{
"type": "URL",
"indicator": "https://uzgenom.irrigationsystem.uz",
"general": {
"sections": [
"general",
"url_list",
"http_scans",
"screenshot"
],
"indicator": "https://uzgenom.irrigationsystem.uz",
"type": "url",
"type_title": "URL",
"validation": [],
"base_indicator": {
"id": 3784697269,
"indicator": "https://uzgenom.irrigationsystem.uz",
"type": "URL",
"title": "",
"description": "",
"content": "",
"access_type": "public",
"access_reason": ""
},
"pulse_info": {
"count": 18,
"pulses": [
{
"id": "69a3c685d4b7c139ffe62930",
"name": "Clone Pulse Reference",
"description": "",
"modified": "2026-04-01T00:44:45.494000",
"created": "2026-03-01T04:54:29.384000",
"tags": [
"ipv4",
"active related",
"trojandropper",
"mtb jun",
"lowfi",
"trojan",
"mtb jan",
"fastly error",
"please",
"united",
"ttl value",
"get na",
"total",
"delete",
"search",
"yara detections",
"sinkhole cookie",
"value snkz",
"write",
"suspicious",
"ransom",
"malware",
"Ransom.Win32.Birele.gsg Checkin",
"AnubisNetworks Sinkhole Cookie Value Snkz",
"Possible Compromised Host",
"dynamicloader",
"delete c",
"default",
"medium",
"write c",
"settingswpad",
"intel",
"ms windows",
"users",
"number",
"title",
"installer",
"top source",
"top destination",
"source source",
"port",
"filehash",
"av detections",
"ids detections",
"yara rule",
"gravityrat",
"detectvm",
"x00 x00",
"x00x00",
"doviacmd",
"rootjob",
"getfiles",
"updateserver",
"ethernetid",
"ids signatures",
"exploits",
"sid name",
"malware cve",
"dns query",
"dnsbin demo",
"data exfil",
"exif data",
"DNS Query for Webhook/HTTP Request Inspection Service (x .pipedr",
"DNSBin Demo (requestbin .net) - Data Exfitration",
"source port",
"destination",
"present sep",
"script urls",
"script script",
"a domains",
"script domains",
"ip address",
"meta",
"present nov",
"passive dns",
"next associated",
"domain add",
"pe executable",
"entries",
"show",
"msie",
"windows nt",
"wow64",
"copy",
"present jan",
"present feb",
"domain",
"pulse pulses",
"urls",
"files",
"tam legal",
"christopher ahmann",
"https://unicef.se/assets/apple",
"treece alfrey",
"hours ago",
"information",
"report spam",
"ahmann colorado",
"state",
"special cousel",
"created",
"expiro",
"capture"
],
"references": [
"Fastly IP Block: 151.101.0.0/16 | Organizations like Palantir may use third-party services such as Fastly's CDN",
"Fastly Error and Palantir blocked several times over the last few months.",
"Denver ; ISP, Fastly, Inc. ; Organization, Fastly, Inc. ; Network, AS54113 Fastly, Inc. (VPN, CDN, DDOSM,)",
"IP Region, Quebec. City ; Net Range, 151.101.0.0 - 151.101.255.255. CIDR ; Full Name, Fastly, Inc.",
"Palantir quasi government client Ab/using Palantir subdomains , Fastly is CDN",
"Yara: SUSP_ENV_Folder_Root_File_Jan23_1 %APPDATA%\\ewiuer2.exe SCRIPT",
"Win.Trojan.Vundo-7170412-0\t#Lowfi:SuspiciousSectionName",
"Link below used to defraud Tsara to think she\u2019d violated Patriot Act warranting NSA , Palinter espionage",
"https://unicef.se/assets/apple"
],
"public": 1,
"adversary": "",
"targeted_countries": [],
"malware_families": [
{
"id": "Trojan:Win32/Neconyd.A",
"display_name": "Trojan:Win32/Neconyd.A",
"target": "/malware/Trojan:Win32/Neconyd.A"
},
{
"id": "PWS:Win32/QQpass.FC",
"display_name": "PWS:Win32/QQpass.FC",
"target": "/malware/PWS:Win32/QQpass.FC"
},
{
"id": "Trojan:Win32/Zombie.A",
"display_name": "Trojan:Win32/Zombie.A",
"target": "/malware/Trojan:Win32/Zombie.A"
},
{
"id": "Win.Malware.Urelas-9863836-0",
"display_name": "Win.Malware.Urelas-9863836-0",
"target": null
},
{
"id": "ALF:HeraklezEval:Trojan:MSIL/Gravityrat!rfn",
"display_name": "ALF:HeraklezEval:Trojan:MSIL/Gravityrat!rfn",
"target": null
},
{
"id": "Win.Trojan.Vundo-7170412-0",
"display_name": "Win.Trojan.Vundo-7170412-0",
"target": null
},
{
"id": "#Lowfi:SuspiciousSectionName",
"display_name": "#Lowfi:SuspiciousSectionName",
"target": null
},
{
"id": "Multiple Malware\u2019s , Trojans and Rats",
"display_name": "Multiple Malware\u2019s , Trojans and Rats",
"target": null
}
],
"attack_ids": [
{
"id": "T1060",
"name": "Registry Run Keys / Startup Folder",
"display_name": "T1060 - Registry Run Keys / Startup Folder"
},
{
"id": "T1119",
"name": "Automated Collection",
"display_name": "T1119 - Automated Collection"
},
{
"id": "T1059.002",
"name": "AppleScript",
"display_name": "T1059.002 - AppleScript"
},
{
"id": "T1027",
"name": "Obfuscated Files or Information",
"display_name": "T1027 - Obfuscated Files or Information"
},
{
"id": "T1045",
"name": "Software Packing",
"display_name": "T1045 - Software Packing"
},
{
"id": "T1057",
"name": "Process Discovery",
"display_name": "T1057 - Process Discovery"
},
{
"id": "T1069",
"name": "Permission Groups Discovery",
"display_name": "T1069 - Permission Groups Discovery"
},
{
"id": "T1071",
"name": "Application Layer Protocol",
"display_name": "T1071 - Application Layer Protocol"
},
{
"id": "T1105",
"name": "Ingress Tool Transfer",
"display_name": "T1105 - Ingress Tool Transfer"
},
{
"id": "T1113",
"name": "Screen Capture",
"display_name": "T1113 - Screen Capture"
},
{
"id": "T1140",
"name": "Deobfuscate/Decode Files or Information",
"display_name": "T1140 - Deobfuscate/Decode Files or Information"
},
{
"id": "T1197",
"name": "BITS Jobs",
"display_name": "T1197 - BITS Jobs"
},
{
"id": "T1210",
"name": "Exploitation of Remote Services",
"display_name": "T1210 - Exploitation of Remote Services"
},
{
"id": "T1457",
"name": "Malicious Media Content",
"display_name": "T1457 - Malicious Media Content"
},
{
"id": "T1480",
"name": "Execution Guardrails",
"display_name": "T1480 - Execution Guardrails"
},
{
"id": "T1553",
"name": "Subvert Trust Controls",
"display_name": "T1553 - Subvert Trust Controls"
},
{
"id": "T1562",
"name": "Impair Defenses",
"display_name": "T1562 - Impair Defenses"
},
{
"id": "T1568",
"name": "Dynamic Resolution",
"display_name": "T1568 - Dynamic Resolution"
},
{
"id": "T1574",
"name": "Hijack Execution Flow",
"display_name": "T1574 - Hijack Execution Flow"
},
{
"id": "T1583",
"name": "Acquire Infrastructure",
"display_name": "T1583 - Acquire Infrastructure"
}
],
"industries": [],
"TLP": "white",
"cloned_from": "6906bd99cadbd4140014c6af",
"export_count": 0,
"upvotes_count": 0,
"downvotes_count": 0,
"votes_count": 0,
"locked": false,
"pulse_source": "web",
"validator_count": 0,
"comment_count": 0,
"follower_count": 0,
"vote": 0,
"author": {
"username": "msudosos",
"id": "381696",
"avatar_url": "https://otx.alienvault.com/assets/images/default-avatar.png",
"is_subscribed": false,
"is_following": false
},
"indicator_type_counts": {
"FileHash-SHA256": 909,
"domain": 454,
"hostname": 1404,
"URL": 3557,
"CIDR": 1,
"FileHash-MD5": 242,
"FileHash-SHA1": 185,
"email": 1,
"CVE": 1
},
"indicator_count": 6754,
"is_author": false,
"is_subscribing": null,
"subscriber_count": 48,
"modified_text": "18 days ago ",
"is_modified": true,
"groups": [],
"in_group": false,
"threat_hunter_scannable": true,
"threat_hunter_has_agents": 1,
"related_indicator_type": "URL",
"related_indicator_is_active": 1
},
{
"id": "68e2bb5d9ee8577ab5519f2c",
"name": "Meritshealth with DoD links? ",
"description": "",
"modified": "2026-01-13T00:05:56.401000",
"created": "2025-10-05T18:39:25.286000",
"tags": [
"gtmk5nxqc6",
"utc amazon",
"utc na",
"acceptencoding",
"gmt contenttype",
"connection",
"true pragma",
"gmt setcookie",
"httponly",
"gmt vary",
"nc000000 up",
"html document",
"unicode text",
"utf8 text",
"oc0006 http",
"http traffic",
"https http",
"mitre att",
"control ta0011",
"protocol t1071",
"match info",
"t1573 severity",
"info",
"number",
"ja3s",
"algorithm",
"azure rsa",
"tls issuing",
"cus subject",
"stwa lredmond",
"cnmicrosoft ecc",
"update secure",
"server ca",
"omicrosoft cus",
"get http",
"dns resolutions",
"registrar",
"markmonitor inc",
"country",
"resolver domain",
"type name",
"html",
"apnic",
"apnic whois",
"please",
"rirs",
"cidr",
"learn",
"ck id",
"name tactics",
"suspicious",
"informative",
"command",
"adversaries",
"development att",
"name tactics",
"binary file",
"ck matrix",
"wheelchair",
"iamrobert",
"pattern match",
"ascii text",
"href",
"united",
"general",
"local",
"path",
"encrypt",
"click",
"passive dns",
"urls",
"files",
"reverse dns",
"netherlands",
"present aug",
"a domains",
"moved",
"first pqc",
"ip address",
"unknown ns",
"unknown aaaa",
"title",
"body",
"meta",
"window",
"accept",
"body doctype",
"welcome",
"ok server",
"gmt content",
"present jul",
"present sep",
"aaaa",
"hostname",
"error",
"defense evasion",
"windows nt",
"response",
"vary",
"strings",
"core",
"t1027.013 encrypted/encoded",
"michelin lazy k",
"prefetch8",
"flag",
"date",
"starfield",
"hybrid",
"mobility cr",
"extraction",
"data upload",
"include",
"o url",
"url url",
"included i0",
"review ioc",
"excluded ic",
"suggested",
"find sugi",
"failed",
"cre pul",
"enter",
"enter sc",
"type",
"enric",
"extra",
"type opaste",
"data u",
"included",
"copy md5",
"copy sha1",
"copy sha256",
"null",
"refresh",
"tools",
"look",
"verify",
"restart",
"t1480 execution",
"expiration",
"url https",
"no expiration",
"iocs",
"ipv4",
"text drag",
"drop or",
"browse to",
"select file",
"redacted for",
"server",
"privacy tech",
"privacy admin",
"postal code",
"stateprovince",
"organization",
"email",
"code",
"quantum rooms",
"sam somalia",
"emp",
"porn",
"media defense",
"gov porn",
"suck my nips",
"reimer suspect",
"jeffrey reimer",
"dod",
"department of defense",
"show",
"date checked",
"url hostname",
"server response",
"google safe",
"results may",
"entries http",
"scans record",
"value status",
"sabey type",
"merits fake",
"y.a.s.",
"pornography",
"ramsom"
],
"references": [
"https://www.meritshealth.com/ Defense.Gov Mobility Co? ",
"zeroeyes.host \u2022 media.defense.gov \u2022 defense.gov \u2022 23.222.155.67",
"https://media.defense.gov/2022/Mar/17/2002958406/-1/-1/1/SUMMARY-OF-THE-JOINT-ALL-DOMAIN-COMMAND-AND-CONTROL-STRATEGY.pdf",
"https://media.defense.gov/2020/jun/09/2002313081/-1/-1/0/csi-detect-and-prevent-web-shell-malware-20200422.pdf",
"https://rto.bappam.eu/ai-n2cdl/mirai-2025-ven5k-telugu-movie-watch-online.html",
"https://pornokind.vgt.pl \u2022 https://cdn2.video.itsyourporn.com",
"https://webcams.itsyourporn.com/ \u2022 https://members.itsyourporn.com/",
"https://pics-storage-1.pornhat.com/contents/albums/main/1920x1080/135000/135855/9537375.jp",
"https://static.pornhat.com/contents/videos_screenshots/642000/642793/640x360/1.jpg",
"https://d1rozh26tys225.cloudfront.net/robot-suspicion.svg (mobility company no one has heard of)",
"https://www2.itsyourporn.com/license.php \u2022 https://www.lovephoto.tw/members",
"https://members.engine.com/login \u2022 https://members.engine.com/payment-details/220210",
"https://www-pornocarioca-com.sexogratis.page/videos/bbb/ex",
"https://media.defense.gov/2024/sep/18/2003547016/-1/-1/0/csa-prc-linked-actors-botnet.pdf",
"https://maisexo-com.putaria.info/casting \u2022 https://contosadultos-club.sexogratis.page/tudo",
"https://meumundogay-com.sexogratis.page/locker",
"https://es.pornhat.com/models/the-sex-creator/",
"Dear US Government, the man who assaulted targets name is Jeffrey Scott Reimer of Chester Springs, PA",
"Can the DoD no questions asked target a SA victim",
"Red Team Abuse? Starfield ? DoD? You need a real criminal Jeffrey Reimer.",
"There\u2019s a problem with terrorizing victims, relatives of, associates of and stealing their property intellectual or otherwise",
"socialmedia \u2022 socialmedia.defense.gov \u2022 static.defense.gov",
"There is fear in silence or speaking out",
"Target left unattended by anyone in a hospital except a security guard. Hospital refused care. Ignored rare brain incident from high cervical & brain assault injuries aggravated by car accident.",
"3-4 Police presence. 25 + hospital employees prepped radiology room. No one left room so was it for her?",
"If someone is believed to be a threat they have right to due process.",
"Infectious Disease UC Health denied target medication they said she needed as questionable liquid seeped into her brain.",
"She was a researcher not a hacker. A mother not a criminal. Most talented and least impressed person I have ever known.",
"Remarks online \u2018 T\u2019*#^^ is not a runner\u2019 a size 00 broke two track records at a major universities.",
"Honestly, you\u2019ve never seen or met her no many how many people you\u2019ve sent out. That\u2019s why you quiz.",
"ftp.iamrobert.com ? \u2022 https://www.meritshealth.com/templates/iamrobert/fonts/Graphik-Regular.eot",
"iamrobert.com Y.A.S.",
"1.2016 M.Brian Sabey filed a complaint about? Jeffrey Reimer refused Lie detector test and False memory exam",
"Target agreed and complied with all lie detector measures.",
"Is the family allowed to have a funeral for Tsara or print an obituary",
"No, they put Tsara in her mom\u2019s obituary, she couldn\u2019t grieve, she had to take it down.",
"I am very upset. Whoever is doing this is sick."
],
"public": 1,
"adversary": "",
"targeted_countries": [
"United States of America"
],
"malware_families": [
{
"id": "APNIC",
"display_name": "APNIC",
"target": null
},
{
"id": "Malware",
"display_name": "Malware",
"target": null
}
],
"attack_ids": [
{
"id": "T1071",
"name": "Application Layer Protocol",
"display_name": "T1071 - Application Layer Protocol"
},
{
"id": "T1573",
"name": "Encrypted Channel",
"display_name": "T1573 - Encrypted Channel"
},
{
"id": "T1027",
"name": "Obfuscated Files or Information",
"display_name": "T1027 - Obfuscated Files or Information"
},
{
"id": "T1057",
"name": "Process Discovery",
"display_name": "T1057 - Process Discovery"
},
{
"id": "T1069",
"name": "Permission Groups Discovery",
"display_name": "T1069 - Permission Groups Discovery"
},
{
"id": "T1105",
"name": "Ingress Tool Transfer",
"display_name": "T1105 - Ingress Tool Transfer"
},
{
"id": "T1480",
"name": "Execution Guardrails",
"display_name": "T1480 - Execution Guardrails"
},
{
"id": "T1553",
"name": "Subvert Trust Controls",
"display_name": "T1553 - Subvert Trust Controls"
},
{
"id": "T1566",
"name": "Phishing",
"display_name": "T1566 - Phishing"
},
{
"id": "T1568",
"name": "Dynamic Resolution",
"display_name": "T1568 - Dynamic Resolution"
},
{
"id": "T1583",
"name": "Acquire Infrastructure",
"display_name": "T1583 - Acquire Infrastructure"
},
{
"id": "T1069.002",
"name": "Domain Groups",
"display_name": "T1069.002 - Domain Groups"
},
{
"id": "T1071.001",
"name": "Web Protocols",
"display_name": "T1071.001 - Web Protocols"
},
{
"id": "T1583.001",
"name": "Domains",
"display_name": "T1583.001 - Domains"
},
{
"id": "TA0042",
"name": "Resource Development",
"display_name": "TA0042 - Resource Development"
},
{
"id": "TA0005",
"name": "Defense Evasion",
"display_name": "TA0005 - Defense Evasion"
},
{
"id": "T1553.002",
"name": "Code Signing",
"display_name": "T1553.002 - Code Signing"
},
{
"id": "T1528",
"name": "Steal Application Access Token",
"display_name": "T1528 - Steal Application Access Token"
},
{
"id": "T1071.004",
"name": "DNS",
"display_name": "T1071.004 - DNS"
},
{
"id": "T1113",
"name": "Screen Capture",
"display_name": "T1113 - Screen Capture"
},
{
"id": "T1590",
"name": "Gather Victim Network Information",
"display_name": "T1590 - Gather Victim Network Information"
},
{
"id": "T1591",
"name": "Gather Victim Org Information",
"display_name": "T1591 - Gather Victim Org Information"
},
{
"id": "T1132",
"name": "Data Encoding",
"display_name": "T1132 - Data Encoding"
},
{
"id": "T1140",
"name": "Deobfuscate/Decode Files or Information",
"display_name": "T1140 - Deobfuscate/Decode Files or Information"
},
{
"id": "T1562",
"name": "Impair Defenses",
"display_name": "T1562 - Impair Defenses"
},
{
"id": "T1457",
"name": "Malicious Media Content",
"display_name": "T1457 - Malicious Media Content"
},
{
"id": "T1562.001",
"name": "Disable or Modify Tools",
"display_name": "T1562.001 - Disable or Modify Tools"
},
{
"id": "T1562.004",
"name": "Disable or Modify System Firewall",
"display_name": "T1562.004 - Disable or Modify System Firewall"
},
{
"id": "T1089",
"name": "Disabling Security Tools",
"display_name": "T1089 - Disabling Security Tools"
},
{
"id": "T1562.008",
"name": "Disable Cloud Logs",
"display_name": "T1562.008 - Disable Cloud Logs"
},
{
"id": "T1125",
"name": "Video Capture",
"display_name": "T1125 - Video Capture"
},
{
"id": "T1056.003",
"name": "Web Portal Capture",
"display_name": "T1056.003 - Web Portal Capture"
},
{
"id": "T1512",
"name": "Capture Camera",
"display_name": "T1512 - Capture Camera"
},
{
"id": "T1180",
"name": "Screensaver",
"display_name": "T1180 - Screensaver"
}
],
"industries": [],
"TLP": "white",
"cloned_from": "68e2b14d83bb63502feac65e",
"export_count": 17,
"upvotes_count": 0,
"downvotes_count": 0,
"votes_count": 0,
"locked": false,
"pulse_source": "web",
"validator_count": 0,
"comment_count": 0,
"follower_count": 0,
"vote": 0,
"author": {
"username": "Q.Vashti",
"id": "337942",
"avatar_url": "https://otx.alienvault.com/assets/images/default-avatar.png",
"is_subscribed": false,
"is_following": false
},
"indicator_type_counts": {
"domain": 1365,
"URL": 11172,
"hostname": 2780,
"FileHash-MD5": 381,
"FileHash-SHA256": 4420,
"FileHash-SHA1": 338,
"CIDR": 4,
"SSLCertFingerprint": 24,
"CVE": 1,
"email": 1
},
"indicator_count": 20486,
"is_author": false,
"is_subscribing": null,
"subscriber_count": 139,
"modified_text": "96 days ago ",
"is_modified": true,
"groups": [],
"in_group": false,
"threat_hunter_scannable": true,
"threat_hunter_has_agents": 1,
"related_indicator_type": "URL",
"related_indicator_is_active": 1
},
{
"id": "68e2b14d83bb63502feac65e",
"name": "Did the \u2018real\u2019 DoD kill Targets wheelchair as promised? It\u2019s alive again.",
"description": "I\u2019d never think the DoD would be found when researching a wheelchair company NO ONE has ever heard of in this region. \n\nA wheelchair was ordered for target early spring, it was received in early summer. \n\nSettings became a crazy mess. Suspicion was immediate as a toothless tech tried to identify if dealing w/target by birth year , quizzing, fear tactics (doomsday wheelchair) , familiar Then warns about EMP attacks against wheelchair? His son is a hacker (gamer) + software engineer. He left not knowing if target status after quizzing tech knowledge? I intentionally verbalized the truth , target was a very early adopter of Ruby & Ruby on Rails & everything tech, he dropped his tools & left breaking the arm of wheelchair. New tech needed. Later denies ever being a mobility technician. They killed a new wheelchair. Why?. You\u2019re allowed to donate your equipment Vets & uninsured NEED mobility equipment. Stop the craziness. Is it possible gamer hackers are riding the DoD w/o their knowledge?",
"modified": "2026-01-07T00:00:30.717000",
"created": "2025-10-05T17:56:29.109000",
"tags": [
"gtmk5nxqc6",
"utc amazon",
"utc na",
"acceptencoding",
"gmt contenttype",
"connection",
"true pragma",
"gmt setcookie",
"httponly",
"gmt vary",
"nc000000 up",
"html document",
"unicode text",
"utf8 text",
"oc0006 http",
"http traffic",
"https http",
"mitre att",
"control ta0011",
"protocol t1071",
"match info",
"t1573 severity",
"info",
"number",
"ja3s",
"algorithm",
"azure rsa",
"tls issuing",
"cus subject",
"stwa lredmond",
"cnmicrosoft ecc",
"update secure",
"server ca",
"omicrosoft cus",
"get http",
"dns resolutions",
"registrar",
"markmonitor inc",
"country",
"resolver domain",
"type name",
"html",
"apnic",
"apnic whois",
"please",
"rirs",
"cidr",
"learn",
"ck id",
"name tactics",
"suspicious",
"informative",
"command",
"adversaries",
"development att",
"name tactics",
"binary file",
"ck matrix",
"wheelchair",
"iamrobert",
"pattern match",
"ascii text",
"href",
"united",
"general",
"local",
"path",
"encrypt",
"click",
"passive dns",
"urls",
"files",
"reverse dns",
"netherlands",
"present aug",
"a domains",
"moved",
"first pqc",
"ip address",
"unknown ns",
"unknown aaaa",
"title",
"body",
"meta",
"window",
"accept",
"body doctype",
"welcome",
"ok server",
"gmt content",
"present jul",
"present sep",
"aaaa",
"hostname",
"error",
"defense evasion",
"windows nt",
"response",
"vary",
"strings",
"core",
"t1027.013 encrypted/encoded",
"michelin lazy k",
"prefetch8",
"flag",
"date",
"starfield",
"hybrid",
"mobility cr",
"extraction",
"data upload",
"include",
"o url",
"url url",
"included i0",
"review ioc",
"excluded ic",
"suggested",
"find sugi",
"failed",
"cre pul",
"enter",
"enter sc",
"type",
"enric",
"extra",
"type opaste",
"data u",
"included",
"copy md5",
"copy sha1",
"copy sha256",
"null",
"refresh",
"tools",
"look",
"verify",
"restart",
"t1480 execution",
"expiration",
"url https",
"no expiration",
"iocs",
"ipv4",
"text drag",
"drop or",
"browse to",
"select file",
"redacted for",
"server",
"privacy tech",
"privacy admin",
"postal code",
"stateprovince",
"organization",
"email",
"code",
"quantum rooms",
"sam somalia",
"emp",
"porn",
"media defense",
"gov porn",
"suck my nips",
"reimer suspect",
"jeffrey reimer",
"dod",
"department of defense",
"show",
"date checked",
"url hostname",
"server response",
"google safe",
"results may",
"entries http",
"scans record",
"value status",
"sabey type",
"merits fake",
"y.a.s.",
"pornography",
"ramsom"
],
"references": [
"https://www.meritshealth.com/ Defense.Gov Mobility Co? ",
"zeroeyes.host \u2022 media.defense.gov \u2022 defense.gov \u2022 23.222.155.67",
"https://media.defense.gov/2022/Mar/17/2002958406/-1/-1/1/SUMMARY-OF-THE-JOINT-ALL-DOMAIN-COMMAND-AND-CONTROL-STRATEGY.pdf",
"https://media.defense.gov/2020/jun/09/2002313081/-1/-1/0/csi-detect-and-prevent-web-shell-malware-20200422.pdf",
"https://rto.bappam.eu/ai-n2cdl/mirai-2025-ven5k-telugu-movie-watch-online.html",
"https://pornokind.vgt.pl \u2022 https://cdn2.video.itsyourporn.com",
"https://webcams.itsyourporn.com/ \u2022 https://members.itsyourporn.com/",
"https://pics-storage-1.pornhat.com/contents/albums/main/1920x1080/135000/135855/9537375.jp",
"https://static.pornhat.com/contents/videos_screenshots/642000/642793/640x360/1.jpg",
"https://d1rozh26tys225.cloudfront.net/robot-suspicion.svg (mobility company no one has heard of)",
"https://www2.itsyourporn.com/license.php \u2022 https://www.lovephoto.tw/members",
"https://members.engine.com/login \u2022 https://members.engine.com/payment-details/220210",
"https://www-pornocarioca-com.sexogratis.page/videos/bbb/ex",
"https://media.defense.gov/2024/sep/18/2003547016/-1/-1/0/csa-prc-linked-actors-botnet.pdf",
"https://maisexo-com.putaria.info/casting \u2022 https://contosadultos-club.sexogratis.page/tudo",
"https://meumundogay-com.sexogratis.page/locker",
"https://es.pornhat.com/models/the-sex-creator/",
"Dear US Government, the man who assaulted targets name is Jeffrey Scott Reimer of Chester Springs, PA",
"Can the DoD no questions asked target a SA victim",
"Red Team Abuse? Starfield ? DoD? You need a real criminal Jeffrey Reimer.",
"There\u2019s a problem with terrorizing victims, relatives of, associates of and stealing their property intellectual or otherwise",
"socialmedia \u2022 socialmedia.defense.gov \u2022 static.defense.gov",
"There is fear in silence or speaking out",
"Target left unattended by anyone in a hospital except a security guard. Hospital refused care. Ignored rare brain incident from high cervical & brain assault injuries aggravated by car accident.",
"3-4 Police presence. 25 + hospital employees prepped radiology room. No one left room so was it for her?",
"If someone is believed to be a threat they have right to due process.",
"Infectious Disease UC Health denied target medication they said she needed as questionable liquid seeped into her brain.",
"She was a researcher not a hacker. A mother not a criminal. Most talented and least impressed person I have ever known.",
"Remarks online \u2018 T\u2019*#^^ is not a runner\u2019 a size 00 broke two track records at a major universities.",
"Honestly, you\u2019ve never seen or met her no many how many people you\u2019ve sent out. That\u2019s why you quiz.",
"ftp.iamrobert.com ? \u2022 https://www.meritshealth.com/templates/iamrobert/fonts/Graphik-Regular.eot",
"iamrobert.com Y.A.S.",
"1.2016 M.Brian Sabey filed a complaint about? Jeffrey Reimer refused Lie detector test and False memory exam",
"Target agreed and complied with all lie detector measures.",
"Is the family allowed to have a funeral for Tsara or print an obituary",
"No, they put Tsara in her mom\u2019s obituary, she couldn\u2019t grieve, she had to take it down.",
"I am very upset. Whoever is doing this is sick."
],
"public": 1,
"adversary": "",
"targeted_countries": [
"United States of America"
],
"malware_families": [
{
"id": "APNIC",
"display_name": "APNIC",
"target": null
},
{
"id": "Malware",
"display_name": "Malware",
"target": null
}
],
"attack_ids": [
{
"id": "T1071",
"name": "Application Layer Protocol",
"display_name": "T1071 - Application Layer Protocol"
},
{
"id": "T1573",
"name": "Encrypted Channel",
"display_name": "T1573 - Encrypted Channel"
},
{
"id": "T1027",
"name": "Obfuscated Files or Information",
"display_name": "T1027 - Obfuscated Files or Information"
},
{
"id": "T1057",
"name": "Process Discovery",
"display_name": "T1057 - Process Discovery"
},
{
"id": "T1069",
"name": "Permission Groups Discovery",
"display_name": "T1069 - Permission Groups Discovery"
},
{
"id": "T1105",
"name": "Ingress Tool Transfer",
"display_name": "T1105 - Ingress Tool Transfer"
},
{
"id": "T1480",
"name": "Execution Guardrails",
"display_name": "T1480 - Execution Guardrails"
},
{
"id": "T1553",
"name": "Subvert Trust Controls",
"display_name": "T1553 - Subvert Trust Controls"
},
{
"id": "T1566",
"name": "Phishing",
"display_name": "T1566 - Phishing"
},
{
"id": "T1568",
"name": "Dynamic Resolution",
"display_name": "T1568 - Dynamic Resolution"
},
{
"id": "T1583",
"name": "Acquire Infrastructure",
"display_name": "T1583 - Acquire Infrastructure"
},
{
"id": "T1069.002",
"name": "Domain Groups",
"display_name": "T1069.002 - Domain Groups"
},
{
"id": "T1071.001",
"name": "Web Protocols",
"display_name": "T1071.001 - Web Protocols"
},
{
"id": "T1583.001",
"name": "Domains",
"display_name": "T1583.001 - Domains"
},
{
"id": "TA0042",
"name": "Resource Development",
"display_name": "TA0042 - Resource Development"
},
{
"id": "TA0005",
"name": "Defense Evasion",
"display_name": "TA0005 - Defense Evasion"
},
{
"id": "T1553.002",
"name": "Code Signing",
"display_name": "T1553.002 - Code Signing"
},
{
"id": "T1528",
"name": "Steal Application Access Token",
"display_name": "T1528 - Steal Application Access Token"
},
{
"id": "T1071.004",
"name": "DNS",
"display_name": "T1071.004 - DNS"
},
{
"id": "T1113",
"name": "Screen Capture",
"display_name": "T1113 - Screen Capture"
},
{
"id": "T1590",
"name": "Gather Victim Network Information",
"display_name": "T1590 - Gather Victim Network Information"
},
{
"id": "T1591",
"name": "Gather Victim Org Information",
"display_name": "T1591 - Gather Victim Org Information"
},
{
"id": "T1132",
"name": "Data Encoding",
"display_name": "T1132 - Data Encoding"
},
{
"id": "T1140",
"name": "Deobfuscate/Decode Files or Information",
"display_name": "T1140 - Deobfuscate/Decode Files or Information"
},
{
"id": "T1562",
"name": "Impair Defenses",
"display_name": "T1562 - Impair Defenses"
},
{
"id": "T1457",
"name": "Malicious Media Content",
"display_name": "T1457 - Malicious Media Content"
},
{
"id": "T1562.001",
"name": "Disable or Modify Tools",
"display_name": "T1562.001 - Disable or Modify Tools"
},
{
"id": "T1562.004",
"name": "Disable or Modify System Firewall",
"display_name": "T1562.004 - Disable or Modify System Firewall"
},
{
"id": "T1089",
"name": "Disabling Security Tools",
"display_name": "T1089 - Disabling Security Tools"
},
{
"id": "T1562.008",
"name": "Disable Cloud Logs",
"display_name": "T1562.008 - Disable Cloud Logs"
},
{
"id": "T1125",
"name": "Video Capture",
"display_name": "T1125 - Video Capture"
},
{
"id": "T1056.003",
"name": "Web Portal Capture",
"display_name": "T1056.003 - Web Portal Capture"
},
{
"id": "T1512",
"name": "Capture Camera",
"display_name": "T1512 - Capture Camera"
},
{
"id": "T1180",
"name": "Screensaver",
"display_name": "T1180 - Screensaver"
}
],
"industries": [],
"TLP": "white",
"cloned_from": null,
"export_count": 11,
"upvotes_count": 0,
"downvotes_count": 0,
"votes_count": 0,
"locked": false,
"pulse_source": "web",
"validator_count": 0,
"comment_count": 1,
"follower_count": 0,
"vote": 0,
"author": {
"username": "Q.Vashti",
"id": "337942",
"avatar_url": "https://otx.alienvault.com/assets/images/default-avatar.png",
"is_subscribed": false,
"is_following": false
},
"indicator_type_counts": {
"domain": 1328,
"URL": 9931,
"hostname": 2621,
"FileHash-MD5": 381,
"FileHash-SHA256": 4360,
"FileHash-SHA1": 338,
"CIDR": 4,
"SSLCertFingerprint": 24,
"CVE": 1,
"email": 1
},
"indicator_count": 18989,
"is_author": false,
"is_subscribing": null,
"subscriber_count": 139,
"modified_text": "102 days ago ",
"is_modified": true,
"groups": [],
"in_group": false,
"threat_hunter_scannable": true,
"threat_hunter_has_agents": 1,
"related_indicator_type": "URL",
"related_indicator_is_active": 1
},
{
"id": "690a2c38de1708af54217faa",
"name": "Access Token used to steal security credentials & hack and ride DND of targeted individuals",
"description": "- https://shift.gearboxsoftware.com/link\n- Found embedded in targets phone.\n\nAccess Token used to steal security credentials & hack and ride DND of targeted individuals device. \nTAM Legal \u2022 Tulach \u2022 Hall Render \u2022 Quasi Government | Some type of Foundry user account found. \n\nStop illegally \n stalking, harassment, attempts, hacking, death threats. . Because the Colorado government allowing entities like this to operate without any type of rules, oversight or boundaries \nMILLION$ were wasted in your own fraud, waste in abuse scheme. AT&T , CrowdStrike , United Healthcare , UC Healthcare, Intermountain Health, T-Mobile, Amazon East, the Colorado Government itself, Medicare and Medicaid. For what? You have zero talent so you take it from those who do. You have nothing coming to you so you steal it from those who do. Is this somehow legal? \n#contacted #all_hosts backdoor #ransomware #cve #usa #american_terrorists #workers_compenstation_abuse #silencing #targeting #hitmen #illegal #malvertizing #aws_dns",
"modified": "2025-12-04T15:01:02.531000",
"created": "2025-11-04T16:39:20.035000",
"tags": [
"present aug",
"moved",
"encrypt",
"present jul",
"passive dns",
"ipv4 add",
"reverse dns",
"united states",
"present may",
"ip address",
"gmt content",
"ipv4",
"all ipv4",
"america",
"united",
"present oct",
"name servers",
"redacted for",
"emails",
"for privacy",
"unknown ns",
"unknown aaaa",
"dynamicloader",
"focus region",
"unicode text",
"utf16",
"ms windows",
"bokeh onlycanon",
"zeiss jena",
"mcsonnar",
"high",
"win64",
"stream",
"write",
"smartassembly",
"trailer",
"next",
"search",
"medium",
"as15169",
"write c",
"reads",
"team",
"malware",
"local",
"yara detections",
"delphi",
"strings",
"dcom",
"form",
"trojandropper",
"mtb nov",
"backdoor",
"otx telemetry",
"trojan",
"type",
"data upload",
"extraction",
"ol rop",
"hash avast",
"avg clamav",
"msdefender nov",
"win32upatre nov",
"win32berbew nov",
"dynamic",
"pe section",
"error",
"close",
"status",
"urls",
"expiration date",
"hostname",
"url analysis",
"yara rule",
"show",
"binary file",
"wine emulator",
"mtb oct",
"files",
"denmark asn",
"as32934",
"candyopen",
"possible",
"smoke loader",
"trojanspy",
"filehash",
"pulses otx",
"related tags",
"file type",
"no analysis",
"available",
"api key",
"screenshots",
"present nov",
"aaaa",
"mtb may",
"mexico",
"hostname add",
"registrar",
"domain add",
"location united",
"email add",
"none related",
"domains",
"email domain",
"service",
"domain",
"america flag",
"body",
"title",
"aws dns",
"next associated",
"risepro",
"guard",
"v full",
"reports v",
"t1059 shared",
"modules",
"t1129 system",
"t1569",
"help v",
"t1179 boot",
"logon autost",
"encoding",
"packing f0001",
"hidden files",
"e1203 windows",
"file attributes",
"registry value",
"catalog tree",
"analysis ob0001",
"evasion b0003",
"virtual machine",
"ip traffic",
"memory pattern",
"pattern urls",
"tls sni",
"get https",
"post https",
"named pipe",
"delete c",
"radar",
"defender",
"format",
"learn",
"command",
"ck id",
"name tactics",
"suspicious",
"informative",
"spawns",
"mitre att",
"ck techniques",
"evasion att",
"country",
"contacted hosts",
"process details",
"flag",
"globalc",
"intel",
"win32",
"worm",
"path",
"explorer",
"script",
"href",
"external",
"html content",
"tulach",
"hallrender",
"tam legal",
"brian sabey",
"christopher ahmann",
"apple",
"msie",
"chrome",
"ascio",
"creation date",
"date",
"germany unknown",
"germany asn",
"files ip",
"address",
"asn as24940",
"less",
"script urls",
"a domains",
"prox",
"dennis schrder",
"meta",
"apache",
"99u25f.exe",
"entries",
"as24940 hetzner",
"dns resolutions",
"status code",
"body length",
"kb body",
"software/ hardware",
"external-resources",
"password-input",
"overview",
"colorado"
],
"references": [
"https://shift.gearboxsoftware.com/link",
"https://tulach.cc/",
"https://www.anyxxxtube.net/search-porn/tsara-brashears/ \u2022 alohatube.xyz \u2022 1001pornvideos.com",
"x402.porn \u2022 http://alohatube.xyz/search/tsara-brashears \u2022 \thttps://ufovpn.io/blog/is-eporner-safe",
"https://www.turbo.net/run/videolan/vlc",
"http://www.forensickb.com/2013/03/file-entropy-explained.html",
"https://www.xlabs.com.br/blog/cve-2013-3304-dell-equallogic-directory-traversal/ \u2022 http://cve.phidias.com/",
"Overview \"Keeping money\" by the Colorado workers' compensation system can refer to",
"legal deductions, legitimate reasons for payment delays or denial, or potential issues that require legal",
"counsel. The system does not \"keep\" money without a valid reason.Lies. they\u2019ve Ben in trouble before ."
