{
"type": "Domain",
"indicator": "letras.com",
"general": {
"sections": [
"general",
"geo",
"url_list",
"passive_dns",
"malware",
"whois",
"http_scans"
],
"whois": "http://whois.domaintools.com/letras.com",
"alexa": "http://www.alexa.com/siteinfo/letras.com",
"indicator": "letras.com",
"type": "domain",
"type_title": "Domain",
"validation": [],
"base_indicator": {
"id": 2729931750,
"indicator": "letras.com",
"type": "domain",
"title": "",
"description": "",
"content": "",
"access_type": "public",
"access_reason": ""
},
"pulse_info": {
"count": 15,
"pulses": [
{
"id": "69d747314a8fc4fa30250fe9",
"name": "VirusTotal report\n for program.exe",
"description": " Report date relevance: May 18 2025.",
"modified": "2026-04-09T07:29:31.205000",
"created": "2026-04-09T06:29:05.116000",
"tags": [
"explorer",
"maxime thiebaut",
"files",
"imageendswith",
"windows sccm",
"pe file",
"drops pe",
"sample",
"drops",
"pe32",
"intel",
"ms windows",
"infects",
"found",
"mitre attack",
"persistence",
"info",
"next",
"windows sandbox",
"calls clear",
"users",
"nothing",
"registry keys",
"change",
"mutexes nothing",
"parent pid",
"full path",
"command line",
"files c",
"devicecng c",
"bit locker hijacked",
"illegal one drive cross tenant",
"Esign violation",
"non secure workflow",
"wiper",
"MDMenrollment misuse",
"broken seal",
"pdfkit.net DMV",
"vzwbiz",
"modified after creation non secure workflow",
"Docusign exploited by non secure workflow",
"Human Error/Spyware/Risk+",
"Abobe Exploited by non secure process",
"CaRoot Cert Abuse",
"cryptography unsound"
],
"references": [
"https://vtbehaviour.commondatastorage.googleapis.com/2566a2924072ac9821eb7ecde8bedf7197ceb09d99cd17ff48864a2323546bf9_Zenbox.html?GoogleAccessId=758681729565-rc7fgq07icj8c9dm2gi34a4cckv235v1@developer.gserviceaccount.com&Expires=1775715909&Signature=gpI0cV%2Bz5SujLXqKc%2FMViiMPztLVAF6Rp00wpW3LF4PyrCqLg7GTlahQtBw0v4rtG0E8HaaDkNRYZ6xPc%2BaCuTHHzf0b8HN0%2BOiY%2B%2Bk4Q5eiI%2BJCJiWefs3vtk9u5bFyGQqM4nzF3u1uk2E8d3TKiy09A5K7YNLjbAsewBUu5mmJZsTeErl3nBhQcKu1stwt1ycd78SLCg8fUl3U7DDaqfd3hJbY98lWj8e6NwMu6VxskCRDdSQsdWj2",
"https://vtbehaviour.commondatastorage.googleapis.com/2566a2924072ac9821eb7ecde8bedf7197ceb09d99cd17ff48864a2323546bf9_VirusTotal%20Jujubox.html?GoogleAccessId=758681729565-rc7fgq07icj8c9dm2gi34a4cckv235v1@developer.gserviceaccount.com&Expires=1775715951&Signature=XmRkiqq6Fjiq21rddntr3oHg%2BIPR1SrVwk6v5ZZ%2FJ4PkIpl7sqX1DjtJMGHoYvndxGmCeSCYQ08LS9hYRAWXupAhPzRcTkFcmq6KY%2FyMoab3l0SDixcrT9tLxB4iEobBJOzX0Fb%2B8QDyAbyjsuoKSMNCQC0CrVZyT7X54GsN93BU0FXiJWIIluOisGnjwoqL3rdMF8%2BPEJgkcUJTOIuIRaX57nsrXAMIv7dbn9BGZFDXH0",
"https://vtbehaviour.commondatastorage.googleapis.com/2566a2924072ac9821eb7ecde8bedf7197ceb09d99cd17ff48864a2323546bf9_CAPE%20Sandbox.html?GoogleAccessId=758681729565-rc7fgq07icj8c9dm2gi34a4cckv235v1@developer.gserviceaccount.com&Expires=1775715964&Signature=A%2BPIQBCth46RBnI1rK4wnu%2B0XtyUhEdo1TORDahLnR6yM%2BbI8gLsWpjDTmV8aSDFIcFddcr%2BCs9TqMa65j3jNrLz9NcyZekNiDekQlkYCbMCIiYduRDT9nLy485HDee9RRJ3YSbeqJQSjzOXemRKeyL8rg3ml6WTeCly22CrQPLljCwWWUbsQLYOMqu0OADj%2BKEZv%2B5gVOmJsQIBQugE%2F0xSYw1lKowIs5nlYy9Z0hbFUycO"
],
"public": 1,
"adversary": "",
"targeted_countries": [],
"malware_families": [
{
"id": "PathWiper",
"display_name": "PathWiper",
"target": null
}
],
"attack_ids": [
{
"id": "T1027",
"name": "Obfuscated Files or Information",
"display_name": "T1027 - Obfuscated Files or Information"
},
{
"id": "T1036",
"name": "Masquerading",
"display_name": "T1036 - Masquerading"
},
{
"id": "T1059",
"name": "Command and Scripting Interpreter",
"display_name": "T1059 - Command and Scripting Interpreter"
},
{
"id": "T1080",
"name": "Taint Shared Content",
"display_name": "T1080 - Taint Shared Content"
},
{
"id": "T1082",
"name": "System Information Discovery",
"display_name": "T1082 - System Information Discovery"
},
{
"id": "T1083",
"name": "File and Directory Discovery",
"display_name": "T1083 - File and Directory Discovery"
},
{
"id": "T1574",
"name": "Hijack Execution Flow",
"display_name": "T1574 - Hijack Execution Flow"
}
],
"industries": [
"Government",
"Telecommunications",
"Technology"
],
"TLP": "green",
"cloned_from": null,
"export_count": 0,
"upvotes_count": 0,
"downvotes_count": 0,
"votes_count": 0,
"locked": false,
"pulse_source": "web",
"validator_count": 0,
"comment_count": 0,
"follower_count": 0,
"vote": 0,
"author": {
"username": "msudosos",
"id": "381696",
"avatar_url": "https://otx.alienvault.com/assets/images/default-avatar.png",
"is_subscribed": false,
"is_following": false
},
"indicator_type_counts": {
"domain": 81,
"URL": 421,
"hostname": 491,
"FileHash-MD5": 477,
"FileHash-SHA1": 298,
"FileHash-SHA256": 719,
"IPv4": 177,
"CVE": 5,
"email": 12,
"CIDR": 2
},
"indicator_count": 2683,
"is_author": false,
"is_subscribing": null,
"subscriber_count": 49,
"modified_text": "10 days ago ",
"is_modified": true,
"groups": [],
"in_group": false,
"threat_hunter_scannable": true,
"threat_hunter_has_agents": 1,
"related_indicator_type": "domain",
"related_indicator_is_active": 1
},
{
"id": "69d6619d62ea0c3bbf0ebf75",
"name": "Mac OS Unwanted Programs | Mac Booster application potentially installed in background without target\u2019s knowledge",
"description": "Not installed by users I\u2019m researching for. Downloaded as an unwanted program Overview of com.iobit.MacBooster-3\ncom.iobit.MacBooster-3 is the package identifier for MacBooster 3, a software application developed by IObit. This application is specifically designed for optimizing and maintaining Mac computers.\nKey Features\nMacBooster 3 includes several essential features aimed at enhancing the performance and security of Mac systems:\nSystem Cleanup: .\nPerformance Boosting: \nMalware Protection: .\nCompatibility\nMacBooster 3 is compatible with macOS versions starting from OS X 10.9. False - \nWhat are the potential risks of using MacBooster 3 on a Mac computer?\nUsing MacBooster 3 on a Mac computer can lead to potentially unwanted program (PUP) behavior, including browser interference, frequent pop-ups, and the installation of unnecessary software.",
"modified": "2026-04-08T14:09:33.432000",
"created": "2026-04-08T14:09:33.432000",
"tags": [
"issuer apple",
"valid from",
"valid",
"serial number",
"macho",
"macho 64bit",
"mac os",
"x macho",
"intel",
"file version",
"team identifier",
"apple root",
"ca feb",
"am ma9eduzpcw",
"signers",
"issuer valid",
"from valid",
"status issuer",
"apple inc",
"valid apple",
"a9 a8",
"process32nextw",
"regsetvalueexa",
"read c",
"regdword",
"tls handshake",
"failure",
"msie",
"malware",
"write",
"win32",
"unknown",
"dynamicloader",
"high",
"myapp",
"device driver",
"host",
"worm",
"delphi",
"error",
"code",
"defender",
"next",
"file score",
"cryp",
"virus",
"checkin tls",
"forbidden yara",
"msvisualcpp2008",
"less ip",
"contacted",
"scanning host",
"trojan",
"exploit host",
"apple inc",
"monitored target",
"targeting",
"name servers",
"servers",
"expiration date",
"value emails",
"name domain",
"org apple",
"infinite loop",
"city cupertino",
"country us",
"tulach"
],
"references": [
"com.iobit.MacBooster-3",
"IDS Detections: Win32.Floxif.A Checkin TLS Handshake Failure 403 Forbidden",
"Yara Detections: Malware_Floxif_mpsvc_dll , stack_string , MS_Visual_Cpp_2008 ,",
"Yara Detections: KERNEL32_DLL_xor_exe_key_197 , xor_0xc5_This_program",
"Alerts: dead_host network_icmp nolookup_communication persistence_autorun",
"Alerts: modifies_proxy_wpad antivm_vmware_in_instruction dumped_buffer",
"Alerts: network_cnc_http network_http allocates_rwx antisandbox_sleep creates_exe",
"Alerts: injection_process_search antivm_network_adapters privilege_luid_check",
"Alerts: checks_debugger has_pdb raises_exception",
"IP\u2019s Contacted: 104.200.23.95 174.139.10.194 198.35.26.96",
"Domains Contacted: en.wikipedia.org 5isohu.com www.aieov.com",
"Monitored targets. Tsara Brashears, UAlberta (disable_duck) seen",
"I can\u2019t speak for behavior of targets. Seems unlikely programs were intentionally installed.",
"https://otx.alienvault.com/indicator/cve/CVE-2023-22518",
"Issue! Team member found CVE-2023-22518 have origins from the State of Colorado",
"Issue! Multiple IoC\u2019s missing.",
"A user StreamMiningEx copied pulses: octoseek, scoreblue, KAILULA4, callmeDoris , dorkingbeauty1 and more",
"I can\u2019t help but notice a trend. IoC\u2019s found by actual targets are removed from pulses. Recent users are listed in place",
"Issue! What I am troubled about the s the deletion service that has plagued OTX/ LevelBlue",
"Brian Sabey, Tulach, other adversaries working illegally to remove IoC\u2019s",
"Disturbed pulses of mercenary attacks S/A NSO Pegasus NOT reported to CISA or Citizens Lab.",
"Reporting is an expected protocol. Is this more of a \u2018bounty\u2019 focused, a honeypot?",
"Researching using an easy powerful tool like this has led to confrontations.",
"I liked the tool. There is something strange happening with the pulses & IoC\u2019s",
"I did not clone my pulse to read Bit.io",
"I am not cloning pulses belonging to others without crediting. I\u2019m one of a few who credit. This has happened to other team members",
"There are serious researchers on here for a short time hoping to resolve serious cyber issues",
"I am unable to reach Level Blue regarding issues. Mailer Daemon only",
"It\u2019s not just me. I have contacted from very secured emails, networks, devices",
"I typically follow targets who have truly dangerous situations who no longer pulse.",
"This would be sent in an email but \u2026.",
"About pulse, found in peripheral.",
"When your pulse says contacted, who is contacted besides OTX?",
"An earlier version contacted entities affected or affecting targets."
],
"public": 1,
"adversary": "",
"targeted_countries": [],
"malware_families": [
{
"id": "Worm:Win32/AutoRun!atmn",
"display_name": "Worm:Win32/AutoRun!atmn",
"target": "/malware/Worm:Win32/AutoRun!atmn"
},
{
"id": "Virus:Win32/Floxif.H",
"display_name": "Virus:Win32/Floxif.H",
"target": "/malware/Virus:Win32/Floxif.H"
},
{
"id": "Exploit:Win32/CVE-2017-0147",
"display_name": "Exploit:Win32/CVE-2017-0147",
"target": "/malware/Exploit:Win32/CVE-2017-0147"
},
{
"id": "Ransom:Win32/CVE-2017-0147",
"display_name": "Ransom:Win32/CVE-2017-0147",
"target": "/malware/Ransom:Win32/CVE-2017-0147"
},
{
"id": "CVE-2023-22518",
"display_name": "CVE-2023-22518",
"target": null
}
],
"attack_ids": [
{
"id": "T1140",
"name": "Deobfuscate/Decode Files or Information",
"display_name": "T1140 - Deobfuscate/Decode Files or Information"
},
{
"id": "T1040",
"name": "Network Sniffing",
"display_name": "T1040 - Network Sniffing"
},
{
"id": "T1053",
"name": "Scheduled Task/Job",
"display_name": "T1053 - Scheduled Task/Job"
},
{
"id": "T1057",
"name": "Process Discovery",
"display_name": "T1057 - Process Discovery"
},
{
"id": "T1060",
"name": "Registry Run Keys / Startup Folder",
"display_name": "T1060 - Registry Run Keys / Startup Folder"
},
{
"id": "T1129",
"name": "Shared Modules",
"display_name": "T1129 - Shared Modules"
},
{
"id": "T1566",
"name": "Phishing",
"display_name": "T1566 - Phishing"
},
{
"id": "T1155",
"name": "AppleScript",
"display_name": "T1155 - AppleScript"
},
{
"id": "T1031",
"name": "Modify Existing Service",
"display_name": "T1031 - Modify Existing Service"
},
{
"id": "T1410",
"name": "Network Traffic Capture or Redirection",
"display_name": "T1410 - Network Traffic Capture or Redirection"
},
{
"id": "T1449",
"name": "Exploit SS7 to Redirect Phone Calls/SMS",
"display_name": "T1449 - Exploit SS7 to Redirect Phone Calls/SMS"
},
{
"id": "T1089",
"name": "Disabling Security Tools",
"display_name": "T1089 - Disabling Security Tools"
},
{
"id": "T1562.001",
"name": "Disable or Modify Tools",
"display_name": "T1562.001 - Disable or Modify Tools"
},
{
"id": "T1068",
"name": "Exploitation for Privilege Escalation",
"display_name": "T1068 - Exploitation for Privilege Escalation"
}
],
"industries": [],
"TLP": "white",
"cloned_from": null,
"export_count": 1,
"upvotes_count": 0,
"downvotes_count": 0,
"votes_count": 0,
"locked": false,
"pulse_source": "web",
"validator_count": 0,
"comment_count": 0,
"follower_count": 0,
"vote": 0,
"author": {
"username": "Q.Vashti",
"id": "337942",
"avatar_url": "https://otx.alienvault.com/assets/images/default-avatar.png",
"is_subscribed": false,
"is_following": false
},
"indicator_type_counts": {
"FileHash-SHA1": 75,
"FileHash-MD5": 102,
"FileHash-SHA256": 2076,
"IPv4": 111,
"URL": 2496,
"CVE": 2,
"domain": 483,
"hostname": 938,
"email": 4,
"SSLCertFingerprint": 2
},
"indicator_count": 6289,
"is_author": false,
"is_subscribing": null,
"subscriber_count": 138,
"modified_text": "11 days ago ",
"is_modified": false,
"groups": [],
"in_group": false,
"threat_hunter_scannable": true,
"threat_hunter_has_agents": 1,
"related_indicator_type": "domain",
"related_indicator_is_active": 1
},
{
"id": "694dc80ac6e7fd5474b316a1",
"name": "Malicious DDOS attacks targeting Brand New 2025 | Updated Apple Products affecting IRS payment portal",
"description": "Malicious actors continue to target certain users attempting to pay the IRS. Victim is redirected to : http://sa.www4.irs.gov/ola/payment_options/create_long_term_plan after typing in IRS.gov (w/ secure header \u2018https\u2019 )\nOnce information is input it is payment is rejected, levy against bank accounts and assets and other threats. There is social engineering as one victim is communicating with someone allegedly from the IRS? \nAlthough malicious entities contacted , malicious behavior continues. Adversaries in the Middle attack. US hacker group. Denver, Iowa, Arizona, NY and abroad. \n\n*Targets: https://build.webkit.org/results/Apple-Sequoia-Safer-CPP-Checks/301548@main |",
"modified": "2026-01-24T22:05:13.068000",
"created": "2025-12-25T23:26:02.712000",
"tags": [
"hash avast",
"avg clamav",
"msdefender feb",
"url http",
"url https",
"zipcode",
"active related",
"cage01195 dec",
"passports",
"ipv4",
"active",
"irs",
"apple",
"role title",
"indicator role",
"malware attacks",
"find encrypted",
"lumen",
"fastly",
"create c",
"read c",
"delete",
"write",
"default",
"medium",
"rgba",
"dock",
"execution",
"xport",
"united",
"passive dns",
"urls",
"expiration date",
"unknown ns",
"unknown aaaa",
"pulse pulses",
"merit",
"dod network",
"type indicator",
"related pulses",
"name",
"name servers",
"ffffff",
"ip address",
"emails",
"object",
"clsid6bf52a52",
"cookie",
"meta",
"united kingdom",
"germany",
"russia",
"search",
"added active",
"windir",
"openurl c",
"prefetch2",
"analysis",
"tor analysis",
"dns requests",
"domain address",
"contacted hosts",
"href",
"pattern match",
"ascii text",
"ck id",
"mitre att",
"ck matrix",
"t1071",
"general",
"local",
"path",
"iframe",
"click",
"beginstring",
"segoe ui",
"null",
"refresh",
"span",
"hybrid",
"strings",
"error",
"tools",
"title",
"look",
"verify",
"restart",
"data upload",
"extraction",
"failed",
"include data",
"entries",
"unicode",
"high",
"memcommit",
"next",
"flag",
"process details",
"path expiresthu",
"moved",
"gmt set",
"domain",
"httponly path",
"encrypt",
"leaseweb",
"iowa",
"title added",
"bad traffic",
"et info",
"tls handshake",
"failure",
"command decode",
"suricata stream",
"circle",
"f5f8fa",
"learn",
"name tactics",
"suspicious",
"informative",
"adversaries",
"command",
"defense evasion",
"spawns",
"development att",
"suricata http",
"windows nt",
"date",
"ips initial",
"prefetch8",
"localappdata",
"prefetch1",
"programfiles",
"edge",
"access att",
"t1566 phishing",
"initial access",
"show process",
"show technique",
"process",
"t1057",
"contacted",
"ck techniques",
"evasion att",
"body",
"report spam",
"apple",
"ddos",
"irs created",
"hours ago",
"white",
"apple user",
"industries",
"government",
"finance",
"trojandropper",
"appleservice",
"mirai",
"trojan",
"next associated",
"fastly error",
"please",
"sea p",
"mozilla",
"accept",
"alerts",
"filehash",
"md5 add",
"av detections",
"ids detections",
"yara detections",
"analysis date",
"file score",
"medium risk",
"copy",
"richhash",
"finding notes",
"clamav malware",
"files matching",
"number",
"sample analysis",
"samples show",
"date hash",
"yara rule",
"msie",
"t1063",
"windows",
"malware",
"detected",
"https domain",
"tls sni",
"markus",
"smartassembly",
"win64",
"exif data",
"present dec",
"status",
"showing",
"show",
"icmp traffic",
"pdb path",
"crlf line",
"mutex",
"ms defender",
"mtb malware",
"hide samples",
"rootkit",
"apple webkit",
"macbook pro",
"apple ios"
],
"references": [
"sa.www4.irs.gov \u2022 sa1.www4.irs.gov \u2022 sa2.www4.irs.gov \u2022 apps.irs.gov \u2022 freetaxassistance.for.irs.gov \u2022 home.treasury.gov \u2022",
"132.3.48.38 \u2022 Description: CC=US ASN=AS721 dod network information center",
"154.35.132.70\t\u2022 Description: CC=US ASN=AS14987 rethem hosting llc",
"165.206.254.134 \u2022 Description: CC=US ASN=AS6122",
"192.85.127.130 \u2022 Description: CC=US ASN=AS2173 hewlett-packard company",
"195.128.76.205 \u2022 Description: CC=RU ASN=AS8470 jsc macomnet",
"205.181.242.243 \u2022 Description: CC=US ASN=AS3738 state street bank and trust company",
"207.75.164.17 \u2022 Description: CC=US ASN=AS237 merit network",
"207.75.164.210 \u2022 Description: CC=US ASN=AS237 merit network",
"214.25.9.149 \u2022 Description: CC=US ASN=AS344 dod network information center",
"216.252.199.59 \u2022 Description: CC=US ASN=AS31827 biz net technologies",
"78.46.218.253 \u2022 Description: CC=DE ASN=AS24940 hetzner online gmbh",
"95.211.7.168 \u2022Description: CC=NL ASN=AS60781 leaseweb netherlands b.v.",
"http://www.anyxxxtube.net/search-porn/tsara-brashears-denies-jeffrey-scott-reimer-sex\t- Adult Content",
"https://www.anyxxxtube.net/search-porn/tsara-brashears/\tphishing - Adult Content",
"http://www.anyxxxtube.net/search-porn/tsara-brashears - Adult Content",
"https://www.anyxxxtube.net/search-porn/a-m-c-ate-xxx-videos/ - Adult Content",
"http://www.anyxxxtube.net/search-porn/ - Adult Content",
"https://eliyporasa.life/uelbu/5/151504-harleyxwest-porn - Adult Content",
"http://www.anyxxxtube.net/search-porn/tsara-brashears-denies-jeffrey-scott-reimer-sex\t- Adult Content",
"https://wallpapers-nature.com/tsara-brashears/tse1-mm-bing-net - Adult Content",
"https://wallpapers-nature.com/ tsara-brashears/urlscan-io\t- Adult Content",
"https://wallpapers-nature.com/%20tsara-brashears/urlscan-io\t- Adult Content",
"https://wallpapers-nature.com/tsara-brashears/urlscan-io - Adult Content",
"http://sissy.com/default - Adult Content",
"https://eliyporasa - Adult Content",
"64.38.232.180 - Adult Content IP",
"www.anyxxxtube.net - Adult Content",
"www.anyxxxtube.net - Adult Content IP",
"http://www.iranianporn.com/ \u2022 iranianporn.com - Adult Content",
"http://www.italianporn.com/ \u2022 italianporn.com - Adult Content IP",
"jamaicansex.com \u2022 onlinesexmags.com \u2022 sexbible.com \u2022 bestsex.com - Adult Content IP",
"https://www.anyxxxtube.net/video/2241/big-titted-sexy-chick-august-ames/ - Adult Content IP",
"http://geometry.ru/articles/blinkovsexcircle.pdf- Adult Content IP",
"http://www.onlinesexmags.com/members/gent/current/ - Adult Content IP",
"http://sissy.com/default.php?qry=xinb0NVH3vxGQfarWy4r54j5FWwjyNsIfAXqPpjmSCTYnrY20orAEt5QcaKNVYpHM3.AFndEsyGlSb_SXAGpMTdue0rkjANJ3fQ0wH3yzmI9qKCDJp39iCno_V.ci7VYf_I4t_Y2ibuGhE_rlOAs3FGeaahClLHQmyX30MRH5AfpY6B5N9LDoau6dxnMaf3qGZEX_xCRYTdVAigxUMX2qRyl16DvSb9DohTpdet4E_v0QjzIjDwGGS4PYEDpjmzIeKlCSItsv09pHL84QDb6V_fvuFw0jX8tfoI8VQmpnaeudPhO0nDmV3c5G7HjNNcF&tgt=NO+TOKEN&searchKey=free+porn&wp=1&skp=3_2402 - Adult Content IP",
"httpssa.www4.irs.gov \u2022 jobs.irs.gov \u2022 https://sa.www4.irs.gov/ \u2022 https://sa.www4.irs.gov \u2022 www.directfile.irs.gov \u2022",
"http://sa.www4.irs.gov/ola/payment_options/create_long_term_plan \u2022 www4.irs.gov \u2022 www.drupal.org",
"asp.bet",
"apple.co \u2022 apple.com \u2022 apple.info \u2022 apple.net",
"https://www.freeiconspng.com/thumbs/icloud-logo/icloud-drive-mac-mail-cloud-apple-pc-works-c",
"https://build.webkit.org/results/Apple-Sequoia-Safer-CPP-Checks/301548@main",
"http://usw2.apple.com/ \u2022 https://itunes.apple.com/app/apple-store/id284815942/us/app/samsung-galaxy-watch-gear-s/id1117310635",
"applefilmmaker.com \u2022 appleid.com \u2022 appleiservices.com",
"jobs.lumen.com \u2022 lumen.com \u2022 msradc.lumen.com \u2022 voip.lumen.com \u2022 www.lumen.com",
"https://otx.alienvault.com/pulse/694d7d426afd8c1c816ddb9e",
"Information gathered equals 2 pulses. Pulse (1) included",
"https://hybrid-analysis.com/sample/ec4a41028de0fb099e6f14c8507ba98d2215872688a955db015ca2dafc2baa3d/694d9e6a07ba5e76e203a672",
"https://hybrid-analysis.com/sample/ec4a41028de0fb099e6f14c8507ba98d2215872688a955db015ca2dafc2baa3d",
"https://hybrid-analysis.com/sample/d9a2ab3260e7202336bef383bd97b323c616e0857623a30339ef285058a16ca3",
"https://hybrid-analysis.com/sample/270e6924ee7b824b615813b00654f282accd5c649920f143e4f1c47862de4676",
"https://hybrid-analysis.com/sample/d9a2ab3260e7202336bef383bd97b323c616e0857623a30339ef285058a16ca3/694d9a33a2febcb826005ed5",
"https://hybrid-analysis.com/sample/270e6924ee7b824b615813b00654f282accd5c649920f143e4f1c47862de4676",
"Follow up need. This is a serious financial crime following the victims.",
"Victims have lost financial assets, jobs, vehicles",
"Persistent. Is Christopher P. Ahmann, Brian Sabey, State of Colorado",
