn",
"ck id",
"name tactics",
"suspicious",
"informative",
"command",
"adversaries",
"development att",
"name tactics",
"binary file",
"ck matrix",
"wheelchair",
"iamrobert",
"pattern match",
"ascii text",
"href",
"united",
"general",
"local",
"path",
"encrypt",
"click",
"passive dns",
"urls",
"files",
"reverse dns",
"netherlands",
"present aug",
"a domains",
"moved",
"first pqc",
"ip address",
"unknown ns",
"unknown aaaa",
"title",
"body",
"meta",
"window",
"accept",
"body doctype",
"welcome",
"ok server",
"gmt content",
"present jul",
"present sep",
"aaaa",
"hostname",
"error",
"defense evasion",
"windows nt",
"response",
"vary",
"strings",
"core",
"t1027.013 encrypted/encoded",
"michelin lazy k",
"prefetch8",
"flag",
"date",
"starfield",
"hybrid",
"mobility cr",
"extraction",
"data upload",
"include",
"o url",
"url url",
"included i0",
"review ioc",
"excluded ic",
"suggested",
"find sugi",
"failed",
"cre pul",
"enter",
"enter sc",
"type",
"enric",
"extra",
"type opaste",
"data u",
"included",
"copy md5",
"copy sha1",
"copy sha256",
"null",
"refresh",
"tools",
"look",
"verify",
"restart",
"t1480 execution",
"expiration",
"url https",
"no expiration",
"iocs",
"ipv4",
"text drag",
"drop or",
"browse to",
"select file",
"redacted for",
"server",
"privacy tech",
"privacy admin",
"postal code",
"stateprovince",
"organization",
"email",
"code",
"quantum rooms",
"sam somalia",
"emp",
"porn",
"media defense",
"gov porn",
"suck my nips",
"reimer suspect",
"jeffrey reimer",
"dod",
"department of defense",
"show",
"date checked",
"url hostname",
"server response",
"google safe",
"results may",
"entries http",
"scans record",
"value status",
"sabey type",
"merits fake",
"y.a.s.",
"pornography",
"ramsom"
],
"references": [
"https://www.meritshealth.com/ Defense.Gov Mobility Co? ",
"zeroeyes.host \u2022 media.defense.gov \u2022 defense.gov \u2022 23.222.155.67",
"https://media.defense.gov/2022/Mar/17/2002958406/-1/-1/1/SUMMARY-OF-THE-JOINT-ALL-DOMAIN-COMMAND-AND-CONTROL-STRATEGY.pdf",
"https://media.defense.gov/2020/jun/09/2002313081/-1/-1/0/csi-detect-and-prevent-web-shell-malware-20200422.pdf",
"https://rto.bappam.eu/ai-n2cdl/mirai-2025-ven5k-telugu-movie-watch-online.html",
"https://pornokind.vgt.pl \u2022 https://cdn2.video.itsyourporn.com",
"https://webcams.itsyourporn.com/ \u2022 https://members.itsyourporn.com/",
"https://pics-storage-1.pornhat.com/contents/albums/main/1920x1080/135000/135855/9537375.jp",
"https://static.pornhat.com/contents/videos_screenshots/642000/642793/640x360/1.jpg",
"https://d1rozh26tys225.cloudfront.net/robot-suspicion.svg (mobility company no one has heard of)",
"https://www2.itsyourporn.com/license.php \u2022 https://www.lovephoto.tw/members",
"https://members.engine.com/login \u2022 https://members.engine.com/payment-details/220210",
"https://www-pornocarioca-com.sexogratis.page/videos/bbb/ex",
"https://media.defense.gov/2024/sep/18/2003547016/-1/-1/0/csa-prc-linked-actors-botnet.pdf",
"https://maisexo-com.putaria.info/casting \u2022 https://contosadultos-club.sexogratis.page/tudo",
"https://meumundogay-com.sexogratis.page/locker",
"https://es.pornhat.com/models/the-sex-creator/",
"Dear US Government, the man who assaulted targets name is Jeffrey Scott Reimer of Chester Springs, PA",
"Can the DoD no questions asked target a SA victim",
"Red Team Abuse? Starfield ? DoD? You need a real criminal Jeffrey Reimer.",
"There\u2019s a problem with terrorizing victims, relatives of, associates of and stealing their property intellectual or otherwise",
"socialmedia \u2022 socialmedia.defense.gov \u2022 static.defense.gov",
"There is fear in silence or speaking out",
"Target left unattended by anyone in a hospital except a security guard. Hospital refused care. Ignored rare brain incident from high cervical & brain assault injuries aggravated by car accident.",
"3-4 Police presence. 25 + hospital employees prepped radiology room. No one left room so was it for her?",
"If someone is believed to be a threat they have right to due process.",
"Infectious Disease UC Health denied target medication they said she needed as questionable liquid seeped into her brain.",
"She was a researcher not a hacker. A mother not a criminal. Most talented and least impressed person I have ever known.",
"Remarks online \u2018 T\u2019*#^^ is not a runner\u2019 a size 00 broke two track records at a major universities.",
"Honestly, you\u2019ve never seen or met her no many how many people you\u2019ve sent out. That\u2019s why you quiz.",
"ftp.iamrobert.com ? \u2022 https://www.meritshealth.com/templates/iamrobert/fonts/Graphik-Regular.eot",
"iamrobert.com Y.A.S.",
"1.2016 M.Brian Sabey filed a complaint about? Jeffrey Reimer refused Lie detector test and False memory exam",
"Target agreed and complied with all lie detector measures.",
"Is the family allowed to have a funeral for Tsara or print an obituary",
"No, they put Tsara in her mom\u2019s obituary, she couldn\u2019t grieve, she had to take it down.",
"I am very upset. Whoever is doing this is sick."
