{ "type": "URL", "indicator": "https://yi2.blownawayvaping.com/", "general": { "sections": [ "general", "url_list", "http_scans", "screenshot" ], "indicator": "https://yi2.blownawayvaping.com/", "type": "url", "type_title": "URL", "validation": [], "base_indicator": { "id": 3920821414, "indicator": "https://yi2.blownawayvaping.com/", "type": "URL", "title": "", "description": "", "content": "", "access_type": "public", "access_reason": "" }, "pulse_info": { "count": 3, "pulses": [ { "id": "6940b852c28f2a2c6abb4aad", "name": "FRITZ!Box \u2026.Connecting to Apple devices", "description": "Connecting to targeted Apple\ndevices overnight. \n\nHow to connect to the FRITZ!Box, how to access all of the product's functions, and what to do with the device if you are not connected to it in your home network.", "modified": "2026-01-15T01:02:47.757000", "created": "2025-12-16T01:39:30.381000", "tags": [ "fritz", "strong", "main navigation", "deutsch", "englisch", "funktionen der", "verbindung zur", "wifi", "ip address", "box avm", "lowfi", "win32", "susp", "urls", "files", "asn as44716", "related tags", "indicator facts", "germany unknown", "a domains", "meta", "typo3", "body doctype", "kasper skaarhoj", "gmt server", "pragma", "a nxdomain", "nxdomain", "whitelisted", "present aug", "present jul", "present oct", "present jun", "united", "present sep", "present nov", "next http", "scans show", "title", "div div", "a li", "wir suchen", "li ul", "avm karriere", "dich a", "reverse dns", "berlin", "germany asn", "dns resolutions", "domains top", "level", "unique tlds", "related pulses", "none related", "passive dns", "ipv4", "url analysis", "present dec", "moved", "certificate", "vertriebs gmbh", "aaaa", "as12732 gutcon", "domain", "hostname", "verdict", "files ip", "address", "germany", "as13335", "as8220 colt", "present may", "united kingdom", "regsetvalueexa", "regdword", "regbinary", "show", "yara detections", "regsetvalueexw", "regsz", "medium", "suspicious", "delphi", "malware", "write", "as6878", "msie", "chrome", "gmt content", "germany showing", "createobject", "set http", "search", "high", "read c", "et trojan", "jfif", "ascii text", "detected", "trojan generic", "checkin", "pony downloader", "http library", "virustotal", "riskware", "mcafee", "drweb", "vipre", "trojan", "panda", "next", "unknown", "as15169 google", "status", "name servers", "record value", "emails", "error", "trojandropper", "results dec", "ddos", "worm", "mtb trojan", "mtb apr", "exev2e", "ia256", "extraction", "get http", "post http", "learn", "command", "ck id", "name tactics", "informative", "spawns", "mitre att", "ck techniques", "evasion att", "germany germany", "windir", "openurl c", "prefetch2", "analysis", "tor analysis", "dns requests", "domain address", "contacted hosts", "pattern match", "show technique", "ck matrix", "show process", "network traffic", "t1057", "t1071", "hybrid", "local", "path", "t1204 user", "defense evasion", "t1480 execution", "sha1", "sha256", "size", "script", "null", "span", "refresh", "footer", "body", "june", "general", "click", "strings", "tools", "tracker", "code", "look", "verify", "restart", "bad traffic", "et info", "tls handshake", "failure", "process details", "flag", "link", "present feb", "servers", "redacted for", "as20546 soprado", "encrypt", "mtb sep", "ransom", "next associated", "twitter", "virtool", "hostname add", "location russia", "as200350", "russia unknown", "federation flag", "ipv4 add", "asn as200350", "related", "domain add", "unknown ns", "expiration date", "http version", "windows nt", "gbot", "post method", "port", "destination", "delete", "get na", "as15169", "expiration", "url https", "no expiration", "showing", "entries", "url add", "pulse pulses", "http", "files domain", "files related", "pulses none", "unknown cname", "cname", "asn as24940", "less", "date", "pulse submit" ], "references": [ "https://fritz.box/login | router.box | wlan.box | mesh.box | myfritz.box | https://business.kozow.com/bbox/ |", "https://avm.de/ Connection: close Content Type: text/html charset=iso 8859 1", "AVM Computersysteme Vertriebs GmbH Certificate Subject: IT Certificate Subject *.avm.de Certificate Issuer: US", "Certificate Issuer: DigiCert Inc Certificate Issuer: |DigiCert SHA2 Secur Server CA", "Subject: DE Certificate Subject: Berlin Certificate Subject", "https://uutiskirje.professiogroup.com/go/54382390-5506438-191003959\u241d", "http://b25d1a05.click.convertkit-mail2.com \u2022 https://b25d1a05.click.convertkit-mail2.com", "https://push.adac.passcreator.com/ | passcreator-metrics.e07cc1.flownative.cloud", "ecs-80-158-49-8.reverse.open-telekom-cloud.com", "http://24.211.14.182:5555/login.htm?page=%2F | s5wpr2nreqby04v9.myfritz.ne", "HYPERTRM.EXE - FileHash-SHA256 21cf992aba3d4adbc8a6bd65337f46a93983fbec8fe0f4639be826571ae469ba", "Copyright \u00a9 Hilgraeve, Inc. 2001 Product Microsoft\u00ae Windows\u00ae Operating System Description HyperTerminal Applet", "Original Name HYPERTRM.EXE Internal Name HyperTrm File Version 5.1.2600.0", "Comments HyperTerminal \u00ae was developed by Hilgraeve, Inc. for Microsoft", "ET POLICY Windows 98 User-Agent Detected - Possible Malware or Non-Updated System", "ET POLICY Unsupported/Fake Internet Explorer Version MSIE 5.\t192.168.56.103\t173.194.113.114", "ET TROJAN Trojan Generic - POST To gate.php with no referer\t192.168.56.103\t173.194.113.114", "ET TROJAN Fareit/Pony Downloader Checkin 2\t192.168.56.103\t173.194.113.114", "ET TROJAN Pony Downloader HTTP Library MSIE 5 Win98\t192.168.56.103\t173.194.113.114", "http://applewaebastian.fritz.box/ \u2022 applewaebastian.fritz.box", "http://netuser.joymeng.com/charge_apple/notify", "https://www.passcreator.com/en/apple-wallet-passes", "https://sso.myfritz.net/static/images/icons/apple-touch-icon-76x76.png No", "apple-business.cancom.at", "Apple - 162.55.158.153", "Crypt2.AZDI - FileHash-SHA256 62ffd7a3a21a5732870c4ad92fad7287a5270e4a5508752cfef0aa6f9ea30d1f", "Inject.BRDV - FileHash-SHA256\t25f639cdaae06656ab5e0cc80512146aa59097439c388dd15e4cc09343d9a283", "Win32:Androp - FileHash-MD5 99c6c9564af67a954661ebf6e41391d2", "#LowFi:Tool:Win32/VbsToExeV2E - FileHash-MD5\t99c8310538a090d2b7e5db3ea22b839a", "#LowFi:Tool:Win32/VbsToExeV2E - FileHash-SHA1-2f7189e96cda26dbb6948354667fdd1ad37c04c0", "#LowFi:Tool:Win32/VbsToExeV2E - FileHash-SHA256\tae2fb6755dbf52fa44e427fbe0f29bf541aeedf66656edeb08ba9d7ef1617afc", "Ip Traffic: TCP 74.125.24.106:80 (googleapis.com) TCP 85.195.91.179:80 (catch-cdn.com) UDP :53", "ALF:CERT:Adware:Win32/Peapoon Win.Malware.Midie-6847893-0\tTrojanDropper:Win32/Muldrop.V!MTB