],
"public": 1,
"adversary": "Colorado Quasi Government | Workerk Compensation",
"targeted_countries": [
"United States of America"
],
"malware_families": [
{
"id": "Win.Trojan.Generic-9878032-0",
"display_name": "Win.Trojan.Generic-9878032-0",
"target": null
},
{
"id": "Win.Trojan.Starter-171",
"display_name": "Win.Trojan.Starter-171",
"target": null
},
{
"id": "GravityRAT",
"display_name": "GravityRAT",
"target": null
},
{
"id": "Backdoor:Win32/Berbew.AA!MTB",
"display_name": "Backdoor:Win32/Berbew.AA!MTB",
"target": "/malware/Backdoor:Win32/Berbew.AA!MTB"
},
{
"id": "Trojan:MSIL/AgentTesla.DW!MTB",
"display_name": "Trojan:MSIL/AgentTesla.DW!MTB",
"target": "/malware/Trojan:MSIL/AgentTesla.DW!MTB"
},
{
"id": "ALF:HeraklezEval:Trojan:MSIL/Gravityrat!rfn",
"display_name": "ALF:HeraklezEval:Trojan:MSIL/Gravityrat!rfn",
"target": null
},
{
"id": "Trojandropper:Win32/VB.IL",
"display_name": "Trojandropper:Win32/VB.IL",
"target": "/malware/Trojandropper:Win32/VB.IL"
},
{
"id": "Nemucod",
"display_name": "Nemucod",
"target": null
},
{
"id": "Berbew",
"display_name": "Berbew",
"target": null
},
{
"id": "PWS:Win32/Zbot.MS!MTB",
"display_name": "PWS:Win32/Zbot.MS!MTB",
"target": "/malware/PWS:Win32/Zbot.MS!MTB"
},
{
"id": "Win.Trojan.Barys-10005825-0",
"display_name": "Win.Trojan.Barys-10005825-0",
"target": null
},
{
"id": "Upatre",
"display_name": "Upatre",
"target": null
},
{
"id": "TrojanSpy",
"display_name": "TrojanSpy",
"target": null
},
{
"id": "Win.Exploit.Rozena-10038302-0",
"display_name": "Win.Exploit.Rozena-10038302-0",
"target": null
},
{
"id": "Zombie",
"display_name": "Zombie",
"target": null
},
{
"id": "Trojan:Win32/Zombie",
"display_name": "Trojan:Win32/Zombie",
"target": "/malware/Trojan:Win32/Zombie"
},
{
"id": "Muldrop",
"display_name": "Muldrop",
"target": null
},
{
"id": "Worm:Win32/Mofksys.RND!MTB",
"display_name": "Worm:Win32/Mofksys.RND!MTB",
"target": "/malware/Worm:Win32/Mofksys.RND!MTB"
},
{
"id": "Dorv",
"display_name": "Dorv",
"target": null
},
{
"id": "Win.Malware.Pits-10035540-0",
"display_name": "Win.Malware.Pits-10035540-0",
"target": null
},
{
"id": "Win.Ransomware.Msilzilla-10014498-0",
"display_name": "Win.Ransomware.Msilzilla-10014498-0",
"target": null
},
{
"id": "CVE-2023-4966",
"display_name": "CVE-2023-4966",
"target": null
},
{
"id": "Exploit:Linux/CVE-2017-17215",
"display_name": "Exploit:Linux/CVE-2017-17215",
"target": "/malware/Exploit:Linux/CVE-2017-17215"
},
{
"id": "Ransom:Win32/CVE-2017-0147",
"display_name": "Ransom:Win32/CVE-2017-0147",
"target": "/malware/Ransom:Win32/CVE-2017-0147"
},
{
"id": "CVE-2022-26134",
"display_name": "CVE-2022-26134",
"target": null
}
],
"attack_ids": [
{
"id": "T1060",
"name": "Registry Run Keys / Startup Folder",
"display_name": "T1060 - Registry Run Keys / Startup Folder"
},
{
"id": "T1063",
"name": "Security Software Discovery",
"display_name": "T1063 - Security Software Discovery"
},
{
"id": "T1119",
"name": "Automated Collection",
"display_name": "T1119 - Automated Collection"
},
{
"id": "T1045",
"name": "Software Packing",
"display_name": "T1045 - Software Packing"
},
{
"id": "T1059",
"name": "Command and Scripting Interpreter",
"display_name": "T1059 - Command and Scripting Interpreter"
},
{
"id": "T1129",
"name": "Shared Modules",
"display_name": "T1129 - Shared Modules"
},
{
"id": "T1179",
"name": "Hooking",
"display_name": "T1179 - Hooking"
},
{
"id": "T1547",
"name": "Boot or Logon Autostart Execution",
"display_name": "T1547 - Boot or Logon Autostart Execution"
},
{
"id": "T1569",
"name": "System Services",
"display_name": "T1569 - System Services"
},
{
"id": "T1057",
"name": "Process Discovery",
"display_name": "T1057 - Process Discovery"
},
{
"id": "T1027",
"name": "Obfuscated Files or Information",
"display_name": "T1027 - Obfuscated Files or Information"
},
{
"id": "T1069",
"name": "Permission Groups Discovery",
"display_name": "T1069 - Permission Groups Discovery"
},
{
"id": "T1071",
"name": "Application Layer Protocol",
"display_name": "T1071 - Application Layer Protocol"
},
{
"id": "T1105",
"name": "Ingress Tool Transfer",
"display_name": "T1105 - Ingress Tool Transfer"
},
{
"id": "T1480",
"name": "Execution Guardrails",
"display_name": "T1480 - Execution Guardrails"
},
{
"id": "T1553",
"name": "Subvert Trust Controls",
"display_name": "T1553 - Subvert Trust Controls"
},
{
"id": "T1568",
"name": "Dynamic Resolution",
"display_name": "T1568 - Dynamic Resolution"
},
{
"id": "T1457",
"name": "Malicious Media Content",
"display_name": "T1457 - Malicious Media Content"
},
{
"id": "T1071.004",
"name": "DNS",
"display_name": "T1071.004 - DNS"
}
],
"industries": [],
"TLP": "white",
"cloned_from": null,
"export_count": 12,
"upvotes_count": 0,
"downvotes_count": 0,
"votes_count": 0,
"locked": false,
"pulse_source": "web",
"validator_count": 0,
"comment_count": 0,
"follower_count": 0,
"vote": 0,
"author": {
"username": "Q.Vashti",
"id": "337942",
"avatar_url": "https://otx.alienvault.com/assets/images/default-avatar.png",
"is_subscribed": false,
"is_following": false
},
"indicator_type_counts": {
"URL": 6051,
"hostname": 2627,
"FileHash-MD5": 401,
"FileHash-SHA1": 257,
"email": 11,
"domain": 1838,
"FileHash-SHA256": 1742,
"CVE": 4,
"SSLCertFingerprint": 3
},
"indicator_count": 12934,
"is_author": false,
"is_subscribing": null,
"subscriber_count": 140,
"modified_text": "136 days ago ",
"is_modified": true,
"groups": [],
"in_group": false,
"threat_hunter_scannable": true,
"threat_hunter_has_agents": 1,
"related_indicator_type": "URL",
"related_indicator_is_active": 1
},
{
"id": "6906bd99cadbd4140014c6af",
"name": "Espionage - Gravity RAT + | Legal entities are State owned. Attacking severely injured PT\u2019s SA victim.",
"description": "Fastly CDN for Palantir (Verizon) unless updated. Very malicious IoC\u2019s found evaluating IoC\u2019 from Christopher Ahmann - TAM Legal link.\n- Made contact with victim several times.\n- Illegal contact made with attorneys considering representing Tsara. \n- https://unicef.se/assets/apple - link related to defraud Tsara to think she\u2019d violated Patriot Act warranting NSA , Palinter espionage.\n\nAhmann is named as special counsel but he , like Brian Sabey are \u2018ONLY\u2019 cyber attacking Tsara Brashears.\n\n- protecting Jeffrey Reimer DPT, multiple doctors, Concentra, blocked and denied care , hired a hitman/men and it would have. Even cheaper to pay her for the injuries she never sought compensation for due to aggressive attacks and threats.",
"modified": "2025-12-02T01:05:30.331000",
"created": "2025-11-02T02:10:33.546000",
"tags": [
"ipv4",
"active related",
"trojandropper",
"mtb jun",
"lowfi",
"trojan",
"mtb jan",
"fastly error",
"please",
"united",
"ttl value",
"get na",
"total",
"delete",
"search",
"yara detections",
"sinkhole cookie",
"value snkz",
"write",
"suspicious",
"ransom",
"malware",
"Ransom.Win32.Birele.gsg Checkin",
"AnubisNetworks Sinkhole Cookie Value Snkz",
"Possible Compromised Host",
"dynamicloader",
"delete c",
"default",
"medium",
"write c",
"settingswpad",
"intel",
"ms windows",
"users",
"number",
"title",
"installer",
"top source",
"top destination",
"source source",
"port",
"filehash",
"av detections",
"ids detections",
"yara rule",
"gravityrat",
"detectvm",
"x00 x00",
"x00x00",
"doviacmd",
"rootjob",
"getfiles",
"updateserver",
"ethernetid",
"ids signatures",
"exploits",
"sid name",
"malware cve",
"dns query",
"dnsbin demo",
"data exfil",
"exif data",
"DNS Query for Webhook/HTTP Request Inspection Service (x .pipedr",
"DNSBin Demo (requestbin .net) - Data Exfitration",
"source port",
"destination",
"present sep",
"script urls",
"script script",
"a domains",
"script domains",
"ip address",
"meta",
"present nov",
"passive dns",
"next associated",
"domain add",
"pe executable",
"entries",
"show",
"msie",
"windows nt",
"wow64",
"copy",
"present jan",
"present feb",
"domain",
"pulse pulses",
"urls",
"files",
"tam legal",
"christopher ahmann",
"https://unicef.se/assets/apple",
"treece alfrey",
"hours ago",
"information",
"report spam",
"ahmann colorado",
"state",
"special cousel",
"created",
"expiro",
"capture"
],
"references": [
"Fastly IP Block: 151.101.0.0/16 | Organizations like Palantir may use third-party services such as Fastly's CDN",
"Fastly Error and Palantir blocked several times over the last few months.",
"Denver ; ISP, Fastly, Inc. ; Organization, Fastly, Inc. ; Network, AS54113 Fastly, Inc. (VPN, CDN, DDOSM,)",
"IP Region, Quebec. City ; Net Range, 151.101.0.0 - 151.101.255.255. CIDR ; Full Name, Fastly, Inc.",
"Palantir quasi government client Ab/using Palantir subdomains , Fastly is CDN",
"Yara: SUSP_ENV_Folder_Root_File_Jan23_1 %APPDATA%\\ewiuer2.exe SCRIPT",
"Win.Trojan.Vundo-7170412-0\t#Lowfi:SuspiciousSectionName",
"Link below used to defraud Tsara to think she\u2019d violated Patriot Act warranting NSA , Palinter espionage",
"https://unicef.se/assets/apple"
],
"public": 1,
"adversary": "",
"targeted_countries": [],
"malware_families": [
{
"id": "Trojan:Win32/Neconyd.A",
"display_name": "Trojan:Win32/Neconyd.A",
"target": "/malware/Trojan:Win32/Neconyd.A"
},
{
"id": "PWS:Win32/QQpass.FC",
"display_name": "PWS:Win32/QQpass.FC",
"target": "/malware/PWS:Win32/QQpass.FC"
},
{
"id": "Trojan:Win32/Zombie.A",
"display_name": "Trojan:Win32/Zombie.A",
"target": "/malware/Trojan:Win32/Zombie.A"
},
{
"id": "Win.Malware.Urelas-9863836-0",
"display_name": "Win.Malware.Urelas-9863836-0",
"target": null
},
{
"id": "ALF:HeraklezEval:Trojan:MSIL/Gravityrat!rfn",
"display_name": "ALF:HeraklezEval:Trojan:MSIL/Gravityrat!rfn",
"target": null
},
{
"id": "Win.Trojan.Vundo-7170412-0",
"display_name": "Win.Trojan.Vundo-7170412-0",
"target": null
},
{
"id": "#Lowfi:SuspiciousSectionName",
"display_name": "#Lowfi:SuspiciousSectionName",
"target": null
},
{
"id": "Multiple Malware\u2019s , Trojans and Rats",
"display_name": "Multiple Malware\u2019s , Trojans and Rats",
"target": null
}
],
"attack_ids": [
{
"id": "T1060",
"name": "Registry Run Keys / Startup Folder",
"display_name": "T1060 - Registry Run Keys / Startup Folder"
},
{
"id": "T1119",
"name": "Automated Collection",
"display_name": "T1119 - Automated Collection"
},
{
"id": "T1059.002",
"name": "AppleScript",
"display_name": "T1059.002 - AppleScript"
},
{
"id": "T1027",
"name": "Obfuscated Files or Information",
"display_name": "T1027 - Obfuscated Files or Information"
},
{
"id": "T1045",
"name": "Software Packing",
"display_name": "T1045 - Software Packing"
},
{
"id": "T1057",
"name": "Process Discovery",
"display_name": "T1057 - Process Discovery"
},
{
"id": "T1069",
"name": "Permission Groups Discovery",
"display_name": "T1069 - Permission Groups Discovery"
},
{
"id": "T1071",
"name": "Application Layer Protocol",
"display_name": "T1071 - Application Layer Protocol"
},
{
"id": "T1105",
"name": "Ingress Tool Transfer",
"display_name": "T1105 - Ingress Tool Transfer"
},
{
"id": "T1113",
"name": "Screen Capture",
"display_name": "T1113 - Screen Capture"
},
{
"id": "T1140",
"name": "Deobfuscate/Decode Files or Information",
"display_name": "T1140 - Deobfuscate/Decode Files or Information"
},
{
"id": "T1197",
"name": "BITS Jobs",
"display_name": "T1197 - BITS Jobs"
},
{
"id": "T1210",
"name": "Exploitation of Remote Services",
"display_name": "T1210 - Exploitation of Remote Services"
},
{
"id": "T1457",
"name": "Malicious Media Content",
"display_name": "T1457 - Malicious Media Content"
},
{
"id": "T1480",
"name": "Execution Guardrails",
"display_name": "T1480 - Execution Guardrails"
},
{
"id": "T1553",
"name": "Subvert Trust Controls",
"display_name": "T1553 - Subvert Trust Controls"
},
{
"id": "T1562",
"name": "Impair Defenses",
"display_name": "T1562 - Impair Defenses"
},
{
"id": "T1568",
"name": "Dynamic Resolution",
"display_name": "T1568 - Dynamic Resolution"
},
{
"id": "T1574",
"name": "Hijack Execution Flow",
"display_name": "T1574 - Hijack Execution Flow"
},
{
"id": "T1583",
"name": "Acquire Infrastructure",
"display_name": "T1583 - Acquire Infrastructure"
}
],
"industries": [],
"TLP": "white",
"cloned_from": null,
"export_count": 18,
"upvotes_count": 0,
"downvotes_count": 0,
"votes_count": 0,
"locked": false,
"pulse_source": "web",
"validator_count": 0,
"comment_count": 0,
"follower_count": 0,
"vote": 0,
"author": {
"username": "Q.Vashti",
"id": "337942",
"avatar_url": "https://otx.alienvault.com/assets/images/default-avatar.png",
"is_subscribed": false,
"is_following": false
},
"indicator_type_counts": {
"FileHash-SHA256": 909,
"domain": 449,
"hostname": 1403,
"URL": 3552,
"CIDR": 1,
"FileHash-MD5": 242,
"FileHash-SHA1": 185,
"email": 1
},
"indicator_count": 6742,
"is_author": false,
"is_subscribing": null,
"subscriber_count": 137,
"modified_text": "138 days ago ",
"is_modified": true,
"groups": [],
"in_group": false,
"threat_hunter_scannable": true,
"threat_hunter_has_agents": 1,
"related_indicator_type": "URL",
"related_indicator_is_active": 1
},
{
"id": "69069167e1e2a222bd7762f2",
"name": "Palantir - Spyware",
"description": "",
"modified": "2025-11-22T00:01:42.464000",
"created": "2025-11-01T23:01:59.339000",
"tags": [
"url https",
"url http",
"hostname",
"mulweli",
"mphomafmulweli",
"indicator role",
"ipv4",
"type indicator",
"added active",
"related pulses",
"united",
"envoy error",
"certificate",
"urls",
"emails",
"active related",
"africa",
"span",
"gmt server",
"colorado",
"denver",
"palantir",
"listen",
"listen linda",
"linda listen",
"listeners @ dantesdragon",
"palantir",
"all y",
"se referen",
"data upload",
"extraction",
"extra",
"referen data",
"overview domain",
"passive dns",
"files ip",
"address",
"asn asnone",
"as14618",
"all se",
"include review",
"exclude sugges",
"failed",
"typo",
"status",
"search",
"record value",
"server",
"domain status",
"key identifier",
"x509v3 subject",
"full name",
"registrar abuse",
"registrar",
"data",
"v3 serial",
"code",
"number",
"cus odigicert",
"inc cndigicert",
"global g2",
"tls rsa",
"sha256",
"united states",
"power query",
"microsoft learn",
"ordenar por",
"foundry",
"input",
"blocked",
"error id",
"conector",
"por ejemplo",
"sensitive",
"quickstart",
"present aug",
"present oct",
"unknown ns",
"showing",
"present sep",
"moved",
"title",
"files",
"reverse dns",
"location united",
"america flag",
"america asn",
"asnone dns",
"resolutions",
"dga domain",
"ipv4 add",
"url analysis",
"name servers",
"div div",
"expiration date",
"page",
"present nov",
"present jan",
"present dec",
"present mar",
"present feb",
"virtool",
"cryp",
"error",
"win32",
"domain",
"ip address",
"domain add",
"next associated",
"pulse pulses",
"ashburn",
"extr referen",
"exclude",
"sugges",
"pulse submit",
"date",
"present jul",
"present jun",
"fastly error",
"please",
"handle",
"entity",
"record type",
"ttl value",
"msms93992282",
"read c",
"show",
"medium",
"tlsv1",
"whitelisted",
"module load",
"t1129",
"execution",
"dock",
"write",
"persistence",
"next",
"unknown",
"connector",
"cybercrime",
"harassment"
],
"references": [
"Products are being abused. Users are over zealous at blocking targets from basic human rights and privacy."
],
"public": 1,
"adversary": "Quickstart",
"targeted_countries": [
"United States of America"
],
"malware_families": [
{
"id": "Multiple Malware Attack",
"display_name": "Multiple Malware Attack",
"target": null
}
],
"attack_ids": [
{
"id": "T1053",
"name": "Scheduled Task/Job",
"display_name": "T1053 - Scheduled Task/Job"
},
{
"id": "T1055",
"name": "Process Injection",
"display_name": "T1055 - Process Injection"
},
{
"id": "T1082",
"name": "System Information Discovery",
"display_name": "T1082 - System Information Discovery"
},
{
"id": "T1112",
"name": "Modify Registry",
"display_name": "T1112 - Modify Registry"
},
{
"id": "T1119",
"name": "Automated Collection",
"display_name": "T1119 - Automated Collection"
},
{
"id": "T1129",
"name": "Shared Modules",
"display_name": "T1129 - Shared Modules"
},
{
"id": "T1143",
"name": "Hidden Window",
"display_name": "T1143 - Hidden Window"
},
{
"id": "TA0003",
"name": "Persistence",
"display_name": "TA0003 - Persistence"
},
{
"id": "T1068",
"name": "Exploitation for Privilege Escalation",
"display_name": "T1068 - Exploitation for Privilege Escalation"
},
{
"id": "T1147",
"name": "Hidden Users",
"display_name": "T1147 - Hidden Users"
},
{
"id": "T1449",
"name": "Exploit SS7 to Redirect Phone Calls/SMS",
"display_name": "T1449 - Exploit SS7 to Redirect Phone Calls/SMS"
},
{
"id": "T1210",
"name": "Exploitation of Remote Services",
"display_name": "T1210 - Exploitation of Remote Services"
},
{
"id": "T1105",
"name": "Ingress Tool Transfer",
"display_name": "T1105 - Ingress Tool Transfer"
},
{
"id": "T1211",
"name": "Exploitation for Defense Evasion",
"display_name": "T1211 - Exploitation for Defense Evasion"
},
{
"id": "T1480",
"name": "Execution Guardrails",
"display_name": "T1480 - Execution Guardrails"
},
{
"id": "T1027.005",
"name": "Indicator Removal from Tools",
"display_name": "T1027.005 - Indicator Removal from Tools"
},
{
"id": "T1573",
"name": "Encrypted Channel",
"display_name": "T1573 - Encrypted Channel"
},
{
"id": "T1057",
"name": "Process Discovery",
"display_name": "T1057 - Process Discovery"
},
{
"id": "T1069.002",
"name": "Domain Groups",
"display_name": "T1069.002 - Domain Groups"
},
{
"id": "T1070.004",
"name": "File Deletion",
"display_name": "T1070.004 - File Deletion"
},
{
"id": "T1132.002",
"name": "Non-Standard Encoding",
"display_name": "T1132.002 - Non-Standard Encoding"
},
{
"id": "T1071",
"name": "Application Layer Protocol",
"display_name": "T1071 - Application Layer Protocol"
},
{
"id": "T1071.004",
"name": "DNS",
"display_name": "T1071.004 - DNS"
},
{
"id": "T1568.002",
"name": "Domain Generation Algorithms",
"display_name": "T1568.002 - Domain Generation Algorithms"
}
],
"industries": [
"Technology",
"Government"
],
"TLP": "green",
"cloned_from": "68f9a1ef2dd26ec62a3c298c",
"export_count": 7,
"upvotes_count": 0,
"downvotes_count": 0,
"votes_count": 0,
"locked": false,
"pulse_source": "web",
"validator_count": 0,
"comment_count": 0,
"follower_count": 0,
"vote": 0,
"author": {
"username": "privacynotacrime",
"id": "349346",
"avatar_url": "https://otx.alienvault.com/assets/images/default-avatar.png",
"is_subscribed": false,
"is_following": false
},
"indicator_type_counts": {
"hostname": 2865,
"URL": 5728,
"email": 11,
"FileHash-MD5": 91,
"FileHash-SHA1": 75,
"FileHash-SHA256": 1713,
"domain": 1193,
"CVE": 1,
"SSLCertFingerprint": 2
},
"indicator_count": 11679,
"is_author": false,
"is_subscribing": null,
"subscriber_count": 57,
"modified_text": "148 days ago ",
"is_modified": true,
"groups": [],
"in_group": false,
"threat_hunter_scannable": true,
"threat_hunter_has_agents": 1,
"related_indicator_type": "URL",
"related_indicator_is_active": 1
},
{
"id": "68f9a6f4e35193c04401daaf",
"name": "Emotet & VirTool Obsfuscator - Registrar abuse tracking civilians",
"description": "",
"modified": "2025-11-22T00:01:42.464000",
"created": "2025-10-23T03:54:28.671000",
"tags": [
"url https",
"url http",
"hostname",
"mulweli",
"mphomafmulweli",
"indicator role",
"ipv4",
"type indicator",
"added active",
"related pulses",
"united",
"envoy error",
"certificate",
"urls",
"emails",
"active related",
"africa",
"span",
"gmt server",
"colorado",
"denver",
"palantir",
"listen",
"listen linda",
"linda listen",
"listeners @ dantesdragon",
"palantir",
"all y",
"se referen",
"data upload",
"extraction",
"extra",
"referen data",
"overview domain",
"passive dns",
"files ip",
"address",
"asn asnone",
"as14618",
"all se",
"include review",
"exclude sugges",
"failed",
"typo",
"status",
"search",
"record value",
"server",
"domain status",
"key identifier",
"x509v3 subject",
"full name",
"registrar abuse",
"registrar",
"data",
"v3 serial",
"code",
"number",
"cus odigicert",
"inc cndigicert",
"global g2",
"tls rsa",
"sha256",
"united states",
"power query",
"microsoft learn",
"ordenar por",
"foundry",
"input",
"blocked",
"error id",
"conector",
"por ejemplo",
"sensitive",
"quickstart",
"present aug",
"present oct",
"unknown ns",
"showing",
"present sep",
"moved",
"title",
"files",
"reverse dns",
"location united",
"america flag",
"america asn",
"asnone dns",
"resolutions",
"dga domain",
"ipv4 add",
"url analysis",
"name servers",
"div div",
"expiration date",
"page",
"present nov",
"present jan",
"present dec",
"present mar",
"present feb",
"virtool",
"cryp",
"error",
"win32",
"domain",
"ip address",
"domain add",
"next associated",
"pulse pulses",
"ashburn",
"extr referen",
"exclude",
"sugges",
"pulse submit",
"date",
"present jul",
"present jun",
"fastly error",
"please",
"handle",
"entity",
"record type",
"ttl value",
"msms93992282",
"read c",
"show",
"medium",
"tlsv1",
"whitelisted",
"module load",
"t1129",
"execution",
"dock",
"write",
"persistence",
"next",
"unknown",
"connector",
"cybercrime",
"harassment"
],
"references": [
"Products are being abused. Users are over zealous at blocking targets from basic human rights and privacy."
],
"public": 1,
"adversary": "Quickstart",
"targeted_countries": [
"United States of America"
],
"malware_families": [
{
"id": "Multiple Malware Attack",
"display_name": "Multiple Malware Attack",
"target": null
}
],
"attack_ids": [
{
"id": "T1053",
"name": "Scheduled Task/Job",
"display_name": "T1053 - Scheduled Task/Job"
},
{
"id": "T1055",
"name": "Process Injection",
"display_name": "T1055 - Process Injection"
},
{
"id": "T1082",
"name": "System Information Discovery",
"display_name": "T1082 - System Information Discovery"
},
{
"id": "T1112",
"name": "Modify Registry",
"display_name": "T1112 - Modify Registry"
},
{
"id": "T1119",
"name": "Automated Collection",
"display_name": "T1119 - Automated Collection"
},
{
"id": "T1129",
"name": "Shared Modules",
"display_name": "T1129 - Shared Modules"
},
{
"id": "T1143",
"name": "Hidden Window",
"display_name": "T1143 - Hidden Window"
},
{
"id": "TA0003",
"name": "Persistence",
"display_name": "TA0003 - Persistence"
},
{
"id": "T1068",
"name": "Exploitation for Privilege Escalation",
"display_name": "T1068 - Exploitation for Privilege Escalation"
},
{
"id": "T1147",
"name": "Hidden Users",
"display_name": "T1147 - Hidden Users"
},
{
"id": "T1449",
"name": "Exploit SS7 to Redirect Phone Calls/SMS",
"display_name": "T1449 - Exploit SS7 to Redirect Phone Calls/SMS"
},
{
"id": "T1210",
"name": "Exploitation of Remote Services",
"display_name": "T1210 - Exploitation of Remote Services"
},
{
"id": "T1105",
"name": "Ingress Tool Transfer",
"display_name": "T1105 - Ingress Tool Transfer"
},
{
"id": "T1211",
"name": "Exploitation for Defense Evasion",
"display_name": "T1211 - Exploitation for Defense Evasion"
},
{
"id": "T1480",
"name": "Execution Guardrails",
"display_name": "T1480 - Execution Guardrails"
},
{
"id": "T1027.005",
"name": "Indicator Removal from Tools",
"display_name": "T1027.005 - Indicator Removal from Tools"
},
{
"id": "T1573",
"name": "Encrypted Channel",
"display_name": "T1573 - Encrypted Channel"
},
{
"id": "T1057",
"name": "Process Discovery",
"display_name": "T1057 - Process Discovery"
},
{
"id": "T1069.002",
"name": "Domain Groups",
"display_name": "T1069.002 - Domain Groups"
},
{
"id": "T1070.004",
"name": "File Deletion",
"display_name": "T1070.004 - File Deletion"
},
{
"id": "T1132.002",
"name": "Non-Standard Encoding",
"display_name": "T1132.002 - Non-Standard Encoding"
},
{
"id": "T1071",
"name": "Application Layer Protocol",
"display_name": "T1071 - Application Layer Protocol"
},
{
"id": "T1071.004",
"name": "DNS",
"display_name": "T1071.004 - DNS"
},
{
"id": "T1568.002",
"name": "Domain Generation Algorithms",
"display_name": "T1568.002 - Domain Generation Algorithms"
}
],
"industries": [
"Technology",
"Government"
],
"TLP": "green",
"cloned_from": "68f9a1ef2dd26ec62a3c298c",
"export_count": 6,
"upvotes_count": 0,
"downvotes_count": 0,
"votes_count": 0,
"locked": false,
"pulse_source": "web",
"validator_count": 0,
"comment_count": 2,
"follower_count": 0,
"vote": 0,
"author": {
"username": "Q.Vashti",
"id": "337942",
"avatar_url": "https://otx.alienvault.com/assets/images/default-avatar.png",
"is_subscribed": false,
"is_following": false
},
"indicator_type_counts": {
"hostname": 2865,
"URL": 5728,
"email": 11,
"FileHash-MD5": 91,
"FileHash-SHA1": 75,
"FileHash-SHA256": 1713,
"domain": 1193,
"CVE": 1,
"SSLCertFingerprint": 2
},
"indicator_count": 11679,
"is_author": false,
"is_subscribing": null,
"subscriber_count": 141,
"modified_text": "148 days ago ",
"is_modified": true,
"groups": [],
"in_group": false,
"threat_hunter_scannable": true,
"threat_hunter_has_agents": 1,
"related_indicator_type": "URL",
"related_indicator_is_active": 1
},
{
"id": "68f9a1ef2dd26ec62a3c298c",
"name": "Listeners - Malicious Over the top espionage | Cyber Warfare?",
"description": "Cyber attacks on targeted devices stored safely, separately, don\u2019t communicate with one another. PalantirFoundry.com shares IP addresses with Fastly. South African IP\u2019s and DGA domains bounce from US Denver , Co based IP and Domain addresses. Registrar Abuse: HTTP/2 404 content type: text/html content length: 2263 date: Wed 22 Oct 2025 22:32:18 GMT server: Envoy\n443 Certificate Subject: US\n443 Certificate Subject: Colorado\n443 Certificate Subject: Denver\n443 Certificate Subject: Palantir Technologies Inc.\n443 Certificate Subject: listeners.usw-19.palantirfoundry.com",
"modified": "2025-11-22T00:01:42.464000",
"created": "2025-10-23T03:33:03.315000",
"tags": [
"url https",
"url http",
"hostname",
"mulweli",
"mphomafmulweli",
"indicator role",
"ipv4",
"type indicator",
"added active",
"related pulses",
"united",
"envoy error",
"certificate",
"urls",
"emails",
"active related",
"africa",
"span",
"gmt server",
"colorado",
"denver",
"palantir",
"listen",
"listen linda",
"linda listen",
"listeners @ dantesdragon",
"palantir",
"all y",
"se referen",
"data upload",
"extraction",
"extra",
"referen data",
"overview domain",
"passive dns",
"files ip",
"address",
"asn asnone",
"as14618",
"all se",
"include review",
"exclude sugges",
"failed",
"typo",
"status",
"search",
"record value",
"server",
"domain status",
"key identifier",
"x509v3 subject",
"full name",
"registrar abuse",
"registrar",
"data",
"v3 serial",
"code",
"number",
"cus odigicert",
"inc cndigicert",
"global g2",
"tls rsa",
"sha256",
"united states",
"power query",
"microsoft learn",
"ordenar por",
"foundry",
"input",
"blocked",
"error id",
"conector",
"por ejemplo",
"sensitive",
"quickstart",
"present aug",
"present oct",
"unknown ns",
"showing",
"present sep",
"moved",
"title",
"files",
"reverse dns",
"location united",
"america flag",
"america asn",
"asnone dns",
"resolutions",
"dga domain",
"ipv4 add",
"url analysis",
"name servers",
"div div",
"expiration date",
"page",
"present nov",
"present jan",
"present dec",
"present mar",
"present feb",
"virtool",
"cryp",
"error",
"win32",
"domain",
"ip address",
"domain add",
"next associated",
"pulse pulses",
"ashburn",
"extr referen",
"exclude",
"sugges",
"pulse submit",
"date",
"present jul",
"present jun",
"fastly error",
"please",
"handle",
"entity",
"record type",
"ttl value",
"msms93992282",
"read c",
"show",
"medium",
"tlsv1",
"whitelisted",
"module load",
"t1129",
"execution",
"dock",
"write",
"persistence",
"next",
"unknown",
"connector",
"cybercrime",
"harassment"
],
"references": [
"Products are being abused. Users are over zealous at blocking targets from basic human rights and privacy."
