{
"type": "URL",
"indicator": "https://wallet.pagsmile.com/index.html",
"general": {
"sections": [
"general",
"url_list",
"http_scans",
"screenshot"
],
"indicator": "https://wallet.pagsmile.com/index.html",
"type": "url",
"type_title": "URL",
"validation": [],
"base_indicator": {
"id": 4075597167,
"indicator": "https://wallet.pagsmile.com/index.html",
"type": "URL",
"title": "",
"description": "",
"content": "",
"access_type": "public",
"access_reason": ""
},
"pulse_info": {
"count": 15,
"pulses": [
{
"id": "695c7b40f5d2f292a7512e81",
"name": "USteal Reputation Smear | Malicious Media | TrojanSpy - CrazyFrost.com",
"description": "Who is CrazyFrost? USteal Reputation Smear | Malicious Media | TrojanSpy would affect anyone who clicks on honeypot / dga domain. iPhone spyware. We\u2019ve been working on exposing spyware. Emotet / AutoIT , cabs, password stealer, and more found. Investigators and attorneys from the past Investigators reported victims life, was being promoted over the dark web. From bathing to cooking , conversations to arguments, getting dressed to passing gas. Haha. Small cameras were accessed remotely in her former. Castle Pines, Co hideaway. A third investigator confirmed tiny cameras were installed when victim was in staycationing. When family arrived home garage door and secured doors were boldly left open. Crazy True. [otx auto generated- The following is the full text of the public-key-precert-scts, which has been posted on the website of Redporn.video, the site of an unauthorised sex tape.]",
"modified": "2026-02-05T02:03:26.707000",
"created": "2026-01-06T03:02:24.932000",
"tags": [
"gmtn",
"log id",
"ca issuers",
"b0n timestamp",
"signature",
"d097",
"f2334482",
"fc46",
"b10b2898797d",
"fingerprintsha1",
"tsara",
"we1 certificate",
"dynamicloader",
"medium",
"write c",
"host",
"yara rule",
"myapp",
"delphi",
"worm",
"win32",
"error",
"write",
"code",
"malware",
"learn",
"ck id",
"name tactics",
"suspicious",
"informative",
"command",
"adversaries",
"spawns",
"ssl certificate",
"execution att",
"t1204 user",
"united",
"mitre att",
"ck matrix",
"flag",
"ogoogle trust",
"href",
"network traffic",
"span",
"babe",
"super",
"close",
"general",
"local",
"path",
"encrypt",
"click",
"strings",
"form",
"extraction",
"data upload",
"all ht",
"enter source",
"one on",
"tezunau",
"daut un",
"dauwol lype",
"ur extraction",
"extrac",
"n tezunau",
"one opa",
"included review",
"faileextra",
"include data",
"review exclude",
"sugges",
"delete c",
"json",
"ascii text",
"high",
"data",
"search",
"stream",
"unknown",
"push",
"next",
"dirty",
"enter s",
"type",
"extr data",
"include",
"ff d5",
"ee fc",
"eb d8",
"f0 ff",
"ff bb",
"fd ff",
"ff eb",
"ed b8",
"agent",
"msie",
"windows nt",
"wow64",
"slcc2",
"media center",
"tlsv1",
"read c",
"execution",
"dock",
"persistence",
"sc data",
"present jan",
"present mar",
"present dec",
"unknown aaaa",
"passive dns",
"urls",
"trojanspy",
"date",
"present feb",
"susp",
"moved",
"ip address",
"backdoor",
"usteal",
"body",
"title",
"hybrid",
"regopenkeyexa",
"memcommit",
"regsz",
"english",
"copy",
"ufr stealer",
"markus",
"april",
"updater",
"entries",
"rsds",
"c reg",
"environment",
"launch"
],
"references": [
"https://www.redporn.video/tsara-brashears-slandered-.htm \u2022 www.redporn.video \u2022 http://www.redporn",
"guidepaparazzisurface.com",
"http://www.crazyfrost.com\t\u2022 http://www.crazyfrost",
"http://chaturbate.com/notabottom/\t\u2022 http://chaturbate.com/notabottom/\\",
"iPhone Spyware - https://bam.nr-data.net/1/6f524845d1?a=24279235&v=1169.7b094c0&to=MwYEbUdYXxJQWhULDApMIExbWkUIXldOAQsFF0hPXFxGEgtrDg0OMgoDThteVBU%3D&rst=6546&ck=1&ref=https://chaturbate.com/notabottom/&ap=123&fe=4218&dc=4218&af=err",
"iPhone Spyware - https://bam.nr-data.net/jserrors/ping/6f524845d1?a=24279235&v=1169.7b094c0&to=MwYEbUdYXxJQWhULDApMIExbWkUIXldOAQsFF0hPXFxGEgtrDg0OMgoDThteVBU%3D&rst=6546&ck=1&ref=https://chaturbate.com/notabottom/",
"https://chaturbate.com/notabottom/",
"https://www.google-analytics.com/r/collect?v=1&_v=j83&a=1390847564&t=pageview&_s=1&dl=https%3A%2F%2Fchaturbate.com%2Fnotabottom%2F&ul=en-us&de=utf-8&dt=Chaturbate%20-%20100%25%20Free%20Chat%20%26%20Webcams&sd=32-bit&sr=1024x768&vp=780x439&je=0&_u=YEBAAE~&jid=915940444&gjid=1686072238&cid=922362881.1595496808&tid=UA-23607725-1&_gid=1317601001.1595496808&_r=1&cd1=chaturbate.com&cd2=&cd3=-&cd4=&cd5=anonymous&z=762468946"
],
"public": 1,
"adversary": "",
"targeted_countries": [
"United States of America"
],
"malware_families": [
{
"id": "AutoIT",
"display_name": "AutoIT",
"target": null
},
{
"id": "TrojanSpy:Win32/Usteal",
"display_name": "TrojanSpy:Win32/Usteal",
"target": "/malware/TrojanSpy:Win32/Usteal"
}
],
"attack_ids": [
{
"id": "T1045",
"name": "Software Packing",
"display_name": "T1045 - Software Packing"
},
{
"id": "T1060",
"name": "Registry Run Keys / Startup Folder",
"display_name": "T1060 - Registry Run Keys / Startup Folder"
},
{
"id": "T1057",
"name": "Process Discovery",
"display_name": "T1057 - Process Discovery"
},
{
"id": "T1069",
"name": "Permission Groups Discovery",
"display_name": "T1069 - Permission Groups Discovery"
},
{
"id": "T1071",
"name": "Application Layer Protocol",
"display_name": "T1071 - Application Layer Protocol"
},
{
"id": "T1105",
"name": "Ingress Tool Transfer",
"display_name": "T1105 - Ingress Tool Transfer"
},
{
"id": "T1204",
"name": "User Execution",
"display_name": "T1204 - User Execution"
},
{
"id": "T1480",
"name": "Execution Guardrails",
"display_name": "T1480 - Execution Guardrails"
},
{
"id": "T1553",
"name": "Subvert Trust Controls",
"display_name": "T1553 - Subvert Trust Controls"
},
{
"id": "T1568",
"name": "Dynamic Resolution",
"display_name": "T1568 - Dynamic Resolution"
},
{
"id": "T1583",
"name": "Acquire Infrastructure",
"display_name": "T1583 - Acquire Infrastructure"
},
{
"id": "T1140",
"name": "Deobfuscate/Decode Files or Information",
"display_name": "T1140 - Deobfuscate/Decode Files or Information"
},
{
"id": "T1583.001",
"name": "Domains",
"display_name": "T1583.001 - Domains"
},
{
"id": "T1553.002",
"name": "Code Signing",
"display_name": "T1553.002 - Code Signing"
},
{
"id": "T1069.002",
"name": "Domain Groups",
"display_name": "T1069.002 - Domain Groups"
},
{
"id": "T1071.004",
"name": "DNS",
"display_name": "T1071.004 - DNS"
},
{
"id": "T1568.002",
"name": "Domain Generation Algorithms",
"display_name": "T1568.002 - Domain Generation Algorithms"
},
{
"id": "T1071.001",
"name": "Web Protocols",
"display_name": "T1071.001 - Web Protocols"
},
{
"id": "T1113",
"name": "Screen Capture",
"display_name": "T1113 - Screen Capture"
},
{
"id": "T1063",
"name": "Security Software Discovery",
"display_name": "T1063 - Security Software Discovery"
},
{
"id": "T1119",
"name": "Automated Collection",
"display_name": "T1119 - Automated Collection"
},
{
"id": "T1053",
"name": "Scheduled Task/Job",
"display_name": "T1053 - Scheduled Task/Job"
},
{
"id": "T1055",
"name": "Process Injection",
"display_name": "T1055 - Process Injection"
},
{
"id": "T1082",
"name": "System Information Discovery",
"display_name": "T1082 - System Information Discovery"
},
{
"id": "T1112",
"name": "Modify Registry",
"display_name": "T1112 - Modify Registry"
},
{
"id": "T1129",
"name": "Shared Modules",
"display_name": "T1129 - Shared Modules"
},
{
"id": "T1143",
"name": "Hidden Window",
"display_name": "T1143 - Hidden Window"
},
{
"id": "T1562",
"name": "Impair Defenses",
"display_name": "T1562 - Impair Defenses"
},
{
"id": "T1204.003",
"name": "Malicious Image",
"display_name": "T1204.003 - Malicious Image"
},
{
"id": "T1457",
"name": "Malicious Media Content",
"display_name": "T1457 - Malicious Media Content"
},
{
"id": "T1204.001",
"name": "Malicious Link",
"display_name": "T1204.001 - Malicious Link"
},
{
"id": "T1155",
"name": "AppleScript",
"display_name": "T1155 - AppleScript"
},
{
"id": "T1449",
"name": "Exploit SS7 to Redirect Phone Calls/SMS",
"display_name": "T1449 - Exploit SS7 to Redirect Phone Calls/SMS"
}
],
"industries": [],
"TLP": "green",
"cloned_from": null,
"export_count": 1,
"upvotes_count": 0,
"downvotes_count": 0,
"votes_count": 0,
"locked": false,
"pulse_source": "web",
"validator_count": 0,
"comment_count": 0,
"follower_count": 0,
"vote": 0,
"author": {
"username": "Q.Vashti",
"id": "337942",
"avatar_url": "https://otx.alienvault.com/assets/images/default-avatar.png",
"is_subscribed": false,
"is_following": false
},
"indicator_type_counts": {
"URL": 2543,
"hostname": 848,
"FileHash-SHA256": 1320,
"SSLCertFingerprint": 25,
"domain": 463,
"FileHash-MD5": 418,
"FileHash-SHA1": 197,
"email": 2
},
"indicator_count": 5816,
"is_author": false,
"is_subscribing": null,
"subscriber_count": 138,
"modified_text": "74 days ago ",
"is_modified": true,
"groups": [],
"in_group": false,
"threat_hunter_scannable": true,
"threat_hunter_has_agents": 1,
"related_indicator_type": "URL",
"related_indicator_is_active": 1
},
{
"id": "695035a98f01d94b2598f8ee",
"name": "Mirai \u2022 PrometheusIntelligenceTechnology.com - Extranet affected Universities | Regis University",
"description": "PrometheusIntelligenceTechnology.com - Extranet. Regis University experienced an outrageous blackout. I know because I was an outside investigator. Tsara Brashears found the links as a redirect on iOS and MacBook Pro devices.\n She seemed to be the the solely impacted Computer Science student. Further research showed canary cookie in server. Regis ignored all and played down the facts. All computers needed replacing. T advised but they tried to clean them. The elevator didn\u2019t work for years. Call 911 if you get stuck. Tsara went out of her way for 5 months warning them until an fool logged in as her but could only login over iexplorer. RU paid a ransom. Tsara was black listed from school. Above 4.0 GPA 3.8 post assault. Just found another PIT link. \n\nIT Security sent her to the FBI because legitimate death threats and plans were found. \n\nAll attacks immediately following assault.",
"modified": "2026-01-26T18:04:20.395000",
"created": "2025-12-27T19:38:17.198000",
"tags": [
"united",
"unknown aaaa",
"accept encoding",
"moved",
"urls",
"files",
"encrypt",
"passive dns",
"all ipv4",
"america flag",
"america asn",
"ransom",
"backdoor",
"mtb win32",
"mirai",
"united states",
"type indicator",
"role title",
"container",
"ip address",
"i div",
"h2 p",
"h4 p",
"data",
"desktop",
"powerful",
"url https",
"url http",
"indicator role",
"active related",
"cidr",
"types",
"indicators show",
"learn",
"ck id",
"name tactics",
"suspicious",
"informative",
"command",
"adversaries",
"defense evasion",
"spawns",
"mitre att",
"ck matrix",
"command decode",
"programfiles",
"suricata ipv4",
"windir",
"comspec",
"hybrid",
"general",
"path",
"model",
"click",
"strings",
"prometheus",
"palantir",
"kill list",
"tracking",
"moon linksys",
"router",
"emotet",
"active",
"regis university",
"ascii text",
"show technique",
"pattern match",
"sha1",
"show process",
"root",
"local",
"development att",
"ssl certificate",
"extranet",
"maven"
],
"references": [
"Palantir Extranet -https://prometheusintelligencetechnology.com/",
"Palantir espionage \u2022 prometheusintelligencetechnology.com \u2022 ad-maven.com \u2022 fastly.com \u2022 Foundry.com \u2022 so many more",
"IDS Detections: TheMoon.linksys.router",
"We don\u2019t know how Octoseek & ScoreBlie (Team8) became part of \u2018No Problems\u2019",
"It\u2019s okay if it\u2019s in there but this is in NO way related to an Alberta University hack.",
"This is directed to target, communicated where target was enrolled- Regis University Denver , Co",
"Pointed to Data Center 5 Inverness / Denver Tech Center, denies relationship. Seemed to prove originating DC",
"Tsara Brashears warned of hack, provided detailed information, provided advice",
"\u2018Close enrollment. Get all new devices. Stop using Barracuda.",
"Find a way to safely begin from a new server. Work from a Virtual World Class",
"Regis needed to close. They treated Brashears as trash after the NEW staff came. Hmm who are tvey",
"Old staff slow, foolish but eventually heeded instructions / once it was too late",
"Dean is deceased? Was the only staff who insisted that Tsara\u2019s tuition be reimbursed",
"She was in the botnet already",
"Was denied after third enrollment showed false information",
"She sought a certificate from Red Rocks. Kurzweil installed due to being disabled",
"Bills from nowhere appeared. Again staff said this never happened before left her with the debt.",
"Tsara was unable to finish her second degree this way. But found a way.",
"I don\u2019t like finding these remnants. I don\u2019t know why extranet was needed for this Brilliant student",
"Professors asked to use her papers. \u2018Sure\u2019 she wasn\u2019t impressed",
"Many pulses are missing. When we first began using this tool PIT was what we researched first",
"This is when Tsara was interrogated by 2 men at Barnes & No Ken regarding her technical abilities",
"One of the interrogators, asked her to be his girlfriend (fake ) tried to move her to a new location .",
"She refused. Two weeks later man is parked outside of her residence in a different county and city.",
"I\u2019m concerned because they are attacking people associated with her and thins needs to stop",
"This is dangerous. What is law enforcement for? They are probably controlled by Palantir as is Trump",
"Lots of detail because someone , somewhere is going through this."
],
"public": 1,
"adversary": "",
"targeted_countries": [],
"malware_families": [
{
"id": "Mirai",
"display_name": "Mirai",
"target": null
},
{
"id": "Win32:RansomX-gen\\ [Ransom]",
"display_name": "Win32:RansomX-gen\\ [Ransom]",
"target": null
},
{
"id": "ELF:Mirai-AAL\\ [Trj]",
"display_name": "ELF:Mirai-AAL\\ [Trj]",
"target": null
},
{
"id": "Emotet",
"display_name": "Emotet",
"target": null
}
],
"attack_ids": [
{
"id": "T1027",
"name": "Obfuscated Files or Information",
"display_name": "T1027 - Obfuscated Files or Information"
},
{
"id": "T1057",
"name": "Process Discovery",
"display_name": "T1057 - Process Discovery"
},
{
"id": "T1071",
"name": "Application Layer Protocol",
"display_name": "T1071 - Application Layer Protocol"
},
{
"id": "T1105",
"name": "Ingress Tool Transfer",
"display_name": "T1105 - Ingress Tool Transfer"
},
{
"id": "T1129",
"name": "Shared Modules",
"display_name": "T1129 - Shared Modules"
},
{
"id": "T1203",
"name": "Exploitation for Client Execution",
"display_name": "T1203 - Exploitation for Client Execution"
},
{
"id": "T1518",
"name": "Software Discovery",
"display_name": "T1518 - Software Discovery"
},
{
"id": "T1553",
"name": "Subvert Trust Controls",
"display_name": "T1553 - Subvert Trust Controls"
},
{
"id": "T1568",
"name": "Dynamic Resolution",
"display_name": "T1568 - Dynamic Resolution"
},
{
"id": "T1583",
"name": "Acquire Infrastructure",
"display_name": "T1583 - Acquire Infrastructure"
},
{
"id": "T1071.001",
"name": "Web Protocols",
"display_name": "T1071.001 - Web Protocols"
},
{
"id": "T1583.005",
"name": "Botnet",
"display_name": "T1583.005 - Botnet"
},
{
"id": "T1553.001",
"name": "Gatekeeper Bypass",
"display_name": "T1553.001 - Gatekeeper Bypass"
},
{
"id": "T1568.002",
"name": "Domain Generation Algorithms",
"display_name": "T1568.002 - Domain Generation Algorithms"
},
{
"id": "T1071.004",
"name": "DNS",
"display_name": "T1071.004 - DNS"
},
{
"id": "T1518.001",
"name": "Security Software Discovery",
"display_name": "T1518.001 - Security Software Discovery"
},
{
"id": "T1553.002",
"name": "Code Signing",
"display_name": "T1553.002 - Code Signing"
},
{
"id": "T1113",
"name": "Screen Capture",
"display_name": "T1113 - Screen Capture"
},
{
"id": "T1069",
"name": "Permission Groups Discovery",
"display_name": "T1069 - Permission Groups Discovery"
},
{
"id": "T1480",
"name": "Execution Guardrails",
"display_name": "T1480 - Execution Guardrails"
},
{
"id": "T1140",
"name": "Deobfuscate/Decode Files or Information",
"display_name": "T1140 - Deobfuscate/Decode Files or Information"
}
],
"industries": [],
"TLP": "green",
"cloned_from": null,
"export_count": 4,
"upvotes_count": 0,
"downvotes_count": 0,
"votes_count": 0,
"locked": false,
"pulse_source": "web",
"validator_count": 0,
"comment_count": 5,
"follower_count": 0,
"vote": 0,
"author": {
"username": "Q.Vashti",
"id": "337942",
"avatar_url": "https://otx.alienvault.com/assets/images/default-avatar.png",
"is_subscribed": false,
"is_following": false
},
"indicator_type_counts": {
"URL": 1037,
"domain": 161,
"hostname": 340,
"email": 2,
"FileHash-SHA256": 315,
"FileHash-MD5": 14,
"FileHash-SHA1": 20,
"CIDR": 16,
"SSLCertFingerprint": 8
},
"indicator_count": 1913,
"is_author": false,
"is_subscribing": null,
"subscriber_count": 137,
"modified_text": "83 days ago ",
"is_modified": true,
"groups": [],
"in_group": false,
"threat_hunter_scannable": true,
"threat_hunter_has_agents": 1,
"related_indicator_type": "URL",
"related_indicator_is_active": 1
},
{
"id": "68e2bb5d9ee8577ab5519f2c",
"name": "Meritshealth with DoD links? ",
"description": "",
"modified": "2026-01-13T00:05:56.401000",
"created": "2025-10-05T18:39:25.286000",
"tags": [
"gtmk5nxqc6",
"utc amazon",
"utc na",
"acceptencoding",
"gmt contenttype",
"connection",
"true pragma",
"gmt setcookie",
"httponly",
"gmt vary",
"nc000000 up",
"html document",
"unicode text",
"utf8 text",
"oc0006 http",
"http traffic",
"https http",
"mitre att",
"control ta0011",
"protocol t1071",
"match info",
"t1573 severity",
"info",
"number",
"ja3s",
"algorithm",
"azure rsa",
"tls issuing",
"cus subject",
"stwa lredmond",
"cnmicrosoft ecc",
"update secure",
"server ca",
"omicrosoft cus",
"get http",
"dns resolutions",
"registrar",
"markmonitor inc",
"country",
"resolver domain",
"type name",
"html",
"apnic",
"apnic whois",
"please",
"rirs",
"cidr",
"learn",
"ck id",
"name tactics",
"suspicious",
"informative",
"command",
"adversaries",
"development att",
"name tactics",
"binary file",
"ck matrix",
"wheelchair",
"iamrobert",
"pattern match",
"ascii text",
"href",
"united",
"general",
"local",
"path",
"encrypt",
"click",
"passive dns",
"urls",
"files",
"reverse dns",
"netherlands",
"present aug",
"a domains",
"moved",
"first pqc",
"ip address",
"unknown ns",
"unknown aaaa",
"title",
"body",
"meta",
"window",
"accept",
"body doctype",
"welcome",
"ok server",
"gmt content",
"present jul",
"present sep",
"aaaa",
"hostname",
"error",
"defense evasion",
"windows nt",
"response",
"vary",
"strings",
"core",
"t1027.013 encrypted/encoded",
"michelin lazy k",
"prefetch8",
"flag",
"date",
"starfield",
"hybrid",
"mobility cr",
"extraction",
"data upload",
"include",
"o url",
"url url",
"included i0",
"review ioc",
"excluded ic",
"suggested",
"find sugi",
"failed",
"cre pul",
"enter",
"enter sc",
"type",
"enric",
"extra",
"type opaste",
"data u",
"included",
"copy md5",
"copy sha1",
"copy sha256",
"null",
"refresh",
"tools",
"look",
"verify",
"restart",
"t1480 execution",
"expiration",
"url https",
"no expiration",
"iocs",
"ipv4",
"text drag",
"drop or",
"browse to",
"select file",
"redacted for",
"server",
"privacy tech",
"privacy admin",
"postal code",
"stateprovince",
"organization",
"email",
"code",
"quantum rooms",
"sam somalia",
"emp",
"porn",
"media defense",
"gov porn",
"suck my nips",
"reimer suspect",
"jeffrey reimer",
"dod",
"department of defense",
"show",
"date checked",
"url hostname",
"server response",
"google safe",
"results may",
"entries http",
"scans record",
"value status",
"sabey type",
"merits fake",
"y.a.s.",
"pornography",
"ramsom"
],
"references": [
"https://www.meritshealth.com/ Defense.Gov Mobility Co? ",
"zeroeyes.host \u2022 media.defense.gov \u2022 defense.gov \u2022 23.222.155.67",
"https://media.defense.gov/2022/Mar/17/2002958406/-1/-1/1/SUMMARY-OF-THE-JOINT-ALL-DOMAIN-COMMAND-AND-CONTROL-STRATEGY.pdf",
"https://media.defense.gov/2020/jun/09/2002313081/-1/-1/0/csi-detect-and-prevent-web-shell-malware-20200422.pdf",
"https://rto.bappam.eu/ai-n2cdl/mirai-2025-ven5k-telugu-movie-watch-online.html",
"https://pornokind.vgt.pl \u2022 https://cdn2.video.itsyourporn.com",
"https://webcams.itsyourporn.com/ \u2022 https://members.itsyourporn.com/",
"https://pics-storage-1.pornhat.com/contents/albums/main/1920x1080/135000/135855/9537375.jp",
"https://static.pornhat.com/contents/videos_screenshots/642000/642793/640x360/1.jpg",
"https://d1rozh26tys225.cloudfront.net/robot-suspicion.svg (mobility company no one has heard of)",
"https://www2.itsyourporn.com/license.php \u2022 https://www.lovephoto.tw/members",
"https://members.engine.com/login \u2022 https://members.engine.com/payment-details/220210",
"https://www-pornocarioca-com.sexogratis.page/videos/bbb/ex",
"https://media.defense.gov/2024/sep/18/2003547016/-1/-1/0/csa-prc-linked-actors-botnet.pdf",
"https://maisexo-com.putaria.info/casting \u2022 https://contosadultos-club.sexogratis.page/tudo",
"https://meumundogay-com.sexogratis.page/locker",
"https://es.pornhat.com/models/the-sex-creator/",
"Dear US Government, the man who assaulted targets name is Jeffrey Scott Reimer of Chester Springs, PA",
"Can the DoD no questions asked target a SA victim",
"Red Team Abuse? Starfield ? DoD? You need a real criminal Jeffrey Reimer.",
"There\u2019s a problem with terrorizing victims, relatives of, associates of and stealing their property intellectual or otherwise",
"socialmedia \u2022 socialmedia.defense.gov \u2022 static.defense.gov",
"There is fear in silence or speaking out",
"Target left unattended by anyone in a hospital except a security guard. Hospital refused care. Ignored rare brain incident from high cervical & brain assault injuries aggravated by car accident.",
"3-4 Police presence. 25 + hospital employees prepped radiology room. No one left room so was it for her?",
"If someone is believed to be a threat they have right to due process.",
"Infectious Disease UC Health denied target medication they said she needed as questionable liquid seeped into her brain.",
"She was a researcher not a hacker. A mother not a criminal. Most talented and least impressed person I have ever known.",
"Remarks online \u2018 T\u2019*#^^ is not a runner\u2019 a size 00 broke two track records at a major universities.",
"Honestly, you\u2019ve never seen or met her no many how many people you\u2019ve sent out. That\u2019s why you quiz.",
"ftp.iamrobert.com ? \u2022 https://www.meritshealth.com/templates/iamrobert/fonts/Graphik-Regular.eot",
"iamrobert.com Y.A.S.",
"1.2016 M.Brian Sabey filed a complaint about? Jeffrey Reimer refused Lie detector test and False memory exam",
"Target agreed and complied with all lie detector measures.",
"Is the family allowed to have a funeral for Tsara or print an obituary",
"No, they put Tsara in her mom\u2019s obituary, she couldn\u2019t grieve, she had to take it down.",
"I am very upset. Whoever is doing this is sick."