Win.Malware.Generickdz-9938530-0\tTrojan:Win32/Zombie.A Win.Malware.Genpack-6989317-0\tTrojanDropper:Win32/VB.IL Win.Trojan.VBGeneric-6735875-0\tWorm:Win32/Mofksys" ], "public": 1, "adversary": "", "targeted_countries": [], "malware_families": [ { "id": "#LowFi:Tool:Win32/VbsToExeV2E", "display_name": "#LowFi:Tool:Win32/VbsToExeV2E", "target": null }, { "id": "ET", "display_name": "ET", "target": null }, { "id": "Androp", "display_name": "Androp", "target": null }, { "id": "Inject.BRDV", "display_name": "Inject.BRDV", "target": null }, { "id": "Win32:Androp", "display_name": "Win32:Androp", "target": null }, { "id": "Crypt2.AZDI", "display_name": "Crypt2.AZDI", "target": null }, { "id": "TEL:MSIL/DlSocConSend", "display_name": "TEL:MSIL/DlSocConSend", "target": "/malware/TEL:MSIL/DlSocConSend" }, { "id": "DDOS:Linux/Lightaidra", "display_name": "DDOS:Linux/Lightaidra", "target": "/malware/DDOS:Linux/Lightaidra" }, { "id": "ALF:HeraklezEval:Trojan:Win32/Ymacco.AA47", "display_name": "ALF:HeraklezEval:Trojan:Win32/Ymacco.AA47", "target": null }, { "id": "Trojan:Win32/Salgorea.C!MTB", "display_name": "Trojan:Win32/Salgorea.C!MTB", "target": "/malware/Trojan:Win32/Salgorea.C!MTB" }, { "id": "Worm:Win32/Autorun.XFV", "display_name": "Worm:Win32/Autorun.XFV", "target": "/malware/Worm:Win32/Autorun.XFV" }, { "id": "Trojan:Win32/Blihan.A", "display_name": "Trojan:Win32/Blihan.A", "target": "/malware/Trojan:Win32/Blihan.A" }, { "id": "Worm:Win32/Yuner.A", "display_name": "Worm:Win32/Yuner.A", "target": "/malware/Worm:Win32/Yuner.A" }, { "id": "Win.Trojan.Zegost", "display_name": "Win.Trojan.Zegost", "target": null }, { "id": "PWS:Win32/QQpass", "display_name": "PWS:Win32/QQpass", "target": "/malware/PWS:Win32/QQpass" }, { "id": "Trojan:Win32/Glupteba.MT!MTB", "display_name": "Trojan:Win32/Glupteba.MT!MTB", "target": "/malware/Trojan:Win32/Glupteba.MT!MTB" }, { "id": "Trojan:Win32/QQpass", "display_name": "Trojan:Win32/QQpass", "target": "/malware/Trojan:Win32/QQpass" }, { "id": "Win.Trojan.Generic", "display_name": "Win.Trojan.Generic", "target": null }, { "id": "TrojanDropper:Win32/Muldrop.V!MTB", "display_name": "TrojanDropper:Win32/Muldrop.V!MTB", "target": "/malware/TrojanDropper:Win32/Muldrop.V!MTB" }, { "id": "Win32/Trickler", "display_name": "Win32/Trickler", "target": null }, { "id": "Win.Malware.Hd0kzai-9985588-0", "display_name": "Win.Malware.Hd0kzai-9985588-0", "target": null }, { "id": "Trojan:Win32/Aenjaris.AL!bit", "display_name": "Trojan:Win32/Aenjaris.AL!bit", "target": "/malware/Trojan:Win32/Aenjaris.AL!bit" }, { "id": "Trojan:Win32/Agent.AG!MTB", "display_name": "Trojan:Win32/Agent.AG!MTB", "target": "/malware/Trojan:Win32/Agent.AG!MTB" }, { "id": "Trojan:Win32/Salgorea", "display_name": "Trojan:Win32/Salgorea", "target": "/malware/Trojan:Win32/Salgorea" }, { "id": "Win.Malware.Barys-6840738-0", "display_name": "Win.Malware.Barys-6840738-0", "target": null }, { "id": "Unruy", "display_name": "Unruy", "target": null }, { "id": "Trojan:Win32/EyeStye.T", "display_name": "Trojan:Win32/EyeStye.T", "target": "/malware/Trojan:Win32/EyeStye.T" }, { "id": "wormWin32/Mofksys.RND!MTB", "display_name": "wormWin32/Mofksys.RND!MTB", "target": null }, { "id": "TrojanDropper:Win32/VB.IL", "display_name": "TrojanDropper:Win32/VB.IL", "target": "/malware/TrojanDropper:Win32/VB.IL" }, { "id": "CVE 2007695", "display_name": "CVE 2007695", "target": null } ], "attack_ids": [ { "id": "T1008", "name": "Fallback Channels", "display_name": "T1008 - Fallback Channels" }, { "id": "T1566", "name": "Phishing", "display_name": "T1566 - Phishing" }, { "id": "T1045", "name": "Software Packing", "display_name": "T1045 - Software Packing" }, { "id": "T1070", "name": "Indicator Removal on Host", "display_name": "T1070 - Indicator Removal on Host" }, { "id": "T1119", "name": "Automated Collection", "display_name": "T1119 - Automated Collection" }, { "id": "T1129", "name": "Shared Modules", "display_name": "T1129 - Shared Modules" }, { "id": "T1140", "name": "Deobfuscate/Decode Files or Information", "display_name": "T1140 - Deobfuscate/Decode Files or Information" }, { "id": "T1027", "name": "Obfuscated Files or Information", "display_name": "T1027 - Obfuscated Files or Information" }, { "id": "T1057", "name": "Process Discovery", "display_name": "T1057 - Process Discovery" }, { "id": "T1069", "name": "Permission Groups Discovery", "display_name": "T1069 - Permission Groups Discovery" }, { "id": "T1071", "name": "Application Layer Protocol", "display_name": "T1071 - Application Layer Protocol" }, { "id": "T1105", "name": "Ingress Tool Transfer", "display_name": "T1105 - Ingress Tool Transfer" }, { "id": "T1480", "name": "Execution Guardrails", "display_name": "T1480 - Execution Guardrails" }, { "id": "T1553", "name": "Subvert Trust Controls", "display_name": "T1553 - Subvert Trust Controls" }, { "id": "T1568", "name": "Dynamic Resolution", "display_name": "T1568 - Dynamic Resolution" }, { "id": "T1204", "name": "User Execution", "display_name": "T1204 - User Execution" }, { "id": "T1113", "name": "Screen Capture", "display_name": "T1113 - Screen Capture" }, { "id": "T1053", "name": "Scheduled Task/Job", "display_name": "T1053 - Scheduled Task/Job" }, { "id": "T1060", "name": "Registry Run Keys / Startup Folder", "display_name": "T1060 - Registry Run Keys / Startup Folder" } ], "industries": [], "TLP": "white", "cloned_from": null, "export_count": 6, "upvotes_count": 0, "downvotes_count": 0, "votes_count": 0, "locked": false, "pulse_source": "web", "validator_count": 0, "comment_count": 0, "follower_count": 0, "vote": 0, "author": { "username": "Q.Vashti", "id": "337942", "avatar_url": "https://otx.alienvault.com/assets/images/default-avatar.png", "is_subscribed": false, "is_following": false }, "indicator_type_counts": { "domain": 927, "hostname": 2093, "FileHash-SHA256": 1474, "URL": 5935, "FileHash-MD5": 351, "FileHash-SHA1": 252, "email": 5, "CVE": 1, "SSLCertFingerprint": 2 }, "indicator_count": 11040, "is_author": false, "is_subscribing": null, "subscriber_count": 139, "modified_text": "95 days ago ", "is_modified": true, "groups": [], "in_group": false, "threat_hunter_scannable": true, "threat_hunter_has_agents": 1, "related_indicator_type": "URL", "related_indicator_is_active": 1 }, { "id": "68c6026160a826c170a8ce93", "name": "Mira - Targeted attacks that demolished victim/s Media Platforms", "description": "Targeted attacks that demolished victim/s Media Platforms. \nDangerous crowd, bullied till the end, murder attempted hit by a vehicle many times on a one way. 22 year old who walked after attempting to drive her off I-25 Denver. Suffered more life threatening injuries. \nMonitored target. Crime: unwilling female trapped under nasty physical therapists crotch. No charges, no questions. No treatments except one SCI surgery that was 5 years too late. \nDenver is nuts. Denver law enforcement , quasi government , CBI & attorneys are corrupted. There\u2019s something to the wicked DIA theories. I wonder how many others have been silenced to death behind corporate greed. The PT who caused all\nof this is thoroughly treated as a victim. Family moved to safety? She was never the threat. TLB will always rest assured sheltered in the arms of God like she believed.