],
"public": 1,
"adversary": "Quickstart",
"targeted_countries": [
"United States of America"
],
"malware_families": [
{
"id": "Multiple Malware Attack",
"display_name": "Multiple Malware Attack",
"target": null
}
],
"attack_ids": [
{
"id": "T1053",
"name": "Scheduled Task/Job",
"display_name": "T1053 - Scheduled Task/Job"
},
{
"id": "T1055",
"name": "Process Injection",
"display_name": "T1055 - Process Injection"
},
{
"id": "T1082",
"name": "System Information Discovery",
"display_name": "T1082 - System Information Discovery"
},
{
"id": "T1112",
"name": "Modify Registry",
"display_name": "T1112 - Modify Registry"
},
{
"id": "T1119",
"name": "Automated Collection",
"display_name": "T1119 - Automated Collection"
},
{
"id": "T1129",
"name": "Shared Modules",
"display_name": "T1129 - Shared Modules"
},
{
"id": "T1143",
"name": "Hidden Window",
"display_name": "T1143 - Hidden Window"
},
{
"id": "TA0003",
"name": "Persistence",
"display_name": "TA0003 - Persistence"
},
{
"id": "T1068",
"name": "Exploitation for Privilege Escalation",
"display_name": "T1068 - Exploitation for Privilege Escalation"
},
{
"id": "T1147",
"name": "Hidden Users",
"display_name": "T1147 - Hidden Users"
},
{
"id": "T1449",
"name": "Exploit SS7 to Redirect Phone Calls/SMS",
"display_name": "T1449 - Exploit SS7 to Redirect Phone Calls/SMS"
},
{
"id": "T1210",
"name": "Exploitation of Remote Services",
"display_name": "T1210 - Exploitation of Remote Services"
},
{
"id": "T1105",
"name": "Ingress Tool Transfer",
"display_name": "T1105 - Ingress Tool Transfer"
},
{
"id": "T1211",
"name": "Exploitation for Defense Evasion",
"display_name": "T1211 - Exploitation for Defense Evasion"
},
{
"id": "T1480",
"name": "Execution Guardrails",
"display_name": "T1480 - Execution Guardrails"
},
{
"id": "T1027.005",
"name": "Indicator Removal from Tools",
"display_name": "T1027.005 - Indicator Removal from Tools"
},
{
"id": "T1573",
"name": "Encrypted Channel",
"display_name": "T1573 - Encrypted Channel"
},
{
"id": "T1057",
"name": "Process Discovery",
"display_name": "T1057 - Process Discovery"
},
{
"id": "T1069.002",
"name": "Domain Groups",
"display_name": "T1069.002 - Domain Groups"
},
{
"id": "T1070.004",
"name": "File Deletion",
"display_name": "T1070.004 - File Deletion"
},
{
"id": "T1132.002",
"name": "Non-Standard Encoding",
"display_name": "T1132.002 - Non-Standard Encoding"
},
{
"id": "T1071",
"name": "Application Layer Protocol",
"display_name": "T1071 - Application Layer Protocol"
},
{
"id": "T1071.004",
"name": "DNS",
"display_name": "T1071.004 - DNS"
},
{
"id": "T1568.002",
"name": "Domain Generation Algorithms",
"display_name": "T1568.002 - Domain Generation Algorithms"
}
],
"industries": [
"Technology",
"Government"
],
"TLP": "green",
"cloned_from": null,
"export_count": 7,
"upvotes_count": 0,
"downvotes_count": 0,
"votes_count": 0,
"locked": false,
"pulse_source": "web",
"validator_count": 0,
"comment_count": 0,
"follower_count": 0,
"vote": 0,
"author": {
"username": "Q.Vashti",
"id": "337942",
"avatar_url": "https://otx.alienvault.com/assets/images/default-avatar.png",
"is_subscribed": false,
"is_following": false
},
"indicator_type_counts": {
"hostname": 2865,
"URL": 5728,
"email": 11,
"FileHash-MD5": 91,
"FileHash-SHA1": 75,
"FileHash-SHA256": 1713,
"domain": 1193,
"CVE": 1,
"SSLCertFingerprint": 2
},
"indicator_count": 11679,
"is_author": false,
"is_subscribing": null,
"subscriber_count": 180,
"modified_text": "148 days ago ",
"is_modified": true,
"groups": [],
"in_group": false,
"threat_hunter_scannable": true,
"threat_hunter_has_agents": 1,
"related_indicator_type": "URL",
"related_indicator_is_active": 1
},
{
"id": "6888a85aa32aab22f638d0e6",
"name": "Autodesk issue in CrowdStrike prior to outage | [by scoreblue]",
"description": "",
"modified": "2025-07-29T10:54:18.501000",
"created": "2025-07-29T10:54:18.501000",
"tags": [
"healthy check",
"ssl bypass",
"domain tracker",
"privacy badger",
"startpage",
"w11 pc",
"pass",
"iocs",
"all scoreblue",
"pdf report",
"pcap",
"stix",
"avast avg",
"no expiration",
"status",
"name servers",
"moved",
"h1 center",
"next",
"sec ch",
"ch ua",
"ua platform",
"emails",
"certificate",
"passive dns",
"urls",
"encrypt",
"body",
"pe32 executable",
"ms windows",
"intel",
"windows control",
"panel item",
"dos borland",
"executable",
"algorithm",
"thumbprint",
"serial number",
"signing ca",
"symantec time",
"stamping",
"g2 name",
"g2 issuer",
"class",
"code",
"kb pe",
"csc corporate",
"porkbun llc",
"gandi sas",
"request",
"path",
"get https",
"get http",
"response",
"cachecontrol",
"pragma",
"connection",
"gmt connection",
"accept",
"slug",
"as29789",
"united",
"unknown",
"ransom",
"heur",
"server",
"registrar abuse",
"san rafael",
"autodesk",
"contact phone",
"registrar url",
"process32nextw",
"create c",
"read c",
"writeconsolew",
"delete",
"write",
"show",
"malware",
"write c",
"regsetvalueexa",
"delete c",
"search",
"regdword",
"whitelisted",
"panda banker",
"ursnif",
"win32",
"persistence",
"execution",
"banker",
"local",
"domain",
"servers",
"pulse pulses",
"files",
"ip address",
"creation date",
"united kingdom",
"as9009 m247",
"ipv4",
"pulse submit",
"url analysis",
"twitter",
"as16552 tiggee",
"as397241",
"as397240",
"entries",
"cname",
"nxdomain",
"a nxdomain",
"worm",
"file samples",
"files matching",
"alf features",
"denver co",
"wewatta",
"scan endpoints",
"related pulses",
"date hash",
"showing",
"as62597 nsone",
"date",
"trojanspy",
"cookie",
"hostmaster",
"expiration date",
"msie",
"windows nt",
"wow64",
"slcc2",
"media center",
"tls handshake",
"et info",
"getdc0x2a",
"failure",
"post http",
"copy",
"crash",
"ascii text",
"ascii",
"jpeg image",
"artemis",
"trojan",
"virustotal",
"mike",
"vipre",
"panda",
"win32mediadrug",
"win324shared",
"win32spigot",
"hstr",
"lowfi",
"yara detections",
"contacted",
"report spam",
"mozilla",
"trojanclicker",
"url http",
"url https",
"role title",
"added active",
"type indicator",
"source domain",
"akamai rank",
"hostname",
"ver2",
"msclkidn",
"vids0",
"global outage",
"cobalt strike",
"fancy bear",
"communications",
"android device",
"cnc beacon",
"suspicious ua",
"youtube",
"sakula rat",
"mivast",
"sakula",
"windows",
"samuel tulach",
"light dark",
"samuel",
"tulach",
"hyperv",
"detecting",
"writing gui",
"bootkits",
"world",
"information",
"discovery",
"t1027",
"t1057",
"t1071",
"protocol",
"t1105",
"tool transfer",
"t1129",
"capture",
"service",
"t1119"
],
"references": [
"autodesk.com [ Everything below was found in Autodesk [including crowdstrike & any.desk] Found in in Crowdsrike if labeled.",
"66.254.114.234 | reflectededge.reflected.net | reflected.net | 192.0.2.0 | https://www.brazzers.com/ | brazzers.com | brazzersnetwork.com",
"keezmovies.com | redtube.com | tube8.com | tube8.com | youporn.com| 0.brazzers.com | www.g-tunnel.comwww.brazzers.com |",
"Win32:Mystic , Win.Trojan.Xblocker-236 \u00bbFileHash-SHA256 8c59adbccc1987d13fec983f1e2be046611511b65479d1719bda77c5c90bbe21",
"IDS Detections: TLS Handshake Failure | Alerts: network_icmp , injection",
"Win32:BankerX-gen\\ [Trj] \u00bb FileHash-SHA256 2e5118d15a18ae852bf94d91707ff634d9d8354fef492f5c4e1c46b9cf96184c",
"IDS Detections: Zeus Panda Banker / Ursnif Malicious SSL Certificate Detected TLS Handshake Failure",
"Alerts: network_icmp antisandbox_idletime modifies_certificates modifies_proxy_wpad disables_proxy",
"RedTube.com Detections: ALF:AGGR:OpcCl:95!ml , ALF:JASYP:Backdoor:Win32/Cycbot!atmn , Win.Downloader.117423-1 ,",
"RedTube.com Detections: Win.Trojan.Crypt-321 , Win.Trojan.FakeAV-4166 , Win.Trojan.Fakeav-10977 , Win.Trojan.Fakeav-3386",
"Crowdstrike: wildcard.352-445-1166.device.sim.to.img.sedoparking.com",
"Crowdstrike: maxfehlinger.de http://auth.cranberry.testing.maxfehlinger.de | http://latex.cranberry.testing.maxfehlinger.de |",
"Crowdstrike: https://traefik.cranberry.testing.maxfehlinger.de | http://traefik.cranberry.testing.maxfehlinger.de |",
"Crowdstrike: http://watchtower.cranberry.testing.maxfehlinger.de| https://auth.cranberry.testing.maxfehlinger.de |",
"Crowdstrike: auth.cranberry.testing.maxfehlinger.de | latex.cranberry.testing.maxfehlinger.de | traefik.cranberry.testing.maxfehlinger.de |",
"Crowdstrike: watchtower.cranberry.testing.maxfehlinger.de | https://latex.cranberry.testing.maxfehlinger.de |",
"Crowdstrike: https://www.anyxxxtube.net/search-porn/tsara-brashears/\tphishing\t| https://www.anyxxxtube.net/sitemap.xml",
"Crowdstrike: https://www.pornhub.com/gifs/search?search=tsara+lynn+brash |",
"Crowdstrike: autodesk.com | 0ds.autodesk.com | aknanalytics.autodesk.com | anubis.autodesk.com | autobetaint.autodesk.com",
"Crowdstrike: autodeskarchitecture.autodesk.com | beacon-dev3.autodesk.com | boxtooffice365.autodesk.com | brahma-studio.autodesk.com",
"Crowdstrike: cdc-stg-emea.autodesk.com | cloudcost.autodesk.com | cloudpc-stg.autodesk.com | d-s.autodesk.com |",
"Crowdstrike: daiwahouse-learning.autodesk.com| datagovernance-dev.autodesk.com | enterprise-api-np.autodesk.com",
"Crowdstrike: symcd.com [Certificate Subjectaltname \u00bb\u00bb anydesk.com \u00bb\u00bb http://gn.symcb.com/gn.crt Ocsp\thttp://gn.symcd.com] ANYDESK.COM-unsigned",
"Crowdstrike: https://bat.bing.com/action/0?ti=12001672&tm=al001&Ver=2&mid=12436868-a484-4998-931c-980262982f67&sid=b92cd8f0483e11efa3c96fe28be413cb&vid=b92cdd10483e11efb1024309353d849f&vids=1&msclkid=N&pi=-740138922&lg=en-US&sw=800&sh=600&sc=24&tl=CrowdStrike%3A%20Stop%20breaches.%20Drive%20business.&p=https%3A%2F%2Fwww.crowdstrike.com%2Fen-us%2F&r=<=1022&pt=1721661968606",
"Crowdstrike: \tbat.bing.com, https://tulach.cc, https://otx.alienvault.com/indicator/url/http://www.hallrender.com/attorney/brian-sabey",
"Crowdstrike: https://www.pornhub.com/gifs/search?search=tsara+lynn+brashears+lesbian | https://www.pornhub.com/video/search?search=tsara+brashears | www.youtube.com/watch?v=GyuMozsVyYs | www.pornhub.com | www.youtube.com",
"Crowdstrike: https://hr.employmenthero.com/rs/387-SZZ-170/images/youtube-icon-emp-hero-violet.png",
"Crowdstrike + Autodesk.com: hallrender.com/attorney/brian-sabey www.hallrender.com/attorney/brian-sabey hallrender.com www.hallrender.com https://hallrender.com milehighmedia.com https://www.milehighmedia.com/ https://www.milehighmedia.com/legal/2257",
"Crowdstrike + Autodesk.com: brassiere.world mail.brassiere.world webdisk.brassiere.world webmail.brassiere.world",
"Crowdstrike + Autodesk.com: 128 + symcd.com some w/issues | 658 autodesk.com pulse some w/issues | removed any.desk & boot",
"The more I say...Any.Desk + boot.net.anydesk.com was in OG Private CrowdsStrike pulse",
"Above links in search results direct out with and arrow pointing out.",
"https://otx.alienvault.com/browse/global/pulses?q=tag:%22esta%20caliente%22&include_inactive=0&sort=-modified&page=1&limit=10&indicatorsSearch=esta%20caliente",
"Above link opened 'esta caliente'= 'it's hot'| I did NOT do that | All connected links gone. This has become common.",
"I didn't add pertinent findings back to Pulse. Pulse comp,eyes says ago . Couldn't submit. It's was actually a tiny pulse of autodesk.com with crowdstrike relationship references,",
"boot.net.anydesk.com removed from my Pulse below",
"https://otx.alienvault.com/pulse/66d4c125ad61ee5577639a2d"
],
"public": 1,
"adversary": "",
"targeted_countries": [
"United States of America",
"Netherlands"
],
"malware_families": [
{
"id": "Win32:Mystic",
"display_name": "Win32:Mystic",
"target": null
},
{
"id": "Win.Trojan.Xblocker-236",
"display_name": "Win.Trojan.Xblocker-236",
"target": null
},
{
"id": "Ransom:Win32/Genasom",
"display_name": "Ransom:Win32/Genasom",
"target": "/malware/Ransom:Win32/Genasom"
},
{
"id": "Worm:Win32/Autorun",
"display_name": "Worm:Win32/Autorun",
"target": "/malware/Worm:Win32/Autorun"
},
{
"id": "ALF:JASYP:Backdoor:Win32/Cycbot",
"display_name": "ALF:JASYP:Backdoor:Win32/Cycbot",
"target": null
},
{
"id": "#LowFiEnableDTContinueAfterUnpacking",
"display_name": "#LowFiEnableDTContinueAfterUnpacking",
"target": null
},
{
"id": "TrojanSpy",
"display_name": "TrojanSpy",
"target": null
},
{
"id": "TrojanSpy:Win32/Usteal",
"display_name": "TrojanSpy:Win32/Usteal",
"target": "/malware/TrojanSpy:Win32/Usteal"
},
{
"id": "Win.Trojan.PoetRat-7669676-0",
"display_name": "Win.Trojan.PoetRat-7669676-0",
"target": null
},
{
"id": "Mivast",
"display_name": "Mivast",
"target": null
},
{
"id": "Sakula",
"display_name": "Sakula",
"target": null
}
],
"attack_ids": [
{
"id": "T1003",
"name": "OS Credential Dumping",
"display_name": "T1003 - OS Credential Dumping"
},
{
"id": "T1005",
"name": "Data from Local System",
"display_name": "T1005 - Data from Local System"
},
{
"id": "T1047",
"name": "Windows Management Instrumentation",
"display_name": "T1047 - Windows Management Instrumentation"
},
{
"id": "T1053",
"name": "Scheduled Task/Job",
"display_name": "T1053 - Scheduled Task/Job"
},
{
"id": "T1055",
"name": "Process Injection",
"display_name": "T1055 - Process Injection"
},
{
"id": "T1057",
"name": "Process Discovery",
"display_name": "T1057 - Process Discovery"
},
{
"id": "T1060",
"name": "Registry Run Keys / Startup Folder",
"display_name": "T1060 - Registry Run Keys / Startup Folder"
},
{
"id": "T1081",
"name": "Credentials in Files",
"display_name": "T1081 - Credentials in Files"
},
{
"id": "T1082",
"name": "System Information Discovery",
"display_name": "T1082 - System Information Discovery"
},
{
"id": "T1119",
"name": "Automated Collection",
"display_name": "T1119 - Automated Collection"
},
{
"id": "T1129",
"name": "Shared Modules",
"display_name": "T1129 - Shared Modules"
},
{
"id": "T1040",
"name": "Network Sniffing",
"display_name": "T1040 - Network Sniffing"
},
{
"id": "T1112",
"name": "Modify Registry",
"display_name": "T1112 - Modify Registry"
},
{
"id": "T1566",
"name": "Phishing",
"display_name": "T1566 - Phishing"
},
{
"id": "T1045",
"name": "Software Packing",
"display_name": "T1045 - Software Packing"
},
{
"id": "T1106",
"name": "Native API",
"display_name": "T1106 - Native API"
},
{
"id": "T1021",
"name": "Remote Services",
"display_name": "T1021 - Remote Services"
},
{
"id": "T1210",
"name": "Exploitation of Remote Services",
"display_name": "T1210 - Exploitation of Remote Services"
},
{
"id": "T1027",
"name": "Obfuscated Files or Information",
"display_name": "T1027 - Obfuscated Files or Information"
},
{
"id": "T1056",
"name": "Input Capture",
"display_name": "T1056 - Input Capture"
},
{
"id": "T1071",
"name": "Application Layer Protocol",
"display_name": "T1071 - Application Layer Protocol"
},
{
"id": "T1105",
"name": "Ingress Tool Transfer",
"display_name": "T1105 - Ingress Tool Transfer"
},
{
"id": "T1140",
"name": "Deobfuscate/Decode Files or Information",
"display_name": "T1140 - Deobfuscate/Decode Files or Information"
},
{
"id": "T1143",
"name": "Hidden Window",
"display_name": "T1143 - Hidden Window"
},
{
"id": "T1158",
"name": "Hidden Files and Directories",
"display_name": "T1158 - Hidden Files and Directories"
},
{
"id": "T1498",
"name": "Network Denial of Service",
"display_name": "T1498 - Network Denial of Service"
},
{
"id": "T1518",
"name": "Software Discovery",
"display_name": "T1518 - Software Discovery"
},
{
"id": "T1553",
"name": "Subvert Trust Controls",
"display_name": "T1553 - Subvert Trust Controls"
},
{
"id": "T1568",
"name": "Dynamic Resolution",
"display_name": "T1568 - Dynamic Resolution"
},
{
"id": "T1583",
"name": "Acquire Infrastructure",
"display_name": "T1583 - Acquire Infrastructure"
}
],
"industries": [],
"TLP": "white",
"cloned_from": "66d89c45ddc0c7db084b75b7",
"export_count": 19,
"upvotes_count": 0,
"downvotes_count": 0,
"votes_count": 0,
"locked": false,
"pulse_source": "web",
"validator_count": 0,
"comment_count": 0,
"follower_count": 0,
"vote": 0,
"author": {
"username": "Q.Vashti",
"id": "337942",
"avatar_url": "https://otx.alienvault.com/assets/images/default-avatar.png",
"is_subscribed": false,
"is_following": false
},
"indicator_type_counts": {
"FileHash-MD5": 1417,
"FileHash-SHA1": 1165,
"FileHash-SHA256": 6536,
"URL": 6112,
"domain": 1340,
"hostname": 2654,
"email": 15,
"SSLCertFingerprint": 9
},
"indicator_count": 19248,
"is_author": false,
"is_subscribing": null,
"subscriber_count": 139,
"modified_text": "264 days ago ",
"is_modified": false,
"groups": [],
"in_group": false,
"threat_hunter_scannable": true,
"threat_hunter_has_agents": 1,
"related_indicator_type": "URL",
"related_indicator_is_active": 1
},
{
"id": "66d89c45ddc0c7db084b75b7",
"name": "Autodesk weakens CS | Unauthorized AlienVault API | Stolen pulsed",
"description": "Critical issues within AlienVault , VT & my devices. Plugins auto installed after I opened message from AV user. Sudden redirects to 0/ http/s. Heavy modifications, removal of IoC's on AV & VT & Virus Total. Autodesk.com was under CrowdStrike until last night. Links where vulnerabilities were originating from completely disappeared from graph I kindly kept private. Continuous mods for months to Crowdstrike and other pulses. [https://otx.alienvault.com/api appears in search] A page opens with Tag: \"esta caliente\" | All linked pulses Gone. Only person who frequently contacted me appears where they didn't before & These dishonest billion $ companies cover up though they are at fault for allowing ALL threat actor to be protected with non adversarial businesses. Besides other compromises, surprisingly Brashears porn found in Crowdstrike/Autodesk others. Disappointing.",
"modified": "2024-10-04T17:02:07.067000",
"created": "2024-09-04T17:43:33.123000",
"tags": [
"healthy check",
"ssl bypass",
"domain tracker",
"privacy badger",
"startpage",
"w11 pc",
"pass",
"iocs",
"all scoreblue",
"pdf report",
"pcap",
"stix",
"avast avg",
"no expiration",
"status",
"name servers",
"moved",
"h1 center",
"next",
"sec ch",
"ch ua",
"ua platform",
"emails",
"certificate",
"passive dns",
"urls",
"encrypt",
"body",
"pe32 executable",
"ms windows",
"intel",
"windows control",
"panel item",
"dos borland",
"executable",
"algorithm",
"thumbprint",
"serial number",
"signing ca",
"symantec time",
"stamping",
"g2 name",
"g2 issuer",
"class",
"code",
"kb pe",
"csc corporate",
"porkbun llc",
"gandi sas",
"request",
"path",
"get https",
"get http",
"response",
"cachecontrol",
"pragma",
"connection",
"gmt connection",
"accept",
"slug",
"as29789",
"united",
"unknown",
"ransom",
"heur",
"server",
"registrar abuse",
"san rafael",
"autodesk",
"contact phone",
"registrar url",
"process32nextw",
"create c",
"read c",
"writeconsolew",
"delete",
"write",
"show",
"malware",
"write c",
"regsetvalueexa",
"delete c",
"search",
"regdword",
"whitelisted",
"panda banker",
"ursnif",
"win32",
"persistence",
"execution",
"banker",
"local",
"domain",
"servers",
"pulse pulses",
"files",
"ip address",
"creation date",
"united kingdom",
"as9009 m247",
"ipv4",
"pulse submit",
"url analysis",
"twitter",
"as16552 tiggee",
"as397241",
"as397240",
"entries",
"cname",
"nxdomain",
"a nxdomain",
"worm",
"file samples",
"files matching",
"alf features",
"denver co",
"wewatta",
"scan endpoints",
"related pulses",
"date hash",
"showing",
"as62597 nsone",
"date",
"trojanspy",
"cookie",
"hostmaster",
"expiration date",
"msie",
"windows nt",
"wow64",
"slcc2",
"media center",
"tls handshake",
"et info",
"getdc0x2a",
"failure",
"post http",
"copy",
"crash",
"ascii text",
"ascii",
"jpeg image",
"artemis",
"trojan",
"virustotal",
"mike",
"vipre",
"panda",
"win32mediadrug",
"win324shared",
"win32spigot",
"hstr",
"lowfi",
"yara detections",
"contacted",
"report spam",
"mozilla",
"trojanclicker",
"url http",
"url https",
"role title",
"added active",
"type indicator",
"source domain",
"akamai rank",
"hostname",
"ver2",
"msclkidn",
"vids0",
"global outage",
"cobalt strike",
"fancy bear",
"communications",
"android device",
"cnc beacon",
"suspicious ua",
"youtube",
"sakula rat",
"mivast",
"sakula",
"windows",
"samuel tulach",
"light dark",
"samuel",
"tulach",
"hyperv",
"detecting",
"writing gui",
"bootkits",
"world",
"information",
"discovery",
"t1027",
"t1057",
"t1071",
"protocol",
"t1105",
"tool transfer",
"t1129",
"capture",
"service",
"t1119"
],
"references": [
"autodesk.com [ Everything below was found in Autodesk [including crowdstrike & any.desk] Found in in Crowdsrike if labeled.",
"66.254.114.234 | reflectededge.reflected.net | reflected.net | 192.0.2.0 | https://www.brazzers.com/ | brazzers.com | brazzersnetwork.com",
"keezmovies.com | redtube.com | tube8.com | tube8.com | youporn.com| 0.brazzers.com | www.g-tunnel.comwww.brazzers.com |",
"Win32:Mystic , Win.Trojan.Xblocker-236 \u00bbFileHash-SHA256 8c59adbccc1987d13fec983f1e2be046611511b65479d1719bda77c5c90bbe21",
"IDS Detections: TLS Handshake Failure | Alerts: network_icmp , injection",
"Win32:BankerX-gen\\ [Trj] \u00bb FileHash-SHA256 2e5118d15a18ae852bf94d91707ff634d9d8354fef492f5c4e1c46b9cf96184c",
"IDS Detections: Zeus Panda Banker / Ursnif Malicious SSL Certificate Detected TLS Handshake Failure",
"Alerts: network_icmp antisandbox_idletime modifies_certificates modifies_proxy_wpad disables_proxy",
"RedTube.com Detections: ALF:AGGR:OpcCl:95!ml , ALF:JASYP:Backdoor:Win32/Cycbot!atmn , Win.Downloader.117423-1 ,",
"RedTube.com Detections: Win.Trojan.Crypt-321 , Win.Trojan.FakeAV-4166 , Win.Trojan.Fakeav-10977 , Win.Trojan.Fakeav-3386",
"Crowdstrike: wildcard.352-445-1166.device.sim.to.img.sedoparking.com",
"Crowdstrike: maxfehlinger.de http://auth.cranberry.testing.maxfehlinger.de | http://latex.cranberry.testing.maxfehlinger.de |",
"Crowdstrike: https://traefik.cranberry.testing.maxfehlinger.de | http://traefik.cranberry.testing.maxfehlinger.de |",
"Crowdstrike: http://watchtower.cranberry.testing.maxfehlinger.de| https://auth.cranberry.testing.maxfehlinger.de |",
"Crowdstrike: auth.cranberry.testing.maxfehlinger.de | latex.cranberry.testing.maxfehlinger.de | traefik.cranberry.testing.maxfehlinger.de |",
"Crowdstrike: watchtower.cranberry.testing.maxfehlinger.de | https://latex.cranberry.testing.maxfehlinger.de |",
"Crowdstrike: https://www.anyxxxtube.net/search-porn/tsara-brashears/\tphishing\t| https://www.anyxxxtube.net/sitemap.xml",
"Crowdstrike: https://www.pornhub.com/gifs/search?search=tsara+lynn+brash |",
"Crowdstrike: autodesk.com | 0ds.autodesk.com | aknanalytics.autodesk.com | anubis.autodesk.com | autobetaint.autodesk.com",
"Crowdstrike: autodeskarchitecture.autodesk.com | beacon-dev3.autodesk.com | boxtooffice365.autodesk.com | brahma-studio.autodesk.com",
"Crowdstrike: cdc-stg-emea.autodesk.com | cloudcost.autodesk.com | cloudpc-stg.autodesk.com | d-s.autodesk.com |",
"Crowdstrike: daiwahouse-learning.autodesk.com| datagovernance-dev.autodesk.com | enterprise-api-np.autodesk.com",
"Crowdstrike: symcd.com [Certificate Subjectaltname \u00bb\u00bb anydesk.com \u00bb\u00bb http://gn.symcb.com/gn.crt Ocsp\thttp://gn.symcd.com] ANYDESK.COM-unsigned",
"Crowdstrike: https://bat.bing.com/action/0?ti=12001672&tm=al001&Ver=2&mid=12436868-a484-4998-931c-980262982f67&sid=b92cd8f0483e11efa3c96fe28be413cb&vid=b92cdd10483e11efb1024309353d849f&vids=1&msclkid=N&pi=-740138922&lg=en-US&sw=800&sh=600&sc=24&tl=CrowdStrike%3A%20Stop%20breaches.%20Drive%20business.&p=https%3A%2F%2Fwww.crowdstrike.com%2Fen-us%2F&r=<=1022&pt=1721661968606",
"Crowdstrike: \tbat.bing.com, https://tulach.cc, https://otx.alienvault.com/indicator/url/http://www.hallrender.com/attorney/brian-sabey",
"Crowdstrike: https://www.pornhub.com/gifs/search?search=tsara+lynn+brashears+lesbian | https://www.pornhub.com/video/search?search=tsara+brashears | www.youtube.com/watch?v=GyuMozsVyYs | www.pornhub.com | www.youtube.com",
"Crowdstrike: https://hr.employmenthero.com/rs/387-SZZ-170/images/youtube-icon-emp-hero-violet.png",
"Crowdstrike + Autodesk.com: hallrender.com/attorney/brian-sabey www.hallrender.com/attorney/brian-sabey hallrender.com www.hallrender.com https://hallrender.com milehighmedia.com https://www.milehighmedia.com/ https://www.milehighmedia.com/legal/2257",
"Crowdstrike + Autodesk.com: brassiere.world mail.brassiere.world webdisk.brassiere.world webmail.brassiere.world",
"Crowdstrike + Autodesk.com: 128 + symcd.com some w/issues | 658 autodesk.com pulse some w/issues | removed any.desk & boot",
"The more I say...Any.Desk + boot.net.anydesk.com was in OG Private CrowdsStrike pulse",
"Above links in search results direct out with and arrow pointing out.",
"https://otx.alienvault.com/browse/global/pulses?q=tag:%22esta%20caliente%22&include_inactive=0&sort=-modified&page=1&limit=10&indicatorsSearch=esta%20caliente",
"Above link opened 'esta caliente'= 'it's hot'| I did NOT do that | All connected links gone. This has become common.",
"I didn't add pertinent findings back to Pulse. Pulse comp,eyes says ago . Couldn't submit. It's was actually a tiny pulse of autodesk.com with crowdstrike relationship references,",
"boot.net.anydesk.com removed from my Pulse below",
"https://otx.alienvault.com/pulse/66d4c125ad61ee5577639a2d"
],
"public": 1,
"adversary": "",
"targeted_countries": [
"United States of America",
"Netherlands"
],
"malware_families": [
{
"id": "Win32:Mystic",
"display_name": "Win32:Mystic",
"target": null
},
{
"id": "Win.Trojan.Xblocker-236",
"display_name": "Win.Trojan.Xblocker-236",
"target": null
},
{
"id": "Ransom:Win32/Genasom",
"display_name": "Ransom:Win32/Genasom",
"target": "/malware/Ransom:Win32/Genasom"
},
{
"id": "Worm:Win32/Autorun",
"display_name": "Worm:Win32/Autorun",
"target": "/malware/Worm:Win32/Autorun"
},
{
"id": "ALF:JASYP:Backdoor:Win32/Cycbot",
"display_name": "ALF:JASYP:Backdoor:Win32/Cycbot",
"target": null
},
{
"id": "#LowFiEnableDTContinueAfterUnpacking",
"display_name": "#LowFiEnableDTContinueAfterUnpacking",
"target": null
},
{
"id": "TrojanSpy",
"display_name": "TrojanSpy",
"target": null
},
{
"id": "TrojanSpy:Win32/Usteal",
"display_name": "TrojanSpy:Win32/Usteal",
"target": "/malware/TrojanSpy:Win32/Usteal"
},
{
"id": "Win.Trojan.PoetRat-7669676-0",
"display_name": "Win.Trojan.PoetRat-7669676-0",
"target": null
},
{
"id": "Mivast",
"display_name": "Mivast",
"target": null
},
{
"id": "Sakula",
"display_name": "Sakula",
"target": null
}
],
"attack_ids": [
{
"id": "T1003",
"name": "OS Credential Dumping",
"display_name": "T1003 - OS Credential Dumping"
},
{
"id": "T1005",
"name": "Data from Local System",
"display_name": "T1005 - Data from Local System"
},
{
"id": "T1047",
"name": "Windows Management Instrumentation",
"display_name": "T1047 - Windows Management Instrumentation"
},
{
"id": "T1053",
"name": "Scheduled Task/Job",
"display_name": "T1053 - Scheduled Task/Job"
},
{
"id": "T1055",
"name": "Process Injection",
"display_name": "T1055 - Process Injection"
},
{
"id": "T1057",
"name": "Process Discovery",
"display_name": "T1057 - Process Discovery"
},
{
"id": "T1060",
"name": "Registry Run Keys / Startup Folder",
"display_name": "T1060 - Registry Run Keys / Startup Folder"
},
{
"id": "T1081",
"name": "Credentials in Files",
"display_name": "T1081 - Credentials in Files"
},
{
"id": "T1082",
"name": "System Information Discovery",
"display_name": "T1082 - System Information Discovery"
},
{
"id": "T1119",
"name": "Automated Collection",
"display_name": "T1119 - Automated Collection"
},
{
"id": "T1129",
"name": "Shared Modules",
"display_name": "T1129 - Shared Modules"
},
{
"id": "T1040",
"name": "Network Sniffing",
"display_name": "T1040 - Network Sniffing"
},
{
"id": "T1112",
"name": "Modify Registry",
"display_name": "T1112 - Modify Registry"
},
{
"id": "T1566",
"name": "Phishing",
"display_name": "T1566 - Phishing"
},
{
"id": "T1045",
"name": "Software Packing",
"display_name": "T1045 - Software Packing"
},
{
"id": "T1106",
"name": "Native API",
"display_name": "T1106 - Native API"
},
{
"id": "T1021",
"name": "Remote Services",
"display_name": "T1021 - Remote Services"
},
{
"id": "T1210",
"name": "Exploitation of Remote Services",
"display_name": "T1210 - Exploitation of Remote Services"
},
{
"id": "T1027",
"name": "Obfuscated Files or Information",
"display_name": "T1027 - Obfuscated Files or Information"
},
{
"id": "T1056",
"name": "Input Capture",
"display_name": "T1056 - Input Capture"
},
{
"id": "T1071",
"name": "Application Layer Protocol",
"display_name": "T1071 - Application Layer Protocol"
},
{
"id": "T1105",
"name": "Ingress Tool Transfer",
"display_name": "T1105 - Ingress Tool Transfer"
},
{
"id": "T1140",
"name": "Deobfuscate/Decode Files or Information",
"display_name": "T1140 - Deobfuscate/Decode Files or Information"
},
{
"id": "T1143",
"name": "Hidden Window",
"display_name": "T1143 - Hidden Window"
},
{
"id": "T1158",
"name": "Hidden Files and Directories",
"display_name": "T1158 - Hidden Files and Directories"
},
{
"id": "T1498",
"name": "Network Denial of Service",
"display_name": "T1498 - Network Denial of Service"
},
{
"id": "T1518",
"name": "Software Discovery",
"display_name": "T1518 - Software Discovery"
},
{
"id": "T1553",
"name": "Subvert Trust Controls",
"display_name": "T1553 - Subvert Trust Controls"
},
{
"id": "T1568",
"name": "Dynamic Resolution",
"display_name": "T1568 - Dynamic Resolution"
},
{
"id": "T1583",
"name": "Acquire Infrastructure",
"display_name": "T1583 - Acquire Infrastructure"
}
],
"industries": [],
"TLP": "white",
"cloned_from": null,
"export_count": 38,
"upvotes_count": 0,
"downvotes_count": 0,
"votes_count": 0,
"locked": false,
"pulse_source": "web",
"validator_count": 0,
"comment_count": 1,
"follower_count": 0,
"vote": 0,
"author": {
"username": "scoreblue",
"id": "254100",
"avatar_url": "/otxapi/users/avatar_image/media/avatars/user_254100/resized/80/avatar_3b9c358f36.png",
"is_subscribed": false,
"is_following": false
},
"indicator_type_counts": {
"FileHash-MD5": 1417,
"FileHash-SHA1": 1165,
"FileHash-SHA256": 6536,
"URL": 6112,
"domain": 1340,
"hostname": 2654,
"email": 15,
"SSLCertFingerprint": 9
},
"indicator_count": 19248,
"is_author": false,
"is_subscribing": null,
"subscriber_count": 227,
"modified_text": "562 days ago ",
"is_modified": true,
"groups": [],
"in_group": false,
"threat_hunter_scannable": true,
"threat_hunter_has_agents": 1,
"related_indicator_type": "URL",
"related_indicator_is_active": 1
},
{
"id": "65e57f32581a900dfb272d05",
"name": "FormBook | 172.31.13.249",
"description": "",
"modified": "2024-04-03T05:03:03.527000",
"created": "2024-03-04T07:58:42.074000",
"tags": [
"resolutions",
"referrer",
"siblings",
"asn owner",
"historical ssl",
"contacted",
"high level",
"hackers",
"formbook",
"name verdict",
"falcon sandbox",
"report",
"united",
"registrar",
"creation date",
"search",
"emails",
"name",
"name servers",
"showing",
"unknown",
"scan endpoints",
"date",
"next",
"root ca",
"pattern match",
"authority",
"beginstring",
"class",
"mitre att",
"global root",
"ck id",
"show technique",
"ck matrix",
"null",
"accept",
"refresh",
"span",
"error",
"tools",
"body",
"look",
"verify",
"restart",
"hybrid",
"local",
"click",
"strings",
"files files",
"ssl certificate",
"tsara brashears",
"highly targeted",
"ransomware",
"dark power",
"play ransomware",
"malware",
"core",
"installer",
"awful",
"snatch",
"metro",
"service",
"critical",
"copy",
"execution",
"location united",
"asn as15169",
"less whois",
"as15169 google",
"status",
"entries",
"record value",
"servers",
"trojan",
"win32",
"aaaa",
"worm",
"passive dns",
"gmt cache",
"sameorigin",
"all scoreblue",
"ipv4",
"lowfi",
"domain related",
"urls",
"domain",
"nxdomain",
"hostname",
"users",
"yara detections",
"alerts",
"high",
"filehash",
"pulse pulses",
"av detections",
"ids detections",
"musicmaid",
"reader",
