{ "type": "Domain", "indicator": "reactbanner.com", "general": { "sections": [ "general", "geo", "url_list", "passive_dns", "malware", "whois", "http_scans" ], "whois": "http://whois.domaintools.com/reactbanner.com", "alexa": "http://www.alexa.com/siteinfo/reactbanner.com", "indicator": "reactbanner.com", "type": "domain", "type_title": "Domain", "validation": [], "base_indicator": { "id": 3758610451, "indicator": "reactbanner.com", "type": "domain", "title": "", "description": "", "content": "", "access_type": "public", "access_reason": "" }, "pulse_info": { "count": 50, "pulses": [ { "id": "69b49ad5dd40a24d83cd6a72", "name": "Chris P. Ahmann \u2022 PRIVATE PROPERTY Colorado State Fixer!", "description": "", "modified": "2026-03-13T23:16:37.716000", "created": "2026-03-13T23:16:37.716000", "tags": [ "related pulses", "p1377925676", "gaz1", "sid1696503456", "sct1", "active", "dynamicloader", "medium", "write c", "search", "show", "high", "program gateway", "http traffic", "http", "write", "malware", "nivdort", "serving ip", "address", "status code", "kb body", "sha256", "gw5hjz7t975", "url https", "url http", "indicator role", "pulses url", "hostname", "poland unknown", "present sep", "present jul", "present may", "present apr", "present dec", "present jan", "moved", "passive dns", "ip address", "title", "location poland", "asn as29522", "gmt content", "accept encoding", "ipv4 add", "urls", "files", "reverse dns", "united", "record value", "aaaa", "mtb oct", "found", "error", "read c", "memcommit", "module load", "next", "showing", "trojan", "execution", "unknown", "entries", "ms windows", "intel", "as15169", "codeoverlap", "yara detections", "delphi", "worm", "win32", "win64", "learn", "ck id", "name tactics", "suspicious", "informative", "adversaries", "command", "spawns", "ssl certificate", "execution att", "script urls", "treece alfrey", "meta", "germany unknown", "for privacy", "title added", "active related", "pulses", "asnone", "named pipe", "type indicator", "role title", "added active", "filehashsha256", "ally", "melika", "information", "law christopher", "https", "fake pinterest", "tsara", "traceback man", "expiro", "capture", "domain", "types of", "germany", "poland", "netherlands", "cve cve20178977", "boobs130432 nov", "learn more", "filehashmd5", "utmsourceawin", "pe32", "head microsoft", "delete", "main", "backdoor", "next associated", "gmt connection", "control", "content type", "twitter", "certificate", "redirect date", "cache", "unknown ns", "hostname add", "ipv4", "pulse pulses", "location united", "america flag", "america asn", "windows", "total", "ids detections", "url add", "related nids", "files location", "flag united", "win32mydoom nov", "domain add", "yara rule", "ee fc", "ff d5", "f0 ff", "eb e1", "ff ff", "c1 e8", "c1 c0", "eb e8", "mpress", "cache control", "x cache", "date", "name servers", "arial", "present aug", "present jun", "may god", "hall render", "palantir doing", "jeffrey scott", "jeffrey reimer", "brian sabey", "butt pirates", "scott reimer", "colorado", "quasi government", "workers compensation", "eva lisa", "eva reimer", "sammie", "montano mark", "death threats", "tulach", "hired hit men", "gay man", "gay porn", "concentra", "corruption", "palantir", "foundry", "grifter", "warning", "illegal", "apple", "contacted", "ransom", "dead", "denver" ], "references": [ "https://tamlegal.com/attorneys/christopher-p-ahmann/#breadcrumb \u2022 https://www.milehighmedia.com/en/movies", "https://www.milehighmedia.com/legal/2257 \u2022 https://www.milehighmedia", "www.milehighmedia.com \u2022 https://www.milehighmedia.com/en/Charlie-Dean/pornstar/49512", "https://www.milehighmedia.com/en/login/index/aHR0cHMlM0ElMkYlMkZtZW1iZXJzLm1pbGVoaWdobWVkaWEuY29tJTJGZW4lMkZ2aWRlb3MlMkZzd2VldGhlYXJ0dmlkZW8lM0ZhbHVwJTNEQURqeF9ITjhfd1oweU96UnpsU3NNNUZLaVVxSzBXNEN0X3NmTFpKTGVJc3M2b0RVUzkwVmp6VllNVko5eFpmdENYcFNKd3IzOTNaMG1mOEpXeVhVeVZpLTJZYVRsaGd3M25DSDRpYnRwZ25BRC1zUFhDQVUycjZJOXo2WWtRMzNVWVFhMFZyWC1YckxvcnRkVjJZdEgxSDYxZ1lhMTFNS3RZSkEzY3FlSXhFQzhtSlAzSk1tbloySURMQXlMZndPcHozSFFiTzF4T0FseXJIQ0xYem1ldFElMkE=\t \thttp://www.milehighmedia.com/?ats=eyJhIjoyOTYzMTgsImMiOjU3OTYzNz", "http://www.milehighmedia.com/legal\t \u2022 https://www.milehighmedia.com/en/pornstar/milehighmedia/Justin-Hunt/51017", "https://www.milehighmedia.com/de/MileHighMedia/scene/129689?utm_source=271174&utm_medium=affiliate&utm_campaign=", "http://www.milehighmedia.com/?ats=eyJhIjoyOTYzMTgsImMiOjU3OTYzNzc1LCJuIjo3NiwicyI6NT...", "ttps://www.milehighmedia.com/scene/4404473/creampie-adventures-scene-2-sneaky-melanie", "https://www.milehighmedia.com/join \u2022 https://www.milehighmedia.com/models \u2022 https://www.milehighmedia.com/movies", "https://www.milehighmedia.com/model/59136/avi-love \u2022https://www.milehighmedia.com/model/60418/Justin-Hunt \u2022", "https://www.milehighmedia.com/en/photo/milehighmedia/The-Mother-I-Cant-Resist/52380", "https://www.milehighmedia.com/en/movies \u2022 https://www.milehighmedia.com/join", "https://www.pornhub.com/gifs/search?search=tsara+lynn+brashears+lesbian", "pornhub-e.com \u2022 www.pornhub.com \u2022", "https://www.sweetheartvideo.com/tsara-brashears/ \u2022 www.sweetheartvideo.com", "https://www.sweetheartvideo.com/en/?s=1?s=1&utm_source=272160&utm_medium=affiliate&utm_campaign=lovelezzies", "https://www.sweetheartvideo.com/en/dvd/Lesbian-Massage/49895", "https://www.sweetheartvideo.com/en/dvds \u2022 https://www.sweetheartvideo.com/en/login", "https://www.sweetheartvideo.com/en/model/Mona-Wales/49601 \u2022 https://www.sweetheartvideo.com/en/scene/Truth-Dare--Boobs/130432 No Expiration\t0\t URL https://www.sweetheartvideo.com/it/model/Kristen-Scott/50432 \u2022 https://www.sweetheartvideo.com/model/63710/brandi-love", "https://www.sweetheartvideo.com/scenes?models=63710", "https://www.sweetheartvideo.com/model/63710/brandi-love", "https://www.sweetheartvideo.com/scenes?models=63710", "https://www.sweetheartvideo.com/it/model/Kristen-Scott/50432", "https://www.sweetheartvideo.com/en/scene/Truth-Dare--Boobs/130432", "https://www.milehighmedia.com/en/photo/milehighmedia/The-Mother-I-Cant-Resist/52380", "https://www.vgt.pl/font/roboto/Roboto-Bold.eot \u2022", "https://www.vgt.pl/94.152.152.233/images/logo.png", "https://www.vgt.pl/94.152.156.22/logo.png \u2022 https://www.vgt.pl/css/", "https://www.vgt.pl/favicon.ico", "https://www.vgt.pl/font/fa/fontawesome-webfont.eot", "https://www.vgt.pl/font/roboto/Roboto-Bold.ttf \u2022 https://www.vgt.pl/font/roboto/Roboto-Light.eot", "https://www.vgt.pl/font/roboto/Roboto-Medium.ttf", "https://www.vgt.pl/font/roboto/Roboto-Light.ttf \u2022", "https://www.vgt.pl/static/js/bootstrap-typeahead.jstic/js/bootstrap-typeahead.js", "https://www.vgt.pl/style/style.css \u2022 https://www.vgt.pl/font/roboto/Roboto-Medium.eot", "https://www.vgt.pl/font/roboto/Roboto-Regular.ttf \u2022 https://www.vgt.pl/font/roboto/Roboto-Thin.eot", "https://www.vgt.pl/static/js/bootstrap-typeahead.js.179.252.2", "https://www.vgt.pl/font/roboto/Roboto-Thin.ttf \u2022 https://www.vgt.pl/static/js/bootstrap-typeahead.js", "https://www.vgt.pl/font/roboto/Roboto-Regular.eot \u2022 https://www.vgt.pl/94.152.156.22/logo.png \u2022 https://www.vgt.pl/css/", "vgt.pl \u2022 www.hak.vgt.pl \u2022 www.localhost.vgt.pl \u2022 www.certyfikat.vgt.pl \u2022 aristocrat.vgt.pl", "https://www.vgt.pl/ phishing \u2022 https://vgt.pl/ \u2022www.vgt.pl \u2022 https://www.vgt.pl/94.152.152.233/images/logo.png", "http://www.pornokind.vgt.pl \u2022 https://dbkuewww.m.vgt.pl \u2022 https://lokalnyhost.vgt.pl \u2022 www.xn--twj-hna.pedofil.vgt.pl", "http://www.hak.vgt.pl \u2022 http://pornokind.vgt.pl \u2022 http://sip.vgt.pl \u2022 http://smtp-qa.vgt.pl \u2022 http://vgt.pl/*.", "https://pornokind.vgt.pl \u2022 https://sip.vgt.pl \u2022 https://smtp-qa.vgt.pl \u2022 https://www.vgt.pl/94.152.156.22/logo.png", "www.localhost.vgt.pl \u2022 www.certyfikat.vgt.pl \u2022 https://www.vgt.pl/94.152.152.233/images/logo.png", "https://www.vgt.pl/css/ \u2022 https://www.vgt.pl/favicon.ico \u2022 https://www.vgt.pl/font/fa/fontawesome-webfont.eot", "https://www.vgt.pl/font/roboto/Roboto-Bold.eot \u2022 https://www.vgt.pl/font/roboto/Roboto-Bold.ttf \u2022 https://www.vgt.pl/font/roboto/Roboto-Light.eot", "https://www.vgt.pl/static/js/bootstrap-typeahead.jstic/js/bootstrap-typeahead.js", "https://www.vgt.pl/style/style.css \u2022 https://www.vgt.pl/static/js/bootstrap-typeahead.js", "IP Address 94.152.58.192 Location Poland ASN AS29522 h88 s.a. Nameservers ns1.kei.pl. , ns2.kei.pl.", "www.happylifehappywife.com \u2022 http://www.happylifehappywife.com/2010/02/'>", "http://www.happylifehappywife.com/2010/04/'> \u2022 http://www.happylifehappywife.com/2010/05/'>", "http://www.happylifehappywife.com/2010/07/'> \u2022 http://www.happylifehappywife.com/2010/09/'>", "http://www.happylifehappywife.com/2011/06/'> \u2022 http://www.happylifehappywife.com/2011/08/'", "http://www.happylifehappywife.com/2011/08/'> \u2022 http://www.happylifehappywife.com/2012/07/'>", "http://www.happylifehappywife.com/2013/03/'> \u2022 http://www.happylifehappywife.com/index.php", "http://www.happylifehappywife.com/wp-content/themes/theme78222/images/top-right.jpg", "https://amp.mypornvid.fun/videos/8/AhxS-ej1myg/gf-18-com/\ud83c\udf81-i39m-your-present-\ud83c\udf81-girlfriend-surprises-you-for-christmas-reunion-soft-kisses-amp-cuddles", "8-25-220-162-static.reverse.queryfoundry.net\t\t\tNov 1, 2025, 9:34:14 AM\t\t5\t domain\tqueryfoundry.net\t\t\tNov 1, 2025, 9:34:14 AM\t\t8\t URL\thttp://117-114-251-162-static.reverse.queryfoundry.net/", "http://watchhers.net/index.php", "remotewd.com device local", "nr-data.net \u2022 applemusic-spotlight.myunidays.com \u2022 init.ess.apple.com \u2022 tv.apple.com", "https://browntubeporn.com/tsara-brashearsAccept-Language", "https://cg864.myhotzpic.com phishing \u2022 http://dashboard.myhotzpic.com/", "https://myhotzpic.com/tsara-brashears-hardcore-lesbian-sex/anime-studio.org*thumbs-fa...", "https://mypornvid.com/videos/27/x510fb2/white-dpt-jeffrey-reimer-loves-pretty-indian-patient-forces-sex-3gp-video-tsara-brashears/caillou-finger", "http://siteinlink.d1.cnbd.net/search/tsara-brashears-dead \u2022 http://siteinlink.d1.cnbd.net/site/maps.google.com.lb/", "http://siteinlink.d1.cnbd.net/search/tsara-brashears-assaulted-by-jeffrey-reimer", "http://siteinlink.d1.cnbd.net/search/tsara-brashears-dead \u2022 https://videolal.com/videos/tsara-brashears-dead-by-daylight.html", "http://pixelrz.com/lists/keywords/tsara-brashears-dead/360 \u2022 http://pixelrz.com/lists/keywords/tsara-brashears-dead/360] No Expiration\t4\t Domain tsara-brashears-deadspin-twitter-suspended-account-help.ht", "https://www.anyxxxtube.net/search-porn/tsara-brashears/", "https://www.pornhub.com/gifs/search?search=tsara+lynn+brashears+lesbian", "https://www.anyxxxtube.net/search-porn/tsara-brashears/", "https://twitter.com/PORNO_SEXYBABES \u2022 girlsdoporn.com", "Treece Alfrey Musat P.C. Attorneys at Law Christopher P. Ahmann | https://TamLegal.com", "https://urlscan.io/screenshots/e931bb02-80dc-46db-92f0-43d5afa258be.png" ], "public": 1, "adversary": "", "targeted_countries": [], "malware_families": [ { "id": "TrojanSpy:Win32/Nivdort", "display_name": "TrojanSpy:Win32/Nivdort", "target": "/malware/TrojanSpy:Win32/Nivdort" }, { "id": "Worm:Win32/Autorun", "display_name": "Worm:Win32/Autorun", "target": "/malware/Worm:Win32/Autorun" }, { "id": "Tofsee", "display_name": "Tofsee", "target": null }, { "id": "Jaik", "display_name": "Jaik", "target": null }, { "id": "Trojan:Win32/Qshell", "display_name": "Trojan:Win32/Qshell", "target": "/malware/Trojan:Win32/Qshell" }, { "id": "Trojan:Win32/Mydoom", "display_name": "Trojan:Win32/Mydoom", "target": "/malware/Trojan:Win32/Mydoom" } ], "attack_ids": [ { "id": "T1045", "name": "Software Packing", "display_name": "T1045 - Software Packing" }, { "id": "T1057", "name": "Process Discovery", "display_name": "T1057 - Process Discovery" }, { "id": "T1060", "name": "Registry Run Keys / Startup Folder", "display_name": "T1060 - Registry Run Keys / Startup Folder" }, { "id": "T1053", "name": "Scheduled Task/Job", "display_name": "T1053 - Scheduled Task/Job" }, { "id": "T1055", "name": "Process Injection", "display_name": "T1055 - Process Injection" }, { "id": "T1082", "name": "System Information Discovery", "display_name": "T1082 - System Information Discovery" }, { "id": "T1112", "name": "Modify Registry", "display_name": "T1112 - Modify Registry" }, { "id": "T1119", "name": "Automated Collection", "display_name": "T1119 - Automated Collection" }, { "id": "T1129", "name": "Shared Modules", "display_name": "T1129 - Shared Modules" }, { "id": "T1143", "name": "Hidden Window", "display_name": "T1143 - Hidden Window" }, { "id": "T1063", "name": "Security Software Discovery", "display_name": "T1063 - Security Software Discovery" }, { "id": "T1027", "name": "Obfuscated Files or Information", "display_name": "T1027 - Obfuscated Files or Information" }, { "id": "T1071", "name": "Application Layer Protocol", "display_name": "T1071 - Application Layer Protocol" }, { "id": "T1518", "name": "Software Discovery", "display_name": "T1518 - Software Discovery" }, { "id": "T1553", "name": "Subvert Trust Controls", "display_name": "T1553 - Subvert Trust Controls" }, { "id": "T1568", "name": "Dynamic Resolution", "display_name": "T1568 - Dynamic Resolution" }, { "id": "T1583", "name": "Acquire Infrastructure", "display_name": "T1583 - Acquire Infrastructure" }, { "id": "T1069", "name": "Permission Groups Discovery", "display_name": "T1069 - Permission Groups Discovery" }, { "id": "T1105", "name": "Ingress Tool Transfer", "display_name": "T1105 - Ingress Tool Transfer" }, { "id": "T1113", "name": "Screen Capture", "display_name": "T1113 - Screen Capture" }, { "id": "T1140", "name": "Deobfuscate/Decode Files or Information", "display_name": "T1140 - Deobfuscate/Decode Files or Information" }, { "id": "T1197", "name": "BITS Jobs", "display_name": "T1197 - BITS Jobs" }, { "id": "T1210", "name": "Exploitation of Remote Services", "display_name": "T1210 - Exploitation of Remote Services" }, { "id": "T1457", "name": "Malicious Media Content", "display_name": "T1457 - Malicious Media Content" }, { "id": "T1480", "name": "Execution Guardrails", "display_name": "T1480 - Execution Guardrails" }, { "id": "T1562", "name": "Impair Defenses", "display_name": "T1562 - Impair Defenses" }, { "id": "T1574", "name": "Hijack Execution Flow", "display_name": "T1574 - Hijack Execution Flow" } ], "industries": [], "TLP": "green", "cloned_from": "69631fbd16e306ee2b76c4da", "export_count": 0, "upvotes_count": 0, "downvotes_count": 0, "votes_count": 0, "locked": false, "pulse_source": "web", "validator_count": 0, "comment_count": 1, "follower_count": 0, "vote": 0, "author": { "username": "Q.Vashti", "id": "337942", "avatar_url": "https://otx.alienvault.com/assets/images/default-avatar.png", "is_subscribed": false, "is_following": false }, "indicator_type_counts": { "URL": 8897, "domain": 2102, "hostname": 2867, "FileHash-SHA256": 3886, "FileHash-MD5": 619, "FileHash-SHA1": 555, "CVE": 3, "email": 5, "SSLCertFingerprint": 8 }, "indicator_count": 18942, "is_author": false, "is_subscribing": null, "subscriber_count": 137, "modified_text": "36 days ago ", "is_modified": false, "groups": [], "in_group": false, "threat_hunter_scannable": true, "threat_hunter_has_agents": 1, "related_indicator_type": "domain", "related_indicator_is_active": 1 }, { "id": "69b496396ca4987e95ad37d1", "name": "Chris Buzz by QVashni (wow)", "description": "", "modified": "2026-03-13T22:56:57.314000", "created": "2026-03-13T22:56:57.314000", "tags": [ "related pulses", "p1377925676", "gaz1", "sid1696503456", "sct1", "active", "dynamicloader", "medium", "write c", "search", "show", "high", "program gateway", "http traffic", "http", "write", "malware", "nivdort", "serving ip", "address", "status code", "kb body", "sha256", "gw5hjz7t975", "url https", "url http", "indicator role", "pulses url", "hostname", "poland unknown", "present sep", "present jul", "present may", "present apr", "present dec", "present jan", "moved", "passive dns", "ip address", "title", "location poland", "asn as29522", "gmt content", "accept encoding", "ipv4 add", "urls", "files", "reverse dns", "united", "record value", "aaaa", "mtb oct", "found", "error", "read c", "memcommit", "module load", "next", "showing", "trojan", "execution", "unknown", "entries", "ms windows", "intel", "as15169", "codeoverlap", "yara detections", "delphi", "worm", "win32", "win64", "learn", "ck id", "name tactics", "suspicious", "informative", "adversaries", "command", "spawns", "ssl certificate", "execution att", "script urls", "treece alfrey", "meta", "germany unknown", "for privacy", "title added", "active related", "pulses", "asnone", "named pipe", "type indicator", "role title", "added active", "filehashsha256", "ally", "melika", "information", "law christopher", "https", "fake pinterest", "tsara", "traceback man", "expiro", "capture", "domain", "types of", "germany", "poland", "netherlands", "cve cve20178977", "boobs130432 nov", "learn more", "filehashmd5", "utmsourceawin", "pe32", "head microsoft", "delete", "main", "backdoor", "next associated", "gmt connection", "control", "content type", "twitter", "certificate", "redirect date", "cache", "unknown ns", "hostname add", "ipv4", "pulse pulses", "location united", "america flag", "america asn", "windows", "total", "ids detections", "url add", "related nids", "files location", "flag united", "win32mydoom nov", "domain add", "yara rule", "ee fc", "ff d5", "f0 ff", "eb e1", "ff ff", "c1 e8", "c1 c0", "eb e8", "mpress", "cache control", "x cache", "date", "name servers", "arial", "present aug", "present jun", "may god", "hall render", "palantir doing", "jeffrey scott", "jeffrey reimer", "brian sabey", "butt pirates", "scott reimer", "colorado", "quasi government", "workers compensation", "eva lisa", "eva reimer", "sammie", "montano mark", "death threats", "tulach", "hired hit men", "gay man", "gay porn", "concentra", "corruption", "palantir", "foundry", "grifter", "warning", "illegal", "apple", "contacted", "ransom", "dead", "denver" ], "references": [ "https://tamlegal.com/attorneys/christopher-p-ahmann/#breadcrumb \u2022 https://www.milehighmedia.com/en/movies", "https://www.milehighmedia.com/legal/2257 \u2022 https://www.milehighmedia", "www.milehighmedia.com \u2022 https://www.milehighmedia.com/en/Charlie-Dean/pornstar/49512", "https://www.milehighmedia.com/en/login/index/aHR0cHMlM0ElMkYlMkZtZW1iZXJzLm1pbGVoaWdobWVkaWEuY29tJTJGZW4lMkZ2aWRlb3MlMkZzd2VldGhlYXJ0dmlkZW8lM0ZhbHVwJTNEQURqeF9ITjhfd1oweU96UnpsU3NNNUZLaVVxSzBXNEN0X3NmTFpKTGVJc3M2b0RVUzkwVmp6VllNVko5eFpmdENYcFNKd3IzOTNaMG1mOEpXeVhVeVZpLTJZYVRsaGd3M25DSDRpYnRwZ25BRC1zUFhDQVUycjZJOXo2WWtRMzNVWVFhMFZyWC1YckxvcnRkVjJZdEgxSDYxZ1lhMTFNS3RZSkEzY3FlSXhFQzhtSlAzSk1tbloySURMQXlMZndPcHozSFFiTzF4T0FseXJIQ0xYem1ldFElMkE=\t \thttp://www.milehighmedia.com/?ats=eyJhIjoyOTYzMTgsImMiOjU3OTYzNz", "http://www.milehighmedia.com/legal\t \u2022 https://www.milehighmedia.com/en/pornstar/milehighmedia/Justin-Hunt/51017", "https://www.milehighmedia.com/de/MileHighMedia/scene/129689?utm_source=271174&utm_medium=affiliate&utm_campaign=", "http://www.milehighmedia.com/?ats=eyJhIjoyOTYzMTgsImMiOjU3OTYzNzc1LCJuIjo3NiwicyI6NT...", "ttps://www.milehighmedia.com/scene/4404473/creampie-adventures-scene-2-sneaky-melanie", "https://www.milehighmedia.com/join \u2022 https://www.milehighmedia.com/models \u2022 https://www.milehighmedia.com/movies", "https://www.milehighmedia.com/model/59136/avi-love \u2022https://www.milehighmedia.com/model/60418/Justin-Hunt \u2022", "https://www.milehighmedia.com/en/photo/milehighmedia/The-Mother-I-Cant-Resist/52380", "https://www.milehighmedia.com/en/movies \u2022 https://www.milehighmedia.com/join", "https://www.pornhub.com/gifs/search?search=tsara+lynn+brashears+lesbian", "pornhub-e.com \u2022 www.pornhub.com \u2022", "https://www.sweetheartvideo.com/tsara-brashears/ \u2022 www.sweetheartvideo.com", "https://www.sweetheartvideo.com/en/?s=1?s=1&utm_source=272160&utm_medium=affiliate&utm_campaign=lovelezzies", "https://www.sweetheartvideo.com/en/dvd/Lesbian-Massage/49895", "https://www.sweetheartvideo.com/en/dvds \u2022 https://www.sweetheartvideo.com/en/login", "https://www.sweetheartvideo.com/en/model/Mona-Wales/49601 \u2022 https://www.sweetheartvideo.com/en/scene/Truth-Dare--Boobs/130432 No Expiration\t0\t URL https://www.sweetheartvideo.com/it/model/Kristen-Scott/50432 \u2022 https://www.sweetheartvideo.com/model/63710/brandi-love", "https://www.sweetheartvideo.com/scenes?models=63710", "https://www.sweetheartvideo.com/model/63710/brandi-love", "https://www.sweetheartvideo.com/scenes?models=63710", "https://www.sweetheartvideo.com/it/model/Kristen-Scott/50432", "https://www.sweetheartvideo.com/en/scene/Truth-Dare--Boobs/130432", "https://www.milehighmedia.com/en/photo/milehighmedia/The-Mother-I-Cant-Resist/52380", "https://www.vgt.pl/font/roboto/Roboto-Bold.eot \u2022", "https://www.vgt.pl/94.152.152.233/images/logo.png", "https://www.vgt.pl/94.152.156.22/logo.png \u2022 https://www.vgt.pl/css/", "https://www.vgt.pl/favicon.ico", "https://www.vgt.pl/font/fa/fontawesome-webfont.eot", "https://www.vgt.pl/font/roboto/Roboto-Bold.ttf \u2022 https://www.vgt.pl/font/roboto/Roboto-Light.eot", "https://www.vgt.pl/font/roboto/Roboto-Medium.ttf", "https://www.vgt.pl/font/roboto/Roboto-Light.ttf \u2022", "https://www.vgt.pl/static/js/bootstrap-typeahead.jstic/js/bootstrap-typeahead.js", "https://www.vgt.pl/style/style.css \u2022 https://www.vgt.pl/font/roboto/Roboto-Medium.eot", "https://www.vgt.pl/font/roboto/Roboto-Regular.ttf \u2022 https://www.vgt.pl/font/roboto/Roboto-Thin.eot", "https://www.vgt.pl/static/js/bootstrap-typeahead.js.179.252.2", "https://www.vgt.pl/font/roboto/Roboto-Thin.ttf \u2022 https://www.vgt.pl/static/js/bootstrap-typeahead.js", "https://www.vgt.pl/font/roboto/Roboto-Regular.eot \u2022 https://www.vgt.pl/94.152.156.22/logo.png \u2022 https://www.vgt.pl/css/", "vgt.pl \u2022 www.hak.vgt.pl \u2022 www.localhost.vgt.pl \u2022 www.certyfikat.vgt.pl \u2022 aristocrat.vgt.pl", "https://www.vgt.pl/ phishing \u2022 https://vgt.pl/ \u2022www.vgt.pl \u2022 https://www.vgt.pl/94.152.152.233/images/logo.png", "http://www.pornokind.vgt.pl \u2022 https://dbkuewww.m.vgt.pl \u2022 https://lokalnyhost.vgt.pl \u2022 www.xn--twj-hna.pedofil.vgt.pl", "http://www.hak.vgt.pl \u2022 http://pornokind.vgt.pl \u2022 http://sip.vgt.pl \u2022 http://smtp-qa.vgt.pl \u2022 http://vgt.pl/*.", "https://pornokind.vgt.pl \u2022 https://sip.vgt.pl \u2022 https://smtp-qa.vgt.pl \u2022 https://www.vgt.pl/94.152.156.22/logo.png", "www.localhost.vgt.pl \u2022 www.certyfikat.vgt.pl \u2022 https://www.vgt.pl/94.152.152.233/images/logo.png", "https://www.vgt.pl/css/ \u2022 https://www.vgt.pl/favicon.ico \u2022 https://www.vgt.pl/font/fa/fontawesome-webfont.eot", "https://www.vgt.pl/font/roboto/Roboto-Bold.eot \u2022 https://www.vgt.pl/font/roboto/Roboto-Bold.ttf \u2022 https://www.vgt.pl/font/roboto/Roboto-Light.eot", "https://www.vgt.pl/static/js/bootstrap-typeahead.jstic/js/bootstrap-typeahead.js", "https://www.vgt.pl/style/style.css \u2022 https://www.vgt.pl/static/js/bootstrap-typeahead.js", "IP Address 94.152.58.192 Location Poland ASN AS29522 h88 s.a. Nameservers ns1.kei.pl. , ns2.kei.pl.", "www.happylifehappywife.com \u2022 http://www.happylifehappywife.com/2010/02/'>", "http://www.happylifehappywife.com/2010/04/'> \u2022 http://www.happylifehappywife.com/2010/05/'>", "http://www.happylifehappywife.com/2010/07/'> \u2022 http://www.happylifehappywife.com/2010/09/'>", "http://www.happylifehappywife.com/2011/06/'> \u2022 http://www.happylifehappywife.com/2011/08/'", "http://www.happylifehappywife.com/2011/08/'> \u2022 http://www.happylifehappywife.com/2012/07/'>", "http://www.happylifehappywife.com/2013/03/'> \u2022 http://www.happylifehappywife.com/index.php", "http://www.happylifehappywife.com/wp-content/themes/theme78222/images/top-right.jpg", "https://amp.mypornvid.fun/videos/8/AhxS-ej1myg/gf-18-com/\ud83c\udf81-i39m-your-present-\ud83c\udf81-girlfriend-surprises-you-for-christmas-reunion-soft-kisses-amp-cuddles", "8-25-220-162-static.reverse.queryfoundry.net\t\t\tNov 1, 2025, 9:34:14 AM\t\t5\t domain\tqueryfoundry.net\t\t\tNov 1, 2025, 9:34:14 AM\t\t8\t URL\thttp://117-114-251-162-static.reverse.queryfoundry.net/", "http://watchhers.net/index.php", "remotewd.com device local", "nr-data.net \u2022 applemusic-spotlight.myunidays.com \u2022 init.ess.apple.com \u2022 tv.apple.com", "https://browntubeporn.com/tsara-brashearsAccept-Language", "https://cg864.myhotzpic.com phishing \u2022 http://dashboard.myhotzpic.com/", "https://myhotzpic.com/tsara-brashears-hardcore-lesbian-sex/anime-studio.org*thumbs-fa...", "https://mypornvid.com/videos/27/x510fb2/white-dpt-jeffrey-reimer-loves-pretty-indian-patient-forces-sex-3gp-video-tsara-brashears/caillou-finger", "http://siteinlink.d1.cnbd.net/search/tsara-brashears-dead \u2022 http://siteinlink.d1.cnbd.net/site/maps.google.com.lb/", "http://siteinlink.d1.cnbd.net/search/tsara-brashears-assaulted-by-jeffrey-reimer", "http://siteinlink.d1.cnbd.net/search/tsara-brashears-dead \u2022 https://videolal.com/videos/tsara-brashears-dead-by-daylight.html", "http://pixelrz.com/lists/keywords/tsara-brashears-dead/360 \u2022 http://pixelrz.com/lists/keywords/tsara-brashears-dead/360] No Expiration\t4\t Domain tsara-brashears-deadspin-twitter-suspended-account-help.ht", "https://www.anyxxxtube.net/search-porn/tsara-brashears/", "https://www.pornhub.com/gifs/search?search=tsara+lynn+brashears+lesbian", "https://www.anyxxxtube.net/search-porn/tsara-brashears/", "https://twitter.com/PORNO_SEXYBABES \u2022 girlsdoporn.com", "Treece Alfrey Musat P.C. Attorneys at Law Christopher P. Ahmann | https://TamLegal.com", "https://urlscan.io/screenshots/e931bb02-80dc-46db-92f0-43d5afa258be.png" ], "public": 1, "adversary": "", "targeted_countries": [], "malware_families": [ { "id": "TrojanSpy:Win32/Nivdort", "display_name": "TrojanSpy:Win32/Nivdort", "target": "/malware/TrojanSpy:Win32/Nivdort" }, { "id": "Worm:Win32/Autorun", "display_name": "Worm:Win32/Autorun", "target": "/malware/Worm:Win32/Autorun" }, { "id": "Tofsee", "display_name": "Tofsee", "target": null }, { "id": "Jaik", "display_name": "Jaik", "target": null }, { "id": "Trojan:Win32/Qshell", "display_name": "Trojan:Win32/Qshell", "target": "/malware/Trojan:Win32/Qshell" }, { "id": "Trojan:Win32/Mydoom", "display_name": "Trojan:Win32/Mydoom", "target": "/malware/Trojan:Win32/Mydoom" } ], "attack_ids": [ { "id": "T1045", "name": "Software Packing", "display_name": "T1045 - Software Packing" }, { "id": "T1057", "name": "Process Discovery", "display_name": "T1057 - Process Discovery" }, { "id": "T1060", "name": "Registry Run Keys / Startup Folder", "display_name": "T1060 - Registry Run Keys / Startup Folder" }, { "id": "T1053", "name": "Scheduled Task/Job", "display_name": "T1053 - Scheduled Task/Job" }, { "id": "T1055", "name": "Process Injection", "display_name": "T1055 - Process Injection" }, { "id": "T1082", "name": "System Information Discovery", "display_name": "T1082 - System Information Discovery" }, { "id": "T1112", "name": "Modify Registry", "display_name": "T1112 - Modify Registry" }, { "id": "T1119", "name": "Automated Collection", "display_name": "T1119 - Automated Collection" }, { "id": "T1129", "name": "Shared Modules", "display_name": "T1129 - Shared Modules" }, { "id": "T1143", "name": "Hidden Window", "display_name": "T1143 - Hidden Window" }, { "id": "T1063", "name": "Security Software Discovery", "display_name": "T1063 - Security Software Discovery" }, { "id": "T1027", "name": "Obfuscated Files or Information", "display_name": "T1027 - Obfuscated Files or Information" }, { "id": "T1071", "name": "Application Layer Protocol", "display_name": "T1071 - Application Layer Protocol" }, { "id": "T1518", "name": "Software Discovery", "display_name": "T1518 - Software Discovery" }, { "id": "T1553", "name": "Subvert Trust Controls", "display_name": "T1553 - Subvert Trust Controls" }, { "id": "T1568", "name": "Dynamic Resolution", "display_name": "T1568 - Dynamic Resolution" }, { "id": "T1583", "name": "Acquire Infrastructure", "display_name": "T1583 - Acquire Infrastructure" }, { "id": "T1069", "name": "Permission Groups Discovery", "display_name": "T1069 - Permission Groups Discovery" }, { "id": "T1105", "name": "Ingress Tool Transfer", "display_name": "T1105 - Ingress Tool Transfer" }, { "id": "T1113", "name": "Screen Capture", "display_name": "T1113 - Screen Capture" }, { "id": "T1140", "name": "Deobfuscate/Decode Files or Information", "display_name": "T1140 - Deobfuscate/Decode Files or Information" }, { "id": "T1197", "name": "BITS Jobs", "display_name": "T1197 - BITS Jobs" }, { "id": "T1210", "name": "Exploitation of Remote Services", "display_name": "T1210 - Exploitation of Remote Services" }, { "id": "T1457", "name": "Malicious Media Content", "display_name": "T1457 - Malicious Media Content" }, { "id": "T1480", "name": "Execution Guardrails", "display_name": "T1480 - Execution Guardrails" }, { "id": "T1562", "name": "Impair Defenses", "display_name": "T1562 - Impair Defenses" }, { "id": "T1574", "name": "Hijack Execution Flow", "display_name": "T1574 - Hijack Execution Flow" } ], "industries": [], "TLP": "green", "cloned_from": "69482caa00d327da8f0a87bc", "export_count": 0, "upvotes_count": 0, "downvotes_count": 0, "votes_count": 0, "locked": false, "pulse_source": "web", "validator_count": 0, "comment_count": 0, "follower_count": 0, "vote": 0, "author": { "username": "msudosos", "id": "381696", "avatar_url": "https://otx.alienvault.com/assets/images/default-avatar.png", "is_subscribed": false, "is_following": false }, "indicator_type_counts": { "URL": 8897, "domain": 2102, "hostname": 2867, "FileHash-SHA256": 3886, "FileHash-MD5": 619, "FileHash-SHA1": 555, "CVE": 3, "email": 5, "SSLCertFingerprint": 8 }, "indicator_count": 18942, "is_author": false, "is_subscribing": null, "subscriber_count": 47, "modified_text": "36 days ago ", "is_modified": false, "groups": [], "in_group": false, "threat_hunter_scannable": true, "threat_hunter_has_agents": 1, "related_indicator_type": "domain", "related_indicator_is_active": 1 }, { "id": "69b49587dd104e342dda1628", "name": "C Ahman Attorney Clone by Top Tier, Q.Vashti", "description": "", "modified": "2026-03-13T22:53:59.112000", "created": "2026-03-13T22:53:59.112000", "tags": [ "related pulses", "p1377925676", "gaz1", "sid1696503456", "sct1", "active", "dynamicloader", "medium", "write c", "search", "show", "high", "program gateway", "http traffic", "http", "write", "malware", "nivdort", "serving ip", "address", "status code", "kb body", "sha256", "gw5hjz7t975", "url https", "url http", "indicator role", "pulses url", "hostname", "poland unknown", "present sep", "present jul", "present may", "present apr", "present dec", "present jan", "moved", "passive dns", "ip address", "title", "location poland", "asn as29522", "gmt content", "accept encoding", "ipv4 add", "urls", "files", "reverse dns", "united", "record value", "aaaa", "mtb oct", "found", "error", "read c", "memcommit", "module load", "next", "showing", "trojan", "execution", "unknown", "entries", "ms windows", "intel", "as15169", "codeoverlap", "yara detections", "delphi", "worm", "win32", "win64", "learn", "ck id", "name tactics", "suspicious", "informative", "adversaries", "command", "spawns", "ssl certificate", "execution att", "script urls", "treece alfrey", "meta", "germany unknown", "for privacy", "title added", "active related", "pulses", "asnone", "named pipe", "type indicator", "role title", "added active", "filehashsha256", "ally", "melika", "information", "law christopher", "https", "fake pinterest", "tsara", "traceback man", "expiro", "capture", "domain", "types of", "germany", "poland", "netherlands", "cve cve20178977", "boobs130432 nov", "learn more", "filehashmd5", "utmsourceawin", "pe32", "head microsoft", "delete", "main", "backdoor", "next associated", "gmt connection", "control", "content type", "twitter", "certificate", "redirect date", "cache", "unknown ns", "hostname add", "ipv4", "pulse pulses", "location united", "america flag", "america asn", "windows", "total", "ids detections", "url add", "related nids", "files location", "flag united", "win32mydoom nov", "domain add", "yara rule", "ee fc", "ff d5", "f0 ff", "eb e1", "ff ff", "c1 e8", "c1 c0", "eb e8", "mpress", "cache control", "x cache", "date", "name servers", "arial", "present aug", "present jun", "may god", "hall render", "palantir doing", "jeffrey scott", "jeffrey reimer", "brian sabey", "butt pirates", "scott reimer", "colorado", "quasi government", "workers compensation", "eva lisa", "eva reimer", "sammie", "montano mark", "death threats", "tulach", "hired hit men", "gay man", "gay porn", "concentra", "corruption", "palantir", "foundry", "grifter", "warning", "illegal", "apple", "contacted", "ransom", "dead", "denver" ], "references": [ "https://tamlegal.com/attorneys/christopher-p-ahmann/#breadcrumb \u2022 https://www.milehighmedia.com/en/movies", "https://www.milehighmedia.com/legal/2257 \u2022 https://www.milehighmedia", "www.milehighmedia.com \u2022 https://www.milehighmedia.com/en/Charlie-Dean/pornstar/49512", "https://www.milehighmedia.com/en/login/index/aHR0cHMlM0ElMkYlMkZtZW1iZXJzLm1pbGVoaWdobWVkaWEuY29tJTJGZW4lMkZ2aWRlb3MlMkZzd2VldGhlYXJ0dmlkZW8lM0ZhbHVwJTNEQURqeF9ITjhfd1oweU96UnpsU3NNNUZLaVVxSzBXNEN0X3NmTFpKTGVJc3M2b0RVUzkwVmp6VllNVko5eFpmdENYcFNKd3IzOTNaMG1mOEpXeVhVeVZpLTJZYVRsaGd3M25DSDRpYnRwZ25BRC1zUFhDQVUycjZJOXo2WWtRMzNVWVFhMFZyWC1YckxvcnRkVjJZdEgxSDYxZ1lhMTFNS3RZSkEzY3FlSXhFQzhtSlAzSk1tbloySURMQXlMZndPcHozSFFiTzF4T0FseXJIQ0xYem1ldFElMkE=\t \thttp://www.milehighmedia.com/?ats=eyJhIjoyOTYzMTgsImMiOjU3OTYzNz", "http://www.milehighmedia.com/legal\t \u2022 https://www.milehighmedia.com/en/pornstar/milehighmedia/Justin-Hunt/51017", "https://www.milehighmedia.com/de/MileHighMedia/scene/129689?utm_source=271174&utm_medium=affiliate&utm_campaign=", "http://www.milehighmedia.com/?ats=eyJhIjoyOTYzMTgsImMiOjU3OTYzNzc1LCJuIjo3NiwicyI6NT...", "ttps://www.milehighmedia.com/scene/4404473/creampie-adventures-scene-2-sneaky-melanie", "https://www.milehighmedia.com/join \u2022 https://www.milehighmedia.com/models \u2022 https://www.milehighmedia.com/movies", "https://www.milehighmedia.com/model/59136/avi-love \u2022https://www.milehighmedia.com/model/60418/Justin-Hunt \u2022", "https://www.milehighmedia.com/en/photo/milehighmedia/The-Mother-I-Cant-Resist/52380", "https://www.milehighmedia.com/en/movies \u2022 https://www.milehighmedia.com/join", "https://www.pornhub.com/gifs/search?search=tsara+lynn+brashears+lesbian", "pornhub-e.com \u2022 www.pornhub.com \u2022", "https://www.sweetheartvideo.com/tsara-brashears/ \u2022 www.sweetheartvideo.com", "https://www.sweetheartvideo.com/en/?s=1?s=1&utm_source=272160&utm_medium=affiliate&utm_campaign=lovelezzies", "https://www.sweetheartvideo.com/en/dvd/Lesbian-Massage/49895", "https://www.sweetheartvideo.com/en/dvds \u2022 https://www.sweetheartvideo.com/en/login", "https://www.sweetheartvideo.com/en/model/Mona-Wales/49601 \u2022 https://www.sweetheartvideo.com/en/scene/Truth-Dare--Boobs/130432 No Expiration\t0\t URL https://www.sweetheartvideo.com/it/model/Kristen-Scott/50432 \u2022 https://www.sweetheartvideo.com/model/63710/brandi-love", "https://www.sweetheartvideo.com/scenes?models=63710", "https://www.sweetheartvideo.com/model/63710/brandi-love", "https://www.sweetheartvideo.com/scenes?models=63710", "https://www.sweetheartvideo.com/it/model/Kristen-Scott/50432", "https://www.sweetheartvideo.com/en/scene/Truth-Dare--Boobs/130432", "https://www.milehighmedia.com/en/photo/milehighmedia/The-Mother-I-Cant-Resist/52380", "https://www.vgt.pl/font/roboto/Roboto-Bold.eot \u2022", "https://www.vgt.pl/94.152.152.233/images/logo.png", "https://www.vgt.pl/94.152.156.22/logo.png \u2022 https://www.vgt.pl/css/", "https://www.vgt.pl/favicon.ico", "https://www.vgt.pl/font/fa/fontawesome-webfont.eot", "https://www.vgt.pl/font/roboto/Roboto-Bold.ttf \u2022 https://www.vgt.pl/font/roboto/Roboto-Light.eot", "https://www.vgt.pl/font/roboto/Roboto-Medium.ttf", "https://www.vgt.pl/font/roboto/Roboto-Light.ttf \u2022", "https://www.vgt.pl/static/js/bootstrap-typeahead.jstic/js/bootstrap-typeahead.js", "https://www.vgt.pl/style/style.css \u2022 https://www.vgt.pl/font/roboto/Roboto-Medium.eot", "https://www.vgt.pl/font/roboto/Roboto-Regular.ttf \u2022 https://www.vgt.pl/font/roboto/Roboto-Thin.eot", "https://www.vgt.pl/static/js/bootstrap-typeahead.js.179.252.2", "https://www.vgt.pl/font/roboto/Roboto-Thin.ttf \u2022 https://www.vgt.pl/static/js/bootstrap-typeahead.js", "https://www.vgt.pl/font/roboto/Roboto-Regular.eot \u2022 https://www.vgt.pl/94.152.156.22/logo.png \u2022 https://www.vgt.pl/css/", "vgt.pl \u2022 www.hak.vgt.pl \u2022 www.localhost.vgt.pl \u2022 www.certyfikat.vgt.pl \u2022 aristocrat.vgt.pl", "https://www.vgt.pl/ phishing \u2022 https://vgt.pl/ \u2022www.vgt.pl \u2022 https://www.vgt.pl/94.152.152.233/images/logo.png", "http://www.pornokind.vgt.pl \u2022 https://dbkuewww.m.vgt.pl \u2022 https://lokalnyhost.vgt.pl \u2022 www.xn--twj-hna.pedofil.vgt.pl", "http://www.hak.vgt.pl \u2022 http://pornokind.vgt.pl \u2022 http://sip.vgt.pl \u2022 http://smtp-qa.vgt.pl \u2022 http://vgt.pl/*.", "https://pornokind.vgt.pl \u2022 https://sip.vgt.pl \u2022 https://smtp-qa.vgt.pl \u2022 https://www.vgt.pl/94.152.156.22/logo.png", "www.localhost.vgt.pl \u2022 www.certyfikat.vgt.pl \u2022 https://www.vgt.pl/94.152.152.233/images/logo.png", "https://www.vgt.pl/css/ \u2022 https://www.vgt.pl/favicon.ico \u2022 https://www.vgt.pl/font/fa/fontawesome-webfont.eot", "https://www.vgt.pl/font/roboto/Roboto-Bold.eot \u2022 https://www.vgt.pl/font/roboto/Roboto-Bold.ttf \u2022 https://www.vgt.pl/font/roboto/Roboto-Light.eot", "https://www.vgt.pl/static/js/bootstrap-typeahead.jstic/js/bootstrap-typeahead.js", "https://www.vgt.pl/style/style.css \u2022 https://www.vgt.pl/static/js/bootstrap-typeahead.js", "IP Address 94.152.58.192 Location Poland ASN AS29522 h88 s.a. Nameservers ns1.kei.pl. , ns2.kei.pl.", "www.happylifehappywife.com \u2022 http://www.happylifehappywife.com/2010/02/'>", "http://www.happylifehappywife.com/2010/04/'> \u2022 http://www.happylifehappywife.com/2010/05/'>", "http://www.happylifehappywife.com/2010/07/'> \u2022 http://www.happylifehappywife.com/2010/09/'>", "http://www.happylifehappywife.com/2011/06/'> \u2022 http://www.happylifehappywife.com/2011/08/'", "http://www.happylifehappywife.com/2011/08/'> \u2022 http://www.happylifehappywife.com/2012/07/'>", "http://www.happylifehappywife.com/2013/03/'> \u2022 http://www.happylifehappywife.com/index.php", "http://www.happylifehappywife.com/wp-content/themes/theme78222/images/top-right.jpg", "https://amp.mypornvid.fun/videos/8/AhxS-ej1myg/gf-18-com/\ud83c\udf81-i39m-your-present-\ud83c\udf81-girlfriend-surprises-you-for-christmas-reunion-soft-kisses-amp-cuddles", "8-25-220-162-static.reverse.queryfoundry.net\t\t\tNov 1, 2025, 9:34:14 AM\t\t5\t domain\tqueryfoundry.net\t\t\tNov 1, 2025, 9:34:14 AM\t\t8\t URL\thttp://117-114-251-162-static.reverse.queryfoundry.net/", "http://watchhers.net/index.php", "remotewd.com device local", "nr-data.net \u2022 applemusic-spotlight.myunidays.com \u2022 init.ess.apple.com \u2022 tv.apple.com", "https://browntubeporn.com/tsara-brashearsAccept-Language", "https://cg864.myhotzpic.com phishing \u2022 http://dashboard.myhotzpic.com/", "https://myhotzpic.com/tsara-brashears-hardcore-lesbian-sex/anime-studio.org*thumbs-fa...", "https://mypornvid.com/videos/27/x510fb2/white-dpt-jeffrey-reimer-loves-pretty-indian-patient-forces-sex-3gp-video-tsara-brashears/caillou-finger", "http://siteinlink.d1.cnbd.net/search/tsara-brashears-dead \u2022 http://siteinlink.d1.cnbd.net/site/maps.google.com.lb/", "http://siteinlink.d1.cnbd.net/search/tsara-brashears-assaulted-by-jeffrey-reimer", "http://siteinlink.d1.cnbd.net/search/tsara-brashears-dead \u2022 https://videolal.com/videos/tsara-brashears-dead-by-daylight.html", "http://pixelrz.com/lists/keywords/tsara-brashears-dead/360 \u2022 http://pixelrz.com/lists/keywords/tsara-brashears-dead/360] No Expiration\t4\t Domain tsara-brashears-deadspin-twitter-suspended-account-help.ht", "https://www.anyxxxtube.net/search-porn/tsara-brashears/", "https://www.pornhub.com/gifs/search?search=tsara+lynn+brashears+lesbian", "https://www.anyxxxtube.net/search-porn/tsara-brashears/", "https://twitter.com/PORNO_SEXYBABES \u2022 girlsdoporn.com", "Treece Alfrey Musat P.C. Attorneys at Law Christopher P. Ahmann | https://TamLegal.com", "https://urlscan.io/screenshots/e931bb02-80dc-46db-92f0-43d5afa258be.png" ], "public": 1, "adversary": "", "targeted_countries": [], "malware_families": [ { "id": "TrojanSpy:Win32/Nivdort", "display_name": "TrojanSpy:Win32/Nivdort", "target": "/malware/TrojanSpy:Win32/Nivdort" }, { "id": "Worm:Win32/Autorun", "display_name": "Worm:Win32/Autorun", "target": "/malware/Worm:Win32/Autorun" }, { "id": "Tofsee", "display_name": "Tofsee", "target": null }, { "id": "Jaik", "display_name": "Jaik", "target": null }, { "id": "Trojan:Win32/Qshell", "display_name": "Trojan:Win32/Qshell", "target": "/malware/Trojan:Win32/Qshell" }, { "id": "Trojan:Win32/Mydoom", "display_name": "Trojan:Win32/Mydoom", "target": "/malware/Trojan:Win32/Mydoom" } ], "attack_ids": [ { "id": "T1045", "name": "Software Packing", "display_name": "T1045 - Software Packing" }, { "id": "T1057", "name": "Process Discovery", "display_name": "T1057 - Process Discovery" }, { "id": "T1060", "name": "Registry Run Keys / Startup Folder", "display_name": "T1060 - Registry Run Keys / Startup Folder" }, { "id": "T1053", "name": "Scheduled Task/Job", "display_name": "T1053 - Scheduled Task/Job" }, { "id": "T1055", "name": "Process Injection", "display_name": "T1055 - Process Injection" }, { "id": "T1082", "name": "System Information Discovery", "display_name": "T1082 - System Information Discovery" }, { "id": "T1112", "name": "Modify Registry", "display_name": "T1112 - Modify Registry" }, { "id": "T1119", "name": "Automated Collection", "display_name": "T1119 - Automated Collection" }, { "id": "T1129", "name": "Shared Modules", "display_name": "T1129 - Shared Modules" }, { "id": "T1143", "name": "Hidden Window", "display_name": "T1143 - Hidden Window" }, { "id": "T1063", "name": "Security Software Discovery", "display_name": "T1063 - Security Software Discovery" }, { "id": "T1027", "name": "Obfuscated Files or Information", "display_name": "T1027 - Obfuscated Files or Information" }, { "id": "T1071", "name": "Application Layer Protocol", "display_name": "T1071 - Application Layer Protocol" }, { "id": "T1518", "name": "Software Discovery", "display_name": "T1518 - Software Discovery" }, { "id": "T1553", "name": "Subvert Trust Controls", "display_name": "T1553 - Subvert Trust Controls" }, { "id": "T1568", "name": "Dynamic Resolution", "display_name": "T1568 - Dynamic Resolution" }, { "id": "T1583", "name": "Acquire Infrastructure", "display_name": "T1583 - Acquire Infrastructure" }, { "id": "T1069", "name": "Permission Groups Discovery", "display_name": "T1069 - Permission Groups Discovery" }, { "id": "T1105", "name": "Ingress Tool Transfer", "display_name": "T1105 - Ingress Tool Transfer" }, { "id": "T1113", "name": "Screen Capture", "display_name": "T1113 - Screen Capture" }, { "id": "T1140", "name": "Deobfuscate/Decode Files or Information", "display_name": "T1140 - Deobfuscate/Decode Files or Information" }, { "id": "T1197", "name": "BITS Jobs", "display_name": "T1197 - BITS Jobs" }, { "id": "T1210", "name": "Exploitation of Remote Services", "display_name": "T1210 - Exploitation of Remote Services" }, { "id": "T1457", "name": "Malicious Media Content", "display_name": "T1457 - Malicious Media Content" }, { "id": "T1480", "name": "Execution Guardrails", "display_name": "T1480 - Execution Guardrails" }, { "id": "T1562", "name": "Impair Defenses", "display_name": "T1562 - Impair Defenses" }, { "id": "T1574", "name": "Hijack Execution Flow", "display_name": "T1574 - Hijack Execution Flow" } ], "industries": [], "TLP": "green", "cloned_from": "691f4d4ef0a2a570b8b21cd2", "export_count": 0, "upvotes_count": 0, "downvotes_count": 0, "votes_count": 0, "locked": false, "pulse_source": "web", "validator_count": 0, "comment_count": 0, "follower_count": 0, "vote": 0, "author": { "username": "msudosos", "id": "381696", "avatar_url": "https://otx.alienvault.com/assets/images/default-avatar.png", "is_subscribed": false, "is_following": false }, "indicator_type_counts": { "URL": 8897, "domain": 2102, "hostname": 2867, "FileHash-SHA256": 3886, "FileHash-MD5": 619, "FileHash-SHA1": 555, "CVE": 3, "email": 5, "SSLCertFingerprint": 8 }, "indicator_count": 18942, "is_author": false, "is_subscribing": null, "subscriber_count": 47, "modified_text": "36 days ago ", "is_modified": false, "groups": [], "in_group": false, "threat_hunter_scannable": true, "threat_hunter_has_agents": 1, "related_indicator_type": "domain", "related_indicator_is_active": 1 }, { "id": "69631fbd16e306ee2b76c4da", "name": "Chris P. Ahmann \u2022 STAY Away!f PRIVATE PROPERTY Colorado State Fixer!", "description": "", "modified": "2026-01-20T17:02:02.650000", "created": "2026-01-11T03:57:49.242000", "tags": [ "related pulses", "p1377925676", "gaz1", "sid1696503456", "sct1", "active", "dynamicloader", "medium", "write c", "search", "show", "high", "program gateway", "http traffic", "http", "write", "malware", "nivdort", "serving ip", "address", "status code", "kb body", "sha256", "gw5hjz7t975", "url https", "url http", "indicator role", "pulses url", "hostname", "poland unknown", "present sep", "present jul", "present may", "present apr", "present dec", "present jan", "moved", "passive dns", "ip address", "title", "location poland", "asn as29522", "gmt content", "accept encoding", "ipv4 add", "urls", "files", "reverse dns", "united", "record value", "aaaa", "mtb oct", "found", "error", "read c", "memcommit", "module load", "next", "showing", "trojan", "execution", "unknown", "entries", "ms windows", "intel", "as15169", "codeoverlap", "yara detections", "delphi", "worm", "win32", "win64", "learn", "ck id", "name tactics", "suspicious", "informative", "adversaries", "command", "spawns", "ssl certificate", "execution att", "script urls", "treece alfrey", "meta", "germany unknown", "for privacy", "title added", "active related", "pulses", "asnone", "named pipe", "type indicator", "role title", "added active", "filehashsha256", "ally", "melika", "information", "law christopher", "https", "fake pinterest", "tsara", "traceback man", "expiro", "capture", "domain", "types of", "germany", "poland", "netherlands", "cve cve20178977", "boobs130432 nov", "learn more", "filehashmd5", "utmsourceawin", "pe32", "head microsoft", "delete", "main", "backdoor", "next associated", "gmt connection", "control", "content type", "twitter", "certificate", "redirect date", "cache", "unknown ns", "hostname add", "ipv4", "pulse pulses", "location united", "america flag", "america asn", "windows", "total", "ids detections", "url add", "related nids", "files location", "flag united", "win32mydoom nov", "domain add", "yara rule", "ee fc", "ff d5", "f0 ff", "eb e1", "ff ff", "c1 e8", "c1 c0", "eb e8", "mpress", "cache control", "x cache", "date", "name servers", "arial", "present aug", "present jun", "may god", "hall render", "palantir doing", "jeffrey scott", "jeffrey reimer", "brian sabey", "butt pirates", "scott reimer", "colorado", "quasi government", "workers compensation", "eva lisa", "eva reimer", "sammie", "montano mark", "death threats", "tulach", "hired hit men", "gay man", "gay porn", "concentra", "corruption", "palantir", "foundry", "grifter", "warning", "illegal", "apple", "contacted", "ransom", "dead", "denver" ], "references": [ "https://tamlegal.com/attorneys/christopher-p-ahmann/#breadcrumb \u2022 https://www.milehighmedia.com/en/movies", "https://www.milehighmedia.com/legal/2257 \u2022 https://www.milehighmedia", "www.milehighmedia.com \u2022 https://www.milehighmedia.com/en/Charlie-Dean/pornstar/49512", "https://www.milehighmedia.com/en/login/index/aHR0cHMlM0ElMkYlMkZtZW1iZXJzLm1pbGVoaWdobWVkaWEuY29tJTJGZW4lMkZ2aWRlb3MlMkZzd2VldGhlYXJ0dmlkZW8lM0ZhbHVwJTNEQURqeF9ITjhfd1oweU96UnpsU3NNNUZLaVVxSzBXNEN0X3NmTFpKTGVJc3M2b0RVUzkwVmp6VllNVko5eFpmdENYcFNKd3IzOTNaMG1mOEpXeVhVeVZpLTJZYVRsaGd3M25DSDRpYnRwZ25BRC1zUFhDQVUycjZJOXo2WWtRMzNVWVFhMFZyWC1YckxvcnRkVjJZdEgxSDYxZ1lhMTFNS3RZSkEzY3FlSXhFQzhtSlAzSk1tbloySURMQXlMZndPcHozSFFiTzF4T0FseXJIQ0xYem1ldFElMkE=\t \thttp://www.milehighmedia.com/?ats=eyJhIjoyOTYzMTgsImMiOjU3OTYzNz", "http://www.milehighmedia.com/legal\t \u2022 https://www.milehighmedia.com/en/pornstar/milehighmedia/Justin-Hunt/51017", "https://www.milehighmedia.com/de/MileHighMedia/scene/129689?utm_source=271174&utm_medium=affiliate&utm_campaign=", "http://www.milehighmedia.com/?ats=eyJhIjoyOTYzMTgsImMiOjU3OTYzNzc1LCJuIjo3NiwicyI6NT...", "ttps://www.milehighmedia.com/scene/4404473/creampie-adventures-scene-2-sneaky-melanie", "https://www.milehighmedia.com/join \u2022 https://www.milehighmedia.com/models \u2022 https://www.milehighmedia.com/movies", "https://www.milehighmedia.com/model/59136/avi-love \u2022https://www.milehighmedia.com/model/60418/Justin-Hunt \u2022", "https://www.milehighmedia.com/en/photo/milehighmedia/The-Mother-I-Cant-Resist/52380", "https://www.milehighmedia.com/en/movies \u2022 https://www.milehighmedia.com/join", "https://www.pornhub.com/gifs/search?search=tsara+lynn+brashears+lesbian", "pornhub-e.com \u2022 www.pornhub.com \u2022", "https://www.sweetheartvideo.com/tsara-brashears/ \u2022 www.sweetheartvideo.com", "https://www.sweetheartvideo.com/en/?s=1?s=1&utm_source=272160&utm_medium=affiliate&utm_campaign=lovelezzies", "https://www.sweetheartvideo.com/en/dvd/Lesbian-Massage/49895", "https://www.sweetheartvideo.com/en/dvds \u2022 https://www.sweetheartvideo.com/en/login", "https://www.sweetheartvideo.com/en/model/Mona-Wales/49601 \u2022 https://www.sweetheartvideo.com/en/scene/Truth-Dare--Boobs/130432 No Expiration\t0\t URL https://www.sweetheartvideo.com/it/model/Kristen-Scott/50432 \u2022 https://www.sweetheartvideo.com/model/63710/brandi-love", "https://www.sweetheartvideo.com/scenes?models=63710", "https://www.sweetheartvideo.com/model/63710/brandi-love", "https://www.sweetheartvideo.com/scenes?models=63710", "https://www.sweetheartvideo.com/it/model/Kristen-Scott/50432", "https://www.sweetheartvideo.com/en/scene/Truth-Dare--Boobs/130432", "https://www.milehighmedia.com/en/photo/milehighmedia/The-Mother-I-Cant-Resist/52380", "https://www.vgt.pl/font/roboto/Roboto-Bold.eot \u2022", "https://www.vgt.pl/94.152.152.233/images/logo.png", "https://www.vgt.pl/94.152.156.22/logo.png \u2022 https://www.vgt.pl/css/", "https://www.vgt.pl/favicon.ico", "https://www.vgt.pl/font/fa/fontawesome-webfont.eot", "https://www.vgt.pl/font/roboto/Roboto-Bold.ttf \u2022 https://www.vgt.pl/font/roboto/Roboto-Light.eot", "https://www.vgt.pl/font/roboto/Roboto-Medium.ttf", "https://www.vgt.pl/font/roboto/Roboto-Light.ttf \u2022", "https://www.vgt.pl/static/js/bootstrap-typeahead.jstic/js/bootstrap-typeahead.js", "https://www.vgt.pl/style/style.css \u2022 https://www.vgt.pl/font/roboto/Roboto-Medium.eot", "https://www.vgt.pl/font/roboto/Roboto-Regular.ttf \u2022 https://www.vgt.pl/font/roboto/Roboto-Thin.eot", "https://www.vgt.pl/static/js/bootstrap-typeahead.js.179.252.2", "https://www.vgt.pl/font/roboto/Roboto-Thin.ttf \u2022 https://www.vgt.pl/static/js/bootstrap-typeahead.js", "https://www.vgt.pl/font/roboto/Roboto-Regular.eot \u2022 https://www.vgt.pl/94.152.156.22/logo.png \u2022 https://www.vgt.pl/css/", "vgt.pl \u2022 www.hak.vgt.pl \u2022 www.localhost.vgt.pl \u2022 www.certyfikat.vgt.pl \u2022 aristocrat.vgt.pl", "https://www.vgt.pl/ phishing \u2022 https://vgt.pl/ \u2022www.vgt.pl \u2022 https://www.vgt.pl/94.152.152.233/images/logo.png", "http://www.pornokind.vgt.pl \u2022 https://dbkuewww.m.vgt.pl \u2022 https://lokalnyhost.vgt.pl \u2022 www.xn--twj-hna.pedofil.vgt.pl", "http://www.hak.vgt.pl \u2022 http://pornokind.vgt.pl \u2022 http://sip.vgt.pl \u2022 http://smtp-qa.vgt.pl \u2022 http://vgt.pl/*.", "https://pornokind.vgt.pl \u2022 https://sip.vgt.pl \u2022 https://smtp-qa.vgt.pl \u2022 https://www.vgt.pl/94.152.156.22/logo.png", "www.localhost.vgt.pl \u2022 www.certyfikat.vgt.pl \u2022 https://www.vgt.pl/94.152.152.233/images/logo.png", "https://www.vgt.pl/css/ \u2022 https://www.vgt.pl/favicon.ico \u2022 https://www.vgt.pl/font/fa/fontawesome-webfont.eot", "https://www.vgt.pl/font/roboto/Roboto-Bold.eot \u2022 https://www.vgt.pl/font/roboto/Roboto-Bold.ttf \u2022 https://www.vgt.pl/font/roboto/Roboto-Light.eot", "https://www.vgt.pl/static/js/bootstrap-typeahead.jstic/js/bootstrap-typeahead.js", "https://www.vgt.pl/style/style.css \u2022 https://www.vgt.pl/static/js/bootstrap-typeahead.js", "IP Address 94.152.58.192 Location Poland ASN AS29522 h88 s.a. Nameservers ns1.kei.pl. , ns2.kei.pl.", "www.happylifehappywife.com \u2022 http://www.happylifehappywife.com/2010/02/'>", "http://www.happylifehappywife.com/2010/04/'> \u2022 http://www.happylifehappywife.com/2010/05/'>", "http://www.happylifehappywife.com/2010/07/'> \u2022 http://www.happylifehappywife.com/2010/09/'>", "http://www.happylifehappywife.com/2011/06/'> \u2022 http://www.happylifehappywife.com/2011/08/'", "http://www.happylifehappywife.com/2011/08/'> \u2022 http://www.happylifehappywife.com/2012/07/'>", "http://www.happylifehappywife.com/2013/03/'> \u2022 http://www.happylifehappywife.com/index.php", "http://www.happylifehappywife.com/wp-content/themes/theme78222/images/top-right.jpg", "https://amp.mypornvid.fun/videos/8/AhxS-ej1myg/gf-18-com/\ud83c\udf81-i39m-your-present-\ud83c\udf81-girlfriend-surprises-you-for-christmas-reunion-soft-kisses-amp-cuddles", "8-25-220-162-static.reverse.queryfoundry.net\t\t\tNov 1, 2025, 9:34:14 AM\t\t5\t domain\tqueryfoundry.net\t\t\tNov 1, 2025, 9:34:14 AM\t\t8\t URL\thttp://117-114-251-162-static.reverse.queryfoundry.net/", "http://watchhers.net/index.php", "remotewd.com device local", "nr-data.net \u2022 applemusic-spotlight.myunidays.com \u2022 init.ess.apple.com \u2022 tv.apple.com", "https://browntubeporn.com/tsara-brashearsAccept-Language", "https://cg864.myhotzpic.com phishing \u2022 http://dashboard.myhotzpic.com/", "https://myhotzpic.com/tsara-brashears-hardcore-lesbian-sex/anime-studio.org*thumbs-fa...", "https://mypornvid.com/videos/27/x510fb2/white-dpt-jeffrey-reimer-loves-pretty-indian-patient-forces-sex-3gp-video-tsara-brashears/caillou-finger", "http://siteinlink.d1.cnbd.net/search/tsara-brashears-dead \u2022 http://siteinlink.d1.cnbd.net/site/maps.google.com.lb/", "http://siteinlink.d1.cnbd.net/search/tsara-brashears-assaulted-by-jeffrey-reimer", "http://siteinlink.d1.cnbd.net/search/tsara-brashears-dead \u2022 https://videolal.com/videos/tsara-brashears-dead-by-daylight.html", "http://pixelrz.com/lists/keywords/tsara-brashears-dead/360 \u2022 http://pixelrz.com/lists/keywords/tsara-brashears-dead/360] No Expiration\t4\t Domain tsara-brashears-deadspin-twitter-suspended-account-help.ht", "https://www.anyxxxtube.net/search-porn/tsara-brashears/", "https://www.pornhub.com/gifs/search?search=tsara+lynn+brashears+lesbian", "https://www.anyxxxtube.net/search-porn/tsara-brashears/", "https://twitter.com/PORNO_SEXYBABES \u2022 girlsdoporn.com", "Treece Alfrey Musat P.C. Attorneys at Law Christopher P. Ahmann | https://TamLegal.com", "https://urlscan.io/screenshots/e931bb02-80dc-46db-92f0-43d5afa258be.png" ], "public": 1, "adversary": "", "targeted_countries": [], "malware_families": [ { "id": "TrojanSpy:Win32/Nivdort", "display_name": "TrojanSpy:Win32/Nivdort", "target": "/malware/TrojanSpy:Win32/Nivdort" }, { "id": "Worm:Win32/Autorun", "display_name": "Worm:Win32/Autorun", "target": "/malware/Worm:Win32/Autorun" }, { "id": "Tofsee", "display_name": "Tofsee", "target": null }, { "id": "Jaik", "display_name": "Jaik", "target": null }, { "id": "Trojan:Win32/Qshell", "display_name": "Trojan:Win32/Qshell", "target": "/malware/Trojan:Win32/Qshell" }, { "id": "Trojan:Win32/Mydoom", "display_name": "Trojan:Win32/Mydoom", "target": "/malware/Trojan:Win32/Mydoom" } ], "attack_ids": [ { "id": "T1045", "name": "Software Packing", "display_name": "T1045 - Software Packing" }, { "id": "T1057", "name": "Process Discovery", "display_name": "T1057 - Process Discovery" }, { "id": "T1060", "name": "Registry Run Keys / Startup Folder", "display_name": "T1060 - Registry Run Keys / Startup Folder" }, { "id": "T1053", "name": "Scheduled Task/Job", "display_name": "T1053 - Scheduled Task/Job" }, { "id": "T1055", "name": "Process Injection", "display_name": "T1055 - Process Injection" }, { "id": "T1082", "name": "System Information Discovery", "display_name": "T1082 - System Information Discovery" }, { "id": "T1112", "name": "Modify Registry", "display_name": "T1112 - Modify Registry" }, { "id": "T1119", "name": "Automated Collection", "display_name": "T1119 - Automated Collection" }, { "id": "T1129", "name": "Shared Modules", "display_name": "T1129 - Shared Modules" }, { "id": "T1143", "name": "Hidden Window", "display_name": "T1143 - Hidden Window" }, { "id": "T1063", "name": "Security Software Discovery", "display_name": "T1063 - Security Software Discovery" }, { "id": "T1027", "name": "Obfuscated Files or Information", "display_name": "T1027 - Obfuscated Files or Information" }, { "id": "T1071", "name": "Application Layer Protocol", "display_name": "T1071 - Application Layer Protocol" }, { "id": "T1518", "name": "Software Discovery", "display_name": "T1518 - Software Discovery" }, { "id": "T1553", "name": "Subvert Trust Controls", "display_name": "T1553 - Subvert Trust Controls" }, { "id": "T1568", "name": "Dynamic Resolution", "display_name": "T1568 - Dynamic Resolution" }, { "id": "T1583", "name": "Acquire Infrastructure", "display_name": "T1583 - Acquire Infrastructure" }, { "id": "T1069", "name": "Permission Groups Discovery", "display_name": "T1069 - Permission Groups Discovery" }, { "id": "T1105", "name": "Ingress Tool Transfer", "display_name": "T1105 - Ingress Tool Transfer" }, { "id": "T1113", "name": "Screen Capture", "display_name": "T1113 - Screen Capture" }, { "id": "T1140", "name": "Deobfuscate/Decode Files or Information", "display_name": "T1140 - Deobfuscate/Decode Files or Information" }, { "id": "T1197", "name": "BITS Jobs", "display_name": "T1197 - BITS Jobs" }, { "id": "T1210", "name": "Exploitation of Remote Services", "display_name": "T1210 - Exploitation of Remote Services" }, { "id": "T1457", "name": "Malicious Media Content", "display_name": "T1457 - Malicious Media Content" }, { "id": "T1480", "name": "Execution Guardrails", "display_name": "T1480 - Execution Guardrails" }, { "id": "T1562", "name": "Impair Defenses", "display_name": "T1562 - Impair Defenses" }, { "id": "T1574", "name": "Hijack Execution Flow", "display_name": "T1574 - Hijack Execution Flow" } ], "industries": [], "TLP": "green", "cloned_from": "695557ee134b978b00883c29", "export_count": 1, "upvotes_count": 0, "downvotes_count": 0, "votes_count": 0, "locked": false, "pulse_source": "web", "validator_count": 0, "comment_count": 0, "follower_count": 0, "vote": 0, "author": { "username": "Q.Vashti", "id": "337942", "avatar_url": "https://otx.alienvault.com/assets/images/default-avatar.png", "is_subscribed": false, "is_following": false }, "indicator_type_counts": { "URL": 8897, "domain": 2102, "hostname": 2867, "FileHash-SHA256": 3886, "FileHash-MD5": 619, "FileHash-SHA1": 555, "CVE": 3, "email": 5, "SSLCertFingerprint": 8 }, "indicator_count": 18942, "is_author": false, "is_subscribing": null, "subscriber_count": 137, "modified_text": "88 days ago ", "is_modified": true, "groups": [], "in_group": false, "threat_hunter_scannable": true, "threat_hunter_has_agents": 1, "related_indicator_type": "domain", "related_indicator_is_active": 1 }, { "id": "695557ee134b978b00883c29", "name": "Chris P. Ahmann \u2022 Stay out of PRIVATE PROPERTY HITMAN! Colorado State", "description": "", "modified": "2026-01-20T17:02:02.650000", "created": "2025-12-31T17:05:50.134000", "tags": [ "related pulses", "p1377925676", "gaz1", "sid1696503456", "sct1", "active", "dynamicloader", "medium", "write c", "search", "show", "high", "program gateway", "http traffic", "http", "write", "malware", "nivdort", "serving ip", "address", "status code", "kb body", "sha256", "gw5hjz7t975", "url https", "url http", "indicator role", "pulses url", "hostname", "poland unknown", "present sep", "present jul", "present may", "present apr", "present dec", "present jan", "moved", "passive dns", "ip address", "title", "location poland", "asn as29522", "gmt content", "accept encoding", "ipv4 add", "urls", "files", "reverse dns", "united", "record value", "aaaa", "mtb oct", "found", "error", "read c", "memcommit", "module load", "next", "showing", "trojan", "execution", "unknown", "entries", "ms windows", "intel", "as15169", "codeoverlap", "yara detections", "delphi", "worm", "win32", "win64", "learn", "ck id", "name tactics", "suspicious", "informative", "adversaries", "command", "spawns", "ssl certificate", "execution att", "script urls", "treece alfrey", "meta", "germany unknown", "for privacy", "title added", "active related", "pulses", "asnone", "named pipe", "type indicator", "role title", "added active", "filehashsha256", "ally", "melika", "information", "law christopher", "https", "fake pinterest", "tsara", "traceback man", "expiro", "capture", "domain", "types of", "germany", "poland", "netherlands", "cve cve20178977", "boobs130432 nov", "learn more", "filehashmd5", "utmsourceawin", "pe32", "head microsoft", "delete", "main", "backdoor", "next associated", "gmt connection", "control", "content type", "twitter", "certificate", "redirect date", "cache", "unknown ns", "hostname add", "ipv4", "pulse pulses", "location united", "america flag", "america asn", "windows", "total", "ids detections", "url add", "related nids", "files location", "flag united", "win32mydoom nov", "domain add", "yara rule", "ee fc", "ff d5", "f0 ff", "eb e1", "ff ff", "c1 e8", "c1 c0", "eb e8", "mpress", "cache control", "x cache", "date", "name servers", "arial", "present aug", "present jun", "may god", "hall render", "palantir doing", "jeffrey scott", "jeffrey reimer", "brian sabey", "butt pirates", "scott reimer", "colorado", "quasi government", "workers compensation", "eva lisa", "eva reimer", "sammie", "montano mark", "death threats", "tulach", "hired hit men", "gay man", "gay porn", "concentra", "corruption", "palantir", "foundry", "grifter", "warning", "illegal", "apple", "contacted", "ransom", "dead", "denver" ], "references": [ "https://tamlegal.com/attorneys/christopher-p-ahmann/#breadcrumb \u2022 https://www.milehighmedia.com/en/movies", "https://www.milehighmedia.com/legal/2257 \u2022 https://www.milehighmedia", "www.milehighmedia.com \u2022 https://www.milehighmedia.com/en/Charlie-Dean/pornstar/49512", "https://www.milehighmedia.com/en/login/index/aHR0cHMlM0ElMkYlMkZtZW1iZXJzLm1pbGVoaWdobWVkaWEuY29tJTJGZW4lMkZ2aWRlb3MlMkZzd2VldGhlYXJ0dmlkZW8lM0ZhbHVwJTNEQURqeF9ITjhfd1oweU96UnpsU3NNNUZLaVVxSzBXNEN0X3NmTFpKTGVJc3M2b0RVUzkwVmp6VllNVko5eFpmdENYcFNKd3IzOTNaMG1mOEpXeVhVeVZpLTJZYVRsaGd3M25DSDRpYnRwZ25BRC1zUFhDQVUycjZJOXo2WWtRMzNVWVFhMFZyWC1YckxvcnRkVjJZdEgxSDYxZ1lhMTFNS3RZSkEzY3FlSXhFQzhtSlAzSk1tbloySURMQXlMZndPcHozSFFiTzF4T0FseXJIQ0xYem1ldFElMkE=\t \thttp://www.milehighmedia.com/?ats=eyJhIjoyOTYzMTgsImMiOjU3OTYzNz", "http://www.milehighmedia.com/legal\t \u2022 https://www.milehighmedia.com/en/pornstar/milehighmedia/Justin-Hunt/51017", "https://www.milehighmedia.com/de/MileHighMedia/scene/129689?utm_source=271174&utm_medium=affiliate&utm_campaign=", "http://www.milehighmedia.com/?ats=eyJhIjoyOTYzMTgsImMiOjU3OTYzNzc1LCJuIjo3NiwicyI6NT...", "ttps://www.milehighmedia.com/scene/4404473/creampie-adventures-scene-2-sneaky-melanie", "https://www.milehighmedia.com/join \u2022 https://www.milehighmedia.com/models \u2022 https://www.milehighmedia.com/movies", "https://www.milehighmedia.com/model/59136/avi-love \u2022https://www.milehighmedia.com/model/60418/Justin-Hunt \u2022", "https://www.milehighmedia.com/en/photo/milehighmedia/The-Mother-I-Cant-Resist/52380", "https://www.milehighmedia.com/en/movies \u2022 https://www.milehighmedia.com/join", "https://www.pornhub.com/gifs/search?search=tsara+lynn+brashears+lesbian", "pornhub-e.com \u2022 www.pornhub.com \u2022", "https://www.sweetheartvideo.com/tsara-brashears/ \u2022 www.sweetheartvideo.com", "https://www.sweetheartvideo.com/en/?s=1?s=1&utm_source=272160&utm_medium=affiliate&utm_campaign=lovelezzies", "https://www.sweetheartvideo.com/en/dvd/Lesbian-Massage/49895", "https://www.sweetheartvideo.com/en/dvds \u2022 https://www.sweetheartvideo.com/en/login", "https://www.sweetheartvideo.com/en/model/Mona-Wales/49601 \u2022 https://www.sweetheartvideo.com/en/scene/Truth-Dare--Boobs/130432 No Expiration\t0\t URL https://www.sweetheartvideo.com/it/model/Kristen-Scott/50432 \u2022 https://www.sweetheartvideo.com/model/63710/brandi-love", "https://www.sweetheartvideo.com/scenes?models=63710", "https://www.sweetheartvideo.com/model/63710/brandi-love", "https://www.sweetheartvideo.com/scenes?models=63710", "https://www.sweetheartvideo.com/it/model/Kristen-Scott/50432", "https://www.sweetheartvideo.com/en/scene/Truth-Dare--Boobs/130432", "https://www.milehighmedia.com/en/photo/milehighmedia/The-Mother-I-Cant-Resist/52380", "https://www.vgt.pl/font/roboto/Roboto-Bold.eot \u2022", "https://www.vgt.pl/94.152.152.233/images/logo.png", "https://www.vgt.pl/94.152.156.22/logo.png \u2022 https://www.vgt.pl/css/", "https://www.vgt.pl/favicon.ico", "https://www.vgt.pl/font/fa/fontawesome-webfont.eot", "https://www.vgt.pl/font/roboto/Roboto-Bold.ttf \u2022 https://www.vgt.pl/font/roboto/Roboto-Light.eot", "https://www.vgt.pl/font/roboto/Roboto-Medium.ttf", "https://www.vgt.pl/font/roboto/Roboto-Light.ttf \u2022", "https://www.vgt.pl/static/js/bootstrap-typeahead.jstic/js/bootstrap-typeahead.js", "https://www.vgt.pl/style/style.css \u2022 https://www.vgt.pl/font/roboto/Roboto-Medium.eot", "https://www.vgt.pl/font/roboto/Roboto-Regular.ttf \u2022 https://www.vgt.pl/font/roboto/Roboto-Thin.eot", "https://www.vgt.pl/static/js/bootstrap-typeahead.js.179.252.2", "https://www.vgt.pl/font/roboto/Roboto-Thin.ttf \u2022 https://www.vgt.pl/static/js/bootstrap-typeahead.js", "https://www.vgt.pl/font/roboto/Roboto-Regular.eot \u2022 https://www.vgt.pl/94.152.156.22/logo.png \u2022 https://www.vgt.pl/css/", "vgt.pl \u2022 www.hak.vgt.pl \u2022 www.localhost.vgt.pl \u2022 www.certyfikat.vgt.pl \u2022 aristocrat.vgt.pl", "https://www.vgt.pl/ phishing \u2022 https://vgt.pl/ \u2022www.vgt.pl \u2022 https://www.vgt.pl/94.152.152.233/images/logo.png", "http://www.pornokind.vgt.pl \u2022 https://dbkuewww.m.vgt.pl \u2022 https://lokalnyhost.vgt.pl \u2022 www.xn--twj-hna.pedofil.vgt.pl", "http://www.hak.vgt.pl \u2022 http://pornokind.vgt.pl \u2022 http://sip.vgt.pl \u2022 http://smtp-qa.vgt.pl \u2022 http://vgt.pl/*.", "https://pornokind.vgt.pl \u2022 https://sip.vgt.pl \u2022 https://smtp-qa.vgt.pl \u2022 https://www.vgt.pl/94.152.156.22/logo.png", "www.localhost.vgt.pl \u2022 www.certyfikat.vgt.pl \u2022 https://www.vgt.pl/94.152.152.233/images/logo.png", "https://www.vgt.pl/css/ \u2022 https://www.vgt.pl/favicon.ico \u2022 https://www.vgt.pl/font/fa/fontawesome-webfont.eot", "https://www.vgt.pl/font/roboto/Roboto-Bold.eot \u2022 https://www.vgt.pl/font/roboto/Roboto-Bold.ttf \u2022 https://www.vgt.pl/font/roboto/Roboto-Light.eot", "https://www.vgt.pl/static/js/bootstrap-typeahead.jstic/js/bootstrap-typeahead.js", "https://www.vgt.pl/style/style.css \u2022 https://www.vgt.pl/static/js/bootstrap-typeahead.js", "IP Address 94.152.58.192 Location Poland ASN AS29522 h88 s.a. Nameservers ns1.kei.pl. , ns2.kei.pl.", "www.happylifehappywife.com \u2022 http://www.happylifehappywife.com/2010/02/'>", "http://www.happylifehappywife.com/2010/04/'> \u2022 http://www.happylifehappywife.com/2010/05/'>", "http://www.happylifehappywife.com/2010/07/'> \u2022 http://www.happylifehappywife.com/2010/09/'>", "http://www.happylifehappywife.com/2011/06/'> \u2022 http://www.happylifehappywife.com/2011/08/'", "http://www.happylifehappywife.com/2011/08/'> \u2022 http://www.happylifehappywife.com/2012/07/'>", "http://www.happylifehappywife.com/2013/03/'> \u2022 http://www.happylifehappywife.com/index.php", "http://www.happylifehappywife.com/wp-content/themes/theme78222/images/top-right.jpg", "https://amp.mypornvid.fun/videos/8/AhxS-ej1myg/gf-18-com/\ud83c\udf81-i39m-your-present-\ud83c\udf81-girlfriend-surprises-you-for-christmas-reunion-soft-kisses-amp-cuddles", "8-25-220-162-static.reverse.queryfoundry.net\t\t\tNov 1, 2025, 9:34:14 AM\t\t5\t domain\tqueryfoundry.net\t\t\tNov 1, 2025, 9:34:14 AM\t\t8\t URL\thttp://117-114-251-162-static.reverse.queryfoundry.net/", "http://watchhers.net/index.php", "remotewd.com device local", "nr-data.net \u2022 applemusic-spotlight.myunidays.com \u2022 init.ess.apple.com \u2022 tv.apple.com", "https://browntubeporn.com/tsara-brashearsAccept-Language", "https://cg864.myhotzpic.com phishing \u2022 http://dashboard.myhotzpic.com/", "https://myhotzpic.com/tsara-brashears-hardcore-lesbian-sex/anime-studio.org*thumbs-fa...", "https://mypornvid.com/videos/27/x510fb2/white-dpt-jeffrey-reimer-loves-pretty-indian-patient-forces-sex-3gp-video-tsara-brashears/caillou-finger", "http://siteinlink.d1.cnbd.net/search/tsara-brashears-dead \u2022 http://siteinlink.d1.cnbd.net/site/maps.google.com.lb/", "http://siteinlink.d1.cnbd.net/search/tsara-brashears-assaulted-by-jeffrey-reimer", "http://siteinlink.d1.cnbd.net/search/tsara-brashears-dead \u2022 https://videolal.com/videos/tsara-brashears-dead-by-daylight.html", "http://pixelrz.com/lists/keywords/tsara-brashears-dead/360 \u2022 http://pixelrz.com/lists/keywords/tsara-brashears-dead/360] No Expiration\t4\t Domain tsara-brashears-deadspin-twitter-suspended-account-help.ht", "https://www.anyxxxtube.net/search-porn/tsara-brashears/", "https://www.pornhub.com/gifs/search?search=tsara+lynn+brashears+lesbian", "https://www.anyxxxtube.net/search-porn/tsara-brashears/", "https://twitter.com/PORNO_SEXYBABES \u2022 girlsdoporn.com", "Treece Alfrey Musat P.C. Attorneys at Law Christopher P. Ahmann | https://TamLegal.com", "https://urlscan.io/screenshots/e931bb02-80dc-46db-92f0-43d5afa258be.png" ], "public": 1, "adversary": "", "targeted_countries": [], "malware_families": [ { "id": "TrojanSpy:Win32/Nivdort", "display_name": "TrojanSpy:Win32/Nivdort", "target": "/malware/TrojanSpy:Win32/Nivdort" }, { "id": "Worm:Win32/Autorun", "display_name": "Worm:Win32/Autorun", "target": "/malware/Worm:Win32/Autorun" }, { "id": "Tofsee", "display_name": "Tofsee", "target": null }, { "id": "Jaik", "display_name": "Jaik", "target": null }, { "id": "Trojan:Win32/Qshell", "display_name": "Trojan:Win32/Qshell", "target": "/malware/Trojan:Win32/Qshell" }, { "id": "Trojan:Win32/Mydoom", "display_name": "Trojan:Win32/Mydoom", "target": "/malware/Trojan:Win32/Mydoom" } ], "attack_ids": [ { "id": "T1045", "name": "Software Packing", "display_name": "T1045 - Software Packing" }, { "id": "T1057", "name": "Process Discovery", "display_name": "T1057 - Process Discovery" }, { "id": "T1060", "name": "Registry Run Keys / Startup Folder", "display_name": "T1060 - Registry Run Keys / Startup Folder" }, { "id": "T1053", "name": "Scheduled Task/Job", "display_name": "T1053 - Scheduled Task/Job" }, { "id": "T1055", "name": "Process Injection", "display_name": "T1055 - Process Injection" }, { "id": "T1082", "name": "System Information Discovery", "display_name": "T1082 - System Information Discovery" }, { "id": "T1112", "name": "Modify Registry", "display_name": "T1112 - Modify Registry" }, { "id": "T1119", "name": "Automated Collection", "display_name": "T1119 - Automated Collection" }, { "id": "T1129", "name": "Shared Modules", "display_name": "T1129 - Shared Modules" }, { "id": "T1143", "name": "Hidden Window", "display_name": "T1143 - Hidden Window" }, { "id": "T1063", "name": "Security Software Discovery", "display_name": "T1063 - Security Software Discovery" }, { "id": "T1027", "name": "Obfuscated Files or Information", "display_name": "T1027 - Obfuscated Files or Information" }, { "id": "T1071", "name": "Application Layer Protocol", "display_name": "T1071 - Application Layer Protocol" }, { "id": "T1518", "name": "Software Discovery", "display_name": "T1518 - Software Discovery" }, { "id": "T1553", "name": "Subvert Trust Controls", "display_name": "T1553 - Subvert Trust Controls" }, { "id": "T1568", "name": "Dynamic Resolution", "display_name": "T1568 - Dynamic Resolution" }, { "id": "T1583", "name": "Acquire Infrastructure", "display_name": "T1583 - Acquire Infrastructure" }, { "id": "T1069", "name": "Permission Groups Discovery", "display_name": "T1069 - Permission Groups Discovery" }, { "id": "T1105", "name": "Ingress Tool Transfer", "display_name": "T1105 - Ingress Tool Transfer" }, { "id": "T1113", "name": "Screen Capture", "display_name": "T1113 - Screen Capture" }, { "id": "T1140", "name": "Deobfuscate/Decode Files or Information", "display_name": "T1140 - Deobfuscate/Decode Files or Information" }, { "id": "T1197", "name": "BITS Jobs", "display_name": "T1197 - BITS Jobs" }, { "id": "T1210", "name": "Exploitation of Remote Services", "display_name": "T1210 - Exploitation of Remote Services" }, { "id": "T1457", "name": "Malicious Media Content", "display_name": "T1457 - Malicious Media Content" }, { "id": "T1480", "name": "Execution Guardrails", "display_name": "T1480 - Execution Guardrails" }, { "id": "T1562", "name": "Impair Defenses", "display_name": "T1562 - Impair Defenses" }, { "id": "T1574", "name": "Hijack Execution Flow", "display_name": "T1574 - Hijack Execution Flow" } ], "industries": [], "TLP": "green", "cloned_from": "691f4d4ef0a2a570b8b21cd2", "export_count": 2, "upvotes_count": 0, "downvotes_count": 0, "votes_count": 0, "locked": false, "pulse_source": "web", "validator_count": 0, "comment_count": 0, "follower_count": 0, "vote": 0, "author": { "username": "Q.Vashti", "id": "337942", "avatar_url": "https://otx.alienvault.com/assets/images/default-avatar.png", "is_subscribed": false, "is_following": false }, "indicator_type_counts": { "URL": 8897, "domain": 2102, "hostname": 2867, "FileHash-SHA256": 3886, "FileHash-MD5": 619, "FileHash-SHA1": 555, "CVE": 3, "email": 5, "SSLCertFingerprint": 8 }, "indicator_count": 18942, "is_author": false, "is_subscribing": null, "subscriber_count": 137, "modified_text": "88 days ago ", "is_modified": true, "groups": [], "in_group": false, "threat_hunter_scannable": true, "threat_hunter_has_agents": 1, "related_indicator_type": "domain", "related_indicator_is_active": 1 }, { "id": "69482caa00d327da8f0a87bc", "name": "Chris P.\u2019 Buzz\u2019 Ahmann Colorado State Criminal Defense Attorney (22.20.2025)", "description": "", "modified": "2026-01-20T17:02:02.650000", "created": "2025-12-21T17:21:46.434000", "tags": [ "related pulses", "p1377925676", "gaz1", "sid1696503456", "sct1", "active", "dynamicloader", "medium", "write c", "search", "show", "high", "program gateway", "http traffic", "http", "write", "malware", "nivdort", "serving ip", "address", "status code", "kb body", "sha256", "gw5hjz7t975", "url https", "url http", "indicator role", "pulses url", "hostname", "poland unknown", "present sep", "present jul", "present may", "present apr", "present dec", "present jan", "moved", "passive dns", "ip address", "title", "location poland", "asn as29522", "gmt content", "accept encoding", "ipv4 add", "urls", "files", "reverse dns", "united", "record value", "aaaa", "mtb oct", "found", "error", "read c", "memcommit", "module load", "next", "showing", "trojan", "execution", "unknown", "entries", "ms windows", "intel", "as15169", "codeoverlap", "yara detections", "delphi", "worm", "win32", "win64", "learn", "ck id", "name tactics", "suspicious", "informative", "adversaries", "command", "spawns", "ssl certificate", "execution att", "script urls", "treece alfrey", "meta", "germany unknown", "for privacy", "title added", "active related", "pulses", "asnone", "named pipe", "type indicator", "role title", "added active", "filehashsha256", "ally", "melika", "information", "law christopher", "https", "fake pinterest", "tsara", "traceback man", "expiro", "capture", "domain", "types of", "germany", "poland", "netherlands", "cve cve20178977", "boobs130432 nov", "learn more", "filehashmd5", "utmsourceawin", "pe32", "head microsoft", "delete", "main", "backdoor", "next associated", "gmt connection", "control", "content type", "twitter", "certificate", "redirect date", "cache", "unknown ns", "hostname add", "ipv4", "pulse pulses", "location united", "america flag", "america asn", "windows", "total", "ids detections", "url add", "related nids", "files location", "flag united", "win32mydoom nov", "domain add", "yara rule", "ee fc", "ff d5", "f0 ff", "eb e1", "ff ff", "c1 e8", "c1 c0", "eb e8", "mpress", "cache control", "x cache", "date", "name servers", "arial", "present aug", "present jun", "may god", "hall render", "palantir doing", "jeffrey scott", "jeffrey reimer", "brian sabey", "butt pirates", "scott reimer", "colorado", "quasi government", "workers compensation", "eva lisa", "eva reimer", "sammie", "montano mark", "death threats", "tulach", "hired hit men", "gay man", "gay porn", "concentra", "corruption", "palantir", "foundry", "grifter", "warning", "illegal", "apple", "contacted", "ransom", "dead", "denver" ], "references": [ "https://tamlegal.com/attorneys/christopher-p-ahmann/#breadcrumb \u2022 https://www.milehighmedia.com/en/movies", "https://www.milehighmedia.com/legal/2257 \u2022 https://www.milehighmedia", "www.milehighmedia.com \u2022 https://www.milehighmedia.com/en/Charlie-Dean/pornstar/49512", "https://www.milehighmedia.com/en/login/index/aHR0cHMlM0ElMkYlMkZtZW1iZXJzLm1pbGVoaWdobWVkaWEuY29tJTJGZW4lMkZ2aWRlb3MlMkZzd2VldGhlYXJ0dmlkZW8lM0ZhbHVwJTNEQURqeF9ITjhfd1oweU96UnpsU3NNNUZLaVVxSzBXNEN0X3NmTFpKTGVJc3M2b0RVUzkwVmp6VllNVko5eFpmdENYcFNKd3IzOTNaMG1mOEpXeVhVeVZpLTJZYVRsaGd3M25DSDRpYnRwZ25BRC1zUFhDQVUycjZJOXo2WWtRMzNVWVFhMFZyWC1YckxvcnRkVjJZdEgxSDYxZ1lhMTFNS3RZSkEzY3FlSXhFQzhtSlAzSk1tbloySURMQXlMZndPcHozSFFiTzF4T0FseXJIQ0xYem1ldFElMkE=\t \thttp://www.milehighmedia.com/?ats=eyJhIjoyOTYzMTgsImMiOjU3OTYzNz", "http://www.milehighmedia.com/legal\t \u2022 https://www.milehighmedia.com/en/pornstar/milehighmedia/Justin-Hunt/51017", "https://www.milehighmedia.com/de/MileHighMedia/scene/129689?utm_source=271174&utm_medium=affiliate&utm_campaign=", "http://www.milehighmedia.com/?ats=eyJhIjoyOTYzMTgsImMiOjU3OTYzNzc1LCJuIjo3NiwicyI6NT...", "ttps://www.milehighmedia.com/scene/4404473/creampie-adventures-scene-2-sneaky-melanie", "https://www.milehighmedia.com/join \u2022 https://www.milehighmedia.com/models \u2022 https://www.milehighmedia.com/movies", "https://www.milehighmedia.com/model/59136/avi-love \u2022https://www.milehighmedia.com/model/60418/Justin-Hunt \u2022", "https://www.milehighmedia.com/en/photo/milehighmedia/The-Mother-I-Cant-Resist/52380", "https://www.milehighmedia.com/en/movies \u2022 https://www.milehighmedia.com/join", "https://www.pornhub.com/gifs/search?search=tsara+lynn+brashears+lesbian", "pornhub-e.com \u2022 www.pornhub.com \u2022", "https://www.sweetheartvideo.com/tsara-brashears/ \u2022 www.sweetheartvideo.com", "https://www.sweetheartvideo.com/en/?s=1?s=1&utm_source=272160&utm_medium=affiliate&utm_campaign=lovelezzies", "https://www.sweetheartvideo.com/en/dvd/Lesbian-Massage/49895", "https://www.sweetheartvideo.com/en/dvds \u2022 https://www.sweetheartvideo.com/en/login", "https://www.sweetheartvideo.com/en/model/Mona-Wales/49601 \u2022 https://www.sweetheartvideo.com/en/scene/Truth-Dare--Boobs/130432 No Expiration\t0\t URL https://www.sweetheartvideo.com/it/model/Kristen-Scott/50432 \u2022 https://www.sweetheartvideo.com/model/63710/brandi-love", "https://www.sweetheartvideo.com/scenes?models=63710", "https://www.sweetheartvideo.com/model/63710/brandi-love", "https://www.sweetheartvideo.com/scenes?models=63710", "https://www.sweetheartvideo.com/it/model/Kristen-Scott/50432", "https://www.sweetheartvideo.com/en/scene/Truth-Dare--Boobs/130432", "https://www.milehighmedia.com/en/photo/milehighmedia/The-Mother-I-Cant-Resist/52380", "https://www.vgt.pl/font/roboto/Roboto-Bold.eot \u2022", "https://www.vgt.pl/94.152.152.233/images/logo.png", "https://www.vgt.pl/94.152.156.22/logo.png \u2022 https://www.vgt.pl/css/", "https://www.vgt.pl/favicon.ico", "https://www.vgt.pl/font/fa/fontawesome-webfont.eot", "https://www.vgt.pl/font/roboto/Roboto-Bold.ttf \u2022 https://www.vgt.pl/font/roboto/Roboto-Light.eot", "https://www.vgt.pl/font/roboto/Roboto-Medium.ttf", "https://www.vgt.pl/font/roboto/Roboto-Light.ttf \u2022", "https://www.vgt.pl/static/js/bootstrap-typeahead.jstic/js/bootstrap-typeahead.js", "https://www.vgt.pl/style/style.css \u2022 https://www.vgt.pl/font/roboto/Roboto-Medium.eot", "https://www.vgt.pl/font/roboto/Roboto-Regular.ttf \u2022 https://www.vgt.pl/font/roboto/Roboto-Thin.eot", "https://www.vgt.pl/static/js/bootstrap-typeahead.js.179.252.2", "https://www.vgt.pl/font/roboto/Roboto-Thin.ttf \u2022 https://www.vgt.pl/static/js/bootstrap-typeahead.js", "https://www.vgt.pl/font/roboto/Roboto-Regular.eot \u2022 https://www.vgt.pl/94.152.156.22/logo.png \u2022 https://www.vgt.pl/css/", "vgt.pl \u2022 www.hak.vgt.pl \u2022 www.localhost.vgt.pl \u2022 www.certyfikat.vgt.pl \u2022 aristocrat.vgt.pl", "https://www.vgt.pl/ phishing \u2022 https://vgt.pl/ \u2022www.vgt.pl \u2022 https://www.vgt.pl/94.152.152.233/images/logo.png", "http://www.pornokind.vgt.pl \u2022 https://dbkuewww.m.vgt.pl \u2022 https://lokalnyhost.vgt.pl \u2022 www.xn--twj-hna.pedofil.vgt.pl", "http://www.hak.vgt.pl \u2022 http://pornokind.vgt.pl \u2022 http://sip.vgt.pl \u2022 http://smtp-qa.vgt.pl \u2022 http://vgt.pl/*.", "https://pornokind.vgt.pl \u2022 https://sip.vgt.pl \u2022 https://smtp-qa.vgt.pl \u2022 https://www.vgt.pl/94.152.156.22/logo.png", "www.localhost.vgt.pl \u2022 www.certyfikat.vgt.pl \u2022 https://www.vgt.pl/94.152.152.233/images/logo.png", "https://www.vgt.pl/css/ \u2022 https://www.vgt.pl/favicon.ico \u2022 https://www.vgt.pl/font/fa/fontawesome-webfont.eot", "https://www.vgt.pl/font/roboto/Roboto-Bold.eot \u2022 https://www.vgt.pl/font/roboto/Roboto-Bold.ttf \u2022 https://www.vgt.pl/font/roboto/Roboto-Light.eot", "https://www.vgt.pl/static/js/bootstrap-typeahead.jstic/js/bootstrap-typeahead.js", "https://www.vgt.pl/style/style.css \u2022 https://www.vgt.pl/static/js/bootstrap-typeahead.js", "IP Address 94.152.58.192 Location Poland ASN AS29522 h88 s.a. Nameservers ns1.kei.pl. , ns2.kei.pl.", "www.happylifehappywife.com \u2022 http://www.happylifehappywife.com/2010/02/'>", "http://www.happylifehappywife.com/2010/04/'> \u2022 http://www.happylifehappywife.com/2010/05/'>", "http://www.happylifehappywife.com/2010/07/'> \u2022 http://www.happylifehappywife.com/2010/09/'>", "http://www.happylifehappywife.com/2011/06/'> \u2022 http://www.happylifehappywife.com/2011/08/'", "http://www.happylifehappywife.com/2011/08/'> \u2022 http://www.happylifehappywife.com/2012/07/'>", "http://www.happylifehappywife.com/2013/03/'> \u2022 http://www.happylifehappywife.com/index.php", "http://www.happylifehappywife.com/wp-content/themes/theme78222/images/top-right.jpg", "https://amp.mypornvid.fun/videos/8/AhxS-ej1myg/gf-18-com/\ud83c\udf81-i39m-your-present-\ud83c\udf81-girlfriend-surprises-you-for-christmas-reunion-soft-kisses-amp-cuddles", "8-25-220-162-static.reverse.queryfoundry.net\t\t\tNov 1, 2025, 9:34:14 AM\t\t5\t domain\tqueryfoundry.net\t\t\tNov 1, 2025, 9:34:14 AM\t\t8\t URL\thttp://117-114-251-162-static.reverse.queryfoundry.net/", "http://watchhers.net/index.php", "remotewd.com device local", "nr-data.net \u2022 applemusic-spotlight.myunidays.com \u2022 init.ess.apple.com \u2022 tv.apple.com", "https://browntubeporn.com/tsara-brashearsAccept-Language", "https://cg864.myhotzpic.com phishing \u2022 http://dashboard.myhotzpic.com/", "https://myhotzpic.com/tsara-brashears-hardcore-lesbian-sex/anime-studio.org*thumbs-fa...", "https://mypornvid.com/videos/27/x510fb2/white-dpt-jeffrey-reimer-loves-pretty-indian-patient-forces-sex-3gp-video-tsara-brashears/caillou-finger", "http://siteinlink.d1.cnbd.net/search/tsara-brashears-dead \u2022 http://siteinlink.d1.cnbd.net/site/maps.google.com.lb/", "http://siteinlink.d1.cnbd.net/search/tsara-brashears-assaulted-by-jeffrey-reimer", "http://siteinlink.d1.cnbd.net/search/tsara-brashears-dead \u2022 https://videolal.com/videos/tsara-brashears-dead-by-daylight.html", "http://pixelrz.com/lists/keywords/tsara-brashears-dead/360 \u2022 http://pixelrz.com/lists/keywords/tsara-brashears-dead/360] No Expiration\t4\t Domain tsara-brashears-deadspin-twitter-suspended-account-help.ht", "https://www.anyxxxtube.net/search-porn/tsara-brashears/", "https://www.pornhub.com/gifs/search?search=tsara+lynn+brashears+lesbian", "https://www.anyxxxtube.net/search-porn/tsara-brashears/", "https://twitter.com/PORNO_SEXYBABES \u2022 girlsdoporn.com", "Treece Alfrey Musat P.C. Attorneys at Law Christopher P. Ahmann | https://TamLegal.com", "https://urlscan.io/screenshots/e931bb02-80dc-46db-92f0-43d5afa258be.png" ], "public": 1, "adversary": "", "targeted_countries": [], "malware_families": [ { "id": "TrojanSpy:Win32/Nivdort", "display_name": "TrojanSpy:Win32/Nivdort", "target": "/malware/TrojanSpy:Win32/Nivdort" }, { "id": "Worm:Win32/Autorun", "display_name": "Worm:Win32/Autorun", "target": "/malware/Worm:Win32/Autorun" }, { "id": "Tofsee", "display_name": "Tofsee", "target": null }, { "id": "Jaik", "display_name": "Jaik", "target": null }, { "id": "Trojan:Win32/Qshell", "display_name": "Trojan:Win32/Qshell", "target": "/malware/Trojan:Win32/Qshell" }, { "id": "Trojan:Win32/Mydoom", "display_name": "Trojan:Win32/Mydoom", "target": "/malware/Trojan:Win32/Mydoom" } ], "attack_ids": [ { "id": "T1045", "name": "Software Packing", "display_name": "T1045 - Software Packing" }, { "id": "T1057", "name": "Process Discovery", "display_name": "T1057 - Process Discovery" }, { "id": "T1060", "name": "Registry Run Keys / Startup Folder", "display_name": "T1060 - Registry Run Keys / Startup Folder" }, { "id": "T1053", "name": "Scheduled Task/Job", "display_name": "T1053 - Scheduled Task/Job" }, { "id": "T1055", "name": "Process Injection", "display_name": "T1055 - Process Injection" }, { "id": "T1082", "name": "System Information Discovery", "display_name": "T1082 - System Information Discovery" }, { "id": "T1112", "name": "Modify Registry", "display_name": "T1112 - Modify Registry" }, { "id": "T1119", "name": "Automated Collection", "display_name": "T1119 - Automated Collection" }, { "id": "T1129", "name": "Shared Modules", "display_name": "T1129 - Shared Modules" }, { "id": "T1143", "name": "Hidden Window", "display_name": "T1143 - Hidden Window" }, { "id": "T1063", "name": "Security Software Discovery", "display_name": "T1063 - Security Software Discovery" }, { "id": "T1027", "name": "Obfuscated Files or Information", "display_name": "T1027 - Obfuscated Files or Information" }, { "id": "T1071", "name": "Application Layer Protocol", "display_name": "T1071 - Application Layer Protocol" }, { "id": "T1518", "name": "Software Discovery", "display_name": "T1518 - Software Discovery" }, { "id": "T1553", "name": "Subvert Trust Controls", "display_name": "T1553 - Subvert Trust Controls" }, { "id": "T1568", "name": "Dynamic Resolution", "display_name": "T1568 - Dynamic Resolution" }, { "id": "T1583", "name": "Acquire Infrastructure", "display_name": "T1583 - Acquire Infrastructure" }, { "id": "T1069", "name": "Permission Groups Discovery", "display_name": "T1069 - Permission Groups Discovery" }, { "id": "T1105", "name": "Ingress Tool Transfer", "display_name": "T1105 - Ingress Tool Transfer" }, { "id": "T1113", "name": "Screen Capture", "display_name": "T1113 - Screen Capture" }, { "id": "T1140", "name": "Deobfuscate/Decode Files or Information", "display_name": "T1140 - Deobfuscate/Decode Files or Information" }, { "id": "T1197", "name": "BITS Jobs", "display_name": "T1197 - BITS Jobs" }, { "id": "T1210", "name": "Exploitation of Remote Services", "display_name": "T1210 - Exploitation of Remote Services" }, { "id": "T1457", "name": "Malicious Media Content", "display_name": "T1457 - Malicious Media Content" }, { "id": "T1480", "name": "Execution Guardrails", "display_name": "T1480 - Execution Guardrails" }, { "id": "T1562", "name": "Impair Defenses", "display_name": "T1562 - Impair Defenses" }, { "id": "T1574", "name": "Hijack Execution Flow", "display_name": "T1574 - Hijack Execution Flow" } ], "industries": [], "TLP": "green", "cloned_from": "691f4d4ef0a2a570b8b21cd2", "export_count": 3, "upvotes_count": 0, "downvotes_count": 0, "votes_count": 0, "locked": false, "pulse_source": "web", "validator_count": 0, "comment_count": 0, "follower_count": 0, "vote": 0, "author": { "username": "Q.Vashti", "id": "337942", "avatar_url": "https://otx.alienvault.com/assets/images/default-avatar.png", "is_subscribed": false, "is_following": false }, "indicator_type_counts": { "URL": 8897, "domain": 2102, "hostname": 2867, "FileHash-SHA256": 3886, "FileHash-MD5": 619, "FileHash-SHA1": 555, "CVE": 3, "email": 5, "SSLCertFingerprint": 8 }, "indicator_count": 18942, "is_author": false, "is_subscribing": null, "subscriber_count": 137, "modified_text": "88 days ago ", "is_modified": true, "groups": [], "in_group": false, "threat_hunter_scannable": true, "threat_hunter_has_agents": 1, "related_indicator_type": "domain", "related_indicator_is_active": 1 }, { "id": "691f4d4ef0a2a570b8b21cd2", "name": "Chris P. Ahmann Colorado State Criminal Defense Attorney", "description": "Chris P. Ahmann Colorado State Criminal Defense attorney hired by quasi government Workers Compensation to completely destroy Tsara Brashears literally to death. None of her spinal cord injuries , and other assault injuries discussed or compensated for in rushed settlement case. Her awful racist attorney refused to represent plaintiffs in hearing. Never met with in person for no good reason. Tsara represented herself. Less that 24 hour notice. No briefings, no awareness or mention that Ahmann was representing Jeffrey Scott Reimer for assault\n case. Brashears required 24 hour care by end of life. Received 0 workers compsarion payments. But if this doesn\u2019t prove Reimer\u2019s guilt what does? Continued harassment of associated. \n\nNotice the outages? You\u2019ve cost BILLIONS? Stop threatening everyone.", "modified": "2026-01-20T17:02:02.650000", "created": "2025-11-20T17:18:06.929000", "tags": [ "related pulses", "p1377925676", "gaz1", "sid1696503456", "sct1", "active", "dynamicloader", "medium", "write c", "search", "show", "high", "program gateway", "http traffic", "http", "write", "malware", "nivdort", "serving ip", "address", "status code", "kb body", "sha256", "gw5hjz7t975", "url https", "url http", "indicator role", "pulses url", "hostname", "poland unknown", "present sep", "present jul", "present may", "present apr", "present dec", "present jan", "moved", "passive dns", "ip address", "title", "location poland", "asn as29522", "gmt content", "accept encoding", "ipv4 add", "urls", "files", "reverse dns", "united", "record value", "aaaa", "mtb oct", "found", "error", "read c", "memcommit", "module load", "next", "showing", "trojan", "execution", "unknown", "entries", "ms windows", "intel", "as15169", "codeoverlap", "yara detections", "delphi", "worm", "win32", "win64", "learn", "ck id", "name tactics", "suspicious", "informative", "adversaries", "command", "spawns", "ssl certificate", "execution att", "script urls", "treece alfrey", "meta", "germany unknown", "for privacy", "title added", "active related", "pulses", "asnone", "named pipe", "type indicator", "role title", "added active", "filehashsha256", "ally", "melika", "information", "law christopher", "https", "fake pinterest", "tsara", "traceback man", "expiro", "capture", "domain", "types of", "germany", "poland", "netherlands", "cve cve20178977", "boobs130432 nov", "learn more", "filehashmd5", "utmsourceawin", "pe32", "head microsoft", "delete", "main", "backdoor", "next associated", "gmt connection", "control", "content type", "twitter", "certificate", "redirect date", "cache", "unknown ns", "hostname add", "ipv4", "pulse pulses", "location united", "america flag", "america asn", "windows", "total", "ids detections", "url add", "related nids", "files location", "flag united", "win32mydoom nov", "domain add", "yara rule", "ee fc", "ff d5", "f0 ff", "eb e1", "ff ff", "c1 e8", "c1 c0", "eb e8", "mpress", "cache control", "x cache", "date", "name servers", "arial", "present aug", "present jun", "may god", "hall render", "palantir doing", "jeffrey scott", "jeffrey reimer", "brian sabey", "butt pirates", "scott reimer", "colorado", "quasi government", "workers compensation", "eva lisa", "eva reimer", "sammie", "montano mark", "death threats", "tulach", "hired hit men", "gay man", "gay porn", "concentra", "corruption", "palantir", "foundry", "grifter", "warning", "illegal", "apple", "contacted", "ransom", "dead", "denver" ], "references": [ "https://tamlegal.com/attorneys/christopher-p-ahmann/#breadcrumb \u2022 https://www.milehighmedia.com/en/movies", "https://www.milehighmedia.com/legal/2257 \u2022 https://www.milehighmedia", "www.milehighmedia.com \u2022 https://www.milehighmedia.com/en/Charlie-Dean/pornstar/49512", "https://www.milehighmedia.com/en/login/index/aHR0cHMlM0ElMkYlMkZtZW1iZXJzLm1pbGVoaWdobWVkaWEuY29tJTJGZW4lMkZ2aWRlb3MlMkZzd2VldGhlYXJ0dmlkZW8lM0ZhbHVwJTNEQURqeF9ITjhfd1oweU96UnpsU3NNNUZLaVVxSzBXNEN0X3NmTFpKTGVJc3M2b0RVUzkwVmp6VllNVko5eFpmdENYcFNKd3IzOTNaMG1mOEpXeVhVeVZpLTJZYVRsaGd3M25DSDRpYnRwZ25BRC1zUFhDQVUycjZJOXo2WWtRMzNVWVFhMFZyWC1YckxvcnRkVjJZdEgxSDYxZ1lhMTFNS3RZSkEzY3FlSXhFQzhtSlAzSk1tbloySURMQXlMZndPcHozSFFiTzF4T0FseXJIQ0xYem1ldFElMkE=\t \thttp://www.milehighmedia.com/?ats=eyJhIjoyOTYzMTgsImMiOjU3OTYzNz", "http://www.milehighmedia.com/legal\t \u2022 https://www.milehighmedia.com/en/pornstar/milehighmedia/Justin-Hunt/51017", "https://www.milehighmedia.com/de/MileHighMedia/scene/129689?utm_source=271174&utm_medium=affiliate&utm_campaign=", "http://www.milehighmedia.com/?ats=eyJhIjoyOTYzMTgsImMiOjU3OTYzNzc1LCJuIjo3NiwicyI6NT...", "ttps://www.milehighmedia.com/scene/4404473/creampie-adventures-scene-2-sneaky-melanie", "https://www.milehighmedia.com/join \u2022 https://www.milehighmedia.com/models \u2022 https://www.milehighmedia.com/movies", "https://www.milehighmedia.com/model/59136/avi-love \u2022https://www.milehighmedia.com/model/60418/Justin-Hunt \u2022", "https://www.milehighmedia.com/en/photo/milehighmedia/The-Mother-I-Cant-Resist/52380", "https://www.milehighmedia.com/en/movies \u2022 https://www.milehighmedia.com/join", "https://www.pornhub.com/gifs/search?search=tsara+lynn+brashears+lesbian", "pornhub-e.com \u2022 www.pornhub.com \u2022", "https://www.sweetheartvideo.com/tsara-brashears/ \u2022 www.sweetheartvideo.com", "https://www.sweetheartvideo.com/en/?s=1?s=1&utm_source=272160&utm_medium=affiliate&utm_campaign=lovelezzies", "https://www.sweetheartvideo.com/en/dvd/Lesbian-Massage/49895", "https://www.sweetheartvideo.com/en/dvds \u2022 https://www.sweetheartvideo.com/en/login", "https://www.sweetheartvideo.com/en/model/Mona-Wales/49601 \u2022 https://www.sweetheartvideo.com/en/scene/Truth-Dare--Boobs/130432 No Expiration\t0\t URL https://www.sweetheartvideo.com/it/model/Kristen-Scott/50432 \u2022 https://www.sweetheartvideo.com/model/63710/brandi-love", "https://www.sweetheartvideo.com/scenes?models=63710", "https://www.sweetheartvideo.com/model/63710/brandi-love", "https://www.sweetheartvideo.com/scenes?models=63710", "https://www.sweetheartvideo.com/it/model/Kristen-Scott/50432", "https://www.sweetheartvideo.com/en/scene/Truth-Dare--Boobs/130432", "https://www.milehighmedia.com/en/photo/milehighmedia/The-Mother-I-Cant-Resist/52380", "https://www.vgt.pl/font/roboto/Roboto-Bold.eot \u2022", "https://www.vgt.pl/94.152.152.233/images/logo.png", "https://www.vgt.pl/94.152.156.22/logo.png \u2022 https://www.vgt.pl/css/", "https://www.vgt.pl/favicon.ico", "https://www.vgt.pl/font/fa/fontawesome-webfont.eot", "https://www.vgt.pl/font/roboto/Roboto-Bold.ttf \u2022 https://www.vgt.pl/font/roboto/Roboto-Light.eot", "https://www.vgt.pl/font/roboto/Roboto-Medium.ttf", "https://www.vgt.pl/font/roboto/Roboto-Light.ttf \u2022", "https://www.vgt.pl/static/js/bootstrap-typeahead.jstic/js/bootstrap-typeahead.js", "https://www.vgt.pl/style/style.css \u2022 https://www.vgt.pl/font/roboto/Roboto-Medium.eot", "https://www.vgt.pl/font/roboto/Roboto-Regular.ttf \u2022 https://www.vgt.pl/font/roboto/Roboto-Thin.eot", "https://www.vgt.pl/static/js/bootstrap-typeahead.js.179.252.2", "https://www.vgt.pl/font/roboto/Roboto-Thin.ttf \u2022 https://www.vgt.pl/static/js/bootstrap-typeahead.js", "https://www.vgt.pl/font/roboto/Roboto-Regular.eot \u2022 https://www.vgt.pl/94.152.156.22/logo.png \u2022 https://www.vgt.pl/css/", "vgt.pl \u2022 www.hak.vgt.pl \u2022 www.localhost.vgt.pl \u2022 www.certyfikat.vgt.pl \u2022 aristocrat.vgt.pl", "https://www.vgt.pl/ phishing \u2022 https://vgt.pl/ \u2022www.vgt.pl \u2022 https://www.vgt.pl/94.152.152.233/images/logo.png", "http://www.pornokind.vgt.pl \u2022 https://dbkuewww.m.vgt.pl \u2022 https://lokalnyhost.vgt.pl \u2022 www.xn--twj-hna.pedofil.vgt.pl", "http://www.hak.vgt.pl \u2022 http://pornokind.vgt.pl \u2022 http://sip.vgt.pl \u2022 http://smtp-qa.vgt.pl \u2022 http://vgt.pl/*.", "https://pornokind.vgt.pl \u2022 https://sip.vgt.pl \u2022 https://smtp-qa.vgt.pl \u2022 https://www.vgt.pl/94.152.156.22/logo.png", "www.localhost.vgt.pl \u2022 www.certyfikat.vgt.pl \u2022 https://www.vgt.pl/94.152.152.233/images/logo.png", "https://www.vgt.pl/css/ \u2022 https://www.vgt.pl/favicon.ico \u2022 https://www.vgt.pl/font/fa/fontawesome-webfont.eot", "https://www.vgt.pl/font/roboto/Roboto-Bold.eot \u2022 https://www.vgt.pl/font/roboto/Roboto-Bold.ttf \u2022 https://www.vgt.pl/font/roboto/Roboto-Light.eot", "https://www.vgt.pl/static/js/bootstrap-typeahead.jstic/js/bootstrap-typeahead.js", "https://www.vgt.pl/style/style.css \u2022 https://www.vgt.pl/static/js/bootstrap-typeahead.js", "IP Address 94.152.58.192 Location Poland ASN AS29522 h88 s.a. Nameservers ns1.kei.pl. , ns2.kei.pl.", "www.happylifehappywife.com \u2022 http://www.happylifehappywife.com/2010/02/'>", "http://www.happylifehappywife.com/2010/04/'> \u2022 http://www.happylifehappywife.com/2010/05/'>", "http://www.happylifehappywife.com/2010/07/'> \u2022 http://www.happylifehappywife.com/2010/09/'>", "http://www.happylifehappywife.com/2011/06/'> \u2022 http://www.happylifehappywife.com/2011/08/'", "http://www.happylifehappywife.com/2011/08/'> \u2022 http://www.happylifehappywife.com/2012/07/'>", "http://www.happylifehappywife.com/2013/03/'> \u2022 http://www.happylifehappywife.com/index.php", "http://www.happylifehappywife.com/wp-content/themes/theme78222/images/top-right.jpg", "https://amp.mypornvid.fun/videos/8/AhxS-ej1myg/gf-18-com/\ud83c\udf81-i39m-your-present-\ud83c\udf81-girlfriend-surprises-you-for-christmas-reunion-soft-kisses-amp-cuddles", "8-25-220-162-static.reverse.queryfoundry.net\t\t\tNov 1, 2025, 9:34:14 AM\t\t5\t domain\tqueryfoundry.net\t\t\tNov 1, 2025, 9:34:14 AM\t\t8\t URL\thttp://117-114-251-162-static.reverse.queryfoundry.net/", "http://watchhers.net/index.php", "remotewd.com device local", "nr-data.net \u2022 applemusic-spotlight.myunidays.com \u2022 init.ess.apple.com \u2022 tv.apple.com", "https://browntubeporn.com/tsara-brashearsAccept-Language", "https://cg864.myhotzpic.com phishing \u2022 http://dashboard.myhotzpic.com/", "https://myhotzpic.com/tsara-brashears-hardcore-lesbian-sex/anime-studio.org*thumbs-fa...", "https://mypornvid.com/videos/27/x510fb2/white-dpt-jeffrey-reimer-loves-pretty-indian-patient-forces-sex-3gp-video-tsara-brashears/caillou-finger", "http://siteinlink.d1.cnbd.net/search/tsara-brashears-dead \u2022 http://siteinlink.d1.cnbd.net/site/maps.google.com.lb/", "http://siteinlink.d1.cnbd.net/search/tsara-brashears-assaulted-by-jeffrey-reimer", "http://siteinlink.d1.cnbd.net/search/tsara-brashears-dead \u2022 https://videolal.com/videos/tsara-brashears-dead-by-daylight.html", "http://pixelrz.com/lists/keywords/tsara-brashears-dead/360 \u2022 http://pixelrz.com/lists/keywords/tsara-brashears-dead/360] No Expiration\t4\t Domain tsara-brashears-deadspin-twitter-suspended-account-help.ht", "https://www.anyxxxtube.net/search-porn/tsara-brashears/", "https://www.pornhub.com/gifs/search?search=tsara+lynn+brashears+lesbian", "https://www.anyxxxtube.net/search-porn/tsara-brashears/", "https://twitter.com/PORNO_SEXYBABES \u2022 girlsdoporn.com", "Treece Alfrey Musat P.C. Attorneys at Law Christopher P. Ahmann | https://TamLegal.com", "https://urlscan.io/screenshots/e931bb02-80dc-46db-92f0-43d5afa258be.png" ], "public": 1, "adversary": "", "targeted_countries": [], "malware_families": [ { "id": "TrojanSpy:Win32/Nivdort", "display_name": "TrojanSpy:Win32/Nivdort", "target": "/malware/TrojanSpy:Win32/Nivdort" }, { "id": "Worm:Win32/Autorun", "display_name": "Worm:Win32/Autorun", "target": "/malware/Worm:Win32/Autorun" }, { "id": "Tofsee", "display_name": "Tofsee", "target": null }, { "id": "Jaik", "display_name": "Jaik", "target": null }, { "id": "Trojan:Win32/Qshell", "display_name": "Trojan:Win32/Qshell", "target": "/malware/Trojan:Win32/Qshell" }, { "id": "Trojan:Win32/Mydoom", "display_name": "Trojan:Win32/Mydoom", "target": "/malware/Trojan:Win32/Mydoom" } ], "attack_ids": [ { "id": "T1045", "name": "Software Packing", "display_name": "T1045 - Software Packing" }, { "id": "T1057", "name": "Process Discovery", "display_name": "T1057 - Process Discovery" }, { "id": "T1060", "name": "Registry Run Keys / Startup Folder", "display_name": "T1060 - Registry Run Keys / Startup Folder" }, { "id": "T1053", "name": "Scheduled Task/Job", "display_name": "T1053 - Scheduled Task/Job" }, { "id": "T1055", "name": "Process Injection", "display_name": "T1055 - Process Injection" }, { "id": "T1082", "name": "System Information Discovery", "display_name": "T1082 - System Information Discovery" }, { "id": "T1112", "name": "Modify Registry", "display_name": "T1112 - Modify Registry" }, { "id": "T1119", "name": "Automated Collection", "display_name": "T1119 - Automated Collection" }, { "id": "T1129", "name": "Shared Modules", "display_name": "T1129 - Shared Modules" }, { "id": "T1143", "name": "Hidden Window", "display_name": "T1143 - Hidden Window" }, { "id": "T1063", "name": "Security Software Discovery", "display_name": "T1063 - Security Software Discovery" }, { "id": "T1027", "name": "Obfuscated Files or Information", "display_name": "T1027 - Obfuscated Files or Information" }, { "id": "T1071", "name": "Application Layer Protocol", "display_name": "T1071 - Application Layer Protocol" }, { "id": "T1518", "name": "Software Discovery", "display_name": "T1518 - Software Discovery" }, { "id": "T1553", "name": "Subvert Trust Controls", "display_name": "T1553 - Subvert Trust Controls" }, { "id": "T1568", "name": "Dynamic Resolution", "display_name": "T1568 - Dynamic Resolution" }, { "id": "T1583", "name": "Acquire Infrastructure", "display_name": "T1583 - Acquire Infrastructure" }, { "id": "T1069", "name": "Permission Groups Discovery", "display_name": "T1069 - Permission Groups Discovery" }, { "id": "T1105", "name": "Ingress Tool Transfer", "display_name": "T1105 - Ingress Tool Transfer" }, { "id": "T1113", "name": "Screen Capture", "display_name": "T1113 - Screen Capture" }, { "id": "T1140", "name": "Deobfuscate/Decode Files or Information", "display_name": "T1140 - Deobfuscate/Decode Files or Information" }, { "id": "T1197", "name": "BITS Jobs", "display_name": "T1197 - BITS Jobs" }, { "id": "T1210", "name": "Exploitation of Remote Services", "display_name": "T1210 - Exploitation of Remote Services" }, { "id": "T1457", "name": "Malicious Media Content", "display_name": "T1457 - Malicious Media Content" }, { "id": "T1480", "name": "Execution Guardrails", "display_name": "T1480 - Execution Guardrails" }, { "id": "T1562", "name": "Impair Defenses", "display_name": "T1562 - Impair Defenses" }, { "id": "T1574", "name": "Hijack Execution Flow", "display_name": "T1574 - Hijack Execution Flow" } ], "industries": [], "TLP": "green", "cloned_from": null, "export_count": 4, "upvotes_count": 0, "downvotes_count": 0, "votes_count": 0, "locked": false, "pulse_source": "web", "validator_count": 0, "comment_count": 0, "follower_count": 0, "vote": 0, "author": { "username": "Q.Vashti", "id": "337942", "avatar_url": "https://otx.alienvault.com/assets/images/default-avatar.png", "is_subscribed": false, "is_following": false }, "indicator_type_counts": { "URL": 8897, "domain": 2102, "hostname": 2867, "FileHash-SHA256": 3886, "FileHash-MD5": 619, "FileHash-SHA1": 555, "CVE": 3, "email": 5, "SSLCertFingerprint": 8 }, "indicator_count": 18942, "is_author": false, "is_subscribing": null, "subscriber_count": 139, "modified_text": "88 days ago ", "is_modified": true, "groups": [], "in_group": false, "threat_hunter_scannable": true, "threat_hunter_has_agents": 1, "related_indicator_type": "domain", "related_indicator_is_active": 1 }, { "id": "6905d40f781d7d58d4021a20", "name": "Treece Alfrey Musat P.C., Chris P. Ahmann Colorado State \u2022 Tam Legal Special Cousel for egregious acts by PT.", "description": "- with a primary focus on criminal defense. In both positions, he successfully defended his clients against claims running the gamut of the criminal justice