"After an attack a different victim had awe , tax refund seized, Insurance became Medicaid, Was audited by the IRs and there was attempts on life w/ bad outcome"
],
"public": 1,
"adversary": "",
"targeted_countries": [
"United States of America",
"Canada",
"United Kingdom of Great Britain and Northern Ireland"
],
"malware_families": [
{
"id": "Win.Malware.Msilperseus-6989564-0",
"display_name": "Win.Malware.Msilperseus-6989564-0",
"target": null
},
{
"id": "Mirai",
"display_name": "Mirai",
"target": null
},
{
"id": "Win.Trojan.Ramnit-1847",
"display_name": "Win.Trojan.Ramnit-1847",
"target": null
},
{
"id": "Win.Trojan.Fenomengame-14",
"display_name": "Win.Trojan.Fenomengame-14",
"target": null
},
{
"id": "ALF:JASYP:Trojan:Win32/IRCbot!atmn",
"display_name": "ALF:JASYP:Trojan:Win32/IRCbot!atmn",
"target": null
},
{
"id": "Pandex!gen1",
"display_name": "Pandex!gen1",
"target": null
},
{
"id": "Mirai Sim Swap",
"display_name": "Mirai Sim Swap",
"target": null
},
{
"id": "ET",
"display_name": "ET",
"target": null
},
{
"id": "Lumen IP",
"display_name": "Lumen IP",
"target": null
},
{
"id": "Unknown Malware \u2018Can't access file\u2019",
"display_name": "Unknown Malware \u2018Can't access file\u2019",
"target": null
},
{
"id": "ALF:JASYP:Trojan:Win32/IRCbot!atmn",
"display_name": "ALF:JASYP:Trojan:Win32/IRCbot!atmn",
"target": null
},
{
"id": "Win.Trojan.Fenomengame-8",
"display_name": "Win.Trojan.Fenomengame-8",
"target": null
},
{
"id": "ALF:JASYP:Trojan:Win32/Adialer",
"display_name": "ALF:JASYP:Trojan:Win32/Adialer",
"target": null
},
{
"id": "TrojanDropper:Win32/Muldrop",
"display_name": "TrojanDropper:Win32/Muldrop",
"target": "/malware/TrojanDropper:Win32/Muldrop"
},
{
"id": "Appleservice",
"display_name": "Appleservice",
"target": null
},
{
"id": "ELF:DDoS-S\\ [Trj]",
"display_name": "ELF:DDoS-S\\ [Trj]",
"target": null
},
{
"id": "Unix.Trojan.Gafgyt-6981154-0",
"display_name": "Unix.Trojan.Gafgyt-6981154-0",
"target": null
}
],
"attack_ids": [
{
"id": "T1053",
"name": "Scheduled Task/Job",
"display_name": "T1053 - Scheduled Task/Job"
},
{
"id": "T1055",
"name": "Process Injection",
"display_name": "T1055 - Process Injection"
},
{
"id": "T1082",
"name": "System Information Discovery",
"display_name": "T1082 - System Information Discovery"
},
{
"id": "T1119",
"name": "Automated Collection",
"display_name": "T1119 - Automated Collection"
},
{
"id": "T1129",
"name": "Shared Modules",
"display_name": "T1129 - Shared Modules"
},
{
"id": "T1143",
"name": "Hidden Window",
"display_name": "T1143 - Hidden Window"
},
{
"id": "T1057",
"name": "Process Discovery",
"display_name": "T1057 - Process Discovery"
},
{
"id": "T1069",
"name": "Permission Groups Discovery",
"display_name": "T1069 - Permission Groups Discovery"
},
{
"id": "T1071",
"name": "Application Layer Protocol",
"display_name": "T1071 - Application Layer Protocol"
},
{
"id": "T1105",
"name": "Ingress Tool Transfer",
"display_name": "T1105 - Ingress Tool Transfer"
},
{
"id": "T1480",
"name": "Execution Guardrails",
"display_name": "T1480 - Execution Guardrails"
},
{
"id": "T1113",
"name": "Screen Capture",
"display_name": "T1113 - Screen Capture"
},
{
"id": "T1553",
"name": "Subvert Trust Controls",
"display_name": "T1553 - Subvert Trust Controls"
},
{
"id": "T1562",
"name": "Impair Defenses",
"display_name": "T1562 - Impair Defenses"
},
{
"id": "T1583",
"name": "Acquire Infrastructure",
"display_name": "T1583 - Acquire Infrastructure"
},
{
"id": "T1069.002",
"name": "Domain Groups",
"display_name": "T1069.002 - Domain Groups"
},
{
"id": "T1132",
"name": "Data Encoding",
"display_name": "T1132 - Data Encoding"
},
{
"id": "T1140",
"name": "Deobfuscate/Decode Files or Information",
"display_name": "T1140 - Deobfuscate/Decode Files or Information"
},
{
"id": "T1189",
"name": "Drive-by Compromise",
"display_name": "T1189 - Drive-by Compromise"
},
{
"id": "T1568",
"name": "Dynamic Resolution",
"display_name": "T1568 - Dynamic Resolution"
},
{
"id": "T1590",
"name": "Gather Victim Network Information",
"display_name": "T1590 - Gather Victim Network Information"
},
{
"id": "T1566",
"name": "Phishing",
"display_name": "T1566 - Phishing"
},
{
"id": "T1003",
"name": "OS Credential Dumping",
"display_name": "T1003 - OS Credential Dumping"
},
{
"id": "T1045",
"name": "Software Packing",
"display_name": "T1045 - Software Packing"
},
{
"id": "T1060",
"name": "Registry Run Keys / Startup Folder",
"display_name": "T1060 - Registry Run Keys / Startup Folder"
},
{
"id": "T1063",
"name": "Security Software Discovery",
"display_name": "T1063 - Security Software Discovery"
},
{
"id": "T1070",
"name": "Indicator Removal on Host",
"display_name": "T1070 - Indicator Removal on Host"
},
{
"id": "T1155",
"name": "AppleScript",
"display_name": "T1155 - AppleScript"
},
{
"id": "T1557",
"name": "Man-in-the-Middle",
"display_name": "T1557 - Man-in-the-Middle"
},
{
"id": "T1185",
"name": "Man in the Browser",
"display_name": "T1185 - Man in the Browser"
},
{
"id": "T1176",
"name": "Browser Extensions",
"display_name": "T1176 - Browser Extensions"
},
{
"id": "T1584.005",
"name": "Botnet",
"display_name": "T1584.005 - Botnet"
}
],
"industries": [
"Financial",
"Government",
"Technology",
"IRS"
],
"TLP": "green",
"cloned_from": null,
"export_count": 11,
"upvotes_count": 0,
"downvotes_count": 0,
"votes_count": 0,
"locked": false,
"pulse_source": "web",
"validator_count": 0,
"comment_count": 0,
"follower_count": 0,
"vote": 0,
"author": {
"username": "Q.Vashti",
"id": "337942",
"avatar_url": "https://otx.alienvault.com/assets/images/default-avatar.png",
"is_subscribed": false,
"is_following": false
},
"indicator_type_counts": {
"FileHash-MD5": 363,
"FileHash-SHA1": 360,
"FileHash-SHA256": 3009,
"URL": 3504,
"domain": 879,
"email": 15,
"hostname": 1487,
"SSLCertFingerprint": 3
},
"indicator_count": 9620,
"is_author": false,
"is_subscribing": null,
"subscriber_count": 141,
"modified_text": "84 days ago ",
"is_modified": true,
"groups": [],
"in_group": false,
"threat_hunter_scannable": true,
"threat_hunter_has_agents": 1,
"related_indicator_type": "domain",
"related_indicator_is_active": 1
},
{
"id": "6905d40f781d7d58d4021a20",
"name": "Treece Alfrey Musat P.C., Chris P. Ahmann Colorado State \u2022 Tam Legal Special Cousel for egregious acts by PT.",
"description": "- with a primary focus on criminal defense. In both positions, he successfully defended his clients against claims running the gamut of the criminal justice system, from DUI\nand misdemeanors to felony indictments. In his criminal practice, Mr. Ahmann defends clients charged with both misdemeanor and felony cases. Mr. Ahmann continues his criminal practice as he believes that his clients deserve someone on their side to assure their voice is heard in the criminal process as well. He is dedicated to each of his clients and is always\nstriving for the best possible outcome in their individual cases. Mr. Ahmann also specializes in defense of employers in workers' compensation claims. He also assists TAM clients whose liability defense touches criminal prosecution, regularly providing effective criminal counsel in catastrophic injury common carrier matters, as well as criminal prosecution stemming from\nemployment and official acts.",
"modified": "2025-12-20T06:00:23.758000",
"created": "2025-11-01T09:34:07.323000",
"tags": [
"public tlp",
"trojandropper",
"other",
"references add",
"show",
"provide",
"remote",
"t1457",
"media content",
"t1480",
"subvert trust",
"controls t1562",
"modify tools",
"command history",
"ck t1027",
"t1057",
"discovery t1069",
"t1071",
"protocol t1105",
"tool transfer",
"t1113",
"logging t1568",
"t1574",
"execution flow",
"dll sideloading",
"t1583",
"ta0003",
"ck id",
"america",
"att",
"t1045",
"capture t1140",
"ipv4",
"active related",
"contact",
"adversary",
"tam legal",
"qshell",
"colorado state",
"ahmann special",
"counsel",
"download",
"ahmann",
"university",
"history",
"john marshall",
"law school",
"special counsel",
"christopher ahmann",
"defense",
"url http",
"create new",
"pulse provide",
"white",
"adversary tags",
"add tag",
"groups add",
"countries add",
"country malware",
"trojan",
"script urls",
"treece alfrey",
"meta",
"function",
"for privacy",
"germany unknown",
"united",
"script",
"ip address",
"creation date",
"date",
"tracker",
"null",
"window",
"general full",
"reverse dns",
"server",
"philadelphia",
"asn8560",
"ionosas",
"ionos",
"fasthosts",
"media",
"telecom",
"apache",
"main",
"gtagtracker",
"gatracker",
"brian sabey",
"hall render",
"fastly error",
"palantir",
"special counsel",
"gravity rat"
],
"references": [
"Treece Alfrey Musat P.C. Attorneys at Law Christopher P. Ahmann | https://TamLegal.com",
"https://urlscan.io/screenshots/e931bb02-80dc-46db-92f0-43d5afa258be.png",
"https://www.pornhub.com/gifs/search?search=tsara+lynn+brashears+lesbian",
"https://www.anyxxxtube.net/search-porn/tsara-brashears/",
"http://45.159.189.105/bot/regex \u2022\u2019 Fake Pinterest \u2022https://pin.it/",
"https://twitter.com/PORNO_SEXYBABES \u2022 girlsdoporn.com",
"Tsara never knew defense attorney fought & closed her worker\u2019s compensation claim",
"Traceback- Man with signal jammer/ deauther working around her today.",
"Absolutely zero regard for the victims who facilitate your luxury lifestyle.",
"Do you slap luxury cologne on your undeserving face paid for by money workers suffered for?",
"You\u2019d kill to have someone else\u2019s lifestyle? May God take you out!",
"This God smacked penguin ordered a settlement hearing with less than 24 hours notice for claimant.",
"He began a smear campaign immediately and is directly linked to Hall Render and Palantir",
"Doing any evil thing for mone does not compute for me.",
"I\u2019ve looked through the settlement docs, injuries caused by Jeffrey Scott Reiner DPT omitted.",
"He must be very scary like Peter Theil because every attorney took case then backed off.",
"Patiently waiting to see what God is going to do to all of you. You take lives for $",
"Stop! A woman was assaulted carved up, lived with a swollen brain , maltreatment , stalkers , hitmen?",
"So you can order food at fine restaurants , go to the finest places and get the best seats? No. I am earnestly praying Jehovah Sabaoth takes your last breath from all of you with Yawehs mightiest angels leading the way with a changing of guard for every tattle you will lose",
"On same block with HalkRender. Has close working relationship. All Palantir legal enities"
],
"public": 1,
"adversary": "",
"targeted_countries": [],
"malware_families": [
{
"id": "Other",
"display_name": "Other",
"target": null
},
{
"id": "Win.Malware.Unsafe",
"display_name": "Win.Malware.Unsafe",
"target": null
},
{
"id": "Juko",
"display_name": "Juko",
"target": null
},
{
"id": "Expiro",
"display_name": "Expiro",
"target": null
},
{
"id": "Trojan:Win32/Generic",
"display_name": "Trojan:Win32/Generic",
"target": "/malware/Trojan:Win32/Generic"
},
{
"id": "Win.Malware.Qshell-9875653-0",
"display_name": "Win.Malware.Qshell-9875653-0",
"target": null
},
{
"id": "Trojan:Win32/Qshell",
"display_name": "Trojan:Win32/Qshell",
"target": "/malware/Trojan:Win32/Qshell"
}
],
"attack_ids": [
{
"id": "T1027",
"name": "Obfuscated Files or Information",
"display_name": "T1027 - Obfuscated Files or Information"
},
{
"id": "T1045",
"name": "Software Packing",
"display_name": "T1045 - Software Packing"
},
{
"id": "T1057",
"name": "Process Discovery",
"display_name": "T1057 - Process Discovery"
},
{
"id": "T1069",
"name": "Permission Groups Discovery",
"display_name": "T1069 - Permission Groups Discovery"
},
{
"id": "T1071",
"name": "Application Layer Protocol",
"display_name": "T1071 - Application Layer Protocol"
},
{
"id": "T1105",
"name": "Ingress Tool Transfer",
"display_name": "T1105 - Ingress Tool Transfer"
},
{
"id": "T1113",
"name": "Screen Capture",
"display_name": "T1113 - Screen Capture"
},
{
"id": "T1140",
"name": "Deobfuscate/Decode Files or Information",
"display_name": "T1140 - Deobfuscate/Decode Files or Information"
},
{
"id": "T1197",
"name": "BITS Jobs",
"display_name": "T1197 - BITS Jobs"
},
{
"id": "T1210",
"name": "Exploitation of Remote Services",
"display_name": "T1210 - Exploitation of Remote Services"
},
{
"id": "T1457",
"name": "Malicious Media Content",
"display_name": "T1457 - Malicious Media Content"
},
{
"id": "T1480",
"name": "Execution Guardrails",
"display_name": "T1480 - Execution Guardrails"
},
{
"id": "T1553",
"name": "Subvert Trust Controls",
"display_name": "T1553 - Subvert Trust Controls"
},
{
"id": "T1562",
"name": "Impair Defenses",
"display_name": "T1562 - Impair Defenses"
},
{
"id": "T1568",
"name": "Dynamic Resolution",
"display_name": "T1568 - Dynamic Resolution"
},
{
"id": "T1574",
"name": "Hijack Execution Flow",
"display_name": "T1574 - Hijack Execution Flow"
},
{
"id": "T1583",
"name": "Acquire Infrastructure",
"display_name": "T1583 - Acquire Infrastructure"
}
],
"industries": [
"Legal",
"Government",
"Healthcare",
"Technology",
"Telecommunications"
],
"TLP": "white",
"cloned_from": null,
"export_count": 6,
"upvotes_count": 0,
"downvotes_count": 0,
"votes_count": 0,
"locked": false,
"pulse_source": "web",
"validator_count": 0,
"comment_count": 0,
"follower_count": 0,
"vote": 0,
"author": {
"username": "Q.Vashti",
"id": "337942",
"avatar_url": "https://otx.alienvault.com/assets/images/default-avatar.png",
"is_subscribed": false,
"is_following": false
},
"indicator_type_counts": {
"URL": 8332,
"domain": 4819,
"hostname": 2165,
"FileHash-SHA256": 7369,
"FileHash-MD5": 474,
"FileHash-SHA1": 470,
"CVE": 4,
"email": 4
},
"indicator_count": 23637,
"is_author": false,
"is_subscribing": null,
"subscriber_count": 139,
"modified_text": "120 days ago ",
"is_modified": true,
"groups": [],
"in_group": false,
"threat_hunter_scannable": true,
"threat_hunter_has_agents": 1,
"related_indicator_type": "domain",
"related_indicator_is_active": 1
},
{
"id": "690b39b3cf3cb86d14ccd811",
"name": "VirusTotal Graph - 11.05.25 - UAlberta Insiders",
"description": "I was just looking for a Dark Gate and came across this...hmmmm....\nI enriched on import, vet out and refer to virustotal graph referenced.\nRefer to References below - am unable to get them in. Profiled student group (OSINT) - unclear if potential allies or not.",
"modified": "2025-12-05T11:00:41.797000",
"created": "2025-11-05T11:49:07.495000",
"tags": [
"chadsualberta"
],
"references": [
"https://www.virustotal.com/graph/embed/ge8fc36dfbe1c48cab7c6efb0398cc30cb5aaebda2bf24123bb6a282436cc5bab?theme=dark",
"https://www.filescan.io/uploads/690baf5e85b61a93a738d0d5/reports/ecaf45a2-956f-4d4e-8ebd-00813d966614/ioc",
"ThreatZone - Malicious",
"https://tria.ge/251105-yvvzgssldn",
"https://hybrid-analysis.com/sample/30df68083e80263898ac56e2ef458811cec5fa73b92ad60f14b96ce676a11495",
"https://hybrid-analysis.com/sample/30df68083e80263898ac56e2ef458811cec5fa73b92ad60f14b96ce676a11495/690baf2999a0659ae9046188",
"Email: chads@ualberta[.]ca"
],
"public": 1,
"adversary": "",
"targeted_countries": [],
"malware_families": [],
"attack_ids": [],
"industries": [
"Education",
"Technology"
],
"TLP": "white",
"cloned_from": null,
"export_count": 6,
"upvotes_count": 0,
"downvotes_count": 0,
"votes_count": 0,
"locked": false,
"pulse_source": "web",
"validator_count": 0,
"comment_count": 2,
"follower_count": 0,
"vote": 0,
"author": {
"username": "Disable_Duck",
"id": "244325",
"avatar_url": "/otxapi/users/avatar_image/media/avatars/user_244325/resized/80/avatar_3b9c358f36.png",
"is_subscribed": false,
"is_following": false
},
"indicator_type_counts": {
"FileHash-MD5": 120,
"FileHash-SHA1": 120,
"FileHash-SHA256": 1809,
"URL": 603,
"domain": 396,
"hostname": 514
},
"indicator_count": 3562,
"is_author": false,
"is_subscribing": null,
"subscriber_count": 137,
"modified_text": "135 days ago ",
"is_modified": true,
"groups": [],
"in_group": false,
"threat_hunter_scannable": true,
"threat_hunter_has_agents": 1,
"related_indicator_type": "domain",
"related_indicator_is_active": 1
},
{
"id": "6906c12b1dd6a64ab1beaa55",
"name": "SpyNoon \u2022Chris P. Ahmann Colorado State \u2022 Tam Legal Special Cousel for egregious",
"description": "",
"modified": "2025-12-01T09:02:26.881000",
"created": "2025-11-02T02:25:47.431000",
"tags": [
"public tlp",
"trojandropper",
"other",
"references add",
"show",
"provide",
"remote",
"t1457",
"media content",
"t1480",
"subvert trust",
"controls t1562",
"modify tools",
"command history",
"ck t1027",
"t1057",
"discovery t1069",
"t1071",
"protocol t1105",
"tool transfer",
"t1113",
"logging t1568",
"t1574",
"execution flow",
"dll sideloading",
"t1583",
"ta0003",
"ck id",
"america",
"att",
"t1045",
"capture t1140",
"ipv4",
"active related",
"contact",
"adversary",
"tam legal",
"qshell",
"colorado state",
"ahmann special",
"counsel",
"download",
"ahmann",
"university",
"history",
"john marshall",
"law school",
"special counsel",
"christopher ahmann",
"defense",
"url http",
"create new",
"pulse provide",
"white",
"adversary tags",
"add tag",
"groups add",
"countries add",
"country malware",
"trojan",
"script urls",
"treece alfrey",
"meta",
"function",
"for privacy",
"germany unknown",
"united",
"script",
"ip address",
"creation date",
"date",
"tracker",
"null",
"window",
"general full",
"reverse dns",
"server",
"philadelphia",
"asn8560",
"ionosas",
"ionos",
"fasthosts",
"media",
"telecom",
"apache",
"main",
"gtagtracker",
"gatracker",
"brian sabey",
"hall render",
"fastly error",
"palantir",
"special counsel",
"gravity rat"
],
"references": [
"Treece Alfrey Musat P.C. Attorneys at Law Christopher P. Ahmann | https://TamLegal.com",
"https://urlscan.io/screenshots/e931bb02-80dc-46db-92f0-43d5afa258be.png",
"https://www.pornhub.com/gifs/search?search=tsara+lynn+brashears+lesbian",
"https://www.anyxxxtube.net/search-porn/tsara-brashears/",
"http://45.159.189.105/bot/regex \u2022\u2019 Fake Pinterest \u2022https://pin.it/",
"https://twitter.com/PORNO_SEXYBABES \u2022 girlsdoporn.com",
"Tsara never knew defense attorney fought & closed her worker\u2019s compensation claim",
"Traceback- Man with signal jammer/ deauther working around her today.",
"Absolutely zero regard for the victims who facilitate your luxury lifestyle.",
"Do you slap luxury cologne on your undeserving face paid for by money workers suffered for?",
"You\u2019d kill to have someone else\u2019s lifestyle? May God take you out!",
"This God smacked penguin ordered a settlement hearing with less than 24 hours notice for claimant.",
"He began a smear campaign immediately and is directly linked to Hall Render and Palantir",
"Doing any evil thing for mone does not compute for me.",
"I\u2019ve looked through the settlement docs, injuries caused by Jeffrey Scott Reiner DPT omitted.",
"He must be very scary like Peter Theil because every attorney took case then backed off.",
"Patiently waiting to see what God is going to do to all of you. You take lives for $",
"Stop! A woman was assaulted carved up, lived with a swollen brain , maltreatment , stalkers , hitmen?",
"So you can order food at fine restaurants , go to the finest places and get the best seats? No. I am earnestly praying Jehovah Sabaoth takes your last breath from all of you with Yawehs mightiest angels leading the way with a changing of guard for every tattle you will lose",
"On same block with HalkRender. Has close working relationship. All Palantir legal enities"
],
"public": 1,
"adversary": "",
"targeted_countries": [],
"malware_families": [
{
"id": "Other",
"display_name": "Other",
"target": null
},
{
"id": "Win.Malware.Unsafe",
"display_name": "Win.Malware.Unsafe",
"target": null
},
{
"id": "Juko",
"display_name": "Juko",
"target": null
},
{
"id": "Expiro",
"display_name": "Expiro",
"target": null
},
{
"id": "Trojan:Win32/Generic",
"display_name": "Trojan:Win32/Generic",
"target": "/malware/Trojan:Win32/Generic"
},
{
"id": "Win.Malware.Qshell-9875653-0",
"display_name": "Win.Malware.Qshell-9875653-0",
"target": null
},
{
"id": "Trojan:Win32/Qshell",
"display_name": "Trojan:Win32/Qshell",
"target": "/malware/Trojan:Win32/Qshell"
}
],
"attack_ids": [
{
"id": "T1027",
"name": "Obfuscated Files or Information",
"display_name": "T1027 - Obfuscated Files or Information"
},
{
"id": "T1045",
"name": "Software Packing",
"display_name": "T1045 - Software Packing"
},
{
"id": "T1057",
"name": "Process Discovery",
"display_name": "T1057 - Process Discovery"
},
{
"id": "T1069",
"name": "Permission Groups Discovery",
"display_name": "T1069 - Permission Groups Discovery"
},
{
"id": "T1071",
"name": "Application Layer Protocol",
"display_name": "T1071 - Application Layer Protocol"
},
{
"id": "T1105",
"name": "Ingress Tool Transfer",
"display_name": "T1105 - Ingress Tool Transfer"
},
{
"id": "T1113",
"name": "Screen Capture",
"display_name": "T1113 - Screen Capture"
},
{
"id": "T1140",
"name": "Deobfuscate/Decode Files or Information",
"display_name": "T1140 - Deobfuscate/Decode Files or Information"
},
{
"id": "T1197",
"name": "BITS Jobs",
"display_name": "T1197 - BITS Jobs"
},
{
"id": "T1210",
"name": "Exploitation of Remote Services",
"display_name": "T1210 - Exploitation of Remote Services"
},
{
"id": "T1457",
"name": "Malicious Media Content",
"display_name": "T1457 - Malicious Media Content"
},
{
"id": "T1480",
"name": "Execution Guardrails",
