{ "type": "URL", "indicator": "https://status.bankid.no", "general": { "sections": [ "general", "url_list", "http_scans", "screenshot" ], "indicator": "https://status.bankid.no", "type": "url", "type_title": "URL", "validation": [], "base_indicator": { "id": 4096411625, "indicator": "https://status.bankid.no", "type": "URL", "title": "", "description": "", "content": "", "access_type": "public", "access_reason": "" }, "pulse_info": { "count": 4, "pulses": [ { "id": "69f54c711cd17df01c20d601", "name": "Enemy of the State: Order in the Court \u2022 Part 3 - Rogue Domain Controller | Gh0stRAT", "description": "Active cyber issues\ncontinue to affect Colorado Judicial, Government and Hospital systems. \n\nWhat\u2019s true: Targeting, Hacking , Rogue Domain Controller. Bad actors regularly ride outdated , poorly managed networks. \n\n\nTipped: Monitored Targets past irregular mail \nissues. URLs that redirects to Colorado Justice system., included in a letter that was sent to an undeliverable address. Mail sent again, recipient believes the contents of letters does not appear authentic. \n\n\nTipped: RE: Monitored Target. Unfavorable, Unjust conditions in Denver , Colorado USA. As recent as 4/2026. Other pulses related to this matter suggests a Pegasus relationship. Will need to analyze.", "modified": "2026-05-31T05:19:13.706000", "created": "2026-05-02T00:59:29.794000", "tags": [ "united kingdom", "united", "spain", "denmark", "report spam", "adversaries", "days ago", "xy amp", "ck ids", "packing", "taskjob", "ipv4", "indicator role", "active related", "ccus asnas749", "dynamicloader", "port", "high", "windows", "destination", "displayname", "write c", "write", "stream", "defense evasion", "malware", "hostile", "contacted", "ids detections", "query", "hostile http", "request", "lowercase host", "header observed", "tls sni", "yara detections", "active", "pulses hostname", "otx logo", "all report", "t1045", "t1053", "t1055", "fastly dns", ".ru", "microsoft", "palantirfoundry", "ioc", "history", "compromise", "antonio apr", "valeria paredes", "valeria", "paredes", "colorado", "courts", "judicial", "denver county", "dougco", "pagosa springs", "hacking", "modifications", "masquerading", "mock", "bannock st", "ericka", "arevalo antonio", "criminal attack", "cyber", "threat actors", "bots", "ascii text", "json", "ms windows", "pe32", "medium", "trojan", "august", "packer", "local", "next", "rat", "bat", "botnet", "cve", "yahoo", "pornhub", "dns", "remote", "password", "manipulation", "objection", "overruled", "your witness", "patriot act", "tsara brashears", "reflected", "targeting", "monitored target", "incc", "hua mucatul", "securityvaleria", "injection", "aquire", "correo", "number", "security apr", "document file", "v2 document", "little endian", "version", "msi installer", "code page", "template", "logmein", "title", "logmein rescue", "gh0strat", "emotet", "scar", "snake keylogger", "trojandropper", "review lo", "ccdk ,", "asnas20940", "tulach", "login join", "support privacy", "notice", "programs porn", "found pornstars", "videos movies", "now ooops", "we ca", "nt find", "the page", "sweet", "click", "back", "tulach", "they know", "1%", "f-h", "englert" ], "references": [ "https://www.coloradojudicial.gov/data", "https://cp.bankid.no", "coloradoproblemsolvingcourts.org?", "https://odr.coloradojudicial.gov/login", "http://coloradojudicial.gov/Courts/Supreme_Court/cjds", "www.its.courts.state.co.us", "https://www.pornhub.com/gifs/search?search=tsara+lynn+brashears+lesbian", "https://www.sweetheartvideo.com/tsara-brashears", "chrome.cloudflare-dns.com", "https://rockylinux.map.fastlydns.net/" ], "public": 1, "adversary": "", "targeted_countries": [ "United States of America" ], "malware_families": [ { "id": "Win.Trojan.Generic-9908275-0", "display_name": "Win.Trojan.Generic-9908275-0", "target": null }, { "id": "Trojan:Win32/Scar.MR!MTB", "display_name": "Trojan:Win32/Scar.MR!MTB", "target": "/malware/Trojan:Win32/Scar.MR!MTB" }, { "id": "Trojan:Win32/Zbot", "display_name": "Trojan:Win32/Zbot", "target": "/malware/Trojan:Win32/Zbot" }, { "id": "TrojanDownloader:Win32/Nemucod", "display_name": "TrojanDownloader:Win32/Nemucod", "target": "/malware/TrojanDownloader:Win32/Nemucod" }, { "id": "TrojanDownloader:Win32/VB.IL", "display_name": "TrojanDownloader:Win32/VB.IL", "target": "/malware/TrojanDownloader:Win32/VB.IL" }, { "id": "TrojanDownloader:Win32/Inbat.H", "display_name": "TrojanDownloader:Win32/Inbat.H", "target": "/malware/TrojanDownloader:Win32/Inbat.H" }, { "id": "Trojan:Win32/Gupboot.B", "display_name": "Trojan:Win32/Gupboot.B", "target": "/malware/Trojan:Win32/Gupboot.B" }, { "id": "Win.Malware.Jaik-9968280-0", "display_name": "Win.Malware.Jaik-9968280-0", "target": null }, { "id": "Trojan:Win32/Glupteba.MT!MTB", "display_name": "Trojan:Win32/Glupteba.MT!MTB", "target": "/malware/Trojan:Win32/Glupteba.MT!MTB" }, { "id": "TrojanDownloader:Win32/Upatre", "display_name": "TrojanDownloader:Win32/Upatre", "target": "/malware/TrojanDownloader:Win32/Upatre" }, { "id": "Trojan:MSIL/SnakeKeylogger.MK1!MTB", "display_name": "Trojan:MSIL/SnakeKeylogger.MK1!MTB", "target": "/malware/Trojan:MSIL/SnakeKeylogger.MK1!MTB" }, { "id": "Trojan:Win32/Zombie.A", "display_name": "Trojan:Win32/Zombie.A", "target": "/malware/Trojan:Win32/Zombie.A" }, { "id": "Trojan:Win32/Dorv.A", "display_name": "Trojan:Win32/Dorv.A", "target": "/malware/Trojan:Win32/Dorv.A" }, { "id": "Win.Trojan.Gh0stRAT-7480037-0", "display_name": "Win.Trojan.Gh0stRAT-7480037-0", "target": null }, { "id": "TrojanDownloader:Win32/Systex.A", "display_name": "TrojanDownloader:Win32/Systex.A", "target": "/malware/TrojanDownloader:Win32/Systex.A" }, { "id": "Trojan:Win32/Blihan.A", "display_name": "Trojan:Win32/Blihan.A", "target": "/malware/Trojan:Win32/Blihan.A" }, { "id": "ALF:PulZati:Trojan:Win32/Emotet!rfn", "display_name": "ALF:PulZati:Trojan:Win32/Emotet!rfn", "target": null }, { "id": "ALF:Trojan:Win32/Cassini_f2776388!ibt", "display_name": "ALF:Trojan:Win32/Cassini_f2776388!ibt", "target": null }, { "id": "Win.Trojan.Barys", "display_name": "Win.Trojan.Barys", "target": null }, { "id": "Win.Trojan.Killav-210", "display_name": "Win.Trojan.Killav-210", "target": null }, { "id": "TEL:Trojan:Win32/Injector.AB!MSR", "display_name": "TEL:Trojan:Win32/Injector.AB!MSR", "target": null }, { "id": "TrojanDownloader:Win32/Misfox", "display_name": "TrojanDownloader:Win32/Misfox", "target": "/malware/TrojanDownloader:Win32/Misfox" }, { "id": "Malware Packed", "display_name": "Malware Packed", "target": null } ], "attack_ids": [ { "id": "T1045", "name": "Software Packing", "display_name": "T1045 - Software Packing" }, { "id": "T1053", "name": "Scheduled Task/Job", "display_name": "T1053 - Scheduled Task/Job" }, { "id": "T1055", "name": "Process Injection", "display_name": "T1055 - Process Injection" }, { "id": "T1057", "name": "Process Discovery", "display_name": "T1057 - Process Discovery" }, { "id": "T1060", "name": "Registry Run Keys / Startup Folder", "display_name": "T1060 - Registry Run Keys / Startup Folder" }, { "id": "T1063", "name": "Security Software Discovery", "display_name": "T1063 - Security Software Discovery" }, { "id": "T1069", "name": "Permission Groups Discovery", "display_name": "T1069 - Permission Groups Discovery" }, { "id": "T1071", "name": "Application Layer Protocol", "display_name": "T1071 - Application Layer Protocol" }, { "id": "T1082", "name": "System Information Discovery", "display_name": "T1082 - System Information Discovery" }, { "id": "T1105", "name": "Ingress Tool Transfer", "display_name": "T1105 - Ingress Tool Transfer" }, { "id": "T1119", "name": "Automated Collection", "display_name": "T1119 - Automated Collection" }, { "id": "T1129", "name": "Shared Modules", "display_name": "T1129 - Shared Modules" }, { "id": "T1143", "name": "Hidden Window", "display_name": "T1143 - Hidden Window" }, { "id": "T1207", "name": "Rogue Domain Controller", "display_name": "T1207 - Rogue Domain Controller" }, { "id": "T1428", "name": "Exploit Enterprise Resources", "display_name": "T1428 - Exploit Enterprise Resources" }, { "id": "T1480", "name": "Execution Guardrails", "display_name": "T1480 - Execution Guardrails" }, { "id": "T1553", "name": "Subvert Trust Controls", "display_name": "T1553 - Subvert Trust Controls" }, { "id": "T1568", "name": "Dynamic Resolution", "display_name": "T1568 - Dynamic Resolution" }, { "id": "T1583", "name": "Acquire Infrastructure", "display_name": "T1583 - Acquire Infrastructure" }, { "id": "T1071.001", "name": "Web Protocols", "display_name": "T1071.001 - Web Protocols" }, { "id": "T1071.004", "name": "DNS", "display_name": "T1071.004 - DNS" }, { "id": "T1553.001", "name": "Gatekeeper