],
"public": 1,
"adversary": "",
"targeted_countries": [
"United States of America"
],
"malware_families": [
{
"id": "APNIC",
"display_name": "APNIC",
"target": null
},
{
"id": "Malware",
"display_name": "Malware",
"target": null
}
],
"attack_ids": [
{
"id": "T1071",
"name": "Application Layer Protocol",
"display_name": "T1071 - Application Layer Protocol"
},
{
"id": "T1573",
"name": "Encrypted Channel",
"display_name": "T1573 - Encrypted Channel"
},
{
"id": "T1027",
"name": "Obfuscated Files or Information",
"display_name": "T1027 - Obfuscated Files or Information"
},
{
"id": "T1057",
"name": "Process Discovery",
"display_name": "T1057 - Process Discovery"
},
{
"id": "T1069",
"name": "Permission Groups Discovery",
"display_name": "T1069 - Permission Groups Discovery"
},
{
"id": "T1105",
"name": "Ingress Tool Transfer",
"display_name": "T1105 - Ingress Tool Transfer"
},
{
"id": "T1480",
"name": "Execution Guardrails",
"display_name": "T1480 - Execution Guardrails"
},
{
"id": "T1553",
"name": "Subvert Trust Controls",
"display_name": "T1553 - Subvert Trust Controls"
},
{
"id": "T1566",
"name": "Phishing",
"display_name": "T1566 - Phishing"
},
{
"id": "T1568",
"name": "Dynamic Resolution",
"display_name": "T1568 - Dynamic Resolution"
},
{
"id": "T1583",
"name": "Acquire Infrastructure",
"display_name": "T1583 - Acquire Infrastructure"
},
{
"id": "T1069.002",
"name": "Domain Groups",
"display_name": "T1069.002 - Domain Groups"
},
{
"id": "T1071.001",
"name": "Web Protocols",
"display_name": "T1071.001 - Web Protocols"
},
{
"id": "T1583.001",
"name": "Domains",
"display_name": "T1583.001 - Domains"
},
{
"id": "TA0042",
"name": "Resource Development",
"display_name": "TA0042 - Resource Development"
},
{
"id": "TA0005",
"name": "Defense Evasion",
"display_name": "TA0005 - Defense Evasion"
},
{
"id": "T1553.002",
"name": "Code Signing",
"display_name": "T1553.002 - Code Signing"
},
{
"id": "T1528",
"name": "Steal Application Access Token",
"display_name": "T1528 - Steal Application Access Token"
},
{
"id": "T1071.004",
"name": "DNS",
"display_name": "T1071.004 - DNS"
},
{
"id": "T1113",
"name": "Screen Capture",
"display_name": "T1113 - Screen Capture"
},
{
"id": "T1590",
"name": "Gather Victim Network Information",
"display_name": "T1590 - Gather Victim Network Information"
},
{
"id": "T1591",
"name": "Gather Victim Org Information",
"display_name": "T1591 - Gather Victim Org Information"
},
{
"id": "T1132",
"name": "Data Encoding",
"display_name": "T1132 - Data Encoding"
},
{
"id": "T1140",
"name": "Deobfuscate/Decode Files or Information",
"display_name": "T1140 - Deobfuscate/Decode Files or Information"
},
{
"id": "T1562",
"name": "Impair Defenses",
"display_name": "T1562 - Impair Defenses"
},
{
"id": "T1457",
"name": "Malicious Media Content",
"display_name": "T1457 - Malicious Media Content"
},
{
"id": "T1562.001",
"name": "Disable or Modify Tools",
"display_name": "T1562.001 - Disable or Modify Tools"
},
{
"id": "T1562.004",
"name": "Disable or Modify System Firewall",
"display_name": "T1562.004 - Disable or Modify System Firewall"
},
{
"id": "T1089",
"name": "Disabling Security Tools",
"display_name": "T1089 - Disabling Security Tools"
},
{
"id": "T1562.008",
"name": "Disable Cloud Logs",
"display_name": "T1562.008 - Disable Cloud Logs"
},
{
"id": "T1125",
"name": "Video Capture",
"display_name": "T1125 - Video Capture"
},
{
"id": "T1056.003",
"name": "Web Portal Capture",
"display_name": "T1056.003 - Web Portal Capture"
},
{
"id": "T1512",
"name": "Capture Camera",
"display_name": "T1512 - Capture Camera"
},
{
"id": "T1180",
"name": "Screensaver",
"display_name": "T1180 - Screensaver"
}
],
"industries": [],
"TLP": "white",
"cloned_from": "68e2b14d83bb63502feac65e",
"export_count": 17,
"upvotes_count": 0,
"downvotes_count": 0,
"votes_count": 0,
"locked": false,
"pulse_source": "web",
"validator_count": 0,
"comment_count": 0,
"follower_count": 0,
"vote": 0,
"author": {
"username": "Q.Vashti",
"id": "337942",
"avatar_url": "https://otx.alienvault.com/assets/images/default-avatar.png",
"is_subscribed": false,
"is_following": false
},
"indicator_type_counts": {
"domain": 1365,
"URL": 11172,
"hostname": 2780,
"FileHash-MD5": 381,
"FileHash-SHA256": 4420,
"FileHash-SHA1": 338,
"CIDR": 4,
"SSLCertFingerprint": 24,
"CVE": 1,
"email": 1
},
"indicator_count": 20486,
"is_author": false,
"is_subscribing": null,
"subscriber_count": 139,
"modified_text": "97 days ago ",
"is_modified": true,
"groups": [],
"in_group": false,
"threat_hunter_scannable": true,
"threat_hunter_has_agents": 1,
"related_indicator_type": "URL",
"related_indicator_is_active": 1
},
{
"id": "68e2b14d83bb63502feac65e",
"name": "Did the \u2018real\u2019 DoD kill Targets wheelchair as promised? It\u2019s alive again.",
"description": "I\u2019d never think the DoD would be found when researching a wheelchair company NO ONE has ever heard of in this region. \n\nA wheelchair was ordered for target early spring, it was received in early summer. \n\nSettings became a crazy mess. Suspicion was immediate as a toothless tech tried to identify if dealing w/target by birth year , quizzing, fear tactics (doomsday wheelchair) , familiar Then warns about EMP attacks against wheelchair? His son is a hacker (gamer) + software engineer. He left not knowing if target status after quizzing tech knowledge? I intentionally verbalized the truth , target was a very early adopter of Ruby & Ruby on Rails & everything tech, he dropped his tools & left breaking the arm of wheelchair. New tech needed. Later denies ever being a mobility technician. They killed a new wheelchair. Why?. You\u2019re allowed to donate your equipment Vets & uninsured NEED mobility equipment. Stop the craziness. Is it possible gamer hackers are riding the DoD w/o their knowledge?",
"modified": "2026-01-07T00:00:30.717000",
"created": "2025-10-05T17:56:29.109000",
"tags": [
"gtmk5nxqc6",
"utc amazon",
"utc na",
"acceptencoding",
"gmt contenttype",
"connection",
"true pragma",
"gmt setcookie",
"httponly",
"gmt vary",
"nc000000 up",
"html document",
"unicode text",
"utf8 text",
"oc0006 http",
"http traffic",
"https http",
"mitre att",
"control ta0011",
"protocol t1071",
"match info",
"t1573 severity",
"info",
"number",
"ja3s",
"algorithm",
"azure rsa",
"tls issuing",
"cus subject",
"stwa lredmond",
"cnmicrosoft ecc",
"update secure",
"server ca",
"omicrosoft cus",
"get http",
"dns resolutions",
"registrar",
"markmonitor inc",
"country",
"resolver domain",
"type name",
"html",
"apnic",
"apnic whois",
"please",
"rirs",
"cidr",
"learn",
"ck id",
"name tactics",
"suspicious",
"informative",
"command",
"adversaries",
"development att",
"name tactics",
"binary file",
"ck matrix",
"wheelchair",
"iamrobert",
"pattern match",
"ascii text",
"href",
"united",
"general",
"local",
"path",
"encrypt",
"click",
"passive dns",
"urls",
"files",
"reverse dns",
"netherlands",
"present aug",
"a domains",
"moved",
"first pqc",
"ip address",
"unknown ns",
"unknown aaaa",
"title",
"body",
"meta",
"window",
"accept",
"body doctype",
"welcome",
"ok server",
"gmt content",
"present jul",
"present sep",
"aaaa",
"hostname",
"error",
"defense evasion",
"windows nt",
"response",
"vary",
"strings",
"core",
"t1027.013 encrypted/encoded",
"michelin lazy k",
"prefetch8",
"flag",
"date",
"starfield",
"hybrid",
"mobility cr",
"extraction",
"data upload",
"include",
"o url",
"url url",
"included i0",
"review ioc",
"excluded ic",
"suggested",
"find sugi",
"failed",
"cre pul",
"enter",
"enter sc",
"type",
"enric",
"extra",
"type opaste",
"data u",
"included",
"copy md5",
"copy sha1",
"copy sha256",
"null",
"refresh",
"tools",
"look",
"verify",
"restart",
"t1480 execution",
"expiration",
"url https",
"no expiration",
"iocs",
"ipv4",
"text drag",
"drop or",
"browse to",
"select file",
"redacted for",
"server",
"privacy tech",
"privacy admin",
"postal code",
"stateprovince",
"organization",
"email",
"code",
"quantum rooms",
"sam somalia",
"emp",
"porn",
"media defense",
"gov porn",
"suck my nips",
"reimer suspect",
"jeffrey reimer",
"dod",
"department of defense",
"show",
"date checked",
"url hostname",
"server response",
"google safe",
"results may",
"entries http",
"scans record",
"value status",
"sabey type",
"merits fake",
"y.a.s.",
"pornography",
"ramsom"
],
"references": [
"https://www.meritshealth.com/ Defense.Gov Mobility Co? ",
"zeroeyes.host \u2022 media.defense.gov \u2022 defense.gov \u2022 23.222.155.67",
"https://media.defense.gov/2022/Mar/17/2002958406/-1/-1/1/SUMMARY-OF-THE-JOINT-ALL-DOMAIN-COMMAND-AND-CONTROL-STRATEGY.pdf",
"https://media.defense.gov/2020/jun/09/2002313081/-1/-1/0/csi-detect-and-prevent-web-shell-malware-20200422.pdf",
"https://rto.bappam.eu/ai-n2cdl/mirai-2025-ven5k-telugu-movie-watch-online.html",
"https://pornokind.vgt.pl \u2022 https://cdn2.video.itsyourporn.com",
"https://webcams.itsyourporn.com/ \u2022 https://members.itsyourporn.com/",
"https://pics-storage-1.pornhat.com/contents/albums/main/1920x1080/135000/135855/9537375.jp",
"https://static.pornhat.com/contents/videos_screenshots/642000/642793/640x360/1.jpg",
"https://d1rozh26tys225.cloudfront.net/robot-suspicion.svg (mobility company no one has heard of)",
"https://www2.itsyourporn.com/license.php \u2022 https://www.lovephoto.tw/members",
"https://members.engine.com/login \u2022 https://members.engine.com/payment-details/220210",
"https://www-pornocarioca-com.sexogratis.page/videos/bbb/ex",
"https://media.defense.gov/2024/sep/18/2003547016/-1/-1/0/csa-prc-linked-actors-botnet.pdf",
"https://maisexo-com.putaria.info/casting \u2022 https://contosadultos-club.sexogratis.page/tudo",
"https://meumundogay-com.sexogratis.page/locker",
"https://es.pornhat.com/models/the-sex-creator/",
"Dear US Government, the man who assaulted targets name is Jeffrey Scott Reimer of Chester Springs, PA",
"Can the DoD no questions asked target a SA victim",
"Red Team Abuse? Starfield ? DoD? You need a real criminal Jeffrey Reimer.",
"There\u2019s a problem with terrorizing victims, relatives of, associates of and stealing their property intellectual or otherwise",
"socialmedia \u2022 socialmedia.defense.gov \u2022 static.defense.gov",
"There is fear in silence or speaking out",
"Target left unattended by anyone in a hospital except a security guard. Hospital refused care. Ignored rare brain incident from high cervical & brain assault injuries aggravated by car accident.",
"3-4 Police presence. 25 + hospital employees prepped radiology room. No one left room so was it for her?",
"If someone is believed to be a threat they have right to due process.",
"Infectious Disease UC Health denied target medication they said she needed as questionable liquid seeped into her brain.",
"She was a researcher not a hacker. A mother not a criminal. Most talented and least impressed person I have ever known.",
"Remarks online \u2018 T\u2019*#^^ is not a runner\u2019 a size 00 broke two track records at a major universities.",
"Honestly, you\u2019ve never seen or met her no many how many people you\u2019ve sent out. That\u2019s why you quiz.",
"ftp.iamrobert.com ? \u2022 https://www.meritshealth.com/templates/iamrobert/fonts/Graphik-Regular.eot",
"iamrobert.com Y.A.S.",
"1.2016 M.Brian Sabey filed a complaint about? Jeffrey Reimer refused Lie detector test and False memory exam",
"Target agreed and complied with all lie detector measures.",
"Is the family allowed to have a funeral for Tsara or print an obituary",
"No, they put Tsara in her mom\u2019s obituary, she couldn\u2019t grieve, she had to take it down.",
"I am very upset. Whoever is doing this is sick."
],
"public": 1,
"adversary": "",
"targeted_countries": [
"United States of America"
],
"malware_families": [
{
"id": "APNIC",
"display_name": "APNIC",
"target": null
},
{
"id": "Malware",
"display_name": "Malware",
"target": null
}
],
"attack_ids": [
{
"id": "T1071",
"name": "Application Layer Protocol",
"display_name": "T1071 - Application Layer Protocol"
},
{
"id": "T1573",
"name": "Encrypted Channel",
"display_name": "T1573 - Encrypted Channel"
},
{
"id": "T1027",
"name": "Obfuscated Files or Information",
"display_name": "T1027 - Obfuscated Files or Information"
},
{
"id": "T1057",
"name": "Process Discovery",
"display_name": "T1057 - Process Discovery"
},
{
"id": "T1069",
"name": "Permission Groups Discovery",
"display_name": "T1069 - Permission Groups Discovery"
},
{
"id": "T1105",
"name": "Ingress Tool Transfer",
"display_name": "T1105 - Ingress Tool Transfer"
},
{
"id": "T1480",
"name": "Execution Guardrails",
"display_name": "T1480 - Execution Guardrails"
},
{
"id": "T1553",
"name": "Subvert Trust Controls",
"display_name": "T1553 - Subvert Trust Controls"
},
{
"id": "T1566",
"name": "Phishing",
"display_name": "T1566 - Phishing"
},
{
"id": "T1568",
"name": "Dynamic Resolution",
"display_name": "T1568 - Dynamic Resolution"
},
{
"id": "T1583",
"name": "Acquire Infrastructure",
"display_name": "T1583 - Acquire Infrastructure"
},
{
"id": "T1069.002",
"name": "Domain Groups",
"display_name": "T1069.002 - Domain Groups"
},
{
"id": "T1071.001",
"name": "Web Protocols",
"display_name": "T1071.001 - Web Protocols"
},
{
"id": "T1583.001",
"name": "Domains",
"display_name": "T1583.001 - Domains"
},
{
"id": "TA0042",
"name": "Resource Development",
"display_name": "TA0042 - Resource Development"
},
{
"id": "TA0005",
"name": "Defense Evasion",
"display_name": "TA0005 - Defense Evasion"
},
{
"id": "T1553.002",
"name": "Code Signing",
"display_name": "T1553.002 - Code Signing"
},
{
"id": "T1528",
"name": "Steal Application Access Token",
"display_name": "T1528 - Steal Application Access Token"
},
{
"id": "T1071.004",
"name": "DNS",
"display_name": "T1071.004 - DNS"
},
{
"id": "T1113",
"name": "Screen Capture",
"display_name": "T1113 - Screen Capture"
},
{
"id": "T1590",
"name": "Gather Victim Network Information",
"display_name": "T1590 - Gather Victim Network Information"
},
{
"id": "T1591",
"name": "Gather Victim Org Information",
"display_name": "T1591 - Gather Victim Org Information"
},
{
"id": "T1132",
"name": "Data Encoding",
"display_name": "T1132 - Data Encoding"
},
{
"id": "T1140",
"name": "Deobfuscate/Decode Files or Information",
"display_name": "T1140 - Deobfuscate/Decode Files or Information"
},
{
"id": "T1562",
"name": "Impair Defenses",
"display_name": "T1562 - Impair Defenses"
},
{
"id": "T1457",
"name": "Malicious Media Content",
"display_name": "T1457 - Malicious Media Content"
},
{
"id": "T1562.001",
"name": "Disable or Modify Tools",
"display_name": "T1562.001 - Disable or Modify Tools"
},
{
"id": "T1562.004",
"name": "Disable or Modify System Firewall",
"display_name": "T1562.004 - Disable or Modify System Firewall"
},
{
"id": "T1089",
"name": "Disabling Security Tools",
"display_name": "T1089 - Disabling Security Tools"
},
{
"id": "T1562.008",
"name": "Disable Cloud Logs",
"display_name": "T1562.008 - Disable Cloud Logs"
},
{
"id": "T1125",
"name": "Video Capture",
"display_name": "T1125 - Video Capture"
},
{
"id": "T1056.003",
"name": "Web Portal Capture",
"display_name": "T1056.003 - Web Portal Capture"
},
{
"id": "T1512",
"name": "Capture Camera",
"display_name": "T1512 - Capture Camera"
},
{
"id": "T1180",
"name": "Screensaver",
"display_name": "T1180 - Screensaver"
}
],
"industries": [],
"TLP": "white",
"cloned_from": null,
"export_count": 11,
"upvotes_count": 0,
"downvotes_count": 0,
"votes_count": 0,
"locked": false,
"pulse_source": "web",
"validator_count": 0,
"comment_count": 1,
"follower_count": 0,
"vote": 0,
"author": {
"username": "Q.Vashti",
"id": "337942",
"avatar_url": "https://otx.alienvault.com/assets/images/default-avatar.png",
"is_subscribed": false,
"is_following": false
},
"indicator_type_counts": {
"domain": 1328,
"URL": 9931,
"hostname": 2621,
"FileHash-MD5": 381,
"FileHash-SHA256": 4360,
"FileHash-SHA1": 338,
"CIDR": 4,
"SSLCertFingerprint": 24,
"CVE": 1,
"email": 1
},
"indicator_count": 18989,
"is_author": false,
"is_subscribing": null,
"subscriber_count": 139,
"modified_text": "103 days ago ",
"is_modified": true,
"groups": [],
"in_group": false,
"threat_hunter_scannable": true,
"threat_hunter_has_agents": 1,
"related_indicator_type": "URL",
"related_indicator_is_active": 1
},
{
"id": "6923408464566e39caf32285",
"name": "Discord- DNS | Malvertizing | Ransom/Msilzilla (sifting IoC\u2019s created by scnrscnr)",
"description": "TAGS\nActive\n443 ma2592000\nChristopher Pool\nPool's Closed\nTimothy Pool\na li\n google\namerica att\napache\napache ip\nasn as46606\nauditmode force\nbehavior\nbinary\nbinary file\nbk role\nchat\ncheck\nchrome\nck ids\ncommon stealer\ncookie\ndata upload\ndefender\ndelete c\ndirectui\ndiscord\ndns lookup\ndomain add\ndrop\ndynamicloader\neb d8\nee fc\nerror oct\nexplorer\nexternal ip\nextraction\nf0 ff\nfailed\nff bb\nff d5\nff ff\nfiles\nfoundry\ngmt content\ngmt etag\ngmt server\ngoogle chrome\nguard\nhigh\ninsert\nlolminer\nmalware\nmedia\nmeta\nmoved\nmovie\nmsie\nmsvisualbasic60\nmtb aug -present \nneversend\npowershell\nrelated nids\nresponse ip\nself\nservice domain\nsingapore\nsmartassembly\nspan\nspan a\nsx08x00x00a\ntargeting\ntls sni\ntrojan\ntrojandropper\ntwitter\ntx08x00x00n\nunique\nuser agent\nux08x00x00h\nvirtool\nvirustotal api\nvoice\nvx08x00x00j\nwrite\nwrite c\nwx08x00x00\nx08x00x00b\nx08x00x00x00\nyara\nyara rule\nyx08x00x00l\nz3je\nz3uwq7\nzx08x00x00",
"modified": "2025-12-23T16:04:54.329000",
"created": "2025-11-23T17:12:36.917000",
"tags": [
"no expiration",
"expiration",
"url https",
"url http",
"filehashsha256",
"hostname",
"domain",
"filehashmd5",
"filehashsha1",
"ipv4",
"code",
"pool",
"timothy pool",
"z3je z3uwq7",
"creation date",
"ip address",
"emails",
"expiration date",
"status",
"hostname add",
"pulse pulses",
"passive dns",
"urls",
"date"
],
"references": [
"https://otx.alienvault.com/pulse/5fa57698ac0f6638b7b9a8ba",
"Examining pulse created by scnrscnr is worth reviewing. I was surprised tonal see a targets name.I didn\u2019t see Foundry highlighted",
"http://aninditaannisa.blogspot.com/2019/02/tsara-brashears-porn.html \u2022 blogspot.com",
"https://aninditaannisa.blogspot.com/2019/02/tsara-brashears-porn.html \u2022 blogspot.com \u2022 www.techcult.com/judge-the-simpsons-parody-is-child-pornography/ Whitelisted domain techcult.com\t Domain blogspot.com Whitelisted domain blogspot.com\t Domain techcult.com Whitelisted domain techcult.com\t Hostname aninditaannisa.blogspot.com \u2022 domain blogspot.com",
"www.techcult.com",
"http://foundry.tartarynova.com phishing \u2022 https://foundry.tartarynova.com \u2022 foundry.tartarynova.com",
"https://trail.truefoundry.com/api/t/c/usr_NEDuPPvnqv5DXyhti/tsk_X2YECqnpAow7t6JuE/enc_U2FsdGVkX1_wWHRx9nPGCEspZpUcIwc1yphMTxaaQ2ZAbsxOqRR4ibXcaYtcmgJ1UgabTFCHVVBLx2oAnBAW2h8el_edjHN72Ug0yKQePjKnSJEOnQvtq8MUPo0vkU1N",
"https://trail.truefoundry.com/api/track/open/usr_NEDuPPvnqv5DXyhti/tsk_L9bYYgL2HGng9mDsC",
"https://trail.truefoundry.com/api/track/open/usr_NEDuPPvnqv5DXyhti/tsk_X2YECqnpAow7t6JuE",
"truefoundry.com \u2022 assets.production.truefoundry.com \u2022 cpt.llm-gateway.truefoundry.com",
"yyz.llm-gateway.truefoundry.com \u2022 trail.truefoundry.com \u2022 sin.llm-gateway.truefoundry.com",
"lm-gateway.truefoundry.com \u2022 https://assets.production.truefoundry.com/sample-openapi.json",
"162.159.128.233 \u2022 http://tsar.vicly.org \u2022 https://tsar.vicly.org \u2022 tsar.vicly.org \u2022 vicly.org \u2022 https://tsar.vicly.org/",
"http://scteamcommunity.com/4k-high-res-porn-videos/squirt phishing",
"http://pic.porn.hub-accessories.site \u2022 https://pic.porn.hub-accessories.site \u2022 pic.porn.hub-accessories.site",
"2022ww11.pornhubgsy.com \u2022 http://scteamcommunity.com/4k-high-res-porn-videos/squirt",
"IDS Detections: Observed Discord Domain in DNS Lookup (discord .com) Discord Chat Service Domain in DNS Lookup (discord .com)",
"IDS Detections: Observed Discord Domain (discord .com in TLS SNI)",
"IDS Detections: Observed Cloudflare DNS over HTTPS Domain (cloudflare-dns .com in TLS SNI)",
"IDS Detections: Observed Discord Domain (discordapp .com in TLS SNI) Observed Discord Service Domain (discord .com) in TLS SNI Less",
"Yara: Detections ConventionEngine_Term_Users",
"Yara: ConventionEngine_Anomaly_MultiPDB_Double , ConventionEngine_Term_Documents",
"Alerts: infostealer_browser infostealer_cookies binary_yara procmem_yara static_pe_anomaly",
"Alerts: pe_compile_timestomping antiav_detectfile antidebug_guardpages encrypted_ioc",
"Alerts: dynamic_function_loading injection_write_process reads_memory_remote_process",
"Alerts : network_cnc_https_generic reads_self packer_entropy injection_rwx uses_windows_utilities antivm_checks_available_memory queries_computer_name queries_user_name",
"Yara : MS_Visual_Basic_6_0 ,",
"Yara : UPX , Nrv2x , UPX_OEP_place , UPXV200V290MarkusOberhumerLaszloMolnarJohnReiser , UPXv20MarkusLaszloReiser",
"Alerts : ransomware_file_modifications stealth_file procmem_yara static_pe_anomaly",
"Alerts: disables_folder_options stealth_hidden_extension stealth_hiddenreg anomalous_deletefile",
"Alerts: mouse_movement_detect",
"Couldn\u2019t pulse 1st pulse so here\u2019s what\u2019s left",
"scnrscnr pulse is good. I\u2019m assuming they\u2019re targets.",
"Foundry stalking."
],
"public": 1,
"adversary": "",
"targeted_countries": [
"United States of America"
],
"malware_families": [
{
"id": "TrojanDropper:Win32/VB.IL0",
"display_name": "TrojanDropper:Win32/VB.IL0",
"target": "/malware/TrojanDropper:Win32/VB.IL0"
},
{
"id": "ALF:Trojan:Win32/Cassini_56a3061!ibt",
"display_name": "ALF:Trojan:Win32/Cassini_56a3061!ibt",
"target": null
},
{
"id": "Win.Ransomware.Msilzilla-10014498-0",
"display_name": "Win.Ransomware.Msilzilla-10014498-0",
"target": null
}
],
"attack_ids": [
{
"id": "T1031",
"name": "Modify Existing Service",
"display_name": "T1031 - Modify Existing Service"
},
{
"id": "T1045",
"name": "Software Packing",
"display_name": "T1045 - Software Packing"
},
{
"id": "T1060",
"name": "Registry Run Keys / Startup Folder",
"display_name": "T1060 - Registry Run Keys / Startup Folder"
},
{
"id": "T1063",
"name": "Security Software Discovery",
"display_name": "T1063 - Security Software Discovery"
},
{
"id": "T1071",
"name": "Application Layer Protocol",
"display_name": "T1071 - Application Layer Protocol"
},
{
"id": "T1119",
"name": "Automated Collection",
"display_name": "T1119 - Automated Collection"
},
{
"id": "T1140",
"name": "Deobfuscate/Decode Files or Information",
"display_name": "T1140 - Deobfuscate/Decode Files or Information"
},
{
"id": "T1210",
"name": "Exploitation of Remote Services",
"display_name": "T1210 - Exploitation of Remote Services"
},
{
"id": "T1443",
"name": "Remotely Install Application",
"display_name": "T1443 - Remotely Install Application"
},
{
"id": "T1546",
"name": "Event Triggered Execution",
"display_name": "T1546 - Event Triggered Execution"
},
{
"id": "T1566",
"name": "Phishing",
"display_name": "T1566 - Phishing"
}
],
"industries": [],
"TLP": "green",
"cloned_from": null,
"export_count": 7,
"upvotes_count": 0,
"downvotes_count": 0,
"votes_count": 0,
"locked": false,
"pulse_source": "web",
"validator_count": 0,
"comment_count": 0,
"follower_count": 0,
"vote": 0,
"author": {
"username": "Q.Vashti",
"id": "337942",
"avatar_url": "https://otx.alienvault.com/assets/images/default-avatar.png",
"is_subscribed": false,
"is_following": false
},
"indicator_type_counts": {
"FileHash-MD5": 773,
"FileHash-SHA1": 684,
"FileHash-SHA256": 1910,
"CVE": 2,
"SSLCertFingerprint": 4,
"URL": 3783,
"domain": 878,
"email": 7,
"hostname": 1913
},
"indicator_count": 9954,
"is_author": false,
"is_subscribing": null,
"subscriber_count": 139,
"modified_text": "118 days ago ",
"is_modified": true,
"groups": [],
"in_group": false,
"threat_hunter_scannable": true,
"threat_hunter_has_agents": 1,
"related_indicator_type": "URL",
"related_indicator_is_active": 1
},
{
"id": "68c62306c74c7f57dc993d13",
"name": "Predator - Dr. Jeffrey Reimer, DPT - Physical Therapist in Denver, CO | Healthgrades",
"description": "Malware with code overlap. JSR , DPT Health Grades account has been removed. An investigator claims Reimer & family have been moved, names , career , changes years ago, claims of government protection for him. After victims MRI JSR left town immediately. Returning in 2016 , coincidentally driving near victim location on various locations. \nIt\u2019s disgusting how technology is being used to cover up a crime instead of solve one.\n#code_overlap #malware #hosts_contacted\n#itstoolatetoapologizeitstoolate",
"modified": "2025-10-14T01:04:58.605000",
"created": "2025-09-14T02:05:58.793000",
"tags": [
"denver",
"jeffrey reimer",
"star rating",
"appointment",
"post",
"response are",
"listened",
"wait",
"reimer",
"healthgrades",
"reply flag",
"doctors",
"find",
"jeff",
"back",
"aurora",
"leave",
"crying",
"tips",
"tags na",
"utc scorecard",
"research beacon",
"utc yahoo",
"dot tags",
"united",
"mozilla",
"write c",
"nsisinetc",
"undetermined",
"medium",
"intel",
"ms windows",
"write",
"trojan",
"defender",
"delphi",
"win32",
"malware",
"win64",
"local",
"next",
"code overlap",
"dynamicloader",
"as15169",
"brazil as28604",
"brazil as396982",
"upatre",
"passive dns",
"title error",
"ipv4 add",
"pulse pulses",
"urls",
"files",
"reverse dns",
"location united",
"america flag",
"body",
"script script",
"powder sdk",
"a domains",
"title",
"script",
"certificate",
"hostname add",
"pulse submit",
"meta",
"learn",
"command",
"ck id",
"name tactics",
"suspicious",
"informative",
"spawns",
"evasion att",
"t1480 execution",
"signing defense",
"flag",
"whois privacy",
"service name",
"server",
"contacted hosts",
"ip address",
"process details",
"size",
"div id",
"beginstring",
"beginerror",
"null",
"error",
"strings",
"refresh",
"tools",
"onload",
"click",
"span",
"remote access"
],
"references": [
"#Lowfi:AGGREGATOR:HasKnownAdwareDomain_NsisBundler",
"YARA: Delphi This program must be run under Win32 compilers TrojanWin32Fakemalard Ujhhd",
"CodeOverlap | All malware listed exists",
"Observed Cloudflare DNS over HTTPS Domain (cloudflare-dns .com in TLS SNI)",
"All #tags auto populated.",
"URL http://virii.es/M/Mobile Malware Attacks and Defense.pdf",
"blog.manpowergroup.com.py (aww like dadvocates)",
"https://isexychat.com/chatrooms/teen-chat/with-others/\t (sounds about right)",
"r53lbr.run-delete-app-sa-east-1-1.run-delete-test-sa-east-1-9zt9rjv.forgeapps.ec2.aws.dev"
],
"public": 1,
"adversary": "",
"targeted_countries": [],
"malware_families": [
{
"id": "#Lowfi:AGGREGATOR:HasKnownAdwareDomain_NsisBundler.",
"display_name": "#Lowfi:AGGREGATOR:HasKnownAdwareDomain_NsisBundler.",
"target": null
},
{
"id": "Win.Malware.Tfuvtcog-7194372-0",
"display_name": "Win.Malware.Tfuvtcog-7194372-0",
"target": null
},
{
"id": "Trojan.Win32.Fakemalard",
"display_name": "Trojan.Win32.Fakemalard",
"target": null
},
{
"id": "Code Overlap",
"display_name": "Code Overlap",
"target": null
},
{
"id": "Trojan.Win32.Banload",
"display_name": "Trojan.Win32.Banload",
"target": null
},
{
"id": "Formbook",
"display_name": "Formbook",
"target": null
},
{
"id": "Malware",
"display_name": "Malware",
"target": null
}
],
"attack_ids": [
{
"id": "T1045",
"name": "Software Packing",
"display_name": "T1045 - Software Packing"
},
{
"id": "T1063",
"name": "Security Software Discovery",
"display_name": "T1063 - Security Software Discovery"
},
{
"id": "T1027",
"name": "Obfuscated Files or Information",
"display_name": "T1027 - Obfuscated Files or Information"
},
{
"id": "T1057",
"name": "Process Discovery",
"display_name": "T1057 - Process Discovery"
},
{
"id": "T1071",
"name": "Application Layer Protocol",
"display_name": "T1071 - Application Layer Protocol"
},
{
"id": "T1105",
"name": "Ingress Tool Transfer",
"display_name": "T1105 - Ingress Tool Transfer"
},
{
"id": "T1480",
"name": "Execution Guardrails",
"display_name": "T1480 - Execution Guardrails"
},
{
"id": "T1553",
"name": "Subvert Trust Controls",
"display_name": "T1553 - Subvert Trust Controls"
},
{
"id": "T1568",
"name": "Dynamic Resolution",
"display_name": "T1568 - Dynamic Resolution"
},
{
"id": "T1140",
"name": "Deobfuscate/Decode Files or Information",
"display_name": "T1140 - Deobfuscate/Decode Files or Information"
}
],
"industries": [
"Medical",
"Media",
"Government."
