{
"type": "URL",
"indicator": "https://www.youtube.sg",
"general": {
"sections": [
"general",
"url_list",
"http_scans",
"screenshot"
],
"indicator": "https://www.youtube.sg",
"type": "url",
"type_title": "URL",
"validation": [],
"base_indicator": {
"id": 3849910437,
"indicator": "https://www.youtube.sg",
"type": "URL",
"title": "",
"description": "",
"content": "",
"access_type": "public",
"access_reason": ""
},
"pulse_info": {
"count": 8,
"pulses": [
{
"id": "6946fdbb4a22dc28d60d6ca2",
"name": "Expiro - DoomScroller \u2022 BrowseHappy | Part 2",
"description": "Pulse: \u00c2\u00a31.1bn.io.com, a search engine for the most popular websites on the planet, is now available on Facebook, Twitter, Instagram and YouTube.",
"modified": "2026-01-19T19:04:41.997000",
"created": "2025-12-20T19:49:15.713000",
"tags": [
"doomscroller",
"browsehappy",
"xpirat",
"msie",
"windows nt",
"wow64",
"slcc2",
"media center",
"read c",
"united",
"tlsv1",
"execution",
"dock",
"write",
"persistence",
"encrypt",
"meta",
"browse happy",
"worry",
"body doctype",
"online",
"gmt server",
"a domains",
"ipv4 add",
"win32",
"trojandropper",
"title",
"date",
"unknown",
"post http",
"cryptexportkey",
"cryptgenkey",
"calgrc4",
"expiro",
"temple",
"xserver",
"adversaries",
"worry wordpress"
],
"references": [
"Xpirat = doomscroller.io"
],
"public": 1,
"adversary": "",
"targeted_countries": [],
"malware_families": [
{
"id": "Xpirat",
"display_name": "Xpirat",
"target": null
},
{
"id": "Expiro",
"display_name": "Expiro",
"target": null
}
],
"attack_ids": [
{
"id": "T1053",
"name": "Scheduled Task/Job",
"display_name": "T1053 - Scheduled Task/Job"
},
{
"id": "T1055",
"name": "Process Injection",
"display_name": "T1055 - Process Injection"
},
{
"id": "T1082",
"name": "System Information Discovery",
"display_name": "T1082 - System Information Discovery"
},
{
"id": "T1112",
"name": "Modify Registry",
"display_name": "T1112 - Modify Registry"
},
{
"id": "T1119",
"name": "Automated Collection",
"display_name": "T1119 - Automated Collection"
},
{
"id": "T1129",
"name": "Shared Modules",
"display_name": "T1129 - Shared Modules"
},
{
"id": "T1143",
"name": "Hidden Window",
"display_name": "T1143 - Hidden Window"
},
{
"id": "T1045",
"name": "Software Packing",
"display_name": "T1045 - Software Packing"
},
{
"id": "T1057",
"name": "Process Discovery",
"display_name": "T1057 - Process Discovery"
},
{
"id": "T1060",
"name": "Registry Run Keys / Startup Folder",
"display_name": "T1060 - Registry Run Keys / Startup Folder"
},
{
"id": "T1457",
"name": "Malicious Media Content",
"display_name": "T1457 - Malicious Media Content"
},
{
"id": "T1036.004",
"name": "Masquerade Task or Service",
"display_name": "T1036.004 - Masquerade Task or Service"
},
{
"id": "T1176",
"name": "Browser Extensions",
"display_name": "T1176 - Browser Extensions"
},
{
"id": "T1011",
"name": "Exfiltration Over Other Network Medium",
"display_name": "T1011 - Exfiltration Over Other Network Medium"
},
{
"id": "T1210",
"name": "Exploitation of Remote Services",
"display_name": "T1210 - Exploitation of Remote Services"
},
{
"id": "TA0003",
"name": "Persistence",
"display_name": "TA0003 - Persistence"
},
{
"id": "TA0037",
"name": "Command and Control",
"display_name": "TA0037 - Command and Control"
},
{
"id": "T1595",
"name": "Active Scanning",
"display_name": "T1595 - Active Scanning"
},
{
"id": "T1423",
"name": "Network Service Scanning",
"display_name": "T1423 - Network Service Scanning"
}
],
"industries": [],
"TLP": "white",
"cloned_from": null,
"export_count": 1,
"upvotes_count": 0,
"downvotes_count": 0,
"votes_count": 0,
"locked": false,
"pulse_source": "web",
"validator_count": 0,
"comment_count": 0,
"follower_count": 0,
"vote": 0,
"author": {
"username": "Q.Vashti",
"id": "337942",
"avatar_url": "https://otx.alienvault.com/assets/images/default-avatar.png",
"is_subscribed": false,
"is_following": false
},
"indicator_type_counts": {
"URL": 5576,
"domain": 1502,
"FileHash-MD5": 116,
"FileHash-SHA1": 73,
"FileHash-SHA256": 1041,
"SSLCertFingerprint": 1,
"hostname": 1951
},
"indicator_count": 10260,
"is_author": false,
"is_subscribing": null,
"subscriber_count": 138,
"modified_text": "89 days ago ",
"is_modified": true,
"groups": [],
"in_group": false,
"threat_hunter_scannable": true,
"threat_hunter_has_agents": 1,
"related_indicator_type": "URL",
"related_indicator_is_active": 1
},
{
"id": "68e2bb5d9ee8577ab5519f2c",
"name": "Meritshealth with DoD links? ",
"description": "",
"modified": "2026-01-13T00:05:56.401000",
"created": "2025-10-05T18:39:25.286000",
"tags": [
"gtmk5nxqc6",
"utc amazon",
"utc na",
"acceptencoding",
"gmt contenttype",
"connection",
"true pragma",
"gmt setcookie",
"httponly",
"gmt vary",
"nc000000 up",
"html document",
"unicode text",
"utf8 text",
"oc0006 http",
"http traffic",
"https http",
"mitre att",
"control ta0011",
"protocol t1071",
"match info",
"t1573 severity",
"info",
"number",
"ja3s",
"algorithm",
"azure rsa",
"tls issuing",
"cus subject",
"stwa lredmond",
"cnmicrosoft ecc",
"update secure",
"server ca",
"omicrosoft cus",
"get http",
"dns resolutions",
"registrar",
"markmonitor inc",
"country",
"resolver domain",
"type name",
"html",
"apnic",
"apnic whois",
"please",
"rirs",
"cidr",
"learn",
"ck id",
"name tactics",
"suspicious",
"informative",
"command",
"adversaries",
"development att",
"name tactics",
"binary file",
"ck matrix",
"wheelchair",
"iamrobert",
"pattern match",
"ascii text",
"href",
"united",
"general",
"local",
"path",
"encrypt",
"click",
"passive dns",
"urls",
"files",
"reverse dns",
"netherlands",
"present aug",
"a domains",
"moved",
"first pqc",
"ip address",
"unknown ns",
"unknown aaaa",
"title",
"body",
"meta",
"window",
"accept",
"body doctype",
"welcome",
"ok server",
"gmt content",
"present jul",
"present sep",
"aaaa",
"hostname",
"error",
"defense evasion",
"windows nt",
"response",
"vary",
"strings",
"core",
"t1027.013 encrypted/encoded",
"michelin lazy k",
"prefetch8",
"flag",
"date",
"starfield",
"hybrid",
"mobility cr",
"extraction",
"data upload",
"include",
"o url",
"url url",
"included i0",
"review ioc",
"excluded ic",
"suggested",
"find sugi",
"failed",
"cre pul",
"enter",
"enter sc",
"type",
"enric",
"extra",
"type opaste",
"data u",
"included",
"copy md5",
"copy sha1",
"copy sha256",
"null",
"refresh",
"tools",
"look",
"verify",
"restart",
"t1480 execution",
"expiration",
"url https",
"no expiration",
"iocs",
"ipv4",
"text drag",
"drop or",
"browse to",
"select file",
"redacted for",
"server",
"privacy tech",
"privacy admin",
"postal code",
"stateprovince",
"organization",
"email",
"code",
"quantum rooms",
"sam somalia",
"emp",
"porn",
"media defense",
"gov porn",
"suck my nips",
"reimer suspect",
"jeffrey reimer",
"dod",
"department of defense",
"show",
"date checked",
"url hostname",
"server response",
"google safe",
"results may",
"entries http",
"scans record",
"value status",
"sabey type",
"merits fake",
"y.a.s.",
"pornography",
"ramsom"
],
"references": [
"https://www.meritshealth.com/ Defense.Gov Mobility Co? ",
"zeroeyes.host \u2022 media.defense.gov \u2022 defense.gov \u2022 23.222.155.67",
"https://media.defense.gov/2022/Mar/17/2002958406/-1/-1/1/SUMMARY-OF-THE-JOINT-ALL-DOMAIN-COMMAND-AND-CONTROL-STRATEGY.pdf",
"https://media.defense.gov/2020/jun/09/2002313081/-1/-1/0/csi-detect-and-prevent-web-shell-malware-20200422.pdf",
"https://rto.bappam.eu/ai-n2cdl/mirai-2025-ven5k-telugu-movie-watch-online.html",
"https://pornokind.vgt.pl \u2022 https://cdn2.video.itsyourporn.com",
"https://webcams.itsyourporn.com/ \u2022 https://members.itsyourporn.com/",
"https://pics-storage-1.pornhat.com/contents/albums/main/1920x1080/135000/135855/9537375.jp",
"https://static.pornhat.com/contents/videos_screenshots/642000/642793/640x360/1.jpg",
"https://d1rozh26tys225.cloudfront.net/robot-suspicion.svg (mobility company no one has heard of)",
"https://www2.itsyourporn.com/license.php \u2022 https://www.lovephoto.tw/members",
"https://members.engine.com/login \u2022 https://members.engine.com/payment-details/220210",
"https://www-pornocarioca-com.sexogratis.page/videos/bbb/ex",
"https://media.defense.gov/2024/sep/18/2003547016/-1/-1/0/csa-prc-linked-actors-botnet.pdf",
"https://maisexo-com.putaria.info/casting \u2022 https://contosadultos-club.sexogratis.page/tudo",
"https://meumundogay-com.sexogratis.page/locker",
"https://es.pornhat.com/models/the-sex-creator/",
"Dear US Government, the man who assaulted targets name is Jeffrey Scott Reimer of Chester Springs, PA",
"Can the DoD no questions asked target a SA victim",
"Red Team Abuse? Starfield ? DoD? You need a real criminal Jeffrey Reimer.",
"There\u2019s a problem with terrorizing victims, relatives of, associates of and stealing their property intellectual or otherwise",
"socialmedia \u2022 socialmedia.defense.gov \u2022 static.defense.gov",
"There is fear in silence or speaking out",
"Target left unattended by anyone in a hospital except a security guard. Hospital refused care. Ignored rare brain incident from high cervical & brain assault injuries aggravated by car accident.",
"3-4 Police presence. 25 + hospital employees prepped radiology room. No one left room so was it for her?",
"If someone is believed to be a threat they have right to due process.",
"Infectious Disease UC Health denied target medication they said she needed as questionable liquid seeped into her brain.",
"She was a researcher not a hacker. A mother not a criminal. Most talented and least impressed person I have ever known.",
"Remarks online \u2018 T\u2019*#^^ is not a runner\u2019 a size 00 broke two track records at a major universities.",
"Honestly, you\u2019ve never seen or met her no many how many people you\u2019ve sent out. That\u2019s why you quiz.",
"ftp.iamrobert.com ? \u2022 https://www.meritshealth.com/templates/iamrobert/fonts/Graphik-Regular.eot",
"iamrobert.com Y.A.S.",
"1.2016 M.Brian Sabey filed a complaint about? Jeffrey Reimer refused Lie detector test and False memory exam",
"Target agreed and complied with all lie detector measures.",
"Is the family allowed to have a funeral for Tsara or print an obituary",
"No, they put Tsara in her mom\u2019s obituary, she couldn\u2019t grieve, she had to take it down.",
"I am very upset. Whoever is doing this is sick."
],
"public": 1,
"adversary": "",
"targeted_countries": [
"United States of America"
],
"malware_families": [
{
"id": "APNIC",
"display_name": "APNIC",
"target": null
},
{
"id": "Malware",
"display_name": "Malware",
"target": null
}
],
"attack_ids": [
{
"id": "T1071",
"name": "Application Layer Protocol",
"display_name": "T1071 - Application Layer Protocol"
},
{
"id": "T1573",
"name": "Encrypted Channel",
"display_name": "T1573 - Encrypted Channel"
},
{
"id": "T1027",
"name": "Obfuscated Files or Information",
"display_name": "T1027 - Obfuscated Files or Information"
},
{
"id": "T1057",
"name": "Process Discovery",
"display_name": "T1057 - Process Discovery"
},
{
"id": "T1069",
"name": "Permission Groups Discovery",
"display_name": "T1069 - Permission Groups Discovery"
},
{
"id": "T1105",
"name": "Ingress Tool Transfer",
"display_name": "T1105 - Ingress Tool Transfer"
},
{
"id": "T1480",
"name": "Execution Guardrails",
"display_name": "T1480 - Execution Guardrails"
},
{
"id": "T1553",
"name": "Subvert Trust Controls",
"display_name": "T1553 - Subvert Trust Controls"
},
{
"id": "T1566",
"name": "Phishing",
"display_name": "T1566 - Phishing"
},
{
"id": "T1568",
"name": "Dynamic Resolution",
"display_name": "T1568 - Dynamic Resolution"
},
{
"id": "T1583",
"name": "Acquire Infrastructure",
"display_name": "T1583 - Acquire Infrastructure"
},
{
"id": "T1069.002",
"name": "Domain Groups",
"display_name": "T1069.002 - Domain Groups"
},
{
"id": "T1071.001",
"name": "Web Protocols",
"display_name": "T1071.001 - Web Protocols"
},
{
"id": "T1583.001",
"name": "Domains",
"display_name": "T1583.001 - Domains"
},
{
"id": "TA0042",
"name": "Resource Development",
"display_name": "TA0042 - Resource Development"
},
{
"id": "TA0005",
"name": "Defense Evasion",
"display_name": "TA0005 - Defense Evasion"
},
{
"id": "T1553.002",
"name": "Code Signing",
"display_name": "T1553.002 - Code Signing"
},
{
"id": "T1528",
"name": "Steal Application Access Token",
"display_name": "T1528 - Steal Application Access Token"
},
{
"id": "T1071.004",
"name": "DNS",
"display_name": "T1071.004 - DNS"
},
{
"id": "T1113",
"name": "Screen Capture",
"display_name": "T1113 - Screen Capture"
},
{
"id": "T1590",
"name": "Gather Victim Network Information",
"display_name": "T1590 - Gather Victim Network Information"
},
{
"id": "T1591",
"name": "Gather Victim Org Information",
"display_name": "T1591 - Gather Victim Org Information"
},
{
"id": "T1132",
"name": "Data Encoding",
"display_name": "T1132 - Data Encoding"
},
{
"id": "T1140",
"name": "Deobfuscate/Decode Files or Information",
"display_name": "T1140 - Deobfuscate/Decode Files or Information"
},
{
"id": "T1562",
"name": "Impair Defenses",
"display_name": "T1562 - Impair Defenses"
},
{
"id": "T1457",
"name": "Malicious Media Content",
"display_name": "T1457 - Malicious Media Content"
},
{
"id": "T1562.001",
"name": "Disable or Modify Tools",
"display_name": "T1562.001 - Disable or Modify Tools"
},
{
"id": "T1562.004",
"name": "Disable or Modify System Firewall",
"display_name": "T1562.004 - Disable or Modify System Firewall"
},
{
"id": "T1089",
"name": "Disabling Security Tools",
"display_name": "T1089 - Disabling Security Tools"
},
{
"id": "T1562.008",
"name": "Disable Cloud Logs",
"display_name": "T1562.008 - Disable Cloud Logs"
},
{
"id": "T1125",
"name": "Video Capture",
"display_name": "T1125 - Video Capture"
},
{
"id": "T1056.003",
"name": "Web Portal Capture",
"display_name": "T1056.003 - Web Portal Capture"
},
{
"id": "T1512",
"name": "Capture Camera",
"display_name": "T1512 - Capture Camera"
},
{
"id": "T1180",
"name": "Screensaver",
"display_name": "T1180 - Screensaver"
}
],
"industries": [],
"TLP": "white",
"cloned_from": "68e2b14d83bb63502feac65e",
"export_count": 17,
"upvotes_count": 0,
"downvotes_count": 0,
"votes_count": 0,
"locked": false,
"pulse_source": "web",
"validator_count": 0,
"comment_count": 0,
"follower_count": 0,
"vote": 0,
"author": {
"username": "Q.Vashti",
"id": "337942",
"avatar_url": "https://otx.alienvault.com/assets/images/default-avatar.png",
"is_subscribed": false,
"is_following": false
},
"indicator_type_counts": {
"domain": 1365,
"URL": 11172,
"hostname": 2780,
"FileHash-MD5": 381,
"FileHash-SHA256": 4420,
"FileHash-SHA1": 338,
"CIDR": 4,
"SSLCertFingerprint": 24,
"CVE": 1,
"email": 1
},
"indicator_count": 20486,
"is_author": false,
"is_subscribing": null,
"subscriber_count": 139,
"modified_text": "96 days ago ",
"is_modified": true,
"groups": [],
"in_group": false,
"threat_hunter_scannable": true,
"threat_hunter_has_agents": 1,
"related_indicator_type": "URL",
"related_indicator_is_active": 1
},
{
"id": "68e2b14d83bb63502feac65e",
"name": "Did the \u2018real\u2019 DoD kill Targets wheelchair as promised? It\u2019s alive again.",
"description": "I\u2019d never think the DoD would be found when researching a wheelchair company NO ONE has ever heard of in this region. \n\nA wheelchair was ordered for target early spring, it was received in early summer. \n\nSettings became a crazy mess. Suspicion was immediate as a toothless tech tried to identify if dealing w/target by birth year , quizzing, fear tactics (doomsday wheelchair) , familiar Then warns about EMP attacks against wheelchair? His son is a hacker (gamer) + software engineer. He left not knowing if target status after quizzing tech knowledge? I intentionally verbalized the truth , target was a very early adopter of Ruby & Ruby on Rails & everything tech, he dropped his tools & left breaking the arm of wheelchair. New tech needed. Later denies ever being a mobility technician. They killed a new wheelchair. Why?. You\u2019re allowed to donate your equipment Vets & uninsured NEED mobility equipment. Stop the craziness. Is it possible gamer hackers are riding the DoD w/o their knowledge?",
"modified": "2026-01-07T00:00:30.717000",
"created": "2025-10-05T17:56:29.109000",
"tags": [
"gtmk5nxqc6",
"utc amazon",
"utc na",
"acceptencoding",
"gmt contenttype",
"connection",
"true pragma",
"gmt setcookie",
"httponly",
"gmt vary",
"nc000000 up",
"html document",
"unicode text",
"utf8 text",
"oc0006 http",
"http traffic",
"https http",
"mitre att",
"control ta0011",
"protocol t1071",
"match info",
"t1573 severity",
"info",
"number",
"ja3s",
"algorithm",
"azure rsa",
"tls issuing",
"cus subject",
"stwa lredmond",
"cnmicrosoft ecc",
"update secure",
"server ca",
"omicrosoft cus",
"get http",
"dns resolutions",
"registrar",
"markmonitor inc",
"country",
"resolver domain",
"type name",
"html",
"apnic",
"apnic whois",
"please",
"rirs",
"cidr",
"learn",
"ck id",
"name tactics",
"suspicious",
"informative",
"command",
"adversaries",
"development att",
"name tactics",
"binary file",
"ck matrix",
"wheelchair",
"iamrobert",
"pattern match",
"ascii text",
"href",
"united",
"general",
"local",
"path",
"encrypt",
"click",
"passive dns",
"urls",
"files",
"reverse dns",
"netherlands",
"present aug",
"a domains",
"moved",
"first pqc",
"ip address",
"unknown ns",
"unknown aaaa",
"title",
"body",
"meta",
"window",
"accept",
"body doctype",
"welcome",
"ok server",
"gmt content",
"present jul",
"present sep",
"aaaa",
"hostname",
"error",
"defense evasion",
"windows nt",
"response",
"vary",
"strings",
"core",
"t1027.013 encrypted/encoded",
"michelin lazy k",
"prefetch8",
"flag",
"date",
"starfield",
"hybrid",
"mobility cr",
"extraction",
"data upload",
"include",
"o url",
"url url",
"included i0",
"review ioc",
"excluded ic",
"suggested",
"find sugi",
"failed",
"cre pul",
"enter",
"enter sc",
"type",
"enric",
"extra",
"type opaste",
"data u",
"included",
"copy md5",
"copy sha1",
"copy sha256",
"null",
"refresh",
"tools",
"look",
"verify",
"restart",
"t1480 execution",
"expiration",
"url https",
"no expiration",
"iocs",
"ipv4",
"text drag",
"drop or",
"browse to",
"select file",
"redacted for",
"server",
"privacy tech",
"privacy admin",
"postal code",
"stateprovince",
"organization",
"email",
"code",
"quantum rooms",
"sam somalia",
"emp",
"porn",
"media defense",
"gov porn",
"suck my nips",
"reimer suspect",
"jeffrey reimer",
"dod",
"department of defense",
"show",
"date checked",
"url hostname",
"server response",
"google safe",
"results may",
"entries http",
"scans record",
"value status",
"sabey type",
"merits fake",
"y.a.s.",
"pornography",
"ramsom"
],
"references": [
"https://www.meritshealth.com/ Defense.Gov Mobility Co? ",
"zeroeyes.host \u2022 media.defense.gov \u2022 defense.gov \u2022 23.222.155.67",
"https://media.defense.gov/2022/Mar/17/2002958406/-1/-1/1/SUMMARY-OF-THE-JOINT-ALL-DOMAIN-COMMAND-AND-CONTROL-STRATEGY.pdf",
"https://media.defense.gov/2020/jun/09/2002313081/-1/-1/0/csi-detect-and-prevent-web-shell-malware-20200422.pdf",
"https://rto.bappam.eu/ai-n2cdl/mirai-2025-ven5k-telugu-movie-watch-online.html",
"https://pornokind.vgt.pl \u2022 https://cdn2.video.itsyourporn.com",
"https://webcams.itsyourporn.com/ \u2022 https://members.itsyourporn.com/",
"https://pics-storage-1.pornhat.com/contents/albums/main/1920x1080/135000/135855/9537375.jp",
"https://static.pornhat.com/contents/videos_screenshots/642000/642793/640x360/1.jpg",
"https://d1rozh26tys225.cloudfront.net/robot-suspicion.svg (mobility company no one has heard of)",
"https://www2.itsyourporn.com/license.php \u2022 https://www.lovephoto.tw/members",
"https://members.engine.com/login \u2022 https://members.engine.com/payment-details/220210",
"https://www-pornocarioca-com.sexogratis.page/videos/bbb/ex",
"https://media.defense.gov/2024/sep/18/2003547016/-1/-1/0/csa-prc-linked-actors-botnet.pdf",
"https://maisexo-com.putaria.info/casting \u2022 https://contosadultos-club.sexogratis.page/tudo",
"https://meumundogay-com.sexogratis.page/locker",
"https://es.pornhat.com/models/the-sex-creator/",
"Dear US Government, the man who assaulted targets name is Jeffrey Scott Reimer of Chester Springs, PA",
"Can the DoD no questions asked target a SA victim",
"Red Team Abuse? Starfield ? DoD? You need a real criminal Jeffrey Reimer.",
"There\u2019s a problem with terrorizing victims, relatives of, associates of and stealing their property intellectual or otherwise",
"socialmedia \u2022 socialmedia.defense.gov \u2022 static.defense.gov",
"There is fear in silence or speaking out",
"Target left unattended by anyone in a hospital except a security guard. Hospital refused care. Ignored rare brain incident from high cervical & brain assault injuries aggravated by car accident.",
"3-4 Police presence. 25 + hospital employees prepped radiology room. No one left room so was it for her?",
"If someone is believed to be a threat they have right to due process.",
"Infectious Disease UC Health denied target medication they said she needed as questionable liquid seeped into her brain.",
"She was a researcher not a hacker. A mother not a criminal. Most talented and least impressed person I have ever known.",
"Remarks online \u2018 T\u2019*#^^ is not a runner\u2019 a size 00 broke two track records at a major universities.",
"Honestly, you\u2019ve never seen or met her no many how many people you\u2019ve sent out. That\u2019s why you quiz.",
"ftp.iamrobert.com ? \u2022 https://www.meritshealth.com/templates/iamrobert/fonts/Graphik-Regular.eot",
"iamrobert.com Y.A.S.",
"1.2016 M.Brian Sabey filed a complaint about? Jeffrey Reimer refused Lie detector test and False memory exam",
"Target agreed and complied with all lie detector measures.",
"Is the family allowed to have a funeral for Tsara or print an obituary",
"No, they put Tsara in her mom\u2019s obituary, she couldn\u2019t grieve, she had to take it down.",
"I am very upset. Whoever is doing this is sick."