],
"public": 1,
"adversary": "",
"targeted_countries": [
"United States of America"
],
"malware_families": [
{
"id": "APNIC",
"display_name": "APNIC",
"target": null
},
{
"id": "Malware",
"display_name": "Malware",
"target": null
}
],
"attack_ids": [
{
"id": "T1071",
"name": "Application Layer Protocol",
"display_name": "T1071 - Application Layer Protocol"
},
{
"id": "T1573",
"name": "Encrypted Channel",
"display_name": "T1573 - Encrypted Channel"
},
{
"id": "T1027",
"name": "Obfuscated Files or Information",
"display_name": "T1027 - Obfuscated Files or Information"
},
{
"id": "T1057",
"name": "Process Discovery",
"display_name": "T1057 - Process Discovery"
},
{
"id": "T1069",
"name": "Permission Groups Discovery",
"display_name": "T1069 - Permission Groups Discovery"
},
{
"id": "T1105",
"name": "Ingress Tool Transfer",
"display_name": "T1105 - Ingress Tool Transfer"
},
{
"id": "T1480",
"name": "Execution Guardrails",
"display_name": "T1480 - Execution Guardrails"
},
{
"id": "T1553",
"name": "Subvert Trust Controls",
"display_name": "T1553 - Subvert Trust Controls"
},
{
"id": "T1566",
"name": "Phishing",
"display_name": "T1566 - Phishing"
},
{
"id": "T1568",
"name": "Dynamic Resolution",
"display_name": "T1568 - Dynamic Resolution"
},
{
"id": "T1583",
"name": "Acquire Infrastructure",
"display_name": "T1583 - Acquire Infrastructure"
},
{
"id": "T1069.002",
"name": "Domain Groups",
"display_name": "T1069.002 - Domain Groups"
},
{
"id": "T1071.001",
"name": "Web Protocols",
"display_name": "T1071.001 - Web Protocols"
},
{
"id": "T1583.001",
"name": "Domains",
"display_name": "T1583.001 - Domains"
},
{
"id": "TA0042",
"name": "Resource Development",
"display_name": "TA0042 - Resource Development"
},
{
"id": "TA0005",
"name": "Defense Evasion",
"display_name": "TA0005 - Defense Evasion"
},
{
"id": "T1553.002",
"name": "Code Signing",
"display_name": "T1553.002 - Code Signing"
},
{
"id": "T1528",
"name": "Steal Application Access Token",
"display_name": "T1528 - Steal Application Access Token"
},
{
"id": "T1071.004",
"name": "DNS",
"display_name": "T1071.004 - DNS"
},
{
"id": "T1113",
"name": "Screen Capture",
"display_name": "T1113 - Screen Capture"
},
{
"id": "T1590",
"name": "Gather Victim Network Information",
"display_name": "T1590 - Gather Victim Network Information"
},
{
"id": "T1591",
"name": "Gather Victim Org Information",
"display_name": "T1591 - Gather Victim Org Information"
},
{
"id": "T1132",
"name": "Data Encoding",
"display_name": "T1132 - Data Encoding"
},
{
"id": "T1140",
"name": "Deobfuscate/Decode Files or Information",
"display_name": "T1140 - Deobfuscate/Decode Files or Information"
},
{
"id": "T1562",
"name": "Impair Defenses",
"display_name": "T1562 - Impair Defenses"
},
{
"id": "T1457",
"name": "Malicious Media Content",
"display_name": "T1457 - Malicious Media Content"
},
{
"id": "T1562.001",
"name": "Disable or Modify Tools",
"display_name": "T1562.001 - Disable or Modify Tools"
},
{
"id": "T1562.004",
"name": "Disable or Modify System Firewall",
"display_name": "T1562.004 - Disable or Modify System Firewall"
},
{
"id": "T1089",
"name": "Disabling Security Tools",
"display_name": "T1089 - Disabling Security Tools"
},
{
"id": "T1562.008",
"name": "Disable Cloud Logs",
"display_name": "T1562.008 - Disable Cloud Logs"
},
{
"id": "T1125",
"name": "Video Capture",
"display_name": "T1125 - Video Capture"
},
{
"id": "T1056.003",
"name": "Web Portal Capture",
"display_name": "T1056.003 - Web Portal Capture"
},
{
"id": "T1512",
"name": "Capture Camera",
"display_name": "T1512 - Capture Camera"
},
{
"id": "T1180",
"name": "Screensaver",
"display_name": "T1180 - Screensaver"
}
],
"industries": [],
"TLP": "white",
"cloned_from": "68e2b14d83bb63502feac65e",
"export_count": 17,
"upvotes_count": 0,
"downvotes_count": 0,
"votes_count": 0,
"locked": false,
"pulse_source": "web",
"validator_count": 0,
"comment_count": 0,
"follower_count": 0,
"vote": 0,
"author": {
"username": "Q.Vashti",
"id": "337942",
"avatar_url": "https://otx.alienvault.com/assets/images/default-avatar.png",
"is_subscribed": false,
"is_following": false
},
"indicator_type_counts": {
"domain": 1365,
"URL": 11172,
"hostname": 2780,
"FileHash-MD5": 381,
"FileHash-SHA256": 4420,
"FileHash-SHA1": 338,
"CIDR": 4,
"SSLCertFingerprint": 24,
"CVE": 1,
"email": 1
},
"indicator_count": 20486,
"is_author": false,
"is_subscribing": null,
"subscriber_count": 143,
"modified_text": "141 days ago ",
"is_modified": true,
"groups": [],
"in_group": false,
"threat_hunter_scannable": true,
"threat_hunter_has_agents": 1,
"related_indicator_type": "URL",
"related_indicator_is_active": 1
},
{
"id": "68e2b14d83bb63502feac65e",
"name": "Did the \u2018real\u2019 DoD kill Targets wheelchair as promised? It\u2019s alive again.",
"description": "I\u2019d never think the DoD would be found when researching a wheelchair company NO ONE has ever heard of in this region. \n\nA wheelchair was ordered for target early spring, it was received in early summer. \n\nSettings became a crazy mess. Suspicion was immediate as a toothless tech tried to identify if dealing w/target by birth year , quizzing, fear tactics (doomsday wheelchair) , familiar Then warns about EMP attacks against wheelchair? His son is a hacker (gamer) + software engineer. He left not knowing if target status after quizzing tech knowledge? I intentionally verbalized the truth , target was a very early adopter of Ruby & Ruby on Rails & everything tech, he dropped his tools & left breaking the arm of wheelchair. New tech needed. Later denies ever being a mobility technician. They killed a new wheelchair. Why?. You\u2019re allowed to donate your equipment Vets & uninsured NEED mobility equipment. Stop the craziness. Is it possible gamer hackers are riding the DoD w/o their knowledge?",