Bypass", "display_name": "T1553.001 - Gatekeeper Bypass" }, { "id": "T1553.002", "name": "Code Signing", "display_name": "T1553.002 - Code Signing" }, { "id": "T1568.002", "name": "Domain Generation Algorithms", "display_name": "T1568.002 - Domain Generation Algorithms" }, { "id": "T1588.001", "name": "Malware", "display_name": "T1588.001 - Malware" }, { "id": "T1608.001", "name": "Upload Malware", "display_name": "T1608.001 - Upload Malware" }, { "id": "T1457", "name": "Malicious Media Content", "display_name": "T1457 - Malicious Media Content" } ], "industries": [ "Government", "Technology", "Law" ], "TLP": "green", "cloned_from": null, "export_count": 1, "upvotes_count": 0, "downvotes_count": 0, "votes_count": 0, "locked": false, "pulse_source": "web", "validator_count": 0, "comment_count": 0, "follower_count": 0, "vote": 0, "author": { "username": "Q.Vashti", "id": "337942", "avatar_url": "https://otx.alienvault.com/assets/images/default-avatar.png", "is_subscribed": false, "is_following": false }, "indicator_type_counts": { "domain": 271, "hostname": 743, "URL": 1509, "FileHash-SHA256": 1574, "IPv4": 30, "FileHash-MD5": 197, "FileHash-SHA1": 109, "SSLCertFingerprint": 4 }, "indicator_count": 4437, "is_author": false, "is_subscribing": null, "subscriber_count": 144, "modified_text": "5 hours ago ", "is_modified": true, "groups": [], "in_group": false, "threat_hunter_scannable": true, "threat_hunter_has_agents": 1, "related_indicator_type": "URL", "related_indicator_is_active": 1 }, { "id": "69f5d960e861f6159823ff0b", "name": "CREDIT: Q.VASHTI, Clone [\"Enemy of the State: Order in the Court \u2022 Part 3 - Rogue Domain Controller | Gh0stRAT'] credit, Q.VASHTI", "description": "", "modified": "2026-05-31T05:19:13.706000", "created": "2026-05-02T11:00:48.440000", "tags": [ "united kingdom", "united", "spain", "denmark", "report spam", "adversaries", "days ago", "xy amp", "ck ids", "packing", "taskjob", "ipv4", "indicator role", "active related", "ccus asnas749", "dynamicloader", "port", "high", "windows", "destination", "displayname", "write c", "write", "stream", "defense evasion", "malware", "hostile", "contacted", "ids detections", "query", "hostile http", "request", "lowercase host", "header observed", "tls sni", "yara detections", "active", "pulses hostname", "otx logo", "all report", "t1045", "t1053", "t1055", "fastly dns", ".ru", "microsoft", "palantirfoundry", "ioc", "history", "compromise", "antonio apr", "valeria paredes", "valeria", "paredes", "colorado", "courts", "judicial", "denver county", "dougco", "pagosa springs", "hacking", "modifications", "masquerading", "mock", "bannock st", "ericka", "arevalo antonio", "criminal attack", "cyber", "threat actors", "bots", "ascii text", "json", "ms windows", "pe32", "medium", "trojan", "august", "packer", "local", "next", "rat", "bat", "botnet", "cve", "yahoo", "pornhub", "dns", "remote", "password", "manipulation", "objection", "overruled", "your witness", "patriot act", "tsara brashears", "reflected", "targeting", "monitored target", "incc", "hua mucatul", "securityvaleria", "injection", "aquire", "correo", "number", "security apr", "document file", "v2 document", "little endian", "version", "msi installer", "code page", "template", "logmein", "title", "logmein rescue", "gh0strat", "emotet", "scar", "snake keylogger", "trojandropper", "review lo", "ccdk ,", "asnas20940", "tulach", "login join", "support privacy", "notice", "programs porn", "found pornstars", "videos movies", "now ooops", "we ca", "nt find", "the page", "sweet", "click", "back", "tulach", "they know", "1%", "f-h", "englert" ], "references": [ "https://www.coloradojudicial.gov/data", "https://cp.bankid.no", "coloradoproblemsolvingcourts.org?", "https://odr.coloradojudicial.gov/login", "http://coloradojudicial.gov/Courts/Supreme_Court/cjds", "www.its.courts.state.co.us", "https://www.pornhub.com/gifs/search?search=tsara+lynn+brashears+lesbian", "https://www.sweetheartvideo.com/tsara-brashears", "chrome.cloudflare-dns.com", "https://rockylinux.map.fastlydns.net/" ], "public": 1, "adversary": "", "targeted_countries": [ "United States of America" ], "malware_families": [ { "id": "Win.Trojan.Generic-9908275-0", "display_name": "Win.Trojan.Generic-9908275-0", "target": null }, { "id": "Trojan:Win32/Scar.MR!MTB", "display_name": "Trojan:Win32/Scar.MR!MTB", "target": "/malware/Trojan:Win32/Scar.MR!MTB" }, { "id": "Trojan:Win32/Zbot", "display_name": "Trojan:Win32/Zbot", "target": "/malware/Trojan:Win32/Zbot" }, { "id": "TrojanDownloader:Win32/Nemucod", "display_name": "TrojanDownloader:Win32/Nemucod", "target": "/malware/TrojanDownloader:Win32/Nemucod" }, { "id": "TrojanDownloader:Win32/VB.IL", "display_name": "TrojanDownloader:Win32/VB.IL", "target": "/malware/TrojanDownloader:Win32/VB.IL" }, { "id": "TrojanDownloader:Win32/Inbat.H", "display_name": "TrojanDownloader:Win32/Inbat.H", "target": "/malware/TrojanDownloader:Win32/Inbat.H" }, { "id": "Trojan:Win32/Gupboot.B", "display_name": "Trojan:Win32/Gupboot.B", "target": "/malware/Trojan:Win32/Gupboot.B" }, { "id": "Win.Malware.Jaik-9968280-0", "display_name": "Win.Malware.Jaik-9968280-0", "target": null }, { "id": "Trojan:Win32/Glupteba.MT!MTB", "display_name": "Trojan:Win32/Glupteba.MT!MTB", "target": "/malware/Trojan:Win32/Glupteba.MT!MTB" }, { "id": "TrojanDownloader:Win32/Upatre", "display_name": "TrojanDownloader:Win32/Upatre", "target": "/malware/TrojanDownloader:Win32/Upatre" }, { "id": "Trojan:MSIL/SnakeKeylogger.MK1!MTB", "display_name": "Trojan:MSIL/SnakeKeylogger.MK1!MTB", "target": "/malware/Trojan:MSIL/SnakeKeylogger.MK1!MTB" }, { "id": "Trojan:Win32/Zombie.A", "display_name": "Trojan:Win32/Zombie.A", "target": "/malware/Trojan:Win32/Zombie.A" }, { "id": "Trojan:Win32/Dorv.A", "display_name": "Trojan:Win32/Dorv.A", "target": "/malware/Trojan:Win32/Dorv.A" }, { "id": "Win.Trojan.Gh0stRAT-7480037-0", "display_name": "Win.Trojan.Gh0stRAT-7480037-0", "target": null }, { "id": "TrojanDownloader:Win32/Systex.A", "display_name": "TrojanDownloader:Win32/Systex.A", "target": "/malware/TrojanDownloader:Win32/Systex.A" }, { "id": "Trojan:Win32/Blihan.A", "display_name": "Trojan:Win32/Blihan.A", "target": "/malware/Trojan:Win32/Blihan.A" }, { "id": "ALF:PulZati:Trojan:Win32/Emotet!rfn", "display_name": "ALF:PulZati:Trojan:Win32/Emotet!rfn", "target": null }, { "id": "ALF:Trojan:Win32/Cassini_f2776388!ibt", "display_name": "ALF:Trojan:Win32/Cassini_f2776388!ibt", "target": null }, { "id": "Win.Trojan.Barys", "display_name": "Win.Trojan.Barys", "target": null }, { "id": "Win.Trojan.Killav-210", "display_name": "Win.Trojan.Killav-210", "target": null }, { "id": "TEL:Trojan:Win32/Injector.AB!MSR", "display_name": "TEL:Trojan:Win32/Injector.AB!MSR", "target": null }, { "id": "TrojanDownloader:Win32/Misfox", "display_name": "TrojanDownloader:Win32/Misfox", "target": "/malware/TrojanDownloader:Win32/Misfox" }, { "id": "Malware Packed", "display_name": "Malware Packed", "target": null } ], "attack_ids": [ { "id": "T1045", "name": "Software Packing", "display_name": "T1045 - Software Packing" }, { "id": "T1053", "name": "Scheduled Task/Job", "display_name": "T1053 - Scheduled Task/Job" }, { "id": "T1055", "name": "Process Injection", "display_name": "T1055 - Process Injection" }, { "id": "T1057", "name": "Process Discovery", "display_name": "T1057 - Process Discovery" }, { "id": "T1060", "name": "Registry Run Keys / Startup Folder", "display_name": "T1060 - Registry Run Keys / Startup Folder" }, { "id": "T1063", "name": "Security Software Discovery", "display_name": "T1063 - Security Software Discovery" }, { "id": "T1069", "name": "Permission Groups Discovery", "display_name": "T1069 - Permission Groups Discovery" }, { "id": "T1071", "name": "Application Layer Protocol", "display_name": "T1071 - Application Layer Protocol" }, { "id": "T1082", "name": "System Information Discovery", "display_name": "T1082 - System Information Discovery" }, { "id": "T1105", "name": "Ingress Tool Transfer", "display_name": "T1105 - Ingress Tool Transfer" }, { "id": "T1119", "name": "Automated Collection", "display_name": "T1119 - Automated Collection" }, { "id": "T1129", "name": "Shared Modules", "display_name": "T1129 - Shared Modules" }, { "id": "T1143", "name": "Hidden Window", "display_name": "T1143 - Hidden Window" }, { "id": "T1207", "name": "Rogue Domain Controller", "display_name": "T1207 - Rogue Domain Controller" }, { "id": "T1428", "name": "Exploit Enterprise Resources", "display_name": "T1428 - Exploit Enterprise Resources" }, { "id": "T1480", "name": "Execution Guardrails", "display_name": "T1480 - Execution Guardrails" }, { "id": "T1553", "name": "Subvert Trust Controls", "display_name": "T1553 - Subvert Trust