"display_name": "T1480 - Execution Guardrails"
},
{
"id": "T1553",
"name": "Subvert Trust Controls",
"display_name": "T1553 - Subvert Trust Controls"
},
{
"id": "T1562",
"name": "Impair Defenses",
"display_name": "T1562 - Impair Defenses"
},
{
"id": "T1568",
"name": "Dynamic Resolution",
"display_name": "T1568 - Dynamic Resolution"
},
{
"id": "T1574",
"name": "Hijack Execution Flow",
"display_name": "T1574 - Hijack Execution Flow"
},
{
"id": "T1583",
"name": "Acquire Infrastructure",
"display_name": "T1583 - Acquire Infrastructure"
}
],
"industries": [
"Legal",
"Government",
"Healthcare",
"Technology",
"Telecommunications"
],
"TLP": "white",
"cloned_from": "6905d40f781d7d58d4021a20",
"export_count": 11,
"upvotes_count": 0,
"downvotes_count": 0,
"votes_count": 0,
"locked": false,
"pulse_source": "web",
"validator_count": 0,
"comment_count": 0,
"follower_count": 0,
"vote": 0,
"author": {
"username": "Q.Vashti",
"id": "337942",
"avatar_url": "https://otx.alienvault.com/assets/images/default-avatar.png",
"is_subscribed": false,
"is_following": false
},
"indicator_type_counts": {
"URL": 7556,
"domain": 4779,
"hostname": 2053,
"FileHash-SHA256": 7233,
"FileHash-MD5": 474,
"FileHash-SHA1": 470,
"CVE": 4,
"email": 4
},
"indicator_count": 22573,
"is_author": false,
"is_subscribing": null,
"subscriber_count": 138,
"modified_text": "139 days ago ",
"is_modified": true,
"groups": [],
"in_group": false,
"threat_hunter_scannable": true,
"threat_hunter_has_agents": 1,
"related_indicator_type": "domain",
"related_indicator_is_active": 1
},
{
"id": "69137ee5d76d486d65396af0",
"name": "Chris P. Ahmann Colorado State \u2022 Tam Legal Special Cousel for egregious acts committed by Jeffrey S. Reimer DPT \u2022 Treece Alfrey Musat P.C., ",
"description": "",
"modified": "2025-12-01T09:02:26.881000",
"created": "2025-11-11T18:22:29.976000",
"tags": [
"public tlp",
"trojandropper",
"other",
"references add",
"show",
"provide",
"remote",
"t1457",
"media content",
"t1480",
"subvert trust",
"controls t1562",
"modify tools",
"command history",
"ck t1027",
"t1057",
"discovery t1069",
"t1071",
"protocol t1105",
"tool transfer",
"t1113",
"logging t1568",
"t1574",
"execution flow",
"dll sideloading",
"t1583",
"ta0003",
"ck id",
"america",
"att",
"t1045",
"capture t1140",
"ipv4",
"active related",
"contact",
"adversary",
"tam legal",
"qshell",
"colorado state",
"ahmann special",
"counsel",
"download",
"ahmann",
"university",
"history",
"john marshall",
"law school",
"special counsel",
"christopher ahmann",
"defense",
"url http",
"create new",
"pulse provide",
"white",
"adversary tags",
"add tag",
"groups add",
"countries add",
"country malware",
"trojan",
"script urls",
"treece alfrey",
"meta",
"function",
"for privacy",
"germany unknown",
"united",
"script",
"ip address",
"creation date",
"date",
"tracker",
"null",
"window",
"general full",
"reverse dns",
"server",
"philadelphia",
"asn8560",
"ionosas",
"ionos",
"fasthosts",
"media",
"telecom",
"apache",
"main",
"gtagtracker",
"gatracker",
"brian sabey",
"hall render",
"fastly error",
"palantir",
"special counsel",
"gravity rat"
],
"references": [
"Treece Alfrey Musat P.C. Attorneys at Law Christopher P. Ahmann | https://TamLegal.com",
"https://urlscan.io/screenshots/e931bb02-80dc-46db-92f0-43d5afa258be.png",
"https://www.pornhub.com/gifs/search?search=tsara+lynn+brashears+lesbian",
"https://www.anyxxxtube.net/search-porn/tsara-brashears/",
"http://45.159.189.105/bot/regex \u2022\u2019 Fake Pinterest \u2022https://pin.it/",
"https://twitter.com/PORNO_SEXYBABES \u2022 girlsdoporn.com",
"Tsara never knew defense attorney fought & closed her worker\u2019s compensation claim",
"Traceback- Man with signal jammer/ deauther working around her today.",
"Absolutely zero regard for the victims who facilitate your luxury lifestyle.",
"Do you slap luxury cologne on your undeserving face paid for by money workers suffered for?",
"You\u2019d kill to have someone else\u2019s lifestyle? May God take you out!",
"This God smacked penguin ordered a settlement hearing with less than 24 hours notice for claimant.",
"He began a smear campaign immediately and is directly linked to Hall Render and Palantir",
"Doing any evil thing for mone does not compute for me.",
"I\u2019ve looked through the settlement docs, injuries caused by Jeffrey Scott Reiner DPT omitted.",
"He must be very scary like Peter Theil because every attorney took case then backed off.",
"Patiently waiting to see what God is going to do to all of you. You take lives for $",
"Stop! A woman was assaulted carved up, lived with a swollen brain , maltreatment , stalkers , hitmen?",
"So you can order food at fine restaurants , go to the finest places and get the best seats? No. I am earnestly praying Jehovah Sabaoth takes your last breath from all of you with Yawehs mightiest angels leading the way with a changing of guard for every tattle you will lose",
"On same block with HalkRender. Has close working relationship. All Palantir legal enities"
],
"public": 1,
"adversary": "",
"targeted_countries": [],
"malware_families": [
{
"id": "Other",
"display_name": "Other",
"target": null
},
{
"id": "Win.Malware.Unsafe",
"display_name": "Win.Malware.Unsafe",
"target": null
},
{
"id": "Juko",
"display_name": "Juko",
"target": null
},
{
"id": "Expiro",
"display_name": "Expiro",
"target": null
},
{
"id": "Trojan:Win32/Generic",
"display_name": "Trojan:Win32/Generic",
"target": "/malware/Trojan:Win32/Generic"
},
{
"id": "Win.Malware.Qshell-9875653-0",
"display_name": "Win.Malware.Qshell-9875653-0",
"target": null
},
{
"id": "Trojan:Win32/Qshell",
"display_name": "Trojan:Win32/Qshell",
"target": "/malware/Trojan:Win32/Qshell"
}
],
"attack_ids": [
{
"id": "T1027",
"name": "Obfuscated Files or Information",
"display_name": "T1027 - Obfuscated Files or Information"
},
{
"id": "T1045",
"name": "Software Packing",
"display_name": "T1045 - Software Packing"
},
{
"id": "T1057",
"name": "Process Discovery",
"display_name": "T1057 - Process Discovery"
},
{
"id": "T1069",
"name": "Permission Groups Discovery",
"display_name": "T1069 - Permission Groups Discovery"
},
{
"id": "T1071",
"name": "Application Layer Protocol",
"display_name": "T1071 - Application Layer Protocol"
},
{
"id": "T1105",
"name": "Ingress Tool Transfer",
"display_name": "T1105 - Ingress Tool Transfer"
},
{
"id": "T1113",
"name": "Screen Capture",
"display_name": "T1113 - Screen Capture"
},
{
"id": "T1140",
"name": "Deobfuscate/Decode Files or Information",
"display_name": "T1140 - Deobfuscate/Decode Files or Information"
},
{
"id": "T1197",
"name": "BITS Jobs",
"display_name": "T1197 - BITS Jobs"
},
{
"id": "T1210",
"name": "Exploitation of Remote Services",
"display_name": "T1210 - Exploitation of Remote Services"
},
{
"id": "T1457",
"name": "Malicious Media Content",
"display_name": "T1457 - Malicious Media Content"
},
{
"id": "T1480",
"name": "Execution Guardrails",
"display_name": "T1480 - Execution Guardrails"
},
{
"id": "T1553",
"name": "Subvert Trust Controls",
"display_name": "T1553 - Subvert Trust Controls"
},
{
"id": "T1562",
"name": "Impair Defenses",
"display_name": "T1562 - Impair Defenses"
},
{
"id": "T1568",
"name": "Dynamic Resolution",
"display_name": "T1568 - Dynamic Resolution"
},
{
"id": "T1574",
"name": "Hijack Execution Flow",
"display_name": "T1574 - Hijack Execution Flow"
},
{
"id": "T1583",
"name": "Acquire Infrastructure",
"display_name": "T1583 - Acquire Infrastructure"
}
],
"industries": [
"Legal",
"Government",
"Healthcare",
"Technology",
"Telecommunications"
],
"TLP": "white",
"cloned_from": "6905d40f781d7d58d4021a20",
"export_count": 3,
"upvotes_count": 0,
"downvotes_count": 0,
"votes_count": 0,
"locked": false,
"pulse_source": "web",
"validator_count": 0,
"comment_count": 0,
"follower_count": 0,
"vote": 0,
"author": {
"username": "Q.Vashti",
"id": "337942",
"avatar_url": "https://otx.alienvault.com/assets/images/default-avatar.png",
"is_subscribed": false,
"is_following": false
},
"indicator_type_counts": {
"URL": 7556,
"domain": 4779,
"hostname": 2053,
"FileHash-SHA256": 7233,
"FileHash-MD5": 474,
"FileHash-SHA1": 470,
"CVE": 4,
"email": 4
},
"indicator_count": 22573,
"is_author": false,
"is_subscribing": null,
"subscriber_count": 140,
"modified_text": "139 days ago ",
"is_modified": true,
"groups": [],
"in_group": false,
"threat_hunter_scannable": true,
"threat_hunter_has_agents": 1,
"related_indicator_type": "domain",
"related_indicator_is_active": 1
},
{
"id": "68be993e9615b0e3e813b707",
"name": "MalBeacon - Apple Tor Project | Hostile",
"description": "Google.com is the world's largest web server, with an address address of 2.5 million users.. and a domain of 1.6 million servers. \u00c2\u00a31.3bn",
"modified": "2025-10-08T08:03:50.685000",
"created": "2025-09-08T08:52:14.428000",
"tags": [
"present mar",
"present aug",
"present jun",
"france unknown",
"present jan",
"present dec",
"present may",
"present apr",
"passive dns",
"tor exit",
"ipv4",
"reverse dns",
"location france",
"france asn",
"as15557",
"courier",
"accept",
"genco labs",
"comments",
"authority",
"fileversion",
"g2 c",
"llc st",
"md5 add",
"lowfi",
"united",
"backdoor",
"win32",
"hacktool",
"trojan",
"present sep",
"aaaa",
"moved",
"ip address",
"apache",
"ipv4 add",
"america flag",
"gaithersburg",
"united states",
"yara detections",
"malware",
"port",
"destination",
"read c",
"msie",
"windows nt",
"wow64",
"hostile",
"write",
"markus",
"local",
"unknown",
"apple",
"urls",
"domain",
"x apple",
"unknown aaaa",
"hostname add",
"files",
"files ip",
"delete c",
"crlf line",
"cheat service",
"checkin",
"high",
"total",
"delete",
"python",
"learn",
"ck id",
"name tactics",
"suspicious",
"informative",
"spawns",
"command",
"found",
"defense evasion",
"t1480 execution",
"command decode",
"et tor",
"known tor",
"misc attack",
"relayrouter",
"exit",
"node traffic",
"general",
"path",
"click",
"strings",
"meta",
"thus",
"contact",
"main",
"dynamicloader",
"medium",
"wine emulator",
"dynamic",
"reads",
"patchcache",
"pe section",
"code overlap",
"blackie virus",
"intel",
"ms windows",
"pe32",
"regsetvalueexa",
"regdword",
"pe32 executable",
"delphi",
"dock",
"execution",
"explorer",
"next",
"evasion att",
"file defense",
"dynamic api",
"discovery att",
"prefetch8",
"prefetch1",
"mitre att",
"ck matrix",
"localappdata",
"yara signature",
"process",
"a domains",
"malbeacon",
"about contact",
"portal open",
"menu close",
"menu home",
"content home",
"portal",
"beaconing",
"internet",
"dark",
"type indicator",
"added active",
"related pulses",
"url https",
"url http",
"china unknown",
"location china",
"china asn",
"as174 cogent",
"twitter",
"virgin islands",
"creation date",
"germany unknown",
"unknown ns",
"domain add",
"tulach type",
"response ip",
"address google",
"safe browsing",
"status",
"search",
"date",
"name servers",
"showing",
"record value",
"error",
"code",
"content type",
"access",
"length",
"title",
"mtb may",
"useragent",
"next associated",
"gmt cache",
"sameorigin",
"mozilla",
"trojandropper",
"monitored target",
"packed"
],
"references": [
"80.125.71.115",
"Yara Detections: Armadillov171",
"https://malbeacon.com/",
"prod-lt-playstoregatewayadapter-pa.googleapis.com \u2022 redirector.gvt1.com \u2022 torexit.net-137.ampr.org"
],
"public": 1,
"adversary": "",
"targeted_countries": [
"United States of America"
],
"malware_families": [
{
"id": "Win.Trojan.Shodi",
"display_name": "Win.Trojan.Shodi",
"target": null
},
{
"id": "HackTool:Win64/Patcher!MSR",
"display_name": "HackTool:Win64/Patcher!MSR",
"target": "/malware/HackTool:Win64/Patcher!MSR"
},
{
"id": "Win.Malware.Lazy",
"display_name": "Win.Malware.Lazy",
"target": null
},
{
"id": "VirTool:MSIL/CryptInject.YA!MTB",
"display_name": "VirTool:MSIL/CryptInject.YA!MTB",
"target": "/malware/VirTool:MSIL/CryptInject.YA!MTB"
},
{
"id": "Ransom:Win32/Gojdue",
"display_name": "Ransom:Win32/Gojdue",
"target": "/malware/Ransom:Win32/Gojdue"
},
{
"id": "ALF:HeraklezEval:TrojanDownloader:HTML/Adodb",
"display_name": "ALF:HeraklezEval:TrojanDownloader:HTML/Adodb",
"target": null
},
{
"id": "Meredrop",
"display_name": "Meredrop",
"target": null
},
{
"id": "Tulach",
"display_name": "Tulach",
"target": null
},
{
"id": "AutoRun",
"display_name": "AutoRun",
"target": null
}
],
"attack_ids": [
{
"id": "T1012",
"name": "Query Registry",
"display_name": "T1012 - Query Registry"
},
{
"id": "T1040",
"name": "Network Sniffing",
"display_name": "T1040 - Network Sniffing"
},
{
"id": "T1045",
"name": "Software Packing",
"display_name": "T1045 - Software Packing"
},
{
"id": "T1047",
"name": "Windows Management Instrumentation",
"display_name": "T1047 - Windows Management Instrumentation"
},
{
"id": "T1053",
"name": "Scheduled Task/Job",
"display_name": "T1053 - Scheduled Task/Job"
},
{
"id": "T1055",
"name": "Process Injection",
"display_name": "T1055 - Process Injection"
},
{
"id": "T1057",
"name": "Process Discovery",
"display_name": "T1057 - Process Discovery"
},
{
"id": "T1060",
"name": "Registry Run Keys / Startup Folder",
"display_name": "T1060 - Registry Run Keys / Startup Folder"
},
{
"id": "T1063",
"name": "Security Software Discovery",
"display_name": "T1063 - Security Software Discovery"
},
{
"id": "T1067",
"name": "Bootkit",
"display_name": "T1067 - Bootkit"
},
{
"id": "T1071",
"name": "Application Layer Protocol",
"display_name": "T1071 - Application Layer Protocol"
},
{
"id": "T1082",
"name": "System Information Discovery",
"display_name": "T1082 - System Information Discovery"
},
{
"id": "T1112",
"name": "Modify Registry",
"display_name": "T1112 - Modify Registry"
},
{
"id": "T1129",
"name": "Shared Modules",
"display_name": "T1129 - Shared Modules"
},
{
"id": "T1143",
"name": "Hidden Window",
"display_name": "T1143 - Hidden Window"
},
{
"id": "T1105",
"name": "Ingress Tool Transfer",
"display_name": "T1105 - Ingress Tool Transfer"
},
{
"id": "T1480",
"name": "Execution Guardrails",
"display_name": "T1480 - Execution Guardrails"
},
{
"id": "T1113",
"name": "Screen Capture",
"display_name": "T1113 - Screen Capture"
},
{
"id": "T1090",
"name": "Proxy",
"display_name": "T1090 - Proxy"
},
{
"id": "T1027",
"name": "Obfuscated Files or Information",
"display_name": "T1027 - Obfuscated Files or Information"
},
{
"id": "T1140",
"name": "Deobfuscate/Decode Files or Information",
"display_name": "T1140 - Deobfuscate/Decode Files or Information"
}
],
"industries": [
"Telecommunications"
],
"TLP": "white",
"cloned_from": null,
"export_count": 8,
"upvotes_count": 0,
"downvotes_count": 0,
"votes_count": 0,
"locked": false,
"pulse_source": "web",
"validator_count": 0,
"comment_count": 0,
"follower_count": 0,
"vote": 0,
"author": {
"username": "Q.Vashti",
"id": "337942",
"avatar_url": "https://otx.alienvault.com/assets/images/default-avatar.png",
"is_subscribed": false,
"is_following": false
},
"indicator_type_counts": {
"hostname": 852,
"FileHash-MD5": 508,
"FileHash-SHA1": 407,
"FileHash-SHA256": 4566,
"URL": 3778,
"domain": 789,
"email": 8,
"SSLCertFingerprint": 2
},
"indicator_count": 10910,
"is_author": false,
"is_subscribing": null,
"subscriber_count": 145,
"modified_text": "193 days ago ",
"is_modified": true,
"groups": [],
"in_group": false,
"threat_hunter_scannable": true,
"threat_hunter_has_agents": 1,
"related_indicator_type": "domain",
"related_indicator_is_active": 1
},
{
"id": "68abf66e97031d0ff0c04fed",
"name": "Packed sentient.industries links to a targets business website",
"description": "Very malicious link found in a targets business.\nPacked. Needs to be categorized.\n(FoundryPalantir rich?) Tracking, hacking, and serious espionage.\nAvailable public Information: \nSENTIENT INDUSTRIES\nsentient.industries\nSentient industries provides design and engineering services, from prototyping to small-batch manufacturing, empowering clients to overcome complex challenges. |\nMore about sentient\nMission sentient accelerates mission critical technology for\u2026\nSENTIENT INDUSTRIES\nAccelerating mission-critical tech for disaster response, defense ...\nContact Now\nAustin, tx 78758. United States. EMAIL us. info@sentient \n\nWorse than it looks. Spying on a several threat researchers.",
"modified": "2025-09-24T04:04:05.604000",
"created": "2025-08-25T05:36:46.327000",
"tags": [
"moved",
"body",
"x cache",
"cloudfront x",
"cph50 c2",
"certificate",
"record value",
"title",
"h1 center",
"server",
"redacted for",
"servers",
"name redacted",
"for privacy",
"name servers",
"org data",
"privacy city",
"privacy country",
"ca creation",
"passive dns",
"urls",
"files",
"ip address",
"asn as57033",
"less whois",
"registrar",
"tucows domains",
"key identifier",
"data",
"v3 serial",
"number",
"cat ozerossl",
"cnzerossl ecc",
"domain secure",
"site ca",
"validity",
"subject public",
"extraction",
"data upload",
"extra data",
"include review",
"find",
"failed",
"typ no",
"ms windows",
"intel",
"pe32",
"united",
"search",
"as16509",
"from win32bios",
"show",
"high",
"medium",
"delphi",
"copy",
"write",
"launcher",
"next",
"present aug",
"present jul",
"lowfi",
"win32",
"a div",
"div div",
"learn xml",
"babylon",
"win64",
"trojan",
"colors",
"python",
"learn",
"ck id",
"name tactics",
"suspicious",
"informative",
"command",
"adversaries",
"spawns",
"mitre att",
"ck techniques",
"et info",
"tls handshake",
"bad traffic",
"failure",
"date",
"august",
"hybrid",
"general",
"path",
"starfield",
"click",
"strings",
"se bethseda",
"n bethseda",
"n data",
"error",
"date checked",
"url hostname",
"server response",
"google safe",
"results aug",
"read c",
"tlsv1",
"port",
"destination",
"module load",
"execution",
"dock",
"persistence",
"malware",
"unknown",
"cname",
"aaaa",
"creation date",
"showing",
"domain",
"dga domains",
"palantirfoundry",
"foundry",
"status",
"unknown ns",
"g2 tls",
"rsa sha256",
"italy unknown",
"mtb may",
"trojandropper",
"invalid url",
"next associated",
"ddos",
"body html",
"hacktool",
"ipv4",
"url analysis",
"ukraine",
"encrypt",
"rl add",
"http",
"hostname",
"files domain",
"files related",
"related tags",
"present jun",
"entries",
"title error",
"all ipv4",
"reverse dns",
"yara detections",
"top source",
"top destination",
"source source",
"sha256 add",
"pulse pulses",
"av detections",
"ids detections",
"alerts",
"analysis date",
"address range",
"cidr",
"network name",
"allocation type",
"whois server",
"entity amazon4",
"handle",
"canada unknown",
"content type",
"javascript src",
"script script",
"x powered",
"ipv4 add",
"pulse submit",
"submit url",
"analysis",
"url add",
"related nids",
"files location",
"canada flag",
"canada hostname",
"unknown aaaa",
"ascii text",
"user agent",
"powershell",
"agent",
"czechia unknown",
"domain add",
"dynamicloader",
"hostname add",
"pentagon",
"defense"
],
"references": [
"sentient.industries affects independent artists. Affects several others.",
"Bethseda Map - Yara Detections Delphi , InnoSetupInstaller",
"Bethseda Map - High Priority Alerts: ransomware_file_moves ransomware_appends_extensions",
"Bethseda Map - High Priority Alerts: dumped_buffer2 antisandbox_mouse_hook",
"Bethseda Map - High Priority Alerts: modifies_certificates ransomware_dropped_files",
"Bethseda Map - High Priority Alerts: ransomware_mass_file_delete antivm_firmware",
"Bethseda Map - High Priority Alerts: antiemu_wine banker_zeus_p2p",
"https://download.mobiledit.com/drivers/setup_cdd_apple_1_0_10_0.exe",
"https://forensic.manuals.mobiledit.com/MM/how-to-install-correct-apple-drivers",
"prod.foundry.tylertechai.com \u2022 qa.foundry.tylertechai.com \u2022 staging.foundry.tylertechai.com \u2022",
"talos-staging.palantirfoundry.com \u2022 tylertechai.com \u2022 Palantir Technologies Inc.\u2022 palantirfoundry.com",
"Affects : Kailula4 , scnrscnr, SongCulture, Tsara Brashears & associated, ScrnrScrnr , dorkingbeauty",
"Interesting widgets: https://myid.canon/prd/1.1.30/canonid-assets/gcid-widget.html",
"http://link.monetizer101.com/widget/custom-2.0.2/templates/1",
"https://widget-i18n.tiktokv.com.ttdns2.com/ \u2022 https://stella.demand-iq.com/widget",
"widget-va.tiktokv.com.ttdns2.com \u2022 http://widget-i18n.tiktokv.com.ttdns2.com/",
"http://link.monetizer101.com/widget/custom-2.0.3/js/load.min.js \u2022",
"https://link.monetizer101.com/widget/code/595.js \u2022 https://link.monetizer101.com/widget/code/1343.js",
"https://link.monetizer101.com/widget/code/1511.js \u2022 https://link.monetizer101.com/widget/code/mirror.js",
"https://link.monetizer101.com/widget/code/dailystaruk.js",
"https://download.mobiledit.com/drivers/setup_cdd_apple_1_0_10_0.exe",
"https://forensic.manuals.mobiledit.com/MM/how-to-install-correct-apple-drivers (ASP.NET)",
"Interesting Strings: https://pro-api.coinmarketcap.com/v2/cryptocurrency/quotes/historical",
"(Can't access file- Malware infection files)",
"Potential reparations: Spyware , Trojan , Pegasus , DNS , Graphite , Paragon , NSO Group , Endgame , Cloudfront",
"constellation.pcfrpegaservice.net (Pegasus related? idk)",
"On behalf of pcfrpegaservice.net owner Name Servers\tNS-1477.AWSDNS-56.ORG Org\tIdentity Protection Service",
"TrojanWin32Scoreem - CodeOverlap [616fc7047d6216f7a604fa90f2f2dd0ad5b12f1153137e43858d3421ba964ea4]",
"I have to breakdown this enormous post over time. I\u2019m going to repost a potential hackers similar post",
"Remotewd.com devices",
"If you find anything interesting please research it."