"modified": "2026-01-07T00:00:30.717000",
"created": "2025-10-05T17:56:29.109000",
"tags": [
"gtmk5nxqc6",
"utc amazon",
"utc na",
"acceptencoding",
"gmt contenttype",
"connection",
"true pragma",
"gmt setcookie",
"httponly",
"gmt vary",
"nc000000 up",
"html document",
"unicode text",
"utf8 text",
"oc0006 http",
"http traffic",
"https http",
"mitre att",
"control ta0011",
"protocol t1071",
"match info",
"t1573 severity",
"info",
"number",
"ja3s",
"algorithm",
"azure rsa",
"tls issuing",
"cus subject",
"stwa lredmond",
"cnmicrosoft ecc",
"update secure",
"server ca",
"omicrosoft cus",
"get http",
"dns resolutions",
"registrar",
"markmonitor inc",
"country",
"resolver domain",
"type name",
"html",
"apnic",
"apnic whois",
"please",
"rirs",
"cidr",
"learn",
"ck id",
"name tactics",
"suspicious",
"informative",
"command",
"adversaries",
"development att",
"name tactics",
"binary file",
"ck matrix",
"wheelchair",
"iamrobert",
"pattern match",
"ascii text",
"href",
"united",
"general",
"local",
"path",
"encrypt",
"click",
"passive dns",
"urls",
"files",
"reverse dns",
"netherlands",
"present aug",
"a domains",
"moved",
"first pqc",
"ip address",
"unknown ns",
"unknown aaaa",
"title",
"body",
"meta",
"window",
"accept",
"body doctype",
"welcome",
"ok server",
"gmt content",
"present jul",
"present sep",
"aaaa",
"hostname",
"error",
"defense evasion",
"windows nt",
"response",
"vary",
"strings",
"core",
"t1027.013 encrypted/encoded",
"michelin lazy k",
"prefetch8",
"flag",
"date",
"starfield",
"hybrid",
"mobility cr",
"extraction",
"data upload",
"include",
"o url",
"url url",
"included i0",
"review ioc",
"excluded ic",
"suggested",
"find sugi",
"failed",
"cre pul",
"enter",
"enter sc",
"type",
"enric",
"extra",
"type opaste",
"data u",
"included",
"copy md5",
"copy sha1",
"copy sha256",
"null",
"refresh",
"tools",
"look",
"verify",
"restart",
"t1480 execution",
"expiration",
"url https",
"no expiration",
"iocs",
"ipv4",
"text drag",
"drop or",
"browse to",
"select file",
"redacted for",
"server",
"privacy tech",
"privacy admin",
"postal code",
"stateprovince",
"organization",
"email",
"code",
"quantum rooms",
"sam somalia",
"emp",
"porn",
"media defense",
"gov porn",
"suck my nips",
"reimer suspect",
"jeffrey reimer",
"dod",
"department of defense",
"show",
"date checked",
"url hostname",
"server response",
"google safe",
"results may",
"entries http",
"scans record",
"value status",
"sabey type",
"merits fake",
"y.a.s.",
"pornography",
"ramsom"
],
"references": [
"https://www.meritshealth.com/ Defense.Gov Mobility Co? ",
"zeroeyes.host \u2022 media.defense.gov \u2022 defense.gov \u2022 23.222.155.67",
"https://media.defense.gov/2022/Mar/17/2002958406/-1/-1/1/SUMMARY-OF-THE-JOINT-ALL-DOMAIN-COMMAND-AND-CONTROL-STRATEGY.pdf",
"https://media.defense.gov/2020/jun/09/2002313081/-1/-1/0/csi-detect-and-prevent-web-shell-malware-20200422.pdf",
"https://rto.bappam.eu/ai-n2cdl/mirai-2025-ven5k-telugu-movie-watch-online.html",
"https://pornokind.vgt.pl \u2022 https://cdn2.video.itsyourporn.com",
"https://webcams.itsyourporn.com/ \u2022 https://members.itsyourporn.com/",
"https://pics-storage-1.pornhat.com/contents/albums/main/1920x1080/135000/135855/9537375.jp",
"https://static.pornhat.com/contents/videos_screenshots/642000/642793/640x360/1.jpg",
"https://d1rozh26tys225.cloudfront.net/robot-suspicion.svg (mobility company no one has heard of)",
"https://www2.itsyourporn.com/license.php \u2022 https://www.lovephoto.tw/members",
"https://members.engine.com/login \u2022 https://members.engine.com/payment-details/220210",
"https://www-pornocarioca-com.sexogratis.page/videos/bbb/ex",
"https://media.defense.gov/2024/sep/18/2003547016/-1/-1/0/csa-prc-linked-actors-botnet.pdf",
"https://maisexo-com.putaria.info/casting \u2022 https://contosadultos-club.sexogratis.page/tudo",
"https://meumundogay-com.sexogratis.page/locker",
"https://es.pornhat.com/models/the-sex-creator/",
"Dear US Government, the man who assaulted targets name is Jeffrey Scott Reimer of Chester Springs, PA",
"Can the DoD no questions asked target a SA victim",
"Red Team Abuse? Starfield ? DoD? You need a real criminal Jeffrey Reimer.",
"There\u2019s a problem with terrorizing victims, relatives of, associates of and stealing their property intellectual or otherwise",
"socialmedia \u2022 socialmedia.defense.gov \u2022 static.defense.gov",
"There is fear in silence or speaking out",
"Target left unattended by anyone in a hospital except a security guard. Hospital refused care. Ignored rare brain incident from high cervical & brain assault injuries aggravated by car accident.",
"3-4 Police presence. 25 + hospital employees prepped radiology room. No one left room so was it for her?",
"If someone is believed to be a threat they have right to due process.",
"Infectious Disease UC Health denied target medication they said she needed as questionable liquid seeped into her brain.",
"She was a researcher not a hacker. A mother not a criminal. Most talented and least impressed person I have ever known.",
"Remarks online \u2018 T\u2019*#^^ is not a runner\u2019 a size 00 broke two track records at a major universities.",
"Honestly, you\u2019ve never seen or met her no many how many people you\u2019ve sent out. That\u2019s why you quiz.",
"ftp.iamrobert.com ? \u2022 https://www.meritshealth.com/templates/iamrobert/fonts/Graphik-Regular.eot",
"iamrobert.com Y.A.S.",
"1.2016 M.Brian Sabey filed a complaint about? Jeffrey Reimer refused Lie detector test and False memory exam",
"Target agreed and complied with all lie detector measures.",
"Is the family allowed to have a funeral for Tsara or print an obituary",
"No, they put Tsara in her mom\u2019s obituary, she couldn\u2019t grieve, she had to take it down.",
"I am very upset. Whoever is doing this is sick."