system, from DUI\nand misdemeanors to felony indictments. In his criminal practice, Mr. Ahmann defends clients charged with both misdemeanor and felony cases. Mr. Ahmann continues his criminal practice as he believes that his clients deserve someone on their side to assure their voice is heard in the criminal process as well. He is dedicated to each of his clients and is always\nstriving for the best possible outcome in their individual cases. Mr. Ahmann also specializes in defense of employers in workers' compensation claims. He also assists TAM clients whose liability defense touches criminal prosecution, regularly providing effective criminal counsel in catastrophic injury common carrier matters, as well as criminal prosecution stemming from\nemployment and official acts.", "modified": "2025-12-20T06:00:23.758000", "created": "2025-11-01T09:34:07.323000", "tags": [ "public tlp", "trojandropper", "other", "references add", "show", "provide", "remote", "t1457", "media content", "t1480", "subvert trust", "controls t1562", "modify tools", "command history", "ck t1027", "t1057", "discovery t1069", "t1071", "protocol t1105", "tool transfer", "t1113", "logging t1568", "t1574", "execution flow", "dll sideloading", "t1583", "ta0003", "ck id", "america", "att", "t1045", "capture t1140", "ipv4", "active related", "contact", "adversary", "tam legal", "qshell", "colorado state", "ahmann special", "counsel", "download", "ahmann", "university", "history", "john marshall", "law school", "special counsel", "christopher ahmann", "defense", "url http", "create new", "pulse provide", "white", "adversary tags", "add tag", "groups add", "countries add", "country malware", "trojan", "script urls", "treece alfrey", "meta", "function", "for privacy", "germany unknown", "united", "script", "ip address", "creation date", "date", "tracker", "null", "window", "general full", "reverse dns", "server", "philadelphia", "asn8560", "ionosas", "ionos", "fasthosts", "media", "telecom", "apache", "main", "gtagtracker", "gatracker", "brian sabey", "hall render", "fastly error", "palantir", "special counsel", "gravity rat" ], "references": [ "Treece Alfrey Musat P.C. Attorneys at Law Christopher P. Ahmann | https://TamLegal.com", "https://urlscan.io/screenshots/e931bb02-80dc-46db-92f0-43d5afa258be.png", "https://www.pornhub.com/gifs/search?search=tsara+lynn+brashears+lesbian", "https://www.anyxxxtube.net/search-porn/tsara-brashears/", "http://45.159.189.105/bot/regex \u2022\u2019 Fake Pinterest \u2022https://pin.it/", "https://twitter.com/PORNO_SEXYBABES \u2022 girlsdoporn.com", "Tsara never knew defense attorney fought & closed her worker\u2019s compensation claim", "Traceback- Man with signal jammer/ deauther working around her today.", "Absolutely zero regard for the victims who facilitate your luxury lifestyle.", "Do you slap luxury cologne on your undeserving face paid for by money workers suffered for?", "You\u2019d kill to have someone else\u2019s lifestyle? May God take you out!", "This God smacked penguin ordered a settlement hearing with less than 24 hours notice for claimant.", "He began a smear campaign immediately and is directly linked to Hall Render and Palantir", "Doing any evil thing for mone does not compute for me.", "I\u2019ve looked through the settlement docs, injuries caused by Jeffrey Scott Reiner DPT omitted.", "He must be very scary like Peter Theil because every attorney took case then backed off.", "Patiently waiting to see what God is going to do to all of you. You take lives for $", "Stop! A woman was assaulted carved up, lived with a swollen brain , maltreatment , stalkers , hitmen?", "So you can order food at fine restaurants , go to the finest places and get the best seats? No. I am earnestly praying Jehovah Sabaoth takes your last breath from all of you with Yawehs mightiest angels leading the way with a changing of guard for every tattle you will lose", "On same block with HalkRender. Has close working relationship. All Palantir legal enities" ], "public": 1, "adversary": "", "targeted_countries": [], "malware_families": [ { "id": "Other", "display_name": "Other", "target": null }, { "id": "Win.Malware.Unsafe", "display_name": "Win.Malware.Unsafe", "target": null }, { "id": "Juko", "display_name": "Juko", "target": null }, { "id": "Expiro", "display_name": "Expiro", "target": null }, { "id": "Trojan:Win32/Generic", "display_name": "Trojan:Win32/Generic", "target": "/malware/Trojan:Win32/Generic" }, { "id": "Win.Malware.Qshell-9875653-0", "display_name": "Win.Malware.Qshell-9875653-0", "target": null }, { "id": "Trojan:Win32/Qshell", "display_name": "Trojan:Win32/Qshell", "target": "/malware/Trojan:Win32/Qshell" } ], "attack_ids": [ { "id": "T1027", "name": "Obfuscated Files or Information", "display_name": "T1027 - Obfuscated Files or Information" }, { "id": "T1045", "name": "Software Packing", "display_name": "T1045 - Software Packing" }, { "id": "T1057", "name": "Process Discovery", "display_name": "T1057 - Process Discovery" }, { "id": "T1069", "name": "Permission Groups Discovery", "display_name": "T1069 - Permission Groups Discovery" }, { "id": "T1071", "name": "Application Layer Protocol", "display_name": "T1071 - Application Layer Protocol" }, { "id": "T1105", "name": "Ingress Tool Transfer", "display_name": "T1105 - Ingress Tool Transfer" }, { "id": "T1113", "name": "Screen Capture", "display_name": "T1113 - Screen Capture" }, { "id": "T1140", "name": "Deobfuscate/Decode Files or Information", "display_name": "T1140 - Deobfuscate/Decode Files or Information" }, { "id": "T1197", "name": "BITS Jobs", "display_name": "T1197 - BITS Jobs" }, { "id": "T1210", "name": "Exploitation of Remote Services", "display_name": "T1210 - Exploitation of Remote Services" }, { "id": "T1457", "name": "Malicious Media Content", "display_name": "T1457 - Malicious Media Content" }, { "id": "T1480", "name": "Execution Guardrails", "display_name": "T1480 - Execution Guardrails" }, { "id": "T1553", "name": "Subvert Trust Controls", "display_name": "T1553 - Subvert Trust Controls" }, { "id": "T1562", "name": "Impair Defenses", "display_name": "T1562 - Impair Defenses" }, { "id": "T1568", "name": "Dynamic Resolution", "display_name": "T1568 - Dynamic Resolution" }, { "id": "T1574", "name": "Hijack Execution Flow", "display_name": "T1574 - Hijack Execution Flow" }, { "id": "T1583", "name": "Acquire Infrastructure", "display_name": "T1583 - Acquire Infrastructure" } ], "industries": [ "Legal", "Government", "Healthcare", "Technology", "Telecommunications" ], "TLP": "white", "cloned_from": null, "export_count": 6, "upvotes_count": 0, "downvotes_count": 0, "votes_count": 0, "locked": false, "pulse_source": "web", "validator_count": 0, "comment_count": 0, "follower_count": 0, "vote": 0, "author": { "username": "Q.Vashti", "id": "337942", "avatar_url": "https://otx.alienvault.com/assets/images/default-avatar.png", "is_subscribed": false, "is_following": false }, "indicator_type_counts": { "URL": 8332, "domain": 4819, "hostname": 2165, "FileHash-SHA256": 7369, "FileHash-MD5": 474, "FileHash-SHA1": 470, "CVE": 4, "email": 4 }, "indicator_count": 23637, "is_author": false, "is_subscribing": null, "subscriber_count": 139, "modified_text": "120 days ago ", "is_modified": true, "groups": [], "in_group": false, "threat_hunter_scannable": true, "threat_hunter_has_agents": 1, "related_indicator_type": "domain", "related_indicator_is_active": 1 }, { "id": "69137ee5d76d486d65396af0", "name": "Chris P. Ahmann Colorado State \u2022 Tam Legal Special Cousel for egregious acts committed by Jeffrey S. Reimer DPT \u2022 Treece Alfrey Musat P.C., ", "description": "", "modified": "2025-12-01T09:02:26.881000", "created": "2025-11-11T18:22:29.976000", "tags": [ "public tlp", "trojandropper", "other", "references add", "show", "provide", "remote", "t1457", "media content", "t1480", "subvert trust", "controls t1562", "modify tools", "command history", "ck t1027", "t1057", "discovery t1069", "t1071", "protocol t1105", "tool transfer", "t1113", "logging t1568", "t1574", "execution flow", "dll sideloading", "t1583", "ta0003", "ck id", "america", "att", "t1045", "capture t1140", "ipv4", "active related", "contact", "adversary", "tam legal", "qshell", "colorado state", "ahmann special", "counsel", "download", "ahmann", "university", "history", "john marshall", "law school", "special counsel", "christopher ahmann", "defense", "url http", "create new", "pulse provide", "white", "adversary tags", "add tag", "groups add", "countries add", "country malware", "trojan", "script urls", "treece alfrey", "meta", "function", "for privacy", "germany unknown", "united", "script", "ip address", "creation date", "date", "tracker", "null", "window", "general full", "reverse dns", "server", "philadelphia", "asn8560", "ionosas", "ionos", "fasthosts", "media", "telecom", "apache", "main", "gtagtracker", "gatracker", "brian sabey", "hall render", "fastly error", "palantir", "special counsel", "gravity rat" ], "references": [ "Treece Alfrey Musat P.C. Attorneys at Law Christopher P. Ahmann | https://TamLegal.com", "https://urlscan.io/screenshots/e931bb02-80dc-46db-92f0-43d5afa258be.png", "https://www.pornhub.com/gifs/search?search=tsara+lynn+brashears+lesbian", "https://www.anyxxxtube.net/search-porn/tsara-brashears/", "http://45.159.189.105/bot/regex \u2022\u2019 Fake Pinterest \u2022https://pin.it/", "https://twitter.com/PORNO_SEXYBABES \u2022 girlsdoporn.com", "Tsara never knew defense attorney fought & closed her worker\u2019s compensation claim", "Traceback- Man with signal jammer/ deauther working around her today.", "Absolutely zero regard for the victims who facilitate your luxury lifestyle.", "Do you slap luxury cologne on your undeserving face paid for by money workers suffered for?", "You\u2019d kill to have someone else\u2019s lifestyle? May God take you out!", "This God smacked penguin ordered a settlement hearing with less than 24 hours notice for claimant.", "He began a smear campaign immediately and is directly linked to Hall Render and Palantir", "Doing any evil thing for mone does not compute for me.", "I\u2019ve looked through the settlement docs, injuries caused by Jeffrey Scott Reiner DPT omitted.", "He must be very scary like Peter Theil because every attorney took case then backed off.", "Patiently waiting to see what God is going to do to all of you. You take lives for $", "Stop! A woman was assaulted carved up, lived with a swollen brain , maltreatment , stalkers , hitmen?", "So you can order food at fine restaurants , go to the finest places and get the best seats? No. I am earnestly praying Jehovah Sabaoth takes your last breath from all of you with Yawehs mightiest angels leading the way with a changing of guard for every tattle you will lose", "On same block with HalkRender. Has close working relationship. All Palantir legal enities" ], "public": 1, "adversary": "", "targeted_countries": [], "malware_families": [ { "id": "Other", "display_name": "Other", "target": null }, { "id": "Win.Malware.Unsafe", "display_name": "Win.Malware.Unsafe", "target": null }, { "id": "Juko", "display_name": "Juko", "target": null }, { "id": "Expiro", "display_name": "Expiro", "target": null }, { "id": "Trojan:Win32/Generic", "display_name": "Trojan:Win32/Generic", "target": "/malware/Trojan:Win32/Generic" }, { "id": "Win.Malware.Qshell-9875653-0", "display_name": "Win.Malware.Qshell-9875653-0", "target": null }, { "id": "Trojan:Win32/Qshell", "display_name": "Trojan:Win32/Qshell", "target": "/malware/Trojan:Win32/Qshell" } ], "attack_ids": [ { "id": "T1027", "name": "Obfuscated Files or Information", "display_name": "T1027 - Obfuscated Files or Information" }, { "id": "T1045", "name": "Software Packing", "display_name": "T1045 - Software Packing" }, { "id": "T1057", "name": "Process Discovery", "display_name": "T1057 - Process Discovery" }, { "id": "T1069", "name": "Permission Groups Discovery", "display_name": "T1069 - Permission Groups Discovery" }, { "id": "T1071", "name": "Application Layer Protocol", "display_name": "T1071 - Application Layer Protocol" }, { "id": "T1105", "name": "Ingress Tool Transfer", "display_name": "T1105 - Ingress Tool Transfer" }, { "id": "T1113", "name": "Screen Capture", "display_name": "T1113 - Screen Capture" }, { "id": "T1140", "name": "Deobfuscate/Decode Files or Information", "display_name": "T1140 - Deobfuscate/Decode Files or Information" }, { "id": "T1197", "name": "BITS Jobs", "display_name": "T1197 - BITS Jobs" }, { "id": "T1210", "name": "Exploitation of Remote Services", "display_name": "T1210 - Exploitation of Remote Services" }, { "id": "T1457", "name": "Malicious Media Content", "display_name": "T1457 - Malicious Media Content" }, { "id": "T1480", "name": "Execution Guardrails", "display_name": "T1480 - Execution Guardrails" }, { "id": "T1553", "name": "Subvert Trust Controls", "display_name": "T1553 - Subvert Trust Controls" }, { "id": "T1562", "name": "Impair Defenses", "display_name": "T1562 - Impair Defenses" }, { "id": "T1568", "name": "Dynamic Resolution", "display_name": "T1568 - Dynamic Resolution" }, { "id": "T1574", "name": "Hijack Execution Flow", "display_name": "T1574 - Hijack Execution Flow" }, { "id": "T1583", "name": "Acquire Infrastructure", "display_name": "T1583 - Acquire Infrastructure" } ], "industries": [ "Legal", "Government", "Healthcare", "Technology", "Telecommunications" ], "TLP": "white", "cloned_from": "6905d40f781d7d58d4021a20", "export_count": 3, "upvotes_count": 0, "downvotes_count": 0, "votes_count": 0, "locked": false, "pulse_source": "web", "validator_count": 0, "comment_count": 0, "follower_count": 0, "vote": 0, "author": { "username": "Q.Vashti", "id": "337942", "avatar_url": "https://otx.alienvault.com/assets/images/default-avatar.png", "is_subscribed": false, "is_following": false }, "indicator_type_counts": { "URL": 7556, "domain": 4779, "hostname": 2053, "FileHash-SHA256": 7233, "FileHash-MD5": 474, "FileHash-SHA1": 470, "CVE": 4, "email": 4 }, "indicator_count": 22573, "is_author": false, "is_subscribing": null, "subscriber_count": 140, "modified_text": "139 days ago ", "is_modified": true, "groups": [], "in_group": false, "threat_hunter_scannable": true, "threat_hunter_has_agents": 1, "related_indicator_type": "domain", "related_indicator_is_active": 1 }, { "id": "6906c12b1dd6a64ab1beaa55", "name": "SpyNoon \u2022Chris P. Ahmann Colorado State \u2022 Tam Legal Special Cousel for egregious", "description": "", "modified": "2025-12-01T09:02:26.881000", "created": "2025-11-02T02:25:47.431000", "tags": [ "public tlp", "trojandropper", "other", "references add", "show", "provide", "remote", "t1457", "media content", "t1480", "subvert trust", "controls t1562", "modify tools", "command history", "ck t1027", "t1057", "discovery t1069", "t1071", "protocol t1105", "tool transfer", "t1113", "logging t1568", "t1574", "execution flow", "dll sideloading", "t1583", "ta0003", "ck id", "america", "att", "t1045", "capture t1140", "ipv4", "active related", "contact", "adversary", "tam legal", "qshell", "colorado state", "ahmann special", "counsel", "download", "ahmann", "university", "history", "john marshall", "law school", "special counsel", "christopher ahmann", "defense", "url http", "create new", "pulse provide", "white", "adversary tags", "add tag", "groups add", "countries add", "country malware", "trojan", "script urls", "treece alfrey", "meta", "function", "for privacy", "germany unknown", "united", "script", "ip address", "creation date", "date", "tracker", "null", "window", "general full", "reverse dns", "server", "philadelphia", "asn8560", "ionosas", "ionos", "fasthosts", "media", "telecom", "apache", "main", "gtagtracker", "gatracker", "brian sabey", "hall render", "fastly error", "palantir", "special counsel", "gravity rat" ], "references": [ "Treece Alfrey Musat P.C. Attorneys at Law Christopher P. Ahmann | https://TamLegal.com", "https://urlscan.io/screenshots/e931bb02-80dc-46db-92f0-43d5afa258be.png", "https://www.pornhub.com/gifs/search?search=tsara+lynn+brashears+lesbian", "https://www.anyxxxtube.net/search-porn/tsara-brashears/", "http://45.159.189.105/bot/regex \u2022\u2019 Fake Pinterest \u2022https://pin.it/", "https://twitter.com/PORNO_SEXYBABES \u2022 girlsdoporn.com", "Tsara never knew defense attorney fought & closed her worker\u2019s compensation claim", "Traceback- Man with signal jammer/ deauther working around her today.", "Absolutely zero regard for the victims who facilitate your luxury lifestyle.", "Do you slap luxury cologne on your undeserving face paid for by money workers suffered for?", "You\u2019d kill to have someone else\u2019s lifestyle? May God take you out!", "This God smacked penguin ordered a settlement hearing with less than 24 hours notice for claimant.", "He began a smear campaign immediately and is directly linked to Hall Render and Palantir", "Doing any evil thing for mone does not compute for me.", "I\u2019ve looked through the settlement docs, injuries caused by Jeffrey Scott Reiner DPT omitted.", "He must be very scary like Peter Theil because every attorney took case then backed off.", "Patiently waiting to see what God is going to do to all of you. You take lives for $", "Stop! A woman was assaulted carved up, lived with a swollen brain , maltreatment , stalkers , hitmen?", "So you can order food at fine restaurants , go to the finest places and get the best seats? No. I am earnestly praying Jehovah Sabaoth takes your last breath from all of you with Yawehs mightiest angels leading the way with a changing of guard for every tattle you will lose", "On same block with HalkRender. Has close working relationship. All Palantir legal enities" ], "public": 1, "adversary": "", "targeted_countries": [], "malware_families": [ { "id": "Other", "display_name": "Other", "target": null }, { "id": "Win.Malware.Unsafe", "display_name": "Win.Malware.Unsafe", "target": null }, { "id": "Juko", "display_name": "Juko", "target": null }, { "id": "Expiro", "display_name": "Expiro", "target": null }, { "id": "Trojan:Win32/Generic", "display_name": "Trojan:Win32/Generic", "target": "/malware/Trojan:Win32/Generic" }, { "id": "Win.Malware.Qshell-9875653-0", "display_name": "Win.Malware.Qshell-9875653-0", "target": null }, { "id": "Trojan:Win32/Qshell", "display_name": "Trojan:Win32/Qshell", "target": "/malware/Trojan:Win32/Qshell" } ], "attack_ids": [ { "id": "T1027", "name": "Obfuscated Files or Information", "display_name": "T1027 - Obfuscated Files or Information" }, { "id": "T1045", "name": "Software Packing", "display_name": "T1045 - Software Packing" }, { "id": "T1057", "name": "Process Discovery", "display_name": "T1057 - Process Discovery" }, { "id": "T1069", "name": "Permission Groups Discovery", "display_name": "T1069 - Permission Groups Discovery" }, { "id": "T1071", "name": "Application Layer Protocol", "display_name": "T1071 - Application Layer Protocol" }, { "id": "T1105", "name": "Ingress Tool Transfer", "display_name": "T1105 - Ingress Tool Transfer" }, { "id": "T1113", "name": "Screen Capture", "display_name": "T1113 - Screen Capture" }, { "id": "T1140", "name": "Deobfuscate/Decode Files or Information", "display_name": "T1140 - Deobfuscate/Decode Files or Information" }, { "id": "T1197", "name": "BITS Jobs", "display_name": "T1197 - BITS Jobs" }, { "id": "T1210", "name": "Exploitation of Remote Services", "display_name": "T1210 - Exploitation of Remote Services" }, { "id": "T1457", "name": "Malicious Media Content", "display_name": "T1457 - Malicious Media Content" }, { "id": "T1480", "name": "Execution Guardrails", "display_name": "T1480 - Execution Guardrails" }, { "id": "T1553", "name": "Subvert Trust Controls", "display_name": "T1553 - Subvert Trust Controls" }, { "id": "T1562", "name": "Impair Defenses", "display_name": "T1562 - Impair Defenses" }, { "id": "T1568", "name": "Dynamic Resolution", "display_name": "T1568 - Dynamic Resolution" }, { "id": "T1574", "name": "Hijack Execution Flow", "display_name": "T1574 - Hijack Execution Flow" }, { "id": "T1583", "name": "Acquire Infrastructure", "display_name": "T1583 - Acquire Infrastructure" } ], "industries": [ "Legal", "Government", "Healthcare", "Technology", "Telecommunications" ], "TLP": "white", "cloned_from": "6905d40f781d7d58d4021a20", "export_count": 11, "upvotes_count": 0, "downvotes_count": 0, "votes_count": 0, "locked": false, "pulse_source": "web", "validator_count": 0, "comment_count": 0, "follower_count": 0, "vote": 0, "author": { "username": "Q.Vashti", "id": "337942", "avatar_url": "https://otx.alienvault.com/assets/images/default-avatar.png", "is_subscribed": false, "is_following": false }, "indicator_type_counts": { "URL": 7556, "domain": 4779, "hostname": 2053, "FileHash-SHA256": 7233, "FileHash-MD5": 474, "FileHash-SHA1": 470, "CVE": 4, "email": 4 }, "indicator_count": 22573, "is_author": false, "is_subscribing": null, "subscriber_count": 138, "modified_text": "139 days ago ", "is_modified": true, "groups": [], "in_group": false, "threat_hunter_scannable": true, "threat_hunter_has_agents": 1, "related_indicator_type": "domain", "related_indicator_is_active": 1 }, { "id": "68ec0870475174302c733fa2", "name": "Cyber Crime - Emotet | Tofsee CnC | Targeting \u2022 Streaming \u2022 Stealing", "description": "I\u2019ve heard of mortis.com from a target. It was heavily suggested on targets YouTube homepage. I hadn\u2019t had thought to research link until Friday.\n\n Doing my due diligence I\u2019ve been viewing potential issues targets family member/s may be and his having with technology.\n\nSmart TV is completely hacked. playlist tampering , heavy downloading daily when TV is on , off or unplugged. \n I watched this TV monitored data volume , noted continued suggestions for Mortis.com , \ntouted . Obviously, a threat. YouTuber warns not go in and no one can get in which is insanely stupid. OTX issues,. Several pulse attempts later , constant refreshing and deleting of IoC this is all what remains. Streaming services, webcams and multiple labeled rooms. I have no idea the point of death threats especially since God can mow anyone down. Who promised you another breath? Target seems to be the only person targeted. Multiple Foundry , PayPal Palantir\nLinks , Boeing, JetBlue Twitter , Apple loading issues.", "modified": "2025-11-11T04:02:27.091000", "created": "2025-10-12T19:58:40.472000", "tags": [ "url https", "indicator role", "active related", "united", "ip address", "unknown ns", "x82xd4", "x86xd3", "xa1xf1", "xe8xc2x14", "win32tofsee", "trojan", "win32tofsee att", "ck ids", "t1096", "ntfs file", "service", "united kingdom", "germany", "netherlands", "mortis.com", "dead", "death", "foundry", "paypal", "home visitor", "psalms 37", "trojan", "emotet", "boeing", "apple", "streaming", "kryptik", "myundeadneighbor", "windstream communications llc", "command", "tofsee", "kx81xdbx0f", "wx99xcdx11", "stream", "write", "malware", "tsara brashears", "regsetvalueexa", "malware", "win32", "persistence", "execution", "push", "shellexecuteexw", "windows", "botnet", "backdoor", "writeconsolew", "displayname", "sddl", "hash", "ip address", "ssl certificate", "spawns", "initial access", "adversaries", "name tactics", "t1031", "registry", "dock", "suspicious", "learn", "phishing att", "infection", "commandand_and_control", "informative", "jetblue", "porn", "keylogger", "remote keylogger", "parklogic", "parking crew", "park pages", "cyber crime", "data brokers", "info stealers", "password", "masquerading", "discord", "sophisticated", "dga domains", "pit", "rotor", "hello", "targeting", "games" ], "references": [ "mortis.com", "I unintentionally made the first pulse Public.", "Stalker/Lurker?http://myundeadneighbor.com | Parking Crews | Parklogic", "assassinationmarkets.com", "https://id.security.trackid", "https://id.security.trackid.piwikb7c1867dd7ba9c57.2ce7e2c4000f72e3204af57fac31aafd.mailingmarketing.net/", "https://id.login.update.ssl.encryption-6159368de39251d7a-login.id.security.trackid.piwikb7c1867dd7ba9c57.e988d676bdb63f3b4dbcdc53578a9b26.mailingmarketing.net/", "Hmm, cyber criminals use parking pages for malvertizing malicious content & intent , reputation content, etc", "https://www.gov.pl/attachment/65dfce94-31f9-4523-8d3b-89df3d4c5f75" ], "public": 1, "adversary": "", "targeted_countries": [ "United States of America" ], "malware_families": [ { "id": "Trojan:Win32/Emotet.PC!MTB", "display_name": "Trojan:Win32/Emotet.PC!MTB", "target": "/malware/Trojan:Win32/Emotet.PC!MTB" }, { "id": "Trojan:Win32/Emotet.KDS!MTB", "display_name": "Trojan:Win32/Emotet.KDS!MTB", "target": "/malware/Trojan:Win32/Emotet.KDS!MTB" }, { "id": "Backdoor:Win32/Tofsee.T", "display_name": "Backdoor:Win32/Tofsee.T", "target": "/malware/Backdoor:Win32/Tofsee.T" }, { "id": "Win.Malware.Tofsee-6880878-0", "display_name": "Win.Malware.Tofsee-6880878-0", "target": null }, { "id": "Tofsee", "display_name": "Tofsee", "target": null }, { "id": "Win32:Kryptik-PLL", "display_name": "Win32:Kryptik-PLL", "target": null } ], "attack_ids": [ { "id": "T1027", "name": "Obfuscated Files or Information", "display_name": "T1027 - Obfuscated Files or Information" }, { "id": "T1031", "name": "Modify Existing Service", "display_name": "T1031 - Modify Existing Service" }, { "id": "T1045", "name": "Software Packing", "display_name": "T1045 - Software Packing" }, { "id": "T1053", "name": "Scheduled Task/Job", "display_name": "T1053 - Scheduled Task/Job" }, { "id": "T1057", "name": "Process Discovery", "display_name": "T1057 - Process Discovery" }, { "id": "T1060", "name": "Registry Run Keys / Startup Folder", "display_name": "T1060 - Registry Run Keys / Startup Folder" }, { "id": "T1069", "name": "Permission Groups Discovery", "display_name": "T1069 - Permission Groups Discovery" }, { "id": "T1071", "name": "Application Layer Protocol", "display_name": "T1071 - Application Layer Protocol" }, { "id": "T1082", "name": "System Information Discovery", "display_name": "T1082 - System Information Discovery" }, { "id": "T1096", "name": "NTFS File Attributes", "display_name": "T1096 - NTFS File Attributes" }, { "id": "T1105", "name": "Ingress Tool Transfer", "display_name": "T1105 - Ingress Tool Transfer" }, { "id": "T1112", "name": "Modify Registry", "display_name": "T1112 - Modify Registry" }, { "id": "T1129", "name": "Shared Modules", "display_name": "T1129 - Shared Modules" }, { "id": "T1143", "name": "Hidden Window", "display_name": "T1143 - Hidden Window" }, { "id": "T1480", "name": "Execution Guardrails", "display_name": "T1480 - Execution Guardrails" }, { "id": "T1553", "name": "Subvert Trust Controls", "display_name": "T1553 - Subvert Trust Controls" }, { "id": "T1566", "name": "Phishing", "display_name": "T1566 - Phishing" }, { "id": "T1583", "name": "Acquire Infrastructure", "display_name": "T1583 - Acquire Infrastructure" }, { "id": "TA0011", "name": "Command and Control", "display_name": "TA0011 - Command and Control" }, { "id": "T1210", "name": "Exploitation of Remote Services", "display_name": "T1210 - Exploitation of Remote Services" }, { "id": "T1068", "name": "Exploitation for Privilege Escalation", "display_name": "T1068 - Exploitation for Privilege Escalation" }, { "id": "T1583.005", "name": "Botnet", "display_name": "T1583.005 - Botnet" }, { "id": "T1056.001", "name": "Keylogging", "display_name": "T1056.001 - Keylogging" }, { "id": "T1003.008", "name": "/etc/passwd and /etc/shadow", "display_name": "T1003.008 - /etc/passwd and /etc/shadow" }, { "id": "T1036", "name": "Masquerading", "display_name": "T1036 - Masquerading" } ], "industries": [], "TLP": "white", "cloned_from": null, "export_count": 11, "upvotes_count": 0, "downvotes_count": 0, "votes_count": 0, "locked": false, "pulse_source": "web", "validator_count": 0, "comment_count": 0, "follower_count": 0, "vote": 0, "author": { "username": "Q.Vashti", "id": "337942", "avatar_url": "https://otx.alienvault.com/assets/images/default-avatar.png", "is_subscribed": false, "is_following": false }, "indicator_type_counts": { "URL": 2407, "domain": 2321, "hostname": 983, "FileHash-SHA256": 3035, "FileHash-MD5": 228, "FileHash-SHA1": 231, "email": 1, "FilePath": 3 }, "indicator_count": 9209, "is_author": false, "is_subscribing": null, "subscriber_count": 140, "modified_text": "159 days ago ", "is_modified": true, "groups": [], "in_group": false, "threat_hunter_scannable": true, "threat_hunter_has_agents": 1, "related_indicator_type": "domain", "related_indicator_is_active": 1 }, { "id": "688c8526be7a4df33863b5c5", "name": "VirusTotal - Shiz.ivr", "description": "*Win.Trojan.Shiz.ivr\n*PWS:Win32/Simda.D\n*virtool #injection#infostealer #network #cnc #block_not #virustotal_google #cnc #checking #procmem_yara\n#injection_inter_process\n#injection_create_remote_thread\n#antidebug_windows\n#multiple_useragents\n#network_fake_useragent\n#persistence_autorun\n#cape_detected_threat\n#antiav_detectfile\n#modify_proxy\n#deletes_self\n#infostealer_cookies\n#injection_createremotethread\n#suricata_alert\n~ vashti", "modified": "2025-08-31T08:01:04.297000", "created": "2025-08-01T09:13:10.510000", "tags": [ "dynamicloader", "unknown", "msie", "windows nt", "slcc2", "media center", "suspicious", "search", "high", "show", "copy", "possible", "write", "internal", "malware", "push", "local", "next", "contacted", "domains", "pulses", "related tags", "file type", "date april", "pm size", "sha1 sha256", "imphash pehash", "virustotal api", "bq jul", "united", "trojan", "backdoor", "virtool", "cnc beacon", "entries", "path max", "passive dns", "next associated", "cookie", "twitter", "body", "date", "medium", "simda", "global" ], "references": [], "public": 1, "adversary": "", "targeted_countries": [], "malware_families": [], "attack_ids": [ { "id": "T1055", "name": "Process Injection", "display_name": "T1055 - Process Injection" }, { "id": "T1057", "name": "Process Discovery", "display_name": "T1057 - Process Discovery" }, { "id": "T1060", "name": "Registry Run Keys / Startup Folder", "display_name": "T1060 - Registry Run Keys / Startup Folder" }, { "id": "T1063", "name": "Security Software Discovery", "display_name": "T1063 - Security Software Discovery" }, { "id": "T1045", "name": "Software Packing", "display_name": "T1045 - Software Packing" }, { "id": "T1119", "name": "Automated Collection", "display_name": "T1119 - Automated Collection" } ], "industries": [], "TLP": "green", "cloned_from": null, "export_count": 17, "upvotes_count": 0, "downvotes_count": 0, "votes_count": 0, "locked": false, "pulse_source": "web", "validator_count": 0, "comment_count": 0, "follower_count": 0, "vote": 0, "author": { "username": "Q.Vashti", "id": "337942", "avatar_url": "https://otx.alienvault.com/assets/images/default-avatar.png", "is_subscribed": false, "is_following": false }, "indicator_type_counts": { "URL": 10303, "hostname": 1413, "FileHash-SHA256": 1868, "domain": 1877, "FileHash-MD5": 357, "FileHash-SHA1": 348, "SSLCertFingerprint": 2 }, "indicator_count": 16168, "is_author": false, "is_subscribing": null, "subscriber_count": 145, "modified_text": "231 days ago ", "is_modified": true, "groups": [], "in_group": false, "threat_hunter_scannable": true, "threat_hunter_has_agents": 1, "related_indicator_type": "domain", "related_indicator_is_active": 1 }, { "id": "66e6547f22d43d6d149cac7a", "name": "RedCap Abuse | The 1st Pulse was deleted from OTX . AlienVault", "description": "Another example of target working with a hacker impersonating some7he.sje was not. The hackers had the perfect opportunity to stay attached to Dropbox, photos. microphone and highlighted heavily targets location. || Target was suspicious about several issues related to pair. Hacker has only one piece of equipment for project. Target basically had to give him all , tips, cues and direction for project. If this Pulse is deleted I don't know what to think.", "modified": "2024-10-15T02:02:53.504000", "created": "2024-09-15T03:29:03.699000", "tags": [ "urls", "passive dns", "http", "unique", "scan endpoints", "all scoreblue", "url http", "pulse pulses", "ip address", "related nids", "code", "process32nextw", "intel", "ms windows", "united", "pe32", "search", "module load", "t1129", "read c", "default", "path", "write", "malware", "copy", "win32", "suspicious", "unknown", "united kingdom", "set cookie", "as43350 nforce", "script urls", "as55286", "status", "cookie", "trojan", "template", "showing", "entries", "body", "ransom", "meta", "a div", "div div", "ipv4", "script script", "as16276", "france unknown", "link", "span a", "span span", "span", "class", "pragma", "servers", "creation date", "emails", "domain", "expiration date", "cname", "aaaa", "certificate", "lowfitrojan", "hstr", "jsauto25 jun", "pm lowfitrojan", "related pulses", "file samples", "files matching", "show", "endpoints all", "trojan features", "date hash", "as15169 google", "as44273 host", "september", "de indicators", "domains", "hashes", "dynamicloader", "yara detections", "enigmaprotector", "high", "bios", "dynamic", "filehash", "yaxpax", "yapaxi", "zp6axi0", "cuckoo", "name servers", "domains ii", "for privacy", "redacted for", "next", "domain address", "alienvault name", "server", "flag", "contacted hosts", "process details", "misc attack", "et tor", "known tor", "relayrouter", "exit", "node traffic", "exit node", "traffic group", "suricata", "overview ip", "address", "files location", "flag united", "hostname", "files domain", "months ago", "created", "email", "modified", "filehashsha1", "filehashsha256", "white cve", "cyber", "xamzexpires300", "twitter", "xor ddos", "xorddos", "hacktool", "bazaarloader", "redcap", "formbook", "locky", "lockbit", "ransomware", "target", "ebury", "virustotal", "crypter", "shadowpad", "corrupt", "cryptor", "android", "xrat", "xtrat", "malicious", "honeypot", "fraud", "already", "behav", "ragnar locker", "swipper", "n\u2205 ip", "write c", "msie", "windows nt", "wow64", "slcc2", "media center", "delete c", "execution", "dock", "persistence", "august", "asnone bulgaria", "sales", "algorithm", "v3 serial", "number", "subject public", "key info", "key algorithm", "key identifier", "subject key", "identifier", "x509v3 key", "first", "whois lookups", "dnssec", "domain name", "abuse contact", "registrar abuse", "contact phone", "registrar iana", "date", "dns replication", "record type", "ttl value", "msms33388520", "data", "cus starizona", "cngo daddy", "authority", "g2 validity" ], "references": [ "TrojanSpy:Win32/Nivdort.DE", "ALF:HeraklezEval:TrojanDownloader:Win32/Unruy!rfn: FileHash-SHA256 00018d13f451300fb839123dfbf2d8607da0e7b1c89ae1bfbb9946ac79c1663c", "IDS Detections: Win32/Unruy Rogue Search Host Observed 1", "Yara Detections: Nrv2x , UPX_OEP_place , UPX_Modified_Or_Inside , UPX20030XMarkusOberhumerLaszloMolnarJohnReiser", "Yara Detections: UPXV200V290MarkusOberhumerLaszloMolnarJohnReiser , UPXv20MarkusLaszloReiser", "Alerts: nids_malware_alert network_icmp persistence_autorun" ], "public": 1, "adversary": "", "targeted_countries": [], "malware_families": [ { "id": "Ransom:Win32/Haperlock", "display_name": "Ransom:Win32/Haperlock", "target": "/malware/Ransom:Win32/Haperlock" }, { "id": "ALF:Trojan:Win32/Cassini_ade36583", "display_name": "ALF:Trojan:Win32/Cassini_ade36583", "target": null }, { "id": "ALF:HeraklezEval:TrojanDownloader:Win32/Unruy!rfn", "display_name": "ALF:HeraklezEval:TrojanDownloader:Win32/Unruy!rfn", "target": null }, { "id": "Ransom:Win32/Wannaren", "display_name": "Ransom:Win32/Wannaren", "target": "/malware/Ransom:Win32/Wannaren" }, { "id": "#LowfiTrojan:JS/Auto25", "display_name": "#LowfiTrojan:JS/Auto25", "target": "/malware/#LowfiTrojan:JS/Auto25" }, { "id": "Trojan:Win32/Startpage", "display_name": "Trojan:Win32/Startpage", "target": "/malware/Trojan:Win32/Startpage" }, { "id": "ALF:HeraklezEval:TrojanDownloader:Win32/Unruy", "display_name": "ALF:HeraklezEval:TrojanDownloader:Win32/Unruy", "target": null }, { "id": "Win.Packed.XtremeRAT-9837419-0", "display_name": "Win.Packed.XtremeRAT-9837419-0", "target": null }, { "id": "Win.Packed.Kelios-10023944-0", "display_name": "Win.Packed.Kelios-10023944-0", "target": null }, { "id": "Win.Trojan.Unruy-5885", "display_name": "Win.Trojan.Unruy-5885", "target": null }, { "id": "Ebury", "display_name": "Ebury", "target": null }, { "id": "FormBook", "display_name": "FormBook", "target": null }, { "id": "Swipper", "display_name": "Swipper", "target": null }, { "id": "N\u2205 IP", "display_name": "N\u2205 IP", "target": null }, { "id": "Locky", "display_name": "Locky", "target": null }, { "id": "TrojanSpy:Win32/Nivdort.DE", "display_name": "TrojanSpy:Win32/Nivdort.DE", "target": "/malware/TrojanSpy:Win32/Nivdort.DE" } ], "attack_ids": [ { "id": "T1045", "name": "Software Packing", "display_name": "T1045 - Software Packing" }, { "id": "T1053", "name": "Scheduled Task/Job", "display_name": "T1053 - Scheduled Task/Job" }, { "id": "T1057", "name": "Process Discovery", "display_name": "T1057 - Process Discovery" }, { "id": "T1060", "name": "Registry Run Keys / Startup Folder", "display_name": "T1060 - Registry Run Keys / Startup Folder" }, { "id": "T1129", "name": "Shared Modules", "display_name": "T1129 - Shared Modules" }, { "id": "T1119", "name": "Automated Collection", "display_name": "T1119 - Automated Collection" }, { "id": "T1036", "name": "Masquerading", "display_name": "T1036 - Masquerading" }, { "id": "T1123", "name": "Audio Capture", "display_name": "T1123 - Audio Capture" }, { "id": "T1055", "name": "Process Injection", "display_name": "T1055 - Process Injection" }, { "id": "T1082", "name": "System Information Discovery", "display_name": "T1082 - System Information Discovery" }, { "id": "T1112", "name": "Modify Registry", "display_name": "T1112 - Modify Registry" }, { "id": "T1143", "name": "Hidden Window", "display_name": "T1143 - Hidden Window" } ], "industries": [ "Government", "Healthcare" ], "TLP": "white", "cloned_from": null, "export_count": 31, "upvotes_count": 0, "downvotes_count": 0, "votes_count": 0, "locked": false, "pulse_source": "web", "validator_count": 0, "comment_count": 0, "follower_count": 0, "vote": 0, "author": { "username": "scoreblue", "id": "254100", "avatar_url": "/otxapi/users/avatar_image/media/avatars/user_254100/resized/80/avatar_3b9c358f36.png", "is_subscribed": false, "is_following": false }, "indicator_type_counts": { "URL": 4315, "FileHash-MD5": 573, "FileHash-SHA1": 550, "FileHash-SHA256": 4114, "domain": 4757, "hostname": 2075, "SSLCertFingerprint": 5, "email": 14, "CIDR": 1 }, "indicator_count": 16404, "is_author": false, "is_subscribing": null, "subscriber_count": 230, "modified_text": "551 days ago ", "is_modified": true, "groups": [], "in_group": false, "threat_hunter_scannable": true, "threat_hunter_has_agents": 1, "related_indicator_type": "domain", "related_indicator_is_active": 1 }, { "id": "656aafd0e93efa420f74123c", "name": "http://maxwam.tk/news/top-stories/widow-penalized-for-late-husband-s-legal-marijuana-use/769762335", "description": "", "modified": "2024-10-12T01:00:47.836000", "created": "2023-12-02T04:17:20.189000", "tags": [ "ssl certificate", "contacted", "threat roundup", "whois record", "communicating", "subdomains", "resolutions", "june", "july", "october", "august", "noname057", "generic malware", "ice fog", "tag count", "thu nov", "threat report", "ip summary", "url summary", "summary", "sample", "first", "generic", "detection list", "blacklist http", "cisco umbrella", "site", "heur", "alexa top", "safe site", "million", "malware", "alexa", "malware site", "malicious site", "unsafe", "artemis", "fakealert", "exploit", "opencandy", "riskware", "genkryptik", "iframe", "tiggre", "presenoker", "agent", "conduit", "wacatac", "phishing", "redline stealer", "dropper", "cobalt strike", "acint", "nircmd", "swrort", "downldr", "systweak", "behav", "crack", "filetour", "cleaner", "installpack", "xrat", "fusioncore", "azorult", "service", "runescape", "facebook", "bank", "download", "blacknet rat", "stealer", "maltiverse", "webtoolbar", "trojanspy", "united", "engineering", "cyber threat", "phishing site", "america", "emotet", "zbot", "malicious", "steam", "team", "indonesia", "miner", "ransomware", "ramnit", "pe resource", "historical ssl", "execution", "hacktool", "metasploit", "relic", "monitoring", "android", "skynet", "et", "anonymizer", "trojanx", "back", "laplasclipper", "win64", "trojan", "ghost rat", "suppobox", "asyncrat", "union", "samples", "blacklist", "malicious url", "hostname", "hostnames", "tsara brashears", "reinsurance", "pinnacol insurance", "industry and commerce", "state", "danger", "warning", "nr-data.net", "apple", "data.net", "asp.net", "domains", "hashes", "reverse dns", "general full", "resource", "software", "asn15169", "google", "url http", "server", "hash", "get h2", "main", "cookie", "thu dec", "germany", "frankfurt", "netherlands", "asn20446", "highwinds3", "page url", "search live", "api blog", "docs pricing", "tags", "november", "us summary", "http", "google safe", "browsing", "adware", "xtrat", "firehol", "microsoft", "control server", "services", "msil", "hiloti", "asn16509", "amazon02", "fastly", "asn54113", "prague", "login", "listen live", "centura health", "colorado jobs", "eeo public", "filing url", "blacklist https", "mimikatz", "beach research", "de indicators", "copyright", "gmbh version", "follow", "softcnapp", "philadelphia", "gamehack", "value", "line", "variables", "nreum", "postrelease", "url https", "security tls", "protocol h2", "name value", "scam", "gesponsert url", "outputldjh", "oid2", "uhis2", "uh1200", "uw1600", "uah1200", "uaw1600", "ucd24", "usd1", "utz60", "no data", "coinminer", "ip address", "exchange", "http attacker", "states", "jimburkedentistry", "leder-family", "adam lee", "erika lee", "malvertizing" ], "references": [ "http://maxwam.tk/news/top-stories/widow-penalized-for-late-husband-s-legal-marijuana-use/769762335", "https://www.denverpost.com/2018/07/17/marijuana-workers-compensation/amp/ Source", "http://jcsservices.in/gkqikjxn/index.php?pnz=jim@thejimburkefamily.com", "http://www.burkedentistry.com/Quarryville-Dentist-and-Staff/1567", "http://tracks.theleders.family", "photos.theleders.family", "http://45.159.189.105/bot/regex (tracks Tsara Brashears)", "45.159.189.105 (CNC IP \u2022 Tracking Tsara Brashears)", "http://mobtrack.trkclk.net", "https://otx.alienvault.com/indicator/url/https://www.anyxxxtube.net/search-porn/tsara-brashears/", "https://wallpapers-nature.com/tsara-brashears/tse1-mm-bing-net", "https://www.pornhub.com/gifs/search?search=tsara+lynn+brashears+lesbian", "nr-data.net", "https://wallpapers-nature.com/%20tsara-brashears/urlscan-io", "103.233.208.9 (CNC IP)", "apex.jquery.com (scammer | works for who?)", "api.useragentswitch.com", "bam-cell.nr-data.net (Apple Private Data Collection | since found, result continuously modified)", "dns.google (DNS client services - Doug Cole)", "https://www.9and10news.com/2021/09/17/fbi-releases-update-on-suspicious-packages-left-at-att-stores/", "https://api.openinstall.io/api/v2/android/otby76/init?certFinger=44:B4:38:61:15:B4:57:55:B5:BF:D1:6B:34:CC:60:72:DA:C7:40:CE&macAddress=6D:51:08:93:04:7B&serialNumber=&apiVersion=2.3.0&deviceId=&pkg=com.mobikok.ecoupon&version=8.1.0&installId=&androidId=91ed20d90734918e&versionCode=333\u00d7tamp=1684541379839", "apple-dns.net", "emails.redvue.com (apple DNS w/amvima)", "142.250.180.4 (init.ess)", "init.ess.apple.com (Highly malicious. Will infiltrate devices when exploited. Spyware)", "freeimdatingsites.thomasdobo.eu", "https://urlscan.io/result/07fe876e-8864-474f-8b32-ba2d50c9a242/#indicators", "https://urlscan.io/domain/maxwam.tk", "https://urlscan.io/result/e770a861-9818-4309-b31e-fd18510532a7/#indicators" ], "public": 1, "adversary": "", "targeted_countries": [ "United States of America" ], "malware_families": [ { "id": "Generic", "display_name": "Generic", "target": null }, { "id": "Maltiverse", "display_name": "Maltiverse", "target": null }, { "id": "WebToolbar", "display_name": "WebToolbar", "target": null }, { "id": "TrojanSpy", "display_name": "TrojanSpy", "target": null }, { "id": "ET", "display_name": "ET", "target": null }, { "id": "Beach Research", "display_name": "Beach Research", "target": null }, { "id": "GameHack", "display_name": "GameHack", "target": null }, { "id": "States", "display_name": "States", "target": null } ], "attack_ids": [ { "id": "T1140", "name": "Deobfuscate/Decode Files or Information", "display_name": "T1140 - Deobfuscate/Decode Files or Information" }, { "id": "T1027", "name": "Obfuscated Files or Information", "display_name": "T1027 - Obfuscated Files or Information" }, { "id": "T1566", "name": "Phishing", "display_name": "T1566 - Phishing" }, { "id": "T1176", "name": "Browser Extensions", "display_name": "T1176 - Browser Extensions" }, { "id": "T1123", "name": "Audio Capture", "display_name": "T1123 - Audio Capture" } ], "industries": [], "TLP": "white", "cloned_from": "6562908e28e6cdc237fbf8db", "export_count": 107, "upvotes_count": 0, "downvotes_count": 0, "votes_count": 0, "locked": false, "pulse_source": "web", "validator_count": 0, "comment_count": 0, "follower_count": 0, "vote": 0, "author": { "username": "scoreblue", "id": "254100", "avatar_url": "/otxapi/users/avatar_image/media/avatars/user_254100/resized/80/avatar_3b9c358f36.png", "is_subscribed": false, "is_following": false }, "indicator_type_counts": { "FileHash-MD5": 1956, "FileHash-SHA1": 867, "FileHash-SHA256": 3895, "URL": 11195, "domain": 2959, "hostname": 3575, "CVE": 16, "SSLCertFingerprint": 1, "email": 1 }, "indicator_count": 24465, "is_author": false, "is_subscribing": null, "subscriber_count": 230, "modified_text": "554 days ago ", "is_modified": true, "groups": [], "in_group": false, "threat_hunter_scannable": true, "threat_hunter_has_agents": 1, "related_indicator_type": "domain", "related_indicator_is_active": 1 }, { "id": "65b85e73efe2e053366ed972", "name": "https://www.hallrender.com/attorney/brian-sabey/", "description": "", "modified": "2024-09-05T06:21:34.047000", "created": "2024-01-30T02:26:59.218000", "tags": [ "ioc search", "new ioc", "teams api", "contact", "threat analyzer", "threat", "paste", "iocs", "hostnames", "urls https", "sample", "ssl certificate", "feeds ioc", "analyze", "whois record", "contacted", "historical ssl", "resolutions", "threat roundup", "referrer", "contacted urls", "august", "execution", "njrat", "ransomware", "gopher", "formbook", "whois ssl", "communicating", "obz4usfn0 url", "cfqirgdhj5 url", "obz4usfn0", "sfqh4dt74w0 url", "cfqirgdhj5", "localappdata", "temp", "getprocaddress", "windir", "ascii text", "mitre att", "file", "ck id", "show technique", "path", "factory", "hybrid", "http response", "final url", "serving ip", "address", "status code", "body length", "kb body", "sha256", "headers date", "gmt connection", "obz4usfn0 http", "cfqirgdhj5 http", "bundled", "dropped", "putty", "february", "july", "whois whois", "malware", "urls", "post", "vj87", "passive dns", "http", "unique", "ukhdaauqaaaaaac", "screenshot", "scan endpoints", "all octoseek", "code" ], "references": [ "https://www.hallrender.com/attorney/brian-sabey/", "https://hybrid-analysis.com/sample/ba72877899dffe3cfb08ab3b61d24e45325f0c27f3cec81e88e9dcf3f84f7098", "business-support.intel.com", "00000000000.cloudfront.net", "mobileaccess.intel.com", "artificial-legal-intelligence.com", "http://intel.net/.about.html", "http://medlineplus.gov.https.sci-hub.st", "https://hybrid-analysis.com/sample/ba72877899dffe3cfb08ab3b61d24e45325f0c27f3cec81e88e9dcf3f84f7098", "http://pl.gov-zaloguj.info", "http://apple.helptechnicalsupport.com/favicon.ico", "https://www.journaldev.com/41403/regex" ], "public": 1, "adversary": "", "targeted_countries": [], "malware_families": [ { "id": "NjRAT", "display_name": "NjRAT", "target": null }, { "id": "FormBook", "display_name": "FormBook", "target": null }, { "id": "Gopher", "display_name": "Gopher", "target": null }, { "id": "Ransomware", "display_name": "Ransomware", "target": null }, { "id": "Ascii Exploit", "display_name": "Ascii Exploit", "target": null } ], "attack_ids": [ { "id": "T1027", "name": "Obfuscated Files or Information", "display_name": "T1027 - Obfuscated Files or Information" }, { "id": "T1036", "name": "Masquerading", "display_name": "T1036 - Masquerading" }, { "id": "T1057", "name": "Process Discovery", "display_name": "T1057 - Process Discovery" }, { "id": "T1059", "name": "Command and Scripting Interpreter", "display_name": "T1059 - Command and Scripting Interpreter" }, { "id": "T1071", "name": "Application Layer Protocol", "display_name": "T1071 - Application Layer Protocol" }, { "id": "T1082", "name": "System Information Discovery", "display_name": "T1082 - System Information Discovery" }, { "id": "T1083", "name": "File and Directory Discovery", "display_name": "T1083 - File and Directory Discovery" }, { "id": "T1105", "name": "Ingress Tool Transfer", "display_name": "T1105 - Ingress Tool Transfer" }, { "id": "T1106", "name": "Native API", "display_name": "T1106 - Native API" }, { "id": "T1129", "name": "Shared Modules", "display_name": "T1129 - Shared Modules" }, { "id": "T1140", "name": "Deobfuscate/Decode Files or Information", "display_name": "T1140 - Deobfuscate/Decode Files or Information" }, { "id": "T1546", "name": "Event Triggered Execution", "display_name": "T1546 - Event Triggered Execution" }, { "id": "T1449", "name": "Exploit SS7 to Redirect Phone Calls/SMS", "display_name": "T1449 - Exploit SS7 to Redirect Phone Calls/SMS" } ], "industries": [], "TLP": "white", "cloned_from": "658b74ee93a0b0dc9c960cee", "export_count": 12, "upvotes_count": 0, "downvotes_count": 0, "votes_count": 0, "locked": false, "pulse_source": "web", "validator_count": 0, "comment_count": 0, "follower_count": 0, "vote": 0, "author": { "username": "scoreblue", "id": "254100", "avatar_url": "/otxapi/users/avatar_image/media/avatars/user_254100/resized/80/avatar_3b9c358f36.png", "is_subscribed": false, "is_following": false }, "indicator_type_counts": { "FileHash-MD5": 184, "FileHash-SHA1": 168, "FileHash-SHA256": 6145, "URL": 14252, "hostname": 4778, "domain": 6809, "CVE": 3 }, "indicator_count": 32339, "is_author": false, "is_subscribing": null, "subscriber_count": 227, "modified_text": "591 days ago ", "is_modified": true, "groups": [], "in_group": false, "threat_hunter_scannable": true, "threat_hunter_has_agents": 1, "related_indicator_type": "domain", "related_indicator_is_active": 1 }, { "id": "6696b803e3e4bfd92b52547a", "name": "click.bot", "description": "", "modified": "2024-08-15T18:03:45.531000", "created": "2024-07-16T18:12:18.670000", "tags": [ "united", "a domains", "aaaa", "unknown", "script urls", "meta", "moved", "script domains", "super hentai", "passive dns", "body", "date", "porno", "as396982 google", "united kingdom", "servers", "search", "encirca", "creation date", "dnssec", "domain name", "next", "formbook", "historical ssl", "malicious", "july", "malware", "as22612", "entries", "date hash", "avast avg", "scan endpoints", "all scoreblue", "ipv4", "sha1", "sha256", "et tor", "known tor", "relayrouter", "exit", "node traffic", "misc attack", "ascii text", "windows nt", "hybrid", "accept", "span", "general", "local", "click", "strings", "null", "contact" ], "references": [], "public": 1, "adversary": "", "targeted_countries": [ "United States of America" ], "malware_families": [], "attack_ids": [ { "id": "T1059", "name": "Command and Scripting Interpreter", "display_name": "T1059 - Command and Scripting Interpreter" }, { "id": "T1071", "name": "Application Layer Protocol", "display_name": "T1071 - Application Layer Protocol" }, { "id": "T1105", "name": "Ingress Tool Transfer", "display_name": "T1105 - Ingress Tool Transfer" }, { "id": "T1132", "name": "Data Encoding", "display_name": "T1132 - Data Encoding" }, { "id": "T1140", "name": "Deobfuscate/Decode Files or Information", "display_name": "T1140 - Deobfuscate/Decode Files or Information" }, { "id": "T1553", "name": "Subvert Trust Controls", "display_name": "T1553 - Subvert Trust Controls" }, { "id": "T1568", "name": "Dynamic Resolution", "display_name": "T1568 - Dynamic Resolution" }, { "id": "T1583", "name": "Acquire Infrastructure", "display_name": "T1583 - Acquire Infrastructure" } ], "industries": [], "TLP": "green", "cloned_from": null, "export_count": 9, "upvotes_count": 0, "downvotes_count": 0, "votes_count": 0, "locked": false, "pulse_source": "web", "validator_count": 0, "comment_count": 0, "follower_count": 0, "vote": 0, "author": { "username": "scoreblue", "id": "254100", "avatar_url": "/otxapi/users/avatar_image/media/avatars/user_254100/resized/80/avatar_3b9c358f36.png", "is_subscribed": false, "is_following": false }, "indicator_type_counts": { "domain": 1285, "email": 1, "hostname": 370, "URL": 1334, "FileHash-MD5": 80, "FileHash-SHA1": 80, "FileHash-SHA256": 802, "SSLCertFingerprint": 7 }, "indicator_count": 