\n#theft #rip #paypal #drive-by_compromise #mira #spotify #youtube #trulymissed", "modified": "2025-10-13T22:27:44.477000", "created": "2025-09-13T23:46:41.355000", "tags": [ "http traffic", "iframe src", "https http", "re att", "access ta0001", "t1189 severity", "info found", "command", "control ta0011", "protocol t1071", "info", "resolved ips", "ip traffic", "pattern domains", "pattern urls", "tls sni", "get http", "dns resolutions", "windows nt", "win64", "khtml", "gecko", "response", "user", "rules not", "registry keys", "detections not", "found mitre", "info ids", "sandbox", "number", "algorithm", "azure rsa", "tls issuing", "cus subject", "stwa lredmond", "cnmicrosoft ecc", "update secure", "server ca", "omicrosoft cus", "ip address", "port", "http", "url data", "accept", "gmt ifnonematch", "network dropped", "duration cuckoo", "version file", "machine label", "manager", "shutdown", "udp connections", "http requests", "cname", "nxdomain", "involved direct", "country name", "parent pid", "full path", "command line", "t1055 process", "layer protocol", "access t1189", "defense evasion", "discovery t1082", "control t1573", "youtube", "spotify", "spotify", "colorado blows" ], "references": [ "https://forward.ro/", "https://vtbehaviour.commondatastorage.googleapis.com/db4e2e018a3e7f1227d7ee73590290cbd2c5f85083d7d2cd2bfbfce2d86bc85b_Zenbox.html?GoogleAccessId=758681729565-rc7fgq07icj8c9dm2gi34a4cckv235v1@developer.gserviceaccount.com&Expires=1757802136&Signature=ZMB94nTTqlBqbckg%2Bto3APyffn72wQ8c%2BtAJCCTNE3HE7lF3WYAXyjdMPB0xKY6TVdQIXYiGj6C8cK925JJttjjW91Be%2BG5oJQ2Tkmou66cPgSgOdOAQEKXq2RNXSvvZUTKgJSbxJritEPsUDcE%2FOZrDG1fY%2FtVq7cxQdLdhKacpB%2FiFLNzlcCWDCLJtwGhyRwoESchlxvvy%2Bazy40CNs35Eiw1rci3tBqQS97F7mBV1GnSrz%2FFZKh", "http://clients2.google.com/time/1/current?cup2key=8:ZnsjfqkCHZe8ziQKNl-PZVHX2EXyFv9m6Q0Dnd_a_t8&cup2hreq=e3b0c44298fc1c149afbf4c8996fb92427ae41e4649b934ca495991b7852b855", "Colorado corruption will be exposed one day.", "Discovery of targets pirated music led to her website down the next day! After 9 years?", "These greedy people & government grifters steal money from victims, including life insurance policies", "Stop following targets relatives everywhere , associates. Stop circling former residence..", "Targets mother passed in 2014. So much malicious activity obituary had to be taken down when hackers put target in obituary", "Targets mother died in her bed in Castke Rock, Douglasc County, Colorado", "Moms body moved by Douglas County to Jefferson County after cause of death ruled natural causes.", "Jefferson County, Coroner falsely states Mom died in car accident in Lakewood on death certificate .", "This information was brought to target by concerned entities who handled body.", "Off subject: Don\u2019t try to kill Tucker Carlson for asking valid questions about an apparent murder Sam.", "First they discredit you, wear you down mentally , hunt you down , then\u2026.They have to deal with God.", "Sorry! I can\u2019t help being upset about the unfairness of this constant cruel harassment.", "Jeffrey Scott Reiner was considered a skilled predator by Bryan Counts MD. He later attacked target." ], "public": 1, "adversary": "", "targeted_countries": [ "United States of America" ], "malware_families": [ { "id": "All", "display_name": "All", "target": null } ], "attack_ids": [ { "id": "T1071", "name": "Application Layer Protocol", "display_name": "T1071 - Application Layer Protocol" }, { "id": "T1189", "name": "Drive-by Compromise", "display_name": "T1189 - Drive-by Compromise" }, { "id": "T1573", "name": "Encrypted Channel", "display_name": "T1573 - Encrypted Channel" }, { "id": "T1055", "name": "Process Injection", "display_name": "T1055 - Process Injection" }, { "id": "T1082", "name": "System Information Discovery", "display_name": "T1082 - System Information Discovery" }, { "id": "T1095", "name": "Non-Application Layer Protocol", "display_name": "T1095 - Non-Application Layer Protocol" }, { "id": "T1210", "name": "Exploitation of Remote Services", "display_name": "T1210 - Exploitation of Remote Services" }, { "id": "T1566", "name": "Phishing", "display_name": "T1566 - Phishing" } ], "industries": [ "Government", "Financial", "Media", "Targets" ], "TLP": "white", "cloned_from": null, "export_count": 2, "upvotes_count": 0, "downvotes_count": 0, "votes_count": 0, "locked": false, "pulse_source": "web", "validator_count": 0, "comment_count": 0, "follower_count": 0, "vote": 0, "author": { "username": "Q.Vashti", "id": "337942", "avatar_url": "https://otx.alienvault.com/assets/images/default-avatar.png", "is_subscribed": false, "is_following": false }, "indicator_type_counts": { "URL": 781, "hostname": 339, "FileHash-SHA256": 697, "FileHash-MD5": 112, "domain": 152, "FileHash-SHA1": 2 }, "indicator_count": 2083, "is_author": false, "is_subscribing": null, "subscriber_count": 138, "modified_text": "188 days ago ", "is_modified": true, "groups": [], "in_group": false, "threat_hunter_scannable": true, "threat_hunter_has_agents": 1, "related_indicator_type": "URL", "related_indicator_is_active": 1 }, { "id": "66933b9c8be1a5b9e24de941", "name": "Worm:Win32/Enosch - Affecting YouTube, Google and more", "description": "", "modified": "2024-08-13T02:01:24.759000", "created": "2024-07-14T02:44:44.457000", "tags": [ "june", "october", "july", "tracking", "december", "apple ios", "relacionada", "partru", "plugx", "cryptbot", "hacktool", "lockbit", "as8075", "united", "slot1", "mascore2", "bcnt1", "nct1", "arc1", "ems1", "auth1", "localeenus", "date", "default", "show", "regsetvalueexa", "search", "regdword", "medium", "settingswpad", "delete", "ids detections", "yara detections", "worm", "malware", "copy", "write", "win32", "unknown", "asnone united", "as14061", "status", "creation date", "name servers", "cname", "next", "passive dns", "as15169 google", "gmt cache", "sameorigin", "443 ma2592000", "scan endpoints", "all scoreblue", "ipv4", "pulse pulses", "urls", "as63949 