],
"public": 1,
"adversary": "",
"targeted_countries": [
"United States of America"
],
"malware_families": [
{
"id": "APNIC",
"display_name": "APNIC",
"target": null
},
{
"id": "Malware",
"display_name": "Malware",
"target": null
}
],
"attack_ids": [
{
"id": "T1071",
"name": "Application Layer Protocol",
"display_name": "T1071 - Application Layer Protocol"
},
{
"id": "T1573",
"name": "Encrypted Channel",
"display_name": "T1573 - Encrypted Channel"
},
{
"id": "T1027",
"name": "Obfuscated Files or Information",
"display_name": "T1027 - Obfuscated Files or Information"
},
{
"id": "T1057",
"name": "Process Discovery",
"display_name": "T1057 - Process Discovery"
},
{
"id": "T1069",
"name": "Permission Groups Discovery",
"display_name": "T1069 - Permission Groups Discovery"
},
{
"id": "T1105",
"name": "Ingress Tool Transfer",
"display_name": "T1105 - Ingress Tool Transfer"
},
{
"id": "T1480",
"name": "Execution Guardrails",
"display_name": "T1480 - Execution Guardrails"
},
{
"id": "T1553",
"name": "Subvert Trust Controls",
"display_name": "T1553 - Subvert Trust Controls"
},
{
"id": "T1566",
"name": "Phishing",
"display_name": "T1566 - Phishing"
},
{
"id": "T1568",
"name": "Dynamic Resolution",
"display_name": "T1568 - Dynamic Resolution"
},
{
"id": "T1583",
"name": "Acquire Infrastructure",
"display_name": "T1583 - Acquire Infrastructure"
},
{
"id": "T1069.002",
"name": "Domain Groups",
"display_name": "T1069.002 - Domain Groups"
},
{
"id": "T1071.001",
"name": "Web Protocols",
"display_name": "T1071.001 - Web Protocols"
},
{
"id": "T1583.001",
"name": "Domains",
"display_name": "T1583.001 - Domains"
},
{
"id": "TA0042",
"name": "Resource Development",
"display_name": "TA0042 - Resource Development"
},
{
"id": "TA0005",
"name": "Defense Evasion",
"display_name": "TA0005 - Defense Evasion"
},
{
"id": "T1553.002",
"name": "Code Signing",
"display_name": "T1553.002 - Code Signing"
},
{
"id": "T1528",
"name": "Steal Application Access Token",
"display_name": "T1528 - Steal Application Access Token"
},
{
"id": "T1071.004",
"name": "DNS",
"display_name": "T1071.004 - DNS"
},
{
"id": "T1113",
"name": "Screen Capture",
"display_name": "T1113 - Screen Capture"
},
{
"id": "T1590",
"name": "Gather Victim Network Information",
"display_name": "T1590 - Gather Victim Network Information"
},
{
"id": "T1591",
"name": "Gather Victim Org Information",
"display_name": "T1591 - Gather Victim Org Information"
},
{
"id": "T1132",
"name": "Data Encoding",
"display_name": "T1132 - Data Encoding"
},
{
"id": "T1140",
"name": "Deobfuscate/Decode Files or Information",
"display_name": "T1140 - Deobfuscate/Decode Files or Information"
},
{
"id": "T1562",
"name": "Impair Defenses",
"display_name": "T1562 - Impair Defenses"
},
{
"id": "T1457",
"name": "Malicious Media Content",
"display_name": "T1457 - Malicious Media Content"
},
{
"id": "T1562.001",
"name": "Disable or Modify Tools",
"display_name": "T1562.001 - Disable or Modify Tools"
},
{
"id": "T1562.004",
"name": "Disable or Modify System Firewall",
"display_name": "T1562.004 - Disable or Modify System Firewall"
},
{
"id": "T1089",
"name": "Disabling Security Tools",
"display_name": "T1089 - Disabling Security Tools"
},
{
"id": "T1562.008",
"name": "Disable Cloud Logs",
"display_name": "T1562.008 - Disable Cloud Logs"
},
{
"id": "T1125",
"name": "Video Capture",
"display_name": "T1125 - Video Capture"
},
{
"id": "T1056.003",
"name": "Web Portal Capture",
"display_name": "T1056.003 - Web Portal Capture"
},
{
"id": "T1512",
"name": "Capture Camera",
"display_name": "T1512 - Capture Camera"
},
{
"id": "T1180",
"name": "Screensaver",
"display_name": "T1180 - Screensaver"
}
],
"industries": [],
"TLP": "white",
"cloned_from": null,
"export_count": 11,
"upvotes_count": 0,
"downvotes_count": 0,
"votes_count": 0,
"locked": false,
"pulse_source": "web",
"validator_count": 0,
"comment_count": 1,
"follower_count": 0,
"vote": 0,
"author": {
"username": "Q.Vashti",
"id": "337942",
"avatar_url": "https://otx.alienvault.com/assets/images/default-avatar.png",
"is_subscribed": false,
"is_following": false
},
"indicator_type_counts": {
"domain": 1328,
"URL": 9931,
"hostname": 2621,
"FileHash-MD5": 381,
"FileHash-SHA256": 4360,
"FileHash-SHA1": 338,
"CIDR": 4,
"SSLCertFingerprint": 24,
"CVE": 1,
"email": 1
},
"indicator_count": 18989,
"is_author": false,
"is_subscribing": null,
"subscriber_count": 143,
"modified_text": "147 days ago ",
"is_modified": true,
"groups": [],
"in_group": false,
"threat_hunter_scannable": true,
"threat_hunter_has_agents": 1,
"related_indicator_type": "URL",
"related_indicator_is_active": 1
},
{
"id": "690a2c38de1708af54217faa",