3959, "is_author": false, "is_subscribing": null, "subscriber_count": 224, "modified_text": "611 days ago ", "is_modified": true, "groups": [], "in_group": false, "threat_hunter_scannable": true, "threat_hunter_has_agents": 1, "related_indicator_type": "domain", "related_indicator_is_active": 1 }, { "id": "65eba0786d5bbd4f31a60c17", "name": "Injection \u2022 FormBook", "description": "", "modified": "2024-04-04T19:04:12.599000", "created": "2024-03-08T23:34:16.648000", "tags": [ "ssl certificate", "whois record", "execution", "march", "historical ssl", "threat roundup", "contacted", "referrer", "resolutions", "siblings domain", "malicious", "malware", "metro", "whois whois", "hackers utilize", "contacted urls", "lowfi", "date hash", "avast avg", "msdefender feb", "vendor finding", "notes avast", "win32", "ms defender", "trojanspy", "files matching", "number", "sample analysis", "copy", "hide samples", "as133618", "trojan", "passive dns", "ransom", "entries", "scan endpoints", "all octoseek", "ipv4", "pulse pulses", "encrypt", "virtool", "body", "click", "date", "artro", "script urls", "asnone united", "unknown", "as2635", "united", "search", "showing", "title", "moved", "script domains", "bypass", "tools", "meta", "cookie", "next", "urls", "address", "creation date", "dnssec", "protect", "threat", "paste", "iocs", "urls http", "xfbml1", "t1676916559", "ucddaocjgah", "rhttps", "hostname", "virgin islands", "cname", "as47846", "germany unknown", "as44273 host", "as45638", "pty ltd", "name servers", "hostnames", "urls https", "cryp", "bq apr", "servers", "pulse submit", "url analysis", "files", "ip address", "domain", "emails", "expiration date", "canada unknown", "dynamicloader", "yara rule", "high", "medium", "formbook cnc", "checkin", "cape", "formbook", "windows", "rc2i", "powershell", "write", "mccormick", "photos", "design og", "html info", "title works", "design meta", "tags og", "wordpress", "woocommerce", "design trackers", "status", "as131316 slnet", "as14061", "win32upatre mar", "win32imali mar", "injection", "http response", "final url", "serving ip", "status code", "body length", "kb body", "sha256", "acceptencoding", "apache", "upgrade", "keepalive", "show", "pe32", "intel", "ms windows", "markus", "hallrender", "songculture attacked", "tsara brashears", "scott mccormick", "aurora", "colorado", "rexxfield", "m brian sabey", "rally", "analyze", "targeted", "nxdomain", "as397240", "as22612", "record value", "for privacy", "aaaa", "alienvault", "open threat", "hit", "men", "man", "reredrum", "monitoring" ], "references": [ "https://www.mccormick-designs.com", "http://www.sheraises.com/wcur/ [phishing]", "https://rmy1o3xp-d182-v9.klinika-rekonstruktivnoj-kosmetologii-na-ulitse-lenina.ru/ [Botnet]", "72.167.124.187 [phishing]", "http://track.getportal.net/trackcnt/Kvg48RpSKKFNkW8e/?data=L4300109", "track.getportal.net \u2022 logs.getportal.net \u2022 morda.getportal.net", "http://em.onedirect.in/ls/click?upn=7RLF-2FDQ4RqYaRQtlnfvOgvQ66wDRlCqFovy2-2BXJwRBId7DR0PEPeiDPgFR0O6bb0FsljUHxEKK6C5a36-2FIswwfy8i49p0CmfV", "www.jamesbgriffinlaw.com (toolbox)", "http://www.kavyadigitalservices.com/wp-content/plugins/revslider/temp/update_extract/revslider/terms.php?id=3384758333", "nr-data.net [Apple Private Data Collection]", "applephonenw.com [governmentattic]", "device-local-3fea3945-5a69-47b5-9512-efa9e952b40e.remotewd.com", "https://r-login.wordpress.com/remote-login.php?wpcom_remote_login=key&origin=aHR0cHM6Ly9pbnRoZXBsb3R0aW5nc2hlZC5jb20%3D&wpcomid=113013957&time=1676916558", "jesusandcoffee.com [governmentattic.org] jajaja not funny freaks", "http://mcbut.live (Not present? Absent today - unexcused)", "thecomments.app" ], "public": 1, "adversary": "", "targeted_countries": [ "Australia", "United States of America" ], "malware_families": [ { "id": "Win32:Malware-gen", "display_name": "Win32:Malware-gen", "target": null }, { "id": "TrojanSpy:Win32/Nivdort", "display_name": "TrojanSpy:Win32/Nivdort", "target": "/malware/TrojanSpy:Win32/Nivdort" }, { "id": "Artro", "display_name": "Artro", "target": null }, { "id": "Ransom:Win32/Teerac.A", "display_name": "Ransom:Win32/Teerac.A", "target": "/malware/Ransom:Win32/Teerac.A" }, { "id": "Trojan:Win32/Neconyd.A", "display_name": "Trojan:Win32/Neconyd.A", "target": "/malware/Trojan:Win32/Neconyd.A" }, { "id": "VirTool:Win32/Injector.gen!BQ", "display_name": "VirTool:Win32/Injector.gen!BQ", "target": "/malware/VirTool:Win32/Injector.gen!BQ" }, { "id": "TrojanDownloader:Win32/Upatre.O", "display_name": "TrojanDownloader:Win32/Upatre.O", "target": "/malware/TrojanDownloader:Win32/Upatre.O" }, { "id": "TrojanDownloader:Win32/Upatre", "display_name": "TrojanDownloader:Win32/Upatre", "target": "/malware/TrojanDownloader:Win32/Upatre" }, { "id": "ALF:JASYP:TrojanDownloader:Win32/Startpage!atmn", "display_name": "ALF:JASYP:TrojanDownloader:Win32/Startpage!atmn", "target": null }, { "id": "#Lowfi:HSTR:Win32/AirInstaller.B", "display_name": "#Lowfi:HSTR:Win32/AirInstaller.B", "target": null }, { "id": "Win.Trojan", "display_name": "Win.Trojan", "target": null }, { "id": "Win.Trojan.Zbot-64721", "display_name": "Win.Trojan.Zbot-64721", "target": null }, { "id": "Win.Dropper.Remcos-9970861-0", "display_name": "Win.Dropper.Remcos-9970861-0", "target": null }, { "id": "ALF:HeraklezEval:PUA:Win32/Imali", "display_name": "ALF:HeraklezEval:PUA:Win32/Imali", "target": null }, { "id": "Win.Trojan.NSIS-41", "display_name": "Win.Trojan.NSIS-41", "target": null }, { "id": "Win.Trojan.Airinstall-1", "display_name": "Win.Trojan.Airinstall-1", "target": null } ], "attack_ids": [ { "id": "T1055", "name": "Process Injection", "display_name": "T1055 - Process Injection" }, { "id": "T1059.007", "name": "JavaScript", "display_name": "T1059.007 - JavaScript" }, { "id": "T1129", "name": "Shared Modules", "display_name": "T1129 - Shared Modules" }, { "id": "T1547.006", "name": "Kernel Modules and Extensions", "display_name": "T1547.006 - Kernel Modules and Extensions" }, { "id": "T1027", "name": "Obfuscated Files or Information", "display_name": "T1027 - Obfuscated Files or Information" }, { "id": "T1105", "name": "Ingress Tool Transfer", "display_name": "T1105 - Ingress Tool Transfer" }, { "id": "T1071", "name": "Application Layer Protocol", "display_name": "T1071 - Application Layer Protocol" }, { "id": "T1071.004", "name": "DNS", "display_name": "T1071.004 - DNS" }, { "id": "TA0011", "name": "Command and Control", "display_name": "TA0011 - Command and Control" }, { "id": "T1566", "name": "Phishing", "display_name": "T1566 - Phishing" }, { "id": "T1598", "name": "Phishing for Information", "display_name": "T1598 - Phishing for Information" }, { "id": "T1068", "name": "Exploitation for Privilege Escalation", "display_name": "T1068 - Exploitation for Privilege Escalation" }, { "id": "T1439", "name": "Eavesdrop on Insecure Network Communication", "display_name": "T1439 - Eavesdrop on Insecure Network Communication" }, { "id": "T1029", "name": "Scheduled Transfer", "display_name": "T1029 - Scheduled Transfer" }, { "id": "T1158", "name": "Hidden Files and Directories", "display_name": "T1158 - Hidden Files and Directories" }, { "id": "T1140", "name": "Deobfuscate/Decode Files or Information", "display_name": "T1140 - Deobfuscate/Decode Files or Information" }, { "id": "T1098", "name": "Account Manipulation", "display_name": "T1098 - Account Manipulation" } ], "industries": [], "TLP": "white", "cloned_from": "65e77c7c488546842f94848c", "export_count": 62, "upvotes_count": 0, "downvotes_count": 0, "votes_count": 0, "locked": false, "pulse_source": "web", "validator_count": 0, "comment_count": 0, "follower_count": 0, "vote": 0, "author": { "username": "scoreblue", "id": "254100", "avatar_url": "/otxapi/users/avatar_image/media/avatars/user_254100/resized/80/avatar_3b9c358f36.png", "is_subscribed": false, "is_following": false }, "indicator_type_counts": { "URL": 4708, "hostname": 1810, "FileHash-MD5": 254, "FileHash-SHA1": 213, "FileHash-SHA256": 1631, "domain": 2741, "CVE": 3, "email": 11 }, "indicator_count": 11371, "is_author": false, "is_subscribing": null, "subscriber_count": 226, "modified_text": "744 days ago ", "is_modified": true, "groups": [], "in_group": false, "threat_hunter_scannable": true, "threat_hunter_has_agents": 1, "related_indicator_type": "domain", "related_indicator_is_active": 1 }, { "id": "65ea63bd597387fdaccd36bd", "name": "Injection \u2022 FormBook", "description": "", "modified": "2024-04-04T19:04:12.599000", "created": "2024-03-08T01:02:53.039000", "tags": [ "ssl certificate", "whois record", "execution", "march", "historical ssl", "threat roundup", "contacted", "referrer", "resolutions", "siblings domain", "malicious", "malware", "metro", "whois whois", "hackers utilize", "contacted urls", "lowfi", "date hash", "avast avg", "msdefender feb", "vendor finding", "notes avast", "win32", "ms defender", "trojanspy", "files matching", "number", "sample analysis", "copy", "hide samples", "as133618", "trojan", "passive dns", "ransom", "entries", "scan endpoints", "all octoseek", "ipv4", "pulse pulses", "encrypt", "virtool", "body", "click", "date", "artro", "script urls", "asnone united", "unknown", "as2635", "united", "search", "showing", "title", "moved", "script domains", "bypass", "tools", "meta", "cookie", "next", "urls", "address", "creation date", "dnssec", "protect", "threat", "paste", "iocs", "urls http", "xfbml1", "t1676916559", "ucddaocjgah", "rhttps", "hostname", "virgin islands", "cname", "as47846", "germany unknown", "as44273 host", "as45638", "pty ltd", "name servers", "hostnames", "urls https", "cryp", "bq apr", "servers", "pulse submit", "url analysis", "files", "ip address", "domain", "emails", "expiration date", "canada unknown", "dynamicloader", "yara rule", "high", "medium", "formbook cnc", "checkin", "cape", "formbook", "windows", "rc2i", "powershell", "write", "mccormick", "photos", "design og", "html info", "title works", "design meta", "tags og", "wordpress", "woocommerce", "design trackers", "status", "as131316 slnet", "as14061", "win32upatre mar", "win32imali mar", "injection", "http response", "final url", "serving ip", "status code", "body length", "kb body", "sha256", "acceptencoding", "apache", "upgrade", "keepalive", "show", "pe32", "intel", "ms windows", "markus", "hallrender", "songculture attacked", "tsara brashears", "scott mccormick", "aurora", "colorado", "rexxfield", "m brian sabey", "rally", "analyze", "targeted", "nxdomain", "as397240", "as22612", "record value", "for privacy", "aaaa", "alienvault", "open threat", "hit", "men", "man", "reredrum", "monitoring" ], "references": [ "https://www.mccormick-designs.com", "http://www.sheraises.com/wcur/ [phishing]", "https://rmy1o3xp-d182-v9.klinika-rekonstruktivnoj-kosmetologii-na-ulitse-lenina.ru/ [Botnet]", "72.167.124.187 [phishing]", "http://track.getportal.net/trackcnt/Kvg48RpSKKFNkW8e/?data=L4300109", "track.getportal.net \u2022 logs.getportal.net \u2022 morda.getportal.net", "http://em.onedirect.in/ls/click?upn=7RLF-2FDQ4RqYaRQtlnfvOgvQ66wDRlCqFovy2-2BXJwRBId7DR0PEPeiDPgFR0O6bb0FsljUHxEKK6C5a36-2FIswwfy8i49p0CmfV", "www.jamesbgriffinlaw.com (toolbox)", "http://www.kavyadigitalservices.com/wp-content/plugins/revslider/temp/update_extract/revslider/terms.php?id=3384758333", "nr-data.net [Apple Private Data Collection]", "applephonenw.com [governmentattic]", "device-local-3fea3945-5a69-47b5-9512-efa9e952b40e.remotewd.com", "https://r-login.wordpress.com/remote-login.php?wpcom_remote_login=key&origin=aHR0cHM6Ly9pbnRoZXBsb3R0aW5nc2hlZC5jb20%3D&wpcomid=113013957&time=1676916558", "jesusandcoffee.com [governmentattic.org] jajaja not funny freaks", "http://mcbut.live (Not present? Absent today - unexcused)", "thecomments.app" ], "public": 1, "adversary": "", "targeted_countries": [ "Australia", "United States of America" ], "malware_families": [ { "id": "Win32:Malware-gen", "display_name": "Win32:Malware-gen", "target": null }, { "id": "TrojanSpy:Win32/Nivdort", "display_name": "TrojanSpy:Win32/Nivdort", "target": "/malware/TrojanSpy:Win32/Nivdort" }, { "id": "Artro", "display_name": "Artro", "target": null }, { "id": "Ransom:Win32/Teerac.A", "display_name": "Ransom:Win32/Teerac.A", "target": "/malware/Ransom:Win32/Teerac.A" }, { "id": "Trojan:Win32/Neconyd.A", "display_name": "Trojan:Win32/Neconyd.A", "target": "/malware/Trojan:Win32/Neconyd.A" }, { "id": "VirTool:Win32/Injector.gen!BQ", "display_name": "VirTool:Win32/Injector.gen!BQ", "target": "/malware/VirTool:Win32/Injector.gen!BQ" }, { "id": "TrojanDownloader:Win32/Upatre.O", "display_name": "TrojanDownloader:Win32/Upatre.O", "target": "/malware/TrojanDownloader:Win32/Upatre.O" }, { "id": "TrojanDownloader:Win32/Upatre", "display_name": "TrojanDownloader:Win32/Upatre", "target": "/malware/TrojanDownloader:Win32/Upatre" }, { "id": "ALF:JASYP:TrojanDownloader:Win32/Startpage!atmn", "display_name": "ALF:JASYP:TrojanDownloader:Win32/Startpage!atmn", "target": null }, { "id": "#Lowfi:HSTR:Win32/AirInstaller.B", "display_name": "#Lowfi:HSTR:Win32/AirInstaller.B", "target": null }, { "id": "Win.Trojan", "display_name": "Win.Trojan", "target": null }, { "id": "Win.Trojan.Zbot-64721", "display_name": "Win.Trojan.Zbot-64721", "target": null }, { "id": "Win.Dropper.Remcos-9970861-0", "display_name": "Win.Dropper.Remcos-9970861-0", "target": null }, { "id": "ALF:HeraklezEval:PUA:Win32/Imali", "display_name": "ALF:HeraklezEval:PUA:Win32/Imali", "target": null }, { "id": "Win.Trojan.NSIS-41", "display_name": "Win.Trojan.NSIS-41", "target": null }, { "id": "Win.Trojan.Airinstall-1", "display_name": "Win.Trojan.Airinstall-1", "target": null } ], "attack_ids": [ { "id": "T1055", "name": "Process Injection", "display_name": "T1055 - Process Injection" }, { "id": "T1059.007", "name": "JavaScript", "display_name": "T1059.007 - JavaScript" }, { "id": "T1129", "name": "Shared Modules", "display_name": "T1129 - Shared Modules" }, { "id": "T1547.006", "name": "Kernel Modules and Extensions", "display_name": "T1547.006 - Kernel Modules and Extensions" }, { "id": "T1027", "name": "Obfuscated Files or Information", "display_name": "T1027 - Obfuscated Files or Information" }, { "id": "T1105", "name": "Ingress Tool Transfer", "display_name": "T1105 - Ingress Tool Transfer" }, { "id": "T1071", "name": "Application Layer Protocol", "display_name": "T1071 - Application Layer Protocol" }, { "id": "T1071.004", "name": "DNS", "display_name": "T1071.004 - DNS" }, { "id": "TA0011", "name": "Command and Control", "display_name": "TA0011 - Command and Control" }, { "id": "T1566", "name": "Phishing", "display_name": "T1566 - Phishing" }, { "id": "T1598", "name": "Phishing for Information", "display_name": "T1598 - Phishing for Information" }, { "id": "T1068", "name": "Exploitation for Privilege Escalation", "display_name": "T1068 - Exploitation for Privilege Escalation" }, { "id": "T1439", "name": "Eavesdrop on Insecure Network Communication", "display_name": "T1439 - Eavesdrop on Insecure Network Communication" }, { "id": "T1029", "name": "Scheduled Transfer", "display_name": "T1029 - Scheduled Transfer" }, { "id": "T1158", "name": "Hidden Files and Directories", "display_name": "T1158 - Hidden Files and Directories" }, { "id": "T1140", "name": "Deobfuscate/Decode Files or Information", "display_name": "T1140 - Deobfuscate/Decode Files or Information" }, { "id": "T1098", "name": "Account Manipulation", "display_name": "T1098 - Account Manipulation" } ], "industries": [], "TLP": "white", "cloned_from": "65e77c7c488546842f94848c", "export_count": 60, "upvotes_count": 0, "downvotes_count": 0, "votes_count": 0, "locked": false, "pulse_source": "web", "validator_count": 0, "comment_count": 0, "follower_count": 0, "vote": 0, "author": { "username": "scoreblue", "id": "254100", "avatar_url": "/otxapi/users/avatar_image/media/avatars/user_254100/resized/80/avatar_3b9c358f36.png", "is_subscribed": false, "is_following": false }, "indicator_type_counts": { "URL": 4708, "hostname": 1810, "FileHash-MD5": 254, "FileHash-SHA1": 213, "FileHash-SHA256": 1631, "domain": 2741, "CVE": 3, "email": 11 }, "indicator_count": 11371, "is_author": false, "is_subscribing": null, "subscriber_count": 224, "modified_text": "744 days ago ", "is_modified": true, "groups": [], "in_group": false, "threat_hunter_scannable": true, "threat_hunter_has_agents": 1, "related_indicator_type": "domain", "related_indicator_is_active": 1 }, { "id": "65e7832f3d5621ae81a5c4c2", "name": "Injection \u2022 FormBook ", "description": "", "modified": "2024-04-04T19:04:12.599000", "created": "2024-03-05T20:40:15.678000", "tags": [ "ssl certificate", "whois record", "execution", "march", "historical ssl", "threat roundup", "contacted", "referrer", "resolutions", "siblings domain", "malicious", "malware", "metro", "whois whois", "hackers utilize", "contacted urls", "lowfi", "date hash", "avast avg", "msdefender feb", "vendor finding", "notes avast", "win32", "ms defender", "trojanspy", "files matching", "number", "sample analysis", "copy", "hide samples", "as133618", "trojan", "passive dns", "ransom", "entries", "scan endpoints", "all octoseek", "ipv4", "pulse pulses", "encrypt", "virtool", "body", "click", "date", "artro", "script urls", "asnone united", "unknown", "as2635", "united", "search", "showing", "title", "moved", "script domains", "bypass", "tools", "meta", "cookie", "next", "urls", "address", "creation date", "dnssec", "protect", "threat", "paste", "iocs", "urls http", "xfbml1", "t1676916559", "ucddaocjgah", "rhttps", "hostname", "virgin islands", "cname", "as47846", "germany unknown", "as44273 host", "as45638", "pty ltd", "name servers", "hostnames", "urls https", "cryp", "bq apr", "servers", "pulse submit", "url analysis", "files", "ip address", "domain", "emails", "expiration date", "canada unknown", "dynamicloader", "yara rule", "high", "medium", "formbook cnc", "checkin", "cape", "formbook", "windows", "rc2i", "powershell", "write", "mccormick", "photos", "design og", "html info", "title works", "design meta", "tags og", "wordpress", "woocommerce", "design trackers", "status", "as131316 slnet", "as14061", "win32upatre mar", "win32imali mar", "injection", "http response", "final url", "serving ip", "status code", "body length", "kb body", "sha256", "acceptencoding", "apache", "upgrade", "keepalive", "show", "pe32", "intel", "ms windows", "markus", "hallrender", "songculture attacked", "tsara brashears", "scott mccormick", "aurora", "colorado", "rexxfield", "m brian sabey", "rally", "analyze", "targeted", "nxdomain", "as397240", "as22612", "record value", "for privacy", "aaaa", "alienvault", "open threat", "hit", "men", "man", "reredrum", "monitoring" ], "references": [ "https://www.mccormick-designs.com", "http://www.sheraises.com/wcur/ [phishing]", "https://rmy1o3xp-d182-v9.klinika-rekonstruktivnoj-kosmetologii-na-ulitse-lenina.ru/ [Botnet]", "72.167.124.187 [phishing]", "http://track.getportal.net/trackcnt/Kvg48RpSKKFNkW8e/?data=L4300109", "track.getportal.net \u2022 logs.getportal.net \u2022 morda.getportal.net", "http://em.onedirect.in/ls/click?upn=7RLF-2FDQ4RqYaRQtlnfvOgvQ66wDRlCqFovy2-2BXJwRBId7DR0PEPeiDPgFR0O6bb0FsljUHxEKK6C5a36-2FIswwfy8i49p0CmfV", "www.jamesbgriffinlaw.com (toolbox)", "http://www.kavyadigitalservices.com/wp-content/plugins/revslider/temp/update_extract/revslider/terms.php?id=3384758333", "nr-data.net [Apple Private Data Collection]", "applephonenw.com [governmentattic]", "device-local-3fea3945-5a69-47b5-9512-efa9e952b40e.remotewd.com", "https://r-login.wordpress.com/remote-login.php?wpcom_remote_login=key&origin=aHR0cHM6Ly9pbnRoZXBsb3R0aW5nc2hlZC5jb20%3D&wpcomid=113013957&time=1676916558", "jesusandcoffee.com [governmentattic.org] jajaja not funny freaks", "http://mcbut.live (Not present? Absent today - unexcused)", "thecomments.app" ], "public": 1, "adversary": "", "targeted_countries": [ "Australia", "United States of America" ], "malware_families": [ { "id": "Win32:Malware-gen", "display_name": "Win32:Malware-gen", "target": null }, { "id": "TrojanSpy:Win32/Nivdort", "display_name": "TrojanSpy:Win32/Nivdort", "target": "/malware/TrojanSpy:Win32/Nivdort" }, { "id": "Artro", "display_name": "Artro", "target": null }, { "id": "Ransom:Win32/Teerac.A", "display_name": "Ransom:Win32/Teerac.A", "target": "/malware/Ransom:Win32/Teerac.A" }, { "id": "Trojan:Win32/Neconyd.A", "display_name": "Trojan:Win32/Neconyd.A", "target": "/malware/Trojan:Win32/Neconyd.A" }, { "id": "VirTool:Win32/Injector.gen!BQ", "display_name": "VirTool:Win32/Injector.gen!BQ", "target": "/malware/VirTool:Win32/Injector.gen!BQ" }, { "id": "TrojanDownloader:Win32/Upatre.O", "display_name": "TrojanDownloader:Win32/Upatre.O", "target": "/malware/TrojanDownloader:Win32/Upatre.O" }, { "id": "TrojanDownloader:Win32/Upatre", "display_name": "TrojanDownloader:Win32/Upatre", "target": "/malware/TrojanDownloader:Win32/Upatre" }, { "id": "ALF:JASYP:TrojanDownloader:Win32/Startpage!atmn", "display_name": "ALF:JASYP:TrojanDownloader:Win32/Startpage!atmn", "target": null }, { "id": "#Lowfi:HSTR:Win32/AirInstaller.B", "display_name": "#Lowfi:HSTR:Win32/AirInstaller.B", "target": null }, { "id": "Win.Trojan", "display_name": "Win.Trojan", "target": null }, { "id": "Win.Trojan.Zbot-64721", "display_name": "Win.Trojan.Zbot-64721", "target": null }, { "id": "Win.Dropper.Remcos-9970861-0", "display_name": "Win.Dropper.Remcos-9970861-0", "target": null }, { "id": "ALF:HeraklezEval:PUA:Win32/Imali", "display_name": "ALF:HeraklezEval:PUA:Win32/Imali", "target": null }, { "id": "Win.Trojan.NSIS-41", "display_name": "Win.Trojan.NSIS-41", "target": null }, { "id": "Win.Trojan.Airinstall-1", "display_name": "Win.Trojan.Airinstall-1", "target": null } ], "attack_ids": [ { "id": "T1055", "name": "Process Injection", "display_name": "T1055 - Process Injection" }, { "id": "T1059.007", "name": "JavaScript", "display_name": "T1059.007 - JavaScript" }, { "id": "T1129", "name": "Shared Modules", "display_name": "T1129 - Shared Modules" }, { "id": "T1547.006", "name": "Kernel Modules and Extensions", "display_name": "T1547.006 - Kernel Modules and Extensions" }, { "id": "T1027", "name": "Obfuscated Files or Information", "display_name": "T1027 - Obfuscated Files or Information" }, { "id": "T1105", "name": "Ingress Tool Transfer", "display_name": "T1105 - Ingress Tool Transfer" }, { "id": "T1071", "name": "Application Layer Protocol", "display_name": "T1071 - Application Layer Protocol" }, { "id": "T1071.004", "name": "DNS", "display_name": "T1071.004 - DNS" }, { "id": "TA0011", "name": "Command and Control", "display_name": "TA0011 - Command and Control" }, { "id": "T1566", "name": "Phishing", "display_name": "T1566 - Phishing" }, { "id": "T1598", "name": "Phishing for Information", "display_name": "T1598 - Phishing for Information" }, { "id": "T1068", "name": "Exploitation for Privilege Escalation", "display_name": "T1068 - Exploitation for Privilege Escalation" }, { "id": "T1439", "name": "Eavesdrop on Insecure Network Communication", "display_name": "T1439 - Eavesdrop on Insecure Network Communication" }, { "id": "T1029", "name": "Scheduled Transfer", "display_name": "T1029 - Scheduled Transfer" }, { "id": "T1158", "name": "Hidden Files and Directories", "display_name": "T1158 - Hidden Files and Directories" }, { "id": "T1140", "name": "Deobfuscate/Decode Files or Information", "display_name": "T1140 - Deobfuscate/Decode Files or Information" }, { "id": "T1098", "name": "Account Manipulation", "display_name": "T1098 - Account Manipulation" } ], "industries": [], "TLP": "white", "cloned_from": "65e77c7c488546842f94848c", "export_count": 63, "upvotes_count": 0, "downvotes_count": 0, "votes_count": 0, "locked": false, "pulse_source": "web", "validator_count": 0, "comment_count": 0, "follower_count": 0, "vote": 0, "author": { "username": "scoreblue", "id": "254100", "avatar_url": "/otxapi/users/avatar_image/media/avatars/user_254100/resized/80/avatar_3b9c358f36.png", "is_subscribed": false, "is_following": false }, "indicator_type_counts": { "URL": 4708, "hostname": 1810, "FileHash-MD5": 254, "FileHash-SHA1": 213, "FileHash-SHA256": 1631, "domain": 2741, "CVE": 3, "email": 11 }, "indicator_count": 11371, "is_author": false, "is_subscribing": null, "subscriber_count": 224, "modified_text": "744 days ago ", "is_modified": true, "groups": [], "in_group": false, "threat_hunter_scannable": true, "threat_hunter_has_agents": 1, "related_indicator_type": "domain", "related_indicator_is_active": 1 }, { "id": "65e77c7c488546842f94848c", "name": "Injection \u2022 FormBook", "description": "Insane", "modified": "2024-04-04T19:04:12.599000", "created": "2024-03-05T20:11:40.389000", "tags": [ "ssl certificate", "whois record", "execution", "march", "historical ssl", "threat roundup", "contacted", "referrer", "resolutions", "siblings domain", "malicious", "malware", "metro", "whois whois", "hackers utilize", "contacted urls", "lowfi", "date hash", "avast avg", "msdefender feb", "vendor finding", "notes avast", "win32", "ms defender", "trojanspy", "files matching", "number", "sample analysis", "copy", "hide samples", "as133618", "trojan", "passive dns", "ransom", "entries", "scan endpoints", "all octoseek", "ipv4", "pulse pulses", "encrypt", "virtool", "body", "click", "date", "artro", "script urls", "asnone united", "unknown", "as2635", "united", "search", "showing", "title", "moved", "script domains", "bypass", "tools", "meta", "cookie", "next", "urls", "address", "creation date", "dnssec", "protect", "threat", "paste", "iocs", "urls http", "xfbml1", "t1676916559", "ucddaocjgah", "rhttps", "hostname", "virgin islands", "cname", "as47846", "germany unknown", "as44273 host", "as45638", "pty ltd", "name servers", "hostnames", "urls https", "cryp", "bq apr", "servers", "pulse submit", "url analysis", "files", "ip address", "domain", "emails", "expiration date", "canada unknown", "dynamicloader", "yara rule", "high", "medium", "formbook cnc", "checkin", "cape", "formbook", "windows", "rc2i", "powershell", "write", "mccormick", "photos", "design og", "html info", "title works", "design meta", "tags og", "wordpress", "woocommerce", "design trackers", "status", "as131316 slnet", "as14061", "win32upatre mar", "win32imali mar", "injection", "http response", "final url", "serving ip", "status code", "body length", "kb body", "sha256", "acceptencoding", "apache", "upgrade", "keepalive", "show", "pe32", "intel", "ms windows", "markus", "hallrender", "songculture attacked", "tsara brashears", "scott mccormick", "aurora", "colorado", "rexxfield", "m brian sabey", "rally", "analyze", "targeted", "nxdomain", "as397240", "as22612", "record value", "for privacy", "aaaa", "alienvault", "open threat", "hit", "men", "man", "reredrum", "monitoring" ], "references": [ "https://www.mccormick-designs.com", "http://www.sheraises.com/wcur/ [phishing]", "https://rmy1o3xp-d182-v9.klinika-rekonstruktivnoj-kosmetologii-na-ulitse-lenina.ru/ [Botnet]", "72.167.124.187 [phishing]", "http://track.getportal.net/trackcnt/Kvg48RpSKKFNkW8e/?data=L4300109", "track.getportal.net \u2022 logs.getportal.net \u2022 morda.getportal.net", "http://em.onedirect.in/ls/click?upn=7RLF-2FDQ4RqYaRQtlnfvOgvQ66wDRlCqFovy2-2BXJwRBId7DR0PEPeiDPgFR0O6bb0FsljUHxEKK6C5a36-2FIswwfy8i49p0CmfV", "www.jamesbgriffinlaw.com (toolbox)", "http://www.kavyadigitalservices.com/wp-content/plugins/revslider/temp/update_extract/revslider/terms.php?id=3384758333", "nr-data.net [Apple Private Data Collection]", "applephonenw.com [governmentattic]", "device-local-3fea3945-5a69-47b5-9512-efa9e952b40e.remotewd.com", "https://r-login.wordpress.com/remote-login.php?wpcom_remote_login=key&origin=aHR0cHM6Ly9pbnRoZXBsb3R0aW5nc2hlZC5jb20%3D&wpcomid=113013957&time=1676916558", "jesusandcoffee.com [governmentattic.org] jajaja not funny freaks", "http://mcbut.live (Not present? Absent today - unexcused)", "thecomments.app" ], "public": 1, "adversary": "", "targeted_countries": [ "Australia", "United States of America" ], "malware_families": [ { "id": "Win32:Malware-gen", "display_name": "Win32:Malware-gen", "target": null }, { "id": "TrojanSpy:Win32/Nivdort", "display_name": "TrojanSpy:Win32/Nivdort", "target": "/malware/TrojanSpy:Win32/Nivdort" }, { "id": "Artro", "display_name": "Artro", "target": null }, { "id": "Ransom:Win32/Teerac.A", "display_name": "Ransom:Win32/Teerac.A", "target": "/malware/Ransom:Win32/Teerac.A" }, { "id": "Trojan:Win32/Neconyd.A", "display_name": "Trojan:Win32/Neconyd.A", "target": "/malware/Trojan:Win32/Neconyd.A" }, { "id": "VirTool:Win32/Injector.gen!BQ", "display_name": "VirTool:Win32/Injector.gen!BQ", "target": "/malware/VirTool:Win32/Injector.gen!BQ" }, { "id": "TrojanDownloader:Win32/Upatre.O", "display_name": "TrojanDownloader:Win32/Upatre.O", "target": "/malware/TrojanDownloader:Win32/Upatre.O" }, { "id": "TrojanDownloader:Win32/Upatre", "display_name": "TrojanDownloader:Win32/Upatre", "target": "/malware/TrojanDownloader:Win32/Upatre" }, { "id": "ALF:JASYP:TrojanDownloader:Win32/Startpage!atmn", "display_name": "ALF:JASYP:TrojanDownloader:Win32/Startpage!atmn", "target": null }, { "id": "#Lowfi:HSTR:Win32/AirInstaller.B", "display_name": "#Lowfi:HSTR:Win32/AirInstaller.B", "target": null }, { "id": "Win.Trojan", "display_name": "Win.Trojan", "target": null }, { "id": "Win.Trojan.Zbot-64721", "display_name": "Win.Trojan.Zbot-64721", "target": null }, { "id": "Win.Dropper.Remcos-9970861-0", "display_name": "Win.Dropper.Remcos-9970861-0", "target": null }, { "id": "ALF:HeraklezEval:PUA:Win32/Imali", "display_name": "ALF:HeraklezEval:PUA:Win32/Imali", "target": null }, { "id": "Win.Trojan.NSIS-41", "display_name": "Win.Trojan.NSIS-41", "target": null }, { "id": "Win.Trojan.Airinstall-1", "display_name": "Win.Trojan.Airinstall-1", "target": null } ], "attack_ids": [ { "id": "T1055", "name": "Process Injection", "display_name": "T1055 - Process Injection" }, { "id": "T1059.007", "name": "JavaScript", "display_name": "T1059.007 - JavaScript" }, { "id": "T1129", "name": "Shared Modules", "display_name": "T1129 - Shared Modules" }, { "id": "T1547.006", "name": "Kernel Modules and Extensions", "display_name": "T1547.006 - Kernel Modules and Extensions" }, { "id": "T1027", "name": "Obfuscated Files or Information", "display_name": "T1027 - Obfuscated Files or Information" }, { "id": "T1105", "name": "Ingress Tool Transfer", "display_name": "T1105 - Ingress Tool Transfer" }, { "id": "T1071", "name": "Application Layer Protocol", "display_name": "T1071 - Application Layer Protocol" }, { "id": "T1071.004", "name": "DNS", "display_name": "T1071.004 - DNS" }, { "id": "TA0011", "name": "Command and Control", "display_name": "TA0011 - Command and Control" }, { "id": "T1566", "name": "Phishing", "display_name": "T1566 - Phishing" }, { "id": "T1598", "name": "Phishing for Information", "display_name": "T1598 - Phishing for Information" }, { "id": "T1068", "name": "Exploitation for Privilege Escalation", "display_name": "T1068 - Exploitation for Privilege Escalation" }, { "id": "T1439", "name": "Eavesdrop on Insecure Network Communication", "display_name": "T1439 - Eavesdrop on Insecure Network Communication" }, { "id": "T1029", "name": "Scheduled Transfer", "display_name": "T1029 - Scheduled Transfer" }, { "id": "T1158", "name": "Hidden Files and Directories", "display_name": "T1158 - Hidden Files and Directories" }, { "id": "T1140", "name": "Deobfuscate/Decode Files or Information", "display_name": "T1140 - Deobfuscate/Decode Files or Information" }, { "id": "T1098", "name": "Account Manipulation", "display_name": "T1098 - Account Manipulation" } ], "industries": [], "TLP": "white", "cloned_from": null, "export_count": 66, "upvotes_count": 0, "downvotes_count": 0, "votes_count": 0, "locked": false, "pulse_source": "web", "validator_count": 0, "comment_count": 0, "follower_count": 0, "vote": 0, "author": { "username": "OctoSeek", "id": "243548", "avatar_url": "/otxapi/users/avatar_image/media/avatars/user_243548/resized/80/avatar_3b9c358f36.png", "is_subscribed": false, "is_following": false }, "indicator_type_counts": { "URL": 4708, "hostname": 1810, "FileHash-MD5": 254, "FileHash-SHA1": 213, "FileHash-SHA256": 1631, "domain": 2741, "CVE": 3, "email": 11 }, "indicator_count": 11371, "is_author": false, "is_subscribing": null, "subscriber_count": 218, "modified_text": "744 days ago ", "is_modified": true, "groups": [], "in_group": false, "threat_hunter_scannable": true, "threat_hunter_has_agents": 1, "related_indicator_type": "domain", "related_indicator_is_active": 1 }, { "id": "65a39f005c7f0a1c1eb33125", "name": "Formbook", "description": "FormBook is a data stealer that is being distributed as a MaaS. FormBook is available in the dark web market as a Malware-as-Service.\n I n known situations targets were contacted by bad actors via social media accounts Twitter & Facebook.", "modified": "2024-03-21T10:00:24.070000", "created": "2024-01-14T08:44:48.297000", "tags": [ "ssl certificate", "contacted", "execution", "ah6itbtgl", "whois record", "historical ssl", "referrer", "subdomains", "resolutions", "formbook", "threat roundup", "malware", "metro", "social engineering", "jansky", "script urls", "a domains", "united", "search", "date", "script domains", "creation date", "record value", "showing", "unknown", "meta", "body", "encrypt", "as63949 linode", "as41357", "united kingdom", "scan endpoints", "all octoseek", "domain", "pulse submit", "url analysis", "server", "registrar abuse", "iana id", "contact phone", "domain status", "registrar url", "registrar whois", "email", "registry domain", "win32 exe", "javascript", "eqsray", "zip blaze", "ms excel", "detections type", "name", "text", "csv order", "files", "microsoft", "dns replication", "bt6lcuigydc9yc", "jxaavf4jnzza0", "submission", "community score", "no security", "graph api", "status", "content type", "xcitium verdict", "cloud marketing", "history first", "thebrotherssabey", "passive dns", "gmt content", "plesklin", "ipv4", "pulse pulses", "urls", "vbs", "data center", "reverse dns", "first", "utc submissions", "submitters", "bbonline uk", "namecheap inc", "summary iocs", "graph community", "ionos se", "keysystems gmbh", "record type", "ttl value", "algorithm", "data", "v3 serial", "number", "cus cnr3", "olet", "subject public", "key info", "key algorithm", "ec oid", "sabey", "all search", "otx octoseek", "url http", "http", "hostname", "files domain", "msie", "chrome", "expiration date", "next", "whois lookup", "dnssec", "domain name", "abuse contact", "key identifier", "subject key", "identifier", "x509v3 key", "usage", "x509v3 extended", "info", "cname", "as44273 host", "ip address" ], "references": [ "appleremote.net", "CnC 103.224.182.241 | 188.240.191.162 | 207.148.248.143 | 70.32.23.111", "FormBook", "FileHash-SHA256 3072c32dcb5754e08282a8ce2c7c60d93a5ad2ee3ae216d23c94b1f536471acc", "http://www.nimtax.com/k9/,Formbook,Medium,9/9/2019,1/7/2020", "http://t.go.leadthrottle.com/ls/click?upn=QhIPT8KEOABIXMIAxwxPqJ280BBgOcomwXzYntjGICKScv8M4tWQQv4cQuNEja5M44qD_uKOrj1xe-2BYklVyDerLi-2F8mevEGdJeLwCcy3wsiM69F4EC3HAQoZ582VU8uxrVcciNra6YszFQV9gxv53c9iiXOjTuuW-2Fx2QeRPLTofIbYdsrV0aHfkFFhlixBU98mWJE7J0sEjKal1RV6nobxwnEeiVnye8NmQRJx-2FU9UfSEgWQJkTRSj9fP71LBPXBfsc8hOmZFtxOK0v3NQPflOZaAcy5iWdp2hFJGs4seKW1H2KrW5ufvec0BQBd1-2BT0vkNMAbCRhYmaLIAIyjw8lLFewDKeh7z1Ab1irO0L76m8UtAPp2ggxJTpeu-2BTpA0DNS2YtJw0V8Ucha5zN7OgSKumBbxxQEaK8UUm3ZjUVbsX-2Fyv-2B-2BteXtCeZE-2FzL3wmcIL" ], "public": 1, "adversary": "", "targeted_countries": [ "United States of America" ], "malware_families": [ { "id": "FormBook", "display_name": "FormBook", "target": null } ], "attack_ids": [], "industries": [], "TLP": "white", "cloned_from": null, "export_count": 14, "upvotes_count": 0, "downvotes_count": 0, "votes_count": 0, "locked": false, "pulse_source": "web", "validator_count": 0, "comment_count": 0, "follower_count": 0, "vote": 0, "author": { "username": "OctoSeek", "id": "243548", "avatar_url": "/otxapi/users/avatar_image/media/avatars/user_243548/resized/80/avatar_3b9c358f36.png", "is_subscribed": false, "is_following": false }, "indicator_type_counts": { "FileHash-SHA256": 1708, "hostname": 1920, "domain": 2221, "URL": 4822, "FileHash-MD5": 100, "FileHash-SHA1": 119, "email": 2, "CIDR": 1 }, "indicator_count": 10893, "is_author": false, "is_subscribing": null, "subscriber_count": 219, "modified_text": "759 days ago ", "is_modified": true, "groups": [], "in_group": false, "threat_hunter_scannable": true, "threat_hunter_has_agents": 1, "related_indicator_type": "domain", "related_indicator_is_active": 1 }, { "id": "65eb9b25110526c6b2a0ada5", "name": "VirTool:MSIL/CryptInject.CF!MTB | Rexxfield? Weird stuff", "description": "", "modified": "2024-03-08T23:11:33.426000", "created": "2024-03-08T23:11:33.426000", "tags": [ "threat", "feeds ioc", "new ioc", "teams api", "contact", "paste", "iocs", "analyze", "ssl certificate", "whois record", "historical ssl", "resolutions", "referrer", "whois whois", "communicating", "contacted", "family", "roots", "lolkek", "redline stealer", "hacktool", "html info", "title rexxfield", "services", "identify", "meta tags", "rexxfield cyber", "investigation", "divi child", "site kit", "google", "united", "unknown", "as24940 hetzner", "germany unknown", "passive dns", "urls", "title", "moved", "scan endpoints", "all octoseek", "body", "cyber stalking", "pornographer", "urls url", "files", "ip address", "execution", "metro", "medium", "show", "search", "ids detections", "yara detections", "win32", "ppi useragent", "installcapital", "http", "packing t1045", "malware", "write", "obsession", "malvertizing", "masquerading", "ipv4", "pulse submit", "url analysis", "cookie", "status", "domain", "creation date", "trojan", "date", "expiration date", "name servers", "trojanclicker", "encrypt", "error", "ransomware", "malware generator", "meta", "for privacy", "aaaa", "komodo", "asnone united", "alfper", "as22612", "nxdomain", "gmt x", "ransom", "virtool", "log id", "gmtn", "digicert tls", "rsa sha256", "tls web", "full name", "digicert inc", "california", "false", "pulse pulses", "location united", "as16276", "as14061", "code", "next", "url http", "hostname", "files domain", "files related", "ghost rat", "webtoolbar", "nanocore rat", "gamehack", "cobalt strike", "redlinestealer", "installcore", "installbrain", "emotet", "tofsee", "bradesco", "agent tesla", "trojanspy", "suppobox", "occamy", "dnspionage", "stealer", "networm", "as13414 twitter", "as32934", "script urls", "a domains", "worm", "entries", "meta http", "window", "select contact", "domain holder", "nexus category", "tackle company", "postal code", "component loop", "apache", "pragma", "value0", "ioc search", "threat analyzer", "hostnames", "dangerous", "target", "targeting", "hacker profile", "cybercrime", "fraud services", "strange", "tsara brashears", "michael roberts", "tracey richter", "voyeurism", "slander", "password", "hijacker" ], "references": [ "https://rexxfield.com/", "https://www.pornhub.com/gifs/search?search=tsara+lynn+brashears+lesbian | OS & iOS Password and Password Cracker", "www.akhaltsikhe.gov.ge [Germany?]", "screencasts.rexxfield.com", "https://rexxfield.com [ hmmm...inc.legal] is Alienvault a subsidiary of Rexxfields unwarranted investigation/spy campaign? Confused", "https://www.akhaltsikhe.gov.ge/ | GMT Server LiteSpeed location", "94.130.71.173 [scanning host]", "http://www.objectaid.com/update/current/p2.index [AIN Phishing IOC's]", "https://www.couriermail.com.au/ipad/custody-bid-strands-family/news-story/23c2c9a5fc984edc04d29655c641f484", "Michael Roberts Australia, Germany, Iowa, New York Friend of Ben", "Michael Roberts - murder suspect, victim, hacker, PI", "https://www.anyxxxtube.net/search-porn/tsara-brashears/ [text, email, collection]", "https://ladys.one/xxx/a-tsara-brashears-zafira-porn", "https://wallpapers-nature.com/tsara-brashears/tse1-mm-bing-net [BitCoinAussie ?]", "98cc05d9c12c214deadfe71af22cd3862e7417c0 [backdoor | PPI User-Agent (InstallCapital)]", "a.nel.cloudflare.com / api.w.org", "miles.ns.cloudflare.com", "https://otx.alienvault.com/indicator/url/https://media.toxtren.com/redirect.aspx?pid=272789&&bid=1971&&lpid=2119&&subid=18b8dh9scxi7sbl11f&&sref=inhousecpa&&inhousecpa=Kiev_Dima_BR_Setki", "https://www.google.com/?authuser=0" ], "public": 1, "adversary": "", "targeted_countries": [ "United States of America" ], "malware_families": [ { "id": "LolKek", "display_name": "LolKek", "target": null }, { "id": "HackTool", "display_name": "HackTool", "target": null }, { "id": "RedLine Stealer", "display_name": "RedLine Stealer", "target": null }, { "id": "TrojanClicker", "display_name": "TrojanClicker", "target": null }, { "id": "Win32:Malware-gen", "display_name": "Win32:Malware-gen", "target": null }, { "id": "ALFPER:InstallCapital", "display_name": "ALFPER:InstallCapital", "target": null }, { "id": "VirTool:MSIL/CryptInject.CF!MTB", "display_name": "VirTool:MSIL/CryptInject.CF!MTB", "target": "/malware/VirTool:MSIL/CryptInject.CF!MTB" }, { "id": "Win.Malware.Downloadguide-6803841-0", "display_name": "Win.Malware.Downloadguide-6803841-0", "target": null }, { "id": "Win.Packed.kkrunchy-7049457-1", "display_name": "Win.Packed.kkrunchy-7049457-1", "target": null }, { "id": "ALF:HeraklezEval:SoftwareBundler:Win32/Prepscram", "display_name": "ALF:HeraklezEval:SoftwareBundler:Win32/Prepscram", "target": null }, { "id": "TrojanDownloader:Win32/Upatre.A", "display_name": "TrojanDownloader:Win32/Upatre.A", "target": "/malware/TrojanDownloader:Win32/Upatre.A" }, { "id": "Trojan:Win32/Qbot.R!MTB", "display_name": "Trojan:Win32/Qbot.R!MTB", "target": "/malware/Trojan:Win32/Qbot.R!MTB" }, { "id": "ALF:HeraklezEval:Trojan:BAT/Musecador", "display_name": "ALF:HeraklezEval:Trojan:BAT/Musecador", "target": null }, { "id": "Backdoor:Win32/Wabot.A", "display_name": "Backdoor:Win32/Wabot.A", "target": "/malware/Backdoor:Win32/Wabot.A" }, { "id": "Ransom:Win32/G And Crab!rfn", "display_name": "Ransom:Win32/G And Crab!rfn", "target": "/malware/Ransom:Win32/G And Crab!rfn" }, { "id": "Ransom:Win32/WannaCrypt.A!rsm", "display_name": "Ransom:Win32/WannaCrypt.A!rsm", "target": "/malware/Ransom:Win32/WannaCrypt.A!rsm" }, { "id": "Tofsee", "display_name": "Tofsee", "target": null }, { "id": "#Lowfi:FOP:VirTool:Win32/Injector", "display_name": "#Lowfi:FOP:VirTool:Win32/Injector", "target": null }, { "id": "Nanocore RAT", "display_name": "Nanocore RAT", "target": null }, { "id": "Worm:Win32/Fesber.A", "display_name": "Worm:Win32/Fesber.A", "target": "/malware/Worm:Win32/Fesber.A" }, { "id": "WebToolbar", "display_name": "WebToolbar", "target": null }, { "id": "#LowFi:HSTR:TrojanSpy:Win32/Xtrat", "display_name": "#LowFi:HSTR:TrojanSpy:Win32/Xtrat", "target": null }, { "id": "InstallBrain", "display_name": "InstallBrain", "target": null }, { "id": "InstallCore", "display_name": "InstallCore", "target": null }, { "id": "Ghost RAT", "display_name": "Ghost RAT", "target": null }, { "id": "Cobalt Strike", "display_name": "Cobalt Strike", "target": null }, { "id": "SuppoBox", "display_name": "SuppoBox", "target": null }, { "id": "Occamy", "display_name": "Occamy", "target": null }, { "id": "Agent Tesla", "display_name": "Agent Tesla", "target": null }, { "id": "TrojanSpy:Win32/Bradesco", "display_name": "TrojanSpy:Win32/Bradesco", "target": "/malware/TrojanSpy:Win32/Bradesco" }, { "id": "ALF:HeraklezEval:TrojanClicker:JS/Faceliker", "display_name": "ALF:HeraklezEval:TrojanClicker:JS/Faceliker", "target": null } ], "attack_ids": [ { "id": "T1045", "name": "Software Packing", "display_name": "T1045 - Software Packing" }, { "id": "T1119", "name": "Automated Collection", "display_name": "T1119 - Automated Collection" }, { "id": "T1036", "name": "Masquerading", "display_name": "T1036 - Masquerading" }, { "id": "T1449", "name": "Exploit SS7 to Redirect Phone Calls/SMS", "display_name": "T1449 - Exploit SS7 to Redirect Phone Calls/SMS" }, { "id": "T1068", "name": "Exploitation for Privilege Escalation", "display_name": "T1068 - Exploitation for Privilege Escalation" }, { "id": "T1415", "name": "URL Scheme Hijacking", "display_name": "T1415 - URL Scheme Hijacking" }, { "id": "T1059.007", "name": "JavaScript", "display_name": "T1059.007 - JavaScript" }, { "id": "T1106", "name": "Native API", "display_name": "T1106 - Native API" }, { "id": "T1122", "name": "Component Object Model Hijacking", "display_name": "T1122 - Component Object Model Hijacking" }, { "id": "T1082", "name": "System Information Discovery", "display_name": "T1082 - System Information Discovery" }, { "id": "T1057", "name": "Process Discovery", "display_name": "T1057 - Process Discovery" }, { "id": "T1140", "name": "Deobfuscate/Decode Files or Information", "display_name": "T1140 - Deobfuscate/Decode Files or Information" }, { "id": "T1114", "name": "Email Collection", "display_name": "T1114 - Email Collection" }, { "id": "T1100", "name": "Web Shell", "display_name": "T1100 - Web Shell" }, { "id": "T1071", "name": "Application Layer Protocol", "display_name": "T1071 - Application Layer Protocol" }, { "id": "T1071.003", "name": "Mail Protocols", "display_name": "T1071.003 - Mail Protocols" }, { "id": "T1030", "name": "Data Transfer Size Limits", "display_name": "T1030 - Data Transfer Size Limits" }, { "id": "T1027", "name": "Obfuscated Files or Information", "display_name": "T1027 - Obfuscated Files or Information" } ], "industries": [], "TLP": "white", "cloned_from": "65a342310ab3d2c69778d608", "export_count": 53, "upvotes_count": 0, "downvotes_count": 0, "votes_count": 0, "locked": false, "pulse_source": "web", "validator_count": 0, "comment_count": 0, "follower_count": 0, "vote": 0, "author": { "username": "scoreblue", "id": "254100", "avatar_url": "/otxapi/users/avatar_image/media/avatars/user_254100/resized/80/avatar_3b9c358f36.png", "is_subscribed": false, "is_following": false }, "indicator_type_counts": { "FileHash-MD5": 143, "FileHash-SHA1": 130, "FileHash-SHA256": 1524, "URL": 3340, "domain": 1735, "hostname": 1398, "CVE": 1, "email": 6, "SSLCertFingerprint": 2 }, "indicator_count": 8279, "is_author": false, "is_subscribing": null, "subscriber_count": 226, "modified_text": "771 days ago ", "is_modified": false, "groups": [], "in_group": false, "threat_hunter_scannable": true, "threat_hunter_has_agents": 1, "related_indicator_type": "domain", "related_indicator_is_active": 1 }, { "id": "65eb98d47b74b50cf8ce6797", "name": "VirTool:Win32/AccessMe | Ghost RAT", "description": "", "modified": "2024-03-08T23:01:40.129000", "created": "2024-03-08T23:01:40.129000", "tags": [ "threat", "feeds ioc", "new ioc", "teams api", "contact", "paste", "iocs", "analyze", "ssl certificate", "whois record", "historical ssl", "resolutions", "referrer", "whois whois", "communicating", "contacted", "family", "roots", "lolkek", "redline stealer", "hacktool", "html info", "title rexxfield", "services", "identify", "meta tags", "rexxfield cyber", "investigation", "divi child", "site kit", "google", "united", "unknown", "as24940 hetzner", "germany unknown", "passive dns", "urls", "title", "moved", "scan endpoints", "all octoseek", "body", "cyber stalking", "pornographer", "urls url", "files", "ip address", "execution", "metro", "medium", "show", "search", "ids detections", "yara detections", "win32", "ppi useragent", "installcapital", "http", "packing t1045", "malware", "write", "obsession", "malvertizing", "masquerading", "ipv4", "pulse submit", "url analysis", "cookie", "status", "domain", "creation date", "trojan", "date", "expiration date", "name servers", "trojanclicker", "encrypt", "error", "ransomware", "malware generator", "meta", "for privacy", "aaaa", "komodo", "asnone united", "alfper", "as22612", "nxdomain", "gmt x", "ransom", "virtool", "log id", "gmtn", "digicert tls", "rsa sha256", "tls web", "full name", "digicert inc", "california", "false", "pulse pulses", "location united", "as16276", "as14061", "code", "next", "url http", "hostname", "files domain", "files related", "ghost rat", "webtoolbar", "nanocore rat", "gamehack", "cobalt strike", "redlinestealer", "installcore", "installbrain", "emotet", "tofsee", "bradesco", "agent tesla", "trojanspy", "suppobox", "occamy", "dnspionage", "stealer", "networm", "as13414 twitter", "as32934", "script urls", "a domains", "worm", "entries", "meta http", "window", "select contact", "domain holder", "nexus category", "tackle company", "postal code", "component loop", "apache", "pragma", "value0", "ioc search", "threat analyzer", "hostnames", "dangerous", "target", "targeting", "hacker profile", "cybercrime", "fraud services", "strange", "tsara brashears", "michael roberts", "tracey richter", "voyeurism", "slander", "password", "hijacker" ], "references": [ "https://rexxfield.com/", "https://www.pornhub.com/gifs/search?search=tsara+lynn+brashears+lesbian | OS & iOS Password and Password Cracker", "www.akhaltsikhe.gov.ge [Germany?]", "screencasts.rexxfield.com", "https://rexxfield.com [ hmmm...inc.legal] is Alienvault a subsidiary of Rexxfields unwarranted investigation/spy campaign? Confused", "https://www.akhaltsikhe.gov.ge/ | GMT Server LiteSpeed location", "94.130.71.173 [scanning host]", "http://www.objectaid.com/update/current/p2.index [AIN Phishing IOC's]", "https://www.couriermail.com.au/ipad/custody-bid-strands-family/news-story/23c2c9a5fc984edc04d29655c641f484", "Michael Roberts Australia, Germany, Iowa, New York Friend of Ben", "Michael Roberts - murder suspect, victim, hacker, PI", "https://www.anyxxxtube.net/search-porn/tsara-brashears/ [text, email, collection]", "https://ladys.one/xxx/a-tsara-brashears-zafira-porn", "https://wallpapers-nature.com/tsara-brashears/tse1-mm-bing-net [BitCoinAussie ?]", "98cc05d9c12c214deadfe71af22cd3862e7417c0 [backdoor | PPI User-Agent (InstallCapital)]", "a.nel.cloudflare.com / api.w.org", "miles.ns.cloudflare.com", "https://otx.alienvault.com/indicator/url/https://media.toxtren.com/redirect.aspx?pid=272789&&bid=1971&&lpid=2119&&subid=18b8dh9scxi7sbl11f&&sref=inhousecpa&&inhousecpa=Kiev_Dima_BR_Setki", "https://www.google.com/?authuser=0" ], "public": 1, "adversary": "", "targeted_countries": [ "United States of America" ], "malware_families": [ { "id": "LolKek", "display_name": "LolKek", "target": null }, { "id": "HackTool", "display_name": "HackTool", "target": null }, { "id": "RedLine Stealer", "display_name": "RedLine Stealer", "target": null }, { "id": "TrojanClicker", "display_name": "TrojanClicker", "target": null }, { "id": "Win32:Malware-gen", "display_name": "Win32:Malware-gen", "target": null }, { "id": "ALFPER:InstallCapital", "display_name": "ALFPER:InstallCapital", "target": null }, { "id": "VirTool:MSIL/CryptInject.CF!MTB", "display_name": "VirTool:MSIL/CryptInject.CF!MTB", "target": "/malware/VirTool:MSIL/CryptInject.CF!MTB" }, { "id": "Win.Malware.Downloadguide-6803841-0", "display_name": "Win.Malware.Downloadguide-6803841-0", "target": null }, { "id": "Win.Packed.kkrunchy-7049457-1", "display_name": "Win.Packed.kkrunchy-7049457-1", "target": null }, { "id": "ALF:HeraklezEval:SoftwareBundler:Win32/Prepscram", "display_name": "ALF:HeraklezEval:SoftwareBundler:Win32/Prepscram", "target": null }, { "id": "TrojanDownloader:Win32/Upatre.A", "display_name": "TrojanDownloader:Win32/Upatre.A", "target": "/malware/TrojanDownloader:Win32/Upatre.A" }, { "id": "Trojan:Win32/Qbot.R!MTB", "display_name": "Trojan:Win32/Qbot.R!MTB", "target": "/malware/Trojan:Win32/Qbot.R!MTB" }, { "id": "ALF:HeraklezEval:Trojan:BAT/Musecador", "display_name": "ALF:HeraklezEval:Trojan:BAT/Musecador", "target": null }, { "id": "Backdoor:Win32/Wabot.A", "display_name": "Backdoor:Win32/Wabot.A", "target": "/malware/Backdoor:Win32/Wabot.A" }, { "id": "Ransom:Win32/G And Crab!rfn", "display_name": "Ransom:Win32/G And Crab!rfn", "target": "/malware/Ransom:Win32/G And Crab!rfn" }, { "id": "Ransom:Win32/WannaCrypt.A!rsm", "display_name": "Ransom:Win32/WannaCrypt.A!rsm", "target": "/malware/Ransom:Win32/WannaCrypt.A!rsm" }, { "id": "Tofsee", "display_name": "Tofsee", "target": null }, { "id": "#Lowfi:FOP:VirTool:Win32/Injector", "display_name": "#Lowfi:FOP:VirTool:Win32/Injector", "target": null }, { "id": "Nanocore RAT", "display_name": "Nanocore RAT", "target": null }, { "id": "Worm:Win32/Fesber.A", "display_name": "Worm:Win32/Fesber.A", "target": "/malware/Worm:Win32/Fesber.A" }, { "id": "WebToolbar", "display_name": "WebToolbar", "target": null }, { "id": "#LowFi:HSTR:TrojanSpy:Win32/Xtrat", "display_name": "#LowFi:HSTR:TrojanSpy:Win32/Xtrat", "target": null }, { "id": "InstallBrain", "display_name": "InstallBrain", "target": null }, { "id": "InstallCore", "display_name": "InstallCore", "target": null }, { "id": "Ghost RAT", "display_name": "Ghost RAT", "target": null }, { "id": "Cobalt Strike", "display_name": "Cobalt Strike", "target": null }, { "id": "SuppoBox", "display_name": "SuppoBox", "target": null }, { "id": "Occamy", "display_name": "Occamy", "target": null }, { "id": "Agent Tesla", "display_name": "Agent Tesla", "target": null }, { "id": "TrojanSpy:Win32/Bradesco", "display_name": "TrojanSpy:Win32/Bradesco", "target": "/malware/TrojanSpy:Win32/Bradesco" }, { "id": "ALF:HeraklezEval:TrojanClicker:JS/Faceliker", "display_name": "ALF:HeraklezEval:TrojanClicker:JS/Faceliker", "target": null } ], "attack_ids": [ { "id": "T1045", "name": "Software Packing", "display_name": "T1045 - Software Packing" }, { "id": "T1119", "name": "Automated Collection", "display_name": "T1119 - Automated Collection" }, { "id": "T1036", "name": "Masquerading", "display_name": "T1036 - Masquerading" }, { "id": "T1449", "name": "Exploit SS7 to Redirect Phone Calls/SMS", "display_name": "T1449 - Exploit SS7 to Redirect Phone Calls/SMS" }, { "id": "T1068", "name": "Exploitation for Privilege Escalation", "display_name": "T1068 - Exploitation for Privilege Escalation" }, { "id": "T1415", "name": "URL Scheme Hijacking", "display_name": "T1415 - URL Scheme Hijacking" }, { "id": "T1059.007", "name": "JavaScript", "display_name": "T1059.007 - JavaScript" }, { "id": "T1106", "name": "Native API", "display_name": "T1106 - Native API" }, { "id": "T1122", "name": "Component Object Model Hijacking", "display_name": "T1122 - Component Object Model Hijacking" }, { "id": "T1082", "name": "System Information Discovery", "display_name": "T1082 - System Information Discovery" }, { "id": "T1057", "name": "Process Discovery", "display_name": "T1057 - Process Discovery" }, { "id": "T1140", "name": "Deobfuscate/Decode Files or Information", "display_name": "T1140 - Deobfuscate/Decode Files or Information" }, { "id": "T1114", "name": "Email Collection", "display_name": "T1114 - Email Collection" }, { "id": "T1100", "name": "Web Shell", "display_name": "T1100 - Web Shell" }, { "id": "T1071", "name": "Application Layer Protocol", "display_name": "T1071 - Application Layer Protocol" }, { "id": "T1071.003", "name": "Mail Protocols", "display_name": "T1071.003 - Mail Protocols" }, { "id": "T1030", "name": "Data Transfer Size Limits", "display_name": "T1030 - Data Transfer Size Limits" }, { "id": "T1027", "name": "Obfuscated Files or Information", "display_name": "T1027 - Obfuscated Files or Information" } ], "industries": [], "TLP": "white", "cloned_from": "65acace20c18a7d6c5da2e27", "export_count": 43, "upvotes_count": 0, "downvotes_count": 0, "votes_count": 0, "locked": false, "pulse_source": "web", "validator_count": 0, "comment_count": 0, "follower_count": 0, "vote": 0, "author": { "username": "scoreblue", "id": "254100", "avatar_url": "/otxapi/users/avatar_image/media/avatars/user_254100/resized/80/avatar_3b9c358f36.png", "is_subscribed": false, "is_following": false }, "indicator_type_counts": { "FileHash-MD5": 143, "FileHash-SHA1": 130, "FileHash-SHA256": 1524, "URL": 3340, "domain": 1735, "hostname": 1398, "CVE": 1, "email": 6, "SSLCertFingerprint": 2 }, "indicator_count": 8279, "is_author": false, "is_subscribing": null, "subscriber_count": 228, "modified_text": "771 days ago ", "is_modified": false, "groups": [], "in_group": false, "threat_hunter_scannable": true, "threat_hunter_has_agents": 1, "related_indicator_type": "domain", "related_indicator_is_active": 1 }, { "id": "65a4880cf26f0feaf9a75648", "name": "Formbook", "description": "", "modified": "2024-02-13T08:03:20.064000", "created": "2024-01-15T01:19:08.041000", "tags": [ "ssl certificate", "contacted", "execution", "ah6itbtgl", "whois record", "historical ssl", "referrer", "subdomains", "resolutions", "formbook", "threat roundup", "malware", "metro", "social engineering", "jansky", "script urls", "a domains", "united", "search", "date", "script domains", "creation date", "record value", "showing", "unknown", "meta", "body", "encrypt", "as63949 linode", "as41357", "united kingdom", "scan endpoints", "all octoseek", "domain", "pulse submit", "url analysis", "server", "registrar abuse", "iana id", "contact phone", "domain status", "registrar url", "registrar whois", "email", "registry domain", "win32 exe", "javascript", "eqsray", "zip blaze", "ms excel", "detections type", "name", "text", "csv order", "files", "microsoft", "dns replication", "bt6lcuigydc9yc", "jxaavf4jnzza0", "submission", "community score", "no security", "graph api", "status", "content type", "xcitium verdict", "cloud marketing", "history first", "thebrotherssabey", "passive dns", "gmt content", "plesklin", "ipv4", "pulse pulses", "urls", "vbs", "data center", "reverse dns", "first", "utc submissions", "submitters", "bbonline uk", "namecheap inc", "summary iocs", "graph community", "ionos se", "keysystems gmbh", "record type", "ttl value", "algorithm", "data", "v3 serial", "number", "cus cnr3", "olet", "subject public", "key info", "key algorithm", "ec oid", "sabey", "all search", "otx octoseek", "url http", "http", "hostname", "files domain", "msie", "chrome", "expiration date", "next", "whois lookup", "dnssec", "domain name", "abuse contact", "key identifier", "subject key", "identifier", "x509v3 key", "usage", "x509v3 extended", "info", "cname", "as44273 host", "ip address" ], "references": [ "appleremote.net", "CnC 103.224.182.241 | 188.240.191.162 | 207.148.248.143 | 70.32.23.111", "FormBook", "FileHash-SHA256 3072c32dcb5754e08282a8ce2c7c60d93a5ad2ee3ae216d23c94b1f536471acc", "http://www.nimtax.com/k9/,Formbook,Medium,9/9/2019,1/7/2020", "http://t.go.leadthrottle.com/ls/click?upn=QhIPT8KEOABIXMIAxwxPqJ280BBgOcomwXzYntjGICKScv8M4tWQQv4cQuNEja5M44qD_uKOrj1xe-2BYklVyDerLi-2F8mevEGdJeLwCcy3wsiM69F4EC3HAQoZ582VU8uxrVcciNra6YszFQV9gxv53c9iiXOjTuuW-2Fx2QeRPLTofIbYdsrV0aHfkFFhlixBU98mWJE7J0sEjKal1RV6nobxwnEeiVnye8NmQRJx-2FU9UfSEgWQJkTRSj9fP71LBPXBfsc8hOmZFtxOK0v3NQPflOZaAcy5iWdp2hFJGs4seKW1H2KrW5ufvec0BQBd1-2BT0vkNMAbCRhYmaLIAIyjw8lLFewDKeh7z1Ab1irO0L76m8UtAPp2ggxJTpeu-2BTpA0DNS2YtJw0V8Ucha5zN7OgSKumBbxxQEaK8UUm3ZjUVbsX-2Fyv-2B-2BteXtCeZE-2FzL3wmcIL" ], "public": 1, "adversary": "", "targeted_countries": [ "United States of America" ], "malware_families": [ { "id": "FormBook", "display_name": "FormBook", "target": null } ], "attack_ids": [], "industries": [], "TLP": "white", "cloned_from": "65a39f005c7f0a1c1eb33125", "export_count": 9, "upvotes_count": 0, "downvotes_count": 0, "votes_count": 0, "locked": false, "pulse_source": "web", "validator_count": 0, "comment_count": 0, "follower_count": 0, "vote": 0, "author": { "username": "scoreblue", "id": "254100", "avatar_url": "/otxapi/users/avatar_image/media/avatars/user_254100/resized/80/avatar_3b9c358f36.png", "is_subscribed": false, "is_following": false }, "indicator_type_counts": { "FileHash-SHA256": 1650, "hostname": 1778, "domain": 2102, "URL": 4435, "FileHash-MD5": 100, "FileHash-SHA1": 119, "email": 2, "CIDR": 1 }, "indicator_count": 10187, "is_author": false, "is_subscribing": null, "subscriber_count": 225, "modified_text": "796 days ago ", "is_modified": true, "groups": [], "in_group": false, "threat_hunter_scannable": true, "threat_hunter_has_agents": 1, "related_indicator_type": "domain", "related_indicator_is_active": 1 }, { "id": "65afc9cf333bbda03a18e03c", "name": "VirTool:Win32/AccessMe | Ghost RAT", "description": "", "modified": "2024-02-13T00:04:59.507000", "created": "2024-01-23T14:14:39.725000", "tags": [ "threat", "feeds ioc", "new ioc", "teams api", "contact", "paste", "iocs", "analyze", "ssl certificate", "whois record", "historical ssl", "resolutions", "referrer", "whois whois", "communicating", "contacted", "family", "roots", "lolkek", "redline stealer", "hacktool", "html info", "title rexxfield", "services", "identify", "meta tags", "rexxfield cyber", "investigation", "divi child", "site kit", "google", "united", "unknown", "as24940 hetzner", "germany unknown", "passive dns", "urls", "title", "moved", "scan endpoints", "all octoseek", "body", "cyber stalking", "pornographer", "urls url", "files", "ip address", "execution", "metro", "medium", "show", "search", "ids detections", "yara detections", "win32", "ppi useragent", "installcapital", "http", "packing t1045", "malware", "write", "obsession", "malvertizing", "masquerading", "ipv4", "pulse submit", "url analysis", "cookie", "status", "domain", "creation date", "trojan", "date", "expiration date", "name servers", "trojanclicker", "encrypt", "error", "ransomware", "malware generator", "meta", "for privacy", "aaaa", "komodo", "asnone united", "alfper", "as22612", "nxdomain", "gmt x", "ransom", "virtool", "log id", "gmtn", "digicert tls", "rsa sha256", "tls web", "full name", "digicert inc", "california", "false", "pulse pulses", "location united", "as16276", "as14061", "code", "next", "url http", "hostname", "files domain", "files related", "ghost rat", "webtoolbar", "nanocore rat", "gamehack", "cobalt strike", "redlinestealer", "installcore", "installbrain", "emotet", "tofsee", "bradesco", "agent tesla", "trojanspy", "suppobox", "occamy", "dnspionage", "stealer", "networm", "as13414 twitter", "as32934", "script urls", "a domains", "worm", "entries", "meta http", "window", "select contact", "domain holder", "nexus category", "tackle company", "postal code", "component loop", "apache", "pragma", "value0", "ioc search", "threat analyzer", "hostnames", "dangerous", "target", "targeting", "hacker profile", "cybercrime", "fraud services", "strange", "tsara brashears", "michael roberts", "tracey richter", "voyeurism", "slander", "password", "hijacker" ], "references": [ "https://rexxfield.com/", "https://www.pornhub.com/gifs/search?search=tsara+lynn+brashears+lesbian | OS & iOS Password and Password Cracker", "www.akhaltsikhe.gov.ge [Germany?]", "screencasts.rexxfield.com", "https://rexxfield.com [ hmmm...inc.legal] is Alienvault a subsidiary of Rexxfields unwarranted investigation/spy campaign? Confused", "https://www.akhaltsikhe.gov.ge/ | GMT Server LiteSpeed location", "94.130.71.173 [scanning host]", "http://www.objectaid.com/update/current/p2.index [AIN Phishing IOC's]", "https://www.couriermail.com.au/ipad/custody-bid-strands-family/news-story/23c2c9a5fc984edc04d29655c641f484", "Michael Roberts Australia, Germany, Iowa, New York Friend of Ben", "Michael Roberts - murder suspect, victim, hacker, PI", "https://www.anyxxxtube.net/search-porn/tsara-brashears/ [text, email, collection]", "https://ladys.one/xxx/a-tsara-brashears-zafira-porn", "https://wallpapers-nature.com/tsara-brashears/tse1-mm-bing-net [BitCoinAussie ?]", "98cc05d9c12c214deadfe71af22cd3862e7417c0 [backdoor | PPI User-Agent (InstallCapital)]", "a.nel.cloudflare.com / api.w.org", "miles.ns.cloudflare.com", "https://otx.alienvault.com/indicator/url/https://media.toxtren.com/redirect.aspx?pid=272789&&bid=1971&&lpid=2119&&subid=18b8dh9scxi7sbl11f&&sref=inhousecpa&&inhousecpa=Kiev_Dima_BR_Setki", "https://www.google.com/?authuser=0" ], "public": 1, "adversary": "", "targeted_countries": [ "United States of America" ], "malware_families": [ { "id": "LolKek", "display_name": "LolKek", "target": null }, { "id": "HackTool", "display_name": "HackTool", "target": null }, { "id": "RedLine Stealer", "display_name": "RedLine Stealer", "target": null }, { "id": "TrojanClicker", "display_name": "TrojanClicker", "target": null }, { "id": "Win32:Malware-gen", "display_name": "Win32:Malware-gen", "target": null }, { "id": "ALFPER:InstallCapital", "display_name": "ALFPER:InstallCapital", "target": null }, { "id": "VirTool:MSIL/CryptInject.CF!MTB", "display_name": "VirTool:MSIL/CryptInject.CF!MTB", "target": "/malware/VirTool:MSIL/CryptInject.CF!MTB" }, { "id": "Win.Malware.Downloadguide-6803841-0", "display_name": "Win.Malware.Downloadguide-6803841-0", "target": null }, { "id": "Win.Packed.kkrunchy-7049457-1", "display_name": "Win.Packed.kkrunchy-7049457-1", "target": null }, { "id": "ALF:HeraklezEval:SoftwareBundler:Win32/Prepscram", "display_name": "ALF:HeraklezEval:SoftwareBundler:Win32/Prepscram", "target": null }, { "id": "TrojanDownloader:Win32/Upatre.A", "display_name": "TrojanDownloader:Win32/Upatre.A", "target": "/malware/TrojanDownloader:Win32/Upatre.A" }, { "id": "Trojan:Win32/Qbot.R!MTB", "display_name": "Trojan:Win32/Qbot.R!MTB", "target": "/malware/Trojan:Win32/Qbot.R!MTB" }, { "id": "ALF:HeraklezEval:Trojan:BAT/Musecador", "display_name": "ALF:HeraklezEval:Trojan:BAT/Musecador", "target": null }, { "id": "Backdoor:Win32/Wabot.A", "display_name": "Backdoor:Win32/Wabot.A", "target": "/malware/Backdoor:Win32/Wabot.A" }, { "id": "Ransom:Win32/G And Crab!rfn", "display_name": "Ransom:Win32/G And Crab!rfn", "target": "/malware/Ransom:Win32/G And Crab!rfn" }, { "id": "Ransom:Win32/WannaCrypt.A!rsm", "display_name": "Ransom:Win32/WannaCrypt.A!rsm", "target": "/malware/Ransom:Win32/WannaCrypt.A!rsm" }, { "id": "Tofsee", "display_name": "Tofsee", "target": null }, { "id": "#Lowfi:FOP:VirTool:Win32/Injector", "display_name": "#Lowfi:FOP:VirTool:Win32/Injector", "target": null }, { "id": "Nanocore RAT", "display_name": "Nanocore RAT", "target": null }, { "id": "Worm:Win32/Fesber.A", "display_name": "Worm:Win32/Fesber.A", "target": "/malware/Worm:Win32/Fesber.A" }, { "id": "WebToolbar", "display_name": "WebToolbar", "target": null }, { "id": "#LowFi:HSTR:TrojanSpy:Win32/Xtrat", "display_name": "#LowFi:HSTR:TrojanSpy:Win32/Xtrat", "target": null }, { "id": "InstallBrain", "display_name": "InstallBrain", "target": null }, { "id": "InstallCore", "display_name": "InstallCore", "target": null }, { "id": "Ghost RAT", "display_name": "Ghost RAT", "target": null }, { "id": "Cobalt Strike", "display_name": "Cobalt Strike", "target": null }, { "id": "SuppoBox", "display_name": "SuppoBox", "target": null }, { "id": "Occamy", "display_name": "Occamy", "target": null }, { "id": "Agent Tesla", "display_name": "Agent Tesla", "target": null }, { "id": "TrojanSpy:Win32/Bradesco", "display_name": "TrojanSpy:Win32/Bradesco", "target": "/malware/TrojanSpy:Win32/Bradesco" }, { "id": "ALF:HeraklezEval:TrojanClicker:JS/Faceliker", "display_name": "ALF:HeraklezEval:TrojanClicker:JS/Faceliker", "target": null } ], "attack_ids": [ { "id": "T1045", "name": "Software Packing", "display_name": "T1045 - Software Packing" }, { "id": "T1119", "name": "Automated Collection", "display_name": "T1119 - Automated Collection" }, { "id": "T1036", "name": "Masquerading", "display_name": "T1036 - Masquerading" }, { "id": "T1449", "name": "Exploit SS7 to Redirect Phone Calls/SMS", "display_name": "T1449 - Exploit SS7 to Redirect Phone Calls/SMS" }, { "id": "T1068", "name": "Exploitation for Privilege Escalation", "display_name": "T1068 - Exploitation for Privilege Escalation" }, { "id": "T1415", "name": "URL Scheme Hijacking", "display_name": "T1415 - URL Scheme Hijacking" }, { "id": "T1059.007", "name": "JavaScript", "display_name": "T1059.007 - JavaScript" }, { "id": "T1106", "name": "Native API", "display_name": "T1106 - Native API" }, { "id": "T1122", "name": "Component Object Model Hijacking", "display_name": "T1122 - Component Object Model Hijacking" }, { "id": "T1082", "name": "System Information Discovery", "display_name": "T1082 - System Information Discovery" }, { "id": "T1057", "name": "Process Discovery", "display_name": "T1057 - Process Discovery" }, { "id": "T1140", "name": "Deobfuscate/Decode Files or Information", "display_name": "T1140 - Deobfuscate/Decode Files or Information" }, { "id": "T1114", "name": "Email Collection", "display_name": "T1114 - Email Collection" }, { "id": "T1100", "name": "Web Shell", "display_name": "T1100 - Web Shell" }, { "id": "T1071", "name": "Application Layer Protocol", "display_name": "T1071 - Application Layer Protocol" }, { "id": "T1071.003", "name": "Mail Protocols", "display_name": "T1071.003 - Mail Protocols" }, { "id": "T1030", "name": "Data Transfer Size Limits", "display_name": "T1030 - Data Transfer Size Limits" }, { "id": "T1027", "name": "Obfuscated Files or Information", "display_name": "T1027 - Obfuscated Files or Information" } ], "industries": [], "TLP": "white", "cloned_from": "65acace20c18a7d6c5da2e27", "export_count": 26, "upvotes_count": 0, "downvotes_count": 0, "votes_count": 0, "locked": false, "pulse_source": "web", "validator_count": 0, "comment_count": 0, "follower_count": 0, "vote": 0, "author": { "username": "scoreblue", "id": "254100", "avatar_url": "/otxapi/users/avatar_image/media/avatars/user_254100/resized/80/avatar_3b9c358f36.png", "is_subscribed": false, "is_following": false }, "indicator_type_counts": { "FileHash-MD5": 143, "FileHash-SHA1": 130, "FileHash-SHA256": 1524, "URL": 3340, "domain": 1735, "hostname": 1398, "CVE": 1, "email": 6, "SSLCertFingerprint": 2 }, "indicator_count": 8279, "is_author": false, "is_subscribing": null, "subscriber_count": 225, "modified_text": "796 days ago ", "is_modified": true, "groups": [], "in_group": false, "threat_hunter_scannable": true, "threat_hunter_has_agents": 1, "related_indicator_type": "domain", "related_indicator_is_active": 1 }, { "id": "65acace20c18a7d6c5da2e27", "name": "VirTool:Win32/AccessMe | Ghost RAT", "description": "", "modified": "2024-02-13T00:04:59.507000", "created": "2024-01-21T05:34:26.800000", "tags": [ "threat", "feeds ioc", "new ioc", "teams api", "contact", "paste", "iocs", "analyze", "ssl certificate", "whois record", "historical ssl", "resolutions", "referrer", "whois whois", "communicating", "contacted", "family", "roots", "lolkek", "redline stealer", "hacktool", "html info", "title rexxfield", "services", "identify", "meta tags", "rexxfield cyber", "investigation", "divi child", "site kit", "google", "united", "unknown", "as24940 hetzner", "germany unknown", "passive dns", "urls", "title", "moved", "scan endpoints", "all octoseek", "body", "cyber stalking", "pornographer", "urls url", "files", "ip address", "execution", "metro", "medium", "show", "search", "ids detections", "yara detections", "win32", "ppi useragent", "installcapital", "http", "packing t1045", "malware", "write", "obsession", "malvertizing", "masquerading", "ipv4", "pulse submit", "url analysis", "cookie", "status", "domain", "creation date", "trojan", "date", "expiration date", "name servers", "trojanclicker", "encrypt", "error", "ransomware", "malware generator", "meta", "for privacy", "aaaa", "komodo", "asnone united", "alfper", "as22612", "nxdomain", "gmt x", "ransom", "virtool", "log id", "gmtn", "digicert tls", "rsa sha256", "tls web", "full name", "digicert inc", "california", "false", "pulse pulses", "location united", "as16276", "as14061", "code", "next", "url http", "hostname", "files domain", "files related", "ghost rat", "webtoolbar", "nanocore rat", "gamehack", "cobalt strike", "redlinestealer", "installcore", "installbrain", "emotet", "tofsee", "bradesco", "agent tesla", "trojanspy", "suppobox", "occamy", "dnspionage", "stealer", "networm", "as13414 twitter", "as32934", "script urls", "a domains", "worm", "entries", "meta http", "window", "select contact", "domain holder", "nexus category", "tackle company", "postal code", "component loop", "apache", "pragma", "value0", "ioc search", "threat analyzer", "hostnames", "dangerous", "target", "targeting", "hacker profile", "cybercrime", "fraud services", "strange", "tsara brashears", "michael roberts", "tracey richter", "voyeurism", "slander", "password", "hijacker" ], "references": [ "https://rexxfield.com/", "https://www.pornhub.com/gifs/search?search=tsara+lynn+brashears+lesbian | OS & iOS Password and Password Cracker", "www.akhaltsikhe.gov.ge [Germany?]", "screencasts.rexxfield.com", "https://rexxfield.com [ hmmm...inc.legal] is Alienvault a subsidiary of Rexxfields unwarranted investigation/spy campaign? Confused", "https://www.akhaltsikhe.gov.ge/ | GMT Server LiteSpeed location", "94.130.71.173 [scanning host]", "http://www.objectaid.com/update/current/p2.index [AIN Phishing IOC's]", "https://www.couriermail.com.au/ipad/custody-bid-strands-family/news-story/23c2c9a5fc984edc04d29655c641f484", "Michael Roberts Australia, Germany, Iowa, New York Friend of Ben", "Michael Roberts - murder suspect, victim, hacker, PI", "https://www.anyxxxtube.net/search-porn/tsara-brashears/ [text, email, collection]", "https://ladys.one/xxx/a-tsara-brashears-zafira-porn", "https://wallpapers-nature.com/tsara-brashears/tse1-mm-bing-net [BitCoinAussie ?]", "98cc05d9c12c214deadfe71af22cd3862e7417c0 [backdoor | PPI User-Agent (InstallCapital)]", "a.nel.cloudflare.com / api.w.org", "miles.ns.cloudflare.com", "https://otx.alienvault.com/indicator/url/https://media.toxtren.com/redirect.aspx?pid=272789&&bid=1971&&lpid=2119&&subid=18b8dh9scxi7sbl11f&&sref=inhousecpa&&inhousecpa=Kiev_Dima_BR_Setki", "https://www.google.com/?authuser=0" ], "public": 1, "adversary": "", "targeted_countries": [ "United States of America" ], "malware_families": [ { "id": "LolKek", "display_name": "LolKek", "target": null }, { "id": "HackTool", "display_name": "HackTool", "target": null }, { "id": "RedLine Stealer", "display_name": "RedLine Stealer", "target": null }, { "id": "TrojanClicker", "display_name": "TrojanClicker", "target": null }, { "id": "Win32:Malware-gen", "display_name": "Win32:Malware-gen", "target": null }, { "id": "ALFPER:InstallCapital", "display_name": "ALFPER:InstallCapital", "target": null }, { "id": "VirTool:MSIL/CryptInject.CF!MTB", "display_name": "VirTool:MSIL/CryptInject.CF!MTB", "target": "/malware/VirTool:MSIL/CryptInject.CF!MTB" }, { "id": "Win.Malware.Downloadguide-6803841-0", "display_name": "Win.Malware.Downloadguide-6803841-0", "target": null }, { "id": "Win.Packed.kkrunchy-7049457-1", "display_name": "Win.Packed.kkrunchy-7049457-1", "target": null }, { "id": "ALF:HeraklezEval:SoftwareBundler:Win32/Prepscram", "display_name": "ALF:HeraklezEval:SoftwareBundler:Win32/Prepscram", "target": null }, { "id": "TrojanDownloader:Win32/Upatre.A", "display_name": "TrojanDownloader:Win32/Upatre.A", "target": "/malware/TrojanDownloader:Win32/Upatre.A" }, { "id": "Trojan:Win32/Qbot.R!MTB", "display_name": "Trojan:Win32/Qbot.R!MTB", "target": "/malware/Trojan:Win32/Qbot.R!MTB" }, { "id": "ALF:HeraklezEval:Trojan:BAT/Musecador", "display_name": "ALF:HeraklezEval:Trojan:BAT/Musecador", "target": null }, { "id": "Backdoor:Win32/Wabot.A", "display_name": "Backdoor:Win32/Wabot.A", "target": "/malware/Backdoor:Win32/Wabot.A" }, { "id": "Ransom:Win32/G And Crab!rfn", "display_name": "Ransom:Win32/G And Crab!rfn", "target": "/malware/Ransom:Win32/G And Crab!rfn" }, { "id": "Ransom:Win32/WannaCrypt.A!rsm", "display_name": "Ransom:Win32/WannaCrypt.A!rsm", "target": "/malware/Ransom:Win32/WannaCrypt.A!rsm" }, { "id": "Tofsee", "display_name": "Tofsee", "target": null }, { "id": "#Lowfi:FOP:VirTool:Win32/Injector", "display_name": "#Lowfi:FOP:VirTool:Win32/Injector", "target": null }, { "id": "Nanocore RAT", "display_name": "Nanocore RAT", "target": null }, { "id": "Worm:Win32/Fesber.A", "display_name": "Worm:Win32/Fesber.A", "target": "/malware/Worm:Win32/Fesber.A" }, { "id": "WebToolbar", "display_name": "WebToolbar", "target": null }, { "id": "#LowFi:HSTR:TrojanSpy:Win32/Xtrat", "display_name": "#LowFi:HSTR:TrojanSpy:Win32/Xtrat", "target": null }, { "id": "InstallBrain", "display_name": "InstallBrain", "target": null }, { "id": "InstallCore", "display_name": "InstallCore", "target": null }, { "id": "Ghost RAT", "display_name": "Ghost RAT", "target": null }, { "id": "Cobalt Strike", "display_name": "Cobalt Strike", "target": null }, { "id": "SuppoBox", "display_name": "SuppoBox", "target": null }, { "id": "Occamy", "display_name": "Occamy", "target": null }, { "id": "Agent Tesla", "display_name": "Agent Tesla", "target": null }, { "id": "TrojanSpy:Win32/Bradesco", "display_name": "TrojanSpy:Win32/Bradesco", "target": "/malware/TrojanSpy:Win32/Bradesco" }, { "id": "ALF:HeraklezEval:TrojanClicker:JS/Faceliker", "display_name": "ALF:HeraklezEval:TrojanClicker:JS/Faceliker", "target": null } ], "attack_ids": [ { "id": "T1045", "name": "Software Packing", "display_name": "T1045 - Software Packing" }, { "id": "T1119", "name": "Automated Collection", "display_name": "T1119 - Automated Collection" }, { "id": "T1036", "name": "Masquerading", "display_name": "T1036 - Masquerading" }, { "id": "T1449", "name": "Exploit SS7 to Redirect Phone Calls/SMS", "display_name": "T1449 - Exploit SS7 to Redirect Phone Calls/SMS" }, { "id": "T1068", "name": "Exploitation for Privilege Escalation", "display_name": "T1068 - Exploitation for Privilege Escalation" }, { "id": "T1415", "name": "URL Scheme Hijacking", "display_name": "T1415 - URL Scheme Hijacking" }, { "id": "T1059.007", "name": "JavaScript", "display_name": "T1059.007 - JavaScript" }, { "id": "T1106", "name": "Native API", "display_name": "T1106 - Native API" }, { "id": "T1122", "name": "Component Object Model Hijacking", "display_name": "T1122 - Component Object Model Hijacking" }, { "id": "T1082", "name": "System Information Discovery", "display_name": "T1082 - System Information Discovery" }, { "id": "T1057", "name": "Process Discovery", "display_name": "T1057 - Process Discovery" }, { "id": "T1140", "name": "Deobfuscate/Decode Files or Information", "display_name": "T1140 - Deobfuscate/Decode Files or Information" }, { "id": "T1114", "name": "Email Collection", "display_name": "T1114 - Email Collection" }, { "id": "T1100", "name": "Web Shell", "display_name": "T1100 - Web Shell" }, { "id": "T1071", "name": "Application Layer Protocol", "display_name": "T1071 - Application Layer Protocol" }, { "id": "T1071.003", "name": "Mail Protocols", "display_name": "T1071.003 - Mail Protocols" }, { "id": "T1030", "name": "Data Transfer Size Limits", "display_name": "T1030 - Data Transfer Size Limits" }, { "id": "T1027", "name": "Obfuscated Files or Information", "display_name": "T1027 - Obfuscated Files or Information" } ], "industries": [], "TLP": "white", "cloned_from": "65a342310ab3d2c69778d608", "export_count": 24, "upvotes_count": 0, "downvotes_count": 0, "votes_count": 0, "locked": false, "pulse_source": "web", "validator_count": 0, "comment_count": 1, "follower_count": 0, "vote": 0, "author": { "username": "OctoSeek", "id": "243548", "avatar_url": "/otxapi/users/avatar_image/media/avatars/user_243548/resized/80/avatar_3b9c358f36.png", "is_subscribed": false, "is_following": false }, "indicator_type_counts": { "FileHash-MD5": 143, "FileHash-SHA1": 130, "FileHash-SHA256": 1524, "URL": 3340, "domain": 1735, "hostname": 1398, "CVE": 1, "email": 6, "SSLCertFingerprint": 2 }, "indicator_count": 8279, "is_author": false, "is_subscribing": null, "subscriber_count": 219, "modified_text": "796 days ago ", "is_modified": true, "groups": [], "in_group": false, "threat_hunter_scannable": true, "threat_hunter_has_agents": 1, "related_indicator_type": "domain", "related_indicator_is_active": 1 }, { "id": "65a342310ab3d2c69778d608", "name": "VirTool:MSIL/CryptInject.CF!MTB | Rexxfield? Weird stuff", "description": "Remotely accessed device. Alleges Relationship to OTX? What I know is what I've read. Michael Roberts of Rexxfield supposedly assists, attorneys, law enforcement & helps doctors cover their crimes, injects malicious code, honeypots the web, terrorizing SA victims/allegers. Roberts is allegedly a hacker mastermind who shows his face or one of the many profiles of a hacker group targeting Tsara Brashears and https://SafeBae.org. Brashears is linked in malicious websites, Roberts suspect with ex-wife Tracey Richter alleged murderer. This is all crazy, still; Brashears is a real person in danger. I don't get it. I'm stupid", "modified": "2024-02-13T00:04:59.507000", "created": "2024-01-14T02:08:49.638000", "tags": [ "threat", "feeds ioc", "new ioc", "teams api", "contact", "paste", "iocs", "analyze", "ssl certificate", "whois record", "historical ssl", "resolutions", "referrer", "whois whois", "communicating", "contacted", "family", "roots", "lolkek", "redline stealer", "hacktool", "html info", "title rexxfield", "services", "identify", "meta tags", "rexxfield cyber", "investigation", "divi child", "site kit", "google", "united", "unknown", "as24940 hetzner", "germany unknown", "passive dns", "urls", "title", "moved", "scan endpoints", "all octoseek", "body", "cyber stalking", "pornographer", "urls url", "files", "ip address", "execution", "metro", "medium", "show", "search", "ids detections", "yara detections", "win32", "ppi useragent", "installcapital", "http", "packing t1045", "malware", "write", "obsession", "malvertizing", "masquerading", "ipv4", "pulse submit", "url analysis", "cookie", "status", "domain", "creation date", "trojan", "date", "expiration date", "name servers", "trojanclicker", "encrypt", "error", "ransomware", "malware generator", "meta", "for privacy", "aaaa", "komodo", "asnone united", "alfper", "as22612", "nxdomain", "gmt x", "ransom", "virtool", "log id", "gmtn", "digicert tls", "rsa sha256", "tls web", "full name", "digicert inc", "california", "false", "pulse pulses", "location united", "as16276", "as14061", "code", "next", "url http", "hostname", "files domain", "files related", "ghost rat", "webtoolbar", "nanocore rat", "gamehack", "cobalt strike", "redlinestealer", "installcore", "installbrain", "emotet", "tofsee", "bradesco", "agent tesla", "trojanspy", "suppobox", "occamy", "dnspionage", "stealer", "networm", "as13414 twitter", "as32934", "script urls", "a domains", "worm", "entries", "meta http", "window", "select contact", "domain holder", "nexus category", "tackle company", "postal code", "component loop", "apache", "pragma", "value0", "ioc search", "threat analyzer", "hostnames", "dangerous", "target", "targeting", "hacker profile", "cybercrime", "fraud services", "strange", "tsara brashears", "michael roberts", "tracey richter", "voyeurism", "slander", "password", "hijacker" ], "references": [ "https://rexxfield.com/", "https://www.pornhub.com/gifs/search?search=tsara+lynn+brashears+lesbian | OS & iOS Password and Password Cracker", "www.akhaltsikhe.gov.ge [Germany?]", "screencasts.rexxfield.com", "https://rexxfield.com [ hmmm...inc.legal] is Alienvault a subsidiary of Rexxfields unwarranted investigation/spy campaign? Confused", "https://www.akhaltsikhe.gov.ge/ | GMT Server LiteSpeed location", "94.130.71.173 [scanning host]", "http://www.objectaid.com/update/current/p2.index [AIN Phishing IOC's]", "https://www.couriermail.com.au/ipad/custody-bid-strands-family/news-story/23c2c9a5fc984edc04d29655c641f484", "Michael Roberts Australia, Germany, Iowa, New York Friend of Ben", "Michael Roberts - murder suspect, victim, hacker, PI", "https://www.anyxxxtube.net/search-porn/tsara-brashears/ [text, email, collection]", "https://ladys.one/xxx/a-tsara-brashears-zafira-porn", "https://wallpapers-nature.com/tsara-brashears/tse1-mm-bing-net [BitCoinAussie ?]", "98cc05d9c12c214deadfe71af22cd3862e7417c0 [backdoor | PPI User-Agent (InstallCapital)]", "a.nel.cloudflare.com / api.w.org", "miles.ns.cloudflare.com", "https://otx.alienvault.com/indicator/url/https://media.toxtren.com/redirect.aspx?pid=272789&&bid=1971&&lpid=2119&&subid=18b8dh9scxi7sbl11f&&sref=inhousecpa&&inhousecpa=Kiev_Dima_BR_Setki", "https://www.google.com/?authuser=0" ], "public": 1, "adversary": "", "targeted_countries": [ "United States of America" ], "malware_families": [ { "id": "LolKek", "display_name": "LolKek", "target": null }, { "id": "HackTool", "display_name": "HackTool", "target": null }, { "id": "RedLine Stealer", "display_name": "RedLine Stealer", "target": null }, { "id": "TrojanClicker", "display_name": "TrojanClicker", "target": null }, { "id": "Win32:Malware-gen", "display_name": "Win32:Malware-gen", "target": null }, { "id": "ALFPER:InstallCapital", "display_name": "ALFPER:InstallCapital", "target": null }, { "id": "VirTool:MSIL/CryptInject.CF!MTB", "display_name": "VirTool:MSIL/CryptInject.CF!MTB", "target": "/malware/VirTool:MSIL/CryptInject.CF!MTB" }, { "id": "Win.Malware.Downloadguide-6803841-0", "display_name": "Win.Malware.Downloadguide-6803841-0", "target": null }, { "id": "Win.Packed.kkrunchy-7049457-1", "display_name": "Win.Packed.kkrunchy-7049457-1", "target": null }, { "id": "ALF:HeraklezEval:SoftwareBundler:Win32/Prepscram", "display_name": "ALF:HeraklezEval:SoftwareBundler:Win32/Prepscram", "target": null }, { "id": "TrojanDownloader:Win32/Upatre.A", "display_name": "TrojanDownloader:Win32/Upatre.A", "target": "/malware/TrojanDownloader:Win32/Upatre.A" }, { "id": "Trojan:Win32/Qbot.R!MTB", "display_name": "Trojan:Win32/Qbot.R!MTB", "target": "/malware/Trojan:Win32/Qbot.R!MTB" }, { "id": "ALF:HeraklezEval:Trojan:BAT/Musecador", "display_name": "ALF:HeraklezEval:Trojan:BAT/Musecador", "target": null }, { "id": "Backdoor:Win32/Wabot.A", "display_name": "Backdoor:Win32/Wabot.A", "target": "/malware/Backdoor:Win32/Wabot.A" }, { "id": "Ransom:Win32/G And Crab!rfn", "display_name": "Ransom:Win32/G And Crab!rfn", "target": "/malware/Ransom:Win32/G And Crab!rfn" }, { "id": "Ransom:Win32/WannaCrypt.A!rsm", "display_name": "Ransom:Win32/WannaCrypt.A!rsm", "target": "/malware/Ransom:Win32/WannaCrypt.A!rsm" }, { "id": "Tofsee", "display_name": "Tofsee", "target": null }, { "id": "#Lowfi:FOP:VirTool:Win32/Injector", "display_name": "#Lowfi:FOP:VirTool:Win32/Injector", "target": null }, { "id": "Nanocore RAT", "display_name": "Nanocore RAT", "target": null }, { "id": "Worm:Win32/Fesber.A", "display_name": "Worm:Win32/Fesber.A", "target": "/malware/Worm:Win32/Fesber.A" }, { "id": "WebToolbar", "display_name": "WebToolbar", "target": null }, { "id": "#LowFi:HSTR:TrojanSpy:Win32/Xtrat", "display_name": "#LowFi:HSTR:TrojanSpy:Win32/Xtrat", "target": null }, { "id": "InstallBrain", "display_name": "InstallBrain", "target": null }, { "id": "InstallCore", "display_name": "InstallCore", "target": null }, { "id": "Ghost RAT", "display_name": "Ghost RAT", "target": null }, { "id": "Cobalt Strike", "display_name": "Cobalt Strike", "target": null }, { "id": "SuppoBox", "display_name": "SuppoBox", "target": null }, { "id": "Occamy", "display_name": "Occamy", "target": null }, { "id": "Agent Tesla", "display_name": "Agent Tesla", "target": null }, { "id": "TrojanSpy:Win32/Bradesco", "display_name": "TrojanSpy:Win32/Bradesco", "target": "/malware/TrojanSpy:Win32/Bradesco" }, { "id": "ALF:HeraklezEval:TrojanClicker:JS/Faceliker", "display_name": "ALF:HeraklezEval:TrojanClicker:JS/Faceliker", "target": null } ], "attack_ids": [ { "id": "T1045", "name": "Software Packing", "display_name": "T1045 - Software Packing" }, { "id": "T1119", "name": "Automated Collection", "display_name": "T1119 - Automated Collection" }, { "id": "T1036", "name": "Masquerading", "display_name": "T1036 - Masquerading" }, { "id": "T1449", "name": "Exploit SS7 to Redirect Phone Calls/SMS", "display_name": "T1449 - Exploit SS7 to Redirect Phone Calls/SMS" }, { "id": "T1068", "name": "Exploitation for Privilege Escalation", "display_name": "T1068 - Exploitation for Privilege Escalation" }, { "id": "T1415", "name": "URL Scheme Hijacking", "display_name": "T1415 - URL Scheme Hijacking" }, { "id": "T1059.007", "name": "JavaScript", "display_name": "T1059.007 - JavaScript" }, { "id": "T1106", "name": "Native API", "display_name": "T1106 - Native API" }, { "id": "T1122", "name": "Component Object Model Hijacking", "display_name": "T1122 - Component Object Model Hijacking" }, { "id": "T1082", "name": "System Information Discovery", "display_name": "T1082 - System Information Discovery" }, { "id": "T1057", "name": "Process Discovery", "display_name": "T1057 - Process Discovery" }, { "id": "T1140", "name": "Deobfuscate/Decode Files or Information", "display_name": "T1140 - Deobfuscate/Decode Files or Information" }, { "id": "T1114", "name": "Email Collection", "display_name": "T1114 - Email Collection" }, { "id": "T1100", "name": "Web Shell", "display_name": "T1100 - Web Shell" }, { "id": "T1071", "name": "Application Layer Protocol", "display_name": "T1071 - Application Layer Protocol" }, { "id": "T1071.003", "name": "Mail Protocols", "display_name": "T1071.003 - Mail Protocols" }, { "id": "T1030", "name": "Data Transfer Size Limits", "display_name": "T1030 - Data Transfer Size Limits" }, { "id": "T1027", "name": "Obfuscated Files or Information", "display_name": "T1027 - Obfuscated Files or Information" } ], "industries": [], "TLP": "white", "cloned_from": null, "export_count": 26, "upvotes_count": 0, "downvotes_count": 0, "votes_count": 0, "locked": false, "pulse_source": "web", "validator_count": 0, "comment_count": 0, "follower_count": 0, "vote": 0, "author": { "username": "OctoSeek", "id": "243548", "avatar_url": "/otxapi/users/avatar_image/media/avatars/user_243548/resized/80/avatar_3b9c358f36.png", "is_subscribed": false, "is_following": false }, "indicator_type_counts": { "FileHash-MD5": 143, "FileHash-SHA1": 130, "FileHash-SHA256": 1524, "URL": 3340, "domain": 1735, "hostname": 1398, "CVE": 1, "email": 6, "SSLCertFingerprint": 2 }, "indicator_count": 8279, "is_author": false, "is_subscribing": null, "subscriber_count": 219, "modified_text": "796 days ago ", "is_modified": true, "groups": [], "in_group": false, "threat_hunter_scannable": true, "threat_hunter_has_agents": 1, "related_indicator_type": "domain", "related_indicator_is_active": 1 }, { "id": "65be8e4a55f5851279c265c8", "name": "https://www.hallrender.com/attorney/brian-sabey/ Gopher Ransomware ", "description": "", "modified": "2024-02-03T19:04:42.251000", "created": "2024-02-03T19:04:42.251000", "tags": [ "ioc search", "new ioc", "teams api", "contact", "threat analyzer", "threat", "paste", "iocs", "hostnames", "urls https", "sample", "ssl certificate", "feeds ioc", "analyze", "whois record", "contacted", "historical ssl", "resolutions", "threat roundup", "referrer", "contacted urls", "august", "execution", "njrat", "ransomware", "gopher", "formbook", "whois ssl", "communicating", "obz4usfn0 url", "cfqirgdhj5 url", "obz4usfn0", "sfqh4dt74w0 url", "cfqirgdhj5", "localappdata", "temp", "getprocaddress", "windir", "ascii text", "mitre att", "file", "ck id", "show technique", "path", "factory", "hybrid", "http response", "final url", "serving ip", "address", "status code", "body length", "kb body", "sha256", "headers date", "gmt connection", "obz4usfn0 http", "cfqirgdhj5 http", "bundled", "dropped", "putty", "february", "july", "whois whois", "malware", "urls", "post", "vj87", "passive dns", "http", "unique", "ukhdaauqaaaaaac", "screenshot", "scan endpoints", "all octoseek", "code" ], "references": [ "https://www.hallrender.com/attorney/brian-sabey/", "https://hybrid-analysis.com/sample/ba72877899dffe3cfb08ab3b61d24e45325f0c27f3cec81e88e9dcf3f84f7098", "business-support.intel.com", "00000000000.cloudfront.net", "mobileaccess.intel.com", "artificial-legal-intelligence.com", "http://intel.net/.about.html", "http://medlineplus.gov.https.sci-hub.st", "https://hybrid-analysis.com/sample/ba72877899dffe3cfb08ab3b61d24e45325f0c27f3cec81e88e9dcf3f84f7098", "http://pl.gov-zaloguj.info", "http://apple.helptechnicalsupport.com/favicon.ico", "https://www.journaldev.com/41403/regex" ], "public": 1, "adversary": "", "targeted_countries": [], "malware_families": [ { "id": "NjRAT", "display_name": "NjRAT", "target": null }, { "id": "FormBook", "display_name": "FormBook", "target": null }, { "id": "Gopher", "display_name": "Gopher", "target": null }, { "id": "Ransomware", "display_name": "Ransomware", "target": null }, { "id": "Ascii Exploit", "display_name": "Ascii Exploit", "target": null } ], "attack_ids": [ { "id": "T1027", "name": "Obfuscated Files or Information", "display_name": "T1027 - Obfuscated Files or Information" }, { "id": "T1036", "name": "Masquerading", "display_name": "T1036 - Masquerading" }, { "id": "T1057", "name": "Process Discovery", "display_name": "T1057 - Process Discovery" }, { "id": "T1059", "name": "Command and Scripting Interpreter", "display_name": "T1059 - Command and Scripting Interpreter" }, { "id": "T1071", "name": "Application Layer Protocol", "display_name": "T1071 - Application Layer Protocol" }, { "id": "T1082", "name": "System Information Discovery", "display_name": "T1082 - System Information Discovery" }, { "id": "T1083", "name": "File and Directory Discovery", "display_name": "T1083 - File and Directory Discovery" }, { "id": "T1105", "name": "Ingress Tool Transfer", "display_name": "T1105 - Ingress Tool Transfer" }, { "id": "T1106", "name": "Native API", "display_name": "T1106 - Native API" }, { "id": "T1129", "name": "Shared Modules", "display_name": "T1129 - Shared Modules" }, { "id": "T1140", "name": "Deobfuscate/Decode Files or Information", "display_name": "T1140 - Deobfuscate/Decode Files or Information" }, { "id": "T1546", "name": "Event Triggered Execution", "display_name": "T1546 - Event Triggered Execution" }, { "id": "T1449", "name": "Exploit SS7 to Redirect Phone Calls/SMS", "display_name": "T1449 - Exploit SS7 to Redirect Phone Calls/SMS" } ], "industries": [], "TLP": "white", "cloned_from": "65b85e73efe2e053366ed972", "export_count": 8, "upvotes_count": 0, "downvotes_count": 0, "votes_count": 0, "locked": false, "pulse_source": "web", "validator_count": 0, "comment_count": 0, "follower_count": 0, "vote": 0, "author": { "username": "OctoSeek", "id": "243548", "avatar_url": "/otxapi/users/avatar_image/media/avatars/user_243548/resized/80/avatar_3b9c358f36.png", "is_subscribed": false, "is_following": false }, "indicator_type_counts": { "FileHash-MD5": 184, "FileHash-SHA1": 168, "FileHash-SHA256": 6027, "URL": 13374, "hostname": 4575, "domain": 6755, "CVE": 3 }, "indicator_count": 31086, "is_author": false, "is_subscribing": null, "subscriber_count": 222, "modified_text": "805 days ago ", "is_modified": false, "groups": [], "in_group": false, "threat_hunter_scannable": true, "threat_hunter_has_agents": 1, "related_indicator_type": "domain", "related_indicator_is_active": 1 }, { "id": "65b85e7056e146f1416eae32", "name": "https://www.hallrender.com/attorney/brian-sabey/", "description": "", "modified": "2024-01-30T02:26:56.698000", "created": "2024-01-30T02:26:56.698000", "tags": [ "ioc search", "new ioc", "teams api", "contact", "threat analyzer", "threat", "paste", "iocs", "hostnames", "urls https", "sample", "ssl certificate", "feeds ioc", "analyze", "whois record", "contacted", "historical ssl", "resolutions", "threat roundup", "referrer", "contacted urls", "august", "execution", "njrat", "ransomware", "gopher", "formbook", "whois ssl", "communicating", "obz4usfn0 url", "cfqirgdhj5 url", "obz4usfn0", "sfqh4dt74w0 url", "cfqirgdhj5", "localappdata", "temp", "getprocaddress", "windir", "ascii text", "mitre att", "file", "ck id", "show technique", "path", "factory", "hybrid", "http response", "final url", "serving ip", "address", "status code", "body length", "kb body", "sha256", "headers date", "gmt connection", "obz4usfn0 http", "cfqirgdhj5 http", "bundled", "dropped", "putty", "february", "july", "whois whois", "malware", "urls", "post", "vj87", "passive dns", "http", "unique", "ukhdaauqaaaaaac", "screenshot", "scan endpoints", "all octoseek", "code" ], "references": [ "https://www.hallrender.com/attorney/brian-sabey/", "https://hybrid-analysis.com/sample/ba72877899dffe3cfb08ab3b61d24e45325f0c27f3cec81e88e9dcf3f84f7098", "business-support.intel.com", "00000000000.cloudfront.net", "mobileaccess.intel.com", "artificial-legal-intelligence.com", "http://intel.net/.about.html", "http://medlineplus.gov.https.sci-hub.st", "https://hybrid-analysis.com/sample/ba72877899dffe3cfb08ab3b61d24e45325f0c27f3cec81e88e9dcf3f84f7098", "http://pl.gov-zaloguj.info", "http://apple.helptechnicalsupport.com/favicon.ico", "https://www.journaldev.com/41403/regex" ], "public": 1, "adversary": "", "targeted_countries": [], "malware_families": [ { "id": "NjRAT", "display_name": "NjRAT", "target": null }, { "id": "FormBook", "display_name": "FormBook", "target": null }, { "id": "Gopher", "display_name": "Gopher", "target": null }, { "id": "Ransomware", "display_name": "Ransomware", "target": null }, { "id": "Ascii Exploit", "display_name": "Ascii Exploit", "target": null } ], "attack_ids": [ { "id": "T1027", "name": "Obfuscated Files or Information", "display_name": "T1027 - Obfuscated Files or Information" }, { "id": "T1036", "name": "Masquerading", "display_name": "T1036 - Masquerading" }, { "id": "T1057", "name": "Process Discovery", "display_name": "T1057 - Process Discovery" }, { "id": "T1059", "name": "Command and Scripting Interpreter", "display_name": "T1059 - Command and Scripting Interpreter" }, { "id": "T1071", "name": "Application Layer Protocol", "display_name": "T1071 - Application Layer Protocol" }, { "id": "T1082", "name": "System Information Discovery", "display_name": "T1082 - System Information Discovery" }, { "id": "T1083", "name": "File and Directory Discovery", "display_name": "T1083 - File and Directory Discovery" }, { "id": "T1105", "name": "Ingress Tool Transfer", "display_name": "T1105 - Ingress Tool Transfer" }, { "id": "T1106", "name": "Native API", "display_name": "T1106 - Native API" }, { "id": "T1129", "name": "Shared Modules", "display_name": "T1129 - Shared Modules" }, { "id": "T1140", "name": "Deobfuscate/Decode Files or Information", "display_name": "T1140 - Deobfuscate/Decode Files or Information" }, { "id": "T1546", "name": "Event Triggered Execution", "display_name": "T1546 - Event Triggered Execution" }, { "id": "T1449", "name": "Exploit SS7 to Redirect Phone Calls/SMS", "display_name": "T1449 - Exploit SS7 to Redirect Phone Calls/SMS" } ], "industries": [], "TLP": "white", "cloned_from": "658b74ee93a0b0dc9c960cee", "export_count": 7, "upvotes_count": 0, "downvotes_count": 0, "votes_count": 0, "locked": false, "pulse_source": "web", "validator_count": 0, "comment_count": 0, "follower_count": 0, "vote": 0, "author": { "username": "scoreblue", "id": "254100", "avatar_url": "/otxapi/users/avatar_image/media/avatars/user_254100/resized/80/avatar_3b9c358f36.png", "is_subscribed": false, "is_following": false }, "indicator_type_counts": { "FileHash-MD5": 184, "FileHash-SHA1": 168, "FileHash-SHA256": 6027, "URL": 13374, "hostname": 4575, "domain": 6755, "CVE": 3 }, "indicator_count": 31086, "is_author": false, "is_subscribing": null, "subscriber_count": 226, "modified_text": "810 days ago ", "is_modified": false, "groups": [], "in_group": false, "threat_hunter_scannable": true, "threat_hunter_has_agents": 1, "related_indicator_type": "domain", "related_indicator_is_active": 1 }, { "id": "658ca37e41ea135fa35b8832", "name": "Masquerading: https://www.hallrender.com/attorney/brian-sabey/ ", "description": "", "modified": "2024-01-26T00:00:39.927000", "created": "2023-12-27T22:21:50.409000", "tags": [ "ioc search", "new ioc", "teams api", "contact", "threat analyzer", "threat", "paste", "iocs", "hostnames", "urls https", "sample", "ssl certificate", "feeds ioc", "analyze", "whois record", "contacted", "historical ssl", "resolutions", "threat roundup", "referrer", "contacted urls", "august", "execution", "njrat", "ransomware", "gopher", "formbook", "whois ssl", "communicating", "obz4usfn0 url", "cfqirgdhj5 url", "obz4usfn0", "sfqh4dt74w0 url", "cfqirgdhj5", "localappdata", "temp", "getprocaddress", "windir", "ascii text", "mitre att", "file", "ck id", "show technique", "path", "factory", "hybrid", "http response", "final url", "serving ip", "address", "status code", "body length", "kb body", "sha256", "headers date", "gmt connection", "obz4usfn0 http", "cfqirgdhj5 http", "bundled", "dropped", "putty", "february", "july", "whois whois", "malware", "urls", "post", "vj87", "passive dns", "http", "unique", "ukhdaauqaaaaaac", "screenshot", "scan endpoints", "all octoseek", "code" ], "references": [ "https://www.hallrender.com/attorney/brian-sabey/", "https://hybrid-analysis.com/sample/ba72877899dffe3cfb08ab3b61d24e45325f0c27f3cec81e88e9dcf3f84f7098", "business-support.intel.com", "00000000000.cloudfront.net", "mobileaccess.intel.com", "artificial-legal-intelligence.com", "http://intel.net/.about.html", "http://medlineplus.gov.https.sci-hub.st", "https://hybrid-analysis.com/sample/ba72877899dffe3cfb08ab3b61d24e45325f0c27f3cec81e88e9dcf3f84f7098", "http://pl.gov-zaloguj.info", "http://apple.helptechnicalsupport.com/favicon.ico", "https://www.journaldev.com/41403/regex" ], "public": 1, "adversary": "", "targeted_countries": [], "malware_families": [ { "id": "NjRAT", "display_name": "NjRAT", "target": null }, { "id": "FormBook", "display_name": "FormBook", "target": null }, { "id": "Gopher", "display_name": "Gopher", "target": null }, { "id": "Ransomware", "display_name": "Ransomware", "target": null }, { "id": "Ascii Exploit", "display_name": "Ascii Exploit", "target": null } ], "attack_ids": [ { "id": "T1027", "name": "Obfuscated Files or Information", "display_name": "T1027 - Obfuscated Files or Information" }, { "id": "T1036", "name": "Masquerading", "display_name": "T1036 - Masquerading" }, { "id": "T1057", "name": "Process Discovery", "display_name": "T1057 - Process Discovery" }, { "id": "T1059", "name": "Command and Scripting Interpreter", "display_name": "T1059 - Command and Scripting Interpreter" }, { "id": "T1071", "name": "Application Layer Protocol", "display_name": "T1071 - Application Layer Protocol" }, { "id": "T1082", "name": "System Information Discovery", "display_name": "T1082 - System Information Discovery" }, { "id": "T1083", "name": "File and Directory Discovery", "display_name": "T1083 - File and Directory Discovery" }, { "id": "T1105", "name": "Ingress Tool Transfer", "display_name": "T1105 - Ingress Tool Transfer" }, { "id": "T1106", "name": "Native API", "display_name": "T1106 - Native API" }, { "id": "T1129", "name": "Shared Modules", "display_name": "T1129 - Shared Modules" }, { "id": "T1140", "name": "Deobfuscate/Decode Files or Information", "display_name": "T1140 - Deobfuscate/Decode Files or Information" }, { "id": "T1546", "name": "Event Triggered Execution", "display_name": "T1546 - Event Triggered Execution" }, { "id": "T1449", "name": "Exploit SS7 to Redirect Phone Calls/SMS", "display_name": "T1449 - Exploit SS7 to Redirect Phone Calls/SMS" } ], "industries": [], "TLP": "white", "cloned_from": "658b74ee93a0b0dc9c960cee", "export_count": 38, "upvotes_count": 0, "downvotes_count": 0, "votes_count": 0, "locked": false, "pulse_source": "web", "validator_count": 0, "comment_count": 0, "follower_count": 0, "vote": 0, "author": { "username": "scoreblue", "id": "254100", "avatar_url": "/otxapi/users/avatar_image/media/avatars/user_254100/resized/80/avatar_3b9c358f36.png", "is_subscribed": false, "is_following": false }, "indicator_type_counts": { "FileHash-MD5": 184, "FileHash-SHA1": 168, "FileHash-SHA256": 6027, "URL": 13374, "hostname": 4575, "domain": 6755, "CVE": 3 }, "indicator_count": 31086, "is_author": false, "is_subscribing": null, "subscriber_count": 229, "modified_text": "814 days ago ", "is_modified": true, "groups": [], "in_group": false, "threat_hunter_scannable": true, "threat_hunter_has_agents": 1, "related_indicator_type": "domain", "related_indicator_is_active": 1 }, { "id": "658b74f4a6c53cc8e0f70611", "name": "Masquerading: https://www.hallrender.com/attorney/brian-sabey/", "description": "A report generated by the MITRE ATT&CK\u2122 security team on 26 December 2023 is published on the website of Brian Sabey, the lawyer who brought the UK government to court.", "modified": "2024-01-26T00:00:39.927000", "created": "2023-12-27T00:51:00.982000", "tags": [ "ioc search", "new ioc", "teams api", "contact", "threat analyzer", "threat", "paste", "iocs", "hostnames", "urls https", "sample", "ssl certificate", "feeds ioc", "analyze", "whois record", "contacted", "historical ssl", "resolutions", "threat roundup", "referrer", "contacted urls", "august", "execution", "njrat", "ransomware", "gopher", "formbook", "whois ssl", "communicating", "obz4usfn0 url", "cfqirgdhj5 url", "obz4usfn0", "sfqh4dt74w0 url", "cfqirgdhj5", "localappdata", "temp", "getprocaddress", "windir", "ascii text", "mitre att", "file", "ck id", "show technique", "path", "factory", "hybrid", "http response", "final url", "serving ip", "address", "status code", "body length", "kb body", "sha256", "headers date", "gmt connection", "obz4usfn0 http", "cfqirgdhj5 http", "bundled", "dropped", "putty", "february", "july", "whois whois", "malware", "urls", "post", "vj87", "passive dns", "http", "unique", "ukhdaauqaaaaaac", "screenshot", "scan endpoints", "all octoseek", "code" ], "references": [ "https://www.hallrender.com/attorney/brian-sabey/", "https://hybrid-analysis.com/sample/ba72877899dffe3cfb08ab3b61d24e45325f0c27f3cec81e88e9dcf3f84f7098", "business-support.intel.com", "00000000000.cloudfront.net", "mobileaccess.intel.com", "artificial-legal-intelligence.com", "http://intel.net/.about.html", "http://medlineplus.gov.https.sci-hub.st", "https://hybrid-analysis.com/sample/ba72877899dffe3cfb08ab3b61d24e45325f0c27f3cec81e88e9dcf3f84f7098", "http://pl.gov-zaloguj.info", "http://apple.helptechnicalsupport.com/favicon.ico", "https://www.journaldev.com/41403/regex" ], "public": 1, "adversary": "", "targeted_countries": [], "malware_families": [ { "id": "NjRAT", "display_name": "NjRAT", "target": null }, { "id": "FormBook", "display_name": "FormBook", "target": null }, { "id": "Gopher", "display_name": "Gopher", "target": null }, { "id": "Ransomware", "display_name": "Ransomware", "target": null }, { "id": "Ascii Exploit", "display_name": "Ascii Exploit", "target": null } ], "attack_ids": [ { "id": "T1027", "name": "Obfuscated Files or Information", "display_name": "T1027 - Obfuscated Files or Information" }, { "id": "T1036", "name": "Masquerading", "display_name": "T1036 - Masquerading" }, { "id": "T1057", "name": "Process Discovery", "display_name": "T1057 - Process Discovery" }, { "id": "T1059", "name": "Command and Scripting Interpreter", "display_name": "T1059 - Command and Scripting Interpreter" }, { "id": "T1071", "name": "Application Layer Protocol", "display_name": "T1071 - Application Layer Protocol" }, { "id": "T1082", "name": "System Information Discovery", "display_name": "T1082 - System Information Discovery" }, { "id": "T1083", "name": "File and Directory Discovery", "display_name": "T1083 - File and Directory Discovery" }, { "id": "T1105", "name": "Ingress Tool Transfer", "display_name": "T1105 - Ingress Tool Transfer" }, { "id": "T1106", "name": "Native API", "display_name": "T1106 - Native API" }, { "id": "T1129", "name": "Shared Modules", "display_name": "T1129 - Shared Modules" }, { "id": "T1140", "name": "Deobfuscate/Decode Files or Information", "display_name": "T1140 - Deobfuscate/Decode Files or Information" }, { "id": "T1546", "name": "Event Triggered Execution", "display_name": "T1546 - Event Triggered Execution" }, { "id": "T1449", "name": "Exploit SS7 to Redirect Phone Calls/SMS", "display_name": "T1449 - Exploit SS7 to Redirect Phone Calls/SMS" } ], "industries": [], "TLP": "white", "cloned_from": null, "export_count": 43, "upvotes_count": 0, "downvotes_count": 0, "votes_count": 0, "locked": false, "pulse_source": "web", "validator_count": 0, "comment_count": 0, "follower_count": 0, "vote": 0, "author": { "username": "OctoSeek", "id": "243548", "avatar_url": "/otxapi/users/avatar_image/media/avatars/user_243548/resized/80/avatar_3b9c358f36.png", "is_subscribed": false, "is_following": false }, "indicator_type_counts": { "FileHash-MD5": 184, "FileHash-SHA1": 168, "FileHash-SHA256": 6027, "URL": 13374, "hostname": 4575, "domain": 6755, "CVE": 3 }, "indicator_count": 31086, "is_author": false, "is_subscribing": null, "subscriber_count": 223, "modified_text": "814 days ago ", "is_modified": true, "groups": [], "in_group": false, "threat_hunter_scannable": true, "threat_hunter_has_agents": 1, "related_indicator_type": "domain", "related_indicator_is_active": 1 }, { "id": "658b74ee93a0b0dc9c960cee", "name": "Masquerading: https://www.hallrender.com/attorney/brian-sabey/", "description": "A report generated by the MITRE ATT&CK\u2122 security team on 26 December 2023 is published on the website of Brian Sabey, the lawyer who brought the UK government to court.", "modified": "2024-01-26T00:00:39.927000", "created": "2023-12-27T00:50:54.481000", "tags": [ "ioc search", "new ioc", "teams api", "contact", "threat analyzer", "threat", "paste", "iocs", "hostnames", "urls https", "sample", "ssl certificate", "feeds ioc", "analyze", "whois record", "contacted", "historical ssl", "resolutions", "threat roundup", "referrer", "contacted urls", "august", "execution", "njrat", "ransomware", "gopher", "formbook", "whois ssl", "communicating", "obz4usfn0 url", "cfqirgdhj5 url", "obz4usfn0", "sfqh4dt74w0 url", "cfqirgdhj5", "localappdata", "temp", "getprocaddress", "windir", "ascii text", "mitre att", "file", "ck id", "show technique", "path", "factory", "hybrid", "http response", "final url", "serving ip", "address", "status code", "body length", "kb body", "sha256", "headers date", "gmt connection", "obz4usfn0 http", "cfqirgdhj5 http", "bundled", "dropped", "putty", "february", "july", "whois whois", "malware", "urls", "post", "vj87", "passive dns", "http", "unique", "ukhdaauqaaaaaac", "screenshot", "scan endpoints", "all octoseek", "code" ], "references": [ "https://www.hallrender.com/attorney/brian-sabey/", "https://hybrid-analysis.com/sample/ba72877899dffe3cfb08ab3b61d24e45325f0c27f3cec81e88e9dcf3f84f7098", "business-support.intel.com", "00000000000.cloudfront.net", "mobileaccess.intel.com", "artificial-legal-intelligence.com", "http://intel.net/.about.html", "http://medlineplus.gov.https.sci-hub.st", "https://hybrid-analysis.com/sample/ba72877899dffe3cfb08ab3b61d24e45325f0c27f3cec81e88e9dcf3f84f7098", "http://pl.gov-zaloguj.info", "http://apple.helptechnicalsupport.com/favicon.ico", "https://www.journaldev.com/41403/regex" ], "public": 1, "adversary": "", "targeted_countries": [], "malware_families": [ { "id": "NjRAT", "display_name": "NjRAT", "target": null }, { "id": "FormBook", "display_name": "FormBook", "target": null }, { "id": "Gopher", "display_name": "Gopher", "target": null }, { "id": "Ransomware", "display_name": "Ransomware", "target": null }, { "id": "Ascii Exploit", "display_name": "Ascii Exploit", "target": null } ], "attack_ids": [ { "id": "T1027", "name": "Obfuscated Files or Information", "display_name": "T1027 - Obfuscated Files or Information" }, { "id": "T1036", "name": "Masquerading", "display_name": "T1036 - Masquerading" }, { "id": "T1057", "name": "Process Discovery", "display_name": "T1057 - Process Discovery" }, { "id": "T1059", "name": "Command and Scripting Interpreter", "display_name": "T1059 - Command and Scripting Interpreter" }, { "id": "T1071", "name": "Application Layer Protocol", "display_name": "T1071 - Application Layer Protocol" }, { "id": "T1082", "name": "System Information Discovery", "display_name": "T1082 - System Information Discovery" }, { "id": "T1083", "name": "File and Directory Discovery", "display_name": "T1083 - File and Directory Discovery" }, { "id": "T1105", "name": "Ingress Tool Transfer", "display_name": "T1105 - Ingress Tool Transfer" }, { "id": "T1106", "name": "Native API", "display_name": "T1106 - Native API" }, { "id": "T1129", "name": "Shared Modules", "display_name": "T1129 - Shared Modules" }, { "id": "T1140", "name": "Deobfuscate/Decode Files or Information", "display_name": "T1140 - Deobfuscate/Decode Files or Information" }, { "id": "T1546", "name": "Event Triggered Execution", "display_name": "T1546 - Event Triggered Execution" }, { "id": "T1449", "name": "Exploit SS7 to Redirect Phone Calls/SMS", "display_name": "T1449 - Exploit SS7 to Redirect Phone Calls/SMS" } ], "industries": [], "TLP": "white", "cloned_from": null, "export_count": 41, "upvotes_count": 0, "downvotes_count": 0, "votes_count": 0, "locked": false, "pulse_source": "web", "validator_count": 0, "comment_count": 0, "follower_count": 0, "vote": 0, "author": { "username": "OctoSeek", "id": "243548", "avatar_url": "/otxapi/users/avatar_image/media/avatars/user_243548/resized/80/avatar_3b9c358f36.png", "is_subscribed": false, "is_following": false }, "indicator_type_counts": { "FileHash-MD5": 184, "FileHash-SHA1": 168, "FileHash-SHA256": 6027, "URL": 13374, "hostname": 4575, "domain": 6755, "CVE": 3 }, "indicator_count": 31086, "is_author": false, "is_subscribing": null, "subscriber_count": 221, "modified_text": "814 days ago ", "is_modified": true, "groups": [], "in_group": false, "threat_hunter_scannable": true, "threat_hunter_has_agents": 1, "related_indicator_type": "domain", "related_indicator_is_active": 1 }, { "id": "658449d3f6ec1af2f3aace46", "name": "Qakbot | Reddit", "description": "Qbot URL: https://seedbeej.pk/tin/index.php?QBOT.zip Qbot zip found in Reddit Honeypot link: https://www.reddit.com/user backdoor second stage developed for distribution as a password stealer. Qbot, seemingly common; is a large botnetwork with many capabilities, attack methods and demands. An unsuspecting victim always be in botnetwork. Qbot encompasses many other bot networks, trojans, network rats, spyware malvertizing, fraud services, leads to full control of badly compromised digital profile.", "modified": "2024-01-20T02:02:19.559000", "created": "2023-12-21T14:21:07.435000", "tags": [ "ssl certificate", "iocs", "ioc search", "new ioc", "teams api", "contact", "search", "threat", "paste", "blacklist https", "qakbot", "site", "cisco umbrella", "alexa top", "million", "ascii text", "pattern match", "file", "windows nt", "appdata", "indicator", "crlf line", "unicode text", "jpeg image", "mitre att", "hybrid", "general", "local", "error", "click", "strings", "microsoft", "threat analyzer", "urls https", "no data", "tag count", "threat report", "ip summary", "url summary", "summary", "heur", "malware site", "malicious site", "safe site", "malware", "html", "phishing site", "site top", "riskware", "unsafe", "artemis", "quasar rat", "downldr", "agent", "presenoker", "applicunwnt", "crack", "cve201711882", "win64", "iframe", "quasar", "trojanspy", "exit", "node tcp", "tor known", "tor relayrouter", "traffic", "anonymizer", "brasil", "phishing three", "united", "phishing bank", "virustotal", "tech", "bank", "maltiverse", "hidelink", "samples", "spyware", "injector", "mon jan", "tld count", "wed dec", "download", "first", "team", "simda", "bambernek", "simda simda", "infy", "alexa", "gregory", "cyber threat", "phishing", "engineering", "covid19", "telefonica co", "malicious", "zbot", "zeus", "betabot", "suppobox", "citadel", "pony", "kraken", "redline stealer", "ransomware", "vawtrak", "athena", "neutrino", "alina", "andromeda", "dexter", "unknown", "keylogger", "hawkeye", "phase", "jackpos", "plasma", "spyeye", "spitmo", "slingshot", "ramnit", "emotet", "pykspa", "virut", "installcore", "dorkbot", "bondat", "union", "vskimmer", "xtrat", "solar", "grandcrab", "nymaim", "matsnu", "cutwail", "cobalt strike", "hydra", "tinba", "nsis", "memscan", "deepscan", "runescape", "backdoor", "reddit", "tulach", "password stealer", "active threat", "apple", "pinkslipbot", "icloud", "free", "apple" ], "references": [ "https://seedbeej.pk/tin/index.php?QBOT.zip. [Qbot zip]", "https://tulach.cc/ [Botnet phishing]", "https://www.hybrid-analysis.com/sample/a8decf589e5ec26f1e994a3923fc245db98f681f951d2bb8e1fcce1d8fef5293", "https://www.virustotal.com/gui/url/000c01d40db51f156933c624f23e776cb2c1fd60b8f1840b13b9622886a8e918/community", "198.54.115.46 [exploit_source]", "gadyniw.com [command_and_control]", "gahyqah.com [command_and_control]", "galyqaz.com [command_and_control]", "lyvyxor.com [command_and_control]", "puzylyp.com [command_and_control]", "malicious.high.ml [dropper]", "https://www.reddit.com/user [honeypot]", "beacons.bcp.gvt.com [tracking]", "https://www.norad.mil/ [tracking]", "www.norad.mil [tracking]", "www.apple.com [API property call]", "https://www.apple.com/qtactivex/qtplugin.cab [https://www.icloud.com .cab]", "yesporn.fun", "http://114.114.114.114:90/p/cdbdd4a09a64909694281aec503746fd/mobile_index.html?MTE0LjExNC4xMTQuMTE0L2xvZ2luP2hhc19vcmlfdXJp [Tulach | Malicious]", "114.114.114.114 [Tulach | Virus Network IP]" ], "public": 1, "adversary": "", "targeted_countries": [], "malware_families": [ { "id": "Qakbot", "display_name": "Qakbot", "target": null }, { "id": "Quasar", "display_name": "Quasar", "target": null }, { "id": "TrojanSpy", "display_name": "TrojanSpy", "target": null }, { "id": "Maltiverse", "display_name": "Maltiverse", "target": null }, { "id": "HideLink", "display_name": "HideLink", "target": null }, { "id": "Gregory", "display_name": "Gregory", "target": null }, { "id": "Cutwail", "display_name": "Cutwail", "target": null }, { "id": "Matsnu", "display_name": "Matsnu", "target": null }, { "id": "Vawtrak", "display_name": "Vawtrak", "target": null }, { "id": "XRat", "display_name": "XRat", "target": null }, { "id": "Zbot", "display_name": "Zbot", "target": null }, { "id": "Virut", "display_name": "Virut", "target": null }, { "id": "ZeuS", "display_name": "ZeuS", "target": null }, { "id": "vSkimmer", "display_name": "vSkimmer", "target": null }, { "id": "SuppoBox", "display_name": "SuppoBox", "target": null }, { "id": "Simda", "display_name": "Simda", "target": null }, { "id": "Pykspa", "display_name": "Pykspa", "target": null }, { "id": "SpyEye", "display_name": "SpyEye", "target": null }, { "id": "Spitmo", "display_name": "Spitmo", "target": null }, { "id": "Solar", "display_name": "Solar", "target": null }, { "id": "Nymaim", "display_name": "Nymaim", "target": null }, { "id": "DorkBot", "display_name": "DorkBot", "target": null }, { "id": "Slingshot", "display_name": "Slingshot", "target": null }, { "id": "Pony", "display_name": "Pony", "target": null }, { "id": "Plasma RAT", "display_name": "Plasma RAT", "target": null }, { "id": "Neutrino", "display_name": "Neutrino", "target": null }, { "id": "Ramnit", "display_name": "Ramnit", "target": null }, { "id": "NSIS", "display_name": "NSIS", "target": null }, { "id": "RedLine Stealer", "display_name": "RedLine Stealer", "target": null }, { "id": "InstallCore", "display_name": "InstallCore", "target": null }, { "id": "GrandCrab", "display_name": "GrandCrab", "target": null }, { "id": "Andromeda", "display_name": "Andromeda", "target": null }, { "id": "Alinaos", "display_name": "Alinaos", "target": null }, { "id": "HawkEye", "display_name": "HawkEye", "target": null }, { "id": "Kraken", "display_name": "Kraken", "target": null }, { "id": "Infy", "display_name": "Infy", "target": null }, { "id": "Dexter", "display_name": "Dexter", "target": null }, { "id": "Emotet", "display_name": "Emotet", "target": null }, { "id": "Artemis", "display_name": "Artemis", "target": null }, { "id": "ASCII", "display_name": "ASCII", "target": null }, { "id": "Athena", "display_name": "Athena", "target": null }, { "id": "Bambernek", "display_name": "Bambernek", "target": null }, { "id": "BetaBot", "display_name": "BetaBot", "target": null }, { "id": "COVID19", "display_name": "COVID19", "target": null }, { "id": "Citadel", "display_name": "Citadel", "target": null }, { "id": "Bondat", "display_name": "Bondat", "target": null }, { "id": "HideLink", "display_name": "HideLink", "target": null }, { "id": "Hydra", "display_name": "Hydra", "target": null }, { "id": "Tulach", "display_name": "Tulach", "target": null }, { "id": "Pinkslipbot", "display_name": "Pinkslipbot", "target": null } ], "attack_ids": [ { "id": "T1059", "name": "Command and Scripting Interpreter", "display_name": "T1059 - Command and Scripting Interpreter" }, { "id": "T1071", "name": "Application Layer Protocol", "display_name": "T1071 - Application Layer Protocol" }, { "id": "T1105", "name": "Ingress Tool Transfer", "display_name": "T1105 - Ingress Tool Transfer" }, { "id": "T1497", "name": "Virtualization/Sandbox Evasion", "display_name": "T1497 - Virtualization/Sandbox Evasion" }, { "id": "T1547", "name": "Boot or Logon Autostart Execution", "display_name": "T1547 - Boot or Logon Autostart Execution" }, { "id": "T1140", "name": "Deobfuscate/Decode Files or Information", "display_name": "T1140 - Deobfuscate/Decode Files or Information" }, { "id": "T1027", "name": "Obfuscated Files or Information", "display_name": "T1027 - Obfuscated Files or Information" }, { "id": "T1204", "name": "User Execution", "display_name": "T1204 - User Execution" } ], "industries": [], "TLP": "green", "cloned_from": null, "export_count": 124, "upvotes_count": 0, "downvotes_count": 0, "votes_count": 0, "locked": false, "pulse_source": "web", "validator_count": 0, "comment_count": 0, "follower_count": 0, "vote": 0, "author": { "username": "OctoSeek", "id": "243548", "avatar_url": "/otxapi/users/avatar_image/media/avatars/user_243548/resized/80/avatar_3b9c358f36.png", "is_subscribed": false, "is_following": false }, "indicator_type_counts": { "URL": 8736, "FileHash-MD5": 953, "FileHash-SHA1": 489, "FileHash-SHA256": 3566, "domain": 1516, "hostname": 2221, "CVE": 6 }, "indicator_count": 17487, "is_author": false, "is_subscribing": null, "subscriber_count": 221, "modified_text": "820 days ago ", "is_modified": true, "groups": [], "in_group": false, "threat_hunter_scannable": true, "threat_hunter_has_agents": 1, "related_indicator_type": "domain", "related_indicator_is_active": 1 }, { "id": "6583e3acc7f464d48a3503d1", "name": "Qkbot | Reddit", "description": "Qbot URL: https://seedbeej.pk/tin/index.php?QBOT.zip found in Reddit Honeypot link: https://www.reddit.com/user\nbackdoor second stage developed for distribution as a password stealer. Qbot, seemingly common; is a large botnetwork with many capabilities, attack methods and demands. An unsuspecting victim always be in botnetwork. Qbot encompasses many other bot networks, trojans, network rats, spyware, malvertizing, fraud services, full control of badly compromised digital profiles which have been discovered.", "modified": "2024-01-20T02:02:19.559000", "created": "2023-12-21T07:05:16.695000", "tags": [ "ssl certificate", "iocs", "ioc search", "new ioc", "teams api", "contact", "search", "threat", "paste", "blacklist https", "qakbot", "site", "cisco umbrella", "alexa top", "million", "ascii text", "pattern match", "file", "windows nt", "appdata", "indicator", "crlf line", "unicode text", "jpeg image", "mitre att", "hybrid", "general", "local", "error", "click", "strings", "microsoft", "threat analyzer", "urls https", "no data", "tag count", "threat report", "ip summary", "url summary", "summary", "heur", "malware site", "malicious site", "safe site", "malware", "html", "phishing site", "site top", "riskware", "unsafe", "artemis", "quasar rat", "downldr", "agent", "presenoker", "applicunwnt", "crack", "cve201711882", "win64", "iframe", "quasar", "trojanspy", "exit", "node tcp", "tor known", "tor relayrouter", "traffic", "anonymizer", "brasil", "phishing three", "united", "phishing bank", "virustotal", "tech", "bank", "maltiverse", "hidelink", "samples", "spyware", "injector", "mon jan", "tld count", "wed dec", "download", "first", "team", "simda", "bambernek", "simda simda", "infy", "alexa", "gregory", "cyber threat", "phishing", "engineering", "covid19", "telefonica co", "malicious", "zbot", "zeus", "betabot", "suppobox", "citadel", "pony", "kraken", "redline stealer", "ransomware", "vawtrak", "athena", "neutrino", "alina", "andromeda", "dexter", "unknown", "keylogger", "hawkeye", "phase", "jackpos", "plasma", "spyeye", "spitmo", "slingshot", "ramnit", "emotet", "pykspa", "virut", "installcore", "dorkbot", "bondat", "union", "vskimmer", "xtrat", "solar", "grandcrab", "nymaim", "matsnu", "cutwail", "cobalt strike", "hydra", "tinba", "nsis", "memscan", "deepscan", "runescape", "backdoor", "reddit", "tulach" ], "references": [ "https://seedbeej.pk/tin/index.php?QBOT.zip", "https://tulach.cc/ [phishing, exploits, malware spreader]", "https://www.hybrid-analysis.com/sample/a8decf589e5ec26f1e994a3923fc245db98f681f951d2bb8e1fcce1d8fef5293", "https://www.virustotal.com/gui/url/000c01d40db51f156933c624f23e776cb2c1fd60b8f1840b13b9622886a8e918/community", "198.54.115.46 [exploit_source]", "gadyniw.com [command_and_control]", "gahyqah.com [command_and_control]", "galyqaz.com [command_and_control]", "lyvyxor.com [command_and_control]", "puzylyp.com [command_and_control]", "malicious.high.ml [dropper]", "https://www.reddit.com/user" ], "public": 1, "adversary": "", "targeted_countries": [], "malware_families": [ { "id": "Qakbot", "display_name": "Qakbot", "target": null }, { "id": "Quasar", "display_name": "Quasar", "target": null }, { "id": "TrojanSpy", "display_name": "TrojanSpy", "target": null }, { "id": "Maltiverse", "display_name": "Maltiverse", "target": null }, { "id": "HideLink", "display_name": "HideLink", "target": null }, { "id": "Gregory", "display_name": "Gregory", "target": null }, { "id": "Cutwail", "display_name": "Cutwail", "target": null }, { "id": "Matsnu", "display_name": "Matsnu", "target": null }, { "id": "Vawtrak", "display_name": "Vawtrak", "target": null }, { "id": "XRat", "display_name": "XRat", "target": null }, { "id": "Zbot", "display_name": "Zbot", "target": null }, { "id": "Virut", "display_name": "Virut", "target": null }, { "id": "ZeuS", "display_name": "ZeuS", "target": null }, { "id": "vSkimmer", "display_name": "vSkimmer", "target": null }, { "id": "SuppoBox", "display_name": "SuppoBox", "target": null }, { "id": "Simda", "display_name": "Simda", "target": null }, { "id": "Pykspa", "display_name": "Pykspa", "target": null }, { "id": "SpyEye", "display_name": "SpyEye", "target": null }, { "id": "Spitmo", "display_name": "Spitmo", "target": null }, { "id": "Solar", "display_name": "Solar", "target": null }, { "id": "Nymaim", "display_name": "Nymaim", "target": null }, { "id": "DorkBot", "display_name": "DorkBot", "target": null }, { "id": "Slingshot", "display_name": "Slingshot", "target": null }, { "id": "Pony", "display_name": "Pony", "target": null }, { "id": "Plasma RAT", "display_name": "Plasma RAT", "target": null }, { "id": "Neutrino", "display_name": "Neutrino", "target": null }, { "id": "Ramnit", "display_name": "Ramnit", "target": null }, { "id": "NSIS", "display_name": "NSIS", "target": null }, { "id": "RedLine Stealer", "display_name": "RedLine Stealer", "target": null }, { "id": "InstallCore", "display_name": "InstallCore", "target": null }, { "id": "GrandCrab", "display_name": "GrandCrab", "target": null }, { "id": "Andromeda", "display_name": "Andromeda", "target": null }, { "id": "Alinaos", "display_name": "Alinaos", "target": null }, { "id": "HawkEye", "display_name": "HawkEye", "target": null }, { "id": "Kraken", "display_name": "Kraken", "target": null }, { "id": "Infy", "display_name": "Infy", "target": null }, { "id": "Dexter", "display_name": "Dexter", "target": null }, { "id": "Emotet", "display_name": "Emotet", "target": null }, { "id": "Artemis", "display_name": "Artemis", "target": null }, { "id": "ASCII", "display_name": "ASCII", "target": null }, { "id": "Athena", "display_name": "Athena", "target": null }, { "id": "Bambernek", "display_name": "Bambernek", "target": null }, { "id": "BetaBot", "display_name": "BetaBot", "target": null }, { "id": "COVID19", "display_name": "COVID19", "target": null }, { "id": "Citadel", "display_name": "Citadel", "target": null }, { "id": "Bondat", "display_name": "Bondat", "target": null }, { "id": "HideLink", "display_name": "HideLink", "target": null }, { "id": "Hydra", "display_name": "Hydra", "target": null }, { "id": "Tulach", "display_name": "Tulach", "target": null } ], "attack_ids": [ { "id": "T1059", "name": "Command and Scripting Interpreter", "display_name": "T1059 - Command and Scripting Interpreter" }, { "id": "T1071", "name": "Application Layer Protocol", "display_name": "T1071 - Application Layer Protocol" }, { "id": "T1105", "name": "Ingress Tool Transfer", "display_name": "T1105 - Ingress Tool Transfer" }, { "id": "T1497", "name": "Virtualization/Sandbox Evasion", "display_name": "T1497 - Virtualization/Sandbox Evasion" }, { "id": "T1547", "name": "Boot or Logon Autostart Execution", "display_name": "T1547 - Boot or Logon Autostart Execution" }, { "id": "T1140", "name": "Deobfuscate/Decode Files or Information", "display_name": "T1140 - Deobfuscate/Decode Files or Information" }, { "id": "T1027", "name": "Obfuscated Files or Information", "display_name": "T1027 - Obfuscated Files or Information" }, { "id": "T1204", "name": "User Execution", "display_name": "T1204 - User Execution" } ], "industries": [], "TLP": "white", "cloned_from": null, "export_count": 101, "upvotes_count": 0, "downvotes_count": 0, "votes_count": 0, "locked": false, "pulse_source": "web", "validator_count": 0, "comment_count": 0, "follower_count": 0, "vote": 0, "author": { "username": "OctoSeek", "id": "243548", "avatar_url": "/otxapi/users/avatar_image/media/avatars/user_243548/resized/80/avatar_3b9c358f36.png", "is_subscribed": false, "is_following": false }, "indicator_type_counts": { "URL": 8343, "FileHash-MD5": 953, "FileHash-SHA1": 489, "FileHash-SHA256": 3565, "domain": 1494, "hostname": 2218, "CVE": 6 }, "indicator_count": 17068, "is_author": false, "is_subscribing": null, "subscriber_count": 219, "modified_text": "820 days ago ", "is_modified": true, "groups": [], "in_group": false, "threat_hunter_scannable": true, "threat_hunter_has_agents": 1, "related_indicator_type": "domain", "related_indicator_is_active": 1 }, { "id": "6583e3a2d1432cbf9054d26d", "name": "Qkbot | Reddit", "description": "Qbot URL: https://seedbeej.pk/tin/index.php?QBOT.zip found in Reddit Honeypot link: https://www.reddit.com/user\nbackdoor second stage developed for distribution as a password stealer. Qbot, seemingly common; is a large botnetwork with many capabilities, attack methods and demands. An unsuspecting victim always be in botnetwork. Qbot encompasses many other bot networks, trojans, network rats, spyware, malvertizing, fraud services, full control of badly compromised digital profiles which have been discovered.", "modified": "2024-01-20T02:02:19.559000", "created": "2023-12-21T07:05:06.936000", "tags": [ "ssl certificate", "iocs", "ioc search", "new ioc", "teams api", "contact", "search", "threat", "paste", "blacklist https", "qakbot", "site", "cisco umbrella", "alexa top", "million", "ascii text", "pattern match", "file", "windows nt", "appdata", "indicator", "crlf line", "unicode text", "jpeg image", "mitre att", "hybrid", "general", "local", "error", "click", "strings", "microsoft", "threat analyzer", "urls https", "no data", "tag count", "threat report", "ip summary", "url summary", "summary", "heur", "malware site", "malicious site", "safe site", "malware", "html", "phishing site", "site top", "riskware", "unsafe", "artemis", "quasar rat", "downldr", "agent", "presenoker", "applicunwnt", "crack", "cve201711882", "win64", "iframe", "quasar", "trojanspy", "exit", "node tcp", "tor known", "tor relayrouter", "traffic", "anonymizer", "brasil", "phishing three", "united", "phishing bank", "virustotal", "tech", "bank", "maltiverse", "hidelink", "samples", "spyware", "injector", "mon jan", "tld count", "wed dec", "download", "first", "team", "simda", "bambernek", "simda simda", "infy", "alexa", "gregory", "cyber threat", "phishing", "engineering", "covid19", "telefonica co", "malicious", "zbot", "zeus", "betabot", "suppobox", "citadel", "pony", "kraken", "redline stealer", "ransomware", "vawtrak", "athena", "neutrino", "alina", "andromeda", "dexter", "unknown", "keylogger", "hawkeye", "phase", "jackpos", "plasma", "spyeye", "spitmo", "slingshot", "ramnit", "emotet", "pykspa", "virut", "installcore", "dorkbot", "bondat", "union", "vskimmer", "xtrat", "solar", "grandcrab", "nymaim", "matsnu", "cutwail", "cobalt strike", "hydra", "tinba", "nsis", "memscan", "deepscan", "runescape", "backdoor", "reddit", "tulach" ], "references": [ "https://seedbeej.pk/tin/index.php?QBOT.zip", "https://tulach.cc/ [phishing, exploits, malware spreader]", "https://www.hybrid-analysis.com/sample/a8decf589e5ec26f1e994a3923fc245db98f681f951d2bb8e1fcce1d8fef5293", "https://www.virustotal.com/gui/url/000c01d40db51f156933c624f23e776cb2c1fd60b8f1840b13b9622886a8e918/community", "198.54.115.46 [exploit_source]", "gadyniw.com [command_and_control]", "gahyqah.com [command_and_control]", "galyqaz.com [command_and_control]", "lyvyxor.com [command_and_control]", "puzylyp.com [command_and_control]", "malicious.high.ml [dropper]", "https://www.reddit.com/user" ], "public": 1, "adversary": "", "targeted_countries": [], "malware_families": [ { "id": "Qakbot", "display_name": "Qakbot", "target": null }, { "id": "Quasar", "display_name": "Quasar", "target": null }, { "id": "TrojanSpy", "display_name": "TrojanSpy", "target": null }, { "id": "Maltiverse", "display_name": "Maltiverse", "target": null }, { "id": "HideLink", "display_name": "HideLink", "target": null }, { "id": "Gregory", "display_name": "Gregory", "target": null }, { "id": "Cutwail", "display_name": "Cutwail", "target": null }, { "id": "Matsnu", "display_name": "Matsnu", "target": null }, { "id": "Vawtrak", "display_name": "Vawtrak", "target": null }, { "id": "XRat", "display_name": "XRat", "target": null }, { "id": "Zbot", "display_name": "Zbot", "target": null }, { "id": "Virut", "display_name": "Virut", "target": null }, { "id": "ZeuS", "display_name": "ZeuS", "target": null }, { "id": "vSkimmer", "display_name": "vSkimmer", "target": null }, { "id": "SuppoBox", "display_name": "SuppoBox", "target": null }, { "id": "Simda", "display_name": "Simda", "target": null }, { "id": "Pykspa", "display_name": "Pykspa", "target": null }, { "id": "SpyEye", "display_name": "SpyEye", "target": null }, { "id": "Spitmo", "display_name": "Spitmo", "target": null }, { "id": "Solar", "display_name": "Solar", "target": null }, { "id": "Nymaim", "display_name": "Nymaim", "target": null }, { "id": "DorkBot", "display_name": "DorkBot", "target": null }, { "id": "Slingshot", "display_name": "Slingshot", "target": null }, { "id": "Pony", "display_name": "Pony", "target": null }, { "id": "Plasma RAT", "display_name": "Plasma RAT", "target": null }, { "id": "Neutrino", "display_name": "Neutrino", "target": null }, { "id": "Ramnit", "display_name": "Ramnit", "target": null }, { "id": "NSIS", "display_name": "NSIS", "target": null }, { "id": "RedLine Stealer", "display_name": "RedLine Stealer", "target": null }, { "id": "InstallCore", "display_name": "InstallCore", "target": null }, { "id": "GrandCrab", "display_name": "GrandCrab", "target": null }, { "id": "Andromeda", "display_name": "Andromeda", "target": null }, { "id": "Alinaos", "display_name": "Alinaos", "target": null }, { "id": "HawkEye", "display_name": "HawkEye", "target": null }, { "id": "Kraken", "display_name": "Kraken", "target": null }, { "id": "Infy", "display_name": "Infy", "target": null }, { "id": "Dexter", "display_name": "Dexter", "target": null }, { "id": "Emotet", "display_name": "Emotet", "target": null }, { "id": "Artemis", "display_name": "Artemis", "target": null }, { "id": "ASCII", "display_name": "ASCII", "target": null }, { "id": "Athena", "display_name": "Athena", "target": null }, { "id": "Bambernek", "display_name": "Bambernek", "target": null }, { "id": "BetaBot", "display_name": "BetaBot", "target": null }, { "id": "COVID19", "display_name": "COVID19", "target": null }, { "id": "Citadel", "display_name": "Citadel", "target": null }, { "id": "Bondat", "display_name": "Bondat", "target": null }, { "id": "HideLink", "display_name": "HideLink", "target": null }, { "id": "Hydra", "display_name": "Hydra", "target": null }, { "id": "Tulach", "display_name": "Tulach", "target": null } ], "attack_ids": [ { "id": "T1059", "name": "Command and Scripting Interpreter", "display_name": "T1059 - Command and Scripting Interpreter" }, { "id": "T1071", "name": "Application Layer Protocol", "display_name": "T1071 - Application Layer Protocol" }, { "id": "T1105", "name": "Ingress Tool Transfer", "display_name": "T1105 - Ingress Tool Transfer" }, { "id": "T1497", "name": "Virtualization/Sandbox Evasion", "display_name": "T1497 - Virtualization/Sandbox Evasion" }, { "id": "T1547", "name": "Boot or Logon Autostart Execution", "display_name": "T1547 - Boot or Logon Autostart Execution" }, { "id": "T1140", "name": "Deobfuscate/Decode Files or Information", "display_name": "T1140 - Deobfuscate/Decode Files or Information" }, { "id": "T1027", "name": "Obfuscated Files or Information", "display_name": "T1027 - Obfuscated Files or Information" }, { "id": "T1204", "name": "User Execution", "display_name": "T1204 - User Execution" } ], "industries": [], "TLP": "white", "cloned_from": null, "export_count": 98, "upvotes_count": 0, "downvotes_count": 0, "votes_count": 0, "locked": false, "pulse_source": "web", "validator_count": 0, "comment_count": 0, "follower_count": 0, "vote": 0, "author": { "username": "OctoSeek", "id": "243548", "avatar_url": "/otxapi/users/avatar_image/media/avatars/user_243548/resized/80/avatar_3b9c358f36.png", "is_subscribed": false, "is_following": false }, "indicator_type_counts": { "URL": 8343, "FileHash-MD5": 953, "FileHash-SHA1": 489, "FileHash-SHA256": 3565, "domain": 1494, "hostname": 2218, "CVE": 6 }, "indicator_count": 17068, "is_author": false, "is_subscribing": null, "subscriber_count": 220, "modified_text": "820 days ago ", "is_modified": true, "groups": [], "in_group": false, "threat_hunter_scannable": true, "threat_hunter_has_agents": 1, "related_indicator_type": "domain", "related_indicator_is_active": 1 }, { "id": "6563ca952c89a2affe9e732e", "name": "http://hdtvlive.xyz/mobile.apk", "description": "", "modified": "2023-12-26T22:03:15.079000", "created": "2023-11-26T22:45:41.590000", "tags": [ "whois record", "whois whois", "ssl certificate", "deepscan", "sodinokibi", "tag count", "jul jan", "tue feb", "threat report", "ip summary", "url summary", "summary", "sample", "first", "detection list", "blacklist http", "cisco umbrella", "site", "alexa top", "million", "safe site", "alexa", "cve20188453", "malware site", "malware", "malicious site", "artemis", "unsafe", "cnc server", "tracker", "cnc feodo", "cyber threat", "threats et", "united", "cronup threat", "emotet ip", "blocklist", "et cnc", "phishing", "emotet", "zbot", "bank", "malicious", "facebook", "feodo", "virustotal", "dropper", "team", "suppobox", "ransomware", "ramnit", "recent emotet", "pattern match", "root ca", "done adding", "catalog file", "file", "ascii text", "authority", "appdata", "class", "date", "unknown", "generator", "error", "hybrid", "accept", "general", "local", "twitter", "click", "strings", "critical", "samples", "blacklist" ], "references": [], "public": 1, "adversary": "", "targeted_countries": [ "United States of America", "Singapore", "Italy", "Ireland" ], "malware_families": [ { "id": "Recent Emotet", "display_name": "Recent Emotet", "target": null } ], "attack_ids": [ { "id": "T1027", "name": "Obfuscated Files or Information", "display_name": "T1027 - Obfuscated Files or Information" }, { "id": "T1176", "name": "Browser Extensions", "display_name": "T1176 - Browser Extensions" }, { "id": "T1059", "name": "Command and Scripting Interpreter", "display_name": "T1059 - Command and Scripting Interpreter" }, { "id": "T1071", "name": "Application Layer Protocol", "display_name": "T1071 - Application Layer Protocol" }, { "id": "T1100", "name": "Web Shell", "display_name": "T1100 - Web Shell" }, { "id": "T1105", "name": "Ingress Tool Transfer", "display_name": "T1105 - Ingress Tool Transfer" }, { "id": "T1560", "name": "Archive Collected Data", "display_name": "T1560 - Archive Collected Data" } ], "industries": [], "TLP": "green", "cloned_from": null, "export_count": 19, "upvotes_count": 0, "downvotes_count": 0, "votes_count": 0, "locked": false, "pulse_source": "web", "validator_count": 0, "comment_count": 0, "follower_count": 0, "vote": 0, "author": { "username": "OctoSeek", "id": "243548", "avatar_url": "/otxapi/users/avatar_image/media/avatars/user_243548/resized/80/avatar_3b9c358f36.png", "is_subscribed": false, "is_following": false }, "indicator_type_counts": { "FileHash-MD5": 523, "FileHash-SHA1": 275, "FileHash-SHA256": 2482, "domain": 1757, "hostname": 1234, "URL": 4946, "CVE": 4 }, "indicator_count": 11221, "is_author": false, "is_subscribing": null, "subscriber_count": 218, "modified_text": "844 days ago ", "is_modified": true, "groups": [], "in_group": false, "threat_hunter_scannable": true, "threat_hunter_has_agents": 1, "related_indicator_type": "domain", "related_indicator_is_active": 1 }, { "id": "6563ca913b90e747f45027c3", "name": "http://hdtvlive.xyz/mobile.apk", "description": "", "modified": "2023-12-26T22:03:15.079000", "created": "2023-11-26T22:45:37.305000", "tags": [ "whois record", "whois whois", "ssl certificate", "deepscan", "sodinokibi", "tag count", "jul jan", "tue feb", "threat report", "ip summary", "url summary", "summary", "sample", "first", "detection list", "blacklist http", "cisco umbrella", "site", "alexa top", "million", "safe site", "alexa", "cve20188453", "malware site", "malware", "malicious site", "artemis", "unsafe", "cnc server", "tracker", "cnc feodo", "cyber threat", "threats et", "united", "cronup threat", "emotet ip", "blocklist", "et cnc", "phishing", "emotet", "zbot", "bank", "malicious", "facebook", "feodo", "virustotal", "dropper", "team", "suppobox", "ransomware", "ramnit", "recent emotet", "pattern match", "root ca", "done adding", "catalog file", "file", "ascii text", "authority", "appdata", "class", "date", "unknown", "generator", "error", "hybrid", "accept", "general", "local", "twitter", "click", "strings", "critical", "samples", "blacklist" ], "references": [], "public": 1, "adversary": "", "targeted_countries": [ "United States of America", "Singapore", "Italy", "Ireland" ], "malware_families": [ { "id": "Recent Emotet", "display_name": "Recent Emotet", "target": null } ], "attack_ids": [ { "id": "T1027", "name": "Obfuscated Files or Information", "display_name": "T1027 - Obfuscated Files or Information" }, { "id": "T1176", "name": "Browser Extensions", "display_name": "T1176 - Browser Extensions" }, { "id": "T1059", "name": "Command and Scripting Interpreter", "display_name": "T1059 - Command and Scripting Interpreter" }, { "id": "T1071", "name": "Application Layer Protocol", "display_name": "T1071 - Application Layer Protocol" }, { "id": "T1100", "name": "Web Shell", "display_name": "T1100 - Web Shell" }, { "id": "T1105", "name": "Ingress Tool Transfer", "display_name": "T1105 - Ingress Tool Transfer" }, { "id": "T1560", "name": "Archive Collected Data", "display_name": "T1560 - Archive Collected Data" } ], "industries": [], "TLP": "green", "cloned_from": null, "export_count": 19, "upvotes_count": 0, "downvotes_count": 0, "votes_count": 0, "locked": false, "pulse_source": "web", "validator_count": 0, "comment_count": 0, "follower_count": 0, "vote": 0, "author": { "username": "OctoSeek", "id": "243548", "avatar_url": "/otxapi/users/avatar_image/media/avatars/user_243548/resized/80/avatar_3b9c358f36.png", "is_subscribed": false, "is_following": false }, "indicator_type_counts": { "FileHash-MD5": 523, "FileHash-SHA1": 275, "FileHash-SHA256": 2482, "domain": 1757, "hostname": 1234, "URL": 4946, "CVE": 4 }, "indicator_count": 11221, "is_author": false, "is_subscribing": null, "subscriber_count": 218, "modified_text": "844 days ago ", "is_modified": true, "groups": [], "in_group": false, "threat_hunter_scannable": true, "threat_hunter_has_agents": 1, "related_indicator_type": "domain", "related_indicator_is_active": 1 }, { "id": "656aafce24b001cba328dcbc", "name": "http://maxwam.tk/news/top-stories/widow-penalized-for-late-husband-s-legal-marijuana-use/769762335", "description": "", "modified": "2023-12-26T00:03:03.925000", "created": "2023-12-02T04:17:18.188000", "tags": [ "ssl certificate", "contacted", "threat roundup", "whois record", "communicating", "subdomains", "resolutions", "june", "july", "october", "august", "noname057", "generic malware", "ice fog", "tag count", "thu nov", "threat report", "ip summary", "url summary", "summary", "sample", "first", "generic", "detection list", "blacklist http", "cisco umbrella", "site", "heur", "alexa top", "safe site", "million", "malware", "alexa", "malware site", "malicious site", "unsafe", "artemis", "fakealert", "exploit", "opencandy", "riskware", "genkryptik", "iframe", "tiggre", "presenoker", "agent", "conduit", "wacatac", "phishing", "redline stealer", "dropper", "cobalt strike", "acint", "nircmd", "swrort", "downldr", "systweak", "behav", "crack", "filetour", "cleaner", "installpack", "xrat", "fusioncore", "azorult", "service", "runescape", "facebook", "bank", "download", "blacknet rat", "stealer", "maltiverse", "webtoolbar", "trojanspy", "united", "engineering", "cyber threat", "phishing site", "america", "emotet", "zbot", "malicious", "steam", "team", "indonesia", "miner", "ransomware", "ramnit", "pe resource", "historical ssl", "execution", "hacktool", "metasploit", "relic", "monitoring", "android", "skynet", "et", "anonymizer", "trojanx", "back", "laplasclipper", "win64", "trojan", "ghost rat", "suppobox", "asyncrat", "union", "samples", "blacklist", "malicious url", "hostname", "hostnames", "tsara brashears", "reinsurance", "pinnacol insurance", "industry and commerce", "state", "danger", "warning", "nr-data.net", "apple", "data.net", "asp.net", "domains", "hashes", "reverse dns", "general full", "resource", "software", "asn15169", "google", "url http", "server", "hash", "get h2", "main", "cookie", "thu dec", "germany", "frankfurt", "netherlands", "asn20446", "highwinds3", "page url", "search live", "api blog", "docs pricing", "tags", "november", "us summary", "http", "google safe", "browsing", "adware", "xtrat", "firehol", "microsoft", "control server", "services", "msil", "hiloti", "asn16509", "amazon02", "fastly", "asn54113", "prague", "login", "listen live", "centura health", "colorado jobs", "eeo public", "filing url", "blacklist https", "mimikatz", "beach research", "de indicators", "copyright", "gmbh version", "follow", "softcnapp", "philadelphia", "gamehack", "value", "line", "variables", "nreum", "postrelease", "url https", "security tls", "protocol h2", "name value", "scam", "gesponsert url", "outputldjh", "oid2", "uhis2", "uh1200", "uw1600", "uah1200", "uaw1600", "ucd24", "usd1", "utz60", "no data", "coinminer", "ip address", "exchange", "http attacker", "states", "jimburkedentistry", "leder-family", "adam lee", "erika lee", "malvertizing" ], "references": [ "http://maxwam.tk/news/top-stories/widow-penalized-for-late-husband-s-legal-marijuana-use/769762335", "https://www.denverpost.com/2018/07/17/marijuana-workers-compensation/amp/ Source", "http://jcsservices.in/gkqikjxn/index.php?pnz=jim@thejimburkefamily.com", "http://www.burkedentistry.com/Quarryville-Dentist-and-Staff/1567", "http://tracks.theleders.family", "photos.theleders.family", "http://45.159.189.105/bot/regex (tracks Tsara Brashears)", "45.159.189.105 (CNC IP \u2022 Tracking Tsara Brashears)", "http://mobtrack.trkclk.net", "https://otx.alienvault.com/indicator/url/https://www.anyxxxtube.net/search-porn/tsara-brashears/", "https://wallpapers-nature.com/tsara-brashears/tse1-mm-bing-net", "https://www.pornhub.com/gifs/search?search=tsara+lynn+brashears+lesbian", "nr-data.net", "https://wallpapers-nature.com/%20tsara-brashears/urlscan-io", "103.233.208.9 (CNC IP)", "apex.jquery.com (scammer | works for who?)", "api.useragentswitch.com", "bam-cell.nr-data.net (Apple Private Data Collection | since found, result continuously modified)", "dns.google (DNS client services - Doug Cole)", "https://www.9and10news.com/2021/09/17/fbi-releases-update-on-suspicious-packages-left-at-att-stores/", "https://api.openinstall.io/api/v2/android/otby76/init?certFinger=44:B4:38:61:15:B4:57:55:B5:BF:D1:6B:34:CC:60:72:DA:C7:40:CE&macAddress=6D:51:08:93:04:7B&serialNumber=&apiVersion=2.3.0&deviceId=&pkg=com.mobikok.ecoupon&version=8.1.0&installId=&androidId=91ed20d90734918e&versionCode=333\u00d7tamp=1684541379839", "apple-dns.net", "emails.redvue.com (apple DNS w/amvima)", "142.250.180.4 (init.ess)", "init.ess.apple.com (Highly malicious. Will infiltrate devices when exploited. Spyware)", "freeimdatingsites.thomasdobo.eu", "https://urlscan.io/result/07fe876e-8864-474f-8b32-ba2d50c9a242/#indicators", "https://urlscan.io/domain/maxwam.tk", "https://urlscan.io/result/e770a861-9818-4309-b31e-fd18510532a7/#indicators" ], "public": 1, "adversary": "", "targeted_countries": [ "United States of America" ], "malware_families": [ { "id": "Generic", "display_name": "Generic", "target": null }, { "id": "Maltiverse", "display_name": "Maltiverse", "target": null }, { "id": "WebToolbar", "display_name": "WebToolbar", "target": null }, { "id": "TrojanSpy", "display_name": "TrojanSpy", "target": null }, { "id": "ET", "display_name": "ET", "target": null }, { "id": "Beach Research", "display_name": "Beach Research", "target": null }, { "id": "GameHack", "display_name": "GameHack", "target": null }, { "id": "States", "display_name": "States", "target": null } ], "attack_ids": [ { "id": "T1140", "name": "Deobfuscate/Decode Files or Information", "display_name": "T1140 - Deobfuscate/Decode Files or Information" }, { "id": "T1027", "name": "Obfuscated Files or Information", "display_name": "T1027 - Obfuscated Files or Information" }, { "id": "T1566", "name": "Phishing", "display_name": "T1566 - Phishing" }, { "id": "T1176", "name": "Browser Extensions", "display_name": "T1176 - Browser Extensions" }, { "id": "T1123", "name": "Audio Capture", "display_name": "T1123 - Audio Capture" } ], "industries": [], "TLP": "white", "cloned_from": "6562908e28e6cdc237fbf8db", "export_count": 78, "upvotes_count": 0, "downvotes_count": 0, "votes_count": 0, "locked": false, "pulse_source": "web", "validator_count": 0, "comment_count": 0, "follower_count": 0, "vote": 0, "author": { "username": "scoreblue", "id": "254100", "avatar_url": "/otxapi/users/avatar_image/media/avatars/user_254100/resized/80/avatar_3b9c358f36.png", "is_subscribed": false, "is_following": false }, "indicator_type_counts": { "FileHash-MD5": 1956, "FileHash-SHA1": 867, "FileHash-SHA256": 3751, "URL": 10878, "domain": 2914, "hostname": 3520, "CVE": 16 }, "indicator_count": 23902, "is_author": false, "is_subscribing": null, "subscriber_count": 226, "modified_text": "845 days ago ", "is_modified": true, "groups": [], "in_group": false, "threat_hunter_scannable": true, "threat_hunter_has_agents": 1, "related_indicator_type": "domain", "related_indicator_is_active": 1 }, { "id": "6562908e28e6cdc237fbf8db", "name": "http://maxwam.tk/news/top-stories/widow-penalized-for-late-husband-s-legal-marijuana-use/769762335", "description": "", "modified": "2023-12-26T00:03:03.925000", "created": "2023-11-26T00:25:50.529000", "tags": [ "ssl certificate", "contacted", "threat roundup", "whois record", "communicating", "subdomains", "resolutions", "june", "july", "october", "august", "noname057", "generic malware", "ice fog", "tag count", "thu nov", "threat report", "ip summary", "url summary", "summary", "sample", "first", "generic", "detection list", "blacklist http", "cisco umbrella", "site", "heur", "alexa top", "safe site", "million", "malware", "alexa", "malware site", "malicious site", "unsafe", "artemis", "fakealert", "exploit", "opencandy", "riskware", "genkryptik", "iframe", "tiggre", "presenoker", "agent", "conduit", "wacatac", "phishing", "redline stealer", "dropper", "cobalt strike", "acint", "nircmd", "swrort", "downldr", "systweak", "behav", "crack", "filetour", "cleaner", "installpack", "xrat", "fusioncore", "azorult", "service", "runescape", "facebook", "bank", "download", "blacknet rat", "stealer", "maltiverse", "webtoolbar", "trojanspy", "united", "engineering", "cyber threat", "phishing site", "america", "emotet", "zbot", "malicious", "steam", "team", "indonesia", "miner", "ransomware", "ramnit", "pe resource", "historical ssl", "execution", "hacktool", "metasploit", "relic", "monitoring", "android", "skynet", "et", "anonymizer", "trojanx", "back", "laplasclipper", "win64", "trojan", "ghost rat", "suppobox", "asyncrat", "union", "samples", "blacklist", "malicious url", "hostname", "hostnames", "tsara brashears", "reinsurance", "pinnacol insurance", "industry and commerce", "state", "danger", "warning", "nr-data.net", "apple", "data.net", "asp.net", "domains", "hashes", "reverse dns", "general full", "resource", "software", "asn15169", "google", "url http", "server", "hash", "get h2", "main", "cookie", "thu dec", "germany", "frankfurt", "netherlands", "asn20446", "highwinds3", "page url", "search live", "api blog", "docs pricing", "tags", "november", "us summary", "http", "google safe", "browsing", "adware", "xtrat", "firehol", "microsoft", "control server", "services", "msil", "hiloti", "asn16509", "amazon02", "fastly", "asn54113", "prague", "login", "listen live", "centura health", "colorado jobs", "eeo public", "filing url", "blacklist https", "mimikatz", "beach research", "de indicators", "copyright", "gmbh version", "follow", "softcnapp", "philadelphia", "gamehack", "value", "line", "variables", "nreum", "postrelease", "url https", "security tls", "protocol h2", "name value", "scam", "gesponsert url", "outputldjh", "oid2", "uhis2", "uh1200", "uw1600", "uah1200", "uaw1600", "ucd24", "usd1", "utz60", "no data", "coinminer", "ip address", "exchange", "http attacker", "states", "jimburkedentistry", "leder-family", "adam lee", "erika lee", "malvertizing" ], "references": [ "http://maxwam.tk/news/top-stories/widow-penalized-for-late-husband-s-legal-marijuana-use/769762335", "https://www.denverpost.com/2018/07/17/marijuana-workers-compensation/amp/ Source", "http://jcsservices.in/gkqikjxn/index.php?pnz=jim@thejimburkefamily.com", "http://www.burkedentistry.com/Quarryville-Dentist-and-Staff/1567", "http://tracks.theleders.family", "photos.theleders.family", "http://45.159.189.105/bot/regex (tracks Tsara Brashears)", "45.159.189.105 (CNC IP \u2022 Tracking Tsara Brashears)", "http://mobtrack.trkclk.net", "https://otx.alienvault.com/indicator/url/https://www.anyxxxtube.net/search-porn/tsara-brashears/", "https://wallpapers-nature.com/tsara-brashears/tse1-mm-bing-net", "https://www.pornhub.com/gifs/search?search=tsara+lynn+brashears+lesbian", "nr-data.net", "https://wallpapers-nature.com/%20tsara-brashears/urlscan-io", "103.233.208.9 (CNC IP)", "apex.jquery.com (scammer | works for who?)", "api.useragentswitch.com", "bam-cell.nr-data.net (Apple Private Data Collection | since found, result continuously modified)", "dns.google (DNS client services - Doug Cole)", "https://www.9and10news.com/2021/09/17/fbi-releases-update-on-suspicious-packages-left-at-att-stores/", "https://api.openinstall.io/api/v2/android/otby76/init?certFinger=44:B4:38:61:15:B4:57:55:B5:BF:D1:6B:34:CC:60:72:DA:C7:40:CE&macAddress=6D:51:08:93:04:7B&serialNumber=&apiVersion=2.3.0&deviceId=&pkg=com.mobikok.ecoupon&version=8.1.0&installId=&androidId=91ed20d90734918e&versionCode=333\u00d7tamp=1684541379839", "apple-dns.net", "emails.redvue.com (apple DNS w/amvima)", "142.250.180.4 (init.ess)", "init.ess.apple.com (Highly malicious. Will infiltrate devices when exploited. Spyware)", "freeimdatingsites.thomasdobo.eu", "https://urlscan.io/result/07fe876e-8864-474f-8b32-ba2d50c9a242/#indicators", "https://urlscan.io/domain/maxwam.tk", "https://urlscan.io/result/e770a861-9818-4309-b31e-fd18510532a7/#indicators" ], "public": 1, "adversary": "", "targeted_countries": [ "United States of America" ], "malware_families": [ { "id": "Generic", "display_name": "Generic", "target": null }, { "id": "Maltiverse", "display_name": "Maltiverse", "target": null }, { "id": "WebToolbar", "display_name": "WebToolbar", "target": null }, { "id": "TrojanSpy", "display_name": "TrojanSpy", "target": null }, { "id": "ET", "display_name": "ET", "target": null }, { "id": "Beach Research", "display_name": "Beach Research", "target": null }, { "id": "GameHack", "display_name": "GameHack", "target": null }, { "id": "States", "display_name": "States", "target": null } ], "attack_ids": [ { "id": "T1140", "name": "Deobfuscate/Decode Files or Information", "display_name": "T1140 - Deobfuscate/Decode Files or Information" }, { "id": "T1027", "name": "Obfuscated Files or Information", "display_name": "T1027 - Obfuscated Files or Information" }, { "id": "T1566", "name": "Phishing", "display_name": "T1566 - Phishing" }, { "id": "T1176", "name": "Browser Extensions", "display_name": "T1176 - Browser Extensions" }, { "id": "T1123", "name": "Audio Capture", "display_name": "T1123 - Audio Capture" } ], "industries": [], "TLP": "white", "cloned_from": null, "export_count": 83, "upvotes_count": 0, "downvotes_count": 0, "votes_count": 0, "locked": false, "pulse_source": "web", "validator_count": 0, "comment_count": 0, "follower_count": 0, "vote": 0, "author": { "username": "OctoSeek", "id": "243548", "avatar_url": "/otxapi/users/avatar_image/media/avatars/user_243548/resized/80/avatar_3b9c358f36.png", "is_subscribed": false, "is_following": false }, "indicator_type_counts": { "FileHash-MD5": 1956, "FileHash-SHA1": 867, "FileHash-SHA256": 3751, "URL": 10878, "domain": 2914, "hostname": 3520, "CVE": 16 }, "indicator_count": 23902, "is_author": false, "is_subscribing": null, "subscriber_count": 220, "modified_text": "845 days ago ", "is_modified": true, "groups": [], "in_group": false, "threat_hunter_scannable": true, "threat_hunter_has_agents": 1, "related_indicator_type": "domain", "related_indicator_is_active": 1 }, { "id": "655f6edffd3910161c2ad1a2", "name": "D26A | DNSpionage| Qbot | Tulach Malaware | https://theanimallawfirm.com/ | FakeAlert", "description": "", "modified": "2023-12-23T07:03:55.171000", "created": "2023-11-23T15:25:19.843000", "tags": [ "pattern match", "ascii text", "file", "jpeg image", "exif standard", "tiff image", "png image", "united", "baseline", "rgba", "date", "class", "unknown", "hybrid", "accept", "local", "click", "strings", "generator", "critical", "error", "firehol", "detection list", "ip address", "blacklist", "botnet command", "control server", "noname057", "facebook", "phishtank", "blacklist http", "organization", "ssl certificate", "whois record", "contacted", "historical ssl", "n64xtx0vpihxzc", "whois whois", "qpyrn6pd