],
"TLP": "white",
"cloned_from": null,
"export_count": 11,
"upvotes_count": 0,
"downvotes_count": 0,
"votes_count": 0,
"locked": false,
"pulse_source": "web",
"validator_count": 0,
"comment_count": 0,
"follower_count": 0,
"vote": 0,
"author": {
"username": "Q.Vashti",
"id": "337942",
"avatar_url": "https://otx.alienvault.com/assets/images/default-avatar.png",
"is_subscribed": false,
"is_following": false
},
"indicator_type_counts": {
"hostname": 609,
"URL": 1550,
"domain": 280,
"FileHash-SHA256": 1428,
"FileHash-MD5": 133,
"FileHash-SHA1": 115,
"SSLCertFingerprint": 4
},
"indicator_count": 4119,
"is_author": false,
"is_subscribing": null,
"subscriber_count": 139,
"modified_text": "188 days ago ",
"is_modified": true,
"groups": [],
"in_group": false,
"threat_hunter_scannable": true,
"threat_hunter_has_agents": 1,
"related_indicator_type": "URL",
"related_indicator_is_active": 1
},
{
"id": "68c62316b24b23e6d4c579ef",
"name": "Predator - Dr. Jeffrey Reimer, DPT - Physical Therapist in Denver, CO | Healthgrades",
"description": "Malware with code overlap. JSR , DPT Health Grades account has been removed. An investigator claims Reimer & family have been moved, names , career , changes years ago, claims of government protection for him. After victims MRI JSR left town immediately. Returning in 2016 , coincidentally driving near victim location on various locations. \nIt\u2019s disgusting how technology is being used to cover up a crime instead of solve one.\n#code_overlap #malware #hosts_contacted\n#itstoolatetoapologizeitstoolate",
"modified": "2025-10-14T01:04:58.605000",
"created": "2025-09-14T02:06:14.853000",
"tags": [
"denver",
"jeffrey reimer",
"star rating",
"appointment",
"post",
"response are",
"listened",
"wait",
"reimer",
"healthgrades",
"reply flag",
"doctors",
"find",
"jeff",
"back",
"aurora",
"leave",
"crying",
"tips",
"tags na",
"utc scorecard",
"research beacon",
"utc yahoo",
"dot tags",
"united",
"mozilla",
"write c",
"nsisinetc",
"undetermined",
"medium",
"intel",
"ms windows",
"write",
"trojan",
"defender",
"delphi",
"win32",
"malware",
"win64",
"local",
"next",
"code overlap",
"dynamicloader",
"as15169",
"brazil as28604",
"brazil as396982",
"upatre",
"passive dns",
"title error",
"ipv4 add",
"pulse pulses",
"urls",
"files",
"reverse dns",
"location united",
"america flag",
"body",
"script script",
"powder sdk",
"a domains",
"title",
"script",
"certificate",
"hostname add",
"pulse submit",
"meta",
"learn",
"command",
"ck id",
"name tactics",
"suspicious",
"informative",
"spawns",
"evasion att",
"t1480 execution",
"signing defense",
"flag",
"whois privacy",
"service name",
"server",
"contacted hosts",
"ip address",
"process details",
"size",
"div id",
"beginstring",
"beginerror",
"null",
"error",
"strings",
"refresh",
"tools",
"onload",
"click",
"span",
"remote access"
],
"references": [
"#Lowfi:AGGREGATOR:HasKnownAdwareDomain_NsisBundler",
"YARA: Delphi This program must be run under Win32 compilers TrojanWin32Fakemalard Ujhhd",
"CodeOverlap | All malware listed exists",
"Observed Cloudflare DNS over HTTPS Domain (cloudflare-dns .com in TLS SNI)",
"All #tags auto populated.",
"URL http://virii.es/M/Mobile Malware Attacks and Defense.pdf",
"blog.manpowergroup.com.py (aww like dadvocates)",
"https://isexychat.com/chatrooms/teen-chat/with-others/\t (sounds about right)",
"r53lbr.run-delete-app-sa-east-1-1.run-delete-test-sa-east-1-9zt9rjv.forgeapps.ec2.aws.dev"
],
"public": 1,
"adversary": "",
"targeted_countries": [],
"malware_families": [
{
"id": "#Lowfi:AGGREGATOR:HasKnownAdwareDomain_NsisBundler.",
"display_name": "#Lowfi:AGGREGATOR:HasKnownAdwareDomain_NsisBundler.",
"target": null
},
{
"id": "Win.Malware.Tfuvtcog-7194372-0",
"display_name": "Win.Malware.Tfuvtcog-7194372-0",
"target": null
},
{
"id": "Trojan.Win32.Fakemalard",
"display_name": "Trojan.Win32.Fakemalard",
"target": null
},
{
"id": "Code Overlap",
"display_name": "Code Overlap",
"target": null
},
{
"id": "Trojan.Win32.Banload",
"display_name": "Trojan.Win32.Banload",
"target": null
},
{
"id": "Formbook",
"display_name": "Formbook",
"target": null
},
{
"id": "Malware",
"display_name": "Malware",
"target": null
},
{
"id": "Too much to search for",
"display_name": "Too much to search for",
"target": null
}
],
"attack_ids": [
{
"id": "T1045",
"name": "Software Packing",
"display_name": "T1045 - Software Packing"
},
{
"id": "T1063",
"name": "Security Software Discovery",
"display_name": "T1063 - Security Software Discovery"
},
{
"id": "T1027",
"name": "Obfuscated Files or Information",
"display_name": "T1027 - Obfuscated Files or Information"
},
{
"id": "T1057",
"name": "Process Discovery",
"display_name": "T1057 - Process Discovery"
},
{
"id": "T1071",
"name": "Application Layer Protocol",
"display_name": "T1071 - Application Layer Protocol"
},
{
"id": "T1105",
"name": "Ingress Tool Transfer",
"display_name": "T1105 - Ingress Tool Transfer"
},
{
"id": "T1480",
"name": "Execution Guardrails",
"display_name": "T1480 - Execution Guardrails"
},
{
"id": "T1553",
"name": "Subvert Trust Controls",
"display_name": "T1553 - Subvert Trust Controls"
},
{
"id": "T1568",
"name": "Dynamic Resolution",
"display_name": "T1568 - Dynamic Resolution"
},
{
"id": "T1140",
"name": "Deobfuscate/Decode Files or Information",
"display_name": "T1140 - Deobfuscate/Decode Files or Information"
}
],
"industries": [
"Medical",
"Media",
"Government."
],
"TLP": "white",
"cloned_from": null,
"export_count": 9,
"upvotes_count": 0,
"downvotes_count": 0,
"votes_count": 0,
"locked": false,
"pulse_source": "web",
"validator_count": 0,
"comment_count": 0,
"follower_count": 0,
"vote": 0,
"author": {
"username": "Q.Vashti",
"id": "337942",
"avatar_url": "https://otx.alienvault.com/assets/images/default-avatar.png",
"is_subscribed": false,
"is_following": false
},
"indicator_type_counts": {
"hostname": 609,
"URL": 1550,
"domain": 280,
"FileHash-SHA256": 1428,
"FileHash-MD5": 133,
"FileHash-SHA1": 115,
"SSLCertFingerprint": 4
},
"indicator_count": 4119,
"is_author": false,
"is_subscribing": null,
"subscriber_count": 139,
"modified_text": "188 days ago ",
"is_modified": true,
"groups": [],
"in_group": false,
"threat_hunter_scannable": true,
"threat_hunter_has_agents": 1,
"related_indicator_type": "URL",
"related_indicator_is_active": 1
},
{
"id": "68ac1823eed9568e26950b98",
"name": "ELF: Mirai - Malicious media | sentient.industries | Palantir",
"description": "Malicious entity weaponizing AI and next level cyber attacks, targeting, hacking, espionage, tracking, bad traffic, botnet, honeypots, bots , ddos. \n\nIt\u2019s really easy to become a target. Protest a cause, become a victim of crime by someone protected by a major entity , incur a large loss insurance case or have a high profile potential lawsuit on and on\u2026 \n\nExcessive overreach, low accountability, no barrier to access, designed to be the cyber warfare weapon.\nIf this is a spoof and NOT Palantir which (but it is) still relentlessly , as malicious. You don\u2019t own your devices or privacy.\n\n#mustbestrangelyexitingtowatchthestoicsquirm",
"modified": "2025-09-24T07:05:04.439000",
"created": "2025-08-25T08:00:35.492000",
"tags": [
"sentientindustries",
"adult",
"pornography",
"targeting",
"content reputation",
"palantirfoundry",
"palantir",
"malicious media",
"tool",
"abuse",
"citizens",
"gay",
"united",
"cache control",
"access control",
"passive dns",
"ip address",
"body found",
"gmt content",
"express cache",
"accept",
"pragma",
"avast avg",
"mirai",
"games",
"aniporn",
"eporner",
"learn",
"ck id",
"name tactics",
"suspicious",
"informative",
"adversaries",
"command",
"javascript",
"defense evasion",
"spawns",
"attrib",
"extid",
"fbid",
"creatortool",
"pattern match",
"date",
"path",
"august",
"hybrid",
"general",
"click",
"strings",
"bham",
"this",
"core",
"unknown aaaa",
"moved",
"unknown ns",
"body",
"h1 center",
"title",
"data upload",
"extraction",
"iocs",
"monitored target",
"copy md5",
"copy sha1",
"copy sha256",
"mitre att",
"show technique",
"ck matrix",
"span",
"possible",
"local",
"meta",
"roboto",
"supportscookie",
"spearphishing",
"initial access",
"ssl certificate",
"t1105",
"T1027.013 - Encrypted/Encoded File"
],
"references": [
"https://targeting-ai.com/dr-wisit-cheungpasitporn-invite-dhonneur-a-paris-pour-intelligence-artificielle-et-nephrologie-2025/ (phishing)",
"conf.targeting-ai.com \u2022 http://conf.targeting-ai.com \u2022 https://conf.targeting-ai.com \u2022 https://droidcall.cc/EQBhOSFz/",
"http://securityidiots.com/Web-Pentest/SQL-Injection/bypass-login-using-sql-injection.html",
"1-ai-chatbox-widget-2iv.pages.dev",
"FileleHash Sha256 [7a6da9fd351d428e9bfb8edbbca1275d9cdaf7f0371c77d2c227645509f7ebec ELF:Mirai-GH\\ [Trj] \u2022 Unix.Trojan.Gafgyt-6748839",
"Found in Palantirfoundry in sentient.indusutries linked to songculture.com (downed)",
"Redirecting to /verify/547062ef [URL https://eporner.blog \u2022 IPv4 104.21.3.107]",
"https://hayageek.com/drag-and-drop-file-upload-jquery",
"https://hayageek.com/rsa-encryption-decryption-openssl-c/",
"https://www-321chat-com.webpkgcache.com/doc/-/s/www.321chat.com/",
"https://www.melitta.be/portal/pics/layout/touchicons/apple-touch-icon-precomposed.png [Key-Systems GmbH]",
"https://hybrid-analysis.com/sample/627cf8e9a89c998bd5cb607854bbe31b82679c116b4e3834ff942220d61d3488/68ac1098bfa5002fad02e045",
"T1027.013 - Encrypted/Encoded File"
],
"public": 1,
"adversary": "",
"targeted_countries": [
"United States of America"
],
"malware_families": [
{
"id": "PornBlackmailer",
"display_name": "PornBlackmailer",
"target": null
},
{
"id": "Win32/PornTool",
"display_name": "Win32/PornTool",
"target": null
},
{
"id": "Mirai",
"display_name": "Mirai",
"target": null
},
{
"id": "ELF:Mirai-GH\\ [Trj]",
"display_name": "ELF:Mirai-GH\\ [Trj]",
"target": null
},
{
"id": "Unix.Trojan.Gafgyt-6748839",
"display_name": "Unix.Trojan.Gafgyt-6748839",
"target": null
},
{
"id": "supportsCookie",
"display_name": "supportsCookie",
"target": null
}
],
"attack_ids": [
{
"id": "T1457",
"name": "Malicious Media Content",
"display_name": "T1457 - Malicious Media Content"
},
{
"id": "T1027",
"name": "Obfuscated Files or Information",
"display_name": "T1027 - Obfuscated Files or Information"
},
{
"id": "T1055",
"name": "Process Injection",
"display_name": "T1055 - Process Injection"
},
{
"id": "T1057",
"name": "Process Discovery",
"display_name": "T1057 - Process Discovery"
},
{
"id": "T1059",
"name": "Command and Scripting Interpreter",
"display_name": "T1059 - Command and Scripting Interpreter"
},
{
"id": "T1071",
"name": "Application Layer Protocol",
"display_name": "T1071 - Application Layer Protocol"
},
{
"id": "T1083",
"name": "File and Directory Discovery",
"display_name": "T1083 - File and Directory Discovery"
},
{
"id": "T1105",
"name": "Ingress Tool Transfer",
"display_name": "T1105 - Ingress Tool Transfer"
},
{
"id": "T1480",
"name": "Execution Guardrails",
"display_name": "T1480 - Execution Guardrails"
},
{
"id": "T1553",
"name": "Subvert Trust Controls",
"display_name": "T1553 - Subvert Trust Controls"
},
{
"id": "T1555",
"name": "Credentials from Password Stores",
"display_name": "T1555 - Credentials from Password Stores"
},
{
"id": "T1568",
"name": "Dynamic Resolution",
"display_name": "T1568 - Dynamic Resolution"
},
{
"id": "T1583",
"name": "Acquire Infrastructure",
"display_name": "T1583 - Acquire Infrastructure"
},
{
"id": "T1590",
"name": "Gather Victim Network Information",
"display_name": "T1590 - Gather Victim Network Information"
},
{
"id": "T1113",
"name": "Screen Capture",
"display_name": "T1113 - Screen Capture"
},
{
"id": "T1140",
"name": "Deobfuscate/Decode Files or Information",
"display_name": "T1140 - Deobfuscate/Decode Files or Information"
},
{
"id": "T1608.005",
"name": "Link Target",
"display_name": "T1608.005 - Link Target"
},
{
"id": "T1566",
"name": "Phishing",
"display_name": "T1566 - Phishing"
},
{
"id": "T1204",
"name": "User Execution",
"display_name": "T1204 - User Execution"
},
{
"id": "T1583.001",
"name": "Domains",
"display_name": "T1583.001 - Domains"
},
{
"id": "T1566.002",
"name": "Spearphishing Link",
"display_name": "T1566.002 - Spearphishing Link"
},
{
"id": "T1566.001",
"name": "Spearphishing Attachment",
"display_name": "T1566.001 - Spearphishing Attachment"
},
{
"id": "T1553.002",
"name": "Code Signing",
"display_name": "T1553.002 - Code Signing"
},
{
"id": "T1071.004",
"name": "DNS",
"display_name": "T1071.004 - DNS"
},
{
"id": "T1071.001",
"name": "Web Protocols",
"display_name": "T1071.001 - Web Protocols"
},
{
"id": "T1568.002",
"name": "Domain Generation Algorithms",
"display_name": "T1568.002 - Domain Generation Algorithms"
},
{
"id": "T1532",
"name": "Data Encrypted",
"display_name": "T1532 - Data Encrypted"
}
],
"industries": [
"Telecommunications",
"Technology",
"Civilian Society",
"Government"
],
"TLP": "white",
"cloned_from": null,
"export_count": 16,
"upvotes_count": 0,
"downvotes_count": 0,
"votes_count": 0,
"locked": false,
"pulse_source": "web",
"validator_count": 0,
"comment_count": 0,
"follower_count": 0,
"vote": 0,
"author": {
"username": "Q.Vashti",
"id": "337942",
"avatar_url": "https://otx.alienvault.com/assets/images/default-avatar.png",
"is_subscribed": false,
"is_following": false
},
"indicator_type_counts": {
"URL": 966,
"domain": 222,
"hostname": 272,
"FileHash-MD5": 78,
"FileHash-SHA1": 84,
"FileHash-SHA256": 346,
"SSLCertFingerprint": 10
},
"indicator_count": 1978,
"is_author": false,
"is_subscribing": null,
"subscriber_count": 139,
"modified_text": "208 days ago ",
"is_modified": true,
"groups": [],
"in_group": false,
"threat_hunter_scannable": true,
"threat_hunter_has_agents": 1,
"related_indicator_type": "URL",
"related_indicator_is_active": 1
},
{
"id": "68abf66e97031d0ff0c04fed",
"name": "Packed sentient.industries links to a targets business website",
"description": "Very malicious link found in a targets business.\nPacked. Needs to be categorized.\n(FoundryPalantir rich?) Tracking, hacking, and serious espionage.\nAvailable public Information: \nSENTIENT INDUSTRIES\nsentient.industries\nSentient industries provides design and engineering services, from prototyping to small-batch manufacturing, empowering clients to overcome complex challenges. |\nMore about sentient\nMission sentient accelerates mission critical technology for\u2026\nSENTIENT INDUSTRIES\nAccelerating mission-critical tech for disaster response, defense ...\nContact Now\nAustin, tx 78758. United States. EMAIL us. info@sentient \n\nWorse than it looks. Spying on a several threat researchers.",
"modified": "2025-09-24T04:04:05.604000",
"created": "2025-08-25T05:36:46.327000",
"tags": [
"moved",
"body",
"x cache",
"cloudfront x",
"cph50 c2",
"certificate",
"record value",
"title",
"h1 center",
"server",
"redacted for",
"servers",
"name redacted",
"for privacy",
"name servers",
"org data",
"privacy city",
"privacy country",
"ca creation",
"passive dns",
"urls",
"files",
"ip address",
"asn as57033",
"less whois",
"registrar",
"tucows domains",
"key identifier",
"data",
"v3 serial",
"number",
"cat ozerossl",
"cnzerossl ecc",
"domain secure",
"site ca",
"validity",
"subject public",
"extraction",
"data upload",
"extra data",
"include review",
"find",
"failed",
"typ no",
"ms windows",
"intel",
"pe32",
"united",
"search",
"as16509",
"from win32bios",
"show",
"high",
"medium",
"delphi",
"copy",
"write",
"launcher",
"next",
"present aug",
"present jul",
"lowfi",
"win32",
"a div",
"div div",
"learn xml",
"babylon",
"win64",
"trojan",
"colors",
"python",
"learn",
"ck id",
"name tactics",
"suspicious",
"informative",
"command",
"adversaries",
"spawns",
"mitre att",
"ck techniques",
"et info",
"tls handshake",
"bad traffic",
"failure",
"date",
"august",
"hybrid",
"general",
"path",
"starfield",
"click",
"strings",
"se bethseda",
"n bethseda",
"n data",
"error",
"date checked",
"url hostname",
"server response",
"google safe",
"results aug",
"read c",
"tlsv1",
"port",
"destination",
"module load",
"execution",
"dock",
"persistence",
"malware",
"unknown",
"cname",
"aaaa",
"creation date",
"showing",
"domain",
"dga domains",
"palantirfoundry",
"foundry",
"status",
"unknown ns",
"g2 tls",
"rsa sha256",
"italy unknown",
"mtb may",
"trojandropper",
"invalid url",
"next associated",
"ddos",
"body html",
"hacktool",
"ipv4",
"url analysis",
"ukraine",
"encrypt",
"rl add",
"http",
"hostname",
"files domain",
"files related",
"related tags",
"present jun",
"entries",
"title error",
"all ipv4",
"reverse dns",
"yara detections",
"top source",
"top destination",
"source source",
"sha256 add",
"pulse pulses",
"av detections",
"ids detections",
"alerts",
"analysis date",
"address range",
"cidr",
"network name",
"allocation type",
"whois server",
"entity amazon4",
"handle",
"canada unknown",
"content type",
"javascript src",
"script script",
"x powered",
"ipv4 add",
"pulse submit",
"submit url",
"analysis",
"url add",
"related nids",
"files location",
"canada flag",
"canada hostname",
"unknown aaaa",
"ascii text",
"user agent",
"powershell",
"agent",
"czechia unknown",
"domain add",
"dynamicloader",
"hostname add",
"pentagon",
"defense"
],
"references": [
"sentient.industries affects independent artists. Affects several others.",
"Bethseda Map - Yara Detections Delphi , InnoSetupInstaller",
"Bethseda Map - High Priority Alerts: ransomware_file_moves ransomware_appends_extensions",
"Bethseda Map - High Priority Alerts: dumped_buffer2 antisandbox_mouse_hook",
"Bethseda Map - High Priority Alerts: modifies_certificates ransomware_dropped_files",
"Bethseda Map - High Priority Alerts: ransomware_mass_file_delete antivm_firmware",
"Bethseda Map - High Priority Alerts: antiemu_wine banker_zeus_p2p",
"https://download.mobiledit.com/drivers/setup_cdd_apple_1_0_10_0.exe",
"https://forensic.manuals.mobiledit.com/MM/how-to-install-correct-apple-drivers",
"prod.foundry.tylertechai.com \u2022 qa.foundry.tylertechai.com \u2022 staging.foundry.tylertechai.com \u2022",
"talos-staging.palantirfoundry.com \u2022 tylertechai.com \u2022 Palantir Technologies Inc.\u2022 palantirfoundry.com",
"Affects : Kailula4 , scnrscnr, SongCulture, Tsara Brashears & associated, ScrnrScrnr , dorkingbeauty",
"Interesting widgets: https://myid.canon/prd/1.1.30/canonid-assets/gcid-widget.html",
"http://link.monetizer101.com/widget/custom-2.0.2/templates/1",
"https://widget-i18n.tiktokv.com.ttdns2.com/ \u2022 https://stella.demand-iq.com/widget",
"widget-va.tiktokv.com.ttdns2.com \u2022 http://widget-i18n.tiktokv.com.ttdns2.com/",
"http://link.monetizer101.com/widget/custom-2.0.3/js/load.min.js \u2022",
"https://link.monetizer101.com/widget/code/595.js \u2022 https://link.monetizer101.com/widget/code/1343.js",
"https://link.monetizer101.com/widget/code/1511.js \u2022 https://link.monetizer101.com/widget/code/mirror.js",
"https://link.monetizer101.com/widget/code/dailystaruk.js",
"https://download.mobiledit.com/drivers/setup_cdd_apple_1_0_10_0.exe",
"https://forensic.manuals.mobiledit.com/MM/how-to-install-correct-apple-drivers (ASP.NET)",
"Interesting Strings: https://pro-api.coinmarketcap.com/v2/cryptocurrency/quotes/historical",
"(Can't access file- Malware infection files)",
"Potential reparations: Spyware , Trojan , Pegasus , DNS , Graphite , Paragon , NSO Group , Endgame , Cloudfront",
"constellation.pcfrpegaservice.net (Pegasus related? idk)",
"On behalf of pcfrpegaservice.net owner Name Servers\tNS-1477.AWSDNS-56.ORG Org\tIdentity Protection Service",
"TrojanWin32Scoreem - CodeOverlap [616fc7047d6216f7a604fa90f2f2dd0ad5b12f1153137e43858d3421ba964ea4]",
"I have to breakdown this enormous post over time. I\u2019m going to repost a potential hackers similar post",
"Remotewd.com devices",
"If you find anything interesting please research it."
