{ "type": "URL", "indicator": "https://wiki.ad-maven.com", "general": { "sections": [ "general", "url_list", "http_scans", "screenshot" ], "indicator": "https://wiki.ad-maven.com", "type": "url", "type_title": "URL", "validation": [], "base_indicator": { "id": 4098394719, "indicator": "https://wiki.ad-maven.com", "type": "URL", "title": "", "description": "", "content": "", "access_type": "public", "access_reason": "" }, "pulse_info": { "count": 5, "pulses": [ { "id": "69560fa62bddc3d965359168", "name": "Mirai H5DATACENTERS.COM \u2022 Regis University Blackout | Extranet", "description": "It was Data Center 5. \nH5DATACENTERS.COM \u2022 Regis University Blackout PrometheusIntelligenceTechnology.com - Extranet. Forced out of RU for finding malicious link that targeted , tracked ,conversations , behavior, etc., \u201cNo one willingly signed up to be tracked.\u201dis what Tsara told Dean Archer. He said he\u2019d never seen anything like this in his life. RU ignored the risks Tsara cautioned could irreparably damage incoming students college experience and negatively impact their future. I just hope the many students who attended do not continue to suffer. Guess who the villain was? The truth teller. \n\nToday activity has stepped up. Somehow the PIT Pulse has caused a crusade of aggressive following and investigation. \n\nThere may be 10,000 vs 1 in this battle. But the One is God.", "modified": "2026-01-31T03:04:09.490000", "created": "2026-01-01T06:09:42.057000", "tags": [ "http", "files related", "related tags", "ipv4", "ccus asnas20029", "urls", "domain", "files ip", "address domain", "ip whois", "passive dns", "gmt path", "hostname add", "files", "united", "a li", "trackingpin a", "ip address", "unknown aaaa", "error", "back", "darkness", "present sep", "a domains", "script urls", "unknown ns", "script domains", "meta", "apache", "body doctype", "gmt server", "url analysis", "path", "accept", "pragma", "west domains", "present dec", "object", "com cnt", "dem fin", "gov int", "nav onl", "phy pre", "data upload", "extraction", "found", "datacenter", "hosting", "vps reverse", "america united", "america asn", "as398101", "body html", "head title", "title", "status", "name servers", "failed", "all se", "enter sc", "type", "extra data", "referen", "manualv add", "indicator data", "port", "destination", "south korea", "china as4134", "taiwan as3462", "as3786 lg", "as4766 korea", "as9318 sk", "high", "tcp syn", "trojan", "pegasus", "malware", "unknown", "search", "present jan", "pur sta", "uni idc", "cao oti", "dsp cor", "body", "win32", "united states", "pulse tags", "palantir", "ad maven", "technology", "url https", "url http", "indicator role", "title added", "active related", "Palantir", "Ad-Maven", "Palantir", "Ad- Maven", "Prometheus Intelligence Technology", "skynet", "starfield tech", "flock", "report spam", "palantir ad", "maven", "botnet", "created", "days ago", "education", "tsara", "mirai", "regis", "brashears", "discovery", "universities", "tsara brashears", "close", "stop", "ransom", "capture", "denver" ], "references": [ "H5DATACENTERS.COM Name Servers: NS74.DOMAINCONTROL.COM", "https://prometheusintelligencetechnology.com/pit/", "https://prometheusintelligencetechnology.com/404javascript.js", "https://www.secureserver.net/default404.aspx", "http://ocsp.starfieldtech.com/ 443 Certificate", "https://www.secureserver.net/default404.aspx Server: Microsoft-IIS/7.0", "Set-Cookie: market=en-US; domain=secureserver.net; expires=path=/ P3P:", "\u201cCNT DEM FIN GOV INT NAV ONL PHY PRE PUR STA UNI IDC CAO OTI DSP COR CUR OUR IND\"", "Powered-By: ARR/2.5 X-Powered-By: ASP.NET", "href= here /a . /h2 /body /html 443 Header \u2022 HTTP/1.1 302 Found Content-Length: 161", "Location: policyref=\"/w3c/p3p.xml\", CP=\"COM X-P3P: policyref=\"/w3c/p3p.xml\", CP=\"COM", "\u201cCNT DEM FIN GOV INT NAV ONL PHY PRE PUR STA UNI IDC CAO OTI DSP COR CUR i OUR IND\"", "(Date: Tue, 13 Jun 2017 10:21:34 GMT 443 )", "Certificate Crldistributionpoints", "http://crl.starfieldtech.com/sfig2s2-0.crl 443", "Certificate Subjectaltname\t*.secureserver.net 443 Certificate Subjectaltname\tsecureserver.net", "443 Certificate Notbefore\tAug 25 16:21:59 2014 GMT 443 Certificate Caissuers", "Serialnumber\t27B78B2246C9C1 443 Certificate Notafter \u2022 Aug 25 16:21:59 2017 GMT 443", "Certificate Version 3 443 Certificate Subject\tUS 443 Certificate Subject\tArizona 443", "Certificate Subject Scottsdale 443 Certificate Subject\tSpecial Domain Services, LLC 443", "Certificate Issuer\tStarfield Technologies, Inc. 443 Certificate Issuer", "http://certs.starfieldtech.com/repository/ 443", "Certificate Issuer: Starfield Secure Certificate Authority - G2 443 Title: Object moved 443", "A Domains \u2022 www.secureserver.net 443 Certificate", "Object moved /title /head body h2 Object moved to a href= http://www.secureserver.net/default404.aspx", "80 Body\t here /a . /h2 /body /html 80 Header\tHTTP/1.1 302 Found Cache-Control: private", "Content-Length: 160 Location: http://www.secureserver.net/default404.aspx", "Server: Microsoft-IIS/7.0 Set-Cookie: market=en-US; domain=secureserver.net;", "expires=Wed, 13-Jun-2018 10:21:35 GMT; path=/ P3P: policyref=\"/w3c/p3p.xml\",", "CP=\"COM CNT DEM FIN GOV INT NAV ONL PHY PRE PUR STA UNI IDC CAO OTI DSP COR CUR OUR IND\"", "X-Powered-By: ARR/2.5 X-Powered-By: ASP.NET P3P: policyref=\"/w3c/p3p.xml\", CP=\"", "\u201cCOM CNT DEM FIN GOV INT NAV ONL PHY PRE PUR STA UNI IDC CAO OTI DSP COR CUR i OUR IND\"", "Date: Tue, 13 Jun 2017 10:21:34 GMT", "Sha1 :e4ca8288d5e4912a00482418765b58a2e22fd5dc", "TrackingPin (Error) A Domains: trackingpin.com \u2022 Domains: forum.trackingpin.org", "PDNS11.DOMAINCONTROL.COM", "https://otx.alienvault.com/indicator/domain/secureserver.net", "Unix.TrojanMirai-7640640-0 IDS Detections Bad Login root login Yara Detections is__elf", "Alerts: dead_host network_icmp tcp_syn_scan nolookup_communication", "https://den.h5datacenters.com/", "http://prometheusintelligencetechnology.com/pitframeitem=22fsbout-regis-univer", "register.blackgirldroneworld.com (Is this racist)", "https://stetsed.xyz/apple", "Palantir Ad-Maven Palantir, Ad- Maven, Prometheus Intelligence Technology", "Review: Jeffrey Reimer DPT assaulted & egregiously injured a patient at AMS Concentra in Denver, Co", "It\u2019s was sexual and violent. Patient was under the oversight of Mark Montano MD and John T. Sacha MD", "Patient/ Victim unaware of her workers compensation rights.", "Do you line how they spend your tax dollars? Attacking victims? Protecting Corporations!", "Quasi Government, Meta, Twitter , Palantir , Gotham , Christopher P. Ahmann , Brian Sabey", "I haven\u2019t mentioned the hit men they hired.", "Fastly.com", "www.skynetsoftware.com", "http://www.skynetsoftware.com/SNSAuth/appauth.aspx?app=myPlayerDroid&ver=1.999&key=xxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxx&platform=Android®=&devId=92841014150fc3fd&devInfo=&devEmail=&width=480&height=764&owner=19&model=Lenovo A360t", "http://www.skynetsoftware.com/SNSAuth/appauth.aspx?app=myPlayerDroidPro&ver=2.800&key=2w6i4y1r0sdz6q9gchjcpkal0oaiem4u8ncy3bct1vcr8e6x2w&platform=Android&devId=92841014150fc3fd&width=480&height=764&owner=19&model=Lenovo%20A360t", "http://www.skynetsoftware.com/SNSAuth/appauth.aspx?app=myPlayerDroidPro&ver=3.700&key=53dbnf9wrz8vc0m5xfve2q1w2r4x8fv0g1b8sfg7qi0rdxck2j&platform=Android&devId=dc9c9a616665e073&width=800&height=561&owner=19&model=VirtualBox", "http://www.skynetsoftware.com/myPlayer/myPlayerDroid.xml" ], "public": 1, "adversary": "", "targeted_countries": [ "United States of America" ], "malware_families": [ { "id": "Mirai", "display_name": "Mirai", "target": null }, { "id": "Virus:Win32/Triusor.A", "display_name": "Virus:Win32/Triusor.A", "target": "/malware/Virus:Win32/Triusor.A" }, { "id": "!InstallCreatorPro_2_0", "display_name": "!InstallCreatorPro_2_0", "target": null }, { "id": "Unix.Trojan.Mirai-7640640-0", "display_name": "Unix.Trojan.Mirai-7640640-0", "target": null }, { "id": "#LowFiEnableDTContinueAfterUnpacking", "display_name": "#LowFiEnableDTContinueAfterUnpacking", "target": null }, { "id": "Win.Downloader", "display_name": "Win.Downloader", "target": null }, { "id": "Mirai", "display_name": "Mirai", "target": null } ], "attack_ids": [ { "id": "T1027", "name": "Obfuscated Files or Information", "display_name": "T1027 - Obfuscated Files or Information" }, { "id": "T1057", "name": "Process