"office standard",
"high process",
"injection t1055",
"t1055",
"x00x00",
"icmp traffic",
"injection",
"hijacker",
"password",
"stealer",
"corruption",
"targeting",
"172.31.13.249"
],
"references": [
"gstatic.com",
"Unsupported/Fake Windows NT Version 5.0",
"Login privileges",
"172.31.13.249"
],
"public": 1,
"adversary": "",
"targeted_countries": [
"United States of America"
],
"malware_families": [
{
"id": "FormBook",
"display_name": "FormBook",
"target": null
},
{
"id": "Worm:Win32/Mofksys.RND!MTB",
"display_name": "Worm:Win32/Mofksys.RND!MTB",
"target": "/malware/Worm:Win32/Mofksys.RND!MTB"
},
{
"id": "Trojan:Win32/Dorv.B!rfn",
"display_name": "Trojan:Win32/Dorv.B!rfn",
"target": "/malware/Trojan:Win32/Dorv.B!rfn"
},
{
"id": "Trojan:Win32/Zombie.A",
"display_name": "Trojan:Win32/Zombie.A",
"target": "/malware/Trojan:Win32/Zombie.A"
},
{
"id": "Trojan:Win32/QQpass",
"display_name": "Trojan:Win32/QQpass",
"target": "/malware/Trojan:Win32/QQpass"
},
{
"id": "Trojan:Win32/Antavmu.D",
"display_name": "Trojan:Win32/Antavmu.D",
"target": "/malware/Trojan:Win32/Antavmu.D"
},
{
"id": "PWS:MSIL/Dcstl.GD!MTB",
"display_name": "PWS:MSIL/Dcstl.GD!MTB",
"target": "/malware/PWS:MSIL/Dcstl.GD!MTB"
},
{
"id": "#Lowfi:HSTR:MSIL/PossibleDownloader.S01",
"display_name": "#Lowfi:HSTR:MSIL/PossibleDownloader.S01",
"target": null
},
{
"id": "Win32:MalwareX-gen\\ [Trj]",
"display_name": "Win32:MalwareX-gen\\ [Trj]",
"target": null
}
],
"attack_ids": [
{
"id": "T1059",
"name": "Command and Scripting Interpreter",
"display_name": "T1059 - Command and Scripting Interpreter"
},
{
"id": "T1071",
"name": "Application Layer Protocol",
"display_name": "T1071 - Application Layer Protocol"
},
{
"id": "T1100",
"name": "Web Shell",
"display_name": "T1100 - Web Shell"
},
{
"id": "T1105",
"name": "Ingress Tool Transfer",
"display_name": "T1105 - Ingress Tool Transfer"
},
{
"id": "T1114",
"name": "Email Collection",
"display_name": "T1114 - Email Collection"
},
{
"id": "T1560",
"name": "Archive Collected Data",
"display_name": "T1560 - Archive Collected Data"
},
{
"id": "T1055",
"name": "Process Injection",
"display_name": "T1055 - Process Injection"
},
{
"id": "T1027",
"name": "Obfuscated Files or Information",
"display_name": "T1027 - Obfuscated Files or Information"
},
{
"id": "T1053",
"name": "Scheduled Task/Job",
"display_name": "T1053 - Scheduled Task/Job"
},
{
"id": "T1057",
"name": "Process Discovery",
"display_name": "T1057 - Process Discovery"
},
{
"id": "T1060",
"name": "Registry Run Keys / Startup Folder",
"display_name": "T1060 - Registry Run Keys / Startup Folder"
},
{
"id": "T1083",
"name": "File and Directory Discovery",
"display_name": "T1083 - File and Directory Discovery"
},
{
"id": "T1110.002",
"name": "Password Cracking",
"display_name": "T1110.002 - Password Cracking"
},
{
"id": "T1566",
"name": "Phishing",
"display_name": "T1566 - Phishing"
},
{
"id": "TA0011",
"name": "Command and Control",
"display_name": "TA0011 - Command and Control"
},
{
"id": "T1068",
"name": "Exploitation for Privilege Escalation",
"display_name": "T1068 - Exploitation for Privilege Escalation"
},
{
"id": "T1070.004",
"name": "File Deletion",
"display_name": "T1070.004 - File Deletion"
},
{
"id": "T1107",
"name": "File Deletion",
"display_name": "T1107 - File Deletion"
},
{
"id": "T1447",
"name": "Delete Device Data",
"display_name": "T1447 - Delete Device Data"
},
{
"id": "T1114.002",
"name": "Remote Email Collection",
"display_name": "T1114.002 - Remote Email Collection"
},
{
"id": "T1002",
"name": "Data Compressed",
"display_name": "T1002 - Data Compressed"
}
],
"industries": [],
"TLP": "white",
"cloned_from": "65e576d419524d75af35a36e",
"export_count": 45,
"upvotes_count": 0,
"downvotes_count": 0,
"votes_count": 0,
"locked": false,
"pulse_source": "web",
"validator_count": 0,
"comment_count": 0,
"follower_count": 0,
"vote": 0,
"author": {
"username": "OctoSeek",
"id": "243548",
"avatar_url": "/otxapi/users/avatar_image/media/avatars/user_243548/resized/80/avatar_3b9c358f36.png",
"is_subscribed": false,
"is_following": false
},
"indicator_type_counts": {
"URL": 3117,
"FileHash-MD5": 280,
"FileHash-SHA1": 286,
"FileHash-SHA256": 3773,
"domain": 1264,
"hostname": 1595,
"email": 6,
"CVE": 5
},
"indicator_count": 10326,
"is_author": false,
"is_subscribing": null,
"subscriber_count": 223,
"modified_text": "746 days ago ",
"is_modified": true,
"groups": [],
"in_group": false,
"threat_hunter_scannable": true,
"threat_hunter_has_agents": 1,
"related_indicator_type": "URL",
"related_indicator_is_active": 1
},
{
"id": "65e576d419524d75af35a36e",
"name": "FormBook",
"description": "FormBook is an infostealer malware (malicious spyware). malicious code uses various hooks to gain access to keystrokes, screenshots, and other functions. The malware can also receive commands from its operator to steal information from browsers or download and execute other malware. As a MaaS offering, FormBook malware may be deployed by various threat actors. It's currently being use by a ,legal teams masquerading as government (might be \nlegitimate attorneys) law firm modifying and deleting front facing threats on various platforms. One firm has very poor reviews Corrupt. Others initiate malicious prosecution law suits. Social; engineering , intertwining malicious behavior.in every aspect of targets life from business banking, ancestry to aggressive match making attempts.",
"modified": "2024-04-03T05:03:03.527000",
"created": "2024-03-04T07:23:00.177000",
"tags": [
"resolutions",
"referrer",
"siblings",
"asn owner",
"historical ssl",
"contacted",
"high level",
"hackers",
"formbook",
"name verdict",
"falcon sandbox",
"report",
"united",
"registrar",
"creation date",
"search",
"emails",
"name",
"name servers",
"showing",
"unknown",
"scan endpoints",
"date",
"next",
"root ca",
"pattern match",
"authority",
"beginstring",
"class",
"mitre att",
"global root",
"ck id",
"show technique",
"ck matrix",
"null",
"accept",
"refresh",
"span",
"error",
"tools",
"body",
"look",
"verify",
"restart",
"hybrid",
"local",
"click",
"strings",
"files files",
"ssl certificate",
"tsara brashears",
"highly targeted",
"ransomware",
"dark power",
"play ransomware",
"malware",
"core",
"installer",
"awful",
"snatch",
"metro",
"service",
"critical",
"copy",
"execution",
"location united",
"asn as15169",
"less whois",
"as15169 google",
"status",
"entries",
"record value",
"servers",
"trojan",
"win32",
"aaaa",
"worm",
"passive dns",
"gmt cache",
"sameorigin",
"all scoreblue",
"ipv4",
"lowfi",
"domain related",
"urls",
"domain",
"nxdomain",
"hostname",
"users",
"yara detections",
"alerts",
"high",
"filehash",
"pulse pulses",
"av detections",
"ids detections",
"musicmaid",
"reader",
"office standard",
"high process",
"injection t1055",
"t1055",
"x00x00",
"icmp traffic",
"injection",
"hijacker",
"password",
"stealer",
"corruption",
"targeting",
"172.31.13.249"
],
"references": [
"gstatic.com",
"Unsupported/Fake Windows NT Version 5.0",
"Login privileges",
"172.31.13.249"
],
"public": 1,
"adversary": "",
"targeted_countries": [
"United States of America"
],
"malware_families": [
{
"id": "FormBook",
"display_name": "FormBook",
"target": null
},
{
"id": "Worm:Win32/Mofksys.RND!MTB",
"display_name": "Worm:Win32/Mofksys.RND!MTB",
"target": "/malware/Worm:Win32/Mofksys.RND!MTB"
},
{
"id": "Trojan:Win32/Dorv.B!rfn",
"display_name": "Trojan:Win32/Dorv.B!rfn",
"target": "/malware/Trojan:Win32/Dorv.B!rfn"
},
{
"id": "Trojan:Win32/Zombie.A",
"display_name": "Trojan:Win32/Zombie.A",
"target": "/malware/Trojan:Win32/Zombie.A"
},
{
"id": "Trojan:Win32/QQpass",
"display_name": "Trojan:Win32/QQpass",
"target": "/malware/Trojan:Win32/QQpass"
},
{
"id": "Trojan:Win32/Antavmu.D",
"display_name": "Trojan:Win32/Antavmu.D",
"target": "/malware/Trojan:Win32/Antavmu.D"
},
{
"id": "PWS:MSIL/Dcstl.GD!MTB",
"display_name": "PWS:MSIL/Dcstl.GD!MTB",
"target": "/malware/PWS:MSIL/Dcstl.GD!MTB"
},
{
"id": "#Lowfi:HSTR:MSIL/PossibleDownloader.S01",
"display_name": "#Lowfi:HSTR:MSIL/PossibleDownloader.S01",
"target": null
},
{
"id": "Win32:MalwareX-gen\\ [Trj]",
"display_name": "Win32:MalwareX-gen\\ [Trj]",
"target": null
}
],
"attack_ids": [
{
"id": "T1059",
"name": "Command and Scripting Interpreter",
"display_name": "T1059 - Command and Scripting Interpreter"
},
{
"id": "T1071",
"name": "Application Layer Protocol",
"display_name": "T1071 - Application Layer Protocol"
},
{
"id": "T1100",
"name": "Web Shell",
"display_name": "T1100 - Web Shell"
},
{
"id": "T1105",
"name": "Ingress Tool Transfer",
"display_name": "T1105 - Ingress Tool Transfer"
},
{
"id": "T1114",
"name": "Email Collection",
"display_name": "T1114 - Email Collection"
},
{
"id": "T1560",
"name": "Archive Collected Data",
"display_name": "T1560 - Archive Collected Data"
},
{
"id": "T1055",
"name": "Process Injection",
"display_name": "T1055 - Process Injection"
},
{
"id": "T1027",
"name": "Obfuscated Files or Information",
"display_name": "T1027 - Obfuscated Files or Information"
},
{
"id": "T1053",
"name": "Scheduled Task/Job",
"display_name": "T1053 - Scheduled Task/Job"
},
{
"id": "T1057",
"name": "Process Discovery",
"display_name": "T1057 - Process Discovery"
},
{
"id": "T1060",
"name": "Registry Run Keys / Startup Folder",
"display_name": "T1060 - Registry Run Keys / Startup Folder"
},
{
"id": "T1083",
"name": "File and Directory Discovery",
"display_name": "T1083 - File and Directory Discovery"
},
{
"id": "T1110.002",
"name": "Password Cracking",
"display_name": "T1110.002 - Password Cracking"
},
{
"id": "T1566",
"name": "Phishing",
"display_name": "T1566 - Phishing"
},
{
"id": "TA0011",
"name": "Command and Control",
"display_name": "TA0011 - Command and Control"
},
{
"id": "T1068",
"name": "Exploitation for Privilege Escalation",
"display_name": "T1068 - Exploitation for Privilege Escalation"
},
{
"id": "T1070.004",
"name": "File Deletion",
"display_name": "T1070.004 - File Deletion"
},
{
"id": "T1107",
"name": "File Deletion",
"display_name": "T1107 - File Deletion"
},
{
"id": "T1447",
"name": "Delete Device Data",
"display_name": "T1447 - Delete Device Data"
},
{
"id": "T1114.002",
"name": "Remote Email Collection",
"display_name": "T1114.002 - Remote Email Collection"
},
{
"id": "T1002",
"name": "Data Compressed",
"display_name": "T1002 - Data Compressed"
}
],
"industries": [],
"TLP": "white",
"cloned_from": null,
"export_count": 45,
"upvotes_count": 0,
"downvotes_count": 0,
"votes_count": 0,
"locked": false,
"pulse_source": "web",
"validator_count": 0,
"comment_count": 0,
"follower_count": 0,
"vote": 0,
"author": {
"username": "scoreblue",
"id": "254100",
"avatar_url": "/otxapi/users/avatar_image/media/avatars/user_254100/resized/80/avatar_3b9c358f36.png",
"is_subscribed": false,
"is_following": false
},
"indicator_type_counts": {
"URL": 3117,
"FileHash-MD5": 280,
"FileHash-SHA1": 286,
"FileHash-SHA256": 3773,
"domain": 1264,
"hostname": 1595,
"email": 6,
"CVE": 5
},
"indicator_count": 10326,
"is_author": false,
"is_subscribing": null,
"subscriber_count": 229,
"modified_text": "746 days ago ",
"is_modified": true,
"groups": [],
"in_group": false,
"threat_hunter_scannable": true,
"threat_hunter_has_agents": 1,
"related_indicator_type": "URL",
"related_indicator_is_active": 1
},
{
"id": "65e3d1a94659d50264a78fd4",
"name": "Phishing | TabExplorer attacks compromised networks and devices",
"description": "",
"modified": "2024-04-02T01:01:20.068000",
"created": "2024-03-03T01:26:01.043000",
"tags": [
"command decode",
"suricata ipv4",
"mitre att",
"ck id",
"show technique",
"ck matrix",
"suricata udpv4",
"date",
"united",
"windows nt",
"win64",
"hybrid",
"general",
"click",
"strings",
"contact",
"url http",
"url https",
"scan endpoints",
"all octoseek",
"report spam",
"hour ago",
"whois record",
"glasgow",
"scan",
"iocs",
"next",
"filehashsha256",
"filehashmd5",
"filehashsha1",
"ipv4",
"contacted",
"execution",
"pe resource",
"communicating",
"urls http",
"referrer",
"resolutions",
"whois whois",
"collections ip",
"phishing",
"attack",
"loaded module",
"remote procedure call",
"search",
"as15133 verizon",
"passive dns",
"urls",
"creation date",
"record value",
"showing",
"unknown",
"as8075",
"as15169 google",
"as8068",
"aaaa",
"cname",
"a domains",
"meta",
"entries",
"gmt server",
"ecacc saa83dd",
"cobalt strike",
"mozilla",
"body",
"brian sabey",
"hallrender",
"dynamicloader",
"show",
"alerts",
"trojan",
"copy",
"dynamic",
"medium",
"reads",
"write",
"stealth network",
"stealth_network",
"script urls",
"certificate",
"rsa sha256",
"exports data",
"high",
"yara rule",
"yara detections",
"njrat",
"cape",
"njrat malware",
"sniffs",
"guard",
"write c",
"delete c",
"ms windows",
"default",
"intel",
"openpgp public",
"stream",
"antivm_generic_disk",
"antivm_generic_bios",
"network_bind",
"stealth_file spawns_dev_utility",
"procmem_yara",
"enumerates_physical_drives",
"persistence_ads",
"dynamic_function_loading",
"reads_self",
"suspicious_command_tools",
"network",
"rat"
],
"references": [
"http://www.tabxexplorer.com [phishing]",
"http://www.tabxexplorer.com/lenovo",
"GET /lenovo HTTP/1.1 Host: www.tabxexplorer.com Connection: keep-alive Upgrade-Insecure-Requests: 1 User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/121.0.0.0 Safari/537.36 Edg/121.0.0.0",
"identity_helper.exe",
"cdn.easykeys.com",
"hive21.ctcsoftware.com",
"www.moxa.com",
"msedgeextensions.sf.tlu.dl.delivery.mp.microsoft.com",
"IDS Detections: Cobalt Strike Malleable C2 JQuery",
"IDS Detections: Nullsoft Mozilla UA (NSISDL)",
"IDS Detections: Observed Suspicious UA (NSISDL/1.2 (Mozilla))",
"IDS Detections: SSL excessive fatal alerts (possible POODLE attack against server)",
"IDS Detections: GENERIC Likely Malicious Fake IE Downloading .exe",
"Tulach Malware: 114.114.114.114",
"ns3.hallgrandsale.ru",
"AgentTesla.KM: FileHash-MD5 e0801d62e8379b98177fd94a027e8b30",
"AgentTesla.KM: FileHash-SHA1 0fa00a939ca8af08c90310b808d1d8fc70a518c3",
"Yara Detection: Nullsoft_NSIS"
],
"public": 1,
"adversary": "",
"targeted_countries": [
"United States of America"
],
"malware_families": [
{
"id": "Trojan:Win32/Zombie.A",
"display_name": "Trojan:Win32/Zombie.A",
"target": "/malware/Trojan:Win32/Zombie.A"
},
{
"id": "ALF:Trojan:MSIL/AgentTesla.KM",
"display_name": "ALF:Trojan:MSIL/AgentTesla.KM",
"target": null
},
{
"id": "ALF:Win32/GbdInf_305B1C9A.J!ibt",
"display_name": "ALF:Win32/GbdInf_305B1C9A.J!ibt",
"target": "/malware/ALF:Win32/GbdInf_305B1C9A.J!ibt"
},
{
"id": "ALF:HeraklezEval:Trojan:Win32/ClipBanker",
"display_name": "ALF:HeraklezEval:Trojan:Win32/ClipBanker",
"target": null
},
{
"id": "Cobalt Strike",
"display_name": "Cobalt Strike",
"target": null
},
{
"id": "HackTool:Win32/CobaltStrike.A",
"display_name": "HackTool:Win32/CobaltStrike.A",
"target": "/malware/HackTool:Win32/CobaltStrike.A"
},
{
"id": "HackTool:Win32/Atosev.A",
"display_name": "HackTool:Win32/Atosev.A",
"target": "/malware/HackTool:Win32/Atosev.A"
},
{
"id": "Tulach",
"display_name": "Tulach",
"target": null
},
{
"id": "Sabey",
"display_name": "Sabey",
"target": null
},
{
"id": "HallRender",
"display_name": "HallRender",
"target": null
},
{
"id": "Win.Malware.Generickdz-9938530-0",
"display_name": "Win.Malware.Generickdz-9938530-0",
"target": null
}
],
"attack_ids": [
{
"id": "T1027",
"name": "Obfuscated Files or Information",
"display_name": "T1027 - Obfuscated Files or Information"
},
{
"id": "T1057",
"name": "Process Discovery",
"display_name": "T1057 - Process Discovery"
},
{
"id": "T1071",
"name": "Application Layer Protocol",
"display_name": "T1071 - Application Layer Protocol"
},
{
"id": "T1129",
"name": "Shared Modules",
"display_name": "T1129 - Shared Modules"
},
{
"id": "T1071.004",
"name": "DNS",
"display_name": "T1071.004 - DNS"
},
{
"id": "T1071.001",
"name": "Web Protocols",
"display_name": "T1071.001 - Web Protocols"
},
{
"id": "T1029",
"name": "Scheduled Transfer",
"display_name": "T1029 - Scheduled Transfer"
},
{
"id": "T1060",
"name": "Registry Run Keys / Startup Folder",
"display_name": "T1060 - Registry Run Keys / Startup Folder"
},
{
"id": "T1119",
"name": "Automated Collection",
"display_name": "T1119 - Automated Collection"
},
{
"id": "TA0011",
"name": "Command and Control",
"display_name": "TA0011 - Command and Control"
}
],
"industries": [
"Civil Society",
"Technology",
"Telecommunications"
],
"TLP": "white",
"cloned_from": null,
"export_count": 55,
"upvotes_count": 0,
"downvotes_count": 0,
"votes_count": 0,
"locked": false,
"pulse_source": "web",
"validator_count": 0,
"comment_count": 0,
"follower_count": 0,
"vote": 0,
"author": {
"username": "OctoSeek",
"id": "243548",
"avatar_url": "/otxapi/users/avatar_image/media/avatars/user_243548/resized/80/avatar_3b9c358f36.png",
"is_subscribed": false,
"is_following": false
},
"indicator_type_counts": {
"URL": 5551,
"hostname": 1690,
"domain": 929,
"FileHash-SHA256": 2696,
"FileHash-MD5": 405,
"FileHash-SHA1": 315,
"email": 4,
"SSLCertFingerprint": 1
},
"indicator_count": 11591,
"is_author": false,
"is_subscribing": null,
"subscriber_count": 223,
"modified_text": "747 days ago ",
"is_modified": true,
"groups": [],
"in_group": false,
"threat_hunter_scannable": true,
"threat_hunter_has_agents": 1,
"related_indicator_type": "URL",
"related_indicator_is_active": 1
},
{
"id": "65c1cdc5d695c35205593bde",
"name": "https://callback.mobileboost.me",
"description": "cobalt strike cnc, malware, network, execution, antivm_queries_computername, tulach, schema abuse, callback, contact, malicious, boost mobile, t-mobile, targets,Tsara, brashears, cyber threat, hacking, sabey, data center, cyber, cp",
"modified": "2024-03-07T05:01:03.052000",
"created": "2024-02-06T06:12:21.372000",
"tags": [
"passive dns",
"urls",
"scan endpoints",
"all octoseek",
"hostname",
"pulse pulses",
"files",
"domain",
"files ip",
"address domain",
"url https",
"http",
"files domain",
"files related",
"cname",
"united",
"unknown",
"nxdomain",
"a nxdomain",
"ssl certificate",
"contacted",
"whois record",
"resolutions",
"whois whois",
"historical ssl",
"referrer",
"problems",
"execution",
"subdomains",
"startpage",
"simda",
"first",
"utc submissions",
"submitters",
"psiusa",
"domain robot",
"csc corporate",
"domains",
"tucows",
"ltd dba",
"com laude",
"twitter",
"indonesia",
"installer",
"kgs0",
"kls0",
"redlinestealer",
"kangen",
"china telecom",
"group",
"computer",
"company limited",
"summary iocs",
"malware",
"network",
"obz4usfn0 http",
"contacted urls",
"gootloader",
"iframe",
"stus",
"cnus",
"regsetvalueexa",
"cobalt strike",
"search",
"regdword",
"ssl cert",
"tlsv1 apr",
"cobaltstrike",
"trojan",
"copy",
"write",
"june",
"win64",
"porkbun llc",
"mb opera",
"china unicom",
"tmobileas21928",
"graph community",
"china education",
"center",
"showing",
"entries"
],
"references": [],
"public": 1,
"adversary": "",
"targeted_countries": [],
"malware_families": [],
"attack_ids": [
{
"id": "T1568",
"name": "Dynamic Resolution",
"display_name": "T1568 - Dynamic Resolution"
},
{
"id": "T1040",
"name": "Network Sniffing",
"display_name": "T1040 - Network Sniffing"
},
{
"id": "T1071",
"name": "Application Layer Protocol",
"display_name": "T1071 - Application Layer Protocol"
}
],
"industries": [],
"TLP": "green",
"cloned_from": null,
"export_count": 32,
"upvotes_count": 0,
"downvotes_count": 0,
"votes_count": 0,
"locked": false,
"pulse_source": "web",
"validator_count": 0,
"comment_count": 1,
"follower_count": 0,
"vote": 0,
"author": {
"username": "OctoSeek",
"id": "243548",
"avatar_url": "/otxapi/users/avatar_image/media/avatars/user_243548/resized/80/avatar_3b9c358f36.png",
"is_subscribed": false,
"is_following": false
},
"indicator_type_counts": {
"domain": 1874,
"hostname": 2812,
"URL": 8308,
"FileHash-SHA256": 5549,
"FileHash-MD5": 364,
"FileHash-SHA1": 326,
"email": 3,
"SSLCertFingerprint": 1
},
"indicator_count": 19237,
"is_author": false,
"is_subscribing": null,
"subscriber_count": 220,
"modified_text": "773 days ago ",
"is_modified": true,
"groups": [],
"in_group": false,
"threat_hunter_scannable": true,
"threat_hunter_has_agents": 1,
"related_indicator_type": "URL",
"related_indicator_is_active": 1
},
{
"id": "65b93e70b75e7dce7168f4dd",
"name": "Google - Lumma Stealer| QakBot | Emotet",
"description": "Lumma is classified as a stealer - a type of malware that extracts sensitive information from infected devices.\n\nYou can't see it. You will see https://www.google.com and your search. It's hidden spyware. extremely malicious. Targeted individual.",
"modified": "2024-02-29T17:01:09.717000",
"created": "2024-01-30T18:22:40.905000",
"tags": [
"ssl certificate",
"whois record",
"threat roundup",
"contacted",
"historical ssl",
"referrer",
"urls url",
"whois whois",
"october",
"resolutions",
"august",
"execution",
"installer",
"iframe",
"malware",
"core",
"emotet",
"lumma stealer",
"ransomexx",
"azorult",
"ursnif",
"hacktool",
"june",
"qakbot",
"qbot",
"april",
"targeting",
"tsara brashears",
"active threat"
],
"references": [
"google.com.uy [Google search browser, masked, links to malicious porn malware spreader, malvertizing, collection host]",
"https://www.pornhub.com/gifs/search?search=tsara+lynn+brashears+lesbian [ iOS unlocker & password cracker]",
"toolbarqueries.google.com.uy"
],
"public": 1,
"adversary": "",
"targeted_countries": [
"United States of America"
],
"malware_families": [
{
"id": "Lumma Stealer",
"display_name": "Lumma Stealer",
"target": null
},
{
"id": "HackTool",
"display_name": "HackTool",
"target": null
},
{
"id": "Emotet",
"display_name": "Emotet",
"target": null
},
{
"id": "Azorult",
"display_name": "Azorult",
"target": null
},
{
"id": "RansomEXX",
"display_name": "RansomEXX",
"target": null
},
{
"id": "QakBot",
"display_name": "QakBot",
"target": null
},
{
"id": "Qbot",
"display_name": "Qbot",
"target": null
}
],
"attack_ids": [
{
"id": "T1068",
"name": "Exploitation for Privilege Escalation",
"display_name": "T1068 - Exploitation for Privilege Escalation"
},
{
"id": "T1027",
"name": "Obfuscated Files or Information",
"display_name": "T1027 - Obfuscated Files or Information"
},
{
"id": "T1105",
"name": "Ingress Tool Transfer",
"display_name": "T1105 - Ingress Tool Transfer"
},
{
"id": "T1057",
"name": "Process Discovery",
"display_name": "T1057 - Process Discovery"
},
{
"id": "T1449",
"name": "Exploit SS7 to Redirect Phone Calls/SMS",
"display_name": "T1449 - Exploit SS7 to Redirect Phone Calls/SMS"
},
{
"id": "T1583.005",
"name": "Botnet",
"display_name": "T1583.005 - Botnet"
},
{
"id": "T1031",
"name": "Modify Existing Service",
"display_name": "T1031 - Modify Existing Service"
},
{
"id": "T1071",
"name": "Application Layer Protocol",
"display_name": "T1071 - Application Layer Protocol"
},
{
"id": "T1071.001",
"name": "Web Protocols",
"display_name": "T1071.001 - Web Protocols"
},
{
"id": "T1071.004",
"name": "DNS",
"display_name": "T1071.004 - DNS"
},
{
"id": "T1071.003",
"name": "Mail Protocols",
"display_name": "T1071.003 - Mail Protocols"
},
{
"id": "TA0002",
"name": "Execution",
"display_name": "TA0002 - Execution"
},
{
"id": "TA0003",
"name": "Persistence",
"display_name": "TA0003 - Persistence"
},
{
"id": "TA0004",
"name": "Privilege Escalation",
"display_name": "TA0004 - Privilege Escalation"
},
{
"id": "TA0005",
"name": "Defense Evasion",
"display_name": "TA0005 - Defense Evasion"
},
{
"id": "TA0006",
"name": "Credential Access",
"display_name": "TA0006 - Credential Access"
},
{
"id": "TA0007",
"name": "Discovery",
"display_name": "TA0007 - Discovery"
},
{
"id": "TA0009",
"name": "Collection",
"display_name": "TA0009 - Collection"
},
{
"id": "T1030",
"name": "Data Transfer Size Limits",
"display_name": "T1030 - Data Transfer Size Limits"
},
{
"id": "TA0010",
"name": "Exfiltration",
"display_name": "TA0010 - Exfiltration"
},
{
"id": "TA0011",
"name": "Command and Control",
"display_name": "TA0011 - Command and Control"
}
],
"industries": [
"Civil Society"
],
"TLP": "white",
"cloned_from": null,
"export_count": 27,
"upvotes_count": 0,
"downvotes_count": 0,
"votes_count": 0,
"locked": false,
"pulse_source": "web",
"validator_count": 0,
"comment_count": 1,
"follower_count": 0,
"vote": 0,
"author": {
"username": "OctoSeek",
"id": "243548",
"avatar_url": "/otxapi/users/avatar_image/media/avatars/user_243548/resized/80/avatar_3b9c358f36.png",
"is_subscribed": false,
"is_following": false
},
"indicator_type_counts": {
"FileHash-MD5": 50,
"FileHash-SHA1": 46,
"FileHash-SHA256": 3377,
"hostname": 2502,
"URL": 8531,
"domain": 1250,
"CVE": 2
},
"indicator_count": 15758,
"is_author": false,
"is_subscribing": null,
"subscriber_count": 220,
"modified_text": "780 days ago ",
"is_modified": true,
"groups": [],
"in_group": false,
"threat_hunter_scannable": true,
"threat_hunter_has_agents": 1,
"related_indicator_type": "URL",
"related_indicator_is_active": 1
},
{
"id": "6585b18d61efd8798827c12a",
"name": "Potential Poodle Attack against a server | Injection | Threat Network",
"description": "",
"modified": "2024-01-21T15:01:52.390000",
"created": "2023-12-22T15:55:57.639000",
"tags": [
"whois record",
"ssl certificate",
"threat roundup",
"december",
"whois whois",
"historical ssl",
"referrer",
"problems",
"november",
"tsara brashears",
"startpage",
"core",
"hacktool",
"vhash",
"authentihash",
"imphash",
"rich pe",
"ssdeep",
"file type",
"win32 dll",
"magic pe32",
"intel",
"ms windows",
"compiler",
"no data",
"tag count",
"ioc search",
"new ioc",
"teams api",
"contact",
"search",
"iocs",
"sample summary",
"as54113",
"united",
"xamzexpires300",
"unknown",
"a domains",
"passive dns",
"entries",
"github pages",
"request id",
"sea x",
"virtool",
"accept",
"cache",
"hit x",
"date hash",
"avast avg",
"files show",
"execution",
"contacted",
"threat analyzer",
"threat",
"paste",
"hostnames",
"urls http",
"noname057",
"generic malware",
"threat report",
"ip summary",
"url summary",
"summary",
"generic",
"inject",
"!#AddsCopyToStartup",
"SLF:Exploit:Win32/UACPathBypass.A",
"SSL excessive fatal alerts (possible POODLE attack against serve",
"injector",
"185.199.108.133",
"malware infection",
"link",
"name servers",
"date",
"title",
"urls",
"domain robot",
"for privacy",
"redacted for",
"expiration date",
"emotet",
"upx",
"msil",
"trojan",
"malware",
"apple",
"data collection",
"privilege escalation",
"evasive",
"show",
"scan endpoints",
"all octoseek",
"filehash",
"pulse pulses",
"av detections",
"ids detections",
"yara detections",
"copy",
"threat network",
"service modification",
"target",
"targeting an individual",
"cybercrime",
"fraud services",
"attack",
"africa",
"libel",
"password cracker",
"ios"
],
"references": [
"frostwire-5.3.9.windows.exe",
"185.199.108.133",
"cdn-185-199-108-133.github.com",
"AS : AS16509 Amazon.com, Inc",
"SRC URL : http://dl.frostwire.com/frostwire/5.3.9/frostwire-5.3.9.windows.exe",
"IP : 54.192.29.164",
"https://otx.alienvault.com/indicator/ip/185.199.108.133",
"Malware Hosting: IPv4 185.199.108.133, 185.199.109.133, 185.199.110.133, 185.199.111.133",
"YARA Rules",
"Matches rule Windows_API_Function from ruleset Windows_API_Function by InQuest Labs",
"Matches rule Adobe_XMP_Identifier from ruleset Adobe_XMP_Identifier by InQuest Labs",
"Matches rule UPX from ruleset UPX by kevoreilly",
"REFERENCE: https://goo.gl/hXbwiV",
"RULE_LINK: https://valhalla.nextron-systems.com/info/rule/SUSP_JS_Command",
"More information: https://www.nextron-systems.com/notes-on-virustotal-matches/",
"https://www.anyxxxtube.net/search-porn/tsara-brashears/ [phishing]",
"https://www.assurant.com/?utm_source=email&utm_medium=email&utm_campaign=Mobile_Transactional_withad&utm_content=Deductible+Charge+Acknowledgement+PD-MB&utm_term= [Mobile transactional with ads/ malicious]",
"https://otx.alienvault.com/indicator/url/https://www.pornhub.com/gifs/search?search=tsara+lynn+brashears+lesbian [ Walker | Apple Password Cracker]",
"http://103.246.145.111/gateonl.php?hwid=WALKER-PC-WALKER&cpuname=Intel [Apple exploit]",
"www.pornhub.com [New Relic | nr-data.net | Apple Private Data Collection]",
"www.anyxxxtube.net",
"https://otx.alienvault.com/indicator/url/https://www.bleepingcomputer.com/forums/t/268006/wormmalware-that-kills-run-system-restore-regedit/ [ phishing attack directed towards Tsara Brashears]",
"phishing-campaign-cloudstation-eu-west-98.githubusercontent.com [phishing]",
"louisianarooflawyers.com [phishing| songculture.com redirect , compromised by threat actors]",
"103.246.145.111 [malware]",
"x.ss2.us",
"nr-data.net [Apple Private Data Collection]"
],
"public": 1,
"adversary": "",
"targeted_countries": [
"United States of America"
],
"malware_families": [
{
"id": "Generic",
"display_name": "Generic",
"target": null
},
{
"id": "HackTool",
"display_name": "HackTool",
"target": null
},
{
"id": "VirTool",
"display_name": "VirTool",
"target": null
},
{
"id": "Emotet",
"display_name": "Emotet",
"target": null
},
{
"id": "Magic",
"display_name": "Magic",
"target": null
},
{
"id": "Multios.Coinminer.Miner-6781728-2",
"display_name": "Multios.Coinminer.Miner-6781728-2",
"target": null
},
{
"id": "Win32/Ispen BADNEWS Fake User-Agent",
"display_name": "Win32/Ispen BADNEWS Fake User-Agent",
"target": null
},
{
"id": "Babulya/CollectorStealer User-Agent",
"display_name": "Babulya/CollectorStealer User-Agent",
"target": null
},
{
"id": "Win.Malware.Generic-9820446-0",
"display_name": "Win.Malware.Generic-9820446-0",
"target": null
},
{
"id": "Worm:Win32/AutoRun!atmn",
"display_name": "Worm:Win32/AutoRun!atmn",
"target": "/malware/Worm:Win32/AutoRun!atmn"
},
{
"id": "VirTool:MSIL/Obfuscator.BV",
"display_name": "VirTool:MSIL/Obfuscator.BV",
"target": "/malware/VirTool:MSIL/Obfuscator.BV"
},
{
"id": "Win.Trojan.Emotet-9850453-0",
"display_name": "Win.Trojan.Emotet-9850453-0",
"target": null
},
{
"id": "ALF:HSTR:HackTool:ExtremeInjector.S01",
"display_name": "ALF:HSTR:HackTool:ExtremeInjector.S01",
"target": null
},
{
"id": "ALF:HeraklezEval:Trojan:Win32/AgentTesla!rfn",
"display_name": "ALF:HeraklezEval:Trojan:Win32/AgentTesla!rfn",
"target": null
},
{
"id": "!#HSTR:Win32/Spectorsoft",
"display_name": "!#HSTR:Win32/Spectorsoft",
"target": "/malware/!#HSTR:Win32/Spectorsoft"
},
{
"id": "ALF:Base64EncodeFunctionMonitorW",
"display_name": "ALF:Base64EncodeFunctionMonitorW",
"target": null
},
{
"id": "185.199.108.133.Malware_Host",
"display_name": "185.199.108.133.Malware_Host",
"target": null
},
{
"id": "adware.opencandy",
"display_name": "adware.opencandy",
"target": null
},
{
"id": "Malvertizing",
"display_name": "Malvertizing",
"target": null
}
],
"attack_ids": [
{
"id": "TA0002",
"name": "Execution",
"display_name": "TA0002 - Execution"
},
{
"id": "TA0003",
"name": "Persistence",
"display_name": "TA0003 - Persistence"
},
{
"id": "TA0004",
"name": "Privilege Escalation",
"display_name": "TA0004 - Privilege Escalation"
},
{
"id": "TA0005",
"name": "Defense Evasion",
"display_name": "TA0005 - Defense Evasion"
},
{
"id": "TA0006",
"name": "Credential Access",
"display_name": "TA0006 - Credential Access"
},
{
"id": "TA0007",
"name": "Discovery",
"display_name": "TA0007 - Discovery"
},
{
"id": "TA0009",
"name": "Collection",
"display_name": "TA0009 - Collection"
},
{
"id": "TA0034",
"name": "Impact",
"display_name": "TA0034 - Impact"
},
{
"id": "TA0040",
"name": "Impact",
"display_name": "TA0040 - Impact"
},
{
"id": "T1031",
"name": "Modify Existing Service",
"display_name": "T1031 - Modify Existing Service"
}
],
"industries": [],
"TLP": "white",
"cloned_from": null,
"export_count": 32,
"upvotes_count": 0,
"downvotes_count": 0,
"votes_count": 0,
"locked": false,
"pulse_source": "web",
