{
"type": "URL",
"indicator": "https://wallet.pagsmile.com/",
"general": {
"sections": [
"general",
"url_list",
"http_scans",
"screenshot"
],
"indicator": "https://wallet.pagsmile.com/",
"type": "url",
"type_title": "URL",
"validation": [],
"base_indicator": {
"id": 4077343195,
"indicator": "https://wallet.pagsmile.com/",
"type": "URL",
"title": "",
"description": "",
"content": "",
"access_type": "public",
"access_reason": ""
},
"pulse_info": {
"count": 12,
"pulses": [
{
"id": "68e2bb5d9ee8577ab5519f2c",
"name": "Meritshealth with DoD links? ",
"description": "",
"modified": "2026-01-13T00:05:56.401000",
"created": "2025-10-05T18:39:25.286000",
"tags": [
"gtmk5nxqc6",
"utc amazon",
"utc na",
"acceptencoding",
"gmt contenttype",
"connection",
"true pragma",
"gmt setcookie",
"httponly",
"gmt vary",
"nc000000 up",
"html document",
"unicode text",
"utf8 text",
"oc0006 http",
"http traffic",
"https http",
"mitre att",
"control ta0011",
"protocol t1071",
"match info",
"t1573 severity",
"info",
"number",
"ja3s",
"algorithm",
"azure rsa",
"tls issuing",
"cus subject",
"stwa lredmond",
"cnmicrosoft ecc",
"update secure",
"server ca",
"omicrosoft cus",
"get http",
"dns resolutions",
"registrar",
"markmonitor inc",
"country",
"resolver domain",
"type name",
"html",
"apnic",
"apnic whois",
"please",
"rirs",
"cidr",
"learn",
"ck id",
"name tactics",
"suspicious",
"informative",
"command",
"adversaries",
"development att",
"name tactics",
"binary file",
"ck matrix",
"wheelchair",
"iamrobert",
"pattern match",
"ascii text",
"href",
"united",
"general",
"local",
"path",
"encrypt",
"click",
"passive dns",
"urls",
"files",
"reverse dns",
"netherlands",
"present aug",
"a domains",
"moved",
"first pqc",
"ip address",
"unknown ns",
"unknown aaaa",
"title",
"body",
"meta",
"window",
"accept",
"body doctype",
"welcome",
"ok server",
"gmt content",
"present jul",
"present sep",
"aaaa",
"hostname",
"error",
"defense evasion",
"windows nt",
"response",
"vary",
"strings",
"core",
"t1027.013 encrypted/encoded",
"michelin lazy k",
"prefetch8",
"flag",
"date",
"starfield",
"hybrid",
"mobility cr",
"extraction",
"data upload",
"include",
"o url",
"url url",
"included i0",
"review ioc",
"excluded ic",
"suggested",
"find sugi",
"failed",
"cre pul",
"enter",
"enter sc",
"type",
"enric",
"extra",
"type opaste",
"data u",
"included",
"copy md5",
"copy sha1",
"copy sha256",
"null",
"refresh",
"tools",
"look",
"verify",
"restart",
"t1480 execution",
"expiration",
"url https",
"no expiration",
"iocs",
"ipv4",
"text drag",
"drop or",
"browse to",
"select file",
"redacted for",
"server",
"privacy tech",
"privacy admin",
"postal code",
"stateprovince",
"organization",
"email",
"code",
"quantum rooms",
"sam somalia",
"emp",
"porn",
"media defense",
"gov porn",
"suck my nips",
"reimer suspect",
"jeffrey reimer",
"dod",
"department of defense",
"show",
"date checked",
"url hostname",
"server response",
"google safe",
"results may",
"entries http",
"scans record",
"value status",
"sabey type",
"merits fake",
"y.a.s.",
"pornography",
"ramsom"
],
"references": [
"https://www.meritshealth.com/ Defense.Gov Mobility Co? ",
"zeroeyes.host \u2022 media.defense.gov \u2022 defense.gov \u2022 23.222.155.67",
"https://media.defense.gov/2022/Mar/17/2002958406/-1/-1/1/SUMMARY-OF-THE-JOINT-ALL-DOMAIN-COMMAND-AND-CONTROL-STRATEGY.pdf",
"https://media.defense.gov/2020/jun/09/2002313081/-1/-1/0/csi-detect-and-prevent-web-shell-malware-20200422.pdf",
"https://rto.bappam.eu/ai-n2cdl/mirai-2025-ven5k-telugu-movie-watch-online.html",
"https://pornokind.vgt.pl \u2022 https://cdn2.video.itsyourporn.com",
"https://webcams.itsyourporn.com/ \u2022 https://members.itsyourporn.com/",
"https://pics-storage-1.pornhat.com/contents/albums/main/1920x1080/135000/135855/9537375.jp",
"https://static.pornhat.com/contents/videos_screenshots/642000/642793/640x360/1.jpg",
"https://d1rozh26tys225.cloudfront.net/robot-suspicion.svg (mobility company no one has heard of)",
"https://www2.itsyourporn.com/license.php \u2022 https://www.lovephoto.tw/members",
"https://members.engine.com/login \u2022 https://members.engine.com/payment-details/220210",
"https://www-pornocarioca-com.sexogratis.page/videos/bbb/ex",
"https://media.defense.gov/2024/sep/18/2003547016/-1/-1/0/csa-prc-linked-actors-botnet.pdf",
"https://maisexo-com.putaria.info/casting \u2022 https://contosadultos-club.sexogratis.page/tudo",
"https://meumundogay-com.sexogratis.page/locker",
"https://es.pornhat.com/models/the-sex-creator/",
"Dear US Government, the man who assaulted targets name is Jeffrey Scott Reimer of Chester Springs, PA",
"Can the DoD no questions asked target a SA victim",
"Red Team Abuse? Starfield ? DoD? You need a real criminal Jeffrey Reimer.",
"There\u2019s a problem with terrorizing victims, relatives of, associates of and stealing their property intellectual or otherwise",
"socialmedia \u2022 socialmedia.defense.gov \u2022 static.defense.gov",
"There is fear in silence or speaking out",
"Target left unattended by anyone in a hospital except a security guard. Hospital refused care. Ignored rare brain incident from high cervical & brain assault injuries aggravated by car accident.",
"3-4 Police presence. 25 + hospital employees prepped radiology room. No one left room so was it for her?",
"If someone is believed to be a threat they have right to due process.",
"Infectious Disease UC Health denied target medication they said she needed as questionable liquid seeped into her brain.",
"She was a researcher not a hacker. A mother not a criminal. Most talented and least impressed person I have ever known.",
"Remarks online \u2018 T\u2019*#^^ is not a runner\u2019 a size 00 broke two track records at a major universities.",
"Honestly, you\u2019ve never seen or met her no many how many people you\u2019ve sent out. That\u2019s why you quiz.",
"ftp.iamrobert.com ? \u2022 https://www.meritshealth.com/templates/iamrobert/fonts/Graphik-Regular.eot",
"iamrobert.com Y.A.S.",
"1.2016 M.Brian Sabey filed a complaint about? Jeffrey Reimer refused Lie detector test and False memory exam",
"Target agreed and complied with all lie detector measures.",
"Is the family allowed to have a funeral for Tsara or print an obituary",
"No, they put Tsara in her mom\u2019s obituary, she couldn\u2019t grieve, she had to take it down.",
"I am very upset. Whoever is doing this is sick."
],
"public": 1,
"adversary": "",
"targeted_countries": [
"United States of America"
],
"malware_families": [
{
"id": "APNIC",
"display_name": "APNIC",
"target": null
},
{
"id": "Malware",
"display_name": "Malware",
"target": null
}
],
"attack_ids": [
{
"id": "T1071",
"name": "Application Layer Protocol",
"display_name": "T1071 - Application Layer Protocol"
},
{
"id": "T1573",
"name": "Encrypted Channel",
"display_name": "T1573 - Encrypted Channel"
},
{
"id": "T1027",
"name": "Obfuscated Files or Information",
"display_name": "T1027 - Obfuscated Files or Information"
},
{
"id": "T1057",
"name": "Process Discovery",
"display_name": "T1057 - Process Discovery"
},
{
"id": "T1069",
"name": "Permission Groups Discovery",
"display_name": "T1069 - Permission Groups Discovery"
},
{
"id": "T1105",
"name": "Ingress Tool Transfer",
"display_name": "T1105 - Ingress Tool Transfer"
},
{
"id": "T1480",
"name": "Execution Guardrails",
"display_name": "T1480 - Execution Guardrails"
},
{
"id": "T1553",
"name": "Subvert Trust Controls",
"display_name": "T1553 - Subvert Trust Controls"
},
{
"id": "T1566",
"name": "Phishing",
"display_name": "T1566 - Phishing"
},
{
"id": "T1568",
"name": "Dynamic Resolution",
"display_name": "T1568 - Dynamic Resolution"
},
{
"id": "T1583",
"name": "Acquire Infrastructure",
"display_name": "T1583 - Acquire Infrastructure"
},
{
"id": "T1069.002",
"name": "Domain Groups",
"display_name": "T1069.002 - Domain Groups"
},
{
"id": "T1071.001",
"name": "Web Protocols",
"display_name": "T1071.001 - Web Protocols"
},
{
"id": "T1583.001",
"name": "Domains",
"display_name": "T1583.001 - Domains"
},
{
"id": "TA0042",
"name": "Resource Development",
"display_name": "TA0042 - Resource Development"
},
{
"id": "TA0005",
"name": "Defense Evasion",
"display_name": "TA0005 - Defense Evasion"
},
{
"id": "T1553.002",
"name": "Code Signing",
"display_name": "T1553.002 - Code Signing"
},
{
"id": "T1528",
"name": "Steal Application Access Token",
"display_name": "T1528 - Steal Application Access Token"
},
{
"id": "T1071.004",
"name": "DNS",
"display_name": "T1071.004 - DNS"
},
{
"id": "T1113",
"name": "Screen Capture",
"display_name": "T1113 - Screen Capture"
},
{
"id": "T1590",
"name": "Gather Victim Network Information",
"display_name": "T1590 - Gather Victim Network Information"
},
{
"id": "T1591",
"name": "Gather Victim Org Information",
"display_name": "T1591 - Gather Victim Org Information"
},
{
"id": "T1132",
"name": "Data Encoding",
"display_name": "T1132 - Data Encoding"
},
{
"id": "T1140",
"name": "Deobfuscate/Decode Files or Information",
"display_name": "T1140 - Deobfuscate/Decode Files or Information"
},
{
"id": "T1562",
"name": "Impair Defenses",
"display_name": "T1562 - Impair Defenses"
},
{
"id": "T1457",
"name": "Malicious Media Content",
"display_name": "T1457 - Malicious Media Content"
},
{
"id": "T1562.001",
"name": "Disable or Modify Tools",
"display_name": "T1562.001 - Disable or Modify Tools"
},
{
"id": "T1562.004",
"name": "Disable or Modify System Firewall",
"display_name": "T1562.004 - Disable or Modify System Firewall"
},
{
"id": "T1089",
"name": "Disabling Security Tools",
"display_name": "T1089 - Disabling Security Tools"
},
{
"id": "T1562.008",
"name": "Disable Cloud Logs",
"display_name": "T1562.008 - Disable Cloud Logs"
},
{
"id": "T1125",
"name": "Video Capture",
"display_name": "T1125 - Video Capture"
},
{
"id": "T1056.003",
"name": "Web Portal Capture",
"display_name": "T1056.003 - Web Portal Capture"
},
{
"id": "T1512",
"name": "Capture Camera",
"display_name": "T1512 - Capture Camera"
},
{
"id": "T1180",
"name": "Screensaver",
"display_name": "T1180 - Screensaver"
}
],
"industries": [],
"TLP": "white",
"cloned_from": "68e2b14d83bb63502feac65e",
"export_count": 17,
"upvotes_count": 0,
"downvotes_count": 0,
"votes_count": 0,
"locked": false,
"pulse_source": "web",
"validator_count": 0,
"comment_count": 0,
"follower_count": 0,
"vote": 0,
"author": {
"username": "Q.Vashti",
"id": "337942",
"avatar_url": "https://otx.alienvault.com/assets/images/default-avatar.png",
"is_subscribed": false,
"is_following": false
},
"indicator_type_counts": {
"domain": 1365,
"URL": 11172,
"hostname": 2780,
"FileHash-MD5": 381,
"FileHash-SHA256": 4420,
"FileHash-SHA1": 338,
"CIDR": 4,
"SSLCertFingerprint": 24,
"CVE": 1,
"email": 1
},
"indicator_count": 20486,
"is_author": false,
"is_subscribing": null,
"subscriber_count": 139,
"modified_text": "97 days ago ",
"is_modified": true,
"groups": [],
"in_group": false,
"threat_hunter_scannable": true,
"threat_hunter_has_agents": 1,
"related_indicator_type": "URL",
"related_indicator_is_active": 1
},
{
"id": "68e2b14d83bb63502feac65e",
"name": "Did the \u2018real\u2019 DoD kill Targets wheelchair as promised? It\u2019s alive again.",
"description": "I\u2019d never think the DoD would be found when researching a wheelchair company NO ONE has ever heard of in this region. \n\nA wheelchair was ordered for target early spring, it was received in early summer. \n\nSettings became a crazy mess. Suspicion was immediate as a toothless tech tried to identify if dealing w/target by birth year , quizzing, fear tactics (doomsday wheelchair) , familiar Then warns about EMP attacks against wheelchair? His son is a hacker (gamer) + software engineer. He left not knowing if target status after quizzing tech knowledge? I intentionally verbalized the truth , target was a very early adopter of Ruby & Ruby on Rails & everything tech, he dropped his tools & left breaking the arm of wheelchair. New tech needed. Later denies ever being a mobility technician. They killed a new wheelchair. Why?. You\u2019re allowed to donate your equipment Vets & uninsured NEED mobility equipment. Stop the craziness. Is it possible gamer hackers are riding the DoD w/o their knowledge?",
"modified": "2026-01-07T00:00:30.717000",
"created": "2025-10-05T17:56:29.109000",
"tags": [
"gtmk5nxqc6",
"utc amazon",
"utc na",
"acceptencoding",
"gmt contenttype",
"connection",
"true pragma",
"gmt setcookie",
"httponly",
"gmt vary",
"nc000000 up",
"html document",
"unicode text",
"utf8 text",
"oc0006 http",
"http traffic",
"https http",
"mitre att",
"control ta0011",
"protocol t1071",
"match info",
"t1573 severity",
"info",
"number",
"ja3s",
"algorithm",
"azure rsa",
"tls issuing",
"cus subject",
"stwa lredmond",
"cnmicrosoft ecc",
"update secure",
"server ca",
"omicrosoft cus",
"get http",
"dns resolutions",
"registrar",
"markmonitor inc",
"country",
"resolver domain",
"type name",
"html",
"apnic",
"apnic whois",
"please",
"rirs",
"cidr",
"learn",
"ck id",
"name tactics",
"suspicious",
"informative",
"command",
"adversaries",
"development att",
"name tactics",
"binary file",
"ck matrix",
"wheelchair",
"iamrobert",
"pattern match",
"ascii text",
"href",
"united",
"general",
"local",
"path",
"encrypt",
"click",
"passive dns",
"urls",
"files",
"reverse dns",
"netherlands",
"present aug",
"a domains",
"moved",
"first pqc",
"ip address",
"unknown ns",
"unknown aaaa",
"title",
"body",
"meta",
"window",
"accept",
"body doctype",
"welcome",
"ok server",
"gmt content",
"present jul",
"present sep",
"aaaa",
"hostname",
"error",
"defense evasion",
"windows nt",
"response",
"vary",
"strings",
"core",
"t1027.013 encrypted/encoded",
"michelin lazy k",
"prefetch8",
"flag",
"date",
"starfield",
"hybrid",
"mobility cr",
"extraction",
"data upload",
"include",
"o url",
"url url",
"included i0",
"review ioc",
"excluded ic",
"suggested",
"find sugi",
"failed",
"cre pul",
"enter",
"enter sc",
"type",
"enric",
"extra",
"type opaste",
"data u",
"included",
"copy md5",
"copy sha1",
"copy sha256",
"null",
"refresh",
"tools",
"look",
"verify",
"restart",
"t1480 execution",
"expiration",
"url https",
"no expiration",
"iocs",
"ipv4",
"text drag",
"drop or",
"browse to",
"select file",
"redacted for",
"server",
"privacy tech",
"privacy admin",
"postal code",
"stateprovince",
"organization",
"email",
"code",
"quantum rooms",
"sam somalia",
"emp",
"porn",
"media defense",
"gov porn",
"suck my nips",
"reimer suspect",
"jeffrey reimer",
"dod",
"department of defense",
"show",
"date checked",
"url hostname",
"server response",
"google safe",
"results may",
"entries http",
"scans record",
"value status",
"sabey type",
"merits fake",
"y.a.s.",
"pornography",
"ramsom"
],
"references": [
"https://www.meritshealth.com/ Defense.Gov Mobility Co? ",
"zeroeyes.host \u2022 media.defense.gov \u2022 defense.gov \u2022 23.222.155.67",
"https://media.defense.gov/2022/Mar/17/2002958406/-1/-1/1/SUMMARY-OF-THE-JOINT-ALL-DOMAIN-COMMAND-AND-CONTROL-STRATEGY.pdf",
"https://media.defense.gov/2020/jun/09/2002313081/-1/-1/0/csi-detect-and-prevent-web-shell-malware-20200422.pdf",
"https://rto.bappam.eu/ai-n2cdl/mirai-2025-ven5k-telugu-movie-watch-online.html",
"https://pornokind.vgt.pl \u2022 https://cdn2.video.itsyourporn.com",
"https://webcams.itsyourporn.com/ \u2022 https://members.itsyourporn.com/",
"https://pics-storage-1.pornhat.com/contents/albums/main/1920x1080/135000/135855/9537375.jp",
"https://static.pornhat.com/contents/videos_screenshots/642000/642793/640x360/1.jpg",
"https://d1rozh26tys225.cloudfront.net/robot-suspicion.svg (mobility company no one has heard of)",
"https://www2.itsyourporn.com/license.php \u2022 https://www.lovephoto.tw/members",
"https://members.engine.com/login \u2022 https://members.engine.com/payment-details/220210",
"https://www-pornocarioca-com.sexogratis.page/videos/bbb/ex",
"https://media.defense.gov/2024/sep/18/2003547016/-1/-1/0/csa-prc-linked-actors-botnet.pdf",
"https://maisexo-com.putaria.info/casting \u2022 https://contosadultos-club.sexogratis.page/tudo",
"https://meumundogay-com.sexogratis.page/locker",
"https://es.pornhat.com/models/the-sex-creator/",
"Dear US Government, the man who assaulted targets name is Jeffrey Scott Reimer of Chester Springs, PA",
"Can the DoD no questions asked target a SA victim",
"Red Team Abuse? Starfield ? DoD? You need a real criminal Jeffrey Reimer.",
"There\u2019s a problem with terrorizing victims, relatives of, associates of and stealing their property intellectual or otherwise",
"socialmedia \u2022 socialmedia.defense.gov \u2022 static.defense.gov",
"There is fear in silence or speaking out",
"Target left unattended by anyone in a hospital except a security guard. Hospital refused care. Ignored rare brain incident from high cervical & brain assault injuries aggravated by car accident.",
"3-4 Police presence. 25 + hospital employees prepped radiology room. No one left room so was it for her?",
"If someone is believed to be a threat they have right to due process.",
"Infectious Disease UC Health denied target medication they said she needed as questionable liquid seeped into her brain.",
"She was a researcher not a hacker. A mother not a criminal. Most talented and least impressed person I have ever known.",
"Remarks online \u2018 T\u2019*#^^ is not a runner\u2019 a size 00 broke two track records at a major universities.",
"Honestly, you\u2019ve never seen or met her no many how many people you\u2019ve sent out. That\u2019s why you quiz.",
"ftp.iamrobert.com ? \u2022 https://www.meritshealth.com/templates/iamrobert/fonts/Graphik-Regular.eot",
"iamrobert.com Y.A.S.",
"1.2016 M.Brian Sabey filed a complaint about? Jeffrey Reimer refused Lie detector test and False memory exam",
"Target agreed and complied with all lie detector measures.",
"Is the family allowed to have a funeral for Tsara or print an obituary",
"No, they put Tsara in her mom\u2019s obituary, she couldn\u2019t grieve, she had to take it down.",
"I am very upset. Whoever is doing this is sick."