],
"public": 1,
"adversary": "",
"targeted_countries": [
"United States of America"
],
"malware_families": [
{
"id": "nUFS_inno",
"display_name": "nUFS_inno",
"target": null
},
{
"id": "#Lowfi:HSTR:MSIL/Malicious",
"display_name": "#Lowfi:HSTR:MSIL/Malicious",
"target": null
},
{
"id": "ALF:JASYP:PUA:Win32/Bibado",
"display_name": "ALF:JASYP:PUA:Win32/Bibado",
"target": null
},
{
"id": "Trojan:Win32/Toga",
"display_name": "Trojan:Win32/Toga",
"target": "/malware/Trojan:Win32/Toga"
},
{
"id": "Win32:Downloader-GJK\\ [Trj]",
"display_name": "Win32:Downloader-GJK\\ [Trj]",
"target": null
},
{
"id": "Win.Downloader.109205-1",
"display_name": "Win.Downloader.109205-1",
"target": null
},
{
"id": "Custom Malware",
"display_name": "Custom Malware",
"target": null
},
{
"id": "#LowFiEnableDTContinueAfterUnpacking",
"display_name": "#LowFiEnableDTContinueAfterUnpacking",
"target": null
},
{
"id": "Win32:Downloader-GJK\\ [Trj]",
"display_name": "Win32:Downloader-GJK\\ [Trj]",
"target": null
},
{
"id": "Win.Downloader.109205-1",
"display_name": "Win.Downloader.109205-1",
"target": null
},
{
"id": "Win.Trojan.Jorik-149",
"display_name": "Win.Trojan.Jorik-149",
"target": null
},
{
"id": "#LowFiDetectsVmWare",
"display_name": "#LowFiDetectsVmWare",
"target": null
},
{
"id": "Win.Trojan.Jorik-130",
"display_name": "Win.Trojan.Jorik-130",
"target": null
},
{
"id": "Win.Trojan.Fakecodecs-119",
"display_name": "Win.Trojan.Fakecodecs-119",
"target": null
},
{
"id": "Trojan:Win32/Zombie.A",
"display_name": "Trojan:Win32/Zombie.A",
"target": "/malware/Trojan:Win32/Zombie.A"
},
{
"id": "Win.Trojan.Bulz-9860169-0",
"display_name": "Win.Trojan.Bulz-9860169-0",
"target": null
},
{
"id": "Win.Malware.Midie-6847892-0",
"display_name": "Win.Malware.Midie-6847892-0",
"target": null
},
{
"id": "TrojanDropper:Win32/Muldrop.V!MTB",
"display_name": "TrojanDropper:Win32/Muldrop.V!MTB",
"target": "/malware/TrojanDropper:Win32/Muldrop.V!MTB"
},
{
"id": "Win.Packed.Razy-9785185-0",
"display_name": "Win.Packed.Razy-9785185-0",
"target": null
},
{
"id": "Trojan:Win32/Glupteba.MT!MTB",
"display_name": "Trojan:Win32/Glupteba.MT!MTB",
"target": "/malware/Trojan:Win32/Glupteba.MT!MTB"
},
{
"id": "PWS",
"display_name": "PWS",
"target": null
},
{
"id": "DDOS:Win32/Stormser.A",
"display_name": "DDOS:Win32/Stormser.A",
"target": "/malware/DDOS:Win32/Stormser.A"
},
{
"id": "ALF:HSTR:DotNET",
"display_name": "ALF:HSTR:DotNET",
"target": null
},
{
"id": "DotNET",
"display_name": "DotNET",
"target": null
},
{
"id": "Script Exploit",
"display_name": "Script Exploit",
"target": null
},
{
"id": "HackTool:Win32/AutoKMS",
"display_name": "HackTool:Win32/AutoKMS",
"target": "/malware/HackTool:Win32/AutoKMS"
},
{
"id": "Xanfpezes.A",
"display_name": "Xanfpezes.A",
"target": null
},
{
"id": "Trojan:Win32/Gandcrab",
"display_name": "Trojan:Win32/Gandcrab",
"target": "/malware/Trojan:Win32/Gandcrab"
},
{
"id": "Win.Trojan.Generic-9862772-0",
"display_name": "Win.Trojan.Generic-9862772-0",
"target": null
},
{
"id": "Trojan:Win32/Zbot.SIBL!MTB",
"display_name": "Trojan:Win32/Zbot.SIBL!MTB",
"target": "/malware/Trojan:Win32/Zbot.SIBL!MTB"
},
{
"id": "Win32/Nemucod",
"display_name": "Win32/Nemucod",
"target": null
},
{
"id": "ALF:HeraklezEval:TrojanDownloader:HTML/Adodb!rfn",
"display_name": "ALF:HeraklezEval:TrojanDownloader:HTML/Adodb!rfn",
"target": null
},
{
"id": "Trojan:Win32/Blihan.A",
"display_name": "Trojan:Win32/Blihan.A",
"target": "/malware/Trojan:Win32/Blihan.A"
},
{
"id": "TrojanDropper:Win32/Muldrop",
"display_name": "TrojanDropper:Win32/Muldrop",
"target": "/malware/TrojanDropper:Win32/Muldrop"
},
{
"id": "ALF:HeraklezEval:Trojan:Win32/Ymacco.AA47",
"display_name": "ALF:HeraklezEval:Trojan:Win32/Ymacco.AA47",
"target": null
},
{
"id": "Win.Malware.Kolab-9885903-0",
"display_name": "Win.Malware.Kolab-9885903-0",
"target": null
},
{
"id": "Win.Malware (30)",
"display_name": "Win.Malware (30)",
"target": null
},
{
"id": "Ransom",
"display_name": "Ransom",
"target": null
},
{
"id": "#Lowfi:HSTR:MSIL/Malicious.Decryption",
"display_name": "#Lowfi:HSTR:MSIL/Malicious.Decryption",
"target": null
},
{
"id": "E5",
"display_name": "E5",
"target": null
},
{
"id": "MyDoom",
"display_name": "MyDoom",
"target": null
}
],
"attack_ids": [
{
"id": "T1047",
"name": "Windows Management Instrumentation",
"display_name": "T1047 - Windows Management Instrumentation"
},
{
"id": "T1060",
"name": "Registry Run Keys / Startup Folder",
"display_name": "T1060 - Registry Run Keys / Startup Folder"
},
{
"id": "T1119",
"name": "Automated Collection",
"display_name": "T1119 - Automated Collection"
},
{
"id": "T1027",
"name": "Obfuscated Files or Information",
"display_name": "T1027 - Obfuscated Files or Information"
},
{
"id": "T1057",
"name": "Process Discovery",
"display_name": "T1057 - Process Discovery"
},
{
"id": "T1071",
"name": "Application Layer Protocol",
"display_name": "T1071 - Application Layer Protocol"
},
{
"id": "T1105",
"name": "Ingress Tool Transfer",
"display_name": "T1105 - Ingress Tool Transfer"
},
{
"id": "T1480",
"name": "Execution Guardrails",
"display_name": "T1480 - Execution Guardrails"
},
{
"id": "T1553",
"name": "Subvert Trust Controls",
"display_name": "T1553 - Subvert Trust Controls"
},
{
"id": "T1583",
"name": "Acquire Infrastructure",
"display_name": "T1583 - Acquire Infrastructure"
},
{
"id": "T1113",
"name": "Screen Capture",
"display_name": "T1113 - Screen Capture"
},
{
"id": "T1140",
"name": "Deobfuscate/Decode Files or Information",
"display_name": "T1140 - Deobfuscate/Decode Files or Information"
},
{
"id": "T1053",
"name": "Scheduled Task/Job",
"display_name": "T1053 - Scheduled Task/Job"
},
{
"id": "T1055",
"name": "Process Injection",
"display_name": "T1055 - Process Injection"
},
{
"id": "T1082",
"name": "System Information Discovery",
"display_name": "T1082 - System Information Discovery"
},
{
"id": "T1112",
"name": "Modify Registry",
"display_name": "T1112 - Modify Registry"
},
{
"id": "T1129",
"name": "Shared Modules",
"display_name": "T1129 - Shared Modules"
},
{
"id": "T1143",
"name": "Hidden Window",
"display_name": "T1143 - Hidden Window"
},
{
"id": "T1003.008",
"name": "/etc/passwd and /etc/shadow",
"display_name": "T1003.008 - /etc/passwd and /etc/shadow"
},
{
"id": "T1110.002",
"name": "Password Cracking",
"display_name": "T1110.002 - Password Cracking"
}
],
"industries": [],
"TLP": "white",
"cloned_from": null,
"export_count": 40,
"upvotes_count": 0,
"downvotes_count": 0,
"votes_count": 0,
"locked": false,
"pulse_source": "web",
"validator_count": 0,
"comment_count": 0,
"follower_count": 0,
"vote": 0,
"author": {
"username": "Q.Vashti",
"id": "337942",
"avatar_url": "https://otx.alienvault.com/assets/images/default-avatar.png",
"is_subscribed": false,
"is_following": false
},
"indicator_type_counts": {
"domain": 6232,
"URL": 24908,
"hostname": 7993,
"FileHash-SHA256": 11128,
"email": 6,
"FileHash-MD5": 1054,
"FileHash-SHA1": 932,
"SSLCertFingerprint": 14,
"CIDR": 3,
"CVE": 3
},
"indicator_count": 52273,
"is_author": false,
"is_subscribing": null,
"subscriber_count": 146,
"modified_text": "208 days ago ",
"is_modified": true,
"groups": [],
"in_group": false,
"threat_hunter_scannable": true,
"threat_hunter_has_agents": 1,
"related_indicator_type": "URL",
"related_indicator_is_active": 1
},
{
"id": "6893eee9bf1b30e08d1a6d8e",
"name": "Ransom:Win32/CVE - Denver \u2022 Community Lifestyle Neighborhood",
"description": "*Ransom:Win32/CVE - * Win.Dropper.Stone-9856966-0,\nDenver \u2022 Community Lifestyle Neighborhood. \nCorporate & Leasing Office corrupted with spyware. There is a single verified monitored target. All technology devices corrupted, at least 2 phones monitored, YouTube is courtesy of hackers. Several in person and phone investigations, staff change and they know nothing about leasing apartments, townhomes , etiquette, poor communication. Target also investigated. It appears to be harassment, intimidation and monitoring for unspecified reasons. The parking lot is stacked with obvious people sitting in their vehicles for hours. It\u2019s unclear if the staffing change is legitimate or part of an investigation.",
"modified": "2025-09-05T23:02:52.811000",
"created": "2025-08-07T00:10:17.696000",
"tags": [
"address google",
"safe browsing",
"united",
"typeof",
"passive dns",
"body doctype",
"nreum",
"date",
"gmt server",
"apache x",
"cnection",
"content type",
"span",
"ok transfer",
"encoding",
"x powered",
"unknown soa",
"unknown ns",
"showing",
"entries",
"next associated",
"urls show",
"body",
"encrypt",
"search",
"ip address",
"creation date",
"record value",
"present jul",
"present may",
"present apr",
"certificate",
"present aug",
"present feb",
"present dec",
"present nov",
"error",
"learn",
"ck id",
"name tactics",
"suspicious",
"informative",
"command",
"adversaries",
"spawns",
"found",
"development att",
"sha1",
"copy md5",
"copy sha1",
"copy sha256",
"mitre att",
"show technique",
"ck matrix",
"pattern match",
"ascii text",
"august",
"hybrid",
"general",
"local",
"path",
"click",
"strings",
"itre att",
"accept",
"sha256",
"size",
"type data",
"utf8 text",
"document file",
"flag",
"server",
"european union",
"name server",
"tor analysis",
"dns requests",
"domain address",
"ii llc",
"windir",
"openurl c",
"prefetch2",
"show process",
"ogoogle trust",
"network traffic",
"organization",
"elton avundano",
"object",
"title object",
"header http2",
"returnurl",
"texas",
"rsa ov",
"ssl ca",
"status",
"australia",
"netherlands",
"urls",
"gmt path",
"hostname add",
"pulse submit",
"present oct",
"e safe",
"results jul",
"response ip",
"present jan",
"name servers",
"verdict",
"domain",
"files ip",
"address domain",
"xhr start",
"xhr load",
"aaaa",
"read c",
"show",
"port",
"destination",
"high",
"delete",
"outbound m3",
"copy",
"write",
"persistence",
"execution",
"malware",
"generic",
"unknown",
"present mar",
"dynamicloader",
"wine emulator",
"dynamic",
"medium",
"read",
"associated urls",
"date checked",
"url hostname",
"server response",
"google safe",
"dnssec",
"domain name",
"solutions",
"llc status",
"next passive",
"dns status",
"hostname query",
"files show",
"date hash",
"avast avg",
"overview ip",
"address",
"related nids",
"files location",
"flag united",
"hostname",
"files domain",
"win32",
"mtb feb",
"trojan",
"susp",
"trojandropper",
"msr feb",
"trojanspy",
"virtool",
"win64",
"defense evasion",
"t1480 execution",
"file defense",
"null",
"refresh",
"tools",
"look",
"verify",
"restart",
"file discovery",
"utf8",
"crlf line",
"a domains",
"script urls",
"link",
"unknown aaaa",
"meta",
"atom",
"results jan",
"present",
"present sep",
"akamai",
"asn as16625",
"less whois",
"registrar",
"http",
"france flag",
"france hostname",
"files related",
"url analysis",
"files",
"location france",
"detailed error",
"sec ch",
"ch ua",
"ua full",
"ua platform",
"moved",
"name",
"perfect privacy",
"error jul",
"next related",
"domains show",
"domain related",
"url add",
"pulse pulses",
"hosting",
"reverse dns",
"france asn",
"as16276",
"dns resolutions",
"datacenter",
"regopenkeyexa",
"regsetvalueexa",
"windows nt",
"regdword",
"hostile",
"service",
"delphi",
"next",
"pulses none",
"related tags",
"ua bitness",
"ua arch",
"version sec",
"mobile sec",
"model sec",
"review",
"data upload",
"extraction",
"khtml",
"gecko",
"olet",
"cnlet",
"tlsv1",
"hacktool",
"push",
"ms windows",
"intel",
"pe32",
"users",
"precreate read",
"ransom",
"code",
"installer",
"june",
"media",
"autorun",
"next yara",
"detections name",
"aspackv2xxx",
"eu alexey",
"alerts",
"pe file",
"filehash",
"sha256 add",
"av detections",
"ids detections",
"yara detections",
"analysis date",
"april",
"packing t1045",
"t1045",
"t1060",
"registry run",
"keys",
"user execution",
"icmp traffic"
],
"references": [],
"public": 1,
"adversary": "",
"targeted_countries": [],
"malware_families": [],
"attack_ids": [
{
"id": "T1027",
"name": "Obfuscated Files or Information",
"display_name": "T1027 - Obfuscated Files or Information"
},
{
"id": "T1057",
"name": "Process Discovery",
"display_name": "T1057 - Process Discovery"
},
{
"id": "T1071",
"name": "Application Layer Protocol",
"display_name": "T1071 - Application Layer Protocol"
},
{
"id": "T1105",
"name": "Ingress Tool Transfer",
"display_name": "T1105 - Ingress Tool Transfer"
},
{
"id": "T1480",
"name": "Execution Guardrails",
"display_name": "T1480 - Execution Guardrails"
},
{
"id": "T1553",
"name": "Subvert Trust Controls",
"display_name": "T1553 - Subvert Trust Controls"
},
{
"id": "T1568",
"name": "Dynamic Resolution",
"display_name": "T1568 - Dynamic Resolution"
},
{
"id": "T1583",
"name": "Acquire Infrastructure",
"display_name": "T1583 - Acquire Infrastructure"
},
{
"id": "T1083",
"name": "File and Directory Discovery",
"display_name": "T1083 - File and Directory Discovery"
},
{
"id": "T1204",
"name": "User Execution",
"display_name": "T1204 - User Execution"
},
{
"id": "T1045",
"name": "Software Packing",
"display_name": "T1045 - Software Packing"
},
{
"id": "T1112",
"name": "Modify Registry",
"display_name": "T1112 - Modify Registry"
},
{
"id": "T1119",
"name": "Automated Collection",
"display_name": "T1119 - Automated Collection"
},
{
"id": "T1012",
"name": "Query Registry",
"display_name": "T1012 - Query Registry"
},
{
"id": "T1031",
"name": "Modify Existing Service",
"display_name": "T1031 - Modify Existing Service"
},
{
"id": "T1040",
"name": "Network Sniffing",
"display_name": "T1040 - Network Sniffing"
},
{
"id": "T1053",
"name": "Scheduled Task/Job",
"display_name": "T1053 - Scheduled Task/Job"
},
{
"id": "T1055",
"name": "Process Injection",
"display_name": "T1055 - Process Injection"
},
{
"id": "T1129",
"name": "Shared Modules",
"display_name": "T1129 - Shared Modules"
},
{
"id": "T1023",
"name": "Shortcut Modification",
"display_name": "T1023 - Shortcut Modification"
},
{
"id": "T1060",
"name": "Registry Run Keys / Startup Folder",
"display_name": "T1060 - Registry Run Keys / Startup Folder"
},
{
"id": "T1082",
"name": "System Information Discovery",
"display_name": "T1082 - System Information Discovery"
},
{
"id": "T1091",
"name": "Replication Through Removable Media",
"display_name": "T1091 - Replication Through Removable Media"
}
],
"industries": [],
"TLP": "green",
"cloned_from": null,
"export_count": 11,
"upvotes_count": 0,
"downvotes_count": 0,
"votes_count": 0,
"locked": false,
"pulse_source": "web",
"validator_count": 0,
"comment_count": 0,
"follower_count": 0,
"vote": 0,
"author": {
"username": "Q.Vashti",
"id": "337942",
"avatar_url": "https://otx.alienvault.com/assets/images/default-avatar.png",
"is_subscribed": false,
"is_following": false
},
"indicator_type_counts": {
"domain": 1132,
"URL": 6245,
"hostname": 2264,
"FileHash-SHA256": 1857,
"FileHash-SHA1": 491,
"email": 9,
"FileHash-MD5": 573,
"SSLCertFingerprint": 16
},
"indicator_count": 12587,
"is_author": false,
"is_subscribing": null,
"subscriber_count": 142,
"modified_text": "226 days ago ",
"is_modified": true,
"groups": [],
"in_group": false,
"threat_hunter_scannable": true,
"threat_hunter_has_agents": 1,
"related_indicator_type": "URL",
"related_indicator_is_active": 1
},
{
"id": "686cb765dc6737fd1e882630",
"name": "2nd Attempt- VirusTotal Ransomware and Device destruction Attack",
"description": "I hope this generates results. I continue to be unable to annotate. Witnesses attack and 5 very relevant graphs taken. \n#phishing #malware #trojan #ransom #virustotal",
"modified": "2025-08-07T05:01:52.697000",
"created": "2025-07-08T06:15:01.296000",
"tags": [
"no expiration",
"filehashmd5",
"filehashsha1",
"filehashsha256",
"iocs",
"review iocs",
"pulse show",
"search",
"type indicator",
"role title",
"expiration",
"url http",
"url https",
"text drag",
"drop or",
"enter source",
"url or",
"hostname",
"ipv4",
"related pulses",
"showing",
"entries",
"drop",
"domain",
"enter",
"extract",
"browse to",
"domain xn",
"select file",
"pdf report",
"pcap",
"stix",
"openioc",
"indicator role",
"pulses url"
],
"references": [],
"public": 1,
"adversary": "",
"targeted_countries": [],
"malware_families": [],
"attack_ids": [],
"industries": [],
"TLP": "green",
"cloned_from": null,
"export_count": 11,
"upvotes_count": 0,
"downvotes_count": 0,
"votes_count": 0,
"locked": false,
"pulse_source": "web",
"validator_count": 0,
"comment_count": 0,
"follower_count": 0,
"vote": 0,
"author": {
"username": "Q.Vashti",
"id": "337942",
"avatar_url": "https://otx.alienvault.com/assets/images/default-avatar.png",
"is_subscribed": false,
"is_following": false
},
"indicator_type_counts": {
"FileHash-MD5": 840,
"FileHash-SHA1": 725,
"FileHash-SHA256": 863,
"URL": 1663,
"SSLCertFingerprint": 17,
"domain": 520,
"hostname": 734,
"email": 11
},
"indicator_count": 5373,
"is_author": false,
"is_subscribing": null,
"subscriber_count": 140,
"modified_text": "256 days ago ",
"is_modified": true,
"groups": [],
"in_group": false,
"threat_hunter_scannable": true,
"threat_hunter_has_agents": 1,
"related_indicator_type": "URL",
"related_indicator_is_active": 1
},
{
"id": "686cb7673e4d5a0067758fd7",
"name": "2nd Attempt- VirusTotal Ransomware and Device destruction Attack",
"description": "I hope this generates results. I continue to be unable to annotate. Witnesses attack and 5 very relevant graphs taken. \n#phishing #malware #trojan #ransom #virustotal",
"modified": "2025-08-07T05:01:52.697000",
"created": "2025-07-08T06:15:03.501000",
"tags": [
"no expiration",
"filehashmd5",
"filehashsha1",
"filehashsha256",
"iocs",
"review iocs",
"pulse show",
"search",
"type indicator",
"role title",
"expiration",
"url http",
"url https",
"text drag",
"drop or",
"enter source",
"url or",
"hostname",
"ipv4",
"related pulses",
"showing",
"entries",
"drop",
"domain",
"enter",
"extract",
"browse to",
"domain xn",
"select file",
"pdf report",
"pcap",
"stix",
"openioc",
"indicator role",
"pulses url"
],
"references": [],
"public": 1,
"adversary": "",
"targeted_countries": [],
"malware_families": [],
"attack_ids": [],
"industries": [],
"TLP": "green",
"cloned_from": null,
"export_count": 11,
"upvotes_count": 0,
"downvotes_count": 0,
"votes_count": 0,
"locked": false,
"pulse_source": "web",
"validator_count": 0,
"comment_count": 0,
"follower_count": 0,
"vote": 0,
"author": {
"username": "Q.Vashti",
"id": "337942",
"avatar_url": "https://otx.alienvault.com/assets/images/default-avatar.png",
"is_subscribed": false,
"is_following": false
},
"indicator_type_counts": {
"FileHash-MD5": 840,
"FileHash-SHA1": 725,
"FileHash-SHA256": 863,
"URL": 1663,
"SSLCertFingerprint": 17,
"domain": 520,
"hostname": 734,
"email": 11
},
"indicator_count": 5373,
"is_author": false,
"is_subscribing": null,
"subscriber_count": 138,
"modified_text": "256 days ago ",
"is_modified": true,
"groups": [],
"in_group": false,
"threat_hunter_scannable": true,
"threat_hunter_has_agents": 1,
"related_indicator_type": "URL",
"related_indicator_is_active": 1
},
{
"id": "685186035e5fb63846d29e45",
"name": "Regarding Minority Report 2.0 | Aggresive Remote device tracking (multiple) | Network Rat",
"description": "Abuse.\nWhy is so much of this in plain sight? .\nMalicious tactics abused by preemptive policing recently implemented by Tech Bros under current Trump administration.\nThee governing Cyber Defense / AI / Data collection firm. | foundry2-lbl.dvr.dn2.n-helix.com | \nhttp://foundry2-lbl.dvr.dn2.n-helix.com |\nhttps://foundry2-lbl.dvr.dn2.n-helix.com |\nhttps://nl.cyberriskalliance.com/assets/icons/twitter.png |\nhttps://axis.snxd.com/track/0\n| track.getbuilt.com | \nRelates to Denver female \u2018allegedly\u2019 injured \u2018in PT.\nA malicious prosecution case against alleged victim after a Detective brought \u2018MTI\u2019 case to controlled Denver DA was dismissed by judge. Injured victim paid a pathetic settlement; especially considering the seriousness of the response of the government. \nThis type\nof tracking silencing is critically dangerous. \nHosanna make no haste to rescue all\nof victims of civilian & victim targeting.\n*Crowdsourced",
"modified": "2025-07-17T14:01:34.245000",
"created": "2025-06-17T15:13:07.233000",
"tags": [
"body",
"cps https",
"location",
"urls server",
"cloudfront",
"united",
"unknown aaaa",
"search",
"digital press",
"moved",
"digital culture",
"ip address",
"creation date",
"record value",
"entries",
"date",
"meta",
"urls",
"http",
"passive dns",
"unique",
"pulse pulses",
"related nids",
"files location",
"flag united",
"showing",
"rich content",
"system",
"cdn amazon",
"amazons3 tls",
"certificate",
"redirects",
"ua9385760744",
"utc na",
"utc google",
"tag manager",
"gk4vnlmd3b9",
"server",
"amazon",
"net1832001",
"net18160001",
"address range",
"cidr",
"network name",
"allocation type",
"whois server",
"entity amazon4",
"handle",
"present mar",
"present feb",
"unknown cname",
"urls show",
"date checked",
"url hostname",
"server response",
"aaaa"
],
"references": [],
"public": 1,
"adversary": "",
"targeted_countries": [],
"malware_families": [],
"attack_ids": [
{
"id": "T1140",
"name": "Deobfuscate/Decode Files or Information",
"display_name": "T1140 - Deobfuscate/Decode Files or Information"
}
],
"industries": [],
"TLP": "green",
"cloned_from": null,
"export_count": 48,
"upvotes_count": 0,
"downvotes_count": 0,
"votes_count": 0,
"locked": false,
"pulse_source": "web",
"validator_count": 0,
"comment_count": 1,
"follower_count": 0,
"vote": 0,
"author": {
"username": "Q.Vashti",
"id": "337942",
"avatar_url": "https://otx.alienvault.com/assets/images/default-avatar.png",
"is_subscribed": false,
"is_following": false
},
"indicator_type_counts": {
"FileHash-SHA256": 2075,
"URL": 5471,
"hostname": 1531,
"domain": 1013,
"FileHash-MD5": 55,
"FileHash-SHA1": 53,
"CVE": 1,
"SSLCertFingerprint": 1,
"email": 1,
"CIDR": 2
},
"indicator_count": 10203,
"is_author": false,
"is_subscribing": null,
"subscriber_count": 141,
"modified_text": "277 days ago ",
"is_modified": true,
"groups": [],
"in_group": false,
"threat_hunter_scannable": true,
"threat_hunter_has_agents": 1,
"related_indicator_type": "URL",
"related_indicator_is_active": 1
},
{
"id": "685186983a4dd00c2b45b255",
"name": "Source:\thttps://cloud.samsara.com/o/79639/flee",
"description": "",
"modified": "2025-07-17T14:01:34.245000",
"created": "2025-06-17T15:15:36.505000",
"tags": [
"body",
"cps https",
"location",
"urls server",
"cloudfront",
"united",
"unknown aaaa",
"search",
"digital press",
"moved",
"digital culture",
"ip address",
"creation date",
"record value",
"entries",
"date",
"meta",
"urls",
"http",
"passive dns",
"unique",
"pulse pulses",
"related nids",
"files location",
"flag united",
"showing",
"rich content",
"system",
"cdn amazon",
"amazons3 tls",
"certificate",
"redirects",
"ua9385760744",
"utc na",
"utc google",
"tag manager",
"gk4vnlmd3b9",
"server",
"amazon",
"net1832001",
"net18160001",
"address range",
"cidr",
"network name",
"allocation type",
"whois server",
"entity amazon4",
"handle",
"present mar",
"present feb",
"unknown cname",
"urls show",
"date checked",
"url hostname",
"server response",
"aaaa"
],
"references": [],
"public": 1,
"adversary": "",
"targeted_countries": [],
"malware_families": [],
"attack_ids": [
{
"id": "T1140",
"name": "Deobfuscate/Decode Files or Information",
"display_name": "T1140 - Deobfuscate/Decode Files or Information"
}
],
"industries": [],
"TLP": "green",
"cloned_from": "685186035e5fb63846d29e45",
"export_count": 47,
"upvotes_count": 0,
"downvotes_count": 0,
"votes_count": 0,
"locked": false,
"pulse_source": "web",
"validator_count": 0,
"comment_count": 1,
"follower_count": 0,
"vote": 0,
"author": {
"username": "Q.Vashti",
"id": "337942",
"avatar_url": "https://otx.alienvault.com/assets/images/default-avatar.png",
"is_subscribed": false,
"is_following": false
},
"indicator_type_counts": {
"FileHash-SHA256": 2075,
"URL": 5471,
"hostname": 1531,
"domain": 1013,
"FileHash-MD5": 55,
"FileHash-SHA1": 53,
"CVE": 1,
"SSLCertFingerprint": 1,
"email": 1,
"CIDR": 2
},
"indicator_count": 10203,
"is_author": false,
"is_subscribing": null,
"subscriber_count": 139,
"modified_text": "277 days ago ",
"is_modified": true,
"groups": [],
"in_group": false,
"threat_hunter_scannable": true,
"threat_hunter_has_agents": 1,
"related_indicator_type": "URL",
"related_indicator_is_active": 1
},
{
"id": "684a3719a2708183b1b16d00",
"name": "Follow Bot (black-basta_cova_cryptb) affects threat researcher(s)account(s)",
"description": "Surprised: \nFollow bot account affects threat researcher(s)account(s). % path , attempts DoS. Threatening account name,. \n\n\n(00285c99b52d41679b1aa3b8a80895b037df8a7500f4ad97ce06068eac4a95b7 | =\nfollow) \n|| {2025-05-20_bf3a6ba6e3421a7214ffbfe97642a578_amadey_black-basta_cova_cryptbot_elex_luca-stealer\nFastCopy5.9.0.exe}\n\nET DNS Query for .cc \n PROTOCOL-ICMP PATH MTU denial of service attempt\nPROTOCOL-ICMP Destination Unreachable Fragmentation Needed and DF bit was set",
"modified": "2025-07-12T01:02:11.925000",
"created": "2025-06-12T02:10:33.839000",
"tags": [
"gtmkvjvztk",
"open threat",
"learn",
"levelblue",
"exchange meta",
"tags twitter",
"alienvault",
"script tags",
"iframe tags",
"google tag",
"html internet",
"html document",
"ascii text",
"ta0004 defense",
"evasion ta0005",
"command",
"control ta0011",
"number",
"cnmicrosoft ecc",
"update secure",
"server ca",
"cus subject",
"stwa lredmond",
"omicrosoft c",
"resolved ips",
"get http",
"dns resolutions",
"request",
"response",
"windows nt",
"win64",
"khtml",
"gecko",
"defense evasion",
"ta0009 command",
"impact ta0040",
"catalog tree",
"analysis ob0001",
"analysis ob0002",
"ob0007 impact",
"ob0012 file",
"system oc0001",
"process oc0003",
"data oc0004",
"oc0008",
"get https",
"vis1",
"oid2",
"post https",
"cjutxg",
"base64uidenc",
"error https"
],
"references": [],
"public": 1,
"adversary": "",
"targeted_countries": [],
"malware_families": [],
"attack_ids": [],
"industries": [],
"TLP": "green",
"cloned_from": null,
"export_count": 27,
"upvotes_count": 0,
"downvotes_count": 0,
"votes_count": 0,
"locked": false,
"pulse_source": "web",
"validator_count": 0,
"comment_count": 1,
"follower_count": 0,
"vote": 0,
"author": {
"username": "Q.Vashti",
"id": "337942",
"avatar_url": "https://otx.alienvault.com/assets/images/default-avatar.png",
"is_subscribed": false,
"is_following": false
},
"indicator_type_counts": {
"FileHash-MD5": 162,
"FileHash-SHA1": 28,
"FileHash-SHA256": 2459,
"domain": 889,
"hostname": 1217,
"URL": 4326,
"FilePath": 1
},
"indicator_count": 9082,
"is_author": false,
"is_subscribing": null,
"subscriber_count": 139,
"modified_text": "282 days ago ",
"is_modified": true,
"groups": [],
"in_group": false,
"threat_hunter_scannable": true,
"threat_hunter_has_agents": 1,
"related_indicator_type": "URL",
"related_indicator_is_active": 1
}
],
"references": [
"https://trail.truefoundry.com/api/track/open/usr_NEDuPPvnqv5DXyhti/tsk_L9bYYgL2HGng9mDsC",
"She was in the botnet already",
"Couldn\u2019t pulse 1st pulse so here\u2019s what\u2019s left",
"IDS Detections: Observed Discord Domain in DNS Lookup (discord .com) Discord Chat Service Domain in DNS Lookup (discord .com)",
"https://rto.bappam.eu/ai-n2cdl/mirai-2025-ven5k-telugu-movie-watch-online.html",
"IDS Detections: Observed Discord Domain (discordapp .com in TLS SNI) Observed Discord Service Domain (discord .com) in TLS SNI Less",
"(Can't access file- Malware infection files)",
"https://www.redporn.video/tsara-brashears-slandered-.htm \u2022 www.redporn.video \u2022 http://www.redporn",
"Remotewd.com devices",
"TrojanWin32Scoreem - CodeOverlap [616fc7047d6216f7a604fa90f2f2dd0ad5b12f1153137e43858d3421ba964ea4]",
"guidepaparazzisurface.com",
"Dean is deceased? Was the only staff who insisted that Tsara\u2019s tuition be reimbursed",
"Bethseda Map - High Priority Alerts: modifies_certificates ransomware_dropped_files",
"Alerts : network_cnc_https_generic reads_self packer_entropy injection_rwx uses_windows_utilities antivm_checks_available_memory queries_computer_name queries_user_name",
"Affects : Kailula4 , scnrscnr, SongCulture, Tsara Brashears & associated, ScrnrScrnr , dorkingbeauty",
"http://link.monetizer101.com/widget/custom-2.0.3/js/load.min.js \u2022",
"ftp.iamrobert.com ? \u2022 https://www.meritshealth.com/templates/iamrobert/fonts/Graphik-Regular.eot",