"name": "Access Token used to steal security credentials & hack and ride DND of targeted individuals",
"description": "- https://shift.gearboxsoftware.com/link\n- Found embedded in targets phone.\n\nAccess Token used to steal security credentials & hack and ride DND of targeted individuals device. \nTAM Legal \u2022 Tulach \u2022 Hall Render \u2022 Quasi Government | Some type of Foundry user account found. \n\nStop illegally \n stalking, harassment, attempts, hacking, death threats. . Because the Colorado government allowing entities like this to operate without any type of rules, oversight or boundaries \nMILLION$ were wasted in your own fraud, waste in abuse scheme. AT&T , CrowdStrike , United Healthcare , UC Healthcare, Intermountain Health, T-Mobile, Amazon East, the Colorado Government itself, Medicare and Medicaid. For what? You have zero talent so you take it from those who do. You have nothing coming to you so you steal it from those who do. Is this somehow legal? \n#contacted #all_hosts backdoor #ransomware #cve #usa #american_terrorists #workers_compenstation_abuse #silencing #targeting #hitmen #illegal #malvertizing #aws_dns",
"modified": "2025-12-04T15:01:02.531000",
"created": "2025-11-04T16:39:20.035000",
"tags": [
"present aug",
"moved",
"encrypt",
"present jul",
"passive dns",
"ipv4 add",
"reverse dns",
"united states",
"present may",
"ip address",
"gmt content",
"ipv4",
"all ipv4",
"america",
"united",
"present oct",
"name servers",
"redacted for",
"emails",
"for privacy",
"unknown ns",
"unknown aaaa",
"dynamicloader",
"focus region",
"unicode text",
"utf16",
"ms windows",
"bokeh onlycanon",
"zeiss jena",
"mcsonnar",
"high",
"win64",
"stream",
"write",
"smartassembly",
"trailer",
"next",
"search",
"medium",
"as15169",
"write c",
"reads",
"team",
"malware",
"local",
"yara detections",
"delphi",
"strings",
"dcom",
"form",
"trojandropper",
"mtb nov",
"backdoor",
"otx telemetry",
"trojan",
"type",
"data upload",
"extraction",
"ol rop",
"hash avast",
"avg clamav",
"msdefender nov",
"win32upatre nov",
"win32berbew nov",
"dynamic",
"pe section",
"error",
"close",
"status",
"urls",
"expiration date",
"hostname",
"url analysis",
"yara rule",
"show",
"binary file",
"wine emulator",
"mtb oct",
"files",
"denmark asn",
"as32934",
"candyopen",
"possible",
"smoke loader",
"trojanspy",
"filehash",
"pulses otx",
"related tags",
"file type",
"no analysis",
"available",
"api key",
"screenshots",
"present nov",
"aaaa",
"mtb may",
"mexico",
"hostname add",
"registrar",
"domain add",
"location united",
"email add",
"none related",
"domains",
"email domain",
"service",
"domain",
"america flag",
"body",
"title",
"aws dns",
"next associated",
"risepro",
"guard",
"v full",
"reports v",
"t1059 shared",
"modules",
"t1129 system",
"t1569",
"help v",
"t1179 boot",
"logon autost",
"encoding",
"packing f0001",
"hidden files",
"e1203 windows",
"file attributes",
"registry value",
"catalog tree",
"analysis ob0001",
"evasion b0003",
"virtual machine",
"ip traffic",
"memory pattern",
"pattern urls",
"tls sni",
"get https",
"post https",
"named pipe",
"delete c",
"radar",
"defender",
"format",
"learn",
"command",
"ck id",
"name tactics",
"suspicious",
"informative",
"spawns",
"mitre att",
"ck techniques",
"evasion att",
"country",
"contacted hosts",
"process details",
"flag",
"globalc",
"intel",
"win32",
"worm",
"path",
"explorer",
"script",
"href",
"external",
"html content",
"tulach",
"hallrender",
"tam legal",
"brian sabey",
"christopher ahmann",
"apple",
"msie",
"chrome",
"ascio",
"creation date",
"date",
"germany unknown",
"germany asn",
"files ip",
"address",
"asn as24940",
"less",
"script urls",
"a domains",
"prox",
"dennis schrder",
"meta",
"apache",
"99u25f.exe",
"entries",
"as24940 hetzner",
"dns resolutions",
"status code",
"body length",
"kb body",
"software/ hardware",
"external-resources",
"password-input",
"overview",
"colorado"
],
"references": [
"https://shift.gearboxsoftware.com/link",
"https://tulach.cc/",
"https://www.anyxxxtube.net/search-porn/tsara-brashears/ \u2022 alohatube.xyz \u2022 1001pornvideos.com",
"x402.porn \u2022 http://alohatube.xyz/search/tsara-brashears \u2022 \thttps://ufovpn.io/blog/is-eporner-safe",
"https://www.turbo.net/run/videolan/vlc",
"http://www.forensickb.com/2013/03/file-entropy-explained.html",
"https://www.xlabs.com.br/blog/cve-2013-3304-dell-equallogic-directory-traversal/ \u2022 http://cve.phidias.com/",
"Overview \"Keeping money\" by the Colorado workers' compensation system can refer to",
"legal deductions, legitimate reasons for payment delays or denial, or potential issues that require legal",
"counsel. The system does not \"keep\" money without a valid reason.Lies. they\u2019ve Ben in trouble before ."