http", "referrer", "execution", "communicating", "core", "discord", "hiddentear", "metro", "probe", "ransomexx", "quasar", "asyncrat", "bleachgap", "formbook", "nanocore", "roblox", "heur", "cyber threat", "engineering", "malware", "phishing", "malicious site", "phishing site", "covid19", "team", "bank", "cobalt strike", "artemis", "download", "zbot", "suppobox", "service", "downloader", "virut", "malicious", "emotet", "stealer", "exploit", "generic", "dropper", "unruy", "agent", "unsafe", "ramnit", "redline stealer", "smsspy", "bradesco", "fakealert", "qakbot", "outbreak", "qbot", "bankerx", "riskware", "nimda", "swrort", "adwind", "trojanx", "crack", "win64", "squirrelwaffle", "pony", "binder", "virustotal", "azorult", "zeus", "nymaim", "matsnu", "simda", "runescape", "cutwail", "dnspionage", "redirector", "fusioncore", "iframe", "killav", "raccoon", "daum", "installcore", "ransomware", "cisco umbrella", "site", "safe site", "alexa top", "million", "presenoker", "downldr", "alexa", "applicunwnt", "opencandy", "cleaner", "wacatac", "xrat", "xtrat", "dbatloader", "infy", "psexec", "occamy", "brontok", "zpevdo", "startpage", "keygen", "fareit", "secrisk", "phish", "deepscan", "trojanspy", "maltiverse", "qpyrn6pd", "spyware", "injector", "jul jan", "tag count", "tue jan", "threat report", "ip summary", "url summary", "summary", "sample" ], "references": [ "https://www.hybrid-analysis.com/sample/d4e0619008da0bf555fd1d9af2797eaed02c89512239cbdaf64c08e795bb9658", "http://www.jamesbgriffinlaw.com/wp-content/plugins/formcraft/file-upload/server/content/files/16132c66b562a3---dewubomojagorekijufuruni [ Malicious Plugins]", "*otc.greatcall.com [Botnetwork]", "https://www.norad.mil/ [ Modified by others| Parking Crew - is a Tracker]", "https://otx.alienvault.com/indicator/url/http://103.246.145.111/gateonl.php?hwid=WALKER-PC-WALKER&cpuname=Intel [ Malware Server | iTunes path hacktool]", "tulach.cc. [Malevolent | Modified description]", "https://tulach.cc/ [phishing]", "https://www.anyxxxtube.net/search-porn/tsara-brashears/ [ ELF - Descriptions modified by others]", "https://www.pornhub.com/video/search?search=tsara+brashears [NORAD.mil phone tracking. Description modified]", "s3.amazonaws.com [Virut Tsara Brashears Botnetwork | Modified description]" ], "public": 1, "adversary": "Qbot", "targeted_countries": [ "United States of America" ], "malware_families": [ { "id": "Roblox", "display_name": "Roblox", "target": null }, { "id": "TrojanSpy", "display_name": "TrojanSpy", "target": null }, { "id": "Maltiverse", "display_name": "Maltiverse", "target": null }, { "id": "Tulach Malware", "display_name": "Tulach Malware", "target": null } ], "attack_ids": [ { "id": "T1041", "name": "Exfiltration Over C2 Channel", "display_name": "T1041 - Exfiltration Over C2 Channel" }, { "id": "T1059", "name": "Command and Scripting Interpreter", "display_name": "T1059 - Command and Scripting Interpreter" }, { "id": "T1071", "name": "Application Layer Protocol", "display_name": "T1071 - Application Layer Protocol" }, { "id": "T1100", "name": "Web Shell", "display_name": "T1100 - Web Shell" }, { "id": "T1105", "name": "Ingress Tool Transfer", "display_name": "T1105 - Ingress Tool Transfer" }, { "id": "T1560", "name": "Archive Collected Data", "display_name": "T1560 - Archive Collected Data" }, { "id": "T1547", "name": "Boot or Logon Autostart Execution", "display_name": "T1547 - Boot or Logon Autostart Execution" }, { "id": "T1027", "name": "Obfuscated Files or Information", "display_name": "T1027 - Obfuscated Files or Information" }, { "id": "T1204", "name": "User Execution", "display_name": "T1204 - User Execution" } ], "industries": [], "TLP": "white", "cloned_from": "655f6d89b33758a190399f39", "export_count": 86, "upvotes_count": 0, "downvotes_count": 0, "votes_count": 0, "locked": false, "pulse_source": "web", "validator_count": 0, "comment_count": 0, "follower_count": 0, "vote": 0, "author": { "username": "scoreblue", "id": "254100", "avatar_url": "/otxapi/users/avatar_image/media/avatars/user_254100/resized/80/avatar_3b9c358f36.png", "is_subscribed": false, "is_following": false }, "indicator_type_counts": { "FileHash-MD5": 897, "FileHash-SHA1": 479, "URL": 9847, "domain": 2344, "hostname": 2398, "CVE": 22, "FileHash-SHA256": 4712 }, "indicator_count": 20699, "is_author": false, "is_subscribing": null, "subscriber_count": 225, "modified_text": "848 days ago ", "is_modified": true, "groups": [], "in_group": false, "threat_hunter_scannable": true, "threat_hunter_has_agents": 1, "related_indicator_type": "domain", "related_indicator_is_active": 1 }, { "id": "655f6d89b33758a190399f39", "name": "Qbot | Miscellaneous Attacks", "description": "The following is a full list of links between malware and cyber-attackers, following a series of alerts from Phishtank, the UK-based cyber security firm, and the US government.", "modified": "2023-12-23T07:03:55.171000", "created": "2023-11-23T15:19:37.838000", "tags": [ "pattern match", "ascii text", "file", "jpeg image", "exif standard", "tiff image", "png image", "united", "baseline", "rgba", "date", "class", "unknown", "hybrid", "accept", "local", "click", "strings", "generator", "critical", "error", "firehol", "detection list", "ip address", "blacklist", "botnet command", "control server", "noname057", "facebook", "phishtank", "blacklist http", "organization", "ssl certificate", "whois record", "contacted", "historical ssl", "n64xtx0vpihxzc", "whois whois", "qpyrn6pd http", "referrer", "execution", "communicating", "core", "discord", "hiddentear", "metro", "probe", "ransomexx", "quasar", "asyncrat", "bleachgap", "formbook", "nanocore", "roblox", "heur", "cyber threat", "engineering", "malware", "phishing", "malicious site", "phishing site", "covid19", "team", "bank", "cobalt strike", "artemis", "download", "zbot", "suppobox", "service", "downloader", "virut", "malicious", "emotet", "stealer", "exploit", "generic", "dropper", "unruy", "agent", "unsafe", "ramnit", "redline stealer", "smsspy", "bradesco", "fakealert", "qakbot", "outbreak", "qbot", "bankerx", "riskware", "nimda", "swrort", "adwind", "trojanx", "crack", "win64", "squirrelwaffle", "pony", "binder", "virustotal", "azorult", "zeus", "nymaim", "matsnu", "simda", "runescape", "cutwail", "dnspionage", "redirector", "fusioncore", "iframe", "killav", "raccoon", "daum", "installcore", "ransomware", "cisco umbrella", "site", "safe site", "alexa top", "million", "presenoker", "downldr", "alexa", "applicunwnt", "opencandy", "cleaner", "wacatac", "xrat", "xtrat", "dbatloader", "infy", "psexec", "occamy", "brontok", "zpevdo", "startpage", "keygen", "fareit", "secrisk", "phish", "deepscan", "trojanspy", "maltiverse", "qpyrn6pd", "spyware", "injector", "jul jan", "tag count", "tue jan", "threat report", "ip summary", "url summary", "summary", "sample" ], "references": [ "https://www.hybrid-analysis.com/sample/d4e0619008da0bf555fd1d9af2797eaed02c89512239cbdaf64c08e795bb9658", "http://www.jamesbgriffinlaw.com/wp-content/plugins/formcraft/file-upload/server/content/files/16132c66b562a3---dewubomojagorekijufuruni [ Malicious Plugins]", "*otc.greatcall.com [Botnetwork]", "https://www.norad.mil/ [ Modified by others| Parking Crew - is a Tracker]", "https://otx.alienvault.com/indicator/url/http://103.246.145.111/gateonl.php?hwid=WALKER-PC-WALKER&cpuname=Intel [ Malware Server | iTunes path hacktool]", "tulach.cc. [Malevolent | Modified description]", "https://tulach.cc/ [phishing]", "https://www.anyxxxtube.net/search-porn/tsara-brashears/ [ ELF - Descriptions modified by others]", "https://www.pornhub.com/video/search?search=tsara+brashears [NORAD.mil phone tracking. Description modified]", "s3.amazonaws.com [Virut Tsara Brashears Botnetwork | Modified description]" ], "public": 1, "adversary": "Qbot", "targeted_countries": [ "United States of America" ], "malware_families": [ { "id": "Roblox", "display_name": "Roblox", "target": null }, { "id": "TrojanSpy", "display_name": "TrojanSpy", "target": null }, { "id": "Maltiverse", "display_name": "Maltiverse", "target": null }, { "id": "Tulach Malware", "display_name": "Tulach Malware", "target": null } ], "attack_ids": [ { "id": "T1041", "name": "Exfiltration Over C2 Channel", "display_name": "T1041 - Exfiltration Over C2 Channel" }, { "id": "T1059", "name": "Command and Scripting Interpreter", "display_name": "T1059 - Command and Scripting Interpreter" }, { "id": "T1071", "name": "Application Layer Protocol", "display_name": "T1071 - Application Layer Protocol" }, { "id": "T1100", "name": "Web Shell", "display_name": "T1100 - Web Shell" }, { "id": "T1105", "name": "Ingress Tool Transfer", "display_name": "T1105 - Ingress Tool Transfer" }, { "id": "T1560", "name": "Archive Collected Data", "display_name": "T1560 - Archive Collected Data" }, { "id": "T1547", "name": "Boot or Logon Autostart Execution", "display_name": "T1547 - Boot or Logon Autostart Execution" }, { "id": "T1027", "name": "Obfuscated Files or Information", "display_name": "T1027 - Obfuscated Files or Information" }, { "id": "T1204", "name": "User Execution", "display_name": "T1204 - User Execution" } ], "industries": [], "TLP": "white", "cloned_from": null, "export_count": 84, "upvotes_count": 0, "downvotes_count": 0, "votes_count": 0, "locked": false, "pulse_source": "web", "validator_count": 0, "comment_count": 0, "follower_count": 0, "vote": 0, "author": { "username": "OctoSeek", "id": "243548", "avatar_url": "/otxapi/users/avatar_image/media/avatars/user_243548/resized/80/avatar_3b9c358f36.png", "is_subscribed": false, "is_following": false }, "indicator_type_counts": { "FileHash-MD5": 897, "FileHash-SHA1": 479, "URL": 9847, "domain": 2344, "hostname": 2398, "CVE": 22, "FileHash-SHA256": 4712 }, "indicator_count": 20699, "is_author": false, "is_subscribing": null, "subscriber_count": 220, "modified_text": "848 days ago ", "is_modified": true, "groups": [], "in_group": false, "threat_hunter_scannable": true, "threat_hunter_has_agents": 1, "related_indicator_type": "domain", "related_indicator_is_active": 1 }, { "id": "655f6d7ac217661e4bc37f4d", "name": "Qbot | Miscellaneous Attacks", "description": "The following is a full list of links between malware and cyber-attackers, following a series of alerts from Phishtank, the UK-based cyber security firm, and the US government.", "modified": "2023-12-23T07:03:55.171000", "created": "2023-11-23T15:19:22.356000", "tags": [ "pattern match", "ascii text", "file", "jpeg image", "exif standard", "tiff image", "png image", "united", "baseline", "rgba", "date", "class", "unknown", "hybrid", "accept", "local", "click", "strings", "generator", "critical", "error", "firehol", "detection list", "ip address", "blacklist", "botnet command", "control server", "noname057", "facebook", "phishtank", "blacklist http", "organization", "ssl certificate", "whois record", "contacted", "historical ssl", "n64xtx0vpihxzc", "whois whois", "qpyrn6pd http", "referrer", "execution", "communicating", "core", "discord", "hiddentear", "metro", "probe", "ransomexx", "quasar", "asyncrat", "bleachgap", "formbook", "nanocore", "roblox", "heur", "cyber threat", "engineering", "malware", "phishing", "malicious site", "phishing site", "covid19", "team", "bank", "cobalt strike", "artemis", "download", "zbot", "suppobox", "service", "downloader", "virut", "malicious", "emotet", "stealer", "exploit", "generic", "dropper", "unruy", "agent", "unsafe", "ramnit", "redline stealer", "smsspy", "bradesco", "fakealert", "qakbot", "outbreak", "qbot", "bankerx", "riskware", "nimda", "swrort", "adwind", "trojanx", "crack", "win64", "squirrelwaffle", "pony", "binder", "virustotal", "azorult", "zeus", "nymaim", "matsnu", "simda", "runescape", "cutwail", "dnspionage", "redirector", "fusioncore", "iframe", "killav", "raccoon", "daum", "installcore", "ransomware", "cisco umbrella", "site", "safe site", "alexa top", "million", "presenoker", "downldr", "alexa", "applicunwnt", "opencandy", "cleaner", "wacatac", "xrat", "xtrat", "dbatloader", "infy", "psexec", "occamy", "brontok", "zpevdo", "startpage", "keygen", "fareit", "secrisk", "phish", "deepscan", "trojanspy", "maltiverse", "qpyrn6pd", "spyware", "injector", "jul jan", "tag count", "tue jan", "threat report", "ip summary", "url summary", "summary", "sample" ], "references": [ "https://www.hybrid-analysis.com/sample/d4e0619008da0bf555fd1d9af2797eaed02c89512239cbdaf64c08e795bb9658", "http://www.jamesbgriffinlaw.com/wp-content/plugins/formcraft/file-upload/server/content/files/16132c66b562a3---dewubomojagorekijufuruni [ Malicious Plugins]", "*otc.greatcall.com [Botnetwork]", "https://www.norad.mil/ [ Modified by others| Parking Crew - is a Tracker]", "https://otx.alienvault.com/indicator/url/http://103.246.145.111/gateonl.php?hwid=WALKER-PC-WALKER&cpuname=Intel [ Malware Server | iTunes path hacktool]", "tulach.cc. [Malevolent | Modified description]", "https://tulach.cc/ [phishing]", "https://www.anyxxxtube.net/search-porn/tsara-brashears/ [ ELF - Descriptions modified by others]", "https://www.pornhub.com/video/search?search=tsara+brashears [NORAD.mil phone tracking. Description modified]", "s3.amazonaws.com [Virut Tsara Brashears Botnetwork | Modified description]" ], "public": 1, "adversary": "Qbot", "targeted_countries": [ "United States of America" ], "malware_families": [ { "id": "Roblox", "display_name": "Roblox", "target": null }, { "id": "TrojanSpy", "display_name": "TrojanSpy", "target": null }, { "id": "Maltiverse", "display_name": "Maltiverse", "target": null }, { "id": "Tulach Malware", "display_name": "Tulach Malware", "target": null } ], "attack_ids": [ { "id": "T1041", "name": "Exfiltration Over C2 Channel", "display_name": "T1041 - Exfiltration Over C2 Channel" }, { "id": "T1059", "name": "Command and Scripting Interpreter", "display_name": "T1059 - Command and Scripting Interpreter" }, { "id": "T1071", "name": "Application Layer Protocol", "display_name": "T1071 - Application Layer Protocol" }, { "id": "T1100", "name": "Web Shell", "display_name": "T1100 - Web Shell" }, { "id": "T1105", "name": "Ingress Tool Transfer", "display_name": "T1105 - Ingress Tool Transfer" }, { "id": "T1560", "name": "Archive Collected Data", "display_name": "T1560 - Archive Collected Data" }, { "id": "T1547", "name": "Boot or Logon Autostart Execution", "display_name": "T1547 - Boot or Logon Autostart Execution" }, { "id": "T1027", "name": "Obfuscated Files or Information", "display_name": "T1027 - Obfuscated Files or Information" }, { "id": "T1204", "name": "User Execution", "display_name": "T1204 - User Execution" } ], "industries": [], "TLP": "white", "cloned_from": null, "export_count": 82, "upvotes_count": 0, "downvotes_count": 0, "votes_count": 0, "locked": false, "pulse_source": "web", "validator_count": 0, "comment_count": 0, "follower_count": 0, "vote": 0, "author": { "username": "OctoSeek", "id": "243548", "avatar_url": "/otxapi/users/avatar_image/media/avatars/user_243548/resized/80/avatar_3b9c358f36.png", "is_subscribed": false, "is_following": false }, "indicator_type_counts": { "FileHash-MD5": 897, "FileHash-SHA1": 479, "URL": 9847, "domain": 2344, "hostname": 2398, "CVE": 22, "FileHash-SHA256": 4712 }, "indicator_count": 20699, "is_author": false, "is_subscribing": null, "subscriber_count": 220, "modified_text": "848 days ago ", "is_modified": true, "groups": [], "in_group": false, "threat_hunter_scannable": true, "threat_hunter_has_agents": 1, "related_indicator_type": "domain", "related_indicator_is_active": 1 }, { "id": "656a947431aca6a0666c11b4", "name": " RedlineStealer | tx-p2p-pull.video-voip.com.dorm.com", "description": "", "modified": "2023-12-22T15:02:57.858000", "created": "2023-12-02T02:20:36.922000", "tags": [ "ssl certificate", "execution", "historical ssl", "dropped", "whois record", "whois", "referrer", "contacted", "best", "sites", "emotet", "team", "cyber threat", "united", "engineering", "malware", "hostname", "malicious site", "heur", "phishing", "phishing site", "suppobox", "facebook", "zbot", "malicious", "download", "redline stealer", "simda", "bank", "virut", "tofsee", "vawtrak", "hotmail", "steam", "nymaim", "zeus", "installcore", "ransomware", "ramnit", "union", "kraken", "pony", "betabot", "unruy", "bandoo", "matsnu", "detection list", "blacklist", "noname057", "stop", "pattern match", "root ca", "done adding", "catalog file", "authority", "class", "ascii text", "mitre att", "ck id", "show technique", "date", "unknown", "meta", "generator", "critical", "error", "body", "hybrid", "accept", "local", "click", "strings", "cisco umbrella", "site", "safe site", "html", "million", "alexa top", "outbreak", "downer", "shell", "mediamagnet", "sality", "swrort", "adaptivebee", "iobit", "dropper", "trojanx", "artemis", "riskware", "webshell", "exploit", "crack", "azorult", "service", "runescape", "ip address", "mail spammer", "attacker", "et cins", "active threat", "reputation ip", "threats et", "dns replication", "graph summary", "domain status", "server", "whois lookup", "creation date", "dnssec", "domain name", "status", "abuse contact", "email", "registrar abuse" ], "references": [], "public": 1, "adversary": "", "targeted_countries": [ "United States of America" ], "malware_families": [ { "id": "Vawtrak", "display_name": "Vawtrak", "target": null }, { "id": "Unruy", "display_name": "Unruy", "target": null }, { "id": "Tofsee", "display_name": "Tofsee", "target": null }, { "id": "TrojanX", "display_name": "TrojanX", "target": null }, { "id": "Simda", "display_name": "Simda", "target": null }, { "id": "MediaMagnet", "display_name": "MediaMagnet", "target": null }, { "id": "Virut", "display_name": "Virut", "target": null }, { "id": "Zbot", "display_name": "Zbot", "target": null }, { "id": "Zeus", "display_name": "Zeus", "target": null }, { "id": "SuppoBox", "display_name": "SuppoBox", "target": null }, { "id": "Sality", "display_name": "Sality", "target": null }, { "id": "Ramnit", "display_name": "Ramnit", "target": null }, { "id": "Pony", "display_name": "Pony", "target": null }, { "id": "Kraken", "display_name": "Kraken", "target": null }, { "id": "Nymaim", "display_name": "Nymaim", "target": null }, { "id": "Matsnu", "display_name": "Matsnu", "target": null }, { "id": "BetaBot", "display_name": "BetaBot", "target": null }, { "id": "AZORult", "display_name": "AZORult", "target": null }, { "id": "IObit", "display_name": "IObit", "target": null }, { "id": "ALF:Cert:Bandoo", "display_name": "ALF:Cert:Bandoo", "target": null }, { "id": "RedLine Stealer", "display_name": "RedLine Stealer", "target": null }, { "id": "InstallCore", "display_name": "InstallCore", "target": null }, { "id": "AdaptiveBee", "display_name": "AdaptiveBee", "target": null }, { "id": "Artemis", "display_name": "Artemis", "target": null }, { "id": "Swrort", "display_name": "Swrort", "target": null } ], "attack_ids": [ { "id": "T1059", "name": "Command and Scripting Interpreter", "display_name": "T1059 - Command and Scripting Interpreter" }, { "id": "T1071", "name": "Application Layer Protocol", "display_name": "T1071 - Application Layer Protocol" }, { "id": "T1100", "name": "Web Shell", "display_name": "T1100 - Web Shell" }, { "id": "T1105", "name": "Ingress Tool Transfer", "display_name": "T1105 - Ingress Tool Transfer" }, { "id": "T1560", "name": "Archive Collected Data", "display_name": "T1560 - Archive Collected Data" }, { "id": "T1055", "name": "Process Injection", "display_name": "T1055 - Process Injection" }, { "id": "T1218", "name": "Signed Binary Proxy Execution", "display_name": "T1218 - Signed Binary Proxy Execution" } ], "industries": [], "TLP": "white", "cloned_from": "655e3debccfb06fb9580b69d", "export_count": 34, "upvotes_count": 0, "downvotes_count": 0, "votes_count": 0, "locked": false, "pulse_source": "web", "validator_count": 0, "comment_count": 0, "follower_count": 0, "vote": 0, "author": { "username": "scoreblue", "id": "254100", "avatar_url": "/otxapi/users/avatar_image/media/avatars/user_254100/resized/80/avatar_3b9c358f36.png", "is_subscribed": false, "is_following": false }, "indicator_type_counts": { "FileHash-MD5": 101, "FileHash-SHA1": 72, "FileHash-SHA256": 2087, "URL": 6558, "domain": 1279, "hostname": 2371, "CVE": 14, "email": 1 }, "indicator_count": 12483, "is_author": false, "is_subscribing": null, "subscriber_count": 225, "modified_text": "849 days ago ", "is_modified": true, "groups": [], "in_group": false, "threat_hunter_scannable": true, "threat_hunter_has_agents": 1, "related_indicator_type": "domain", "related_indicator_is_active": 1 }, { "id": "655e3debccfb06fb9580b69d", "name": "RedlineStealer | tx-p2p-pull.video-voip.com.dorm.com", "description": "tx-p2p-pull.video-voip.com.dorm.com", "modified": "2023-12-22T15:02:57.858000", "created": "2023-11-22T17:44:11.982000", "tags": [ "ssl certificate", "execution", "historical ssl", "dropped", "whois record", "whois", "referrer", "contacted", "best", "sites", "emotet", "team", "cyber threat", "united", "engineering", "malware", "hostname", "malicious site", "heur", "phishing", "phishing site", "suppobox", "facebook", "zbot", "malicious", "download", "redline stealer", "simda", "bank", "virut", "tofsee", "vawtrak", "hotmail", "steam", "nymaim", "zeus", "installcore", "ransomware", "ramnit", "union", "kraken", "pony", "betabot", "unruy", "bandoo", "matsnu", "detection list", "blacklist", "noname057", "stop", "pattern match", "root ca", "done adding", "catalog file", "authority", "class", "ascii text", "mitre att", "ck id", "show technique", "date", "unknown", "meta", "generator", "critical", "error", "body", "hybrid", "accept", "local", "click", "strings", "cisco umbrella", "site", "safe site", "html", "million", "alexa top", "outbreak", "downer", "shell", "mediamagnet", "sality", "swrort", "adaptivebee", "iobit", "dropper", "trojanx", "artemis", "riskware", "webshell", "exploit", "crack", "azorult", "service", "runescape", "ip address", "mail spammer", "attacker", "et cins", "active threat", "reputation ip", "threats et", "dns replication", "graph summary", "domain status", "server", "whois lookup", "creation date", "dnssec", "domain name", "status", "abuse contact", "email", "registrar abuse" ], "references": [], "public": 1, "adversary": "", "targeted_countries": [ "United States of America" ], "malware_families": [ { "id": "Vawtrak", "display_name": "Vawtrak", "target": null }, { "id": "Unruy", "display_name": "Unruy", "target": null }, { "id": "Tofsee", "display_name": "Tofsee", "target": null }, { "id": "TrojanX", "display_name": "TrojanX", "target": null }, { "id": "Simda", "display_name": "Simda", "target": null }, { "id": "MediaMagnet", "display_name": "MediaMagnet", "target": null }, { "id": "Virut", "display_name": "Virut", "target": null }, { "id": "Zbot", "display_name": "Zbot", "target": null }, { "id": "Zeus", "display_name": "Zeus", "target": null }, { "id": "SuppoBox", "display_name": "SuppoBox", "target": null }, { "id": "Sality", "display_name": "Sality", "target": null }, { "id": "Ramnit", "display_name": "Ramnit", "target": null }, { "id": "Pony", "display_name": "Pony", "target": null }, { "id": "Kraken", "display_name": "Kraken", "target": null }, { "id": "Nymaim", "display_name": "Nymaim", "target": null }, { "id": "Matsnu", "display_name": "Matsnu", "target": null }, { "id": "BetaBot", "display_name": "BetaBot", "target": null }, { "id": "AZORult", "display_name": "AZORult", "target": null }, { "id": "IObit", "display_name": "IObit", "target": null }, { "id": "ALF:Cert:Bandoo", "display_name": "ALF:Cert:Bandoo", "target": null }, { "id": "RedLine Stealer", "display_name": "RedLine Stealer", "target": null }, { "id": "InstallCore", "display_name": "InstallCore", "target": null }, { "id": "AdaptiveBee", "display_name": "AdaptiveBee", "target": null }, { "id": "Artemis", "display_name": "Artemis", "target": null }, { "id": "Swrort", "display_name": "Swrort", "target": null } ], "attack_ids": [ { "id": "T1059", "name": "Command and Scripting Interpreter", "display_name": "T1059 - Command and Scripting Interpreter" }, { "id": "T1071", "name": "Application Layer Protocol", "display_name": "T1071 - Application Layer Protocol" }, { "id": "T1100", "name": "Web Shell", "display_name": "T1100 - Web Shell" }, { "id": "T1105", "name": "Ingress Tool Transfer", "display_name": "T1105 - Ingress Tool Transfer" }, { "id": "T1560", "name": "Archive Collected Data", "display_name": "T1560 - Archive Collected Data" }, { "id": "T1055", "name": "Process Injection", "display_name": "T1055 - Process Injection" }, { "id": "T1218", "name": "Signed Binary Proxy Execution", "display_name": "T1218 - Signed Binary Proxy Execution" } ], "industries": [], "TLP": "white", "cloned_from": null, "export_count": 48, "upvotes_count": 0, "downvotes_count": 0, "votes_count": 0, "locked": false, "pulse_source": "web", "validator_count": 0, "comment_count": 0, "follower_count": 0, "vote": 0, "author": { "username": "OctoSeek", "id": "243548", "avatar_url": "/otxapi/users/avatar_image/media/avatars/user_243548/resized/80/avatar_3b9c358f36.png", "is_subscribed": false, "is_following": false }, "indicator_type_counts": { "FileHash-MD5": 101, "FileHash-SHA1": 72, "FileHash-SHA256": 2087, "URL": 6558, "domain": 1279, "hostname": 2371, "CVE": 14, "email": 1 }, "indicator_count": 12483, "is_author": false, "is_subscribing": null, "subscriber_count": 220, "modified_text": "849 days ago ", "is_modified": true, "groups": [], "in_group": false, "threat_hunter_scannable": true, "threat_hunter_has_agents": 1, "related_indicator_type": "domain", "related_indicator_is_active": 1 }, { "id": "655e3de9eb518e46e96e9fd4", "name": "RedlineStealer | tx-p2p-pull.video-voip.com.dorm.com", "description": "tx-p2p-pull.video-voip.com.dorm.com", "modified": "2023-12-22T15:02:57.858000", "created": "2023-11-22T17:44:09.675000", "tags": [ "ssl certificate", "execution", "historical ssl", "dropped", "whois record", "whois", "referrer", "contacted", "best", "sites", "emotet", "team", "cyber threat", "united", "engineering", "malware", "hostname", "malicious site", "heur", "phishing", "phishing site", "suppobox", "facebook", "zbot", "malicious", "download", "redline stealer", "simda", "bank", "virut", "tofsee", "vawtrak", "hotmail", "steam", "nymaim", "zeus", "installcore", "ransomware", "ramnit", "union", "kraken", "pony", "betabot", "unruy", "bandoo", "matsnu", "detection list", "blacklist", "noname057", "stop", "pattern match", "root ca", "done adding", "catalog file", "authority", "class", "ascii text", "mitre att", "ck id", "show technique", "date", "unknown", "meta", "generator", "critical", "error", "body", "hybrid", "accept", "local", "click", "strings", "cisco umbrella", "site", "safe site", "html", "million", "alexa top", "outbreak", "downer", "shell", "mediamagnet", "sality", "swrort", "adaptivebee", "iobit", "dropper", "trojanx", "artemis", "riskware", "webshell", "exploit", "crack", "azorult", "service", "runescape", "ip address", "mail spammer", "attacker", "et cins", "active threat", "reputation ip", "threats et", "dns replication", "graph summary", "domain status", "server", "whois lookup", "creation date", "dnssec", "domain name", "status", "abuse contact", "email", "registrar abuse" ], "references": [], "public": 1, "adversary": "", "targeted_countries": [ "United States of America" ], "malware_families": [ { "id": "Vawtrak", "display_name": "Vawtrak", "target": null }, { "id": "Unruy", "display_name": "Unruy", "target": null }, { "id": "Tofsee", "display_name": "Tofsee", "target": null }, { "id": "TrojanX", "display_name": "TrojanX", "target": null }, { "id": "Simda", "display_name": "Simda", "target": null }, { "id": "MediaMagnet", "display_name": "MediaMagnet", "target": null }, { "id": "Virut", "display_name": "Virut", "target": null }, { "id": "Zbot", "display_name": "Zbot", "target": null }, { "id": "Zeus", "display_name": "Zeus", "target": null }, { "id": "SuppoBox", "display_name": "SuppoBox", "target": null }, { "id": "Sality", "display_name": "Sality", "target": null }, { "id": "Ramnit", "display_name": "Ramnit", "target": null }, { "id": "Pony", "display_name": "Pony", "target": null }, { "id": "Kraken", "display_name": "Kraken", "target": null }, { "id": "Nymaim", "display_name": "Nymaim", "target": null }, { "id": "Matsnu", "display_name": "Matsnu", "target": null }, { "id": "BetaBot", "display_name": "BetaBot", "target": null }, { "id": "AZORult", "display_name": "AZORult", "target": null }, { "id": "IObit", "display_name": "IObit", "target": null }, { "id": "ALF:Cert:Bandoo", "display_name": "ALF:Cert:Bandoo", "target": null }, { "id": "RedLine Stealer", "display_name": "RedLine Stealer", "target": null }, { "id": "InstallCore", "display_name": "InstallCore", "target": null }, { "id": "AdaptiveBee", "display_name": "AdaptiveBee", "target": null }, { "id": "Artemis", "display_name": "Artemis", "target": null }, { "id": "Swrort", "display_name": "Swrort", "target": null } ], "attack_ids": [ { "id": "T1059", "name": "Command and Scripting Interpreter", "display_name": "T1059 - Command and Scripting Interpreter" }, { "id": "T1071", "name": "Application Layer Protocol", "display_name": "T1071 - Application Layer Protocol" }, { "id": "T1100", "name": "Web Shell", "display_name": "T1100 - Web Shell" }, { "id": "T1105", "name": "Ingress Tool Transfer", "display_name": "T1105 - Ingress Tool Transfer" }, { "id": "T1560", "name": "Archive Collected Data", "display_name": "T1560 - Archive Collected Data" }, { "id": "T1055", "name": "Process Injection", "display_name": "T1055 - Process Injection" }, { "id": "T1218", "name": "Signed Binary Proxy Execution", "display_name": "T1218 - Signed Binary Proxy Execution" } ], "industries": [], "TLP": "white", "cloned_from": null, "export_count": 49, "upvotes_count": 0, "downvotes_count": 0, "votes_count": 0, "locked": false, "pulse_source": "web", "validator_count": 0, "comment_count": 0, "follower_count": 0, "vote": 0, "author": { "username": "OctoSeek", "id": "243548", "avatar_url": "/otxapi/users/avatar_image/media/avatars/user_243548/resized/80/avatar_3b9c358f36.png", "is_subscribed": false, "is_following": false }, "indicator_type_counts": { "FileHash-MD5": 101, "FileHash-SHA1": 72, "FileHash-SHA256": 2087, "URL": 6558, "domain": 1279, "hostname": 2371, "CVE": 14, "email": 1 }, "indicator_count": 12483, "is_author": false, "is_subscribing": null, "subscriber_count": 220, "modified_text": "849 days ago ", "is_modified": true, "groups": [], "in_group": false, "threat_hunter_scannable": true, "threat_hunter_has_agents": 1, "related_indicator_type": "domain", "related_indicator_is_active": 1 }, { "id": "655dafbe9ac9ac786fde45ad", "name": "http://malwaredomainlist.com/ \u2022 CNC \u2022 Spyware \u2022 Tracking", "description": "Network capture, dga domain, ecc domain, data collection, voicemail access, mail spammer, registrar abuse\n\n[Auto populated. I can't cannot confirm or deny the accuracy of the following information: A summary of key facts and information about a malicious web domain, hosted by the US government, has been released by Google.com and its parent company, Alphabet, for use on its website.]", "modified": "2023-12-22T06:03:01.993000", "created": "2023-11-22T07:37:34.595000", "tags": [ "united", "as22612", "as2637", "creation date", "search", "moved", "expiration date", "date", "showing", "as397240", "next", "entries", "scan endpoints", "all octoseek", "dns replication", "win32 exe", "network capture", "android", "android adaway", "html", "files", "detections type", "name", "office open", "xml document", "namecheap", "namecheap inc", "whois lookups", "win32 dll", "text", "wextract", "text htaccess", "powershell", "detection list", "blacklist", "first", "ssl certificate", "whois record", "contacted", "december", "whois whois", "threat roundup", "historical ssl", "problems", "referrer", "pe resource", "startpage", "cyber threat", "redline stealer", "mail spammer", "hostname", "phishing site", "malicious site", "installcore", "http spammer", "malware site", "malware", "generic malware", "heur", "generic", "alexa top", "million", "site", "cisco umbrella", "alexa", "ip address", "algorithm", "data", "v3 serial", "number", "cat cnzerossl", "ecc domain", "secure site", "ca ozerossl", "validity", "subject public", "server", "email", "code", "registrar abuse", "country", "privacy service", "withheld", "privacy", "domain name", "pattern match", "ascii text", "appdata", "file", "windows nt", "svg scalable", "vector graphics", "indicator", "gif image", "accept", "hybrid", "general", "local", "pixel", "click", "twitter", "strings", "class", "generator", "critical", "command_and_control", "spyware", "tracking", "voicemail access", "dga", "apple" ], "references": [ "https://www.hybrid-analysis.com/sample/c0c84df54b890bb408fc2289f1e75a29991127bbe207aa30042616b5ea150342/655d9af5679c7afcc409895e", "\u2193Interesting\u2193", "IPv4 198.54.117.211 command_and_control", "IPv4 198.54.117.210 command_and_control", "IPv4 198.54.117.212 command_and_control", "IPv4 198.54.117.215 command_and_control", "IPv4 198.54.117.217 command_and_control", "IPv4 198.54.117.218 command_and_control", "apple-securityiphone-icloud.com", "tx-p2p-pull.video-voip.com.dorm.com", "http://updates.voicemailaccess.net/b0f6a00b15311023", "tvapp-server.de", "zeustracker.abuse.ch", "ransomwaretracker.abuse.ch", "http://t.trkitok.com/track/rep?oid=2001&st=1&id=DP2441--w1VJE427J8SGGRTP02MD7UEG___93737493-c08b-4dc7-ad30-b17a2c09e771___$mid", "louisianarooflawyers.com [phishing]", "hasownproperty.call" ], "public": 1, "adversary": "", "targeted_countries": [ "United States of America" ], "malware_families": [ { "id": "Generic", "display_name": "Generic", "target": null }, { "id": "BlackNET", "display_name": "BlackNET", "target": null }, { "id": "InstallCore", "display_name": "InstallCore", "target": null } ], "attack_ids": [ { "id": "T1059", "name": "Command and Scripting Interpreter", "display_name": "T1059 - Command and Scripting Interpreter" }, { "id": "T1071", "name": "Application Layer Protocol", "display_name": "T1071 - Application Layer Protocol" }, { "id": "T1105", "name": "Ingress Tool Transfer", "display_name": "T1105 - Ingress Tool Transfer" }, { "id": "T1114", "name": "Email Collection", "display_name": "T1114 - Email Collection" }, { "id": "T1560", "name": "Archive Collected Data", "display_name": "T1560 - Archive Collected Data" } ], "industries": [], "TLP": "white", "cloned_from": null, "export_count": 51, "upvotes_count": 0, "downvotes_count": 0, "votes_count": 0, "locked": false, "pulse_source": "web", "validator_count": 0, "comment_count": 0, "follower_count": 0, "vote": 0, "author": { "username": "OctoSeek", "id": "243548", "avatar_url": "/otxapi/users/avatar_image/media/avatars/user_243548/resized/80/avatar_3b9c358f36.png", "is_subscribed": false, "is_following": false }, "indicator_type_counts": { "FileHash-MD5": 105, "FileHash-SHA1": 100, "FileHash-SHA256": 3072, "domain": 1188, "email": 5, "URL": 7940, "hostname": 1925, "CVE": 1 }, "indicator_count": 14336, "is_author": false, "is_subscribing": null, "subscriber_count": 228, "modified_text": "849 days ago ", "is_modified": true, "groups": [], "in_group": false, "threat_hunter_scannable": true, "threat_hunter_has_agents": 1, "related_indicator_type": "domain", "related_indicator_is_active": 1 }, { "id": "6558c481715409563073cb79", "name": "Fraud Services", "description": "http://kramtechnology.com/, fraud services, network, rat, trojan, phishing, malvertizing, malware hosting, scanning host, archives browser events.", "modified": "2023-12-18T05:05:36.760000", "created": "2023-11-18T14:04:48.923000", "tags": [ "methodpost", "dropped", "contacted", "ssl certificate", "whois record", "zva8k4ghshhpcb5", "contacted urls", "q0gpyr1balpdgpo", "historical ssl", "page dow", "blacklist http", "cisco umbrella", "site", "alexa top", "safe site", "million", "paypal", "team phishing", "malicious url", "alexa", "azorult", "phishing", "service", "runescape", "facebook", "bank", "download", "malware", "united", "passive dns", "scan endpoints", "all search", "otx octoseek", "ipv4", "pulse pulses", "urls", "files", "reverse dns", "twitter", "log id", "gmtn", "sectigo rsa", "secure server", "tls web", "salford", "sectigo limited", "ocsp", "false", "california", "british virgin", "locality", "d3 a5", "url http" ], "references": [], "public": 1, "adversary": "", "targeted_countries": [], "malware_families": [], "attack_ids": [], "industries": [], "TLP": "green", "cloned_from": null, "export_count": 15, "upvotes_count": 0, "downvotes_count": 0, "votes_count": 0, "locked": false, "pulse_source": "web", "validator_count": 0, "comment_count": 0, "follower_count": 0, "vote": 0, "author": { "username": "OctoSeek", "id": "243548", "avatar_url": "/otxapi/users/avatar_image/media/avatars/user_243548/resized/80/avatar_3b9c358f36.png", "is_subscribed": false, "is_following": false }, "indicator_type_counts": { "URL": 14816, "FileHash-MD5": 41, "FileHash-SHA1": 33, "FileHash-SHA256": 5158, "domain": 3758, "hostname": 2961, "email": 4, "SSLCertFingerprint": 3, "CVE": 3 }, "indicator_count": 26777, "is_author": false, "is_subscribing": null, "subscriber_count": 222, "modified_text": "853 days ago ", "is_modified": true, "groups": [], "in_group": false, "threat_hunter_scannable": true, "threat_hunter_has_agents": 1, "related_indicator_type": "domain", "related_indicator_is_active": 1 }, { "id": "654d2a2e6cbc20fac8504fe5", "name": "Infected.WebPage", "description": "", "modified": "2023-12-08T01:04:05.677000", "created": "2023-11-09T18:51:26.957000", "tags": [ "scan endpoints", "all search", "otx octoseek", "url http", "new pulse", "existing pulse", "http", "ip address", "passive dns", "related nids", "search live", "api blog", "docs pricing", "login", "november", "de summary", "london", "united kingdom", "google safe", "europelondon", "windows nt", "win64", "khtml", "gecko", "veryhigh", "date", "servers", "hashes files", "name verdict", "pattern match", "et tor", "known tor", "relayrouter", "exit", "node traffic", "misc attack", "script", "beginstring", "mitre att", "null", "unknown", "span", "error", "class", "generator", "critical", "body", "meta", "hybrid", "general", "local", "click", "strings", "refresh", "tools", "contacted", "whois record", "whois whois", "execution", "resolutions", "communicating", "referrer", "pe resource", "bundled", "flawedammyy", "metamorfo", "threat report", "ip summary", "url summary", "summary", "sample", "samples", "detection list", "blacklist", "filerepmalware", "heur", "cisco umbrella", "site", "safe site", "malware", "alexa top", "million", "malicious site", "malware site", "phishing site", "artemis", "outbreak", "dropper", "unsafe", "trojanx", "phishing", "agent", "installcore", "acint", "conduit", "iobit", "mediaget", "crack", "mimikatz", "alexa", "rostpay", "installpack", "predator", "dbatloader", "downloader", "blocker", "ransom", "autoit", "bladabindi", "emotet", "trojan", "irata", "utorrent", "generic", "yakes", "adposhel", "crypt", "wacatac", "riskware", "blacknet rat", "stealer", "xrat", "downldr", "malicious", "trojanspy", "webtoolbar", "maltiverse" ], "references": [], "public": 1, "adversary": "", "targeted_countries": [], "malware_families": [ { "id": "TrojanSpy", "display_name": "TrojanSpy", "target": null }, { "id": "WebToolbar", "display_name": "WebToolbar", "target": null }, { "id": "Maltiverse", "display_name": "Maltiverse", "target": null } ], "attack_ids": [ { "id": "T1059", "name": "Command and Scripting Interpreter", "display_name": "T1059 - Command and Scripting Interpreter" }, { "id": "T1071", "name": "Application Layer Protocol", "display_name": "T1071 - Application Layer Protocol" }, { "id": "T1105", "name": "Ingress Tool Transfer", "display_name": "T1105 - Ingress Tool Transfer" }, { "id": "T1497", "name": "Virtualization/Sandbox Evasion", "display_name": "T1497 - Virtualization/Sandbox Evasion" }, { "id": "T1571", "name": "Non-Standard Port", "display_name": "T1571 - Non-Standard Port" }, { "id": "T1140", "name": "Deobfuscate/Decode Files or Information", "display_name": "T1140 - Deobfuscate/Decode Files or Information" }, { "id": "T1027", "name": "Obfuscated Files or Information", "display_name": "T1027 - Obfuscated Files or Information" } ], "industries": [], "TLP": "green", "cloned_from": "654af6cf6bee02fafb173522", "export_count": 27, "upvotes_count": 0, "downvotes_count": 0, "votes_count": 0, "locked": false, "pulse_source": "web", "validator_count": 0, "comment_count": 0, "follower_count": 0, "vote": 0, "author": { "username": "scoreblue", "id": "254100", "avatar_url": "/otxapi/users/avatar_image/media/avatars/user_254100/resized/80/avatar_3b9c358f36.png", "is_subscribed": false, "is_following": false }, "indicator_type_counts": { "FileHash-MD5": 115, "FileHash-SHA1": 112, "FileHash-SHA256": 3390, "URL": 2779, "CIDR": 1, "hostname": 1228, "domain": 698, "CVE": 5 }, "indicator_count": 8328, "is_author": false, "is_subscribing": null, "subscriber_count": 224, "modified_text": "863 days ago ", "is_modified": true, "groups": [], "in_group": false, "threat_hunter_scannable": true, "threat_hunter_has_agents": 1, "related_indicator_type": "domain", "related_indicator_is_active": 1 }, { "id": "654af6ca6354bcdb604e2e85", "name": "Infected.WebPage", "description": "Auto populated statement:\n\"Researchers\" have been analysing more than 1,000 samples of malware in an attempt to identify and identify the most common types of cyber-crime and its impact on the public and private networks.\"\nBehavesLike.HTML.Redirector", "modified": "2023-12-08T01:04:05.677000", "created": "2023-11-08T02:47:38.907000", "tags": [ "scan endpoints", "all search", "otx octoseek", "url http", "new pulse", "existing pulse", "http", "ip address", "passive dns", "related nids", "search live", "api blog", "docs pricing", "login", "november", "de summary", "london", "united kingdom", "google safe", "europelondon", "windows nt", "win64", "khtml", "gecko", "veryhigh", "date", "servers", "hashes files", "name verdict", "pattern match", "et tor", "known tor", "relayrouter", "exit", "node traffic", "misc attack", "script", "beginstring", "mitre att", "null", "unknown", "span", "error", "class", "generator", "critical", "body", "meta", "hybrid", "general", "local", "click", "strings", "refresh", "tools", "contacted", "whois record", "whois whois", "execution", "resolutions", "communicating", "referrer", "pe resource", "bundled", "flawedammyy", "metamorfo", "threat report", "ip summary", "url summary", "summary", "sample", "samples", "detection list", "blacklist", "filerepmalware", "heur", "cisco umbrella", "site", "safe site", "malware", "alexa top", "million", "malicious site", "malware site", "phishing site", "artemis", "outbreak", "dropper", "unsafe", "trojanx", "phishing", "agent", "installcore", "acint", "conduit", "iobit", "mediaget", "crack", "mimikatz", "alexa", "rostpay", "installpack", "predator", "dbatloader", "downloader", "blocker", "ransom", "autoit", "bladabindi", "emotet", "trojan", "irata", "utorrent", "generic", "yakes", "adposhel", "crypt", "wacatac", "riskware", "blacknet rat", "stealer", "xrat", "downldr", "malicious", "trojanspy", "webtoolbar", "maltiverse" ], "references": [], "public": 1, "adversary": "", "targeted_countries": [], "malware_families": [ { "id": "TrojanSpy", "display_name": "TrojanSpy", "target": null }, { "id": "WebToolbar", "display_name": "WebToolbar", "target": null }, { "id": "Maltiverse", "display_name": "Maltiverse", "target": null } ], "attack_ids": [ { "id": "T1059", "name": "Command and Scripting Interpreter", "display_name": "T1059 - Command and Scripting Interpreter" }, { "id": "T1071", "name": "Application Layer Protocol", "display_name": "T1071 - Application Layer Protocol" }, { "id": "T1105", "name": "Ingress Tool Transfer", "display_name": "T1105 - Ingress Tool Transfer" }, { "id": "T1497", "name": "Virtualization/Sandbox Evasion", "display_name": "T1497 - Virtualization/Sandbox Evasion" }, { "id": "T1571", "name": "Non-Standard Port", "display_name": "T1571 - Non-Standard Port" }, { "id": "T1140", "name": "Deobfuscate/Decode Files or Information", "display_name": "T1140 - Deobfuscate/Decode Files or Information" }, { "id": "T1027", "name": "Obfuscated Files or Information", "display_name": "T1027 - Obfuscated Files or Information" } ], "industries": [], "TLP": "green", "cloned_from": null, "export_count": 28, "upvotes_count": 0, "downvotes_count": 0, "votes_count": 0, "locked": false, "pulse_source": "web", "validator_count": 0, "comment_count": 0, "follower_count": 0, "vote": 0, "author": { "username": "OctoSeek", "id": "243548", "avatar_url": "/otxapi/users/avatar_image/media/avatars/user_243548/resized/80/avatar_3b9c358f36.png", "is_subscribed": false, "is_following": false }, "indicator_type_counts": { "FileHash-MD5": 115, "FileHash-SHA1": 112, "FileHash-SHA256": 3390, "URL": 2779, "CIDR": 1, "hostname": 1228, "domain": 698, "CVE": 5 }, "indicator_count": 8328, "is_author": false, "is_subscribing": null, "subscriber_count": 220, "modified_text": "863 days ago ", "is_modified": true, "groups": [], "in_group": false, "threat_hunter_scannable": true, "threat_hunter_has_agents": 1, "related_indicator_type": "domain", "related_indicator_is_active": 1 }, { "id": "654af6cf6bee02fafb173522", "name": "Infected.WebPage", "description": "Auto populated statement:\n\"Researchers\" have been analysing more than 1,000 samples of malware in an attempt to identify and identify the most common types of cyber-crime and its impact on the public and private networks.