],
"public": 1,
"adversary": "",
"targeted_countries": [
"United States of America"
],
"malware_families": [
{
"id": "nUFS_inno",
"display_name": "nUFS_inno",
"target": null
},
{
"id": "#Lowfi:HSTR:MSIL/Malicious",
"display_name": "#Lowfi:HSTR:MSIL/Malicious",
"target": null
},
{
"id": "ALF:JASYP:PUA:Win32/Bibado",
"display_name": "ALF:JASYP:PUA:Win32/Bibado",
"target": null
},
{
"id": "Trojan:Win32/Toga",
"display_name": "Trojan:Win32/Toga",
"target": "/malware/Trojan:Win32/Toga"
},
{
"id": "Win32:Downloader-GJK\\ [Trj]",
"display_name": "Win32:Downloader-GJK\\ [Trj]",
"target": null
},
{
"id": "Win.Downloader.109205-1",
"display_name": "Win.Downloader.109205-1",
"target": null
},
{
"id": "Custom Malware",
"display_name": "Custom Malware",
"target": null
},
{
"id": "#LowFiEnableDTContinueAfterUnpacking",
"display_name": "#LowFiEnableDTContinueAfterUnpacking",
"target": null
},
{
"id": "Win32:Downloader-GJK\\ [Trj]",
"display_name": "Win32:Downloader-GJK\\ [Trj]",
"target": null
},
{
"id": "Win.Downloader.109205-1",
"display_name": "Win.Downloader.109205-1",
"target": null
},
{
"id": "Win.Trojan.Jorik-149",
"display_name": "Win.Trojan.Jorik-149",
"target": null
},
{
"id": "#LowFiDetectsVmWare",
"display_name": "#LowFiDetectsVmWare",
"target": null
},
{
"id": "Win.Trojan.Jorik-130",
"display_name": "Win.Trojan.Jorik-130",
"target": null
},
{
"id": "Win.Trojan.Fakecodecs-119",
"display_name": "Win.Trojan.Fakecodecs-119",
"target": null
},
{
"id": "Trojan:Win32/Zombie.A",
"display_name": "Trojan:Win32/Zombie.A",
"target": "/malware/Trojan:Win32/Zombie.A"
},
{
"id": "Win.Trojan.Bulz-9860169-0",
"display_name": "Win.Trojan.Bulz-9860169-0",
"target": null
},
{
"id": "Win.Malware.Midie-6847892-0",
"display_name": "Win.Malware.Midie-6847892-0",
"target": null
},
{
"id": "TrojanDropper:Win32/Muldrop.V!MTB",
"display_name": "TrojanDropper:Win32/Muldrop.V!MTB",
"target": "/malware/TrojanDropper:Win32/Muldrop.V!MTB"
},
{
"id": "Win.Packed.Razy-9785185-0",
"display_name": "Win.Packed.Razy-9785185-0",
"target": null
},
{
"id": "Trojan:Win32/Glupteba.MT!MTB",
"display_name": "Trojan:Win32/Glupteba.MT!MTB",
"target": "/malware/Trojan:Win32/Glupteba.MT!MTB"
},
{
"id": "PWS",
"display_name": "PWS",
"target": null
},
{
"id": "DDOS:Win32/Stormser.A",
"display_name": "DDOS:Win32/Stormser.A",
"target": "/malware/DDOS:Win32/Stormser.A"
},
{
"id": "ALF:HSTR:DotNET",
"display_name": "ALF:HSTR:DotNET",
"target": null
},
{
"id": "DotNET",
"display_name": "DotNET",
"target": null
},
{
"id": "Script Exploit",
"display_name": "Script Exploit",
"target": null
},
{
"id": "HackTool:Win32/AutoKMS",
"display_name": "HackTool:Win32/AutoKMS",
"target": "/malware/HackTool:Win32/AutoKMS"
},
{
"id": "Xanfpezes.A",
"display_name": "Xanfpezes.A",
"target": null
},
{
"id": "Trojan:Win32/Gandcrab",
"display_name": "Trojan:Win32/Gandcrab",
"target": "/malware/Trojan:Win32/Gandcrab"
},
{
"id": "Win.Trojan.Generic-9862772-0",
"display_name": "Win.Trojan.Generic-9862772-0",
"target": null
},
{
"id": "Trojan:Win32/Zbot.SIBL!MTB",
"display_name": "Trojan:Win32/Zbot.SIBL!MTB",
"target": "/malware/Trojan:Win32/Zbot.SIBL!MTB"
},
{
"id": "Win32/Nemucod",
"display_name": "Win32/Nemucod",
"target": null
},
{
"id": "ALF:HeraklezEval:TrojanDownloader:HTML/Adodb!rfn",
"display_name": "ALF:HeraklezEval:TrojanDownloader:HTML/Adodb!rfn",
"target": null
},
{
"id": "Trojan:Win32/Blihan.A",
"display_name": "Trojan:Win32/Blihan.A",
"target": "/malware/Trojan:Win32/Blihan.A"
},
{
"id": "TrojanDropper:Win32/Muldrop",
"display_name": "TrojanDropper:Win32/Muldrop",
"target": "/malware/TrojanDropper:Win32/Muldrop"
},
{
"id": "ALF:HeraklezEval:Trojan:Win32/Ymacco.AA47",
"display_name": "ALF:HeraklezEval:Trojan:Win32/Ymacco.AA47",
"target": null
},
{
"id": "Win.Malware.Kolab-9885903-0",
"display_name": "Win.Malware.Kolab-9885903-0",
"target": null
},
{
"id": "Win.Malware (30)",
"display_name": "Win.Malware (30)",
"target": null
},
{
"id": "Ransom",
"display_name": "Ransom",
"target": null
},
{
"id": "#Lowfi:HSTR:MSIL/Malicious.Decryption",
"display_name": "#Lowfi:HSTR:MSIL/Malicious.Decryption",
"target": null
},
{
"id": "E5",
"display_name": "E5",
"target": null
},
{
"id": "MyDoom",
"display_name": "MyDoom",
"target": null
}
],
"attack_ids": [
{
"id": "T1047",
"name": "Windows Management Instrumentation",
"display_name": "T1047 - Windows Management Instrumentation"
},
{
"id": "T1060",
"name": "Registry Run Keys / Startup Folder",
"display_name": "T1060 - Registry Run Keys / Startup Folder"
},
{
"id": "T1119",
"name": "Automated Collection",
"display_name": "T1119 - Automated Collection"
},
{
"id": "T1027",
"name": "Obfuscated Files or Information",
"display_name": "T1027 - Obfuscated Files or Information"
},
{
"id": "T1057",
"name": "Process Discovery",
"display_name": "T1057 - Process Discovery"
},
{
"id": "T1071",
"name": "Application Layer Protocol",
"display_name": "T1071 - Application Layer Protocol"
},
{
"id": "T1105",
"name": "Ingress Tool Transfer",
"display_name": "T1105 - Ingress Tool Transfer"
},
{
"id": "T1480",
"name": "Execution Guardrails",
"display_name": "T1480 - Execution Guardrails"
},
{
"id": "T1553",
"name": "Subvert Trust Controls",
"display_name": "T1553 - Subvert Trust Controls"
},
{
"id": "T1583",
"name": "Acquire Infrastructure",
"display_name": "T1583 - Acquire Infrastructure"
},
{
"id": "T1113",
"name": "Screen Capture",
"display_name": "T1113 - Screen Capture"
},
{
"id": "T1140",
"name": "Deobfuscate/Decode Files or Information",
"display_name": "T1140 - Deobfuscate/Decode Files or Information"
},
{
"id": "T1053",
"name": "Scheduled Task/Job",
"display_name": "T1053 - Scheduled Task/Job"
},
{
"id": "T1055",
"name": "Process Injection",
"display_name": "T1055 - Process Injection"
},
{
"id": "T1082",
"name": "System Information Discovery",
"display_name": "T1082 - System Information Discovery"
},
{
"id": "T1112",
"name": "Modify Registry",
"display_name": "T1112 - Modify Registry"
},
{
"id": "T1129",
"name": "Shared Modules",
"display_name": "T1129 - Shared Modules"
},
{
"id": "T1143",
"name": "Hidden Window",
"display_name": "T1143 - Hidden Window"
},
{
"id": "T1003.008",
"name": "/etc/passwd and /etc/shadow",
"display_name": "T1003.008 - /etc/passwd and /etc/shadow"
},
{
"id": "T1110.002",
"name": "Password Cracking",
"display_name": "T1110.002 - Password Cracking"
}
],
"industries": [],
"TLP": "white",
"cloned_from": null,
"export_count": 40,
"upvotes_count": 0,
"downvotes_count": 0,
"votes_count": 0,
"locked": false,
"pulse_source": "web",
"validator_count": 0,
"comment_count": 0,
"follower_count": 0,
"vote": 0,
"author": {
"username": "Q.Vashti",
"id": "337942",
"avatar_url": "https://otx.alienvault.com/assets/images/default-avatar.png",
"is_subscribed": false,
"is_following": false
},
"indicator_type_counts": {
"domain": 6232,
"URL": 24908,
"hostname": 7993,
"FileHash-SHA256": 11128,
"email": 6,
"FileHash-MD5": 1054,
"FileHash-SHA1": 932,
"SSLCertFingerprint": 14,
"CIDR": 3,
"CVE": 3
},
"indicator_count": 52273,
"is_author": false,
"is_subscribing": null,
"subscriber_count": 146,
"modified_text": "207 days ago ",
"is_modified": true,
"groups": [],
"in_group": false,
"threat_hunter_scannable": true,
"threat_hunter_has_agents": 1,
"related_indicator_type": "domain",
"related_indicator_is_active": 1
},
{
"id": "68596260a9ca6c4cc92ca068",
"name": "Delete service | Affects Threat Research Platforms",
"description": "Delete service attacking threat researchers platforms. Deletes , blocks, scrambles , attaches to accounts like an overlord monitoring and deletion of Io\u2019s across various platforms. \n\nIDS Rules: PROTOCOL-ICMP PATH MTU denial of service attempt\n\u2022 PROTOCOL-ICMP Destination Unreachable Fragmentation Needed and DF bit was set\n\u2022 Matches rule PROTOCOL-ICMP Echo Reply\nInteresting: TLS: SNI: slscr.update.microsoft.com\nSNI: nexusrules.officeapps.live.com\nSNI: login.live.com\nSNI: client.wns.windows.com",
"modified": "2025-08-20T04:13:22.641000",
"created": "2025-06-23T14:19:12.328000",
"tags": [
"ta0004 defense",
"evasion ta0005",
"command",
"control ta0011",
"oc0006",
"get http",
"resolved ips",
"dns resolutions",
"request",
"response",
"windows nt",
"win64",
"khtml",
"gecko",
"ip address",
"country name",
"cname",
"port",
"accept",
"gmt ifnonematch",
"url data",
"icmp",
"mutexes nothing",
"data",
"datacrashpad",
"edge",
"created",
"nothing",
"html internet",
"html document",
"ascii text",
"gtmkvjvztk dl"
],
"references": [],
"public": 1,
"adversary": "",
"targeted_countries": [],
"malware_families": [],
"attack_ids": [
{
"id": "T1027",
"name": "Obfuscated Files or Information",
"display_name": "T1027 - Obfuscated Files or Information"
}
],
"industries": [],
"TLP": "green",
"cloned_from": null,
"export_count": 17,
"upvotes_count": 0,
"downvotes_count": 0,
"votes_count": 0,
"locked": false,
"pulse_source": "web",
"validator_count": 0,
"comment_count": 0,
"follower_count": 0,
"vote": 0,
"author": {
"username": "Q.Vashti",
"id": "337942",
"avatar_url": "https://otx.alienvault.com/assets/images/default-avatar.png",
"is_subscribed": false,
"is_following": false
},
"indicator_type_counts": {
"hostname": 2401,
"URL": 5856,
"FileHash-SHA256": 3473,
"domain": 2188,
"FileHash-MD5": 123,
"FileHash-SHA1": 120,
"CVE": 2
},
"indicator_count": 14163,
"is_author": false,
"is_subscribing": null,
"subscriber_count": 141,
"modified_text": "242 days ago ",
"is_modified": true,
"groups": [],
"in_group": false,
"threat_hunter_scannable": true,
"threat_hunter_has_agents": 1,
"related_indicator_type": "domain",
"related_indicator_is_active": 1
},
{
"id": "6875e98438889e51b3fdd18f",
"name": "Critical \u2022 Schedule system process - Mirai | Foundry Overwatch",
"description": "",
"modified": "2025-08-14T05:04:16.839000",
"created": "2025-07-15T05:39:16.652000",
"tags": [
"win32 exe",
"country",
"include review",
"exclude",
"defense evasion",
"access ta0006",
"command",
"control ta0011",
"impact ta0040",
"impact ob0008",
"file system",
"system oc0008",
"match unknown",
"adversaries",
"match info",
"info",
"execution flow",
"t1574 dll",
"tries",
"registry",
"modify system",
"process t1543",
"unknown",
"window",
"ob0009 install",
"ob0012 install",
"insecure",
"b0047 modify",
"registry e1112",
"hidden files",
"registry run",
"keys",
"startup folder",
"f0012 file",
"critical",
"united",
"as15169",
"delete c",
"as16509",
"show",
"search",
"intel",
"ms windows",
"entries",
"medium",
"worm",
"copy",
"write",
"explorer",
"malware",
"next",
"present jul",
"status",
"date",
"ip address",
"domain",
"servers",
"showing",
"unknown ns",
"related pulses",
"pulses",
"tags",
"related tags",
"more file",
"type",
"date april",
"am size",
"sha1 sha256",
"as14618",
"united kingdom",
"as54113",
"as15133 verizon",
"top source",
"top destination",
"status domain",
"ip whitelisted",
"whitelisted",
"tcp include",
"source source",
"oamazon",
"cnamazon rsa",
"odigicert inc",
"sweden as20940",
"as20940",
"entries tls",
"ip destination",
"encrypt",
"aaaa",
"found",
"certificate",
"next associated",
"urls show",
"date checked",
"error",
"windows",
"high",
"yara detections",
"installs",
"checks",
"filehash",
"sha256 add",
"themida",
"data upload",
"extraction",
"md5 add",
"av detections",
"ids detections",
"alerts",
"analysis date",
"file score",
"win32",
"ddos",
"passive dns",
"activity",
"checkin",
"win64",
"mtb jan",
"lowfi",
"trojan",
"ransom",
"trojandropper",
"yara",
"nsis",
"nss bv",
"su data",
"windo alerts",
"andariel",
"malware traffic",
"nids",
"icmp traffic",
"dns query",
"id deadhost",
"connects",
"andariel high",
"richhash",
"external",
"virustotal api",
"screenshots",
"failed",
"auurtonany data",
"themida andarie",
"present may",
"japan unknown",
"unknown cname",
"domain add",
"urls",
"files",
"http headers",
"msie",
"windows nt",
"tcp syn",
"resolverror",
"externalport",
"internalport",
"wget command",
"devices home",
"execution",
"foundry",
"home networks",
"mirai",
"x.com",
"porn",
"monitored target",
"d link",
"targets"
],
"references": [
"TJprojMain.exe {79c7303a1a49b85569245a8ca1c1a26be720387845af9391fa1e4677308bd6b6}",
"Crowdsourced Signa: Schedule system process by Joe Security",
"Sigma \u2022 Suspicious Process Masquerading As SvcHost.EXE by Swachchhanda Shrawan Poudel",
"Sigma \u2022 System File Execution Location Anomaly by Florian Roth (Nextron Systems), Patrick Bareiss, Anton Kutepov, oscd.community, Nasreddine Bencherchali (Nextron Systems)",
"Yara \u2022 NSIS from ruleset NSIS by kevoreilly",
"Yara \u2022 rule SUSP_Imphash_Mar23_2 from ruleset gen_imphash_detection by Arnim Rupp (https://github.com/ruppde)",
"Yara \u2022 Windows_Generic_Threat_7526f106 from ruleset Windows_Generic_Threat by Elastic Security",
"Alerts: persistence_autorun \u2022 persistence_autorun_tasks stealth_hiddenreg \u2022 suspicious_command",
"IDS : Observed Cloudflare DNS over HTTPS Domain (cloudflare-dns .com in TLS SNI",
"Mirai - ]1.0.0.0 - Unix.Trojan.Mirai-6981169-0",
"*Themida_2xx. Oreans,Technologies",
"*Andariel Backdoor Activity (Checkin)",
"Alert: dead_host nids_malware_alert network_icmp nolookup_communication",
"IDS: WGET Command Specifying Output in HTTP Headers",
"IDS: D-Link Devices Home Network Administration Protocol Command Execution",
"foundry2-lbl.dvr.dn2.n-helix.com \u2022 http://foundry2sdbl.dvr.dn2.n-helix.com \u2022 https://foundry2sdbl",
"https://xn--72c9abh1f8ad1lzc.com/video_tag/pornthai/ \u2022 https://ro.theskinnyfoodco.com/en-fr/blogs/recipes/pornstar-martini-recipe \u2022 m.pornsexer.xxx.3.1.adiosfil.roksit.net",
"x.com \u2022 nr-data.net \u2022 apple.k8s.joewa.com",
"http://apple.cc.lvlid.com/ \u2022 http://apple.cc.lvlid.com/ios/ \u2022 http://www.apple.cc.lvlid.com/ios",
"Devices remotely connected, tracked , monitored"
],
"public": 1,
"adversary": "",
"targeted_countries": [
"United States of America"
],
"malware_families": [
{
"id": "Worm:Win32/Mofksys.RND!MTB",
"display_name": "Worm:Win32/Mofksys.RND!MTB",
"target": "/malware/Worm:Win32/Mofksys.RND!MTB"
},
{
"id": "Unix.Trojan.Mirai-6981169-0",
"display_name": "Unix.Trojan.Mirai-6981169-0",
"target": null
},
{
"id": "Win.Malware.Ursu-9856871-0",
"display_name": "Win.Malware.Ursu-9856871-0",
"target": null
},
{
"id": "ELF:DDoS-Y\\ [Trj]",
"display_name": "ELF:DDoS-Y\\ [Trj]",
"target": null
}
],
"attack_ids": [
{
"id": "T1010",
"name": "Application Window Discovery",
"display_name": "T1010 - Application Window Discovery"
},
{
"id": "T1027",
"name": "Obfuscated Files or Information",
"display_name": "T1027 - Obfuscated Files or Information"
},
{
"id": "T1036",
"name": "Masquerading",
"display_name": "T1036 - Masquerading"
},
{
"id": "T1055",
"name": "Process Injection",
"display_name": "T1055 - Process Injection"
},
{
"id": "T1056",
"name": "Input Capture",
"display_name": "T1056 - Input Capture"
},
{
"id": "T1057",
"name": "Process Discovery",
"display_name": "T1057 - Process Discovery"
},
{
"id": "T1070",
"name": "Indicator Removal on Host",
"display_name": "T1070 - Indicator Removal on Host"
},
{
"id": "T1071",
"name": "Application Layer Protocol",
"display_name": "T1071 - Application Layer Protocol"
},
{
"id": "T1082",
"name": "System Information Discovery",
"display_name": "T1082 - System Information Discovery"
},
{
"id": "T1083",
"name": "File and Directory Discovery",
"display_name": "T1083 - File and Directory Discovery"
},
{
"id": "T1112",
"name": "Modify Registry",
"display_name": "T1112 - Modify Registry"
},
{
"id": "T1129",
"name": "Shared Modules",
"display_name": "T1129 - Shared Modules"
},
{
"id": "T1134",
"name": "Access Token Manipulation",
"display_name": "T1134 - Access Token Manipulation"
},
{
"id": "T1485",
"name": "Data Destruction",
"display_name": "T1485 - Data Destruction"
},
{
"id": "T1497",
"name": "Virtualization/Sandbox Evasion",
"display_name": "T1497 - Virtualization/Sandbox Evasion"
},
{
"id": "T1543",
"name": "Create or Modify System Process",
"display_name": "T1543 - Create or Modify System Process"
},
{
"id": "T1547",
"name": "Boot or Logon Autostart Execution",
"display_name": "T1547 - Boot or Logon Autostart Execution"
},
{
"id": "T1562",
"name": "Impair Defenses",
"display_name": "T1562 - Impair Defenses"
},
{
"id": "T1564",
"name": "Hide Artifacts",
"display_name": "T1564 - Hide Artifacts"
},
{
"id": "T1574",
"name": "Hijack Execution Flow",
"display_name": "T1574 - Hijack Execution Flow"
},
{
"id": "T1060",
"name": "Registry Run Keys / Startup Folder",
"display_name": "T1060 - Registry Run Keys / Startup Folder"
},
{
"id": "T1512",
"name": "Capture Camera",
"display_name": "T1512 - Capture Camera"
},
{
"id": "T1125",
"name": "Video Capture",
"display_name": "T1125 - Video Capture"
},
{
"id": "T1449",
"name": "Exploit SS7 to Redirect Phone Calls/SMS",
"display_name": "T1449 - Exploit SS7 to Redirect Phone Calls/SMS"
}
],
"industries": [
"Healthcare",
"Technology"
],
"TLP": "white",
"cloned_from": null,
"export_count": 23,
"upvotes_count": 0,
"downvotes_count": 0,
"votes_count": 0,
"locked": false,
"pulse_source": "web",
"validator_count": 0,
"comment_count": 0,
"follower_count": 0,
"vote": 0,
"author": {
"username": "Q.Vashti",
"id": "337942",
"avatar_url": "https://otx.alienvault.com/assets/images/default-avatar.png",
"is_subscribed": false,
"is_following": false
},
"indicator_type_counts": {
"FileHash-MD5": 448,
"FileHash-SHA1": 435,
"FileHash-SHA256": 5851,
"hostname": 2580,
"domain": 1176,
"URL": 7133,
"SSLCertFingerprint": 30,
"email": 3,
"CVE": 3
},
"indicator_count": 17659,
"is_author": false,
"is_subscribing": null,
"subscriber_count": 140,
"modified_text": "248 days ago ",
"is_modified": true,
"groups": [],
"in_group": false,
"threat_hunter_scannable": true,
"threat_hunter_has_agents": 1,
"related_indicator_type": "domain",
"related_indicator_is_active": 1
},
{
"id": "65709bc4438a1753418f260b",
"name": "hy shit f\u00a5k - v2 shit tons - dns64.dns.google from https://dns.google/static/b8536c37/shared.css",
"description": "",
"modified": "2023-12-06T16:05:24.205000",
"created": "2023-12-06T16:05:24.205000",
"tags": [],
"references": [],
"public": 1,
"adversary": "",
"targeted_countries": [],
"malware_families": [],
"attack_ids": [],
"industries": [],
"TLP": "green",
"cloned_from": null,
"export_count": 3,
"upvotes_count": 0,
"downvotes_count": 0,
"votes_count": 0,
"locked": false,
"pulse_source": "api",
"validator_count": 0,
"comment_count": 0,
"follower_count": 0,
"vote": 0,
"author": {
"username": "StreamMiningEx",
"id": "262917",
"avatar_url": "https://otx.alienvault.com/assets/images/default-avatar.png",
"is_subscribed": false,
"is_following": false
},
"indicator_type_counts": {
"CVE": 2,
"FileHash-SHA256": 1755,
"domain": 278,
"hostname": 526,
"URL": 1421,
"FileHash-MD5": 132,
"FileHash-SHA1": 120
},
"indicator_count": 4234,
"is_author": false,
"is_subscribing": null,
"subscriber_count": 109,
"modified_text": "864 days ago ",
"is_modified": false,
"groups": [],
"in_group": false,
"threat_hunter_scannable": true,
"threat_hunter_has_agents": 1,
"related_indicator_type": "domain",
"related_indicator_is_active": 1
},
{
"id": "65709bbea0b2ddff21923db6",
"name": "hy shit f\u00a5k - v2 shit tons - dns64.dns.google from https://dns.google/static/b8536c37/shared.css",
"description": "",
"modified": "2023-12-06T16:05:18.721000",
"created": "2023-12-06T16:05:18.721000",
"tags": [],
"references": [],
"public": 1,
"adversary": "",
"targeted_countries": [],
"malware_families": [],
"attack_ids": [],
"industries": [],
"TLP": "green",
"cloned_from": null,
"export_count": 3,
"upvotes_count": 0,
"downvotes_count": 0,
"votes_count": 0,
"locked": false,
"pulse_source": "api",
"validator_count": 0,
"comment_count": 0,
"follower_count": 0,
"vote": 0,
"author": {
"username": "StreamMiningEx",
"id": "262917",
"avatar_url": "https://otx.alienvault.com/assets/images/default-avatar.png",
"is_subscribed": false,
"is_following": false
},
"indicator_type_counts": {
"CVE": 2,
"FileHash-SHA256": 1755,
"domain": 278,
"hostname": 524,
"URL": 1421,
"FileHash-MD5": 132,
"FileHash-SHA1": 120
},
"indicator_count": 4232,
"is_author": false,
"is_subscribing": null,
"subscriber_count": 110,
"modified_text": "864 days ago ",
"is_modified": false,
"groups": [],
"in_group": false,
"threat_hunter_scannable": true,
"threat_hunter_has_agents": 1,
"related_indicator_type": "domain",
"related_indicator_is_active": 1
},
{
"id": "6472cc115ebe9600642978a9",
"name": "hy shit f\u00a5k - v2 shit tons - dns64.dns.google from https://dns.google/static/b8536c37/shared.css",
"description": "",
"modified": "2023-06-27T00:02:03.848000",
"created": "2023-05-28T03:35:45.318000",
"tags": [
"https://dns.google/static/b8536c37/shared.css"
],
"references": [],
"public": 1,
"adversary": "",
"targeted_countries": [],
"malware_families": [],
"attack_ids": [],
"industries": [],
"TLP": "white",
"cloned_from": null,
"export_count": 14,
"upvotes_count": 0,
"downvotes_count": 0,
"votes_count": 0,
"locked": false,
"pulse_source": "web",
"validator_count": 0,
"comment_count": 0,
"follower_count": 0,
"vote": 0,
"author": {
"username": "callmeDoris",
"id": "205385",
"avatar_url": "https://otx.alienvault.com/assets/images/default-avatar.png",
"is_subscribed": false,
"is_following": false
},
"indicator_type_counts": {
"URL": 1421,
"hostname": 524,
"FileHash-SHA256": 1755,
"CVE": 2,
"domain": 278,
"FileHash-MD5": 132,
"FileHash-SHA1": 120
},
"indicator_count": 4232,
"is_author": false,
"is_subscribing": null,
"subscriber_count": 93,
"modified_text": "1027 days ago ",
"is_modified": true,
"groups": [],
"in_group": false,
"threat_hunter_scannable": true,
"threat_hunter_has_agents": 1,
"related_indicator_type": "domain",
"related_indicator_is_active": 1
},
{
"id": "6472cc14f04d35ad75c4dcb6",
"name": "hy shit f\u00a5k - v2 shit tons - dns64.dns.google from https://dns.google/static/b8536c37/shared.css",
"description": "",
"modified": "2023-06-27T00:02:03.848000",
"created": "2023-05-28T03:35:48.298000",
"tags": [
"https://dns.google/static/b8536c37/shared.css"
],
"references": [],
"public": 1,
"adversary": "",
"targeted_countries": [],
"malware_families": [],
"attack_ids": [],
"industries": [],
"TLP": "white",
"cloned_from": null,
"export_count": 18,
"upvotes_count": 0,
"downvotes_count": 0,
"votes_count": 0,
"locked": false,
"pulse_source": "web",
"validator_count": 0,
"comment_count": 0,
"follower_count": 0,
"vote": 0,
"author": {
"username": "callmeDoris",
"id": "205385",
"avatar_url": "https://otx.alienvault.com/assets/images/default-avatar.png",
"is_subscribed": false,
"is_following": false
},
"indicator_type_counts": {
"URL": 1421,
"hostname": 526,
"FileHash-SHA256": 1755,
"CVE": 2,
"domain": 278,
"FileHash-MD5": 132,
"FileHash-SHA1": 120
},
"indicator_count": 4234,
"is_author": false,
"is_subscribing": null,
"subscriber_count": 93,
"modified_text": "1027 days ago ",
"is_modified": true,
"groups": [],
"in_group": false,
"threat_hunter_scannable": true,
"threat_hunter_has_agents": 1,
"related_indicator_type": "domain",
"related_indicator_is_active": 1
}
],
"references": [
"https://urlscan.io/screenshots/e931bb02-80dc-46db-92f0-43d5afa258be.png",
"165.206.254.134 \u2022 Description: CC=US ASN=AS6122",
"https://hybrid-analysis.com/sample/ec4a41028de0fb099e6f14c8507ba98d2215872688a955db015ca2dafc2baa3d/694d9e6a07ba5e76e203a672",
"com.iobit.MacBooster-3",
"Bethseda Map - High Priority Alerts: antiemu_wine banker_zeus_p2p",
"TrojanWin32Scoreem - CodeOverlap [616fc7047d6216f7a604fa90f2f2dd0ad5b12f1153137e43858d3421ba964ea4]",
"Sigma \u2022 System File Execution Location Anomaly by Florian Roth (Nextron Systems), Patrick Bareiss, Anton Kutepov, oscd.community, Nasreddine Bencherchali (Nextron Systems)",
"sa.www4.irs.gov \u2022 sa1.www4.irs.gov \u2022 sa2.www4.irs.gov \u2022 apps.irs.gov \u2022 freetaxassistance.for.irs.gov \u2022 home.treasury.gov \u2022",
"IDS Detections: Win32.Floxif.A Checkin TLS Handshake Failure 403 Forbidden",
"Tsara never knew defense attorney fought & closed her worker\u2019s compensation claim",
"I am unable to reach Level Blue regarding issues. Mailer Daemon only",
"https://wallpapers-nature.com/%20tsara-brashears/urlscan-io\t- Adult Content",
"http://sissy.com/default.php?qry=xinb0NVH3vxGQfarWy4r54j5FWwjyNsIfAXqPpjmSCTYnrY20orAEt5QcaKNVYpHM3.AFndEsyGlSb_SXAGpMTdue0rkjANJ3fQ0wH3yzmI9qKCDJp39iCno_V.ci7VYf_I4t_Y2ibuGhE_rlOAs3FGeaahClLHQmyX30MRH5AfpY6B5N9LDoau6dxnMaf3qGZEX_xCRYTdVAigxUMX2qRyl16DvSb9DohTpdet4E_v0QjzIjDwGGS4PYEDpjmzIeKlCSItsv09pHL84QDb6V_fvuFw0jX8tfoI8VQmpnaeudPhO0nDmV3c5G7HjNNcF&tgt=NO+TOKEN&searchKey=free+porn&wp=1&skp=3_2402 - Adult Content IP",
"talos-staging.palantirfoundry.com \u2022 tylertechai.com \u2022 Palantir Technologies Inc.\u2022 palantirfoundry.com",
"IDS : Observed Cloudflare DNS over HTTPS Domain (cloudflare-dns .com in TLS SNI",
"asp.bet",
"applefilmmaker.com \u2022 appleid.com \u2022 appleiservices.com",
"https://download.mobiledit.com/drivers/setup_cdd_apple_1_0_10_0.exe",
"Yara Detections: Malware_Floxif_mpsvc_dll , stack_string , MS_Visual_Cpp_2008 ,",
"http://www.anyxxxtube.net/search-porn/tsara-brashears-denies-jeffrey-scott-reimer-sex\t- Adult Content",
"Alerts: persistence_autorun \u2022 persistence_autorun_tasks stealth_hiddenreg \u2022 suspicious_command",