],
"public": 1,
"adversary": "",
"targeted_countries": [
"United States of America"
],
"malware_families": [
{
"id": "APNIC",
"display_name": "APNIC",
"target": null
},
{
"id": "Malware",
"display_name": "Malware",
"target": null
}
],
"attack_ids": [
{
"id": "T1071",
"name": "Application Layer Protocol",
"display_name": "T1071 - Application Layer Protocol"
},
{
"id": "T1573",
"name": "Encrypted Channel",
"display_name": "T1573 - Encrypted Channel"
},
{
"id": "T1027",
"name": "Obfuscated Files or Information",
"display_name": "T1027 - Obfuscated Files or Information"
},
{
"id": "T1057",
"name": "Process Discovery",
"display_name": "T1057 - Process Discovery"
},
{
"id": "T1069",
"name": "Permission Groups Discovery",
"display_name": "T1069 - Permission Groups Discovery"
},
{
"id": "T1105",
"name": "Ingress Tool Transfer",
"display_name": "T1105 - Ingress Tool Transfer"
},
{
"id": "T1480",
"name": "Execution Guardrails",
"display_name": "T1480 - Execution Guardrails"
},
{
"id": "T1553",
"name": "Subvert Trust Controls",
"display_name": "T1553 - Subvert Trust Controls"
},
{
"id": "T1566",
"name": "Phishing",
"display_name": "T1566 - Phishing"
},
{
"id": "T1568",
"name": "Dynamic Resolution",
"display_name": "T1568 - Dynamic Resolution"
},
{
"id": "T1583",
"name": "Acquire Infrastructure",
"display_name": "T1583 - Acquire Infrastructure"
},
{
"id": "T1069.002",
"name": "Domain Groups",
"display_name": "T1069.002 - Domain Groups"
},
{
"id": "T1071.001",
"name": "Web Protocols",
"display_name": "T1071.001 - Web Protocols"
},
{
"id": "T1583.001",
"name": "Domains",
"display_name": "T1583.001 - Domains"
},
{
"id": "TA0042",
"name": "Resource Development",
"display_name": "TA0042 - Resource Development"
},
{
"id": "TA0005",
"name": "Defense Evasion",
"display_name": "TA0005 - Defense Evasion"
},
{
"id": "T1553.002",
"name": "Code Signing",
"display_name": "T1553.002 - Code Signing"
},
{
"id": "T1528",
"name": "Steal Application Access Token",
"display_name": "T1528 - Steal Application Access Token"
},
{
"id": "T1071.004",
"name": "DNS",
"display_name": "T1071.004 - DNS"
},
{
"id": "T1113",
"name": "Screen Capture",
"display_name": "T1113 - Screen Capture"
},
{
"id": "T1590",
"name": "Gather Victim Network Information",
"display_name": "T1590 - Gather Victim Network Information"
},
{
"id": "T1591",
"name": "Gather Victim Org Information",
"display_name": "T1591 - Gather Victim Org Information"
},
{
"id": "T1132",
"name": "Data Encoding",
"display_name": "T1132 - Data Encoding"
},
{
"id": "T1140",
"name": "Deobfuscate/Decode Files or Information",
"display_name": "T1140 - Deobfuscate/Decode Files or Information"
},
{
"id": "T1562",
"name": "Impair Defenses",
"display_name": "T1562 - Impair Defenses"
},
{
"id": "T1457",
"name": "Malicious Media Content",
"display_name": "T1457 - Malicious Media Content"
},
{
"id": "T1562.001",
"name": "Disable or Modify Tools",
"display_name": "T1562.001 - Disable or Modify Tools"
},
{
"id": "T1562.004",
"name": "Disable or Modify System Firewall",
"display_name": "T1562.004 - Disable or Modify System Firewall"
},
{
"id": "T1089",
"name": "Disabling Security Tools",
"display_name": "T1089 - Disabling Security Tools"
},
{
"id": "T1562.008",
"name": "Disable Cloud Logs",
"display_name": "T1562.008 - Disable Cloud Logs"
},
{
"id": "T1125",
"name": "Video Capture",
"display_name": "T1125 - Video Capture"
},
{
"id": "T1056.003",
"name": "Web Portal Capture",
"display_name": "T1056.003 - Web Portal Capture"
},
{
"id": "T1512",
"name": "Capture Camera",
"display_name": "T1512 - Capture Camera"
},
{
"id": "T1180",
"name": "Screensaver",
"display_name": "T1180 - Screensaver"
}
],
"industries": [],
"TLP": "white",
"cloned_from": null,
"export_count": 11,
"upvotes_count": 0,
"downvotes_count": 0,
"votes_count": 0,
"locked": false,
"pulse_source": "web",
"validator_count": 0,
"comment_count": 1,
"follower_count": 0,
"vote": 0,
"author": {
"username": "Q.Vashti",
"id": "337942",
"avatar_url": "https://otx.alienvault.com/assets/images/default-avatar.png",
"is_subscribed": false,
"is_following": false
},
"indicator_type_counts": {
"domain": 1328,
"URL": 9931,
"hostname": 2621,
"FileHash-MD5": 381,
"FileHash-SHA256": 4360,
"FileHash-SHA1": 338,
"CIDR": 4,
"SSLCertFingerprint": 24,
"CVE": 1,
"email": 1
},
"indicator_count": 18989,
"is_author": false,
"is_subscribing": null,
"subscriber_count": 139,
"modified_text": "102 days ago ",
"is_modified": true,
"groups": [],
"in_group": false,
"threat_hunter_scannable": true,
"threat_hunter_has_agents": 1,
"related_indicator_type": "URL",
"related_indicator_is_active": 1
},
{
"id": "692f04e9fa3d782118e94aac",
"name": "LevelBlue - Open Threat Exchange - Delete AppDeployed",
"description": "I\u2019m not sure what to think. |\ndeploy-delete-app-us-east-2-1.deploy-delete-test-us-east-2-1mtsufd.us-east-2.gamma.forgeapps.ec2.aws.dev | Are these\npulses being sold or attacked? Christopher P. Ahmann of TAM Legal and his other firms has ALWAYS attacked targets phones and networks. Nothing is too outrageous for this maniac.\n\nHe is responsible for the recent attacks on devices , clouds , google accounts and a flurry of threats. Indicators in recently pulsed reports have been removed. I\u2019ve done my best to restore. \n\nI am also concerned about the safety or legitimacy of this platform.\n\nNo one is ever alerted. Simply calling someone and telling them about the compromises can equate to a big pay day for Level Blue and nothing for the victims of attacks. I need my pulses restored. \n\nIt\u2019s plausible to believe OTX was attacked by an external threat actor.\nAnything is possible when it comes to money.",
"modified": "2026-01-01T15:04:20.907000",
"created": "2025-12-02T15:25:29.158000",
"tags": [
"levelblue",
"open threat",
"dynamicloader",
"tlsv1",
"high",
"msie",
"windows nt",
"delete c",
"fwlink",
"stream",
"powershell",
"write",
"malware",
"local",
"united",
"flag",
"date",
"server",
"crazy egg",
"name server",
"gmt flag",
"domain address",
"markmonitor",
"enom",
"sugges",
"onv incude",
"data upload",
"find s",
"extraction",
"types",
"type",
"indicator",
"click",
"windir",
"openurl c",
"prefetch2",
"analysis",
"tor analysis",
"dns requests",
"contacted hosts",
"search",
"entries",
"read c",
"medium",
"memcommit",
"tls handshake",
"failure",
"module load",
"next",
"execution",
"dock",
"capture",
"persistence",
"copy",
"unknown",
"suricata alert",
"et info",
"bad traffic",
"learn",
"command",
"ck id",
"name tactics",
"suspicious",
"informative",
"adversaries",
"spawns",
"t1480 execution",
"file defense",
"write c",
"x02x82",
"xe6x15c6",
"x16f",
"xc0xc0xc0",
"revengerat",
"guard",
"service",
"encrypt",
"entries yara",
"delphi",
"win32",
"jordan",
"delete app"
],
"references": [
"https://otx.alienvault.com/indicator/domain/Tamlegal.com",
"DotNET_Reactor System.Security.Cryptography.AesCryptoServiceProvider System.Security.Cryptography System.Security.Cryptography ICryptoTransform Eziriz",
"endgames.com \u2022 endgames.us \u2022 endgamesystems.com \u2022 http://www.onyx-ware.com/lander",
"deploy-delete-app-us-east-2-1.deploy-delete-test-us-east-2-1mtsufd.us-east-2.gamma.forgeapps.ec2.aws.dev"
],
"public": 1,
"adversary": "",
"targeted_countries": [
"United States of America"
],
"malware_families": [
{
"id": "Win.Malware.Vmprotect-9880726-0",
"display_name": "Win.Malware.Vmprotect-9880726-0",
"target": null
},
{
"id": "Other Malware",
"display_name": "Other Malware",
"target": null
}
],
"attack_ids": [
{
"id": "T1053",
"name": "Scheduled Task/Job",
"display_name": "T1053 - Scheduled Task/Job"
},
{
"id": "T1055",
"name": "Process Injection",
"display_name": "T1055 - Process Injection"
},
{
"id": "T1056",
"name": "Input Capture",
"display_name": "T1056 - Input Capture"
},
{
"id": "T1071",
"name": "Application Layer Protocol",
"display_name": "T1071 - Application Layer Protocol"
},
{
"id": "T1082",
"name": "System Information Discovery",
"display_name": "T1082 - System Information Discovery"
},
{
"id": "T1112",
"name": "Modify Registry",
"display_name": "T1112 - Modify Registry"
},
{
"id": "T1119",
"name": "Automated Collection",
"display_name": "T1119 - Automated Collection"
},
{
"id": "T1129",
"name": "Shared Modules",
"display_name": "T1129 - Shared Modules"
},
{
"id": "T1143",
"name": "Hidden Window",
"display_name": "T1143 - Hidden Window"
},
{
"id": "T1134",
"name": "Access Token Manipulation",
"display_name": "T1134 - Access Token Manipulation"
},
{
"id": "T1027",
"name": "Obfuscated Files or Information",
"display_name": "T1027 - Obfuscated Files or Information"
},
{
"id": "T1057",
"name": "Process Discovery",
"display_name": "T1057 - Process Discovery"
},
{
"id": "T1069",
"name": "Permission Groups Discovery",
"display_name": "T1069 - Permission Groups Discovery"
},
{
"id": "T1105",
"name": "Ingress Tool Transfer",
"display_name": "T1105 - Ingress Tool Transfer"
},
{
"id": "T1480",
"name": "Execution Guardrails",
"display_name": "T1480 - Execution Guardrails"
},
{
"id": "T1147",
"name": "Hidden Users",
"display_name": "T1147 - Hidden Users"
}
],
"industries": [
"Technology",
"Legal"
],
"TLP": "white",
"cloned_from": null,
"export_count": 5,
"upvotes_count": 0,
"downvotes_count": 0,
"votes_count": 0,
"locked": false,
"pulse_source": "web",
"validator_count": 0,
"comment_count": 0,
"follower_count": 0,
"vote": 0,
"author": {
"username": "Q.Vashti",
"id": "337942",
"avatar_url": "https://otx.alienvault.com/assets/images/default-avatar.png",
"is_subscribed": false,
"is_following": false
},
"indicator_type_counts": {
"URL": 4624,
"FileHash-SHA256": 2021,
"FileHash-MD5": 51,
"FileHash-SHA1": 20,
"SSLCertFingerprint": 10,
"hostname": 1433,
"domain": 728
},
"indicator_count": 8887,
"is_author": false,
"is_subscribing": null,
"subscriber_count": 140,
"modified_text": "108 days ago ",
"is_modified": true,
"groups": [],
"in_group": false,
"threat_hunter_scannable": true,
"threat_hunter_has_agents": 1,
"related_indicator_type": "URL",
"related_indicator_is_active": 1
},
{
"id": "68eff833ed84ceaf611521d2",
"name": "Tucker Carlson | AutInject \u2022 Zbot \u2022 CoinMiner \u2022 Zombie \u2022 Qbot affects his YouTube Channel (9.14.2025) ",
"description": "",
"modified": "2025-10-15T19:38:27.739000",
"created": "2025-10-15T19:38:27.739000",
"tags": [
"resolved ips",
"parent pid",
"full path",
"command line",
"cname",
"ip address",
"port",
"involved direct",
"country name",
"nxdomain",
"tcp connections",
"udp connections",
"data",
"datacrashpad",
"edge",
"passive dns",
"origin trial",
"gmt cache",
"sameorigin",
"443 ma2592000",
"ipv4 add",
"files",
"title",
"date",
"found",
"gmt content",
"hostname",
"verdict",
"error",
"code",
"present aug",
"present sep",
"aaaa",
"search",
"domain",
"present apr",
"present jun",
"address google",
"safe browsing",
"present oct",
"match info",
"mitre att",
"control ta0011",
"protocol t1071",
"protocol t1095",
"match medium",
"icmp traffic",
"port t1571",
"info",
"c0002 wininet",
"flag",
"markmonitor",
"domain address",
"contacted hosts",
"process details",
"size",
"iend ihdridatx",
"qrmf",
"qkdi",
"qiyay",
"kjtn8",
"r0x3",
"ihdridatx",
"yg6qp",
"kkrz",
"t6 ex",
"click",
"windir",
"openurl c",
"prefetch2",
"data upload",
"extraction",
"failed",
"please",
"your browser",
"learn",
"opera mozilla",
"firefox google",
"chrome remind",
"privacy policy",
"safety",
"google llc",
"youtube",
"mozilla firefox",
"safari google",
"edge opera",
"browse youtube",
"file",
"indicator",
"pattern match",
"ascii text",
"ck id",
"ck matrix",
"href",
"general",
"local",
"path",
"name tactics",
"suspicious",
"informative",
"command",
"adversaries",
"spawns",
"t1590 gather",
"victim network",
"files domain",
"files related",
"related tags",
"registrar",
"files ip",
"asn as15169",
"address domain",
"ip whois",
"service address",
"po box",
"city hayes",
"country gb",
"dnssec",
"domain name",
"emails",
"script urls",
"a domains",
"texas flyover",
"script domains",
"script script",
"trojan",
"meta",
"window",
"msie",
"chrome",
"twitter",
"unknown aaaa",
"record value",
"content type",
"united states",
"dynamicloader",
"medium",
"write c",
"high",
"show",
"digicert",
"olet",
"encrypt",
"win64",
"responder",
"write",
"next",
"unknown",
"install",
"dummy",
"entries",
"displayname",
"windows",
"united",
"tofsee",
"copy",
"stream",
"malware",
"hostile",
"body",
"hostile client",
"apollo",
"jaik",
"code overlap",
"sri lanka",
"pintuck sri",
"lanka",
"unknown ns",
"moved",
"buy apparal",
"win32",
"trojandropper",
"virtool",
"susp",
"ipv4",
"pulse pulses",
"urls",
"reverse dns",
"location united",
"installer"
],
"references": [
"https://www.youtube.com/watch?v=5KmpT-BoVf4",
"https://www.youtube.com/supported_browsers?next_url=https%3A%2F%2Fwww.youtube.com%2Fwatch%3Fv%3D5KmpT-BoVf4",
"critical-failure-alert8768.70jf59844149.com-1kafl-hs0pt4m8f.trade",
"http://www.whatbrowser.com/intl/en/ \u2022 ghb.console.adtarget.com.tr.88.1.8b13f8ac.roksit.net",
"canary5.nycl.do.ubersmith.com \u2022 debian-test.nyc3.do.ubersmith.com",
"docs-old.ubersmith.com \u2022 edgevana.trial.ubersmith.com",
"ghb.unoadsrv.com.88.1.8b13f8ac.roksit.net",
"malware.sale \u2022 http://virii.es/U/Using%20Entropy%20Analysis%20to%20Find%20Encrypted%20and%20Packed%20Malware.pdf",
"IDS: Win32/Tofsee.AX google.com connectivity check Query to a *.top domain -",
"Likely Hostile Http Client Body contains pwd= in cleartext Cleartext WordPress Login",
"Yara Detections: RansomWin32Apollo \u2022 216.239.32.27"
],
"public": 1,
"adversary": "",
"targeted_countries": [
"United States of America"
],
"malware_families": [
{
"id": "Win.Malware.Jaik-9968280-0",
"display_name": "Win.Malware.Jaik-9968280-0",
"target": null
},
{
"id": "Malware + Code Overlap",
"display_name": "Malware + Code Overlap",
"target": null
},
{
"id": "Trojan:Win32/Qbot.R!MTB",
"display_name": "Trojan:Win32/Qbot.R!MTB",
"target": "/malware/Trojan:Win32/Qbot.R!MTB"
},
{
"id": "Trojandownloader:Win32/Upatre",
"display_name": "Trojandownloader:Win32/Upatre",
"target": "/malware/Trojandownloader:Win32/Upatre"
},
{
"id": "Trojan:BAT/Musecador",
"display_name": "Trojan:BAT/Musecador",
"target": "/malware/Trojan:BAT/Musecador"
},
{
"id": "Win32:Trojan",
"display_name": "Win32:Trojan",
"target": null
},
{
"id": "Bancos",
"display_name": "Bancos",
"target": null
},
{
"id": "Hematite",
"display_name": "Hematite",
"target": null
},
{
"id": "Trojanspy:Win32/Banker.LY",
"display_name": "Trojanspy:Win32/Banker.LY",
"target": "/malware/Trojanspy:Win32/Banker.LY"
},
{
"id": "Trojan:Win32/Vflooder!rfn",
"display_name": "Trojan:Win32/Vflooder!rfn",
"target": "/malware/Trojan:Win32/Vflooder!rfn"
},
{
"id": "Win32:MalwareX",
"display_name": "Win32:MalwareX",
"target": null
},
{
"id": "Malwarex",
"display_name": "Malwarex",
"target": null
},
{
"id": "Virtool:Win32/CeeInject.AKZ!bit",
"display_name": "Virtool:Win32/CeeInject.AKZ!bit",
"target": "/malware/Virtool:Win32/CeeInject.AKZ!bit"
},
{
"id": "Win32:Dropper",
"display_name": "Win32:Dropper",
"target": null
},
{
"id": "Ymacco",
"display_name": "Ymacco",
"target": null
},
{
"id": "Upatre",
"display_name": "Upatre",
"target": null
},
{
"id": "Trojandownloader:Win32/Upatre.A",