linode", "html", "gmt content", "moved", "encrypt", "body", "record value", "emails", "domain name", "error", "code", "algorithm", "key usage", "v3 serial", "number", "public key", "info", "key algorithm", "subject key", "identifier", "x509v3 crl", "first", "as6185 apple", "japan", "as8068", "as714 apple", "aaaa", "as32244 liquid", "nxdomain", "as44273 host", "script urls", "meta", "as31154 toyota", "belgium unknown", "belgium", "pulse submit", "url analysis", "win32 exe", "android", "servers", "files", "name", "domain", "ashley", "sylvia", "sonja", "file type", "karin", "gina", "christine", "kathrin", "sandy" ], "references": [ "http://www.google.com/images/errors/robot.png", "beacons.bcp.gvt.com, desktop.google.co.id, drive.google.com, google.com , https.www.google.com", "nr-data.net [Apple Private Data Collection]", "47.courier-push-apple.com.akadns.net", "Antivirus Detections: Win32:Agent-ASTI\\ [Trj] , Win.Trojan.Agent-357800 , Worm:Win32/Enosch!atmn", "IDS Detections: Win32/Enosch.A gtalk connectivity check | Yara Detections: md5_constants", "Alerts: network_icmp network_smtp persistence_autorun modifies_proxy_wpad dumped_buffer", "Alerts: network_http antivm_network_adapters smtp_gmail antivm_queries_computername checks_debugger", "Worm:Win32/Enosch: FileHash-SHA256\t00001fce075ec7fe698d6ede804939221afcf40750027fde6b29a75af85ea2cc", "Worm:Win32/Enosch: FileHash-SHA1 c1f7aeab8ae436f1e94bce12a465db736850f4d5", "Worm:Win32/Enosch: FileHash-MD5 c98108ca8f4e0dd8a3f63d4ac490e115", "https://www.pornhub.com/gifs/search?search=tsara+lynn+brashears+lesbian [Unlocker]" ], "public": 1, "adversary": "", "targeted_countries": [ "United States of America" ], "malware_families": [ { "id": "Worm:Win32/Enosch!atmn", "display_name": "Worm:Win32/Enosch!atmn", "target": "/malware/Worm:Win32/Enosch!atmn" } ], "attack_ids": [ { "id": "T1040", "name": "Network Sniffing", "display_name": "T1040 - Network Sniffing" }, { "id": "T1053", "name": "Scheduled Task/Job", "display_name": "T1053 - Scheduled Task/Job" }, { "id": "T1060", "name": "Registry Run Keys / Startup Folder", "display_name": "T1060 - Registry Run Keys / Startup Folder" } ], "industries": [ "Media", "Technology" ], "TLP": "green", "cloned_from": null, "export_count": 26, "upvotes_count": 0, "downvotes_count": 0, "votes_count": 0, "locked": false, "pulse_source": "web", "validator_count": 0, "comment_count": 0, "follower_count": 0, "vote": 0, "author": { "username": "scoreblue", "id": "254100", "avatar_url": "/otxapi/users/avatar_image/media/avatars/user_254100/resized/80/avatar_3b9c358f36.png", "is_subscribed": false, "is_following": false }, "indicator_type_counts": { "FileHash-MD5": 146, "FileHash-SHA1": 126, "FileHash-SHA256": 1422, "URL": 377, "domain": 889, "hostname": 418, "SSLCertFingerprint": 1, "email": 10 }, "indicator_count": 3389, "is_author": false, "is_subscribing": null, "subscriber_count": 225, "modified_text": "615 days ago ", "is_modified": true, "groups": [], "in_group": false, "threat_hunter_scannable": true, "threat_hunter_has_agents": 1, "related_indicator_type": "URL", "related_indicator_is_active": 1 } ], "references": [ "Moms body moved by Douglas County to Jefferson County after cause of death ruled natural causes.", "Discovery of targets pirated music led to her website down the next day! After 9 years?", "Worm:Win32/Enosch: FileHash-SHA256\t00001fce075ec7fe698d6ede804939221afcf40750027fde6b29a75af85ea2cc", "ecs-80-158-49-8.reverse.open-telekom-cloud.com", "#LowFi:Tool:Win32/VbsToExeV2E - FileHash-MD5\t99c8310538a090d2b7e5db3ea22b839a", "beacons.bcp.gvt.com, desktop.google.co.id, drive.google.com, google.com , https.www.google.com", "First they discredit you, wear you down mentally , hunt you down , then\u2026.They have to deal with God.", "IDS Detections: Win32/Enosch.A gtalk connectivity check | Yara Detections: md5_constants", "Apple - 162.55.158.153", "Alerts: network_icmp network_smtp persistence_autorun modifies_proxy_wpad dumped_buffer", "Certificate Issuer: DigiCert Inc Certificate Issuer: |DigiCert SHA2 Secur Server CA", "ET TROJAN Trojan Generic - POST To gate.php with no referer\t192.168.56.103\t173.194.113.114", "Antivirus Detections: Win32:Agent-ASTI\\ [Trj] , Win.Trojan.Agent-357800 , Worm:Win32/Enosch!atmn", "HYPERTRM.EXE - FileHash-SHA256 21cf992aba3d4adbc8a6bd65337f46a93983fbec8fe0f4639be826571ae469ba", "This information was brought to target by concerned entities who handled body.", "http://b25d1a05.click.convertkit-mail2.com \u2022 https://b25d1a05.click.convertkit-mail2.com", "https://sso.myfritz.net/static/images/icons/apple-touch-icon-76x76.png No", "Sorry! I can\u2019t help being upset about the unfairness of this constant cruel harassment.", "Comments HyperTerminal \u00ae was developed by Hilgraeve, Inc. for Microsoft", "ET POLICY Unsupported/Fake Internet Explorer Version MSIE 5.\t192.168.56.103\t173.194.113.114", "https://forward.ro/", "http://applewaebastian.fritz.box/ \u2022 applewaebastian.fritz.box", "ET TROJAN Pony Downloader HTTP Library MSIE 5 Win98\t192.168.56.103\t173.194.113.114", "https://vtbehaviour.commondatastorage.googleapis.com/db4e2e018a3e7f1227d7ee73590290cbd2c5f85083d7d2cd2bfbfce2d86bc85b_Zenbox.html?GoogleAccessId=758681729565-rc7fgq07icj8c9dm2gi34a4cckv235v1@developer.gserviceaccount.com&Expires=1757802136&Signature=ZMB94nTTqlBqbckg%2Bto3APyffn72wQ8c%2BtAJCCTNE3HE7lF3WYAXyjdMPB0xKY6TVdQIXYiGj6C8cK925JJttjjW91Be%2BG5oJQ2Tkmou66cPgSgOdOAQEKXq2RNXSvvZUTKgJSbxJritEPsUDcE%2FOZrDG1fY%2FtVq7cxQdLdhKacpB%2FiFLNzlcCWDCLJtwGhyRwoESchlxvvy%2Bazy40CNs35Eiw1rci3tBqQS97F7mBV1GnSrz%2FFZKh", "ET POLICY Windows 98 User-Agent Detected - Possible Malware or Non-Updated System", "https://www.passcreator.com/en/apple-wallet-passes", "https://uutiskirje.professiogroup.com/go/54382390-5506438-191003959\u241d", "http://24.211.14.182:5555/login.htm?page=%2F | s5wpr2nreqby04v9.myfritz.ne", "Jeffrey Scott Reiner was considered a skilled predator by Bryan Counts MD. He later attacked target.", "Worm:Win32/Enosch: FileHash-SHA1 c1f7aeab8ae436f1e94bce12a465db736850f4d5", "Ip Traffic: TCP 74.125.24.106:80 (googleapis.com) TCP 85.195.91.179:80 (catch-cdn.com) UDP :53", "Win32:Androp - FileHash-MD5 99c6c9564af67a954661ebf6e41391d2", "#LowFi:Tool:Win32/VbsToExeV2E - FileHash-SHA1-2f7189e96cda26dbb6948354667fdd1ad37c04c0", "Copyright \u00a9 Hilgraeve, Inc. 2001 Product Microsoft\u00ae Windows\u00ae Operating System Description HyperTerminal Applet", "Off subject: Don\u2019t try to kill Tucker Carlson for asking valid questions about an apparent murder Sam.", "Subject: DE Certificate Subject: Berlin Certificate Subject", "AVM