],
"public": 1,
"adversary": "Colorado Quasi Government | Workerk Compensation",
"targeted_countries": [
"United States of America"
],
"malware_families": [
{
"id": "Win.Trojan.Generic-9878032-0",
"display_name": "Win.Trojan.Generic-9878032-0",
"target": null
},
{
"id": "Win.Trojan.Starter-171",
"display_name": "Win.Trojan.Starter-171",
"target": null
},
{
"id": "GravityRAT",
"display_name": "GravityRAT",
"target": null
},
{
"id": "Backdoor:Win32/Berbew.AA!MTB",
"display_name": "Backdoor:Win32/Berbew.AA!MTB",
"target": "/malware/Backdoor:Win32/Berbew.AA!MTB"
},
{
"id": "Trojan:MSIL/AgentTesla.DW!MTB",
"display_name": "Trojan:MSIL/AgentTesla.DW!MTB",
"target": "/malware/Trojan:MSIL/AgentTesla.DW!MTB"
},
{
"id": "ALF:HeraklezEval:Trojan:MSIL/Gravityrat!rfn",
"display_name": "ALF:HeraklezEval:Trojan:MSIL/Gravityrat!rfn",
"target": null
},
{
"id": "Trojandropper:Win32/VB.IL",
"display_name": "Trojandropper:Win32/VB.IL",
"target": "/malware/Trojandropper:Win32/VB.IL"
},
{
"id": "Nemucod",
"display_name": "Nemucod",
"target": null
},
{
"id": "Berbew",
"display_name": "Berbew",
"target": null
},
{
"id": "PWS:Win32/Zbot.MS!MTB",
"display_name": "PWS:Win32/Zbot.MS!MTB",
"target": "/malware/PWS:Win32/Zbot.MS!MTB"
},
{
"id": "Win.Trojan.Barys-10005825-0",
"display_name": "Win.Trojan.Barys-10005825-0",
"target": null
},
{
"id": "Upatre",
"display_name": "Upatre",
"target": null
},
{
"id": "TrojanSpy",
"display_name": "TrojanSpy",
"target": null
},
{
"id": "Win.Exploit.Rozena-10038302-0",
"display_name": "Win.Exploit.Rozena-10038302-0",
"target": null
},
{
"id": "Zombie",
"display_name": "Zombie",
"target": null
},
{
"id": "Trojan:Win32/Zombie",
"display_name": "Trojan:Win32/Zombie",
"target": "/malware/Trojan:Win32/Zombie"
},
{
"id": "Muldrop",
"display_name": "Muldrop",
"target": null
},
{
"id": "Worm:Win32/Mofksys.RND!MTB",
"display_name": "Worm:Win32/Mofksys.RND!MTB",
"target": "/malware/Worm:Win32/Mofksys.RND!MTB"
},
{
"id": "Dorv",
"display_name": "Dorv",
"target": null
},
{
"id": "Win.Malware.Pits-10035540-0",
"display_name": "Win.Malware.Pits-10035540-0",
"target": null
},
{
"id": "Win.Ransomware.Msilzilla-10014498-0",
"display_name": "Win.Ransomware.Msilzilla-10014498-0",
"target": null
},
{
"id": "CVE-2023-4966",
"display_name": "CVE-2023-4966",
"target": null
},
{
"id": "Exploit:Linux/CVE-2017-17215",
"display_name": "Exploit:Linux/CVE-2017-17215",
"target": "/malware/Exploit:Linux/CVE-2017-17215"
},
{
"id": "Ransom:Win32/CVE-2017-0147",
"display_name": "Ransom:Win32/CVE-2017-0147",
"target": "/malware/Ransom:Win32/CVE-2017-0147"
},
{
"id": "CVE-2022-26134",
"display_name": "CVE-2022-26134",
"target": null
}
],
"attack_ids": [
{
"id": "T1060",
"name": "Registry Run Keys / Startup Folder",
"display_name": "T1060 - Registry Run Keys / Startup Folder"
},
{
"id": "T1063",
"name": "Security Software Discovery",
"display_name": "T1063 - Security Software Discovery"
},
{
"id": "T1119",
"name": "Automated Collection",
"display_name": "T1119 - Automated Collection"
},
{
"id": "T1045",
"name": "Software Packing",
"display_name": "T1045 - Software Packing"
},
{
"id": "T1059",
"name": "Command and Scripting Interpreter",
"display_name": "T1059 - Command and Scripting Interpreter"
},
{
"id": "T1129",
"name": "Shared Modules",
"display_name": "T1129 - Shared Modules"
},
{
"id": "T1179",
"name": "Hooking",
"display_name": "T1179 - Hooking"
},
{
"id": "T1547",
"name": "Boot or Logon Autostart Execution",
"display_name": "T1547 - Boot or Logon Autostart Execution"
},
{
"id": "T1569",
"name": "System Services",
"display_name": "T1569 - System Services"
},
{
"id": "T1057",
"name": "Process Discovery",
"display_name": "T1057 - Process Discovery"
},
{
"id": "T1027",
"name": "Obfuscated Files or Information",
"display_name": "T1027 - Obfuscated Files or Information"
},
{
"id": "T1069",
"name": "Permission Groups Discovery",
"display_name": "T1069 - Permission Groups Discovery"
},
{
"id": "T1071",
"name": "Application Layer Protocol",
"display_name": "T1071 - Application Layer Protocol"
},
{
"id": "T1105",
"name": "Ingress Tool Transfer",
"display_name": "T1105 - Ingress Tool Transfer"
},
{
"id": "T1480",
"name": "Execution Guardrails",
"display_name": "T1480 - Execution Guardrails"
},
{
"id": "T1553",
"name": "Subvert Trust Controls",
"display_name": "T1553 - Subvert Trust Controls"
},
{
"id": "T1568",
"name": "Dynamic Resolution",
"display_name": "T1568 - Dynamic Resolution"
},
{
"id": "T1457",
"name": "Malicious Media Content",
"display_name": "T1457 - Malicious Media Content"
},
{
"id": "T1071.004",
"name": "DNS",
"display_name": "T1071.004 - DNS"
}
],
"industries": [],