"display_name": "Trojandownloader:Win32/Upatre.A",
"target": "/malware/Trojandownloader:Win32/Upatre.A"
},
{
"id": "Win32:Evo",
"display_name": "Win32:Evo",
"target": null
},
{
"id": "Trojandropper:Win32/BcryptInject.B!MSR",
"display_name": "Trojandropper:Win32/BcryptInject.B!MSR",
"target": "/malware/Trojandropper:Win32/BcryptInject.B!MSR"
},
{
"id": "Win32:TrojanX-gen\\ [Trj]",
"display_name": "Win32:TrojanX-gen\\ [Trj]",
"target": null
},
{
"id": "Win32:Cleaman-K\\ [Trj]",
"display_name": "Win32:Cleaman-K\\ [Trj]",
"target": null
},
{
"id": "Asacky",
"display_name": "Asacky",
"target": null
},
{
"id": "Backdoor:Win32/Plugx.N!dha",
"display_name": "Backdoor:Win32/Plugx.N!dha",
"target": "/malware/Backdoor:Win32/Plugx.N!dha"
}
],
"attack_ids": [
{
"id": "T1071",
"name": "Application Layer Protocol",
"display_name": "T1071 - Application Layer Protocol"
},
{
"id": "T1095",
"name": "Non-Application Layer Protocol",
"display_name": "T1095 - Non-Application Layer Protocol"
},
{
"id": "T1571",
"name": "Non-Standard Port",
"display_name": "T1571 - Non-Standard Port"
},
{
"id": "T1573",
"name": "Encrypted Channel",
"display_name": "T1573 - Encrypted Channel"
},
{
"id": "T1027",
"name": "Obfuscated Files or Information",
"display_name": "T1027 - Obfuscated Files or Information"
},
{
"id": "T1057",
"name": "Process Discovery",
"display_name": "T1057 - Process Discovery"
},
{
"id": "T1105",
"name": "Ingress Tool Transfer",
"display_name": "T1105 - Ingress Tool Transfer"
},
{
"id": "T1480",
"name": "Execution Guardrails",
"display_name": "T1480 - Execution Guardrails"
},
{
"id": "T1553",
"name": "Subvert Trust Controls",
"display_name": "T1553 - Subvert Trust Controls"
},
{
"id": "T1568",
"name": "Dynamic Resolution",
"display_name": "T1568 - Dynamic Resolution"
},
{
"id": "T1583",
"name": "Acquire Infrastructure",
"display_name": "T1583 - Acquire Infrastructure"
},
{
"id": "T1590",
"name": "Gather Victim Network Information",
"display_name": "T1590 - Gather Victim Network Information"
},
{
"id": "T1045",
"name": "Software Packing",
"display_name": "T1045 - Software Packing"
},
{
"id": "T1055",
"name": "Process Injection",
"display_name": "T1055 - Process Injection"
},
{
"id": "T1060",
"name": "Registry Run Keys / Startup Folder",
"display_name": "T1060 - Registry Run Keys / Startup Folder"
},
{
"id": "T1210",
"name": "Exploitation of Remote Services",
"display_name": "T1210 - Exploitation of Remote Services"
},
{
"id": "T1449",
"name": "Exploit SS7 to Redirect Phone Calls/SMS",
"display_name": "T1449 - Exploit SS7 to Redirect Phone Calls/SMS"
}
],
"industries": [
"Media"
],
"TLP": "white",
"cloned_from": "68c73fbd85dfbb4d41006ad1",
"export_count": 4,
"upvotes_count": 0,
"downvotes_count": 0,
"votes_count": 0,
"locked": false,
"pulse_source": "web",
"validator_count": 0,
"comment_count": 0,
"follower_count": 0,
"vote": 0,
"author": {
"username": "Q.Vashti",
"id": "337942",
"avatar_url": "https://otx.alienvault.com/assets/images/default-avatar.png",
"is_subscribed": false,
"is_following": false
},
"indicator_type_counts": {
"URL": 4746,
"hostname": 1829,
"domain": 913,
"FileHash-MD5": 249,
"FileHash-SHA1": 213,
"FileHash-SHA256": 1765,
"email": 3,
"SSLCertFingerprint": 17
},
"indicator_count": 9735,
"is_author": false,
"is_subscribing": null,
"subscriber_count": 139,
"modified_text": "185 days ago ",
"is_modified": false,
"groups": [],
"in_group": false,
"threat_hunter_scannable": true,
"threat_hunter_has_agents": 1,
"related_indicator_type": "URL",
"related_indicator_is_active": 1
},
{
"id": "68c73fbd85dfbb4d41006ad1",
"name": "Tucker Carlson Sam Altman YouTube Interview \u2022 Qbot | Malware with. Code Overlap",
"description": "Maybe it\u2019s a network issue. The TV I viewed interview from is in Arabic the every time. It\u2019s not\nmy\ntelevision or network, didn\u2019t get link from a logged in YouTube. Not a subscriber.. I viewed using (cc) close captioning. It\u2019s the only program n YouTube using another language for this interview. The only reason I\u2019ve visited this interview several time\u2019s since it\u2019s aired is to check for the same results. Every time only this interview uses another language for (cc).\n\nThere are related pulses by a few different users, experiencing similar personal issues. I\u2019d assume I\u2019d always get these results. Unclear\n\n* At the end of interview Tucker Carlson states YouTube is trying to suppress or delete this one interview.",
"modified": "2025-10-14T22:26:18.109000",
"created": "2025-09-14T22:20:45.617000",
"tags": [
"resolved ips",
"parent pid",
"full path",
"command line",
"cname",
"ip address",
"port",
"involved direct",
"country name",
"nxdomain",
"tcp connections",
"udp connections",
"data",
"datacrashpad",
"edge",
"passive dns",
"origin trial",
"gmt cache",
"sameorigin",
"443 ma2592000",
"ipv4 add",
"files",
"title",
"date",
"found",
"gmt content",
"hostname",
"verdict",
"error",
"code",
"present aug",
"present sep",
"aaaa",
"search",
"domain",
"present apr",
"present jun",
"address google",
"safe browsing",
"present oct",
"match info",
"mitre att",
"control ta0011",
"protocol t1071",
"protocol t1095",
"match medium",
"icmp traffic",
"port t1571",
"info",
"c0002 wininet",
"flag",
"markmonitor",
"domain address",
"contacted hosts",
"process details",
"size",
"iend ihdridatx",
"qrmf",
"qkdi",
"qiyay",
"kjtn8",
"r0x3",
"ihdridatx",
"yg6qp",
"kkrz",
"t6 ex",
"click",
"windir",
"openurl c",
"prefetch2",
"data upload",
"extraction",
"failed",
"please",
"your browser",
"learn",
"opera mozilla",
"firefox google",
"chrome remind",
"privacy policy",
"safety",
"google llc",
"youtube",
"mozilla firefox",
"safari google",
"edge opera",
"browse youtube",
"file",
"indicator",
"pattern match",
"ascii text",
"ck id",
"ck matrix",
"href",
"general",
"local",
"path",
"name tactics",
"suspicious",
"informative",
"command",
"adversaries",
"spawns",
"t1590 gather",
"victim network",
"files domain",
"files related",
"related tags",
"registrar",
"files ip",
"asn as15169",
"address domain",
"ip whois",
"service address",
"po box",
"city hayes",
"country gb",
"dnssec",
"domain name",
"emails",
"script urls",
"a domains",
"texas flyover",
"script domains",
"script script",
"trojan",
"meta",
"window",
"msie",
"chrome",
"twitter",
"unknown aaaa",
"record value",
"content type",
"united states",
"dynamicloader",
"medium",
"write c",
"high",
"show",
"digicert",
"olet",
"encrypt",
"win64",
"responder",
"write",
"next",
"unknown",
"install",
"dummy",
"entries",
"displayname",
"windows",
"united",
"tofsee",
"copy",
"stream",
"malware",
"hostile",
"body",
"hostile client",
"apollo",
"jaik",
"code overlap",
"sri lanka",
"pintuck sri",
"lanka",
"unknown ns",
"moved",
"buy apparal",
"win32",
"trojandropper",
"virtool",
"susp",
"ipv4",
"pulse pulses",
"urls",
"reverse dns",
"location united",
"installer"
],
"references": [
"https://www.youtube.com/watch?v=5KmpT-BoVf4",
"https://www.youtube.com/supported_browsers?next_url=https%3A%2F%2Fwww.youtube.com%2Fwatch%3Fv%3D5KmpT-BoVf4",
"critical-failure-alert8768.70jf59844149.com-1kafl-hs0pt4m8f.trade",
"http://www.whatbrowser.com/intl/en/ \u2022 ghb.console.adtarget.com.tr.88.1.8b13f8ac.roksit.net",
"canary5.nycl.do.ubersmith.com \u2022 debian-test.nyc3.do.ubersmith.com",
"docs-old.ubersmith.com \u2022 edgevana.trial.ubersmith.com",
"ghb.unoadsrv.com.88.1.8b13f8ac.roksit.net",
"malware.sale \u2022 http://virii.es/U/Using%20Entropy%20Analysis%20to%20Find%20Encrypted%20and%20Packed%20Malware.pdf",
"IDS: Win32/Tofsee.AX google.com connectivity check Query to a *.top domain -",
"Likely Hostile Http Client Body contains pwd= in cleartext Cleartext WordPress Login",
"Yara Detections: RansomWin32Apollo \u2022 216.239.32.27"
],
"public": 1,
"adversary": "",
"targeted_countries": [
"United States of America"
],
"malware_families": [
{
"id": "Win.Malware.Jaik-9968280-0",
"display_name": "Win.Malware.Jaik-9968280-0",
"target": null
},
{
"id": "Malware + Code Overlap",
"display_name": "Malware + Code Overlap",
"target": null
},
{
"id": "Trojan:Win32/Qbot.R!MTB",
"display_name": "Trojan:Win32/Qbot.R!MTB",
"target": "/malware/Trojan:Win32/Qbot.R!MTB"
},
{
"id": "Trojandownloader:Win32/Upatre",
"display_name": "Trojandownloader:Win32/Upatre",
"target": "/malware/Trojandownloader:Win32/Upatre"
},
{
"id": "Trojan:BAT/Musecador",
"display_name": "Trojan:BAT/Musecador",
"target": "/malware/Trojan:BAT/Musecador"
},
{
"id": "Win32:Trojan",
"display_name": "Win32:Trojan",
"target": null
},
{
"id": "Bancos",
"display_name": "Bancos",
"target": null
},
{
"id": "Hematite",
"display_name": "Hematite",
"target": null
},
{
"id": "Trojanspy:Win32/Banker.LY",
"display_name": "Trojanspy:Win32/Banker.LY",
"target": "/malware/Trojanspy:Win32/Banker.LY"
},
{
"id": "Trojan:Win32/Vflooder!rfn",
"display_name": "Trojan:Win32/Vflooder!rfn",
"target": "/malware/Trojan:Win32/Vflooder!rfn"
},
{
"id": "Win32:MalwareX",
"display_name": "Win32:MalwareX",
"target": null
},
{
"id": "Malwarex",
"display_name": "Malwarex",
"target": null
},
{
"id": "Virtool:Win32/CeeInject.AKZ!bit",
"display_name": "Virtool:Win32/CeeInject.AKZ!bit",
"target": "/malware/Virtool:Win32/CeeInject.AKZ!bit"
},
{
"id": "Win32:Dropper",
"display_name": "Win32:Dropper",
"target": null
},
{
"id": "Ymacco",
"display_name": "Ymacco",
"target": null
},
{
"id": "Upatre",
"display_name": "Upatre",
"target": null
},
{
"id": "Trojandownloader:Win32/Upatre.A",
"display_name": "Trojandownloader:Win32/Upatre.A",
"target": "/malware/Trojandownloader:Win32/Upatre.A"
},
{
"id": "Win32:Evo",
"display_name": "Win32:Evo",
"target": null
},
{
"id": "Trojandropper:Win32/BcryptInject.B!MSR",
"display_name": "Trojandropper:Win32/BcryptInject.B!MSR",
"target": "/malware/Trojandropper:Win32/BcryptInject.B!MSR"
},
{
"id": "Win32:TrojanX-gen\\ [Trj]",
"display_name": "Win32:TrojanX-gen\\ [Trj]",
"target": null
},
{
"id": "Win32:Cleaman-K\\ [Trj]",
"display_name": "Win32:Cleaman-K\\ [Trj]",
"target": null
},
{
"id": "Asacky",
"display_name": "Asacky",
"target": null
},
{
"id": "Backdoor:Win32/Plugx.N!dha",
"display_name": "Backdoor:Win32/Plugx.N!dha",
"target": "/malware/Backdoor:Win32/Plugx.N!dha"
}
],
"attack_ids": [
{
"id": "T1071",
"name": "Application Layer Protocol",
"display_name": "T1071 - Application Layer Protocol"
},
{
"id": "T1095",
"name": "Non-Application Layer Protocol",
"display_name": "T1095 - Non-Application Layer Protocol"
},
{
"id": "T1571",
"name": "Non-Standard Port",
"display_name": "T1571 - Non-Standard Port"
},
{
"id": "T1573",
"name": "Encrypted Channel",
"display_name": "T1573 - Encrypted Channel"
},
{
"id": "T1027",
"name": "Obfuscated Files or Information",
"display_name": "T1027 - Obfuscated Files or Information"
},
{
"id": "T1057",
"name": "Process Discovery",
"display_name": "T1057 - Process Discovery"
},
{
"id": "T1105",
"name": "Ingress Tool Transfer",
"display_name": "T1105 - Ingress Tool Transfer"
},
{
"id": "T1480",
"name": "Execution Guardrails",
"display_name": "T1480 - Execution Guardrails"
},
{
"id": "T1553",
"name": "Subvert Trust Controls",
"display_name": "T1553 - Subvert Trust Controls"
},
{
"id": "T1568",
"name": "Dynamic Resolution",
"display_name": "T1568 - Dynamic Resolution"
},
{
"id": "T1583",
"name": "Acquire Infrastructure",
"display_name": "T1583 - Acquire Infrastructure"
},
{
"id": "T1590",
"name": "Gather Victim Network Information",
"display_name": "T1590 - Gather Victim Network Information"
},
{
"id": "T1045",
"name": "Software Packing",
"display_name": "T1045 - Software Packing"
},
{
"id": "T1055",
"name": "Process Injection",
"display_name": "T1055 - Process Injection"
},
{
"id": "T1060",
"name": "Registry Run Keys / Startup Folder",
"display_name": "T1060 - Registry Run Keys / Startup Folder"
},
{
"id": "T1210",
"name": "Exploitation of Remote Services",
"display_name": "T1210 - Exploitation of Remote Services"
},
{
"id": "T1449",
"name": "Exploit SS7 to Redirect Phone Calls/SMS",
"display_name": "T1449 - Exploit SS7 to Redirect Phone Calls/SMS"
}
],
"industries": [
"Media"
],
"TLP": "white",
"cloned_from": null,
"export_count": 8,
"upvotes_count": 0,
"downvotes_count": 0,
"votes_count": 0,
"locked": false,
"pulse_source": "web",
"validator_count": 0,
"comment_count": 0,
"follower_count": 0,
"vote": 0,
"author": {
"username": "Q.Vashti",
"id": "337942",
"avatar_url": "https://otx.alienvault.com/assets/images/default-avatar.png",
"is_subscribed": false,
"is_following": false
},
"indicator_type_counts": {
"URL": 4746,
"hostname": 1829,
"domain": 913,
"FileHash-MD5": 249,
"FileHash-SHA1": 213,
"FileHash-SHA256": 1765,
"email": 3,
"SSLCertFingerprint": 17
},
"indicator_count": 9735,
"is_author": false,
"is_subscribing": null,
"subscriber_count": 140,
"modified_text": "186 days ago ",
"is_modified": true,
"groups": [],
"in_group": false,
"threat_hunter_scannable": true,
"threat_hunter_has_agents": 1,
"related_indicator_type": "URL",
"related_indicator_is_active": 1
},
{
"id": "65e576d419524d75af35a36e",
"name": "FormBook",
"description": "FormBook is an infostealer malware (malicious spyware). malicious code uses various hooks to gain access to keystrokes, screenshots, and other functions. The malware can also receive commands from its operator to steal information from browsers or download and execute other malware. As a MaaS offering, FormBook malware may be deployed by various threat actors. It's currently being use by a ,legal teams masquerading as government (might be \nlegitimate attorneys) law firm modifying and deleting front facing threats on various platforms. One firm has very poor reviews Corrupt. Others initiate malicious prosecution law suits. Social; engineering , intertwining malicious behavior.in every aspect of targets life from business banking, ancestry to aggressive match making attempts.",
"modified": "2024-04-03T05:03:03.527000",
"created": "2024-03-04T07:23:00.177000",
"tags": [
"resolutions",
"referrer",
"siblings",
"asn owner",
"historical ssl",
"contacted",
"high level",
"hackers",
"formbook",
"name verdict",
"falcon sandbox",
"report",
"united",
"registrar",
"creation date",
"search",
"emails",
"name",
"name servers",
"showing",
"unknown",
"scan endpoints",
"date",
"next",
"root ca",
"pattern match",
"authority",
"beginstring",
"class",
"mitre att",
"global root",
"ck id",
"show technique",
"ck matrix",
"null",
"accept",
"refresh",
"span",
"error",
"tools",
"body",
"look",
"verify",
"restart",
"hybrid",
"local",
"click",
"strings",
"files files",
"ssl certificate",
"tsara brashears",
"highly targeted",
"ransomware",
"dark power",
"play ransomware",
"malware",
"core",
"installer",
"awful",
"snatch",
"metro",
"service",
"critical",
"copy",
"execution",
"location united",
"asn as15169",
"less whois",
"as15169 google",
"status",
"entries",
"record value",
"servers",
"trojan",
"win32",
"aaaa",
"worm",
"passive dns",
"gmt cache",
"sameorigin",
"all scoreblue",
"ipv4",
"lowfi",
"domain related",
"urls",
"domain",
"nxdomain",
"hostname",
"users",
"yara detections",
"alerts",
"high",
"filehash",
"pulse pulses",
"av detections",
"ids detections",
"musicmaid",
"reader",
"office standard",
"high process",