"validator_count": 0,
"comment_count": 0,
"follower_count": 0,
"vote": 0,
"author": {
"username": "OctoSeek",
"id": "243548",
"avatar_url": "/otxapi/users/avatar_image/media/avatars/user_243548/resized/80/avatar_3b9c358f36.png",
"is_subscribed": false,
"is_following": false
},
"indicator_type_counts": {
"FileHash-MD5": 1872,
"FileHash-SHA1": 1140,
"FileHash-SHA256": 2367,
"URL": 1969,
"domain": 327,
"hostname": 1025,
"email": 1
},
"indicator_count": 8701,
"is_author": false,
"is_subscribing": null,
"subscriber_count": 219,
"modified_text": "819 days ago ",
"is_modified": true,
"groups": [],
"in_group": false,
"threat_hunter_scannable": true,
"threat_hunter_has_agents": 1,
"related_indicator_type": "URL",
"related_indicator_is_active": 1
},
{
"id": "6585b183175afafb5e3bfff5",
"name": "Potential Poodle Attack against a server | Injection | Threat Network",
"description": "",
"modified": "2024-01-21T15:01:52.390000",
"created": "2023-12-22T15:55:47.977000",
"tags": [
"whois record",
"ssl certificate",
"threat roundup",
"december",
"whois whois",
"historical ssl",
"referrer",
"problems",
"november",
"tsara brashears",
"startpage",
"core",
"hacktool",
"vhash",
"authentihash",
"imphash",
"rich pe",
"ssdeep",
"file type",
"win32 dll",
"magic pe32",
"intel",
"ms windows",
"compiler",
"no data",
"tag count",
"ioc search",
"new ioc",
"teams api",
"contact",
"search",
"iocs",
"sample summary",
"as54113",
"united",
"xamzexpires300",
"unknown",
"a domains",
"passive dns",
"entries",
"github pages",
"request id",
"sea x",
"virtool",
"accept",
"cache",
"hit x",
"date hash",
"avast avg",
"files show",
"execution",
"contacted",
"threat analyzer",
"threat",
"paste",
"hostnames",
"urls http",
"noname057",
"generic malware",
"threat report",
"ip summary",
"url summary",
"summary",
"generic",
"inject",
"!#AddsCopyToStartup",
"SLF:Exploit:Win32/UACPathBypass.A",
"SSL excessive fatal alerts (possible POODLE attack against serve",
"injector",
"185.199.108.133",
"malware infection",
"link",
"name servers",
"date",
"title",
"urls",
"domain robot",
"for privacy",
"redacted for",
"expiration date",
"emotet",
"upx",
"msil",
"trojan",
"malware",
"apple",
"data collection",
"privilege escalation",
"evasive",
"show",
"scan endpoints",
"all octoseek",
"filehash",
"pulse pulses",
"av detections",
"ids detections",
"yara detections",
"copy",
"threat network",
"service modification",
"target",
"targeting an individual",
"cybercrime",
"fraud services",
"attack",
"africa",
"libel",
"password cracker",
"ios"
],
"references": [
"frostwire-5.3.9.windows.exe",
"185.199.108.133",
"cdn-185-199-108-133.github.com",
"AS : AS16509 Amazon.com, Inc",
"SRC URL : http://dl.frostwire.com/frostwire/5.3.9/frostwire-5.3.9.windows.exe",
"IP : 54.192.29.164",
"https://otx.alienvault.com/indicator/ip/185.199.108.133",
"Malware Hosting: IPv4 185.199.108.133, 185.199.109.133, 185.199.110.133, 185.199.111.133",
"YARA Rules",
"Matches rule Windows_API_Function from ruleset Windows_API_Function by InQuest Labs",
"Matches rule Adobe_XMP_Identifier from ruleset Adobe_XMP_Identifier by InQuest Labs",
"Matches rule UPX from ruleset UPX by kevoreilly",
"REFERENCE: https://goo.gl/hXbwiV",
"RULE_LINK: https://valhalla.nextron-systems.com/info/rule/SUSP_JS_Command",
"More information: https://www.nextron-systems.com/notes-on-virustotal-matches/",
"https://www.anyxxxtube.net/search-porn/tsara-brashears/ [phishing]",
"https://www.assurant.com/?utm_source=email&utm_medium=email&utm_campaign=Mobile_Transactional_withad&utm_content=Deductible+Charge+Acknowledgement+PD-MB&utm_term= [Mobile transactional with ads/ malicious]",
"https://otx.alienvault.com/indicator/url/https://www.pornhub.com/gifs/search?search=tsara+lynn+brashears+lesbian [ Walker | Apple Password Cracker]",
"http://103.246.145.111/gateonl.php?hwid=WALKER-PC-WALKER&cpuname=Intel [Apple exploit]",
"www.pornhub.com [New Relic | nr-data.net | Apple Private Data Collection]",
"www.anyxxxtube.net",
"https://otx.alienvault.com/indicator/url/https://www.bleepingcomputer.com/forums/t/268006/wormmalware-that-kills-run-system-restore-regedit/ [ phishing attack directed towards Tsara Brashears]",
"phishing-campaign-cloudstation-eu-west-98.githubusercontent.com [phishing]",
"louisianarooflawyers.com [phishing| songculture.com redirect , compromised by threat actors]",
"103.246.145.111 [malware]",
"x.ss2.us",
"nr-data.net [Apple Private Data Collection]"
],
"public": 1,
"adversary": "",
"targeted_countries": [
"United States of America"
],
"malware_families": [
{
"id": "Generic",
"display_name": "Generic",
"target": null
},
{
"id": "HackTool",
"display_name": "HackTool",
"target": null
},
{
"id": "VirTool",
"display_name": "VirTool",
"target": null
},
{
"id": "Emotet",
"display_name": "Emotet",
"target": null
},
{
"id": "Magic",
"display_name": "Magic",
"target": null
},
{
"id": "Multios.Coinminer.Miner-6781728-2",
"display_name": "Multios.Coinminer.Miner-6781728-2",
"target": null
},
{
"id": "Win32/Ispen BADNEWS Fake User-Agent",
"display_name": "Win32/Ispen BADNEWS Fake User-Agent",
"target": null
},
{
"id": "Babulya/CollectorStealer User-Agent",
"display_name": "Babulya/CollectorStealer User-Agent",
"target": null
},
{
"id": "Win.Malware.Generic-9820446-0",
"display_name": "Win.Malware.Generic-9820446-0",
"target": null
},
{
"id": "Worm:Win32/AutoRun!atmn",
"display_name": "Worm:Win32/AutoRun!atmn",
"target": "/malware/Worm:Win32/AutoRun!atmn"
},
{
"id": "VirTool:MSIL/Obfuscator.BV",
"display_name": "VirTool:MSIL/Obfuscator.BV",
"target": "/malware/VirTool:MSIL/Obfuscator.BV"
},
{
"id": "Win.Trojan.Emotet-9850453-0",
"display_name": "Win.Trojan.Emotet-9850453-0",
"target": null
},
{
"id": "ALF:HSTR:HackTool:ExtremeInjector.S01",
"display_name": "ALF:HSTR:HackTool:ExtremeInjector.S01",
"target": null
},
{
"id": "ALF:HeraklezEval:Trojan:Win32/AgentTesla!rfn",
"display_name": "ALF:HeraklezEval:Trojan:Win32/AgentTesla!rfn",
"target": null
},
{
"id": "!#HSTR:Win32/Spectorsoft",
"display_name": "!#HSTR:Win32/Spectorsoft",
"target": "/malware/!#HSTR:Win32/Spectorsoft"
},
{
"id": "ALF:Base64EncodeFunctionMonitorW",
"display_name": "ALF:Base64EncodeFunctionMonitorW",
"target": null
},
{
"id": "185.199.108.133.Malware_Host",
"display_name": "185.199.108.133.Malware_Host",
"target": null
},
{
"id": "adware.opencandy",
"display_name": "adware.opencandy",
"target": null
},
{
"id": "Malvertizing",
"display_name": "Malvertizing",
"target": null
}
],
"attack_ids": [
{
"id": "TA0002",
"name": "Execution",
"display_name": "TA0002 - Execution"
},
{
"id": "TA0003",
"name": "Persistence",
"display_name": "TA0003 - Persistence"
},
{
"id": "TA0004",
"name": "Privilege Escalation",
"display_name": "TA0004 - Privilege Escalation"
},
{
"id": "TA0005",
"name": "Defense Evasion",
"display_name": "TA0005 - Defense Evasion"
},
{
"id": "TA0006",
"name": "Credential Access",
"display_name": "TA0006 - Credential Access"
},
{
"id": "TA0007",
"name": "Discovery",
"display_name": "TA0007 - Discovery"
},
{
"id": "TA0009",
"name": "Collection",
"display_name": "TA0009 - Collection"
},
{
"id": "TA0034",
"name": "Impact",
"display_name": "TA0034 - Impact"
},
{
"id": "TA0040",
"name": "Impact",
"display_name": "TA0040 - Impact"
},
{
"id": "T1031",
"name": "Modify Existing Service",
"display_name": "T1031 - Modify Existing Service"
}
],
"industries": [],
"TLP": "white",
"cloned_from": null,
"export_count": 32,
"upvotes_count": 0,
"downvotes_count": 0,
"votes_count": 0,
"locked": false,
"pulse_source": "web",
"validator_count": 0,
"comment_count": 0,
"follower_count": 0,
"vote": 0,
"author": {
"username": "OctoSeek",
"id": "243548",
"avatar_url": "/otxapi/users/avatar_image/media/avatars/user_243548/resized/80/avatar_3b9c358f36.png",
"is_subscribed": false,
"is_following": false
},
"indicator_type_counts": {
"FileHash-MD5": 1872,
"FileHash-SHA1": 1140,
"FileHash-SHA256": 2367,
"URL": 1969,
"domain": 327,
"hostname": 1025,
"email": 1
},
"indicator_count": 8701,
"is_author": false,
"is_subscribing": null,
"subscriber_count": 219,
"modified_text": "819 days ago ",
"is_modified": true,
"groups": [],
"in_group": false,
"threat_hunter_scannable": true,
"threat_hunter_has_agents": 1,
"related_indicator_type": "URL",
"related_indicator_is_active": 1
},
{
"id": "655dafbe9ac9ac786fde45ad",
"name": "http://malwaredomainlist.com/ \u2022 CNC \u2022 Spyware \u2022 Tracking",
"description": "Network capture, dga domain, ecc domain, data collection, voicemail access, mail spammer, registrar abuse\n\n[Auto populated. I can't cannot confirm or deny the accuracy of the following information: A summary of key facts and information about a malicious web domain, hosted by the US government, has been released by Google.com and its parent company, Alphabet, for use on its website.]",
"modified": "2023-12-22T06:03:01.993000",
"created": "2023-11-22T07:37:34.595000",
"tags": [
"united",
"as22612",
"as2637",
"creation date",
"search",
"moved",
"expiration date",
"date",
"showing",
"as397240",
"next",
"entries",
"scan endpoints",
"all octoseek",
"dns replication",
"win32 exe",
"network capture",
"android",
"android adaway",
"html",
"files",
"detections type",
"name",
"office open",
"xml document",
"namecheap",
"namecheap inc",
"whois lookups",
"win32 dll",
"text",
"wextract",
"text htaccess",
"powershell",
"detection list",
"blacklist",
"first",
"ssl certificate",
"whois record",
"contacted",
"december",
"whois whois",
"threat roundup",
"historical ssl",
"problems",
"referrer",
"pe resource",
"startpage",
"cyber threat",
"redline stealer",
"mail spammer",
"hostname",
"phishing site",
"malicious site",
"installcore",
"http spammer",
"malware site",
"malware",
"generic malware",
"heur",
"generic",
"alexa top",
"million",
"site",
"cisco umbrella",
"alexa",
"ip address",
"algorithm",
"data",
"v3 serial",
"number",
"cat cnzerossl",
"ecc domain",
"secure site",
"ca ozerossl",
"validity",
"subject public",
"server",
"email",
"code",
"registrar abuse",
"country",
"privacy service",
"withheld",
"privacy",
"domain name",
"pattern match",
"ascii text",
"appdata",
"file",
"windows nt",
"svg scalable",
"vector graphics",
"indicator",
"gif image",
"accept",
"hybrid",
"general",
"local",
"pixel",
"click",
"twitter",
"strings",
"class",
"generator",
"critical",
"command_and_control",
"spyware",
"tracking",
"voicemail access",
"dga",
"apple"
],
"references": [
"https://www.hybrid-analysis.com/sample/c0c84df54b890bb408fc2289f1e75a29991127bbe207aa30042616b5ea150342/655d9af5679c7afcc409895e",
"\u2193Interesting\u2193",
"IPv4 198.54.117.211 command_and_control",
"IPv4 198.54.117.210 command_and_control",
"IPv4 198.54.117.212 command_and_control",
"IPv4 198.54.117.215 command_and_control",
"IPv4 198.54.117.217 command_and_control",
"IPv4 198.54.117.218 command_and_control",
"apple-securityiphone-icloud.com",
"tx-p2p-pull.video-voip.com.dorm.com",
"http://updates.voicemailaccess.net/b0f6a00b15311023",
"tvapp-server.de",
"zeustracker.abuse.ch",
"ransomwaretracker.abuse.ch",
"http://t.trkitok.com/track/rep?oid=2001&st=1&id=DP2441--w1VJE427J8SGGRTP02MD7UEG___93737493-c08b-4dc7-ad30-b17a2c09e771___$mid",
"louisianarooflawyers.com [phishing]",
"hasownproperty.call"
],
"public": 1,
"adversary": "",
"targeted_countries": [
"United States of America"
],
"malware_families": [
{
"id": "Generic",
"display_name": "Generic",
"target": null
},
{
"id": "BlackNET",
"display_name": "BlackNET",
"target": null
},
{
"id": "InstallCore",
"display_name": "InstallCore",
"target": null
}
],
"attack_ids": [
{
"id": "T1059",
"name": "Command and Scripting Interpreter",
"display_name": "T1059 - Command and Scripting Interpreter"
},
{
"id": "T1071",
"name": "Application Layer Protocol",
"display_name": "T1071 - Application Layer Protocol"
},
{
"id": "T1105",
"name": "Ingress Tool Transfer",
"display_name": "T1105 - Ingress Tool Transfer"
},
{
"id": "T1114",
"name": "Email Collection",
"display_name": "T1114 - Email Collection"
},
{
"id": "T1560",
"name": "Archive Collected Data",
"display_name": "T1560 - Archive Collected Data"
}
],
"industries": [],
"TLP": "white",
"cloned_from": null,
"export_count": 51,
"upvotes_count": 0,
"downvotes_count": 0,
"votes_count": 0,
"locked": false,
"pulse_source": "web",
"validator_count": 0,
"comment_count": 0,
"follower_count": 0,
"vote": 0,
"author": {
"username": "OctoSeek",
"id": "243548",
"avatar_url": "/otxapi/users/avatar_image/media/avatars/user_243548/resized/80/avatar_3b9c358f36.png",
"is_subscribed": false,
"is_following": false
},
"indicator_type_counts": {
"FileHash-MD5": 105,
"FileHash-SHA1": 100,
"FileHash-SHA256": 3072,
"domain": 1188,
"email": 5,
"URL": 7940,
"hostname": 1925,
"CVE": 1
},
"indicator_count": 14336,
"is_author": false,
"is_subscribing": null,
"subscriber_count": 228,
"modified_text": "849 days ago ",
"is_modified": true,
"groups": [],
"in_group": false,
"threat_hunter_scannable": true,
"threat_hunter_has_agents": 1,
"related_indicator_type": "URL",
"related_indicator_is_active": 1
}
],
"references": [
"www.pornhub.com [New Relic | nr-data.net | Apple Private Data Collection]",
"Tulach Malware: 114.114.114.114",
"http://www.forensickb.com/2013/03/file-entropy-explained.html",
"Can the DoD no questions asked target a SA victim",
"AgentTesla.KM: FileHash-MD5 e0801d62e8379b98177fd94a027e8b30",
"zeustracker.abuse.ch",
"cdn.easykeys.com",
"x.ss2.us",
"https://members.engine.com/login \u2022 https://members.engine.com/payment-details/220210",
"x402.porn \u2022 http://alohatube.xyz/search/tsara-brashears \u2022 \thttps://ufovpn.io/blog/is-eporner-safe",
"YARA Rules",
"legal deductions, legitimate reasons for payment delays or denial, or potential issues that require legal",
"https://otx.alienvault.com/indicator/url/https://www.bleepingcomputer.com/forums/t/268006/wormmalware-that-kills-run-system-restore-regedit/ [ phishing attack directed towards Tsara Brashears]",
"Matches rule UPX from ruleset UPX by kevoreilly",
"\u2193Interesting\u2193",
"frostwire-5.3.9.windows.exe",
"toolbarqueries.google.com.uy",
"More information: https://www.nextron-systems.com/notes-on-virustotal-matches/",
"66.254.114.234 | reflectededge.reflected.net | reflected.net | 192.0.2.0 | https://www.brazzers.com/ | brazzers.com | brazzersnetwork.com",
"There\u2019s a problem with terrorizing victims, relatives of, associates of and stealing their property intellectual or otherwise",
"https://meumundogay-com.sexogratis.page/locker",
"Win32:BankerX-gen\\ [Trj] \u00bb FileHash-SHA256 2e5118d15a18ae852bf94d91707ff634d9d8354fef492f5c4e1c46b9cf96184c",
"https://www.anyxxxtube.net/search-porn/tsara-brashears/ \u2022 alohatube.xyz \u2022 1001pornvideos.com",
"http://updates.voicemailaccess.net/b0f6a00b15311023",
"IDS Detections: TLS Handshake Failure | Alerts: network_icmp , injection",
"Crowdstrike: cdc-stg-emea.autodesk.com | cloudcost.autodesk.com | cloudpc-stg.autodesk.com | d-s.autodesk.com |",
"Yara Detection: Nullsoft_NSIS",
"IPv4 198.54.117.217 command_and_control",
"ftp.iamrobert.com ? \u2022 https://www.meritshealth.com/templates/iamrobert/fonts/Graphik-Regular.eot",
"RedTube.com Detections: ALF:AGGR:OpcCl:95!ml , ALF:JASYP:Backdoor:Win32/Cycbot!atmn , Win.Downloader.117423-1 ,",
"zeroeyes.host \u2022 media.defense.gov \u2022 defense.gov \u2022 23.222.155.67",
"keezmovies.com | redtube.com | tube8.com | tube8.com | youporn.com| 0.brazzers.com | www.g-tunnel.comwww.brazzers.com |",
"Crowdstrike: https://bat.bing.com/action/0?ti=12001672&tm=al001&Ver=2&mid=12436868-a484-4998-931c-980262982f67&sid=b92cd8f0483e11efa3c96fe28be413cb&vid=b92cdd10483e11efb1024309353d849f&vids=1&msclkid=N&pi=-740138922&lg=en-US&sw=800&sh=600&sc=24&tl=CrowdStrike%3A%20Stop%20breaches.%20Drive%20business.&p=https%3A%2F%2Fwww.crowdstrike.com%2Fen-us%2F&r=<=1022&pt=1721661968606",
"https://media.defense.gov/2022/Mar/17/2002958406/-1/-1/1/SUMMARY-OF-THE-JOINT-ALL-DOMAIN-COMMAND-AND-CONTROL-STRATEGY.pdf",
"louisianarooflawyers.com [phishing| songculture.com redirect , compromised by threat actors]",
"Yara: SUSP_ENV_Folder_Root_File_Jan23_1 %APPDATA%\\ewiuer2.exe SCRIPT",
"Crowdstrike: watchtower.cranberry.testing.maxfehlinger.de | https://latex.cranberry.testing.maxfehlinger.de |",
"Crowdstrike: daiwahouse-learning.autodesk.com| datagovernance-dev.autodesk.com | enterprise-api-np.autodesk.com",
"https://rto.bappam.eu/ai-n2cdl/mirai-2025-ven5k-telugu-movie-watch-online.html",
"IP : 54.192.29.164",
"https://www.anyxxxtube.net/search-porn/tsara-brashears/ [phishing]",
"Is the family allowed to have a funeral for Tsara or print an obituary",
"Crowdstrike: autodeskarchitecture.autodesk.com | beacon-dev3.autodesk.com | boxtooffice365.autodesk.com | brahma-studio.autodesk.com",
"IP Region, Quebec. City ; Net Range, 151.101.0.0 - 151.101.255.255. CIDR ; Full Name, Fastly, Inc.",
"IDS Detections: GENERIC Likely Malicious Fake IE Downloading .exe",
"http://103.246.145.111/gateonl.php?hwid=WALKER-PC-WALKER&cpuname=Intel [Apple exploit]",
"Alerts: network_icmp antisandbox_idletime modifies_certificates modifies_proxy_wpad disables_proxy",
"Crowdstrike + Autodesk.com: hallrender.com/attorney/brian-sabey www.hallrender.com/attorney/brian-sabey hallrender.com www.hallrender.com https://hallrender.com milehighmedia.com https://www.milehighmedia.com/ https://www.milehighmedia.com/legal/2257",
"https://media.defense.gov/2020/jun/09/2002313081/-1/-1/0/csi-detect-and-prevent-web-shell-malware-20200422.pdf",
"https://otx.alienvault.com/browse/global/pulses?q=tag:%22esta%20caliente%22&include_inactive=0&sort=-modified&page=1&limit=10&indicatorsSearch=esta%20caliente",
"I am very upset. Whoever is doing this is sick.",
"tx-p2p-pull.video-voip.com.dorm.com",
"boot.net.anydesk.com removed from my Pulse below",
"Unsupported/Fake Windows NT Version 5.0",
"socialmedia \u2022 socialmedia.defense.gov \u2022 static.defense.gov",
"google.com.uy [Google search browser, masked, links to malicious porn malware spreader, malvertizing, collection host]",
"https://otx.alienvault.com/indicator/ip/185.199.108.133",
"Above links in search results direct out with and arrow pointing out.",
"IDS Detections: Cobalt Strike Malleable C2 JQuery",
"https://www.meritshealth.com/ Defense.Gov Mobility Co? ",
"Fastly IP Block: 151.101.0.0/16 | Organizations like Palantir may use third-party services such as Fastly's CDN",
"Red Team Abuse? Starfield ? DoD? You need a real criminal Jeffrey Reimer.",
"I didn't add pertinent findings back to Pulse. Pulse comp,eyes says ago . Couldn't submit. It's was actually a tiny pulse of autodesk.com with crowdstrike relationship references,",
"https://es.pornhat.com/models/the-sex-creator/",
"phishing-campaign-cloudstation-eu-west-98.githubusercontent.com [phishing]",
"185.199.108.133",
"GET /lenovo HTTP/1.1 Host: www.tabxexplorer.com Connection: keep-alive Upgrade-Insecure-Requests: 1 User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/121.0.0.0 Safari/537.36 Edg/121.0.0.0",
"1.2016 M.Brian Sabey filed a complaint about? Jeffrey Reimer refused Lie detector test and False memory exam",
"IPv4 198.54.117.218 command_and_control",
"Remarks online \u2018 T\u2019*#^^ is not a runner\u2019 a size 00 broke two track records at a major universities.",
"Crowdstrike: auth.cranberry.testing.maxfehlinger.de | latex.cranberry.testing.maxfehlinger.de | traefik.cranberry.testing.maxfehlinger.de |",
"IDS Detections: Nullsoft Mozilla UA (NSISDL)",
"www.anyxxxtube.net",
"Win32:Mystic , Win.Trojan.Xblocker-236 \u00bbFileHash-SHA256 8c59adbccc1987d13fec983f1e2be046611511b65479d1719bda77c5c90bbe21",
"tvapp-server.de",
"No, they put Tsara in her mom\u2019s obituary, she couldn\u2019t grieve, she had to take it down.",
"https://maisexo-com.putaria.info/casting \u2022 https://contosadultos-club.sexogratis.page/tudo",
"There is fear in silence or speaking out",
"gstatic.com",
"Link below used to defraud Tsara to think she\u2019d violated Patriot Act warranting NSA , Palinter espionage",
"http://www.tabxexplorer.com [phishing]",
"https://www.pornhub.com/gifs/search?search=tsara+lynn+brashears+lesbian [ iOS unlocker & password cracker]",
"hasownproperty.call",
"http://t.trkitok.com/track/rep?oid=2001&st=1&id=DP2441--w1VJE427J8SGGRTP02MD7UEG___93737493-c08b-4dc7-ad30-b17a2c09e771___$mid",
"RULE_LINK: https://valhalla.nextron-systems.com/info/rule/SUSP_JS_Command",
"ransomwaretracker.abuse.ch",
"Products are being abused. Users are over zealous at blocking targets from basic human rights and privacy.",
"Crowdstrike: http://watchtower.cranberry.testing.maxfehlinger.de| https://auth.cranberry.testing.maxfehlinger.de |",
"Crowdstrike: https://hr.employmenthero.com/rs/387-SZZ-170/images/youtube-icon-emp-hero-violet.png",
"msedgeextensions.sf.tlu.dl.delivery.mp.microsoft.com",
"IPv4 198.54.117.212 command_and_control",
"The more I say...Any.Desk + boot.net.anydesk.com was in OG Private CrowdsStrike pulse",
"Overview \"Keeping money\" by the Colorado workers' compensation system can refer to",
"https://www.assurant.com/?utm_source=email&utm_medium=email&utm_campaign=Mobile_Transactional_withad&utm_content=Deductible+Charge+Acknowledgement+PD-MB&utm_term= [Mobile transactional with ads/ malicious]",
"https://static.pornhat.com/contents/videos_screenshots/642000/642793/640x360/1.jpg",
"Crowdstrike + Autodesk.com: 128 + symcd.com some w/issues | 658 autodesk.com pulse some w/issues | removed any.desk & boot",
"Matches rule Adobe_XMP_Identifier from ruleset Adobe_XMP_Identifier by InQuest Labs",
"https://www2.itsyourporn.com/license.php \u2022 https://www.lovephoto.tw/members",
"IDS Detections: Zeus Panda Banker / Ursnif Malicious SSL Certificate Detected TLS Handshake Failure",
"Crowdstrike: symcd.com [Certificate Subjectaltname \u00bb\u00bb anydesk.com \u00bb\u00bb http://gn.symcb.com/gn.crt Ocsp\thttp://gn.symcd.com] ANYDESK.COM-unsigned",
"103.246.145.111 [malware]",
"Target left unattended by anyone in a hospital except a security guard. Hospital refused care. Ignored rare brain incident from high cervical & brain assault injuries aggravated by car accident.",
"https://www.xlabs.com.br/blog/cve-2013-3304-dell-equallogic-directory-traversal/ \u2022 http://cve.phidias.com/",
"apple-securityiphone-icloud.com",
"cdn-185-199-108-133.github.com",
"AS : AS16509 Amazon.com, Inc",
"https://shift.gearboxsoftware.com/link",
"ns3.hallgrandsale.ru",
"Honestly, you\u2019ve never seen or met her no many how many people you\u2019ve sent out. That\u2019s why you quiz.",
"counsel. The system does not \"keep\" money without a valid reason.Lies. they\u2019ve Ben in trouble before .",
"3-4 Police presence. 25 + hospital employees prepped radiology room. No one left room so was it for her?",
"RedTube.com Detections: Win.Trojan.Crypt-321 , Win.Trojan.FakeAV-4166 , Win.Trojan.Fakeav-10977 , Win.Trojan.Fakeav-3386",
"Infectious Disease UC Health denied target medication they said she needed as questionable liquid seeped into her brain.",
"nr-data.net [Apple Private Data Collection]",
"https://otx.alienvault.com/indicator/url/https://www.pornhub.com/gifs/search?search=tsara+lynn+brashears+lesbian [ Walker | Apple Password Cracker]",
"She was a researcher not a hacker. A mother not a criminal. Most talented and least impressed person I have ever known.",
"https://www-pornocarioca-com.sexogratis.page/videos/bbb/ex",
"Login privileges",
"Crowdstrike: \tbat.bing.com, https://tulach.cc, https://otx.alienvault.com/indicator/url/http://www.hallrender.com/attorney/brian-sabey",
"Win.Trojan.Vundo-7170412-0\t#Lowfi:SuspiciousSectionName",
"www.moxa.com",
"Fastly Error and Palantir blocked several times over the last few months.",
"https://media.defense.gov/2024/sep/18/2003547016/-1/-1/0/csa-prc-linked-actors-botnet.pdf",
"Crowdstrike: wildcard.352-445-1166.device.sim.to.img.sedoparking.com",
"https://otx.alienvault.com/pulse/66d4c125ad61ee5577639a2d",
"Matches rule Windows_API_Function from ruleset Windows_API_Function by InQuest Labs",
"https://www.turbo.net/run/videolan/vlc",
"IPv4 198.54.117.210 command_and_control",
"louisianarooflawyers.com [phishing]",
"IDS Detections: Observed Suspicious UA (NSISDL/1.2 (Mozilla))",
"https://tulach.cc/",
"Crowdstrike + Autodesk.com: brassiere.world mail.brassiere.world webdisk.brassiere.world webmail.brassiere.world",
"Crowdstrike: maxfehlinger.de http://auth.cranberry.testing.maxfehlinger.de | http://latex.cranberry.testing.maxfehlinger.de |",
"identity_helper.exe",
"https://webcams.itsyourporn.com/ \u2022 https://members.itsyourporn.com/",
"Crowdstrike: autodesk.com | 0ds.autodesk.com | aknanalytics.autodesk.com | anubis.autodesk.com | autobetaint.autodesk.com",
"https://www.hybrid-analysis.com/sample/c0c84df54b890bb408fc2289f1e75a29991127bbe207aa30042616b5ea150342/655d9af5679c7afcc409895e",
"https://d1rozh26tys225.cloudfront.net/robot-suspicion.svg (mobility company no one has heard of)",
"Target agreed and complied with all lie detector measures.",
"If someone is believed to be a threat they have right to due process.",
"https://pornokind.vgt.pl \u2022 https://cdn2.video.itsyourporn.com",
"Malware Hosting: IPv4 185.199.108.133, 185.199.109.133, 185.199.110.133, 185.199.111.133",
"Dear US Government, the man who assaulted targets name is Jeffrey Scott Reimer of Chester Springs, PA",
"hive21.ctcsoftware.com",
"http://www.tabxexplorer.com/lenovo",
"REFERENCE: https://goo.gl/hXbwiV",
"autodesk.com [ Everything below was found in Autodesk [including crowdstrike & any.desk] Found in in Crowdsrike if labeled.",
"https://unicef.se/assets/apple",
"IPv4 198.54.117.215 command_and_control",
"SRC URL : http://dl.frostwire.com/frostwire/5.3.9/frostwire-5.3.9.windows.exe",
"Denver ; ISP, Fastly, Inc. ; Organization, Fastly, Inc. ; Network, AS54113 Fastly, Inc. (VPN, CDN, DDOSM,)",
"IPv4 198.54.117.211 command_and_control",
"Palantir quasi government client Ab/using Palantir subdomains , Fastly is CDN",
"https://pics-storage-1.pornhat.com/contents/albums/main/1920x1080/135000/135855/9537375.jp",
"Crowdstrike: https://www.anyxxxtube.net/search-porn/tsara-brashears/\tphishing\t| https://www.anyxxxtube.net/sitemap.xml",
"172.31.13.249",
"iamrobert.com Y.A.S.",
"IDS Detections: SSL excessive fatal alerts (possible POODLE attack against server)",
"AgentTesla.KM: FileHash-SHA1 0fa00a939ca8af08c90310b808d1d8fc70a518c3",
"Crowdstrike: https://www.pornhub.com/gifs/search?search=tsara+lynn+brash |",
"Above link opened 'esta caliente'= 'it's hot'| I did NOT do that | All connected links gone. This has become common.",
"Crowdstrike: https://www.pornhub.com/gifs/search?search=tsara+lynn+brashears+lesbian | https://www.pornhub.com/video/search?search=tsara+brashears | www.youtube.com/watch?v=GyuMozsVyYs | www.pornhub.com | www.youtube.com",
"Crowdstrike: https://traefik.cranberry.testing.maxfehlinger.de | http://traefik.cranberry.testing.maxfehlinger.de |"
],
"related": {
"alienvault": {
"adversary": [],
"malware_families": [],
"industries": [],
"unique_indicators": 0
},
"other": {
"adversary": [
"Colorado Quasi Government | Workerk Compensation",
"Quickstart"
],
"malware_families": [
"Magic",
"Multios.coinminer.miner-6781728-2",
"Win.trojan.xblocker-236",
"Trojan:win32/zombie.a",
"#lowfienabledtcontinueafterunpacking",
"Win.malware.generickdz-9938530-0",
"Alf:jasyp:backdoor:win32/cycbot",
"Trojan:win32/dorv.b!rfn",
"Dorv",
"Blacknet",
"Ransom:win32/cve-2017-0147",
"Multiple malware attack",
"Hacktool:win32/atosev.a",
"Trojan:win32/neconyd.a",
"Trojanspy",
"Virtool",
"Ransomexx",
"Upatre",
"Alf:hstr:hacktool:extremeinjector.s01",
"Mivast",
"Berbew",
"Cve-2022-26134",
"Trojanspy:win32/usteal",
"#lowfi:hstr:msil/possibledownloader.s01",
"Cve-2023-4966",
"Formbook",
"Win.trojan.vundo-7170412-0",
"Win.trojan.starter-171",
"Win.exploit.rozena-10038302-0",
"Trojandropper:win32/vb.il",
"Alf:heraklezeval:trojan:win32/clipbanker",
"Win.trojan.emotet-9850453-0",
"Exploit:linux/cve-2017-17215",
"Virtool:msil/obfuscator.bv",
"Adware.opencandy",
"Nemucod",
"Hacktool:win32/cobaltstrike.a",
"Babulya/collectorstealer user-agent",
"Alf:heraklezeval:trojan:win32/agenttesla!rfn",
"Win32:mystic",
"Win.trojan.generic-9878032-0",
"Win.malware.pits-10035540-0",
"Hacktool",
"Emotet",
"Qbot",
"Pws:msil/dcstl.gd!mtb",
"Win.trojan.barys-10005825-0",
"Generic",
"#lowfi:suspicioussectionname",
"Malware",
"Ransom:win32/genasom",
"Pws:win32/zbot.ms!mtb",
"Qakbot",
"Azorult",
"Win.trojan.poetrat-7669676-0",
"Installcore",
"Trojan:win32/qqpass",
"Win32:malwarex-gen\\ [trj]",
"Apnic",
"Sakula",
"Worm:win32/autorun",
"Win.malware.generic-9820446-0",
"Trojan:win32/antavmu.d",
"Trojan:win32/zombie",
"Win.ransomware.msilzilla-10014498-0",
"Win.malware.urelas-9863836-0",
"Worm:win32/autorun!atmn",
"Backdoor:win32/berbew.aa!mtb",
"Multiple malware\u2019s , trojans and rats",
"!#hstr:win32/spectorsoft",
"Alf:heraklezeval:trojan:msil/gravityrat!rfn",
"Muldrop",
"Alf:base64encodefunctionmonitorw",
"Zombie",
"Malvertizing",
"Gravityrat",
"Hallrender",
"Win32/ispen badnews fake user-agent",
"Pws:win32/qqpass.fc",
"Trojan:msil/agenttesla.dw!mtb",
"Tulach",
"Cobalt strike",
"Lumma stealer",
"Alf:win32/gbdinf_305b1c9a.j!ibt",
"185.199.108.133.malware_host",
"Sabey",
"Worm:win32/mofksys.rnd!mtb",
"Alf:trojan:msil/agenttesla.km"
],
"industries": [
"Government",
"Civil society",
"Telecommunications",
"Technology"
],
"unique_indicators": 139970
}
}
},
"false_positive": [],
"alexa": "http://www.alexa.com/siteinfo/irrigationsystem.uz",
"whois": "http://whois.domaintools.com/irrigationsystem.uz",
"domain": "irrigationsystem.uz",
"hostname": "uzgenom.irrigationsystem.uz"
},
"geo": {},
"geo_ipapicom": {},
"pulse_count": 18,
"pulses": [
{
"id": "69a3c685d4b7c139ffe62930",
"name": "Clone Pulse Reference",
"description": "",
"modified": "2026-04-01T00:44:45.494000",
"created": "2026-03-01T04:54:29.384000",
"tags": [
"ipv4",
"active related",
"trojandropper",
"mtb jun",
"lowfi",
"trojan",
"mtb jan",
"fastly error",
"please",
"united",
"ttl value",
"get na",
"total",
"delete",
"search",
"yara detections",
"sinkhole cookie",
"value snkz",
"write",
"suspicious",
"ransom",
"malware",
"Ransom.Win32.Birele.gsg Checkin",
"AnubisNetworks Sinkhole Cookie Value Snkz",
"Possible Compromised Host",
"dynamicloader",
"delete c",
"default",
"medium",
"write c",
"settingswpad",
"intel",
"ms windows",
"users",
"number",
"title",
"installer",
"top source",
"top destination",
"source source",
"port",
"filehash",
"av detections",
"ids detections",
"yara rule",
"gravityrat",
"detectvm",
"x00 x00",
"x00x00",
"doviacmd",
"rootjob",
"getfiles",
"updateserver",
"ethernetid",
"ids signatures",
"exploits",
"sid name",
"malware cve",
"dns query",
"dnsbin demo",
"data exfil",
"exif data",
"DNS Query for Webhook/HTTP Request Inspection Service (x .pipedr",
"DNSBin Demo (requestbin .net) - Data Exfitration",
"source port",
"destination",
"present sep",
"script urls",
"script script",
"a domains",
"script domains",
"ip address",
"meta",
"present nov",
"passive dns",
"next associated",
"domain add",
"pe executable",
"entries",
"show",
"msie",
"windows nt",
"wow64",
"copy",
"present jan",
"present feb",
"domain",
"pulse pulses",
"urls",
"files",
"tam legal",
"christopher ahmann",
"https://unicef.se/assets/apple",
"treece alfrey",
"hours ago",
"information",
"report spam",
"ahmann colorado",
"state",
"special cousel",
"created",
"expiro",
"capture"
],
"references": [
"Fastly IP Block: 151.101.0.0/16 | Organizations like Palantir may use third-party services such as Fastly's CDN",
"Fastly Error and Palantir blocked several times over the last few months.",