],
"public": 1,
"adversary": "",
"targeted_countries": [
"United States of America"
],
"malware_families": [
{
"id": "APNIC",
"display_name": "APNIC",
"target": null
},
{
"id": "Malware",
"display_name": "Malware",
"target": null
}
],
"attack_ids": [
{
"id": "T1071",
"name": "Application Layer Protocol",
"display_name": "T1071 - Application Layer Protocol"
},
{
"id": "T1573",
"name": "Encrypted Channel",
"display_name": "T1573 - Encrypted Channel"
},
{
"id": "T1027",
"name": "Obfuscated Files or Information",
"display_name": "T1027 - Obfuscated Files or Information"
},
{
"id": "T1057",
"name": "Process Discovery",
"display_name": "T1057 - Process Discovery"
},
{
"id": "T1069",
"name": "Permission Groups Discovery",
"display_name": "T1069 - Permission Groups Discovery"
},
{
"id": "T1105",
"name": "Ingress Tool Transfer",
"display_name": "T1105 - Ingress Tool Transfer"
},
{
"id": "T1480",
"name": "Execution Guardrails",
"display_name": "T1480 - Execution Guardrails"
},
{
"id": "T1553",
"name": "Subvert Trust Controls",
"display_name": "T1553 - Subvert Trust Controls"
},
{
"id": "T1566",
"name": "Phishing",
"display_name": "T1566 - Phishing"
},
{
"id": "T1568",
"name": "Dynamic Resolution",
"display_name": "T1568 - Dynamic Resolution"
},
{
"id": "T1583",
"name": "Acquire Infrastructure",
"display_name": "T1583 - Acquire Infrastructure"
},
{
"id": "T1069.002",
"name": "Domain Groups",
"display_name": "T1069.002 - Domain Groups"
},
{
"id": "T1071.001",
"name": "Web Protocols",
"display_name": "T1071.001 - Web Protocols"
},
{
"id": "T1583.001",
"name": "Domains",
"display_name": "T1583.001 - Domains"
},
{
"id": "TA0042",
"name": "Resource Development",
"display_name": "TA0042 - Resource Development"
},
{
"id": "TA0005",
"name": "Defense Evasion",
"display_name": "TA0005 - Defense Evasion"
},
{
"id": "T1553.002",
"name": "Code Signing",
"display_name": "T1553.002 - Code Signing"
},
{
"id": "T1528",
"name": "Steal Application Access Token",
"display_name": "T1528 - Steal Application Access Token"
},
{
"id": "T1071.004",
"name": "DNS",
"display_name": "T1071.004 - DNS"
},
{
"id": "T1113",
"name": "Screen Capture",
"display_name": "T1113 - Screen Capture"
},
{
"id": "T1590",
"name": "Gather Victim Network Information",
"display_name": "T1590 - Gather Victim Network Information"
},
{
"id": "T1591",
"name": "Gather Victim Org Information",
"display_name": "T1591 - Gather Victim Org Information"
},
{
"id": "T1132",
"name": "Data Encoding",
"display_name": "T1132 - Data Encoding"
},
{
"id": "T1140",
"name": "Deobfuscate/Decode Files or Information",
"display_name": "T1140 - Deobfuscate/Decode Files or Information"
},
{
"id": "T1562",
"name": "Impair Defenses",
"display_name": "T1562 - Impair Defenses"
},
{
"id": "T1457",
"name": "Malicious Media Content",
"display_name": "T1457 - Malicious Media Content"
},
{
"id": "T1562.001",
"name": "Disable or Modify Tools",
"display_name": "T1562.001 - Disable or Modify Tools"
},
{
"id": "T1562.004",
"name": "Disable or Modify System Firewall",
"display_name": "T1562.004 - Disable or Modify System Firewall"
},
{
"id": "T1089",
"name": "Disabling Security Tools",
"display_name": "T1089 - Disabling Security Tools"
},
{
"id": "T1562.008",
"name": "Disable Cloud Logs",
"display_name": "T1562.008 - Disable Cloud Logs"
},
{
"id": "T1125",
"name": "Video Capture",
"display_name": "T1125 - Video Capture"
},
{
"id": "T1056.003",
"name": "Web Portal Capture",
"display_name": "T1056.003 - Web Portal Capture"
},
{
"id": "T1512",
"name": "Capture Camera",
"display_name": "T1512 - Capture Camera"
},
{
"id": "T1180",
"name": "Screensaver",
"display_name": "T1180 - Screensaver"
}
],
"industries": [],
"TLP": "white",
"cloned_from": null,
"export_count": 11,
"upvotes_count": 0,
"downvotes_count": 0,
"votes_count": 0,
"locked": false,
"pulse_source": "web",
"validator_count": 0,
"comment_count": 1,
"follower_count": 0,
"vote": 0,
"author": {
"username": "Q.Vashti",
"id": "337942",
"avatar_url": "https://otx.alienvault.com/assets/images/default-avatar.png",
"is_subscribed": false,
"is_following": false
},
"indicator_type_counts": {
"domain": 1328,
"URL": 9931,
"hostname": 2621,
"FileHash-MD5": 381,
"FileHash-SHA256": 4360,
"FileHash-SHA1": 338,
"CIDR": 4,
"SSLCertFingerprint": 24,
"CVE": 1,
"email": 1
},
"indicator_count": 18989,
"is_author": false,
"is_subscribing": null,
"subscriber_count": 139,
"modified_text": "103 days ago ",
"is_modified": true,
"groups": [],
"in_group": false,
"threat_hunter_scannable": true,
"threat_hunter_has_agents": 1,
"related_indicator_type": "URL",
"related_indicator_is_active": 1
},
{
"id": "6923408464566e39caf32285",
"name": "Discord- DNS | Malvertizing | Ransom/Msilzilla (sifting IoC\u2019s created by scnrscnr)",
"description": "TAGS\nActive\n443 ma2592000\nChristopher Pool\nPool's Closed\nTimothy Pool\na li\n google\namerica att\napache\napache ip\nasn as46606\nauditmode force\nbehavior\nbinary\nbinary file\nbk role\nchat\ncheck\nchrome\nck ids\ncommon stealer\ncookie\ndata upload\ndefender\ndelete c\ndirectui\ndiscord\ndns lookup\ndomain add\ndrop\ndynamicloader\neb d8\nee fc\nerror oct\nexplorer\nexternal ip\nextraction\nf0 ff\nfailed\nff bb\nff d5\nff ff\nfiles\nfoundry\ngmt content\ngmt etag\ngmt server\ngoogle chrome\nguard\nhigh\ninsert\nlolminer\nmalware\nmedia\nmeta\nmoved\nmovie\nmsie\nmsvisualbasic60\nmtb aug -present \nneversend\npowershell\nrelated nids\nresponse ip\nself\nservice domain\nsingapore\nsmartassembly\nspan\nspan a\nsx08x00x00a\ntargeting\ntls sni\ntrojan\ntrojandropper\ntwitter\ntx08x00x00n\nunique\nuser agent\nux08x00x00h\nvirtool\nvirustotal api\nvoice\nvx08x00x00j\nwrite\nwrite c\nwx08x00x00\nx08x00x00b\nx08x00x00x00\nyara\nyara rule\nyx08x00x00l\nz3je\nz3uwq7\nzx08x00x00",
"modified": "2025-12-23T16:04:54.329000",
"created": "2025-11-23T17:12:36.917000",
"tags": [
"no expiration",
"expiration",
"url https",
"url http",
"filehashsha256",
"hostname",
"domain",
"filehashmd5",
"filehashsha1",
"ipv4",
"code",
"pool",
"timothy pool",
"z3je z3uwq7",
"creation date",
"ip address",
"emails",
"expiration date",
"status",
"hostname add",
"pulse pulses",
"passive dns",
"urls",
"date"
],
"references": [
"https://otx.alienvault.com/pulse/5fa57698ac0f6638b7b9a8ba",
"Examining pulse created by scnrscnr is worth reviewing. I was surprised tonal see a targets name.I didn\u2019t see Foundry highlighted",
"http://aninditaannisa.blogspot.com/2019/02/tsara-brashears-porn.html \u2022 blogspot.com",
"https://aninditaannisa.blogspot.com/2019/02/tsara-brashears-porn.html \u2022 blogspot.com \u2022 www.techcult.com/judge-the-simpsons-parody-is-child-pornography/ Whitelisted domain techcult.com\t Domain blogspot.com Whitelisted domain blogspot.com\t Domain techcult.com Whitelisted domain techcult.com\t Hostname aninditaannisa.blogspot.com \u2022 domain blogspot.com",
"www.techcult.com",
"http://foundry.tartarynova.com phishing \u2022 https://foundry.tartarynova.com \u2022 foundry.tartarynova.com",
"https://trail.truefoundry.com/api/t/c/usr_NEDuPPvnqv5DXyhti/tsk_X2YECqnpAow7t6JuE/enc_U2FsdGVkX1_wWHRx9nPGCEspZpUcIwc1yphMTxaaQ2ZAbsxOqRR4ibXcaYtcmgJ1UgabTFCHVVBLx2oAnBAW2h8el_edjHN72Ug0yKQePjKnSJEOnQvtq8MUPo0vkU1N",
"https://trail.truefoundry.com/api/track/open/usr_NEDuPPvnqv5DXyhti/tsk_L9bYYgL2HGng9mDsC",
"https://trail.truefoundry.com/api/track/open/usr_NEDuPPvnqv5DXyhti/tsk_X2YECqnpAow7t6JuE",
"truefoundry.com \u2022 assets.production.truefoundry.com \u2022 cpt.llm-gateway.truefoundry.com",
"yyz.llm-gateway.truefoundry.com \u2022 trail.truefoundry.com \u2022 sin.llm-gateway.truefoundry.com",
"lm-gateway.truefoundry.com \u2022 https://assets.production.truefoundry.com/sample-openapi.json",
"162.159.128.233 \u2022 http://tsar.vicly.org \u2022 https://tsar.vicly.org \u2022 tsar.vicly.org \u2022 vicly.org \u2022 https://tsar.vicly.org/",
"http://scteamcommunity.com/4k-high-res-porn-videos/squirt phishing",
"http://pic.porn.hub-accessories.site \u2022 https://pic.porn.hub-accessories.site \u2022 pic.porn.hub-accessories.site",
"2022ww11.pornhubgsy.com \u2022 http://scteamcommunity.com/4k-high-res-porn-videos/squirt",
"IDS Detections: Observed Discord Domain in DNS Lookup (discord .com) Discord Chat Service Domain in DNS Lookup (discord .com)",
"IDS Detections: Observed Discord Domain (discord .com in TLS SNI)",
"IDS Detections: Observed Cloudflare DNS over HTTPS Domain (cloudflare-dns .com in TLS SNI)",
"IDS Detections: Observed Discord Domain (discordapp .com in TLS SNI) Observed Discord Service Domain (discord .com) in TLS SNI Less",
"Yara: Detections ConventionEngine_Term_Users",
"Yara: ConventionEngine_Anomaly_MultiPDB_Double , ConventionEngine_Term_Documents",
"Alerts: infostealer_browser infostealer_cookies binary_yara procmem_yara static_pe_anomaly",
"Alerts: pe_compile_timestomping antiav_detectfile antidebug_guardpages encrypted_ioc",
"Alerts: dynamic_function_loading injection_write_process reads_memory_remote_process",
"Alerts : network_cnc_https_generic reads_self packer_entropy injection_rwx uses_windows_utilities antivm_checks_available_memory queries_computer_name queries_user_name",
"Yara : MS_Visual_Basic_6_0 ,",
"Yara : UPX , Nrv2x , UPX_OEP_place , UPXV200V290MarkusOberhumerLaszloMolnarJohnReiser , UPXv20MarkusLaszloReiser",
"Alerts : ransomware_file_modifications stealth_file procmem_yara static_pe_anomaly",
"Alerts: disables_folder_options stealth_hidden_extension stealth_hiddenreg anomalous_deletefile",
"Alerts: mouse_movement_detect",
"Couldn\u2019t pulse 1st pulse so here\u2019s what\u2019s left",
"scnrscnr pulse is good. I\u2019m assuming they\u2019re targets.",
"Foundry stalking."
],
"public": 1,
"adversary": "",
"targeted_countries": [
"United States of America"
],
"malware_families": [
{
"id": "TrojanDropper:Win32/VB.IL0",
"display_name": "TrojanDropper:Win32/VB.IL0",
"target": "/malware/TrojanDropper:Win32/VB.IL0"
},
{
"id": "ALF:Trojan:Win32/Cassini_56a3061!ibt",
"display_name": "ALF:Trojan:Win32/Cassini_56a3061!ibt",
"target": null
},
{
"id": "Win.Ransomware.Msilzilla-10014498-0",
"display_name": "Win.Ransomware.Msilzilla-10014498-0",
"target": null
}
],
"attack_ids": [
{
"id": "T1031",
"name": "Modify Existing Service",
"display_name": "T1031 - Modify Existing Service"
},
{
"id": "T1045",
"name": "Software Packing",
"display_name": "T1045 - Software Packing"
},
{
"id": "T1060",
"name": "Registry Run Keys / Startup Folder",
"display_name": "T1060 - Registry Run Keys / Startup Folder"
},
{
"id": "T1063",
"name": "Security Software Discovery",
"display_name": "T1063 - Security Software Discovery"
},
{
"id": "T1071",
"name": "Application Layer Protocol",
"display_name": "T1071 - Application Layer Protocol"
},
{
"id": "T1119",
"name": "Automated Collection",
"display_name": "T1119 - Automated Collection"
},
{
"id": "T1140",
"name": "Deobfuscate/Decode Files or Information",
"display_name": "T1140 - Deobfuscate/Decode Files or Information"
},
{
"id": "T1210",
"name": "Exploitation of Remote Services",
"display_name": "T1210 - Exploitation of Remote Services"
},
{
"id": "T1443",
"name": "Remotely Install Application",
"display_name": "T1443 - Remotely Install Application"
},
{
"id": "T1546",
"name": "Event Triggered Execution",
"display_name": "T1546 - Event Triggered Execution"
},
{
"id": "T1566",
"name": "Phishing",
"display_name": "T1566 - Phishing"
}
],
"industries": [],
"TLP": "green",
"cloned_from": null,
"export_count": 7,
"upvotes_count": 0,
"downvotes_count": 0,
"votes_count": 0,
"locked": false,
"pulse_source": "web",
"validator_count": 0,
"comment_count": 0,
"follower_count": 0,
"vote": 0,
"author": {
"username": "Q.Vashti",
"id": "337942",
"avatar_url": "https://otx.alienvault.com/assets/images/default-avatar.png",
"is_subscribed": false,
"is_following": false
},
"indicator_type_counts": {
"FileHash-MD5": 773,
"FileHash-SHA1": 684,
"FileHash-SHA256": 1910,
"CVE": 2,
"SSLCertFingerprint": 4,
"URL": 3783,
"domain": 878,
"email": 7,
"hostname": 1913
},
"indicator_count": 9954,
"is_author": false,
"is_subscribing": null,
"subscriber_count": 139,
"modified_text": "117 days ago ",
"is_modified": true,
"groups": [],
"in_group": false,
"threat_hunter_scannable": true,
"threat_hunter_has_agents": 1,
"related_indicator_type": "URL",
"related_indicator_is_active": 1
},
{
"id": "68c62306c74c7f57dc993d13",
"name": "Predator - Dr. Jeffrey Reimer, DPT - Physical Therapist in Denver, CO | Healthgrades",
"description": "Malware with code overlap. JSR , DPT Health Grades account has been removed. An investigator claims Reimer & family have been moved, names , career , changes years ago, claims of government protection for him. After victims MRI JSR left town immediately. Returning in 2016 , coincidentally driving near victim location on various locations. \nIt\u2019s disgusting how technology is being used to cover up a crime instead of solve one.\n#code_overlap #malware #hosts_contacted\n#itstoolatetoapologizeitstoolate",
"modified": "2025-10-14T01:04:58.605000",
"created": "2025-09-14T02:05:58.793000",
"tags": [
"denver",
"jeffrey reimer",
"star rating",
"appointment",
"post",
"response are",
"listened",
"wait",
"reimer",
"healthgrades",
"reply flag",
"doctors",
"find",
"jeff",
"back",
"aurora",
"leave",
"crying",
"tips",
"tags na",
"utc scorecard",
"research beacon",
"utc yahoo",
"dot tags",
"united",
"mozilla",
"write c",
"nsisinetc",
"undetermined",
"medium",
"intel",
"ms windows",
"write",
"trojan",
"defender",
"delphi",
"win32",
"malware",
"win64",
"local",
"next",
"code overlap",
"dynamicloader",
"as15169",
"brazil as28604",
"brazil as396982",
"upatre",
"passive dns",
"title error",
"ipv4 add",
"pulse pulses",
"urls",
"files",
"reverse dns",
"location united",
"america flag",
"body",
"script script",
"powder sdk",
"a domains",
"title",
"script",
"certificate",
"hostname add",
"pulse submit",
"meta",
"learn",
"command",
"ck id",
"name tactics",
"suspicious",
"informative",
"spawns",
"evasion att",
"t1480 execution",
"signing defense",
"flag",
"whois privacy",
"service name",
"server",
"contacted hosts",
"ip address",
"process details",
"size",
"div id",
"beginstring",
"beginerror",
"null",
"error",
"strings",
"refresh",
"tools",
"onload",
"click",
"span",
"remote access"
],
"references": [
"#Lowfi:AGGREGATOR:HasKnownAdwareDomain_NsisBundler",
"YARA: Delphi This program must be run under Win32 compilers TrojanWin32Fakemalard Ujhhd",
"CodeOverlap | All malware listed exists",
"Observed Cloudflare DNS over HTTPS Domain (cloudflare-dns .com in TLS SNI)",
"All #tags auto populated.",
"URL http://virii.es/M/Mobile Malware Attacks and Defense.pdf",
"blog.manpowergroup.com.py (aww like dadvocates)",
"https://isexychat.com/chatrooms/teen-chat/with-others/\t (sounds about right)",
"r53lbr.run-delete-app-sa-east-1-1.run-delete-test-sa-east-1-9zt9rjv.forgeapps.ec2.aws.dev"
],
"public": 1,
"adversary": "",
"targeted_countries": [],
"malware_families": [
{
"id": "#Lowfi:AGGREGATOR:HasKnownAdwareDomain_NsisBundler.",
"display_name": "#Lowfi:AGGREGATOR:HasKnownAdwareDomain_NsisBundler.",
"target": null
},
{
"id": "Win.Malware.Tfuvtcog-7194372-0",
"display_name": "Win.Malware.Tfuvtcog-7194372-0",
"target": null
},
{
"id": "Trojan.Win32.Fakemalard",
"display_name": "Trojan.Win32.Fakemalard",
"target": null
},
{
"id": "Code Overlap",
"display_name": "Code Overlap",
"target": null
},
{
"id": "Trojan.Win32.Banload",
"display_name": "Trojan.Win32.Banload",
"target": null
},
{
"id": "Formbook",
"display_name": "Formbook",
"target": null
},
{
"id": "Malware",
"display_name": "Malware",
"target": null
}
],
"attack_ids": [
{
"id": "T1045",
"name": "Software Packing",
"display_name": "T1045 - Software Packing"
},
{
"id": "T1063",
"name": "Security Software Discovery",
"display_name": "T1063 - Security Software Discovery"
},
{
"id": "T1027",
"name": "Obfuscated Files or Information",
"display_name": "T1027 - Obfuscated Files or Information"
},
{
"id": "T1057",
"name": "Process Discovery",
"display_name": "T1057 - Process Discovery"
},
{
"id": "T1071",
"name": "Application Layer Protocol",
"display_name": "T1071 - Application Layer Protocol"
},
{
"id": "T1105",
"name": "Ingress Tool Transfer",
"display_name": "T1105 - Ingress Tool Transfer"
},
{
"id": "T1480",
"name": "Execution Guardrails",
"display_name": "T1480 - Execution Guardrails"
},
{
"id": "T1553",
"name": "Subvert Trust Controls",
"display_name": "T1553 - Subvert Trust Controls"
},
{
"id": "T1568",
"name": "Dynamic Resolution",
"display_name": "T1568 - Dynamic Resolution"
},
{
"id": "T1140",
"name": "Deobfuscate/Decode Files or Information",
"display_name": "T1140 - Deobfuscate/Decode Files or Information"
}
],
"industries": [
"Medical",
"Media",
"Government."
],
"TLP": "white",
"cloned_from": null,
"export_count": 11,
"upvotes_count": 0,
"downvotes_count": 0,
"votes_count": 0,
"locked": false,
"pulse_source": "web",
"validator_count": 0,
"comment_count": 0,
"follower_count": 0,
"vote": 0,
"author": {
"username": "Q.Vashti",
"id": "337942",
"avatar_url": "https://otx.alienvault.com/assets/images/default-avatar.png",
"is_subscribed": false,
"is_following": false
},
"indicator_type_counts": {
"hostname": 609,
"URL": 1550,
"domain": 280,
"FileHash-SHA256": 1428,
"FileHash-MD5": 133,
"FileHash-SHA1": 115,
"SSLCertFingerprint": 4
},
"indicator_count": 4119,
"is_author": false,
"is_subscribing": null,
"subscriber_count": 139,
"modified_text": "188 days ago ",
"is_modified": true,
"groups": [],
"in_group": false,
"threat_hunter_scannable": true,
"threat_hunter_has_agents": 1,
"related_indicator_type": "URL",
"related_indicator_is_active": 1
},
{
"id": "68c62316b24b23e6d4c579ef",
"name": "Predator - Dr. Jeffrey Reimer, DPT - Physical Therapist in Denver, CO | Healthgrades",
"description": "Malware with code overlap. JSR , DPT Health Grades account has been removed. An investigator claims Reimer & family have been moved, names , career , changes years ago, claims of government protection for him. After victims MRI JSR left town immediately. Returning in 2016 , coincidentally driving near victim location on various locations. \nIt\u2019s disgusting how technology is being used to cover up a crime instead of solve one.\n#code_overlap #malware #hosts_contacted\n#itstoolatetoapologizeitstoolate",
"modified": "2025-10-14T01:04:58.605000",
"created": "2025-09-14T02:06:14.853000",
"tags": [
"denver",
"jeffrey reimer",
"star rating",
"appointment",
"post",
"response are",
"listened",
"wait",
"reimer",
"healthgrades",
"reply flag",
"doctors",
"find",
"jeff",
"back",
"aurora",
"leave",
"crying",
"tips",
"tags na",
"utc scorecard",
"research beacon",
"utc yahoo",
"dot tags",
"united",
"mozilla",
"write c",
"nsisinetc",
"undetermined",
"medium",
"intel",
"ms windows",
"write",
"trojan",
"defender",
"delphi",
"win32",
"malware",
"win64",
"local",
"next",
"code overlap",
"dynamicloader",
"as15169",
"brazil as28604",
"brazil as396982",
"upatre",
"passive dns",
"title error",
"ipv4 add",
"pulse pulses",
"urls",
"files",
"reverse dns",
"location united",
"america flag",
"body",
"script script",
"powder sdk",
"a domains",
"title",
"script",
"certificate",
"hostname add",
"pulse submit",
"meta",
"learn",
"command",
"ck id",
"name tactics",
"suspicious",
"informative",
"spawns",
"evasion att",
"t1480 execution",
"signing defense",
"flag",
"whois privacy",
"service name",
"server",
"contacted hosts",
"ip address",
"process details",
"size",
"div id",
"beginstring",
"beginerror",
"null",
"error",
"strings",
"refresh",
"tools",
"onload",
"click",
"span",
"remote access"
],
"references": [
"#Lowfi:AGGREGATOR:HasKnownAdwareDomain_NsisBundler",
"YARA: Delphi This program must be run under Win32 compilers TrojanWin32Fakemalard Ujhhd",
"CodeOverlap | All malware listed exists",
"Observed Cloudflare DNS over HTTPS Domain (cloudflare-dns .com in TLS SNI)",
"All #tags auto populated.",
"URL http://virii.es/M/Mobile Malware Attacks and Defense.pdf",
"blog.manpowergroup.com.py (aww like dadvocates)",
"https://isexychat.com/chatrooms/teen-chat/with-others/\t (sounds about right)",
"r53lbr.run-delete-app-sa-east-1-1.run-delete-test-sa-east-1-9zt9rjv.forgeapps.ec2.aws.dev"
],
"public": 1,
"adversary": "",
"targeted_countries": [],
"malware_families": [
{
"id": "#Lowfi:AGGREGATOR:HasKnownAdwareDomain_NsisBundler.",
"display_name": "#Lowfi:AGGREGATOR:HasKnownAdwareDomain_NsisBundler.",
"target": null
},
{
"id": "Win.Malware.Tfuvtcog-7194372-0",
"display_name": "Win.Malware.Tfuvtcog-7194372-0",
"target": null
},
{
"id": "Trojan.Win32.Fakemalard",
"display_name": "Trojan.Win32.Fakemalard",
"target": null
},
{
"id": "Code Overlap",
"display_name": "Code Overlap",
"target": null
},
{
"id": "Trojan.Win32.Banload",
"display_name": "Trojan.Win32.Banload",
"target": null
},
{
"id": "Formbook",
"display_name": "Formbook",
"target": null
},
{
"id": "Malware",
"display_name": "Malware",
"target": null
},
{
"id": "Too much to search for",
"display_name": "Too much to search for",
"target": null
}
],
"attack_ids": [
{
"id": "T1045",
"name": "Software Packing",
"display_name": "T1045 - Software Packing"
},
{
"id": "T1063",
"name": "Security Software Discovery",
"display_name": "T1063 - Security Software Discovery"
},
{
"id": "T1027",
"name": "Obfuscated Files or Information",
"display_name": "T1027 - Obfuscated Files or Information"
},
{
"id": "T1057",
"name": "Process Discovery",
"display_name": "T1057 - Process Discovery"
},
{
"id": "T1071",
"name": "Application Layer Protocol",
"display_name": "T1071 - Application Layer Protocol"
},
{
"id": "T1105",
"name": "Ingress Tool Transfer",
"display_name": "T1105 - Ingress Tool Transfer"
},
{
"id": "T1480",
"name": "Execution Guardrails",
"display_name": "T1480 - Execution Guardrails"
},
{
"id": "T1553",
"name": "Subvert Trust Controls",
"display_name": "T1553 - Subvert Trust Controls"
},
{
"id": "T1568",
"name": "Dynamic Resolution",
"display_name": "T1568 - Dynamic Resolution"
},
{
"id": "T1140",
"name": "Deobfuscate/Decode Files or Information",
"display_name": "T1140 - Deobfuscate/Decode Files or Information"
}
],
"industries": [
"Medical",
"Media",
"Government."