"injection t1055",
"t1055",
"x00x00",
"icmp traffic",
"injection",
"hijacker",
"password",
"stealer",
"corruption",
"targeting",
"172.31.13.249"
],
"references": [
"gstatic.com",
"Unsupported/Fake Windows NT Version 5.0",
"Login privileges",
"172.31.13.249"
],
"public": 1,
"adversary": "",
"targeted_countries": [
"United States of America"
],
"malware_families": [
{
"id": "FormBook",
"display_name": "FormBook",
"target": null
},
{
"id": "Worm:Win32/Mofksys.RND!MTB",
"display_name": "Worm:Win32/Mofksys.RND!MTB",
"target": "/malware/Worm:Win32/Mofksys.RND!MTB"
},
{
"id": "Trojan:Win32/Dorv.B!rfn",
"display_name": "Trojan:Win32/Dorv.B!rfn",
"target": "/malware/Trojan:Win32/Dorv.B!rfn"
},
{
"id": "Trojan:Win32/Zombie.A",
"display_name": "Trojan:Win32/Zombie.A",
"target": "/malware/Trojan:Win32/Zombie.A"
},
{
"id": "Trojan:Win32/QQpass",
"display_name": "Trojan:Win32/QQpass",
"target": "/malware/Trojan:Win32/QQpass"
},
{
"id": "Trojan:Win32/Antavmu.D",
"display_name": "Trojan:Win32/Antavmu.D",
"target": "/malware/Trojan:Win32/Antavmu.D"
},
{
"id": "PWS:MSIL/Dcstl.GD!MTB",
"display_name": "PWS:MSIL/Dcstl.GD!MTB",
"target": "/malware/PWS:MSIL/Dcstl.GD!MTB"
},
{
"id": "#Lowfi:HSTR:MSIL/PossibleDownloader.S01",
"display_name": "#Lowfi:HSTR:MSIL/PossibleDownloader.S01",
"target": null
},
{
"id": "Win32:MalwareX-gen\\ [Trj]",
"display_name": "Win32:MalwareX-gen\\ [Trj]",
"target": null
}
],
"attack_ids": [
{
"id": "T1059",
"name": "Command and Scripting Interpreter",
"display_name": "T1059 - Command and Scripting Interpreter"
},
{
"id": "T1071",
"name": "Application Layer Protocol",
"display_name": "T1071 - Application Layer Protocol"
},
{
"id": "T1100",
"name": "Web Shell",
"display_name": "T1100 - Web Shell"
},
{
"id": "T1105",
"name": "Ingress Tool Transfer",
"display_name": "T1105 - Ingress Tool Transfer"
},
{
"id": "T1114",
"name": "Email Collection",
"display_name": "T1114 - Email Collection"
},
{
"id": "T1560",
"name": "Archive Collected Data",
"display_name": "T1560 - Archive Collected Data"
},
{
"id": "T1055",
"name": "Process Injection",
"display_name": "T1055 - Process Injection"
},
{
"id": "T1027",
"name": "Obfuscated Files or Information",
"display_name": "T1027 - Obfuscated Files or Information"
},
{
"id": "T1053",
"name": "Scheduled Task/Job",
"display_name": "T1053 - Scheduled Task/Job"
},
{
"id": "T1057",
"name": "Process Discovery",
"display_name": "T1057 - Process Discovery"
},
{
"id": "T1060",
"name": "Registry Run Keys / Startup Folder",
"display_name": "T1060 - Registry Run Keys / Startup Folder"
},
{
"id": "T1083",
"name": "File and Directory Discovery",
"display_name": "T1083 - File and Directory Discovery"
},
{
"id": "T1110.002",
"name": "Password Cracking",
"display_name": "T1110.002 - Password Cracking"
},
{
"id": "T1566",
"name": "Phishing",
"display_name": "T1566 - Phishing"
},
{
"id": "TA0011",
"name": "Command and Control",
"display_name": "TA0011 - Command and Control"
},
{
"id": "T1068",
"name": "Exploitation for Privilege Escalation",
"display_name": "T1068 - Exploitation for Privilege Escalation"
},
{
"id": "T1070.004",
"name": "File Deletion",
"display_name": "T1070.004 - File Deletion"
},
{
"id": "T1107",
"name": "File Deletion",
"display_name": "T1107 - File Deletion"
},
{
"id": "T1447",
"name": "Delete Device Data",
"display_name": "T1447 - Delete Device Data"
},
{
"id": "T1114.002",
"name": "Remote Email Collection",
"display_name": "T1114.002 - Remote Email Collection"
},
{
"id": "T1002",
"name": "Data Compressed",
"display_name": "T1002 - Data Compressed"
}
],
"industries": [],
"TLP": "white",
"cloned_from": null,
"export_count": 45,
"upvotes_count": 0,
"downvotes_count": 0,
"votes_count": 0,
"locked": false,
"pulse_source": "web",
"validator_count": 0,
"comment_count": 0,
"follower_count": 0,
"vote": 0,
"author": {
"username": "scoreblue",
"id": "254100",
"avatar_url": "/otxapi/users/avatar_image/media/avatars/user_254100/resized/80/avatar_3b9c358f36.png",
"is_subscribed": false,
"is_following": false
},
"indicator_type_counts": {
"URL": 3117,
"FileHash-MD5": 280,
"FileHash-SHA1": 286,
"FileHash-SHA256": 3773,
"domain": 1264,
"hostname": 1595,
"email": 6,
"CVE": 5
},
"indicator_count": 10326,
"is_author": false,
"is_subscribing": null,
"subscriber_count": 229,
"modified_text": "746 days ago ",
"is_modified": true,
"groups": [],
"in_group": false,
"threat_hunter_scannable": true,
"threat_hunter_has_agents": 1,
"related_indicator_type": "URL",
"related_indicator_is_active": 1
},
{
"id": "65e57f32581a900dfb272d05",
"name": "FormBook | 172.31.13.249",
"description": "",
"modified": "2024-04-03T05:03:03.527000",
"created": "2024-03-04T07:58:42.074000",
"tags": [
"resolutions",
"referrer",
"siblings",
"asn owner",
"historical ssl",
"contacted",
"high level",
"hackers",
"formbook",
"name verdict",
"falcon sandbox",
"report",
"united",
"registrar",
"creation date",
"search",
"emails",
"name",
"name servers",
"showing",
"unknown",
"scan endpoints",
"date",
"next",
"root ca",
"pattern match",
"authority",
"beginstring",
"class",
"mitre att",
"global root",
"ck id",
"show technique",
"ck matrix",
"null",
"accept",
"refresh",
"span",
"error",
"tools",
"body",
"look",
"verify",
"restart",
"hybrid",
"local",
"click",
"strings",
"files files",
"ssl certificate",
"tsara brashears",
"highly targeted",
"ransomware",
"dark power",
"play ransomware",
"malware",
"core",
"installer",
"awful",
"snatch",
"metro",
"service",
"critical",
"copy",
"execution",
"location united",
"asn as15169",
"less whois",
"as15169 google",
"status",
"entries",
"record value",
"servers",
"trojan",
"win32",
"aaaa",
"worm",
"passive dns",
"gmt cache",
"sameorigin",
"all scoreblue",
"ipv4",
"lowfi",
"domain related",
"urls",
"domain",
"nxdomain",
"hostname",
"users",
"yara detections",
"alerts",
"high",
"filehash",
"pulse pulses",
"av detections",
"ids detections",
"musicmaid",
"reader",
"office standard",
"high process",
"injection t1055",
"t1055",
"x00x00",
"icmp traffic",
"injection",
"hijacker",
"password",
"stealer",
"corruption",
"targeting",
"172.31.13.249"
],
"references": [
"gstatic.com",
"Unsupported/Fake Windows NT Version 5.0",
"Login privileges",
"172.31.13.249"
],
"public": 1,
"adversary": "",
"targeted_countries": [
"United States of America"
],
"malware_families": [
{
"id": "FormBook",
"display_name": "FormBook",
"target": null
},
{
"id": "Worm:Win32/Mofksys.RND!MTB",
"display_name": "Worm:Win32/Mofksys.RND!MTB",
"target": "/malware/Worm:Win32/Mofksys.RND!MTB"
},
{
"id": "Trojan:Win32/Dorv.B!rfn",
"display_name": "Trojan:Win32/Dorv.B!rfn",
"target": "/malware/Trojan:Win32/Dorv.B!rfn"
},
{
"id": "Trojan:Win32/Zombie.A",
"display_name": "Trojan:Win32/Zombie.A",
"target": "/malware/Trojan:Win32/Zombie.A"
},
{
"id": "Trojan:Win32/QQpass",
"display_name": "Trojan:Win32/QQpass",
"target": "/malware/Trojan:Win32/QQpass"
},
{
"id": "Trojan:Win32/Antavmu.D",
"display_name": "Trojan:Win32/Antavmu.D",
"target": "/malware/Trojan:Win32/Antavmu.D"
},
{
"id": "PWS:MSIL/Dcstl.GD!MTB",
"display_name": "PWS:MSIL/Dcstl.GD!MTB",
"target": "/malware/PWS:MSIL/Dcstl.GD!MTB"
},
{
"id": "#Lowfi:HSTR:MSIL/PossibleDownloader.S01",
"display_name": "#Lowfi:HSTR:MSIL/PossibleDownloader.S01",
"target": null
},
{
"id": "Win32:MalwareX-gen\\ [Trj]",
"display_name": "Win32:MalwareX-gen\\ [Trj]",
"target": null
}
],
"attack_ids": [
{
"id": "T1059",
"name": "Command and Scripting Interpreter",
"display_name": "T1059 - Command and Scripting Interpreter"
},
{
"id": "T1071",
"name": "Application Layer Protocol",
"display_name": "T1071 - Application Layer Protocol"
},
{
"id": "T1100",
"name": "Web Shell",
"display_name": "T1100 - Web Shell"
},
{
"id": "T1105",
"name": "Ingress Tool Transfer",
"display_name": "T1105 - Ingress Tool Transfer"
},
{
"id": "T1114",
"name": "Email Collection",
"display_name": "T1114 - Email Collection"
},
{
"id": "T1560",
"name": "Archive Collected Data",
"display_name": "T1560 - Archive Collected Data"
},
{
"id": "T1055",
"name": "Process Injection",
"display_name": "T1055 - Process Injection"
},
{
"id": "T1027",
"name": "Obfuscated Files or Information",
"display_name": "T1027 - Obfuscated Files or Information"
},
{
"id": "T1053",
"name": "Scheduled Task/Job",
"display_name": "T1053 - Scheduled Task/Job"
},
{
"id": "T1057",
"name": "Process Discovery",
"display_name": "T1057 - Process Discovery"
},
{
"id": "T1060",
"name": "Registry Run Keys / Startup Folder",
"display_name": "T1060 - Registry Run Keys / Startup Folder"
},
{
"id": "T1083",
"name": "File and Directory Discovery",
"display_name": "T1083 - File and Directory Discovery"
},
{
"id": "T1110.002",
"name": "Password Cracking",
"display_name": "T1110.002 - Password Cracking"
},
{
"id": "T1566",
"name": "Phishing",
"display_name": "T1566 - Phishing"
},
{
"id": "TA0011",
"name": "Command and Control",
"display_name": "TA0011 - Command and Control"
},
{
"id": "T1068",
"name": "Exploitation for Privilege Escalation",
"display_name": "T1068 - Exploitation for Privilege Escalation"
},
{
"id": "T1070.004",
"name": "File Deletion",
"display_name": "T1070.004 - File Deletion"
},
{
"id": "T1107",
"name": "File Deletion",
"display_name": "T1107 - File Deletion"
},
{
"id": "T1447",
"name": "Delete Device Data",
"display_name": "T1447 - Delete Device Data"
},
{
"id": "T1114.002",
"name": "Remote Email Collection",
"display_name": "T1114.002 - Remote Email Collection"
},
{
"id": "T1002",
"name": "Data Compressed",
"display_name": "T1002 - Data Compressed"
}
],
"industries": [],
"TLP": "white",
"cloned_from": "65e576d419524d75af35a36e",
"export_count": 45,
"upvotes_count": 0,
"downvotes_count": 0,
"votes_count": 0,
"locked": false,
"pulse_source": "web",
"validator_count": 0,
"comment_count": 0,
"follower_count": 0,
"vote": 0,
"author": {
"username": "OctoSeek",
"id": "243548",
"avatar_url": "/otxapi/users/avatar_image/media/avatars/user_243548/resized/80/avatar_3b9c358f36.png",
"is_subscribed": false,
"is_following": false
},
"indicator_type_counts": {
"URL": 3117,
"FileHash-MD5": 280,
"FileHash-SHA1": 286,
"FileHash-SHA256": 3773,
"domain": 1264,
"hostname": 1595,
"email": 6,
"CVE": 5
},
"indicator_count": 10326,
"is_author": false,
"is_subscribing": null,
"subscriber_count": 223,
"modified_text": "746 days ago ",
"is_modified": true,
"groups": [],
"in_group": false,
"threat_hunter_scannable": true,
"threat_hunter_has_agents": 1,
"related_indicator_type": "URL",
"related_indicator_is_active": 1
}
],
"references": [
"ftp.iamrobert.com ? \u2022 https://www.meritshealth.com/templates/iamrobert/fonts/Graphik-Regular.eot",
"https://webcams.itsyourporn.com/ \u2022 https://members.itsyourporn.com/",
"https://es.pornhat.com/models/the-sex-creator/",
"iamrobert.com Y.A.S.",
"https://media.defense.gov/2022/Mar/17/2002958406/-1/-1/1/SUMMARY-OF-THE-JOINT-ALL-DOMAIN-COMMAND-AND-CONTROL-STRATEGY.pdf",
"There\u2019s a problem with terrorizing victims, relatives of, associates of and stealing their property intellectual or otherwise",
"zeroeyes.host \u2022 media.defense.gov \u2022 defense.gov \u2022 23.222.155.67",
"Remarks online \u2018 T\u2019*#^^ is not a runner\u2019 a size 00 broke two track records at a major universities.",
"malware.sale \u2022 http://virii.es/U/Using%20Entropy%20Analysis%20to%20Find%20Encrypted%20and%20Packed%20Malware.pdf",
"Login privileges",
"gstatic.com",
"I am very upset. Whoever is doing this is sick.",
"DotNET_Reactor System.Security.Cryptography.AesCryptoServiceProvider System.Security.Cryptography System.Security.Cryptography ICryptoTransform Eziriz",
"https://media.defense.gov/2024/sep/18/2003547016/-1/-1/0/csa-prc-linked-actors-botnet.pdf",
"http://www.whatbrowser.com/intl/en/ \u2022 ghb.console.adtarget.com.tr.88.1.8b13f8ac.roksit.net",
"ghb.unoadsrv.com.88.1.8b13f8ac.roksit.net",
"https://otx.alienvault.com/indicator/domain/Tamlegal.com",
"https://members.engine.com/login \u2022 https://members.engine.com/payment-details/220210",
"Target left unattended by anyone in a hospital except a security guard. Hospital refused care. Ignored rare brain incident from high cervical & brain assault injuries aggravated by car accident.",
"https://d1rozh26tys225.cloudfront.net/robot-suspicion.svg (mobility company no one has heard of)",
"Likely Hostile Http Client Body contains pwd= in cleartext Cleartext WordPress Login",
"Yara Detections: RansomWin32Apollo \u2022 216.239.32.27",
"https://pics-storage-1.pornhat.com/contents/albums/main/1920x1080/135000/135855/9537375.jp",
"https://www.meritshealth.com/ Defense.Gov Mobility Co? ",
"Can the DoD no questions asked target a SA victim",
"Red Team Abuse? Starfield ? DoD? You need a real criminal Jeffrey Reimer.",
"Target agreed and complied with all lie detector measures.",
"If someone is believed to be a threat they have right to due process.",
"https://www.youtube.com/supported_browsers?next_url=https%3A%2F%2Fwww.youtube.com%2Fwatch%3Fv%3D5KmpT-BoVf4",
"critical-failure-alert8768.70jf59844149.com-1kafl-hs0pt4m8f.trade",
"No, they put Tsara in her mom\u2019s obituary, she couldn\u2019t grieve, she had to take it down.",
"https://meumundogay-com.sexogratis.page/locker",
"https://www.youtube.com/watch?v=5KmpT-BoVf4",
"She was a researcher not a hacker. A mother not a criminal. Most talented and least impressed person I have ever known.",
"https://maisexo-com.putaria.info/casting \u2022 https://contosadultos-club.sexogratis.page/tudo",
"https://pornokind.vgt.pl \u2022 https://cdn2.video.itsyourporn.com",
"https://static.pornhat.com/contents/videos_screenshots/642000/642793/640x360/1.jpg",
"docs-old.ubersmith.com \u2022 edgevana.trial.ubersmith.com",
"172.31.13.249",
"Dear US Government, the man who assaulted targets name is Jeffrey Scott Reimer of Chester Springs, PA",
"Is the family allowed to have a funeral for Tsara or print an obituary",
"IDS: Win32/Tofsee.AX google.com connectivity check Query to a *.top domain -",
"Unsupported/Fake Windows NT Version 5.0",
"canary5.nycl.do.ubersmith.com \u2022 debian-test.nyc3.do.ubersmith.com",
"Honestly, you\u2019ve never seen or met her no many how many people you\u2019ve sent out. That\u2019s why you quiz.",
"socialmedia \u2022 socialmedia.defense.gov \u2022 static.defense.gov",
"endgames.com \u2022 endgames.us \u2022 endgamesystems.com \u2022 http://www.onyx-ware.com/lander",
"https://rto.bappam.eu/ai-n2cdl/mirai-2025-ven5k-telugu-movie-watch-online.html",
"deploy-delete-app-us-east-2-1.deploy-delete-test-us-east-2-1mtsufd.us-east-2.gamma.forgeapps.ec2.aws.dev",
"https://media.defense.gov/2020/jun/09/2002313081/-1/-1/0/csi-detect-and-prevent-web-shell-malware-20200422.pdf",
"https://www2.itsyourporn.com/license.php \u2022 https://www.lovephoto.tw/members",
"1.2016 M.Brian Sabey filed a complaint about? Jeffrey Reimer refused Lie detector test and False memory exam",
"Xpirat = doomscroller.io",
"https://www-pornocarioca-com.sexogratis.page/videos/bbb/ex",
"3-4 Police presence. 25 + hospital employees prepped radiology room. No one left room so was it for her?",
"There is fear in silence or speaking out",
"Infectious Disease UC Health denied target medication they said she needed as questionable liquid seeped into her brain."