Controls" }, { "id": "T1568", "name": "Dynamic Resolution", "display_name": "T1568 - Dynamic Resolution" }, { "id": "T1583", "name": "Acquire Infrastructure", "display_name": "T1583 - Acquire Infrastructure" }, { "id": "T1071.001", "name": "Web Protocols", "display_name": "T1071.001 - Web Protocols" }, { "id": "T1071.004", "name": "DNS", "display_name": "T1071.004 - DNS" }, { "id": "T1553.001", "name": "Gatekeeper Bypass", "display_name": "T1553.001 - Gatekeeper Bypass" }, { "id": "T1553.002", "name": "Code Signing", "display_name": "T1553.002 - Code Signing" }, { "id": "T1568.002", "name": "Domain Generation Algorithms", "display_name": "T1568.002 - Domain Generation Algorithms" }, { "id": "T1588.001", "name": "Malware", "display_name": "T1588.001 - Malware" }, { "id": "T1608.001", "name": "Upload Malware", "display_name": "T1608.001 - Upload Malware" }, { "id": "T1457", "name": "Malicious Media Content", "display_name": "T1457 - Malicious Media Content" } ], "industries": [ "Government", "Technology", "Law" ], "TLP": "green", "cloned_from": "69f54c711cd17df01c20d601", "export_count": 1, "upvotes_count": 0, "downvotes_count": 0, "votes_count": 0, "locked": false, "pulse_source": "web", "validator_count": 0, "comment_count": 0, "follower_count": 0, "vote": 0, "author": { "username": "msudosos", "id": "381696", "avatar_url": "https://otx.alienvault.com/assets/images/default-avatar.png", "is_subscribed": false, "is_following": false }, "indicator_type_counts": { "domain": 271, "hostname": 744, "URL": 1509, "FileHash-SHA256": 1574, "IPv4": 30, "FileHash-MD5": 197, "FileHash-SHA1": 109, "SSLCertFingerprint": 4 }, "indicator_count": 4438, "is_author": false, "is_subscribing": null, "subscriber_count": 67, "modified_text": "5 hours ago ", "is_modified": true, "groups": [], "in_group": false, "threat_hunter_scannable": true, "threat_hunter_has_agents": 1, "related_indicator_type": "URL", "related_indicator_is_active": 1 }, { "id": "69f5da1228db82eb87274cab", "name": "CREDIT: Q.VASHTI, Clone [\"Enemy of the State: Order in the Court] clone from cellphone seperate", "description": "", "modified": "2026-05-31T05:19:13.706000", "created": "2026-05-02T11:03:46.995000", "tags": [ "united kingdom", "united", "spain", "denmark", "report spam", "adversaries", "days ago", "xy amp", "ck ids", "packing", "taskjob", "ipv4", "indicator role", "active related", "ccus asnas749", "dynamicloader", "port", "high", "windows", "destination", "displayname", "write c", "write", "stream", "defense evasion", "malware", "hostile", "contacted", "ids detections", "query", "hostile http", "request", "lowercase host", "header observed", "tls sni", "yara detections", "active", "pulses hostname", "otx logo", "all report", "t1045", "t1053", "t1055", "fastly dns", ".ru", "microsoft", "palantirfoundry", "ioc", "history", "compromise", "antonio apr", "valeria paredes", "valeria", "paredes", "colorado", "courts", "judicial", "denver county", "dougco", "pagosa springs", "hacking", "modifications", "masquerading", "mock", "bannock st", "ericka", "arevalo antonio", "criminal attack", "cyber", "threat actors", "bots", "ascii text", "json", "ms windows", "pe32", "medium", "trojan", "august", "packer", "local", "next", "rat", "bat", "botnet", "cve", "yahoo", "pornhub", "dns", "remote", "password", "manipulation", "objection", "overruled", "your witness", "patriot act", "tsara brashears", "reflected", "targeting", "monitored target", "incc", "hua mucatul", "securityvaleria", "injection", "aquire", "correo", "number", "security apr", "document file", "v2 document", "little endian", "version", "msi installer", "code page", "template", "logmein", "title", "logmein rescue", "gh0strat", "emotet", "scar", "snake keylogger", "trojandropper", "review lo", "ccdk ,", "asnas20940", "tulach", "login join", "support privacy", "notice", "programs porn", "found pornstars", "videos movies", "now ooops", "we ca", "nt find", "the page", "sweet", "click", "back", "tulach", "they know", "1%", "f-h", "englert" ], "references": [ "https://www.coloradojudicial.gov/data", "https://cp.bankid.no", "coloradoproblemsolvingcourts.org?", "https://odr.coloradojudicial.gov/login", "http://coloradojudicial.gov/Courts/Supreme_Court/cjds", "www.its.courts.state.co.us", "https://www.pornhub.com/gifs/search?search=tsara+lynn+brashears+lesbian", "https://www.sweetheartvideo.com/tsara-brashears", "chrome.cloudflare-dns.com", "https://rockylinux.map.fastlydns.net/" ], "public": 1, "adversary": "", "targeted_countries": [ "United States of America" ], "malware_families": [ { "id": "Win.Trojan.Generic-9908275-0", "display_name": "Win.Trojan.Generic-9908275-0", "target": null }, { "id": "Trojan:Win32/Scar.MR!MTB", "display_name": "Trojan:Win32/Scar.MR!MTB", "target": "/malware/Trojan:Win32/Scar.MR!MTB" }, { "id": "Trojan:Win32/Zbot", "display_name": "Trojan:Win32/Zbot", "target": "/malware/Trojan:Win32/Zbot" }, { "id": "TrojanDownloader:Win32/Nemucod", "display_name": "TrojanDownloader:Win32/Nemucod", "target": "/malware/TrojanDownloader:Win32/Nemucod" }, { "id": "TrojanDownloader:Win32/VB.IL", "display_name": "TrojanDownloader:Win32/VB.IL", "target": "/malware/TrojanDownloader:Win32/VB.IL" }, { "id": "TrojanDownloader:Win32/Inbat.H", "display_name": "TrojanDownloader:Win32/Inbat.H", "target": "/malware/TrojanDownloader:Win32/Inbat.H" }, { "id": "Trojan:Win32/Gupboot.B", "display_name": "Trojan:Win32/Gupboot.B", "target": "/malware/Trojan:Win32/Gupboot.B" }, { "id": "Win.Malware.Jaik-9968280-0", "display_name": "Win.Malware.Jaik-9968280-0", "target": null }, { "id": "Trojan:Win32/Glupteba.MT!MTB", "display_name": "Trojan:Win32/Glupteba.MT!MTB", "target": "/malware/Trojan:Win32/Glupteba.MT!MTB" }, { "id": "TrojanDownloader:Win32/Upatre", "display_name": "TrojanDownloader:Win32/Upatre", "target": "/malware/TrojanDownloader:Win32/Upatre" }, { "id": "Trojan:MSIL/SnakeKeylogger.MK1!MTB", "display_name": "Trojan:MSIL/SnakeKeylogger.MK1!MTB", "target": "/malware/Trojan:MSIL/SnakeKeylogger.MK1!MTB" }, { "id": "Trojan:Win32/Zombie.A", "display_name": "Trojan:Win32/Zombie.A", "target": "/malware/Trojan:Win32/Zombie.A" }, { "id": "Trojan:Win32/Dorv.A", "display_name": "Trojan:Win32/Dorv.A", "target": "/malware/Trojan:Win32/Dorv.A" }, { "id": "Win.Trojan.Gh0stRAT-7480037-0", "display_name": "Win.Trojan.Gh0stRAT-7480037-0", "target": null }, { "id": "TrojanDownloader:Win32/Systex.A", "display_name": "TrojanDownloader:Win32/Systex.A", "target": "/malware/TrojanDownloader:Win32/Systex.A" }, { "id": "Trojan:Win32/Blihan.A", "display_name": "Trojan:Win32/Blihan.A", "target": "/malware/Trojan:Win32/Blihan.A" }, { "id": "ALF:PulZati:Trojan:Win32/Emotet!rfn", "display_name": "ALF:PulZati:Trojan:Win32/Emotet!rfn", "target": null }, { "id": "ALF:Trojan:Win32/Cassini_f2776388!ibt", "display_name": "ALF:Trojan:Win32/Cassini_f2776388!ibt", "target": null }, { "id": "Win.Trojan.Barys", "display_name": "Win.Trojan.Barys", "target": null }, { "id": "Win.Trojan.Killav-210", "display_name": "Win.Trojan.Killav-210", "target": null }, { "id": "TEL:Trojan:Win32/Injector.AB!MSR", "display_name": "TEL:Trojan:Win32/Injector.AB!MSR", "target": null }, { "id": "TrojanDownloader:Win32/Misfox", "display_name": "TrojanDownloader:Win32/Misfox", "target": "/malware/TrojanDownloader:Win32/Misfox" }, { "id": "Malware Packed", "display_name": "Malware Packed", "target": null } ], "attack_ids": [ { "id": "T1045", "name": "Software Packing", "display_name": "T1045 - Software Packing" }, { "id": "T1053", "name": "Scheduled Task/Job", "display_name": "T1053 - Scheduled Task/Job" }, { "id": "T1055", "name": "Process Injection", "display_name": "T1055 - Process Injection" }, { "id": "T1057", "name": "Process Discovery", "display_name": "T1057 - Process Discovery" }, { "id": "T1060", "name": "Registry Run Keys / Startup Folder", "display_name": "T1060 - Registry Run Keys / Startup Folder" }, { "id": "T1063", "name": "Security Software Discovery", "display_name": "T1063 - Security Software Discovery" }, { "id": "T1069", "name": "Permission Groups Discovery", "display_name": "T1069 - Permission Groups Discovery" }, { "id": "T1071", "name": "Application Layer Protocol", "display_name": "T1071 - Application Layer Protocol" }, { "id": "T1082", "name": "System Information Discovery", "display_name": "T1082 - System Information Discovery" }, { "id": "T1105", "name": "Ingress Tool Transfer", "display_name": "T1105 - Ingress Tool Transfer" }, { "id": "T1119", "name": "Automated Collection", "display_name": "T1119 - Automated Collection" }, { "id": "T1129", "name": "Shared Modules", "display_name": "T1129 - Shared Modules" }, { "id": "T1143", "name": "Hidden Window", "display_name": "T1143 - Hidden Window" }, { "id": "T1207", "name": "Rogue