Discovery", "display_name": "T1057 - Process Discovery" }, { "id": "T1069", "name": "Permission Groups Discovery", "display_name": "T1069 - Permission Groups Discovery" }, { "id": "T1071", "name": "Application Layer Protocol", "display_name": "T1071 - Application Layer Protocol" }, { "id": "T1105", "name": "Ingress Tool Transfer", "display_name": "T1105 - Ingress Tool Transfer" }, { "id": "T1113", "name": "Screen Capture", "display_name": "T1113 - Screen Capture" }, { "id": "T1129", "name": "Shared Modules", "display_name": "T1129 - Shared Modules" }, { "id": "T1140", "name": "Deobfuscate/Decode Files or Information", "display_name": "T1140 - Deobfuscate/Decode Files or Information" }, { "id": "T1203", "name": "Exploitation for Client Execution", "display_name": "T1203 - Exploitation for Client Execution" }, { "id": "T1480", "name": "Execution Guardrails", "display_name": "T1480 - Execution Guardrails" }, { "id": "T1518", "name": "Software Discovery", "display_name": "T1518 - Software Discovery" }, { "id": "T1553", "name": "Subvert Trust Controls", "display_name": "T1553 - Subvert Trust Controls" }, { "id": "T1568", "name": "Dynamic Resolution", "display_name": "T1568 - Dynamic Resolution" }, { "id": "T1583", "name": "Acquire Infrastructure", "display_name": "T1583 - Acquire Infrastructure" } ], "industries": [ "Education", "Civil Society" ], "TLP": "green", "cloned_from": null, "export_count": 6, "upvotes_count": 0, "downvotes_count": 0, "votes_count": 0, "locked": false, "pulse_source": "web", "validator_count": 0, "comment_count": 0, "follower_count": 0, "vote": 0, "author": { "username": "Q.Vashti", "id": "337942", "avatar_url": "https://otx.alienvault.com/assets/images/default-avatar.png", "is_subscribed": false, "is_following": false }, "indicator_type_counts": { "URL": 2817, "domain": 487, "hostname": 983, "FileHash-SHA256": 611, "FileHash-MD5": 107, "FileHash-SHA1": 106, "email": 2 }, "indicator_count": 5113, "is_author": false, "is_subscribing": null, "subscriber_count": 138, "modified_text": "79 days ago ", "is_modified": true, "groups": [], "in_group": false, "threat_hunter_scannable": true, "threat_hunter_has_agents": 1, "related_indicator_type": "URL", "related_indicator_is_active": 1 }, { "id": "695035a98f01d94b2598f8ee", "name": "Mirai \u2022 PrometheusIntelligenceTechnology.com - Extranet affected Universities | Regis University", "description": "PrometheusIntelligenceTechnology.com - Extranet. Regis University experienced an outrageous blackout. I know because I was an outside investigator. Tsara Brashears found the links as a redirect on iOS and MacBook Pro devices.\n She seemed to be the the solely impacted Computer Science student. Further research showed canary cookie in server. Regis ignored all and played down the facts. All computers needed replacing. T advised but they tried to clean them. The elevator didn\u2019t work for years. Call 911 if you get stuck. Tsara went out of her way for 5 months warning them until an fool logged in as her but could only login over iexplorer. RU paid a ransom. Tsara was black listed from school. Above 4.0 GPA 3.8 post assault. Just found another PIT link. \n\nIT Security sent her to the FBI because legitimate death threats and plans were found. \n\nAll attacks immediately following assault.", "modified": "2026-01-26T18:04:20.395000", "created": "2025-12-27T19:38:17.198000", "tags": [ "united", "unknown aaaa", "accept encoding", "moved", "urls", "files", "encrypt", "passive dns", "all ipv4", "america flag", "america asn", "ransom", "backdoor", "mtb win32", "mirai", "united states", "type indicator", "role title", "container", "ip address", "i div", "h2 p", "h4 p", "data", "desktop", "powerful", "url https", "url http", "indicator role", "active related", "cidr", "types", "indicators show", "learn", "ck id", "name tactics", "suspicious", "informative", "command", "adversaries", "defense evasion", "spawns", "mitre att", "ck matrix", "command decode", "programfiles", "suricata ipv4", "windir", "comspec", "hybrid", "general", "path", "model", "click", "strings", "prometheus", "palantir", "kill list", "tracking", "moon linksys", "router", "emotet", "active", "regis university", "ascii text", "show technique", "pattern match", "sha1", "show process", "root", "local", "development att", "ssl certificate", "extranet", "maven" ], "references": [ "Palantir Extranet -https://prometheusintelligencetechnology.com/", "Palantir espionage \u2022 prometheusintelligencetechnology.com \u2022 ad-maven.com \u2022 fastly.com \u2022 Foundry.com \u2022 so many more", "IDS Detections: TheMoon.linksys.router", "We don\u2019t know how Octoseek & ScoreBlie (Team8) became part of \u2018No Problems\u2019", "It\u2019s okay if it\u2019s in there but this is in NO way related to an Alberta University hack.", "This is directed to target, communicated where target was enrolled- Regis University Denver , Co", "Pointed to Data Center 5 Inverness / Denver Tech Center, denies relationship. Seemed to prove originating DC", "Tsara Brashears warned of hack, provided detailed information, provided advice", "\u2018Close enrollment. Get all new devices. Stop using Barracuda.", "Find a way to safely begin from a new server. Work from a Virtual World Class", "Regis needed to close. They treated Brashears as trash after the NEW staff came. Hmm who are tvey", "Old staff slow, foolish but eventually heeded instructions / once it was too late", "Dean is deceased? Was the only staff who insisted that Tsara\u2019s tuition be reimbursed", "She was in the botnet already", "Was denied after third enrollment showed false information", "She sought a certificate from Red Rocks. Kurzweil installed due to being disabled", "Bills from nowhere appeared. Again staff said this never happened before left her with the debt.", "Tsara was unable to finish her second degree this way. But found a way.", "I don\u2019t like finding these remnants. I don\u2019t know why extranet was needed for this Brilliant student", "Professors asked to use her papers. \u2018Sure\u2019 she wasn\u2019t impressed", "Many pulses are missing. When we first began using this tool PIT was what we researched first", "This is when Tsara was interrogated by 2 men at Barnes & No Ken regarding her technical abilities", "One of the interrogators, asked her to be his girlfriend (fake ) tried to move her to a new location .", "She refused. Two weeks later man is parked outside of her residence in a different county and city.", "I\u2019m concerned because they are attacking people associated with her and thins needs to stop", "This is dangerous. What is law enforcement for? They are probably controlled by Palantir as is Trump", "Lots of detail because someone , somewhere is going through this." ], "public": 1, "adversary": "", "targeted_countries": [], "malware_families": [ { "id": "Mirai", "display_name": "Mirai", "target": null }, { "id": "Win32:RansomX-gen\\ [Ransom]", "display_name": "Win32:RansomX-gen\\ [Ransom]", "target": null }, { "id": "ELF:Mirai-AAL\\ [Trj]", "display_name": "ELF:Mirai-AAL\\ [Trj]", "target": null }, { "id": "Emotet", "display_name": "Emotet", "target": null } ], "attack_ids": [ { "id": "T1027", "name": "Obfuscated Files or Information", "display_name": "T1027 - Obfuscated Files or Information" }, { "id": "T1057", "name": "Process Discovery", "display_name": "T1057 - Process Discovery" }, { "id": "T1071", "name": "Application Layer Protocol", "display_name": "T1071 - Application Layer Protocol" }, { "id": "T1105", "name": "Ingress Tool Transfer", "display_name": "T1105 - Ingress Tool Transfer" }, { "id": "T1129", "name": "Shared Modules", "display_name": "T1129 - Shared Modules" }, { "id": "T1203", "name": "Exploitation for Client Execution", "display_name": "T1203 - Exploitation for Client Execution" }, { "id": "T1518", "name": "Software Discovery", "display_name": "T1518 - Software Discovery" }, { "id": "T1553", "name": "Subvert Trust Controls", "display_name": "T1553 - Subvert Trust Controls" }, { "id": "T1568", "name": "Dynamic Resolution", "display_name": "T1568 - Dynamic Resolution" }, { "id": "T1583", "name": "Acquire Infrastructure", "display_name": "T1583 - Acquire Infrastructure" }, { "id": "T1071.001", "name": "Web Protocols", "display_name": "T1071.001 - Web Protocols" }, { "id": "T1583.005", "name": "Botnet", "display_name": "T1583.005 - Botnet" }, { "id": "T1553.001", "name": "Gatekeeper Bypass", "display_name": "T1553.001 - Gatekeeper Bypass" }, { "id": "T1568.002", "name": "Domain Generation Algorithms", "display_name": "T1568.002 - Domain Generation Algorithms" }, { "id": "T1071.004", "name": "DNS", "display_name": "T1071.004 - DNS" }, { "id": "T1518.001", "name": "Security Software Discovery", "display_name": "T1518.001 - Security Software Discovery" }, { "id": "T1553.002", "name": "Code Signing", "display_name": "T1553.002 - Code Signing" }, { "id": "T1113", "name": "Screen Capture", "display_name": "T1113 - Screen Capture" }, { "id": "T1069", "name": "Permission Groups Discovery", "display_name": "T1069 - Permission Groups Discovery" }, { "id": "T1480", "name": "Execution Guardrails", "display_name": "T1480 - Execution Guardrails" }, { "id": "T1140", "name": "Deobfuscate/Decode Files or Information", "display_name": "T1140 - Deobfuscate/Decode Files or Information" } ], "industries": [], "TLP": "green", "cloned_from": null, "export_count": 4, "upvotes_count": 0, "downvotes_count": 0, "votes_count": 0, "locked": false, "pulse_source": "web", "validator_count": 0, "comment_count": 5, "follower_count": 0, "vote": 0, "author": { "username": "Q.Vashti", "id": "337942", "avatar_url": "https://otx.alienvault.com/assets/images/default-avatar.png", "is_subscribed": false, "is_following": false }, "indicator_type_counts": { "URL": 1037, "domain": 161, "hostname": 340, "email": 2, "FileHash-SHA256": 315, "FileHash-MD5": 14, "FileHash-SHA1": 20, "CIDR": 16, "SSLCertFingerprint": 8 }, "indicator_count": 1913, "is_author": false, "is_subscribing": null, "subscriber_count": 137, "modified_text": "83 days ago ", "is_modified": true, "groups": [], "in_group": false, "threat_hunter_scannable": true, "threat_hunter_has_agents": 1, "related_indicator_type": "URL", "related_indicator_is_active": 1 }, { "id": "688716977e80a4274f2eafa9", "name": "LeadIQ | The Smart B2B Prospecting Platform | Malware Packed | Agent Tesla & more", "description": "Found in Bot joining Pulse.", "modified": "2025-08-27T06:03:05.020000", "created": "2025-07-28T06:20:07.660000", "tags": [ "present jul", "united", "entries", "search", "moved", "ip address", "creation date", "record value", "date", "showing", "body", "meta", "passive dns", "next associated", "win32spigot apr", "title error", "ipv4 add", "pulse pulses", "urls", "files", "adaptivebee", "worm", "win32", "urls show", "date checked", "url hostname", "server response", "google safe", "results jul", "location united", "asn asnone", "nameservers", "less whois", "registrar", "csc corporate", "status", "servers", "name servers", "hostname", "hostname add", "a domains", "script urls", "unknown aaaa", "technology one", "script script", "certificate", "null", "trojan", "twitter", "domain", "files ip", "address domain", "ip related", "pulses otx", "virtool", "http", "present jun", "present may", "pulse submit", "url analysis", "reverse dns", "australia asn", "as55532 squiz", "dns resolutions", "overview ip", "address", "ipv4", "iocs", "data upload", "extraction", "ided iocs", "failed", "shaw", "ail tvnas", "rl irl", "domain add", "ostname add", "verdict", "show", "types", "type", "indicator data", "searc type", "a indicator", "data", "select across", "all pages", "domain domain", "checked url", "hostname server", "response ip", "address google", "safe browsing", "msie", "chrome", "present dec", "base", "read c", "port", "destination", "delete", "copy", "write", "memcommit", "cryptexportkey", "invalid pointer", "writeconsolea", "learn", "ck id", "name tactics", "suspicious", "informative", "command", "spawns", "defense evasion", "t1480 execution", "signing defense", "copy md5", "copy sha1", "copy sha256", "sha1", "sha256", "pattern match", "size", "ascii text", "crlf line", "mitre att", "error", "click", "hybrid", "local", "path", "starfield", "strings", "refresh", "tools", "onload", "span", "form", "adversaries", "windows nt", "generic http", "exe upload", "inbound", "outbound", "yara detections", "malware", "expiration date", "whois show", "name andrew", "bauer name", "div id", "beginstring", "beginerror", "script", "general", "cloud", "find", "footer", "ninite feb", "telper", "ninite mar", "ninite apr", "trojandropper", "mtb mar", "url https", "general full", "security tls", "software", "resource hash", "protocol h2", "frankfurt", "main", "germany", "input", "skype", "opciones", "july", "es form", "dom name", "post https", "imagen", "microsoft", "iniciar sesin", "value", "variables", "config", "debug", "loader", "geturl", "b function", "addlistener", "proof", "amazon02", "dk summary", "amazon rsa", "september", "browsing", "resource", "asn16509", "name value", "queueprogress", "timestamp input", "status actions" ], "references": [], "public": 1, "adversary": "", "targeted_countries": [], "malware_families": [], "attack_ids": [ { "id": "T1045", "name": "Software Packing", "display_name": "T1045 - Software Packing" }, { "id": "T1082", "name": "System Information Discovery", "display_name": "T1082 - System Information Discovery" }, { "id": "T1057", "name": "Process Discovery", "display_name": "T1057 - Process Discovery" }, { "id": "T1071", "name": "Application Layer Protocol", "display_name": "T1071 - Application Layer Protocol" }, { "id": "T1105", "name": "Ingress Tool Transfer", "display_name": "T1105 - Ingress Tool Transfer" }, { "id": "T1480", "name": "Execution Guardrails", "display_name": "T1480 - Execution Guardrails" }, { "id": "T1553", "name": "Subvert Trust Controls", "display_name": "T1553 - Subvert Trust Controls" }, { "id": "T1562", "name": "Impair Defenses", "display_name": "T1562 - Impair Defenses" } ], "industries": [], "TLP": "green", "cloned_from": null, "export_count": 19, "upvotes_count": 0, "downvotes_count": 0, "votes_count": 0, "locked": false, "pulse_source": "web", "validator_count": 0, "comment_count": 0, "follower_count": 0, "vote": 0, "author": { "username": "Q.Vashti", "id": "337942", "avatar_url": "https://otx.alienvault.com/assets/images/default-avatar.png", "is_subscribed": false, "is_following": false }, "indicator_type_counts": { "FileHash-MD5": 487, "FileHash-SHA1": 461, "URL": 10732, "domain": 1672, "email": 6, "hostname": 3039, "FileHash-SHA256": 2569, "SSLCertFingerprint": 7 }, "indicator_count": 18973, "is_author": false, "is_subscribing": null, "subscriber_count": 142, "modified_text": "236 days ago ", "is_modified": true, "groups": [], "in_group": false, "threat_hunter_scannable": true, "threat_hunter_has_agents": 1, "related_indicator_type": "URL", "related_indicator_is_active": 1 }, { "id": "68858e8244c8db854e8947c1", "name": "Goodreads Malware", "description": "Goodreads is an older book review website. I found Goodreads[.]com links botnet joining Pulse. Just curious. #goodreads #malware #goodreads_botnet_join #thismightbeabotnet\n#gogray #purpleteamit #malware \n#thismightbeabotnet #ineedtolearnmore", "modified": "2025-08-26T01:03:19.405000", "created": "2025-07-27T02:27:14.517000", "tags": [ "passive dns", "urls", "url add", "pulse pulses", "http", "ip address", "related nids", "files location", "united", "flag united", "present jun", "present may", "present apr", "search", "moved", "creation date", "record value", "date", "body", "meta", "indicator role", "title added", "active related", "pulses url", "memcommit", "value1", "partnerid4146", "username", "gamesessionid", "port", "destination", "regsetvalueexa", "mozilla", "write", "persistence", "execution", "malware", "copy", "next", "process32nextw", "show", "entries", "module load", "t1129", "intel", "ms windows", "showing", "t1045", "win32", "learn", "ck id", "name tactics", "suspicious", "informative", "command", "spawns", "mitre att", "ck techniques", "evasion att", "sha1", "copy md5", "copy sha1", "copy sha256", "sha256", "size", "pattern match", "ascii text", "null", "error", "starfield", "click", "hybrid", "local", "path", "strings", "refresh", "tools", "onload", "span", "smbds ipc", "ms17010", "msf style", "probe ms17010", "generic flags", "yara detections", "nrv2x", "upxoepplace" ], "references": [], "public": 1, "adversary": "", "targeted_countries": [], "malware_families": [], "attack_ids": [ { "id": "T1040", "name": "Network Sniffing", "display_name": "T1040 - Network Sniffing" }, { "id": "T1047", "name": "Windows Management Instrumentation", "display_name": "T1047 - Windows Management