],
"related": {
"alienvault": {
"adversary": [],
"malware_families": [],
"industries": [],
"unique_indicators": 0
},
"other": {
"adversary": [],
"malware_families": [
"Trojandownloader:win32/upatre.a",
"Trojanspy:win32/banker.ly",
"Win.malware.vmprotect-9880726-0",
"Upatre",
"Asacky",
"Win32:cleaman-k\\ [trj]",
"Win32:evo",
"Malwarex",
"Expiro",
"Formbook",
"Backdoor:win32/plugx.n!dha",
"Win32:dropper",
"Trojan:win32/antavmu.d",
"Win32:trojanx-gen\\ [trj]",
"Other malware",
"Win32:trojan",
"Trojan:win32/vflooder!rfn",
"Malware",
"Win32:malwarex-gen\\ [trj]",
"Trojandownloader:win32/upatre",
"Pws:msil/dcstl.gd!mtb",
"Ymacco",
"Xpirat",
"Hematite",
"Trojan:win32/qbot.r!mtb",
"Bancos",
"Trojan:win32/dorv.b!rfn",
"Malware + code overlap",
"Win32:malwarex",
"Trojandropper:win32/bcryptinject.b!msr",
"Virtool:win32/ceeinject.akz!bit",
"Trojan:bat/musecador",
"Win.malware.jaik-9968280-0",
"Trojan:win32/zombie.a",
"Worm:win32/mofksys.rnd!mtb",
"#lowfi:hstr:msil/possibledownloader.s01",
"Apnic",
"Trojan:win32/qqpass"
],
"industries": [
"Technology",
"Legal",
"Media"
],
"unique_indicators": 56713
}
}
},
"false_positive": [],
"alexa": "http://www.alexa.com/siteinfo/youtube.sg",
"whois": "http://whois.domaintools.com/youtube.sg",
"domain": "youtube.sg",
"hostname": "www.youtube.sg"
},
"geo": {},
"geo_ipapicom": {},
"pulse_count": 8,
"pulses": [
{
"id": "6946fdbb4a22dc28d60d6ca2",
"name": "Expiro - DoomScroller \u2022 BrowseHappy | Part 2",
"description": "Pulse: \u00c2\u00a31.1bn.io.com, a search engine for the most popular websites on the planet, is now available on Facebook, Twitter, Instagram and YouTube.",
"modified": "2026-01-19T19:04:41.997000",
"created": "2025-12-20T19:49:15.713000",
"tags": [
"doomscroller",
"browsehappy",
"xpirat",
"msie",
"windows nt",
"wow64",
"slcc2",
"media center",
"read c",
"united",
"tlsv1",
"execution",
"dock",
"write",
"persistence",
"encrypt",
"meta",
"browse happy",
"worry",
"body doctype",
"online",
"gmt server",
"a domains",
"ipv4 add",
"win32",
"trojandropper",
"title",
"date",
"unknown",
"post http",
"cryptexportkey",
"cryptgenkey",
"calgrc4",
"expiro",
"temple",
"xserver",
"adversaries",
"worry wordpress"
],
"references": [
"Xpirat = doomscroller.io"
],
"public": 1,
"adversary": "",
"targeted_countries": [],
"malware_families": [
{
"id": "Xpirat",
"display_name": "Xpirat",
"target": null
},
{
"id": "Expiro",
"display_name": "Expiro",
"target": null
}
],
"attack_ids": [
{
"id": "T1053",
"name": "Scheduled Task/Job",
"display_name": "T1053 - Scheduled Task/Job"
},
{
"id": "T1055",
"name": "Process Injection",
"display_name": "T1055 - Process Injection"
},
{
"id": "T1082",
"name": "System Information Discovery",
"display_name": "T1082 - System Information Discovery"
},
{
"id": "T1112",
"name": "Modify Registry",
"display_name": "T1112 - Modify Registry"
},
{
"id": "T1119",
"name": "Automated Collection",
"display_name": "T1119 - Automated Collection"
},
{
"id": "T1129",
"name": "Shared Modules",
"display_name": "T1129 - Shared Modules"
},
{
"id": "T1143",
"name": "Hidden Window",
"display_name": "T1143 - Hidden Window"
},
{
"id": "T1045",
"name": "Software Packing",
"display_name": "T1045 - Software Packing"
},
{
"id": "T1057",
"name": "Process Discovery",
"display_name": "T1057 - Process Discovery"
},
{
"id": "T1060",
"name": "Registry Run Keys / Startup Folder",
"display_name": "T1060 - Registry Run Keys / Startup Folder"
},
{
"id": "T1457",
"name": "Malicious Media Content",
"display_name": "T1457 - Malicious Media Content"
},
{
"id": "T1036.004",
"name": "Masquerade Task or Service",
"display_name": "T1036.004 - Masquerade Task or Service"
},
{
"id": "T1176",
"name": "Browser Extensions",
"display_name": "T1176 - Browser Extensions"
},
{
"id": "T1011",
"name": "Exfiltration Over Other Network Medium",
"display_name": "T1011 - Exfiltration Over Other Network Medium"
},
{
"id": "T1210",
"name": "Exploitation of Remote Services",
"display_name": "T1210 - Exploitation of Remote Services"
},
{
"id": "TA0003",
"name": "Persistence",
"display_name": "TA0003 - Persistence"
},
{
"id": "TA0037",
"name": "Command and Control",
"display_name": "TA0037 - Command and Control"
},
{
"id": "T1595",
"name": "Active Scanning",
"display_name": "T1595 - Active Scanning"
},
{
"id": "T1423",
"name": "Network Service Scanning",
"display_name": "T1423 - Network Service Scanning"
}
],
"industries": [],
"TLP": "white",
"cloned_from": null,
"export_count": 1,
"upvotes_count": 0,
"downvotes_count": 0,
"votes_count": 0,
"locked": false,
"pulse_source": "web",
"validator_count": 0,
"comment_count": 0,
"follower_count": 0,
"vote": 0,
"author": {
"username": "Q.Vashti",
"id": "337942",
"avatar_url": "https://otx.alienvault.com/assets/images/default-avatar.png",
"is_subscribed": false,
"is_following": false
},
"indicator_type_counts": {
"URL": 5576,
"domain": 1502,
"FileHash-MD5": 116,
"FileHash-SHA1": 73,
"FileHash-SHA256": 1041,
"SSLCertFingerprint": 1,
"hostname": 1951
},
"indicator_count": 10260,
"is_author": false,
"is_subscribing": null,
"subscriber_count": 138,
"modified_text": "89 days ago ",
"is_modified": true,
"groups": [],
"in_group": false,
"threat_hunter_scannable": true,
"threat_hunter_has_agents": 1,
"related_indicator_type": "URL",
"related_indicator_is_active": 1
},
{
"id": "68e2bb5d9ee8577ab5519f2c",
"name": "Meritshealth with DoD links? ",
"description": "",
"modified": "2026-01-13T00:05:56.401000",
"created": "2025-10-05T18:39:25.286000",
"tags": [
"gtmk5nxqc6",
"utc amazon",
"utc na",
"acceptencoding",
"gmt contenttype",
"connection",
"true pragma",
"gmt setcookie",
"httponly",
"gmt vary",
"nc000000 up",
"html document",
"unicode text",
"utf8 text",
"oc0006 http",
"http traffic",
"https http",
"mitre att",
"control ta0011",
"protocol t1071",
"match info",
"t1573 severity",
"info",
"number",
"ja3s",
"algorithm",
"azure rsa",
"tls issuing",
"cus subject",
"stwa lredmond",
"cnmicrosoft ecc",
"update secure",
"server ca",
"omicrosoft cus",
"get http",
"dns resolutions",
"registrar",
"markmonitor inc",
"country",
"resolver domain",
"type name",
"html",
"apnic",
"apnic whois",
"please",
"rirs",
"cidr",
"learn",
"ck id",
"name tactics",
"suspicious",
"informative",
"command",
"adversaries",
"development att",
"name tactics",
"binary file",
"ck matrix",
"wheelchair",
"iamrobert",
"pattern match",
"ascii text",
"href",
"united",
"general",
"local",
"path",
"encrypt",
"click",
"passive dns",
"urls",
"files",
"reverse dns",
"netherlands",
"present aug",
"a domains",
"moved",
"first pqc",
"ip address",
"unknown ns",
"unknown aaaa",
"title",
"body",
"meta",
"window",
"accept",
"body doctype",
"welcome",
"ok server",
"gmt content",
"present jul",
"present sep",
"aaaa",
"hostname",
"error",
"defense evasion",
"windows nt",
"response",
"vary",
"strings",
"core",
"t1027.013 encrypted/encoded",
"michelin lazy k",
"prefetch8",
"flag",
"date",
"starfield",
"hybrid",
"mobility cr",
"extraction",
"data upload",
"include",
"o url",
"url url",
"included i0",
"review ioc",
"excluded ic",
"suggested",
"find sugi",
"failed",
"cre pul",
"enter",
"enter sc",
"type",
"enric",
"extra",
"type opaste",
"data u",
"included",
"copy md5",
"copy sha1",
"copy sha256",
"null",
"refresh",
"tools",
"look",
"verify",
"restart",
"t1480 execution",
"expiration",
"url https",
"no expiration",
"iocs",
"ipv4",
"text drag",
"drop or",
"browse to",
"select file",
"redacted for",
"server",
"privacy tech",
"privacy admin",
"postal code",
"stateprovince",
"organization",
"email",
"code",
"quantum rooms",
"sam somalia",
"emp",
"porn",
"media defense",
"gov porn",
"suck my nips",
"reimer suspect",
"jeffrey reimer",
"dod",
"department of defense",
"show",
"date checked",
"url hostname",
"server response",
"google safe",
"results may",
"entries http",
"scans record",
"value status",
"sabey type",
"merits fake",
"y.a.s.",
"pornography",
"ramsom"
],
"references": [
"https://www.meritshealth.com/ Defense.Gov Mobility Co? ",
"zeroeyes.host \u2022 media.defense.gov \u2022 defense.gov \u2022 23.222.155.67",
"https://media.defense.gov/2022/Mar/17/2002958406/-1/-1/1/SUMMARY-OF-THE-JOINT-ALL-DOMAIN-COMMAND-AND-CONTROL-STRATEGY.pdf",
"https://media.defense.gov/2020/jun/09/2002313081/-1/-1/0/csi-detect-and-prevent-web-shell-malware-20200422.pdf",
"https://rto.bappam.eu/ai-n2cdl/mirai-2025-ven5k-telugu-movie-watch-online.html",
"https://pornokind.vgt.pl \u2022 https://cdn2.video.itsyourporn.com",
"https://webcams.itsyourporn.com/ \u2022 https://members.itsyourporn.com/",
"https://pics-storage-1.pornhat.com/contents/albums/main/1920x1080/135000/135855/9537375.jp",
"https://static.pornhat.com/contents/videos_screenshots/642000/642793/640x360/1.jpg",
"https://d1rozh26tys225.cloudfront.net/robot-suspicion.svg (mobility company no one has heard of)",
"https://www2.itsyourporn.com/license.php \u2022 https://www.lovephoto.tw/members",
"https://members.engine.com/login \u2022 https://members.engine.com/payment-details/220210",
"https://www-pornocarioca-com.sexogratis.page/videos/bbb/ex",
"https://media.defense.gov/2024/sep/18/2003547016/-1/-1/0/csa-prc-linked-actors-botnet.pdf",
"https://maisexo-com.putaria.info/casting \u2022 https://contosadultos-club.sexogratis.page/tudo",
"https://meumundogay-com.sexogratis.page/locker",
"https://es.pornhat.com/models/the-sex-creator/",
"Dear US Government, the man who assaulted targets name is Jeffrey Scott Reimer of Chester Springs, PA",
"Can the DoD no questions asked target a SA victim",
"Red Team Abuse? Starfield ? DoD? You need a real criminal Jeffrey Reimer.",
"There\u2019s a problem with terrorizing victims, relatives of, associates of and stealing their property intellectual or otherwise",
"socialmedia \u2022 socialmedia.defense.gov \u2022 static.defense.gov",
"There is fear in silence or speaking out",
"Target left unattended by anyone in a hospital except a security guard. Hospital refused care. Ignored rare brain incident from high cervical & brain assault injuries aggravated by car accident.",
"3-4 Police presence. 25 + hospital employees prepped radiology room. No one left room so was it for her?",
"If someone is believed to be a threat they have right to due process.",
"Infectious Disease UC Health denied target medication they said she needed as questionable liquid seeped into her brain.",
"She was a researcher not a hacker. A mother not a criminal. Most talented and least impressed person I have ever known.",
"Remarks online \u2018 T\u2019*#^^ is not a runner\u2019 a size 00 broke two track records at a major universities.",
"Honestly, you\u2019ve never seen or met her no many how many people you\u2019ve sent out. That\u2019s why you quiz.",
"ftp.iamrobert.com ? \u2022 https://www.meritshealth.com/templates/iamrobert/fonts/Graphik-Regular.eot",
"iamrobert.com Y.A.S.",
"1.2016 M.Brian Sabey filed a complaint about? Jeffrey Reimer refused Lie detector test and False memory exam",
"Target agreed and complied with all lie detector measures.",
"Is the family allowed to have a funeral for Tsara or print an obituary",
"No, they put Tsara in her mom\u2019s obituary, she couldn\u2019t grieve, she had to take it down.",
"I am very upset. Whoever is doing this is sick."