],
"TLP": "white",
"cloned_from": null,
"export_count": 9,
"upvotes_count": 0,
"downvotes_count": 0,
"votes_count": 0,
"locked": false,
"pulse_source": "web",
"validator_count": 0,
"comment_count": 0,
"follower_count": 0,
"vote": 0,
"author": {
"username": "Q.Vashti",
"id": "337942",
"avatar_url": "https://otx.alienvault.com/assets/images/default-avatar.png",
"is_subscribed": false,
"is_following": false
},
"indicator_type_counts": {
"hostname": 609,
"URL": 1550,
"domain": 280,
"FileHash-SHA256": 1428,
"FileHash-MD5": 133,
"FileHash-SHA1": 115,
"SSLCertFingerprint": 4
},
"indicator_count": 4119,
"is_author": false,
"is_subscribing": null,
"subscriber_count": 139,
"modified_text": "188 days ago ",
"is_modified": true,
"groups": [],
"in_group": false,
"threat_hunter_scannable": true,
"threat_hunter_has_agents": 1,
"related_indicator_type": "URL",
"related_indicator_is_active": 1
},
{
"id": "68ac1823eed9568e26950b98",
"name": "ELF: Mirai - Malicious media | sentient.industries | Palantir",
"description": "Malicious entity weaponizing AI and next level cyber attacks, targeting, hacking, espionage, tracking, bad traffic, botnet, honeypots, bots , ddos. \n\nIt\u2019s really easy to become a target. Protest a cause, become a victim of crime by someone protected by a major entity , incur a large loss insurance case or have a high profile potential lawsuit on and on\u2026 \n\nExcessive overreach, low accountability, no barrier to access, designed to be the cyber warfare weapon.\nIf this is a spoof and NOT Palantir which (but it is) still relentlessly , as malicious. You don\u2019t own your devices or privacy.\n\n#mustbestrangelyexitingtowatchthestoicsquirm",
"modified": "2025-09-24T07:05:04.439000",
"created": "2025-08-25T08:00:35.492000",
"tags": [
"sentientindustries",
"adult",
"pornography",
"targeting",
"content reputation",
"palantirfoundry",
"palantir",
"malicious media",
"tool",
"abuse",
"citizens",
"gay",
"united",
"cache control",
"access control",
"passive dns",
"ip address",
"body found",
"gmt content",
"express cache",
"accept",
"pragma",
"avast avg",
"mirai",
"games",
"aniporn",
"eporner",
"learn",
"ck id",
"name tactics",
"suspicious",
"informative",
"adversaries",
"command",
"javascript",
"defense evasion",
"spawns",
"attrib",
"extid",
"fbid",
"creatortool",
"pattern match",
"date",
"path",
"august",
"hybrid",
"general",
"click",
"strings",
"bham",
"this",
"core",
"unknown aaaa",
"moved",
"unknown ns",
"body",
"h1 center",
"title",
"data upload",
"extraction",
"iocs",
"monitored target",
"copy md5",
"copy sha1",
"copy sha256",
"mitre att",
"show technique",
"ck matrix",
"span",
"possible",
"local",
"meta",
"roboto",
"supportscookie",
"spearphishing",
"initial access",
"ssl certificate",
"t1105",
"T1027.013 - Encrypted/Encoded File"
],
"references": [
"https://targeting-ai.com/dr-wisit-cheungpasitporn-invite-dhonneur-a-paris-pour-intelligence-artificielle-et-nephrologie-2025/ (phishing)",
"conf.targeting-ai.com \u2022 http://conf.targeting-ai.com \u2022 https://conf.targeting-ai.com \u2022 https://droidcall.cc/EQBhOSFz/",
"http://securityidiots.com/Web-Pentest/SQL-Injection/bypass-login-using-sql-injection.html",
"1-ai-chatbox-widget-2iv.pages.dev",
"FileleHash Sha256 [7a6da9fd351d428e9bfb8edbbca1275d9cdaf7f0371c77d2c227645509f7ebec ELF:Mirai-GH\\ [Trj] \u2022 Unix.Trojan.Gafgyt-6748839",
"Found in Palantirfoundry in sentient.indusutries linked to songculture.com (downed)",
"Redirecting to /verify/547062ef [URL https://eporner.blog \u2022 IPv4 104.21.3.107]",
"https://hayageek.com/drag-and-drop-file-upload-jquery",
"https://hayageek.com/rsa-encryption-decryption-openssl-c/",
"https://www-321chat-com.webpkgcache.com/doc/-/s/www.321chat.com/",
"https://www.melitta.be/portal/pics/layout/touchicons/apple-touch-icon-precomposed.png [Key-Systems GmbH]",
"https://hybrid-analysis.com/sample/627cf8e9a89c998bd5cb607854bbe31b82679c116b4e3834ff942220d61d3488/68ac1098bfa5002fad02e045",
"T1027.013 - Encrypted/Encoded File"
],
"public": 1,
"adversary": "",
"targeted_countries": [
"United States of America"
],
"malware_families": [
{
"id": "PornBlackmailer",
"display_name": "PornBlackmailer",
"target": null
},
{
"id": "Win32/PornTool",
"display_name": "Win32/PornTool",
"target": null
},
{
"id": "Mirai",
"display_name": "Mirai",
"target": null
},
{
"id": "ELF:Mirai-GH\\ [Trj]",
"display_name": "ELF:Mirai-GH\\ [Trj]",
"target": null
},
{
"id": "Unix.Trojan.Gafgyt-6748839",
"display_name": "Unix.Trojan.Gafgyt-6748839",
"target": null
},
{
"id": "supportsCookie",
"display_name": "supportsCookie",
"target": null
}
],
"attack_ids": [
{
"id": "T1457",
"name": "Malicious Media Content",
"display_name": "T1457 - Malicious Media Content"
},
{
"id": "T1027",
"name": "Obfuscated Files or Information",
"display_name": "T1027 - Obfuscated Files or Information"
},
{
"id": "T1055",
"name": "Process Injection",
"display_name": "T1055 - Process Injection"
},
{
"id": "T1057",
"name": "Process Discovery",
"display_name": "T1057 - Process Discovery"
},
{
"id": "T1059",
"name": "Command and Scripting Interpreter",
"display_name": "T1059 - Command and Scripting Interpreter"
},
{
"id": "T1071",
"name": "Application Layer Protocol",
"display_name": "T1071 - Application Layer Protocol"
},
{
"id": "T1083",
"name": "File and Directory Discovery",
"display_name": "T1083 - File and Directory Discovery"
},
{
"id": "T1105",
"name": "Ingress Tool Transfer",
"display_name": "T1105 - Ingress Tool Transfer"
},
{
"id": "T1480",
"name": "Execution Guardrails",
"display_name": "T1480 - Execution Guardrails"
},
{
"id": "T1553",
"name": "Subvert Trust Controls",
"display_name": "T1553 - Subvert Trust Controls"
},
{
"id": "T1555",
"name": "Credentials from Password Stores",
"display_name": "T1555 - Credentials from Password Stores"
},
{
"id": "T1568",
"name": "Dynamic Resolution",
"display_name": "T1568 - Dynamic Resolution"
},
{
"id": "T1583",
"name": "Acquire Infrastructure",
"display_name": "T1583 - Acquire Infrastructure"
},
{
"id": "T1590",
"name": "Gather Victim Network Information",
"display_name": "T1590 - Gather Victim Network Information"
},
{
"id": "T1113",
"name": "Screen Capture",
"display_name": "T1113 - Screen Capture"
},
{
"id": "T1140",
"name": "Deobfuscate/Decode Files or Information",
"display_name": "T1140 - Deobfuscate/Decode Files or Information"
},
{
"id": "T1608.005",
"name": "Link Target",
"display_name": "T1608.005 - Link Target"
},
{
"id": "T1566",
"name": "Phishing",
"display_name": "T1566 - Phishing"
},
{
"id": "T1204",
"name": "User Execution",
"display_name": "T1204 - User Execution"
},
{
"id": "T1583.001",
"name": "Domains",
"display_name": "T1583.001 - Domains"
},
{
"id": "T1566.002",
"name": "Spearphishing Link",
"display_name": "T1566.002 - Spearphishing Link"
},
{
"id": "T1566.001",
"name": "Spearphishing Attachment",
"display_name": "T1566.001 - Spearphishing Attachment"
},
{
"id": "T1553.002",
"name": "Code Signing",
"display_name": "T1553.002 - Code Signing"
},
{
"id": "T1071.004",
"name": "DNS",
"display_name": "T1071.004 - DNS"
},
{
"id": "T1071.001",
"name": "Web Protocols",
"display_name": "T1071.001 - Web Protocols"
},
{
"id": "T1568.002",
"name": "Domain Generation Algorithms",
"display_name": "T1568.002 - Domain Generation Algorithms"
},
{
"id": "T1532",
"name": "Data Encrypted",
"display_name": "T1532 - Data Encrypted"
}
],
"industries": [
"Telecommunications",
"Technology",
"Civilian Society",
"Government"
],
"TLP": "white",
"cloned_from": null,
"export_count": 16,
"upvotes_count": 0,
"downvotes_count": 0,
"votes_count": 0,
"locked": false,
"pulse_source": "web",
"validator_count": 0,
"comment_count": 0,
"follower_count": 0,
"vote": 0,
"author": {
"username": "Q.Vashti",
"id": "337942",
"avatar_url": "https://otx.alienvault.com/assets/images/default-avatar.png",
"is_subscribed": false,
"is_following": false
},
"indicator_type_counts": {
"URL": 966,
"domain": 222,
"hostname": 272,
"FileHash-MD5": 78,
"FileHash-SHA1": 84,
"FileHash-SHA256": 346,
"SSLCertFingerprint": 10
},
"indicator_count": 1978,
"is_author": false,
"is_subscribing": null,
"subscriber_count": 139,
"modified_text": "208 days ago ",
"is_modified": true,
"groups": [],
"in_group": false,
"threat_hunter_scannable": true,
"threat_hunter_has_agents": 1,
"related_indicator_type": "URL",
"related_indicator_is_active": 1
},
{
"id": "68abf66e97031d0ff0c04fed",
"name": "Packed sentient.industries links to a targets business website",
"description": "Very malicious link found in a targets business.\nPacked. Needs to be categorized.\n(FoundryPalantir rich?) Tracking, hacking, and serious espionage.\nAvailable public Information: \nSENTIENT INDUSTRIES\nsentient.industries\nSentient industries provides design and engineering services, from prototyping to small-batch manufacturing, empowering clients to overcome complex challenges. |\nMore about sentient\nMission sentient accelerates mission critical technology for\u2026\nSENTIENT INDUSTRIES\nAccelerating mission-critical tech for disaster response, defense ...\nContact Now\nAustin, tx 78758. United States. EMAIL us. info@sentient \n\nWorse than it looks. Spying on a several threat researchers.",
"modified": "2025-09-24T04:04:05.604000",
"created": "2025-08-25T05:36:46.327000",
"tags": [
"moved",
"body",
"x cache",
"cloudfront x",
"cph50 c2",
"certificate",
"record value",
"title",
"h1 center",
"server",
"redacted for",
"servers",
"name redacted",
"for privacy",
"name servers",
"org data",
"privacy city",
"privacy country",
"ca creation",
"passive dns",
"urls",
"files",
"ip address",
"asn as57033",
"less whois",
"registrar",
"tucows domains",
"key identifier",
"data",
"v3 serial",
"number",
"cat ozerossl",
"cnzerossl ecc",
"domain secure",
"site ca",
"validity",
"subject public",
"extraction",
"data upload",
"extra data",
"include review",
"find",
"failed",
"typ no",
"ms windows",
"intel",
"pe32",
"united",
"search",
"as16509",
"from win32bios",
"show",
"high",
"medium",
"delphi",
"copy",
"write",
"launcher",
"next",
"present aug",
"present jul",
"lowfi",
"win32",
"a div",
"div div",
"learn xml",
"babylon",
"win64",
"trojan",
"colors",
"python",
"learn",
"ck id",
"name tactics",
"suspicious",
"informative",
"command",
"adversaries",
"spawns",
"mitre att",
"ck techniques",
"et info",
"tls handshake",
"bad traffic",
"failure",
"date",
"august",
"hybrid",
"general",
"path",
"starfield",
"click",
"strings",
"se bethseda",
"n bethseda",
"n data",
"error",
"date checked",
"url hostname",
"server response",
"google safe",
"results aug",
"read c",
"tlsv1",
"port",
"destination",
"module load",
"execution",
"dock",
"persistence",
"malware",
"unknown",
"cname",
"aaaa",
"creation date",
"showing",
"domain",
"dga domains",
"palantirfoundry",
"foundry",
"status",
"unknown ns",
"g2 tls",
"rsa sha256",
"italy unknown",
"mtb may",
"trojandropper",
"invalid url",
"next associated",
"ddos",
"body html",
"hacktool",
"ipv4",
"url analysis",
"ukraine",
"encrypt",
"rl add",
"http",
"hostname",
"files domain",
"files related",
"related tags",
"present jun",
"entries",
"title error",
"all ipv4",
"reverse dns",
"yara detections",
"top source",
"top destination",
"source source",
"sha256 add",
"pulse pulses",
"av detections",
"ids detections",
"alerts",
"analysis date",
"address range",
"cidr",
"network name",
"allocation type",
"whois server",
"entity amazon4",
"handle",
"canada unknown",
"content type",
"javascript src",
"script script",
"x powered",
"ipv4 add",
"pulse submit",
"submit url",
"analysis",
"url add",
"related nids",
"files location",
"canada flag",
"canada hostname",
"unknown aaaa",
"ascii text",
"user agent",
"powershell",
"agent",
"czechia unknown",
"domain add",
"dynamicloader",
"hostname add",
"pentagon",
"defense"
],
"references": [
"sentient.industries affects independent artists. Affects several others.",
"Bethseda Map - Yara Detections Delphi , InnoSetupInstaller",
"Bethseda Map - High Priority Alerts: ransomware_file_moves ransomware_appends_extensions",
"Bethseda Map - High Priority Alerts: dumped_buffer2 antisandbox_mouse_hook",
"Bethseda Map - High Priority Alerts: modifies_certificates ransomware_dropped_files",
"Bethseda Map - High Priority Alerts: ransomware_mass_file_delete antivm_firmware",
"Bethseda Map - High Priority Alerts: antiemu_wine banker_zeus_p2p",
"https://download.mobiledit.com/drivers/setup_cdd_apple_1_0_10_0.exe",
"https://forensic.manuals.mobiledit.com/MM/how-to-install-correct-apple-drivers",
"prod.foundry.tylertechai.com \u2022 qa.foundry.tylertechai.com \u2022 staging.foundry.tylertechai.com \u2022",
"talos-staging.palantirfoundry.com \u2022 tylertechai.com \u2022 Palantir Technologies Inc.\u2022 palantirfoundry.com",
"Affects : Kailula4 , scnrscnr, SongCulture, Tsara Brashears & associated, ScrnrScrnr , dorkingbeauty",
"Interesting widgets: https://myid.canon/prd/1.1.30/canonid-assets/gcid-widget.html",
"http://link.monetizer101.com/widget/custom-2.0.2/templates/1",
"https://widget-i18n.tiktokv.com.ttdns2.com/ \u2022 https://stella.demand-iq.com/widget",
"widget-va.tiktokv.com.ttdns2.com \u2022 http://widget-i18n.tiktokv.com.ttdns2.com/",
"http://link.monetizer101.com/widget/custom-2.0.3/js/load.min.js \u2022",
"https://link.monetizer101.com/widget/code/595.js \u2022 https://link.monetizer101.com/widget/code/1343.js",
"https://link.monetizer101.com/widget/code/1511.js \u2022 https://link.monetizer101.com/widget/code/mirror.js",
"https://link.monetizer101.com/widget/code/dailystaruk.js",
"https://download.mobiledit.com/drivers/setup_cdd_apple_1_0_10_0.exe",
"https://forensic.manuals.mobiledit.com/MM/how-to-install-correct-apple-drivers (ASP.NET)",
"Interesting Strings: https://pro-api.coinmarketcap.com/v2/cryptocurrency/quotes/historical",
"(Can't access file- Malware infection files)",
"Potential reparations: Spyware , Trojan , Pegasus , DNS , Graphite , Paragon , NSO Group , Endgame , Cloudfront",
"constellation.pcfrpegaservice.net (Pegasus related? idk)",
"On behalf of pcfrpegaservice.net owner Name Servers\tNS-1477.AWSDNS-56.ORG Org\tIdentity Protection Service",
"TrojanWin32Scoreem - CodeOverlap [616fc7047d6216f7a604fa90f2f2dd0ad5b12f1153137e43858d3421ba964ea4]",
"I have to breakdown this enormous post over time. I\u2019m going to repost a potential hackers similar post",
"Remotewd.com devices",
"If you find anything interesting please research it."
],
"public": 1,
"adversary": "",
"targeted_countries": [
"United States of America"
],
"malware_families": [
{
"id": "nUFS_inno",
"display_name": "nUFS_inno",
"target": null
},
{
"id": "#Lowfi:HSTR:MSIL/Malicious",
"display_name": "#Lowfi:HSTR:MSIL/Malicious",
"target": null
},
{
"id": "ALF:JASYP:PUA:Win32/Bibado",
"display_name": "ALF:JASYP:PUA:Win32/Bibado",
"target": null
},
{
"id": "Trojan:Win32/Toga",
"display_name": "Trojan:Win32/Toga",
"target": "/malware/Trojan:Win32/Toga"
},
{
"id": "Win32:Downloader-GJK\\ [Trj]",
"display_name": "Win32:Downloader-GJK\\ [Trj]",
"target": null
},
{
"id": "Win.Downloader.109205-1",
"display_name": "Win.Downloader.109205-1",
"target": null
},
{
"id": "Custom Malware",
"display_name": "Custom Malware",
"target": null
},
{
"id": "#LowFiEnableDTContinueAfterUnpacking",
"display_name": "#LowFiEnableDTContinueAfterUnpacking",
"target": null
},
{
"id": "Win32:Downloader-GJK\\ [Trj]",
"display_name": "Win32:Downloader-GJK\\ [Trj]",
"target": null
},
{
"id": "Win.Downloader.109205-1",
"display_name": "Win.Downloader.109205-1",
"target": null
},
{
"id": "Win.Trojan.Jorik-149",
"display_name": "Win.Trojan.Jorik-149",
"target": null
},
{
"id": "#LowFiDetectsVmWare",
"display_name": "#LowFiDetectsVmWare",
"target": null
},
{
"id": "Win.Trojan.Jorik-130",
"display_name": "Win.Trojan.Jorik-130",
"target": null
},
{
"id": "Win.Trojan.Fakecodecs-119",
"display_name": "Win.Trojan.Fakecodecs-119",
"target": null
},
{
"id": "Trojan:Win32/Zombie.A",
"display_name": "Trojan:Win32/Zombie.A",
"target": "/malware/Trojan:Win32/Zombie.A"
},
{
"id": "Win.Trojan.Bulz-9860169-0",
"display_name": "Win.Trojan.Bulz-9860169-0",
"target": null
},
{
"id": "Win.Malware.Midie-6847892-0",
"display_name": "Win.Malware.Midie-6847892-0",
"target": null
},
{
"id": "TrojanDropper:Win32/Muldrop.V!MTB",
"display_name": "TrojanDropper:Win32/Muldrop.V!MTB",
"target": "/malware/TrojanDropper:Win32/Muldrop.V!MTB"
},
{
"id": "Win.Packed.Razy-9785185-0",
"display_name": "Win.Packed.Razy-9785185-0",
"target": null
},
{
"id": "Trojan:Win32/Glupteba.MT!MTB",
"display_name": "Trojan:Win32/Glupteba.MT!MTB",
"target": "/malware/Trojan:Win32/Glupteba.MT!MTB"
},
{
"id": "PWS",
"display_name": "PWS",
"target": null
},
{
"id": "DDOS:Win32/Stormser.A",
"display_name": "DDOS:Win32/Stormser.A",
"target": "/malware/DDOS:Win32/Stormser.A"
},
{
"id": "ALF:HSTR:DotNET",
"display_name": "ALF:HSTR:DotNET",
"target": null
},
{
"id": "DotNET",
"display_name": "DotNET",
"target": null
},
{
"id": "Script Exploit",
"display_name": "Script Exploit",
"target": null
},
{
"id": "HackTool:Win32/AutoKMS",
"display_name": "HackTool:Win32/AutoKMS",
"target": "/malware/HackTool:Win32/AutoKMS"
},
{
"id": "Xanfpezes.A",
"display_name": "Xanfpezes.A",
"target": null
},
{
"id": "Trojan:Win32/Gandcrab",
"display_name": "Trojan:Win32/Gandcrab",
"target": "/malware/Trojan:Win32/Gandcrab"
},
{
"id": "Win.Trojan.Generic-9862772-0",
"display_name": "Win.Trojan.Generic-9862772-0",
"target": null
},
{
"id": "Trojan:Win32/Zbot.SIBL!MTB",
"display_name": "Trojan:Win32/Zbot.SIBL!MTB",
"target": "/malware/Trojan:Win32/Zbot.SIBL!MTB"
},
{
"id": "Win32/Nemucod",
"display_name": "Win32/Nemucod",
"target": null
},
{
"id": "ALF:HeraklezEval:TrojanDownloader:HTML/Adodb!rfn",
"display_name": "ALF:HeraklezEval:TrojanDownloader:HTML/Adodb!rfn",
"target": null
},
{
"id": "Trojan:Win32/Blihan.A",
"display_name": "Trojan:Win32/Blihan.A",
"target": "/malware/Trojan:Win32/Blihan.A"
},
{
"id": "TrojanDropper:Win32/Muldrop",
"display_name": "TrojanDropper:Win32/Muldrop",
"target": "/malware/TrojanDropper:Win32/Muldrop"
},
{
"id": "ALF:HeraklezEval:Trojan:Win32/Ymacco.AA47",
"display_name": "ALF:HeraklezEval:Trojan:Win32/Ymacco.AA47",
"target": null
},
{
"id": "Win.Malware.Kolab-9885903-0",
"display_name": "Win.Malware.Kolab-9885903-0",
"target": null
},
{
"id": "Win.Malware (30)",
"display_name": "Win.Malware (30)",
"target": null
},
{
"id": "Ransom",
"display_name": "Ransom",
"target": null
},
{
"id": "#Lowfi:HSTR:MSIL/Malicious.Decryption",
"display_name": "#Lowfi:HSTR:MSIL/Malicious.Decryption",
"target": null
},
{
"id": "E5",
"display_name": "E5",
"target": null
},
{
"id": "MyDoom",
"display_name": "MyDoom",
"target": null
}
],
"attack_ids": [
{
"id": "T1047",
"name": "Windows Management Instrumentation",
"display_name": "T1047 - Windows Management Instrumentation"
},
{
"id": "T1060",
"name": "Registry Run Keys / Startup Folder",
"display_name": "T1060 - Registry Run Keys / Startup Folder"
},
{
"id": "T1119",
"name": "Automated Collection",
"display_name": "T1119 - Automated Collection"
},
{
"id": "T1027",
"name": "Obfuscated Files or Information",
"display_name": "T1027 - Obfuscated Files or Information"
},
{
"id": "T1057",
"name": "Process Discovery",
"display_name": "T1057 - Process Discovery"
},
{
"id": "T1071",