Instrumentation" }, { "id": "T1060", "name": "Registry Run Keys / Startup Folder", "display_name": "T1060 - Registry Run Keys / Startup Folder" }, { "id": "T1071", "name": "Application Layer Protocol", "display_name": "T1071 - Application Layer Protocol" }, { "id": "T1082", "name": "System Information Discovery", "display_name": "T1082 - System Information Discovery" }, { "id": "T1112", "name": "Modify Registry", "display_name": "T1112 - Modify Registry" }, { "id": "T1129", "name": "Shared Modules", "display_name": "T1129 - Shared Modules" }, { "id": "T1045", "name": "Software Packing", "display_name": "T1045 - Software Packing" }, { "id": "T1053", "name": "Scheduled Task/Job", "display_name": "T1053 - Scheduled Task/Job" }, { "id": "T1057", "name": "Process Discovery", "display_name": "T1057 - Process Discovery" }, { "id": "T1105", "name": "Ingress Tool Transfer", "display_name": "T1105 - Ingress Tool Transfer" }, { "id": "T1480", "name": "Execution Guardrails", "display_name": "T1480 - Execution Guardrails" }, { "id": "T1553", "name": "Subvert Trust Controls", "display_name": "T1553 - Subvert Trust Controls" } ], "industries": [], "TLP": "green", "cloned_from": null, "export_count": 22, "upvotes_count": 0, "downvotes_count": 0, "votes_count": 0, "locked": false, "pulse_source": "web", "validator_count": 0, "comment_count": 0, "follower_count": 0, "vote": 0, "author": { "username": "Q.Vashti", "id": "337942", "avatar_url": "https://otx.alienvault.com/assets/images/default-avatar.png", "is_subscribed": false, "is_following": false }, "indicator_type_counts": { "FileHash-MD5": 155, "hostname": 1237, "FileHash-SHA256": 1141, "domain": 574, "URL": 4593, "FileHash-SHA1": 139, "email": 1, "SSLCertFingerprint": 8 }, "indicator_count": 7848, "is_author": false, "is_subscribing": null, "subscriber_count": 140, "modified_text": "237 days ago ", "is_modified": true, "groups": [], "in_group": false, "threat_hunter_scannable": true, "threat_hunter_has_agents": 1, "related_indicator_type": "URL", "related_indicator_is_active": 1 }, { "id": "687d91b1a8f414040bfba430", "name": "Spyware", "description": "And I've been walking, talking\nBelieving the things that are true\nAnd I've been finding\nThe difference between right and wrong, bad and good\nSee me put things together\nPut them back where they belong\nWhen I look at each other\nHave I always been singing the same song?\n\nShe said\nThis is a perfect world\nRiding on an incline\nI'm staring in your face\nYou'll photograph mine\n\nI-I-I-I-I\nWhoo, ah-ha-ha\nHa-ha-ha-ha-ha-ha\n\nSomebody said that it happens all over the world\nI do believe that it's true (\u2022o\u2022)\n#spyware #MaaS #malvertizing #bullyfor$ #unethical #dangerous_tool", "modified": "2025-08-20T00:01:59.498000", "created": "2025-07-21T01:02:41.049000", "tags": [ "serving ip", "address", "status", "utc na", "utc google", "utc facebook", "custom audience", "tag manager", "ua748443502", "utc gtmwrp73mt", "utc gsrdlm5jnx1", "utc aw937838002", "adsense na", "connect", "file type", "status code", "body length", "kb body", "sha256", "powershell", "b file", "ta0004 defense", "evasion ta0005", "command", "control ta0011", "c0002 wininet", "number", "azure rsa", "tls issuing", "cus subject", "stwa lredmond", "corporation cus", "algorithm", "cndigicert sha2", "secure server", "ca odigicert", "inc cus", "subject", "cnwe1 ogoogle", "trust", "cnmicrosoft ecc", "update secure", "server ca", "omicrosoft", "get http", "request", "windows nt", "win64", "khtml", "gecko", "response", "united", "search", "creation date", "expiration date", "name servers", "unknown soa", "germany unknown", "entries", "pulse submit", "url analysis", "date" ], "references": [], "public": 1, "adversary": "", "targeted_countries": [], "malware_families": [], "attack_ids": [], "industries": [], "TLP": "green", "cloned_from": null, "export_count": 8, "upvotes_count": 0, "downvotes_count": 0, "votes_count": 0, "locked": false, "pulse_source": "web", "validator_count": 0, "comment_count": 0, "follower_count": 0, "vote": 0, "author": { "username": "Q.Vashti", "id": "337942", "avatar_url": "https://otx.alienvault.com/assets/images/default-avatar.png", "is_subscribed": false, "is_following": false }, "indicator_type_counts": { "domain": 304, "hostname": 796, "URL": 2590, "FileHash-SHA256": 2735, "FileHash-MD5": 253, "FileHash-SHA1": 144, "email": 1 }, "indicator_count": 6823, "is_author": false, "is_subscribing": null, "subscriber_count": 141, "modified_text": "243 days ago ", "is_modified": true, "groups": [], "in_group": false, "threat_hunter_scannable": true, "threat_hunter_has_agents": 1, "related_indicator_type": "URL", "related_indicator_is_active": 1 } ], "references": [ "80 Body\t here /a . /h2 /body /html 80 Header\tHTTP/1.1 302 Found Cache-Control: private", "Was denied after third enrollment showed false information", "Alerts: dead_host network_icmp tcp_syn_scan nolookup_communication", "https://www.secureserver.net/default404.aspx", "\u201cCOM CNT DEM FIN GOV INT NAV ONL PHY PRE PUR STA UNI IDC CAO OTI DSP COR CUR i OUR IND\"", "H5DATACENTERS.COM Name Servers: NS74.DOMAINCONTROL.COM", "TrackingPin (Error) A Domains: trackingpin.com \u2022 Domains: forum.trackingpin.org", "href= here /a . /h2 /body /html 443 Header \u2022 HTTP/1.1 302 Found Content-Length: 161", "Certificate Version 3 443 Certificate Subject\tUS 443 Certificate Subject\tArizona 443", "Patient/ Victim unaware of her workers compensation rights.", "IDS Detections: TheMoon.linksys.router", "Many pulses are missing. When we first began using this tool PIT was what we researched first", "Certificate Issuer\tStarfield Technologies, Inc. 443 Certificate Issuer", "http://certs.starfieldtech.com/repository/ 443", "https://stetsed.xyz/apple", "http://crl.starfieldtech.com/sfig2s2-0.crl 443", "Bills from nowhere appeared. Again staff said this never happened before left her with the debt.", "https://otx.alienvault.com/indicator/domain/secureserver.net", "Certificate Issuer: Starfield Secure Certificate Authority - G2 443 Title: Object moved 443", "Unix.TrojanMirai-7640640-0 IDS Detections Bad Login root login Yara Detections is__elf", "http://www.skynetsoftware.com/SNSAuth/appauth.aspx?app=myPlayerDroidPro&ver=3.700&key=53dbnf9wrz8vc0m5xfve2q1w2r4x8fv0g1b8sfg7qi0rdxck2j&platform=Android&devId=dc9c9a616665e073&width=800&height=561&owner=19&model=VirtualBox", "Regis needed to close. They treated Brashears as trash after the NEW staff came. Hmm who are tvey", "https://prometheusintelligencetechnology.com/404javascript.js", "Palantir Extranet -https://prometheusintelligencetechnology.com/", "A Domains \u2022 www.secureserver.net 443 Certificate", "Do you line how they spend your tax dollars? Attacking victims? Protecting Corporations!", "expires=Wed, 13-Jun-2018 10:21:35 GMT; path=/ P3P: policyref=\"/w3c/p3p.xml\",", "PDNS11.DOMAINCONTROL.COM", "It\u2019s okay if it\u2019s in there but this is in NO way related to an Alberta University hack.", "I\u2019m concerned because they are attacking people associated with her and thins needs to stop", "www.skynetsoftware.com", "\u201cCNT DEM FIN GOV INT NAV ONL PHY PRE PUR STA UNI IDC CAO OTI DSP COR CUR i OUR IND\"", "Palantir espionage \u2022 prometheusintelligencetechnology.com \u2022 ad-maven.com \u2022 fastly.com \u2022 Foundry.com \u2022 so many more", "This is when Tsara was interrogated by 2 men at Barnes & No Ken regarding her technical abilities", "She sought a certificate from Red Rocks. Kurzweil installed due to being disabled", "It\u2019s was sexual and violent. Patient was under the oversight of Mark Montano MD and John T. Sacha MD", "Pointed to Data Center 5 Inverness / Denver Tech Center, denies relationship. Seemed to prove originating DC", "I haven\u2019t mentioned the hit men they hired.", "Tsara was unable to finish her second degree this way. But found a way.", "Content-Length: 160 Location: http://www.secureserver.net/default404.aspx", "http://www.skynetsoftware.com/SNSAuth/appauth.aspx?app=myPlayerDroidPro&ver=2.800&key=2w6i4y1r0sdz6q9gchjcpkal0oaiem4u8ncy3bct1vcr8e6x2w&platform=Android&devId=92841014150fc3fd&width=480&height=764&owner=19&model=Lenovo%20A360t", "I don\u2019t like finding these remnants. I don\u2019t know why extranet was needed for this Brilliant student", "Fastly.com", "Old staff slow, foolish but eventually heeded instructions / once it was too late", "Sha1 :e4ca8288d5e4912a00482418765b58a2e22fd5dc", "Certificate Subjectaltname\t*.secureserver.net 443 Certificate Subjectaltname\tsecureserver.net", "Certificate Subject Scottsdale 443 Certificate Subject\tSpecial Domain Services, LLC 443", "We don\u2019t know how Octoseek & ScoreBlie (Team8) became part of \u2018No Problems\u2019", "https://prometheusintelligencetechnology.com/pit/", "Location: policyref=\"/w3c/p3p.xml\", CP=\"COM X-P3P: policyref=\"/w3c/p3p.xml\", CP=\"COM", "Palantir Ad-Maven Palantir, Ad- Maven, Prometheus Intelligence Technology", "http://ocsp.starfieldtech.com/ 443 Certificate", "https://www.secureserver.net/default404.aspx Server: Microsoft-IIS/7.0", "Powered-By: ARR/2.5 X-Powered-By: ASP.NET", "https://den.h5datacenters.com/", "Certificate Crldistributionpoints", "One of the interrogators, asked her to be his girlfriend (fake ) tried to move her to a new location .", "(Date: Tue, 13 Jun 2017 10:21:34 GMT 443 )", "Object moved /title /head body h2 Object moved to a href= http://www.secureserver.net/default404.aspx", "http://www.skynetsoftware.com/SNSAuth/appauth.aspx?app=myPlayerDroid&ver=1.999&key=xxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxx&platform=Android®=&devId=92841014150fc3fd&devInfo=&devEmail=&width=480&height=764&owner=19&model=Lenovo A360t", "Tsara Brashears warned of hack, provided detailed information, provided advice", "Review: Jeffrey Reimer DPT assaulted & egregiously injured a patient at AMS Concentra in Denver, Co", "CP=\"COM CNT DEM FIN GOV INT NAV ONL PHY PRE PUR STA UNI IDC CAO OTI DSP COR CUR OUR IND\"", "\u2018Close enrollment. Get all new devices. Stop using Barracuda.", "She refused. Two weeks later man is parked outside of her residence in a different county and city.", "This is directed to target, communicated where target was enrolled- Regis University Denver , Co", "http://www.skynetsoftware.com/myPlayer/myPlayerDroid.xml", "Serialnumber\t27B78B2246C9C1 443 Certificate Notafter \u2022 Aug 25 16:21:59 2017 GMT 443", "She was in the botnet already", "register.blackgirldroneworld.com (Is this racist)", "Professors asked to use her papers. \u2018Sure\u2019 she wasn\u2019t impressed", "Lots of detail because someone , somewhere is going through this.", "Quasi Government, Meta, Twitter , Palantir , Gotham , Christopher P. Ahmann , Brian Sabey", "X-Powered-By: ARR/2.5 X-Powered-By: ASP.NET P3P: policyref=\"/w3c/p3p.xml\", CP=\"", "This is dangerous. What is law enforcement for? They are probably controlled by Palantir as is Trump", "\u201cCNT DEM FIN GOV INT NAV ONL PHY PRE PUR STA UNI IDC CAO OTI DSP COR CUR OUR IND\"", "Date: Tue, 13 Jun 2017 10:21:34 GMT", "Set-Cookie: market=en-US; domain=secureserver.net; expires=path=/ P3P:", "Dean is deceased? Was the only staff who insisted that Tsara\u2019s tuition be reimbursed", "Find a way to safely begin from a new server. Work from a Virtual World Class", "http://prometheusintelligencetechnology.com/pitframeitem=22fsbout-regis-univer", "443 Certificate Notbefore\tAug 25 16:21:59 2014 GMT 443 Certificate Caissuers", "Server: Microsoft-IIS/7.0 Set-Cookie: market=en-US; domain=secureserver.net;" ], "related": { "alienvault": { "adversary": [], "malware_families": [], "industries": [], "unique_indicators": 0 }, "other": { "adversary": [], "malware_families": [ "Win32:ransomx-gen\\ [ransom]", "Elf:mirai-aal\\ [trj]", "Virus:win32/triusor.a", "!installcreatorpro_2_0", "#lowfienabledtcontinueafterunpacking", "Emotet", "Mirai", "Unix.trojan.mirai-7640640-0", "Win.downloader" ], "industries": [ "Civil society", "Education" ], "unique_indicators": 37281 } } }, "false_positive": [], "alexa": "http://www.alexa.com/siteinfo/ad-maven.com", "whois": "http://whois.domaintools.com/ad-maven.com", "domain": "ad-maven.com", "hostname": "wiki.ad-maven.com" }, "geo": {}, "geo_ipapicom": {}, "pulse_count": 5, "pulses": [ { "id": "69560fa62bddc3d965359168", "name": "Mirai H5DATACENTERS.COM \u2022 Regis University Blackout | Extranet", "description": "It was Data Center 5. \nH5DATACENTERS.COM \u2022 Regis University Blackout PrometheusIntelligenceTechnology.com - Extranet. Forced out of RU for finding malicious link that targeted , tracked ,conversations , behavior, etc., \u201cNo one willingly signed up to be tracked.\u201dis what Tsara told Dean Archer. He said he\u2019d never seen anything like this in his life. RU ignored the risks Tsara cautioned could irreparably damage incoming students college experience and negatively impact their future. I just hope the many students who attended do not continue to suffer. Guess who the villain was? The truth teller. \n\nToday activity has stepped up. Somehow the PIT Pulse has caused a crusade of aggressive following and investigation. \n\nThere may be 10,000 vs 1 in this battle. But the One is God.", "modified": "2026-01-31T03:04:09.490000", "created": "2026-01-01T06:09:42.057000", "tags": [ "http", "files related", "related tags", "ipv4", "ccus asnas20029", "urls", "domain", "files ip", "address domain", "ip whois", "passive dns", "gmt path", "hostname add", "files", "united", "a li", "trackingpin a", "ip address", "unknown aaaa", "error", "back", "darkness", "present sep", "a domains", "script urls", "unknown ns", "script domains", "meta", "apache", "body doctype", "gmt server", "url analysis", "path", "accept", "pragma", "west domains", "present dec", "object", "com cnt", "dem fin", "gov int", "nav onl", "phy pre", "data upload", "extraction", "found", "datacenter", "hosting", "vps reverse", "america united", "america asn", "as398101", "body html", "head title", "title", "status", "name servers", "failed", "all se", "enter sc", "type", "extra data", "referen", "manualv add", "indicator data", "port", "destination", "south korea", "china as4134", "taiwan as3462", "as3786 lg", "as4766 korea", "as9318 sk", "high", "tcp syn", "trojan", "pegasus", "malware", "unknown", "search", "present jan", "pur sta", "uni idc", "cao oti", "dsp cor", "body", "win32", "united states", "pulse tags", "palantir", "ad maven", "technology", "url https", "url http", "indicator role", "title added", "active related", "Palantir", "Ad-Maven", "Palantir", "Ad- Maven", "Prometheus Intelligence Technology", "skynet", "starfield tech", "flock", "report spam", "palantir ad", "maven", "botnet", "created", "days ago", "education", "tsara", "mirai", "regis", "brashears", "discovery", "universities", "tsara brashears", "close", "stop", "ransom", "capture", "denver" ], "references": [ "H5DATACENTERS.COM Name Servers: NS74.DOMAINCONTROL.COM", "https://prometheusintelligencetechnology.com/pit/", "https://prometheusintelligencetechnology.com/404javascript.js", "https://www.secureserver.net/default404.aspx", "http://ocsp.starfieldtech.com/ 443 Certificate", "https://www.secureserver.net/default404.aspx Server: Microsoft-IIS/7.0", "Set-Cookie: market=en-US; domain=secureserver.net; expires=path=/ P3P:", "\u201cCNT DEM FIN GOV INT NAV ONL PHY PRE PUR STA UNI IDC CAO OTI DSP COR CUR OUR IND\"", "Powered-By: ARR/2.5 X-Powered-By: ASP.NET", "href= here /a . /h2 /body /html 443 Header \u2022 HTTP/1.1 302 Found Content-Length: 161", "Location: policyref=\"/w3c/p3p.xml\", CP=\"COM X-P3P: policyref=\"/w3c/p3p.xml\", CP=\"COM", "\u201cCNT DEM FIN GOV INT NAV ONL PHY PRE PUR STA UNI IDC CAO OTI DSP COR CUR i OUR IND\"", "(Date: Tue, 13 Jun 2017 10:21:34 GMT 443 )", "Certificate Crldistributionpoints", "http://crl.starfieldtech.com/sfig2s2-0.crl 443", "Certificate Subjectaltname\t*.secureserver.net 443 Certificate Subjectaltname\tsecureserver.net", "443 Certificate Notbefore\tAug 25 16:21:59 2014 GMT 443 Certificate Caissuers", "Serialnumber\t27B78B2246C9C1 443 Certificate Notafter \u2022 Aug 25 16:21:59 2017 GMT 443", "Certificate Version 3 443 Certificate Subject\tUS 443 Certificate Subject\tArizona 443", "Certificate Subject Scottsdale 443 Certificate Subject\tSpecial Domain Services, LLC 443", "Certificate Issuer\tStarfield Technologies, Inc. 443 Certificate Issuer", "http://certs.starfieldtech.com/repository/ 443", "Certificate Issuer: Starfield Secure Certificate Authority - G2 443 Title: Object moved 443", "A Domains \u2022 www.secureserver.net 443 Certificate", "Object moved /title /head body h2 Object moved to a href= http://www.secureserver.net/default404.aspx", "80 Body\t here /a . /h2 /body /html 80 Header\tHTTP/1.1 302 Found Cache-Control: private", "Content-Length: 160 Location: http://www.secureserver.net/default404.aspx", "Server: Microsoft-IIS/7.0 Set-Cookie: market=en-US; domain=secureserver.net;", "expires=Wed, 13-Jun-2018 10:21:35 GMT; path=/ P3P: policyref=\"/w3c/p3p.xml\",", "CP=\"COM CNT DEM FIN GOV INT NAV ONL PHY PRE PUR STA UNI IDC CAO OTI DSP COR CUR OUR IND\"", "X-Powered-By: ARR/2.5 X-Powered-By: ASP.NET P3P: policyref=\"/w3c/p3p.xml\", CP=\"", "\u201cCOM CNT DEM FIN GOV INT NAV ONL PHY PRE PUR STA UNI IDC CAO OTI DSP COR CUR i OUR IND\"", "Date: Tue, 13 Jun 2017 10:21:34 GMT", "Sha1 :e4ca8288d5e4912a00482418765b58a2e22fd5dc", "TrackingPin (Error) A Domains: trackingpin.com \u2022 Domains: forum.trackingpin.org", "PDNS11.DOMAINCONTROL.COM", "https://otx.alienvault.com/indicator/domain/secureserver.net", "Unix.TrojanMirai-7640640-0 IDS Detections Bad Login root login Yara Detections is__elf", "Alerts: dead_host network_icmp tcp_syn_scan nolookup_communication", "https://den.h5datacenters.com/", "http://prometheusintelligencetechnology.com/pitframeitem=22fsbout-regis-univer", "register.blackgirldroneworld.com (Is this racist)", "https://stetsed.xyz/apple", "Palantir Ad-Maven Palantir, Ad- Maven, Prometheus Intelligence Technology", "Review: Jeffrey Reimer DPT assaulted & egregiously injured a patient at AMS Concentra in Denver, Co", "It\u2019s was sexual and violent. Patient was under the oversight of Mark Montano MD and John T. Sacha MD", "Patient/ Victim unaware of her workers compensation rights.", "Do you line how they spend your tax dollars? Attacking victims? Protecting Corporations!", "Quasi Government, Meta, Twitter , Palantir , Gotham , Christopher P. Ahmann , Brian Sabey", "I haven\u2019t mentioned the hit men they hired.", "Fastly.com", "www.skynetsoftware.com", "http://www.skynetsoftware.com/SNSAuth/appauth.aspx?app=myPlayerDroid&ver=1.999&key=xxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxx&platform=Android®=&devId=92841014150fc3fd&devInfo=&devEmail=&width=480&height=764&owner=19&model=Lenovo A360t", "http://www.skynetsoftware.com/SNSAuth/appauth.aspx?app=myPlayerDroidPro&ver=2.800&key=2w6i4y1r0sdz6q9gchjcpkal0oaiem4u8ncy3bct1vcr8e6x2w&platform=Android&devId=92841014150fc3fd&width=480&height=764&owner=19&model=Lenovo%20A360t", "http://www.skynetsoftware.com/SNSAuth/appauth.aspx?app=myPlayerDroidPro&ver=3.700&key=53dbnf9wrz8vc0m5xfve2q1w2r4x8fv0g1b8sfg7qi0rdxck2j&platform=Android&devId=dc9c9a616665e073&width=800&height=561&owner=19&model=VirtualBox", "http://www.skynetsoftware.com/myPlayer/myPlayerDroid.xml" ], "public": 1, "adversary": "", "targeted_countries": [ "United States of America" ], "malware_families": [ { "id": "Mirai", "display_name": "Mirai", "target": null }, { "id": "Virus:Win32/Triusor.A", "display_name": "Virus:Win32/Triusor.A", "target": "/malware/Virus:Win32/Triusor.A" }, { "id": "!InstallCreatorPro_2_0", "display_name": "!InstallCreatorPro_2_0", "target": null }, { "id": "Unix.Trojan.Mirai-7640640-0", "display_name": "Unix.Trojan.Mirai-7640640-0", "target": null }, { "id": "#LowFiEnableDTContinueAfterUnpacking", "display_name": "#LowFiEnableDTContinueAfterUnpacking", "target": null }, { "id": "Win.Downloader", "display_name": "Win.Downloader", "target": null }, { "id": "Mirai", "display_name": "Mirai", "target": null } ], "attack_ids": [ { "id": "T1027", "name": "Obfuscated Files or Information", "display_name": "T1027 - Obfuscated Files or Information" }, { "id": "T1057", "name": "Process Discovery", "display_name": "T1057 - Process Discovery" }, { "id": "T1069", "name": "Permission Groups Discovery", "display_name": "T1069 - Permission Groups Discovery" }, { "id": "T1071", "name": "Application Layer Protocol", "display_name": "T1071 - Application Layer Protocol" }, { "id": "T1105", "name": "Ingress Tool Transfer", "display_name": "T1105 - Ingress Tool Transfer" }, { "id": "T1113", "name": "Screen Capture", "display_name": "T1113 - Screen Capture" }, { "id": "T1129", "name": "Shared Modules", "display_name": "T1129 - Shared Modules" }, { "id": "T1140", "name": "Deobfuscate/Decode Files or Information", "display_name": "T1140 - Deobfuscate/Decode Files or Information" }, { "id": "T1203", "name": "Exploitation for Client Execution", "display_name": "T1203 - Exploitation for Client Execution" }, { "id": "T1480", "name": "Execution Guardrails", "display_name": "T1480 - Execution Guardrails" }, { "id": "T1518", "name": "Software Discovery", "display_name": "T1518 - Software Discovery" }, { "id": "T1553", "name": "Subvert Trust Controls", "display_name": "T1553 - Subvert Trust Controls" }, { "id": "T1568", "name": "Dynamic Resolution", "display_name": "T1568 - Dynamic Resolution" }, { "id": "T1583", "name": "Acquire Infrastructure", "display_name": "T1583 - Acquire Infrastructure" } ], "industries": [ "Education", "Civil Society" ], "TLP": "green", "cloned_from": null, "export_count": 6, "upvotes_count": 0, "downvotes_count": 0, "votes_count": 0, "locked": false, "pulse_source": "web", "validator_count": 0, "comment_count": 0, "follower_count": 0, "vote": 0, "author": { "username": "Q.Vashti", "id": "337942", "avatar_url": "https://otx.alienvault.com/assets/images/default-avatar.png", "is_subscribed": false, "is_following": false }, "indicator_type_counts": { "URL": 2817, "domain": 487, "hostname": 983, "FileHash-SHA256": 611, "FileHash-MD5": 107, "FileHash-SHA1": 106, "email": 2 }, "indicator_count": 5113, "is_author": false, "is_subscribing": null, "subscriber_count": 138, "modified_text": "79 days ago ", "is_modified": true, "groups": [], "in_group": false, "threat_hunter_scannable": true, "threat_hunter_has_agents": 1, "related_indicator_type": "URL", "related_indicator_is_active": 1 }, { "id": "695035a98f01d94b2598f8ee", "name": "Mirai \u2022 PrometheusIntelligenceTechnology.com - Extranet affected Universities | Regis University", "description": "PrometheusIntelligenceTechnology.com - Extranet. Regis University experienced an outrageous blackout. I know because I was an outside investigator. Tsara Brashears found the links as a redirect on iOS and MacBook Pro devices.\n She seemed to be the the solely impacted Computer Science student. Further research showed canary cookie in server. Regis ignored all and played down the facts. All computers needed replacing. T advised but they tried to clean them. The elevator didn\u2019t work for years. Call 911 if you get stuck. Tsara went out of her way for 5 months warning them until an fool logged in as her but could only login over iexplorer. RU paid a ransom. Tsara was black listed from school. Above 4.0 GPA 3.8 post assault. Just found another PIT link. \n\nIT Security sent her to the FBI because legitimate death threats and plans were found. \n\nAll attacks immediately following assault.", "modified": "2026-01-26T18:04:20.395000", "created": "2025-12-27T19:38:17.198000", "tags": [ "united", "unknown aaaa", "accept encoding", "moved", "urls", "files", "encrypt", "passive dns", "all ipv4", "america flag", "america asn", "ransom", "backdoor", "mtb win32", "mirai", "united states", "type indicator", "role title", "container", "ip address", "i div", "h2 p", "h4 p", "data", "desktop", "powerful", "url https", "url http", "indicator role", "active related", "cidr", "types", "indicators show", "learn", "ck id", "name tactics", "suspicious", "informative", "command", "adversaries", "defense evasion", "spawns", "mitre att", "ck matrix", "command decode", "programfiles", "suricata ipv4", "windir", "comspec", "hybrid", "general", "path", "model", "click", "strings", "prometheus", "palantir", "kill list", "tracking", "moon linksys", "router", "emotet", "active", "regis university", "ascii text", "show technique", "pattern match", "sha1", "show process", "root", "local", "development att", "ssl certificate", "extranet", "maven" ], "references": [ "Palantir Extranet -https://prometheusintelligencetechnology.com/", "Palantir espionage \u2022 prometheusintelligencetechnology.com \u2022 ad-maven.com \u2022 fastly.com \u2022 Foundry.com \u2022 so many more", "IDS Detections: TheMoon.linksys.router", "We don\u2019t know how Octoseek & ScoreBlie (Team8) became part of \u2018No Problems\u2019", "It\u2019s okay if it\u2019s in there but this is in NO way related to an Alberta University hack.", "This is directed to target, communicated where target was enrolled- Regis University Denver , Co", "Pointed to Data Center 5 Inverness / Denver Tech Center, denies relationship. Seemed to prove