"On same block with HalkRender. Has close working relationship. All Palantir legal enities",
"A user StreamMiningEx copied pulses: octoseek, scoreblue, KAILULA4, callmeDoris , dorkingbeauty1 and more",
"64.38.232.180 - Adult Content IP",
"About pulse, found in peripheral.",
"154.35.132.70\t\u2022 Description: CC=US ASN=AS14987 rethem hosting llc",
"(Can't access file- Malware infection files)",
"There are serious researchers on here for a short time hoping to resolve serious cyber issues",
"Treece Alfrey Musat P.C. Attorneys at Law Christopher P. Ahmann | https://TamLegal.com",
"He must be very scary like Peter Theil because every attorney took case then backed off.",
"widget-va.tiktokv.com.ttdns2.com \u2022 http://widget-i18n.tiktokv.com.ttdns2.com/",
"https://www.anyxxxtube.net/search-porn/tsara-brashears/",
"https://malbeacon.com/",
"Interesting Strings: https://pro-api.coinmarketcap.com/v2/cryptocurrency/quotes/historical",
"https://www.filescan.io/uploads/690baf5e85b61a93a738d0d5/reports/ecaf45a2-956f-4d4e-8ebd-00813d966614/ioc",
"Information gathered equals 2 pulses. Pulse (1) included",
"An earlier version contacted entities affected or affecting targets.",
"http://link.monetizer101.com/widget/custom-2.0.3/js/load.min.js \u2022",
"Reporting is an expected protocol. Is this more of a \u2018bounty\u2019 focused, a honeypot?",
"https://hybrid-analysis.com/sample/d9a2ab3260e7202336bef383bd97b323c616e0857623a30339ef285058a16ca3",
"https://www.anyxxxtube.net/search-porn/a-m-c-ate-xxx-videos/ - Adult Content",
"I\u2019ve looked through the settlement docs, injuries caused by Jeffrey Scott Reiner DPT omitted.",
"http://www.onlinesexmags.com/members/gent/current/ - Adult Content IP",
"This God smacked penguin ordered a settlement hearing with less than 24 hours notice for claimant.",
"78.46.218.253 \u2022 Description: CC=DE ASN=AS24940 hetzner online gmbh",
"prod.foundry.tylertechai.com \u2022 qa.foundry.tylertechai.com \u2022 staging.foundry.tylertechai.com \u2022",
"On behalf of pcfrpegaservice.net owner Name Servers\tNS-1477.AWSDNS-56.ORG Org\tIdentity Protection Service",
"I did not clone my pulse to read Bit.io",
"http://link.monetizer101.com/widget/custom-2.0.2/templates/1",
"Bethseda Map - High Priority Alerts: ransomware_file_moves ransomware_appends_extensions",
"207.75.164.210 \u2022 Description: CC=US ASN=AS237 merit network",
"Victims have lost financial assets, jobs, vehicles",
"https://widget-i18n.tiktokv.com.ttdns2.com/ \u2022 https://stella.demand-iq.com/widget",
"Issue! Team member found CVE-2023-22518 have origins from the State of Colorado",
"I typically follow targets who have truly dangerous situations who no longer pulse.",
"https://eliyporasa.life/uelbu/5/151504-harleyxwest-porn - Adult Content",
"205.181.242.243 \u2022 Description: CC=US ASN=AS3738 state street bank and trust company",
"Doing any evil thing for mone does not compute for me.",
"https://wallpapers-nature.com/tsara-brashears/urlscan-io - Adult Content",
"I can\u2019t help but notice a trend. IoC\u2019s found by actual targets are removed from pulses. Recent users are listed in place",
"Yara Detections: Armadillov171",
"sentient.industries affects independent artists. Affects several others.",
"Brian Sabey, Tulach, other adversaries working illegally to remove IoC\u2019s",
"https://wallpapers-nature.com/ tsara-brashears/urlscan-io\t- Adult Content",
"http://sissy.com/default - Adult Content",
"https://www.virustotal.com/graph/embed/ge8fc36dfbe1c48cab7c6efb0398cc30cb5aaebda2bf24123bb6a282436cc5bab?theme=dark",
"https://hybrid-analysis.com/sample/30df68083e80263898ac56e2ef458811cec5fa73b92ad60f14b96ce676a11495",
"https://vtbehaviour.commondatastorage.googleapis.com/2566a2924072ac9821eb7ecde8bedf7197ceb09d99cd17ff48864a2323546bf9_VirusTotal%20Jujubox.html?GoogleAccessId=758681729565-rc7fgq07icj8c9dm2gi34a4cckv235v1@developer.gserviceaccount.com&Expires=1775715951&Signature=XmRkiqq6Fjiq21rddntr3oHg%2BIPR1SrVwk6v5ZZ%2FJ4PkIpl7sqX1DjtJMGHoYvndxGmCeSCYQ08LS9hYRAWXupAhPzRcTkFcmq6KY%2FyMoab3l0SDixcrT9tLxB4iEobBJOzX0Fb%2B8QDyAbyjsuoKSMNCQC0CrVZyT7X54GsN93BU0FXiJWIIluOisGnjwoqL3rdMF8%2BPEJgkcUJTOIuIRaX57nsrXAMIv7dbn9BGZFDXH0",
"Alerts: modifies_proxy_wpad antivm_vmware_in_instruction dumped_buffer",
"http://usw2.apple.com/ \u2022 https://itunes.apple.com/app/apple-store/id284815942/us/app/samsung-galaxy-watch-gear-s/id1117310635",
"ThreatZone - Malicious",
"Monitored targets. Tsara Brashears, UAlberta (disable_duck) seen",
"Patiently waiting to see what God is going to do to all of you. You take lives for $",
"Remotewd.com devices",
"http://www.italianporn.com/ \u2022 italianporn.com - Adult Content IP",
"132.3.48.38 \u2022 Description: CC=US ASN=AS721 dod network information center",
"195.128.76.205 \u2022 Description: CC=RU ASN=AS8470 jsc macomnet",
"Disturbed pulses of mercenary attacks S/A NSO Pegasus NOT reported to CISA or Citizens Lab.",
"Stop! A woman was assaulted carved up, lived with a swollen brain , maltreatment , stalkers , hitmen?",
"https://forensic.manuals.mobiledit.com/MM/how-to-install-correct-apple-drivers",
"https://www.anyxxxtube.net/search-porn/tsara-brashears/\tphishing - Adult Content",
"prod-lt-playstoregatewayadapter-pa.googleapis.com \u2022 redirector.gvt1.com \u2022 torexit.net-137.ampr.org",
"Bethseda Map - Yara Detections Delphi , InnoSetupInstaller",
"He began a smear campaign immediately and is directly linked to Hall Render and Palantir",
"I liked the tool. There is something strange happening with the pulses & IoC\u2019s",
"www.anyxxxtube.net - Adult Content IP",
"95.211.7.168 \u2022Description: CC=NL ASN=AS60781 leaseweb netherlands b.v.",
"https://vtbehaviour.commondatastorage.googleapis.com/2566a2924072ac9821eb7ecde8bedf7197ceb09d99cd17ff48864a2323546bf9_Zenbox.html?GoogleAccessId=758681729565-rc7fgq07icj8c9dm2gi34a4cckv235v1@developer.gserviceaccount.com&Expires=1775715909&Signature=gpI0cV%2Bz5SujLXqKc%2FMViiMPztLVAF6Rp00wpW3LF4PyrCqLg7GTlahQtBw0v4rtG0E8HaaDkNRYZ6xPc%2BaCuTHHzf0b8HN0%2BOiY%2B%2Bk4Q5eiI%2BJCJiWefs3vtk9u5bFyGQqM4nzF3u1uk2E8d3TKiy09A5K7YNLjbAsewBUu5mmJZsTeErl3nBhQcKu1stwt1ycd78SLCg8fUl3U7DDaqfd3hJbY98lWj8e6NwMu6VxskCRDdSQsdWj2",
"foundry2-lbl.dvr.dn2.n-helix.com \u2022 http://foundry2sdbl.dvr.dn2.n-helix.com \u2022 https://foundry2sdbl",
"Alerts: injection_process_search antivm_network_adapters privilege_luid_check",
"Alert: dead_host nids_malware_alert network_icmp nolookup_communication",
"Yara \u2022 Windows_Generic_Threat_7526f106 from ruleset Windows_Generic_Threat by Elastic Security",
"http://www.anyxxxtube.net/search-porn/ - Adult Content",
"https://forensic.manuals.mobiledit.com/MM/how-to-install-correct-apple-drivers (ASP.NET)",
"It\u2019s not just me. I have contacted from very secured emails, networks, devices",
"Persistent. Is Christopher P. Ahmann, Brian Sabey, State of Colorado",
"So you can order food at fine restaurants , go to the finest places and get the best seats? No. I am earnestly praying Jehovah Sabaoth takes your last breath from all of you with Yawehs mightiest angels leading the way with a changing of guard for every tattle you will lose",
"https://twitter.com/PORNO_SEXYBABES \u2022 girlsdoporn.com",
"httpssa.www4.irs.gov \u2022 jobs.irs.gov \u2022 https://sa.www4.irs.gov/ \u2022 https://sa.www4.irs.gov \u2022 www.directfile.irs.gov \u2022",
"https://xn--72c9abh1f8ad1lzc.com/video_tag/pornthai/ \u2022 https://ro.theskinnyfoodco.com/en-fr/blogs/recipes/pornstar-martini-recipe \u2022 m.pornsexer.xxx.3.1.adiosfil.roksit.net",
"https://www.freeiconspng.com/thumbs/icloud-logo/icloud-drive-mac-mail-cloud-apple-pc-works-c",
"If you find anything interesting please research it.",
"x.com \u2022 nr-data.net \u2022 apple.k8s.joewa.com",
"https://otx.alienvault.com/pulse/694d7d426afd8c1c816ddb9e",
"I can\u2019t speak for behavior of targets. Seems unlikely programs were intentionally installed.",
"192.85.127.130 \u2022 Description: CC=US ASN=AS2173 hewlett-packard company",
"https://hybrid-analysis.com/sample/30df68083e80263898ac56e2ef458811cec5fa73b92ad60f14b96ce676a11495/690baf2999a0659ae9046188",
"I am not cloning pulses belonging to others without crediting. I\u2019m one of a few who credit. This has happened to other team members",
"https://tria.ge/251105-yvvzgssldn",
"https://hybrid-analysis.com/sample/270e6924ee7b824b615813b00654f282accd5c649920f143e4f1c47862de4676",
"Potential reparations: Spyware , Trojan , Pegasus , DNS , Graphite , Paragon , NSO Group , Endgame , Cloudfront",
"This would be sent in an email but \u2026.",
"Sigma \u2022 Suspicious Process Masquerading As SvcHost.EXE by Swachchhanda Shrawan Poudel",
"https://otx.alienvault.com/indicator/cve/CVE-2023-22518",
"TJprojMain.exe {79c7303a1a49b85569245a8ca1c1a26be720387845af9391fa1e4677308bd6b6}",
"80.125.71.115",
"*Themida_2xx. Oreans,Technologies",
"Bethseda Map - High Priority Alerts: dumped_buffer2 antisandbox_mouse_hook",
"Do you slap luxury cologne on your undeserving face paid for by money workers suffered for?",
"https://link.monetizer101.com/widget/code/dailystaruk.js",
"216.252.199.59 \u2022 Description: CC=US ASN=AS31827 biz net technologies",
"Yara \u2022 NSIS from ruleset NSIS by kevoreilly",
"IDS: D-Link Devices Home Network Administration Protocol Command Execution",
"207.75.164.17 \u2022 Description: CC=US ASN=AS237 merit network",
"jamaicansex.com \u2022 onlinesexmags.com \u2022 sexbible.com \u2022 bestsex.com - Adult Content IP",
"jobs.lumen.com \u2022 lumen.com \u2022 msradc.lumen.com \u2022 voip.lumen.com \u2022 www.lumen.com",
"IDS: WGET Command Specifying Output in HTTP Headers",
"Yara \u2022 rule SUSP_Imphash_Mar23_2 from ruleset gen_imphash_detection by Arnim Rupp (https://github.com/ruppde)",
"214.25.9.149 \u2022 Description: CC=US ASN=AS344 dod network information center",
"Devices remotely connected, tracked , monitored",
"http://geometry.ru/articles/blinkovsexcircle.pdf- Adult Content IP",
"Alerts: dead_host network_icmp nolookup_communication persistence_autorun",
"Bethseda Map - High Priority Alerts: ransomware_mass_file_delete antivm_firmware",
"*Andariel Backdoor Activity (Checkin)",
"Absolutely zero regard for the victims who facilitate your luxury lifestyle.",
"https://wallpapers-nature.com/tsara-brashears/tse1-mm-bing-net - Adult Content",
"Issue! Multiple IoC\u2019s missing.",
"Alerts: checks_debugger has_pdb raises_exception",
"Follow up need. This is a serious financial crime following the victims.",
"https://www.pornhub.com/gifs/search?search=tsara+lynn+brashears+lesbian",
"Interesting widgets: https://myid.canon/prd/1.1.30/canonid-assets/gcid-widget.html",
"http://apple.cc.lvlid.com/ \u2022 http://apple.cc.lvlid.com/ios/ \u2022 http://www.apple.cc.lvlid.com/ios",
"https://vtbehaviour.commondatastorage.googleapis.com/2566a2924072ac9821eb7ecde8bedf7197ceb09d99cd17ff48864a2323546bf9_CAPE%20Sandbox.html?GoogleAccessId=758681729565-rc7fgq07icj8c9dm2gi34a4cckv235v1@developer.gserviceaccount.com&Expires=1775715964&Signature=A%2BPIQBCth46RBnI1rK4wnu%2B0XtyUhEdo1TORDahLnR6yM%2BbI8gLsWpjDTmV8aSDFIcFddcr%2BCs9TqMa65j3jNrLz9NcyZekNiDekQlkYCbMCIiYduRDT9nLy485HDee9RRJ3YSbeqJQSjzOXemRKeyL8rg3ml6WTeCly22CrQPLljCwWWUbsQLYOMqu0OADj%2BKEZv%2B5gVOmJsQIBQugE%2F0xSYw1lKowIs5nlYy9Z0hbFUycO",
"http://sa.www4.irs.gov/ola/payment_options/create_long_term_plan \u2022 www4.irs.gov \u2022 www.drupal.org",
"http://45.159.189.105/bot/regex \u2022\u2019 Fake Pinterest \u2022https://pin.it/",
"https://link.monetizer101.com/widget/code/1511.js \u2022 https://link.monetizer101.com/widget/code/mirror.js",
"Researching using an easy powerful tool like this has led to confrontations.",
"Domains Contacted: en.wikipedia.org 5isohu.com www.aieov.com",
"https://eliyporasa - Adult Content",
"I have to breakdown this enormous post over time. I\u2019m going to repost a potential hackers similar post",
"http://www.anyxxxtube.net/search-porn/tsara-brashears - Adult Content",
"Traceback- Man with signal jammer/ deauther working around her today.",
"www.anyxxxtube.net - Adult Content",
"Alerts: network_cnc_http network_http allocates_rwx antisandbox_sleep creates_exe",
"https://hybrid-analysis.com/sample/d9a2ab3260e7202336bef383bd97b323c616e0857623a30339ef285058a16ca3/694d9a33a2febcb826005ed5",
"After an attack a different victim had awe , tax refund seized, Insurance became Medicaid, Was audited by the IRs and there was attempts on life w/ bad outcome",
"You\u2019d kill to have someone else\u2019s lifestyle? May God take you out!",
"https://build.webkit.org/results/Apple-Sequoia-Safer-CPP-Checks/301548@main",
"https://hybrid-analysis.com/sample/ec4a41028de0fb099e6f14c8507ba98d2215872688a955db015ca2dafc2baa3d",
"http://www.iranianporn.com/ \u2022 iranianporn.com - Adult Content",
"IP\u2019s Contacted: 104.200.23.95 174.139.10.194 198.35.26.96",
"Issue! What I am troubled about the s the deletion service that has plagued OTX/ LevelBlue",
"Yara Detections: KERNEL32_DLL_xor_exe_key_197 , xor_0xc5_This_program",
"apple.co \u2022 apple.com \u2022 apple.info \u2022 apple.net",
"Bethseda Map - High Priority Alerts: modifies_certificates ransomware_dropped_files",
"constellation.pcfrpegaservice.net (Pegasus related? idk)",
"When your pulse says contacted, who is contacted besides OTX?",
"Mirai - ]1.0.0.0 - Unix.Trojan.Mirai-6981169-0",
"https://www.anyxxxtube.net/video/2241/big-titted-sexy-chick-august-ames/ - Adult Content IP",
"Crowdsourced Signa: Schedule system process by Joe Security",
"Email: chads@ualberta[.]ca",
"https://link.monetizer101.com/widget/code/595.js \u2022 https://link.monetizer101.com/widget/code/1343.js",
"Affects : Kailula4 , scnrscnr, SongCulture, Tsara Brashears & associated, ScrnrScrnr , dorkingbeauty"
],
"related": {
"alienvault": {
"adversary": [],
"malware_families": [],
"industries": []
},
"other": {
"adversary": [],
"malware_families": [
"Xanfpezes.a",
"Cve-2023-22518",
"Meredrop",
"Dotnet",
"#lowfidetectsvmware",
"Win.trojan.bulz-9860169-0",
"Win.malware.unsafe",
"Trojan:win32/toga",
"Autorun",
"Win.trojan.fakecodecs-119",
"#lowfienabledtcontinueafterunpacking",
"Win.malware.lazy",
"Win.trojan.fenomengame-8",
"Trojan:win32/zombie.a",
"Script exploit",
"Tulach",
"Pws",
"Unix.trojan.gafgyt-6981154-0",
"Exploit:win32/cve-2017-0147",
"Custom malware",
"Alf:jasyp:trojan:win32/adialer",
"Trojan:win32/generic",
"Win32/nemucod",
"Expiro",
"Ransom:win32/cve-2017-0147",
"Trojan:win32/glupteba.mt!mtb",
"Alf:heraklezeval:trojandownloader:html/adodb!rfn",
"#lowfi:hstr:msil/malicious.decryption",
"E5",
"Win.malware.kolab-9885903-0",
"Mydoom",
"Alf:jasyp:trojan:win32/ircbot!atmn",
"Juko",
"Win.trojan.jorik-130",
"Pandex!gen1",
"Trojandropper:win32/muldrop",
"Trojan:win32/zbot.sibl!mtb",
"Win32:downloader-gjk\\ [trj]",
"Win.packed.razy-9785185-0",
"Win.malware.msilperseus-6989564-0",
"Pathwiper",
"Lumen ip",
"Mirai",
"Win.malware (30)",
"Elf:ddos-s\\ [trj]",
"Elf:ddos-y\\ [trj]",
"Trojan:win32/qshell",
"Alf:jasyp:pua:win32/bibado",
"Alf:hstr:dotnet",
"Nufs_inno",
"Win.downloader.109205-1",
"Hacktool:win32/autokms",
"Appleservice",
"Win.trojan.generic-9862772-0",
"Unknown malware \u2018can't access file\u2019",
"Win.malware.midie-6847892-0",
"Ransom:win32/gojdue",
"Trojan:win32/blihan.a",
"Worm:win32/autorun!atmn",
"Win.trojan.fenomengame-14",
"Trojandropper:win32/muldrop.v!mtb",
"Alf:heraklezeval:trojan:win32/ymacco.aa47",
"Win.malware.qshell-9875653-0",
"Virtool:msil/cryptinject.ya!mtb",
"Ddos:win32/stormser.a",
"Trojan:win32/gandcrab",
"Mirai sim swap",
"Win.trojan.shodi",
"Win.malware.ursu-9856871-0",
"Worm:win32/mofksys.rnd!mtb",
"Win.trojan.jorik-149",
"#lowfi:hstr:msil/malicious",
"Ransom",
"Virus:win32/floxif.h",
"Other",
"Hacktool:win64/patcher!msr",
"Et",
"Alf:heraklezeval:trojandownloader:html/adodb",
"Unix.trojan.mirai-6981169-0",
"Win.trojan.ramnit-1847"
],
"industries": [
"Telecommunications",
"Technology",
"Irs",
"Government",
"Financial",
"Legal",
"Education",
"Healthcare"
]
}
}
},
"false_positive": []
},
"geo": {},
"geo_ipapicom": {},
"pulse_count": 15,
"pulses": [
{
"id": "69d747314a8fc4fa30250fe9",
"name": "VirusTotal report\n for program.exe",
"description": " Report date relevance: May 18 2025.",
"modified": "2026-04-09T07:29:31.205000",
"created": "2026-04-09T06:29:05.116000",
"tags": [
"explorer",
"maxime thiebaut",
"files",
"imageendswith",
"windows sccm",
"pe file",
"drops pe",
"sample",
"drops",
"pe32",
"intel",
"ms windows",
"infects",
"found",
"mitre attack",
"persistence",
"info",
"next",
"windows sandbox",
"calls clear",
"users",
"nothing",
"registry keys",
"change",
"mutexes nothing",
"parent pid",
"full path",
"command line",
"files c",
"devicecng c",
"bit locker hijacked",
"illegal one drive cross tenant",
"Esign violation",
"non secure workflow",
"wiper",
"MDMenrollment misuse",
"broken seal",
"pdfkit.net DMV",
"vzwbiz",
"modified after creation non secure workflow",
"Docusign exploited by non secure workflow",
"Human Error/Spyware/Risk+",
"Abobe Exploited by non secure process",
"CaRoot Cert Abuse",
"cryptography unsound"
],
"references": [
"https://vtbehaviour.commondatastorage.googleapis.com/2566a2924072ac9821eb7ecde8bedf7197ceb09d99cd17ff48864a2323546bf9_Zenbox.html?GoogleAccessId=758681729565-rc7fgq07icj8c9dm2gi34a4cckv235v1@developer.gserviceaccount.com&Expires=1775715909&Signature=gpI0cV%2Bz5SujLXqKc%2FMViiMPztLVAF6Rp00wpW3LF4PyrCqLg7GTlahQtBw0v4rtG0E8HaaDkNRYZ6xPc%2BaCuTHHzf0b8HN0%2BOiY%2B%2Bk4Q5eiI%2BJCJiWefs3vtk9u5bFyGQqM4nzF3u1uk2E8d3TKiy09A5K7YNLjbAsewBUu5mmJZsTeErl3nBhQcKu1stwt1ycd78SLCg8fUl3U7DDaqfd3hJbY98lWj8e6NwMu6VxskCRDdSQsdWj2",
"https://vtbehaviour.commondatastorage.googleapis.com/2566a2924072ac9821eb7ecde8bedf7197ceb09d99cd17ff48864a2323546bf9_VirusTotal%20Jujubox.html?GoogleAccessId=758681729565-rc7fgq07icj8c9dm2gi34a4cckv235v1@developer.gserviceaccount.com&Expires=1775715951&Signature=XmRkiqq6Fjiq21rddntr3oHg%2BIPR1SrVwk6v5ZZ%2FJ4PkIpl7sqX1DjtJMGHoYvndxGmCeSCYQ08LS9hYRAWXupAhPzRcTkFcmq6KY%2FyMoab3l0SDixcrT9tLxB4iEobBJOzX0Fb%2B8QDyAbyjsuoKSMNCQC0CrVZyT7X54GsN93BU0FXiJWIIluOisGnjwoqL3rdMF8%2BPEJgkcUJTOIuIRaX57nsrXAMIv7dbn9BGZFDXH0",
"https://vtbehaviour.commondatastorage.googleapis.com/2566a2924072ac9821eb7ecde8bedf7197ceb09d99cd17ff48864a2323546bf9_CAPE%20Sandbox.html?GoogleAccessId=758681729565-rc7fgq07icj8c9dm2gi34a4cckv235v1@developer.gserviceaccount.com&Expires=1775715964&Signature=A%2BPIQBCth46RBnI1rK4wnu%2B0XtyUhEdo1TORDahLnR6yM%2BbI8gLsWpjDTmV8aSDFIcFddcr%2BCs9TqMa65j3jNrLz9NcyZekNiDekQlkYCbMCIiYduRDT9nLy485HDee9RRJ3YSbeqJQSjzOXemRKeyL8rg3ml6WTeCly22CrQPLljCwWWUbsQLYOMqu0OADj%2BKEZv%2B5gVOmJsQIBQugE%2F0xSYw1lKowIs5nlYy9Z0hbFUycO"
],
"public": 1,
"adversary": "",
"targeted_countries": [],
"malware_families": [
{
"id": "PathWiper",
"display_name": "PathWiper",
"target": null
}
],
"attack_ids": [
{
"id": "T1027",
"name": "Obfuscated Files or Information",
"display_name": "T1027 - Obfuscated Files or Information"
},
{
"id": "T1036",
"name": "Masquerading",
"display_name": "T1036 - Masquerading"
},
{
"id": "T1059",
"name": "Command and Scripting Interpreter",
"display_name": "T1059 - Command and Scripting Interpreter"
},
{
"id": "T1080",
"name": "Taint Shared Content",
"display_name": "T1080 - Taint Shared Content"
},
{
"id": "T1082",
"name": "System Information Discovery",
"display_name": "T1082 - System Information Discovery"
},
{
"id": "T1083",
"name": "File and Directory Discovery",
"display_name": "T1083 - File and Directory Discovery"
},
{
"id": "T1574",
"name": "Hijack Execution Flow",
"display_name": "T1574 - Hijack Execution Flow"
}
],
"industries": [
"Government",
"Telecommunications",
"Technology"
],
"TLP": "green",
"cloned_from": null,
"export_count": 0,
"upvotes_count": 0,
"downvotes_count": 0,
"votes_count": 0,
"locked": false,
"pulse_source": "web",
"validator_count": 0,
"comment_count": 0,
"follower_count": 0,
"vote": 0,
"author": {
"username": "msudosos",
"id": "381696",
"avatar_url": "https://otx.alienvault.com/assets/images/default-avatar.png",
"is_subscribed": false,
"is_following": false
},
"indicator_type_counts": {
"domain": 81,
"URL": 421,
"hostname": 491,
"FileHash-MD5": 477,
"FileHash-SHA1": 298,
"FileHash-SHA256": 719,
"IPv4": 177,
"CVE": 5,
"email": 12,
"CIDR": 2
},
"indicator_count": 2683,
"is_author": false,
"is_subscribing": null,
"subscriber_count": 49,
"modified_text": "10 days ago ",
"is_modified": true,
"groups": [],
"in_group": false,
"threat_hunter_scannable": true,
"threat_hunter_has_agents": 1,
"related_indicator_type": "domain",
"related_indicator_is_active": 1
},
{
"id": "69d6619d62ea0c3bbf0ebf75",
"name": "Mac OS Unwanted Programs | Mac Booster application potentially installed in background without target\u2019s knowledge",
"description": "Not installed by users I\u2019m researching for. Downloaded as an unwanted program Overview of com.iobit.MacBooster-3\ncom.iobit.MacBooster-3 is the package identifier for MacBooster 3, a software application developed by IObit. This application is specifically designed for optimizing and maintaining Mac computers.\nKey Features\nMacBooster 3 includes several essential features aimed at enhancing the performance and security of Mac systems:\nSystem Cleanup: .\nPerformance Boosting: \nMalware Protection: .\nCompatibility\nMacBooster 3 is compatible with macOS versions starting from OS X 10.9. False - \nWhat are the potential risks of using MacBooster 3 on a Mac computer?\nUsing MacBooster 3 on a Mac computer can lead to potentially unwanted program (PUP) behavior, including browser interference, frequent pop-ups, and the installation of unnecessary software.",
"modified": "2026-04-08T14:09:33.432000",
"created": "2026-04-08T14:09:33.432000",
"tags": [
"issuer apple",
"valid from",
"valid",
"serial number",
"macho",
"macho 64bit",
"mac os",
"x macho",
"intel",
"file version",
"team identifier",
"apple root",
"ca feb",
"am ma9eduzpcw",
"signers",
"issuer valid",
"from valid",
"status issuer",
"apple inc",
"valid apple",
"a9 a8",
"process32nextw",
"regsetvalueexa",
"read c",
"regdword",
"tls handshake",
"failure",
"msie",
"malware",
"write",
"win32",
"unknown",
"dynamicloader",
"high",
"myapp",
"device driver",
"host",
"worm",
"delphi",
"error",
"code",
"defender",
"next",
"file score",
"cryp",
"virus",
"checkin tls",
"forbidden yara",
"msvisualcpp2008",
"less ip",
"contacted",
"scanning host",
"trojan",
"exploit host",
"apple inc",
"monitored target",
"targeting",
"name servers",
"servers",
"expiration date",
"value emails",
"name domain",
"org apple",
"infinite loop",
"city cupertino",
"country us",
"tulach"
],
"references": [
"com.iobit.MacBooster-3",
"IDS Detections: Win32.Floxif.A Checkin TLS Handshake Failure 403 Forbidden",
"Yara Detections: Malware_Floxif_mpsvc_dll , stack_string , MS_Visual_Cpp_2008 ,",
"Yara Detections: KERNEL32_DLL_xor_exe_key_197 , xor_0xc5_This_program",
"Alerts: dead_host network_icmp nolookup_communication persistence_autorun",
"Alerts: modifies_proxy_wpad antivm_vmware_in_instruction dumped_buffer",
"Alerts: network_cnc_http network_http allocates_rwx antisandbox_sleep creates_exe",
"Alerts: injection_process_search antivm_network_adapters privilege_luid_check",
"Alerts: checks_debugger has_pdb raises_exception",
"IP\u2019s Contacted: 104.200.23.95 174.139.10.194 198.35.26.96",
"Domains Contacted: en.wikipedia.org 5isohu.com www.aieov.com",
"Monitored targets. Tsara Brashears, UAlberta (disable_duck) seen",
"I can\u2019t speak for behavior of targets. Seems unlikely programs were intentionally installed.",
"https://otx.alienvault.com/indicator/cve/CVE-2023-22518",
"Issue! Team member found CVE-2023-22518 have origins from the State of Colorado",
"Issue! Multiple IoC\u2019s missing.",
"A user StreamMiningEx copied pulses: octoseek, scoreblue, KAILULA4, callmeDoris , dorkingbeauty1 and more",
"I can\u2019t help but notice a trend. IoC\u2019s found by actual targets are removed from pulses. Recent users are listed in place",
"Issue! What I am troubled about the s the deletion service that has plagued OTX/ LevelBlue",
"Brian Sabey, Tulach, other adversaries working illegally to remove IoC\u2019s",
"Disturbed pulses of mercenary attacks S/A NSO Pegasus NOT reported to CISA or Citizens Lab.",
"Reporting is an expected protocol. Is this more of a \u2018bounty\u2019 focused, a honeypot?",
"Researching using an easy powerful tool like this has led to confrontations.",
"I liked the tool. There is something strange happening with the pulses & IoC\u2019s",
"I did not clone my pulse to read Bit.io",
"I am not cloning pulses belonging to others without crediting. I\u2019m one of a few who credit. This has happened to other team members",
"There are serious researchers on here for a short time hoping to resolve serious cyber issues",
"I am unable to reach Level Blue regarding issues. Mailer Daemon only",
"It\u2019s not just me. I have contacted from very secured emails, networks, devices",
"I typically follow targets who have truly dangerous situations who no longer pulse.",
"This would be sent in an email but \u2026.",
"About pulse, found in peripheral.",
"When your pulse says contacted, who is contacted besides OTX?",
"An earlier version contacted entities affected or affecting targets."