"name": "Application Layer Protocol",
"display_name": "T1071 - Application Layer Protocol"
},
{
"id": "T1105",
"name": "Ingress Tool Transfer",
"display_name": "T1105 - Ingress Tool Transfer"
},
{
"id": "T1480",
"name": "Execution Guardrails",
"display_name": "T1480 - Execution Guardrails"
},
{
"id": "T1553",
"name": "Subvert Trust Controls",
"display_name": "T1553 - Subvert Trust Controls"
},
{
"id": "T1583",
"name": "Acquire Infrastructure",
"display_name": "T1583 - Acquire Infrastructure"
},
{
"id": "T1113",
"name": "Screen Capture",
"display_name": "T1113 - Screen Capture"
},
{
"id": "T1140",
"name": "Deobfuscate/Decode Files or Information",
"display_name": "T1140 - Deobfuscate/Decode Files or Information"
},
{
"id": "T1053",
"name": "Scheduled Task/Job",
"display_name": "T1053 - Scheduled Task/Job"
},
{
"id": "T1055",
"name": "Process Injection",
"display_name": "T1055 - Process Injection"
},
{
"id": "T1082",
"name": "System Information Discovery",
"display_name": "T1082 - System Information Discovery"
},
{
"id": "T1112",
"name": "Modify Registry",
"display_name": "T1112 - Modify Registry"
},
{
"id": "T1129",
"name": "Shared Modules",
"display_name": "T1129 - Shared Modules"
},
{
"id": "T1143",
"name": "Hidden Window",
"display_name": "T1143 - Hidden Window"
},
{
"id": "T1003.008",
"name": "/etc/passwd and /etc/shadow",
"display_name": "T1003.008 - /etc/passwd and /etc/shadow"
},
{
"id": "T1110.002",
"name": "Password Cracking",
"display_name": "T1110.002 - Password Cracking"
}
],
"industries": [],
"TLP": "white",
"cloned_from": null,
"export_count": 40,
"upvotes_count": 0,
"downvotes_count": 0,
"votes_count": 0,
"locked": false,
"pulse_source": "web",
"validator_count": 0,
"comment_count": 0,
"follower_count": 0,
"vote": 0,
"author": {
"username": "Q.Vashti",
"id": "337942",
"avatar_url": "https://otx.alienvault.com/assets/images/default-avatar.png",
"is_subscribed": false,
"is_following": false
},
"indicator_type_counts": {
"domain": 6232,
"URL": 24908,
"hostname": 7993,
"FileHash-SHA256": 11128,
"email": 6,
"FileHash-MD5": 1054,
"FileHash-SHA1": 932,
"SSLCertFingerprint": 14,
"CIDR": 3,
"CVE": 3
},
"indicator_count": 52273,
"is_author": false,
"is_subscribing": null,
"subscriber_count": 146,
"modified_text": "208 days ago ",
"is_modified": true,
"groups": [],
"in_group": false,
"threat_hunter_scannable": true,
"threat_hunter_has_agents": 1,
"related_indicator_type": "URL",
"related_indicator_is_active": 1
},
{
"id": "6893eee9bf1b30e08d1a6d8e",
"name": "Ransom:Win32/CVE - Denver \u2022 Community Lifestyle Neighborhood",
"description": "*Ransom:Win32/CVE - * Win.Dropper.Stone-9856966-0,\nDenver \u2022 Community Lifestyle Neighborhood. \nCorporate & Leasing Office corrupted with spyware. There is a single verified monitored target. All technology devices corrupted, at least 2 phones monitored, YouTube is courtesy of hackers. Several in person and phone investigations, staff change and they know nothing about leasing apartments, townhomes , etiquette, poor communication. Target also investigated. It appears to be harassment, intimidation and monitoring for unspecified reasons. The parking lot is stacked with obvious people sitting in their vehicles for hours. It\u2019s unclear if the staffing change is legitimate or part of an investigation.",
"modified": "2025-09-05T23:02:52.811000",
"created": "2025-08-07T00:10:17.696000",
"tags": [
"address google",
"safe browsing",
"united",
"typeof",
"passive dns",
"body doctype",
"nreum",
"date",
"gmt server",
"apache x",
"cnection",
"content type",
"span",
"ok transfer",
"encoding",
"x powered",
"unknown soa",
"unknown ns",
"showing",
"entries",
"next associated",
"urls show",
"body",
"encrypt",
"search",
"ip address",
"creation date",
"record value",
"present jul",
"present may",
"present apr",
"certificate",
"present aug",
"present feb",
"present dec",
"present nov",
"error",
"learn",
"ck id",
"name tactics",
"suspicious",
"informative",
"command",
"adversaries",
"spawns",
"found",
"development att",
"sha1",
"copy md5",
"copy sha1",
"copy sha256",
"mitre att",
"show technique",
"ck matrix",
"pattern match",
"ascii text",
"august",
"hybrid",
"general",
"local",
"path",
"click",
"strings",
"itre att",
"accept",
"sha256",
"size",
"type data",
"utf8 text",
"document file",
"flag",
"server",
"european union",
"name server",
"tor analysis",
"dns requests",
"domain address",
"ii llc",
"windir",
"openurl c",
"prefetch2",
"show process",
"ogoogle trust",
"network traffic",
"organization",
"elton avundano",
"object",
"title object",
"header http2",
"returnurl",
"texas",
"rsa ov",
"ssl ca",
"status",
"australia",
"netherlands",
"urls",
"gmt path",
"hostname add",
"pulse submit",
"present oct",
"e safe",
"results jul",
"response ip",
"present jan",
"name servers",
"verdict",
"domain",
"files ip",
"address domain",
"xhr start",
"xhr load",
"aaaa",
"read c",
"show",
"port",
"destination",
"high",
"delete",
"outbound m3",
"copy",
"write",
"persistence",
"execution",
"malware",
"generic",
"unknown",
"present mar",
"dynamicloader",
"wine emulator",
"dynamic",
"medium",
"read",
"associated urls",
"date checked",
"url hostname",
"server response",
"google safe",
"dnssec",
"domain name",
"solutions",
"llc status",
"next passive",
"dns status",
"hostname query",
"files show",
"date hash",
"avast avg",
"overview ip",
"address",
"related nids",
"files location",
"flag united",
"hostname",
"files domain",
"win32",
"mtb feb",
"trojan",
"susp",
"trojandropper",
"msr feb",
"trojanspy",
"virtool",
"win64",
"defense evasion",
"t1480 execution",
"file defense",
"null",
"refresh",
"tools",
"look",
"verify",
"restart",
"file discovery",
"utf8",
"crlf line",
"a domains",
"script urls",
"link",
"unknown aaaa",
"meta",
"atom",
"results jan",
"present",
"present sep",
"akamai",
"asn as16625",
"less whois",
"registrar",
"http",
"france flag",
"france hostname",
"files related",
"url analysis",
"files",
"location france",
"detailed error",
"sec ch",
"ch ua",
"ua full",
"ua platform",
"moved",
"name",
"perfect privacy",
"error jul",
"next related",
"domains show",
"domain related",
"url add",
"pulse pulses",
"hosting",
"reverse dns",
"france asn",
"as16276",
"dns resolutions",
"datacenter",
"regopenkeyexa",
"regsetvalueexa",
"windows nt",
"regdword",
"hostile",
"service",
"delphi",
"next",
"pulses none",
"related tags",
"ua bitness",
"ua arch",
"version sec",
"mobile sec",
"model sec",
"review",
"data upload",
"extraction",
"khtml",
"gecko",
"olet",
"cnlet",
"tlsv1",
"hacktool",
"push",
"ms windows",
"intel",
"pe32",
"users",
"precreate read",
"ransom",
"code",
"installer",
"june",
"media",
"autorun",
"next yara",
"detections name",
"aspackv2xxx",
"eu alexey",
"alerts",
"pe file",
"filehash",
"sha256 add",
"av detections",
"ids detections",
"yara detections",
"analysis date",
"april",
"packing t1045",
"t1045",
"t1060",
"registry run",
"keys",
"user execution",
"icmp traffic"
],
"references": [],
"public": 1,
"adversary": "",
"targeted_countries": [],
"malware_families": [],
"attack_ids": [
{
"id": "T1027",
"name": "Obfuscated Files or Information",
"display_name": "T1027 - Obfuscated Files or Information"
},
{
"id": "T1057",
"name": "Process Discovery",
"display_name": "T1057 - Process Discovery"
},
{
"id": "T1071",
"name": "Application Layer Protocol",
"display_name": "T1071 - Application Layer Protocol"
},
{
"id": "T1105",
"name": "Ingress Tool Transfer",
"display_name": "T1105 - Ingress Tool Transfer"
},
{
"id": "T1480",
"name": "Execution Guardrails",
"display_name": "T1480 - Execution Guardrails"
},
{
"id": "T1553",
"name": "Subvert Trust Controls",
"display_name": "T1553 - Subvert Trust Controls"
},
{
"id": "T1568",
"name": "Dynamic Resolution",
"display_name": "T1568 - Dynamic Resolution"
},
{
"id": "T1583",
"name": "Acquire Infrastructure",
"display_name": "T1583 - Acquire Infrastructure"
},
{
"id": "T1083",
"name": "File and Directory Discovery",
"display_name": "T1083 - File and Directory Discovery"
},
{
"id": "T1204",
"name": "User Execution",
"display_name": "T1204 - User Execution"
},
{
"id": "T1045",
"name": "Software Packing",
"display_name": "T1045 - Software Packing"
},
{
"id": "T1112",
"name": "Modify Registry",
"display_name": "T1112 - Modify Registry"
},
{
"id": "T1119",
"name": "Automated Collection",
"display_name": "T1119 - Automated Collection"
},
{
"id": "T1012",
"name": "Query Registry",
"display_name": "T1012 - Query Registry"
},
{
"id": "T1031",
"name": "Modify Existing Service",
"display_name": "T1031 - Modify Existing Service"
},
{
"id": "T1040",
"name": "Network Sniffing",
"display_name": "T1040 - Network Sniffing"
},
{
"id": "T1053",
"name": "Scheduled Task/Job",
"display_name": "T1053 - Scheduled Task/Job"
},
{
"id": "T1055",
"name": "Process Injection",
"display_name": "T1055 - Process Injection"
},
{
"id": "T1129",
"name": "Shared Modules",
"display_name": "T1129 - Shared Modules"
},
{
"id": "T1023",
"name": "Shortcut Modification",
"display_name": "T1023 - Shortcut Modification"
},
{
"id": "T1060",
"name": "Registry Run Keys / Startup Folder",
"display_name": "T1060 - Registry Run Keys / Startup Folder"
},
{
"id": "T1082",
"name": "System Information Discovery",
"display_name": "T1082 - System Information Discovery"
},
{
"id": "T1091",
"name": "Replication Through Removable Media",
"display_name": "T1091 - Replication Through Removable Media"
}
],
"industries": [],
"TLP": "green",
"cloned_from": null,
"export_count": 11,
"upvotes_count": 0,
"downvotes_count": 0,
"votes_count": 0,
"locked": false,
"pulse_source": "web",
"validator_count": 0,
"comment_count": 0,
"follower_count": 0,
"vote": 0,
"author": {
"username": "Q.Vashti",
"id": "337942",
"avatar_url": "https://otx.alienvault.com/assets/images/default-avatar.png",
"is_subscribed": false,
"is_following": false
},
"indicator_type_counts": {
"domain": 1132,
"URL": 6245,
"hostname": 2264,
"FileHash-SHA256": 1857,
"FileHash-SHA1": 491,
"email": 9,
"FileHash-MD5": 573,
"SSLCertFingerprint": 16
},
"indicator_count": 12587,
"is_author": false,
"is_subscribing": null,
"subscriber_count": 142,
"modified_text": "226 days ago ",
"is_modified": true,
"groups": [],
"in_group": false,
"threat_hunter_scannable": true,
"threat_hunter_has_agents": 1,
"related_indicator_type": "URL",
"related_indicator_is_active": 1
},
{
"id": "686cb765dc6737fd1e882630",
"name": "2nd Attempt- VirusTotal Ransomware and Device destruction Attack",
"description": "I hope this generates results. I continue to be unable to annotate. Witnesses attack and 5 very relevant graphs taken. \n#phishing #malware #trojan #ransom #virustotal",
"modified": "2025-08-07T05:01:52.697000",
"created": "2025-07-08T06:15:01.296000",
"tags": [
"no expiration",
"filehashmd5",
"filehashsha1",
"filehashsha256",
"iocs",
"review iocs",
"pulse show",
"search",
"type indicator",
"role title",
"expiration",
"url http",
"url https",
"text drag",
"drop or",
"enter source",
"url or",
"hostname",
"ipv4",
"related pulses",
"showing",
"entries",
"drop",
"domain",
"enter",
"extract",
"browse to",
"domain xn",
"select file",
"pdf report",
"pcap",
"stix",
"openioc",
"indicator role",
"pulses url"
],
"references": [],
"public": 1,
"adversary": "",
"targeted_countries": [],
"malware_families": [],
"attack_ids": [],
"industries": [],
"TLP": "green",
"cloned_from": null,
"export_count": 11,
"upvotes_count": 0,
"downvotes_count": 0,
"votes_count": 0,
"locked": false,
"pulse_source": "web",
"validator_count": 0,
"comment_count": 0,
"follower_count": 0,
"vote": 0,
"author": {
"username": "Q.Vashti",
"id": "337942",
"avatar_url": "https://otx.alienvault.com/assets/images/default-avatar.png",
"is_subscribed": false,
"is_following": false
},
"indicator_type_counts": {
"FileHash-MD5": 840,
"FileHash-SHA1": 725,
"FileHash-SHA256": 863,
"URL": 1663,
"SSLCertFingerprint": 17,
"domain": 520,
"hostname": 734,
"email": 11
},
"indicator_count": 5373,
"is_author": false,
"is_subscribing": null,
"subscriber_count": 140,
"modified_text": "256 days ago ",
"is_modified": true,
"groups": [],
"in_group": false,
"threat_hunter_scannable": true,
"threat_hunter_has_agents": 1,
"related_indicator_type": "URL",
"related_indicator_is_active": 1
},
{
"id": "686cb7673e4d5a0067758fd7",
"name": "2nd Attempt- VirusTotal Ransomware and Device destruction Attack",
"description": "I hope this generates results. I continue to be unable to annotate. Witnesses attack and 5 very relevant graphs taken. \n#phishing #malware #trojan #ransom #virustotal",
"modified": "2025-08-07T05:01:52.697000",
"created": "2025-07-08T06:15:03.501000",
"tags": [
"no expiration",
"filehashmd5",
"filehashsha1",
"filehashsha256",
"iocs",
"review iocs",
"pulse show",
"search",
"type indicator",
"role title",
"expiration",
"url http",
"url https",
"text drag",
"drop or",
"enter source",
"url or",
"hostname",
"ipv4",
"related pulses",
"showing",
"entries",
"drop",
"domain",
"enter",
"extract",
"browse to",
"domain xn",
"select file",
"pdf report",
"pcap",
"stix",
"openioc",
"indicator role",
"pulses url"
],
"references": [],
"public": 1,
"adversary": "",
"targeted_countries": [],
"malware_families": [],
"attack_ids": [],
"industries": [],
"TLP": "green",
"cloned_from": null,
"export_count": 11,
"upvotes_count": 0,
"downvotes_count": 0,
"votes_count": 0,
"locked": false,
"pulse_source": "web",
"validator_count": 0,
"comment_count": 0,
"follower_count": 0,
"vote": 0,
"author": {
"username": "Q.Vashti",
"id": "337942",
"avatar_url": "https://otx.alienvault.com/assets/images/default-avatar.png",
"is_subscribed": false,
"is_following": false
},
"indicator_type_counts": {
"FileHash-MD5": 840,
"FileHash-SHA1": 725,
"FileHash-SHA256": 863,
"URL": 1663,
"SSLCertFingerprint": 17,
"domain": 520,
"hostname": 734,
"email": 11
},
"indicator_count": 5373,
"is_author": false,
"is_subscribing": null,
"subscriber_count": 138,
"modified_text": "256 days ago ",
"is_modified": true,
"groups": [],
"in_group": false,
"threat_hunter_scannable": true,
"threat_hunter_has_agents": 1,
"related_indicator_type": "URL",
"related_indicator_is_active": 1
},
{
"id": "685186035e5fb63846d29e45",
"name": "Regarding Minority Report 2.0 | Aggresive Remote device tracking (multiple) | Network Rat",
"description": "Abuse.\nWhy is so much of this in plain sight? .\nMalicious tactics abused by preemptive policing recently implemented by Tech Bros under current Trump administration.\nThee governing Cyber Defense / AI / Data collection firm. | foundry2-lbl.dvr.dn2.n-helix.com | \nhttp://foundry2-lbl.dvr.dn2.n-helix.com |\nhttps://foundry2-lbl.dvr.dn2.n-helix.com |\nhttps://nl.cyberriskalliance.com/assets/icons/twitter.png |\nhttps://axis.snxd.com/track/0\n| track.getbuilt.com | \nRelates to Denver female \u2018allegedly\u2019 injured \u2018in PT.\nA malicious prosecution case against alleged victim after a Detective brought \u2018MTI\u2019 case to controlled Denver DA was dismissed by judge. Injured victim paid a pathetic settlement; especially considering the seriousness of the response of the government. \nThis type\nof tracking silencing is critically dangerous. \nHosanna make no haste to rescue all\nof victims of civilian & victim targeting.\n*Crowdsourced",
"modified": "2025-07-17T14:01:34.245000",
"created": "2025-06-17T15:13:07.233000",
"tags": [
"body",
"cps https",
"location",
"urls server",
"cloudfront",
"united",
"unknown aaaa",
"search",
"digital press",
"moved",
"digital culture",
"ip address",
"creation date",
"record value",
"entries",
"date",
"meta",
"urls",
"http",
"passive dns",
"unique",
"pulse pulses",
"related nids",
"files location",
"flag united",
"showing",
"rich content",
"system",
"cdn amazon",
"amazons3 tls",
"certificate",
"redirects",
"ua9385760744",
"utc na",
"utc google",
"tag manager",
"gk4vnlmd3b9",
"server",
"amazon",
"net1832001",
"net18160001",
"address range",
"cidr",
"network name",
"allocation type",
"whois server",
"entity amazon4",
"handle",
"present mar",
"present feb",
"unknown cname",
"urls show",
"date checked",
"url hostname",
"server response",
"aaaa"
],
"references": [],
"public": 1,
"adversary": "",
"targeted_countries": [],
"malware_families": [],
"attack_ids": [
{
"id": "T1140",
"name": "Deobfuscate/Decode Files or Information",
"display_name": "T1140 - Deobfuscate/Decode Files or Information"
}
],
"industries": [],
"TLP": "green",
"cloned_from": null,
"export_count": 48,
"upvotes_count": 0,
"downvotes_count": 0,
"votes_count": 0,
"locked": false,
"pulse_source": "web",
"validator_count": 0,
"comment_count": 1,
"follower_count": 0,
"vote": 0,
"author": {
"username": "Q.Vashti",
"id": "337942",
"avatar_url": "https://otx.alienvault.com/assets/images/default-avatar.png",
"is_subscribed": false,
"is_following": false
},
"indicator_type_counts": {
"FileHash-SHA256": 2075,
"URL": 5471,
"hostname": 1531,
"domain": 1013,
"FileHash-MD5": 55,
"FileHash-SHA1": 53,
"CVE": 1,
"SSLCertFingerprint": 1,
"email": 1,
"CIDR": 2
},
"indicator_count": 10203,
"is_author": false,
"is_subscribing": null,
"subscriber_count": 141,
"modified_text": "276 days ago ",
"is_modified": true,
"groups": [],
"in_group": false,
"threat_hunter_scannable": true,
"threat_hunter_has_agents": 1,
"related_indicator_type": "URL",
"related_indicator_is_active": 1
},
{
"id": "685186983a4dd00c2b45b255",
"name": "Source:\thttps://cloud.samsara.com/o/79639/flee",
"description": "",
"modified": "2025-07-17T14:01:34.245000",
"created": "2025-06-17T15:15:36.505000",
"tags": [
"body",
"cps https",
"location",
"urls server",
"cloudfront",
"united",
"unknown aaaa",
"search",
"digital press",
"moved",
"digital culture",
"ip address",
"creation date",
"record value",
"entries",
"date",
"meta",
"urls",
"http",
"passive dns",
"unique",
"pulse pulses",
"related nids",
"files location",
"flag united",
"showing",
"rich content",
"system",
"cdn amazon",
"amazons3 tls",
"certificate",
"redirects",
"ua9385760744",
"utc na",
"utc google",
"tag manager",
"gk4vnlmd3b9",
"server",
"amazon",
"net1832001",
"net18160001",
"address range",
"cidr",
"network name",
"allocation type",
"whois server",
"entity amazon4",
"handle",
"present mar",
"present feb",
"unknown cname",
"urls show",
"date checked",
"url hostname",
"server response",
"aaaa"
],
"references": [],
"public": 1,
"adversary": "",
"targeted_countries": [],
"malware_families": [],
"attack_ids": [
{
"id": "T1140",
"name": "Deobfuscate/Decode Files or Information",
"display_name": "T1140 - Deobfuscate/Decode Files or Information"
}
],
"industries": [],
"TLP": "green",
"cloned_from": "685186035e5fb63846d29e45",
"export_count": 47,
"upvotes_count": 0,
"downvotes_count": 0,
"votes_count": 0,
"locked": false,
"pulse_source": "web",
"validator_count": 0,
"comment_count": 1,
"follower_count": 0,
"vote": 0,
"author": {
"username": "Q.Vashti",
"id": "337942",
"avatar_url": "https://otx.alienvault.com/assets/images/default-avatar.png",
"is_subscribed": false,
"is_following": false
},
"indicator_type_counts": {
"FileHash-SHA256": 2075,
"URL": 5471,
"hostname": 1531,
"domain": 1013,
"FileHash-MD5": 55,
"FileHash-SHA1": 53,
"CVE": 1,
"SSLCertFingerprint": 1,
"email": 1,
"CIDR": 2
},
"indicator_count": 10203,
"is_author": false,
"is_subscribing": null,
"subscriber_count": 139,