originating DC", "Tsara Brashears warned of hack, provided detailed information, provided advice", "\u2018Close enrollment. Get all new devices. Stop using Barracuda.", "Find a way to safely begin from a new server. Work from a Virtual World Class", "Regis needed to close. They treated Brashears as trash after the NEW staff came. Hmm who are tvey", "Old staff slow, foolish but eventually heeded instructions / once it was too late", "Dean is deceased? Was the only staff who insisted that Tsara\u2019s tuition be reimbursed", "She was in the botnet already", "Was denied after third enrollment showed false information", "She sought a certificate from Red Rocks. Kurzweil installed due to being disabled", "Bills from nowhere appeared. Again staff said this never happened before left her with the debt.", "Tsara was unable to finish her second degree this way. But found a way.", "I don\u2019t like finding these remnants. I don\u2019t know why extranet was needed for this Brilliant student", "Professors asked to use her papers. \u2018Sure\u2019 she wasn\u2019t impressed", "Many pulses are missing. When we first began using this tool PIT was what we researched first", "This is when Tsara was interrogated by 2 men at Barnes & No Ken regarding her technical abilities", "One of the interrogators, asked her to be his girlfriend (fake ) tried to move her to a new location .", "She refused. Two weeks later man is parked outside of her residence in a different county and city.", "I\u2019m concerned because they are attacking people associated with her and thins needs to stop", "This is dangerous. What is law enforcement for? They are probably controlled by Palantir as is Trump", "Lots of detail because someone , somewhere is going through this." ], "public": 1, "adversary": "", "targeted_countries": [], "malware_families": [ { "id": "Mirai", "display_name": "Mirai", "target": null }, { "id": "Win32:RansomX-gen\\ [Ransom]", "display_name": "Win32:RansomX-gen\\ [Ransom]", "target": null }, { "id": "ELF:Mirai-AAL\\ [Trj]", "display_name": "ELF:Mirai-AAL\\ [Trj]", "target": null }, { "id": "Emotet", "display_name": "Emotet", "target": null } ], "attack_ids": [ { "id": "T1027", "name": "Obfuscated Files or Information", "display_name": "T1027 - Obfuscated Files or Information" }, { "id": "T1057", "name": "Process Discovery", "display_name": "T1057 - Process Discovery" }, { "id": "T1071", "name": "Application Layer Protocol", "display_name": "T1071 - Application Layer Protocol" }, { "id": "T1105", "name": "Ingress Tool Transfer", "display_name": "T1105 - Ingress Tool Transfer" }, { "id": "T1129", "name": "Shared Modules", "display_name": "T1129 - Shared Modules" }, { "id": "T1203", "name": "Exploitation for Client Execution", "display_name": "T1203 - Exploitation for Client Execution" }, { "id": "T1518", "name": "Software Discovery", "display_name": "T1518 - Software Discovery" }, { "id": "T1553", "name": "Subvert Trust Controls", "display_name": "T1553 - Subvert Trust Controls" }, { "id": "T1568", "name": "Dynamic Resolution", "display_name": "T1568 - Dynamic Resolution" }, { "id": "T1583", "name": "Acquire Infrastructure", "display_name": "T1583 - Acquire Infrastructure" }, { "id": "T1071.001", "name": "Web Protocols", "display_name": "T1071.001 - Web Protocols" }, { "id": "T1583.005", "name": "Botnet", "display_name": "T1583.005 - Botnet" }, { "id": "T1553.001", "name": "Gatekeeper Bypass", "display_name": "T1553.001 - Gatekeeper Bypass" }, { "id": "T1568.002", "name": "Domain Generation Algorithms", "display_name": "T1568.002 - Domain Generation Algorithms" }, { "id": "T1071.004", "name": "DNS", "display_name": "T1071.004 - DNS" }, { "id": "T1518.001", "name": "Security Software Discovery", "display_name": "T1518.001 - Security Software Discovery" }, { "id": "T1553.002", "name": "Code Signing", "display_name": "T1553.002 - Code Signing" }, { "id": "T1113", "name": "Screen Capture", "display_name": "T1113 - Screen Capture" }, { "id": "T1069", "name": "Permission Groups Discovery", "display_name": "T1069 - Permission Groups Discovery" }, { "id": "T1480", "name": "Execution Guardrails", "display_name": "T1480 - Execution Guardrails" }, { "id": "T1140", "name": "Deobfuscate/Decode Files or Information", "display_name": "T1140 - Deobfuscate/Decode Files or Information" } ], "industries": [], "TLP": "green", "cloned_from": null, "export_count": 4, "upvotes_count": 0, "downvotes_count": 0, "votes_count": 0, "locked": false, "pulse_source": "web", "validator_count": 0, "comment_count": 5, "follower_count": 0, "vote": 0, "author": { "username": "Q.Vashti", "id": "337942", "avatar_url": "https://otx.alienvault.com/assets/images/default-avatar.png", "is_subscribed": false, "is_following": false }, "indicator_type_counts": { "URL": 1037, "domain": 161, "hostname": 340, "email": 2, "FileHash-SHA256": 315, "FileHash-MD5": 14, "FileHash-SHA1": 20, "CIDR": 16, "SSLCertFingerprint": 8 }, "indicator_count": 1913, "is_author": false, "is_subscribing": null, "subscriber_count": 137, "modified_text": "83 days ago ", "is_modified": true, "groups": [], "in_group": false, "threat_hunter_scannable": true, "threat_hunter_has_agents": 1, "related_indicator_type": "URL", "related_indicator_is_active": 1 }, { "id": "688716977e80a4274f2eafa9", "name": "LeadIQ | The Smart B2B Prospecting Platform | Malware Packed | Agent Tesla & more", "description": "Found in Bot joining Pulse.", "modified": "2025-08-27T06:03:05.020000", "created": "2025-07-28T06:20:07.660000", "tags": [ "present jul", "united", "entries", "search", "moved", "ip address", "creation date", "record value", "date", "showing", "body", "meta", "passive dns", "next associated", "win32spigot apr", "title error", "ipv4 add", "pulse pulses", "urls", "files", "adaptivebee", "worm", "win32", "urls show", "date checked", "url hostname", "server response", "google safe", "results jul", "location united", "asn asnone", "nameservers", "less whois", "registrar", "csc corporate", "status", "servers", "name servers", "hostname", "hostname add", "a domains", "script urls", "unknown aaaa", "technology one", "script script", "certificate", "null", "trojan", "twitter", "domain", "files ip", "address domain", "ip related", "pulses otx", "virtool", "http", "present jun", "present may", "pulse submit", "url analysis", "reverse dns", "australia asn", "as55532 squiz", "dns resolutions", "overview ip", "address", "ipv4", "iocs", "data upload", "extraction", "ided iocs", "failed", "shaw", "ail tvnas", "rl irl", "domain add", "ostname add", "verdict", "show", "types", "type", "indicator data", "searc type", "a indicator", "data", "select across", "all pages", "domain domain", "checked url", "hostname server", "response ip", "address google", "safe browsing", "msie", "chrome", "present dec", "base", "read c", "port", "destination", "delete", "copy", "write", "memcommit", "cryptexportkey", "invalid pointer", "writeconsolea", "learn", "ck id", "name tactics", "suspicious", "informative", "command", "spawns", "defense evasion", "t1480 execution", "signing defense", "copy md5", "copy sha1", "copy sha256", "sha1", "sha256", "pattern match", "size", "ascii text", "crlf line", "mitre att", "error", "click", "hybrid", "local", "path", "starfield", "strings", "refresh", "tools", "onload", "span", "form", "adversaries", "windows nt", "generic http", "exe upload", "inbound", "outbound", "yara detections", "malware", "expiration date", "whois show", "name andrew", "bauer name", "div id", "beginstring", "beginerror", "script", "general", "cloud", "find", "footer", "ninite feb", "telper", "ninite mar", "ninite apr", "trojandropper", "mtb mar", "url https", "general full", "security tls", "software", "resource hash", "protocol h2", "frankfurt", "main", "germany", "input", "skype", "opciones", "july", "es form", "dom name", "post https", "imagen", "microsoft", "iniciar sesin", "value", "variables", "config", "debug", "loader", "geturl", "b function", "addlistener", "proof", "amazon02", "dk summary", "amazon rsa", "september", "browsing", "resource", "asn16509", "name value", "queueprogress", "timestamp input", "status actions" ], "references": [], "public": 1, "adversary": "", "targeted_countries": [], "malware_families": [], "attack_ids": [ { "id": "T1045", "name": "Software Packing", "display_name": "T1045 - Software Packing" }, { "id": "T1082", "name": "System Information