Computersysteme Vertriebs GmbH Certificate Subject: IT Certificate Subject *.avm.de Certificate Issuer: US", "https://push.adac.passcreator.com/ | passcreator-metrics.e07cc1.flownative.cloud", "Worm:Win32/Enosch: FileHash-MD5 c98108ca8f4e0dd8a3f63d4ac490e115", "apple-business.cancom.at", "Crypt2.AZDI - FileHash-SHA256 62ffd7a3a21a5732870c4ad92fad7287a5270e4a5508752cfef0aa6f9ea30d1f", "https://avm.de/ Connection: close Content Type: text/html charset=iso 8859 1", "#LowFi:Tool:Win32/VbsToExeV2E - FileHash-SHA256\tae2fb6755dbf52fa44e427fbe0f29bf541aeedf66656edeb08ba9d7ef1617afc", "ALF:CERT:Adware:Win32/Peapoon Win.Malware.Midie-6847893-0\tTrojanDropper:Win32/Muldrop.V!MTB Win.Malware.Generickdz-9938530-0\tTrojan:Win32/Zombie.A Win.Malware.Genpack-6989317-0\tTrojanDropper:Win32/VB.IL Win.Trojan.VBGeneric-6735875-0\tWorm:Win32/Mofksys", "nr-data.net [Apple Private Data Collection]", "https://www.pornhub.com/gifs/search?search=tsara+lynn+brashears+lesbian [Unlocker]", "Alerts: network_http antivm_network_adapters smtp_gmail antivm_queries_computername checks_debugger", "47.courier-push-apple.com.akadns.net", "Original Name HYPERTRM.EXE Internal Name HyperTrm File Version 5.1.2600.0", "http://www.google.com/images/errors/robot.png", "Targets mother passed in 2014. So much malicious activity obituary had to be taken down when hackers put target in obituary", "Inject.BRDV - FileHash-SHA256\t25f639cdaae06656ab5e0cc80512146aa59097439c388dd15e4cc09343d9a283", "Stop following targets relatives everywhere , associates. Stop circling former residence..", "Targets mother died in her bed in Castke Rock, Douglasc County, Colorado", "ET TROJAN Fareit/Pony Downloader Checkin 2\t192.168.56.103\t173.194.113.114", "http://netuser.joymeng.com/charge_apple/notify", "http://clients2.google.com/time/1/current?cup2key=8:ZnsjfqkCHZe8ziQKNl-PZVHX2EXyFv9m6Q0Dnd_a_t8&cup2hreq=e3b0c44298fc1c149afbf4c8996fb92427ae41e4649b934ca495991b7852b855", "https://fritz.box/login | router.box | wlan.box | mesh.box | myfritz.box | https://business.kozow.com/bbox/ |", "Colorado corruption will be exposed one day.", "Jefferson County, Coroner falsely states Mom died in car accident in Lakewood on death certificate .", "These greedy people & government grifters steal money from victims, including life insurance policies" ], "related": { "alienvault": { "adversary": [], "malware_families": [], "industries": [], "unique_indicators": 0 }, "other": { "adversary": [], "malware_families": [ "Et", "Trojan:win32/blihan.a", "All", "Crypt2.azdi", "Trojan:win32/salgorea", "Pws:win32/qqpass", "Win.trojan.generic", "Worm:win32/enosch!atmn", "Androp", "Trojan:win32/aenjaris.al!bit", "Worm:win32/autorun.xfv", "Win.malware.hd0kzai-9985588-0", "Trojan:win32/salgorea.c!mtb", "Win.malware.barys-6840738-0", "Trojandropper:win32/muldrop.v!mtb", "Trojan:win32/eyestye.t", "Win.trojan.zegost", "Trojandropper:win32/vb.il", "Win32/trickler", "Trojan:win32/qqpass", "Trojan:win32/agent.ag!mtb", "Alf:heraklezeval:trojan:win32/ymacco.aa47", "Unruy", "Inject.brdv", "Cve 2007695", "Worm:win32/yuner.a", "Ddos:linux/lightaidra", "Wormwin32/mofksys.rnd!mtb", "Trojan:win32/glupteba.mt!mtb", "#lowfi:tool:win32/vbstoexev2e", "Tel:msil/dlsocconsend", "Win32:androp" ], "industries": [ "Government", "Media", "Technology", "Targets", "Financial" ], "unique_indicators": 17068 } } }, "false_positive": [], "alexa": "http://www.alexa.com/siteinfo/blownawayvaping.com", "whois": "http://whois.domaintools.com/blownawayvaping.com", "domain": "blownawayvaping.com", "hostname": "yi2.blownawayvaping.com" }, "geo": {}, "geo_ipapicom": {}, "pulse_count": 3, "pulses": [ { "id": "6940b852c28f2a2c6abb4aad", "name": "FRITZ!Box \u2026.Connecting to Apple devices", "description": "Connecting to targeted Apple\ndevices overnight. \n\nHow to connect to the FRITZ!Box, how to access all of the product's functions, and what to do with the device if you are not connected to it in your home network.", "modified": "2026-01-15T01:02:47.757000", "created": "2025-12-16T01:39:30.381000", "tags": [ "fritz", "strong", "main navigation", "deutsch", "englisch", "funktionen der", "verbindung zur", "wifi", "ip address", "box avm", "lowfi", "win32", "susp", "urls", "files", "asn as44716", "related tags", "indicator facts", "germany unknown", "a domains", "meta", "typo3", "body doctype", "kasper skaarhoj", "gmt server", "pragma", "a nxdomain", "nxdomain", "whitelisted", "present aug", "present jul", "present oct", "present jun", "united", "present sep", "present nov", "next http", "scans show", "title", "div div", "a li", "wir suchen", "li ul", "avm karriere", "dich a", "reverse dns", "berlin", "germany asn", "dns resolutions", "domains top", "level", "unique tlds", "related pulses", "none related", "passive dns", "ipv4", "url analysis", "present dec", "moved", "certificate", "vertriebs gmbh", "aaaa", "as12732 gutcon", "domain", "hostname", "verdict", "files ip", "address", "germany", "as13335", "as8220 colt", "present may", "united kingdom", "regsetvalueexa", "regdword", "regbinary", "show", "yara detections", "regsetvalueexw", "regsz", "medium", "suspicious", "delphi", "malware", "write", "as6878", "msie", "chrome", "gmt content", "germany showing", "createobject", "set http", "search", "high", "read c", "et trojan", "jfif", "ascii text", "detected", "trojan generic", "checkin", "pony downloader", "http library", "virustotal", "riskware", "mcafee", "drweb", "vipre", "trojan", "panda", "next", "unknown", "as15169 google", "status", "name servers", "record value", "emails", "error", "trojandropper", "results dec", "ddos", "worm", "mtb trojan", "mtb apr", "exev2e", "ia256", "extraction", "get http", "post http", "learn", "command", "ck id", "name tactics", "informative", "spawns", "mitre att", "ck techniques", "evasion att", "germany germany", "windir", "openurl c", "prefetch2", "analysis", "tor analysis", "dns requests", "domain address", "contacted hosts", "pattern match", "show technique", "ck matrix", "show process", "network traffic", "t1057", "t1071", "hybrid", "local", "path", "t1204 user", "defense evasion", "t1480 execution", "sha1", "sha256", "size", "script", "null", "span", "refresh", "footer", "body", "june", "general", "click", "strings", "tools", "tracker", "code", "look", "verify", "restart", "bad traffic", "et info", "tls handshake", "failure", "process details", "flag", "link", "present feb", "servers", "redacted for", "as20546 soprado", "encrypt", "mtb sep", "ransom", "next associated", "twitter", "virtool", "hostname add", "location russia", "as200350", "russia unknown", "federation flag", "ipv4 add", "asn