"modified_text": "276 days ago ",
"is_modified": true,
"groups": [],
"in_group": false,
"threat_hunter_scannable": true,
"threat_hunter_has_agents": 1,
"related_indicator_type": "URL",
"related_indicator_is_active": 1
}
],
"references": [
"Alerts: disables_folder_options stealth_hidden_extension stealth_hiddenreg anomalous_deletefile",
"talos-staging.palantirfoundry.com \u2022 tylertechai.com \u2022 Palantir Technologies Inc.\u2022 palantirfoundry.com",
"https://trail.truefoundry.com/api/t/c/usr_NEDuPPvnqv5DXyhti/tsk_X2YECqnpAow7t6JuE/enc_U2FsdGVkX1_wWHRx9nPGCEspZpUcIwc1yphMTxaaQ2ZAbsxOqRR4ibXcaYtcmgJ1UgabTFCHVVBLx2oAnBAW2h8el_edjHN72Ug0yKQePjKnSJEOnQvtq8MUPo0vkU1N",
"http://pic.porn.hub-accessories.site \u2022 https://pic.porn.hub-accessories.site \u2022 pic.porn.hub-accessories.site",
"Alerts: dynamic_function_loading injection_write_process reads_memory_remote_process",
"Redirecting to /verify/547062ef [URL https://eporner.blog \u2022 IPv4 104.21.3.107]",
"http://link.monetizer101.com/widget/custom-2.0.2/templates/1",
"https://media.defense.gov/2022/Mar/17/2002958406/-1/-1/1/SUMMARY-OF-THE-JOINT-ALL-DOMAIN-COMMAND-AND-CONTROL-STRATEGY.pdf",
"https://hayageek.com/rsa-encryption-decryption-openssl-c/",
"prod.foundry.tylertechai.com \u2022 qa.foundry.tylertechai.com \u2022 staging.foundry.tylertechai.com \u2022",
"https://www.meritshealth.com/ Defense.Gov Mobility Co? ",
"Yara: Detections ConventionEngine_Term_Users",
"TrojanWin32Scoreem - CodeOverlap [616fc7047d6216f7a604fa90f2f2dd0ad5b12f1153137e43858d3421ba964ea4]",
"Couldn\u2019t pulse 1st pulse so here\u2019s what\u2019s left",
"If you find anything interesting please research it.",
"https://es.pornhat.com/models/the-sex-creator/",
"https://otx.alienvault.com/pulse/5fa57698ac0f6638b7b9a8ba",
"https://isexychat.com/chatrooms/teen-chat/with-others/\t (sounds about right)",
"Remarks online \u2018 T\u2019*#^^ is not a runner\u2019 a size 00 broke two track records at a major universities.",
"Is the family allowed to have a funeral for Tsara or print an obituary",
"IDS Detections: Observed Cloudflare DNS over HTTPS Domain (cloudflare-dns .com in TLS SNI)",
"1-ai-chatbox-widget-2iv.pages.dev",
"YARA: Delphi This program must be run under Win32 compilers TrojanWin32Fakemalard Ujhhd",
"widget-va.tiktokv.com.ttdns2.com \u2022 http://widget-i18n.tiktokv.com.ttdns2.com/",
"T1027.013 - Encrypted/Encoded File",
"http://aninditaannisa.blogspot.com/2019/02/tsara-brashears-porn.html \u2022 blogspot.com",
"blog.manpowergroup.com.py (aww like dadvocates)",
"Potential reparations: Spyware , Trojan , Pegasus , DNS , Graphite , Paragon , NSO Group , Endgame , Cloudfront",
"(Can't access file- Malware infection files)",
"Bethseda Map - High Priority Alerts: dumped_buffer2 antisandbox_mouse_hook",
"https://www-321chat-com.webpkgcache.com/doc/-/s/www.321chat.com/",
"1.2016 M.Brian Sabey filed a complaint about? Jeffrey Reimer refused Lie detector test and False memory exam",
"https://aninditaannisa.blogspot.com/2019/02/tsara-brashears-porn.html \u2022 blogspot.com \u2022 www.techcult.com/judge-the-simpsons-parody-is-child-pornography/ Whitelisted domain techcult.com\t Domain blogspot.com Whitelisted domain blogspot.com\t Domain techcult.com Whitelisted domain techcult.com\t Hostname aninditaannisa.blogspot.com \u2022 domain blogspot.com",
"3-4 Police presence. 25 + hospital employees prepped radiology room. No one left room so was it for her?",
"socialmedia \u2022 socialmedia.defense.gov \u2022 static.defense.gov",
"http://scteamcommunity.com/4k-high-res-porn-videos/squirt phishing",
"http://securityidiots.com/Web-Pentest/SQL-Injection/bypass-login-using-sql-injection.html",
"scnrscnr pulse is good. I\u2019m assuming they\u2019re targets.",
"ftp.iamrobert.com ? \u2022 https://www.meritshealth.com/templates/iamrobert/fonts/Graphik-Regular.eot",
"Bethseda Map - Yara Detections Delphi , InnoSetupInstaller",
"IDS Detections: Observed Discord Domain in DNS Lookup (discord .com) Discord Chat Service Domain in DNS Lookup (discord .com)",
"Yara : UPX , Nrv2x , UPX_OEP_place , UPXV200V290MarkusOberhumerLaszloMolnarJohnReiser , UPXv20MarkusLaszloReiser",
"https://widget-i18n.tiktokv.com.ttdns2.com/ \u2022 https://stella.demand-iq.com/widget",
"conf.targeting-ai.com \u2022 http://conf.targeting-ai.com \u2022 https://conf.targeting-ai.com \u2022 https://droidcall.cc/EQBhOSFz/",
"r53lbr.run-delete-app-sa-east-1-1.run-delete-test-sa-east-1-9zt9rjv.forgeapps.ec2.aws.dev",
"https://members.engine.com/login \u2022 https://members.engine.com/payment-details/220210",
"https://forensic.manuals.mobiledit.com/MM/how-to-install-correct-apple-drivers (ASP.NET)",
"Observed Cloudflare DNS over HTTPS Domain (cloudflare-dns .com in TLS SNI)",
"On behalf of pcfrpegaservice.net owner Name Servers\tNS-1477.AWSDNS-56.ORG Org\tIdentity Protection Service",
"Yara : MS_Visual_Basic_6_0 ,",
"162.159.128.233 \u2022 http://tsar.vicly.org \u2022 https://tsar.vicly.org \u2022 tsar.vicly.org \u2022 vicly.org \u2022 https://tsar.vicly.org/",
"https://forensic.manuals.mobiledit.com/MM/how-to-install-correct-apple-drivers",
"https://rto.bappam.eu/ai-n2cdl/mirai-2025-ven5k-telugu-movie-watch-online.html",
"https://webcams.itsyourporn.com/ \u2022 https://members.itsyourporn.com/",
"lm-gateway.truefoundry.com \u2022 https://assets.production.truefoundry.com/sample-openapi.json",
"Bethseda Map - High Priority Alerts: antiemu_wine banker_zeus_p2p",
"All #tags auto populated.",
"www.techcult.com",
"Yara: ConventionEngine_Anomaly_MultiPDB_Double , ConventionEngine_Term_Documents",
"https://media.defense.gov/2024/sep/18/2003547016/-1/-1/0/csa-prc-linked-actors-botnet.pdf",
"There is fear in silence or speaking out",
"Interesting widgets: https://myid.canon/prd/1.1.30/canonid-assets/gcid-widget.html",
"I have to breakdown this enormous post over time. I\u2019m going to repost a potential hackers similar post",
"constellation.pcfrpegaservice.net (Pegasus related? idk)",
"She was a researcher not a hacker. A mother not a criminal. Most talented and least impressed person I have ever known.",
"Alerts: infostealer_browser infostealer_cookies binary_yara procmem_yara static_pe_anomaly",
"https://www-pornocarioca-com.sexogratis.page/videos/bbb/ex",
"https://maisexo-com.putaria.info/casting \u2022 https://contosadultos-club.sexogratis.page/tudo",
"IDS Detections: Observed Discord Domain (discordapp .com in TLS SNI) Observed Discord Service Domain (discord .com) in TLS SNI Less",
"https://www.melitta.be/portal/pics/layout/touchicons/apple-touch-icon-precomposed.png [Key-Systems GmbH]",
"http://link.monetizer101.com/widget/custom-2.0.3/js/load.min.js \u2022",
"No, they put Tsara in her mom\u2019s obituary, she couldn\u2019t grieve, she had to take it down.",
"https://link.monetizer101.com/widget/code/1511.js \u2022 https://link.monetizer101.com/widget/code/mirror.js",
"Alerts : ransomware_file_modifications stealth_file procmem_yara static_pe_anomaly",
"CodeOverlap | All malware listed exists",
"Infectious Disease UC Health denied target medication they said she needed as questionable liquid seeped into her brain.",
"iamrobert.com Y.A.S.",
"URL http://virii.es/M/Mobile Malware Attacks and Defense.pdf",
"Red Team Abuse? Starfield ? DoD? You need a real criminal Jeffrey Reimer.",
"https://link.monetizer101.com/widget/code/595.js \u2022 https://link.monetizer101.com/widget/code/1343.js",
"https://hybrid-analysis.com/sample/627cf8e9a89c998bd5cb607854bbe31b82679c116b4e3834ff942220d61d3488/68ac1098bfa5002fad02e045",
"2022ww11.pornhubgsy.com \u2022 http://scteamcommunity.com/4k-high-res-porn-videos/squirt",
"Target left unattended by anyone in a hospital except a security guard. Hospital refused care. Ignored rare brain incident from high cervical & brain assault injuries aggravated by car accident.",
"Dear US Government, the man who assaulted targets name is Jeffrey Scott Reimer of Chester Springs, PA",
"https://trail.truefoundry.com/api/track/open/usr_NEDuPPvnqv5DXyhti/tsk_L9bYYgL2HGng9mDsC",
"truefoundry.com \u2022 assets.production.truefoundry.com \u2022 cpt.llm-gateway.truefoundry.com",
"https://download.mobiledit.com/drivers/setup_cdd_apple_1_0_10_0.exe",
"zeroeyes.host \u2022 media.defense.gov \u2022 defense.gov \u2022 23.222.155.67",
"Affects : Kailula4 , scnrscnr, SongCulture, Tsara Brashears & associated, ScrnrScrnr , dorkingbeauty",
"https://static.pornhat.com/contents/videos_screenshots/642000/642793/640x360/1.jpg",
"Alerts: pe_compile_timestomping antiav_detectfile antidebug_guardpages encrypted_ioc",
"Examining pulse created by scnrscnr is worth reviewing. I was surprised tonal see a targets name.I didn\u2019t see Foundry highlighted",
"https://meumundogay-com.sexogratis.page/locker",
"Bethseda Map - High Priority Alerts: ransomware_mass_file_delete antivm_firmware",
"https://www2.itsyourporn.com/license.php \u2022 https://www.lovephoto.tw/members",
"Can the DoD no questions asked target a SA victim",
"https://link.monetizer101.com/widget/code/dailystaruk.js",
"Alerts: mouse_movement_detect",
"https://targeting-ai.com/dr-wisit-cheungpasitporn-invite-dhonneur-a-paris-pour-intelligence-artificielle-et-nephrologie-2025/ (phishing)",
"If someone is believed to be a threat they have right to due process.",
"https://d1rozh26tys225.cloudfront.net/robot-suspicion.svg (mobility company no one has heard of)",
"Alerts : network_cnc_https_generic reads_self packer_entropy injection_rwx uses_windows_utilities antivm_checks_available_memory queries_computer_name queries_user_name",
"https://pics-storage-1.pornhat.com/contents/albums/main/1920x1080/135000/135855/9537375.jp",
"There\u2019s a problem with terrorizing victims, relatives of, associates of and stealing their property intellectual or otherwise",
"https://media.defense.gov/2020/jun/09/2002313081/-1/-1/0/csi-detect-and-prevent-web-shell-malware-20200422.pdf",
"yyz.llm-gateway.truefoundry.com \u2022 trail.truefoundry.com \u2022 sin.llm-gateway.truefoundry.com",
"IDS Detections: Observed Discord Domain (discord .com in TLS SNI)",
"https://pornokind.vgt.pl \u2022 https://cdn2.video.itsyourporn.com",
"Interesting Strings: https://pro-api.coinmarketcap.com/v2/cryptocurrency/quotes/historical",
"Foundry stalking.",
"FileleHash Sha256 [7a6da9fd351d428e9bfb8edbbca1275d9cdaf7f0371c77d2c227645509f7ebec ELF:Mirai-GH\\ [Trj] \u2022 Unix.Trojan.Gafgyt-6748839",
"Remotewd.com devices",
"Target agreed and complied with all lie detector measures.",
"Bethseda Map - High Priority Alerts: modifies_certificates ransomware_dropped_files",
"Honestly, you\u2019ve never seen or met her no many how many people you\u2019ve sent out. That\u2019s why you quiz.",
"Found in Palantirfoundry in sentient.indusutries linked to songculture.com (downed)",
"sentient.industries affects independent artists. Affects several others.",
"#Lowfi:AGGREGATOR:HasKnownAdwareDomain_NsisBundler",
"I am very upset. Whoever is doing this is sick.",
"http://foundry.tartarynova.com phishing \u2022 https://foundry.tartarynova.com \u2022 foundry.tartarynova.com",
"Bethseda Map - High Priority Alerts: ransomware_file_moves ransomware_appends_extensions",
"https://trail.truefoundry.com/api/track/open/usr_NEDuPPvnqv5DXyhti/tsk_X2YECqnpAow7t6JuE",
"https://hayageek.com/drag-and-drop-file-upload-jquery"
],
"related": {
"alienvault": {
"adversary": [],
"malware_families": [],
"industries": [],
"unique_indicators": 0
},
"other": {
"adversary": [],
"malware_families": [
"Custom malware",
"Win.trojan.jorik-149",
"Alf:heraklezeval:trojan:win32/ymacco.aa47",
"Win32/porntool",
"Unix.trojan.gafgyt-6748839",
"#lowfidetectsvmware",
"Trojan:win32/blihan.a",
"Trojan:win32/glupteba.mt!mtb",
"Ransom",
"Alf:heraklezeval:trojandownloader:html/adodb!rfn",
"Hacktool:win32/autokms",
"Win.malware (30)",
"#lowfi:hstr:msil/malicious",
"Trojan:win32/zbot.sibl!mtb",
"Xanfpezes.a",
"Trojan:win32/zombie.a",
"Nufs_inno",
"Alf:hstr:dotnet",
"Script exploit",
"Supportscookie",
"#lowfi:aggregator:hasknownadwaredomain_nsisbundler.",
"Alf:trojan:win32/cassini_56a3061!ibt",
"Win.malware.tfuvtcog-7194372-0",
"Alf:jasyp:pua:win32/bibado",
"Win.trojan.bulz-9860169-0",
"Mirai",
"Mydoom",
"Dotnet",
"Win.trojan.generic-9862772-0",
"Win.packed.razy-9785185-0",
"#lowfi:hstr:msil/malicious.decryption",
"Ddos:win32/stormser.a",
"Trojan:win32/gandcrab",
"Win.downloader.109205-1",
"Pornblackmailer",
"Win.trojan.fakecodecs-119",
"Too much to search for",
"Win.ransomware.msilzilla-10014498-0",
"Win.malware.midie-6847892-0",
"Win32:downloader-gjk\\ [trj]",
"Apnic",
"Trojan.win32.fakemalard",
"Trojandropper:win32/vb.il0",
"Win32/nemucod",
"Win.trojan.jorik-130",
"Pws",
"#lowfienabledtcontinueafterunpacking",
"Formbook",
"Trojan:win32/toga",
"Code overlap",
"Win.malware.kolab-9885903-0",
"Trojandropper:win32/muldrop",
"Trojan.win32.banload",
"Elf:mirai-gh\\ [trj]",
"E5",
"Malware",
"Trojandropper:win32/muldrop.v!mtb"
],
"industries": [
"Media",
"Technology",
"Medical",
"Telecommunications",
"Government",
"Government.",
"Civilian society"
],
"unique_indicators": 111630
}
}
},
"false_positive": [],
"alexa": "http://www.alexa.com/siteinfo/pagsmile.com",
"whois": "http://whois.domaintools.com/pagsmile.com",
"domain": "pagsmile.com",
"hostname": "wallet.pagsmile.com"
},
"geo": {},
"geo_ipapicom": {},
"pulse_count": 12,
"pulses": [
{
"id": "68e2bb5d9ee8577ab5519f2c",
"name": "Meritshealth with DoD links? ",
"description": "",
"modified": "2026-01-13T00:05:56.401000",
"created": "2025-10-05T18:39:25.286000",
"tags": [
"gtmk5nxqc6",
"utc amazon",
"utc na",
"acceptencoding",
"gmt contenttype",
"connection",
"true pragma",
"gmt setcookie",
"httponly",
"gmt vary",
"nc000000 up",
"html document",
"unicode text",
"utf8 text",
"oc0006 http",
"http traffic",
"https http",
"mitre att",
"control ta0011",
"protocol t1071",
"match info",
"t1573 severity",
"info",
"number",
"ja3s",
"algorithm",
"azure rsa",
"tls issuing",
"cus subject",
"stwa lredmond",
"cnmicrosoft ecc",
"update secure",
"server ca",
"omicrosoft cus",
"get http",
"dns resolutions",
"registrar",
"markmonitor inc",
"country",
"resolver domain",
"type name",
"html",
"apnic",
"apnic whois",
"please",
"rirs",
"cidr",
"learn",
"ck id",
"name tactics",
"suspicious",
"informative",
"command",
"adversaries",
"development att",
"name tactics",
"binary file",
"ck matrix",
"wheelchair",
"iamrobert",
"pattern match",
"ascii text",
"href",
"united",
"general",
"local",
"path",
"encrypt",
"click",
"passive dns",
"urls",
"files",
"reverse dns",
"netherlands",
"present aug",
"a domains",
"moved",
"first pqc",
"ip address",
"unknown ns",
"unknown aaaa",
"title",
"body",
"meta",
"window",
"accept",
"body doctype",
"welcome",
"ok server",
"gmt content",
"present jul",
"present sep",
"aaaa",
"hostname",
"error",
"defense evasion",
"windows nt",
"response",
"vary",
"strings",
"core",
"t1027.013 encrypted/encoded",
"michelin lazy k",
"prefetch8",
"flag",
"date",
"starfield",
"hybrid",
"mobility cr",
"extraction",
"data upload",
"include",
"o url",
"url url",
"included i0",
"review ioc",
"excluded ic",
"suggested",
"find sugi",
"failed",
"cre pul",
"enter",
"enter sc",
"type",
"enric",
"extra",
"type opaste",
"data u",
"included",
"copy md5",
"copy sha1",
"copy sha256",
"null",
"refresh",
"tools",
"look",
"verify",
"restart",
"t1480 execution",
"expiration",
"url https",
"no expiration",
"iocs",
"ipv4",
"text drag",
"drop or",
"browse to",
"select file",
"redacted for",
"server",
"privacy tech",
"privacy admin",
"postal code",
"stateprovince",
"organization",
"email",
"code",
"quantum rooms",
"sam somalia",
"emp",
"porn",
"media defense",
"gov porn",
"suck my nips",
"reimer suspect",
"jeffrey reimer",
"dod",
"department of defense",
"show",
"date checked",
"url hostname",
"server response",
"google safe",
"results may",
"entries http",
"scans record",
"value status",
"sabey type",
"merits fake",
"y.a.s.",
"pornography",
"ramsom"
],
"references": [
"https://www.meritshealth.com/ Defense.Gov Mobility Co? ",
"zeroeyes.host \u2022 media.defense.gov \u2022 defense.gov \u2022 23.222.155.67",
"https://media.defense.gov/2022/Mar/17/2002958406/-1/-1/1/SUMMARY-OF-THE-JOINT-ALL-DOMAIN-COMMAND-AND-CONTROL-STRATEGY.pdf",
"https://media.defense.gov/2020/jun/09/2002313081/-1/-1/0/csi-detect-and-prevent-web-shell-malware-20200422.pdf",
"https://rto.bappam.eu/ai-n2cdl/mirai-2025-ven5k-telugu-movie-watch-online.html",
"https://pornokind.vgt.pl \u2022 https://cdn2.video.itsyourporn.com",
"https://webcams.itsyourporn.com/ \u2022 https://members.itsyourporn.com/",
"https://pics-storage-1.pornhat.com/contents/albums/main/1920x1080/135000/135855/9537375.jp",
"https://static.pornhat.com/contents/videos_screenshots/642000/642793/640x360/1.jpg",
"https://d1rozh26tys225.cloudfront.net/robot-suspicion.svg (mobility company no one has heard of)",
"https://www2.itsyourporn.com/license.php \u2022 https://www.lovephoto.tw/members",
"https://members.engine.com/login \u2022 https://members.engine.com/payment-details/220210",
"https://www-pornocarioca-com.sexogratis.page/videos/bbb/ex",
"https://media.defense.gov/2024/sep/18/2003547016/-1/-1/0/csa-prc-linked-actors-botnet.pdf",
"https://maisexo-com.putaria.info/casting \u2022 https://contosadultos-club.sexogratis.page/tudo",
"https://meumundogay-com.sexogratis.page/locker",
"https://es.pornhat.com/models/the-sex-creator/",
"Dear US Government, the man who assaulted targets name is Jeffrey Scott Reimer of Chester Springs, PA",
"Can the DoD no questions asked target a SA victim",
"Red Team Abuse? Starfield ? DoD? You need a real criminal Jeffrey Reimer.",
"There\u2019s a problem with terrorizing victims, relatives of, associates of and stealing their property intellectual or otherwise",
"socialmedia \u2022 socialmedia.defense.gov \u2022 static.defense.gov",
"There is fear in silence or speaking out",
"Target left unattended by anyone in a hospital except a security guard. Hospital refused care. Ignored rare brain incident from high cervical & brain assault injuries aggravated by car accident.",
"3-4 Police presence. 25 + hospital employees prepped radiology room. No one left room so was it for her?",
"If someone is believed to be a threat they have right to due process.",
"Infectious Disease UC Health denied target medication they said she needed as questionable liquid seeped into her brain.",
"She was a researcher not a hacker. A mother not a criminal. Most talented and least impressed person I have ever known.",
"Remarks online \u2018 T\u2019*#^^ is not a runner\u2019 a size 00 broke two track records at a major universities.",
"Honestly, you\u2019ve never seen or met her no many how many people you\u2019ve sent out. That\u2019s why you quiz.",
"ftp.iamrobert.com ? \u2022 https://www.meritshealth.com/templates/iamrobert/fonts/Graphik-Regular.eot",
"iamrobert.com Y.A.S.",
"1.2016 M.Brian Sabey filed a complaint about? Jeffrey Reimer refused Lie detector test and False memory exam",
"Target agreed and complied with all lie detector measures.",
"Is the family allowed to have a funeral for Tsara or print an obituary",
"No, they put Tsara in her mom\u2019s obituary, she couldn\u2019t grieve, she had to take it down.",
"I am very upset. Whoever is doing this is sick."