],
"public": 1,
"adversary": "",
"targeted_countries": [
"United States of America"
],
"malware_families": [
{
"id": "APNIC",
"display_name": "APNIC",
"target": null
},
{
"id": "Malware",
"display_name": "Malware",
"target": null
}
],
"attack_ids": [
{
"id": "T1071",
"name": "Application Layer Protocol",
"display_name": "T1071 - Application Layer Protocol"
},
{
"id": "T1573",
"name": "Encrypted Channel",
"display_name": "T1573 - Encrypted Channel"
},
{
"id": "T1027",
"name": "Obfuscated Files or Information",
"display_name": "T1027 - Obfuscated Files or Information"
},
{
"id": "T1057",
"name": "Process Discovery",
"display_name": "T1057 - Process Discovery"
},
{
"id": "T1069",
"name": "Permission Groups Discovery",
"display_name": "T1069 - Permission Groups Discovery"
},
{
"id": "T1105",
"name": "Ingress Tool Transfer",
"display_name": "T1105 - Ingress Tool Transfer"
},
{
"id": "T1480",
"name": "Execution Guardrails",
"display_name": "T1480 - Execution Guardrails"
},
{
"id": "T1553",
"name": "Subvert Trust Controls",
"display_name": "T1553 - Subvert Trust Controls"
},
{
"id": "T1566",
"name": "Phishing",
"display_name": "T1566 - Phishing"
},
{
"id": "T1568",
"name": "Dynamic Resolution",
"display_name": "T1568 - Dynamic Resolution"
},
{
"id": "T1583",
"name": "Acquire Infrastructure",
"display_name": "T1583 - Acquire Infrastructure"
},
{
"id": "T1069.002",
"name": "Domain Groups",
"display_name": "T1069.002 - Domain Groups"
},
{
"id": "T1071.001",
"name": "Web Protocols",
"display_name": "T1071.001 - Web Protocols"
},
{
"id": "T1583.001",
"name": "Domains",
"display_name": "T1583.001 - Domains"
},
{
"id": "TA0042",
"name": "Resource Development",
"display_name": "TA0042 - Resource Development"
},
{
"id": "TA0005",
"name": "Defense Evasion",
"display_name": "TA0005 - Defense Evasion"
},
{
"id": "T1553.002",
"name": "Code Signing",
"display_name": "T1553.002 - Code Signing"
},
{
"id": "T1528",
"name": "Steal Application Access Token",
"display_name": "T1528 - Steal Application Access Token"
},
{
"id": "T1071.004",
"name": "DNS",
"display_name": "T1071.004 - DNS"
},
{
"id": "T1113",
"name": "Screen Capture",
"display_name": "T1113 - Screen Capture"
},
{
"id": "T1590",
"name": "Gather Victim Network Information",
"display_name": "T1590 - Gather Victim Network Information"
},
{
"id": "T1591",
"name": "Gather Victim Org Information",
"display_name": "T1591 - Gather Victim Org Information"
},
{
"id": "T1132",
"name": "Data Encoding",
"display_name": "T1132 - Data Encoding"
},
{
"id": "T1140",
"name": "Deobfuscate/Decode Files or Information",
"display_name": "T1140 - Deobfuscate/Decode Files or Information"
},
{
"id": "T1562",
"name": "Impair Defenses",
"display_name": "T1562 - Impair Defenses"
},
{
"id": "T1457",
"name": "Malicious Media Content",
"display_name": "T1457 - Malicious Media Content"
},
{
"id": "T1562.001",
"name": "Disable or Modify Tools",
"display_name": "T1562.001 - Disable or Modify Tools"
},
{
"id": "T1562.004",
"name": "Disable or Modify System Firewall",
"display_name": "T1562.004 - Disable or Modify System Firewall"
},
{
"id": "T1089",
"name": "Disabling Security Tools",
"display_name": "T1089 - Disabling Security Tools"
},
{
"id": "T1562.008",
"name": "Disable Cloud Logs",
"display_name": "T1562.008 - Disable Cloud Logs"
},
{
"id": "T1125",
"name": "Video Capture",
"display_name": "T1125 - Video Capture"
},
{
"id": "T1056.003",
"name": "Web Portal Capture",
"display_name": "T1056.003 - Web Portal Capture"
},
{
"id": "T1512",
"name": "Capture Camera",
"display_name": "T1512 - Capture Camera"
},
{
"id": "T1180",
"name": "Screensaver",
"display_name": "T1180 - Screensaver"
}
],
"industries": [],
"TLP": "white",
"cloned_from": "68e2b14d83bb63502feac65e",
"export_count": 17,
"upvotes_count": 0,
"downvotes_count": 0,
"votes_count": 0,
"locked": false,
"pulse_source": "web",
"validator_count": 0,
"comment_count": 0,
"follower_count": 0,
"vote": 0,
"author": {
"username": "Q.Vashti",
"id": "337942",
"avatar_url": "https://otx.alienvault.com/assets/images/default-avatar.png",
"is_subscribed": false,
"is_following": false
},
"indicator_type_counts": {
"domain": 1365,
"URL": 11172,
"hostname": 2780,
"FileHash-MD5": 381,
"FileHash-SHA256": 4420,
"FileHash-SHA1": 338,
"CIDR": 4,
"SSLCertFingerprint": 24,
"CVE": 1,
"email": 1
},
"indicator_count": 20486,
"is_author": false,
"is_subscribing": null,
"subscriber_count": 139,
"modified_text": "96 days ago ",
"is_modified": true,
"groups": [],
"in_group": false,
"threat_hunter_scannable": true,
"threat_hunter_has_agents": 1,
"related_indicator_type": "URL",
"related_indicator_is_active": 1
},
{
"id": "68e2b14d83bb63502feac65e",
"name": "Did the \u2018real\u2019 DoD kill Targets wheelchair as promised? It\u2019s alive again.",
"description": "I\u2019d never think the DoD would be found when researching a wheelchair company NO ONE has ever heard of in this region. \n\nA wheelchair was ordered for target early spring, it was received in early summer. \n\nSettings became a crazy mess. Suspicion was immediate as a toothless tech tried to identify if dealing w/target by birth year , quizzing, fear tactics (doomsday wheelchair) , familiar Then warns about EMP attacks against wheelchair? His son is a hacker (gamer) + software engineer. He left not knowing if target status after quizzing tech knowledge? I intentionally verbalized the truth , target was a very early adopter of Ruby & Ruby on Rails & everything tech, he dropped his tools & left breaking the arm of wheelchair. New tech needed. Later denies ever being a mobility technician. They killed a new wheelchair. Why?. You\u2019re allowed to donate your equipment Vets & uninsured NEED mobility equipment. Stop the craziness. Is it possible gamer hackers are riding the DoD w/o their knowledge?",
"modified": "2026-01-07T00:00:30.717000",
"created": "2025-10-05T17:56:29.109000",
"tags": [
"gtmk5nxqc6",
"utc amazon",
"utc na",
"acceptencoding",
"gmt contenttype",
"connection",
"true pragma",
"gmt setcookie",
"httponly",
"gmt vary",
"nc000000 up",
"html document",
"unicode text",
"utf8 text",
"oc0006 http",
"http traffic",
"https http",
"mitre att",
"control ta0011",
"protocol t1071",
"match info",
"t1573 severity",
"info",
"number",
"ja3s",
"algorithm",
"azure rsa",
"tls issuing",
"cus subject",
"stwa lredmond",
"cnmicrosoft ecc",
"update secure",
"server ca",
"omicrosoft cus",
"get http",
"dns resolutions",
"registrar",
"markmonitor inc",
"country",
"resolver domain",
"type name",
"html",
"apnic",
"apnic whois",
"please",
"rirs",
"cidr",
"learn",
"ck id",
"name tactics",
"suspicious",
"informative",
"command",
"adversaries",
"development att",
"name tactics",
"binary file",
"ck matrix",
"wheelchair",
"iamrobert",
"pattern match",
"ascii text",
"href",
"united",
"general",
"local",
"path",
"encrypt",
"click",
"passive dns",
"urls",
"files",
"reverse dns",
"netherlands",
"present aug",
"a domains",
"moved",
"first pqc",
"ip address",
"unknown ns",
"unknown aaaa",
"title",
"body",
"meta",
"window",
"accept",
"body doctype",
"welcome",
"ok server",
"gmt content",
"present jul",
"present sep",
"aaaa",
"hostname",
"error",
"defense evasion",
"windows nt",
"response",
"vary",
"strings",
"core",
"t1027.013 encrypted/encoded",
"michelin lazy k",
"prefetch8",
"flag",
"date",
"starfield",
"hybrid",
"mobility cr",
"extraction",
"data upload",
"include",
"o url",
"url url",
"included i0",
"review ioc",
"excluded ic",
"suggested",
"find sugi",
"failed",
"cre pul",
"enter",
"enter sc",
"type",
"enric",
"extra",
"type opaste",
"data u",
"included",
"copy md5",
"copy sha1",
"copy sha256",
"null",
"refresh",
"tools",
"look",
"verify",
"restart",
"t1480 execution",
"expiration",
"url https",
"no expiration",
"iocs",
"ipv4",
"text drag",
"drop or",
"browse to",
"select file",
"redacted for",
"server",
"privacy tech",
"privacy admin",
"postal code",
"stateprovince",
"organization",
"email",
"code",
"quantum rooms",
"sam somalia",
"emp",
"porn",
"media defense",
"gov porn",
"suck my nips",
"reimer suspect",
"jeffrey reimer",
"dod",
"department of defense",
"show",
"date checked",
"url hostname",
"server response",
"google safe",
"results may",
"entries http",
"scans record",
"value status",
"sabey type",
"merits fake",
"y.a.s.",
"pornography",
"ramsom"
],
"references": [
"https://www.meritshealth.com/ Defense.Gov Mobility Co? ",
"zeroeyes.host \u2022 media.defense.gov \u2022 defense.gov \u2022 23.222.155.67",
"https://media.defense.gov/2022/Mar/17/2002958406/-1/-1/1/SUMMARY-OF-THE-JOINT-ALL-DOMAIN-COMMAND-AND-CONTROL-STRATEGY.pdf",
"https://media.defense.gov/2020/jun/09/2002313081/-1/-1/0/csi-detect-and-prevent-web-shell-malware-20200422.pdf",
"https://rto.bappam.eu/ai-n2cdl/mirai-2025-ven5k-telugu-movie-watch-online.html",
"https://pornokind.vgt.pl \u2022 https://cdn2.video.itsyourporn.com",
"https://webcams.itsyourporn.com/ \u2022 https://members.itsyourporn.com/",
"https://pics-storage-1.pornhat.com/contents/albums/main/1920x1080/135000/135855/9537375.jp",
"https://static.pornhat.com/contents/videos_screenshots/642000/642793/640x360/1.jpg",
"https://d1rozh26tys225.cloudfront.net/robot-suspicion.svg (mobility company no one has heard of)",
"https://www2.itsyourporn.com/license.php \u2022 https://www.lovephoto.tw/members",
"https://members.engine.com/login \u2022 https://members.engine.com/payment-details/220210",
"https://www-pornocarioca-com.sexogratis.page/videos/bbb/ex",
"https://media.defense.gov/2024/sep/18/2003547016/-1/-1/0/csa-prc-linked-actors-botnet.pdf",
"https://maisexo-com.putaria.info/casting \u2022 https://contosadultos-club.sexogratis.page/tudo",
"https://meumundogay-com.sexogratis.page/locker",
"https://es.pornhat.com/models/the-sex-creator/",
"Dear US Government, the man who assaulted targets name is Jeffrey Scott Reimer of Chester Springs, PA",
"Can the DoD no questions asked target a SA victim",
"Red Team Abuse? Starfield ? DoD? You need a real criminal Jeffrey Reimer.",
"There\u2019s a problem with terrorizing victims, relatives of, associates of and stealing their property intellectual or otherwise",
"socialmedia \u2022 socialmedia.defense.gov \u2022 static.defense.gov",
"There is fear in silence or speaking out",
"Target left unattended by anyone in a hospital except a security guard. Hospital refused care. Ignored rare brain incident from high cervical & brain assault injuries aggravated by car accident.",
"3-4 Police presence. 25 + hospital employees prepped radiology room. No one left room so was it for her?",
"If someone is believed to be a threat they have right to due process.",
"Infectious Disease UC Health denied target medication they said she needed as questionable liquid seeped into her brain.",
"She was a researcher not a hacker. A mother not a criminal. Most talented and least impressed person I have ever known.",
"Remarks online \u2018 T\u2019*#^^ is not a runner\u2019 a size 00 broke two track records at a major universities.",
"Honestly, you\u2019ve never seen or met her no many how many people you\u2019ve sent out. That\u2019s why you quiz.",
"ftp.iamrobert.com ? \u2022 https://www.meritshealth.com/templates/iamrobert/fonts/Graphik-Regular.eot",
"iamrobert.com Y.A.S.",
"1.2016 M.Brian Sabey filed a complaint about? Jeffrey Reimer refused Lie detector test and False memory exam",
"Target agreed and complied with all lie detector measures.",
"Is the family allowed to have a funeral for Tsara or print an obituary",
"No, they put Tsara in her mom\u2019s obituary, she couldn\u2019t grieve, she had to take it down.",
"I am very upset. Whoever is doing this is sick."
],
"public": 1,
"adversary": "",
"targeted_countries": [
"United States of America"
],
"malware_families": [
{
"id": "APNIC",
"display_name": "APNIC",
"target": null
},
{
"id": "Malware",
"display_name": "Malware",
"target": null
}
],
"attack_ids": [
{
"id": "T1071",
"name": "Application Layer Protocol",
"display_name": "T1071 - Application Layer Protocol"
},
{
"id": "T1573",
"name": "Encrypted Channel",
"display_name": "T1573 - Encrypted Channel"
},
{
"id": "T1027",
"name": "Obfuscated Files or Information",
"display_name": "T1027 - Obfuscated Files or Information"
},
{
"id": "T1057",
"name": "Process Discovery",
"display_name": "T1057 - Process Discovery"
},
{
"id": "T1069",
"name": "Permission Groups Discovery",
"display_name": "T1069 - Permission Groups Discovery"
},
{
"id": "T1105",
"name": "Ingress Tool Transfer",
"display_name": "T1105 - Ingress Tool Transfer"
},
{
"id": "T1480",
"name": "Execution Guardrails",
"display_name": "T1480 - Execution Guardrails"
},
{
"id": "T1553",
"name": "Subvert Trust Controls",
"display_name": "T1553 - Subvert Trust Controls"
},
{
"id": "T1566",
"name": "Phishing",
"display_name": "T1566 - Phishing"
},
{
"id": "T1568",
"name": "Dynamic Resolution",
"display_name": "T1568 - Dynamic Resolution"
},
{
"id": "T1583",
"name": "Acquire Infrastructure",
"display_name": "T1583 - Acquire Infrastructure"
},
{
"id": "T1069.002",
"name": "Domain Groups",
"display_name": "T1069.002 - Domain Groups"
},
{
"id": "T1071.001",
"name": "Web Protocols",
"display_name": "T1071.001 - Web Protocols"
},
{
"id": "T1583.001",
"name": "Domains",
"display_name": "T1583.001 - Domains"
},
{
"id": "TA0042",
"name": "Resource Development",
"display_name": "TA0042 - Resource Development"
},
{
"id": "TA0005",
"name": "Defense Evasion",
"display_name": "TA0005 - Defense Evasion"
},
{
"id": "T1553.002",
"name": "Code Signing",
"display_name": "T1553.002 - Code Signing"
},
{
"id": "T1528",
"name": "Steal Application Access Token",
"display_name": "T1528 - Steal Application Access Token"
},
{
"id": "T1071.004",
"name": "DNS",
"display_name": "T1071.004 - DNS"
},
{
"id": "T1113",
"name": "Screen Capture",
"display_name": "T1113 - Screen Capture"
},
{
"id": "T1590",
"name": "Gather Victim Network Information",
"display_name": "T1590 - Gather Victim Network Information"
},
{
"id": "T1591",
"name": "Gather Victim Org Information",
"display_name": "T1591 - Gather Victim Org Information"
},
{
"id": "T1132",
"name": "Data Encoding",
"display_name": "T1132 - Data Encoding"
},
{
"id": "T1140",
"name": "Deobfuscate/Decode Files or Information",
"display_name": "T1140 - Deobfuscate/Decode Files or Information"
},
{
"id": "T1562",
"name": "Impair Defenses",
"display_name": "T1562 - Impair Defenses"
},
{
"id": "T1457",
"name": "Malicious Media Content",
"display_name": "T1457 - Malicious Media Content"
},
{
"id": "T1562.001",
"name": "Disable or Modify Tools",
"display_name": "T1562.001 - Disable or Modify Tools"
},
{
"id": "T1562.004",
"name": "Disable or Modify System Firewall",
"display_name": "T1562.004 - Disable or Modify System Firewall"
},
{
"id": "T1089",
"name": "Disabling Security Tools",
"display_name": "T1089 - Disabling Security Tools"
},
{
"id": "T1562.008",
"name": "Disable Cloud Logs",
"display_name": "T1562.008 - Disable Cloud Logs"
},
{
"id": "T1125",
"name": "Video Capture",
"display_name": "T1125 - Video Capture"
},
{
"id": "T1056.003",
"name": "Web Portal Capture",
"display_name": "T1056.003 - Web Portal Capture"
},
{
"id": "T1512",
"name": "Capture Camera",
"display_name": "T1512 - Capture Camera"
},
{
"id": "T1180",
"name": "Screensaver",
"display_name": "T1180 - Screensaver"
}
],
"industries": [],
"TLP": "white",
"cloned_from": null,
"export_count": 11,
"upvotes_count": 0,
"downvotes_count": 0,
"votes_count": 0,
"locked": false,
"pulse_source": "web",
"validator_count": 0,
"comment_count": 1,
"follower_count": 0,
"vote": 0,
"author": {
"username": "Q.Vashti",
"id": "337942",
"avatar_url": "https://otx.alienvault.com/assets/images/default-avatar.png",
"is_subscribed": false,
"is_following": false
},
"indicator_type_counts": {
"domain": 1328,
"URL": 9931,
"hostname": 2621,
"FileHash-MD5": 381,
"FileHash-SHA256": 4360,
"FileHash-SHA1": 338,
"CIDR": 4,
"SSLCertFingerprint": 24,
"CVE": 1,
"email": 1
},
"indicator_count": 18989,
"is_author": false,
"is_subscribing": null,
"subscriber_count": 139,
"modified_text": "102 days ago ",
"is_modified": true,
"groups": [],
"in_group": false,
"threat_hunter_scannable": true,
"threat_hunter_has_agents": 1,
"related_indicator_type": "URL",
"related_indicator_is_active": 1
},
{
"id": "692f04e9fa3d782118e94aac",
"name": "LevelBlue - Open Threat Exchange - Delete AppDeployed",
"description": "I\u2019m not sure what to think. |\ndeploy-delete-app-us-east-2-1.deploy-delete-test-us-east-2-1mtsufd.us-east-2.gamma.forgeapps.ec2.aws.dev | Are these\npulses being sold or attacked? Christopher P. Ahmann of TAM Legal and his other firms has ALWAYS attacked targets phones and networks. Nothing is too outrageous for this maniac.\n\nHe is responsible for the recent attacks on devices , clouds , google accounts and a flurry of threats. Indicators in recently pulsed reports have been removed. I\u2019ve done my best to restore. \n\nI am also concerned about the safety or legitimacy of this platform.\n\nNo one is ever alerted. Simply calling someone and telling them about the compromises can equate to a big pay day for Level Blue and nothing for the victims of attacks. I need my pulses restored. \n\nIt\u2019s plausible to believe OTX was attacked by an external threat actor.\nAnything is possible when it comes to money.",
"modified": "2026-01-01T15:04:20.907000",
"created": "2025-12-02T15:25:29.158000",
"tags": [
"levelblue",
"open threat",
"dynamicloader",
"tlsv1",
"high",
"msie",
"windows nt",
"delete c",
"fwlink",
"stream",
"powershell",
"write",
"malware",
"local",
"united",
"flag",
"date",
"server",
"crazy egg",