Domain Controller", "display_name": "T1207 - Rogue Domain Controller" }, { "id": "T1428", "name": "Exploit Enterprise Resources", "display_name": "T1428 - Exploit Enterprise Resources" }, { "id": "T1480", "name": "Execution Guardrails", "display_name": "T1480 - Execution Guardrails" }, { "id": "T1553", "name": "Subvert Trust Controls", "display_name": "T1553 - Subvert Trust Controls" }, { "id": "T1568", "name": "Dynamic Resolution", "display_name": "T1568 - Dynamic Resolution" }, { "id": "T1583", "name": "Acquire Infrastructure", "display_name": "T1583 - Acquire Infrastructure" }, { "id": "T1071.001", "name": "Web Protocols", "display_name": "T1071.001 - Web Protocols" }, { "id": "T1071.004", "name": "DNS", "display_name": "T1071.004 - DNS" }, { "id": "T1553.001", "name": "Gatekeeper Bypass", "display_name": "T1553.001 - Gatekeeper Bypass" }, { "id": "T1553.002", "name": "Code Signing", "display_name": "T1553.002 - Code Signing" }, { "id": "T1568.002", "name": "Domain Generation Algorithms", "display_name": "T1568.002 - Domain Generation Algorithms" }, { "id": "T1588.001", "name": "Malware", "display_name": "T1588.001 - Malware" }, { "id": "T1608.001", "name": "Upload Malware", "display_name": "T1608.001 - Upload Malware" }, { "id": "T1457", "name": "Malicious Media Content", "display_name": "T1457 - Malicious Media Content" } ], "industries": [ "Government", "Technology", "Law" ], "TLP": "green", "cloned_from": "69f5d960e861f6159823ff0b", "export_count": 0, "upvotes_count": 0, "downvotes_count": 0, "votes_count": 0, "locked": false, "pulse_source": "web", "validator_count": 0, "comment_count": 1, "follower_count": 0, "vote": 0, "author": { "username": "msudosos", "id": "381696", "avatar_url": "https://otx.alienvault.com/assets/images/default-avatar.png", "is_subscribed": false, "is_following": false }, "indicator_type_counts": { "domain": 273, "hostname": 769, "URL": 1601, "FileHash-SHA256": 1576, "IPv4": 227, "FileHash-MD5": 197, "FileHash-SHA1": 109, "SSLCertFingerprint": 4, "IPv6": 4 }, "indicator_count": 4760, "is_author": false, "is_subscribing": null, "subscriber_count": 68, "modified_text": "5 hours ago ", "is_modified": true, "groups": [], "in_group": false, "threat_hunter_scannable": true, "threat_hunter_has_agents": 1, "related_indicator_type": "URL", "related_indicator_is_active": 1 }, { "id": "687b5499d48de6e54f3bff11", "name": "213.174.130.70 - Spyware Install | Emotet via Malware sites", "description": "Malicious IP address for multiple malware domains. Very malicious spyware, will hijack network and devices. \n\u2022 Best Targeted sites \nSpyware Install\n\u2022 Garveep POST CnC\nBeacon\n\u2022 Worm.Mydoom\nCheckin\n\n#endgame #emotet #mydoom #malware_domains #install_spyware #monitered_targets", "modified": "2025-08-18T08:00:43.712000", "created": "2025-07-19T08:17:29.443000", "tags": [ "handle", "ripe ncc", "ripe network", "address range", "cidr", "allocation type", "assigned pa", "status", "whois server", "entity ah36ripe", "algorithm", "key identifier", "x509v3 subject", "data", "v3 serial", "number", "cgb stgreater", "cnsectigo rsa", "secure server", "ca validity", "date", "abuse contact", "orgid", "orgtechhandle", "address", "orgabuseref", "postalcode", "ripe", "seen", "update date", "tech email", "admin country", "expiration date", "dnssec", "admin id", "mi11255597wp", "msie", "chrome", "passive dns", "united", "ipv4 add", "pulse submit", "url analysis", "urls", "files", "hosting", "open", "body", "extraction", "data upload", "failed", "include review", "anorexx", "video", "father sex", "ebony riding", "ebony", "roberta", "type win32", "exe size", "mb first", "file name", "sentinelone", "present jul", "present oct", "entries http", "memcommit", "t1055", "read c", "search", "entries", "show", "medium", "showing", "high process", "injection t1055", "copy", "write", "win32", "malware", "tsara brashears", "tsara", "pornhub", "porn videos", "watch tsara", "most relevant", "open threat", "exchange", "public", "https", "green", "daily", "brashears", "porn", "watch", "busty xxx", "filter tsara", "brashears porn", "url add", "pulse pulses", "http", "related pulses", "none related", "tags none", "file type", "md5 sha256", "google safe", "browsing", "dynamicloader", "dynamic", "read", "delete", "mtb apr", "trojan", "lowfi", "virtool", "icloader apr", "otx telemetry", "australia", "exploit", "cobalt strike", "hostile", "trojanspy", "msil", "win64", "pulse", "alerts", "yara rule", "named pipe", "xe7xf3xf2x14x9d", "high", "delphi", "local", "next", "learn", "ck id", "name tactics", "suspicious", "informative", "command", "defense evasion", "adversaries", "spawns", "found", "process details", "flag", "contacted", "meta", "location united", "copy md5", "copy sha1", "copy sha256", "sha256", "sha1", "size", "beginstring", "null", "type data", "error", "span", "hybrid", "general", "click", "strings", "refresh", "tools", "pattern match", "show technique", "mitre att", "ck matrix", "ascii text", "show process", "utf8", "crlf line", "network traffic", "path", "included", "review", "excludea", "sugges data", "typ url", "url url", "url hos", "hos hos", "extraction f", "enter so", "u extractio", "extra data", "included review", "ic excluded", "suggeste", "pulses", "md5 google", "safe browsing", "virustotal api", "comments", "ally s", "extraction data", "enter soudcfidi", "ad temdac", "cddad ad", "praw type", "extr", "include u", "creation date", "record value", "gmt content", "x adblock", "certificate", "domain", "encrypt", "sec ch", "ch ua", "unknown aaaa", "ua full", "ua platform", "present jun", "moved", "ip address", "doctype html", "lander script", "head", "method", "allowed date", "arizona", "scottsdale", "go daddy", "authority", "next associated", "extraction fail", "enter soupce", "udi ad", "trydda dada", "panca type", "ur extraction", "s data", "pr extract", "servers", "hostname", "files ip", "denmark unknown" ], "references": [], "public": 1, "adversary": "", "targeted_countries": [], "malware_families": [], "attack_ids": [ { "id": "T1045", "name": "Software Packing", "display_name": "T1045 - Software Packing" }, { "id": "T1055", "name": "Process Injection", "display_name": "T1055 - Process Injection" }, { "id": "T1082", "name": "System Information Discovery", "display_name": "T1082 - System Information Discovery" }, { "id": "T1063", "name": "Security Software Discovery", "display_name": "T1063 - Security Software Discovery" }, { "id": "T1119", "name": "Automated Collection", "display_name": "T1119 - Automated Collection" }, { "id": "T1057", "name": "Process Discovery", "display_name": "T1057 - Process Discovery" }, { "id": "T1071", "name": "Application Layer Protocol", "display_name": "T1071 - Application Layer Protocol" }, { "id": "T1105", "name": "Ingress Tool Transfer", "display_name": "T1105 - Ingress Tool Transfer" }, { "id": "T1480", "name": "Execution Guardrails", "display_name": "T1480 - Execution Guardrails" }, { "id": "T1562", "name": "Impair Defenses", "display_name": "T1562 - Impair Defenses" } ], "industries": [], "TLP": "green", "cloned_from": null, "export_count": 31, "upvotes_count": 0, "downvotes_count": 0, "votes_count": 0, "locked": false, "pulse_source": "web", "validator_count": 0, "comment_count": 0, "follower_count": 0, "vote": 0, "author": { "username": "Q.Vashti", "id": "337942", "avatar_url": "https://otx.alienvault.com/assets/images/default-avatar.png", "is_subscribed": false, "is_following": false }, "indicator_type_counts": { "CIDR": 4, "URL": 7528, "domain": 1822, "hostname": 2015, "email": 5, "FileHash-MD5": 373, "FileHash-SHA1": 363, "FileHash-SHA256": 1939 }, "indicator_count": 14049, "is_author": false, "is_subscribing": null, "subscriber_count": 142, "modified_text": "286 days ago ", "is_modified": true, "groups": [], "in_group": false, "threat_hunter_scannable": true, "threat_hunter_has_agents": 1, "related_indicator_type": "URL", "related_indicator_is_active": 1 } ], "references": [ "chrome.cloudflare-dns.com", "https://rockylinux.map.fastlydns.net/", "coloradoproblemsolvingcourts.org?", "www.its.courts.state.co.us", "https://odr.coloradojudicial.gov/login", "https://www.sweetheartvideo.com/tsara-brashears", "http://coloradojudicial.gov/Courts/Supreme_Court/cjds", "https://cp.bankid.no", "https://www.coloradojudicial.gov/data", "https://www.pornhub.com/gifs/search?search=tsara+lynn+brashears+lesbian" ], "related": { "alienvault": { "adversary": [], "malware_families": [], "industries": [], "unique_indicators": 0 }, "other": { "adversary": [], "malware_families": [ "Trojandownloader:win32/nemucod", "Trojandownloader:win32/misfox", "Alf:trojan:win32/cassini_f2776388!ibt", "Tel:trojan:win32/injector.ab!msr", "Trojan:win32/gupboot.b", "Trojan:win32/scar.mr!mtb", "Alf:pulzati:trojan:win32/emotet!rfn", "Trojandownloader:win32/upatre", "Trojan:win32/blihan.a", "Trojandownloader:win32/vb.il", "Trojandownloader:win32/inbat.h", "Win.trojan.generic-9908275-0", "Win.trojan.killav-210", "Trojan:win32/zbot", "Trojandownloader:win32/systex.a", "Trojan:msil/snakekeylogger.mk1!mtb", "Malware packed", "Win.trojan.barys", "Trojan:win32/dorv.a", "Win.trojan.gh0strat-7480037-0", "Trojan:win32/glupteba.mt!mtb", "Trojan:win32/zombie.a", "Win.malware.jaik-9968280-0" ], "industries": [ "Government", "Technology", "Law" ], "unique_indicators": 18642 } } }, "false_positive": [], "alexa": "http://www.alexa.com/siteinfo/bankid.no", "whois": "http://whois.domaintools.com/bankid.no", "domain": "bankid.no", "hostname": "status.bankid.no" }, "geo": {}, "geo_ipapicom": {}, "pulse_count": 4, "pulses": [ { "id": "69f54c711cd17df01c20d601", "name": "Enemy of the State: Order in the Court \u2022 Part 3 - Rogue Domain Controller | Gh0stRAT", "description": "Active cyber issues\ncontinue to affect Colorado Judicial, Government and Hospital systems. \n\nWhat\u2019s true: Targeting, Hacking , Rogue Domain Controller. Bad actors regularly ride outdated , poorly managed networks. \n\n\nTipped: Monitored Targets past irregular mail \nissues. URLs that redirects to Colorado Justice system., included in a letter that was sent to an undeliverable address. Mail sent again, recipient believes the contents of letters does not appear authentic. \n\n\nTipped: RE: Monitored Target. Unfavorable, Unjust conditions in Denver , Colorado USA. As recent as 4/2026. Other pulses related to this matter suggests a Pegasus relationship. Will need to analyze.", "modified": "2026-05-31T05:19:13.706000", "created": "2026-05-02T00:59:29.794000", "tags": [ "united kingdom", "united", "spain", "denmark", "report spam", "adversaries", "days ago", "xy amp", "ck ids", "packing", "taskjob", "ipv4", "indicator role", "active related", "ccus asnas749", "dynamicloader", "port", "high", "windows", "destination", "displayname", "write c", "write", "stream", "defense evasion", "malware", "hostile", "contacted", "ids detections", "query", "hostile http", "request", "lowercase host", "header observed", "tls sni", "yara detections", "active", "pulses hostname", "otx logo", "all report", "t1045", "t1053", "t1055", "fastly dns", ".ru", "microsoft", "palantirfoundry", "ioc", "history", "compromise", "antonio apr", "valeria paredes", "valeria", "paredes", "colorado", "courts", "judicial", "denver county", "dougco", "pagosa springs", "hacking", "modifications", "masquerading", "mock", "bannock st", "ericka", "arevalo antonio", "criminal attack", "cyber", "threat actors", "bots", "ascii text", "json", "ms windows", "pe32", "medium", "trojan", "august", "packer", "local", "next", "rat", "bat", "botnet", "cve", "yahoo", "pornhub", "dns", "remote", "password", "manipulation", "objection", "overruled", "your witness", "patriot act", "tsara brashears", "reflected", "targeting", "monitored target", "incc", "hua mucatul", "securityvaleria", "injection", "aquire", "correo", "number", "security apr", "document file", "v2 document", "little endian", "version", "msi installer", "code page", "template", "logmein", "title", "logmein rescue", "gh0strat", "emotet", "scar", "snake keylogger", "trojandropper", "review lo", "ccdk ,", "asnas20940", "tulach", "login join", "support privacy", "notice", "programs porn", "found pornstars", "videos movies", "now ooops", "we ca", "nt find", "the page", "sweet", "click", "back", "tulach", "they know", "1%", "f-h", "englert" ], "references": [ "https://www.coloradojudicial.gov/data", "https://cp.bankid.no", "coloradoproblemsolvingcourts.org?", "https://odr.coloradojudicial.gov/login", "http://coloradojudicial.gov/Courts/Supreme_Court/cjds", "www.its.courts.state.co.us", "https://www.pornhub.com/gifs/search?search=tsara+lynn+brashears+lesbian", "https://www.sweetheartvideo.com/tsara-brashears", "chrome.cloudflare-dns.com", "https://rockylinux.map.fastlydns.net/" ], "public": 1, "adversary": "", "targeted_countries": [ "United States of America" ], "malware_families": [ { "id": "Win.Trojan.Generic-9908275-0", "display_name": "Win.Trojan.Generic-9908275-0", "target": null }, { "id": "Trojan:Win32/Scar.MR!MTB", "display_name": "Trojan:Win32/Scar.MR!MTB", "target": "/malware/Trojan:Win32/Scar.MR!MTB" }, { "id": "Trojan:Win32/Zbot", "display_name": "Trojan:Win32/Zbot", "target": "/malware/Trojan:Win32/Zbot" }, { "id": "TrojanDownloader:Win32/Nemucod", "display_name": "TrojanDownloader:Win32/Nemucod", "target": "/malware/TrojanDownloader:Win32/Nemucod" }, { "id": "TrojanDownloader:Win32/VB.IL", "display_name": "TrojanDownloader:Win32/VB.IL", "target": "/malware/TrojanDownloader:Win32/VB.IL" }, { "id": "TrojanDownloader:Win32/Inbat.H", "display_name": "TrojanDownloader:Win32/Inbat.H", "target": "/malware/TrojanDownloader:Win32/Inbat.H" }, { "id": "Trojan:Win32/Gupboot.B", "display_name": "Trojan:Win32/Gupboot.B", "target": "/malware/Trojan:Win32/Gupboot.B" }, { "id": "Win.Malware.Jaik-9968280-0", "display_name": "Win.Malware.Jaik-9968280-0", "target": null }, { "id": "Trojan:Win32/Glupteba.MT!MTB", "display_name": "Trojan:Win32/Glupteba.MT!MTB", "target": "/malware/Trojan:Win32/Glupteba.MT!MTB" }, { "id": "TrojanDownloader:Win32/Upatre", "display_name": "TrojanDownloader:Win32/Upatre", "target": "/malware/TrojanDownloader:Win32/Upatre" }, { "id": "Trojan:MSIL/SnakeKeylogger.MK1!MTB", "display_name": "Trojan:MSIL/SnakeKeylogger.MK1!MTB", "target": "/malware/Trojan:MSIL/SnakeKeylogger.MK1!MTB" }, { "id": "Trojan:Win32/Zombie.A", "display_name": "Trojan:Win32/Zombie.A", "target": "/malware/Trojan:Win32/Zombie.A" }, { "id": "Trojan:Win32/Dorv.A", "display_name": "Trojan:Win32/Dorv.A", "target": "/malware/Trojan:Win32/Dorv.A" }, { "id": "Win.Trojan.Gh0stRAT-7480037-0", "display_name": "Win.Trojan.Gh0stRAT-7480037-0", "target": null }, { "id": "TrojanDownloader:Win32/Systex.A", "display_name": "TrojanDownloader:Win32/Systex.A", "target": "/malware/TrojanDownloader:Win32/Systex.A" }, { "id": "Trojan:Win32/Blihan.A", "display_name": "Trojan:Win32/Blihan.A", "target": "/malware/Trojan:Win32/Blihan.A" }, { "id": "ALF:PulZati:Trojan:Win32/Emotet!rfn", "display_name": "ALF:PulZati:Trojan:Win32/Emotet!rfn", "target": null }, { "id": "ALF:Trojan:Win32/Cassini_f2776388!ibt", "display_name": "ALF:Trojan:Win32/Cassini_f2776388!ibt", "target": null }, { "id": "Win.Trojan.Barys", "display_name": "Win.Trojan.Barys", "target": null }, { "id": "Win.Trojan.Killav-210", "display_name": "Win.Trojan.Killav-210", "target": null }, { "id": "TEL:Trojan:Win32/Injector.AB!MSR", "display_name": "TEL:Trojan:Win32/Injector.AB!MSR", "target": null }, { "id": "TrojanDownloader:Win32/Misfox", "display_name": "TrojanDownloader:Win32/Misfox", "target": "/malware/TrojanDownloader:Win32/Misfox" }, { "id": "Malware Packed", "display_name": "Malware Packed", "target": null } ], "attack_ids": [ { "id": "T1045", "name": "Software Packing", "display_name": "T1045 - Software Packing" }, { "id": "T1053", "name": "Scheduled Task/Job", "display_name": "T1053 - Scheduled Task/Job" }, { "id": "T1055", "name": "Process Injection", "display_name": "T1055 - Process Injection" }, { "id": "T1057", "name": "Process Discovery", "display_name": "T1057 - Process Discovery" }, { "id": "T1060", "name": "Registry Run Keys / Startup Folder", "display_name": "T1060 - Registry Run Keys / Startup Folder" }, { "id": "T1063", "name": "Security Software Discovery", "display_name": "T1063 - Security Software Discovery" }, { "id": "T1069", "name": "Permission Groups Discovery", "display_name": "T1069 - Permission Groups Discovery" }, { "id": "T1071", "name": "Application Layer Protocol", "display_name": "T1071 - Application Layer Protocol" }, { "id": "T1082", "name": "System Information Discovery", "display_name": "T1082 - System Information Discovery" }, { "id": "T1105", "name": "Ingress Tool Transfer", "display_name": "T1105 - Ingress Tool Transfer" }, { "id": "T1119", "name": "Automated Collection", "display_name": "T1119 - Automated Collection" }, { "id": "T1129", "name": "Shared Modules", "display_name": "T1129 - Shared Modules" }, { "id": "T1143", "name": "Hidden Window", "display_name": "T1143 - Hidden Window" }, { "id": "T1207", "name": "Rogue Domain Controller", "display_name": "T1207 - Rogue Domain Controller" }, { "id": "T1428", "name": "Exploit Enterprise Resources", "display_name": "T1428 - Exploit Enterprise Resources" }, { "id": "T1480", "name": "Execution Guardrails", "display_name": "T1480 - Execution Guardrails" }, { "id": "T1553", "name": "Subvert Trust Controls", "display_name": "T1553 - Subvert