as200350", "related", "domain add", "unknown ns", "expiration date", "http version", "windows nt", "gbot", "post method", "port", "destination", "delete", "get na", "as15169", "expiration", "url https", "no expiration", "showing", "entries", "url add", "pulse pulses", "http", "files domain", "files related", "pulses none", "unknown cname", "cname", "asn as24940", "less", "date", "pulse submit" ], "references": [ "https://fritz.box/login | router.box | wlan.box | mesh.box | myfritz.box | https://business.kozow.com/bbox/ |", "https://avm.de/ Connection: close Content Type: text/html charset=iso 8859 1", "AVM Computersysteme Vertriebs GmbH Certificate Subject: IT Certificate Subject *.avm.de Certificate Issuer: US", "Certificate Issuer: DigiCert Inc Certificate Issuer: |DigiCert SHA2 Secur Server CA", "Subject: DE Certificate Subject: Berlin Certificate Subject", "https://uutiskirje.professiogroup.com/go/54382390-5506438-191003959\u241d", "http://b25d1a05.click.convertkit-mail2.com \u2022 https://b25d1a05.click.convertkit-mail2.com", "https://push.adac.passcreator.com/ | passcreator-metrics.e07cc1.flownative.cloud", "ecs-80-158-49-8.reverse.open-telekom-cloud.com", "http://24.211.14.182:5555/login.htm?page=%2F | s5wpr2nreqby04v9.myfritz.ne", "HYPERTRM.EXE - FileHash-SHA256 21cf992aba3d4adbc8a6bd65337f46a93983fbec8fe0f4639be826571ae469ba", "Copyright \u00a9 Hilgraeve, Inc. 2001 Product Microsoft\u00ae Windows\u00ae Operating System Description HyperTerminal Applet", "Original Name HYPERTRM.EXE Internal Name HyperTrm File Version 5.1.2600.0", "Comments HyperTerminal \u00ae was developed by Hilgraeve, Inc. for Microsoft", "ET POLICY Windows 98 User-Agent Detected - Possible Malware or Non-Updated System", "ET POLICY Unsupported/Fake Internet Explorer Version MSIE 5.\t192.168.56.103\t173.194.113.114", "ET TROJAN Trojan Generic - POST To gate.php with no referer\t192.168.56.103\t173.194.113.114", "ET TROJAN Fareit/Pony Downloader Checkin 2\t192.168.56.103\t173.194.113.114", "ET TROJAN Pony Downloader HTTP Library MSIE 5 Win98\t192.168.56.103\t173.194.113.114", "http://applewaebastian.fritz.box/ \u2022 applewaebastian.fritz.box", "http://netuser.joymeng.com/charge_apple/notify", "https://www.passcreator.com/en/apple-wallet-passes", "https://sso.myfritz.net/static/images/icons/apple-touch-icon-76x76.png No", "apple-business.cancom.at", "Apple - 162.55.158.153", "Crypt2.AZDI - FileHash-SHA256 62ffd7a3a21a5732870c4ad92fad7287a5270e4a5508752cfef0aa6f9ea30d1f", "Inject.BRDV - FileHash-SHA256\t25f639cdaae06656ab5e0cc80512146aa59097439c388dd15e4cc09343d9a283", "Win32:Androp - FileHash-MD5 99c6c9564af67a954661ebf6e41391d2", "#LowFi:Tool:Win32/VbsToExeV2E - FileHash-MD5\t99c8310538a090d2b7e5db3ea22b839a", "#LowFi:Tool:Win32/VbsToExeV2E - FileHash-SHA1-2f7189e96cda26dbb6948354667fdd1ad37c04c0", "#LowFi:Tool:Win32/VbsToExeV2E - FileHash-SHA256\tae2fb6755dbf52fa44e427fbe0f29bf541aeedf66656edeb08ba9d7ef1617afc", "Ip Traffic: TCP 74.125.24.106:80 (googleapis.com) TCP 85.195.91.179:80 (catch-cdn.com) UDP :53", "ALF:CERT:Adware:Win32/Peapoon Win.Malware.Midie-6847893-0\tTrojanDropper:Win32/Muldrop.V!MTB Win.Malware.Generickdz-9938530-0\tTrojan:Win32/Zombie.A Win.Malware.Genpack-6989317-0\tTrojanDropper:Win32/VB.IL Win.Trojan.VBGeneric-6735875-0\tWorm:Win32/Mofksys" ], "public": 1, "adversary": "", "targeted_countries": [], "malware_families": [ { "id": "#LowFi:Tool:Win32/VbsToExeV2E", "display_name": "#LowFi:Tool:Win32/VbsToExeV2E", "target": null }, { "id": "ET", "display_name": "ET", "target": null }, { "id": "Androp", "display_name": "Androp", "target": null }, { "id": "Inject.BRDV", "display_name": "Inject.BRDV", "target": null }, { "id": "Win32:Androp", "display_name": "Win32:Androp", "target": null }, { "id": "Crypt2.AZDI", "display_name": "Crypt2.AZDI", "target": null }, { "id": "TEL:MSIL/DlSocConSend", "display_name": "TEL:MSIL/DlSocConSend", "target": "/malware/TEL:MSIL/DlSocConSend" }, { "id": "DDOS:Linux/Lightaidra", "display_name": "DDOS:Linux/Lightaidra", "target": "/malware/DDOS:Linux/Lightaidra" }, { "id": "ALF:HeraklezEval:Trojan:Win32/Ymacco.AA47", "display_name": "ALF:HeraklezEval:Trojan:Win32/Ymacco.AA47", "target": null }, { "id": "Trojan:Win32/Salgorea.C!MTB", "display_name": "Trojan:Win32/Salgorea.C!MTB", "target": "/malware/Trojan:Win32/Salgorea.C!MTB" }, { "id": "Worm:Win32/Autorun.XFV", "display_name": "Worm:Win32/Autorun.XFV", "target": "/malware/Worm:Win32/Autorun.XFV" }, { "id": "Trojan:Win32/Blihan.A", "display_name": "Trojan:Win32/Blihan.A", "target": "/malware/Trojan:Win32/Blihan.A" }, { "id": "Worm:Win32/Yuner.A", "display_name": "Worm:Win32/Yuner.A", "target": "/malware/Worm:Win32/Yuner.A" }, { "id": "Win.Trojan.Zegost", "display_name": "Win.Trojan.Zegost", "target": null }, { "id": "PWS:Win32/QQpass", "display_name": "PWS:Win32/QQpass", "target": "/malware/PWS:Win32/QQpass" }, { "id": "Trojan:Win32/Glupteba.MT!MTB", "display_name": "Trojan:Win32/Glupteba.MT!MTB", "target": "/malware/Trojan:Win32/Glupteba.MT!MTB" }, { "id": "Trojan:Win32/QQpass", "display_name": "Trojan:Win32/QQpass", "target": "/malware/Trojan:Win32/QQpass" }, { "id": "Win.Trojan.Generic", "display_name": "Win.Trojan.Generic", "target": null }, { "id": "TrojanDropper:Win32/Muldrop.V!MTB", "display_name": "TrojanDropper:Win32/Muldrop.V!MTB", "target": "/malware/TrojanDropper:Win32/Muldrop.V!MTB" }, { "id": "Win32/Trickler", "display_name": "Win32/Trickler", "target": null }, { "id": "Win.Malware.Hd0kzai-9985588-0", "display_name": "Win.Malware.Hd0kzai-9985588-0", "target": null }, { "id": "Trojan:Win32/Aenjaris.AL!bit", "display_name": "Trojan:Win32/Aenjaris.AL!bit", "target": "/malware/Trojan:Win32/Aenjaris.AL!bit" }, { "id": "Trojan:Win32/Agent.AG!MTB", "display_name": "Trojan:Win32/Agent.AG!MTB", "target": "/malware/Trojan:Win32/Agent.AG!MTB" }, { "id": "Trojan:Win32/Salgorea", "display_name": "Trojan:Win32/Salgorea", "target": "/malware/Trojan:Win32/Salgorea" }, { "id": "Win.Malware.Barys-6840738-0", "display_name": "Win.Malware.Barys-6840738-0", "target": null }, { "id": "Unruy", "display_name": "Unruy", "target": null }, { "id": "Trojan:Win32/EyeStye.T", "display_name": "Trojan:Win32/EyeStye.T", "target": "/malware/Trojan:Win32/EyeStye.T" }, { "id": "wormWin32/Mofksys.RND!MTB", "display_name": "wormWin32/Mofksys.RND!MTB", "target": null }, { "id": "TrojanDropper:Win32/VB.IL", "display_name": "TrojanDropper:Win32/VB.IL", "target": "/malware/TrojanDropper:Win32/VB.IL" }, { "id": "CVE 2007695", "display_name": "CVE 2007695", "target": null } ], "attack_ids": [ { "id": "T1008", "name": "Fallback Channels", "display_name": "T1008 - Fallback Channels" }, { "id": "T1566", "name": "Phishing", "display_name": "T1566 - Phishing" }, { "id": "T1045", "name": "Software Packing", "display_name": "T1045 - Software Packing" }, { "id": "T1070", "name": "Indicator Removal on Host", "display_name": "T1070 - Indicator Removal on Host" }, { "id": "T1119", "name": "Automated Collection", "display_name": "T1119 - Automated Collection" }, { "id": "T1129", "name": "Shared Modules", "display_name": "T1129 - Shared Modules" }, { "id": "T1140", "name": "Deobfuscate/Decode Files or Information", "display_name": "T1140 - Deobfuscate/Decode Files or Information" }, { "id": "T1027", "name": "Obfuscated Files or Information", "display_name": "T1027 - Obfuscated Files or Information" }, { "id": "T1057", "name": "Process Discovery", "display_name": "T1057 - Process Discovery" }, { "id": "T1069", "name": "Permission Groups Discovery", "display_name": "T1069 - Permission Groups Discovery" }, { "id": "T1071", "name": "Application Layer Protocol", "display_name": "T1071 - Application Layer Protocol" }, { "id": "T1105", "name": "Ingress Tool Transfer", "display_name": "T1105 - Ingress Tool Transfer" }, { "id": "T1480", "name": "Execution Guardrails", "display_name": "T1480 - Execution Guardrails" }, { "id": "T1553", "name": "Subvert Trust Controls", "display_name": "T1553 - Subvert Trust Controls" }, { "id": "T1568", "name": "Dynamic Resolution", "display_name": "T1568 - Dynamic Resolution" }, { "id": "T1204", "name": "User Execution", "display_name": "T1204 - User Execution" }, { "id": "T1113", "name": "Screen Capture", "display_name": "T1113 - Screen Capture" }, { "id": "T1053", "name": "Scheduled Task/Job", "display_name": "T1053 - Scheduled Task/Job" }, { "id": "T1060", "name": "Registry Run Keys / Startup Folder", "display_name": "T1060 - Registry Run Keys / Startup Folder" } ], "industries": [], "TLP": "white", "cloned_from": null, "export_count": 6, "upvotes_count": 0, "downvotes_count": 0, "votes_count": 0, "locked": false, "pulse_source": "web", "validator_count": 0, "comment_count": 0, "follower_count": 0, "vote": 0, "author": { "username": "Q.Vashti", "id": "337942", "avatar_url": "https://otx.alienvault.com/assets/images/default-avatar.png", "is_subscribed": false, "is_following": false }, "indicator_type_counts": { "domain": 927, "hostname": 2093, "FileHash-SHA256": 1474, "URL": 5935, "FileHash-MD5": 351, "FileHash-SHA1": 252, "email": 5, "CVE": 1, "SSLCertFingerprint": 2 }, "indicator_count": 11040, "is_author": false, "is_subscribing": null, "subscriber_count": 139, "modified_text": "95 days ago ", "is_modified": true, "groups": [], "in_group": false, "threat_hunter_scannable": true, "threat_hunter_has_agents": 1, "related_indicator_type": "URL", "related_indicator_is_active": 1 }, { "id": "68c6026160a826c170a8ce93", "name": "Mira - Targeted attacks that demolished victim/s Media Platforms", "description": "Targeted attacks that demolished victim/s Media Platforms. \nDangerous crowd, bullied till the end, murder attempted hit by a vehicle many times on a one way. 22 year old who walked after attempting to drive her off I-25 Denver. Suffered more life threatening injuries. \nMonitored target. Crime: unwilling female trapped under nasty physical therapists crotch. No charges, no questions. No treatments except one SCI surgery that was 5 years too late. \nDenver is nuts. Denver law enforcement , quasi government , CBI & attorneys are corrupted. There\u2019s something to the wicked DIA theories. I wonder how many others have been silenced to death behind corporate greed. The PT who caused all\nof this is thoroughly treated as a victim. Family moved to safety? She was never the threat. TLB will always rest assured sheltered in the arms of God like she believed.\n#theft #rip #paypal #drive-by_compromise #mira #spotify #youtube #trulymissed", "modified": "2025-10-13T22:27:44.477000", "created": "2025-09-13T23:46:41.355000", "tags": [ "http traffic", "iframe src", "https http", "re att", "access ta0001", "t1189 severity", "info found", "command", "control ta0011", "protocol t1071", "info", "resolved ips", "ip traffic", "pattern domains", "pattern urls", "tls sni", "get http", "dns resolutions", "windows nt", "win64", "khtml", "gecko", "response", "user", "rules not", "registry keys", "detections not", "found mitre", "info ids", "sandbox", "number", "algorithm", "azure rsa", "tls issuing", "cus subject", "stwa lredmond", "cnmicrosoft ecc", "update secure", "server ca", "omicrosoft cus", "ip address", "port", "http", "url data", "accept", "gmt ifnonematch", "network dropped", "duration cuckoo", "version file", "machine label", "manager", "shutdown", "udp connections", "http requests", "cname", "nxdomain", "involved direct", "country name", "parent pid", "full path", "command line", "t1055 process", "layer protocol", "access t1189", "defense evasion", "discovery t1082", "control t1573", "youtube", "spotify", "spotify", "colorado blows" ], "references": [ "https://forward.ro/", "https://vtbehaviour.commondatastorage.googleapis.com/db4e2e018a3e7f1227d7ee73590290cbd2c5f85083d7d2cd2bfbfce2d86bc85b_Zenbox.html?GoogleAccessId=758681729565-rc7fgq07icj8c9dm2gi34a4cckv235v1@developer.gserviceaccount.com&Expires=1757802136&Signature=ZMB94nTTqlBqbckg%2Bto3APyffn72wQ8c%2BtAJCCTNE3HE7lF3WYAXyjdMPB0xKY6TVdQIXYiGj6C8cK925JJttjjW91Be%2BG5oJQ2Tkmou66cPgSgOdOAQEKXq2RNXSvvZUTKgJSbxJritEPsUDcE%2FOZrDG1fY%2FtVq7cxQdLdhKacpB%2FiFLNzlcCWDCLJtwGhyRwoESchlxvvy%2Bazy40CNs35Eiw1rci3tBqQS97F7mBV1GnSrz%2FFZKh", "http://clients2.google.com/time/1/current?cup2key=8:ZnsjfqkCHZe8ziQKNl-PZVHX2EXyFv9m6Q0Dnd_a_t8&cup2hreq=e3b0c44298fc1c149afbf4c8996fb92427ae41e4649b934ca495991b7852b855", "Colorado corruption will be exposed one day.", "Discovery of targets pirated music led to her website down the next day! After 9 years?", "These greedy people & government grifters steal money from victims, including life insurance policies", "Stop following targets relatives everywhere , associates. Stop circling former residence..", "Targets mother passed in 2014. So much malicious activity obituary had to be taken down when hackers put target in obituary", "Targets mother died in her bed in Castke Rock, Douglasc County, Colorado", "Moms body moved by Douglas County to Jefferson County after cause of death ruled natural causes.", "Jefferson County, Coroner falsely states Mom died in car accident in Lakewood on death certificate .", "This information was brought to target by concerned entities who handled body.", "Off subject: Don\u2019t try to kill Tucker Carlson for asking valid questions about an apparent