"name server",
"gmt flag",
"domain address",
"markmonitor",
"enom",
"sugges",
"onv incude",
"data upload",
"find s",
"extraction",
"types",
"type",
"indicator",
"click",
"windir",
"openurl c",
"prefetch2",
"analysis",
"tor analysis",
"dns requests",
"contacted hosts",
"search",
"entries",
"read c",
"medium",
"memcommit",
"tls handshake",
"failure",
"module load",
"next",
"execution",
"dock",
"capture",
"persistence",
"copy",
"unknown",
"suricata alert",
"et info",
"bad traffic",
"learn",
"command",
"ck id",
"name tactics",
"suspicious",
"informative",
"adversaries",
"spawns",
"t1480 execution",
"file defense",
"write c",
"x02x82",
"xe6x15c6",
"x16f",
"xc0xc0xc0",
"revengerat",
"guard",
"service",
"encrypt",
"entries yara",
"delphi",
"win32",
"jordan",
"delete app"
],
"references": [
"https://otx.alienvault.com/indicator/domain/Tamlegal.com",
"DotNET_Reactor System.Security.Cryptography.AesCryptoServiceProvider System.Security.Cryptography System.Security.Cryptography ICryptoTransform Eziriz",
"endgames.com \u2022 endgames.us \u2022 endgamesystems.com \u2022 http://www.onyx-ware.com/lander",
"deploy-delete-app-us-east-2-1.deploy-delete-test-us-east-2-1mtsufd.us-east-2.gamma.forgeapps.ec2.aws.dev"
],
"public": 1,
"adversary": "",
"targeted_countries": [
"United States of America"
],
"malware_families": [
{
"id": "Win.Malware.Vmprotect-9880726-0",
"display_name": "Win.Malware.Vmprotect-9880726-0",
"target": null
},
{
"id": "Other Malware",
"display_name": "Other Malware",
"target": null
}
],
"attack_ids": [
{
"id": "T1053",
"name": "Scheduled Task/Job",
"display_name": "T1053 - Scheduled Task/Job"
},
{
"id": "T1055",
"name": "Process Injection",
"display_name": "T1055 - Process Injection"
},
{
"id": "T1056",
"name": "Input Capture",
"display_name": "T1056 - Input Capture"
},
{
"id": "T1071",
"name": "Application Layer Protocol",
"display_name": "T1071 - Application Layer Protocol"
},
{
"id": "T1082",
"name": "System Information Discovery",
"display_name": "T1082 - System Information Discovery"
},
{
"id": "T1112",
"name": "Modify Registry",
"display_name": "T1112 - Modify Registry"
},
{
"id": "T1119",
"name": "Automated Collection",
"display_name": "T1119 - Automated Collection"
},
{
"id": "T1129",
"name": "Shared Modules",
"display_name": "T1129 - Shared Modules"
},
{
"id": "T1143",
"name": "Hidden Window",
"display_name": "T1143 - Hidden Window"
},
{
"id": "T1134",
"name": "Access Token Manipulation",
"display_name": "T1134 - Access Token Manipulation"
},
{
"id": "T1027",
"name": "Obfuscated Files or Information",
"display_name": "T1027 - Obfuscated Files or Information"
},
{
"id": "T1057",
"name": "Process Discovery",
"display_name": "T1057 - Process Discovery"
},
{
"id": "T1069",
"name": "Permission Groups Discovery",
"display_name": "T1069 - Permission Groups Discovery"
},
{
"id": "T1105",
"name": "Ingress Tool Transfer",
"display_name": "T1105 - Ingress Tool Transfer"
},
{
"id": "T1480",
"name": "Execution Guardrails",
"display_name": "T1480 - Execution Guardrails"
},
{
"id": "T1147",
"name": "Hidden Users",
"display_name": "T1147 - Hidden Users"
}
],
"industries": [
"Technology",
"Legal"
],
"TLP": "white",
"cloned_from": null,
"export_count": 5,
"upvotes_count": 0,
"downvotes_count": 0,
"votes_count": 0,
"locked": false,
"pulse_source": "web",
"validator_count": 0,
"comment_count": 0,
"follower_count": 0,
"vote": 0,
"author": {
"username": "Q.Vashti",
"id": "337942",
"avatar_url": "https://otx.alienvault.com/assets/images/default-avatar.png",
"is_subscribed": false,
"is_following": false
},
"indicator_type_counts": {
"URL": 4624,
"FileHash-SHA256": 2021,
"FileHash-MD5": 51,
"FileHash-SHA1": 20,
"SSLCertFingerprint": 10,
"hostname": 1433,
"domain": 728
},
"indicator_count": 8887,
"is_author": false,
"is_subscribing": null,
"subscriber_count": 140,
"modified_text": "108 days ago ",
"is_modified": true,
"groups": [],
"in_group": false,
"threat_hunter_scannable": true,
"threat_hunter_has_agents": 1,
"related_indicator_type": "URL",
"related_indicator_is_active": 1
},
{
"id": "68eff833ed84ceaf611521d2",
"name": "Tucker Carlson | AutInject \u2022 Zbot \u2022 CoinMiner \u2022 Zombie \u2022 Qbot affects his YouTube Channel (9.14.2025) ",
"description": "",
"modified": "2025-10-15T19:38:27.739000",
"created": "2025-10-15T19:38:27.739000",
"tags": [
"resolved ips",
"parent pid",
"full path",
"command line",
"cname",
"ip address",
"port",
"involved direct",
"country name",
"nxdomain",
"tcp connections",
"udp connections",
"data",
"datacrashpad",
"edge",
"passive dns",
"origin trial",
"gmt cache",
"sameorigin",
"443 ma2592000",
"ipv4 add",
"files",
"title",
"date",
"found",
"gmt content",
"hostname",
"verdict",
"error",
"code",
"present aug",
"present sep",
"aaaa",
"search",
"domain",
"present apr",
"present jun",
"address google",
"safe browsing",
"present oct",
"match info",
"mitre att",
"control ta0011",
"protocol t1071",
"protocol t1095",
"match medium",
"icmp traffic",
"port t1571",
"info",
"c0002 wininet",
"flag",
"markmonitor",
"domain address",
"contacted hosts",
"process details",
"size",
"iend ihdridatx",
"qrmf",
"qkdi",
"qiyay",
"kjtn8",
"r0x3",
"ihdridatx",
"yg6qp",
"kkrz",
"t6 ex",
"click",
"windir",
"openurl c",
"prefetch2",
"data upload",
"extraction",
"failed",
"please",
"your browser",
"learn",
"opera mozilla",
"firefox google",
"chrome remind",
"privacy policy",
"safety",
"google llc",
"youtube",
"mozilla firefox",
"safari google",
"edge opera",
"browse youtube",
"file",
"indicator",
"pattern match",
"ascii text",
"ck id",
"ck matrix",
"href",
"general",
"local",
"path",
"name tactics",
"suspicious",
"informative",
"command",
"adversaries",
"spawns",
"t1590 gather",
"victim network",
"files domain",
"files related",
"related tags",
"registrar",
"files ip",
"asn as15169",
"address domain",
"ip whois",
"service address",
"po box",
"city hayes",
"country gb",
"dnssec",
"domain name",
"emails",
"script urls",
"a domains",
"texas flyover",
"script domains",
"script script",
"trojan",
"meta",
"window",
"msie",
"chrome",
"twitter",
"unknown aaaa",
"record value",
"content type",
"united states",
"dynamicloader",
"medium",
"write c",
"high",
"show",
"digicert",
"olet",
"encrypt",
"win64",
"responder",
"write",
"next",
"unknown",
"install",
"dummy",
"entries",
"displayname",
"windows",
"united",
"tofsee",
"copy",
"stream",
"malware",
"hostile",
"body",
"hostile client",
"apollo",
"jaik",
"code overlap",
"sri lanka",
"pintuck sri",
"lanka",
"unknown ns",
"moved",
"buy apparal",
"win32",
"trojandropper",
"virtool",
"susp",
"ipv4",
"pulse pulses",
"urls",
"reverse dns",
"location united",
"installer"
],
"references": [
"https://www.youtube.com/watch?v=5KmpT-BoVf4",
"https://www.youtube.com/supported_browsers?next_url=https%3A%2F%2Fwww.youtube.com%2Fwatch%3Fv%3D5KmpT-BoVf4",
"critical-failure-alert8768.70jf59844149.com-1kafl-hs0pt4m8f.trade",
"http://www.whatbrowser.com/intl/en/ \u2022 ghb.console.adtarget.com.tr.88.1.8b13f8ac.roksit.net",
"canary5.nycl.do.ubersmith.com \u2022 debian-test.nyc3.do.ubersmith.com",
"docs-old.ubersmith.com \u2022 edgevana.trial.ubersmith.com",
"ghb.unoadsrv.com.88.1.8b13f8ac.roksit.net",
"malware.sale \u2022 http://virii.es/U/Using%20Entropy%20Analysis%20to%20Find%20Encrypted%20and%20Packed%20Malware.pdf",
"IDS: Win32/Tofsee.AX google.com connectivity check Query to a *.top domain -",
"Likely Hostile Http Client Body contains pwd= in cleartext Cleartext WordPress Login",
"Yara Detections: RansomWin32Apollo \u2022 216.239.32.27"
],
"public": 1,
"adversary": "",
"targeted_countries": [
"United States of America"
],
"malware_families": [
{
"id": "Win.Malware.Jaik-9968280-0",
"display_name": "Win.Malware.Jaik-9968280-0",
"target": null
},
{
"id": "Malware + Code Overlap",
"display_name": "Malware + Code Overlap",
"target": null
},
{
"id": "Trojan:Win32/Qbot.R!MTB",
"display_name": "Trojan:Win32/Qbot.R!MTB",
"target": "/malware/Trojan:Win32/Qbot.R!MTB"
},
{
"id": "Trojandownloader:Win32/Upatre",
"display_name": "Trojandownloader:Win32/Upatre",
"target": "/malware/Trojandownloader:Win32/Upatre"
},
{
"id": "Trojan:BAT/Musecador",
"display_name": "Trojan:BAT/Musecador",
"target": "/malware/Trojan:BAT/Musecador"
},
{
"id": "Win32:Trojan",
"display_name": "Win32:Trojan",
"target": null
},
{
"id": "Bancos",
"display_name": "Bancos",
"target": null
},
{
"id": "Hematite",
"display_name": "Hematite",
"target": null
},
{
"id": "Trojanspy:Win32/Banker.LY",
"display_name": "Trojanspy:Win32/Banker.LY",
"target": "/malware/Trojanspy:Win32/Banker.LY"
},
{
"id": "Trojan:Win32/Vflooder!rfn",
"display_name": "Trojan:Win32/Vflooder!rfn",
"target": "/malware/Trojan:Win32/Vflooder!rfn"
},
{
"id": "Win32:MalwareX",
"display_name": "Win32:MalwareX",
"target": null
},
{
"id": "Malwarex",
"display_name": "Malwarex",
"target": null
},
{
"id": "Virtool:Win32/CeeInject.AKZ!bit",
"display_name": "Virtool:Win32/CeeInject.AKZ!bit",
"target": "/malware/Virtool:Win32/CeeInject.AKZ!bit"
},
{
"id": "Win32:Dropper",
"display_name": "Win32:Dropper",
"target": null
},
{
"id": "Ymacco",
"display_name": "Ymacco",
"target": null
},
{
"id": "Upatre",
"display_name": "Upatre",
"target": null
},
{
"id": "Trojandownloader:Win32/Upatre.A",
"display_name": "Trojandownloader:Win32/Upatre.A",
"target": "/malware/Trojandownloader:Win32/Upatre.A"
},
{
"id": "Win32:Evo",
"display_name": "Win32:Evo",
"target": null
},
{
"id": "Trojandropper:Win32/BcryptInject.B!MSR",
"display_name": "Trojandropper:Win32/BcryptInject.B!MSR",
"target": "/malware/Trojandropper:Win32/BcryptInject.B!MSR"
},
{
"id": "Win32:TrojanX-gen\\ [Trj]",
"display_name": "Win32:TrojanX-gen\\ [Trj]",
"target": null
},
{
"id": "Win32:Cleaman-K\\ [Trj]",
"display_name": "Win32:Cleaman-K\\ [Trj]",
"target": null
},
{
"id": "Asacky",
"display_name": "Asacky",
"target": null
},
{
"id": "Backdoor:Win32/Plugx.N!dha",
"display_name": "Backdoor:Win32/Plugx.N!dha",
"target": "/malware/Backdoor:Win32/Plugx.N!dha"
}
],
"attack_ids": [
{
"id": "T1071",
"name": "Application Layer Protocol",
"display_name": "T1071 - Application Layer Protocol"
},
{
"id": "T1095",
"name": "Non-Application Layer Protocol",
"display_name": "T1095 - Non-Application Layer Protocol"
},
{
"id": "T1571",
"name": "Non-Standard Port",
"display_name": "T1571 - Non-Standard Port"
},
{
"id": "T1573",
"name": "Encrypted Channel",
"display_name": "T1573 - Encrypted Channel"
},
{
"id": "T1027",
"name": "Obfuscated Files or Information",
"display_name": "T1027 - Obfuscated Files or Information"
},
{
"id": "T1057",
"name": "Process Discovery",
"display_name": "T1057 - Process Discovery"
},
{
"id": "T1105",
"name": "Ingress Tool Transfer",
"display_name": "T1105 - Ingress Tool Transfer"
},
{
"id": "T1480",
"name": "Execution Guardrails",
"display_name": "T1480 - Execution Guardrails"
},
{
"id": "T1553",
"name": "Subvert Trust Controls",
"display_name": "T1553 - Subvert Trust Controls"
},
{
"id": "T1568",
"name": "Dynamic Resolution",
"display_name": "T1568 - Dynamic Resolution"
},
{
"id": "T1583",
"name": "Acquire Infrastructure",
"display_name": "T1583 - Acquire Infrastructure"
},
{
"id": "T1590",
"name": "Gather Victim Network Information",
"display_name": "T1590 - Gather Victim Network Information"
},
{
"id": "T1045",
"name": "Software Packing",
"display_name": "T1045 - Software Packing"
},
{
"id": "T1055",
"name": "Process Injection",
"display_name": "T1055 - Process Injection"
},
{
"id": "T1060",
"name": "Registry Run Keys / Startup Folder",
"display_name": "T1060 - Registry Run Keys / Startup Folder"
},
{
"id": "T1210",
"name": "Exploitation of Remote Services",
"display_name": "T1210 - Exploitation of Remote Services"
},
{
"id": "T1449",
"name": "Exploit SS7 to Redirect Phone Calls/SMS",
"display_name": "T1449 - Exploit SS7 to Redirect Phone Calls/SMS"
}
],
"industries": [
"Media"
],
"TLP": "white",
"cloned_from": "68c73fbd85dfbb4d41006ad1",
"export_count": 4,
"upvotes_count": 0,
"downvotes_count": 0,
"votes_count": 0,
"locked": false,
"pulse_source": "web",
"validator_count": 0,
"comment_count": 0,
"follower_count": 0,
"vote": 0,
"author": {
"username": "Q.Vashti",
"id": "337942",
"avatar_url": "https://otx.alienvault.com/assets/images/default-avatar.png",
"is_subscribed": false,
"is_following": false
},
"indicator_type_counts": {
"URL": 4746,
"hostname": 1829,
"domain": 913,
"FileHash-MD5": 249,
"FileHash-SHA1": 213,
"FileHash-SHA256": 1765,
"email": 3,
"SSLCertFingerprint": 17
},
"indicator_count": 9735,
"is_author": false,
"is_subscribing": null,
"subscriber_count": 139,
"modified_text": "185 days ago ",
"is_modified": false,
"groups": [],
"in_group": false,
"threat_hunter_scannable": true,
"threat_hunter_has_agents": 1,
"related_indicator_type": "URL",
"related_indicator_is_active": 1
},
{
"id": "68c73fbd85dfbb4d41006ad1",
"name": "Tucker Carlson Sam Altman YouTube Interview \u2022 Qbot | Malware with. Code Overlap",
"description": "Maybe it\u2019s a network issue. The TV I viewed interview from is in Arabic the every time. It\u2019s not\nmy\ntelevision or network, didn\u2019t get link from a logged in YouTube. Not a subscriber.. I viewed using (cc) close captioning. It\u2019s the only program n YouTube using another language for this interview. The only reason I\u2019ve visited this interview several time\u2019s since it\u2019s aired is to check for the same results. Every time only this interview uses another language for (cc).\n\nThere are related pulses by a few different users, experiencing similar personal issues. I\u2019d assume I\u2019d always get these results. Unclear\n\n* At the end of interview Tucker Carlson states YouTube is trying to suppress or delete this one interview.",
"modified": "2025-10-14T22:26:18.109000",
"created": "2025-09-14T22:20:45.617000",
"tags": [
"resolved ips",
"parent pid",
"full path",
"command line",
"cname",
"ip address",
"port",
"involved direct",
"country name",
"nxdomain",
"tcp connections",
"udp connections",
"data",
"datacrashpad",
"edge",
"passive dns",
"origin trial",
"gmt cache",
"sameorigin",
"443 ma2592000",
"ipv4 add",
"files",
"title",
"date",
"found",
"gmt content",
"hostname",
"verdict",
"error",
"code",
"present aug",
"present sep",
"aaaa",
"search",
"domain",
"present apr",
"present jun",
"address google",
"safe browsing",
"present oct",
"match info",
"mitre att",
"control ta0011",
"protocol t1071",
"protocol t1095",
"match medium",
"icmp traffic",
"port t1571",
"info",
"c0002 wininet",
"flag",
"markmonitor",
"domain address",
"contacted hosts",
"process details",
"size",
"iend ihdridatx",
"qrmf",
"qkdi",
"qiyay",
"kjtn8",
"r0x3",
"ihdridatx",
"yg6qp",
"kkrz",
"t6 ex",
"click",
"windir",
"openurl c",
"prefetch2",
"data upload",
"extraction",
"failed",
"please",
"your browser",
"learn",
"opera mozilla",
"firefox google",
"chrome remind",
"privacy policy",
"safety",
"google llc",
"youtube",
"mozilla firefox",
"safari google",
"edge opera",
"browse youtube",
"file",
"indicator",
"pattern match",
"ascii text",
"ck id",
"ck matrix",
"href",
"general",
"local",
"path",
"name tactics",
"suspicious",
"informative",
"command",
"adversaries",
"spawns",
"t1590 gather",
"victim network",
"files domain",
"files related",
"related tags",
"registrar",
"files ip",
"asn as15169",
"address domain",
"ip whois",
"service address",
"po box",
"city hayes",
"country gb",
"dnssec",
"domain name",
"emails",
"script urls",
"a domains",
"texas flyover",
"script domains",
"script script",
"trojan",
"meta",
"window",
"msie",
"chrome",
"twitter",
"unknown aaaa",
"record value",
"content type",
"united states",
"dynamicloader",
"medium",
"write c",
"high",
"show",
"digicert",
"olet",
"encrypt",
"win64",
"responder",
"write",
"next",
"unknown",
"install",
"dummy",
"entries",
"displayname",
"windows",
"united",
"tofsee",
"copy",
"stream",
"malware",
"hostile",
"body",
"hostile client",
"apollo",
"jaik",
"code overlap",
"sri lanka",
"pintuck sri",
"lanka",
"unknown ns",
"moved",
"buy apparal",
"win32",
"trojandropper",
"virtool",
"susp",
"ipv4",
"pulse pulses",
"urls",
"reverse dns",
"location united",
"installer"
],
"references": [
"https://www.youtube.com/watch?v=5KmpT-BoVf4",
"https://www.youtube.com/supported_browsers?next_url=https%3A%2F%2Fwww.youtube.com%2Fwatch%3Fv%3D5KmpT-BoVf4",
"critical-failure-alert8768.70jf59844149.com-1kafl-hs0pt4m8f.trade",
"http://www.whatbrowser.com/intl/en/ \u2022 ghb.console.adtarget.com.tr.88.1.8b13f8ac.roksit.net",
"canary5.nycl.do.ubersmith.com \u2022 debian-test.nyc3.do.ubersmith.com",
"docs-old.ubersmith.com \u2022 edgevana.trial.ubersmith.com",
"ghb.unoadsrv.com.88.1.8b13f8ac.roksit.net",
"malware.sale \u2022 http://virii.es/U/Using%20Entropy%20Analysis%20to%20Find%20Encrypted%20and%20Packed%20Malware.pdf",
"IDS: Win32/Tofsee.AX google.com connectivity check Query to a *.top domain -",
"Likely Hostile Http Client Body contains pwd= in cleartext Cleartext WordPress Login",
"Yara Detections: RansomWin32Apollo \u2022 216.239.32.27"
],
"public": 1,
"adversary": "",
"targeted_countries": [
"United States of America"
],
"malware_families": [
{
"id": "Win.Malware.Jaik-9968280-0",
"display_name": "Win.Malware.Jaik-9968280-0",
"target": null
},
{
"id": "Malware + Code Overlap",
"display_name": "Malware + Code Overlap",
"target": null
},
{
"id": "Trojan:Win32/Qbot.R!MTB",
"display_name": "Trojan:Win32/Qbot.R!MTB",
"target": "/malware/Trojan:Win32/Qbot.R!MTB"
},
{
"id": "Trojandownloader:Win32/Upatre",
"display_name": "Trojandownloader:Win32/Upatre",
"target": "/malware/Trojandownloader:Win32/Upatre"
},
{
"id": "Trojan:BAT/Musecador",
"display_name": "Trojan:BAT/Musecador",