Discovery", "display_name": "T1082 - System Information Discovery" }, { "id": "T1057", "name": "Process Discovery", "display_name": "T1057 - Process Discovery" }, { "id": "T1071", "name": "Application Layer Protocol", "display_name": "T1071 - Application Layer Protocol" }, { "id": "T1105", "name": "Ingress Tool Transfer", "display_name": "T1105 - Ingress Tool Transfer" }, { "id": "T1480", "name": "Execution Guardrails", "display_name": "T1480 - Execution Guardrails" }, { "id": "T1553", "name": "Subvert Trust Controls", "display_name": "T1553 - Subvert Trust Controls" }, { "id": "T1562", "name": "Impair Defenses", "display_name": "T1562 - Impair Defenses" } ], "industries": [], "TLP": "green", "cloned_from": null, "export_count": 19, "upvotes_count": 0, "downvotes_count": 0, "votes_count": 0, "locked": false, "pulse_source": "web", "validator_count": 0, "comment_count": 0, "follower_count": 0, "vote": 0, "author": { "username": "Q.Vashti", "id": "337942", "avatar_url": "https://otx.alienvault.com/assets/images/default-avatar.png", "is_subscribed": false, "is_following": false }, "indicator_type_counts": { "FileHash-MD5": 487, "FileHash-SHA1": 461, "URL": 10732, "domain": 1672, "email": 6, "hostname": 3039, "FileHash-SHA256": 2569, "SSLCertFingerprint": 7 }, "indicator_count": 18973, "is_author": false, "is_subscribing": null, "subscriber_count": 142, "modified_text": "236 days ago ", "is_modified": true, "groups": [], "in_group": false, "threat_hunter_scannable": true, "threat_hunter_has_agents": 1, "related_indicator_type": "URL", "related_indicator_is_active": 1 }, { "id": "68858e8244c8db854e8947c1", "name": "Goodreads Malware", "description": "Goodreads is an older book review website. I found Goodreads[.]com links botnet joining Pulse. Just curious. #goodreads #malware #goodreads_botnet_join #thismightbeabotnet\n#gogray #purpleteamit #malware \n#thismightbeabotnet #ineedtolearnmore", "modified": "2025-08-26T01:03:19.405000", "created": "2025-07-27T02:27:14.517000", "tags": [ "passive dns", "urls", "url add", "pulse pulses", "http", "ip address", "related nids", "files location", "united", "flag united", "present jun", "present may", "present apr", "search", "moved", "creation date", "record value", "date", "body", "meta", "indicator role", "title added", "active related", "pulses url", "memcommit", "value1", "partnerid4146", "username", "gamesessionid", "port", "destination", "regsetvalueexa", "mozilla", "write", "persistence", "execution", "malware", "copy", "next", "process32nextw", "show", "entries", "module load", "t1129", "intel", "ms windows", "showing", "t1045", "win32", "learn", "ck id", "name tactics", "suspicious", "informative", "command", "spawns", "mitre att", "ck techniques", "evasion att", "sha1", "copy md5", "copy sha1", "copy sha256", "sha256", "size", "pattern match", "ascii text", "null", "error", "starfield", "click", "hybrid", "local", "path", "strings", "refresh", "tools", "onload", "span", "smbds ipc", "ms17010", "msf style", "probe ms17010", "generic flags", "yara detections", "nrv2x", "upxoepplace" ], "references": [], "public": 1, "adversary": "", "targeted_countries": [], "malware_families": [], "attack_ids": [ { "id": "T1040", "name": "Network Sniffing", "display_name": "T1040 - Network Sniffing" }, { "id": "T1047", "name": "Windows Management Instrumentation", "display_name": "T1047 - Windows Management Instrumentation" }, { "id": "T1060", "name": "Registry Run Keys / Startup Folder", "display_name": "T1060 - Registry Run Keys / Startup Folder" }, { "id": "T1071", "name": "Application Layer Protocol", "display_name": "T1071 - Application Layer Protocol" }, { "id": "T1082", "name": "System Information Discovery", "display_name": "T1082 - System Information Discovery" }, { "id": "T1112", "name": "Modify Registry", "display_name": "T1112 - Modify Registry" }, { "id": "T1129", "name": "Shared Modules", "display_name": "T1129 - Shared Modules" }, { "id": "T1045", "name": "Software Packing", "display_name": "T1045 - Software Packing" }, { "id": "T1053", "name": "Scheduled Task/Job", "display_name": "T1053 - Scheduled Task/Job" }, { "id": "T1057", "name": "Process Discovery", "display_name": "T1057 - Process Discovery" }, { "id": "T1105", "name": "Ingress Tool Transfer", "display_name": "T1105 - Ingress Tool Transfer" }, { "id": "T1480", "name": "Execution Guardrails", "display_name": "T1480 - Execution Guardrails" }, { "id": "T1553", "name": "Subvert Trust Controls", "display_name": "T1553 - Subvert Trust Controls" } ], "industries": [], "TLP": "green", "cloned_from": null, "export_count": 22, "upvotes_count": 0, "downvotes_count": 0, "votes_count": 0, "locked": false, "pulse_source": "web", "validator_count": 0, "comment_count": 0, "follower_count": 0, "vote": 0, "author": { "username": "Q.Vashti", "id": "337942", "avatar_url": "https://otx.alienvault.com/assets/images/default-avatar.png", "is_subscribed": false, "is_following": false }, "indicator_type_counts": { "FileHash-MD5": 155, "hostname": 1237, "FileHash-SHA256": 1141, "domain": 574, "URL": 4593, "FileHash-SHA1": 139, "email": 1, "SSLCertFingerprint": 8 }, "indicator_count": 7848, "is_author": false, "is_subscribing": null, "subscriber_count": 140, "modified_text": "237 days ago ", "is_modified": true, "groups": [], "in_group": false, "threat_hunter_scannable": true, "threat_hunter_has_agents": 1, "related_indicator_type": "URL", "related_indicator_is_active": 1 }, { "id": "687d91b1a8f414040bfba430", "name": "Spyware", "description": "And I've been walking, talking\nBelieving the things that are true\nAnd I've been finding\nThe difference between right and wrong, bad and good\nSee me put things together\nPut them back where they belong\nWhen I look at each other\nHave I always been singing the same song?\n\nShe said\nThis is a perfect world\nRiding on an incline\nI'm staring in your face\nYou'll photograph mine\n\nI-I-I-I-I\nWhoo, ah-ha-ha\nHa-ha-ha-ha-ha-ha\n\nSomebody said that it happens all over the world\nI do believe that it's true (\u2022o\u2022)\n#spyware #MaaS #malvertizing #bullyfor$ #unethical #dangerous_tool", "modified": "2025-08-20T00:01:59.498000", "created": "2025-07-21T01:02:41.049000", "tags": [ "serving ip", "address", "status", "utc na", "utc google", "utc facebook", "custom audience", "tag manager", "ua748443502", "utc gtmwrp73mt", "utc gsrdlm5jnx1", "utc aw937838002", "adsense na", "connect", "file type", "status code", "body length", "kb body", "sha256", "powershell", "b file", "ta0004 defense", "evasion ta0005", "command", "control ta0011", "c0002 wininet", "number", "azure rsa", "tls issuing", "cus subject", "stwa lredmond", "corporation cus", "algorithm", "cndigicert sha2", "secure server", "ca odigicert", "inc cus", "subject", "cnwe1 ogoogle", "trust", "cnmicrosoft ecc", "update secure", "server ca", "omicrosoft", "get http", "request", "windows nt", "win64", "khtml", "gecko", "response", "united", "search", "creation date", "expiration date", "name servers", "unknown soa", "germany unknown", "entries", "pulse submit", "url analysis", "date" ], "references": [], "public": 1, "adversary": "", "targeted_countries": [], "malware_families": [], "attack_ids": [], "industries": [], "TLP": "green", "cloned_from": null, "export_count": 8, "upvotes_count": 0, "downvotes_count": 0, "votes_count": 0, "locked": false, "pulse_source": "web", "validator_count": 0, "comment_count": 0, "follower_count": 0, "vote": 0, "author": { "username": "Q.Vashti", "id": "337942", "avatar_url": "https://otx.alienvault.com/assets/images/default-avatar.png", "is_subscribed": false, "is_following": false }, "indicator_type_counts": { "domain": 304, "hostname": 796, "URL": 2590, "FileHash-SHA256": 2735, "FileHash-MD5": 253, "FileHash-SHA1": 144, "email": 1 }, "indicator_count": 6823, "is_author": false, "is_subscribing": null, "subscriber_count": 141, "modified_text": "243 days ago ", "is_modified": true, "groups": [], "in_group": false, "threat_hunter_scannable": true, "threat_hunter_has_agents": 1, "related_indicator_type": "URL", "related_indicator_is_active": 1 } ], "error": null, "vt": { "error": "VirusTotal rate limit reached. Try again shortly.", "indicator": "https://wiki.ad-maven.com", "type": "URL" }, "abuseipdb": null, "urlhaus": { "indicator": "https://wiki.ad-maven.com", "type": "URL", "found": false, "verdict": "clean", "error": null }, "from_cache": true, "_cached_at": 1776675208.522483 }