Trust Controls" }, { "id": "T1568", "name": "Dynamic Resolution", "display_name": "T1568 - Dynamic Resolution" }, { "id": "T1583", "name": "Acquire Infrastructure", "display_name": "T1583 - Acquire Infrastructure" }, { "id": "T1071.001", "name": "Web Protocols", "display_name": "T1071.001 - Web Protocols" }, { "id": "T1071.004", "name": "DNS", "display_name": "T1071.004 - DNS" }, { "id": "T1553.001", "name": "Gatekeeper Bypass", "display_name": "T1553.001 - Gatekeeper Bypass" }, { "id": "T1553.002", "name": "Code Signing", "display_name": "T1553.002 - Code Signing" }, { "id": "T1568.002", "name": "Domain Generation Algorithms", "display_name": "T1568.002 - Domain Generation Algorithms" }, { "id": "T1588.001", "name": "Malware", "display_name": "T1588.001 - Malware" }, { "id": "T1608.001", "name": "Upload Malware", "display_name": "T1608.001 - Upload Malware" }, { "id": "T1457", "name": "Malicious Media Content", "display_name": "T1457 - Malicious Media Content" } ], "industries": [ "Government", "Technology", "Law" ], "TLP": "green", "cloned_from": null, "export_count": 1, "upvotes_count": 0, "downvotes_count": 0, "votes_count": 0, "locked": false, "pulse_source": "web", "validator_count": 0, "comment_count": 0, "follower_count": 0, "vote": 0, "author": { "username": "Q.Vashti", "id": "337942", "avatar_url": "https://otx.alienvault.com/assets/images/default-avatar.png", "is_subscribed": false, "is_following": false }, "indicator_type_counts": { "domain": 271, "hostname": 743, "URL": 1509, "FileHash-SHA256": 1574, "IPv4": 30, "FileHash-MD5": 197, "FileHash-SHA1": 109, "SSLCertFingerprint": 4 }, "indicator_count": 4437, "is_author": false, "is_subscribing": null, "subscriber_count": 144, "modified_text": "5 hours ago ", "is_modified": true, "groups": [], "in_group": false, "threat_hunter_scannable": true, "threat_hunter_has_agents": 1, "related_indicator_type": "URL", "related_indicator_is_active": 1 }, { "id": "69f5d960e861f6159823ff0b", "name": "CREDIT: Q.VASHTI, Clone [\"Enemy of the State: Order in the Court \u2022 Part 3 - Rogue Domain Controller | Gh0stRAT'] credit, Q.VASHTI", "description": "", "modified": "2026-05-31T05:19:13.706000", "created": "2026-05-02T11:00:48.440000", "tags": [ "united kingdom", "united", "spain", "denmark", "report spam", "adversaries", "days ago", "xy amp", "ck ids", "packing", "taskjob", "ipv4", "indicator role", "active related", "ccus asnas749", "dynamicloader", "port", "high", "windows", "destination", "displayname", "write c", "write", "stream", "defense evasion", "malware", "hostile", "contacted", "ids detections", "query", "hostile http", "request", "lowercase host", "header observed", "tls sni", "yara detections", "active", "pulses hostname", "otx logo", "all report", "t1045", "t1053", "t1055", "fastly dns", ".ru", "microsoft", "palantirfoundry", "ioc", "history", "compromise", "antonio apr", "valeria paredes", "valeria", "paredes", "colorado", "courts", "judicial", "denver county", "dougco", "pagosa springs", "hacking", "modifications", "masquerading", "mock", "bannock st", "ericka", "arevalo antonio", "criminal attack", "cyber", "threat actors", "bots", "ascii text", "json", "ms windows", "pe32", "medium", "trojan", "august", "packer", "local", "next", "rat", "bat", "botnet", "cve", "yahoo", "pornhub", "dns", "remote", "password", "manipulation", "objection", "overruled", "your witness", "patriot act", "tsara brashears", "reflected", "targeting", "monitored target", "incc", "hua mucatul", "securityvaleria", "injection", "aquire", "correo", "number", "security apr", "document file", "v2 document", "little endian", "version", "msi installer", "code page", "template", "logmein", "title", "logmein rescue", "gh0strat", "emotet", "scar", "snake keylogger", "trojandropper", "review lo", "ccdk ,", "asnas20940", "tulach", "login join", "support privacy", "notice", "programs porn", "found pornstars", "videos movies", "now ooops", "we ca", "nt find", "the page", "sweet", "click", "back", "tulach", "they know", "1%", "f-h", "englert" ], "references": [ "https://www.coloradojudicial.gov/data", "https://cp.bankid.no", "coloradoproblemsolvingcourts.org?", "https://odr.coloradojudicial.gov/login", "http://coloradojudicial.gov/Courts/Supreme_Court/cjds", "www.its.courts.state.co.us", "https://www.pornhub.com/gifs/search?search=tsara+lynn+brashears+lesbian", "https://www.sweetheartvideo.com/tsara-brashears", "chrome.cloudflare-dns.com", "https://rockylinux.map.fastlydns.net/" ], "public": 1, "adversary": "", "targeted_countries": [ "United States of America" ], "malware_families": [ { "id": "Win.Trojan.Generic-9908275-0", "display_name": "Win.Trojan.Generic-9908275-0", "target": null }, { "id": "Trojan:Win32/Scar.MR!MTB", "display_name": "Trojan:Win32/Scar.MR!MTB", "target": "/malware/Trojan:Win32/Scar.MR!MTB" }, { "id": "Trojan:Win32/Zbot", "display_name": "Trojan:Win32/Zbot", "target": "/malware/Trojan:Win32/Zbot" }, { "id": "TrojanDownloader:Win32/Nemucod", "display_name": "TrojanDownloader:Win32/Nemucod", "target": "/malware/TrojanDownloader:Win32/Nemucod" }, { "id": "TrojanDownloader:Win32/VB.IL", "display_name": "TrojanDownloader:Win32/VB.IL", "target": "/malware/TrojanDownloader:Win32/VB.IL" }, { "id": "TrojanDownloader:Win32/Inbat.H", "display_name": "TrojanDownloader:Win32/Inbat.H", "target": "/malware/TrojanDownloader:Win32/Inbat.H" }, { "id": "Trojan:Win32/Gupboot.B", "display_name": "Trojan:Win32/Gupboot.B", "target": "/malware/Trojan:Win32/Gupboot.B" }, { "id": "Win.Malware.Jaik-9968280-0", "display_name": "Win.Malware.Jaik-9968280-0", "target": null }, { "id": "Trojan:Win32/Glupteba.MT!MTB", "display_name": "Trojan:Win32/Glupteba.MT!MTB", "target": "/malware/Trojan:Win32/Glupteba.MT!MTB" }, { "id": "TrojanDownloader:Win32/Upatre", "display_name": "TrojanDownloader:Win32/Upatre", "target": "/malware/TrojanDownloader:Win32/Upatre" }, { "id": "Trojan:MSIL/SnakeKeylogger.MK1!MTB", "display_name": "Trojan:MSIL/SnakeKeylogger.MK1!MTB", "target": "/malware/Trojan:MSIL/SnakeKeylogger.MK1!MTB" }, { "id": "Trojan:Win32/Zombie.A", "display_name": "Trojan:Win32/Zombie.A", "target": "/malware/Trojan:Win32/Zombie.A" }, { "id": "Trojan:Win32/Dorv.A", "display_name": "Trojan:Win32/Dorv.A", "target": "/malware/Trojan:Win32/Dorv.A" }, { "id": "Win.Trojan.Gh0stRAT-7480037-0", "display_name": "Win.Trojan.Gh0stRAT-7480037-0", "target": null }, { "id": "TrojanDownloader:Win32/Systex.A", "display_name": "TrojanDownloader:Win32/Systex.A", "target": "/malware/TrojanDownloader:Win32/Systex.A" }, { "id": "Trojan:Win32/Blihan.A", "display_name": "Trojan:Win32/Blihan.A", "target": "/malware/Trojan:Win32/Blihan.A" }, { "id": "ALF:PulZati:Trojan:Win32/Emotet!rfn", "display_name": "ALF:PulZati:Trojan:Win32/Emotet!rfn", "target": null }, { "id": "ALF:Trojan:Win32/Cassini_f2776388!ibt", "display_name": "ALF:Trojan:Win32/Cassini_f2776388!ibt", "target": null }, { "id": "Win.Trojan.Barys", "display_name": "Win.Trojan.Barys", "target": null }, { "id": "Win.Trojan.Killav-210", "display_name": "Win.Trojan.Killav-210", "target": null }, { "id": "TEL:Trojan:Win32/Injector.AB!MSR", "display_name": "TEL:Trojan:Win32/Injector.AB!MSR", "target": null }, { "id": "TrojanDownloader:Win32/Misfox", "display_name": "TrojanDownloader:Win32/Misfox", "target": "/malware/TrojanDownloader:Win32/Misfox" }, { "id": "Malware Packed", "display_name": "Malware Packed", "target": null } ], "attack_ids": [ { "id": "T1045", "name": "Software Packing", "display_name": "T1045 - Software Packing" }, { "id": "T1053", "name": "Scheduled Task/Job", "display_name": "T1053 - Scheduled Task/Job" }, { "id": "T1055", "name": "Process Injection", "display_name": "T1055 - Process Injection" }, { "id": "T1057", "name": "Process Discovery", "display_name": "T1057 - Process Discovery" }, { "id": "T1060", "name": "Registry Run Keys / Startup Folder", "display_name": "T1060 - Registry Run Keys / Startup Folder" }, { "id": "T1063", "name": "Security Software Discovery", "display_name": "T1063 - Security Software Discovery" }, { "id": "T1069", "name": "Permission Groups Discovery", "display_name": "T1069 - Permission Groups Discovery" }, { "id": "T1071", "name": "Application Layer Protocol", "display_name": "T1071 - Application Layer Protocol" }, { "id": "T1082", "name": "System Information Discovery", "display_name": "T1082 - System Information Discovery" }, { "id": "T1105", "name": "Ingress Tool Transfer", "display_name": "T1105 - Ingress Tool Transfer" }, { "id": "T1119", "name": "Automated Collection", "display_name": "T1119 - Automated Collection" }, { "id": "T1129", "name": "Shared Modules", "display_name": "T1129 - Shared Modules" }, { "id": "T1143", "name": "Hidden Window", "display_name": "T1143 - Hidden