"http://aninditaannisa.blogspot.com/2019/02/tsara-brashears-porn.html \u2022 blogspot.com",
"Dear US Government, the man who assaulted targets name is Jeffrey Scott Reimer of Chester Springs, PA",
"https://hybrid-analysis.com/sample/627cf8e9a89c998bd5cb607854bbe31b82679c116b4e3834ff942220d61d3488/68ac1098bfa5002fad02e045",
"Palantir Extranet -https://prometheusintelligencetechnology.com/",
"Is the family allowed to have a funeral for Tsara or print an obituary",
"Palantir espionage \u2022 prometheusintelligencetechnology.com \u2022 ad-maven.com \u2022 fastly.com \u2022 Foundry.com \u2022 so many more",
"Observed Cloudflare DNS over HTTPS Domain (cloudflare-dns .com in TLS SNI)",
"https://hayageek.com/rsa-encryption-decryption-openssl-c/",
"prod.foundry.tylertechai.com \u2022 qa.foundry.tylertechai.com \u2022 staging.foundry.tylertechai.com \u2022",
"yyz.llm-gateway.truefoundry.com \u2022 trail.truefoundry.com \u2022 sin.llm-gateway.truefoundry.com",
"Was denied after third enrollment showed false information",
"I\u2019m concerned because they are attacking people associated with her and thins needs to stop",
"Honestly, you\u2019ve never seen or met her no many how many people you\u2019ve sent out. That\u2019s why you quiz.",
"Yara: Detections ConventionEngine_Term_Users",
"Alerts: disables_folder_options stealth_hidden_extension stealth_hiddenreg anomalous_deletefile",
"constellation.pcfrpegaservice.net (Pegasus related? idk)",
"conf.targeting-ai.com \u2022 http://conf.targeting-ai.com \u2022 https://conf.targeting-ai.com \u2022 https://droidcall.cc/EQBhOSFz/",
"https://www2.itsyourporn.com/license.php \u2022 https://www.lovephoto.tw/members",
"T1027.013 - Encrypted/Encoded File",
"Bethseda Map - High Priority Alerts: dumped_buffer2 antisandbox_mouse_hook",
"iPhone Spyware - https://bam.nr-data.net/1/6f524845d1?a=24279235&v=1169.7b094c0&to=MwYEbUdYXxJQWhULDApMIExbWkUIXldOAQsFF0hPXFxGEgtrDg0OMgoDThteVBU%3D&rst=6546&ck=1&ref=https://chaturbate.com/notabottom/&ap=123&fe=4218&dc=4218&af=err",
"zeroeyes.host \u2022 media.defense.gov \u2022 defense.gov \u2022 23.222.155.67",
"CodeOverlap | All malware listed exists",
"https://pics-storage-1.pornhat.com/contents/albums/main/1920x1080/135000/135855/9537375.jp",
"Yara: ConventionEngine_Anomaly_MultiPDB_Double , ConventionEngine_Term_Documents",
"http://foundry.tartarynova.com phishing \u2022 https://foundry.tartarynova.com \u2022 foundry.tartarynova.com",
"Foundry stalking.",
"Yara : UPX , Nrv2x , UPX_OEP_place , UPXV200V290MarkusOberhumerLaszloMolnarJohnReiser , UPXv20MarkusLaszloReiser",
"This is dangerous. What is law enforcement for? They are probably controlled by Palantir as is Trump",
"Find a way to safely begin from a new server. Work from a Virtual World Class",
"https://targeting-ai.com/dr-wisit-cheungpasitporn-invite-dhonneur-a-paris-pour-intelligence-artificielle-et-nephrologie-2025/ (phishing)",
"If you find anything interesting please research it.",
"https://download.mobiledit.com/drivers/setup_cdd_apple_1_0_10_0.exe",
"https://forensic.manuals.mobiledit.com/MM/how-to-install-correct-apple-drivers",
"https://hayageek.com/drag-and-drop-file-upload-jquery",
"Bethseda Map - Yara Detections Delphi , InnoSetupInstaller",
"blog.manpowergroup.com.py (aww like dadvocates)",
"https://static.pornhat.com/contents/videos_screenshots/642000/642793/640x360/1.jpg",
"I don\u2019t like finding these remnants. I don\u2019t know why extranet was needed for this Brilliant student",
"https://www-pornocarioca-com.sexogratis.page/videos/bbb/ex",
"https://www.google-analytics.com/r/collect?v=1&_v=j83&a=1390847564&t=pageview&_s=1&dl=https%3A%2F%2Fchaturbate.com%2Fnotabottom%2F&ul=en-us&de=utf-8&dt=Chaturbate%20-%20100%25%20Free%20Chat%20%26%20Webcams&sd=32-bit&sr=1024x768&vp=780x439&je=0&_u=YEBAAE~&jid=915940444&gjid=1686072238&cid=922362881.1595496808&tid=UA-23607725-1&_gid=1317601001.1595496808&_r=1&cd1=chaturbate.com&cd2=&cd3=-&cd4=&cd5=anonymous&z=762468946",
"https://webcams.itsyourporn.com/ \u2022 https://members.itsyourporn.com/",
"Interesting Strings: https://pro-api.coinmarketcap.com/v2/cryptocurrency/quotes/historical",
"http://pic.porn.hub-accessories.site \u2022 https://pic.porn.hub-accessories.site \u2022 pic.porn.hub-accessories.site",
"It\u2019s okay if it\u2019s in there but this is in NO way related to an Alberta University hack.",
"I am very upset. Whoever is doing this is sick.",
"http://chaturbate.com/notabottom/\t\u2022 http://chaturbate.com/notabottom/\\",
"r53lbr.run-delete-app-sa-east-1-1.run-delete-test-sa-east-1-9zt9rjv.forgeapps.ec2.aws.dev",
"https://widget-i18n.tiktokv.com.ttdns2.com/ \u2022 https://stella.demand-iq.com/widget",
"1.2016 M.Brian Sabey filed a complaint about? Jeffrey Reimer refused Lie detector test and False memory exam",
"http://www.crazyfrost.com\t\u2022 http://www.crazyfrost",
"Redirecting to /verify/547062ef [URL https://eporner.blog \u2022 IPv4 104.21.3.107]",
"https://isexychat.com/chatrooms/teen-chat/with-others/\t (sounds about right)",
"Alerts: dynamic_function_loading injection_write_process reads_memory_remote_process",
"Pointed to Data Center 5 Inverness / Denver Tech Center, denies relationship. Seemed to prove originating DC",
"IDS Detections: Observed Discord Domain (discord .com in TLS SNI)",
"Regis needed to close. They treated Brashears as trash after the NEW staff came. Hmm who are tvey",
"One of the interrogators, asked her to be his girlfriend (fake ) tried to move her to a new location .",
"Red Team Abuse? Starfield ? DoD? You need a real criminal Jeffrey Reimer.",
"She refused. Two weeks later man is parked outside of her residence in a different county and city.",
"https://d1rozh26tys225.cloudfront.net/robot-suspicion.svg (mobility company no one has heard of)",
"http://link.monetizer101.com/widget/custom-2.0.2/templates/1",
"IDS Detections: Observed Cloudflare DNS over HTTPS Domain (cloudflare-dns .com in TLS SNI)",
"Examining pulse created by scnrscnr is worth reviewing. I was surprised tonal see a targets name.I didn\u2019t see Foundry highlighted",
"Bethseda Map - High Priority Alerts: ransomware_file_moves ransomware_appends_extensions",
"https://trail.truefoundry.com/api/track/open/usr_NEDuPPvnqv5DXyhti/tsk_X2YECqnpAow7t6JuE",
"https://trail.truefoundry.com/api/t/c/usr_NEDuPPvnqv5DXyhti/tsk_X2YECqnpAow7t6JuE/enc_U2FsdGVkX1_wWHRx9nPGCEspZpUcIwc1yphMTxaaQ2ZAbsxOqRR4ibXcaYtcmgJ1UgabTFCHVVBLx2oAnBAW2h8el_edjHN72Ug0yKQePjKnSJEOnQvtq8MUPo0vkU1N",
"All #tags auto populated.",
"Alerts : ransomware_file_modifications stealth_file procmem_yara static_pe_anomaly",
"https://es.pornhat.com/models/the-sex-creator/",
"http://scteamcommunity.com/4k-high-res-porn-videos/squirt phishing",
"Found in Palantirfoundry in sentient.indusutries linked to songculture.com (downed)",
"https://link.monetizer101.com/widget/code/595.js \u2022 https://link.monetizer101.com/widget/code/1343.js",
"Remarks online \u2018 T\u2019*#^^ is not a runner\u2019 a size 00 broke two track records at a major universities.",
"talos-staging.palantirfoundry.com \u2022 tylertechai.com \u2022 Palantir Technologies Inc.\u2022 palantirfoundry.com",
"No, they put Tsara in her mom\u2019s obituary, she couldn\u2019t grieve, she had to take it down.",
"https://otx.alienvault.com/pulse/5fa57698ac0f6638b7b9a8ba",
"Yara : MS_Visual_Basic_6_0 ,",
"https://media.defense.gov/2022/Mar/17/2002958406/-1/-1/1/SUMMARY-OF-THE-JOINT-ALL-DOMAIN-COMMAND-AND-CONTROL-STRATEGY.pdf",
"https://media.defense.gov/2024/sep/18/2003547016/-1/-1/0/csa-prc-linked-actors-botnet.pdf",
"There\u2019s a problem with terrorizing victims, relatives of, associates of and stealing their property intellectual or otherwise",
"https://www-321chat-com.webpkgcache.com/doc/-/s/www.321chat.com/",
"2022ww11.pornhubgsy.com \u2022 http://scteamcommunity.com/4k-high-res-porn-videos/squirt",
"\u2018Close enrollment. Get all new devices. Stop using Barracuda.",
"Bethseda Map - High Priority Alerts: antiemu_wine banker_zeus_p2p",
"If someone is believed to be a threat they have right to due process.",
"3-4 Police presence. 25 + hospital employees prepped radiology room. No one left room so was it for her?",
"https://link.monetizer101.com/widget/code/dailystaruk.js",
"FileleHash Sha256 [7a6da9fd351d428e9bfb8edbbca1275d9cdaf7f0371c77d2c227645509f7ebec ELF:Mirai-GH\\ [Trj] \u2022 Unix.Trojan.Gafgyt-6748839",
"https://chaturbate.com/notabottom/",
"Alerts: infostealer_browser infostealer_cookies binary_yara procmem_yara static_pe_anomaly",
"Old staff slow, foolish but eventually heeded instructions / once it was too late",
"We don\u2019t know how Octoseek & ScoreBlie (Team8) became part of \u2018No Problems\u2019",
"https://www.meritshealth.com/ Defense.Gov Mobility Co? ",
"https://pornokind.vgt.pl \u2022 https://cdn2.video.itsyourporn.com",
"On behalf of pcfrpegaservice.net owner Name Servers\tNS-1477.AWSDNS-56.ORG Org\tIdentity Protection Service",
"https://members.engine.com/login \u2022 https://members.engine.com/payment-details/220210",
"Potential reparations: Spyware , Trojan , Pegasus , DNS , Graphite , Paragon , NSO Group , Endgame , Cloudfront",
"lm-gateway.truefoundry.com \u2022 https://assets.production.truefoundry.com/sample-openapi.json",
"URL http://virii.es/M/Mobile Malware Attacks and Defense.pdf",
"https://www.melitta.be/portal/pics/layout/touchicons/apple-touch-icon-precomposed.png [Key-Systems GmbH]",
"https://forensic.manuals.mobiledit.com/MM/how-to-install-correct-apple-drivers (ASP.NET)",
"#Lowfi:AGGREGATOR:HasKnownAdwareDomain_NsisBundler",
"scnrscnr pulse is good. I\u2019m assuming they\u2019re targets.",
"https://maisexo-com.putaria.info/casting \u2022 https://contosadultos-club.sexogratis.page/tudo",
"YARA: Delphi This program must be run under Win32 compilers TrojanWin32Fakemalard Ujhhd",
"Interesting widgets: https://myid.canon/prd/1.1.30/canonid-assets/gcid-widget.html",
"https://link.monetizer101.com/widget/code/1511.js \u2022 https://link.monetizer101.com/widget/code/mirror.js",
"Bills from nowhere appeared. Again staff said this never happened before left her with the debt.",
"1-ai-chatbox-widget-2iv.pages.dev",
"Infectious Disease UC Health denied target medication they said she needed as questionable liquid seeped into her brain.",
"Target left unattended by anyone in a hospital except a security guard. Hospital refused care. Ignored rare brain incident from high cervical & brain assault injuries aggravated by car accident.",
"Many pulses are missing. When we first began using this tool PIT was what we researched first",
"Can the DoD no questions asked target a SA victim",
"https://aninditaannisa.blogspot.com/2019/02/tsara-brashears-porn.html \u2022 blogspot.com \u2022 www.techcult.com/judge-the-simpsons-parody-is-child-pornography/ Whitelisted domain techcult.com\t Domain blogspot.com Whitelisted domain blogspot.com\t Domain techcult.com Whitelisted domain techcult.com\t Hostname aninditaannisa.blogspot.com \u2022 domain blogspot.com",
"She sought a certificate from Red Rocks. Kurzweil installed due to being disabled",
"www.techcult.com",
"Tsara was unable to finish her second degree this way. But found a way.",
"https://media.defense.gov/2020/jun/09/2002313081/-1/-1/0/csi-detect-and-prevent-web-shell-malware-20200422.pdf",
"http://securityidiots.com/Web-Pentest/SQL-Injection/bypass-login-using-sql-injection.html",
"socialmedia \u2022 socialmedia.defense.gov \u2022 static.defense.gov",
"Target agreed and complied with all lie detector measures.",
"iPhone Spyware - https://bam.nr-data.net/jserrors/ping/6f524845d1?a=24279235&v=1169.7b094c0&to=MwYEbUdYXxJQWhULDApMIExbWkUIXldOAQsFF0hPXFxGEgtrDg0OMgoDThteVBU%3D&rst=6546&ck=1&ref=https://chaturbate.com/notabottom/",
"Lots of detail because someone , somewhere is going through this.",
"Alerts: mouse_movement_detect",
"IDS Detections: TheMoon.linksys.router",
"Bethseda Map - High Priority Alerts: ransomware_mass_file_delete antivm_firmware",
"162.159.128.233 \u2022 http://tsar.vicly.org \u2022 https://tsar.vicly.org \u2022 tsar.vicly.org \u2022 vicly.org \u2022 https://tsar.vicly.org/",
"sentient.industries affects independent artists. Affects several others.",
"This is directed to target, communicated where target was enrolled- Regis University Denver , Co",
"Tsara Brashears warned of hack, provided detailed information, provided advice",
"She was a researcher not a hacker. A mother not a criminal. Most talented and least impressed person I have ever known.",
"https://meumundogay-com.sexogratis.page/locker",
"There is fear in silence or speaking out",
"truefoundry.com \u2022 assets.production.truefoundry.com \u2022 cpt.llm-gateway.truefoundry.com",
"Professors asked to use her papers. \u2018Sure\u2019 she wasn\u2019t impressed",
"This is when Tsara was interrogated by 2 men at Barnes & No Ken regarding her technical abilities",
"Alerts: pe_compile_timestomping antiav_detectfile antidebug_guardpages encrypted_ioc",
"widget-va.tiktokv.com.ttdns2.com \u2022 http://widget-i18n.tiktokv.com.ttdns2.com/",
"I have to breakdown this enormous post over time. I\u2019m going to repost a potential hackers similar post",
"iamrobert.com Y.A.S."
],
"related": {
"alienvault": {
"adversary": [],
"malware_families": [],
"industries": [],
"unique_indicators": 0
},
"other": {
"adversary": [],
"malware_families": [
"Xanfpezes.a",
"Trojan:win32/zombie.a",
"Alf:heraklezeval:trojandownloader:html/adodb!rfn",
"Win.malware.kolab-9885903-0",
"Trojanspy:win32/usteal",
"#lowfienabledtcontinueafterunpacking",
"Trojan:win32/glupteba.mt!mtb",
"Win.malware (30)",
"Nufs_inno",
"Trojan.win32.fakemalard",
"Win.ransomware.msilzilla-10014498-0",
"Win.trojan.fakecodecs-119",
"Alf:hstr:dotnet",
"Win32:ransomx-gen\\ [ransom]",
"Trojan:win32/gandcrab",
"Win.trojan.generic-9862772-0",
"Trojan.win32.banload",
"Win.downloader.109205-1",
"Win.trojan.bulz-9860169-0",
"Custom malware",
"Win32/nemucod",
"Win.malware.midie-6847892-0",
"Win.malware.tfuvtcog-7194372-0",
"Malware",
"Mirai",
"#lowfi:hstr:msil/malicious",
"Alf:heraklezeval:trojan:win32/ymacco.aa47",
"Formbook",
"Ransom",
"Unix.trojan.gafgyt-6748839",
"#lowfi:hstr:msil/malicious.decryption",
"Code overlap",
"#lowfidetectsvmware",
"Trojandropper:win32/vb.il0",
"Win.packed.razy-9785185-0",
"Elf:mirai-gh\\ [trj]",
"Script exploit",
"Trojandropper:win32/muldrop",
"Trojan:win32/blihan.a",
"Alf:jasyp:pua:win32/bibado",
"Trojan:win32/zbot.sibl!mtb",
"Trojandropper:win32/muldrop.v!mtb",
"E5",
"Win32:downloader-gjk\\ [trj]",
"Trojan:win32/toga",
"Emotet",
"Elf:mirai-aal\\ [trj]",
"Win.trojan.jorik-149",
"Pws",
"Alf:trojan:win32/cassini_56a3061!ibt",
"Supportscookie",
"Win.trojan.jorik-130",
"Hacktool:win32/autokms",
"Ddos:win32/stormser.a",
"#lowfi:aggregator:hasknownadwaredomain_nsisbundler.",
"Autoit",
"Apnic",
"Too much to search for",
"Win32/porntool",
"Pornblackmailer",
"Dotnet",
"Mydoom"
],
"industries": [
"Medical",
"Government",
"Telecommunications",
"Government.",
"Technology",
"Media",
"Civilian society"
],
"unique_indicators": 125857
}
}
},
"false_positive": [],
"alexa": "http://www.alexa.com/siteinfo/pagsmile.com",
"whois": "http://whois.domaintools.com/pagsmile.com",
"domain": "pagsmile.com",
"hostname": "wallet.pagsmile.com"
},
"geo": {},
"geo_ipapicom": {},
"pulse_count": 15,
"pulses": [
{
"id": "695c7b40f5d2f292a7512e81",
"name": "USteal Reputation Smear | Malicious Media | TrojanSpy - CrazyFrost.com",
"description": "Who is CrazyFrost? USteal Reputation Smear | Malicious Media | TrojanSpy would affect anyone who clicks on honeypot / dga domain. iPhone spyware. We\u2019ve been working on exposing spyware. Emotet / AutoIT , cabs, password stealer, and more found. Investigators and attorneys from the past Investigators reported victims life, was being promoted over the dark web. From bathing to cooking , conversations to arguments, getting dressed to passing gas. Haha. Small cameras were accessed remotely in her former. Castle Pines, Co hideaway. A third investigator confirmed tiny cameras were installed when victim was in staycationing. When family arrived home garage door and secured doors were boldly left open. Crazy True. [otx auto generated- The following is the full text of the public-key-precert-scts, which has been posted on the website of Redporn.video, the site of an unauthorised sex tape.]",
"modified": "2026-02-05T02:03:26.707000",
"created": "2026-01-06T03:02:24.932000",
"tags": [
"gmtn",
"log id",
"ca issuers",
"b0n timestamp",
"signature",
"d097",
"f2334482",
"fc46",
"b10b2898797d",
"fingerprintsha1",
"tsara",
"we1 certificate",
"dynamicloader",
"medium",
"write c",
"host",
"yara rule",
"myapp",
"delphi",
"worm",
"win32",
"error",
"write",
"code",
"malware",
"learn",
"ck id",
"name tactics",
"suspicious",
"informative",
"command",
"adversaries",
"spawns",
"ssl certificate",
"execution att",
"t1204 user",
"united",
"mitre att",
"ck matrix",
"flag",
"ogoogle trust",
"href",
"network traffic",
"span",
"babe",
"super",
"close",
"general",
"local",
"path",
"encrypt",
"click",
"strings",
"form",
"extraction",
"data upload",
"all ht",
"enter source",
"one on",
"tezunau",
"daut un",
"dauwol lype",
"ur extraction",
"extrac",
"n tezunau",
"one opa",
"included review",
"faileextra",
"include data",
"review exclude",
"sugges",
"delete c",
"json",
"ascii text",
"high",
"data",
"search",
"stream",
"unknown",
"push",
"next",
"dirty",
"enter s",
"type",
"extr data",
"include",
"ff d5",
"ee fc",
"eb d8",
"f0 ff",
"ff bb",
"fd ff",
"ff eb",
"ed b8",
"agent",
"msie",
"windows nt",
"wow64",
"slcc2",
"media center",
"tlsv1",
"read c",
"execution",
"dock",
"persistence",
"sc data",
"present jan",
"present mar",
"present dec",
"unknown aaaa",
"passive dns",
"urls",
"trojanspy",
"date",
"present feb",
"susp",
"moved",
"ip address",
"backdoor",
"usteal",
"body",
"title",
"hybrid",
"regopenkeyexa",
"memcommit",
"regsz",
"english",
"copy",
"ufr stealer",
"markus",
"april",
"updater",
"entries",
"rsds",
"c reg",
"environment",
"launch"
],
"references": [
"https://www.redporn.video/tsara-brashears-slandered-.htm \u2022 www.redporn.video \u2022 http://www.redporn",
"guidepaparazzisurface.com",
"http://www.crazyfrost.com\t\u2022 http://www.crazyfrost",
"http://chaturbate.com/notabottom/\t\u2022 http://chaturbate.com/notabottom/\\",
"iPhone Spyware - https://bam.nr-data.net/1/6f524845d1?a=24279235&v=1169.7b094c0&to=MwYEbUdYXxJQWhULDApMIExbWkUIXldOAQsFF0hPXFxGEgtrDg0OMgoDThteVBU%3D&rst=6546&ck=1&ref=https://chaturbate.com/notabottom/&ap=123&fe=4218&dc=4218&af=err",
"iPhone Spyware - https://bam.nr-data.net/jserrors/ping/6f524845d1?a=24279235&v=1169.7b094c0&to=MwYEbUdYXxJQWhULDApMIExbWkUIXldOAQsFF0hPXFxGEgtrDg0OMgoDThteVBU%3D&rst=6546&ck=1&ref=https://chaturbate.com/notabottom/",
"https://chaturbate.com/notabottom/",
"https://www.google-analytics.com/r/collect?v=1&_v=j83&a=1390847564&t=pageview&_s=1&dl=https%3A%2F%2Fchaturbate.com%2Fnotabottom%2F&ul=en-us&de=utf-8&dt=Chaturbate%20-%20100%25%20Free%20Chat%20%26%20Webcams&sd=32-bit&sr=1024x768&vp=780x439&je=0&_u=YEBAAE~&jid=915940444&gjid=1686072238&cid=922362881.1595496808&tid=UA-23607725-1&_gid=1317601001.1595496808&_r=1&cd1=chaturbate.com&cd2=&cd3=-&cd4=&cd5=anonymous&z=762468946"
],
"public": 1,
"adversary": "",
"targeted_countries": [
"United States of America"
],
"malware_families": [
{
"id": "AutoIT",
"display_name": "AutoIT",
"target": null
},
{
"id": "TrojanSpy:Win32/Usteal",
"display_name": "TrojanSpy:Win32/Usteal",
"target": "/malware/TrojanSpy:Win32/Usteal"
}
],
"attack_ids": [
{
"id": "T1045",
"name": "Software Packing",
"display_name": "T1045 - Software Packing"
},
{
"id": "T1060",
"name": "Registry Run Keys / Startup Folder",
"display_name": "T1060 - Registry Run Keys / Startup Folder"
},
{
"id": "T1057",
"name": "Process Discovery",
"display_name": "T1057 - Process Discovery"
},
{
"id": "T1069",
"name": "Permission Groups Discovery",
"display_name": "T1069 - Permission Groups Discovery"
},
{
"id": "T1071",
"name": "Application Layer Protocol",
"display_name": "T1071 - Application Layer Protocol"
},
{
"id": "T1105",
"name": "Ingress Tool Transfer",
"display_name": "T1105 - Ingress Tool Transfer"
},
{
"id": "T1204",
"name": "User Execution",
"display_name": "T1204 - User Execution"
},
{
"id": "T1480",
"name": "Execution Guardrails",
"display_name": "T1480 - Execution Guardrails"
},
{
"id": "T1553",
"name": "Subvert Trust Controls",
"display_name": "T1553 - Subvert Trust Controls"
},
{
"id": "T1568",
"name": "Dynamic Resolution",
"display_name": "T1568 - Dynamic Resolution"
},
{
"id": "T1583",
"name": "Acquire Infrastructure",
"display_name": "T1583 - Acquire Infrastructure"
},
{
"id": "T1140",
"name": "Deobfuscate/Decode Files or Information",
"display_name": "T1140 - Deobfuscate/Decode Files or Information"
},
{
"id": "T1583.001",
"name": "Domains",
"display_name": "T1583.001 - Domains"
},
{
"id": "T1553.002",
"name": "Code Signing",
"display_name": "T1553.002 - Code Signing"
},
{
"id": "T1069.002",
"name": "Domain Groups",
"display_name": "T1069.002 - Domain Groups"
},
{
"id": "T1071.004",
"name": "DNS",
"display_name": "T1071.004 - DNS"
},
{
"id": "T1568.002",
"name": "Domain Generation Algorithms",
"display_name": "T1568.002 - Domain Generation Algorithms"
},
{
"id": "T1071.001",
"name": "Web Protocols",
"display_name": "T1071.001 - Web Protocols"
},
{
"id": "T1113",
"name": "Screen Capture",
"display_name": "T1113 - Screen Capture"
},
{
"id": "T1063",
"name": "Security Software Discovery",
"display_name": "T1063 - Security Software Discovery"
},
{
"id": "T1119",
"name": "Automated Collection",
"display_name": "T1119 - Automated Collection"
},
{
"id": "T1053",
"name": "Scheduled Task/Job",
"display_name": "T1053 - Scheduled Task/Job"
},
{
"id": "T1055",
"name": "Process Injection",
"display_name": "T1055 - Process Injection"
},
{
"id": "T1082",
"name": "System Information Discovery",
"display_name": "T1082 - System Information Discovery"
},
{
"id": "T1112",
"name": "Modify Registry",
"display_name": "T1112 - Modify Registry"
},
{
"id": "T1129",
"name": "Shared Modules",
"display_name": "T1129 - Shared Modules"
},
{
"id": "T1143",
"name": "Hidden Window",
"display_name": "T1143 - Hidden Window"
},
{
"id": "T1562",
"name": "Impair Defenses",
"display_name": "T1562 - Impair Defenses"
},
{
"id": "T1204.003",
"name": "Malicious Image",
"display_name": "T1204.003 - Malicious Image"
},
{
"id": "T1457",
"name": "Malicious Media Content",
"display_name": "T1457 - Malicious Media Content"
},
{
"id": "T1204.001",
"name": "Malicious Link",
"display_name": "T1204.001 - Malicious Link"
},
{
"id": "T1155",
"name": "AppleScript",
"display_name": "T1155 - AppleScript"
},
{
"id": "T1449",
"name": "Exploit SS7 to Redirect Phone Calls/SMS",
"display_name": "T1449 - Exploit SS7 to Redirect Phone Calls/SMS"
}
],
"industries": [],
"TLP": "green",
"cloned_from": null,
"export_count": 1,
"upvotes_count": 0,
"downvotes_count": 0,
"votes_count": 0,
"locked": false,
"pulse_source": "web",
"validator_count": 0,
"comment_count": 0,
"follower_count": 0,
"vote": 0,
"author": {
"username": "Q.Vashti",
"id": "337942",
"avatar_url": "https://otx.alienvault.com/assets/images/default-avatar.png",
"is_subscribed": false,
"is_following": false
},
"indicator_type_counts": {
"URL": 2543,
"hostname": 848,
"FileHash-SHA256": 1320,
"SSLCertFingerprint": 25,
"domain": 463,
"FileHash-MD5": 418,
"FileHash-SHA1": 197,
"email": 2
},
"indicator_count": 5816,
"is_author": false,
"is_subscribing": null,
"subscriber_count": 138,
"modified_text": "74 days ago ",
"is_modified": true,
"groups": [],
"in_group": false,
"threat_hunter_scannable": true,
"threat_hunter_has_agents": 1,
"related_indicator_type": "URL",
"related_indicator_is_active": 1
},
{
"id": "695035a98f01d94b2598f8ee",
"name": "Mirai \u2022 PrometheusIntelligenceTechnology.com - Extranet affected Universities | Regis University",
"description": "PrometheusIntelligenceTechnology.com - Extranet. Regis University experienced an outrageous blackout. I know because I was an outside investigator. Tsara Brashears found the links as a redirect on iOS and MacBook Pro devices.\n She seemed to be the the solely impacted Computer Science student. Further research showed canary cookie in server. Regis ignored all and played down the facts. All computers needed replacing. T advised but they tried to clean them. The elevator didn\u2019t work for years. Call 911 if you get stuck. Tsara went out of her way for 5 months warning them until an fool logged in as her but could only login over iexplorer. RU paid a ransom. Tsara was black listed from school. Above 4.0 GPA 3.8 post assault. Just found another PIT link. \n\nIT Security sent her to the FBI because legitimate death threats and plans were found. \n\nAll attacks immediately following assault.",
"modified": "2026-01-26T18:04:20.395000",
"created": "2025-12-27T19:38:17.198000",
"tags": [
"united",
"unknown aaaa",
"accept encoding",
"moved",
"urls",
"files",
"encrypt",
"passive dns",
"all ipv4",
"america flag",
"america asn",
"ransom",
"backdoor",
"mtb win32",
"mirai",
"united states",
"type indicator",
"role title",
"container",
"ip address",
"i div",
"h2 p",
"h4 p",
"data",
"desktop",
"powerful",
"url https",
"url http",
"indicator role",
"active related",
"cidr",
"types",
"indicators show",
"learn",
"ck id",
"name tactics",
"suspicious",
"informative",
"command",
"adversaries",
"defense evasion",
"spawns",
"mitre att",
"ck matrix",
"command decode",
"programfiles",
"suricata ipv4",
"windir",
"comspec",
"hybrid",
"general",
"path",
"model",
"click",
"strings",
"prometheus",
"palantir",
"kill list",
"tracking",
"moon linksys",
"router",
"emotet",
"active",
"regis university",
"ascii text",
"show technique",
"pattern match",
"sha1",
"show process",
"root",
"local",
"development att",
"ssl certificate",
"extranet",
"maven"
],
"references": [
"Palantir Extranet -https://prometheusintelligencetechnology.com/",
"Palantir espionage \u2022 prometheusintelligencetechnology.com \u2022 ad-maven.com \u2022 fastly.com \u2022 Foundry.com \u2022 so many more",
"IDS Detections: TheMoon.linksys.router",
"We don\u2019t know how Octoseek & ScoreBlie (Team8) became part of \u2018No Problems\u2019",
"It\u2019s okay if it\u2019s in there but this is in NO way related to an Alberta University hack.",
"This is directed to target, communicated where target was enrolled- Regis University Denver , Co",
"Pointed to Data Center 5 Inverness / Denver Tech Center, denies relationship. Seemed to prove originating DC",
"Tsara Brashears warned of hack, provided detailed information, provided advice",
"\u2018Close enrollment. Get all new devices. Stop using Barracuda.",
"Find a way to safely begin from a new server. Work from a Virtual World Class",
"Regis needed to close. They treated Brashears as trash after the NEW staff came. Hmm who are tvey",
"Old staff slow, foolish but eventually heeded instructions / once it was too late",
"Dean is deceased? Was the only staff who insisted that Tsara\u2019s tuition be reimbursed",
"She was in the botnet already",
"Was denied after third enrollment showed false information",
"She sought a certificate from Red Rocks. Kurzweil installed due to being disabled",
"Bills from nowhere appeared. Again staff said this never happened before left her with the debt.",
"Tsara was unable to finish her second degree this way. But found a way.",
"I don\u2019t like finding these remnants. I don\u2019t know why extranet was needed for this Brilliant student",
"Professors asked to use her papers. \u2018Sure\u2019 she wasn\u2019t impressed",
"Many pulses are missing. When we first began using this tool PIT was what we researched first",
"This is when Tsara was interrogated by 2 men at Barnes & No Ken regarding her technical abilities",
"One of the interrogators, asked her to be his girlfriend (fake ) tried to move her to a new location .",
"She refused. Two weeks later man is parked outside of her residence in a different county and city.",
"I\u2019m concerned because they are attacking people associated with her and thins needs to stop",
"This is dangerous. What is law enforcement for? They are probably controlled by Palantir as is Trump",
"Lots of detail because someone , somewhere is going through this."