"Denver ; ISP, Fastly, Inc. ; Organization, Fastly, Inc. ; Network, AS54113 Fastly, Inc. (VPN, CDN, DDOSM,)",
"IP Region, Quebec. City ; Net Range, 151.101.0.0 - 151.101.255.255. CIDR ; Full Name, Fastly, Inc.",
"Palantir quasi government client Ab/using Palantir subdomains , Fastly is CDN",
"Yara: SUSP_ENV_Folder_Root_File_Jan23_1 %APPDATA%\\ewiuer2.exe SCRIPT",
"Win.Trojan.Vundo-7170412-0\t#Lowfi:SuspiciousSectionName",
"Link below used to defraud Tsara to think she\u2019d violated Patriot Act warranting NSA , Palinter espionage",
"https://unicef.se/assets/apple"
],
"public": 1,
"adversary": "",
"targeted_countries": [],
"malware_families": [
{
"id": "Trojan:Win32/Neconyd.A",
"display_name": "Trojan:Win32/Neconyd.A",
"target": "/malware/Trojan:Win32/Neconyd.A"
},
{
"id": "PWS:Win32/QQpass.FC",
"display_name": "PWS:Win32/QQpass.FC",
"target": "/malware/PWS:Win32/QQpass.FC"
},
{
"id": "Trojan:Win32/Zombie.A",
"display_name": "Trojan:Win32/Zombie.A",
"target": "/malware/Trojan:Win32/Zombie.A"
},
{
"id": "Win.Malware.Urelas-9863836-0",
"display_name": "Win.Malware.Urelas-9863836-0",
"target": null
},
{
"id": "ALF:HeraklezEval:Trojan:MSIL/Gravityrat!rfn",
"display_name": "ALF:HeraklezEval:Trojan:MSIL/Gravityrat!rfn",
"target": null
},
{
"id": "Win.Trojan.Vundo-7170412-0",
"display_name": "Win.Trojan.Vundo-7170412-0",
"target": null
},
{
"id": "#Lowfi:SuspiciousSectionName",
"display_name": "#Lowfi:SuspiciousSectionName",
"target": null
},
{
"id": "Multiple Malware\u2019s , Trojans and Rats",
"display_name": "Multiple Malware\u2019s , Trojans and Rats",
"target": null
}
],
"attack_ids": [
{
"id": "T1060",
"name": "Registry Run Keys / Startup Folder",
"display_name": "T1060 - Registry Run Keys / Startup Folder"
},
{
"id": "T1119",
"name": "Automated Collection",
"display_name": "T1119 - Automated Collection"
},
{
"id": "T1059.002",
"name": "AppleScript",
"display_name": "T1059.002 - AppleScript"
},
{
"id": "T1027",
"name": "Obfuscated Files or Information",
"display_name": "T1027 - Obfuscated Files or Information"
},
{
"id": "T1045",
"name": "Software Packing",
"display_name": "T1045 - Software Packing"
},
{
"id": "T1057",
"name": "Process Discovery",
"display_name": "T1057 - Process Discovery"
},
{
"id": "T1069",
"name": "Permission Groups Discovery",
"display_name": "T1069 - Permission Groups Discovery"
},
{
"id": "T1071",
"name": "Application Layer Protocol",
"display_name": "T1071 - Application Layer Protocol"
},
{
"id": "T1105",
"name": "Ingress Tool Transfer",
"display_name": "T1105 - Ingress Tool Transfer"
},
{
"id": "T1113",
"name": "Screen Capture",
"display_name": "T1113 - Screen Capture"
},
{
"id": "T1140",
"name": "Deobfuscate/Decode Files or Information",
"display_name": "T1140 - Deobfuscate/Decode Files or Information"
},
{
"id": "T1197",
"name": "BITS Jobs",
"display_name": "T1197 - BITS Jobs"
},
{
"id": "T1210",
"name": "Exploitation of Remote Services",
"display_name": "T1210 - Exploitation of Remote Services"
},
{
"id": "T1457",
"name": "Malicious Media Content",
"display_name": "T1457 - Malicious Media Content"
},
{
"id": "T1480",
"name": "Execution Guardrails",
"display_name": "T1480 - Execution Guardrails"
},
{
"id": "T1553",
"name": "Subvert Trust Controls",
"display_name": "T1553 - Subvert Trust Controls"
},
{
"id": "T1562",
"name": "Impair Defenses",
"display_name": "T1562 - Impair Defenses"
},
{
"id": "T1568",
"name": "Dynamic Resolution",
"display_name": "T1568 - Dynamic Resolution"
},
{
"id": "T1574",
"name": "Hijack Execution Flow",
"display_name": "T1574 - Hijack Execution Flow"
},
{
"id": "T1583",
"name": "Acquire Infrastructure",
"display_name": "T1583 - Acquire Infrastructure"
}
],
"industries": [],
"TLP": "white",
"cloned_from": "6906bd99cadbd4140014c6af",
"export_count": 0,
"upvotes_count": 0,
"downvotes_count": 0,
"votes_count": 0,
"locked": false,
"pulse_source": "web",
"validator_count": 0,
"comment_count": 0,
"follower_count": 0,
"vote": 0,
"author": {
"username": "msudosos",
"id": "381696",
"avatar_url": "https://otx.alienvault.com/assets/images/default-avatar.png",
"is_subscribed": false,
"is_following": false
},
"indicator_type_counts": {
"FileHash-SHA256": 909,
"domain": 454,
"hostname": 1404,
"URL": 3557,
"CIDR": 1,
"FileHash-MD5": 242,
"FileHash-SHA1": 185,
"email": 1,
"CVE": 1
},
"indicator_count": 6754,
"is_author": false,
"is_subscribing": null,
"subscriber_count": 48,
"modified_text": "18 days ago ",
"is_modified": true,
"groups": [],
"in_group": false,
"threat_hunter_scannable": true,
"threat_hunter_has_agents": 1,
"related_indicator_type": "URL",
"related_indicator_is_active": 1
},
{
"id": "68e2bb5d9ee8577ab5519f2c",
"name": "Meritshealth with DoD links? ",
"description": "",
"modified": "2026-01-13T00:05:56.401000",
"created": "2025-10-05T18:39:25.286000",
"tags": [
"gtmk5nxqc6",
"utc amazon",
"utc na",
"acceptencoding",
"gmt contenttype",
"connection",
"true pragma",
"gmt setcookie",
"httponly",
"gmt vary",
"nc000000 up",
"html document",
"unicode text",
"utf8 text",
"oc0006 http",
"http traffic",
"https http",
"mitre att",
"control ta0011",
"protocol t1071",
"match info",
"t1573 severity",
"info",
"number",
"ja3s",
"algorithm",
"azure rsa",
"tls issuing",
"cus subject",
"stwa lredmond",
"cnmicrosoft ecc",
"update secure",
"server ca",
"omicrosoft cus",
"get http",
"dns resolutions",
"registrar",
"markmonitor inc",
"country",
"resolver domain",
"type name",
"html",
"apnic",
"apnic whois",
"please",
"rirs",
"cidr",
"learn",
"ck id",
"name tactics",
"suspicious",
"informative",
"command",
"adversaries",
"development att",
"name tactics",
"binary file",
"ck matrix",
"wheelchair",
"iamrobert",
"pattern match",
"ascii text",
"href",
"united",
"general",
"local",
"path",
"encrypt",
"click",
"passive dns",
"urls",
"files",
"reverse dns",
"netherlands",
"present aug",
"a domains",
"moved",
"first pqc",
"ip address",
"unknown ns",
"unknown aaaa",
"title",
"body",
"meta",
"window",
"accept",
"body doctype",
"welcome",
"ok server",
"gmt content",
"present jul",
"present sep",
"aaaa",
"hostname",
"error",
"defense evasion",
"windows nt",
"response",
"vary",
"strings",
"core",
"t1027.013 encrypted/encoded",
"michelin lazy k",
"prefetch8",
"flag",
"date",
"starfield",
"hybrid",
"mobility cr",
"extraction",
"data upload",
"include",
"o url",
"url url",
"included i0",
"review ioc",
"excluded ic",
"suggested",
"find sugi",
"failed",
"cre pul",
"enter",
"enter sc",
"type",
"enric",
"extra",
"type opaste",
"data u",
"included",
"copy md5",
"copy sha1",
"copy sha256",
"null",
"refresh",
"tools",
"look",
"verify",
"restart",
"t1480 execution",
"expiration",
"url https",
"no expiration",
"iocs",
"ipv4",
"text drag",
"drop or",
"browse to",
"select file",
"redacted for",
"server",
"privacy tech",
"privacy admin",
"postal code",
"stateprovince",
"organization",
"email",
"code",
"quantum rooms",
"sam somalia",
"emp",
"porn",
"media defense",
"gov porn",
"suck my nips",
"reimer suspect",
"jeffrey reimer",
"dod",
"department of defense",
"show",
"date checked",
"url hostname",
"server response",
"google safe",
"results may",
"entries http",
"scans record",
"value status",
"sabey type",
"merits fake",
"y.a.s.",
"pornography",
"ramsom"
],
"references": [
"https://www.meritshealth.com/ Defense.Gov Mobility Co? ",
"zeroeyes.host \u2022 media.defense.gov \u2022 defense.gov \u2022 23.222.155.67",
"https://media.defense.gov/2022/Mar/17/2002958406/-1/-1/1/SUMMARY-OF-THE-JOINT-ALL-DOMAIN-COMMAND-AND-CONTROL-STRATEGY.pdf",
"https://media.defense.gov/2020/jun/09/2002313081/-1/-1/0/csi-detect-and-prevent-web-shell-malware-20200422.pdf",
"https://rto.bappam.eu/ai-n2cdl/mirai-2025-ven5k-telugu-movie-watch-online.html",
"https://pornokind.vgt.pl \u2022 https://cdn2.video.itsyourporn.com",
"https://webcams.itsyourporn.com/ \u2022 https://members.itsyourporn.com/",
"https://pics-storage-1.pornhat.com/contents/albums/main/1920x1080/135000/135855/9537375.jp",
"https://static.pornhat.com/contents/videos_screenshots/642000/642793/640x360/1.jpg",
"https://d1rozh26tys225.cloudfront.net/robot-suspicion.svg (mobility company no one has heard of)",
"https://www2.itsyourporn.com/license.php \u2022 https://www.lovephoto.tw/members",
"https://members.engine.com/login \u2022 https://members.engine.com/payment-details/220210",
"https://www-pornocarioca-com.sexogratis.page/videos/bbb/ex",
"https://media.defense.gov/2024/sep/18/2003547016/-1/-1/0/csa-prc-linked-actors-botnet.pdf",
"https://maisexo-com.putaria.info/casting \u2022 https://contosadultos-club.sexogratis.page/tudo",
"https://meumundogay-com.sexogratis.page/locker",
"https://es.pornhat.com/models/the-sex-creator/",
"Dear US Government, the man who assaulted targets name is Jeffrey Scott Reimer of Chester Springs, PA",
"Can the DoD no questions asked target a SA victim",
"Red Team Abuse? Starfield ? DoD? You need a real criminal Jeffrey Reimer.",
"There\u2019s a problem with terrorizing victims, relatives of, associates of and stealing their property intellectual or otherwise",
"socialmedia \u2022 socialmedia.defense.gov \u2022 static.defense.gov",
"There is fear in silence or speaking out",
"Target left unattended by anyone in a hospital except a security guard. Hospital refused care. Ignored rare brain incident from high cervical & brain assault injuries aggravated by car accident.",
"3-4 Police presence. 25 + hospital employees prepped radiology room. No one left room so was it for her?",
"If someone is believed to be a threat they have right to due process.",
"Infectious Disease UC Health denied target medication they said she needed as questionable liquid seeped into her brain.",
"She was a researcher not a hacker. A mother not a criminal. Most talented and least impressed person I have ever known.",
"Remarks online \u2018 T\u2019*#^^ is not a runner\u2019 a size 00 broke two track records at a major universities.",
"Honestly, you\u2019ve never seen or met her no many how many people you\u2019ve sent out. That\u2019s why you quiz.",
"ftp.iamrobert.com ? \u2022 https://www.meritshealth.com/templates/iamrobert/fonts/Graphik-Regular.eot",
"iamrobert.com Y.A.S.",
"1.2016 M.Brian Sabey filed a complaint about? Jeffrey Reimer refused Lie detector test and False memory exam",
"Target agreed and complied with all lie detector measures.",
"Is the family allowed to have a funeral for Tsara or print an obituary",
"No, they put Tsara in her mom\u2019s obituary, she couldn\u2019t grieve, she had to take it down.",
"I am very upset. Whoever is doing this is sick."
],
"public": 1,
"adversary": "",
"targeted_countries": [
"United States of America"
],
"malware_families": [
{
"id": "APNIC",
"display_name": "APNIC",
"target": null
},
{
"id": "Malware",
"display_name": "Malware",
"target": null
}
],
"attack_ids": [
{
"id": "T1071",
"name": "Application Layer Protocol",
"display_name": "T1071 - Application Layer Protocol"
},
{
"id": "T1573",
"name": "Encrypted Channel",
"display_name": "T1573 - Encrypted Channel"
},
{
"id": "T1027",
"name": "Obfuscated Files or Information",
"display_name": "T1027 - Obfuscated Files or Information"
},
{
"id": "T1057",
"name": "Process Discovery",
"display_name": "T1057 - Process Discovery"
},
{
"id": "T1069",
"name": "Permission Groups Discovery",
"display_name": "T1069 - Permission Groups Discovery"
},
{
"id": "T1105",
"name": "Ingress Tool Transfer",
"display_name": "T1105 - Ingress Tool Transfer"
},
{
"id": "T1480",
"name": "Execution Guardrails",
"display_name": "T1480 - Execution Guardrails"
},
{
"id": "T1553",
"name": "Subvert Trust Controls",
"display_name": "T1553 - Subvert Trust Controls"
},
{
"id": "T1566",
"name": "Phishing",
"display_name": "T1566 - Phishing"
},
{
"id": "T1568",
"name": "Dynamic Resolution",
"display_name": "T1568 - Dynamic Resolution"
},
{
"id": "T1583",
"name": "Acquire Infrastructure",
"display_name": "T1583 - Acquire Infrastructure"
},
{
"id": "T1069.002",
"name": "Domain Groups",
"display_name": "T1069.002 - Domain Groups"
},
{
"id": "T1071.001",
"name": "Web Protocols",
"display_name": "T1071.001 - Web Protocols"
},
{
"id": "T1583.001",
"name": "Domains",
"display_name": "T1583.001 - Domains"
},
{
"id": "TA0042",
"name": "Resource Development",
"display_name": "TA0042 - Resource Development"
},
{
"id": "TA0005",
"name": "Defense Evasion",
"display_name": "TA0005 - Defense Evasion"
},
{
"id": "T1553.002",
"name": "Code Signing",
"display_name": "T1553.002 - Code Signing"
},
{
"id": "T1528",
"name": "Steal Application Access Token",
"display_name": "T1528 - Steal Application Access Token"
},
{
"id": "T1071.004",
"name": "DNS",
"display_name": "T1071.004 - DNS"
},
{
"id": "T1113",
"name": "Screen Capture",
"display_name": "T1113 - Screen Capture"
},
{
"id": "T1590",
"name": "Gather Victim Network Information",
"display_name": "T1590 - Gather Victim Network Information"
},
{
"id": "T1591",
"name": "Gather Victim Org Information",
"display_name": "T1591 - Gather Victim Org Information"
},
{
"id": "T1132",
"name": "Data Encoding",
"display_name": "T1132 - Data Encoding"
},
{
"id": "T1140",
"name": "Deobfuscate/Decode Files or Information",
"display_name": "T1140 - Deobfuscate/Decode Files or Information"
},
{
"id": "T1562",
"name": "Impair Defenses",
"display_name": "T1562 - Impair Defenses"
},
{
"id": "T1457",
"name": "Malicious Media Content",
"display_name": "T1457 - Malicious Media Content"
},
{
"id": "T1562.001",
"name": "Disable or Modify Tools",
"display_name": "T1562.001 - Disable or Modify Tools"
},
{
"id": "T1562.004",
"name": "Disable or Modify System Firewall",
"display_name": "T1562.004 - Disable or Modify System Firewall"
},
{
"id": "T1089",
"name": "Disabling Security Tools",
"display_name": "T1089 - Disabling Security Tools"
},
{
"id": "T1562.008",
"name": "Disable Cloud Logs",
"display_name": "T1562.008 - Disable Cloud Logs"
},
{
"id": "T1125",
"name": "Video Capture",
"display_name": "T1125 - Video Capture"
},
{
"id": "T1056.003",
"name": "Web Portal Capture",
"display_name": "T1056.003 - Web Portal Capture"
},
{
"id": "T1512",
"name": "Capture Camera",
"display_name": "T1512 - Capture Camera"
},
{
"id": "T1180",
"name": "Screensaver",
"display_name": "T1180 - Screensaver"
}
],
"industries": [],
"TLP": "white",
"cloned_from": "68e2b14d83bb63502feac65e",
"export_count": 17,
"upvotes_count": 0,
"downvotes_count": 0,
"votes_count": 0,
"locked": false,
"pulse_source": "web",
"validator_count": 0,
"comment_count": 0,
"follower_count": 0,
"vote": 0,
"author": {
"username": "Q.Vashti",
"id": "337942",
"avatar_url": "https://otx.alienvault.com/assets/images/default-avatar.png",
"is_subscribed": false,
"is_following": false
},
"indicator_type_counts": {
"domain": 1365,
"URL": 11172,
"hostname": 2780,
"FileHash-MD5": 381,
"FileHash-SHA256": 4420,
"FileHash-SHA1": 338,
"CIDR": 4,
"SSLCertFingerprint": 24,
"CVE": 1,
"email": 1
},
"indicator_count": 20486,
"is_author": false,
"is_subscribing": null,
"subscriber_count": 139,
"modified_text": "96 days ago ",
"is_modified": true,
"groups": [],
"in_group": false,
"threat_hunter_scannable": true,
"threat_hunter_has_agents": 1,
"related_indicator_type": "URL",
"related_indicator_is_active": 1
},
{
"id": "68e2b14d83bb63502feac65e",
"name": "Did the \u2018real\u2019 DoD kill Targets wheelchair as promised? It\u2019s alive again.",
"description": "I\u2019d never think the DoD would be found when researching a wheelchair company NO ONE has ever heard of in this region. \n\nA wheelchair was ordered for target early spring, it was received in early summer. \n\nSettings became a crazy mess. Suspicion was immediate as a toothless tech tried to identify if dealing w/target by birth year , quizzing, fear tactics (doomsday wheelchair) , familiar Then warns about EMP attacks against wheelchair? His son is a hacker (gamer) + software engineer. He left not knowing if target status after quizzing tech knowledge? I intentionally verbalized the truth , target was a very early adopter of Ruby & Ruby on Rails & everything tech, he dropped his tools & left breaking the arm of wheelchair. New tech needed. Later denies ever being a mobility technician. They killed a new wheelchair. Why?. You\u2019re allowed to donate your equipment Vets & uninsured NEED mobility equipment. Stop the craziness. Is it possible gamer hackers are riding the DoD w/o their knowledge?",
"modified": "2026-01-07T00:00:30.717000",
"created": "2025-10-05T17:56:29.109000",
"tags": [
"gtmk5nxqc6",
"utc amazon",
"utc na",
"acceptencoding",
"gmt contenttype",
"connection",
"true pragma",
"gmt setcookie",
"httponly",
"gmt vary",
"nc000000 up",
"html document",
"unicode text",
"utf8 text",
"oc0006 http",
"http traffic",
"https http",
"mitre att",
"control ta0011",
"protocol t1071",
"match info",
"t1573 severity",
"info",
"number",
"ja3s",
"algorithm",
"azure rsa",
"tls issuing",
"cus subject",
"stwa lredmond",
"cnmicrosoft ecc",
"update secure",
"server ca",
"omicrosoft cus",
"get http",
"dns resolutions",
"registrar",
"markmonitor inc",
"country",
"resolver domain",
"type name",
"html",
"apnic",
"apnic whois",
"please",
"rirs",
"cidr",
"learn",
"ck id",
"name tactics",
"suspicious",
"informative",
"command",
"adversaries",
"development att",
"name tactics",
"binary file",
"ck matrix",
"wheelchair",
"iamrobert",
"pattern match",
"ascii text",
"href",
"united",
"general",
"local",
"path",
"encrypt",
"click",
"passive dns",
"urls",
"files",
"reverse dns",
"netherlands",
"present aug",
"a domains",
"moved",
"first pqc",
"ip address",
"unknown ns",
"unknown aaaa",
"title",
"body",
"meta",
"window",
"accept",
"body doctype",
"welcome",
"ok server",
"gmt content",
"present jul",
"present sep",
"aaaa",
"hostname",
"error",
"defense evasion",
"windows nt",
"response",
"vary",
"strings",
"core",
"t1027.013 encrypted/encoded",
"michelin lazy k",
"prefetch8",
"flag",
"date",
"starfield",
"hybrid",
"mobility cr",
"extraction",
"data upload",
"include",
"o url",
"url url",
"included i0",
"review ioc",
"excluded ic",
"suggested",
"find sugi",
"failed",
"cre pul",
"enter",
"enter sc",
"type",
"enric",
"extra",
"type opaste",
"data u",
"included",
"copy md5",
"copy sha1",
"copy sha256",
"null",
"refresh",
"tools",
"look",
"verify",
"restart",
"t1480 execution",
"expiration",
"url https",
"no expiration",
"iocs",
"ipv4",
"text drag",
"drop or",
"browse to",
"select file",
"redacted for",
"server",
"privacy tech",
"privacy admin",
"postal code",
"stateprovince",
"organization",
"email",
"code",
"quantum rooms",
"sam somalia",
"emp",
"porn",
"media defense",
"gov porn",
"suck my nips",
"reimer suspect",
"jeffrey reimer",
"dod",
"department of defense",
"show",
"date checked",
"url hostname",
"server response",
"google safe",
"results may",
"entries http",
"scans record",
"value status",
"sabey type",
"merits fake",
"y.a.s.",
"pornography",
"ramsom"
],
"references": [
"https://www.meritshealth.com/ Defense.Gov Mobility Co? ",
"zeroeyes.host \u2022 media.defense.gov \u2022 defense.gov \u2022 23.222.155.67",
"https://media.defense.gov/2022/Mar/17/2002958406/-1/-1/1/SUMMARY-OF-THE-JOINT-ALL-DOMAIN-COMMAND-AND-CONTROL-STRATEGY.pdf",
"https://media.defense.gov/2020/jun/09/2002313081/-1/-1/0/csi-detect-and-prevent-web-shell-malware-20200422.pdf",
"https://rto.bappam.eu/ai-n2cdl/mirai-2025-ven5k-telugu-movie-watch-online.html",
"https://pornokind.vgt.pl \u2022 https://cdn2.video.itsyourporn.com",
"https://webcams.itsyourporn.com/ \u2022 https://members.itsyourporn.com/",
"https://pics-storage-1.pornhat.com/contents/albums/main/1920x1080/135000/135855/9537375.jp",
"https://static.pornhat.com/contents/videos_screenshots/642000/642793/640x360/1.jpg",
"https://d1rozh26tys225.cloudfront.net/robot-suspicion.svg (mobility company no one has heard of)",
"https://www2.itsyourporn.com/license.php \u2022 https://www.lovephoto.tw/members",
"https://members.engine.com/login \u2022 https://members.engine.com/payment-details/220210",
"https://www-pornocarioca-com.sexogratis.page/videos/bbb/ex",
"https://media.defense.gov/2024/sep/18/2003547016/-1/-1/0/csa-prc-linked-actors-botnet.pdf",
"https://maisexo-com.putaria.info/casting \u2022 https://contosadultos-club.sexogratis.page/tudo",
"https://meumundogay-com.sexogratis.page/locker",
"https://es.pornhat.com/models/the-sex-creator/",
"Dear US Government, the man who assaulted targets name is Jeffrey Scott Reimer of Chester Springs, PA",
"Can the DoD no questions asked target a SA victim",
"Red Team Abuse? Starfield ? DoD? You need a real criminal Jeffrey Reimer.",
"There\u2019s a problem with terrorizing victims, relatives of, associates of and stealing their property intellectual or otherwise",
"socialmedia \u2022 socialmedia.defense.gov \u2022 static.defense.gov",
"There is fear in silence or speaking out",
"Target left unattended by anyone in a hospital except a security guard. Hospital refused care. Ignored rare brain incident from high cervical & brain assault injuries aggravated by car accident.",
"3-4 Police presence. 25 + hospital employees prepped radiology room. No one left room so was it for her?",
"If someone is believed to be a threat they have right to due process.",
"Infectious Disease UC Health denied target medication they said she needed as questionable liquid seeped into her brain.",
"She was a researcher not a hacker. A mother not a criminal. Most talented and least impressed person I have ever known.",
"Remarks online \u2018 T\u2019*#^^ is not a runner\u2019 a size 00 broke two track records at a major universities.",
"Honestly, you\u2019ve never seen or met her no many how many people you\u2019ve sent out. That\u2019s why you quiz.",
"ftp.iamrobert.com ? \u2022 https://www.meritshealth.com/templates/iamrobert/fonts/Graphik-Regular.eot",
"iamrobert.com Y.A.S.",
"1.2016 M.Brian Sabey filed a complaint about? Jeffrey Reimer refused Lie detector test and False memory exam",
"Target agreed and complied with all lie detector measures.",
"Is the family allowed to have a funeral for Tsara or print an obituary",
"No, they put Tsara in her mom\u2019s obituary, she couldn\u2019t grieve, she had to take it down.",
"I am very upset. Whoever is doing this is sick."
],
"public": 1,
"adversary": "",
"targeted_countries": [
"United States of America"
],
"malware_families": [
{
"id": "APNIC",
"display_name": "APNIC",
"target": null
},
{
"id": "Malware",
"display_name": "Malware",
"target": null
}
],
"attack_ids": [
{
"id": "T1071",
"name": "Application Layer Protocol",
"display_name": "T1071 - Application Layer Protocol"
},
{
"id": "T1573",
"name": "Encrypted Channel",
"display_name": "T1573 - Encrypted Channel"
},
{
"id": "T1027",
"name": "Obfuscated Files or Information",
"display_name": "T1027 - Obfuscated Files or Information"
},
{
"id": "T1057",
"name": "Process Discovery",
"display_name": "T1057 - Process Discovery"
},
{
"id": "T1069",
"name": "Permission Groups Discovery",
"display_name": "T1069 - Permission Groups Discovery"
},
{
"id": "T1105",
"name": "Ingress Tool Transfer",
"display_name": "T1105 - Ingress Tool Transfer"
},
{
"id": "T1480",
"name": "Execution Guardrails",
"display_name": "T1480 - Execution Guardrails"
},
{
"id": "T1553",
"name": "Subvert Trust Controls",
"display_name": "T1553 - Subvert Trust Controls"
},
{
"id": "T1566",
"name": "Phishing",
"display_name": "T1566 - Phishing"
},
{
"id": "T1568",
"name": "Dynamic Resolution",
"display_name": "T1568 - Dynamic Resolution"
},
{
"id": "T1583",
"name": "Acquire Infrastructure",
"display_name": "T1583 - Acquire Infrastructure"
},
{
"id": "T1069.002",
"name": "Domain Groups",
"display_name": "T1069.002 - Domain Groups"
},
{
"id": "T1071.001",
"name": "Web Protocols",
"display_name": "T1071.001 - Web Protocols"
},
{
"id": "T1583.001",
"name": "Domains",
"display_name": "T1583.001 - Domains"
},
{
"id": "TA0042",
"name": "Resource Development",
"display_name": "TA0042 - Resource Development"
},
{
"id": "TA0005",
"name": "Defense Evasion",
"display_name": "TA0005 - Defense Evasion"
},
{
"id": "T1553.002",
"name": "Code Signing",
"display_name": "T1553.002 - Code Signing"
},
{
"id": "T1528",
"name": "Steal Application Access Token",
"display_name": "T1528 - Steal Application Access Token"
},
{
"id": "T1071.004",
"name": "DNS",
"display_name": "T1071.004 - DNS"
},
{
"id": "T1113",
"name": "Screen Capture",
"display_name": "T1113 - Screen Capture"
},
{
"id": "T1590",
"name": "Gather Victim Network Information",
"display_name": "T1590 - Gather Victim Network Information"
},
{
"id": "T1591",
"name": "Gather Victim Org Information",
"display_name": "T1591 - Gather Victim Org Information"
},
{
"id": "T1132",
"name": "Data Encoding",
"display_name": "T1132 - Data Encoding"
},
{
"id": "T1140",
"name": "Deobfuscate/Decode Files or Information",
"display_name": "T1140 - Deobfuscate/Decode Files or Information"
},
{
"id": "T1562",
"name": "Impair Defenses",
"display_name": "T1562 - Impair Defenses"
},
{
"id": "T1457",
"name": "Malicious Media Content",
"display_name": "T1457 - Malicious Media Content"
},
{
"id": "T1562.001",
"name": "Disable or Modify Tools",
"display_name": "T1562.001 - Disable or Modify Tools"
},
{
"id": "T1562.004",
"name": "Disable or Modify System Firewall",
"display_name": "T1562.004 - Disable or Modify System Firewall"
},
{
"id": "T1089",
"name": "Disabling Security Tools",
"display_name": "T1089 - Disabling Security Tools"
},
{
"id": "T1562.008",
"name": "Disable Cloud Logs",
"display_name": "T1562.008 - Disable Cloud Logs"
},
{
"id": "T1125",
"name": "Video Capture",
"display_name": "T1125 - Video Capture"
},
{
"id": "T1056.003",
"name": "Web Portal Capture",
"display_name": "T1056.003 - Web Portal Capture"
},
{
"id": "T1512",
"name": "Capture Camera",
"display_name": "T1512 - Capture Camera"
},
{
"id": "T1180",
"name": "Screensaver",
"display_name": "T1180 - Screensaver"
}
],
"industries": [],
"TLP": "white",
"cloned_from": null,
"export_count": 11,
"upvotes_count": 0,
"downvotes_count": 0,
"votes_count": 0,
"locked": false,
"pulse_source": "web",
"validator_count": 0,
"comment_count": 1,
"follower_count": 0,
"vote": 0,
"author": {
"username": "Q.Vashti",
"id": "337942",
"avatar_url": "https://otx.alienvault.com/assets/images/default-avatar.png",
"is_subscribed": false,
"is_following": false
},
"indicator_type_counts": {
"domain": 1328,
"URL": 9931,
"hostname": 2621,
"FileHash-MD5": 381,
"FileHash-SHA256": 4360,
"FileHash-SHA1": 338,
"CIDR": 4,
"SSLCertFingerprint": 24,
"CVE": 1,
"email": 1
},
"indicator_count": 18989,
"is_author": false,
"is_subscribing": null,
"subscriber_count": 139,
"modified_text": "102 days ago ",
"is_modified": true,
"groups": [],
"in_group": false,
"threat_hunter_scannable": true,
"threat_hunter_has_agents": 1,
"related_indicator_type": "URL",
"related_indicator_is_active": 1
},
{
"id": "690a2c38de1708af54217faa",
"name": "Access Token used to steal security credentials & hack and ride DND of targeted individuals",
"description": "- https://shift.gearboxsoftware.com/link\n- Found embedded in targets phone.\n\nAccess Token used to steal security credentials & hack and ride DND of targeted individuals device. \nTAM Legal \u2022 Tulach \u2022 Hall Render \u2022 Quasi Government | Some type of Foundry user account found. \n\nStop illegally \n stalking, harassment, attempts, hacking, death threats. . Because the Colorado government allowing entities like this to operate without any type of rules, oversight or boundaries \nMILLION$ were wasted in your own fraud, waste in abuse scheme. AT&T , CrowdStrike , United Healthcare , UC Healthcare, Intermountain Health, T-Mobile, Amazon East, the Colorado Government itself, Medicare and Medicaid. For what? You have zero talent so you take it from those who do. You have nothing coming to you so you steal it from those who do. Is this somehow legal? \n#contacted #all_hosts backdoor #ransomware #cve #usa #american_terrorists #workers_compenstation_abuse #silencing #targeting #hitmen #illegal #malvertizing #aws_dns",
"modified": "2025-12-04T15:01:02.531000",
"created": "2025-11-04T16:39:20.035000",
"tags": [
"present aug",
"moved",
"encrypt",
"present jul",
"passive dns",
"ipv4 add",
"reverse dns",
"united states",
"present may",
"ip address",
"gmt content",
"ipv4",
"all ipv4",
"america",
"united",
"present oct",
"name servers",
"redacted for",
"emails",
"for privacy",
"unknown ns",
"unknown aaaa",
"dynamicloader",
"focus region",
"unicode text",
"utf16",
"ms windows",
"bokeh onlycanon",
"zeiss jena",
"mcsonnar",
"high",
"win64",
"stream",
"write",
"smartassembly",
"trailer",
"next",
"search",
"medium",
"as15169",
"write c",
"reads",
"team",
"malware",
"local",
"yara detections",
"delphi",
"strings",
"dcom",
"form",
"trojandropper",
"mtb nov",
"backdoor",
"otx telemetry",
"trojan",
"type",
"data upload",
"extraction",
"ol rop",
"hash avast",
"avg clamav",
"msdefender nov",
"win32upatre nov",
"win32berbew nov",
"dynamic",
"pe section",
"error",
"close",
"status",
"urls",
"expiration date",
"hostname",
"url analysis",
"yara rule",
"show",
"binary file",
"wine emulator",
"mtb oct",
"files",
"denmark asn",
"as32934",
"candyopen",
"possible",
"smoke loader",
"trojanspy",
"filehash",
"pulses otx",
"related tags",
"file type",
"no analysis",
"available",
"api key",
"screenshots",
"present nov",
"aaaa",
"mtb may",
"mexico",
"hostname add",
"registrar",
"domain add",
"location united",
"email add",
"none related",
"domains",
"email domain",
"service",
"domain",
"america flag",
"body",
"title",
"aws dns",
"next associated",
"risepro",
"guard",
"v full",
"reports v",
"t1059 shared",
"modules",
"t1129 system",
"t1569",
"help v",
"t1179 boot",
"logon autost",
"encoding",
"packing f0001",
"hidden files",
"e1203 windows",
"file attributes",
"registry value",
"catalog tree",
"analysis ob0001",
"evasion b0003",
"virtual machine",
"ip traffic",
"memory pattern",
"pattern urls",
"tls sni",
"get https",
"post https",
"named pipe",
"delete c",
"radar",
"defender",
"format",
"learn",
"command",
"ck id",
"name tactics",
"suspicious",
"informative",
"spawns",
"mitre att",
"ck techniques",
"evasion att",
"country",
"contacted hosts",
"process details",
"flag",
"globalc",
"intel",
"win32",
"worm",
"path",
"explorer",
"script",
"href",
"external",
"html content",
"tulach",
"hallrender",
"tam legal",
"brian sabey",
"christopher ahmann",
"apple",
"msie",
"chrome",
"ascio",
"creation date",
"date",
"germany unknown",
"germany asn",
"files ip",
"address",
"asn as24940",
"less",
"script urls",
"a domains",
"prox",
"dennis schrder",
"meta",
"apache",
"99u25f.exe",
"entries",
"as24940 hetzner",
"dns resolutions",
"status code",
"body length",
"kb body",
"software/ hardware",
"external-resources",
"password-input",
"overview",
"colorado"
],
"references": [
"https://shift.gearboxsoftware.com/link",
"https://tulach.cc/",
"https://www.anyxxxtube.net/search-porn/tsara-brashears/ \u2022 alohatube.xyz \u2022 1001pornvideos.com",
"x402.porn \u2022 http://alohatube.xyz/search/tsara-brashears \u2022 \thttps://ufovpn.io/blog/is-eporner-safe",
"https://www.turbo.net/run/videolan/vlc",
"http://www.forensickb.com/2013/03/file-entropy-explained.html",
"https://www.xlabs.com.br/blog/cve-2013-3304-dell-equallogic-directory-traversal/ \u2022 http://cve.phidias.com/",
"Overview \"Keeping money\" by the Colorado workers' compensation system can refer to",
"legal deductions, legitimate reasons for payment delays or denial, or potential issues that require legal",
"counsel. The system does not \"keep\" money without a valid reason.Lies. they\u2019ve Ben in trouble before ."