murder Sam.", "First they discredit you, wear you down mentally , hunt you down , then\u2026.They have to deal with God.", "Sorry! I can\u2019t help being upset about the unfairness of this constant cruel harassment.", "Jeffrey Scott Reiner was considered a skilled predator by Bryan Counts MD. He later attacked target." ], "public": 1, "adversary": "", "targeted_countries": [ "United States of America" ], "malware_families": [ { "id": "All", "display_name": "All", "target": null } ], "attack_ids": [ { "id": "T1071", "name": "Application Layer Protocol", "display_name": "T1071 - Application Layer Protocol" }, { "id": "T1189", "name": "Drive-by Compromise", "display_name": "T1189 - Drive-by Compromise" }, { "id": "T1573", "name": "Encrypted Channel", "display_name": "T1573 - Encrypted Channel" }, { "id": "T1055", "name": "Process Injection", "display_name": "T1055 - Process Injection" }, { "id": "T1082", "name": "System Information Discovery", "display_name": "T1082 - System Information Discovery" }, { "id": "T1095", "name": "Non-Application Layer Protocol", "display_name": "T1095 - Non-Application Layer Protocol" }, { "id": "T1210", "name": "Exploitation of Remote Services", "display_name": "T1210 - Exploitation of Remote Services" }, { "id": "T1566", "name": "Phishing", "display_name": "T1566 - Phishing" } ], "industries": [ "Government", "Financial", "Media", "Targets" ], "TLP": "white", "cloned_from": null, "export_count": 2, "upvotes_count": 0, "downvotes_count": 0, "votes_count": 0, "locked": false, "pulse_source": "web", "validator_count": 0, "comment_count": 0, "follower_count": 0, "vote": 0, "author": { "username": "Q.Vashti", "id": "337942", "avatar_url": "https://otx.alienvault.com/assets/images/default-avatar.png", "is_subscribed": false, "is_following": false }, "indicator_type_counts": { "URL": 781, "hostname": 339, "FileHash-SHA256": 697, "FileHash-MD5": 112, "domain": 152, "FileHash-SHA1": 2 }, "indicator_count": 2083, "is_author": false, "is_subscribing": null, "subscriber_count": 138, "modified_text": "188 days ago ", "is_modified": true, "groups": [], "in_group": false, "threat_hunter_scannable": true, "threat_hunter_has_agents": 1, "related_indicator_type": "URL", "related_indicator_is_active": 1 }, { "id": "66933b9c8be1a5b9e24de941", "name": "Worm:Win32/Enosch - Affecting YouTube, Google and more", "description": "", "modified": "2024-08-13T02:01:24.759000", "created": "2024-07-14T02:44:44.457000", "tags": [ "june", "october", "july", "tracking", "december", "apple ios", "relacionada", "partru", "plugx", "cryptbot", "hacktool", "lockbit", "as8075", "united", "slot1", "mascore2", "bcnt1", "nct1", "arc1", "ems1", "auth1", "localeenus", "date", "default", "show", "regsetvalueexa", "search", "regdword", "medium", "settingswpad", "delete", "ids detections", "yara detections", "worm", "malware", "copy", "write", "win32", "unknown", "asnone united", "as14061", "status", "creation date", "name servers", "cname", "next", "passive dns", "as15169 google", "gmt cache", "sameorigin", "443 ma2592000", "scan endpoints", "all scoreblue", "ipv4", "pulse pulses", "urls", "as63949 linode", "html", "gmt content", "moved", "encrypt", "body", "record value", "emails", "domain name", "error", "code", "algorithm", "key usage", "v3 serial", "number", "public key", "info", "key algorithm", "subject key", "identifier", "x509v3 crl", "first", "as6185 apple", "japan", "as8068", "as714 apple", "aaaa", "as32244 liquid", "nxdomain", "as44273 host", "script urls", "meta", "as31154 toyota", "belgium unknown", "belgium", "pulse submit", "url analysis", "win32 exe", "android", "servers", "files", "name", "domain", "ashley", "sylvia", "sonja", "file type", "karin", "gina", "christine", "kathrin", "sandy" ], "references": [ "http://www.google.com/images/errors/robot.png", "beacons.bcp.gvt.com, desktop.google.co.id, drive.google.com, google.com , https.www.google.com", "nr-data.net [Apple Private Data Collection]", "47.courier-push-apple.com.akadns.net", "Antivirus Detections: Win32:Agent-ASTI\\ [Trj] , Win.Trojan.Agent-357800 , Worm:Win32/Enosch!atmn", "IDS Detections: Win32/Enosch.A gtalk connectivity check | Yara Detections: md5_constants", "Alerts: network_icmp network_smtp persistence_autorun modifies_proxy_wpad dumped_buffer", "Alerts: network_http antivm_network_adapters smtp_gmail antivm_queries_computername checks_debugger", "Worm:Win32/Enosch: FileHash-SHA256\t00001fce075ec7fe698d6ede804939221afcf40750027fde6b29a75af85ea2cc", "Worm:Win32/Enosch: FileHash-SHA1 c1f7aeab8ae436f1e94bce12a465db736850f4d5", "Worm:Win32/Enosch: FileHash-MD5 c98108ca8f4e0dd8a3f63d4ac490e115", "https://www.pornhub.com/gifs/search?search=tsara+lynn+brashears+lesbian [Unlocker]" ], "public": 1, "adversary": "", "targeted_countries": [ "United States of America" ], "malware_families": [ { "id": "Worm:Win32/Enosch!atmn", "display_name": "Worm:Win32/Enosch!atmn", "target": "/malware/Worm:Win32/Enosch!atmn" } ], "attack_ids": [ { "id": "T1040", "name": "Network Sniffing", "display_name": "T1040 - Network Sniffing" }, { "id": "T1053", "name": "Scheduled Task/Job", "display_name": "T1053 - Scheduled Task/Job" }, { "id": "T1060", "name": "Registry Run Keys / Startup Folder", "display_name": "T1060 - Registry Run Keys / Startup Folder" } ], "industries": [ "Media", "Technology" ], "TLP": "green", "cloned_from": null, "export_count": 26, "upvotes_count": 0, "downvotes_count": 0, "votes_count": 0, "locked": false, "pulse_source": "web", "validator_count": 0, "comment_count": 0, "follower_count": 0, "vote": 0, "author": { "username": "scoreblue", "id": "254100", "avatar_url": "/otxapi/users/avatar_image/media/avatars/user_254100/resized/80/avatar_3b9c358f36.png", "is_subscribed": false, "is_following": false }, "indicator_type_counts": { "FileHash-MD5": 146, "FileHash-SHA1": 126, "FileHash-SHA256": 1422, "URL": 377, "domain": 889, "hostname": 418, "SSLCertFingerprint": 1, "email": 10 }, "indicator_count": 3389, "is_author": false, "is_subscribing": null, "subscriber_count": 225, "modified_text": "615 days ago ", "is_modified": true, "groups": [], "in_group": false, "threat_hunter_scannable": true, "threat_hunter_has_agents": 1, "related_indicator_type": "URL", "related_indicator_is_active": 1 } ], "error": null, "vt": { "error": "VirusTotal rate limit reached. Try again shortly.", "indicator": "https://yi2.blownawayvaping.com/", "type": "URL" }, "abuseipdb": null, "urlhaus": { "indicator": "https://yi2.blownawayvaping.com/", "type": "URL", "found": false, "verdict": "clean", "error": null }, "from_cache": true, "_cached_at": 1776682384.2159534 }