],
"public": 1,
"adversary": "",
"targeted_countries": [],
"malware_families": [
{
"id": "Worm:Win32/AutoRun!atmn",
"display_name": "Worm:Win32/AutoRun!atmn",
"target": "/malware/Worm:Win32/AutoRun!atmn"
},
{
"id": "Virus:Win32/Floxif.H",
"display_name": "Virus:Win32/Floxif.H",
"target": "/malware/Virus:Win32/Floxif.H"
},
{
"id": "Exploit:Win32/CVE-2017-0147",
"display_name": "Exploit:Win32/CVE-2017-0147",
"target": "/malware/Exploit:Win32/CVE-2017-0147"
},
{
"id": "Ransom:Win32/CVE-2017-0147",
"display_name": "Ransom:Win32/CVE-2017-0147",
"target": "/malware/Ransom:Win32/CVE-2017-0147"
},
{
"id": "CVE-2023-22518",
"display_name": "CVE-2023-22518",
"target": null
}
],
"attack_ids": [
{
"id": "T1140",
"name": "Deobfuscate/Decode Files or Information",
"display_name": "T1140 - Deobfuscate/Decode Files or Information"
},
{
"id": "T1040",
"name": "Network Sniffing",
"display_name": "T1040 - Network Sniffing"
},
{
"id": "T1053",
"name": "Scheduled Task/Job",
"display_name": "T1053 - Scheduled Task/Job"
},
{
"id": "T1057",
"name": "Process Discovery",
"display_name": "T1057 - Process Discovery"
},
{
"id": "T1060",
"name": "Registry Run Keys / Startup Folder",
"display_name": "T1060 - Registry Run Keys / Startup Folder"
},
{
"id": "T1129",
"name": "Shared Modules",
"display_name": "T1129 - Shared Modules"
},
{
"id": "T1566",
"name": "Phishing",
"display_name": "T1566 - Phishing"
},
{
"id": "T1155",
"name": "AppleScript",
"display_name": "T1155 - AppleScript"
},
{
"id": "T1031",
"name": "Modify Existing Service",
"display_name": "T1031 - Modify Existing Service"
},
{
"id": "T1410",
"name": "Network Traffic Capture or Redirection",
"display_name": "T1410 - Network Traffic Capture or Redirection"
},
{
"id": "T1449",
"name": "Exploit SS7 to Redirect Phone Calls/SMS",
"display_name": "T1449 - Exploit SS7 to Redirect Phone Calls/SMS"
},
{
"id": "T1089",
"name": "Disabling Security Tools",
"display_name": "T1089 - Disabling Security Tools"
},
{
"id": "T1562.001",
"name": "Disable or Modify Tools",
"display_name": "T1562.001 - Disable or Modify Tools"
},
{
"id": "T1068",
"name": "Exploitation for Privilege Escalation",
"display_name": "T1068 - Exploitation for Privilege Escalation"
}
],
"industries": [],
"TLP": "white",
"cloned_from": null,
"export_count": 1,
"upvotes_count": 0,
"downvotes_count": 0,
"votes_count": 0,
"locked": false,
"pulse_source": "web",
"validator_count": 0,
"comment_count": 0,
"follower_count": 0,
"vote": 0,
"author": {
"username": "Q.Vashti",
"id": "337942",
"avatar_url": "https://otx.alienvault.com/assets/images/default-avatar.png",
"is_subscribed": false,
"is_following": false
},
"indicator_type_counts": {
"FileHash-SHA1": 75,
"FileHash-MD5": 102,
"FileHash-SHA256": 2076,
"IPv4": 111,
"URL": 2496,
"CVE": 2,
"domain": 483,
"hostname": 938,
"email": 4,
"SSLCertFingerprint": 2
},
"indicator_count": 6289,
"is_author": false,
"is_subscribing": null,
"subscriber_count": 138,
"modified_text": "11 days ago ",
"is_modified": false,
"groups": [],
"in_group": false,
"threat_hunter_scannable": true,
"threat_hunter_has_agents": 1,
"related_indicator_type": "domain",
"related_indicator_is_active": 1
},
{
"id": "694dc80ac6e7fd5474b316a1",
"name": "Malicious DDOS attacks targeting Brand New 2025 | Updated Apple Products affecting IRS payment portal",
"description": "Malicious actors continue to target certain users attempting to pay the IRS. Victim is redirected to : http://sa.www4.irs.gov/ola/payment_options/create_long_term_plan after typing in IRS.gov (w/ secure header \u2018https\u2019 )\nOnce information is input it is payment is rejected, levy against bank accounts and assets and other threats. There is social engineering as one victim is communicating with someone allegedly from the IRS? \nAlthough malicious entities contacted , malicious behavior continues. Adversaries in the Middle attack. US hacker group. Denver, Iowa, Arizona, NY and abroad. \n\n*Targets: https://build.webkit.org/results/Apple-Sequoia-Safer-CPP-Checks/301548@main |",
"modified": "2026-01-24T22:05:13.068000",
"created": "2025-12-25T23:26:02.712000",
"tags": [
"hash avast",
"avg clamav",
"msdefender feb",
"url http",
"url https",
"zipcode",
"active related",
"cage01195 dec",
"passports",
"ipv4",
"active",
"irs",
"apple",
"role title",
"indicator role",
"malware attacks",
"find encrypted",
"lumen",
"fastly",
"create c",
"read c",
"delete",
"write",
"default",
"medium",
"rgba",
"dock",
"execution",
"xport",
"united",
"passive dns",
"urls",
"expiration date",
"unknown ns",
"unknown aaaa",
"pulse pulses",
"merit",
"dod network",
"type indicator",
"related pulses",
"name",
"name servers",
"ffffff",
"ip address",
"emails",
"object",
"clsid6bf52a52",
"cookie",
"meta",
"united kingdom",
"germany",
"russia",
"search",
"added active",
"windir",
"openurl c",
"prefetch2",
"analysis",
"tor analysis",
"dns requests",
"domain address",
"contacted hosts",
"href",
"pattern match",
"ascii text",
"ck id",
"mitre att",
"ck matrix",
"t1071",
"general",
"local",
"path",
"iframe",
"click",
"beginstring",
"segoe ui",
"null",
"refresh",
"span",
"hybrid",
"strings",
"error",
"tools",
"title",
"look",
"verify",
"restart",
"data upload",
"extraction",
"failed",
"include data",
"entries",
"unicode",
"high",
"memcommit",
"next",
"flag",
"process details",
"path expiresthu",
"moved",
"gmt set",
"domain",
"httponly path",
"encrypt",
"leaseweb",
"iowa",
"title added",
"bad traffic",
"et info",
"tls handshake",
"failure",
"command decode",
"suricata stream",
"circle",
"f5f8fa",
"learn",
"name tactics",
"suspicious",
"informative",
"adversaries",
"command",
"defense evasion",
"spawns",
"development att",
"suricata http",
"windows nt",
"date",
"ips initial",
"prefetch8",
"localappdata",
"prefetch1",
"programfiles",
"edge",
"access att",
"t1566 phishing",
"initial access",
"show process",
"show technique",
"process",
"t1057",
"contacted",
"ck techniques",
"evasion att",
"body",
"report spam",
"apple",
"ddos",
"irs created",
"hours ago",
"white",
"apple user",
"industries",
"government",
"finance",
"trojandropper",
"appleservice",
"mirai",
"trojan",
"next associated",
"fastly error",
"please",
"sea p",
"mozilla",
"accept",
"alerts",
"filehash",
"md5 add",
"av detections",
"ids detections",
"yara detections",
"analysis date",
"file score",
"medium risk",
"copy",
"richhash",
"finding notes",
"clamav malware",
"files matching",
"number",
"sample analysis",
"samples show",
"date hash",
"yara rule",
"msie",
"t1063",
"windows",
"malware",
"detected",
"https domain",
"tls sni",
"markus",
"smartassembly",
"win64",
"exif data",
"present dec",
"status",
"showing",
"show",
"icmp traffic",
"pdb path",
"crlf line",
"mutex",
"ms defender",
"mtb malware",
"hide samples",
"rootkit",
"apple webkit",
"macbook pro",
"apple ios"
],
"references": [
"sa.www4.irs.gov \u2022 sa1.www4.irs.gov \u2022 sa2.www4.irs.gov \u2022 apps.irs.gov \u2022 freetaxassistance.for.irs.gov \u2022 home.treasury.gov \u2022",
"132.3.48.38 \u2022 Description: CC=US ASN=AS721 dod network information center",
"154.35.132.70\t\u2022 Description: CC=US ASN=AS14987 rethem hosting llc",
"165.206.254.134 \u2022 Description: CC=US ASN=AS6122",
"192.85.127.130 \u2022 Description: CC=US ASN=AS2173 hewlett-packard company",
"195.128.76.205 \u2022 Description: CC=RU ASN=AS8470 jsc macomnet",
"205.181.242.243 \u2022 Description: CC=US ASN=AS3738 state street bank and trust company",
"207.75.164.17 \u2022 Description: CC=US ASN=AS237 merit network",
"207.75.164.210 \u2022 Description: CC=US ASN=AS237 merit network",
"214.25.9.149 \u2022 Description: CC=US ASN=AS344 dod network information center",
"216.252.199.59 \u2022 Description: CC=US ASN=AS31827 biz net technologies",
"78.46.218.253 \u2022 Description: CC=DE ASN=AS24940 hetzner online gmbh",
"95.211.7.168 \u2022Description: CC=NL ASN=AS60781 leaseweb netherlands b.v.",
"http://www.anyxxxtube.net/search-porn/tsara-brashears-denies-jeffrey-scott-reimer-sex\t- Adult Content",
"https://www.anyxxxtube.net/search-porn/tsara-brashears/\tphishing - Adult Content",
"http://www.anyxxxtube.net/search-porn/tsara-brashears - Adult Content",
"https://www.anyxxxtube.net/search-porn/a-m-c-ate-xxx-videos/ - Adult Content",
"http://www.anyxxxtube.net/search-porn/ - Adult Content",
"https://eliyporasa.life/uelbu/5/151504-harleyxwest-porn - Adult Content",
"http://www.anyxxxtube.net/search-porn/tsara-brashears-denies-jeffrey-scott-reimer-sex\t- Adult Content",
"https://wallpapers-nature.com/tsara-brashears/tse1-mm-bing-net - Adult Content",
"https://wallpapers-nature.com/ tsara-brashears/urlscan-io\t- Adult Content",
"https://wallpapers-nature.com/%20tsara-brashears/urlscan-io\t- Adult Content",
"https://wallpapers-nature.com/tsara-brashears/urlscan-io - Adult Content",
"http://sissy.com/default - Adult Content",
"https://eliyporasa - Adult Content",
"64.38.232.180 - Adult Content IP",
"www.anyxxxtube.net - Adult Content",
"www.anyxxxtube.net - Adult Content IP",
"http://www.iranianporn.com/ \u2022 iranianporn.com - Adult Content",
"http://www.italianporn.com/ \u2022 italianporn.com - Adult Content IP",
"jamaicansex.com \u2022 onlinesexmags.com \u2022 sexbible.com \u2022 bestsex.com - Adult Content IP",
"https://www.anyxxxtube.net/video/2241/big-titted-sexy-chick-august-ames/ - Adult Content IP",
"http://geometry.ru/articles/blinkovsexcircle.pdf- Adult Content IP",
"http://www.onlinesexmags.com/members/gent/current/ - Adult Content IP",
"http://sissy.com/default.php?qry=xinb0NVH3vxGQfarWy4r54j5FWwjyNsIfAXqPpjmSCTYnrY20orAEt5QcaKNVYpHM3.AFndEsyGlSb_SXAGpMTdue0rkjANJ3fQ0wH3yzmI9qKCDJp39iCno_V.ci7VYf_I4t_Y2ibuGhE_rlOAs3FGeaahClLHQmyX30MRH5AfpY6B5N9LDoau6dxnMaf3qGZEX_xCRYTdVAigxUMX2qRyl16DvSb9DohTpdet4E_v0QjzIjDwGGS4PYEDpjmzIeKlCSItsv09pHL84QDb6V_fvuFw0jX8tfoI8VQmpnaeudPhO0nDmV3c5G7HjNNcF&tgt=NO+TOKEN&searchKey=free+porn&wp=1&skp=3_2402 - Adult Content IP",
"httpssa.www4.irs.gov \u2022 jobs.irs.gov \u2022 https://sa.www4.irs.gov/ \u2022 https://sa.www4.irs.gov \u2022 www.directfile.irs.gov \u2022",
"http://sa.www4.irs.gov/ola/payment_options/create_long_term_plan \u2022 www4.irs.gov \u2022 www.drupal.org",
"asp.bet",
"apple.co \u2022 apple.com \u2022 apple.info \u2022 apple.net",
"https://www.freeiconspng.com/thumbs/icloud-logo/icloud-drive-mac-mail-cloud-apple-pc-works-c",
"https://build.webkit.org/results/Apple-Sequoia-Safer-CPP-Checks/301548@main",
"http://usw2.apple.com/ \u2022 https://itunes.apple.com/app/apple-store/id284815942/us/app/samsung-galaxy-watch-gear-s/id1117310635",
"applefilmmaker.com \u2022 appleid.com \u2022 appleiservices.com",
"jobs.lumen.com \u2022 lumen.com \u2022 msradc.lumen.com \u2022 voip.lumen.com \u2022 www.lumen.com",
"https://otx.alienvault.com/pulse/694d7d426afd8c1c816ddb9e",
"Information gathered equals 2 pulses. Pulse (1) included",
"https://hybrid-analysis.com/sample/ec4a41028de0fb099e6f14c8507ba98d2215872688a955db015ca2dafc2baa3d/694d9e6a07ba5e76e203a672",
"https://hybrid-analysis.com/sample/ec4a41028de0fb099e6f14c8507ba98d2215872688a955db015ca2dafc2baa3d",
"https://hybrid-analysis.com/sample/d9a2ab3260e7202336bef383bd97b323c616e0857623a30339ef285058a16ca3",
"https://hybrid-analysis.com/sample/270e6924ee7b824b615813b00654f282accd5c649920f143e4f1c47862de4676",
"https://hybrid-analysis.com/sample/d9a2ab3260e7202336bef383bd97b323c616e0857623a30339ef285058a16ca3/694d9a33a2febcb826005ed5",
"https://hybrid-analysis.com/sample/270e6924ee7b824b615813b00654f282accd5c649920f143e4f1c47862de4676",
"Follow up need. This is a serious financial crime following the victims.",
"Victims have lost financial assets, jobs, vehicles",
"Persistent. Is Christopher P. Ahmann, Brian Sabey, State of Colorado",
"After an attack a different victim had awe , tax refund seized, Insurance became Medicaid, Was audited by the IRs and there was attempts on life w/ bad outcome"
],
"public": 1,
"adversary": "",
"targeted_countries": [
"United States of America",
"Canada",
"United Kingdom of Great Britain and Northern Ireland"
],
"malware_families": [
{
"id": "Win.Malware.Msilperseus-6989564-0",
"display_name": "Win.Malware.Msilperseus-6989564-0",
"target": null
},
{
"id": "Mirai",
"display_name": "Mirai",
"target": null
},
{
"id": "Win.Trojan.Ramnit-1847",
"display_name": "Win.Trojan.Ramnit-1847",
"target": null
},
{
"id": "Win.Trojan.Fenomengame-14",
"display_name": "Win.Trojan.Fenomengame-14",
"target": null
},
{
"id": "ALF:JASYP:Trojan:Win32/IRCbot!atmn",
"display_name": "ALF:JASYP:Trojan:Win32/IRCbot!atmn",
"target": null
},
{
"id": "Pandex!gen1",
"display_name": "Pandex!gen1",
"target": null
},
{
"id": "Mirai Sim Swap",
"display_name": "Mirai Sim Swap",
"target": null
},
{
"id": "ET",
"display_name": "ET",
"target": null
},
{
"id": "Lumen IP",
"display_name": "Lumen IP",
"target": null
},
{
"id": "Unknown Malware \u2018Can't access file\u2019",
"display_name": "Unknown Malware \u2018Can't access file\u2019",
"target": null
},
{
"id": "ALF:JASYP:Trojan:Win32/IRCbot!atmn",
"display_name": "ALF:JASYP:Trojan:Win32/IRCbot!atmn",
"target": null
},
{
"id": "Win.Trojan.Fenomengame-8",
"display_name": "Win.Trojan.Fenomengame-8",
"target": null
},
{
"id": "ALF:JASYP:Trojan:Win32/Adialer",
"display_name": "ALF:JASYP:Trojan:Win32/Adialer",
"target": null
},
{
"id": "TrojanDropper:Win32/Muldrop",
"display_name": "TrojanDropper:Win32/Muldrop",
"target": "/malware/TrojanDropper:Win32/Muldrop"
},
{
"id": "Appleservice",
"display_name": "Appleservice",
"target": null
},
{
"id": "ELF:DDoS-S\\ [Trj]",
"display_name": "ELF:DDoS-S\\ [Trj]",
"target": null
},
{
"id": "Unix.Trojan.Gafgyt-6981154-0",
"display_name": "Unix.Trojan.Gafgyt-6981154-0",
"target": null
}
],
"attack_ids": [
{
"id": "T1053",
"name": "Scheduled Task/Job",
"display_name": "T1053 - Scheduled Task/Job"
},
{
"id": "T1055",
"name": "Process Injection",
"display_name": "T1055 - Process Injection"
},
{
"id": "T1082",
"name": "System Information Discovery",
"display_name": "T1082 - System Information Discovery"
},
{
"id": "T1119",
"name": "Automated Collection",
"display_name": "T1119 - Automated Collection"
},
{
"id": "T1129",
"name": "Shared Modules",
"display_name": "T1129 - Shared Modules"
},
{
"id": "T1143",
"name": "Hidden Window",
"display_name": "T1143 - Hidden Window"
},
{
"id": "T1057",
"name": "Process Discovery",
"display_name": "T1057 - Process Discovery"
},
{
"id": "T1069",
"name": "Permission Groups Discovery",
"display_name": "T1069 - Permission Groups Discovery"
},
{
"id": "T1071",
"name": "Application Layer Protocol",
"display_name": "T1071 - Application Layer Protocol"
},
{
"id": "T1105",
"name": "Ingress Tool Transfer",
"display_name": "T1105 - Ingress Tool Transfer"
},
{
"id": "T1480",
"name": "Execution Guardrails",
"display_name": "T1480 - Execution Guardrails"
},
{
"id": "T1113",
"name": "Screen Capture",
"display_name": "T1113 - Screen Capture"
},
{
"id": "T1553",
"name": "Subvert Trust Controls",
"display_name": "T1553 - Subvert Trust Controls"
},
{
"id": "T1562",
"name": "Impair Defenses",
"display_name": "T1562 - Impair Defenses"
},
{
"id": "T1583",
"name": "Acquire Infrastructure",
"display_name": "T1583 - Acquire Infrastructure"
},
{
"id": "T1069.002",
"name": "Domain Groups",
"display_name": "T1069.002 - Domain Groups"
},
{
"id": "T1132",
"name": "Data Encoding",
"display_name": "T1132 - Data Encoding"
},
{
"id": "T1140",
"name": "Deobfuscate/Decode Files or Information",
"display_name": "T1140 - Deobfuscate/Decode Files or Information"
},
{
"id": "T1189",
"name": "Drive-by Compromise",
"display_name": "T1189 - Drive-by Compromise"
},
{
"id": "T1568",
"name": "Dynamic Resolution",
"display_name": "T1568 - Dynamic Resolution"
},
{
"id": "T1590",
"name": "Gather Victim Network Information",
"display_name": "T1590 - Gather Victim Network Information"
},
{
"id": "T1566",
"name": "Phishing",
"display_name": "T1566 - Phishing"
},
{
"id": "T1003",
"name": "OS Credential Dumping",
"display_name": "T1003 - OS Credential Dumping"
},
{
"id": "T1045",
"name": "Software Packing",
"display_name": "T1045 - Software Packing"
},
{
"id": "T1060",
"name": "Registry Run Keys / Startup Folder",
"display_name": "T1060 - Registry Run Keys / Startup Folder"
},
{
"id": "T1063",
"name": "Security Software Discovery",
"display_name": "T1063 - Security Software Discovery"
},
{
"id": "T1070",
"name": "Indicator Removal on Host",
"display_name": "T1070 - Indicator Removal on Host"
},
{
"id": "T1155",
"name": "AppleScript",
"display_name": "T1155 - AppleScript"
},
{
"id": "T1557",
"name": "Man-in-the-Middle",
"display_name": "T1557 - Man-in-the-Middle"
},
{
"id": "T1185",
"name": "Man in the Browser",
"display_name": "T1185 - Man in the Browser"
},
{
"id": "T1176",
"name": "Browser Extensions",
"display_name": "T1176 - Browser Extensions"
},
{
"id": "T1584.005",
"name": "Botnet",
"display_name": "T1584.005 - Botnet"
}
],
"industries": [
"Financial",
"Government",
"Technology",
"IRS"
],
"TLP": "green",
"cloned_from": null,
"export_count": 11,
"upvotes_count": 0,
"downvotes_count": 0,
"votes_count": 0,
"locked": false,
"pulse_source": "web",
"validator_count": 0,
"comment_count": 0,
"follower_count": 0,
"vote": 0,
"author": {
"username": "Q.Vashti",
"id": "337942",
"avatar_url": "https://otx.alienvault.com/assets/images/default-avatar.png",
"is_subscribed": false,
"is_following": false
},
"indicator_type_counts": {
"FileHash-MD5": 363,
"FileHash-SHA1": 360,
"FileHash-SHA256": 3009,
"URL": 3504,
"domain": 879,
"email": 15,
"hostname": 1487,
"SSLCertFingerprint": 3
},
"indicator_count": 9620,
"is_author": false,
"is_subscribing": null,
"subscriber_count": 141,
"modified_text": "84 days ago ",
"is_modified": true,
"groups": [],
"in_group": false,
"threat_hunter_scannable": true,
"threat_hunter_has_agents": 1,
"related_indicator_type": "domain",
"related_indicator_is_active": 1
},
{
"id": "6905d40f781d7d58d4021a20",
"name": "Treece Alfrey Musat P.C., Chris P. Ahmann Colorado State \u2022 Tam Legal Special Cousel for egregious acts by PT.",
"description": "- with a primary focus on criminal defense. In both positions, he successfully defended his clients against claims running the gamut of the criminal justice system, from DUI\nand misdemeanors to felony indictments. In his criminal practice, Mr. Ahmann defends clients charged with both misdemeanor and felony cases. Mr. Ahmann continues his criminal practice as he believes that his clients deserve someone on their side to assure their voice is heard in the criminal process as well. He is dedicated to each of his clients and is always\nstriving for the best possible outcome in their individual cases. Mr. Ahmann also specializes in defense of employers in workers' compensation claims. He also assists TAM clients whose liability defense touches criminal prosecution, regularly providing effective criminal counsel in catastrophic injury common carrier matters, as well as criminal prosecution stemming from\nemployment and official acts.",
"modified": "2025-12-20T06:00:23.758000",
"created": "2025-11-01T09:34:07.323000",
"tags": [
"public tlp",
"trojandropper",
"other",
"references add",
"show",
"provide",
"remote",
"t1457",
"media content",
"t1480",
"subvert trust",
"controls t1562",
"modify tools",
"command history",
"ck t1027",
"t1057",
"discovery t1069",
"t1071",
"protocol t1105",
"tool transfer",
"t1113",
"logging t1568",
"t1574",
"execution flow",
"dll sideloading",
"t1583",
"ta0003",
"ck id",
"america",
"att",
"t1045",
"capture t1140",
"ipv4",
"active related",
"contact",
"adversary",
"tam legal",
"qshell",
"colorado state",
"ahmann special",
"counsel",
"download",
"ahmann",
"university",
"history",
"john marshall",
"law school",
"special counsel",
"christopher ahmann",
"defense",
"url http",
"create new",
"pulse provide",
"white",
"adversary tags",
"add tag",
"groups add",
"countries add",
"country malware",
"trojan",
"script urls",
"treece alfrey",
"meta",
"function",
"for privacy",
"germany unknown",
"united",
"script",
"ip address",
"creation date",
"date",
"tracker",
"null",
"window",
"general full",
"reverse dns",
"server",
"philadelphia",
"asn8560",
"ionosas",
"ionos",
"fasthosts",
"media",
"telecom",
"apache",
"main",
"gtagtracker",
"gatracker",
"brian sabey",
"hall render",
"fastly error",
"palantir",
"special counsel",
"gravity rat"
],
"references": [
"Treece Alfrey Musat P.C. Attorneys at Law Christopher P. Ahmann | https://TamLegal.com",
"https://urlscan.io/screenshots/e931bb02-80dc-46db-92f0-43d5afa258be.png",
"https://www.pornhub.com/gifs/search?search=tsara+lynn+brashears+lesbian",
"https://www.anyxxxtube.net/search-porn/tsara-brashears/",
"http://45.159.189.105/bot/regex \u2022\u2019 Fake Pinterest \u2022https://pin.it/",
"https://twitter.com/PORNO_SEXYBABES \u2022 girlsdoporn.com",
"Tsara never knew defense attorney fought & closed her worker\u2019s compensation claim",
"Traceback- Man with signal jammer/ deauther working around her today.",
"Absolutely zero regard for the victims who facilitate your luxury lifestyle.",
"Do you slap luxury cologne on your undeserving face paid for by money workers suffered for?",
"You\u2019d kill to have someone else\u2019s lifestyle? May God take you out!",
"This God smacked penguin ordered a settlement hearing with less than 24 hours notice for claimant.",
"He began a smear campaign immediately and is directly linked to Hall Render and Palantir",
"Doing any evil thing for mone does not compute for me.",