"target": "/malware/Trojan:BAT/Musecador"
},
{
"id": "Win32:Trojan",
"display_name": "Win32:Trojan",
"target": null
},
{
"id": "Bancos",
"display_name": "Bancos",
"target": null
},
{
"id": "Hematite",
"display_name": "Hematite",
"target": null
},
{
"id": "Trojanspy:Win32/Banker.LY",
"display_name": "Trojanspy:Win32/Banker.LY",
"target": "/malware/Trojanspy:Win32/Banker.LY"
},
{
"id": "Trojan:Win32/Vflooder!rfn",
"display_name": "Trojan:Win32/Vflooder!rfn",
"target": "/malware/Trojan:Win32/Vflooder!rfn"
},
{
"id": "Win32:MalwareX",
"display_name": "Win32:MalwareX",
"target": null
},
{
"id": "Malwarex",
"display_name": "Malwarex",
"target": null
},
{
"id": "Virtool:Win32/CeeInject.AKZ!bit",
"display_name": "Virtool:Win32/CeeInject.AKZ!bit",
"target": "/malware/Virtool:Win32/CeeInject.AKZ!bit"
},
{
"id": "Win32:Dropper",
"display_name": "Win32:Dropper",
"target": null
},
{
"id": "Ymacco",
"display_name": "Ymacco",
"target": null
},
{
"id": "Upatre",
"display_name": "Upatre",
"target": null
},
{
"id": "Trojandownloader:Win32/Upatre.A",
"display_name": "Trojandownloader:Win32/Upatre.A",
"target": "/malware/Trojandownloader:Win32/Upatre.A"
},
{
"id": "Win32:Evo",
"display_name": "Win32:Evo",
"target": null
},
{
"id": "Trojandropper:Win32/BcryptInject.B!MSR",
"display_name": "Trojandropper:Win32/BcryptInject.B!MSR",
"target": "/malware/Trojandropper:Win32/BcryptInject.B!MSR"
},
{
"id": "Win32:TrojanX-gen\\ [Trj]",
"display_name": "Win32:TrojanX-gen\\ [Trj]",
"target": null
},
{
"id": "Win32:Cleaman-K\\ [Trj]",
"display_name": "Win32:Cleaman-K\\ [Trj]",
"target": null
},
{
"id": "Asacky",
"display_name": "Asacky",
"target": null
},
{
"id": "Backdoor:Win32/Plugx.N!dha",
"display_name": "Backdoor:Win32/Plugx.N!dha",
"target": "/malware/Backdoor:Win32/Plugx.N!dha"
}
],
"attack_ids": [
{
"id": "T1071",
"name": "Application Layer Protocol",
"display_name": "T1071 - Application Layer Protocol"
},
{
"id": "T1095",
"name": "Non-Application Layer Protocol",
"display_name": "T1095 - Non-Application Layer Protocol"
},
{
"id": "T1571",
"name": "Non-Standard Port",
"display_name": "T1571 - Non-Standard Port"
},
{
"id": "T1573",
"name": "Encrypted Channel",
"display_name": "T1573 - Encrypted Channel"
},
{
"id": "T1027",
"name": "Obfuscated Files or Information",
"display_name": "T1027 - Obfuscated Files or Information"
},
{
"id": "T1057",
"name": "Process Discovery",
"display_name": "T1057 - Process Discovery"
},
{
"id": "T1105",
"name": "Ingress Tool Transfer",
"display_name": "T1105 - Ingress Tool Transfer"
},
{
"id": "T1480",
"name": "Execution Guardrails",
"display_name": "T1480 - Execution Guardrails"
},
{
"id": "T1553",
"name": "Subvert Trust Controls",
"display_name": "T1553 - Subvert Trust Controls"
},
{
"id": "T1568",
"name": "Dynamic Resolution",
"display_name": "T1568 - Dynamic Resolution"
},
{
"id": "T1583",
"name": "Acquire Infrastructure",
"display_name": "T1583 - Acquire Infrastructure"
},
{
"id": "T1590",
"name": "Gather Victim Network Information",
"display_name": "T1590 - Gather Victim Network Information"
},
{
"id": "T1045",
"name": "Software Packing",
"display_name": "T1045 - Software Packing"
},
{
"id": "T1055",
"name": "Process Injection",
"display_name": "T1055 - Process Injection"
},
{
"id": "T1060",
"name": "Registry Run Keys / Startup Folder",
"display_name": "T1060 - Registry Run Keys / Startup Folder"
},
{
"id": "T1210",
"name": "Exploitation of Remote Services",
"display_name": "T1210 - Exploitation of Remote Services"
},
{
"id": "T1449",
"name": "Exploit SS7 to Redirect Phone Calls/SMS",
"display_name": "T1449 - Exploit SS7 to Redirect Phone Calls/SMS"
}
],
"industries": [
"Media"
],
"TLP": "white",
"cloned_from": null,
"export_count": 8,
"upvotes_count": 0,
"downvotes_count": 0,
"votes_count": 0,
"locked": false,
"pulse_source": "web",
"validator_count": 0,
"comment_count": 0,
"follower_count": 0,
"vote": 0,
"author": {
"username": "Q.Vashti",
"id": "337942",
"avatar_url": "https://otx.alienvault.com/assets/images/default-avatar.png",
"is_subscribed": false,
"is_following": false
},
"indicator_type_counts": {
"URL": 4746,
"hostname": 1829,
"domain": 913,
"FileHash-MD5": 249,
"FileHash-SHA1": 213,
"FileHash-SHA256": 1765,
"email": 3,
"SSLCertFingerprint": 17
},
"indicator_count": 9735,
"is_author": false,
"is_subscribing": null,
"subscriber_count": 140,
"modified_text": "186 days ago ",
"is_modified": true,
"groups": [],
"in_group": false,
"threat_hunter_scannable": true,
"threat_hunter_has_agents": 1,
"related_indicator_type": "URL",
"related_indicator_is_active": 1
},
{
"id": "65e576d419524d75af35a36e",
"name": "FormBook",
"description": "FormBook is an infostealer malware (malicious spyware). malicious code uses various hooks to gain access to keystrokes, screenshots, and other functions. The malware can also receive commands from its operator to steal information from browsers or download and execute other malware. As a MaaS offering, FormBook malware may be deployed by various threat actors. It's currently being use by a ,legal teams masquerading as government (might be \nlegitimate attorneys) law firm modifying and deleting front facing threats on various platforms. One firm has very poor reviews Corrupt. Others initiate malicious prosecution law suits. Social; engineering , intertwining malicious behavior.in every aspect of targets life from business banking, ancestry to aggressive match making attempts.",
"modified": "2024-04-03T05:03:03.527000",
"created": "2024-03-04T07:23:00.177000",
"tags": [
"resolutions",
"referrer",
"siblings",
"asn owner",
"historical ssl",
"contacted",
"high level",
"hackers",
"formbook",
"name verdict",
"falcon sandbox",
"report",
"united",
"registrar",
"creation date",
"search",
"emails",
"name",
"name servers",
"showing",
"unknown",
"scan endpoints",
"date",
"next",
"root ca",
"pattern match",
"authority",
"beginstring",
"class",
"mitre att",
"global root",
"ck id",
"show technique",
"ck matrix",
"null",
"accept",
"refresh",
"span",
"error",
"tools",
"body",
"look",
"verify",
"restart",
"hybrid",
"local",
"click",
"strings",
"files files",
"ssl certificate",
"tsara brashears",
"highly targeted",
"ransomware",
"dark power",
"play ransomware",
"malware",
"core",
"installer",
"awful",
"snatch",
"metro",
"service",
"critical",
"copy",
"execution",
"location united",
"asn as15169",
"less whois",
"as15169 google",
"status",
"entries",
"record value",
"servers",
"trojan",
"win32",
"aaaa",
"worm",
"passive dns",
"gmt cache",
"sameorigin",
"all scoreblue",
"ipv4",
"lowfi",
"domain related",
"urls",
"domain",
"nxdomain",
"hostname",
"users",
"yara detections",
"alerts",
"high",
"filehash",
"pulse pulses",
"av detections",
"ids detections",
"musicmaid",
"reader",
"office standard",
"high process",
"injection t1055",
"t1055",
"x00x00",
"icmp traffic",
"injection",
"hijacker",
"password",
"stealer",
"corruption",
"targeting",
"172.31.13.249"
],
"references": [
"gstatic.com",
"Unsupported/Fake Windows NT Version 5.0",
"Login privileges",
"172.31.13.249"
],
"public": 1,
"adversary": "",
"targeted_countries": [
"United States of America"
],
"malware_families": [
{
"id": "FormBook",
"display_name": "FormBook",
"target": null
},
{
"id": "Worm:Win32/Mofksys.RND!MTB",
"display_name": "Worm:Win32/Mofksys.RND!MTB",
"target": "/malware/Worm:Win32/Mofksys.RND!MTB"
},
{
"id": "Trojan:Win32/Dorv.B!rfn",
"display_name": "Trojan:Win32/Dorv.B!rfn",
"target": "/malware/Trojan:Win32/Dorv.B!rfn"
},
{
"id": "Trojan:Win32/Zombie.A",
"display_name": "Trojan:Win32/Zombie.A",
"target": "/malware/Trojan:Win32/Zombie.A"
},
{
"id": "Trojan:Win32/QQpass",
"display_name": "Trojan:Win32/QQpass",
"target": "/malware/Trojan:Win32/QQpass"
},
{
"id": "Trojan:Win32/Antavmu.D",
"display_name": "Trojan:Win32/Antavmu.D",
"target": "/malware/Trojan:Win32/Antavmu.D"
},
{
"id": "PWS:MSIL/Dcstl.GD!MTB",
"display_name": "PWS:MSIL/Dcstl.GD!MTB",
"target": "/malware/PWS:MSIL/Dcstl.GD!MTB"
},
{
"id": "#Lowfi:HSTR:MSIL/PossibleDownloader.S01",
"display_name": "#Lowfi:HSTR:MSIL/PossibleDownloader.S01",
"target": null
},
{
"id": "Win32:MalwareX-gen\\ [Trj]",
"display_name": "Win32:MalwareX-gen\\ [Trj]",
"target": null
}
],
"attack_ids": [
{
"id": "T1059",
"name": "Command and Scripting Interpreter",
"display_name": "T1059 - Command and Scripting Interpreter"
},
{
"id": "T1071",
"name": "Application Layer Protocol",
"display_name": "T1071 - Application Layer Protocol"
},
{
"id": "T1100",
"name": "Web Shell",
"display_name": "T1100 - Web Shell"
},
{
"id": "T1105",
"name": "Ingress Tool Transfer",
"display_name": "T1105 - Ingress Tool Transfer"
},
{
"id": "T1114",
"name": "Email Collection",
"display_name": "T1114 - Email Collection"
},
{
"id": "T1560",
"name": "Archive Collected Data",
"display_name": "T1560 - Archive Collected Data"
},
{
"id": "T1055",
"name": "Process Injection",
"display_name": "T1055 - Process Injection"
},
{
"id": "T1027",
"name": "Obfuscated Files or Information",
"display_name": "T1027 - Obfuscated Files or Information"
},
{
"id": "T1053",
"name": "Scheduled Task/Job",
"display_name": "T1053 - Scheduled Task/Job"
},
{
"id": "T1057",
"name": "Process Discovery",
"display_name": "T1057 - Process Discovery"
},
{
"id": "T1060",
"name": "Registry Run Keys / Startup Folder",
"display_name": "T1060 - Registry Run Keys / Startup Folder"
},
{
"id": "T1083",
"name": "File and Directory Discovery",
"display_name": "T1083 - File and Directory Discovery"
},
{
"id": "T1110.002",
"name": "Password Cracking",
"display_name": "T1110.002 - Password Cracking"
},
{
"id": "T1566",
"name": "Phishing",
"display_name": "T1566 - Phishing"
},
{
"id": "TA0011",
"name": "Command and Control",
"display_name": "TA0011 - Command and Control"
},
{
"id": "T1068",
"name": "Exploitation for Privilege Escalation",
"display_name": "T1068 - Exploitation for Privilege Escalation"
},
{
"id": "T1070.004",
"name": "File Deletion",
"display_name": "T1070.004 - File Deletion"
},
{
"id": "T1107",
"name": "File Deletion",
"display_name": "T1107 - File Deletion"
},
{
"id": "T1447",
"name": "Delete Device Data",
"display_name": "T1447 - Delete Device Data"
},
{
"id": "T1114.002",
"name": "Remote Email Collection",
"display_name": "T1114.002 - Remote Email Collection"
},
{
"id": "T1002",
"name": "Data Compressed",
"display_name": "T1002 - Data Compressed"
}
],
"industries": [],
"TLP": "white",
"cloned_from": null,
"export_count": 45,
"upvotes_count": 0,
"downvotes_count": 0,
"votes_count": 0,
"locked": false,
"pulse_source": "web",
"validator_count": 0,
"comment_count": 0,
"follower_count": 0,
"vote": 0,
"author": {
"username": "scoreblue",
"id": "254100",
"avatar_url": "/otxapi/users/avatar_image/media/avatars/user_254100/resized/80/avatar_3b9c358f36.png",
"is_subscribed": false,
"is_following": false
},
"indicator_type_counts": {
"URL": 3117,
"FileHash-MD5": 280,
"FileHash-SHA1": 286,
"FileHash-SHA256": 3773,
"domain": 1264,
"hostname": 1595,
"email": 6,
"CVE": 5
},
"indicator_count": 10326,
"is_author": false,
"is_subscribing": null,
"subscriber_count": 229,
"modified_text": "746 days ago ",
"is_modified": true,
"groups": [],
"in_group": false,
"threat_hunter_scannable": true,
"threat_hunter_has_agents": 1,
"related_indicator_type": "URL",
"related_indicator_is_active": 1
},
{
"id": "65e57f32581a900dfb272d05",
"name": "FormBook | 172.31.13.249",
"description": "",
"modified": "2024-04-03T05:03:03.527000",
"created": "2024-03-04T07:58:42.074000",
"tags": [
"resolutions",
"referrer",
"siblings",
"asn owner",
"historical ssl",
"contacted",
"high level",
"hackers",
"formbook",
"name verdict",
"falcon sandbox",
"report",
"united",
"registrar",
"creation date",
"search",
"emails",
"name",
"name servers",
"showing",
"unknown",
"scan endpoints",
"date",
"next",
"root ca",
"pattern match",
"authority",
"beginstring",
"class",
"mitre att",
"global root",
"ck id",
"show technique",
"ck matrix",
"null",
"accept",
"refresh",
"span",
"error",
"tools",
"body",
"look",
"verify",
"restart",
"hybrid",
"local",
"click",
"strings",
"files files",
"ssl certificate",
"tsara brashears",
"highly targeted",
"ransomware",
"dark power",
"play ransomware",
"malware",
"core",
"installer",
"awful",
"snatch",
"metro",
"service",
"critical",
"copy",
"execution",
"location united",
"asn as15169",
"less whois",
"as15169 google",
"status",
"entries",
"record value",
"servers",
"trojan",
"win32",
"aaaa",
"worm",
"passive dns",
"gmt cache",
"sameorigin",
"all scoreblue",
"ipv4",
"lowfi",
"domain related",
"urls",
"domain",
"nxdomain",
"hostname",
"users",
"yara detections",
"alerts",
"high",
"filehash",
"pulse pulses",
"av detections",
"ids detections",
"musicmaid",
"reader",
"office standard",
"high process",
"injection t1055",
"t1055",
"x00x00",
"icmp traffic",
"injection",
"hijacker",
"password",
"stealer",
"corruption",
"targeting",
"172.31.13.249"
],
"references": [
"gstatic.com",
"Unsupported/Fake Windows NT Version 5.0",
"Login privileges",
"172.31.13.249"
],
"public": 1,
"adversary": "",
"targeted_countries": [
"United States of America"
],
"malware_families": [
{
"id": "FormBook",
"display_name": "FormBook",
"target": null
},
{
"id": "Worm:Win32/Mofksys.RND!MTB",
"display_name": "Worm:Win32/Mofksys.RND!MTB",
"target": "/malware/Worm:Win32/Mofksys.RND!MTB"
},
{
"id": "Trojan:Win32/Dorv.B!rfn",
"display_name": "Trojan:Win32/Dorv.B!rfn",
"target": "/malware/Trojan:Win32/Dorv.B!rfn"
},
{
"id": "Trojan:Win32/Zombie.A",
"display_name": "Trojan:Win32/Zombie.A",
"target": "/malware/Trojan:Win32/Zombie.A"
},
{
"id": "Trojan:Win32/QQpass",
"display_name": "Trojan:Win32/QQpass",
"target": "/malware/Trojan:Win32/QQpass"
},
{
"id": "Trojan:Win32/Antavmu.D",
"display_name": "Trojan:Win32/Antavmu.D",
"target": "/malware/Trojan:Win32/Antavmu.D"
},
{
"id": "PWS:MSIL/Dcstl.GD!MTB",
"display_name": "PWS:MSIL/Dcstl.GD!MTB",
"target": "/malware/PWS:MSIL/Dcstl.GD!MTB"
},
{
"id": "#Lowfi:HSTR:MSIL/PossibleDownloader.S01",
"display_name": "#Lowfi:HSTR:MSIL/PossibleDownloader.S01",
"target": null
},
{
"id": "Win32:MalwareX-gen\\ [Trj]",
"display_name": "Win32:MalwareX-gen\\ [Trj]",
"target": null
}
],
"attack_ids": [
{
"id": "T1059",
"name": "Command and Scripting Interpreter",
"display_name": "T1059 - Command and Scripting Interpreter"
},
{
"id": "T1071",
"name": "Application Layer Protocol",
"display_name": "T1071 - Application Layer Protocol"
},
{
"id": "T1100",
"name": "Web Shell",
"display_name": "T1100 - Web Shell"
},
{
"id": "T1105",
"name": "Ingress Tool Transfer",
"display_name": "T1105 - Ingress Tool Transfer"
},
{
"id": "T1114",
"name": "Email Collection",
"display_name": "T1114 - Email Collection"
},
{
"id": "T1560",
"name": "Archive Collected Data",
"display_name": "T1560 - Archive Collected Data"
},
{
"id": "T1055",
"name": "Process Injection",
"display_name": "T1055 - Process Injection"
},
{
"id": "T1027",
"name": "Obfuscated Files or Information",
"display_name": "T1027 - Obfuscated Files or Information"
},
{
"id": "T1053",
"name": "Scheduled Task/Job",
"display_name": "T1053 - Scheduled Task/Job"
},
{
"id": "T1057",
"name": "Process Discovery",
"display_name": "T1057 - Process Discovery"
},
{
"id": "T1060",
"name": "Registry Run Keys / Startup Folder",
"display_name": "T1060 - Registry Run Keys / Startup Folder"
},
{
"id": "T1083",
"name": "File and Directory Discovery",
"display_name": "T1083 - File and Directory Discovery"
},
{
"id": "T1110.002",
"name": "Password Cracking",
"display_name": "T1110.002 - Password Cracking"
},
{
"id": "T1566",
"name": "Phishing",
"display_name": "T1566 - Phishing"
},
{
"id": "TA0011",
"name": "Command and Control",
"display_name": "TA0011 - Command and Control"
},
{
"id": "T1068",
"name": "Exploitation for Privilege Escalation",
"display_name": "T1068 - Exploitation for Privilege Escalation"
},
{
"id": "T1070.004",
"name": "File Deletion",
"display_name": "T1070.004 - File Deletion"
},
{
"id": "T1107",
"name": "File Deletion",
"display_name": "T1107 - File Deletion"
},
{
"id": "T1447",
"name": "Delete Device Data",
"display_name": "T1447 - Delete Device Data"
},
{
"id": "T1114.002",
"name": "Remote Email Collection",
"display_name": "T1114.002 - Remote Email Collection"
},
{
"id": "T1002",
"name": "Data Compressed",
"display_name": "T1002 - Data Compressed"
}
],
"industries": [],
"TLP": "white",
"cloned_from": "65e576d419524d75af35a36e",
"export_count": 45,
"upvotes_count": 0,
"downvotes_count": 0,
"votes_count": 0,
"locked": false,
"pulse_source": "web",
"validator_count": 0,
"comment_count": 0,
"follower_count": 0,
"vote": 0,
"author": {
"username": "OctoSeek",
"id": "243548",
"avatar_url": "/otxapi/users/avatar_image/media/avatars/user_243548/resized/80/avatar_3b9c358f36.png",
"is_subscribed": false,
"is_following": false
},
"indicator_type_counts": {
"URL": 3117,
"FileHash-MD5": 280,
"FileHash-SHA1": 286,
"FileHash-SHA256": 3773,
"domain": 1264,
"hostname": 1595,
"email": 6,
"CVE": 5
},
"indicator_count": 10326,
"is_author": false,
"is_subscribing": null,
"subscriber_count": 223,
"modified_text": "746 days ago ",
"is_modified": true,
"groups": [],
"in_group": false,
"threat_hunter_scannable": true,
"threat_hunter_has_agents": 1,
"related_indicator_type": "URL",
"related_indicator_is_active": 1
}
],
"error": null,
"vt": {
"error": "VirusTotal rate limit reached. Try again shortly.",
"indicator": "https://www.youtube.sg",
"type": "URL"
},
"abuseipdb": null,
"urlhaus": {
"indicator": "https://www.youtube.sg",
"type": "URL",
"found": false,
"verdict": "clean",
"error": null
},
"from_cache": true,
"_cached_at": 1776619817.4241128
}