],
"public": 1,
"adversary": "",
"targeted_countries": [
"United States of America"
],
"malware_families": [
{
"id": "APNIC",
"display_name": "APNIC",
"target": null
},
{
"id": "Malware",
"display_name": "Malware",
"target": null
}
],
"attack_ids": [
{
"id": "T1071",
"name": "Application Layer Protocol",
"display_name": "T1071 - Application Layer Protocol"
},
{
"id": "T1573",
"name": "Encrypted Channel",
"display_name": "T1573 - Encrypted Channel"
},
{
"id": "T1027",
"name": "Obfuscated Files or Information",
"display_name": "T1027 - Obfuscated Files or Information"
},
{
"id": "T1057",
"name": "Process Discovery",
"display_name": "T1057 - Process Discovery"
},
{
"id": "T1069",
"name": "Permission Groups Discovery",
"display_name": "T1069 - Permission Groups Discovery"
},
{
"id": "T1105",
"name": "Ingress Tool Transfer",
"display_name": "T1105 - Ingress Tool Transfer"
},
{
"id": "T1480",
"name": "Execution Guardrails",
"display_name": "T1480 - Execution Guardrails"
},
{
"id": "T1553",
"name": "Subvert Trust Controls",
"display_name": "T1553 - Subvert Trust Controls"
},
{
"id": "T1566",
"name": "Phishing",
"display_name": "T1566 - Phishing"
},
{
"id": "T1568",
"name": "Dynamic Resolution",
"display_name": "T1568 - Dynamic Resolution"
},
{
"id": "T1583",
"name": "Acquire Infrastructure",
"display_name": "T1583 - Acquire Infrastructure"
},
{
"id": "T1069.002",
"name": "Domain Groups",
"display_name": "T1069.002 - Domain Groups"
},
{
"id": "T1071.001",
"name": "Web Protocols",
"display_name": "T1071.001 - Web Protocols"
},
{
"id": "T1583.001",
"name": "Domains",
"display_name": "T1583.001 - Domains"
},
{
"id": "TA0042",
"name": "Resource Development",
"display_name": "TA0042 - Resource Development"
},
{
"id": "TA0005",
"name": "Defense Evasion",
"display_name": "TA0005 - Defense Evasion"
},
{
"id": "T1553.002",
"name": "Code Signing",
"display_name": "T1553.002 - Code Signing"
},
{
"id": "T1528",
"name": "Steal Application Access Token",
"display_name": "T1528 - Steal Application Access Token"
},
{
"id": "T1071.004",
"name": "DNS",
"display_name": "T1071.004 - DNS"
},
{
"id": "T1113",
"name": "Screen Capture",
"display_name": "T1113 - Screen Capture"
},
{
"id": "T1590",
"name": "Gather Victim Network Information",
"display_name": "T1590 - Gather Victim Network Information"
},
{
"id": "T1591",
"name": "Gather Victim Org Information",
"display_name": "T1591 - Gather Victim Org Information"
},
{
"id": "T1132",
"name": "Data Encoding",
"display_name": "T1132 - Data Encoding"
},
{
"id": "T1140",
"name": "Deobfuscate/Decode Files or Information",
"display_name": "T1140 - Deobfuscate/Decode Files or Information"
},
{
"id": "T1562",
"name": "Impair Defenses",
"display_name": "T1562 - Impair Defenses"
},
{
"id": "T1457",
"name": "Malicious Media Content",
"display_name": "T1457 - Malicious Media Content"
},
{
"id": "T1562.001",
"name": "Disable or Modify Tools",
"display_name": "T1562.001 - Disable or Modify Tools"
},
{
"id": "T1562.004",
"name": "Disable or Modify System Firewall",
"display_name": "T1562.004 - Disable or Modify System Firewall"
},
{
"id": "T1089",
"name": "Disabling Security Tools",
"display_name": "T1089 - Disabling Security Tools"
},
{
"id": "T1562.008",
"name": "Disable Cloud Logs",
"display_name": "T1562.008 - Disable Cloud Logs"
},
{
"id": "T1125",
"name": "Video Capture",
"display_name": "T1125 - Video Capture"
},
{
"id": "T1056.003",
"name": "Web Portal Capture",
"display_name": "T1056.003 - Web Portal Capture"
},
{
"id": "T1512",
"name": "Capture Camera",
"display_name": "T1512 - Capture Camera"
},
{
"id": "T1180",
"name": "Screensaver",
"display_name": "T1180 - Screensaver"
}
],
"industries": [],
"TLP": "white",
"cloned_from": "68e2b14d83bb63502feac65e",
"export_count": 17,
"upvotes_count": 0,
"downvotes_count": 0,
"votes_count": 0,
"locked": false,
"pulse_source": "web",
"validator_count": 0,
"comment_count": 0,
"follower_count": 0,
"vote": 0,
"author": {
"username": "Q.Vashti",
"id": "337942",
"avatar_url": "https://otx.alienvault.com/assets/images/default-avatar.png",
"is_subscribed": false,
"is_following": false
},
"indicator_type_counts": {
"domain": 1365,
"URL": 11172,
"hostname": 2780,
"FileHash-MD5": 381,
"FileHash-SHA256": 4420,
"FileHash-SHA1": 338,
"CIDR": 4,
"SSLCertFingerprint": 24,
"CVE": 1,
"email": 1
},
"indicator_count": 20486,
"is_author": false,
"is_subscribing": null,
"subscriber_count": 139,
"modified_text": "97 days ago ",
"is_modified": true,
"groups": [],
"in_group": false,
"threat_hunter_scannable": true,
"threat_hunter_has_agents": 1,
"related_indicator_type": "URL",
"related_indicator_is_active": 1
},
{
"id": "68e2b14d83bb63502feac65e",
"name": "Did the \u2018real\u2019 DoD kill Targets wheelchair as promised? It\u2019s alive again.",
"description": "I\u2019d never think the DoD would be found when researching a wheelchair company NO ONE has ever heard of in this region. \n\nA wheelchair was ordered for target early spring, it was received in early summer. \n\nSettings became a crazy mess. Suspicion was immediate as a toothless tech tried to identify if dealing w/target by birth year , quizzing, fear tactics (doomsday wheelchair) , familiar Then warns about EMP attacks against wheelchair? His son is a hacker (gamer) + software engineer. He left not knowing if target status after quizzing tech knowledge? I intentionally verbalized the truth , target was a very early adopter of Ruby & Ruby on Rails & everything tech, he dropped his tools & left breaking the arm of wheelchair. New tech needed. Later denies ever being a mobility technician. They killed a new wheelchair. Why?. You\u2019re allowed to donate your equipment Vets & uninsured NEED mobility equipment. Stop the craziness. Is it possible gamer hackers are riding the DoD w/o their knowledge?",
"modified": "2026-01-07T00:00:30.717000",
"created": "2025-10-05T17:56:29.109000",
"tags": [
"gtmk5nxqc6",
"utc amazon",
"utc na",
"acceptencoding",
"gmt contenttype",
"connection",
"true pragma",
"gmt setcookie",
"httponly",
"gmt vary",
"nc000000 up",
"html document",
"unicode text",
"utf8 text",
"oc0006 http",
"http traffic",
"https http",
"mitre att",
"control ta0011",
"protocol t1071",
"match info",
"t1573 severity",
"info",
"number",
"ja3s",
"algorithm",
"azure rsa",
"tls issuing",
"cus subject",
"stwa lredmond",
"cnmicrosoft ecc",
"update secure",
"server ca",
"omicrosoft cus",
"get http",
"dns resolutions",
"registrar",
"markmonitor inc",
"country",
"resolver domain",
"type name",
"html",
"apnic",
"apnic whois",
"please",
"rirs",
"cidr",
"learn",
"ck id",
"name tactics",
"suspicious",
"informative",
"command",
"adversaries",
"development att",
"name tactics",
"binary file",
"ck matrix",
"wheelchair",
"iamrobert",
"pattern match",
"ascii text",
"href",
"united",
"general",
"local",
"path",
"encrypt",
"click",
"passive dns",
"urls",
"files",
"reverse dns",
"netherlands",
"present aug",
"a domains",
"moved",
"first pqc",
"ip address",
"unknown ns",
"unknown aaaa",
"title",
"body",
"meta",
"window",
"accept",
"body doctype",
"welcome",
"ok server",
"gmt content",
"present jul",
"present sep",
"aaaa",
"hostname",
"error",
"defense evasion",
"windows nt",
"response",
"vary",
"strings",
"core",
"t1027.013 encrypted/encoded",
"michelin lazy k",
"prefetch8",
"flag",
"date",
"starfield",
"hybrid",
"mobility cr",
"extraction",
"data upload",
"include",
"o url",
"url url",
"included i0",
"review ioc",
"excluded ic",
"suggested",
"find sugi",
"failed",
"cre pul",
"enter",
"enter sc",
"type",
"enric",
"extra",
"type opaste",
"data u",
"included",
"copy md5",
"copy sha1",
"copy sha256",
"null",
"refresh",
"tools",
"look",
"verify",
"restart",
"t1480 execution",
"expiration",
"url https",
"no expiration",
"iocs",
"ipv4",
"text drag",
"drop or",
"browse to",
"select file",
"redacted for",
"server",
"privacy tech",
"privacy admin",
"postal code",
"stateprovince",
"organization",
"email",
"code",
"quantum rooms",
"sam somalia",
"emp",
"porn",
"media defense",
"gov porn",
"suck my nips",
"reimer suspect",
"jeffrey reimer",
"dod",
"department of defense",
"show",
"date checked",
"url hostname",
"server response",
"google safe",
"results may",
"entries http",
"scans record",
"value status",
"sabey type",
"merits fake",
"y.a.s.",
"pornography",
"ramsom"
],
"references": [
"https://www.meritshealth.com/ Defense.Gov Mobility Co? ",
"zeroeyes.host \u2022 media.defense.gov \u2022 defense.gov \u2022 23.222.155.67",
"https://media.defense.gov/2022/Mar/17/2002958406/-1/-1/1/SUMMARY-OF-THE-JOINT-ALL-DOMAIN-COMMAND-AND-CONTROL-STRATEGY.pdf",
"https://media.defense.gov/2020/jun/09/2002313081/-1/-1/0/csi-detect-and-prevent-web-shell-malware-20200422.pdf",
"https://rto.bappam.eu/ai-n2cdl/mirai-2025-ven5k-telugu-movie-watch-online.html",
"https://pornokind.vgt.pl \u2022 https://cdn2.video.itsyourporn.com",
"https://webcams.itsyourporn.com/ \u2022 https://members.itsyourporn.com/",
"https://pics-storage-1.pornhat.com/contents/albums/main/1920x1080/135000/135855/9537375.jp",
"https://static.pornhat.com/contents/videos_screenshots/642000/642793/640x360/1.jpg",
"https://d1rozh26tys225.cloudfront.net/robot-suspicion.svg (mobility company no one has heard of)",
"https://www2.itsyourporn.com/license.php \u2022 https://www.lovephoto.tw/members",
"https://members.engine.com/login \u2022 https://members.engine.com/payment-details/220210",
"https://www-pornocarioca-com.sexogratis.page/videos/bbb/ex",
"https://media.defense.gov/2024/sep/18/2003547016/-1/-1/0/csa-prc-linked-actors-botnet.pdf",
"https://maisexo-com.putaria.info/casting \u2022 https://contosadultos-club.sexogratis.page/tudo",
"https://meumundogay-com.sexogratis.page/locker",
"https://es.pornhat.com/models/the-sex-creator/",
"Dear US Government, the man who assaulted targets name is Jeffrey Scott Reimer of Chester Springs, PA",
"Can the DoD no questions asked target a SA victim",
"Red Team Abuse? Starfield ? DoD? You need a real criminal Jeffrey Reimer.",
"There\u2019s a problem with terrorizing victims, relatives of, associates of and stealing their property intellectual or otherwise",
"socialmedia \u2022 socialmedia.defense.gov \u2022 static.defense.gov",
"There is fear in silence or speaking out",
"Target left unattended by anyone in a hospital except a security guard. Hospital refused care. Ignored rare brain incident from high cervical & brain assault injuries aggravated by car accident.",
"3-4 Police presence. 25 + hospital employees prepped radiology room. No one left room so was it for her?",
"If someone is believed to be a threat they have right to due process.",
"Infectious Disease UC Health denied target medication they said she needed as questionable liquid seeped into her brain.",
"She was a researcher not a hacker. A mother not a criminal. Most talented and least impressed person I have ever known.",
"Remarks online \u2018 T\u2019*#^^ is not a runner\u2019 a size 00 broke two track records at a major universities.",
"Honestly, you\u2019ve never seen or met her no many how many people you\u2019ve sent out. That\u2019s why you quiz.",
"ftp.iamrobert.com ? \u2022 https://www.meritshealth.com/templates/iamrobert/fonts/Graphik-Regular.eot",
"iamrobert.com Y.A.S.",
"1.2016 M.Brian Sabey filed a complaint about? Jeffrey Reimer refused Lie detector test and False memory exam",
"Target agreed and complied with all lie detector measures.",
"Is the family allowed to have a funeral for Tsara or print an obituary",
"No, they put Tsara in her mom\u2019s obituary, she couldn\u2019t grieve, she had to take it down.",
"I am very upset. Whoever is doing this is sick."
],
"public": 1,
"adversary": "",
"targeted_countries": [
"United States of America"
],
"malware_families": [
{
"id": "APNIC",
"display_name": "APNIC",
"target": null
},
{
"id": "Malware",
"display_name": "Malware",
"target": null
}
],
"attack_ids": [
{
"id": "T1071",
"name": "Application Layer Protocol",
"display_name": "T1071 - Application Layer Protocol"
},
{
"id": "T1573",
"name": "Encrypted Channel",
"display_name": "T1573 - Encrypted Channel"
},
{
"id": "T1027",
"name": "Obfuscated Files or Information",
"display_name": "T1027 - Obfuscated Files or Information"
},
{
"id": "T1057",
"name": "Process Discovery",
"display_name": "T1057 - Process Discovery"
},
{
"id": "T1069",
"name": "Permission Groups Discovery",
"display_name": "T1069 - Permission Groups Discovery"
},
{
"id": "T1105",
"name": "Ingress Tool Transfer",
"display_name": "T1105 - Ingress Tool Transfer"
},
{
"id": "T1480",
"name": "Execution Guardrails",
"display_name": "T1480 - Execution Guardrails"
},
{
"id": "T1553",
"name": "Subvert Trust Controls",
"display_name": "T1553 - Subvert Trust Controls"
},
{
"id": "T1566",
"name": "Phishing",
"display_name": "T1566 - Phishing"
},
{
"id": "T1568",
"name": "Dynamic Resolution",
"display_name": "T1568 - Dynamic Resolution"
},
{
"id": "T1583",
"name": "Acquire Infrastructure",
"display_name": "T1583 - Acquire Infrastructure"
},
{
"id": "T1069.002",
"name": "Domain Groups",
"display_name": "T1069.002 - Domain Groups"
},
{
"id": "T1071.001",
"name": "Web Protocols",
"display_name": "T1071.001 - Web Protocols"
},
{
"id": "T1583.001",
"name": "Domains",
"display_name": "T1583.001 - Domains"
},
{
"id": "TA0042",
"name": "Resource Development",
"display_name": "TA0042 - Resource Development"
},
{
"id": "TA0005",
"name": "Defense Evasion",
"display_name": "TA0005 - Defense Evasion"
},
{
"id": "T1553.002",
"name": "Code Signing",
"display_name": "T1553.002 - Code Signing"
},
{
"id": "T1528",
"name": "Steal Application Access Token",
"display_name": "T1528 - Steal Application Access Token"
},
{
"id": "T1071.004",
"name": "DNS",
"display_name": "T1071.004 - DNS"
},
{
"id": "T1113",
"name": "Screen Capture",
"display_name": "T1113 - Screen Capture"
},
{
"id": "T1590",
"name": "Gather Victim Network Information",
"display_name": "T1590 - Gather Victim Network Information"
},
{
"id": "T1591",
"name": "Gather Victim Org Information",
"display_name": "T1591 - Gather Victim Org Information"
},
{
"id": "T1132",
"name": "Data Encoding",
"display_name": "T1132 - Data Encoding"
},
{
"id": "T1140",
"name": "Deobfuscate/Decode Files or Information",
"display_name": "T1140 - Deobfuscate/Decode Files or Information"
},
{
"id": "T1562",
"name": "Impair Defenses",
"display_name": "T1562 - Impair Defenses"
},
{
"id": "T1457",
"name": "Malicious Media Content",
"display_name": "T1457 - Malicious Media Content"
},
{
"id": "T1562.001",
"name": "Disable or Modify Tools",
"display_name": "T1562.001 - Disable or Modify Tools"
},
{
"id": "T1562.004",
"name": "Disable or Modify System Firewall",
"display_name": "T1562.004 - Disable or Modify System Firewall"
},
{
"id": "T1089",
"name": "Disabling Security Tools",
"display_name": "T1089 - Disabling Security Tools"
},
{
"id": "T1562.008",
"name": "Disable Cloud Logs",
"display_name": "T1562.008 - Disable Cloud Logs"
},
{
"id": "T1125",
"name": "Video Capture",
"display_name": "T1125 - Video Capture"
},
{
"id": "T1056.003",
"name": "Web Portal Capture",
"display_name": "T1056.003 - Web Portal Capture"
},
{
"id": "T1512",
"name": "Capture Camera",
"display_name": "T1512 - Capture Camera"
},
{
"id": "T1180",
"name": "Screensaver",
"display_name": "T1180 - Screensaver"
}
],
"industries": [],
"TLP": "white",
"cloned_from": null,
"export_count": 11,
"upvotes_count": 0,
"downvotes_count": 0,
"votes_count": 0,
"locked": false,
"pulse_source": "web",
"validator_count": 0,
"comment_count": 1,
"follower_count": 0,
"vote": 0,
"author": {
"username": "Q.Vashti",
"id": "337942",
"avatar_url": "https://otx.alienvault.com/assets/images/default-avatar.png",
"is_subscribed": false,
"is_following": false
},
"indicator_type_counts": {
"domain": 1328,
"URL": 9931,
"hostname": 2621,
"FileHash-MD5": 381,
"FileHash-SHA256": 4360,
"FileHash-SHA1": 338,
"CIDR": 4,
"SSLCertFingerprint": 24,
"CVE": 1,
"email": 1
},
"indicator_count": 18989,
"is_author": false,
"is_subscribing": null,
"subscriber_count": 139,
"modified_text": "103 days ago ",
"is_modified": true,
"groups": [],
"in_group": false,
"threat_hunter_scannable": true,
"threat_hunter_has_agents": 1,
"related_indicator_type": "URL",
"related_indicator_is_active": 1
},
{
"id": "6923408464566e39caf32285",
"name": "Discord- DNS | Malvertizing | Ransom/Msilzilla (sifting IoC\u2019s created by scnrscnr)",
"description": "TAGS\nActive\n443 ma2592000\nChristopher Pool\nPool's Closed\nTimothy Pool\na li\n google\namerica att\napache\napache ip\nasn as46606\nauditmode force\nbehavior\nbinary\nbinary file\nbk role\nchat\ncheck\nchrome\nck ids\ncommon stealer\ncookie\ndata upload\ndefender\ndelete c\ndirectui\ndiscord\ndns lookup\ndomain add\ndrop\ndynamicloader\neb d8\nee fc\nerror oct\nexplorer\nexternal ip\nextraction\nf0 ff\nfailed\nff bb\nff d5\nff ff\nfiles\nfoundry\ngmt content\ngmt etag\ngmt server\ngoogle chrome\nguard\nhigh\ninsert\nlolminer\nmalware\nmedia\nmeta\nmoved\nmovie\nmsie\nmsvisualbasic60\nmtb aug -present \nneversend\npowershell\nrelated nids\nresponse ip\nself\nservice domain\nsingapore\nsmartassembly\nspan\nspan a\nsx08x00x00a\ntargeting\ntls sni\ntrojan\ntrojandropper\ntwitter\ntx08x00x00n\nunique\nuser agent\nux08x00x00h\nvirtool\nvirustotal api\nvoice\nvx08x00x00j\nwrite\nwrite c\nwx08x00x00\nx08x00x00b\nx08x00x00x00\nyara\nyara rule\nyx08x00x00l\nz3je\nz3uwq7\nzx08x00x00",
"modified": "2025-12-23T16:04:54.329000",
"created": "2025-11-23T17:12:36.917000",
"tags": [
"no expiration",
"expiration",
"url https",
"url http",
"filehashsha256",
"hostname",
"domain",
"filehashmd5",
"filehashsha1",
"ipv4",
"code",
"pool",
"timothy pool",
"z3je z3uwq7",
"creation date",
"ip address",
"emails",
"expiration date",
"status",
"hostname add",
"pulse pulses",
"passive dns",
"urls",
"date"
],
"references": [
"https://otx.alienvault.com/pulse/5fa57698ac0f6638b7b9a8ba",
"Examining pulse created by scnrscnr is worth reviewing. I was surprised tonal see a targets name.I didn\u2019t see Foundry highlighted",
"http://aninditaannisa.blogspot.com/2019/02/tsara-brashears-porn.html \u2022 blogspot.com",
"https://aninditaannisa.blogspot.com/2019/02/tsara-brashears-porn.html \u2022 blogspot.com \u2022 www.techcult.com/judge-the-simpsons-parody-is-child-pornography/ Whitelisted domain techcult.com\t Domain blogspot.com Whitelisted domain blogspot.com\t Domain techcult.com Whitelisted domain techcult.com\t Hostname aninditaannisa.blogspot.com \u2022 domain blogspot.com",
"www.techcult.com",
"http://foundry.tartarynova.com phishing \u2022 https://foundry.tartarynova.com \u2022 foundry.tartarynova.com",
"https://trail.truefoundry.com/api/t/c/usr_NEDuPPvnqv5DXyhti/tsk_X2YECqnpAow7t6JuE/enc_U2FsdGVkX1_wWHRx9nPGCEspZpUcIwc1yphMTxaaQ2ZAbsxOqRR4ibXcaYtcmgJ1UgabTFCHVVBLx2oAnBAW2h8el_edjHN72Ug0yKQePjKnSJEOnQvtq8MUPo0vkU1N",
"https://trail.truefoundry.com/api/track/open/usr_NEDuPPvnqv5DXyhti/tsk_L9bYYgL2HGng9mDsC",
"https://trail.truefoundry.com/api/track/open/usr_NEDuPPvnqv5DXyhti/tsk_X2YECqnpAow7t6JuE",
"truefoundry.com \u2022 assets.production.truefoundry.com \u2022 cpt.llm-gateway.truefoundry.com",
"yyz.llm-gateway.truefoundry.com \u2022 trail.truefoundry.com \u2022 sin.llm-gateway.truefoundry.com",
"lm-gateway.truefoundry.com \u2022 https://assets.production.truefoundry.com/sample-openapi.json",
"162.159.128.233 \u2022 http://tsar.vicly.org \u2022 https://tsar.vicly.org \u2022 tsar.vicly.org \u2022 vicly.org \u2022 https://tsar.vicly.org/",
"http://scteamcommunity.com/4k-high-res-porn-videos/squirt phishing",
"http://pic.porn.hub-accessories.site \u2022 https://pic.porn.hub-accessories.site \u2022 pic.porn.hub-accessories.site",
"2022ww11.pornhubgsy.com \u2022 http://scteamcommunity.com/4k-high-res-porn-videos/squirt",
"IDS Detections: Observed Discord Domain in DNS Lookup (discord .com) Discord Chat Service Domain in DNS Lookup (discord .com)",
"IDS Detections: Observed Discord Domain (discord .com in TLS SNI)",
"IDS Detections: Observed Cloudflare DNS over HTTPS Domain (cloudflare-dns .com in TLS SNI)",
"IDS Detections: Observed Discord Domain (discordapp .com in TLS SNI) Observed Discord Service Domain (discord .com) in TLS SNI Less",
"Yara: Detections ConventionEngine_Term_Users",
"Yara: ConventionEngine_Anomaly_MultiPDB_Double , ConventionEngine_Term_Documents",
"Alerts: infostealer_browser infostealer_cookies binary_yara procmem_yara static_pe_anomaly",
"Alerts: pe_compile_timestomping antiav_detectfile antidebug_guardpages encrypted_ioc",
"Alerts: dynamic_function_loading injection_write_process reads_memory_remote_process",
"Alerts : network_cnc_https_generic reads_self packer_entropy injection_rwx uses_windows_utilities antivm_checks_available_memory queries_computer_name queries_user_name",
"Yara : MS_Visual_Basic_6_0 ,",
"Yara : UPX , Nrv2x , UPX_OEP_place , UPXV200V290MarkusOberhumerLaszloMolnarJohnReiser , UPXv20MarkusLaszloReiser",
"Alerts : ransomware_file_modifications stealth_file procmem_yara static_pe_anomaly",
"Alerts: disables_folder_options stealth_hidden_extension stealth_hiddenreg anomalous_deletefile",
"Alerts: mouse_movement_detect",
"Couldn\u2019t pulse 1st pulse so here\u2019s what\u2019s left",
"scnrscnr pulse is good. I\u2019m assuming they\u2019re targets.",
"Foundry stalking."
],
"public": 1,
"adversary": "",
"targeted_countries": [
"United States of America"
],
"malware_families": [
{
"id": "TrojanDropper:Win32/VB.IL0",
"display_name": "TrojanDropper:Win32/VB.IL0",
"target": "/malware/TrojanDropper:Win32/VB.IL0"
},
{
"id": "ALF:Trojan:Win32/Cassini_56a3061!ibt",
"display_name": "ALF:Trojan:Win32/Cassini_56a3061!ibt",
"target": null
},
{
"id": "Win.Ransomware.Msilzilla-10014498-0",
"display_name": "Win.Ransomware.Msilzilla-10014498-0",
"target": null
}
],
"attack_ids": [
{
"id": "T1031",
"name": "Modify Existing Service",
"display_name": "T1031 - Modify Existing Service"
},
{
"id": "T1045",
"name": "Software Packing",
"display_name": "T1045 - Software Packing"
},
{
"id": "T1060",
"name": "Registry Run Keys / Startup Folder",
"display_name": "T1060 - Registry Run Keys / Startup Folder"
},
{
"id": "T1063",
"name": "Security Software Discovery",
"display_name": "T1063 - Security Software Discovery"
},
{
"id": "T1071",
"name": "Application Layer Protocol",
"display_name": "T1071 - Application Layer Protocol"
},
{
"id": "T1119",
"name": "Automated Collection",
"display_name": "T1119 - Automated Collection"
},
{
"id": "T1140",
"name": "Deobfuscate/Decode Files or Information",
"display_name": "T1140 - Deobfuscate/Decode Files or Information"
},
{
"id": "T1210",
"name": "Exploitation of Remote Services",
"display_name": "T1210 - Exploitation of Remote Services"
},
{
"id": "T1443",
"name": "Remotely Install Application",
"display_name": "T1443 - Remotely Install Application"
},
{
"id": "T1546",
"name": "Event Triggered Execution",
"display_name": "T1546 - Event Triggered Execution"
},
{
"id": "T1566",
"name": "Phishing",
"display_name": "T1566 - Phishing"
}
],
"industries": [],
"TLP": "green",
"cloned_from": null,
"export_count": 7,
"upvotes_count": 0,
"downvotes_count": 0,
"votes_count": 0,
"locked": false,
"pulse_source": "web",
"validator_count": 0,
"comment_count": 0,
"follower_count": 0,
"vote": 0,
"author": {
"username": "Q.Vashti",
"id": "337942",
"avatar_url": "https://otx.alienvault.com/assets/images/default-avatar.png",
"is_subscribed": false,
"is_following": false
},
"indicator_type_counts": {
"FileHash-MD5": 773,
"FileHash-SHA1": 684,
"FileHash-SHA256": 1910,
"CVE": 2,
"SSLCertFingerprint": 4,
"URL": 3783,
"domain": 878,
"email": 7,
"hostname": 1913
},
"indicator_count": 9954,
"is_author": false,
"is_subscribing": null,
"subscriber_count": 139,
"modified_text": "117 days ago ",
"is_modified": true,
"groups": [],
"in_group": false,
"threat_hunter_scannable": true,
"threat_hunter_has_agents": 1,
"related_indicator_type": "URL",
"related_indicator_is_active": 1
},
{
"id": "68c62306c74c7f57dc993d13",
"name": "Predator - Dr. Jeffrey Reimer, DPT - Physical Therapist in Denver, CO | Healthgrades",
"description": "Malware with code overlap. JSR , DPT Health Grades account has been removed. An investigator claims Reimer & family have been moved, names , career , changes years ago, claims of government protection for him. After victims MRI JSR left town immediately. Returning in 2016 , coincidentally driving near victim location on various locations. \nIt\u2019s disgusting how technology is being used to cover up a crime instead of solve one.\n#code_overlap #malware #hosts_contacted\n#itstoolatetoapologizeitstoolate",
"modified": "2025-10-14T01:04:58.605000",
"created": "2025-09-14T02:05:58.793000",
"tags": [
"denver",
"jeffrey reimer",
"star rating",
"appointment",
"post",
"response are",
"listened",
"wait",
"reimer",
"healthgrades",
"reply flag",
"doctors",
"find",
"jeff",
"back",
"aurora",
"leave",
"crying",
"tips",
"tags na",
"utc scorecard",
"research beacon",
"utc yahoo",
"dot tags",
"united",
"mozilla",
"write c",
"nsisinetc",
"undetermined",
"medium",
"intel",
"ms windows",
"write",
"trojan",
"defender",
"delphi",
"win32",
"malware",
"win64",
"local",
"next",
"code overlap",
"dynamicloader",
"as15169",
"brazil as28604",
"brazil as396982",
"upatre",
"passive dns",
"title error",
"ipv4 add",
"pulse pulses",
"urls",
"files",
"reverse dns",
"location united",
"america flag",
"body",
"script script",
"powder sdk",
"a domains",
"title",
"script",
"certificate",
"hostname add",
"pulse submit",
"meta",
"learn",
"command",
"ck id",
"name tactics",
"suspicious",
"informative",
"spawns",
"evasion att",
"t1480 execution",
"signing defense",
"flag",
"whois privacy",
"service name",
"server",
"contacted hosts",
"ip address",
"process details",
"size",
"div id",
"beginstring",
"beginerror",
"null",
"error",
"strings",
"refresh",
"tools",
"onload",
"click",
"span",
"remote access"
],
"references": [
"#Lowfi:AGGREGATOR:HasKnownAdwareDomain_NsisBundler",
"YARA: Delphi This program must be run under Win32 compilers TrojanWin32Fakemalard Ujhhd",
"CodeOverlap | All malware listed exists",
"Observed Cloudflare DNS over HTTPS Domain (cloudflare-dns .com in TLS SNI)",
"All #tags auto populated.",
"URL http://virii.es/M/Mobile Malware Attacks and Defense.pdf",
"blog.manpowergroup.com.py (aww like dadvocates)",
"https://isexychat.com/chatrooms/teen-chat/with-others/\t (sounds about right)",
"r53lbr.run-delete-app-sa-east-1-1.run-delete-test-sa-east-1-9zt9rjv.forgeapps.ec2.aws.dev"
],
"public": 1,
"adversary": "",
"targeted_countries": [],
"malware_families": [
{
"id": "#Lowfi:AGGREGATOR:HasKnownAdwareDomain_NsisBundler.",
"display_name": "#Lowfi:AGGREGATOR:HasKnownAdwareDomain_NsisBundler.",
"target": null
},
{
"id": "Win.Malware.Tfuvtcog-7194372-0",
"display_name": "Win.Malware.Tfuvtcog-7194372-0",
"target": null
},
{
"id": "Trojan.Win32.Fakemalard",
"display_name": "Trojan.Win32.Fakemalard",
"target": null
},
{
"id": "Code Overlap",
"display_name": "Code Overlap",
"target": null
},
{
"id": "Trojan.Win32.Banload",
"display_name": "Trojan.Win32.Banload",
"target": null
},
{
"id": "Formbook",
"display_name": "Formbook",
"target": null
},
{
"id": "Malware",
"display_name": "Malware",
"target": null
}
],
"attack_ids": [
{
"id": "T1045",
"name": "Software Packing",
"display_name": "T1045 - Software Packing"
},
{
"id": "T1063",
"name": "Security Software Discovery",
"display_name": "T1063 - Security Software Discovery"
},
{
"id": "T1027",
"name": "Obfuscated Files or Information",
"display_name": "T1027 - Obfuscated Files or Information"
},
{
"id": "T1057",
"name": "Process Discovery",
"display_name": "T1057 - Process Discovery"
},
{
"id": "T1071",
"name": "Application Layer Protocol",
"display_name": "T1071 - Application Layer Protocol"
},
{
"id": "T1105",
"name": "Ingress Tool Transfer",
"display_name": "T1105 - Ingress Tool Transfer"
},
{
"id": "T1480",
"name": "Execution Guardrails",
"display_name": "T1480 - Execution Guardrails"
},
{
"id": "T1553",
"name": "Subvert Trust Controls",
"display_name": "T1553 - Subvert Trust Controls"
},
{
"id": "T1568",
"name": "Dynamic Resolution",
"display_name": "T1568 - Dynamic Resolution"
},
{
"id": "T1140",
"name": "Deobfuscate/Decode Files or Information",
"display_name": "T1140 - Deobfuscate/Decode Files or Information"
}
],
"industries": [
"Medical",
"Media",
"Government."