"I\u2019ve looked through the settlement docs, injuries caused by Jeffrey Scott Reiner DPT omitted.",
"He must be very scary like Peter Theil because every attorney took case then backed off.",
"Patiently waiting to see what God is going to do to all of you. You take lives for $",
"Stop! A woman was assaulted carved up, lived with a swollen brain , maltreatment , stalkers , hitmen?",
"So you can order food at fine restaurants , go to the finest places and get the best seats? No. I am earnestly praying Jehovah Sabaoth takes your last breath from all of you with Yawehs mightiest angels leading the way with a changing of guard for every tattle you will lose",
"On same block with HalkRender. Has close working relationship. All Palantir legal enities"
],
"public": 1,
"adversary": "",
"targeted_countries": [],
"malware_families": [
{
"id": "Other",
"display_name": "Other",
"target": null
},
{
"id": "Win.Malware.Unsafe",
"display_name": "Win.Malware.Unsafe",
"target": null
},
{
"id": "Juko",
"display_name": "Juko",
"target": null
},
{
"id": "Expiro",
"display_name": "Expiro",
"target": null
},
{
"id": "Trojan:Win32/Generic",
"display_name": "Trojan:Win32/Generic",
"target": "/malware/Trojan:Win32/Generic"
},
{
"id": "Win.Malware.Qshell-9875653-0",
"display_name": "Win.Malware.Qshell-9875653-0",
"target": null
},
{
"id": "Trojan:Win32/Qshell",
"display_name": "Trojan:Win32/Qshell",
"target": "/malware/Trojan:Win32/Qshell"
}
],
"attack_ids": [
{
"id": "T1027",
"name": "Obfuscated Files or Information",
"display_name": "T1027 - Obfuscated Files or Information"
},
{
"id": "T1045",
"name": "Software Packing",
"display_name": "T1045 - Software Packing"
},
{
"id": "T1057",
"name": "Process Discovery",
"display_name": "T1057 - Process Discovery"
},
{
"id": "T1069",
"name": "Permission Groups Discovery",
"display_name": "T1069 - Permission Groups Discovery"
},
{
"id": "T1071",
"name": "Application Layer Protocol",
"display_name": "T1071 - Application Layer Protocol"
},
{
"id": "T1105",
"name": "Ingress Tool Transfer",
"display_name": "T1105 - Ingress Tool Transfer"
},
{
"id": "T1113",
"name": "Screen Capture",
"display_name": "T1113 - Screen Capture"
},
{
"id": "T1140",
"name": "Deobfuscate/Decode Files or Information",
"display_name": "T1140 - Deobfuscate/Decode Files or Information"
},
{
"id": "T1197",
"name": "BITS Jobs",
"display_name": "T1197 - BITS Jobs"
},
{
"id": "T1210",
"name": "Exploitation of Remote Services",
"display_name": "T1210 - Exploitation of Remote Services"
},
{
"id": "T1457",
"name": "Malicious Media Content",
"display_name": "T1457 - Malicious Media Content"
},
{
"id": "T1480",
"name": "Execution Guardrails",
"display_name": "T1480 - Execution Guardrails"
},
{
"id": "T1553",
"name": "Subvert Trust Controls",
"display_name": "T1553 - Subvert Trust Controls"
},
{
"id": "T1562",
"name": "Impair Defenses",
"display_name": "T1562 - Impair Defenses"
},
{
"id": "T1568",
"name": "Dynamic Resolution",
"display_name": "T1568 - Dynamic Resolution"
},
{
"id": "T1574",
"name": "Hijack Execution Flow",
"display_name": "T1574 - Hijack Execution Flow"
},
{
"id": "T1583",
"name": "Acquire Infrastructure",
"display_name": "T1583 - Acquire Infrastructure"
}
],
"industries": [
"Legal",
"Government",
"Healthcare",
"Technology",
"Telecommunications"
],
"TLP": "white",
"cloned_from": null,
"export_count": 6,
"upvotes_count": 0,
"downvotes_count": 0,
"votes_count": 0,
"locked": false,
"pulse_source": "web",
"validator_count": 0,
"comment_count": 0,
"follower_count": 0,
"vote": 0,
"author": {
"username": "Q.Vashti",
"id": "337942",
"avatar_url": "https://otx.alienvault.com/assets/images/default-avatar.png",
"is_subscribed": false,
"is_following": false
},
"indicator_type_counts": {
"URL": 8332,
"domain": 4819,
"hostname": 2165,
"FileHash-SHA256": 7369,
"FileHash-MD5": 474,
"FileHash-SHA1": 470,
"CVE": 4,
"email": 4
},
"indicator_count": 23637,
"is_author": false,
"is_subscribing": null,
"subscriber_count": 139,
"modified_text": "120 days ago ",
"is_modified": true,
"groups": [],
"in_group": false,
"threat_hunter_scannable": true,
"threat_hunter_has_agents": 1,
"related_indicator_type": "domain",
"related_indicator_is_active": 1
},
{
"id": "690b39b3cf3cb86d14ccd811",
"name": "VirusTotal Graph - 11.05.25 - UAlberta Insiders",
"description": "I was just looking for a Dark Gate and came across this...hmmmm....\nI enriched on import, vet out and refer to virustotal graph referenced.\nRefer to References below - am unable to get them in. Profiled student group (OSINT) - unclear if potential allies or not.",
"modified": "2025-12-05T11:00:41.797000",
"created": "2025-11-05T11:49:07.495000",
"tags": [
"chadsualberta"
],
"references": [
"https://www.virustotal.com/graph/embed/ge8fc36dfbe1c48cab7c6efb0398cc30cb5aaebda2bf24123bb6a282436cc5bab?theme=dark",
"https://www.filescan.io/uploads/690baf5e85b61a93a738d0d5/reports/ecaf45a2-956f-4d4e-8ebd-00813d966614/ioc",
"ThreatZone - Malicious",
"https://tria.ge/251105-yvvzgssldn",
"https://hybrid-analysis.com/sample/30df68083e80263898ac56e2ef458811cec5fa73b92ad60f14b96ce676a11495",
"https://hybrid-analysis.com/sample/30df68083e80263898ac56e2ef458811cec5fa73b92ad60f14b96ce676a11495/690baf2999a0659ae9046188",
"Email: chads@ualberta[.]ca"
],
"public": 1,
"adversary": "",
"targeted_countries": [],
"malware_families": [],
"attack_ids": [],
"industries": [
"Education",
"Technology"
],
"TLP": "white",
"cloned_from": null,
"export_count": 6,
"upvotes_count": 0,
"downvotes_count": 0,
"votes_count": 0,
"locked": false,
"pulse_source": "web",
"validator_count": 0,
"comment_count": 2,
"follower_count": 0,
"vote": 0,
"author": {
"username": "Disable_Duck",
"id": "244325",
"avatar_url": "/otxapi/users/avatar_image/media/avatars/user_244325/resized/80/avatar_3b9c358f36.png",
"is_subscribed": false,
"is_following": false
},
"indicator_type_counts": {
"FileHash-MD5": 120,
"FileHash-SHA1": 120,
"FileHash-SHA256": 1809,
"URL": 603,
"domain": 396,
"hostname": 514
},
"indicator_count": 3562,
"is_author": false,
"is_subscribing": null,
"subscriber_count": 137,
"modified_text": "135 days ago ",
"is_modified": true,
"groups": [],
"in_group": false,
"threat_hunter_scannable": true,
"threat_hunter_has_agents": 1,
"related_indicator_type": "domain",
"related_indicator_is_active": 1
},
{
"id": "6906c12b1dd6a64ab1beaa55",
"name": "SpyNoon \u2022Chris P. Ahmann Colorado State \u2022 Tam Legal Special Cousel for egregious",
"description": "",
"modified": "2025-12-01T09:02:26.881000",
"created": "2025-11-02T02:25:47.431000",
"tags": [
"public tlp",
"trojandropper",
"other",
"references add",
"show",
"provide",
"remote",
"t1457",
"media content",
"t1480",
"subvert trust",
"controls t1562",
"modify tools",
"command history",
"ck t1027",
"t1057",
"discovery t1069",
"t1071",
"protocol t1105",
"tool transfer",
"t1113",
"logging t1568",
"t1574",
"execution flow",
"dll sideloading",
"t1583",
"ta0003",
"ck id",
"america",
"att",
"t1045",
"capture t1140",
"ipv4",
"active related",
"contact",
"adversary",
"tam legal",
"qshell",
"colorado state",
"ahmann special",
"counsel",
"download",
"ahmann",
"university",
"history",
"john marshall",
"law school",
"special counsel",
"christopher ahmann",
"defense",
"url http",
"create new",
"pulse provide",
"white",
"adversary tags",
"add tag",
"groups add",
"countries add",
"country malware",
"trojan",
"script urls",
"treece alfrey",
"meta",
"function",
"for privacy",
"germany unknown",
"united",
"script",
"ip address",
"creation date",
"date",
"tracker",
"null",
"window",
"general full",
"reverse dns",
"server",
"philadelphia",
"asn8560",
"ionosas",
"ionos",
"fasthosts",
"media",
"telecom",
"apache",
"main",
"gtagtracker",
"gatracker",
"brian sabey",
"hall render",
"fastly error",
"palantir",
"special counsel",
"gravity rat"
],
"references": [
"Treece Alfrey Musat P.C. Attorneys at Law Christopher P. Ahmann | https://TamLegal.com",
"https://urlscan.io/screenshots/e931bb02-80dc-46db-92f0-43d5afa258be.png",
"https://www.pornhub.com/gifs/search?search=tsara+lynn+brashears+lesbian",
"https://www.anyxxxtube.net/search-porn/tsara-brashears/",
"http://45.159.189.105/bot/regex \u2022\u2019 Fake Pinterest \u2022https://pin.it/",
"https://twitter.com/PORNO_SEXYBABES \u2022 girlsdoporn.com",
"Tsara never knew defense attorney fought & closed her worker\u2019s compensation claim",
"Traceback- Man with signal jammer/ deauther working around her today.",
"Absolutely zero regard for the victims who facilitate your luxury lifestyle.",
"Do you slap luxury cologne on your undeserving face paid for by money workers suffered for?",
"You\u2019d kill to have someone else\u2019s lifestyle? May God take you out!",
"This God smacked penguin ordered a settlement hearing with less than 24 hours notice for claimant.",
"He began a smear campaign immediately and is directly linked to Hall Render and Palantir",
"Doing any evil thing for mone does not compute for me.",
"I\u2019ve looked through the settlement docs, injuries caused by Jeffrey Scott Reiner DPT omitted.",
"He must be very scary like Peter Theil because every attorney took case then backed off.",
"Patiently waiting to see what God is going to do to all of you. You take lives for $",
"Stop! A woman was assaulted carved up, lived with a swollen brain , maltreatment , stalkers , hitmen?",
"So you can order food at fine restaurants , go to the finest places and get the best seats? No. I am earnestly praying Jehovah Sabaoth takes your last breath from all of you with Yawehs mightiest angels leading the way with a changing of guard for every tattle you will lose",
"On same block with HalkRender. Has close working relationship. All Palantir legal enities"
],
"public": 1,
"adversary": "",
"targeted_countries": [],
"malware_families": [
{
"id": "Other",
"display_name": "Other",
"target": null
},
{
"id": "Win.Malware.Unsafe",
"display_name": "Win.Malware.Unsafe",
"target": null
},
{
"id": "Juko",
"display_name": "Juko",
"target": null
},
{
"id": "Expiro",
"display_name": "Expiro",
"target": null
},
{
"id": "Trojan:Win32/Generic",
"display_name": "Trojan:Win32/Generic",
"target": "/malware/Trojan:Win32/Generic"
},
{
"id": "Win.Malware.Qshell-9875653-0",
"display_name": "Win.Malware.Qshell-9875653-0",
"target": null
},
{
"id": "Trojan:Win32/Qshell",
"display_name": "Trojan:Win32/Qshell",
"target": "/malware/Trojan:Win32/Qshell"
}
],
"attack_ids": [
{
"id": "T1027",
"name": "Obfuscated Files or Information",
"display_name": "T1027 - Obfuscated Files or Information"
},
{
"id": "T1045",
"name": "Software Packing",
"display_name": "T1045 - Software Packing"
},
{
"id": "T1057",
"name": "Process Discovery",
"display_name": "T1057 - Process Discovery"
},
{
"id": "T1069",
"name": "Permission Groups Discovery",
"display_name": "T1069 - Permission Groups Discovery"
},
{
"id": "T1071",
"name": "Application Layer Protocol",
"display_name": "T1071 - Application Layer Protocol"
},
{
"id": "T1105",
"name": "Ingress Tool Transfer",
"display_name": "T1105 - Ingress Tool Transfer"
},
{
"id": "T1113",
"name": "Screen Capture",
"display_name": "T1113 - Screen Capture"
},
{
"id": "T1140",
"name": "Deobfuscate/Decode Files or Information",
"display_name": "T1140 - Deobfuscate/Decode Files or Information"
},
{
"id": "T1197",
"name": "BITS Jobs",
"display_name": "T1197 - BITS Jobs"
},
{
"id": "T1210",
"name": "Exploitation of Remote Services",
"display_name": "T1210 - Exploitation of Remote Services"
},
{
"id": "T1457",
"name": "Malicious Media Content",
"display_name": "T1457 - Malicious Media Content"
},
{
"id": "T1480",
"name": "Execution Guardrails",
"display_name": "T1480 - Execution Guardrails"
},
{
"id": "T1553",
"name": "Subvert Trust Controls",
"display_name": "T1553 - Subvert Trust Controls"
},
{
"id": "T1562",
"name": "Impair Defenses",
"display_name": "T1562 - Impair Defenses"
},
{
"id": "T1568",
"name": "Dynamic Resolution",
"display_name": "T1568 - Dynamic Resolution"
},
{
"id": "T1574",
"name": "Hijack Execution Flow",
"display_name": "T1574 - Hijack Execution Flow"
},
{
"id": "T1583",
"name": "Acquire Infrastructure",
"display_name": "T1583 - Acquire Infrastructure"
}
],
"industries": [
"Legal",
"Government",
"Healthcare",
"Technology",
"Telecommunications"
],
"TLP": "white",
"cloned_from": "6905d40f781d7d58d4021a20",
"export_count": 11,
"upvotes_count": 0,
"downvotes_count": 0,
"votes_count": 0,
"locked": false,
"pulse_source": "web",
"validator_count": 0,
"comment_count": 0,
"follower_count": 0,
"vote": 0,
"author": {
"username": "Q.Vashti",
"id": "337942",
"avatar_url": "https://otx.alienvault.com/assets/images/default-avatar.png",
"is_subscribed": false,
"is_following": false
},
"indicator_type_counts": {
"URL": 7556,
"domain": 4779,
"hostname": 2053,
"FileHash-SHA256": 7233,
"FileHash-MD5": 474,
"FileHash-SHA1": 470,
"CVE": 4,
"email": 4
},
"indicator_count": 22573,
"is_author": false,
"is_subscribing": null,
"subscriber_count": 138,
"modified_text": "139 days ago ",
"is_modified": true,
"groups": [],
"in_group": false,
"threat_hunter_scannable": true,
"threat_hunter_has_agents": 1,
"related_indicator_type": "domain",
"related_indicator_is_active": 1
},
{
"id": "69137ee5d76d486d65396af0",
"name": "Chris P. Ahmann Colorado State \u2022 Tam Legal Special Cousel for egregious acts committed by Jeffrey S. Reimer DPT \u2022 Treece Alfrey Musat P.C., ",
"description": "",
"modified": "2025-12-01T09:02:26.881000",
"created": "2025-11-11T18:22:29.976000",
"tags": [
"public tlp",
"trojandropper",
"other",
"references add",
"show",
"provide",
"remote",
"t1457",
"media content",
"t1480",
"subvert trust",
"controls t1562",
"modify tools",
"command history",
"ck t1027",
"t1057",
"discovery t1069",
"t1071",
"protocol t1105",
"tool transfer",
"t1113",
"logging t1568",
"t1574",
"execution flow",
"dll sideloading",
"t1583",
"ta0003",
"ck id",
"america",
"att",
"t1045",
"capture t1140",
"ipv4",
"active related",
"contact",
"adversary",
"tam legal",
"qshell",
"colorado state",
"ahmann special",
"counsel",
"download",
"ahmann",
"university",
"history",
"john marshall",
"law school",
"special counsel",
"christopher ahmann",
"defense",
"url http",
"create new",
"pulse provide",
"white",
"adversary tags",
"add tag",
"groups add",
"countries add",
"country malware",
"trojan",
"script urls",
"treece alfrey",
"meta",
"function",
"for privacy",
"germany unknown",
"united",
"script",
"ip address",
"creation date",
"date",
"tracker",
"null",
"window",
"general full",
"reverse dns",
"server",
"philadelphia",
"asn8560",
"ionosas",
"ionos",
"fasthosts",
"media",
"telecom",
"apache",
"main",
"gtagtracker",
"gatracker",
"brian sabey",
"hall render",
"fastly error",
"palantir",
"special counsel",
"gravity rat"
],
"references": [
"Treece Alfrey Musat P.C. Attorneys at Law Christopher P. Ahmann | https://TamLegal.com",
"https://urlscan.io/screenshots/e931bb02-80dc-46db-92f0-43d5afa258be.png",
"https://www.pornhub.com/gifs/search?search=tsara+lynn+brashears+lesbian",
"https://www.anyxxxtube.net/search-porn/tsara-brashears/",
"http://45.159.189.105/bot/regex \u2022\u2019 Fake Pinterest \u2022https://pin.it/",
"https://twitter.com/PORNO_SEXYBABES \u2022 girlsdoporn.com",
"Tsara never knew defense attorney fought & closed her worker\u2019s compensation claim",
"Traceback- Man with signal jammer/ deauther working around her today.",
"Absolutely zero regard for the victims who facilitate your luxury lifestyle.",
"Do you slap luxury cologne on your undeserving face paid for by money workers suffered for?",
"You\u2019d kill to have someone else\u2019s lifestyle? May God take you out!",
"This God smacked penguin ordered a settlement hearing with less than 24 hours notice for claimant.",
"He began a smear campaign immediately and is directly linked to Hall Render and Palantir",
"Doing any evil thing for mone does not compute for me.",
"I\u2019ve looked through the settlement docs, injuries caused by Jeffrey Scott Reiner DPT omitted.",
"He must be very scary like Peter Theil because every attorney took case then backed off.",
"Patiently waiting to see what God is going to do to all of you. You take lives for $",
"Stop! A woman was assaulted carved up, lived with a swollen brain , maltreatment , stalkers , hitmen?",
"So you can order food at fine restaurants , go to the finest places and get the best seats? No. I am earnestly praying Jehovah Sabaoth takes your last breath from all of you with Yawehs mightiest angels leading the way with a changing of guard for every tattle you will lose",
"On same block with HalkRender. Has close working relationship. All Palantir legal enities"
],
"public": 1,
"adversary": "",
"targeted_countries": [],
"malware_families": [
{
"id": "Other",
"display_name": "Other",
"target": null
},
{
"id": "Win.Malware.Unsafe",
"display_name": "Win.Malware.Unsafe",
"target": null
},
{
"id": "Juko",
"display_name": "Juko",
"target": null
},
{
"id": "Expiro",
"display_name": "Expiro",
"target": null
},
{
"id": "Trojan:Win32/Generic",
"display_name": "Trojan:Win32/Generic",
"target": "/malware/Trojan:Win32/Generic"
},
{
"id": "Win.Malware.Qshell-9875653-0",
"display_name": "Win.Malware.Qshell-9875653-0",
"target": null
},
{
"id": "Trojan:Win32/Qshell",
"display_name": "Trojan:Win32/Qshell",
"target": "/malware/Trojan:Win32/Qshell"
}
],
"attack_ids": [
{
"id": "T1027",
"name": "Obfuscated Files or Information",
"display_name": "T1027 - Obfuscated Files or Information"
},
{
"id": "T1045",
"name": "Software Packing",
"display_name": "T1045 - Software Packing"
},
{
"id": "T1057",
"name": "Process Discovery",
"display_name": "T1057 - Process Discovery"
},
{
"id": "T1069",
"name": "Permission Groups Discovery",
"display_name": "T1069 - Permission Groups Discovery"
},
{
"id": "T1071",
"name": "Application Layer Protocol",
"display_name": "T1071 - Application Layer Protocol"
},
{
"id": "T1105",
"name": "Ingress Tool Transfer",
"display_name": "T1105 - Ingress Tool Transfer"
},
{
"id": "T1113",
"name": "Screen Capture",
"display_name": "T1113 - Screen Capture"
},
{
"id": "T1140",
"name": "Deobfuscate/Decode Files or Information",
"display_name": "T1140 - Deobfuscate/Decode Files or Information"
},
{
"id": "T1197",
"name": "BITS Jobs",
"display_name": "T1197 - BITS Jobs"
},
{
"id": "T1210",
"name": "Exploitation of Remote Services",
"display_name": "T1210 - Exploitation of Remote Services"
},
{
"id": "T1457",
"name": "Malicious Media Content",
"display_name": "T1457 - Malicious Media Content"
},
{
"id": "T1480",
"name": "Execution Guardrails",
"display_name": "T1480 - Execution Guardrails"
},
{
"id": "T1553",
"name": "Subvert Trust Controls",
"display_name": "T1553 - Subvert Trust Controls"
},
{
"id": "T1562",
"name": "Impair Defenses",
"display_name": "T1562 - Impair Defenses"
},
{
"id": "T1568",
"name": "Dynamic Resolution",
"display_name": "T1568 - Dynamic Resolution"
},
{
"id": "T1574",
"name": "Hijack Execution Flow",
"display_name": "T1574 - Hijack Execution Flow"
},
{
"id": "T1583",
"name": "Acquire Infrastructure",
"display_name": "T1583 - Acquire Infrastructure"
}
],
"industries": [
"Legal",
"Government",
"Healthcare",
"Technology",
"Telecommunications"
],
"TLP": "white",
"cloned_from": "6905d40f781d7d58d4021a20",
"export_count": 3,
"upvotes_count": 0,
"downvotes_count": 0,
"votes_count": 0,
"locked": false,
"pulse_source": "web",
"validator_count": 0,
"comment_count": 0,
"follower_count": 0,
"vote": 0,
"author": {
"username": "Q.Vashti",
"id": "337942",
"avatar_url": "https://otx.alienvault.com/assets/images/default-avatar.png",
"is_subscribed": false,
"is_following": false
},
"indicator_type_counts": {
"URL": 7556,
"domain": 4779,
"hostname": 2053,
"FileHash-SHA256": 7233,
"FileHash-MD5": 474,
"FileHash-SHA1": 470,
"CVE": 4,
"email": 4
},
"indicator_count": 22573,
"is_author": false,
"is_subscribing": null,
"subscriber_count": 140,
"modified_text": "139 days ago ",
"is_modified": true,
"groups": [],
"in_group": false,
"threat_hunter_scannable": true,
"threat_hunter_has_agents": 1,
"related_indicator_type": "domain",
"related_indicator_is_active": 1
},
{
"id": "68be993e9615b0e3e813b707",
"name": "MalBeacon - Apple Tor Project | Hostile",
"description": "Google.com is the world's largest web server, with an address address of 2.5 million users.. and a domain of 1.6 million servers. \u00c2\u00a31.3bn",
"modified": "2025-10-08T08:03:50.685000",
"created": "2025-09-08T08:52:14.428000",
"tags": [
"present mar",
"present aug",
"present jun",
"france unknown",
"present jan",
"present dec",
"present may",
"present apr",
"passive dns",
"tor exit",
"ipv4",
"reverse dns",
"location france",
"france asn",
"as15557",
"courier",
"accept",
"genco labs",
"comments",
"authority",
"fileversion",
"g2 c",
"llc st",
"md5 add",
"lowfi",
"united",
"backdoor",
"win32",
"hacktool",
"trojan",
"present sep",
"aaaa",
"moved",
"ip address",
"apache",
"ipv4 add",
"america flag",
"gaithersburg",
"united states",
"yara detections",
"malware",
"port",
"destination",
"read c",
"msie",
"windows nt",
"wow64",
"hostile",
"write",
"markus",
"local",
"unknown",
"apple",
"urls",
"domain",
"x apple",
"unknown aaaa",
"hostname add",
"files",
"files ip",
"delete c",
"crlf line",
"cheat service",
"checkin",
"high",
"total",
"delete",
"python",
"learn",
"ck id",
"name tactics",
"suspicious",
"informative",
"spawns",
"command",
"found",
"defense evasion",
"t1480 execution",
"command decode",
"et tor",
"known tor",
"misc attack",
"relayrouter",
"exit",