],
"public": 1,
"adversary": "Colorado Quasi Government | Workerk Compensation",
"targeted_countries": [
"United States of America"
],
"malware_families": [
{
"id": "Win.Trojan.Generic-9878032-0",
"display_name": "Win.Trojan.Generic-9878032-0",
"target": null
},
{
"id": "Win.Trojan.Starter-171",
"display_name": "Win.Trojan.Starter-171",
"target": null
},
{
"id": "GravityRAT",
"display_name": "GravityRAT",
"target": null
},
{
"id": "Backdoor:Win32/Berbew.AA!MTB",
"display_name": "Backdoor:Win32/Berbew.AA!MTB",
"target": "/malware/Backdoor:Win32/Berbew.AA!MTB"
},
{
"id": "Trojan:MSIL/AgentTesla.DW!MTB",
"display_name": "Trojan:MSIL/AgentTesla.DW!MTB",
"target": "/malware/Trojan:MSIL/AgentTesla.DW!MTB"
},
{
"id": "ALF:HeraklezEval:Trojan:MSIL/Gravityrat!rfn",
"display_name": "ALF:HeraklezEval:Trojan:MSIL/Gravityrat!rfn",
"target": null
},
{
"id": "Trojandropper:Win32/VB.IL",
"display_name": "Trojandropper:Win32/VB.IL",
"target": "/malware/Trojandropper:Win32/VB.IL"
},
{
"id": "Nemucod",
"display_name": "Nemucod",
"target": null
},
{
"id": "Berbew",
"display_name": "Berbew",
"target": null
},
{
"id": "PWS:Win32/Zbot.MS!MTB",
"display_name": "PWS:Win32/Zbot.MS!MTB",
"target": "/malware/PWS:Win32/Zbot.MS!MTB"
},
{
"id": "Win.Trojan.Barys-10005825-0",
"display_name": "Win.Trojan.Barys-10005825-0",
"target": null
},
{
"id": "Upatre",
"display_name": "Upatre",
"target": null
},
{
"id": "TrojanSpy",
"display_name": "TrojanSpy",
"target": null
},
{
"id": "Win.Exploit.Rozena-10038302-0",
"display_name": "Win.Exploit.Rozena-10038302-0",
"target": null
},
{
"id": "Zombie",
"display_name": "Zombie",
"target": null
},
{
"id": "Trojan:Win32/Zombie",
"display_name": "Trojan:Win32/Zombie",
"target": "/malware/Trojan:Win32/Zombie"
},
{
"id": "Muldrop",
"display_name": "Muldrop",
"target": null
},
{
"id": "Worm:Win32/Mofksys.RND!MTB",
"display_name": "Worm:Win32/Mofksys.RND!MTB",
"target": "/malware/Worm:Win32/Mofksys.RND!MTB"
},
{
"id": "Dorv",
"display_name": "Dorv",
"target": null
},
{
"id": "Win.Malware.Pits-10035540-0",
"display_name": "Win.Malware.Pits-10035540-0",
"target": null
},
{
"id": "Win.Ransomware.Msilzilla-10014498-0",
"display_name": "Win.Ransomware.Msilzilla-10014498-0",
"target": null
},
{
"id": "CVE-2023-4966",
"display_name": "CVE-2023-4966",
"target": null
},
{
"id": "Exploit:Linux/CVE-2017-17215",
"display_name": "Exploit:Linux/CVE-2017-17215",
"target": "/malware/Exploit:Linux/CVE-2017-17215"
},
{
"id": "Ransom:Win32/CVE-2017-0147",
"display_name": "Ransom:Win32/CVE-2017-0147",
"target": "/malware/Ransom:Win32/CVE-2017-0147"
},
{
"id": "CVE-2022-26134",
"display_name": "CVE-2022-26134",
"target": null
}
],
"attack_ids": [
{
"id": "T1060",
"name": "Registry Run Keys / Startup Folder",
"display_name": "T1060 - Registry Run Keys / Startup Folder"
},
{
"id": "T1063",
"name": "Security Software Discovery",
"display_name": "T1063 - Security Software Discovery"
},
{
"id": "T1119",
"name": "Automated Collection",
"display_name": "T1119 - Automated Collection"
},
{
"id": "T1045",
"name": "Software Packing",
"display_name": "T1045 - Software Packing"
},
{
"id": "T1059",
"name": "Command and Scripting Interpreter",
"display_name": "T1059 - Command and Scripting Interpreter"
},
{
"id": "T1129",
"name": "Shared Modules",
"display_name": "T1129 - Shared Modules"
},
{
"id": "T1179",
"name": "Hooking",
"display_name": "T1179 - Hooking"
},
{
"id": "T1547",
"name": "Boot or Logon Autostart Execution",
"display_name": "T1547 - Boot or Logon Autostart Execution"
},
{
"id": "T1569",
"name": "System Services",
"display_name": "T1569 - System Services"
},
{
"id": "T1057",
"name": "Process Discovery",
"display_name": "T1057 - Process Discovery"
},
{
"id": "T1027",
"name": "Obfuscated Files or Information",
"display_name": "T1027 - Obfuscated Files or Information"
},
{
"id": "T1069",
"name": "Permission Groups Discovery",
"display_name": "T1069 - Permission Groups Discovery"
},
{
"id": "T1071",
"name": "Application Layer Protocol",
"display_name": "T1071 - Application Layer Protocol"
},
{
"id": "T1105",
"name": "Ingress Tool Transfer",
"display_name": "T1105 - Ingress Tool Transfer"
},
{
"id": "T1480",
"name": "Execution Guardrails",
"display_name": "T1480 - Execution Guardrails"
},
{
"id": "T1553",
"name": "Subvert Trust Controls",
"display_name": "T1553 - Subvert Trust Controls"
},
{
"id": "T1568",
"name": "Dynamic Resolution",
"display_name": "T1568 - Dynamic Resolution"
},
{
"id": "T1457",
"name": "Malicious Media Content",
"display_name": "T1457 - Malicious Media Content"
},
{
"id": "T1071.004",
"name": "DNS",
"display_name": "T1071.004 - DNS"
}
],
"industries": [],
"TLP": "white",
"cloned_from": null,
"export_count": 12,
"upvotes_count": 0,
"downvotes_count": 0,
"votes_count": 0,
"locked": false,
"pulse_source": "web",
"validator_count": 0,
"comment_count": 0,
"follower_count": 0,
"vote": 0,
"author": {
"username": "Q.Vashti",
"id": "337942",
"avatar_url": "https://otx.alienvault.com/assets/images/default-avatar.png",
"is_subscribed": false,
"is_following": false
},
"indicator_type_counts": {
"URL": 6051,
"hostname": 2627,
"FileHash-MD5": 401,
"FileHash-SHA1": 257,
"email": 11,
"domain": 1838,
"FileHash-SHA256": 1742,
"CVE": 4,
"SSLCertFingerprint": 3
},
"indicator_count": 12934,
"is_author": false,
"is_subscribing": null,
"subscriber_count": 140,
"modified_text": "136 days ago ",
"is_modified": true,
"groups": [],
"in_group": false,
"threat_hunter_scannable": true,
"threat_hunter_has_agents": 1,
"related_indicator_type": "URL",
"related_indicator_is_active": 1
},
{
"id": "6906bd99cadbd4140014c6af",
"name": "Espionage - Gravity RAT + | Legal entities are State owned. Attacking severely injured PT\u2019s SA victim.",
"description": "Fastly CDN for Palantir (Verizon) unless updated. Very malicious IoC\u2019s found evaluating IoC\u2019 from Christopher Ahmann - TAM Legal link.\n- Made contact with victim several times.\n- Illegal contact made with attorneys considering representing Tsara. \n- https://unicef.se/assets/apple - link related to defraud Tsara to think she\u2019d violated Patriot Act warranting NSA , Palinter espionage.\n\nAhmann is named as special counsel but he , like Brian Sabey are \u2018ONLY\u2019 cyber attacking Tsara Brashears.\n\n- protecting Jeffrey Reimer DPT, multiple doctors, Concentra, blocked and denied care , hired a hitman/men and it would have. Even cheaper to pay her for the injuries she never sought compensation for due to aggressive attacks and threats.",
"modified": "2025-12-02T01:05:30.331000",
"created": "2025-11-02T02:10:33.546000",
"tags": [
"ipv4",
"active related",
"trojandropper",
"mtb jun",
"lowfi",
"trojan",
"mtb jan",
"fastly error",
"please",
"united",
"ttl value",
"get na",
"total",
"delete",
"search",
"yara detections",
"sinkhole cookie",
"value snkz",
"write",
"suspicious",
"ransom",
"malware",
"Ransom.Win32.Birele.gsg Checkin",
"AnubisNetworks Sinkhole Cookie Value Snkz",
"Possible Compromised Host",
"dynamicloader",
"delete c",
"default",
"medium",
"write c",
"settingswpad",
"intel",
"ms windows",
"users",
"number",
"title",
"installer",
"top source",
"top destination",
"source source",
"port",
"filehash",
"av detections",
"ids detections",
"yara rule",
"gravityrat",
"detectvm",
"x00 x00",
"x00x00",
"doviacmd",
"rootjob",
"getfiles",
"updateserver",
"ethernetid",
"ids signatures",
"exploits",
"sid name",
"malware cve",
"dns query",
"dnsbin demo",
"data exfil",
"exif data",
"DNS Query for Webhook/HTTP Request Inspection Service (x .pipedr",
"DNSBin Demo (requestbin .net) - Data Exfitration",
"source port",
"destination",
"present sep",
"script urls",
"script script",
"a domains",
"script domains",
"ip address",
"meta",
"present nov",
"passive dns",
"next associated",
"domain add",
"pe executable",
"entries",
"show",
"msie",
"windows nt",
"wow64",
"copy",
"present jan",
"present feb",
"domain",
"pulse pulses",
"urls",
"files",
"tam legal",
"christopher ahmann",
"https://unicef.se/assets/apple",
"treece alfrey",
"hours ago",
"information",
"report spam",
"ahmann colorado",
"state",
"special cousel",
"created",
"expiro",
"capture"
],
"references": [
"Fastly IP Block: 151.101.0.0/16 | Organizations like Palantir may use third-party services such as Fastly's CDN",
"Fastly Error and Palantir blocked several times over the last few months.",
"Denver ; ISP, Fastly, Inc. ; Organization, Fastly, Inc. ; Network, AS54113 Fastly, Inc. (VPN, CDN, DDOSM,)",
"IP Region, Quebec. City ; Net Range, 151.101.0.0 - 151.101.255.255. CIDR ; Full Name, Fastly, Inc.",
"Palantir quasi government client Ab/using Palantir subdomains , Fastly is CDN",
"Yara: SUSP_ENV_Folder_Root_File_Jan23_1 %APPDATA%\\ewiuer2.exe SCRIPT",
"Win.Trojan.Vundo-7170412-0\t#Lowfi:SuspiciousSectionName",
"Link below used to defraud Tsara to think she\u2019d violated Patriot Act warranting NSA , Palinter espionage",
"https://unicef.se/assets/apple"
],
"public": 1,
"adversary": "",
"targeted_countries": [],
"malware_families": [
{
"id": "Trojan:Win32/Neconyd.A",
"display_name": "Trojan:Win32/Neconyd.A",
"target": "/malware/Trojan:Win32/Neconyd.A"
},
{
"id": "PWS:Win32/QQpass.FC",
"display_name": "PWS:Win32/QQpass.FC",
"target": "/malware/PWS:Win32/QQpass.FC"
},
{
"id": "Trojan:Win32/Zombie.A",
"display_name": "Trojan:Win32/Zombie.A",
"target": "/malware/Trojan:Win32/Zombie.A"
},
{
"id": "Win.Malware.Urelas-9863836-0",
"display_name": "Win.Malware.Urelas-9863836-0",
"target": null
},
{
"id": "ALF:HeraklezEval:Trojan:MSIL/Gravityrat!rfn",
"display_name": "ALF:HeraklezEval:Trojan:MSIL/Gravityrat!rfn",
"target": null
},
{
"id": "Win.Trojan.Vundo-7170412-0",
"display_name": "Win.Trojan.Vundo-7170412-0",
"target": null
},
{
"id": "#Lowfi:SuspiciousSectionName",
"display_name": "#Lowfi:SuspiciousSectionName",
"target": null
},
{
"id": "Multiple Malware\u2019s , Trojans and Rats",
"display_name": "Multiple Malware\u2019s , Trojans and Rats",
"target": null
}
],
"attack_ids": [
{
"id": "T1060",
"name": "Registry Run Keys / Startup Folder",
"display_name": "T1060 - Registry Run Keys / Startup Folder"
},
{
"id": "T1119",
"name": "Automated Collection",
"display_name": "T1119 - Automated Collection"
},
{
"id": "T1059.002",
"name": "AppleScript",
"display_name": "T1059.002 - AppleScript"
},
{
"id": "T1027",
"name": "Obfuscated Files or Information",
"display_name": "T1027 - Obfuscated Files or Information"
},
{
"id": "T1045",
"name": "Software Packing",
"display_name": "T1045 - Software Packing"
},
{
"id": "T1057",
"name": "Process Discovery",
"display_name": "T1057 - Process Discovery"
},
{
"id": "T1069",
"name": "Permission Groups Discovery",
"display_name": "T1069 - Permission Groups Discovery"
},
{
"id": "T1071",
"name": "Application Layer Protocol",
"display_name": "T1071 - Application Layer Protocol"
},
{
"id": "T1105",
"name": "Ingress Tool Transfer",
"display_name": "T1105 - Ingress Tool Transfer"
},
{
"id": "T1113",
"name": "Screen Capture",
"display_name": "T1113 - Screen Capture"
},
{
"id": "T1140",
"name": "Deobfuscate/Decode Files or Information",
"display_name": "T1140 - Deobfuscate/Decode Files or Information"
},
{
"id": "T1197",
"name": "BITS Jobs",
"display_name": "T1197 - BITS Jobs"
},
{
"id": "T1210",
"name": "Exploitation of Remote Services",
"display_name": "T1210 - Exploitation of Remote Services"
},
{
"id": "T1457",
"name": "Malicious Media Content",
"display_name": "T1457 - Malicious Media Content"
},
{
"id": "T1480",
"name": "Execution Guardrails",
"display_name": "T1480 - Execution Guardrails"
},
{
"id": "T1553",
"name": "Subvert Trust Controls",
"display_name": "T1553 - Subvert Trust Controls"
},
{
"id": "T1562",
"name": "Impair Defenses",
"display_name": "T1562 - Impair Defenses"
},
{
"id": "T1568",
"name": "Dynamic Resolution",
"display_name": "T1568 - Dynamic Resolution"
},
{
"id": "T1574",
"name": "Hijack Execution Flow",
"display_name": "T1574 - Hijack Execution Flow"
},
{
"id": "T1583",
"name": "Acquire Infrastructure",
"display_name": "T1583 - Acquire Infrastructure"
}
],
"industries": [],
"TLP": "white",
"cloned_from": null,
"export_count": 18,
"upvotes_count": 0,
"downvotes_count": 0,
"votes_count": 0,
"locked": false,
"pulse_source": "web",
"validator_count": 0,
"comment_count": 0,
"follower_count": 0,
"vote": 0,
"author": {
"username": "Q.Vashti",
"id": "337942",
"avatar_url": "https://otx.alienvault.com/assets/images/default-avatar.png",
"is_subscribed": false,
"is_following": false
},
"indicator_type_counts": {
"FileHash-SHA256": 909,
"domain": 449,
"hostname": 1403,
"URL": 3552,
"CIDR": 1,
"FileHash-MD5": 242,
"FileHash-SHA1": 185,
"email": 1
},
"indicator_count": 6742,
"is_author": false,
"is_subscribing": null,
"subscriber_count": 137,
"modified_text": "138 days ago ",
"is_modified": true,
"groups": [],
"in_group": false,
"threat_hunter_scannable": true,
"threat_hunter_has_agents": 1,
"related_indicator_type": "URL",
"related_indicator_is_active": 1
},
{
"id": "69069167e1e2a222bd7762f2",
"name": "Palantir - Spyware",
"description": "",
"modified": "2025-11-22T00:01:42.464000",
"created": "2025-11-01T23:01:59.339000",
"tags": [
"url https",
"url http",
"hostname",
"mulweli",
"mphomafmulweli",
"indicator role",
"ipv4",
"type indicator",
"added active",
"related pulses",
"united",
"envoy error",
"certificate",
"urls",
"emails",
"active related",
"africa",
"span",
"gmt server",
"colorado",
"denver",
"palantir",
"listen",
"listen linda",
"linda listen",
"listeners @ dantesdragon",
"palantir",
"all y",
"se referen",
"data upload",
"extraction",
"extra",
"referen data",
"overview domain",
"passive dns",
"files ip",
"address",
"asn asnone",
"as14618",
"all se",
"include review",
"exclude sugges",
"failed",
"typo",
"status",
"search",
"record value",
"server",
"domain status",
"key identifier",
"x509v3 subject",
"full name",
"registrar abuse",
"registrar",
"data",
"v3 serial",
"code",
"number",
"cus odigicert",
"inc cndigicert",
"global g2",
"tls rsa",
"sha256",
"united states",
"power query",
"microsoft learn",
"ordenar por",
"foundry",
"input",
"blocked",
"error id",
"conector",
"por ejemplo",
"sensitive",
"quickstart",
"present aug",
"present oct",
"unknown ns",
"showing",
"present sep",
"moved",
"title",
"files",
"reverse dns",
"location united",
"america flag",
"america asn",
"asnone dns",
"resolutions",
"dga domain",
"ipv4 add",
"url analysis",
"name servers",
"div div",
"expiration date",
"page",
"present nov",
"present jan",
"present dec",
"present mar",
"present feb",
"virtool",
"cryp",
"error",
"win32",
"domain",
"ip address",
"domain add",
"next associated",
"pulse pulses",
"ashburn",
"extr referen",
"exclude",
"sugges",
"pulse submit",
"date",
"present jul",
"present jun",
"fastly error",
"please",
"handle",
"entity",
"record type",
"ttl value",
"msms93992282",
"read c",
"show",
"medium",
"tlsv1",
"whitelisted",
"module load",
"t1129",
"execution",
"dock",
"write",
"persistence",
"next",
"unknown",
"connector",
"cybercrime",
"harassment"
],
"references": [
"Products are being abused. Users are over zealous at blocking targets from basic human rights and privacy."
],
"public": 1,
"adversary": "Quickstart",
"targeted_countries": [
"United States of America"
],
"malware_families": [
{
"id": "Multiple Malware Attack",
"display_name": "Multiple Malware Attack",
"target": null
}
],
"attack_ids": [
{
"id": "T1053",
"name": "Scheduled Task/Job",
"display_name": "T1053 - Scheduled Task/Job"
},
{
"id": "T1055",
"name": "Process Injection",
"display_name": "T1055 - Process Injection"
},
{
"id": "T1082",
"name": "System Information Discovery",
"display_name": "T1082 - System Information Discovery"
},
{
"id": "T1112",
"name": "Modify Registry",
"display_name": "T1112 - Modify Registry"
},
{
"id": "T1119",
"name": "Automated Collection",
"display_name": "T1119 - Automated Collection"
},
{
"id": "T1129",
"name": "Shared Modules",
"display_name": "T1129 - Shared Modules"
},
{
"id": "T1143",
"name": "Hidden Window",
"display_name": "T1143 - Hidden Window"
},
{
"id": "TA0003",
"name": "Persistence",
"display_name": "TA0003 - Persistence"
},
{
"id": "T1068",
"name": "Exploitation for Privilege Escalation",
"display_name": "T1068 - Exploitation for Privilege Escalation"
},
{
"id": "T1147",
"name": "Hidden Users",
"display_name": "T1147 - Hidden Users"
},
{
"id": "T1449",
"name": "Exploit SS7 to Redirect Phone Calls/SMS",
"display_name": "T1449 - Exploit SS7 to Redirect Phone Calls/SMS"
},
{
"id": "T1210",
"name": "Exploitation of Remote Services",
"display_name": "T1210 - Exploitation of Remote Services"
},
{
"id": "T1105",
"name": "Ingress Tool Transfer",
"display_name": "T1105 - Ingress Tool Transfer"
},
{
"id": "T1211",
"name": "Exploitation for Defense Evasion",
"display_name": "T1211 - Exploitation for Defense Evasion"
},
{
"id": "T1480",
"name": "Execution Guardrails",
"display_name": "T1480 - Execution Guardrails"
},
{
"id": "T1027.005",
"name": "Indicator Removal from Tools",
"display_name": "T1027.005 - Indicator Removal from Tools"
},
{
"id": "T1573",
"name": "Encrypted Channel",
"display_name": "T1573 - Encrypted Channel"
},
{
"id": "T1057",
"name": "Process Discovery",
"display_name": "T1057 - Process Discovery"
},
{
"id": "T1069.002",
"name": "Domain Groups",
"display_name": "T1069.002 - Domain Groups"
},
{
"id": "T1070.004",
"name": "File Deletion",
"display_name": "T1070.004 - File Deletion"
},
{
"id": "T1132.002",
"name": "Non-Standard Encoding",
"display_name": "T1132.002 - Non-Standard Encoding"
},
{
"id": "T1071",
"name": "Application Layer Protocol",
"display_name": "T1071 - Application Layer Protocol"
},
{
"id": "T1071.004",
"name": "DNS",
"display_name": "T1071.004 - DNS"
},
{
"id": "T1568.002",
"name": "Domain Generation Algorithms",
"display_name": "T1568.002 - Domain Generation Algorithms"
}
],
"industries": [
"Technology",
"Government"
],
"TLP": "green",
"cloned_from": "68f9a1ef2dd26ec62a3c298c",
"export_count": 7,
"upvotes_count": 0,
"downvotes_count": 0,
"votes_count": 0,
"locked": false,
"pulse_source": "web",
"validator_count": 0,
"comment_count": 0,
"follower_count": 0,
"vote": 0,
"author": {
"username": "privacynotacrime",
"id": "349346",
"avatar_url": "https://otx.alienvault.com/assets/images/default-avatar.png",
"is_subscribed": false,
"is_following": false
},
"indicator_type_counts": {
"hostname": 2865,
"URL": 5728,
"email": 11,
"FileHash-MD5": 91,
"FileHash-SHA1": 75,
"FileHash-SHA256": 1713,
"domain": 1193,
"CVE": 1,
"SSLCertFingerprint": 2
},
"indicator_count": 11679,
"is_author": false,
"is_subscribing": null,
"subscriber_count": 57,
"modified_text": "148 days ago ",
"is_modified": true,
"groups": [],
"in_group": false,
"threat_hunter_scannable": true,
"threat_hunter_has_agents": 1,
"related_indicator_type": "URL",
"related_indicator_is_active": 1
},
{
"id": "68f9a6f4e35193c04401daaf",
"name": "Emotet & VirTool Obsfuscator - Registrar abuse tracking civilians",
"description": "",
"modified": "2025-11-22T00:01:42.464000",
"created": "2025-10-23T03:54:28.671000",
"tags": [
"url https",
"url http",
"hostname",
"mulweli",
"mphomafmulweli",
"indicator role",
"ipv4",
"type indicator",
"added active",
"related pulses",
"united",
"envoy error",
"certificate",
"urls",
"emails",
"active related",
"africa",
"span",
"gmt server",
"colorado",
"denver",
"palantir",
"listen",
"listen linda",
"linda listen",
"listeners @ dantesdragon",
"palantir",
"all y",
"se referen",
"data upload",
"extraction",
"extra",
"referen data",
"overview domain",
"passive dns",
"files ip",
"address",
"asn asnone",
"as14618",
"all se",
"include review",
"exclude sugges",
"failed",
"typo",
"status",
"search",
"record value",
"server",
"domain status",
"key identifier",
"x509v3 subject",
"full name",
"registrar abuse",
"registrar",
"data",
"v3 serial",
"code",
"number",
"cus odigicert",
"inc cndigicert",
"global g2",
"tls rsa",
"sha256",
"united states",
"power query",
"microsoft learn",
"ordenar por",
"foundry",
"input",
"blocked",
"error id",
"conector",
"por ejemplo",
"sensitive",
"quickstart",
"present aug",
"present oct",
"unknown ns",
"showing",
"present sep",
"moved",
"title",
"files",
"reverse dns",
"location united",
"america flag",
"america asn",
"asnone dns",
"resolutions",
"dga domain",
"ipv4 add",
"url analysis",
"name servers",
"div div",
"expiration date",
"page",
"present nov",
"present jan",
"present dec",
"present mar",
"present feb",
"virtool",
"cryp",
"error",
"win32",
"domain",
"ip address",
"domain add",
"next associated",
"pulse pulses",
"ashburn",
"extr referen",
"exclude",
"sugges",
"pulse submit",
"date",
"present jul",
"present jun",
"fastly error",
"please",
"handle",
"entity",
"record type",
"ttl value",
"msms93992282",
"read c",
"show",
"medium",
"tlsv1",
"whitelisted",
"module load",
"t1129",
"execution",
"dock",
"write",
"persistence",
"next",
"unknown",
"connector",
"cybercrime",
"harassment"
],
"references": [
"Products are being abused. Users are over zealous at blocking targets from basic human rights and privacy."
],
"public": 1,
"adversary": "Quickstart",
"targeted_countries": [
"United States of America"
],
"malware_families": [
{
"id": "Multiple Malware Attack",
"display_name": "Multiple Malware Attack",
"target": null
}
],
"attack_ids": [
{
"id": "T1053",
"name": "Scheduled Task/Job",
"display_name": "T1053 - Scheduled Task/Job"
},
{
"id": "T1055",
"name": "Process Injection",
"display_name": "T1055 - Process Injection"
},
{
"id": "T1082",
"name": "System Information Discovery",
"display_name": "T1082 - System Information Discovery"
},
{
"id": "T1112",
"name": "Modify Registry",
"display_name": "T1112 - Modify Registry"
},
{
"id": "T1119",
"name": "Automated Collection",
"display_name": "T1119 - Automated Collection"
},
{
"id": "T1129",
"name": "Shared Modules",
"display_name": "T1129 - Shared Modules"
},
{
"id": "T1143",
"name": "Hidden Window",
"display_name": "T1143 - Hidden Window"
},
{
"id": "TA0003",
"name": "Persistence",
"display_name": "TA0003 - Persistence"
},
{
"id": "T1068",
"name": "Exploitation for Privilege Escalation",
"display_name": "T1068 - Exploitation for Privilege Escalation"
},
{
"id": "T1147",
"name": "Hidden Users",
"display_name": "T1147 - Hidden Users"
},
{
"id": "T1449",
"name": "Exploit SS7 to Redirect Phone Calls/SMS",
"display_name": "T1449 - Exploit SS7 to Redirect Phone Calls/SMS"
},
{
"id": "T1210",
"name": "Exploitation of Remote Services",
"display_name": "T1210 - Exploitation of Remote Services"
},
{
"id": "T1105",
"name": "Ingress Tool Transfer",
"display_name": "T1105 - Ingress Tool Transfer"
},
{
"id": "T1211",
"name": "Exploitation for Defense Evasion",
"display_name": "T1211 - Exploitation for Defense Evasion"
},
{
"id": "T1480",
"name": "Execution Guardrails",
"display_name": "T1480 - Execution Guardrails"
},
{
"id": "T1027.005",
"name": "Indicator Removal from Tools",
"display_name": "T1027.005 - Indicator Removal from Tools"
},
{
"id": "T1573",
"name": "Encrypted Channel",
"display_name": "T1573 - Encrypted Channel"
},
{
"id": "T1057",
"name": "Process Discovery",
"display_name": "T1057 - Process Discovery"
},
{
"id": "T1069.002",
"name": "Domain Groups",
"display_name": "T1069.002 - Domain Groups"
},
{
"id": "T1070.004",
"name": "File Deletion",
"display_name": "T1070.004 - File Deletion"
},
{
"id": "T1132.002",
"name": "Non-Standard Encoding",
"display_name": "T1132.002 - Non-Standard Encoding"
},
{
"id": "T1071",
"name": "Application Layer Protocol",
"display_name": "T1071 - Application Layer Protocol"
},
{
"id": "T1071.004",
"name": "DNS",
"display_name": "T1071.004 - DNS"
},
{
"id": "T1568.002",
"name": "Domain Generation Algorithms",
"display_name": "T1568.002 - Domain Generation Algorithms"
}
],
"industries": [
"Technology",
"Government"
],
"TLP": "green",
"cloned_from": "68f9a1ef2dd26ec62a3c298c",
"export_count": 6,
"upvotes_count": 0,
"downvotes_count": 0,
"votes_count": 0,
"locked": false,
"pulse_source": "web",
"validator_count": 0,
"comment_count": 2,
"follower_count": 0,
"vote": 0,
"author": {
"username": "Q.Vashti",
"id": "337942",
"avatar_url": "https://otx.alienvault.com/assets/images/default-avatar.png",
"is_subscribed": false,
"is_following": false
},
"indicator_type_counts": {
"hostname": 2865,
"URL": 5728,
"email": 11,
"FileHash-MD5": 91,
"FileHash-SHA1": 75,
"FileHash-SHA256": 1713,
"domain": 1193,
"CVE": 1,
"SSLCertFingerprint": 2
},
"indicator_count": 11679,
"is_author": false,
"is_subscribing": null,
"subscriber_count": 141,
"modified_text": "148 days ago ",
"is_modified": true,
"groups": [],
"in_group": false,
"threat_hunter_scannable": true,
"threat_hunter_has_agents": 1,
"related_indicator_type": "URL",
"related_indicator_is_active": 1
},
{
"id": "68f9a1ef2dd26ec62a3c298c",
"name": "Listeners - Malicious Over the top espionage | Cyber Warfare?",
"description": "Cyber attacks on targeted devices stored safely, separately, don\u2019t communicate with one another. PalantirFoundry.com shares IP addresses with Fastly. South African IP\u2019s and DGA domains bounce from US Denver , Co based IP and Domain addresses. Registrar Abuse: HTTP/2 404 content type: text/html content length: 2263 date: Wed 22 Oct 2025 22:32:18 GMT server: Envoy\n443 Certificate Subject: US\n443 Certificate Subject: Colorado\n443 Certificate Subject: Denver\n443 Certificate Subject: Palantir Technologies Inc.\n443 Certificate Subject: listeners.usw-19.palantirfoundry.com",
"modified": "2025-11-22T00:01:42.464000",
"created": "2025-10-23T03:33:03.315000",
"tags": [
"url https",
"url http",
"hostname",
"mulweli",
"mphomafmulweli",
"indicator role",
"ipv4",
"type indicator",
"added active",
"related pulses",
"united",
"envoy error",
"certificate",
"urls",
"emails",
"active related",
"africa",
"span",
"gmt server",
"colorado",
"denver",
"palantir",
"listen",
"listen linda",
"linda listen",
"listeners @ dantesdragon",
"palantir",
"all y",
"se referen",
"data upload",
"extraction",
"extra",
"referen data",
"overview domain",
"passive dns",
"files ip",
"address",
"asn asnone",
"as14618",
"all se",
"include review",
"exclude sugges",
"failed",
"typo",
"status",
"search",
"record value",
"server",
"domain status",
"key identifier",
"x509v3 subject",
"full name",
"registrar abuse",
"registrar",
"data",
"v3 serial",
"code",
"number",
"cus odigicert",
"inc cndigicert",
"global g2",
"tls rsa",
"sha256",
"united states",
"power query",
"microsoft learn",
"ordenar por",
"foundry",
"input",
"blocked",
"error id",
"conector",
"por ejemplo",
"sensitive",
"quickstart",
"present aug",
"present oct",
"unknown ns",
"showing",
"present sep",
"moved",
"title",
"files",
"reverse dns",
"location united",
"america flag",
"america asn",
"asnone dns",
"resolutions",
"dga domain",
"ipv4 add",
"url analysis",
"name servers",
"div div",
"expiration date",
"page",
"present nov",
"present jan",
"present dec",
"present mar",
"present feb",
"virtool",
"cryp",
"error",
"win32",
"domain",
"ip address",
"domain add",
"next associated",
"pulse pulses",
"ashburn",
"extr referen",
"exclude",
"sugges",
"pulse submit",
"date",
"present jul",
"present jun",
"fastly error",
"please",
"handle",
"entity",
"record type",
"ttl value",
"msms93992282",
"read c",
"show",
"medium",
"tlsv1",
"whitelisted",
"module load",
"t1129",
"execution",
"dock",
"write",
"persistence",
"next",
"unknown",
"connector",
"cybercrime",
"harassment"
],
"references": [
"Products are being abused. Users are over zealous at blocking targets from basic human rights and privacy."