"TLP": "white",
"cloned_from": null,
"export_count": 12,
"upvotes_count": 0,
"downvotes_count": 0,
"votes_count": 0,
"locked": false,
"pulse_source": "web",
"validator_count": 0,
"comment_count": 0,
"follower_count": 0,
"vote": 0,
"author": {
"username": "Q.Vashti",
"id": "337942",
"avatar_url": "https://otx.alienvault.com/assets/images/default-avatar.png",
"is_subscribed": false,
"is_following": false
},
"indicator_type_counts": {
"URL": 6051,
"hostname": 2627,
"FileHash-MD5": 401,
"FileHash-SHA1": 257,
"email": 11,
"domain": 1838,
"FileHash-SHA256": 1742,
"CVE": 4,
"SSLCertFingerprint": 3
},
"indicator_count": 12934,
"is_author": false,
"is_subscribing": null,
"subscriber_count": 144,
"modified_text": "181 days ago ",
"is_modified": true,
"groups": [],
"in_group": false,
"threat_hunter_scannable": true,
"threat_hunter_has_agents": 1,
"related_indicator_type": "URL",
"related_indicator_is_active": 1
},
{
"id": "6879093e8658df9f35683846",
"name": "Worm:Win32/Benjamin continues to impact network",
"description": "Worm:Win32/Benjamin continues to impact network operations of a little known, limited national cybers space organization. P2P-Worm.\n*IDS Detections: \n\u2022 Win32.Worm.Benjamin.A CnC Checkin Alerts\n\u2022 nids_malware_alert\n\u2022 network_icmp\n\u2022 network_irc\n\u2022 persistence_autorun\n| Multiple network issues from outages, stolen password keychains, credentials dumping, impressive espionage attacks. Likely goes unnoticed to many. Widely regarded/reported as an outage that is really an unpatched, ongoing cyber attack.",
"modified": "2025-08-16T14:00:26.166000",
"created": "2025-07-17T14:31:26.824000",
"tags": [
"include review",
"data upload",
"extraction",
"read c",
"search",
"medium",
"show",
"msie",
"windows nt",
"wow64",
"slcc2",
"media center",
"entries",
"dock",
"write",
"execution",
"capture",
"next",
"copy",
"date",
"aaaa",
"present may",
"present nov",
"passive dns",
"ip address",
"domain",
"status",
"next associated",
"delete",
"iocs",
"failed",
"sc data",
"type",
"extr data",
"included",
"review iocs",
"memcommit",
"user execution",
"module load",
"t1129",
"icmp traffic",
"high",
"collection",
"cmd c",
"t1055",
"enter",
"extract",
"enter sc",
"drop or",
"browse t",
"oprop",
"extraction data",
"enter source",
"url or",
"texorag",
"browse",
"urls",
"dnssec",
"hostname add",
"pulse pulses",
"files",
"files ip",
"domainadmin",
"showing",
"ttl value",
"thumbprint",
"onlv",
"find",
"extri data",
"dran anu",
"extr",
"manually add",
"review exclude",
"sugges",
"find s",
"typ hos",
"se data",
"include data",
"review locs",
"exclude",
"suggested es",
"intel",
"ms windows",
"write c",
"pe32",
"pe32 executable",
"copy c",
"worm",
"win32",
"benjamin",
"june",
"delphi",
"malware",
"nids",
"icmp delphi",
"yara detections",
"malware traffic",
"checkin",
"code",
"name servers",
"servers",
"pulses",
"expiration date",
"united",
"body",
"cookie",
"related tags",
"file type",
"pe packer",
"pm size",
"sha1 sha256",
"imphash pehash",
"virustotal api",
"screenshots",
"comments"
],
"references": [],
"public": 1,
"adversary": "",
"targeted_countries": [],
"malware_families": [],
"attack_ids": [
{
"id": "T1023",
"name": "Shortcut Modification",
"display_name": "T1023 - Shortcut Modification"
},
{
"id": "T1053",
"name": "Scheduled Task/Job",
"display_name": "T1053 - Scheduled Task/Job"
},
{
"id": "T1055",
"name": "Process Injection",
"display_name": "T1055 - Process Injection"
},
{
"id": "T1056",
"name": "Input Capture",
"display_name": "T1056 - Input Capture"
},
{
"id": "T1060",
"name": "Registry Run Keys / Startup Folder",
"display_name": "T1060 - Registry Run Keys / Startup Folder"
},
{
"id": "T1082",
"name": "System Information Discovery",
"display_name": "T1082 - System Information Discovery"
},
{
"id": "T1119",
"name": "Automated Collection",
"display_name": "T1119 - Automated Collection"
},
{
"id": "T1129",
"name": "Shared Modules",
"display_name": "T1129 - Shared Modules"
},
{
"id": "T1143",
"name": "Hidden Window",
"display_name": "T1143 - Hidden Window"
},
{
"id": "T1204",
"name": "User Execution",
"display_name": "T1204 - User Execution"
},
{
"id": "T1045",
"name": "Software Packing",
"display_name": "T1045 - Software Packing"
}
],
"industries": [],
"TLP": "green",
"cloned_from": null,
"export_count": 50,
"upvotes_count": 0,
"downvotes_count": 0,
"votes_count": 0,
"locked": false,
"pulse_source": "web",
"validator_count": 0,
"comment_count": 0,
"follower_count": 0,
"vote": 0,
"author": {
"username": "Q.Vashti",
"id": "337942",
"avatar_url": "https://otx.alienvault.com/assets/images/default-avatar.png",
"is_subscribed": false,