],
"TLP": "white",
"cloned_from": null,
"export_count": 11,
"upvotes_count": 0,
"downvotes_count": 0,
"votes_count": 0,
"locked": false,
"pulse_source": "web",
"validator_count": 0,
"comment_count": 0,
"follower_count": 0,
"vote": 0,
"author": {
"username": "Q.Vashti",
"id": "337942",
"avatar_url": "https://otx.alienvault.com/assets/images/default-avatar.png",
"is_subscribed": false,
"is_following": false
},
"indicator_type_counts": {
"hostname": 609,
"URL": 1550,
"domain": 280,
"FileHash-SHA256": 1428,
"FileHash-MD5": 133,
"FileHash-SHA1": 115,
"SSLCertFingerprint": 4
},
"indicator_count": 4119,
"is_author": false,
"is_subscribing": null,
"subscriber_count": 139,
"modified_text": "188 days ago ",
"is_modified": true,
"groups": [],
"in_group": false,
"threat_hunter_scannable": true,
"threat_hunter_has_agents": 1,
"related_indicator_type": "URL",
"related_indicator_is_active": 1
},
{
"id": "68c62316b24b23e6d4c579ef",
"name": "Predator - Dr. Jeffrey Reimer, DPT - Physical Therapist in Denver, CO | Healthgrades",
"description": "Malware with code overlap. JSR , DPT Health Grades account has been removed. An investigator claims Reimer & family have been moved, names , career , changes years ago, claims of government protection for him. After victims MRI JSR left town immediately. Returning in 2016 , coincidentally driving near victim location on various locations. \nIt\u2019s disgusting how technology is being used to cover up a crime instead of solve one.\n#code_overlap #malware #hosts_contacted\n#itstoolatetoapologizeitstoolate",
"modified": "2025-10-14T01:04:58.605000",
"created": "2025-09-14T02:06:14.853000",
"tags": [
"denver",
"jeffrey reimer",
"star rating",
"appointment",
"post",
"response are",
"listened",
"wait",
"reimer",
"healthgrades",
"reply flag",
"doctors",
"find",
"jeff",
"back",
"aurora",
"leave",
"crying",
"tips",
"tags na",
"utc scorecard",
"research beacon",
"utc yahoo",
"dot tags",
"united",
"mozilla",
"write c",
"nsisinetc",
"undetermined",
"medium",
"intel",
"ms windows",
"write",
"trojan",
"defender",
"delphi",
"win32",
"malware",
"win64",
"local",
"next",
"code overlap",
"dynamicloader",
"as15169",
"brazil as28604",
"brazil as396982",
"upatre",
"passive dns",
"title error",
"ipv4 add",
"pulse pulses",
"urls",
"files",
"reverse dns",
"location united",
"america flag",
"body",
"script script",
"powder sdk",
"a domains",
"title",
"script",
"certificate",
"hostname add",
"pulse submit",
"meta",
"learn",
"command",
"ck id",
"name tactics",
"suspicious",
"informative",
"spawns",
"evasion att",
"t1480 execution",
"signing defense",
"flag",
"whois privacy",
"service name",
"server",
"contacted hosts",
"ip address",
"process details",
"size",
"div id",
"beginstring",
"beginerror",
"null",
"error",
"strings",
"refresh",
"tools",
"onload",
"click",
"span",
"remote access"
],
"references": [
"#Lowfi:AGGREGATOR:HasKnownAdwareDomain_NsisBundler",
"YARA: Delphi This program must be run under Win32 compilers TrojanWin32Fakemalard Ujhhd",
"CodeOverlap | All malware listed exists",
"Observed Cloudflare DNS over HTTPS Domain (cloudflare-dns .com in TLS SNI)",
"All #tags auto populated.",
"URL http://virii.es/M/Mobile Malware Attacks and Defense.pdf",
"blog.manpowergroup.com.py (aww like dadvocates)",
"https://isexychat.com/chatrooms/teen-chat/with-others/\t (sounds about right)",
"r53lbr.run-delete-app-sa-east-1-1.run-delete-test-sa-east-1-9zt9rjv.forgeapps.ec2.aws.dev"
],
"public": 1,
"adversary": "",
"targeted_countries": [],
"malware_families": [
{
"id": "#Lowfi:AGGREGATOR:HasKnownAdwareDomain_NsisBundler.",
"display_name": "#Lowfi:AGGREGATOR:HasKnownAdwareDomain_NsisBundler.",
"target": null
},
{
"id": "Win.Malware.Tfuvtcog-7194372-0",
"display_name": "Win.Malware.Tfuvtcog-7194372-0",
"target": null
},
{
"id": "Trojan.Win32.Fakemalard",
"display_name": "Trojan.Win32.Fakemalard",
"target": null
},
{
"id": "Code Overlap",
"display_name": "Code Overlap",
"target": null
},
{
"id": "Trojan.Win32.Banload",
"display_name": "Trojan.Win32.Banload",
"target": null
},
{
"id": "Formbook",
"display_name": "Formbook",
"target": null
},
{
"id": "Malware",
"display_name": "Malware",
"target": null
},
{
"id": "Too much to search for",
"display_name": "Too much to search for",
"target": null
}
],
"attack_ids": [
{
"id": "T1045",
"name": "Software Packing",
"display_name": "T1045 - Software Packing"
},
{
"id": "T1063",
"name": "Security Software Discovery",
"display_name": "T1063 - Security Software Discovery"
},
{
"id": "T1027",
"name": "Obfuscated Files or Information",
"display_name": "T1027 - Obfuscated Files or Information"
},
{
"id": "T1057",
"name": "Process Discovery",
"display_name": "T1057 - Process Discovery"
},
{
"id": "T1071",
"name": "Application Layer Protocol",
"display_name": "T1071 - Application Layer Protocol"
},
{
"id": "T1105",
"name": "Ingress Tool Transfer",
"display_name": "T1105 - Ingress Tool Transfer"
},
{
"id": "T1480",
"name": "Execution Guardrails",
"display_name": "T1480 - Execution Guardrails"
},
{
"id": "T1553",
"name": "Subvert Trust Controls",
"display_name": "T1553 - Subvert Trust Controls"
},
{
"id": "T1568",
"name": "Dynamic Resolution",
"display_name": "T1568 - Dynamic Resolution"
},
{
"id": "T1140",
"name": "Deobfuscate/Decode Files or Information",
"display_name": "T1140 - Deobfuscate/Decode Files or Information"
}
],
"industries": [
"Medical",
"Media",
"Government."
],
"TLP": "white",
"cloned_from": null,
"export_count": 9,
"upvotes_count": 0,
"downvotes_count": 0,
"votes_count": 0,
"locked": false,
"pulse_source": "web",
"validator_count": 0,
"comment_count": 0,
"follower_count": 0,
"vote": 0,
"author": {
"username": "Q.Vashti",
"id": "337942",
"avatar_url": "https://otx.alienvault.com/assets/images/default-avatar.png",
"is_subscribed": false,
"is_following": false
},
"indicator_type_counts": {
"hostname": 609,
"URL": 1550,
"domain": 280,
"FileHash-SHA256": 1428,
"FileHash-MD5": 133,
"FileHash-SHA1": 115,
"SSLCertFingerprint": 4
},
"indicator_count": 4119,
"is_author": false,
"is_subscribing": null,
"subscriber_count": 139,
"modified_text": "188 days ago ",
"is_modified": true,
"groups": [],
"in_group": false,
"threat_hunter_scannable": true,
"threat_hunter_has_agents": 1,
"related_indicator_type": "URL",
"related_indicator_is_active": 1
},
{
"id": "68ac1823eed9568e26950b98",
"name": "ELF: Mirai - Malicious media | sentient.industries | Palantir",
"description": "Malicious entity weaponizing AI and next level cyber attacks, targeting, hacking, espionage, tracking, bad traffic, botnet, honeypots, bots , ddos. \n\nIt\u2019s really easy to become a target. Protest a cause, become a victim of crime by someone protected by a major entity , incur a large loss insurance case or have a high profile potential lawsuit on and on\u2026 \n\nExcessive overreach, low accountability, no barrier to access, designed to be the cyber warfare weapon.\nIf this is a spoof and NOT Palantir which (but it is) still relentlessly , as malicious. You don\u2019t own your devices or privacy.\n\n#mustbestrangelyexitingtowatchthestoicsquirm",
"modified": "2025-09-24T07:05:04.439000",
"created": "2025-08-25T08:00:35.492000",
"tags": [
"sentientindustries",
"adult",
"pornography",
"targeting",
"content reputation",
"palantirfoundry",
"palantir",
"malicious media",
"tool",
"abuse",
"citizens",
"gay",
"united",
"cache control",
"access control",
"passive dns",
"ip address",
"body found",
"gmt content",
"express cache",
"accept",
"pragma",
"avast avg",
"mirai",
"games",
"aniporn",
"eporner",
"learn",
"ck id",
"name tactics",
"suspicious",
"informative",
"adversaries",
"command",
"javascript",
"defense evasion",
"spawns",
"attrib",
"extid",
"fbid",
"creatortool",
"pattern match",
"date",
"path",
"august",
"hybrid",
"general",
"click",
"strings",
"bham",
"this",
"core",
"unknown aaaa",
"moved",
"unknown ns",
"body",
"h1 center",
"title",
"data upload",
"extraction",
"iocs",
"monitored target",
"copy md5",
"copy sha1",
"copy sha256",
"mitre att",
"show technique",
"ck matrix",
"span",
"possible",
"local",
"meta",
"roboto",
"supportscookie",
"spearphishing",
"initial access",
"ssl certificate",
"t1105",
"T1027.013 - Encrypted/Encoded File"
],
"references": [
"https://targeting-ai.com/dr-wisit-cheungpasitporn-invite-dhonneur-a-paris-pour-intelligence-artificielle-et-nephrologie-2025/ (phishing)",
"conf.targeting-ai.com \u2022 http://conf.targeting-ai.com \u2022 https://conf.targeting-ai.com \u2022 https://droidcall.cc/EQBhOSFz/",
"http://securityidiots.com/Web-Pentest/SQL-Injection/bypass-login-using-sql-injection.html",
"1-ai-chatbox-widget-2iv.pages.dev",
"FileleHash Sha256 [7a6da9fd351d428e9bfb8edbbca1275d9cdaf7f0371c77d2c227645509f7ebec ELF:Mirai-GH\\ [Trj] \u2022 Unix.Trojan.Gafgyt-6748839",
"Found in Palantirfoundry in sentient.indusutries linked to songculture.com (downed)",
"Redirecting to /verify/547062ef [URL https://eporner.blog \u2022 IPv4 104.21.3.107]",
"https://hayageek.com/drag-and-drop-file-upload-jquery",
"https://hayageek.com/rsa-encryption-decryption-openssl-c/",
"https://www-321chat-com.webpkgcache.com/doc/-/s/www.321chat.com/",
"https://www.melitta.be/portal/pics/layout/touchicons/apple-touch-icon-precomposed.png [Key-Systems GmbH]",
"https://hybrid-analysis.com/sample/627cf8e9a89c998bd5cb607854bbe31b82679c116b4e3834ff942220d61d3488/68ac1098bfa5002fad02e045",
"T1027.013 - Encrypted/Encoded File"
],
"public": 1,
"adversary": "",
"targeted_countries": [
"United States of America"
],
"malware_families": [
{
"id": "PornBlackmailer",
"display_name": "PornBlackmailer",
"target": null
},
{
"id": "Win32/PornTool",
"display_name": "Win32/PornTool",
"target": null
},
{
"id": "Mirai",
"display_name": "Mirai",
"target": null
},
{
"id": "ELF:Mirai-GH\\ [Trj]",
"display_name": "ELF:Mirai-GH\\ [Trj]",
"target": null
},
{
"id": "Unix.Trojan.Gafgyt-6748839",
"display_name": "Unix.Trojan.Gafgyt-6748839",
"target": null
},
{
"id": "supportsCookie",
"display_name": "supportsCookie",
"target": null
}
],
"attack_ids": [
{
"id": "T1457",
"name": "Malicious Media Content",
"display_name": "T1457 - Malicious Media Content"
},
{
"id": "T1027",
"name": "Obfuscated Files or Information",
"display_name": "T1027 - Obfuscated Files or Information"
},
{
"id": "T1055",
"name": "Process Injection",
"display_name": "T1055 - Process Injection"
},
{
"id": "T1057",
"name": "Process Discovery",
"display_name": "T1057 - Process Discovery"
},
{
"id": "T1059",
"name": "Command and Scripting Interpreter",
"display_name": "T1059 - Command and Scripting Interpreter"
},
{
"id": "T1071",
"name": "Application Layer Protocol",
"display_name": "T1071 - Application Layer Protocol"
},
{
"id": "T1083",
"name": "File and Directory Discovery",
"display_name": "T1083 - File and Directory Discovery"
},
{
"id": "T1105",
"name": "Ingress Tool Transfer",
"display_name": "T1105 - Ingress Tool Transfer"
},
{
"id": "T1480",
"name": "Execution Guardrails",
"display_name": "T1480 - Execution Guardrails"
},
{
"id": "T1553",
"name": "Subvert Trust Controls",
"display_name": "T1553 - Subvert Trust Controls"
},
{
"id": "T1555",
"name": "Credentials from Password Stores",
"display_name": "T1555 - Credentials from Password Stores"
},
{
"id": "T1568",
"name": "Dynamic Resolution",
"display_name": "T1568 - Dynamic Resolution"
},
{
"id": "T1583",
"name": "Acquire Infrastructure",
"display_name": "T1583 - Acquire Infrastructure"
},
{
"id": "T1590",
"name": "Gather Victim Network Information",
"display_name": "T1590 - Gather Victim Network Information"
},
{
"id": "T1113",
"name": "Screen Capture",
"display_name": "T1113 - Screen Capture"
},
{
"id": "T1140",
"name": "Deobfuscate/Decode Files or Information",
"display_name": "T1140 - Deobfuscate/Decode Files or Information"
},
{
"id": "T1608.005",
"name": "Link Target",
"display_name": "T1608.005 - Link Target"
},
{
"id": "T1566",
"name": "Phishing",
"display_name": "T1566 - Phishing"
},
{
"id": "T1204",
"name": "User Execution",
"display_name": "T1204 - User Execution"
},
{
"id": "T1583.001",
"name": "Domains",
"display_name": "T1583.001 - Domains"
},
{
"id": "T1566.002",
"name": "Spearphishing Link",
"display_name": "T1566.002 - Spearphishing Link"
},
{
"id": "T1566.001",
"name": "Spearphishing Attachment",
"display_name": "T1566.001 - Spearphishing Attachment"
},
{
"id": "T1553.002",
"name": "Code Signing",
"display_name": "T1553.002 - Code Signing"
},
{
"id": "T1071.004",
"name": "DNS",
"display_name": "T1071.004 - DNS"
},
{
"id": "T1071.001",
"name": "Web Protocols",
"display_name": "T1071.001 - Web Protocols"
},
{
"id": "T1568.002",
"name": "Domain Generation Algorithms",
"display_name": "T1568.002 - Domain Generation Algorithms"
},
{
"id": "T1532",
"name": "Data Encrypted",
"display_name": "T1532 - Data Encrypted"
}
],
"industries": [
"Telecommunications",
"Technology",
"Civilian Society",
"Government"
],
"TLP": "white",
"cloned_from": null,
"export_count": 16,
"upvotes_count": 0,
"downvotes_count": 0,
"votes_count": 0,
"locked": false,
"pulse_source": "web",
"validator_count": 0,
"comment_count": 0,
"follower_count": 0,
"vote": 0,
"author": {
"username": "Q.Vashti",
"id": "337942",
"avatar_url": "https://otx.alienvault.com/assets/images/default-avatar.png",
"is_subscribed": false,
"is_following": false
},
"indicator_type_counts": {
"URL": 966,
"domain": 222,
"hostname": 272,
"FileHash-MD5": 78,
"FileHash-SHA1": 84,
"FileHash-SHA256": 346,
"SSLCertFingerprint": 10
},
"indicator_count": 1978,
"is_author": false,
"is_subscribing": null,
"subscriber_count": 139,
"modified_text": "208 days ago ",
"is_modified": true,
"groups": [],
"in_group": false,
"threat_hunter_scannable": true,
"threat_hunter_has_agents": 1,
"related_indicator_type": "URL",
"related_indicator_is_active": 1
},
{
"id": "68abf66e97031d0ff0c04fed",
"name": "Packed sentient.industries links to a targets business website",
"description": "Very malicious link found in a targets business.\nPacked. Needs to be categorized.\n(FoundryPalantir rich?) Tracking, hacking, and serious espionage.\nAvailable public Information: \nSENTIENT INDUSTRIES\nsentient.industries\nSentient industries provides design and engineering services, from prototyping to small-batch manufacturing, empowering clients to overcome complex challenges. |\nMore about sentient\nMission sentient accelerates mission critical technology for\u2026\nSENTIENT INDUSTRIES\nAccelerating mission-critical tech for disaster response, defense ...\nContact Now\nAustin, tx 78758. United States. EMAIL us. info@sentient \n\nWorse than it looks. Spying on a several threat researchers.",
"modified": "2025-09-24T04:04:05.604000",
"created": "2025-08-25T05:36:46.327000",
"tags": [
"moved",
"body",
"x cache",
"cloudfront x",
"cph50 c2",
"certificate",
"record value",
"title",
"h1 center",
"server",
"redacted for",
"servers",
"name redacted",
"for privacy",
"name servers",
"org data",
"privacy city",
"privacy country",
"ca creation",
"passive dns",
"urls",
"files",
"ip address",
"asn as57033",
"less whois",
"registrar",
"tucows domains",
"key identifier",
"data",
"v3 serial",
"number",
"cat ozerossl",
"cnzerossl ecc",
"domain secure",
"site ca",
"validity",
"subject public",
"extraction",
"data upload",
"extra data",
"include review",
"find",
"failed",
"typ no",
"ms windows",
"intel",
"pe32",
"united",
"search",
"as16509",
"from win32bios",
"show",
"high",
"medium",
"delphi",
"copy",
"write",
"launcher",
"next",
"present aug",
"present jul",
"lowfi",
"win32",
"a div",
"div div",
"learn xml",
"babylon",
"win64",
"trojan",
"colors",
"python",
"learn",
"ck id",
"name tactics",
"suspicious",
"informative",
"command",
"adversaries",
"spawns",
"mitre att",
"ck techniques",
"et info",
"tls handshake",
"bad traffic",
"failure",
"date",
"august",
"hybrid",
"general",
"path",
"starfield",
"click",
"strings",
"se bethseda",
"n bethseda",
"n data",
"error",
"date checked",
"url hostname",
"server response",
"google safe",
"results aug",
"read c",
"tlsv1",
"port",
"destination",
"module load",
"execution",
"dock",
"persistence",
"malware",
"unknown",
"cname",
"aaaa",
"creation date",
"showing",
"domain",
"dga domains",
"palantirfoundry",
"foundry",
"status",
"unknown ns",
"g2 tls",
"rsa sha256",
"italy unknown",
"mtb may",
"trojandropper",
"invalid url",
"next associated",
"ddos",
"body html",
"hacktool",
"ipv4",
"url analysis",
"ukraine",
"encrypt",
"rl add",
"http",
"hostname",
"files domain",
"files related",
"related tags",
"present jun",
"entries",
"title error",
"all ipv4",
"reverse dns",
"yara detections",
"top source",
"top destination",
"source source",
"sha256 add",
"pulse pulses",
"av detections",
"ids detections",
"alerts",
"analysis date",
"address range",
"cidr",
"network name",
"allocation type",
"whois server",
"entity amazon4",
"handle",
"canada unknown",
"content type",
"javascript src",
"script script",
"x powered",
"ipv4 add",
"pulse submit",
"submit url",
"analysis",
"url add",
"related nids",
"files location",
"canada flag",
"canada hostname",
"unknown aaaa",
"ascii text",
"user agent",
"powershell",
"agent",
"czechia unknown",
"domain add",
"dynamicloader",
"hostname add",
"pentagon",
"defense"
],
"references": [
"sentient.industries affects independent artists. Affects several others.",
"Bethseda Map - Yara Detections Delphi , InnoSetupInstaller",
"Bethseda Map - High Priority Alerts: ransomware_file_moves ransomware_appends_extensions",
"Bethseda Map - High Priority Alerts: dumped_buffer2 antisandbox_mouse_hook",
"Bethseda Map - High Priority Alerts: modifies_certificates ransomware_dropped_files",
"Bethseda Map - High Priority Alerts: ransomware_mass_file_delete antivm_firmware",
"Bethseda Map - High Priority Alerts: antiemu_wine banker_zeus_p2p",
"https://download.mobiledit.com/drivers/setup_cdd_apple_1_0_10_0.exe",
"https://forensic.manuals.mobiledit.com/MM/how-to-install-correct-apple-drivers",
"prod.foundry.tylertechai.com \u2022 qa.foundry.tylertechai.com \u2022 staging.foundry.tylertechai.com \u2022",
"talos-staging.palantirfoundry.com \u2022 tylertechai.com \u2022 Palantir Technologies Inc.\u2022 palantirfoundry.com",
"Affects : Kailula4 , scnrscnr, SongCulture, Tsara Brashears & associated, ScrnrScrnr , dorkingbeauty",
"Interesting widgets: https://myid.canon/prd/1.1.30/canonid-assets/gcid-widget.html",
"http://link.monetizer101.com/widget/custom-2.0.2/templates/1",
"https://widget-i18n.tiktokv.com.ttdns2.com/ \u2022 https://stella.demand-iq.com/widget",
"widget-va.tiktokv.com.ttdns2.com \u2022 http://widget-i18n.tiktokv.com.ttdns2.com/",
"http://link.monetizer101.com/widget/custom-2.0.3/js/load.min.js \u2022",
"https://link.monetizer101.com/widget/code/595.js \u2022 https://link.monetizer101.com/widget/code/1343.js",
"https://link.monetizer101.com/widget/code/1511.js \u2022 https://link.monetizer101.com/widget/code/mirror.js",
"https://link.monetizer101.com/widget/code/dailystaruk.js",
"https://download.mobiledit.com/drivers/setup_cdd_apple_1_0_10_0.exe",
"https://forensic.manuals.mobiledit.com/MM/how-to-install-correct-apple-drivers (ASP.NET)",
"Interesting Strings: https://pro-api.coinmarketcap.com/v2/cryptocurrency/quotes/historical",
"(Can't access file- Malware infection files)",
"Potential reparations: Spyware , Trojan , Pegasus , DNS , Graphite , Paragon , NSO Group , Endgame , Cloudfront",
"constellation.pcfrpegaservice.net (Pegasus related? idk)",
"On behalf of pcfrpegaservice.net owner Name Servers\tNS-1477.AWSDNS-56.ORG Org\tIdentity Protection Service",
"TrojanWin32Scoreem - CodeOverlap [616fc7047d6216f7a604fa90f2f2dd0ad5b12f1153137e43858d3421ba964ea4]",
"I have to breakdown this enormous post over time. I\u2019m going to repost a potential hackers similar post",
"Remotewd.com devices",
"If you find anything interesting please research it."