],
"public": 1,
"adversary": "",
"targeted_countries": [],
"malware_families": [
{
"id": "Mirai",
"display_name": "Mirai",
"target": null
},
{
"id": "Win32:RansomX-gen\\ [Ransom]",
"display_name": "Win32:RansomX-gen\\ [Ransom]",
"target": null
},
{
"id": "ELF:Mirai-AAL\\ [Trj]",
"display_name": "ELF:Mirai-AAL\\ [Trj]",
"target": null
},
{
"id": "Emotet",
"display_name": "Emotet",
"target": null
}
],
"attack_ids": [
{
"id": "T1027",
"name": "Obfuscated Files or Information",
"display_name": "T1027 - Obfuscated Files or Information"
},
{
"id": "T1057",
"name": "Process Discovery",
"display_name": "T1057 - Process Discovery"
},
{
"id": "T1071",
"name": "Application Layer Protocol",
"display_name": "T1071 - Application Layer Protocol"
},
{
"id": "T1105",
"name": "Ingress Tool Transfer",
"display_name": "T1105 - Ingress Tool Transfer"
},
{
"id": "T1129",
"name": "Shared Modules",
"display_name": "T1129 - Shared Modules"
},
{
"id": "T1203",
"name": "Exploitation for Client Execution",
"display_name": "T1203 - Exploitation for Client Execution"
},
{
"id": "T1518",
"name": "Software Discovery",
"display_name": "T1518 - Software Discovery"
},
{
"id": "T1553",
"name": "Subvert Trust Controls",
"display_name": "T1553 - Subvert Trust Controls"
},
{
"id": "T1568",
"name": "Dynamic Resolution",
"display_name": "T1568 - Dynamic Resolution"
},
{
"id": "T1583",
"name": "Acquire Infrastructure",
"display_name": "T1583 - Acquire Infrastructure"
},
{
"id": "T1071.001",
"name": "Web Protocols",
"display_name": "T1071.001 - Web Protocols"
},
{
"id": "T1583.005",
"name": "Botnet",
"display_name": "T1583.005 - Botnet"
},
{
"id": "T1553.001",
"name": "Gatekeeper Bypass",
"display_name": "T1553.001 - Gatekeeper Bypass"
},
{
"id": "T1568.002",
"name": "Domain Generation Algorithms",
"display_name": "T1568.002 - Domain Generation Algorithms"
},
{
"id": "T1071.004",
"name": "DNS",
"display_name": "T1071.004 - DNS"
},
{
"id": "T1518.001",
"name": "Security Software Discovery",
"display_name": "T1518.001 - Security Software Discovery"
},
{
"id": "T1553.002",
"name": "Code Signing",
"display_name": "T1553.002 - Code Signing"
},
{
"id": "T1113",
"name": "Screen Capture",
"display_name": "T1113 - Screen Capture"
},
{
"id": "T1069",
"name": "Permission Groups Discovery",
"display_name": "T1069 - Permission Groups Discovery"
},
{
"id": "T1480",
"name": "Execution Guardrails",
"display_name": "T1480 - Execution Guardrails"
},
{
"id": "T1140",
"name": "Deobfuscate/Decode Files or Information",
"display_name": "T1140 - Deobfuscate/Decode Files or Information"
}
],
"industries": [],
"TLP": "green",
"cloned_from": null,
"export_count": 4,
"upvotes_count": 0,
"downvotes_count": 0,
"votes_count": 0,
"locked": false,
"pulse_source": "web",
"validator_count": 0,
"comment_count": 5,
"follower_count": 0,
"vote": 0,
"author": {
"username": "Q.Vashti",
"id": "337942",
"avatar_url": "https://otx.alienvault.com/assets/images/default-avatar.png",
"is_subscribed": false,
"is_following": false
},
"indicator_type_counts": {
"URL": 1037,
"domain": 161,
"hostname": 340,
"email": 2,
"FileHash-SHA256": 315,
"FileHash-MD5": 14,
"FileHash-SHA1": 20,
"CIDR": 16,
"SSLCertFingerprint": 8
},
"indicator_count": 1913,
"is_author": false,
"is_subscribing": null,
"subscriber_count": 137,
"modified_text": "83 days ago ",
"is_modified": true,
"groups": [],
"in_group": false,
"threat_hunter_scannable": true,
"threat_hunter_has_agents": 1,
"related_indicator_type": "URL",
"related_indicator_is_active": 1
},
{
"id": "68e2bb5d9ee8577ab5519f2c",
"name": "Meritshealth with DoD links? ",
"description": "",
"modified": "2026-01-13T00:05:56.401000",
"created": "2025-10-05T18:39:25.286000",
"tags": [
"gtmk5nxqc6",
"utc amazon",
"utc na",
"acceptencoding",
"gmt contenttype",
"connection",
"true pragma",
"gmt setcookie",
"httponly",
"gmt vary",
"nc000000 up",
"html document",
"unicode text",
"utf8 text",
"oc0006 http",
"http traffic",
"https http",
"mitre att",
"control ta0011",
"protocol t1071",
"match info",
"t1573 severity",
"info",
"number",
"ja3s",
"algorithm",
"azure rsa",
"tls issuing",
"cus subject",
"stwa lredmond",
"cnmicrosoft ecc",
"update secure",
"server ca",
"omicrosoft cus",
"get http",
"dns resolutions",
"registrar",
"markmonitor inc",
"country",
"resolver domain",
"type name",
"html",
"apnic",
"apnic whois",
"please",
"rirs",
"cidr",
"learn",
"ck id",
"name tactics",
"suspicious",
"informative",
"command",
"adversaries",
"development att",
"name tactics",
"binary file",
"ck matrix",
"wheelchair",
"iamrobert",
"pattern match",
"ascii text",
"href",
"united",
"general",
"local",
"path",
"encrypt",
"click",
"passive dns",
"urls",
"files",
"reverse dns",
"netherlands",
"present aug",
"a domains",
"moved",
"first pqc",
"ip address",
"unknown ns",
"unknown aaaa",
"title",
"body",
"meta",
"window",
"accept",
"body doctype",
"welcome",
"ok server",
"gmt content",
"present jul",
"present sep",
"aaaa",
"hostname",
"error",
"defense evasion",
"windows nt",
"response",
"vary",
"strings",
"core",
"t1027.013 encrypted/encoded",
"michelin lazy k",
"prefetch8",
"flag",
"date",
"starfield",
"hybrid",
"mobility cr",
"extraction",
"data upload",
"include",
"o url",
"url url",
"included i0",
"review ioc",
"excluded ic",
"suggested",
"find sugi",
"failed",
"cre pul",
"enter",
"enter sc",
"type",
"enric",
"extra",
"type opaste",
"data u",
"included",
"copy md5",
"copy sha1",
"copy sha256",
"null",
"refresh",
"tools",
"look",
"verify",
"restart",
"t1480 execution",
"expiration",
"url https",
"no expiration",
"iocs",
"ipv4",
"text drag",
"drop or",
"browse to",
"select file",
"redacted for",
"server",
"privacy tech",
"privacy admin",
"postal code",
"stateprovince",
"organization",
"email",
"code",
"quantum rooms",
"sam somalia",
"emp",
"porn",
"media defense",
"gov porn",
"suck my nips",
"reimer suspect",
"jeffrey reimer",
"dod",
"department of defense",
"show",
"date checked",
"url hostname",
"server response",
"google safe",
"results may",
"entries http",
"scans record",
"value status",
"sabey type",
"merits fake",
"y.a.s.",
"pornography",
"ramsom"
],
"references": [
"https://www.meritshealth.com/ Defense.Gov Mobility Co? ",
"zeroeyes.host \u2022 media.defense.gov \u2022 defense.gov \u2022 23.222.155.67",
"https://media.defense.gov/2022/Mar/17/2002958406/-1/-1/1/SUMMARY-OF-THE-JOINT-ALL-DOMAIN-COMMAND-AND-CONTROL-STRATEGY.pdf",
"https://media.defense.gov/2020/jun/09/2002313081/-1/-1/0/csi-detect-and-prevent-web-shell-malware-20200422.pdf",
"https://rto.bappam.eu/ai-n2cdl/mirai-2025-ven5k-telugu-movie-watch-online.html",
"https://pornokind.vgt.pl \u2022 https://cdn2.video.itsyourporn.com",
"https://webcams.itsyourporn.com/ \u2022 https://members.itsyourporn.com/",
"https://pics-storage-1.pornhat.com/contents/albums/main/1920x1080/135000/135855/9537375.jp",
"https://static.pornhat.com/contents/videos_screenshots/642000/642793/640x360/1.jpg",
"https://d1rozh26tys225.cloudfront.net/robot-suspicion.svg (mobility company no one has heard of)",
"https://www2.itsyourporn.com/license.php \u2022 https://www.lovephoto.tw/members",
"https://members.engine.com/login \u2022 https://members.engine.com/payment-details/220210",
"https://www-pornocarioca-com.sexogratis.page/videos/bbb/ex",
"https://media.defense.gov/2024/sep/18/2003547016/-1/-1/0/csa-prc-linked-actors-botnet.pdf",
"https://maisexo-com.putaria.info/casting \u2022 https://contosadultos-club.sexogratis.page/tudo",
"https://meumundogay-com.sexogratis.page/locker",
"https://es.pornhat.com/models/the-sex-creator/",
"Dear US Government, the man who assaulted targets name is Jeffrey Scott Reimer of Chester Springs, PA",
"Can the DoD no questions asked target a SA victim",
"Red Team Abuse? Starfield ? DoD? You need a real criminal Jeffrey Reimer.",
"There\u2019s a problem with terrorizing victims, relatives of, associates of and stealing their property intellectual or otherwise",
"socialmedia \u2022 socialmedia.defense.gov \u2022 static.defense.gov",
"There is fear in silence or speaking out",
"Target left unattended by anyone in a hospital except a security guard. Hospital refused care. Ignored rare brain incident from high cervical & brain assault injuries aggravated by car accident.",
"3-4 Police presence. 25 + hospital employees prepped radiology room. No one left room so was it for her?",
"If someone is believed to be a threat they have right to due process.",
"Infectious Disease UC Health denied target medication they said she needed as questionable liquid seeped into her brain.",
"She was a researcher not a hacker. A mother not a criminal. Most talented and least impressed person I have ever known.",
"Remarks online \u2018 T\u2019*#^^ is not a runner\u2019 a size 00 broke two track records at a major universities.",
"Honestly, you\u2019ve never seen or met her no many how many people you\u2019ve sent out. That\u2019s why you quiz.",
"ftp.iamrobert.com ? \u2022 https://www.meritshealth.com/templates/iamrobert/fonts/Graphik-Regular.eot",
"iamrobert.com Y.A.S.",
"1.2016 M.Brian Sabey filed a complaint about? Jeffrey Reimer refused Lie detector test and False memory exam",
"Target agreed and complied with all lie detector measures.",
"Is the family allowed to have a funeral for Tsara or print an obituary",
"No, they put Tsara in her mom\u2019s obituary, she couldn\u2019t grieve, she had to take it down.",
"I am very upset. Whoever is doing this is sick."
],
"public": 1,
"adversary": "",
"targeted_countries": [
"United States of America"
],
"malware_families": [
{
"id": "APNIC",
"display_name": "APNIC",
"target": null
},
{
"id": "Malware",
"display_name": "Malware",
"target": null
}
],
"attack_ids": [
{
"id": "T1071",
"name": "Application Layer Protocol",
"display_name": "T1071 - Application Layer Protocol"
},
{
"id": "T1573",
"name": "Encrypted Channel",
"display_name": "T1573 - Encrypted Channel"
},
{
"id": "T1027",
"name": "Obfuscated Files or Information",
"display_name": "T1027 - Obfuscated Files or Information"
},
{
"id": "T1057",
"name": "Process Discovery",
"display_name": "T1057 - Process Discovery"
},
{
"id": "T1069",
"name": "Permission Groups Discovery",
"display_name": "T1069 - Permission Groups Discovery"
},
{
"id": "T1105",
"name": "Ingress Tool Transfer",
"display_name": "T1105 - Ingress Tool Transfer"
},
{
"id": "T1480",
"name": "Execution Guardrails",
"display_name": "T1480 - Execution Guardrails"
},
{
"id": "T1553",
"name": "Subvert Trust Controls",
"display_name": "T1553 - Subvert Trust Controls"
},
{
"id": "T1566",
"name": "Phishing",
"display_name": "T1566 - Phishing"
},
{
"id": "T1568",
"name": "Dynamic Resolution",
"display_name": "T1568 - Dynamic Resolution"
},
{
"id": "T1583",
"name": "Acquire Infrastructure",
"display_name": "T1583 - Acquire Infrastructure"
},
{
"id": "T1069.002",
"name": "Domain Groups",
"display_name": "T1069.002 - Domain Groups"
},
{
"id": "T1071.001",
"name": "Web Protocols",
"display_name": "T1071.001 - Web Protocols"
},
{
"id": "T1583.001",
"name": "Domains",
"display_name": "T1583.001 - Domains"
},
{
"id": "TA0042",
"name": "Resource Development",
"display_name": "TA0042 - Resource Development"
},
{
"id": "TA0005",
"name": "Defense Evasion",
"display_name": "TA0005 - Defense Evasion"
},
{
"id": "T1553.002",
"name": "Code Signing",
"display_name": "T1553.002 - Code Signing"
},
{
"id": "T1528",
"name": "Steal Application Access Token",
"display_name": "T1528 - Steal Application Access Token"
},
{
"id": "T1071.004",
"name": "DNS",
"display_name": "T1071.004 - DNS"
},
{
"id": "T1113",
"name": "Screen Capture",
"display_name": "T1113 - Screen Capture"
},
{
"id": "T1590",
"name": "Gather Victim Network Information",
"display_name": "T1590 - Gather Victim Network Information"
},
{
"id": "T1591",
"name": "Gather Victim Org Information",
"display_name": "T1591 - Gather Victim Org Information"
},
{
"id": "T1132",
"name": "Data Encoding",
"display_name": "T1132 - Data Encoding"
},
{
"id": "T1140",
"name": "Deobfuscate/Decode Files or Information",
"display_name": "T1140 - Deobfuscate/Decode Files or Information"
},
{
"id": "T1562",
"name": "Impair Defenses",
"display_name": "T1562 - Impair Defenses"
},
{
"id": "T1457",
"name": "Malicious Media Content",
"display_name": "T1457 - Malicious Media Content"
},
{
"id": "T1562.001",
"name": "Disable or Modify Tools",
"display_name": "T1562.001 - Disable or Modify Tools"
},
{
"id": "T1562.004",
"name": "Disable or Modify System Firewall",
"display_name": "T1562.004 - Disable or Modify System Firewall"
},
{
"id": "T1089",
"name": "Disabling Security Tools",
"display_name": "T1089 - Disabling Security Tools"
},
{
"id": "T1562.008",
"name": "Disable Cloud Logs",
"display_name": "T1562.008 - Disable Cloud Logs"
},
{
"id": "T1125",
"name": "Video Capture",
"display_name": "T1125 - Video Capture"
},
{
"id": "T1056.003",
"name": "Web Portal Capture",
"display_name": "T1056.003 - Web Portal Capture"
},
{
"id": "T1512",
"name": "Capture Camera",
"display_name": "T1512 - Capture Camera"
},
{
"id": "T1180",
"name": "Screensaver",
"display_name": "T1180 - Screensaver"
}
],
"industries": [],
"TLP": "white",
"cloned_from": "68e2b14d83bb63502feac65e",
"export_count": 17,
"upvotes_count": 0,
"downvotes_count": 0,
"votes_count": 0,
"locked": false,
"pulse_source": "web",
"validator_count": 0,
"comment_count": 0,
"follower_count": 0,
"vote": 0,
"author": {
"username": "Q.Vashti",
"id": "337942",
"avatar_url": "https://otx.alienvault.com/assets/images/default-avatar.png",
"is_subscribed": false,
"is_following": false
},
"indicator_type_counts": {
"domain": 1365,
"URL": 11172,
"hostname": 2780,
"FileHash-MD5": 381,
"FileHash-SHA256": 4420,
"FileHash-SHA1": 338,
"CIDR": 4,
"SSLCertFingerprint": 24,
"CVE": 1,
"email": 1
},
"indicator_count": 20486,
"is_author": false,
"is_subscribing": null,
"subscriber_count": 139,
"modified_text": "97 days ago ",
"is_modified": true,
"groups": [],
"in_group": false,
"threat_hunter_scannable": true,
"threat_hunter_has_agents": 1,
"related_indicator_type": "URL",
"related_indicator_is_active": 1
},
{
"id": "68e2b14d83bb63502feac65e",
"name": "Did the \u2018real\u2019 DoD kill Targets wheelchair as promised? It\u2019s alive again.",
"description": "I\u2019d never think the DoD would be found when researching a wheelchair company NO ONE has ever heard of in this region. \n\nA wheelchair was ordered for target early spring, it was received in early summer. \n\nSettings became a crazy mess. Suspicion was immediate as a toothless tech tried to identify if dealing w/target by birth year , quizzing, fear tactics (doomsday wheelchair) , familiar Then warns about EMP attacks against wheelchair? His son is a hacker (gamer) + software engineer. He left not knowing if target status after quizzing tech knowledge? I intentionally verbalized the truth , target was a very early adopter of Ruby & Ruby on Rails & everything tech, he dropped his tools & left breaking the arm of wheelchair. New tech needed. Later denies ever being a mobility technician. They killed a new wheelchair. Why?. You\u2019re allowed to donate your equipment Vets & uninsured NEED mobility equipment. Stop the craziness. Is it possible gamer hackers are riding the DoD w/o their knowledge?",
"modified": "2026-01-07T00:00:30.717000",
"created": "2025-10-05T17:56:29.109000",
"tags": [
"gtmk5nxqc6",
"utc amazon",
"utc na",
"acceptencoding",
"gmt contenttype",
"connection",
"true pragma",
"gmt setcookie",
"httponly",
"gmt vary",
"nc000000 up",
"html document",
"unicode text",
"utf8 text",
"oc0006 http",
"http traffic",
"https http",
"mitre att",
"control ta0011",
"protocol t1071",
"match info",
"t1573 severity",
"info",
"number",
"ja3s",
"algorithm",
"azure rsa",
"tls issuing",
"cus subject",
"stwa lredmond",
"cnmicrosoft ecc",
"update secure",
"server ca",
"omicrosoft cus",
"get http",
"dns resolutions",
"registrar",
"markmonitor inc",
"country",
"resolver domain",
"type name",
"html",
"apnic",
"apnic whois",
"please",
"rirs",
"cidr",
"learn",
"ck id",
"name tactics",
"suspicious",
"informative",
"command",
"adversaries",
"development att",
"name tactics",
"binary file",
"ck matrix",
"wheelchair",
"iamrobert",
"pattern match",
"ascii text",
"href",
"united",
"general",
"local",
"path",
"encrypt",
"click",
"passive dns",
"urls",
"files",
"reverse dns",
"netherlands",
"present aug",
"a domains",
"moved",
"first pqc",
"ip address",
"unknown ns",
"unknown aaaa",
"title",
"body",
"meta",
"window",
"accept",
"body doctype",
"welcome",
"ok server",
"gmt content",
"present jul",
"present sep",
"aaaa",
"hostname",
"error",
"defense evasion",
"windows nt",
"response",
"vary",
"strings",
"core",
"t1027.013 encrypted/encoded",
"michelin lazy k",
"prefetch8",
"flag",
"date",
"starfield",
"hybrid",
"mobility cr",
"extraction",
"data upload",
"include",
"o url",
"url url",
"included i0",
"review ioc",
"excluded ic",
"suggested",
"find sugi",
"failed",
"cre pul",
"enter",
"enter sc",
"type",
"enric",
"extra",
"type opaste",
"data u",
"included",
"copy md5",
"copy sha1",
"copy sha256",
"null",
"refresh",
"tools",
"look",
"verify",
"restart",
"t1480 execution",
"expiration",
"url https",
"no expiration",
"iocs",
"ipv4",
"text drag",
"drop or",
"browse to",
"select file",
"redacted for",
"server",
"privacy tech",
"privacy admin",
"postal code",
"stateprovince",
"organization",
"email",
"code",
"quantum rooms",
"sam somalia",
"emp",
"porn",
"media defense",
"gov porn",
"suck my nips",
"reimer suspect",
"jeffrey reimer",
"dod",
"department of defense",
"show",
"date checked",
"url hostname",
"server response",
"google safe",
"results may",
"entries http",
"scans record",
"value status",
"sabey type",
"merits fake",
"y.a.s.",
"pornography",
"ramsom"
],
"references": [
"https://www.meritshealth.com/ Defense.Gov Mobility Co? ",
"zeroeyes.host \u2022 media.defense.gov \u2022 defense.gov \u2022 23.222.155.67",
"https://media.defense.gov/2022/Mar/17/2002958406/-1/-1/1/SUMMARY-OF-THE-JOINT-ALL-DOMAIN-COMMAND-AND-CONTROL-STRATEGY.pdf",
"https://media.defense.gov/2020/jun/09/2002313081/-1/-1/0/csi-detect-and-prevent-web-shell-malware-20200422.pdf",
"https://rto.bappam.eu/ai-n2cdl/mirai-2025-ven5k-telugu-movie-watch-online.html",
"https://pornokind.vgt.pl \u2022 https://cdn2.video.itsyourporn.com",
"https://webcams.itsyourporn.com/ \u2022 https://members.itsyourporn.com/",
"https://pics-storage-1.pornhat.com/contents/albums/main/1920x1080/135000/135855/9537375.jp",
"https://static.pornhat.com/contents/videos_screenshots/642000/642793/640x360/1.jpg",
"https://d1rozh26tys225.cloudfront.net/robot-suspicion.svg (mobility company no one has heard of)",
"https://www2.itsyourporn.com/license.php \u2022 https://www.lovephoto.tw/members",
"https://members.engine.com/login \u2022 https://members.engine.com/payment-details/220210",
"https://www-pornocarioca-com.sexogratis.page/videos/bbb/ex",
"https://media.defense.gov/2024/sep/18/2003547016/-1/-1/0/csa-prc-linked-actors-botnet.pdf",
"https://maisexo-com.putaria.info/casting \u2022 https://contosadultos-club.sexogratis.page/tudo",
"https://meumundogay-com.sexogratis.page/locker",
"https://es.pornhat.com/models/the-sex-creator/",
"Dear US Government, the man who assaulted targets name is Jeffrey Scott Reimer of Chester Springs, PA",
"Can the DoD no questions asked target a SA victim",
"Red Team Abuse? Starfield ? DoD? You need a real criminal Jeffrey Reimer.",
"There\u2019s a problem with terrorizing victims, relatives of, associates of and stealing their property intellectual or otherwise",
"socialmedia \u2022 socialmedia.defense.gov \u2022 static.defense.gov",
"There is fear in silence or speaking out",
"Target left unattended by anyone in a hospital except a security guard. Hospital refused care. Ignored rare brain incident from high cervical & brain assault injuries aggravated by car accident.",
"3-4 Police presence. 25 + hospital employees prepped radiology room. No one left room so was it for her?",
"If someone is believed to be a threat they have right to due process.",
"Infectious Disease UC Health denied target medication they said she needed as questionable liquid seeped into her brain.",
"She was a researcher not a hacker. A mother not a criminal. Most talented and least impressed person I have ever known.",
"Remarks online \u2018 T\u2019*#^^ is not a runner\u2019 a size 00 broke two track records at a major universities.",
"Honestly, you\u2019ve never seen or met her no many how many people you\u2019ve sent out. That\u2019s why you quiz.",
"ftp.iamrobert.com ? \u2022 https://www.meritshealth.com/templates/iamrobert/fonts/Graphik-Regular.eot",
"iamrobert.com Y.A.S.",
"1.2016 M.Brian Sabey filed a complaint about? Jeffrey Reimer refused Lie detector test and False memory exam",
"Target agreed and complied with all lie detector measures.",
"Is the family allowed to have a funeral for Tsara or print an obituary",
"No, they put Tsara in her mom\u2019s obituary, she couldn\u2019t grieve, she had to take it down.",
"I am very upset. Whoever is doing this is sick."