"is_following": false
},
"indicator_type_counts": {
"FileHash-MD5": 536,
"FileHash-SHA1": 465,
"FileHash-SHA256": 1836,
"domain": 766,
"hostname": 960,
"URL": 2879,
"CVE": 1,
"email": 4
},
"indicator_count": 7447,
"is_author": false,
"is_subscribing": null,
"subscriber_count": 143,
"modified_text": "291 days ago ",
"is_modified": true,
"groups": [],
"in_group": false,
"threat_hunter_scannable": true,
"threat_hunter_has_agents": 1,
"related_indicator_type": "URL",
"related_indicator_is_active": 1
},
{
"id": "6570908823f97b5559b71806",
"name": ";http://tiktok.hop3.pw/EaL8Ufp - Hybrid A report upliad",
"description": "",
"modified": "2023-12-06T15:17:28.460000",
"created": "2023-12-06T15:17:28.460000",
"tags": [],
"references": [],
"public": 1,
"adversary": "",
"targeted_countries": [],
"malware_families": [],
"attack_ids": [],
"industries": [],
"TLP": "green",
"cloned_from": null,
"export_count": 2,
"upvotes_count": 0,
"downvotes_count": 0,
"votes_count": 0,
"locked": false,
"pulse_source": "api",
"validator_count": 0,
"comment_count": 0,
"follower_count": 0,
"vote": 0,
"author": {
"username": "StreamMiningEx",
"id": "262917",
"avatar_url": "https://otx.alienvault.com/assets/images/default-avatar.png",
"is_subscribed": false,
"is_following": false
},
"indicator_type_counts": {
"FileHash-SHA256": 239,
"domain": 403,
"email": 10,
"URL": 1032,
"hostname": 561,
"FileHash-MD5": 84,
"FileHash-SHA1": 49
},
"indicator_count": 2378,
"is_author": false,
"is_subscribing": null,
"subscriber_count": 109,
"modified_text": "910 days ago ",
"is_modified": false,
"groups": [],
"in_group": false,
"threat_hunter_scannable": true,
"threat_hunter_has_agents": 1,
"related_indicator_type": "URL",
"related_indicator_is_active": 1
},
{
"id": "65708d3fec7eeee20ce02403",
"name": "www.access.service.gov.uk - http mal apple .crl fake godaddy asn and execution via chronme log file - total carnage",
"description": "",
"modified": "2023-12-06T15:03:27.390000",
"created": "2023-12-06T15:03:27.390000",
"tags": [],
"references": [],
"public": 1,
"adversary": "",
"targeted_countries": [],
"malware_families": [],
"attack_ids": [],
"industries": [],
"TLP": "green",
"cloned_from": null,
"export_count": 2,
"upvotes_count": 0,
"downvotes_count": 0,
"votes_count": 0,
"locked": false,
"pulse_source": "api",
"validator_count": 0,
"comment_count": 0,
"follower_count": 0,
"vote": 0,
"author": {
"username": "StreamMiningEx",
"id": "262917",
"avatar_url": "https://otx.alienvault.com/assets/images/default-avatar.png",
"is_subscribed": false,
"is_following": false
},
"indicator_type_counts": {
"CVE": 2,
"FileHash-SHA256": 1374,
"hostname": 792,
"domain": 517,
"URL": 1529,
"FileHash-MD5": 81,
"FileHash-SHA1": 71
},
"indicator_count": 4366,
"is_author": false,
"is_subscribing": null,
"subscriber_count": 110,
"modified_text": "910 days ago ",
"is_modified": false,
"groups": [],
"in_group": false,
"threat_hunter_scannable": true,
"threat_hunter_has_agents": 1,
"related_indicator_type": "URL",
"related_indicator_is_active": 1
},
{
"id": "65708172b5b5810d62645bfe",
"name": "http://adwcleaner.malwarebytes.com/ and cloudfront hosts",
"description": "",
"modified": "2023-12-06T14:13:06.127000",
"created": "2023-12-06T14:13:06.127000",
"tags": [],
"references": [],
"public": 1,
"adversary": "",
"targeted_countries": [],
"malware_families": [],
"attack_ids": [],
"industries": [],
"TLP": "green",
"cloned_from": null,
"export_count": 2,
"upvotes_count": 0,
"downvotes_count": 0,
"votes_count": 0,
"locked": false,
"pulse_source": "api",
"validator_count": 0,
"comment_count": 0,
"follower_count": 0,
"vote": 0,
"author": {
"username": "StreamMiningEx",
"id": "262917",
"avatar_url": "https://otx.alienvault.com/assets/images/default-avatar.png",
"is_subscribed": false,
"is_following": false
},
"indicator_type_counts": {
"hostname": 516,
"FileHash-SHA256": 340,
"URL": 713,
"email": 3,
"domain": 356,
"FileHash-MD5": 119,
"FileHash-SHA1": 59,
"SSLCertFingerprint": 4
},
"indicator_count": 2110,
"is_author": false,
"is_subscribing": null,
"subscriber_count": 110,
"modified_text": "910 days ago ",
"is_modified": false,
"groups": [],
"in_group": false,
"threat_hunter_scannable": true,
"threat_hunter_has_agents": 1,
"related_indicator_type": "URL",
"related_indicator_is_active": 1
}
],
"error": null,
"vt": {
"error": "VirusTotal rate limit reached. Try again shortly.",
"indicator": "https://shop.crowdfarmx.com",
"type": "URL"
},
"abuseipdb": null,
"urlhaus": {
"indicator": "https://shop.crowdfarmx.com",
"type": "URL",
"found": false,
"verdict": "clean",
"error": null
},
"from_cache": true,
"_cached_at": 1780514783.7483006
}