],
"public": 1,
"adversary": "",
"targeted_countries": [
"United States of America"
],
"malware_families": [
{
"id": "nUFS_inno",
"display_name": "nUFS_inno",
"target": null
},
{
"id": "#Lowfi:HSTR:MSIL/Malicious",
"display_name": "#Lowfi:HSTR:MSIL/Malicious",
"target": null
},
{
"id": "ALF:JASYP:PUA:Win32/Bibado",
"display_name": "ALF:JASYP:PUA:Win32/Bibado",
"target": null
},
{
"id": "Trojan:Win32/Toga",
"display_name": "Trojan:Win32/Toga",
"target": "/malware/Trojan:Win32/Toga"
},
{
"id": "Win32:Downloader-GJK\\ [Trj]",
"display_name": "Win32:Downloader-GJK\\ [Trj]",
"target": null
},
{
"id": "Win.Downloader.109205-1",
"display_name": "Win.Downloader.109205-1",
"target": null
},
{
"id": "Custom Malware",
"display_name": "Custom Malware",
"target": null
},
{
"id": "#LowFiEnableDTContinueAfterUnpacking",
"display_name": "#LowFiEnableDTContinueAfterUnpacking",
"target": null
},
{
"id": "Win32:Downloader-GJK\\ [Trj]",
"display_name": "Win32:Downloader-GJK\\ [Trj]",
"target": null
},
{
"id": "Win.Downloader.109205-1",
"display_name": "Win.Downloader.109205-1",
"target": null
},
{
"id": "Win.Trojan.Jorik-149",
"display_name": "Win.Trojan.Jorik-149",
"target": null
},
{
"id": "#LowFiDetectsVmWare",
"display_name": "#LowFiDetectsVmWare",
"target": null
},
{
"id": "Win.Trojan.Jorik-130",
"display_name": "Win.Trojan.Jorik-130",
"target": null
},
{
"id": "Win.Trojan.Fakecodecs-119",
"display_name": "Win.Trojan.Fakecodecs-119",
"target": null
},
{
"id": "Trojan:Win32/Zombie.A",
"display_name": "Trojan:Win32/Zombie.A",
"target": "/malware/Trojan:Win32/Zombie.A"
},
{
"id": "Win.Trojan.Bulz-9860169-0",
"display_name": "Win.Trojan.Bulz-9860169-0",
"target": null
},
{
"id": "Win.Malware.Midie-6847892-0",
"display_name": "Win.Malware.Midie-6847892-0",
"target": null
},
{
"id": "TrojanDropper:Win32/Muldrop.V!MTB",
"display_name": "TrojanDropper:Win32/Muldrop.V!MTB",
"target": "/malware/TrojanDropper:Win32/Muldrop.V!MTB"
},
{
"id": "Win.Packed.Razy-9785185-0",
"display_name": "Win.Packed.Razy-9785185-0",
"target": null
},
{
"id": "Trojan:Win32/Glupteba.MT!MTB",
"display_name": "Trojan:Win32/Glupteba.MT!MTB",
"target": "/malware/Trojan:Win32/Glupteba.MT!MTB"
},
{
"id": "PWS",
"display_name": "PWS",
"target": null
},
{
"id": "DDOS:Win32/Stormser.A",
"display_name": "DDOS:Win32/Stormser.A",
"target": "/malware/DDOS:Win32/Stormser.A"
},
{
"id": "ALF:HSTR:DotNET",
"display_name": "ALF:HSTR:DotNET",
"target": null
},
{
"id": "DotNET",
"display_name": "DotNET",
"target": null
},
{
"id": "Script Exploit",
"display_name": "Script Exploit",
"target": null
},
{
"id": "HackTool:Win32/AutoKMS",
"display_name": "HackTool:Win32/AutoKMS",
"target": "/malware/HackTool:Win32/AutoKMS"
},
{
"id": "Xanfpezes.A",
"display_name": "Xanfpezes.A",
"target": null
},
{
"id": "Trojan:Win32/Gandcrab",
"display_name": "Trojan:Win32/Gandcrab",
"target": "/malware/Trojan:Win32/Gandcrab"
},
{
"id": "Win.Trojan.Generic-9862772-0",
"display_name": "Win.Trojan.Generic-9862772-0",
"target": null
},
{
"id": "Trojan:Win32/Zbot.SIBL!MTB",
"display_name": "Trojan:Win32/Zbot.SIBL!MTB",
"target": "/malware/Trojan:Win32/Zbot.SIBL!MTB"
},
{
"id": "Win32/Nemucod",
"display_name": "Win32/Nemucod",
"target": null
},
{
"id": "ALF:HeraklezEval:TrojanDownloader:HTML/Adodb!rfn",
"display_name": "ALF:HeraklezEval:TrojanDownloader:HTML/Adodb!rfn",
"target": null
},
{
"id": "Trojan:Win32/Blihan.A",
"display_name": "Trojan:Win32/Blihan.A",
"target": "/malware/Trojan:Win32/Blihan.A"
},
{
"id": "TrojanDropper:Win32/Muldrop",
"display_name": "TrojanDropper:Win32/Muldrop",
"target": "/malware/TrojanDropper:Win32/Muldrop"
},
{
"id": "ALF:HeraklezEval:Trojan:Win32/Ymacco.AA47",
"display_name": "ALF:HeraklezEval:Trojan:Win32/Ymacco.AA47",
"target": null
},
{
"id": "Win.Malware.Kolab-9885903-0",
"display_name": "Win.Malware.Kolab-9885903-0",
"target": null
},
{
"id": "Win.Malware (30)",
"display_name": "Win.Malware (30)",
"target": null
},
{
"id": "Ransom",
"display_name": "Ransom",
"target": null
},
{
"id": "#Lowfi:HSTR:MSIL/Malicious.Decryption",
"display_name": "#Lowfi:HSTR:MSIL/Malicious.Decryption",
"target": null
},
{
"id": "E5",
"display_name": "E5",
"target": null
},
{
"id": "MyDoom",
"display_name": "MyDoom",
"target": null
}
],
"attack_ids": [
{
"id": "T1047",
"name": "Windows Management Instrumentation",
"display_name": "T1047 - Windows Management Instrumentation"
},
{
"id": "T1060",
"name": "Registry Run Keys / Startup Folder",
"display_name": "T1060 - Registry Run Keys / Startup Folder"
},
{
"id": "T1119",
"name": "Automated Collection",
"display_name": "T1119 - Automated Collection"
},
{
"id": "T1027",
"name": "Obfuscated Files or Information",
"display_name": "T1027 - Obfuscated Files or Information"
},
{
"id": "T1057",
"name": "Process Discovery",
"display_name": "T1057 - Process Discovery"
},
{
"id": "T1071",
"name": "Application Layer Protocol",
"display_name": "T1071 - Application Layer Protocol"
},
{
"id": "T1105",
"name": "Ingress Tool Transfer",
"display_name": "T1105 - Ingress Tool Transfer"
},
{
"id": "T1480",
"name": "Execution Guardrails",
"display_name": "T1480 - Execution Guardrails"
},
{
"id": "T1553",
"name": "Subvert Trust Controls",
"display_name": "T1553 - Subvert Trust Controls"
},
{
"id": "T1583",
"name": "Acquire Infrastructure",
"display_name": "T1583 - Acquire Infrastructure"
},
{
"id": "T1113",
"name": "Screen Capture",
"display_name": "T1113 - Screen Capture"
},
{
"id": "T1140",
"name": "Deobfuscate/Decode Files or Information",
"display_name": "T1140 - Deobfuscate/Decode Files or Information"
},
{
"id": "T1053",
"name": "Scheduled Task/Job",
"display_name": "T1053 - Scheduled Task/Job"
},
{
"id": "T1055",
"name": "Process Injection",
"display_name": "T1055 - Process Injection"
},
{
"id": "T1082",
"name": "System Information Discovery",
"display_name": "T1082 - System Information Discovery"
},
{
"id": "T1112",
"name": "Modify Registry",
"display_name": "T1112 - Modify Registry"
},
{
"id": "T1129",
"name": "Shared Modules",
"display_name": "T1129 - Shared Modules"
},
{
"id": "T1143",
"name": "Hidden Window",
"display_name": "T1143 - Hidden Window"
},
{
"id": "T1003.008",
"name": "/etc/passwd and /etc/shadow",
"display_name": "T1003.008 - /etc/passwd and /etc/shadow"
},
{
"id": "T1110.002",
"name": "Password Cracking",
"display_name": "T1110.002 - Password Cracking"
}
],
"industries": [],
"TLP": "white",
"cloned_from": null,
"export_count": 40,
"upvotes_count": 0,
"downvotes_count": 0,
"votes_count": 0,
"locked": false,
"pulse_source": "web",
"validator_count": 0,
"comment_count": 0,
"follower_count": 0,
"vote": 0,
"author": {
"username": "Q.Vashti",
"id": "337942",
"avatar_url": "https://otx.alienvault.com/assets/images/default-avatar.png",
"is_subscribed": false,
"is_following": false
},
"indicator_type_counts": {
"domain": 6232,
"URL": 24908,
"hostname": 7993,
"FileHash-SHA256": 11128,
"email": 6,
"FileHash-MD5": 1054,
"FileHash-SHA1": 932,
"SSLCertFingerprint": 14,
"CIDR": 3,
"CVE": 3
},
"indicator_count": 52273,
"is_author": false,
"is_subscribing": null,
"subscriber_count": 146,
"modified_text": "208 days ago ",
"is_modified": true,
"groups": [],
"in_group": false,
"threat_hunter_scannable": true,
"threat_hunter_has_agents": 1,
"related_indicator_type": "URL",
"related_indicator_is_active": 1
},
{
"id": "6893eee9bf1b30e08d1a6d8e",
"name": "Ransom:Win32/CVE - Denver \u2022 Community Lifestyle Neighborhood",
"description": "*Ransom:Win32/CVE - * Win.Dropper.Stone-9856966-0,\nDenver \u2022 Community Lifestyle Neighborhood. \nCorporate & Leasing Office corrupted with spyware. There is a single verified monitored target. All technology devices corrupted, at least 2 phones monitored, YouTube is courtesy of hackers. Several in person and phone investigations, staff change and they know nothing about leasing apartments, townhomes , etiquette, poor communication. Target also investigated. It appears to be harassment, intimidation and monitoring for unspecified reasons. The parking lot is stacked with obvious people sitting in their vehicles for hours. It\u2019s unclear if the staffing change is legitimate or part of an investigation.",
"modified": "2025-09-05T23:02:52.811000",
"created": "2025-08-07T00:10:17.696000",
"tags": [
"address google",
"safe browsing",
"united",
"typeof",
"passive dns",
"body doctype",
"nreum",
"date",
"gmt server",
"apache x",
"cnection",
"content type",
"span",
"ok transfer",
"encoding",
"x powered",
"unknown soa",
"unknown ns",
"showing",
"entries",
"next associated",
"urls show",
"body",
"encrypt",
"search",
"ip address",
"creation date",
"record value",
"present jul",
"present may",
"present apr",
"certificate",
"present aug",
"present feb",
"present dec",
"present nov",
"error",
"learn",
"ck id",
"name tactics",
"suspicious",
"informative",
"command",
"adversaries",
"spawns",
"found",
"development att",
"sha1",
"copy md5",
"copy sha1",
"copy sha256",
"mitre att",
"show technique",
"ck matrix",
"pattern match",
"ascii text",
"august",
"hybrid",
"general",
"local",
"path",
"click",
"strings",
"itre att",
"accept",
"sha256",
"size",
"type data",
"utf8 text",
"document file",
"flag",
"server",
"european union",
"name server",
"tor analysis",
"dns requests",
"domain address",
"ii llc",
"windir",
"openurl c",
"prefetch2",
"show process",
"ogoogle trust",
"network traffic",
"organization",
"elton avundano",
"object",
"title object",
"header http2",
"returnurl",
"texas",
"rsa ov",
"ssl ca",
"status",
"australia",
"netherlands",
"urls",
"gmt path",
"hostname add",
"pulse submit",
"present oct",
"e safe",
"results jul",
"response ip",
"present jan",
"name servers",
"verdict",
"domain",
"files ip",
"address domain",
"xhr start",
"xhr load",
"aaaa",
"read c",
"show",
"port",
"destination",
"high",
"delete",
"outbound m3",
"copy",
"write",
"persistence",
"execution",
"malware",
"generic",
"unknown",
"present mar",
"dynamicloader",
"wine emulator",
"dynamic",
"medium",
"read",
"associated urls",
"date checked",
"url hostname",
"server response",
"google safe",
"dnssec",
"domain name",
"solutions",
"llc status",
"next passive",
"dns status",
"hostname query",
"files show",
"date hash",
"avast avg",
"overview ip",
"address",
"related nids",
"files location",
"flag united",
"hostname",
"files domain",
"win32",
"mtb feb",
"trojan",
"susp",
"trojandropper",
"msr feb",
"trojanspy",
"virtool",
"win64",
"defense evasion",
"t1480 execution",
"file defense",
"null",
"refresh",
"tools",
"look",
"verify",
"restart",
"file discovery",
"utf8",
"crlf line",
"a domains",
"script urls",
"link",
"unknown aaaa",
"meta",
"atom",
"results jan",
"present",
"present sep",
"akamai",
"asn as16625",
"less whois",
"registrar",
"http",
"france flag",
"france hostname",
"files related",
"url analysis",
"files",
"location france",
"detailed error",
"sec ch",
"ch ua",
"ua full",
"ua platform",
"moved",
"name",
"perfect privacy",
"error jul",
"next related",
"domains show",
"domain related",
"url add",
"pulse pulses",
"hosting",
"reverse dns",
"france asn",
"as16276",
"dns resolutions",
"datacenter",
"regopenkeyexa",
"regsetvalueexa",
"windows nt",
"regdword",
"hostile",
"service",
"delphi",
"next",
"pulses none",
"related tags",
"ua bitness",
"ua arch",
"version sec",
"mobile sec",
"model sec",
"review",
"data upload",
"extraction",
"khtml",
"gecko",
"olet",
"cnlet",
"tlsv1",
"hacktool",
"push",
"ms windows",
"intel",
"pe32",
"users",
"precreate read",
"ransom",
"code",
"installer",
"june",
"media",
"autorun",
"next yara",
"detections name",
"aspackv2xxx",
"eu alexey",
"alerts",
"pe file",
"filehash",
"sha256 add",
"av detections",
"ids detections",
"yara detections",
"analysis date",
"april",
"packing t1045",
"t1045",
"t1060",
"registry run",
"keys",
"user execution",
"icmp traffic"
],
"references": [],
"public": 1,
"adversary": "",
"targeted_countries": [],
"malware_families": [],
"attack_ids": [
{
"id": "T1027",
"name": "Obfuscated Files or Information",
"display_name": "T1027 - Obfuscated Files or Information"
},
{
"id": "T1057",
"name": "Process Discovery",
"display_name": "T1057 - Process Discovery"
},
{
"id": "T1071",
"name": "Application Layer Protocol",
"display_name": "T1071 - Application Layer Protocol"
},
{
"id": "T1105",
"name": "Ingress Tool Transfer",
"display_name": "T1105 - Ingress Tool Transfer"
},
{
"id": "T1480",
"name": "Execution Guardrails",
"display_name": "T1480 - Execution Guardrails"
},
{
"id": "T1553",
"name": "Subvert Trust Controls",
"display_name": "T1553 - Subvert Trust Controls"
},
{
"id": "T1568",
"name": "Dynamic Resolution",
"display_name": "T1568 - Dynamic Resolution"
},
{
"id": "T1583",
"name": "Acquire Infrastructure",
"display_name": "T1583 - Acquire Infrastructure"
},
{
"id": "T1083",
"name": "File and Directory Discovery",
"display_name": "T1083 - File and Directory Discovery"
},
{
"id": "T1204",
"name": "User Execution",
"display_name": "T1204 - User Execution"
},
{
"id": "T1045",
"name": "Software Packing",
"display_name": "T1045 - Software Packing"
},
{
"id": "T1112",
"name": "Modify Registry",
"display_name": "T1112 - Modify Registry"
},
{
"id": "T1119",
"name": "Automated Collection",
"display_name": "T1119 - Automated Collection"
},
{
"id": "T1012",
"name": "Query Registry",
"display_name": "T1012 - Query Registry"
},
{
"id": "T1031",
"name": "Modify Existing Service",
"display_name": "T1031 - Modify Existing Service"
},
{
"id": "T1040",
"name": "Network Sniffing",
"display_name": "T1040 - Network Sniffing"
},
{
"id": "T1053",
"name": "Scheduled Task/Job",
"display_name": "T1053 - Scheduled Task/Job"
},
{
"id": "T1055",
"name": "Process Injection",
"display_name": "T1055 - Process Injection"
},
{
"id": "T1129",
"name": "Shared Modules",
"display_name": "T1129 - Shared Modules"
},
{
"id": "T1023",
"name": "Shortcut Modification",
"display_name": "T1023 - Shortcut Modification"
},
{
"id": "T1060",
"name": "Registry Run Keys / Startup Folder",
"display_name": "T1060 - Registry Run Keys / Startup Folder"
},
{
"id": "T1082",
"name": "System Information Discovery",
"display_name": "T1082 - System Information Discovery"
},
{
"id": "T1091",
"name": "Replication Through Removable Media",
"display_name": "T1091 - Replication Through Removable Media"
}
],
"industries": [],
"TLP": "green",
"cloned_from": null,
"export_count": 11,
"upvotes_count": 0,
"downvotes_count": 0,
"votes_count": 0,
"locked": false,
"pulse_source": "web",
"validator_count": 0,
"comment_count": 0,
"follower_count": 0,
"vote": 0,
"author": {
"username": "Q.Vashti",
"id": "337942",
"avatar_url": "https://otx.alienvault.com/assets/images/default-avatar.png",
"is_subscribed": false,
"is_following": false
},
"indicator_type_counts": {
"domain": 1132,
"URL": 6245,
"hostname": 2264,
"FileHash-SHA256": 1857,
"FileHash-SHA1": 491,
"email": 9,
"FileHash-MD5": 573,
"SSLCertFingerprint": 16
},
"indicator_count": 12587,
"is_author": false,
"is_subscribing": null,
"subscriber_count": 142,
"modified_text": "226 days ago ",
"is_modified": true,
"groups": [],
"in_group": false,
"threat_hunter_scannable": true,
"threat_hunter_has_agents": 1,
"related_indicator_type": "URL",
"related_indicator_is_active": 1
},
{
"id": "686cb765dc6737fd1e882630",
"name": "2nd Attempt- VirusTotal Ransomware and Device destruction Attack",
"description": "I hope this generates results. I continue to be unable to annotate. Witnesses attack and 5 very relevant graphs taken. \n#phishing #malware #trojan #ransom #virustotal",
"modified": "2025-08-07T05:01:52.697000",
"created": "2025-07-08T06:15:01.296000",
"tags": [
"no expiration",
"filehashmd5",
"filehashsha1",
"filehashsha256",
"iocs",
"review iocs",
"pulse show",
"search",
"type indicator",
"role title",
"expiration",
"url http",
"url https",
"text drag",
"drop or",
"enter source",
"url or",
"hostname",
"ipv4",
"related pulses",
"showing",
"entries",
"drop",
"domain",
"enter",
"extract",
"browse to",
"domain xn",
"select file",
"pdf report",
"pcap",
"stix",
"openioc",
"indicator role",
"pulses url"
],
"references": [],
"public": 1,
"adversary": "",
"targeted_countries": [],
"malware_families": [],
"attack_ids": [],
"industries": [],
"TLP": "green",
"cloned_from": null,
"export_count": 11,
"upvotes_count": 0,
"downvotes_count": 0,
"votes_count": 0,
"locked": false,
"pulse_source": "web",
"validator_count": 0,
"comment_count": 0,
"follower_count": 0,
"vote": 0,
"author": {
"username": "Q.Vashti",
"id": "337942",
"avatar_url": "https://otx.alienvault.com/assets/images/default-avatar.png",
"is_subscribed": false,
"is_following": false
},
"indicator_type_counts": {
"FileHash-MD5": 840,
"FileHash-SHA1": 725,
"FileHash-SHA256": 863,
"URL": 1663,
"SSLCertFingerprint": 17,
"domain": 520,
"hostname": 734,
"email": 11
},
"indicator_count": 5373,
"is_author": false,
"is_subscribing": null,
"subscriber_count": 140,
"modified_text": "256 days ago ",
"is_modified": true,
"groups": [],
"in_group": false,
"threat_hunter_scannable": true,
"threat_hunter_has_agents": 1,
"related_indicator_type": "URL",
"related_indicator_is_active": 1
},
{
"id": "686cb7673e4d5a0067758fd7",
"name": "2nd Attempt- VirusTotal Ransomware and Device destruction Attack",
"description": "I hope this generates results. I continue to be unable to annotate. Witnesses attack and 5 very relevant graphs taken. \n#phishing #malware #trojan #ransom #virustotal",
"modified": "2025-08-07T05:01:52.697000",
"created": "2025-07-08T06:15:03.501000",
"tags": [
"no expiration",
"filehashmd5",
"filehashsha1",
"filehashsha256",
"iocs",
"review iocs",
"pulse show",
"search",
"type indicator",
"role title",
"expiration",
"url http",
"url https",
"text drag",
"drop or",
"enter source",
"url or",
"hostname",
"ipv4",
"related pulses",
"showing",
"entries",
"drop",
"domain",
"enter",
"extract",
"browse to",
"domain xn",
"select file",
"pdf report",
"pcap",
"stix",
"openioc",
"indicator role",
"pulses url"
],
"references": [],
"public": 1,
"adversary": "",
"targeted_countries": [],
"malware_families": [],
"attack_ids": [],
"industries": [],
"TLP": "green",
"cloned_from": null,
"export_count": 11,
"upvotes_count": 0,
"downvotes_count": 0,
"votes_count": 0,
"locked": false,
"pulse_source": "web",
"validator_count": 0,
"comment_count": 0,
"follower_count": 0,
"vote": 0,
"author": {
"username": "Q.Vashti",
"id": "337942",
"avatar_url": "https://otx.alienvault.com/assets/images/default-avatar.png",
"is_subscribed": false,
"is_following": false
},
"indicator_type_counts": {
"FileHash-MD5": 840,
"FileHash-SHA1": 725,
"FileHash-SHA256": 863,
"URL": 1663,
"SSLCertFingerprint": 17,
"domain": 520,
"hostname": 734,
"email": 11
},
"indicator_count": 5373,
"is_author": false,
"is_subscribing": null,
"subscriber_count": 138,
"modified_text": "256 days ago ",
"is_modified": true,
"groups": [],
"in_group": false,
"threat_hunter_scannable": true,
"threat_hunter_has_agents": 1,
"related_indicator_type": "URL",
"related_indicator_is_active": 1
}
],
"error": null,
"vt": {
"error": "VirusTotal rate limit reached. Try again shortly.",
"indicator": "https://wallet.pagsmile.com/",
"type": "URL"
},
"abuseipdb": null,
"urlhaus": {
"indicator": "https://wallet.pagsmile.com/",
"type": "URL",
"found": false,
"verdict": "clean",
"error": null
},
"from_cache": true,
"_cached_at": 1776670719.7251103
}