],
"public": 1,
"adversary": "",
"targeted_countries": [
"United States of America"
],
"malware_families": [
{
"id": "APNIC",
"display_name": "APNIC",
"target": null
},
{
"id": "Malware",
"display_name": "Malware",
"target": null
}
],
"attack_ids": [
{
"id": "T1071",
"name": "Application Layer Protocol",
"display_name": "T1071 - Application Layer Protocol"
},
{
"id": "T1573",
"name": "Encrypted Channel",
"display_name": "T1573 - Encrypted Channel"
},
{
"id": "T1027",
"name": "Obfuscated Files or Information",
"display_name": "T1027 - Obfuscated Files or Information"
},
{
"id": "T1057",
"name": "Process Discovery",
"display_name": "T1057 - Process Discovery"
},
{
"id": "T1069",
"name": "Permission Groups Discovery",
"display_name": "T1069 - Permission Groups Discovery"
},
{
"id": "T1105",
"name": "Ingress Tool Transfer",
"display_name": "T1105 - Ingress Tool Transfer"
},
{
"id": "T1480",
"name": "Execution Guardrails",
"display_name": "T1480 - Execution Guardrails"
},
{
"id": "T1553",
"name": "Subvert Trust Controls",
"display_name": "T1553 - Subvert Trust Controls"
},
{
"id": "T1566",
"name": "Phishing",
"display_name": "T1566 - Phishing"
},
{
"id": "T1568",
"name": "Dynamic Resolution",
"display_name": "T1568 - Dynamic Resolution"
},
{
"id": "T1583",
"name": "Acquire Infrastructure",
"display_name": "T1583 - Acquire Infrastructure"
},
{
"id": "T1069.002",
"name": "Domain Groups",
"display_name": "T1069.002 - Domain Groups"
},
{
"id": "T1071.001",
"name": "Web Protocols",
"display_name": "T1071.001 - Web Protocols"
},
{
"id": "T1583.001",
"name": "Domains",
"display_name": "T1583.001 - Domains"
},
{
"id": "TA0042",
"name": "Resource Development",
"display_name": "TA0042 - Resource Development"
},
{
"id": "TA0005",
"name": "Defense Evasion",
"display_name": "TA0005 - Defense Evasion"
},
{
"id": "T1553.002",
"name": "Code Signing",
"display_name": "T1553.002 - Code Signing"
},
{
"id": "T1528",
"name": "Steal Application Access Token",
"display_name": "T1528 - Steal Application Access Token"
},
{
"id": "T1071.004",
"name": "DNS",
"display_name": "T1071.004 - DNS"
},
{
"id": "T1113",
"name": "Screen Capture",
"display_name": "T1113 - Screen Capture"
},
{
"id": "T1590",
"name": "Gather Victim Network Information",
"display_name": "T1590 - Gather Victim Network Information"
},
{
"id": "T1591",
"name": "Gather Victim Org Information",
"display_name": "T1591 - Gather Victim Org Information"
},
{
"id": "T1132",
"name": "Data Encoding",
"display_name": "T1132 - Data Encoding"
},
{
"id": "T1140",
"name": "Deobfuscate/Decode Files or Information",
"display_name": "T1140 - Deobfuscate/Decode Files or Information"
},
{
"id": "T1562",
"name": "Impair Defenses",
"display_name": "T1562 - Impair Defenses"
},
{
"id": "T1457",
"name": "Malicious Media Content",
"display_name": "T1457 - Malicious Media Content"
},
{
"id": "T1562.001",
"name": "Disable or Modify Tools",
"display_name": "T1562.001 - Disable or Modify Tools"
},
{
"id": "T1562.004",
"name": "Disable or Modify System Firewall",
"display_name": "T1562.004 - Disable or Modify System Firewall"
},
{
"id": "T1089",
"name": "Disabling Security Tools",
"display_name": "T1089 - Disabling Security Tools"
},
{
"id": "T1562.008",
"name": "Disable Cloud Logs",
"display_name": "T1562.008 - Disable Cloud Logs"
},
{
"id": "T1125",
"name": "Video Capture",
"display_name": "T1125 - Video Capture"
},
{
"id": "T1056.003",
"name": "Web Portal Capture",
"display_name": "T1056.003 - Web Portal Capture"
},
{
"id": "T1512",
"name": "Capture Camera",
"display_name": "T1512 - Capture Camera"
},
{
"id": "T1180",
"name": "Screensaver",
"display_name": "T1180 - Screensaver"
}
],
"industries": [],
"TLP": "white",
"cloned_from": null,
"export_count": 11,
"upvotes_count": 0,
"downvotes_count": 0,
"votes_count": 0,
"locked": false,
"pulse_source": "web",
"validator_count": 0,
"comment_count": 1,
"follower_count": 0,
"vote": 0,
"author": {
"username": "Q.Vashti",
"id": "337942",
"avatar_url": "https://otx.alienvault.com/assets/images/default-avatar.png",
"is_subscribed": false,
"is_following": false
},
"indicator_type_counts": {
"domain": 1328,
"URL": 9931,
"hostname": 2621,
"FileHash-MD5": 381,
"FileHash-SHA256": 4360,
"FileHash-SHA1": 338,
"CIDR": 4,
"SSLCertFingerprint": 24,
"CVE": 1,
"email": 1
},
"indicator_count": 18989,
"is_author": false,
"is_subscribing": null,
"subscriber_count": 139,
"modified_text": "103 days ago ",
"is_modified": true,
"groups": [],
"in_group": false,
"threat_hunter_scannable": true,
"threat_hunter_has_agents": 1,
"related_indicator_type": "URL",
"related_indicator_is_active": 1
},
{
"id": "6923408464566e39caf32285",
"name": "Discord- DNS | Malvertizing | Ransom/Msilzilla (sifting IoC\u2019s created by scnrscnr)",
"description": "TAGS\nActive\n443 ma2592000\nChristopher Pool\nPool's Closed\nTimothy Pool\na li\n google\namerica att\napache\napache ip\nasn as46606\nauditmode force\nbehavior\nbinary\nbinary file\nbk role\nchat\ncheck\nchrome\nck ids\ncommon stealer\ncookie\ndata upload\ndefender\ndelete c\ndirectui\ndiscord\ndns lookup\ndomain add\ndrop\ndynamicloader\neb d8\nee fc\nerror oct\nexplorer\nexternal ip\nextraction\nf0 ff\nfailed\nff bb\nff d5\nff ff\nfiles\nfoundry\ngmt content\ngmt etag\ngmt server\ngoogle chrome\nguard\nhigh\ninsert\nlolminer\nmalware\nmedia\nmeta\nmoved\nmovie\nmsie\nmsvisualbasic60\nmtb aug -present \nneversend\npowershell\nrelated nids\nresponse ip\nself\nservice domain\nsingapore\nsmartassembly\nspan\nspan a\nsx08x00x00a\ntargeting\ntls sni\ntrojan\ntrojandropper\ntwitter\ntx08x00x00n\nunique\nuser agent\nux08x00x00h\nvirtool\nvirustotal api\nvoice\nvx08x00x00j\nwrite\nwrite c\nwx08x00x00\nx08x00x00b\nx08x00x00x00\nyara\nyara rule\nyx08x00x00l\nz3je\nz3uwq7\nzx08x00x00",
"modified": "2025-12-23T16:04:54.329000",
"created": "2025-11-23T17:12:36.917000",
"tags": [
"no expiration",
"expiration",
"url https",
"url http",
"filehashsha256",
"hostname",
"domain",
"filehashmd5",
"filehashsha1",
"ipv4",
"code",
"pool",
"timothy pool",
"z3je z3uwq7",
"creation date",
"ip address",
"emails",
"expiration date",
"status",
"hostname add",
"pulse pulses",
"passive dns",
"urls",
"date"
],
"references": [
"https://otx.alienvault.com/pulse/5fa57698ac0f6638b7b9a8ba",
"Examining pulse created by scnrscnr is worth reviewing. I was surprised tonal see a targets name.I didn\u2019t see Foundry highlighted",
"http://aninditaannisa.blogspot.com/2019/02/tsara-brashears-porn.html \u2022 blogspot.com",
"https://aninditaannisa.blogspot.com/2019/02/tsara-brashears-porn.html \u2022 blogspot.com \u2022 www.techcult.com/judge-the-simpsons-parody-is-child-pornography/ Whitelisted domain techcult.com\t Domain blogspot.com Whitelisted domain blogspot.com\t Domain techcult.com Whitelisted domain techcult.com\t Hostname aninditaannisa.blogspot.com \u2022 domain blogspot.com",
"www.techcult.com",
"http://foundry.tartarynova.com phishing \u2022 https://foundry.tartarynova.com \u2022 foundry.tartarynova.com",
"https://trail.truefoundry.com/api/t/c/usr_NEDuPPvnqv5DXyhti/tsk_X2YECqnpAow7t6JuE/enc_U2FsdGVkX1_wWHRx9nPGCEspZpUcIwc1yphMTxaaQ2ZAbsxOqRR4ibXcaYtcmgJ1UgabTFCHVVBLx2oAnBAW2h8el_edjHN72Ug0yKQePjKnSJEOnQvtq8MUPo0vkU1N",
"https://trail.truefoundry.com/api/track/open/usr_NEDuPPvnqv5DXyhti/tsk_L9bYYgL2HGng9mDsC",
"https://trail.truefoundry.com/api/track/open/usr_NEDuPPvnqv5DXyhti/tsk_X2YECqnpAow7t6JuE",
"truefoundry.com \u2022 assets.production.truefoundry.com \u2022 cpt.llm-gateway.truefoundry.com",
"yyz.llm-gateway.truefoundry.com \u2022 trail.truefoundry.com \u2022 sin.llm-gateway.truefoundry.com",
"lm-gateway.truefoundry.com \u2022 https://assets.production.truefoundry.com/sample-openapi.json",
"162.159.128.233 \u2022 http://tsar.vicly.org \u2022 https://tsar.vicly.org \u2022 tsar.vicly.org \u2022 vicly.org \u2022 https://tsar.vicly.org/",
"http://scteamcommunity.com/4k-high-res-porn-videos/squirt phishing",
"http://pic.porn.hub-accessories.site \u2022 https://pic.porn.hub-accessories.site \u2022 pic.porn.hub-accessories.site",
"2022ww11.pornhubgsy.com \u2022 http://scteamcommunity.com/4k-high-res-porn-videos/squirt",
"IDS Detections: Observed Discord Domain in DNS Lookup (discord .com) Discord Chat Service Domain in DNS Lookup (discord .com)",
"IDS Detections: Observed Discord Domain (discord .com in TLS SNI)",
"IDS Detections: Observed Cloudflare DNS over HTTPS Domain (cloudflare-dns .com in TLS SNI)",
"IDS Detections: Observed Discord Domain (discordapp .com in TLS SNI) Observed Discord Service Domain (discord .com) in TLS SNI Less",
"Yara: Detections ConventionEngine_Term_Users",
"Yara: ConventionEngine_Anomaly_MultiPDB_Double , ConventionEngine_Term_Documents",
"Alerts: infostealer_browser infostealer_cookies binary_yara procmem_yara static_pe_anomaly",
"Alerts: pe_compile_timestomping antiav_detectfile antidebug_guardpages encrypted_ioc",
"Alerts: dynamic_function_loading injection_write_process reads_memory_remote_process",
"Alerts : network_cnc_https_generic reads_self packer_entropy injection_rwx uses_windows_utilities antivm_checks_available_memory queries_computer_name queries_user_name",
"Yara : MS_Visual_Basic_6_0 ,",
"Yara : UPX , Nrv2x , UPX_OEP_place , UPXV200V290MarkusOberhumerLaszloMolnarJohnReiser , UPXv20MarkusLaszloReiser",
"Alerts : ransomware_file_modifications stealth_file procmem_yara static_pe_anomaly",
"Alerts: disables_folder_options stealth_hidden_extension stealth_hiddenreg anomalous_deletefile",
"Alerts: mouse_movement_detect",
"Couldn\u2019t pulse 1st pulse so here\u2019s what\u2019s left",
"scnrscnr pulse is good. I\u2019m assuming they\u2019re targets.",
"Foundry stalking."
],
"public": 1,
"adversary": "",
"targeted_countries": [
"United States of America"
],
"malware_families": [
{
"id": "TrojanDropper:Win32/VB.IL0",
"display_name": "TrojanDropper:Win32/VB.IL0",
"target": "/malware/TrojanDropper:Win32/VB.IL0"
},
{
"id": "ALF:Trojan:Win32/Cassini_56a3061!ibt",
"display_name": "ALF:Trojan:Win32/Cassini_56a3061!ibt",
"target": null
},
{
"id": "Win.Ransomware.Msilzilla-10014498-0",
"display_name": "Win.Ransomware.Msilzilla-10014498-0",
"target": null
}
],
"attack_ids": [
{
"id": "T1031",
"name": "Modify Existing Service",
"display_name": "T1031 - Modify Existing Service"
},
{
"id": "T1045",
"name": "Software Packing",
"display_name": "T1045 - Software Packing"
},
{
"id": "T1060",
"name": "Registry Run Keys / Startup Folder",
"display_name": "T1060 - Registry Run Keys / Startup Folder"
},
{
"id": "T1063",
"name": "Security Software Discovery",
"display_name": "T1063 - Security Software Discovery"
},
{
"id": "T1071",
"name": "Application Layer Protocol",
"display_name": "T1071 - Application Layer Protocol"
},
{
"id": "T1119",
"name": "Automated Collection",
"display_name": "T1119 - Automated Collection"
},
{
"id": "T1140",
"name": "Deobfuscate/Decode Files or Information",
"display_name": "T1140 - Deobfuscate/Decode Files or Information"
},
{
"id": "T1210",
"name": "Exploitation of Remote Services",
"display_name": "T1210 - Exploitation of Remote Services"
},
{
"id": "T1443",
"name": "Remotely Install Application",
"display_name": "T1443 - Remotely Install Application"
},
{
"id": "T1546",
"name": "Event Triggered Execution",
"display_name": "T1546 - Event Triggered Execution"
},
{
"id": "T1566",
"name": "Phishing",
"display_name": "T1566 - Phishing"
}
],
"industries": [],
"TLP": "green",
"cloned_from": null,
"export_count": 7,
"upvotes_count": 0,
"downvotes_count": 0,
"votes_count": 0,
"locked": false,
"pulse_source": "web",
"validator_count": 0,
"comment_count": 0,
"follower_count": 0,
"vote": 0,
"author": {
"username": "Q.Vashti",
"id": "337942",
"avatar_url": "https://otx.alienvault.com/assets/images/default-avatar.png",
"is_subscribed": false,
"is_following": false
},
"indicator_type_counts": {
"FileHash-MD5": 773,
"FileHash-SHA1": 684,
"FileHash-SHA256": 1910,
"CVE": 2,
"SSLCertFingerprint": 4,
"URL": 3783,
"domain": 878,
"email": 7,
"hostname": 1913
},
"indicator_count": 9954,
"is_author": false,
"is_subscribing": null,
"subscriber_count": 139,
"modified_text": "118 days ago ",
"is_modified": true,
"groups": [],
"in_group": false,
"threat_hunter_scannable": true,
"threat_hunter_has_agents": 1,
"related_indicator_type": "URL",
"related_indicator_is_active": 1
},
{
"id": "68c62306c74c7f57dc993d13",
"name": "Predator - Dr. Jeffrey Reimer, DPT - Physical Therapist in Denver, CO | Healthgrades",
"description": "Malware with code overlap. JSR , DPT Health Grades account has been removed. An investigator claims Reimer & family have been moved, names , career , changes years ago, claims of government protection for him. After victims MRI JSR left town immediately. Returning in 2016 , coincidentally driving near victim location on various locations. \nIt\u2019s disgusting how technology is being used to cover up a crime instead of solve one.\n#code_overlap #malware #hosts_contacted\n#itstoolatetoapologizeitstoolate",
"modified": "2025-10-14T01:04:58.605000",
"created": "2025-09-14T02:05:58.793000",
"tags": [
"denver",
"jeffrey reimer",
"star rating",
"appointment",
"post",
"response are",
"listened",
"wait",
"reimer",
"healthgrades",
"reply flag",
"doctors",
"find",
"jeff",
"back",
"aurora",
"leave",
"crying",
"tips",
"tags na",
"utc scorecard",
"research beacon",
"utc yahoo",
"dot tags",
"united",
"mozilla",
"write c",
"nsisinetc",
"undetermined",
"medium",
"intel",
"ms windows",
"write",
"trojan",
"defender",
"delphi",
"win32",
"malware",
"win64",
"local",
"next",
"code overlap",
"dynamicloader",
"as15169",
"brazil as28604",
"brazil as396982",
"upatre",
"passive dns",
"title error",
"ipv4 add",
"pulse pulses",
"urls",
"files",
"reverse dns",
"location united",
"america flag",
"body",
"script script",
"powder sdk",
"a domains",
"title",
"script",
"certificate",
"hostname add",
"pulse submit",
"meta",
"learn",
"command",
"ck id",
"name tactics",
"suspicious",
"informative",
"spawns",
"evasion att",
"t1480 execution",
"signing defense",
"flag",
"whois privacy",
"service name",
"server",
"contacted hosts",
"ip address",
"process details",
"size",
"div id",
"beginstring",
"beginerror",
"null",
"error",
"strings",
"refresh",
"tools",
"onload",
"click",
"span",
"remote access"
],
"references": [
"#Lowfi:AGGREGATOR:HasKnownAdwareDomain_NsisBundler",
"YARA: Delphi This program must be run under Win32 compilers TrojanWin32Fakemalard Ujhhd",
"CodeOverlap | All malware listed exists",
"Observed Cloudflare DNS over HTTPS Domain (cloudflare-dns .com in TLS SNI)",
"All #tags auto populated.",
"URL http://virii.es/M/Mobile Malware Attacks and Defense.pdf",
"blog.manpowergroup.com.py (aww like dadvocates)",
"https://isexychat.com/chatrooms/teen-chat/with-others/\t (sounds about right)",
"r53lbr.run-delete-app-sa-east-1-1.run-delete-test-sa-east-1-9zt9rjv.forgeapps.ec2.aws.dev"
],
"public": 1,
"adversary": "",
"targeted_countries": [],
"malware_families": [
{
"id": "#Lowfi:AGGREGATOR:HasKnownAdwareDomain_NsisBundler.",
"display_name": "#Lowfi:AGGREGATOR:HasKnownAdwareDomain_NsisBundler.",
"target": null
},
{
"id": "Win.Malware.Tfuvtcog-7194372-0",
"display_name": "Win.Malware.Tfuvtcog-7194372-0",
"target": null
},
{
"id": "Trojan.Win32.Fakemalard",
"display_name": "Trojan.Win32.Fakemalard",
"target": null
},
{
"id": "Code Overlap",
"display_name": "Code Overlap",
"target": null
},
{
"id": "Trojan.Win32.Banload",
"display_name": "Trojan.Win32.Banload",
"target": null
},
{
"id": "Formbook",
"display_name": "Formbook",
"target": null
},
{
"id": "Malware",
"display_name": "Malware",
"target": null
}
],
"attack_ids": [
{
"id": "T1045",
"name": "Software Packing",
"display_name": "T1045 - Software Packing"
},
{
"id": "T1063",
"name": "Security Software Discovery",
"display_name": "T1063 - Security Software Discovery"
},
{
"id": "T1027",
"name": "Obfuscated Files or Information",
"display_name": "T1027 - Obfuscated Files or Information"
},
{
"id": "T1057",
"name": "Process Discovery",
"display_name": "T1057 - Process Discovery"
},
{
"id": "T1071",
"name": "Application Layer Protocol",
"display_name": "T1071 - Application Layer Protocol"
},
{
"id": "T1105",
"name": "Ingress Tool Transfer",
"display_name": "T1105 - Ingress Tool Transfer"
},
{
"id": "T1480",
"name": "Execution Guardrails",
"display_name": "T1480 - Execution Guardrails"
},
{
"id": "T1553",
"name": "Subvert Trust Controls",
"display_name": "T1553 - Subvert Trust Controls"
},
{
"id": "T1568",
"name": "Dynamic Resolution",
"display_name": "T1568 - Dynamic Resolution"
},
{
"id": "T1140",
"name": "Deobfuscate/Decode Files or Information",
"display_name": "T1140 - Deobfuscate/Decode Files or Information"
}
],
"industries": [
"Medical",
"Media",
"Government."
],
"TLP": "white",
"cloned_from": null,
"export_count": 11,
"upvotes_count": 0,
"downvotes_count": 0,
"votes_count": 0,
"locked": false,
"pulse_source": "web",
"validator_count": 0,
"comment_count": 0,
"follower_count": 0,
"vote": 0,
"author": {
"username": "Q.Vashti",
"id": "337942",
"avatar_url": "https://otx.alienvault.com/assets/images/default-avatar.png",
"is_subscribed": false,
"is_following": false
},
"indicator_type_counts": {
"hostname": 609,
"URL": 1550,
"domain": 280,
"FileHash-SHA256": 1428,
"FileHash-MD5": 133,
"FileHash-SHA1": 115,
"SSLCertFingerprint": 4
},
"indicator_count": 4119,
"is_author": false,
"is_subscribing": null,
"subscriber_count": 139,
"modified_text": "188 days ago ",
"is_modified": true,
"groups": [],
"in_group": false,
"threat_hunter_scannable": true,
"threat_hunter_has_agents": 1,
"related_indicator_type": "URL",
"related_indicator_is_active": 1
},
{
"id": "68c62316b24b23e6d4c579ef",
"name": "Predator - Dr. Jeffrey Reimer, DPT - Physical Therapist in Denver, CO | Healthgrades",
"description": "Malware with code overlap. JSR , DPT Health Grades account has been removed. An investigator claims Reimer & family have been moved, names , career , changes years ago, claims of government protection for him. After victims MRI JSR left town immediately. Returning in 2016 , coincidentally driving near victim location on various locations. \nIt\u2019s disgusting how technology is being used to cover up a crime instead of solve one.\n#code_overlap #malware #hosts_contacted\n#itstoolatetoapologizeitstoolate",
"modified": "2025-10-14T01:04:58.605000",
"created": "2025-09-14T02:06:14.853000",
"tags": [
"denver",
"jeffrey reimer",
"star rating",
"appointment",
"post",
"response are",
"listened",
"wait",
"reimer",
"healthgrades",
"reply flag",
"doctors",
"find",
"jeff",
"back",
"aurora",
"leave",
"crying",
"tips",
"tags na",
"utc scorecard",
"research beacon",
"utc yahoo",
"dot tags",
"united",
"mozilla",
"write c",
"nsisinetc",
"undetermined",
"medium",
"intel",
"ms windows",
"write",
"trojan",
"defender",
"delphi",
"win32",
"malware",
"win64",
"local",
"next",
"code overlap",
"dynamicloader",
"as15169",
"brazil as28604",
"brazil as396982",
"upatre",
"passive dns",
"title error",
"ipv4 add",
"pulse pulses",
"urls",
"files",
"reverse dns",
"location united",
"america flag",
"body",
"script script",
"powder sdk",
"a domains",
"title",
"script",
"certificate",
"hostname add",
"pulse submit",
"meta",
"learn",
"command",
"ck id",
"name tactics",
"suspicious",
"informative",
"spawns",
"evasion att",
"t1480 execution",
"signing defense",
"flag",
"whois privacy",
"service name",
"server",
"contacted hosts",
"ip address",
"process details",
"size",
"div id",
"beginstring",
"beginerror",
"null",
"error",
"strings",
"refresh",
"tools",
"onload",
"click",
"span",
"remote access"
],
"references": [
"#Lowfi:AGGREGATOR:HasKnownAdwareDomain_NsisBundler",
"YARA: Delphi This program must be run under Win32 compilers TrojanWin32Fakemalard Ujhhd",
"CodeOverlap | All malware listed exists",
"Observed Cloudflare DNS over HTTPS Domain (cloudflare-dns .com in TLS SNI)",
"All #tags auto populated.",
"URL http://virii.es/M/Mobile Malware Attacks and Defense.pdf",
"blog.manpowergroup.com.py (aww like dadvocates)",
"https://isexychat.com/chatrooms/teen-chat/with-others/\t (sounds about right)",
"r53lbr.run-delete-app-sa-east-1-1.run-delete-test-sa-east-1-9zt9rjv.forgeapps.ec2.aws.dev"
],
"public": 1,
"adversary": "",
"targeted_countries": [],
"malware_families": [
{
"id": "#Lowfi:AGGREGATOR:HasKnownAdwareDomain_NsisBundler.",
"display_name": "#Lowfi:AGGREGATOR:HasKnownAdwareDomain_NsisBundler.",
"target": null
},
{
"id": "Win.Malware.Tfuvtcog-7194372-0",
"display_name": "Win.Malware.Tfuvtcog-7194372-0",
"target": null
},
{
"id": "Trojan.Win32.Fakemalard",
"display_name": "Trojan.Win32.Fakemalard",
"target": null
},
{
"id": "Code Overlap",
"display_name": "Code Overlap",
"target": null
},
{
"id": "Trojan.Win32.Banload",
"display_name": "Trojan.Win32.Banload",
"target": null
},
{
"id": "Formbook",
"display_name": "Formbook",
"target": null
},
{
"id": "Malware",
"display_name": "Malware",
"target": null
},
{
"id": "Too much to search for",
"display_name": "Too much to search for",
"target": null
}
],
"attack_ids": [
{
"id": "T1045",
"name": "Software Packing",
"display_name": "T1045 - Software Packing"
},
{
"id": "T1063",
"name": "Security Software Discovery",
"display_name": "T1063 - Security Software Discovery"
},
{
"id": "T1027",
"name": "Obfuscated Files or Information",
"display_name": "T1027 - Obfuscated Files or Information"
},
{
"id": "T1057",
"name": "Process Discovery",
"display_name": "T1057 - Process Discovery"
},
{
"id": "T1071",
"name": "Application Layer Protocol",
"display_name": "T1071 - Application Layer Protocol"
},
{
"id": "T1105",
"name": "Ingress Tool Transfer",
"display_name": "T1105 - Ingress Tool Transfer"
},
{
"id": "T1480",
"name": "Execution Guardrails",
"display_name": "T1480 - Execution Guardrails"
},
{
"id": "T1553",
"name": "Subvert Trust Controls",
"display_name": "T1553 - Subvert Trust Controls"
},
{
"id": "T1568",
"name": "Dynamic Resolution",
"display_name": "T1568 - Dynamic Resolution"
},
{
"id": "T1140",
"name": "Deobfuscate/Decode Files or Information",
"display_name": "T1140 - Deobfuscate/Decode Files or Information"
}
],
"industries": [
"Medical",
"Media",
"Government."