"node traffic",
"general",
"path",
"click",
"strings",
"meta",
"thus",
"contact",
"main",
"dynamicloader",
"medium",
"wine emulator",
"dynamic",
"reads",
"patchcache",
"pe section",
"code overlap",
"blackie virus",
"intel",
"ms windows",
"pe32",
"regsetvalueexa",
"regdword",
"pe32 executable",
"delphi",
"dock",
"execution",
"explorer",
"next",
"evasion att",
"file defense",
"dynamic api",
"discovery att",
"prefetch8",
"prefetch1",
"mitre att",
"ck matrix",
"localappdata",
"yara signature",
"process",
"a domains",
"malbeacon",
"about contact",
"portal open",
"menu close",
"menu home",
"content home",
"portal",
"beaconing",
"internet",
"dark",
"type indicator",
"added active",
"related pulses",
"url https",
"url http",
"china unknown",
"location china",
"china asn",
"as174 cogent",
"twitter",
"virgin islands",
"creation date",
"germany unknown",
"unknown ns",
"domain add",
"tulach type",
"response ip",
"address google",
"safe browsing",
"status",
"search",
"date",
"name servers",
"showing",
"record value",
"error",
"code",
"content type",
"access",
"length",
"title",
"mtb may",
"useragent",
"next associated",
"gmt cache",
"sameorigin",
"mozilla",
"trojandropper",
"monitored target",
"packed"
],
"references": [
"80.125.71.115",
"Yara Detections: Armadillov171",
"https://malbeacon.com/",
"prod-lt-playstoregatewayadapter-pa.googleapis.com \u2022 redirector.gvt1.com \u2022 torexit.net-137.ampr.org"
],
"public": 1,
"adversary": "",
"targeted_countries": [
"United States of America"
],
"malware_families": [
{
"id": "Win.Trojan.Shodi",
"display_name": "Win.Trojan.Shodi",
"target": null
},
{
"id": "HackTool:Win64/Patcher!MSR",
"display_name": "HackTool:Win64/Patcher!MSR",
"target": "/malware/HackTool:Win64/Patcher!MSR"
},
{
"id": "Win.Malware.Lazy",
"display_name": "Win.Malware.Lazy",
"target": null
},
{
"id": "VirTool:MSIL/CryptInject.YA!MTB",
"display_name": "VirTool:MSIL/CryptInject.YA!MTB",
"target": "/malware/VirTool:MSIL/CryptInject.YA!MTB"
},
{
"id": "Ransom:Win32/Gojdue",
"display_name": "Ransom:Win32/Gojdue",
"target": "/malware/Ransom:Win32/Gojdue"
},
{
"id": "ALF:HeraklezEval:TrojanDownloader:HTML/Adodb",
"display_name": "ALF:HeraklezEval:TrojanDownloader:HTML/Adodb",
"target": null
},
{
"id": "Meredrop",
"display_name": "Meredrop",
"target": null
},
{
"id": "Tulach",
"display_name": "Tulach",
"target": null
},
{
"id": "AutoRun",
"display_name": "AutoRun",
"target": null
}
],
"attack_ids": [
{
"id": "T1012",
"name": "Query Registry",
"display_name": "T1012 - Query Registry"
},
{
"id": "T1040",
"name": "Network Sniffing",
"display_name": "T1040 - Network Sniffing"
},
{
"id": "T1045",
"name": "Software Packing",
"display_name": "T1045 - Software Packing"
},
{
"id": "T1047",
"name": "Windows Management Instrumentation",
"display_name": "T1047 - Windows Management Instrumentation"
},
{
"id": "T1053",
"name": "Scheduled Task/Job",
"display_name": "T1053 - Scheduled Task/Job"
},
{
"id": "T1055",
"name": "Process Injection",
"display_name": "T1055 - Process Injection"
},
{
"id": "T1057",
"name": "Process Discovery",
"display_name": "T1057 - Process Discovery"
},
{
"id": "T1060",
"name": "Registry Run Keys / Startup Folder",
"display_name": "T1060 - Registry Run Keys / Startup Folder"
},
{
"id": "T1063",
"name": "Security Software Discovery",
"display_name": "T1063 - Security Software Discovery"
},
{
"id": "T1067",
"name": "Bootkit",
"display_name": "T1067 - Bootkit"
},
{
"id": "T1071",
"name": "Application Layer Protocol",
"display_name": "T1071 - Application Layer Protocol"
},
{
"id": "T1082",
"name": "System Information Discovery",
"display_name": "T1082 - System Information Discovery"
},
{
"id": "T1112",
"name": "Modify Registry",
"display_name": "T1112 - Modify Registry"
},
{
"id": "T1129",
"name": "Shared Modules",
"display_name": "T1129 - Shared Modules"
},
{
"id": "T1143",
"name": "Hidden Window",
"display_name": "T1143 - Hidden Window"
},
{
"id": "T1105",
"name": "Ingress Tool Transfer",
"display_name": "T1105 - Ingress Tool Transfer"
},
{
"id": "T1480",
"name": "Execution Guardrails",
"display_name": "T1480 - Execution Guardrails"
},
{
"id": "T1113",
"name": "Screen Capture",
"display_name": "T1113 - Screen Capture"
},
{
"id": "T1090",
"name": "Proxy",
"display_name": "T1090 - Proxy"
},
{
"id": "T1027",
"name": "Obfuscated Files or Information",
"display_name": "T1027 - Obfuscated Files or Information"
},
{
"id": "T1140",
"name": "Deobfuscate/Decode Files or Information",
"display_name": "T1140 - Deobfuscate/Decode Files or Information"
}
],
"industries": [
"Telecommunications"
],
"TLP": "white",
"cloned_from": null,
"export_count": 8,
"upvotes_count": 0,
"downvotes_count": 0,
"votes_count": 0,
"locked": false,
"pulse_source": "web",
"validator_count": 0,
"comment_count": 0,
"follower_count": 0,
"vote": 0,
"author": {
"username": "Q.Vashti",
"id": "337942",
"avatar_url": "https://otx.alienvault.com/assets/images/default-avatar.png",
"is_subscribed": false,
"is_following": false
},
"indicator_type_counts": {
"hostname": 852,
"FileHash-MD5": 508,
"FileHash-SHA1": 407,
"FileHash-SHA256": 4566,
"URL": 3778,
"domain": 789,
"email": 8,
"SSLCertFingerprint": 2
},
"indicator_count": 10910,
"is_author": false,
"is_subscribing": null,
"subscriber_count": 145,
"modified_text": "193 days ago ",
"is_modified": true,
"groups": [],
"in_group": false,
"threat_hunter_scannable": true,
"threat_hunter_has_agents": 1,
"related_indicator_type": "domain",
"related_indicator_is_active": 1
},
{
"id": "68abf66e97031d0ff0c04fed",
"name": "Packed sentient.industries links to a targets business website",
"description": "Very malicious link found in a targets business.\nPacked. Needs to be categorized.\n(FoundryPalantir rich?) Tracking, hacking, and serious espionage.\nAvailable public Information: \nSENTIENT INDUSTRIES\nsentient.industries\nSentient industries provides design and engineering services, from prototyping to small-batch manufacturing, empowering clients to overcome complex challenges. |\nMore about sentient\nMission sentient accelerates mission critical technology for\u2026\nSENTIENT INDUSTRIES\nAccelerating mission-critical tech for disaster response, defense ...\nContact Now\nAustin, tx 78758. United States. EMAIL us. info@sentient \n\nWorse than it looks. Spying on a several threat researchers.",
"modified": "2025-09-24T04:04:05.604000",
"created": "2025-08-25T05:36:46.327000",
"tags": [
"moved",
"body",
"x cache",
"cloudfront x",
"cph50 c2",
"certificate",
"record value",
"title",
"h1 center",
"server",
"redacted for",
"servers",
"name redacted",
"for privacy",
"name servers",
"org data",
"privacy city",
"privacy country",
"ca creation",
"passive dns",
"urls",
"files",
"ip address",
"asn as57033",
"less whois",
"registrar",
"tucows domains",
"key identifier",
"data",
"v3 serial",
"number",
"cat ozerossl",
"cnzerossl ecc",
"domain secure",
"site ca",
"validity",
"subject public",
"extraction",
"data upload",
"extra data",
"include review",
"find",
"failed",
"typ no",
"ms windows",
"intel",
"pe32",
"united",
"search",
"as16509",
"from win32bios",
"show",
"high",
"medium",
"delphi",
"copy",
"write",
"launcher",
"next",
"present aug",
"present jul",
"lowfi",
"win32",
"a div",
"div div",
"learn xml",
"babylon",
"win64",
"trojan",
"colors",
"python",
"learn",
"ck id",
"name tactics",
"suspicious",
"informative",
"command",
"adversaries",
"spawns",
"mitre att",
"ck techniques",
"et info",
"tls handshake",
"bad traffic",
"failure",
"date",
"august",
"hybrid",
"general",
"path",
"starfield",
"click",
"strings",
"se bethseda",
"n bethseda",
"n data",
"error",
"date checked",
"url hostname",
"server response",
"google safe",
"results aug",
"read c",
"tlsv1",
"port",
"destination",
"module load",
"execution",
"dock",
"persistence",
"malware",
"unknown",
"cname",
"aaaa",
"creation date",
"showing",
"domain",
"dga domains",
"palantirfoundry",
"foundry",
"status",
"unknown ns",
"g2 tls",
"rsa sha256",
"italy unknown",
"mtb may",
"trojandropper",
"invalid url",
"next associated",
"ddos",
"body html",
"hacktool",
"ipv4",
"url analysis",
"ukraine",
"encrypt",
"rl add",
"http",
"hostname",
"files domain",
"files related",
"related tags",
"present jun",
"entries",
"title error",
"all ipv4",
"reverse dns",
"yara detections",
"top source",
"top destination",
"source source",
"sha256 add",
"pulse pulses",
"av detections",
"ids detections",
"alerts",
"analysis date",
"address range",
"cidr",
"network name",
"allocation type",
"whois server",
"entity amazon4",
"handle",
"canada unknown",
"content type",
"javascript src",
"script script",
"x powered",
"ipv4 add",
"pulse submit",
"submit url",
"analysis",
"url add",
"related nids",
"files location",
"canada flag",
"canada hostname",
"unknown aaaa",
"ascii text",
"user agent",
"powershell",
"agent",
"czechia unknown",
"domain add",
"dynamicloader",
"hostname add",
"pentagon",
"defense"
],
"references": [
"sentient.industries affects independent artists. Affects several others.",
"Bethseda Map - Yara Detections Delphi , InnoSetupInstaller",
"Bethseda Map - High Priority Alerts: ransomware_file_moves ransomware_appends_extensions",
"Bethseda Map - High Priority Alerts: dumped_buffer2 antisandbox_mouse_hook",
"Bethseda Map - High Priority Alerts: modifies_certificates ransomware_dropped_files",
"Bethseda Map - High Priority Alerts: ransomware_mass_file_delete antivm_firmware",
"Bethseda Map - High Priority Alerts: antiemu_wine banker_zeus_p2p",
"https://download.mobiledit.com/drivers/setup_cdd_apple_1_0_10_0.exe",
"https://forensic.manuals.mobiledit.com/MM/how-to-install-correct-apple-drivers",
"prod.foundry.tylertechai.com \u2022 qa.foundry.tylertechai.com \u2022 staging.foundry.tylertechai.com \u2022",
"talos-staging.palantirfoundry.com \u2022 tylertechai.com \u2022 Palantir Technologies Inc.\u2022 palantirfoundry.com",
"Affects : Kailula4 , scnrscnr, SongCulture, Tsara Brashears & associated, ScrnrScrnr , dorkingbeauty",
"Interesting widgets: https://myid.canon/prd/1.1.30/canonid-assets/gcid-widget.html",
"http://link.monetizer101.com/widget/custom-2.0.2/templates/1",
"https://widget-i18n.tiktokv.com.ttdns2.com/ \u2022 https://stella.demand-iq.com/widget",
"widget-va.tiktokv.com.ttdns2.com \u2022 http://widget-i18n.tiktokv.com.ttdns2.com/",
"http://link.monetizer101.com/widget/custom-2.0.3/js/load.min.js \u2022",
"https://link.monetizer101.com/widget/code/595.js \u2022 https://link.monetizer101.com/widget/code/1343.js",
"https://link.monetizer101.com/widget/code/1511.js \u2022 https://link.monetizer101.com/widget/code/mirror.js",
"https://link.monetizer101.com/widget/code/dailystaruk.js",
"https://download.mobiledit.com/drivers/setup_cdd_apple_1_0_10_0.exe",
"https://forensic.manuals.mobiledit.com/MM/how-to-install-correct-apple-drivers (ASP.NET)",
"Interesting Strings: https://pro-api.coinmarketcap.com/v2/cryptocurrency/quotes/historical",
"(Can't access file- Malware infection files)",
"Potential reparations: Spyware , Trojan , Pegasus , DNS , Graphite , Paragon , NSO Group , Endgame , Cloudfront",
"constellation.pcfrpegaservice.net (Pegasus related? idk)",
"On behalf of pcfrpegaservice.net owner Name Servers\tNS-1477.AWSDNS-56.ORG Org\tIdentity Protection Service",
"TrojanWin32Scoreem - CodeOverlap [616fc7047d6216f7a604fa90f2f2dd0ad5b12f1153137e43858d3421ba964ea4]",
"I have to breakdown this enormous post over time. I\u2019m going to repost a potential hackers similar post",
"Remotewd.com devices",
"If you find anything interesting please research it."
],
"public": 1,
"adversary": "",
"targeted_countries": [
"United States of America"
],
"malware_families": [
{
"id": "nUFS_inno",
"display_name": "nUFS_inno",
"target": null
},
{
"id": "#Lowfi:HSTR:MSIL/Malicious",
"display_name": "#Lowfi:HSTR:MSIL/Malicious",
"target": null
},
{
"id": "ALF:JASYP:PUA:Win32/Bibado",
"display_name": "ALF:JASYP:PUA:Win32/Bibado",
"target": null
},
{
"id": "Trojan:Win32/Toga",
"display_name": "Trojan:Win32/Toga",
"target": "/malware/Trojan:Win32/Toga"
},
{
"id": "Win32:Downloader-GJK\\ [Trj]",
"display_name": "Win32:Downloader-GJK\\ [Trj]",
"target": null
},
{
"id": "Win.Downloader.109205-1",
"display_name": "Win.Downloader.109205-1",
"target": null
},
{
"id": "Custom Malware",
"display_name": "Custom Malware",
"target": null
},
{
"id": "#LowFiEnableDTContinueAfterUnpacking",
"display_name": "#LowFiEnableDTContinueAfterUnpacking",
"target": null
},
{
"id": "Win32:Downloader-GJK\\ [Trj]",
"display_name": "Win32:Downloader-GJK\\ [Trj]",
"target": null
},
{
"id": "Win.Downloader.109205-1",
"display_name": "Win.Downloader.109205-1",
"target": null
},
{
"id": "Win.Trojan.Jorik-149",
"display_name": "Win.Trojan.Jorik-149",
"target": null
},
{
"id": "#LowFiDetectsVmWare",
"display_name": "#LowFiDetectsVmWare",
"target": null
},
{
"id": "Win.Trojan.Jorik-130",
"display_name": "Win.Trojan.Jorik-130",
"target": null
},
{
"id": "Win.Trojan.Fakecodecs-119",
"display_name": "Win.Trojan.Fakecodecs-119",
"target": null
},
{
"id": "Trojan:Win32/Zombie.A",
"display_name": "Trojan:Win32/Zombie.A",
"target": "/malware/Trojan:Win32/Zombie.A"
},
{
"id": "Win.Trojan.Bulz-9860169-0",
"display_name": "Win.Trojan.Bulz-9860169-0",
"target": null
},
{
"id": "Win.Malware.Midie-6847892-0",
"display_name": "Win.Malware.Midie-6847892-0",
"target": null
},
{
"id": "TrojanDropper:Win32/Muldrop.V!MTB",
"display_name": "TrojanDropper:Win32/Muldrop.V!MTB",
"target": "/malware/TrojanDropper:Win32/Muldrop.V!MTB"
},
{
"id": "Win.Packed.Razy-9785185-0",
"display_name": "Win.Packed.Razy-9785185-0",
"target": null
},
{
"id": "Trojan:Win32/Glupteba.MT!MTB",
"display_name": "Trojan:Win32/Glupteba.MT!MTB",
"target": "/malware/Trojan:Win32/Glupteba.MT!MTB"
},
{
"id": "PWS",
"display_name": "PWS",
"target": null
},
{
"id": "DDOS:Win32/Stormser.A",
"display_name": "DDOS:Win32/Stormser.A",
"target": "/malware/DDOS:Win32/Stormser.A"
},
{
"id": "ALF:HSTR:DotNET",
"display_name": "ALF:HSTR:DotNET",
"target": null
},
{
"id": "DotNET",
"display_name": "DotNET",
"target": null
},
{
"id": "Script Exploit",
"display_name": "Script Exploit",
"target": null
},
{
"id": "HackTool:Win32/AutoKMS",
"display_name": "HackTool:Win32/AutoKMS",
"target": "/malware/HackTool:Win32/AutoKMS"
},
{
"id": "Xanfpezes.A",
"display_name": "Xanfpezes.A",
"target": null
},
{
"id": "Trojan:Win32/Gandcrab",
"display_name": "Trojan:Win32/Gandcrab",
"target": "/malware/Trojan:Win32/Gandcrab"
},
{
"id": "Win.Trojan.Generic-9862772-0",
"display_name": "Win.Trojan.Generic-9862772-0",
"target": null
},
{
"id": "Trojan:Win32/Zbot.SIBL!MTB",
"display_name": "Trojan:Win32/Zbot.SIBL!MTB",
"target": "/malware/Trojan:Win32/Zbot.SIBL!MTB"
},
{
"id": "Win32/Nemucod",
"display_name": "Win32/Nemucod",
"target": null
},
{
"id": "ALF:HeraklezEval:TrojanDownloader:HTML/Adodb!rfn",
"display_name": "ALF:HeraklezEval:TrojanDownloader:HTML/Adodb!rfn",
"target": null
},
{
"id": "Trojan:Win32/Blihan.A",
"display_name": "Trojan:Win32/Blihan.A",
"target": "/malware/Trojan:Win32/Blihan.A"
},
{
"id": "TrojanDropper:Win32/Muldrop",
"display_name": "TrojanDropper:Win32/Muldrop",
"target": "/malware/TrojanDropper:Win32/Muldrop"
},
{
"id": "ALF:HeraklezEval:Trojan:Win32/Ymacco.AA47",
"display_name": "ALF:HeraklezEval:Trojan:Win32/Ymacco.AA47",
"target": null
},
{
"id": "Win.Malware.Kolab-9885903-0",
"display_name": "Win.Malware.Kolab-9885903-0",
"target": null
},
{
"id": "Win.Malware (30)",
"display_name": "Win.Malware (30)",
"target": null
},
{
"id": "Ransom",
"display_name": "Ransom",
"target": null
},
{
"id": "#Lowfi:HSTR:MSIL/Malicious.Decryption",
"display_name": "#Lowfi:HSTR:MSIL/Malicious.Decryption",
"target": null
},
{
"id": "E5",
"display_name": "E5",
"target": null
},
{
"id": "MyDoom",
"display_name": "MyDoom",
"target": null
}
],
"attack_ids": [
{
"id": "T1047",
"name": "Windows Management Instrumentation",
"display_name": "T1047 - Windows Management Instrumentation"
},
{
"id": "T1060",
"name": "Registry Run Keys / Startup Folder",
"display_name": "T1060 - Registry Run Keys / Startup Folder"
},
{
"id": "T1119",
"name": "Automated Collection",
"display_name": "T1119 - Automated Collection"
},
{
"id": "T1027",
"name": "Obfuscated Files or Information",
"display_name": "T1027 - Obfuscated Files or Information"
},
{
"id": "T1057",
"name": "Process Discovery",
"display_name": "T1057 - Process Discovery"
},
{
"id": "T1071",
"name": "Application Layer Protocol",
"display_name": "T1071 - Application Layer Protocol"
},
{
"id": "T1105",
"name": "Ingress Tool Transfer",
"display_name": "T1105 - Ingress Tool Transfer"
},
{
"id": "T1480",
"name": "Execution Guardrails",
"display_name": "T1480 - Execution Guardrails"
},
{
"id": "T1553",
"name": "Subvert Trust Controls",
"display_name": "T1553 - Subvert Trust Controls"
},
{
"id": "T1583",
"name": "Acquire Infrastructure",
"display_name": "T1583 - Acquire Infrastructure"
},
{
"id": "T1113",
"name": "Screen Capture",
"display_name": "T1113 - Screen Capture"
},
{
"id": "T1140",
"name": "Deobfuscate/Decode Files or Information",
"display_name": "T1140 - Deobfuscate/Decode Files or Information"
},
{
"id": "T1053",
"name": "Scheduled Task/Job",
"display_name": "T1053 - Scheduled Task/Job"
},
{
"id": "T1055",
"name": "Process Injection",
"display_name": "T1055 - Process Injection"
},
{
"id": "T1082",
"name": "System Information Discovery",
"display_name": "T1082 - System Information Discovery"
},
{
"id": "T1112",
"name": "Modify Registry",
"display_name": "T1112 - Modify Registry"
},
{
"id": "T1129",
"name": "Shared Modules",
"display_name": "T1129 - Shared Modules"
},
{
"id": "T1143",
"name": "Hidden Window",
"display_name": "T1143 - Hidden Window"
},
{
"id": "T1003.008",
"name": "/etc/passwd and /etc/shadow",
"display_name": "T1003.008 - /etc/passwd and /etc/shadow"
},
{
"id": "T1110.002",
"name": "Password Cracking",
"display_name": "T1110.002 - Password Cracking"
}
],
"industries": [],
"TLP": "white",
"cloned_from": null,
"export_count": 40,
"upvotes_count": 0,
"downvotes_count": 0,
"votes_count": 0,
"locked": false,
"pulse_source": "web",
"validator_count": 0,
"comment_count": 0,
"follower_count": 0,
"vote": 0,
"author": {
"username": "Q.Vashti",
"id": "337942",
"avatar_url": "https://otx.alienvault.com/assets/images/default-avatar.png",
"is_subscribed": false,
"is_following": false
},
"indicator_type_counts": {
"domain": 6232,
"URL": 24908,
"hostname": 7993,
"FileHash-SHA256": 11128,
"email": 6,
"FileHash-MD5": 1054,
"FileHash-SHA1": 932,
"SSLCertFingerprint": 14,
"CIDR": 3,
"CVE": 3
},
"indicator_count": 52273,
"is_author": false,
"is_subscribing": null,
"subscriber_count": 146,
"modified_text": "207 days ago ",
"is_modified": true,
"groups": [],
"in_group": false,
"threat_hunter_scannable": true,
"threat_hunter_has_agents": 1,
"related_indicator_type": "domain",
"related_indicator_is_active": 1
},
{
"id": "68596260a9ca6c4cc92ca068",
"name": "Delete service | Affects Threat Research Platforms",
"description": "Delete service attacking threat researchers platforms. Deletes , blocks, scrambles , attaches to accounts like an overlord monitoring and deletion of Io\u2019s across various platforms. \n\nIDS Rules: PROTOCOL-ICMP PATH MTU denial of service attempt\n\u2022 PROTOCOL-ICMP Destination Unreachable Fragmentation Needed and DF bit was set\n\u2022 Matches rule PROTOCOL-ICMP Echo Reply\nInteresting: TLS: SNI: slscr.update.microsoft.com\nSNI: nexusrules.officeapps.live.com\nSNI: login.live.com\nSNI: client.wns.windows.com",
"modified": "2025-08-20T04:13:22.641000",
"created": "2025-06-23T14:19:12.328000",
"tags": [
"ta0004 defense",
"evasion ta0005",
"command",
"control ta0011",
"oc0006",
"get http",
"resolved ips",
"dns resolutions",
"request",
"response",
"windows nt",
"win64",
"khtml",
"gecko",
"ip address",
"country name",
"cname",
"port",
"accept",
"gmt ifnonematch",
"url data",
"icmp",
"mutexes nothing",
"data",
"datacrashpad",
"edge",
"created",
"nothing",
"html internet",
"html document",
"ascii text",
"gtmkvjvztk dl"
],
"references": [],
"public": 1,
"adversary": "",
"targeted_countries": [],
"malware_families": [],
"attack_ids": [
{
"id": "T1027",
"name": "Obfuscated Files or Information",
"display_name": "T1027 - Obfuscated Files or Information"
}
],
"industries": [],
"TLP": "green",
"cloned_from": null,
"export_count": 17,
"upvotes_count": 0,
"downvotes_count": 0,
"votes_count": 0,
"locked": false,
"pulse_source": "web",
"validator_count": 0,
"comment_count": 0,
"follower_count": 0,
"vote": 0,
"author": {
"username": "Q.Vashti",
"id": "337942",
"avatar_url": "https://otx.alienvault.com/assets/images/default-avatar.png",
"is_subscribed": false,
"is_following": false
},
"indicator_type_counts": {
"hostname": 2401,
"URL": 5856,
"FileHash-SHA256": 3473,
"domain": 2188,
"FileHash-MD5": 123,
"FileHash-SHA1": 120,
"CVE": 2
},
"indicator_count": 14163,
"is_author": false,
"is_subscribing": null,
"subscriber_count": 141,
"modified_text": "242 days ago ",
"is_modified": true,
"groups": [],
"in_group": false,
"threat_hunter_scannable": true,
"threat_hunter_has_agents": 1,
"related_indicator_type": "domain",
"related_indicator_is_active": 1
}
],
"error": null,
"vt": {
"error": "VirusTotal rate limit reached. Try again shortly.",
"indicator": "letras.com",
"type": "Domain"
},
"abuseipdb": null,
"urlhaus": {
"indicator": "letras.com",
"found": false,
"verdict": "clean",
"urls": [],
"error": null
},
"from_cache": true,
"_cached_at": 1776611690.7084444
}