Window" }, { "id": "T1207", "name": "Rogue Domain Controller", "display_name": "T1207 - Rogue Domain Controller" }, { "id": "T1428", "name": "Exploit Enterprise Resources", "display_name": "T1428 - Exploit Enterprise Resources" }, { "id": "T1480", "name": "Execution Guardrails", "display_name": "T1480 - Execution Guardrails" }, { "id": "T1553", "name": "Subvert Trust Controls", "display_name": "T1553 - Subvert Trust Controls" }, { "id": "T1568", "name": "Dynamic Resolution", "display_name": "T1568 - Dynamic Resolution" }, { "id": "T1583", "name": "Acquire Infrastructure", "display_name": "T1583 - Acquire Infrastructure" }, { "id": "T1071.001", "name": "Web Protocols", "display_name": "T1071.001 - Web Protocols" }, { "id": "T1071.004", "name": "DNS", "display_name": "T1071.004 - DNS" }, { "id": "T1553.001", "name": "Gatekeeper Bypass", "display_name": "T1553.001 - Gatekeeper Bypass" }, { "id": "T1553.002", "name": "Code Signing", "display_name": "T1553.002 - Code Signing" }, { "id": "T1568.002", "name": "Domain Generation Algorithms", "display_name": "T1568.002 - Domain Generation Algorithms" }, { "id": "T1588.001", "name": "Malware", "display_name": "T1588.001 - Malware" }, { "id": "T1608.001", "name": "Upload Malware", "display_name": "T1608.001 - Upload Malware" }, { "id": "T1457", "name": "Malicious Media Content", "display_name": "T1457 - Malicious Media Content" } ], "industries": [ "Government", "Technology", "Law" ], "TLP": "green", "cloned_from": "69f54c711cd17df01c20d601", "export_count": 1, "upvotes_count": 0, "downvotes_count": 0, "votes_count": 0, "locked": false, "pulse_source": "web", "validator_count": 0, "comment_count": 0, "follower_count": 0, "vote": 0, "author": { "username": "msudosos", "id": "381696", "avatar_url": "https://otx.alienvault.com/assets/images/default-avatar.png", "is_subscribed": false, "is_following": false }, "indicator_type_counts": { "domain": 271, "hostname": 744, "URL": 1509, "FileHash-SHA256": 1574, "IPv4": 30, "FileHash-MD5": 197, "FileHash-SHA1": 109, "SSLCertFingerprint": 4 }, "indicator_count": 4438, "is_author": false, "is_subscribing": null, "subscriber_count": 67, "modified_text": "5 hours ago ", "is_modified": true, "groups": [], "in_group": false, "threat_hunter_scannable": true, "threat_hunter_has_agents": 1, "related_indicator_type": "URL", "related_indicator_is_active": 1 }, { "id": "69f5da1228db82eb87274cab", "name": "CREDIT: Q.VASHTI, Clone [\"Enemy of the State: Order in the Court] clone from cellphone seperate", "description": "", "modified": "2026-05-31T05:19:13.706000", "created": "2026-05-02T11:03:46.995000", "tags": [ "united kingdom", "united", "spain", "denmark", "report spam", "adversaries", "days ago", "xy amp", "ck ids", "packing", "taskjob", "ipv4", "indicator role", "active related", "ccus asnas749", "dynamicloader", "port", "high", "windows", "destination", "displayname", "write c", "write", "stream", "defense evasion", "malware", "hostile", "contacted", "ids detections", "query", "hostile http", "request", "lowercase host", "header observed", "tls sni", "yara detections", "active", "pulses hostname", "otx logo", "all report", "t1045", "t1053", "t1055", "fastly dns", ".ru", "microsoft", "palantirfoundry", "ioc", "history", "compromise", "antonio apr", "valeria paredes", "valeria", "paredes", "colorado", "courts", "judicial", "denver county", "dougco", "pagosa springs", "hacking", "modifications", "masquerading", "mock", "bannock st", "ericka", "arevalo antonio", "criminal attack", "cyber", "threat actors", "bots", "ascii text", "json", "ms windows", "pe32", "medium", "trojan", "august", "packer", "local", "next", "rat", "bat", "botnet", "cve", "yahoo", "pornhub", "dns", "remote", "password", "manipulation", "objection", "overruled", "your witness", "patriot act", "tsara brashears", "reflected", "targeting", "monitored target", "incc", "hua mucatul", "securityvaleria", "injection", "aquire", "correo", "number", "security apr", "document file", "v2 document", "little endian", "version", "msi installer", "code page", "template", "logmein", "title", "logmein rescue", "gh0strat", "emotet", "scar", "snake keylogger", "trojandropper", "review lo", "ccdk ,", "asnas20940", "tulach", "login join", "support privacy", "notice", "programs porn", "found pornstars", "videos movies", "now ooops", "we ca", "nt find", "the page", "sweet", "click", "back", "tulach", "they know", "1%", "f-h", "englert" ], "references": [ "https://www.coloradojudicial.gov/data", "https://cp.bankid.no", "coloradoproblemsolvingcourts.org?", "https://odr.coloradojudicial.gov/login", "http://coloradojudicial.gov/Courts/Supreme_Court/cjds", "www.its.courts.state.co.us", "https://www.pornhub.com/gifs/search?search=tsara+lynn+brashears+lesbian", "https://www.sweetheartvideo.com/tsara-brashears", "chrome.cloudflare-dns.com", "https://rockylinux.map.fastlydns.net/" ], "public": 1, "adversary": "", "targeted_countries": [ "United States of America" ], "malware_families": [ { "id": "Win.Trojan.Generic-9908275-0", "display_name": "Win.Trojan.Generic-9908275-0", "target": null }, { "id": "Trojan:Win32/Scar.MR!MTB", "display_name": "Trojan:Win32/Scar.MR!MTB", "target": "/malware/Trojan:Win32/Scar.MR!MTB" }, { "id": "Trojan:Win32/Zbot", "display_name": "Trojan:Win32/Zbot", "target": "/malware/Trojan:Win32/Zbot" }, { "id": "TrojanDownloader:Win32/Nemucod", "display_name": "TrojanDownloader:Win32/Nemucod", "target": "/malware/TrojanDownloader:Win32/Nemucod" }, { "id": "TrojanDownloader:Win32/VB.IL", "display_name": "TrojanDownloader:Win32/VB.IL", "target": "/malware/TrojanDownloader:Win32/VB.IL" }, { "id": "TrojanDownloader:Win32/Inbat.H", "display_name": "TrojanDownloader:Win32/Inbat.H", "target": "/malware/TrojanDownloader:Win32/Inbat.H" }, { "id": "Trojan:Win32/Gupboot.B", "display_name": "Trojan:Win32/Gupboot.B", "target": "/malware/Trojan:Win32/Gupboot.B" }, { "id": "Win.Malware.Jaik-9968280-0", "display_name": "Win.Malware.Jaik-9968280-0", "target": null }, { "id": "Trojan:Win32/Glupteba.MT!MTB", "display_name": "Trojan:Win32/Glupteba.MT!MTB", "target": "/malware/Trojan:Win32/Glupteba.MT!MTB" }, { "id": "TrojanDownloader:Win32/Upatre", "display_name": "TrojanDownloader:Win32/Upatre", "target": "/malware/TrojanDownloader:Win32/Upatre" }, { "id": "Trojan:MSIL/SnakeKeylogger.MK1!MTB", "display_name": "Trojan:MSIL/SnakeKeylogger.MK1!MTB", "target": "/malware/Trojan:MSIL/SnakeKeylogger.MK1!MTB" }, { "id": "Trojan:Win32/Zombie.A", "display_name": "Trojan:Win32/Zombie.A", "target": "/malware/Trojan:Win32/Zombie.A" }, { "id": "Trojan:Win32/Dorv.A", "display_name": "Trojan:Win32/Dorv.A", "target": "/malware/Trojan:Win32/Dorv.A" }, { "id": "Win.Trojan.Gh0stRAT-7480037-0", "display_name": "Win.Trojan.Gh0stRAT-7480037-0", "target": null }, { "id": "TrojanDownloader:Win32/Systex.A", "display_name": "TrojanDownloader:Win32/Systex.A", "target": "/malware/TrojanDownloader:Win32/Systex.A" }, { "id": "Trojan:Win32/Blihan.A", "display_name": "Trojan:Win32/Blihan.A", "target": "/malware/Trojan:Win32/Blihan.A" }, { "id": "ALF:PulZati:Trojan:Win32/Emotet!rfn", "display_name": "ALF:PulZati:Trojan:Win32/Emotet!rfn", "target": null }, { "id": "ALF:Trojan:Win32/Cassini_f2776388!ibt", "display_name": "ALF:Trojan:Win32/Cassini_f2776388!ibt", "target": null }, { "id": "Win.Trojan.Barys", "display_name": "Win.Trojan.Barys", "target": null }, { "id": "Win.Trojan.Killav-210", "display_name": "Win.Trojan.Killav-210", "target": null }, { "id": "TEL:Trojan:Win32/Injector.AB!MSR", "display_name": "TEL:Trojan:Win32/Injector.AB!MSR", "target": null }, { "id": "TrojanDownloader:Win32/Misfox", "display_name": "TrojanDownloader:Win32/Misfox", "target": "/malware/TrojanDownloader:Win32/Misfox" }, { "id": "Malware Packed", "display_name": "Malware Packed", "target": null } ], "attack_ids": [ { "id": "T1045", "name": "Software Packing", "display_name": "T1045 - Software Packing" }, { "id": "T1053", "name": "Scheduled Task/Job", "display_name": "T1053 - Scheduled Task/Job" }, { "id": "T1055", "name": "Process Injection", "display_name": "T1055 - Process Injection" }, { "id": "T1057", "name": "Process Discovery", "display_name": "T1057 - Process Discovery" }, { "id": "T1060", "name": "Registry Run Keys / Startup Folder", "display_name": "T1060 - Registry Run Keys / Startup Folder" }, { "id": "T1063", "name": "Security Software Discovery", "display_name": "T1063 - Security Software Discovery" }, { "id": "T1069", "name": "Permission Groups Discovery", "display_name": "T1069 - Permission Groups Discovery" }, { "id": "T1071", "name": "Application Layer Protocol", "display_name": "T1071 - Application Layer Protocol" }, { "id": "T1082", "name": "System Information Discovery", "display_name": "T1082 - System Information Discovery" }, { "id": "T1105", "name": "Ingress Tool Transfer", "display_name": "T1105 - Ingress Tool Transfer" }, { "id": "T1119", "name": "Automated Collection", "display_name": "T1119 - Automated Collection" }, { "id": "T1129", "name": "Shared Modules", "display_name": "T1129 - Shared Modules" }, { "id": "T1143", "name": "Hidden Window", "display_name": "T1143 - Hidden Window" }, { "id": "T1207", "name": "Rogue Domain Controller", "display_name": "T1207 - Rogue Domain Controller" }, { "id": "T1428", "name": "Exploit Enterprise Resources", "display_name": "T1428 - Exploit Enterprise Resources" }, { "id": "T1480", "name": "Execution Guardrails", "display_name": "T1480 - Execution Guardrails" }, { "id": "T1553", "name": "Subvert Trust Controls", "display_name": "T1553 - Subvert Trust Controls" }, { "id": "T1568", "name": "Dynamic Resolution", "display_name": "T1568 - Dynamic Resolution" }, { "id": "T1583", "name": "Acquire Infrastructure", "display_name": "T1583 - Acquire Infrastructure" }, { "id": "T1071.001", "name": "Web Protocols", "display_name": "T1071.001 - Web Protocols" }, { "id": "T1071.004", "name": "DNS", "display_name": "T1071.004 - DNS" }, { "id": "T1553.001", "name": "Gatekeeper Bypass", "display_name": "T1553.001 - Gatekeeper Bypass" }, { "id": "T1553.002", "name": "Code Signing", "display_name": "T1553.002 - Code Signing" }, { "id": "T1568.002", "name": "Domain Generation Algorithms", "display_name": "T1568.002 - Domain Generation Algorithms" }, { "id": "T1588.001", "name": "Malware", "display_name": "T1588.001 - Malware" }, { "id": "T1608.001", "name": "Upload Malware", "display_name": "T1608.001 - Upload Malware" }, { "id": "T1457", "name": "Malicious Media Content", "display_name": "T1457 - Malicious Media Content" } ], "industries": [ "Government", "Technology", "Law" ], "TLP": "green", "cloned_from": "69f5d960e861f6159823ff0b", "export_count": 0, "upvotes_count": 0, "downvotes_count": 0, "votes_count": 0, "locked": false, "pulse_source": "web", "validator_count": 0, "comment_count": 1, "follower_count": 0, "vote": 0, "author": { "username": "msudosos", "id": "381696", "avatar_url": "https://otx.alienvault.com/assets/images/default-avatar.png", "is_subscribed": false, "is_following": false }, "indicator_type_counts": { "domain": 273, "hostname": 769, "URL": 1601, "FileHash-SHA256": 1576, "IPv4": 227, "FileHash-MD5": 197, "FileHash-SHA1": 109, "SSLCertFingerprint": 4, "IPv6": 4 }, "indicator_count": 4760, "is_author": false, "is_subscribing": null, "subscriber_count": 68, "modified_text": "5 hours ago ", "is_modified": true, "groups": [], "in_group": false, "threat_hunter_scannable": true, "threat_hunter_has_agents": 1, "related_indicator_type": "URL", "related_indicator_is_active": 1 }, { "id": "687b5499d48de6e54f3bff11", "name": "213.174.130.70 - Spyware Install | Emotet via Malware sites", "description": "Malicious IP address for multiple malware domains. Very malicious spyware, will hijack network and devices. \n\u2022 Best Targeted sites \nSpyware Install\n\u2022 Garveep POST CnC\nBeacon\n\u2022 Worm.Mydoom\nCheckin\n\n#endgame #emotet #mydoom #malware_domains #install_spyware #monitered_targets", "modified": "2025-08-18T08:00:43.712000", "created": "2025-07-19T08:17:29.443000", "tags": [ "handle", "ripe ncc", "ripe network", "address range", "cidr", "allocation type", "assigned pa", "status", "whois server", "entity ah36ripe", "algorithm", "key identifier", "x509v3 subject", "data", "v3 serial", "number", "cgb stgreater", "cnsectigo rsa", "secure server", "ca validity", "date", "abuse contact", "orgid", "orgtechhandle", "address", "orgabuseref", "postalcode", "ripe", "seen", "update date", "tech email", "admin country", "expiration date", "dnssec", "admin id", "mi11255597wp", "msie", "chrome", "passive dns", "united", "ipv4 add", "pulse submit", "url analysis", "urls", "files", "hosting", "open", "body", "extraction", "data upload", "failed", "include review", "anorexx", "video", "father sex", "ebony riding", "ebony", "roberta", "type win32", "exe size", "mb first", "file name", "sentinelone", "present jul", "present oct", "entries http", "memcommit", "t1055", "read c", "search", "entries", "show", "medium", "showing", "high process", "injection t1055", "copy", "write", "win32", "malware", "tsara brashears", "tsara", "pornhub", "porn videos", "watch tsara", "most relevant", "open threat", "exchange", "public", "https", "green", "daily", "brashears", "porn", "watch", "busty xxx", "filter tsara", "brashears porn", "url add", "pulse pulses", "http", "related pulses", "none related", "tags none", "file type", "md5 sha256", "google safe", "browsing", "dynamicloader", "dynamic", "read", "delete", "mtb apr", "trojan", "lowfi", "virtool", "icloader apr", "otx telemetry", "australia", "exploit", "cobalt strike", "hostile", "trojanspy", "msil", "win64", "pulse", "alerts", "yara rule", "named pipe", "xe7xf3xf2x14x9d", "high", "delphi", "local", "next", "learn", "ck id", "name tactics", "suspicious", "informative", "command", "defense evasion", "adversaries", "spawns", "found", "process details", "flag", "contacted", "meta", "location united", "copy md5", "copy sha1", "copy sha256", "sha256", "sha1", "size", "beginstring", "null", "type data", "error", "span", "hybrid", "general", "click", "strings", "refresh", "tools", "pattern match", "show technique", "mitre att", "ck matrix", "ascii text", "show process", "utf8", "crlf line", "network traffic", "path", "included", "review", "excludea", "sugges data", "typ url", "url url", "url hos", "hos hos", "extraction f", "enter so", "u extractio", "extra data", "included review", "ic excluded", "suggeste", "pulses", "md5 google", "safe browsing", "virustotal api", "comments", "ally s", "extraction data", "enter soudcfidi", "ad temdac", "cddad ad", "praw type", "extr", "include u", "creation date", "record value", "gmt content", "x adblock", "certificate", "domain", "encrypt", "sec ch", "ch ua", "unknown aaaa", "ua full", "ua platform", "present jun", "moved", "ip address", "doctype html", "lander script", "head", "method", "allowed date", "arizona", "scottsdale", "go daddy", "authority", "next associated", "extraction fail", "enter soupce", "udi ad", "trydda dada", "panca type", "ur extraction", "s data", "pr extract", "servers", "hostname", "files ip", "denmark unknown" ], "references": [], "public": 1, "adversary": "", "targeted_countries": [], "malware_families": [], "attack_ids": [ { "id": "T1045", "name": "Software Packing", "display_name": "T1045 - Software Packing" }, { "id": "T1055", "name": "Process Injection", "display_name": "T1055 - Process Injection" }, { "id": "T1082", "name": "System Information Discovery", "display_name": "T1082 - System Information Discovery" }, { "id": "T1063", "name": "Security Software Discovery", "display_name": "T1063 - Security Software Discovery" }, { "id": "T1119", "name": "Automated Collection", "display_name": "T1119 - Automated Collection" }, { "id": "T1057", "name": "Process Discovery", "display_name": "T1057 - Process Discovery" }, { "id": "T1071", "name": "Application Layer Protocol", "display_name": "T1071 - Application Layer Protocol" }, { "id": "T1105", "name": "Ingress Tool Transfer", "display_name": "T1105 - Ingress Tool Transfer" }, { "id": "T1480", "name": "Execution Guardrails", "display_name": "T1480 - Execution Guardrails" }, { "id": "T1562", "name": "Impair Defenses", "display_name": "T1562 - Impair Defenses" } ], "industries": [], "TLP": "green", "cloned_from": null, "export_count": 31, "upvotes_count": 0, "downvotes_count": 0, "votes_count": 0, "locked": false, "pulse_source": "web", "validator_count": 0, "comment_count": 0, "follower_count": 0, "vote": 0, "author": { "username": "Q.Vashti", "id": "337942", "avatar_url": "https://otx.alienvault.com/assets/images/default-avatar.png", "is_subscribed": false, "is_following": false }, "indicator_type_counts": { "CIDR": 4, "URL": 7528, "domain": 1822, "hostname": 2015, "email": 5, "FileHash-MD5": 373, "FileHash-SHA1": 363, "FileHash-SHA256": 1939 }, "indicator_count": 14049, "is_author": false, "is_subscribing": null, "subscriber_count": 142, "modified_text": "286 days ago ", "is_modified": true, "groups": [], "in_group": false, "threat_hunter_scannable": true, "threat_hunter_has_agents": 1, "related_indicator_type": "URL", "related_indicator_is_active": 1 } ], "error": null, "vt": { "error": "VirusTotal rate limit reached. Try again shortly.", "indicator": "https://status.bankid.no", "type": "URL" }, "abuseipdb": null, "urlhaus": { "indicator": "https://status.bankid.no", "type": "URL", "found": false, "verdict": "clean", "error": null }, "from_cache": true, "_cached_at": 1780225592.5424166 }