],
"public": 1,
"adversary": "Quickstart",
"targeted_countries": [
"United States of America"
],
"malware_families": [
{
"id": "Multiple Malware Attack",
"display_name": "Multiple Malware Attack",
"target": null
}
],
"attack_ids": [
{
"id": "T1053",
"name": "Scheduled Task/Job",
"display_name": "T1053 - Scheduled Task/Job"
},
{
"id": "T1055",
"name": "Process Injection",
"display_name": "T1055 - Process Injection"
},
{
"id": "T1082",
"name": "System Information Discovery",
"display_name": "T1082 - System Information Discovery"
},
{
"id": "T1112",
"name": "Modify Registry",
"display_name": "T1112 - Modify Registry"
},
{
"id": "T1119",
"name": "Automated Collection",
"display_name": "T1119 - Automated Collection"
},
{
"id": "T1129",
"name": "Shared Modules",
"display_name": "T1129 - Shared Modules"
},
{
"id": "T1143",
"name": "Hidden Window",
"display_name": "T1143 - Hidden Window"
},
{
"id": "TA0003",
"name": "Persistence",
"display_name": "TA0003 - Persistence"
},
{
"id": "T1068",
"name": "Exploitation for Privilege Escalation",
"display_name": "T1068 - Exploitation for Privilege Escalation"
},
{
"id": "T1147",
"name": "Hidden Users",
"display_name": "T1147 - Hidden Users"
},
{
"id": "T1449",
"name": "Exploit SS7 to Redirect Phone Calls/SMS",
"display_name": "T1449 - Exploit SS7 to Redirect Phone Calls/SMS"
},
{
"id": "T1210",
"name": "Exploitation of Remote Services",
"display_name": "T1210 - Exploitation of Remote Services"
},
{
"id": "T1105",
"name": "Ingress Tool Transfer",
"display_name": "T1105 - Ingress Tool Transfer"
},
{
"id": "T1211",
"name": "Exploitation for Defense Evasion",
"display_name": "T1211 - Exploitation for Defense Evasion"
},
{
"id": "T1480",
"name": "Execution Guardrails",
"display_name": "T1480 - Execution Guardrails"
},
{
"id": "T1027.005",
"name": "Indicator Removal from Tools",
"display_name": "T1027.005 - Indicator Removal from Tools"
},
{
"id": "T1573",
"name": "Encrypted Channel",
"display_name": "T1573 - Encrypted Channel"
},
{
"id": "T1057",
"name": "Process Discovery",
"display_name": "T1057 - Process Discovery"
},
{
"id": "T1069.002",
"name": "Domain Groups",
"display_name": "T1069.002 - Domain Groups"
},
{
"id": "T1070.004",
"name": "File Deletion",
"display_name": "T1070.004 - File Deletion"
},
{
"id": "T1132.002",
"name": "Non-Standard Encoding",
"display_name": "T1132.002 - Non-Standard Encoding"
},
{
"id": "T1071",
"name": "Application Layer Protocol",
"display_name": "T1071 - Application Layer Protocol"
},
{
"id": "T1071.004",
"name": "DNS",
"display_name": "T1071.004 - DNS"
},
{
"id": "T1568.002",
"name": "Domain Generation Algorithms",
"display_name": "T1568.002 - Domain Generation Algorithms"
}
],
"industries": [
"Technology",
"Government"
],
"TLP": "green",
"cloned_from": null,
"export_count": 7,
"upvotes_count": 0,
"downvotes_count": 0,
"votes_count": 0,
"locked": false,
"pulse_source": "web",
"validator_count": 0,
"comment_count": 0,
"follower_count": 0,
"vote": 0,
"author": {
"username": "Q.Vashti",
"id": "337942",
"avatar_url": "https://otx.alienvault.com/assets/images/default-avatar.png",
"is_subscribed": false,
"is_following": false
},
"indicator_type_counts": {
"hostname": 2865,
"URL": 5728,
"email": 11,
"FileHash-MD5": 91,
"FileHash-SHA1": 75,
"FileHash-SHA256": 1713,
"domain": 1193,
"CVE": 1,
"SSLCertFingerprint": 2
},
"indicator_count": 11679,
"is_author": false,
"is_subscribing": null,
"subscriber_count": 180,
"modified_text": "148 days ago ",
"is_modified": true,
"groups": [],
"in_group": false,
"threat_hunter_scannable": true,
"threat_hunter_has_agents": 1,
"related_indicator_type": "URL",
"related_indicator_is_active": 1
},
{
"id": "6888a85aa32aab22f638d0e6",
"name": "Autodesk issue in CrowdStrike prior to outage | [by scoreblue]",
"description": "",
"modified": "2025-07-29T10:54:18.501000",
"created": "2025-07-29T10:54:18.501000",
"tags": [
"healthy check",
"ssl bypass",
"domain tracker",
"privacy badger",
"startpage",
"w11 pc",
"pass",
"iocs",
"all scoreblue",
"pdf report",
"pcap",
"stix",
"avast avg",
"no expiration",
"status",
"name servers",
"moved",
"h1 center",
"next",
"sec ch",
"ch ua",
"ua platform",
"emails",
"certificate",
"passive dns",
"urls",
"encrypt",
"body",
"pe32 executable",
"ms windows",
"intel",
"windows control",
"panel item",
"dos borland",
"executable",
"algorithm",
"thumbprint",
"serial number",
"signing ca",
"symantec time",
"stamping",
"g2 name",
"g2 issuer",
"class",
"code",
"kb pe",
"csc corporate",
"porkbun llc",
"gandi sas",
"request",
"path",
"get https",
"get http",
"response",
"cachecontrol",
"pragma",
"connection",
"gmt connection",
"accept",
"slug",
"as29789",
"united",
"unknown",
"ransom",
"heur",
"server",
"registrar abuse",
"san rafael",
"autodesk",
"contact phone",
"registrar url",
"process32nextw",
"create c",
"read c",
"writeconsolew",
"delete",
"write",
"show",
"malware",
"write c",
"regsetvalueexa",
"delete c",
"search",
"regdword",
"whitelisted",
"panda banker",
"ursnif",
"win32",
"persistence",
"execution",
"banker",
"local",
"domain",
"servers",
"pulse pulses",
"files",
"ip address",
"creation date",
"united kingdom",
"as9009 m247",
"ipv4",
"pulse submit",
"url analysis",
"twitter",
"as16552 tiggee",
"as397241",
"as397240",
"entries",
"cname",
"nxdomain",
"a nxdomain",
"worm",
"file samples",
"files matching",
"alf features",
"denver co",
"wewatta",
"scan endpoints",
"related pulses",
"date hash",
"showing",
"as62597 nsone",
"date",
"trojanspy",
"cookie",
"hostmaster",
"expiration date",
"msie",
"windows nt",
"wow64",
"slcc2",
"media center",
"tls handshake",
"et info",
"getdc0x2a",
"failure",
"post http",
"copy",
"crash",
"ascii text",
"ascii",
"jpeg image",
"artemis",
"trojan",
"virustotal",
"mike",
"vipre",
"panda",
"win32mediadrug",
"win324shared",
"win32spigot",
"hstr",
"lowfi",
"yara detections",
"contacted",
"report spam",
"mozilla",
"trojanclicker",
"url http",
"url https",
"role title",
"added active",
"type indicator",
"source domain",
"akamai rank",
"hostname",
"ver2",
"msclkidn",
"vids0",
"global outage",
"cobalt strike",
"fancy bear",
"communications",
"android device",
"cnc beacon",
"suspicious ua",
"youtube",
"sakula rat",
"mivast",
"sakula",
"windows",
"samuel tulach",
"light dark",
"samuel",
"tulach",
"hyperv",
"detecting",
"writing gui",
"bootkits",
"world",
"information",
"discovery",
"t1027",
"t1057",
"t1071",
"protocol",
"t1105",
"tool transfer",
"t1129",
"capture",
"service",
"t1119"
],
"references": [
"autodesk.com [ Everything below was found in Autodesk [including crowdstrike & any.desk] Found in in Crowdsrike if labeled.",
"66.254.114.234 | reflectededge.reflected.net | reflected.net | 192.0.2.0 | https://www.brazzers.com/ | brazzers.com | brazzersnetwork.com",
"keezmovies.com | redtube.com | tube8.com | tube8.com | youporn.com| 0.brazzers.com | www.g-tunnel.comwww.brazzers.com |",
"Win32:Mystic , Win.Trojan.Xblocker-236 \u00bbFileHash-SHA256 8c59adbccc1987d13fec983f1e2be046611511b65479d1719bda77c5c90bbe21",
"IDS Detections: TLS Handshake Failure | Alerts: network_icmp , injection",
"Win32:BankerX-gen\\ [Trj] \u00bb FileHash-SHA256 2e5118d15a18ae852bf94d91707ff634d9d8354fef492f5c4e1c46b9cf96184c",
"IDS Detections: Zeus Panda Banker / Ursnif Malicious SSL Certificate Detected TLS Handshake Failure",
"Alerts: network_icmp antisandbox_idletime modifies_certificates modifies_proxy_wpad disables_proxy",
"RedTube.com Detections: ALF:AGGR:OpcCl:95!ml , ALF:JASYP:Backdoor:Win32/Cycbot!atmn , Win.Downloader.117423-1 ,",
"RedTube.com Detections: Win.Trojan.Crypt-321 , Win.Trojan.FakeAV-4166 , Win.Trojan.Fakeav-10977 , Win.Trojan.Fakeav-3386",
"Crowdstrike: wildcard.352-445-1166.device.sim.to.img.sedoparking.com",
"Crowdstrike: maxfehlinger.de http://auth.cranberry.testing.maxfehlinger.de | http://latex.cranberry.testing.maxfehlinger.de |",
"Crowdstrike: https://traefik.cranberry.testing.maxfehlinger.de | http://traefik.cranberry.testing.maxfehlinger.de |",
"Crowdstrike: http://watchtower.cranberry.testing.maxfehlinger.de| https://auth.cranberry.testing.maxfehlinger.de |",
"Crowdstrike: auth.cranberry.testing.maxfehlinger.de | latex.cranberry.testing.maxfehlinger.de | traefik.cranberry.testing.maxfehlinger.de |",
"Crowdstrike: watchtower.cranberry.testing.maxfehlinger.de | https://latex.cranberry.testing.maxfehlinger.de |",
"Crowdstrike: https://www.anyxxxtube.net/search-porn/tsara-brashears/\tphishing\t| https://www.anyxxxtube.net/sitemap.xml",
"Crowdstrike: https://www.pornhub.com/gifs/search?search=tsara+lynn+brash |",
"Crowdstrike: autodesk.com | 0ds.autodesk.com | aknanalytics.autodesk.com | anubis.autodesk.com | autobetaint.autodesk.com",
"Crowdstrike: autodeskarchitecture.autodesk.com | beacon-dev3.autodesk.com | boxtooffice365.autodesk.com | brahma-studio.autodesk.com",
"Crowdstrike: cdc-stg-emea.autodesk.com | cloudcost.autodesk.com | cloudpc-stg.autodesk.com | d-s.autodesk.com |",
"Crowdstrike: daiwahouse-learning.autodesk.com| datagovernance-dev.autodesk.com | enterprise-api-np.autodesk.com",
"Crowdstrike: symcd.com [Certificate Subjectaltname \u00bb\u00bb anydesk.com \u00bb\u00bb http://gn.symcb.com/gn.crt Ocsp\thttp://gn.symcd.com] ANYDESK.COM-unsigned",
"Crowdstrike: https://bat.bing.com/action/0?ti=12001672&tm=al001&Ver=2&mid=12436868-a484-4998-931c-980262982f67&sid=b92cd8f0483e11efa3c96fe28be413cb&vid=b92cdd10483e11efb1024309353d849f&vids=1&msclkid=N&pi=-740138922&lg=en-US&sw=800&sh=600&sc=24&tl=CrowdStrike%3A%20Stop%20breaches.%20Drive%20business.&p=https%3A%2F%2Fwww.crowdstrike.com%2Fen-us%2F&r=<=1022&pt=1721661968606",
"Crowdstrike: \tbat.bing.com, https://tulach.cc, https://otx.alienvault.com/indicator/url/http://www.hallrender.com/attorney/brian-sabey",
"Crowdstrike: https://www.pornhub.com/gifs/search?search=tsara+lynn+brashears+lesbian | https://www.pornhub.com/video/search?search=tsara+brashears | www.youtube.com/watch?v=GyuMozsVyYs | www.pornhub.com | www.youtube.com",
"Crowdstrike: https://hr.employmenthero.com/rs/387-SZZ-170/images/youtube-icon-emp-hero-violet.png",
"Crowdstrike + Autodesk.com: hallrender.com/attorney/brian-sabey www.hallrender.com/attorney/brian-sabey hallrender.com www.hallrender.com https://hallrender.com milehighmedia.com https://www.milehighmedia.com/ https://www.milehighmedia.com/legal/2257",
"Crowdstrike + Autodesk.com: brassiere.world mail.brassiere.world webdisk.brassiere.world webmail.brassiere.world",
"Crowdstrike + Autodesk.com: 128 + symcd.com some w/issues | 658 autodesk.com pulse some w/issues | removed any.desk & boot",
"The more I say...Any.Desk + boot.net.anydesk.com was in OG Private CrowdsStrike pulse",
"Above links in search results direct out with and arrow pointing out.",
"https://otx.alienvault.com/browse/global/pulses?q=tag:%22esta%20caliente%22&include_inactive=0&sort=-modified&page=1&limit=10&indicatorsSearch=esta%20caliente",
"Above link opened 'esta caliente'= 'it's hot'| I did NOT do that | All connected links gone. This has become common.",
"I didn't add pertinent findings back to Pulse. Pulse comp,eyes says ago . Couldn't submit. It's was actually a tiny pulse of autodesk.com with crowdstrike relationship references,",
"boot.net.anydesk.com removed from my Pulse below",
"https://otx.alienvault.com/pulse/66d4c125ad61ee5577639a2d"
],
"public": 1,
"adversary": "",
"targeted_countries": [
"United States of America",
"Netherlands"
],
"malware_families": [
{
"id": "Win32:Mystic",
"display_name": "Win32:Mystic",
"target": null
},
{
"id": "Win.Trojan.Xblocker-236",
"display_name": "Win.Trojan.Xblocker-236",
"target": null
},
{
"id": "Ransom:Win32/Genasom",
"display_name": "Ransom:Win32/Genasom",
"target": "/malware/Ransom:Win32/Genasom"
},
{
"id": "Worm:Win32/Autorun",
"display_name": "Worm:Win32/Autorun",
"target": "/malware/Worm:Win32/Autorun"
},
{
"id": "ALF:JASYP:Backdoor:Win32/Cycbot",
"display_name": "ALF:JASYP:Backdoor:Win32/Cycbot",
"target": null
},
{
"id": "#LowFiEnableDTContinueAfterUnpacking",
"display_name": "#LowFiEnableDTContinueAfterUnpacking",
"target": null
},
{
"id": "TrojanSpy",
"display_name": "TrojanSpy",
"target": null
},
{
"id": "TrojanSpy:Win32/Usteal",
"display_name": "TrojanSpy:Win32/Usteal",
"target": "/malware/TrojanSpy:Win32/Usteal"
},
{
"id": "Win.Trojan.PoetRat-7669676-0",
"display_name": "Win.Trojan.PoetRat-7669676-0",
"target": null
},
{
"id": "Mivast",
"display_name": "Mivast",
"target": null
},
{
"id": "Sakula",
"display_name": "Sakula",
"target": null
}
],
"attack_ids": [
{
"id": "T1003",
"name": "OS Credential Dumping",
"display_name": "T1003 - OS Credential Dumping"
},
{
"id": "T1005",
"name": "Data from Local System",
"display_name": "T1005 - Data from Local System"
},
{
"id": "T1047",
"name": "Windows Management Instrumentation",
"display_name": "T1047 - Windows Management Instrumentation"
},
{
"id": "T1053",
"name": "Scheduled Task/Job",
"display_name": "T1053 - Scheduled Task/Job"
},
{
"id": "T1055",
"name": "Process Injection",
"display_name": "T1055 - Process Injection"
},
{
"id": "T1057",
"name": "Process Discovery",
"display_name": "T1057 - Process Discovery"
},
{
"id": "T1060",
"name": "Registry Run Keys / Startup Folder",
"display_name": "T1060 - Registry Run Keys / Startup Folder"
},
{
"id": "T1081",
"name": "Credentials in Files",
"display_name": "T1081 - Credentials in Files"
},
{
"id": "T1082",
"name": "System Information Discovery",
"display_name": "T1082 - System Information Discovery"
},
{
"id": "T1119",
"name": "Automated Collection",
"display_name": "T1119 - Automated Collection"
},
{
"id": "T1129",
"name": "Shared Modules",
"display_name": "T1129 - Shared Modules"
},
{
"id": "T1040",
"name": "Network Sniffing",
"display_name": "T1040 - Network Sniffing"
},
{
"id": "T1112",
"name": "Modify Registry",
"display_name": "T1112 - Modify Registry"
},
{
"id": "T1566",
"name": "Phishing",
"display_name": "T1566 - Phishing"
},
{
"id": "T1045",
"name": "Software Packing",
"display_name": "T1045 - Software Packing"
},
{
"id": "T1106",
"name": "Native API",
"display_name": "T1106 - Native API"
},
{
"id": "T1021",
"name": "Remote Services",
"display_name": "T1021 - Remote Services"
},
{
"id": "T1210",
"name": "Exploitation of Remote Services",
"display_name": "T1210 - Exploitation of Remote Services"
},
{
"id": "T1027",
"name": "Obfuscated Files or Information",
"display_name": "T1027 - Obfuscated Files or Information"
},
{
"id": "T1056",
"name": "Input Capture",
"display_name": "T1056 - Input Capture"
},
{
"id": "T1071",
"name": "Application Layer Protocol",
"display_name": "T1071 - Application Layer Protocol"
},
{
"id": "T1105",
"name": "Ingress Tool Transfer",
"display_name": "T1105 - Ingress Tool Transfer"
},
{
"id": "T1140",
"name": "Deobfuscate/Decode Files or Information",
"display_name": "T1140 - Deobfuscate/Decode Files or Information"
},
{
"id": "T1143",
"name": "Hidden Window",
"display_name": "T1143 - Hidden Window"
},
{
"id": "T1158",
"name": "Hidden Files and Directories",
"display_name": "T1158 - Hidden Files and Directories"
},
{
"id": "T1498",
"name": "Network Denial of Service",
"display_name": "T1498 - Network Denial of Service"
},
{
"id": "T1518",
"name": "Software Discovery",
"display_name": "T1518 - Software Discovery"
},
{
"id": "T1553",
"name": "Subvert Trust Controls",
"display_name": "T1553 - Subvert Trust Controls"
},
{
"id": "T1568",
"name": "Dynamic Resolution",
"display_name": "T1568 - Dynamic Resolution"
},
{
"id": "T1583",
"name": "Acquire Infrastructure",
"display_name": "T1583 - Acquire Infrastructure"
}
],
"industries": [],
"TLP": "white",
"cloned_from": "66d89c45ddc0c7db084b75b7",
"export_count": 19,
"upvotes_count": 0,
"downvotes_count": 0,
"votes_count": 0,
"locked": false,
"pulse_source": "web",
"validator_count": 0,
"comment_count": 0,
"follower_count": 0,
"vote": 0,
"author": {
"username": "Q.Vashti",
"id": "337942",
"avatar_url": "https://otx.alienvault.com/assets/images/default-avatar.png",
"is_subscribed": false,
"is_following": false
},
"indicator_type_counts": {
"FileHash-MD5": 1417,
"FileHash-SHA1": 1165,
"FileHash-SHA256": 6536,
"URL": 6112,
"domain": 1340,
"hostname": 2654,
"email": 15,
"SSLCertFingerprint": 9
},
"indicator_count": 19248,
"is_author": false,
"is_subscribing": null,
"subscriber_count": 139,
"modified_text": "264 days ago ",
"is_modified": false,
"groups": [],
"in_group": false,
"threat_hunter_scannable": true,
"threat_hunter_has_agents": 1,
"related_indicator_type": "URL",
"related_indicator_is_active": 1
},
{
"id": "66d89c45ddc0c7db084b75b7",
"name": "Autodesk weakens CS | Unauthorized AlienVault API | Stolen pulsed",
"description": "Critical issues within AlienVault , VT & my devices. Plugins auto installed after I opened message from AV user. Sudden redirects to 0/ http/s. Heavy modifications, removal of IoC's on AV & VT & Virus Total. Autodesk.com was under CrowdStrike until last night. Links where vulnerabilities were originating from completely disappeared from graph I kindly kept private. Continuous mods for months to Crowdstrike and other pulses. [https://otx.alienvault.com/api appears in search] A page opens with Tag: \"esta caliente\" | All linked pulses Gone. Only person who frequently contacted me appears where they didn't before & These dishonest billion $ companies cover up though they are at fault for allowing ALL threat actor to be protected with non adversarial businesses. Besides other compromises, surprisingly Brashears porn found in Crowdstrike/Autodesk others. Disappointing.",
"modified": "2024-10-04T17:02:07.067000",
"created": "2024-09-04T17:43:33.123000",
"tags": [
"healthy check",
"ssl bypass",
"domain tracker",
"privacy badger",
"startpage",
"w11 pc",
"pass",
"iocs",
"all scoreblue",
"pdf report",
"pcap",
"stix",
"avast avg",
"no expiration",
"status",
"name servers",
"moved",
"h1 center",
"next",
"sec ch",
"ch ua",
"ua platform",
"emails",
"certificate",
"passive dns",
"urls",
"encrypt",
"body",
"pe32 executable",
"ms windows",
"intel",
"windows control",
"panel item",
"dos borland",
"executable",
"algorithm",
"thumbprint",
"serial number",
"signing ca",
"symantec time",
"stamping",
"g2 name",
"g2 issuer",
"class",
"code",
"kb pe",
"csc corporate",
"porkbun llc",
"gandi sas",
"request",
"path",
"get https",
"get http",
"response",
"cachecontrol",
"pragma",
"connection",
"gmt connection",
"accept",
"slug",
"as29789",
"united",
"unknown",
"ransom",
"heur",
"server",
"registrar abuse",
"san rafael",
"autodesk",
"contact phone",
"registrar url",
"process32nextw",
"create c",
"read c",
"writeconsolew",
"delete",
"write",
"show",
"malware",
"write c",
"regsetvalueexa",
"delete c",
"search",
"regdword",
"whitelisted",
"panda banker",
"ursnif",
"win32",
"persistence",
"execution",
"banker",
"local",
"domain",
"servers",
"pulse pulses",
"files",
"ip address",
"creation date",
"united kingdom",
"as9009 m247",
"ipv4",
"pulse submit",
"url analysis",
"twitter",
"as16552 tiggee",
"as397241",
"as397240",
"entries",
"cname",
"nxdomain",
"a nxdomain",
"worm",
"file samples",
"files matching",
"alf features",
"denver co",
"wewatta",
"scan endpoints",
"related pulses",
"date hash",
"showing",
"as62597 nsone",
"date",
"trojanspy",
"cookie",
"hostmaster",
"expiration date",
"msie",
"windows nt",
"wow64",
"slcc2",
"media center",
"tls handshake",
"et info",
"getdc0x2a",
"failure",
"post http",
"copy",
"crash",
"ascii text",
"ascii",
"jpeg image",
"artemis",
"trojan",
"virustotal",
"mike",
"vipre",
"panda",
"win32mediadrug",
"win324shared",
"win32spigot",
"hstr",
"lowfi",
"yara detections",
"contacted",
"report spam",
"mozilla",
"trojanclicker",
"url http",
"url https",
"role title",
"added active",
"type indicator",
"source domain",
"akamai rank",
"hostname",
"ver2",
"msclkidn",
"vids0",
"global outage",
"cobalt strike",
"fancy bear",
"communications",
"android device",
"cnc beacon",
"suspicious ua",
"youtube",
"sakula rat",
"mivast",
"sakula",
"windows",
"samuel tulach",
"light dark",
"samuel",
"tulach",
"hyperv",
"detecting",
"writing gui",
"bootkits",
"world",
"information",
"discovery",
"t1027",
"t1057",
"t1071",
"protocol",
"t1105",
"tool transfer",
"t1129",
"capture",
"service",
"t1119"
],
"references": [
"autodesk.com [ Everything below was found in Autodesk [including crowdstrike & any.desk] Found in in Crowdsrike if labeled.",
"66.254.114.234 | reflectededge.reflected.net | reflected.net | 192.0.2.0 | https://www.brazzers.com/ | brazzers.com | brazzersnetwork.com",
"keezmovies.com | redtube.com | tube8.com | tube8.com | youporn.com| 0.brazzers.com | www.g-tunnel.comwww.brazzers.com |",
"Win32:Mystic , Win.Trojan.Xblocker-236 \u00bbFileHash-SHA256 8c59adbccc1987d13fec983f1e2be046611511b65479d1719bda77c5c90bbe21",
"IDS Detections: TLS Handshake Failure | Alerts: network_icmp , injection",
"Win32:BankerX-gen\\ [Trj] \u00bb FileHash-SHA256 2e5118d15a18ae852bf94d91707ff634d9d8354fef492f5c4e1c46b9cf96184c",
"IDS Detections: Zeus Panda Banker / Ursnif Malicious SSL Certificate Detected TLS Handshake Failure",
"Alerts: network_icmp antisandbox_idletime modifies_certificates modifies_proxy_wpad disables_proxy",
"RedTube.com Detections: ALF:AGGR:OpcCl:95!ml , ALF:JASYP:Backdoor:Win32/Cycbot!atmn , Win.Downloader.117423-1 ,",
"RedTube.com Detections: Win.Trojan.Crypt-321 , Win.Trojan.FakeAV-4166 , Win.Trojan.Fakeav-10977 , Win.Trojan.Fakeav-3386",
"Crowdstrike: wildcard.352-445-1166.device.sim.to.img.sedoparking.com",
"Crowdstrike: maxfehlinger.de http://auth.cranberry.testing.maxfehlinger.de | http://latex.cranberry.testing.maxfehlinger.de |",
"Crowdstrike: https://traefik.cranberry.testing.maxfehlinger.de | http://traefik.cranberry.testing.maxfehlinger.de |",
"Crowdstrike: http://watchtower.cranberry.testing.maxfehlinger.de| https://auth.cranberry.testing.maxfehlinger.de |",
"Crowdstrike: auth.cranberry.testing.maxfehlinger.de | latex.cranberry.testing.maxfehlinger.de | traefik.cranberry.testing.maxfehlinger.de |",
"Crowdstrike: watchtower.cranberry.testing.maxfehlinger.de | https://latex.cranberry.testing.maxfehlinger.de |",
"Crowdstrike: https://www.anyxxxtube.net/search-porn/tsara-brashears/\tphishing\t| https://www.anyxxxtube.net/sitemap.xml",
"Crowdstrike: https://www.pornhub.com/gifs/search?search=tsara+lynn+brash |",
"Crowdstrike: autodesk.com | 0ds.autodesk.com | aknanalytics.autodesk.com | anubis.autodesk.com | autobetaint.autodesk.com",
"Crowdstrike: autodeskarchitecture.autodesk.com | beacon-dev3.autodesk.com | boxtooffice365.autodesk.com | brahma-studio.autodesk.com",
"Crowdstrike: cdc-stg-emea.autodesk.com | cloudcost.autodesk.com | cloudpc-stg.autodesk.com | d-s.autodesk.com |",
"Crowdstrike: daiwahouse-learning.autodesk.com| datagovernance-dev.autodesk.com | enterprise-api-np.autodesk.com",
"Crowdstrike: symcd.com [Certificate Subjectaltname \u00bb\u00bb anydesk.com \u00bb\u00bb http://gn.symcb.com/gn.crt Ocsp\thttp://gn.symcd.com] ANYDESK.COM-unsigned",
"Crowdstrike: https://bat.bing.com/action/0?ti=12001672&tm=al001&Ver=2&mid=12436868-a484-4998-931c-980262982f67&sid=b92cd8f0483e11efa3c96fe28be413cb&vid=b92cdd10483e11efb1024309353d849f&vids=1&msclkid=N&pi=-740138922&lg=en-US&sw=800&sh=600&sc=24&tl=CrowdStrike%3A%20Stop%20breaches.%20Drive%20business.&p=https%3A%2F%2Fwww.crowdstrike.com%2Fen-us%2F&r=<=1022&pt=1721661968606",
"Crowdstrike: \tbat.bing.com, https://tulach.cc, https://otx.alienvault.com/indicator/url/http://www.hallrender.com/attorney/brian-sabey",
"Crowdstrike: https://www.pornhub.com/gifs/search?search=tsara+lynn+brashears+lesbian | https://www.pornhub.com/video/search?search=tsara+brashears | www.youtube.com/watch?v=GyuMozsVyYs | www.pornhub.com | www.youtube.com",
"Crowdstrike: https://hr.employmenthero.com/rs/387-SZZ-170/images/youtube-icon-emp-hero-violet.png",
"Crowdstrike + Autodesk.com: hallrender.com/attorney/brian-sabey www.hallrender.com/attorney/brian-sabey hallrender.com www.hallrender.com https://hallrender.com milehighmedia.com https://www.milehighmedia.com/ https://www.milehighmedia.com/legal/2257",
"Crowdstrike + Autodesk.com: brassiere.world mail.brassiere.world webdisk.brassiere.world webmail.brassiere.world",
"Crowdstrike + Autodesk.com: 128 + symcd.com some w/issues | 658 autodesk.com pulse some w/issues | removed any.desk & boot",
"The more I say...Any.Desk + boot.net.anydesk.com was in OG Private CrowdsStrike pulse",
"Above links in search results direct out with and arrow pointing out.",
"https://otx.alienvault.com/browse/global/pulses?q=tag:%22esta%20caliente%22&include_inactive=0&sort=-modified&page=1&limit=10&indicatorsSearch=esta%20caliente",
"Above link opened 'esta caliente'= 'it's hot'| I did NOT do that | All connected links gone. This has become common.",
"I didn't add pertinent findings back to Pulse. Pulse comp,eyes says ago . Couldn't submit. It's was actually a tiny pulse of autodesk.com with crowdstrike relationship references,",
"boot.net.anydesk.com removed from my Pulse below",
"https://otx.alienvault.com/pulse/66d4c125ad61ee5577639a2d"
],
"public": 1,
"adversary": "",
"targeted_countries": [
"United States of America",
"Netherlands"
],
"malware_families": [
{
"id": "Win32:Mystic",
"display_name": "Win32:Mystic",
"target": null
},
{
"id": "Win.Trojan.Xblocker-236",
"display_name": "Win.Trojan.Xblocker-236",
"target": null
},
{
"id": "Ransom:Win32/Genasom",
"display_name": "Ransom:Win32/Genasom",
"target": "/malware/Ransom:Win32/Genasom"
},
{
"id": "Worm:Win32/Autorun",
"display_name": "Worm:Win32/Autorun",
"target": "/malware/Worm:Win32/Autorun"
},
{
"id": "ALF:JASYP:Backdoor:Win32/Cycbot",
"display_name": "ALF:JASYP:Backdoor:Win32/Cycbot",
"target": null
},
{
"id": "#LowFiEnableDTContinueAfterUnpacking",
"display_name": "#LowFiEnableDTContinueAfterUnpacking",
"target": null
},
{
"id": "TrojanSpy",
"display_name": "TrojanSpy",
"target": null
},
{
"id": "TrojanSpy:Win32/Usteal",
"display_name": "TrojanSpy:Win32/Usteal",
"target": "/malware/TrojanSpy:Win32/Usteal"
},
{
"id": "Win.Trojan.PoetRat-7669676-0",
"display_name": "Win.Trojan.PoetRat-7669676-0",
"target": null
},
{
"id": "Mivast",
"display_name": "Mivast",
"target": null
},
{
"id": "Sakula",
"display_name": "Sakula",
"target": null
}
],
"attack_ids": [
{
"id": "T1003",
"name": "OS Credential Dumping",
"display_name": "T1003 - OS Credential Dumping"
},
{
"id": "T1005",
"name": "Data from Local System",
"display_name": "T1005 - Data from Local System"
},
{
"id": "T1047",
"name": "Windows Management Instrumentation",
"display_name": "T1047 - Windows Management Instrumentation"
},
{
"id": "T1053",
"name": "Scheduled Task/Job",
"display_name": "T1053 - Scheduled Task/Job"
},
{
"id": "T1055",
"name": "Process Injection",
"display_name": "T1055 - Process Injection"
},
{
"id": "T1057",
"name": "Process Discovery",
"display_name": "T1057 - Process Discovery"
},
{
"id": "T1060",
"name": "Registry Run Keys / Startup Folder",
"display_name": "T1060 - Registry Run Keys / Startup Folder"
},
{
"id": "T1081",
"name": "Credentials in Files",
"display_name": "T1081 - Credentials in Files"
},
{
"id": "T1082",
"name": "System Information Discovery",
"display_name": "T1082 - System Information Discovery"
},
{
"id": "T1119",
"name": "Automated Collection",
"display_name": "T1119 - Automated Collection"
},
{
"id": "T1129",
"name": "Shared Modules",
"display_name": "T1129 - Shared Modules"
},
{
"id": "T1040",
"name": "Network Sniffing",
"display_name": "T1040 - Network Sniffing"
},
{
"id": "T1112",
"name": "Modify Registry",
"display_name": "T1112 - Modify Registry"
},
{
"id": "T1566",
"name": "Phishing",
"display_name": "T1566 - Phishing"
},
{
"id": "T1045",
"name": "Software Packing",
"display_name": "T1045 - Software Packing"
},
{
"id": "T1106",
"name": "Native API",
"display_name": "T1106 - Native API"
},
{
"id": "T1021",
"name": "Remote Services",
"display_name": "T1021 - Remote Services"
},
{
"id": "T1210",
"name": "Exploitation of Remote Services",
"display_name": "T1210 - Exploitation of Remote Services"
},
{
"id": "T1027",
"name": "Obfuscated Files or Information",
"display_name": "T1027 - Obfuscated Files or Information"
},
{
"id": "T1056",
"name": "Input Capture",
"display_name": "T1056 - Input Capture"
},
{
"id": "T1071",
"name": "Application Layer Protocol",
"display_name": "T1071 - Application Layer Protocol"
},
{
"id": "T1105",
"name": "Ingress Tool Transfer",
"display_name": "T1105 - Ingress Tool Transfer"
},
{
"id": "T1140",
"name": "Deobfuscate/Decode Files or Information",
"display_name": "T1140 - Deobfuscate/Decode Files or Information"
},
{
"id": "T1143",
"name": "Hidden Window",
"display_name": "T1143 - Hidden Window"
},
{
"id": "T1158",
"name": "Hidden Files and Directories",
"display_name": "T1158 - Hidden Files and Directories"
},
{
"id": "T1498",
"name": "Network Denial of Service",
"display_name": "T1498 - Network Denial of Service"
},
{
"id": "T1518",
"name": "Software Discovery",
"display_name": "T1518 - Software Discovery"
},
{
"id": "T1553",
"name": "Subvert Trust Controls",
"display_name": "T1553 - Subvert Trust Controls"
},
{
"id": "T1568",
"name": "Dynamic Resolution",
"display_name": "T1568 - Dynamic Resolution"
},
{
"id": "T1583",
"name": "Acquire Infrastructure",
"display_name": "T1583 - Acquire Infrastructure"
}
],
"industries": [],
"TLP": "white",
"cloned_from": null,
"export_count": 38,
"upvotes_count": 0,
"downvotes_count": 0,
"votes_count": 0,
"locked": false,
"pulse_source": "web",
"validator_count": 0,
"comment_count": 1,
"follower_count": 0,
"vote": 0,
"author": {
"username": "scoreblue",
"id": "254100",
"avatar_url": "/otxapi/users/avatar_image/media/avatars/user_254100/resized/80/avatar_3b9c358f36.png",
"is_subscribed": false,
"is_following": false
},
"indicator_type_counts": {
"FileHash-MD5": 1417,
"FileHash-SHA1": 1165,
"FileHash-SHA256": 6536,
"URL": 6112,
"domain": 1340,
"hostname": 2654,
"email": 15,
"SSLCertFingerprint": 9
},
"indicator_count": 19248,
"is_author": false,
"is_subscribing": null,
"subscriber_count": 227,
"modified_text": "562 days ago ",
"is_modified": true,
"groups": [],
"in_group": false,
"threat_hunter_scannable": true,
"threat_hunter_has_agents": 1,
"related_indicator_type": "URL",
"related_indicator_is_active": 1
}
],
"error": null,
"vt": {
"error": "VirusTotal rate limit reached. Try again shortly.",
"indicator": "https://uzgenom.irrigationsystem.uz",
"type": "URL"
},
"abuseipdb": null,
"urlhaus": {
"indicator": "https://uzgenom.irrigationsystem.uz",
"type": "URL",
"found": false,
"verdict": "clean",
"error": null
},
"from_cache": true,
"_cached_at": 1776619906.1892295
}