],
"TLP": "white",
"cloned_from": null,
"export_count": 9,
"upvotes_count": 0,
"downvotes_count": 0,
"votes_count": 0,
"locked": false,
"pulse_source": "web",
"validator_count": 0,
"comment_count": 0,
"follower_count": 0,
"vote": 0,
"author": {
"username": "Q.Vashti",
"id": "337942",
"avatar_url": "https://otx.alienvault.com/assets/images/default-avatar.png",
"is_subscribed": false,
"is_following": false
},
"indicator_type_counts": {
"hostname": 609,
"URL": 1550,
"domain": 280,
"FileHash-SHA256": 1428,
"FileHash-MD5": 133,
"FileHash-SHA1": 115,
"SSLCertFingerprint": 4
},
"indicator_count": 4119,
"is_author": false,
"is_subscribing": null,
"subscriber_count": 139,
"modified_text": "188 days ago ",
"is_modified": true,
"groups": [],
"in_group": false,
"threat_hunter_scannable": true,
"threat_hunter_has_agents": 1,
"related_indicator_type": "URL",
"related_indicator_is_active": 1
},
{
"id": "68ac1823eed9568e26950b98",
"name": "ELF: Mirai - Malicious media | sentient.industries | Palantir",
"description": "Malicious entity weaponizing AI and next level cyber attacks, targeting, hacking, espionage, tracking, bad traffic, botnet, honeypots, bots , ddos. \n\nIt\u2019s really easy to become a target. Protest a cause, become a victim of crime by someone protected by a major entity , incur a large loss insurance case or have a high profile potential lawsuit on and on\u2026 \n\nExcessive overreach, low accountability, no barrier to access, designed to be the cyber warfare weapon.\nIf this is a spoof and NOT Palantir which (but it is) still relentlessly , as malicious. You don\u2019t own your devices or privacy.\n\n#mustbestrangelyexitingtowatchthestoicsquirm",
"modified": "2025-09-24T07:05:04.439000",
"created": "2025-08-25T08:00:35.492000",
"tags": [
"sentientindustries",
"adult",
"pornography",
"targeting",
"content reputation",
"palantirfoundry",
"palantir",
"malicious media",
"tool",
"abuse",
"citizens",
"gay",
"united",
"cache control",
"access control",
"passive dns",
"ip address",
"body found",
"gmt content",
"express cache",
"accept",
"pragma",
"avast avg",
"mirai",
"games",
"aniporn",
"eporner",
"learn",
"ck id",
"name tactics",
"suspicious",
"informative",
"adversaries",
"command",
"javascript",
"defense evasion",
"spawns",
"attrib",
"extid",
"fbid",
"creatortool",
"pattern match",
"date",
"path",
"august",
"hybrid",
"general",
"click",
"strings",
"bham",
"this",
"core",
"unknown aaaa",
"moved",
"unknown ns",
"body",
"h1 center",
"title",
"data upload",
"extraction",
"iocs",
"monitored target",
"copy md5",
"copy sha1",
"copy sha256",
"mitre att",
"show technique",
"ck matrix",
"span",
"possible",
"local",
"meta",
"roboto",
"supportscookie",
"spearphishing",
"initial access",
"ssl certificate",
"t1105",
"T1027.013 - Encrypted/Encoded File"
],
"references": [
"https://targeting-ai.com/dr-wisit-cheungpasitporn-invite-dhonneur-a-paris-pour-intelligence-artificielle-et-nephrologie-2025/ (phishing)",
"conf.targeting-ai.com \u2022 http://conf.targeting-ai.com \u2022 https://conf.targeting-ai.com \u2022 https://droidcall.cc/EQBhOSFz/",
"http://securityidiots.com/Web-Pentest/SQL-Injection/bypass-login-using-sql-injection.html",
"1-ai-chatbox-widget-2iv.pages.dev",
"FileleHash Sha256 [7a6da9fd351d428e9bfb8edbbca1275d9cdaf7f0371c77d2c227645509f7ebec ELF:Mirai-GH\\ [Trj] \u2022 Unix.Trojan.Gafgyt-6748839",
"Found in Palantirfoundry in sentient.indusutries linked to songculture.com (downed)",
"Redirecting to /verify/547062ef [URL https://eporner.blog \u2022 IPv4 104.21.3.107]",
"https://hayageek.com/drag-and-drop-file-upload-jquery",
"https://hayageek.com/rsa-encryption-decryption-openssl-c/",
"https://www-321chat-com.webpkgcache.com/doc/-/s/www.321chat.com/",
"https://www.melitta.be/portal/pics/layout/touchicons/apple-touch-icon-precomposed.png [Key-Systems GmbH]",
"https://hybrid-analysis.com/sample/627cf8e9a89c998bd5cb607854bbe31b82679c116b4e3834ff942220d61d3488/68ac1098bfa5002fad02e045",
"T1027.013 - Encrypted/Encoded File"
],
"public": 1,
"adversary": "",
"targeted_countries": [
"United States of America"
],
"malware_families": [
{
"id": "PornBlackmailer",
"display_name": "PornBlackmailer",
"target": null
},
{
"id": "Win32/PornTool",
"display_name": "Win32/PornTool",
"target": null
},
{
"id": "Mirai",
"display_name": "Mirai",
"target": null
},
{
"id": "ELF:Mirai-GH\\ [Trj]",
"display_name": "ELF:Mirai-GH\\ [Trj]",
"target": null
},
{
"id": "Unix.Trojan.Gafgyt-6748839",
"display_name": "Unix.Trojan.Gafgyt-6748839",
"target": null
},
{
"id": "supportsCookie",
"display_name": "supportsCookie",
"target": null
}
],
"attack_ids": [
{
"id": "T1457",
"name": "Malicious Media Content",
"display_name": "T1457 - Malicious Media Content"
},
{
"id": "T1027",
"name": "Obfuscated Files or Information",
"display_name": "T1027 - Obfuscated Files or Information"
},
{
"id": "T1055",
"name": "Process Injection",
"display_name": "T1055 - Process Injection"
},
{
"id": "T1057",
"name": "Process Discovery",
"display_name": "T1057 - Process Discovery"
},
{
"id": "T1059",
"name": "Command and Scripting Interpreter",
"display_name": "T1059 - Command and Scripting Interpreter"
},
{
"id": "T1071",
"name": "Application Layer Protocol",
"display_name": "T1071 - Application Layer Protocol"
},
{
"id": "T1083",
"name": "File and Directory Discovery",
"display_name": "T1083 - File and Directory Discovery"
},
{
"id": "T1105",
"name": "Ingress Tool Transfer",
"display_name": "T1105 - Ingress Tool Transfer"
},
{
"id": "T1480",
"name": "Execution Guardrails",
"display_name": "T1480 - Execution Guardrails"
},
{
"id": "T1553",
"name": "Subvert Trust Controls",
"display_name": "T1553 - Subvert Trust Controls"
},
{
"id": "T1555",
"name": "Credentials from Password Stores",
"display_name": "T1555 - Credentials from Password Stores"
},
{
"id": "T1568",
"name": "Dynamic Resolution",
"display_name": "T1568 - Dynamic Resolution"
},
{
"id": "T1583",
"name": "Acquire Infrastructure",
"display_name": "T1583 - Acquire Infrastructure"
},
{
"id": "T1590",
"name": "Gather Victim Network Information",
"display_name": "T1590 - Gather Victim Network Information"
},
{
"id": "T1113",
"name": "Screen Capture",
"display_name": "T1113 - Screen Capture"
},
{
"id": "T1140",
"name": "Deobfuscate/Decode Files or Information",
"display_name": "T1140 - Deobfuscate/Decode Files or Information"
},
{
"id": "T1608.005",
"name": "Link Target",
"display_name": "T1608.005 - Link Target"
},
{
"id": "T1566",
"name": "Phishing",
"display_name": "T1566 - Phishing"
},
{
"id": "T1204",
"name": "User Execution",
"display_name": "T1204 - User Execution"
},
{
"id": "T1583.001",
"name": "Domains",
"display_name": "T1583.001 - Domains"
},
{
"id": "T1566.002",
"name": "Spearphishing Link",
"display_name": "T1566.002 - Spearphishing Link"
},
{
"id": "T1566.001",
"name": "Spearphishing Attachment",
"display_name": "T1566.001 - Spearphishing Attachment"
},
{
"id": "T1553.002",
"name": "Code Signing",
"display_name": "T1553.002 - Code Signing"
},
{
"id": "T1071.004",
"name": "DNS",
"display_name": "T1071.004 - DNS"
},
{
"id": "T1071.001",
"name": "Web Protocols",
"display_name": "T1071.001 - Web Protocols"
},
{
"id": "T1568.002",
"name": "Domain Generation Algorithms",
"display_name": "T1568.002 - Domain Generation Algorithms"
},
{
"id": "T1532",
"name": "Data Encrypted",
"display_name": "T1532 - Data Encrypted"
}
],
"industries": [
"Telecommunications",
"Technology",
"Civilian Society",
"Government"
],
"TLP": "white",
"cloned_from": null,
"export_count": 16,
"upvotes_count": 0,
"downvotes_count": 0,
"votes_count": 0,
"locked": false,
"pulse_source": "web",
"validator_count": 0,
"comment_count": 0,
"follower_count": 0,
"vote": 0,
"author": {
"username": "Q.Vashti",
"id": "337942",
"avatar_url": "https://otx.alienvault.com/assets/images/default-avatar.png",
"is_subscribed": false,
"is_following": false
},
"indicator_type_counts": {
"URL": 966,
"domain": 222,
"hostname": 272,
"FileHash-MD5": 78,
"FileHash-SHA1": 84,
"FileHash-SHA256": 346,
"SSLCertFingerprint": 10
},
"indicator_count": 1978,
"is_author": false,
"is_subscribing": null,
"subscriber_count": 139,
"modified_text": "208 days ago ",
"is_modified": true,
"groups": [],
"in_group": false,
"threat_hunter_scannable": true,
"threat_hunter_has_agents": 1,
"related_indicator_type": "URL",
"related_indicator_is_active": 1
},
{
"id": "68abf66e97031d0ff0c04fed",
"name": "Packed sentient.industries links to a targets business website",
"description": "Very malicious link found in a targets business.\nPacked. Needs to be categorized.\n(FoundryPalantir rich?) Tracking, hacking, and serious espionage.\nAvailable public Information: \nSENTIENT INDUSTRIES\nsentient.industries\nSentient industries provides design and engineering services, from prototyping to small-batch manufacturing, empowering clients to overcome complex challenges. |\nMore about sentient\nMission sentient accelerates mission critical technology for\u2026\nSENTIENT INDUSTRIES\nAccelerating mission-critical tech for disaster response, defense ...\nContact Now\nAustin, tx 78758. United States. EMAIL us. info@sentient \n\nWorse than it looks. Spying on a several threat researchers.",
"modified": "2025-09-24T04:04:05.604000",
"created": "2025-08-25T05:36:46.327000",
"tags": [
"moved",
"body",
"x cache",
"cloudfront x",
"cph50 c2",
"certificate",
"record value",
"title",
"h1 center",
"server",
"redacted for",
"servers",
"name redacted",
"for privacy",
"name servers",
"org data",
"privacy city",
"privacy country",
"ca creation",
"passive dns",
"urls",
"files",
"ip address",
"asn as57033",
"less whois",
"registrar",
"tucows domains",
"key identifier",
"data",
"v3 serial",
"number",
"cat ozerossl",
"cnzerossl ecc",
"domain secure",
"site ca",
"validity",
"subject public",
"extraction",
"data upload",
"extra data",
"include review",
"find",
"failed",
"typ no",
"ms windows",
"intel",
"pe32",
"united",
"search",
"as16509",
"from win32bios",
"show",
"high",
"medium",
"delphi",
"copy",
"write",
"launcher",
"next",
"present aug",
"present jul",
"lowfi",
"win32",
"a div",
"div div",
"learn xml",
"babylon",
"win64",
"trojan",
"colors",
"python",
"learn",
"ck id",
"name tactics",
"suspicious",
"informative",
"command",
"adversaries",
"spawns",
"mitre att",
"ck techniques",
"et info",
"tls handshake",
"bad traffic",
"failure",
"date",
"august",
"hybrid",
"general",
"path",
"starfield",
"click",
"strings",
"se bethseda",
"n bethseda",
"n data",
"error",
"date checked",
"url hostname",
"server response",
"google safe",
"results aug",
"read c",
"tlsv1",
"port",
"destination",
"module load",
"execution",
"dock",
"persistence",
"malware",
"unknown",
"cname",
"aaaa",
"creation date",
"showing",
"domain",
"dga domains",
"palantirfoundry",
"foundry",
"status",
"unknown ns",
"g2 tls",
"rsa sha256",
"italy unknown",
"mtb may",
"trojandropper",
"invalid url",
"next associated",
"ddos",
"body html",
"hacktool",
"ipv4",
"url analysis",
"ukraine",
"encrypt",
"rl add",
"http",
"hostname",
"files domain",
"files related",
"related tags",
"present jun",
"entries",
"title error",
"all ipv4",
"reverse dns",
"yara detections",
"top source",
"top destination",
"source source",
"sha256 add",
"pulse pulses",
"av detections",
"ids detections",
"alerts",
"analysis date",
"address range",
"cidr",
"network name",
"allocation type",
"whois server",
"entity amazon4",
"handle",
"canada unknown",
"content type",
"javascript src",
"script script",
"x powered",
"ipv4 add",
"pulse submit",
"submit url",
"analysis",
"url add",
"related nids",
"files location",
"canada flag",
"canada hostname",
"unknown aaaa",
"ascii text",
"user agent",
"powershell",
"agent",
"czechia unknown",
"domain add",
"dynamicloader",
"hostname add",
"pentagon",
"defense"
],
"references": [
"sentient.industries affects independent artists. Affects several others.",
"Bethseda Map - Yara Detections Delphi , InnoSetupInstaller",
"Bethseda Map - High Priority Alerts: ransomware_file_moves ransomware_appends_extensions",
"Bethseda Map - High Priority Alerts: dumped_buffer2 antisandbox_mouse_hook",
"Bethseda Map - High Priority Alerts: modifies_certificates ransomware_dropped_files",
"Bethseda Map - High Priority Alerts: ransomware_mass_file_delete antivm_firmware",
"Bethseda Map - High Priority Alerts: antiemu_wine banker_zeus_p2p",
"https://download.mobiledit.com/drivers/setup_cdd_apple_1_0_10_0.exe",
"https://forensic.manuals.mobiledit.com/MM/how-to-install-correct-apple-drivers",
"prod.foundry.tylertechai.com \u2022 qa.foundry.tylertechai.com \u2022 staging.foundry.tylertechai.com \u2022",
"talos-staging.palantirfoundry.com \u2022 tylertechai.com \u2022 Palantir Technologies Inc.\u2022 palantirfoundry.com",
"Affects : Kailula4 , scnrscnr, SongCulture, Tsara Brashears & associated, ScrnrScrnr , dorkingbeauty",
"Interesting widgets: https://myid.canon/prd/1.1.30/canonid-assets/gcid-widget.html",
"http://link.monetizer101.com/widget/custom-2.0.2/templates/1",
"https://widget-i18n.tiktokv.com.ttdns2.com/ \u2022 https://stella.demand-iq.com/widget",
"widget-va.tiktokv.com.ttdns2.com \u2022 http://widget-i18n.tiktokv.com.ttdns2.com/",
"http://link.monetizer101.com/widget/custom-2.0.3/js/load.min.js \u2022",
"https://link.monetizer101.com/widget/code/595.js \u2022 https://link.monetizer101.com/widget/code/1343.js",
"https://link.monetizer101.com/widget/code/1511.js \u2022 https://link.monetizer101.com/widget/code/mirror.js",
"https://link.monetizer101.com/widget/code/dailystaruk.js",
"https://download.mobiledit.com/drivers/setup_cdd_apple_1_0_10_0.exe",
"https://forensic.manuals.mobiledit.com/MM/how-to-install-correct-apple-drivers (ASP.NET)",
"Interesting Strings: https://pro-api.coinmarketcap.com/v2/cryptocurrency/quotes/historical",
"(Can't access file- Malware infection files)",
"Potential reparations: Spyware , Trojan , Pegasus , DNS , Graphite , Paragon , NSO Group , Endgame , Cloudfront",
"constellation.pcfrpegaservice.net (Pegasus related? idk)",
"On behalf of pcfrpegaservice.net owner Name Servers\tNS-1477.AWSDNS-56.ORG Org\tIdentity Protection Service",
"TrojanWin32Scoreem - CodeOverlap [616fc7047d6216f7a604fa90f2f2dd0ad5b12f1153137e43858d3421ba964ea4]",
"I have to breakdown this enormous post over time. I\u2019m going to repost a potential hackers similar post",
"Remotewd.com devices",
"If you find anything interesting please research it."
],
"public": 1,
"adversary": "",
"targeted_countries": [
"United States of America"
],
"malware_families": [
{
"id": "nUFS_inno",
"display_name": "nUFS_inno",
"target": null
},
{
"id": "#Lowfi:HSTR:MSIL/Malicious",
"display_name": "#Lowfi:HSTR:MSIL/Malicious",
"target": null
},
{
"id": "ALF:JASYP:PUA:Win32/Bibado",
"display_name": "ALF:JASYP:PUA:Win32/Bibado",
"target": null
},
{
"id": "Trojan:Win32/Toga",
"display_name": "Trojan:Win32/Toga",
"target": "/malware/Trojan:Win32/Toga"
},
{
"id": "Win32:Downloader-GJK\\ [Trj]",
"display_name": "Win32:Downloader-GJK\\ [Trj]",
"target": null
},
{
"id": "Win.Downloader.109205-1",
"display_name": "Win.Downloader.109205-1",
"target": null
},
{
"id": "Custom Malware",
"display_name": "Custom Malware",
"target": null
},
{
"id": "#LowFiEnableDTContinueAfterUnpacking",
"display_name": "#LowFiEnableDTContinueAfterUnpacking",
"target": null
},
{
"id": "Win32:Downloader-GJK\\ [Trj]",
"display_name": "Win32:Downloader-GJK\\ [Trj]",
"target": null
},
{
"id": "Win.Downloader.109205-1",
"display_name": "Win.Downloader.109205-1",
"target": null
},
{
"id": "Win.Trojan.Jorik-149",
"display_name": "Win.Trojan.Jorik-149",
"target": null
},
{
"id": "#LowFiDetectsVmWare",
"display_name": "#LowFiDetectsVmWare",
"target": null
},
{
"id": "Win.Trojan.Jorik-130",
"display_name": "Win.Trojan.Jorik-130",
"target": null
},
{
"id": "Win.Trojan.Fakecodecs-119",
"display_name": "Win.Trojan.Fakecodecs-119",
"target": null
},
{
"id": "Trojan:Win32/Zombie.A",
"display_name": "Trojan:Win32/Zombie.A",
"target": "/malware/Trojan:Win32/Zombie.A"
},
{
"id": "Win.Trojan.Bulz-9860169-0",
"display_name": "Win.Trojan.Bulz-9860169-0",
"target": null
},
{
"id": "Win.Malware.Midie-6847892-0",
"display_name": "Win.Malware.Midie-6847892-0",
"target": null
},
{
"id": "TrojanDropper:Win32/Muldrop.V!MTB",
"display_name": "TrojanDropper:Win32/Muldrop.V!MTB",
"target": "/malware/TrojanDropper:Win32/Muldrop.V!MTB"
},
{
"id": "Win.Packed.Razy-9785185-0",
"display_name": "Win.Packed.Razy-9785185-0",
"target": null
},
{
"id": "Trojan:Win32/Glupteba.MT!MTB",
"display_name": "Trojan:Win32/Glupteba.MT!MTB",
"target": "/malware/Trojan:Win32/Glupteba.MT!MTB"
},
{
"id": "PWS",
"display_name": "PWS",
"target": null
},
{
"id": "DDOS:Win32/Stormser.A",
"display_name": "DDOS:Win32/Stormser.A",
"target": "/malware/DDOS:Win32/Stormser.A"
},
{
"id": "ALF:HSTR:DotNET",
"display_name": "ALF:HSTR:DotNET",
"target": null
},
{
"id": "DotNET",
"display_name": "DotNET",
"target": null
},
{
"id": "Script Exploit",
"display_name": "Script Exploit",
"target": null
},
{
"id": "HackTool:Win32/AutoKMS",
"display_name": "HackTool:Win32/AutoKMS",
"target": "/malware/HackTool:Win32/AutoKMS"
},
{
"id": "Xanfpezes.A",
"display_name": "Xanfpezes.A",
"target": null
},
{
"id": "Trojan:Win32/Gandcrab",
"display_name": "Trojan:Win32/Gandcrab",
"target": "/malware/Trojan:Win32/Gandcrab"
},
{
"id": "Win.Trojan.Generic-9862772-0",
"display_name": "Win.Trojan.Generic-9862772-0",
"target": null
},
{
"id": "Trojan:Win32/Zbot.SIBL!MTB",
"display_name": "Trojan:Win32/Zbot.SIBL!MTB",
"target": "/malware/Trojan:Win32/Zbot.SIBL!MTB"
},
{
"id": "Win32/Nemucod",
"display_name": "Win32/Nemucod",
"target": null
},
{
"id": "ALF:HeraklezEval:TrojanDownloader:HTML/Adodb!rfn",
"display_name": "ALF:HeraklezEval:TrojanDownloader:HTML/Adodb!rfn",
"target": null
},
{
"id": "Trojan:Win32/Blihan.A",
"display_name": "Trojan:Win32/Blihan.A",
"target": "/malware/Trojan:Win32/Blihan.A"
},
{
"id": "TrojanDropper:Win32/Muldrop",
"display_name": "TrojanDropper:Win32/Muldrop",
"target": "/malware/TrojanDropper:Win32/Muldrop"
},
{
"id": "ALF:HeraklezEval:Trojan:Win32/Ymacco.AA47",
"display_name": "ALF:HeraklezEval:Trojan:Win32/Ymacco.AA47",
"target": null
},
{
"id": "Win.Malware.Kolab-9885903-0",
"display_name": "Win.Malware.Kolab-9885903-0",
"target": null
},
{
"id": "Win.Malware (30)",
"display_name": "Win.Malware (30)",
"target": null
},
{
"id": "Ransom",
"display_name": "Ransom",
"target": null
},
{
"id": "#Lowfi:HSTR:MSIL/Malicious.Decryption",
"display_name": "#Lowfi:HSTR:MSIL/Malicious.Decryption",
"target": null
},
{
"id": "E5",
"display_name": "E5",
"target": null
},
{
"id": "MyDoom",
"display_name": "MyDoom",
"target": null
}
],
"attack_ids": [
{
"id": "T1047",
"name": "Windows Management Instrumentation",
"display_name": "T1047 - Windows Management Instrumentation"
},
{
"id": "T1060",
"name": "Registry Run Keys / Startup Folder",
"display_name": "T1060 - Registry Run Keys / Startup Folder"
},
{
"id": "T1119",
"name": "Automated Collection",
"display_name": "T1119 - Automated Collection"
},
{
"id": "T1027",
"name": "Obfuscated Files or Information",
"display_name": "T1027 - Obfuscated Files or Information"
},
{
"id": "T1057",
"name": "Process Discovery",
"display_name": "T1057 - Process Discovery"
},
{
"id": "T1071",
"name": "Application Layer Protocol",
"display_name": "T1071 - Application Layer Protocol"
},
{
"id": "T1105",
"name": "Ingress Tool Transfer",
"display_name": "T1105 - Ingress Tool Transfer"
},
{
"id": "T1480",
"name": "Execution Guardrails",
"display_name": "T1480 - Execution Guardrails"
},
{
"id": "T1553",
"name": "Subvert Trust Controls",
"display_name": "T1553 - Subvert Trust Controls"
},
{
"id": "T1583",
"name": "Acquire Infrastructure",
"display_name": "T1583 - Acquire Infrastructure"
},
{
"id": "T1113",
"name": "Screen Capture",
"display_name": "T1113 - Screen Capture"
},
{
"id": "T1140",
"name": "Deobfuscate/Decode Files or Information",
"display_name": "T1140 - Deobfuscate/Decode Files or Information"
},
{
"id": "T1053",
"name": "Scheduled Task/Job",
"display_name": "T1053 - Scheduled Task/Job"
},
{
"id": "T1055",
"name": "Process Injection",
"display_name": "T1055 - Process Injection"
},
{
"id": "T1082",
"name": "System Information Discovery",
"display_name": "T1082 - System Information Discovery"
},
{
"id": "T1112",
"name": "Modify Registry",
"display_name": "T1112 - Modify Registry"
},
{
"id": "T1129",
"name": "Shared Modules",
"display_name": "T1129 - Shared Modules"
},
{
"id": "T1143",
"name": "Hidden Window",
"display_name": "T1143 - Hidden Window"
},
{
"id": "T1003.008",
"name": "/etc/passwd and /etc/shadow",
"display_name": "T1003.008 - /etc/passwd and /etc/shadow"
},
{
"id": "T1110.002",
"name": "Password Cracking",
"display_name": "T1110.002 - Password Cracking"
}
],
"industries": [],
"TLP": "white",
"cloned_from": null,
"export_count": 40,
"upvotes_count": 0,
"downvotes_count": 0,
"votes_count": 0,
"locked": false,
"pulse_source": "web",
"validator_count": 0,
"comment_count": 0,
"follower_count": 0,
"vote": 0,
"author": {
"username": "Q.Vashti",
"id": "337942",
"avatar_url": "https://otx.alienvault.com/assets/images/default-avatar.png",
"is_subscribed": false,
"is_following": false
},
"indicator_type_counts": {
"domain": 6232,
"URL": 24908,
"hostname": 7993,
"FileHash-SHA256": 11128,
"email": 6,
"FileHash-MD5": 1054,
"FileHash-SHA1": 932,
"SSLCertFingerprint": 14,
"CIDR": 3,
"CVE": 3
},
"indicator_count": 52273,
"is_author": false,
"is_subscribing": null,
"subscriber_count": 146,
"modified_text": "208 days ago ",
"is_modified": true,
"groups": [],
"in_group": false,
"threat_hunter_scannable": true,
"threat_hunter_has_agents": 1,
"related_indicator_type": "URL",
"related_indicator_is_active": 1
},
{
"id": "6893eee9bf1b30e08d1a6d8e",
"name": "Ransom:Win32/CVE - Denver \u2022 Community Lifestyle Neighborhood",
"description": "*Ransom:Win32/CVE - * Win.Dropper.Stone-9856966-0,\nDenver \u2022 Community Lifestyle Neighborhood. \nCorporate & Leasing Office corrupted with spyware. There is a single verified monitored target. All technology devices corrupted, at least 2 phones monitored, YouTube is courtesy of hackers. Several in person and phone investigations, staff change and they know nothing about leasing apartments, townhomes , etiquette, poor communication. Target also investigated. It appears to be harassment, intimidation and monitoring for unspecified reasons. The parking lot is stacked with obvious people sitting in their vehicles for hours. It\u2019s unclear if the staffing change is legitimate or part of an investigation.",
"modified": "2025-09-05T23:02:52.811000",
"created": "2025-08-07T00:10:17.696000",
"tags": [
"address google",
"safe browsing",
"united",
"typeof",
"passive dns",
"body doctype",
"nreum",
"date",
"gmt server",
"apache x",
"cnection",
"content type",
"span",
"ok transfer",
"encoding",
"x powered",
"unknown soa",
"unknown ns",
"showing",
"entries",
"next associated",
"urls show",
"body",
"encrypt",
"search",
"ip address",
"creation date",
"record value",
"present jul",
"present may",
"present apr",
"certificate",
"present aug",
"present feb",
"present dec",
"present nov",
"error",
"learn",
"ck id",
"name tactics",
"suspicious",
"informative",
"command",
"adversaries",
"spawns",
"found",
"development att",
"sha1",
"copy md5",
"copy sha1",
"copy sha256",
"mitre att",
"show technique",
"ck matrix",
"pattern match",
"ascii text",
"august",
"hybrid",
"general",
"local",
"path",
"click",
"strings",
"itre att",
"accept",
"sha256",
"size",
"type data",
"utf8 text",
"document file",
"flag",
"server",
"european union",
"name server",
"tor analysis",
"dns requests",
"domain address",
"ii llc",
"windir",
"openurl c",
"prefetch2",
"show process",
"ogoogle trust",
"network traffic",
"organization",
"elton avundano",
"object",
"title object",
"header http2",
"returnurl",
"texas",
"rsa ov",
"ssl ca",
"status",
"australia",
"netherlands",
"urls",
"gmt path",
"hostname add",
"pulse submit",
"present oct",
"e safe",
"results jul",
"response ip",
"present jan",
"name servers",
"verdict",
"domain",
"files ip",
"address domain",
"xhr start",
"xhr load",
"aaaa",
"read c",
"show",
"port",
"destination",
"high",
"delete",
"outbound m3",
"copy",
"write",
"persistence",
"execution",
"malware",
"generic",
"unknown",
"present mar",
"dynamicloader",
"wine emulator",
"dynamic",
"medium",
"read",
"associated urls",
"date checked",
"url hostname",
"server response",
"google safe",
"dnssec",
"domain name",
"solutions",
"llc status",
"next passive",
"dns status",
"hostname query",
"files show",
"date hash",
"avast avg",
"overview ip",
"address",
"related nids",
"files location",
"flag united",
"hostname",
"files domain",
"win32",
"mtb feb",
"trojan",
"susp",
"trojandropper",
"msr feb",
"trojanspy",
"virtool",
"win64",
"defense evasion",
"t1480 execution",
"file defense",
"null",
"refresh",
"tools",
"look",
"verify",
"restart",
"file discovery",
"utf8",
"crlf line",
"a domains",
"script urls",
"link",
"unknown aaaa",
"meta",
"atom",
"results jan",
"present",
"present sep",
"akamai",
"asn as16625",
"less whois",
"registrar",
"http",
"france flag",
"france hostname",
"files related",
"url analysis",
"files",
"location france",
"detailed error",
"sec ch",
"ch ua",
"ua full",
"ua platform",
"moved",
"name",
"perfect privacy",
"error jul",
"next related",
"domains show",
"domain related",
"url add",
"pulse pulses",
"hosting",
"reverse dns",
"france asn",
"as16276",
"dns resolutions",
"datacenter",
"regopenkeyexa",
"regsetvalueexa",
"windows nt",
"regdword",
"hostile",
"service",
"delphi",
"next",
"pulses none",
"related tags",
"ua bitness",
"ua arch",
"version sec",
"mobile sec",
"model sec",
"review",
"data upload",
"extraction",
"khtml",
"gecko",
"olet",
"cnlet",
"tlsv1",
"hacktool",
"push",
"ms windows",
"intel",
"pe32",
"users",
"precreate read",
"ransom",
"code",
"installer",
"june",
"media",
"autorun",
"next yara",
"detections name",
"aspackv2xxx",
"eu alexey",
"alerts",
"pe file",
"filehash",
"sha256 add",
"av detections",
"ids detections",
"yara detections",
"analysis date",
"april",
"packing t1045",
"t1045",
"t1060",
"registry run",
"keys",
"user execution",
"icmp traffic"
],
"references": [],
"public": 1,
"adversary": "",
"targeted_countries": [],
"malware_families": [],
"attack_ids": [
{
"id": "T1027",
"name": "Obfuscated Files or Information",
"display_name": "T1027 - Obfuscated Files or Information"
},
{
"id": "T1057",
"name": "Process Discovery",
"display_name": "T1057 - Process Discovery"
},
{
"id": "T1071",
"name": "Application Layer Protocol",
"display_name": "T1071 - Application Layer Protocol"
},
{
"id": "T1105",
"name": "Ingress Tool Transfer",
"display_name": "T1105 - Ingress Tool Transfer"
},
{
"id": "T1480",
"name": "Execution Guardrails",
"display_name": "T1480 - Execution Guardrails"
},
{
"id": "T1553",
"name": "Subvert Trust Controls",
"display_name": "T1553 - Subvert Trust Controls"
},
{
"id": "T1568",
"name": "Dynamic Resolution",
"display_name": "T1568 - Dynamic Resolution"
},
{
"id": "T1583",
"name": "Acquire Infrastructure",
"display_name": "T1583 - Acquire Infrastructure"
},
{
"id": "T1083",
"name": "File and Directory Discovery",
"display_name": "T1083 - File and Directory Discovery"
},
{
"id": "T1204",
"name": "User Execution",
"display_name": "T1204 - User Execution"
},
{
"id": "T1045",
"name": "Software Packing",
"display_name": "T1045 - Software Packing"
},
{
"id": "T1112",
"name": "Modify Registry",
"display_name": "T1112 - Modify Registry"
},
{
"id": "T1119",
"name": "Automated Collection",
"display_name": "T1119 - Automated Collection"
},
{
"id": "T1012",
"name": "Query Registry",
"display_name": "T1012 - Query Registry"
},
{
"id": "T1031",
"name": "Modify Existing Service",
"display_name": "T1031 - Modify Existing Service"
},
{
"id": "T1040",
"name": "Network Sniffing",
"display_name": "T1040 - Network Sniffing"
},
{
"id": "T1053",
"name": "Scheduled Task/Job",
"display_name": "T1053 - Scheduled Task/Job"
},
{
"id": "T1055",
"name": "Process Injection",
"display_name": "T1055 - Process Injection"
},
{
"id": "T1129",
"name": "Shared Modules",
"display_name": "T1129 - Shared Modules"
},
{
"id": "T1023",
"name": "Shortcut Modification",
"display_name": "T1023 - Shortcut Modification"
},
{
"id": "T1060",
"name": "Registry Run Keys / Startup Folder",
"display_name": "T1060 - Registry Run Keys / Startup Folder"
},
{
"id": "T1082",
"name": "System Information Discovery",
"display_name": "T1082 - System Information Discovery"
},
{
"id": "T1091",
"name": "Replication Through Removable Media",
"display_name": "T1091 - Replication Through Removable Media"
}
],
"industries": [],
"TLP": "green",
"cloned_from": null,
"export_count": 11,
"upvotes_count": 0,
"downvotes_count": 0,
"votes_count": 0,
"locked": false,
"pulse_source": "web",
"validator_count": 0,
"comment_count": 0,
"follower_count": 0,
"vote": 0,
"author": {
"username": "Q.Vashti",
"id": "337942",
"avatar_url": "https://otx.alienvault.com/assets/images/default-avatar.png",
"is_subscribed": false,
"is_following": false
},
"indicator_type_counts": {
"domain": 1132,
"URL": 6245,
"hostname": 2264,
"FileHash-SHA256": 1857,
"FileHash-SHA1": 491,
"email": 9,
"FileHash-MD5": 573,
"SSLCertFingerprint": 16
},
"indicator_count": 12587,
"is_author": false,
"is_subscribing": null,
"subscriber_count": 142,
"modified_text": "226 days ago ",
"is_modified": true,
"groups": [],
"in_group": false,
"threat_hunter_scannable": true,
"threat_hunter_has_agents": 1,
"related_indicator_type": "URL",
"related_indicator_is_active": 1
}
],
"error": null,
"vt": {
"error": "VirusTotal rate limit reached. Try again shortly.",
"indicator": "https://wallet.pagsmile.com/index.html",
"type": "URL"
},
"abuseipdb": null,
"urlhaus": {
"indicator": "https://wallet.pagsmile.com/index.html",
"type": "URL",
"found": false,
"verdict": "clean",
"error": null
},
"from_cache": true,
"_cached_at": 1776703021.5179017
}