\"\nBehavesLike.HTML.Redirector", "modified": "2023-12-08T01:04:05.677000", "created": "2023-11-08T02:47:43.205000", "tags": [ "scan endpoints", "all search", "otx octoseek", "url http", "new pulse", "existing pulse", "http", "ip address", "passive dns", "related nids", "search live", "api blog", "docs pricing", "login", "november", "de summary", "london", "united kingdom", "google safe", "europelondon", "windows nt", "win64", "khtml", "gecko", "veryhigh", "date", "servers", "hashes files", "name verdict", "pattern match", "et tor", "known tor", "relayrouter", "exit", "node traffic", "misc attack", "script", "beginstring", "mitre att", "null", "unknown", "span", "error", "class", "generator", "critical", "body", "meta", "hybrid", "general", "local", "click", "strings", "refresh", "tools", "contacted", "whois record", "whois whois", "execution", "resolutions", "communicating", "referrer", "pe resource", "bundled", "flawedammyy", "metamorfo", "threat report", "ip summary", "url summary", "summary", "sample", "samples", "detection list", "blacklist", "filerepmalware", "heur", "cisco umbrella", "site", "safe site", "malware", "alexa top", "million", "malicious site", "malware site", "phishing site", "artemis", "outbreak", "dropper", "unsafe", "trojanx", "phishing", "agent", "installcore", "acint", "conduit", "iobit", "mediaget", "crack", "mimikatz", "alexa", "rostpay", "installpack", "predator", "dbatloader", "downloader", "blocker", "ransom", "autoit", "bladabindi", "emotet", "trojan", "irata", "utorrent", "generic", "yakes", "adposhel", "crypt", "wacatac", "riskware", "blacknet rat", "stealer", "xrat", "downldr", "malicious", "trojanspy", "webtoolbar", "maltiverse" ], "references": [], "public": 1, "adversary": "", "targeted_countries": [], "malware_families": [ { "id": "TrojanSpy", "display_name": "TrojanSpy", "target": null }, { "id": "WebToolbar", "display_name": "WebToolbar", "target": null }, { "id": "Maltiverse", "display_name": "Maltiverse", "target": null } ], "attack_ids": [ { "id": "T1059", "name": "Command and Scripting Interpreter", "display_name": "T1059 - Command and Scripting Interpreter" }, { "id": "T1071", "name": "Application Layer Protocol", "display_name": "T1071 - Application Layer Protocol" }, { "id": "T1105", "name": "Ingress Tool Transfer", "display_name": "T1105 - Ingress Tool Transfer" }, { "id": "T1497", "name": "Virtualization/Sandbox Evasion", "display_name": "T1497 - Virtualization/Sandbox Evasion" }, { "id": "T1571", "name": "Non-Standard Port", "display_name": "T1571 - Non-Standard Port" }, { "id": "T1140", "name": "Deobfuscate/Decode Files or Information", "display_name": "T1140 - Deobfuscate/Decode Files or Information" }, { "id": "T1027", "name": "Obfuscated Files or Information", "display_name": "T1027 - Obfuscated Files or Information" } ], "industries": [], "TLP": "green", "cloned_from": null, "export_count": 28, "upvotes_count": 0, "downvotes_count": 0, "votes_count": 0, "locked": false, "pulse_source": "web", "validator_count": 0, "comment_count": 0, "follower_count": 0, "vote": 0, "author": { "username": "OctoSeek", "id": "243548", "avatar_url": "/otxapi/users/avatar_image/media/avatars/user_243548/resized/80/avatar_3b9c358f36.png", "is_subscribed": false, "is_following": false }, "indicator_type_counts": { "FileHash-MD5": 115, "FileHash-SHA1": 112, "FileHash-SHA256": 3390, "URL": 2779, "CIDR": 1, "hostname": 1228, "domain": 698, "CVE": 5 }, "indicator_count": 8328, "is_author": false, "is_subscribing": null, "subscriber_count": 218, "modified_text": "863 days ago ", "is_modified": true, "groups": [], "in_group": false, "threat_hunter_scannable": true, "threat_hunter_has_agents": 1, "related_indicator_type": "domain", "related_indicator_is_active": 1 } ], "references": [ "72.167.124.187 [phishing]", "Patiently waiting to see what God is going to do to all of you. You take lives for $", "https://www.sweetheartvideo.com/en/scene/Truth-Dare--Boobs/130432", "business-support.intel.com", "https://www.vgt.pl/static/js/bootstrap-typeahead.jstic/js/bootstrap-typeahead.js", "https://wallpapers-nature.com/tsara-brashears/tse1-mm-bing-net [BitCoinAussie ?]", "https://tulach.cc/ [phishing]", "https://rexxfield.com/", "https://www.vgt.pl/css/ \u2022 https://www.vgt.pl/favicon.ico \u2022 https://www.vgt.pl/font/fa/fontawesome-webfont.eot", "https://www.anyxxxtube.net/search-porn/tsara-brashears/", "https://www.vgt.pl/94.152.156.22/logo.png \u2022 https://www.vgt.pl/css/", "apple-securityiphone-icloud.com", "https://www.anyxxxtube.net/search-porn/tsara-brashears/ [ ELF - Descriptions modified by others]", "IPv4 198.54.117.212 command_and_control", "vgt.pl \u2022 www.hak.vgt.pl \u2022 www.localhost.vgt.pl \u2022 www.certyfikat.vgt.pl \u2022 aristocrat.vgt.pl", "45.159.189.105 (CNC IP \u2022 Tracking Tsara Brashears)", "https://www.sweetheartvideo.com/en/dvds \u2022 https://www.sweetheartvideo.com/en/login", "114.114.114.114 [Tulach | Virus Network IP]", "Absolutely zero regard for the victims who facilitate your luxury lifestyle.", "tx-p2p-pull.video-voip.com.dorm.com", "00000000000.cloudfront.net", "https://tulach.cc/ [Botnet phishing]", "api.useragentswitch.com", "http://www.happylifehappywife.com/2010/04/'> \u2022 http://www.happylifehappywife.com/2010/05/'>", "https://wallpapers-nature.com/%20tsara-brashears/urlscan-io", "www.milehighmedia.com \u2022 https://www.milehighmedia.com/en/Charlie-Dean/pornstar/49512", "https://www.akhaltsikhe.gov.ge/ | GMT Server LiteSpeed location", "https://www.reddit.com/user", "https://r-login.wordpress.com/remote-login.php?wpcom_remote_login=key&origin=aHR0cHM6Ly9pbnRoZXBsb3R0aW5nc2hlZC5jb20%3D&wpcomid=113013957&time=1676916558", "FileHash-SHA256 3072c32dcb5754e08282a8ce2c7c60d93a5ad2ee3ae216d23c94b1f536471acc", "tvapp-server.de", "http://www.happylifehappywife.com/2010/07/'> \u2022 http://www.happylifehappywife.com/2010/09/'>", "https://rexxfield.com [ hmmm...inc.legal] is Alienvault a subsidiary of Rexxfields unwarranted investigation/spy campaign? Confused", "dns.google (DNS client services - Doug Cole)", "track.getportal.net \u2022 logs.getportal.net \u2022 morda.getportal.net", "http://pixelrz.com/lists/keywords/tsara-brashears-dead/360 \u2022 http://pixelrz.com/lists/keywords/tsara-brashears-dead/360] No Expiration\t4\t Domain tsara-brashears-deadspin-twitter-suspended-account-help.ht", "https://browntubeporn.com/tsara-brashearsAccept-Language", "bam-cell.nr-data.net (Apple Private Data Collection | since found, result continuously modified)", "Yara Detections: UPXV200V290MarkusOberhumerLaszloMolnarJohnReiser , UPXv20MarkusLaszloReiser", "http://maxwam.tk/news/top-stories/widow-penalized-for-late-husband-s-legal-marijuana-use/769762335", "https://www.milehighmedia.com/de/MileHighMedia/scene/129689?utm_source=271174&utm_medium=affiliate&utm_campaign=", "https://myhotzpic.com/tsara-brashears-hardcore-lesbian-sex/anime-studio.org*thumbs-fa...", "Alerts: nids_malware_alert network_icmp persistence_autorun", "IP Address 94.152.58.192 Location Poland ASN AS29522 h88 s.a. Nameservers ns1.kei.pl. , ns2.kei.pl.", "Stalker/Lurker?http://myundeadneighbor.com | Parking Crews | Parklogic", "https://www.milehighmedia.com/join \u2022 https://www.milehighmedia.com/models \u2022 https://www.milehighmedia.com/movies", "I unintentionally made the first pulse Public.", "appleremote.net", "IPv4 198.54.117.218 command_and_control", "http://medlineplus.gov.https.sci-hub.st", "http://www.milehighmedia.com/legal\t \u2022 https://www.milehighmedia.com/en/pornstar/milehighmedia/Justin-Hunt/51017", "8-25-220-162-static.reverse.queryfoundry.net\t\t\tNov 1, 2025, 9:34:14 AM\t\t5\t domain\tqueryfoundry.net\t\t\tNov 1, 2025, 9:34:14 AM\t\t8\t URL\thttp://117-114-251-162-static.reverse.queryfoundry.net/", "www.happylifehappywife.com \u2022 http://www.happylifehappywife.com/2010/02/'>", "https://www.couriermail.com.au/ipad/custody-bid-strands-family/news-story/23c2c9a5fc984edc04d29655c641f484", "malicious.high.ml [dropper]", "mortis.com", "yesporn.fun", "This God smacked penguin ordered a settlement hearing with less than 24 hours notice for claimant.", "CnC 103.224.182.241 | 188.240.191.162 | 207.148.248.143 | 70.32.23.111", "tulach.cc. [Malevolent | Modified description]", "s3.amazonaws.com [Virut Tsara Brashears Botnetwork | Modified description]", "https://www.google.com/?authuser=0", "https://www.milehighmedia.com/en/movies \u2022 https://www.milehighmedia.com/join", "http://jcsservices.in/gkqikjxn/index.php?pnz=jim@thejimburkefamily.com", "https://www.hybrid-analysis.com/sample/c0c84df54b890bb408fc2289f1e75a29991127bbe207aa30042616b5ea150342/655d9af5679c7afcc409895e", "https://cg864.myhotzpic.com phishing \u2022 http://dashboard.myhotzpic.com/", "http://watchhers.net/index.php", "https://otx.alienvault.com/indicator/url/http://103.246.145.111/gateonl.php?hwid=WALKER-PC-WALKER&cpuname=Intel [ Malware Server | iTunes path hacktool]", "https://www.denverpost.com/2018/07/17/marijuana-workers-compensation/amp/ Source", "http://siteinlink.d1.cnbd.net/search/tsara-brashears-assaulted-by-jeffrey-reimer", "remotewd.com device local", "Doing any evil thing for mone does not compute for me.", "http://www.pornokind.vgt.pl \u2022 https://dbkuewww.m.vgt.pl \u2022 https://lokalnyhost.vgt.pl \u2022 www.xn--twj-hna.pedofil.vgt.pl", "https://amp.mypornvid.fun/videos/8/AhxS-ej1myg/gf-18-com/\ud83c\udf81-i39m-your-present-\ud83c\udf81-girlfriend-surprises-you-for-christmas-reunion-soft-kisses-amp-cuddles", "On same block with HalkRender. Has close working relationship. All Palantir legal enities", "http://apple.helptechnicalsupport.com/favicon.ico", "freeimdatingsites.thomasdobo.eu", "https://www.norad.mil/ [tracking]", "applephonenw.com [governmentattic]", "FormBook", "www.apple.com [API property call]", "Traceback- Man with signal jammer/ deauther working around her today.", "http://114.114.114.114:90/p/cdbdd4a09a64909694281aec503746fd/mobile_index.html?MTE0LjExNC4xMTQuMTE0L2xvZ2luP2hhc19vcmlfdXJp [Tulach | Malicious]", "*otc.greatcall.com [Botnetwork]", "https://www.mccormick-designs.com", "ALF:HeraklezEval:TrojanDownloader:Win32/Unruy!rfn: FileHash-SHA256 00018d13f451300fb839123dfbf2d8607da0e7b1c89ae1bfbb9946ac79c1663c", "https://www.sweetheartvideo.com/it/model/Kristen-Scott/50432", "https://id.security.trackid", "http://www.burkedentistry.com/Quarryville-Dentist-and-Staff/1567", "http://www.milehighmedia.com/?ats=eyJhIjoyOTYzMTgsImMiOjU3OTYzNzc1LCJuIjo3NiwicyI6NT...", "https://pornokind.vgt.pl \u2022 https://sip.vgt.pl \u2022 https://smtp-qa.vgt.pl \u2022 https://www.vgt.pl/94.152.156.22/logo.png", "ttps://www.milehighmedia.com/scene/4404473/creampie-adventures-scene-2-sneaky-melanie", "198.54.115.46 [exploit_source]", "zeustracker.abuse.ch", "https://www.vgt.pl/font/roboto/Roboto-Bold.ttf \u2022 https://www.vgt.pl/font/roboto/Roboto-Light.eot", "http://updates.voicemailaccess.net/b0f6a00b15311023", "https://www.milehighmedia.com/legal/2257 \u2022 https://www.milehighmedia", "http://track.getportal.net/trackcnt/Kvg48RpSKKFNkW8e/?data=L4300109", "nr-data.net \u2022 applemusic-spotlight.myunidays.com \u2022 init.ess.apple.com \u2022 tv.apple.com", "https://www.vgt.pl/style/style.css \u2022 https://www.vgt.pl/font/roboto/Roboto-Medium.eot", "https://www.reddit.com/user [honeypot]", "Treece Alfrey Musat P.C. Attorneys at Law Christopher P. Ahmann | https://TamLegal.com", "https://tamlegal.com/attorneys/christopher-p-ahmann/#breadcrumb \u2022 https://www.milehighmedia.com/en/movies", "https://www.vgt.pl/static/js/bootstrap-typeahead.js.179.252.2", "http://www.jamesbgriffinlaw.com/wp-content/plugins/formcraft/file-upload/server/content/files/16132c66b562a3---dewubomojagorekijufuruni [ Malicious Plugins]", "http://t.trkitok.com/track/rep?oid=2001&st=1&id=DP2441--w1VJE427J8SGGRTP02MD7UEG___93737493-c08b-4dc7-ad30-b17a2c09e771___$mid", "www.localhost.vgt.pl \u2022 www.certyfikat.vgt.pl \u2022 https://www.vgt.pl/94.152.152.233/images/logo.png", "jesusandcoffee.com [governmentattic.org] jajaja not funny freaks", "He began a smear campaign immediately and is directly linked to Hall Render and Palantir", "http://www.happylifehappywife.com/2013/03/'> \u2022 http://www.happylifehappywife.com/index.php", "https://id.login.update.ssl.encryption-6159368de39251d7a-login.id.security.trackid.piwikb7c1867dd7ba9c57.e988d676bdb63f3b4dbcdc53578a9b26.mailingmarketing.net/", "94.130.71.173 [scanning host]", "https://otx.alienvault.com/indicator/url/https://www.anyxxxtube.net/search-porn/tsara-brashears/", "http://www.happylifehappywife.com/wp-content/themes/theme78222/images/top-right.jpg", "https://hybrid-analysis.com/sample/ba72877899dffe3cfb08ab3b61d24e45325f0c27f3cec81e88e9dcf3f84f7098", "https://www.sweetheartvideo.com/model/63710/brandi-love", "103.233.208.9 (CNC IP)", "142.250.180.4 (init.ess)", "https://www.vgt.pl/font/roboto/Roboto-Light.ttf \u2022", "https://www.journaldev.com/41403/regex", "gahyqah.com [command_and_control]", "https://seedbeej.pk/tin/index.php?QBOT.zip", "https://urlscan.io/result/e770a861-9818-4309-b31e-fd18510532a7/#indicators", "http://45.159.189.105/bot/regex (tracks Tsara Brashears)", "https://www.vgt.pl/favicon.ico", "http://www.happylifehappywife.com/2011/08/'> \u2022 http://www.happylifehappywife.com/2012/07/'>", "https://rmy1o3xp-d182-v9.klinika-rekonstruktivnoj-kosmetologii-na-ulitse-lenina.ru/ [Botnet]", "https://www.vgt.pl/font/roboto/Roboto-Bold.eot \u2022", "Michael Roberts - murder suspect, victim, hacker, PI", "IPv4 198.54.117.217 command_and_control", "beacons.bcp.gvt.com [tracking]", "https://www.hallrender.com/attorney/brian-sabey/", "https://ladys.one/xxx/a-tsara-brashears-zafira-porn", "https://www.milehighmedia.com/model/59136/avi-love \u2022https://www.milehighmedia.com/model/60418/Justin-Hunt \u2022", "https://www.pornhub.com/gifs/search?search=tsara+lynn+brashears+lesbian | OS & iOS Password and Password Cracker", "device-local-3fea3945-5a69-47b5-9512-efa9e952b40e.remotewd.com", "http://www.kavyadigitalservices.com/wp-content/plugins/revslider/temp/update_extract/revslider/terms.php?id=3384758333", "https://www.sweetheartvideo.com/scenes?models=63710", "pornhub-e.com \u2022 www.pornhub.com \u2022", "Hmm, cyber criminals use parking pages for malvertizing malicious content & intent , reputation content, etc", "https://www.milehighmedia.com/en/login/index/aHR0cHMlM0ElMkYlMkZtZW1iZXJzLm1pbGVoaWdobWVkaWEuY29tJTJGZW4lMkZ2aWRlb3MlMkZzd2VldGhlYXJ0dmlkZW8lM0ZhbHVwJTNEQURqeF9ITjhfd1oweU96UnpsU3NNNUZLaVVxSzBXNEN0X3NmTFpKTGVJc3M2b0RVUzkwVmp6VllNVko5eFpmdENYcFNKd3IzOTNaMG1mOEpXeVhVeVZpLTJZYVRsaGd3M25DSDRpYnRwZ25BRC1zUFhDQVUycjZJOXo2WWtRMzNVWVFhMFZyWC1YckxvcnRkVjJZdEgxSDYxZ1lhMTFNS3RZSkEzY3FlSXhFQzhtSlAzSk1tbloySURMQXlMZndPcHozSFFiTzF4T0FseXJIQ0xYem1ldFElMkE=\t \thttp://www.milehighmedia.com/?ats=eyJhIjoyOTYzMTgsImMiOjU3OTYzNz", "assassinationmarkets.com", "https://www.gov.pl/attachment/65dfce94-31f9-4523-8d3b-89df3d4c5f75", "Stop! A woman was assaulted carved up, lived with a swollen brain , maltreatment , stalkers , hitmen?", "http://www.sheraises.com/wcur/ [phishing]", "https://www.hybrid-analysis.com/sample/a8decf589e5ec26f1e994a3923fc245db98f681f951d2bb8e1fcce1d8fef5293", "www.norad.mil [tracking]", "ransomwaretracker.abuse.ch", "98cc05d9c12c214deadfe71af22cd3862e7417c0 [backdoor | PPI User-Agent (InstallCapital)]", "You\u2019d kill to have someone else\u2019s lifestyle? May God take you out!", "https://www.virustotal.com/gui/url/000c01d40db51f156933c624f23e776cb2c1fd60b8f1840b13b9622886a8e918/community", "miles.ns.cloudflare.com", "He must be very scary like Peter Theil because every attorney took case then backed off.", "https://www.apple.com/qtactivex/qtplugin.cab [https://www.icloud.com .cab]", "http://mcbut.live (Not present? Absent today - unexcused)", "http://www.objectaid.com/update/current/p2.index [AIN Phishing IOC's]", "https://www.vgt.pl/font/roboto/Roboto-Regular.eot \u2022 https://www.vgt.pl/94.152.156.22/logo.png \u2022 https://www.vgt.pl/css/", "https://www.vgt.pl/font/roboto/Roboto-Bold.eot \u2022 https://www.vgt.pl/font/roboto/Roboto-Bold.ttf \u2022 https://www.vgt.pl/font/roboto/Roboto-Light.eot", "nr-data.net", "https://wallpapers-nature.com/tsara-brashears/tse1-mm-bing-net", "Tsara never knew defense attorney fought & closed her worker\u2019s compensation claim", "https://www.anyxxxtube.net/search-porn/tsara-brashears/ [text, email, collection]", "https://www.vgt.pl/font/roboto/Roboto-Medium.ttf", "artificial-legal-intelligence.com", "https://www.pornhub.com/gifs/search?search=tsara+lynn+brashears+lesbian", "http://www.hak.vgt.pl \u2022 http://pornokind.vgt.pl \u2022 http://sip.vgt.pl \u2022 http://smtp-qa.vgt.pl \u2022 http://vgt.pl/*.", "https://id.security.trackid.piwikb7c1867dd7ba9c57.2ce7e2c4000f72e3204af57fac31aafd.mailingmarketing.net/", "thecomments.app", "Michael Roberts Australia, Germany, Iowa, New York Friend of Ben", "I\u2019ve looked through the settlement docs, injuries caused by Jeffrey Scott Reiner DPT omitted.", "https://mypornvid.com/videos/27/x510fb2/white-dpt-jeffrey-reimer-loves-pretty-indian-patient-forces-sex-3gp-video-tsara-brashears/caillou-finger", "http://em.onedirect.in/ls/click?upn=7RLF-2FDQ4RqYaRQtlnfvOgvQ66wDRlCqFovy2-2BXJwRBId7DR0PEPeiDPgFR0O6bb0FsljUHxEKK6C5a36-2FIswwfy8i49p0CmfV", "IDS Detections: Win32/Unruy Rogue Search Host Observed 1", "www.akhaltsikhe.gov.ge [Germany?]", "http://45.159.189.105/bot/regex \u2022\u2019 Fake Pinterest \u2022https://pin.it/", "So you can order food at fine restaurants , go to the finest places and get the best seats? No. I am earnestly praying Jehovah Sabaoth takes your last breath from all of you with Yawehs mightiest angels leading the way with a changing of guard for every tattle you will lose", "www.jamesbgriffinlaw.com (toolbox)", "http://tracks.theleders.family", "hasownproperty.call", "http://www.nimtax.com/k9/,Formbook,Medium,9/9/2019,1/7/2020", "nr-data.net [Apple Private Data Collection]", "gadyniw.com [command_and_control]", "https://www.sweetheartvideo.com/tsara-brashears/ \u2022 www.sweetheartvideo.com", "https://urlscan.io/result/07fe876e-8864-474f-8b32-ba2d50c9a242/#indicators", "mobileaccess.intel.com", "https://urlscan.io/screenshots/e931bb02-80dc-46db-92f0-43d5afa258be.png", "https://otx.alienvault.com/indicator/url/https://media.toxtren.com/redirect.aspx?pid=272789&&bid=1971&&lpid=2119&&subid=18b8dh9scxi7sbl11f&&sref=inhousecpa&&inhousecpa=Kiev_Dima_BR_Setki", "IPv4 198.54.117.215 command_and_control", "https://www.sweetheartvideo.com/en/model/Mona-Wales/49601 \u2022 https://www.sweetheartvideo.com/en/scene/Truth-Dare--Boobs/130432 No Expiration\t0\t URL https://www.sweetheartvideo.com/it/model/Kristen-Scott/50432 \u2022 https://www.sweetheartvideo.com/model/63710/brandi-love", "photos.theleders.family", "\u2193Interesting\u2193", "http://pl.gov-zaloguj.info", "http://t.go.leadthrottle.com/ls/click?upn=QhIPT8KEOABIXMIAxwxPqJ280BBgOcomwXzYntjGICKScv8M4tWQQv4cQuNEja5M44qD_uKOrj1xe-2BYklVyDerLi-2F8mevEGdJeLwCcy3wsiM69F4EC3HAQoZ582VU8uxrVcciNra6YszFQV9gxv53c9iiXOjTuuW-2Fx2QeRPLTofIbYdsrV0aHfkFFhlixBU98mWJE7J0sEjKal1RV6nobxwnEeiVnye8NmQRJx-2FU9UfSEgWQJkTRSj9fP71LBPXBfsc8hOmZFtxOK0v3NQPflOZaAcy5iWdp2hFJGs4seKW1H2KrW5ufvec0BQBd1-2BT0vkNMAbCRhYmaLIAIyjw8lLFewDKeh7z1Ab1irO0L76m8UtAPp2ggxJTpeu-2BTpA0DNS2YtJw0V8Ucha5zN7OgSKumBbxxQEaK8UUm3ZjUVbsX-2Fyv-2B-2BteXtCeZE-2FzL3wmcIL", "https://www.vgt.pl/94.152.152.233/images/logo.png", "https://www.vgt.pl/font/fa/fontawesome-webfont.eot", "screencasts.rexxfield.com", "http://siteinlink.d1.cnbd.net/search/tsara-brashears-dead \u2022 http://siteinlink.d1.cnbd.net/site/maps.google.com.lb/", "galyqaz.com [command_and_control]", "https://www.9and10news.com/2021/09/17/fbi-releases-update-on-suspicious-packages-left-at-att-stores/", "https://www.hybrid-analysis.com/sample/d4e0619008da0bf555fd1d9af2797eaed02c89512239cbdaf64c08e795bb9658", "https://www.sweetheartvideo.com/en/?s=1?s=1&utm_source=272160&utm_medium=affiliate&utm_campaign=lovelezzies", "https://www.vgt.pl/font/roboto/Roboto-Regular.ttf \u2022 https://www.vgt.pl/font/roboto/Roboto-Thin.eot", "http://www.happylifehappywife.com/2011/06/'> \u2022 http://www.happylifehappywife.com/2011/08/'", "IPv4 198.54.117.211 command_and_control", "http://mobtrack.trkclk.net", "puzylyp.com [command_and_control]", "https://www.vgt.pl/font/roboto/Roboto-Thin.ttf \u2022 https://www.vgt.pl/static/js/bootstrap-typeahead.js", "https://twitter.com/PORNO_SEXYBABES \u2022 girlsdoporn.com", "apex.jquery.com (scammer | works for who?)", "https://urlscan.io/domain/maxwam.tk", "init.ess.apple.com (Highly malicious. Will infiltrate devices when exploited. Spyware)", "https://www.vgt.pl/style/style.css \u2022 https://www.vgt.pl/static/js/bootstrap-typeahead.js", "http://siteinlink.d1.cnbd.net/search/tsara-brashears-dead \u2022 https://videolal.com/videos/tsara-brashears-dead-by-daylight.html", "emails.redvue.com (apple DNS w/amvima)", "a.nel.cloudflare.com / api.w.org", "lyvyxor.com [command_and_control]", "https://www.sweetheartvideo.com/en/dvd/Lesbian-Massage/49895", "https://www.norad.mil/ [ Modified by others| Parking Crew - is a Tracker]", "louisianarooflawyers.com [phishing]", "IPv4 198.54.117.210 command_and_control", "https://api.openinstall.io/api/v2/android/otby76/init?certFinger=44:B4:38:61:15:B4:57:55:B5:BF:D1:6B:34:CC:60:72:DA:C7:40:CE&macAddress=6D:51:08:93:04:7B&serialNumber=&apiVersion=2.3.0&deviceId=&pkg=com.mobikok.ecoupon&version=8.1.0&installId=&androidId=91ed20d90734918e&versionCode=333\u00d7tamp=1684541379839", "https://seedbeej.pk/tin/index.php?QBOT.zip. [Qbot zip]", "https://www.pornhub.com/video/search?search=tsara+brashears [NORAD.mil phone tracking. Description modified]", "https://tulach.cc/ [phishing, exploits, malware spreader]", "https://www.milehighmedia.com/en/photo/milehighmedia/The-Mother-I-Cant-Resist/52380", "TrojanSpy:Win32/Nivdort.DE", "https://www.vgt.pl/ phishing \u2022 https://vgt.pl/ \u2022www.vgt.pl \u2022 https://www.vgt.pl/94.152.152.233/images/logo.png", "apple-dns.net", "http://intel.net/.about.html", "Yara Detections: Nrv2x , UPX_OEP_place , UPX_Modified_Or_Inside , UPX20030XMarkusOberhumerLaszloMolnarJohnReiser", "Do you slap luxury cologne on your undeserving face paid for by money workers suffered for?" ], "related": { "alienvault": { "adversary": [], "malware_families": [], "industries": [] }, "other": { "adversary": [ "Qbot" ], "malware_families": [ "Hawkeye", "Win.trojan.nsis-41", "Installbrain", "Occamy", "Swrort", "Generic", "Backdoor:win32/tofsee.t", "Matsnu", "Quasar", "Alf:heraklezeval:trojanclicker:js/faceliker", "Trojan:win32/neconyd.a", "Trojan:win32/generic", "Swipper", "Win.trojan.unruy-5885", "Pykspa", "Lolkek", "Dorkbot", "Betabot", "Ransom:win32/wannaren", "Worm:win32/fesber.a", "#lowfi:hstr:trojanspy:win32/xtrat", "Alf:cert:bandoo", "Trojan:win32/mydoom", "Slingshot", "Expiro", "Zeus", "Formbook", "Virut", "Neutrino", "Kraken", "Alf:heraklezeval:trojan:bat/musecador", "Ransomware", "#lowfitrojan:js/auto25", "Covid19", "Ebury", "Alfper:installcapital", "Alf:jasyp:trojandownloader:win32/startpage!atmn", "Ramnit", "Gopher", "Hydra", "Alinaos", "Emotet", "Dexter", "Win.packed.kelios-10023944-0", "States", "Alf:heraklezeval:trojandownloader:win32/unruy!rfn", "Grandcrab", "Trojandownloader:win32/upatre.o", "Win.malware.unsafe", "Ransom:win32/haperlock", "Bondat", "Roblox", "Plasma rat", "Solar", "Andromeda", "Gregory", "Adaptivebee", "Spyeye", "Trojan:win32/startpage", "Virtool:msil/cryptinject.cf!mtb", "Et", "Win.malware.downloadguide-6803841-0", "Sality", "Trojanspy:win32/nivdort.de", "Artro", "Win32:malware-gen", "Mediamagnet", "Beach research", "Backdoor:win32/wabot.a", "Trojanx", "Tulach malware", "Alf:heraklezeval:softwarebundler:win32/prepscram", "Win32:kryptik-pll", "Alf:heraklezeval:trojandownloader:win32/unruy", "Vskimmer", "Nanocore rat", "Njrat", "Bambernek", "Trojandownloader:win32/upatre", "Win.packed.xtremerat-9837419-0", "Suppobox", "Ransom:win32/teerac.a", "Pinkslipbot", "Hacktool", "Trojanspy:win32/bradesco", "Cutwail", "#lowfi:hstr:win32/airinstaller.b", "Win.malware.qshell-9875653-0", "Worm:win32/autorun", "Hidelink", "Simda", "Agent tesla", "Ascii", "Win.malware.tofsee-6880878-0", "Ransom:win32/wannacrypt.a!rsm", "Athena", "Alf:trojan:win32/cassini_ade36583", "Iobit", "Trojanspy:win32/nivdort", "Xrat", "Alf:heraklezeval:pua:win32/imali", "Redline stealer", "#lowfi:fop:virtool:win32/injector", "Trojan:win32/qshell", "Win.dropper.remcos-9970861-0", "Trojanclicker", "Other", "Ghost rat", "Zbot", "Blacknet", "Trojanspy", "Gamehack", "Citadel", "Locky", "Win.trojan.airinstall-1", "Maltiverse", "Webtoolbar", "Installcore", "Artemis", "Trojandownloader:win32/upatre.a", "Spitmo", "Trojan:win32/qbot.r!mtb", "Recent emotet", "Azorult", "N\u2205 ip", "Ransom:win32/g and crab!rfn", "Win.trojan", "Cobalt strike", "Tulach", "Nymaim", "Pony", "Trojan:win32/emotet.pc!mtb", "Ascii exploit", "Unruy", "Win.packed.kkrunchy-7049457-1", "Trojan:win32/emotet.kds!mtb", "Qakbot", "Vawtrak", "Infy", "Nsis", "Tofsee", "Jaik", "Virtool:win32/injector.gen!bq", "Win.trojan.zbot-64721", "Juko" ], "industries": [ "Technology", "Telecommunications", "Legal", "Healthcare", "Government" ] } } }, "false_positive": [] }, "geo": {}, "geo_ipapicom": {}, "pulse_count": 50, "pulses": [ { "id": "69b49ad5dd40a24d83cd6a72", "name": "Chris P. Ahmann \u2022 PRIVATE PROPERTY Colorado State Fixer!", "description": "", "modified": "2026-03-13T23:16:37.716000", "created": "2026-03-13T23:16:37.716000", "tags": [ "related pulses", "p1377925676", "gaz1", "sid1696503456", "sct1", "active", "dynamicloader", "medium", "write c", "search", "show", "high", "program gateway", "http traffic", "http", "write", "malware", "nivdort", "serving ip", "address", "status code", "kb body", "sha256", "gw5hjz7t975", "url https", "url http", "indicator role", "pulses url", "hostname", "poland unknown", "present sep", "present jul", "present may", "present apr", "present dec", "present jan", "moved", "passive dns", "ip address", "title", "location poland", "asn as29522", "gmt content", "accept encoding", "ipv4 add", "urls", "files", "reverse dns", "united", "record value", "aaaa", "mtb oct", "found", "error", "read c", "memcommit", "module load", "next", "showing", "trojan", "execution", "unknown", "entries", "ms windows", "intel", "as15169", "codeoverlap", "yara detections", "delphi", "worm", "win32", "win64", "learn", "ck id", "name tactics", "suspicious", "informative", "adversaries", "command", "spawns", "ssl certificate", "execution att", "script urls", "treece alfrey", "meta", "germany unknown", "for privacy", "title added", "active related", "pulses", "asnone", "named pipe", "type indicator", "role title", "added active", "filehashsha256", "ally", "melika", "information", "law christopher", "https", "fake pinterest", "tsara", "traceback man", "expiro", "capture", "domain", "types of", "germany", "poland", "netherlands", "cve cve20178977", "boobs130432 nov", "learn more", "filehashmd5", "utmsourceawin", "pe32", "head microsoft", "delete", "main", "backdoor", "next associated", "gmt connection", "control", "content type", "twitter", "certificate", "redirect date", "cache", "unknown ns", "hostname add", "ipv4", "pulse pulses", "location united", "america flag", "america asn", "windows", "total", "ids detections", "url add", "related nids", "files location", "flag united", "win32mydoom nov", "domain add", "yara rule", "ee fc", "ff d5", "f0 ff", "eb e1", "ff ff", "c1 e8", "c1 c0", "eb e8", "mpress", "cache control", "x cache", "date", "name servers", "arial", "present aug", "present jun", "may god", "hall render", "palantir doing", "jeffrey scott", "jeffrey reimer", "brian sabey", "butt pirates", "scott reimer", "colorado", "quasi government", "workers compensation", "eva lisa", "eva reimer", "sammie", "montano mark", "death threats", "tulach", "hired hit men", "gay man", "gay porn", "concentra", "corruption", "palantir", "foundry", "grifter", "warning", "illegal", "apple", "contacted", "ransom", "dead", "denver" ], "references": [ "https://tamlegal.com/attorneys/christopher-p-ahmann/#breadcrumb \u2022 https://www.milehighmedia.com/en/movies", "https://www.milehighmedia.com/legal/2257 \u2022 https://www.milehighmedia", "www.milehighmedia.com \u2022 https://www.milehighmedia.com/en/Charlie-Dean/pornstar/49512", "https://www.milehighmedia.com/en/login/index/aHR0cHMlM0ElMkYlMkZtZW1iZXJzLm1pbGVoaWdobWVkaWEuY29tJTJGZW4lMkZ2aWRlb3MlMkZzd2VldGhlYXJ0dmlkZW8lM0ZhbHVwJTNEQURqeF9ITjhfd1oweU96UnpsU3NNNUZLaVVxSzBXNEN0X3NmTFpKTGVJc3M2b0RVUzkwVmp6VllNVko5eFpmdENYcFNKd3IzOTNaMG1mOEpXeVhVeVZpLTJZYVRsaGd3M25DSDRpYnRwZ25BRC1zUFhDQVUycjZJOXo2WWtRMzNVWVFhMFZyWC1YckxvcnRkVjJZdEgxSDYxZ1lhMTFNS3RZSkEzY3FlSXhFQzhtSlAzSk1tbloySURMQXlMZndPcHozSFFiTzF4T0FseXJIQ0xYem1ldFElMkE=\t \thttp://www.milehighmedia.com/?ats=eyJhIjoyOTYzMTgsImMiOjU3OTYzNz", "http://www.milehighmedia.com/legal\t \u2022 https://www.milehighmedia.com/en/pornstar/milehighmedia/Justin-Hunt/51017", "https://www.milehighmedia.com/de/MileHighMedia/scene/129689?utm_source=271174&utm_medium=affiliate&utm_campaign=", "http://www.milehighmedia.com/?ats=eyJhIjoyOTYzMTgsImMiOjU3OTYzNzc1LCJuIjo3NiwicyI6NT...", "ttps://www.milehighmedia.com/scene/4404473/creampie-adventures-scene-2-sneaky-melanie", "https://www.milehighmedia.com/join \u2022 https://www.milehighmedia.com/models \u2022 https://www.milehighmedia.com/movies", "https://www.milehighmedia.com/model/59136/avi-love \u2022https://www.milehighmedia.com/model/60418/Justin-Hunt \u2022", "https://www.milehighmedia.com/en/photo/milehighmedia/The-Mother-I-Cant-Resist/52380", "https://www.milehighmedia.com/en/movies \u2022 https://www.milehighmedia.com/join", "https://www.pornhub.com/gifs/search?search=tsara+lynn+brashears+lesbian", "pornhub-e.com \u2022 www.pornhub.com \u2022", "https://www.sweetheartvideo.com/tsara-brashears/ \u2022 www.sweetheartvideo.com", "https://www.sweetheartvideo.com/en/?s=1?s=1&utm_source=272160&utm_medium=affiliate&utm_campaign=lovelezzies", "https://www.sweetheartvideo.com/en/dvd/Lesbian-Massage/49895", "https://www.sweetheartvideo.com/en/dvds \u2022 https://www.sweetheartvideo.com/en/login", "https://www.sweetheartvideo.com/en/model/Mona-Wales/49601 \u2022 https://www.sweetheartvideo.com/en/scene/Truth-Dare--Boobs/130432 No Expiration\t0\t URL https://www.sweetheartvideo.com/it/model/Kristen-Scott/50432 \u2022 https://www.sweetheartvideo.com/model/63710/brandi-love", "https://www.sweetheartvideo.com/scenes?models=63710", "https://www.sweetheartvideo.com/model/63710/brandi-love", "https://www.sweetheartvideo.com/scenes?models=63710", "https://www.sweetheartvideo.com/it/model/Kristen-Scott/50432", "https://www.sweetheartvideo.com/en/scene/Truth-Dare--Boobs/130432", "https://www.milehighmedia.com/en/photo/milehighmedia/The-Mother-I-Cant-Resist/52380", "https://www.vgt.pl/font/roboto/Roboto-Bold.eot \u2022", "https://www.vgt.pl/94.152.152.233/images/logo.png", "https://www.vgt.pl/94.152.156.22/logo.png \u2022 https://www.vgt.pl/css/", "https://www.vgt.pl/favicon.ico", "https://www.vgt.pl/font/fa/fontawesome-webfont.eot", "https://www.vgt.pl/font/roboto/Roboto-Bold.ttf \u2022 https://www.vgt.pl/font/roboto/Roboto-Light.eot", "https://www.vgt.pl/font/roboto/Roboto-Medium.ttf", "https://www.vgt.pl/font/roboto/Roboto-Light.ttf \u2022", "https://www.vgt.pl/static/js/bootstrap-typeahead.jstic/js/bootstrap-typeahead.js", "https://www.vgt.pl/style/style.css \u2022 https://www.vgt.pl/font/roboto/Roboto-Medium.eot", "https://www.vgt.pl/font/roboto/Roboto-Regular.ttf \u2022 https://www.vgt.pl/font/roboto/Roboto-Thin.eot", "https://www.vgt.pl/static/js/bootstrap-typeahead.js.179.252.2", "https://www.vgt.pl/font/roboto/Roboto-Thin.ttf \u2022 https://www.vgt.pl/static/js/bootstrap-typeahead.js", "https://www.vgt.pl/font/roboto/Roboto-Regular.eot \u2022 https://www.vgt.pl/94.152.156.22/logo.png \u2022 https://www.vgt.pl/css/", "vgt.pl \u2022 www.hak.vgt.pl \u2022 www.localhost.vgt.pl \u2022 www.certyfikat.vgt.pl \u2022 aristocrat.vgt.pl", "https://www.vgt.pl/ phishing \u2022 https://vgt.pl/ \u2022www.vgt.pl \u2022 https://www.vgt.pl/94.152.152.233/images/logo.png", "http://www.pornokind.vgt.pl \u2022 https://dbkuewww.m.vgt.pl \u2022 https://lokalnyhost.vgt.pl \u2022 www.xn--twj-hna.pedofil.vgt.pl", "http://www.hak.vgt.pl \u2022 http://pornokind.vgt.pl \u2022 http://sip.vgt.pl \u2022 http://smtp-qa.vgt.pl \u2022 http://vgt.pl/*.", "https://pornokind.vgt.pl \u2022 https://sip.vgt.pl \u2022 https://smtp-qa.vgt.pl \u2022 https://www.vgt.pl/94.152.156.22/logo.png", "www.localhost.vgt.pl \u2022 www.certyfikat.vgt.pl \u2022 https://www.vgt.pl/94.152.152.233/images/logo.png", "https://www.vgt.pl/css/ \u2022 https://www.vgt.pl/favicon.ico \u2022 https://www.vgt.pl/font/fa/fontawesome-webfont.eot", "https://www.vgt.pl/font/roboto/Roboto-Bold.eot \u2022 https://www.vgt.pl/font/roboto/Roboto-Bold.ttf \u2022 https://www.vgt.pl/font/roboto/Roboto-Light.eot", "https://www.vgt.pl/static/js/bootstrap-typeahead.jstic/js/bootstrap-typeahead.js", "https://www.vgt.pl/style/style.css \u2022 https://www.vgt.pl/static/js/bootstrap-typeahead.js", "IP Address 94.152.58.192 Location Poland ASN AS29522 h88 s.a. Nameservers ns1.kei.pl. , ns2.kei.pl.", "www.happylifehappywife.com \u2022 http://www.happylifehappywife.com/2010/02/'>", "http://www.happylifehappywife.com/2010/04/'> \u2022 http://www.happylifehappywife.com/2010/05/'>", "http://www.happylifehappywife.com/2010/07/'> \u2022 http://www.happylifehappywife.com/2010/09/'>", "http://www.happylifehappywife.com/2011/06/'> \u2022 http://www.happylifehappywife.com/2011/08/'", "http://www.happylifehappywife.com/2011/08/'> \u2022 http://www.happylifehappywife.com/2012/07/'>", "http://www.happylifehappywife.com/2013/03/'> \u2022 http://www.happylifehappywife.com/index.php", "http://www.happylifehappywife.com/wp-content/themes/theme78222/images/top-right.jpg", "https://amp.mypornvid.fun/videos/8/AhxS-ej1myg/gf-18-com/\ud83c\udf81-i39m-your-present-\ud83c\udf81-girlfriend-surprises-you-for-christmas-reunion-soft-kisses-amp-cuddles", "8-25-220-162-static.reverse.queryfoundry.net\t\t\tNov 1, 2025, 9:34:14 AM\t\t5\t domain\tqueryfoundry.net\t\t\tNov 1, 2025, 9:34:14 AM\t\t8\t URL\thttp://117-114-251-162-static.reverse.queryfoundry.net/", "http://watchhers.net/index.php", "remotewd.com device local", "nr-data.net \u2022 applemusic-spotlight.myunidays.com \u2022 init.ess.apple.com \u2022 tv.apple.com", "https://browntubeporn.com/tsara-brashearsAccept-Language", "https://cg864.myhotzpic.com phishing \u2022 http://dashboard.myhotzpic.com/", "https://myhotzpic.com/tsara-brashears-hardcore-lesbian-sex/anime-studio.org*thumbs-fa...", "https://mypornvid.com/videos/27/x510fb2/white-dpt-jeffrey-reimer-loves-pretty-indian-patient-forces-sex-3gp-video-tsara-brashears/caillou-finger", "http://siteinlink.d1.cnbd.net/search/tsara-brashears-dead \u2022 http://siteinlink.d1.cnbd.net/site/maps.google.com.lb/", "http://siteinlink.d1.cnbd.net/search/tsara-brashears-assaulted-by-jeffrey-reimer", "http://siteinlink.d1.cnbd.net/search/tsara-brashears-dead \u2022 https://videolal.com/videos/tsara-brashears-dead-by-daylight.html", "http://pixelrz.com/lists/keywords/tsara-brashears-dead/360 \u2022 http://pixelrz.com/lists/keywords/tsara-brashears-dead/360] No Expiration\t4\t Domain tsara-brashears-deadspin-twitter-suspended-account-help.ht", "https://www.anyxxxtube.net/search-porn/tsara-brashears/", "https://www.pornhub.com/gifs/search?search=tsara+lynn+brashears+lesbian", "https://www.anyxxxtube.net/search-porn/tsara-brashears/", "https://twitter.com/PORNO_SEXYBABES \u2022 girlsdoporn.com", "Treece Alfrey Musat P.C. Attorneys at Law Christopher P. Ahmann | https://TamLegal.com", "https://urlscan.io/screenshots/e931bb02-80dc-46db-92f0-43d5afa258be.png" ], "public": 1, "adversary": "", "targeted_countries": [], "malware_families": [ { "id": "TrojanSpy:Win32/Nivdort", "display_name": "TrojanSpy:Win32/Nivdort", "target": "/malware/TrojanSpy:Win32/Nivdort" }, { "id": "Worm:Win32/Autorun", "display_name": "Worm:Win32/Autorun", "target": "/malware/Worm:Win32/Autorun" }, { "id": "Tofsee", "display_name": "Tofsee", "target": null }, { "id": "Jaik", "display_name": "Jaik", "target": null }, { "id": "Trojan:Win32/Qshell", "display_name": "Trojan:Win32/Qshell", "target": "/malware/Trojan:Win32/Qshell" }, { "id": "Trojan:Win32/Mydoom", "display_name": "Trojan:Win32/Mydoom", "target": "/malware/Trojan:Win32/Mydoom" } ], "attack_ids": [ { "id": "T1045", "name": "Software Packing", "display_name": "T1045 - Software Packing" }, { "id": "T1057", "name": "Process Discovery", "display_name": "T1057 - Process Discovery" }, { "id": "T1060", "name": "Registry Run Keys / Startup Folder", "display_name": "T1060 - Registry Run Keys / Startup Folder" }, { "id": "T1053", "name": "Scheduled Task/Job", "display_name": "T1053 - Scheduled Task/Job" }, { "id": "T1055", "name": "Process Injection", "display_name": "T1055 - Process Injection" }, { "id": "T1082", "name": "System Information Discovery", "display_name": "T1082 - System Information Discovery" }, { "id": "T1112", "name": "Modify Registry", "display_name": "T1112 - Modify Registry" }, { "id": "T1119", "name": "Automated Collection", "display_name": "T1119 - Automated Collection" }, { "id": "T1129", "name": "Shared Modules", "display_name": "T1129 - Shared Modules" }, { "id": "T1143", "name": "Hidden Window", "display_name": "T1143 - Hidden Window" }, { "id": "T1063", "name": "Security Software Discovery", "display_name": "T1063 - Security Software Discovery" }, { "id": "T1027", "name": "Obfuscated Files or Information", "display_name": "T1027 - Obfuscated Files or Information" }, { "id": "T1071", "name": "Application Layer Protocol", "display_name": "T1071 - Application Layer Protocol" }, { "id": "T1518", "name": "Software Discovery", "display_name": "T1518 - Software Discovery" }, { "id": "T1553", "name": "Subvert Trust Controls", "display_name": "T1553 - Subvert Trust Controls" }, { "id": "T1568", "name": "Dynamic Resolution", "display_name": "T1568 - Dynamic Resolution" }, { "id": "T1583", "name": "Acquire Infrastructure", "display_name": "T1583 - Acquire Infrastructure" }, { "id": "T1069", "name": "Permission Groups Discovery", "display_name": "T1069 - Permission Groups Discovery" }, { "id": "T1105", "name": "Ingress Tool Transfer", "display_name": "T1105 - Ingress Tool Transfer" }, { "id": "T1113", "name": "Screen Capture", "display_name": "T1113 - Screen Capture" }, { "id": "T1140", "name": "Deobfuscate/Decode Files or Information", "display_name": "T1140 - Deobfuscate/Decode Files or Information" }, { "id": "T1197", "name": "BITS Jobs", "display_name": "T1197 - BITS Jobs" }, { "id": "T1210", "name": "Exploitation of Remote Services", "display_name": "T1210 - Exploitation of Remote Services" }, { "id": "T1457", "name": "Malicious Media Content", "display_name": "T1457 - Malicious Media Content" }, { "id": "T1480", "name": "Execution Guardrails", "display_name": "T1480 - Execution Guardrails" }, { "id": "T1562", "name": "Impair Defenses", "display_name": "T1562 - Impair Defenses" }, { "id": "T1574", "name": "Hijack Execution Flow", "display_name": "T1574 - Hijack Execution Flow" } ], "industries": [], "TLP": "green", "cloned_from": "69631fbd16e306ee2b76c4da", "export_count": 0, "upvotes_count": 0, "downvotes_count": 0, "votes_count": 0, "locked": false, "pulse_source": "web", "validator_count": 0, "comment_count": 1, "follower_count": 0, "vote": 0, "author": { "username": "Q.Vashti", "id": "337942", "avatar_url": "https://otx.alienvault.com/assets/images/default-avatar.png", "is_subscribed": false, "is_following": false }, "indicator_type_counts": { "URL": 8897, "domain": 2102, "hostname": 2867, "FileHash-SHA256": 3886, "FileHash-MD5": 619, "FileHash-SHA1": 555, "CVE": 3, "email": 5, "SSLCertFingerprint": 8 }, "indicator_count": 18942, "is_author": false, "is_subscribing": null, "subscriber_count": 137, "modified_text": "36 days ago ", "is_modified": false, "groups": [], "in_group": false, "threat_hunter_scannable": true, "threat_hunter_has_agents": 1, "related_indicator_type": "domain", "related_indicator_is_active": 1 }, { "id": "69b496396ca4987e95ad37d1", "name": "Chris Buzz by QVashni (wow)", "description": "", "modified": "2026-03-13T22:56:57.314000", "created": "2026-03-13T22:56:57.314000", "tags": [ "related pulses", "p1377925676", "gaz1", "sid1696503456", "sct1", "active", "dynamicloader", "medium", "write c", "search", "show", "high", "program gateway", "http traffic", "http", "write", "malware", "nivdort", "serving ip", "address", "status code", "kb body", "sha256", "gw5hjz7t975", "url https", "url http", "indicator role", "pulses url", "hostname", "poland unknown", "present sep", "present jul", "present may", "present apr", "present dec", "present jan", "moved", "passive dns", "ip address", "title", "location poland", "asn as29522", "gmt content", "accept encoding", "ipv4 add", "urls", "files", "reverse dns", "united", "record value", "aaaa", "mtb oct", "found", "error", "read c", "memcommit", "module load", "next", "showing", "trojan", "execution", "unknown", "entries", "ms windows", "intel", "as15169", "codeoverlap", "yara detections", "delphi", "worm", "win32", "win64", "learn", "ck id", "name tactics", "suspicious", "informative", "adversaries", "command", "spawns", "ssl certificate", "execution att", "script urls", "treece alfrey", "meta", "germany unknown", "for privacy", "title added", "active related", "pulses", "asnone", "named pipe", "type indicator", "role title", "added active", "filehashsha256", "ally", "melika", "information", "law christopher", "https", "fake pinterest", "tsara", "traceback man", "expiro", "capture", "domain", "types of", "germany", "poland", "netherlands", "cve cve20178977", "boobs130432 nov", "learn more", "filehashmd5", "utmsourceawin", "pe32", "head microsoft", "delete", "main", "backdoor", "next associated", "gmt connection", "control", "content type", "twitter", "certificate", "redirect date", "cache", "unknown ns", "hostname add", "ipv4", "pulse pulses", "location united", "america flag", "america asn", "windows", "total", "ids detections", "url add", "related nids", "files location", "flag united", "win32mydoom nov", "domain add", "yara rule", "ee fc", "ff d5", "f0 ff", "eb e1", "ff ff", "c1 e8", "c1 c0", "eb e8", "mpress", "cache control", "x cache", "date", "name servers", "arial", "present aug", "present jun", "may god", "hall render", "palantir doing", "jeffrey scott", "jeffrey reimer", "brian sabey", "butt pirates", "scott reimer", "colorado", "quasi government", "workers compensation", "eva lisa", "eva reimer", "sammie", "montano mark", "death threats", "tulach", "hired hit men", "gay man", "gay porn", "concentra", "corruption", "palantir", "foundry", "grifter", "warning", "illegal", "apple", "contacted", "ransom", "dead", "denver" ], "references": [ "https://tamlegal.com/attorneys/christopher-p-ahmann/#breadcrumb \u2022 https://www.milehighmedia.com/en/movies", "https://www.milehighmedia.com/legal/2257 \u2022 https://www.milehighmedia", "www.milehighmedia.com \u2022 https://www.milehighmedia.com/en/Charlie-Dean/pornstar/49512", "https://www.milehighmedia.com/en/login/index/aHR0cHMlM0ElMkYlMkZtZW1iZXJzLm1pbGVoaWdobWVkaWEuY29tJTJGZW4lMkZ2aWRlb3MlMkZzd2VldGhlYXJ0dmlkZW8lM0ZhbHVwJTNEQURqeF9ITjhfd1oweU96UnpsU3NNNUZLaVVxSzBXNEN0X3NmTFpKTGVJc3M2b0RVUzkwVmp6VllNVko5eFpmdENYcFNKd3IzOTNaMG1mOEpXeVhVeVZpLTJZYVRsaGd3M25DSDRpYnRwZ25BRC1zUFhDQVUycjZJOXo2WWtRMzNVWVFhMFZyWC1YckxvcnRkVjJZdEgxSDYxZ1lhMTFNS3RZSkEzY3FlSXhFQzhtSlAzSk1tbloySURMQXlMZndPcHozSFFiTzF4T0FseXJIQ0xYem1ldFElMkE=\t \thttp://www.milehighmedia.com/?ats=eyJhIjoyOTYzMTgsImMiOjU3OTYzNz", "http://www.milehighmedia.com/legal\t \u2022 https://www.milehighmedia.com/en/pornstar/milehighmedia/Justin-Hunt/51017", "https://www.milehighmedia.com/de/MileHighMedia/scene/129689?utm_source=271174&utm_medium=affiliate&utm_campaign=", "http://www.milehighmedia.com/?ats=eyJhIjoyOTYzMTgsImMiOjU3OTYzNzc1LCJuIjo3NiwicyI6NT...", "ttps://www.milehighmedia.com/scene/4404473/creampie-adventures-scene-2-sneaky-melanie", "https://www.milehighmedia.com/join \u2022 https://www.milehighmedia.com/models \u2022 https://www.milehighmedia.com/movies", "https://www.milehighmedia.com/model/59136/avi-love \u2022https://www.milehighmedia.com/model/60418/Justin-Hunt \u2022", "https://www.milehighmedia.com/en/photo/milehighmedia/The-Mother-I-Cant-Resist/52380", "https://www.milehighmedia.com/en/movies \u2022 https://www.milehighmedia.com/join", "https://www.pornhub.com/gifs/search?search=tsara+lynn+brashears+lesbian", "pornhub-e.com \u2022 www.pornhub.com \u2022", "https://www.sweetheartvideo.com/tsara-brashears/ \u2022 www.sweetheartvideo.com", "https://www.sweetheartvideo.com/en/?s=1?s=1&utm_source=272160&utm_medium=affiliate&utm_campaign=lovelezzies", "https://www.sweetheartvideo.com/en/dvd/Lesbian-Massage/49895", "https://www.sweetheartvideo.com/en/dvds \u2022 https://www.sweetheartvideo.com/en/login", "https://www.sweetheartvideo.com/en/model/Mona-Wales/49601 \u2022 https://www.sweetheartvideo.com/en/scene/Truth-Dare--Boobs/130432 No Expiration\t0\t URL https://www.sweetheartvideo.com/it/model/Kristen-Scott/50432 \u2022 https://www.sweetheartvideo.com/model/63710/brandi-love", "https://www.sweetheartvideo.com/scenes?models=63710", "https://www.sweetheartvideo.com/model/63710/brandi-love", "https://www.sweetheartvideo.com/scenes?models=63710", "https://www.sweetheartvideo.com/it/model/Kristen-Scott/50432", "https://www.sweetheartvideo.com/en/scene/Truth-Dare--Boobs/130432", "https://www.milehighmedia.com/en/photo/milehighmedia/The-Mother-I-Cant-Resist/52380", "https://www.vgt.pl/font/roboto/Roboto-Bold.eot \u2022", "https://www.vgt.pl/94.152.152.233/images/logo.png", "https://www.vgt.pl/94.152.156.22/logo.png \u2022 https://www.vgt.pl/css/", "https://www.vgt.pl/favicon.ico", "https://www.vgt.pl/font/fa/fontawesome-webfont.eot", "https://www.vgt.pl/font/roboto/Roboto-Bold.ttf \u2022 https://www.vgt.pl/font/roboto/Roboto-Light.eot", "https://www.vgt.pl/font/roboto/Roboto-Medium.ttf", "https://www.vgt.pl/font/roboto/Roboto-Light.ttf \u2022", "https://www.vgt.pl/static/js/bootstrap-typeahead.jstic/js/bootstrap-typeahead.js", "https://www.vgt.pl/style/style.css \u2022 https://www.vgt.pl/font/roboto/Roboto-Medium.eot", "https://www.vgt.pl/font/roboto/Roboto-Regular.ttf \u2022 https://www.vgt.pl/font/roboto/Roboto-Thin.eot", "https://www.vgt.pl/static/js/bootstrap-typeahead.js.179.252.2", "https://www.vgt.pl/font/roboto/Roboto-Thin.ttf \u2022 https://www.vgt.pl/static/js/bootstrap-typeahead.js", "https://www.vgt.pl/font/roboto/Roboto-Regular.eot \u2022 https://www.vgt.pl/94.152.156.22/logo.png \u2022 https://www.vgt.pl/css/", "vgt.pl \u2022 www.hak.vgt.pl \u2022 www.localhost.vgt.pl \u2022 www.certyfikat.vgt.pl \u2022 aristocrat.vgt.pl", "https://www.vgt.pl/ phishing \u2022 https://vgt.pl/ \u2022www.vgt.pl \u2022 https://www.vgt.pl/94.152.152.233/images/logo.png", "http://www.pornokind.vgt.pl \u2022 https://dbkuewww.m.vgt.pl \u2022 https://lokalnyhost.vgt.pl \u2022 www.xn--twj-hna.pedofil.vgt.pl", "http://www.hak.vgt.pl \u2022 http://pornokind.vgt.pl \u2022 http://sip.vgt.pl \u2022 http://smtp-qa.vgt.pl \u2022 http://vgt.pl/*.", "https://pornokind.vgt.pl \u2022 https://sip.vgt.pl \u2022 https://smtp-qa.vgt.pl \u2022 https://www.vgt.pl/94.152.156.22/logo.png", "www.localhost.vgt.pl \u2022 www.certyfikat.vgt.pl \u2022 https://www.vgt.pl/94.152.152.233/images/logo.png", "https://www.vgt.pl/css/ \u2022 https://www.vgt.pl/favicon.ico \u2022 https://www.vgt.pl/font/fa/fontawesome-webfont.eot", "https://www.vgt.pl/font/roboto/Roboto-Bold.eot \u2022 https://www.vgt.pl/font/roboto/Roboto-Bold.ttf \u2022 https://www.vgt.pl/font/roboto/Roboto-Light.eot", "https://www.vgt.pl/static/js/bootstrap-typeahead.jstic/js/bootstrap-typeahead.js", "https://www.vgt.pl/style/style.css \u2022 https://www.vgt.pl/static/js/bootstrap-typeahead.js", "IP Address 94.152.58.192 Location Poland ASN AS29522 h88 s.a. Nameservers ns1.kei.pl. , ns2.kei.pl.", "www.happylifehappywife.com \u2022 http://www.happylifehappywife.com/2010/02/'>", "http://www.happylifehappywife.com/2010/04/'> \u2022 http://www.happylifehappywife.com/2010/05/'>", "http://www.happylifehappywife.com/2010/07/'> \u2022 http://www.happylifehappywife.com/2010/09/'>", "http://www.happylifehappywife.com/2011/06/'> \u2022 http://www.happylifehappywife.com/2011/08/'", "http://www.happylifehappywife.com/2011/08/'> \u2022 http://www.happylifehappywife.com/2012/07/'>", "http://www.happylifehappywife.com/2013/03/'> \u2022 http://www.happylifehappywife.com/index.php", "http://www.happylifehappywife.com/wp-content/themes/theme78222/images/top-right.jpg", "https://amp.mypornvid.fun/videos/8/AhxS-ej1myg/gf-18-com/\ud83c\udf81-i39m-your-present-\ud83c\udf81-girlfriend-surprises-you-for-christmas-reunion-soft-kisses-amp-cuddles", "8-25-220-162-static.reverse.queryfoundry.net\t\t\tNov 1, 2025, 9:34:14 AM\t\t5\t domain\tqueryfoundry.net\t\t\tNov 1, 2025, 9:34:14 AM\t\t8\t URL\thttp://117-114-251-162-static.reverse.queryfoundry.net/", "http://watchhers.net/index.php", "remotewd.com device local", "nr-data.net \u2022 applemusic-spotlight.myunidays.com \u2022 init.ess.apple.com \u2022 tv.apple.com", "https://browntubeporn.com/tsara-brashearsAccept-Language", "https://cg864.myhotzpic.com phishing \u2022 http://dashboard.myhotzpic.com/", "https://myhotzpic.com/tsara-brashears-hardcore-lesbian-sex/anime-studio.org*thumbs-fa...", "https://mypornvid.com/videos/27/x510fb2/white-dpt-jeffrey-reimer-loves-pretty-indian-patient-forces-sex-3gp-video-tsara-brashears/caillou-finger", "http://siteinlink.d1.cnbd.net/search/tsara-brashears-dead \u2022 http://siteinlink.d1.cnbd.net/site/maps.google.com.lb/", "http://siteinlink.d1.cnbd.net/search/tsara-brashears-assaulted-by-jeffrey-reimer", "http://siteinlink.d1.cnbd.net/search/tsara-brashears-dead \u2022 https://videolal.com/videos/tsara-brashears-dead-by-daylight.html", "http://pixelrz.com/lists/keywords/tsara-brashears-dead/360 \u2022 http://pixelrz.com/lists/keywords/tsara-brashears-dead/360] No Expiration\t4\t Domain tsara-brashears-deadspin-twitter-suspended-account-help.ht", "https://www.anyxxxtube.net/search-porn/tsara-brashears/", "https://www.pornhub.com/gifs/search?search=tsara+lynn+brashears+lesbian", "https://www.anyxxxtube.net/search-porn/tsara-brashears/", "https://twitter.com/PORNO_SEXYBABES \u2022 girlsdoporn.com", "Treece Alfrey Musat P.C. Attorneys at Law Christopher P. Ahmann | https://TamLegal.com", "https://urlscan.io/screenshots/e931bb02-80dc-46db-92f0-43d5afa258be.png" ], "public": 1, "adversary": "", "targeted_countries": [], "malware_families": [ { "id": "TrojanSpy:Win32/Nivdort", "display_name": "TrojanSpy:Win32/Nivdort", "target": "/malware/TrojanSpy:Win32/Nivdort" }, { "id": "Worm:Win32/Autorun", "display_name": "Worm:Win32/Autorun", "target": "/malware/Worm:Win32/Autorun" }, { "id": "Tofsee", "display_name": "Tofsee", "target": null }, { "id": "Jaik", "display_name": "Jaik", "target": null }, { "id": "Trojan:Win32/Qshell", "display_name": "Trojan:Win32/Qshell", "target": "/malware/Trojan:Win32/Qshell" }, { "id": "Trojan:Win32/Mydoom", "display_name": "Trojan:Win32/Mydoom", "target": "/malware/Trojan:Win32/Mydoom" } ], "attack_ids": [ { "id": "T1045", "name": "Software Packing", "display_name": "T1045 - Software Packing" }, { "id": "T1057", "name": "Process Discovery", "display_name": "T1057 - Process Discovery" }, { "id": "T1060", "name": "Registry Run Keys / Startup Folder", "display_name": "T1060 - Registry Run Keys / Startup Folder" }, { "id": "T1053", "name": "Scheduled Task/Job", "display_name": "T1053 - Scheduled Task/Job" }, { "id": "T1055", "name": "Process Injection", "display_name": "T1055 - Process Injection" }, { "id": "T1082", "name": "System Information Discovery", "display_name": "T1082 - System Information Discovery" }, { "id": "T1112", "name": "Modify Registry", "display_name": "T1112 - Modify Registry" }, { "id": "T1119", "name": "Automated Collection", "display_name": "T1119 - Automated Collection" }, { "id": "T1129", "name": "Shared Modules", "display_name": "T1129 - Shared Modules" }, { "id": "T1143", "name": "Hidden Window", "display_name": "T1143 - Hidden Window" }, { "id": "T1063", "name": "Security Software Discovery", "display_name": "T1063 - Security Software Discovery" }, { "id": "T1027", "name": "Obfuscated Files or Information", "display_name": "T1027 - Obfuscated Files or Information" }, { "id": "T1071", "name": "Application Layer Protocol", "display_name": "T1071 - Application Layer Protocol" }, { "id": "T1518", "name": "Software Discovery", "display_name": "T1518 - Software Discovery" }, { "id": "T1553", "name": "Subvert Trust Controls", "display_name": "T1553 - Subvert Trust Controls" }, { "id": "T1568", "name": "Dynamic Resolution", "display_name": "T1568 - Dynamic Resolution" }, { "id": "T1583", "name": "Acquire Infrastructure", "display_name": "T1583 - Acquire Infrastructure" }, { "id": "T1069", "name": "Permission Groups Discovery", "display_name": "T1069 - Permission Groups Discovery" }, { "id": "T1105", "name": "Ingress Tool Transfer", "display_name": "T1105 - Ingress Tool Transfer" }, { "id": "T1113", "name": "Screen Capture", "display_name": "T1113 - Screen Capture" }, { "id": "T1140", "name": "Deobfuscate/Decode Files or Information", "display_name": "T1140 - Deobfuscate/Decode Files or Information" }, { "id": "T1197", "name": "BITS Jobs", "display_name": "T1197 - BITS Jobs" }, { "id": "T1210", "name": "Exploitation of Remote Services", "display_name": "T1210 - Exploitation of Remote Services" }, { "id": "T1457", "name": "Malicious Media Content", "display_name": "T1457 - Malicious Media Content" }, { "id": "T1480", "name": "Execution Guardrails", "display_name": "T1480 - Execution Guardrails" }, { "id": "T1562", "name": "Impair Defenses", "display_name": "T1562 - Impair Defenses" }, { "id": "T1574", "name": "Hijack Execution Flow", "display_name": "T1574 - Hijack Execution Flow" } ], "industries": [], "TLP": "green", "cloned_from": "69482caa00d327da8f0a87bc", "export_count": 0, "upvotes_count": 0, "downvotes_count": 0, "votes_count": 0, "locked": false, "pulse_source": "web", "validator_count": 0, "comment_count": 0, "follower_count": 0, "vote": 0, "author": { "username": "msudosos", "id": "381696", "avatar_url": "https://otx.alienvault.com/assets/images/default-avatar.png", "is_subscribed": false, "is_following": false }, "indicator_type_counts": { "URL": 8897, "domain": 2102, "hostname": 2867, "FileHash-SHA256": 3886, "FileHash-MD5": 619, "FileHash-SHA1": 555, "CVE": 3, "email": 5, "SSLCertFingerprint": 8 }, "indicator_count": 18942, "is_author": false, "is_subscribing": null, "subscriber_count": 47, "modified_text": "36 days ago ", "is_modified": false, "groups": [], "in_group": false, "threat_hunter_scannable": true, "threat_hunter_has_agents": 1, "related_indicator_type": "domain", "related_indicator_is_active": 1 }, { "id": "69b49587dd104e342dda1628", "name": "C Ahman Attorney Clone by Top Tier, Q.Vashti", "description": "", "modified": "2026-03-13T22:53:59.112000", "created": "2026-03-13T22:53:59.112000", "tags": [ "related pulses", "p1377925676", "gaz1", "sid1696503456", "sct1", "active", "dynamicloader", "medium", "write c", "search", "show", "high", "program gateway", "http traffic", "http", "write", "malware", "nivdort", "serving ip", "address", "status code", "kb body", "sha256", "gw5hjz7t975", "url https", "url http", "indicator role", "pulses url", "hostname", "poland unknown", "present sep", "present jul", "present may", "present apr", "present dec", "present jan", "moved", "passive dns", "ip address", "title", "location poland", "asn as29522", "gmt content", "accept encoding", "ipv4 add", "urls", "files", "reverse dns", "united", "record value", "aaaa", "mtb oct", "found", "error", "read c", "memcommit", "module load", "next", "showing", "trojan", "execution", "unknown", "entries", "ms windows", "intel", "as15169", "codeoverlap", "yara detections", "delphi", "worm", "win32", "win64", "learn", "ck id", "name tactics", "suspicious", "informative", "adversaries", "command", "spawns", "ssl certificate", "execution att", "script urls", "treece alfrey", "meta", "germany unknown", "for privacy", "title added", "active related", "pulses", "asnone", "named pipe", "type indicator", "role title", "added active", "filehashsha256", "ally", "melika", "information", "law christopher", "https", "fake pinterest", "tsara", "traceback man", "expiro", "capture", "domain", "types of", "germany", "poland", "netherlands", "cve cve20178977", "boobs130432 nov", "learn more", "filehashmd5", "utmsourceawin", "pe32", "head microsoft", "delete", "main", "backdoor", "next associated", "gmt connection", "control", "content type", "twitter", "certificate", "redirect date", "cache", "unknown ns", "hostname add", "ipv4", "pulse pulses", "location united", "america flag", "america asn", "windows", "total", "ids detections", "url add", "related nids", "files location", "flag united", "win32mydoom nov", "domain add", "yara rule", "ee fc", "ff d5", "f0 ff", "eb e1", "ff ff", "c1 e8", "c1 c0", "eb e8", "mpress", "cache control", "x cache", "date", "name servers", "arial", "present aug", "present jun", "may god", "hall render", "palantir doing", "jeffrey scott", "jeffrey reimer", "brian sabey", "butt pirates", "scott reimer", "colorado", "quasi government", "workers compensation", "eva lisa", "eva reimer", "sammie", "montano mark", "death threats", "tulach", "hired hit men", "gay man", "gay porn", "concentra", "corruption", "palantir", "foundry", "grifter", "warning", "illegal", "apple", "contacted", "ransom", "dead", "denver" ], "references": [ "https://tamlegal.com/attorneys/christopher-p-ahmann/#breadcrumb \u2022 https://www.milehighmedia.com/en/movies", "https://www.milehighmedia.com/legal/2257 \u2022 https://www.milehighmedia", "www.milehighmedia.com \u2022 https://www.milehighmedia.com/en/Charlie-Dean/pornstar/49512", "https://www.milehighmedia.com/en/login/index/aHR0cHMlM0ElMkYlMkZtZW1iZXJzLm1pbGVoaWdobWVkaWEuY29tJTJGZW4lMkZ2aWRlb3MlMkZzd2VldGhlYXJ0dmlkZW8lM0ZhbHVwJTNEQURqeF9ITjhfd1oweU96UnpsU3NNNUZLaVVxSzBXNEN0X3NmTFpKTGVJc3M2b0RVUzkwVmp6VllNVko5eFpmdENYcFNKd3IzOTNaMG1mOEpXeVhVeVZpLTJZYVRsaGd3M25DSDRpYnRwZ25BRC1zUFhDQVUycjZJOXo2WWtRMzNVWVFhMFZyWC1YckxvcnRkVjJZdEgxSDYxZ1lhMTFNS3RZSkEzY3FlSXhFQzhtSlAzSk1tbloySURMQXlMZndPcHozSFFiTzF4T0FseXJIQ0xYem1ldFElMkE=\t \thttp://www.milehighmedia.com/?ats=eyJhIjoyOTYzMTgsImMiOjU3OTYzNz", "http://www.milehighmedia.com/legal\t \u2022 https://www.milehighmedia.com/en/pornstar/milehighmedia/Justin-Hunt/51017", "https://www.milehighmedia.com/de/MileHighMedia/scene/129689?utm_source=271174&utm_medium=affiliate&utm_campaign=", "http://www.milehighmedia.com/?ats=eyJhIjoyOTYzMTgsImMiOjU3OTYzNzc1LCJuIjo3NiwicyI6NT...", "ttps://www.milehighmedia.com/scene/4404473/creampie-adventures-scene-2-sneaky-melanie", "https://www.milehighmedia.com/join \u2022 https://www.milehighmedia.com/models \u2022 https://www.milehighmedia.com/movies", "https://www.milehighmedia.com/model/59136/avi-love \u2022https://www.milehighmedia.com/model/60418/Justin-Hunt \u2022", "https://www.milehighmedia.com/en/photo/milehighmedia/The-Mother-I-Cant-Resist/52380", "https://www.milehighmedia.com/en/movies \u2022 https://www.milehighmedia.com/join", "https://www.pornhub.com/gifs/search?search=tsara+lynn+brashears+lesbian", "pornhub-e.com \u2022 www.pornhub.com \u2022", "https://www.sweetheartvideo.com/tsara-brashears/ \u2022 www.sweetheartvideo.com", "https://www.sweetheartvideo.com/en/?s=1?s=1&utm_source=272160&utm_medium=affiliate&utm_campaign=lovelezzies", "https://www.sweetheartvideo.com/en/dvd/Lesbian-Massage/49895", "https://www.sweetheartvideo.com/en/dvds \u2022 https://www.sweetheartvideo.com/en/login", "https://www.sweetheartvideo.com/en/model/Mona-Wales/49601 \u2022 https://www.sweetheartvideo.com/en/scene/Truth-Dare--Boobs/130432 No Expiration\t0\t URL https://www.sweetheartvideo.com/it/model/Kristen-Scott/50432 \u2022 https://www.sweetheartvideo.com/model/63710/brandi-love", "https://www.sweetheartvideo.com/scenes?models=63710", "https://www.sweetheartvideo.com/model/63710/brandi-love", "https://www.sweetheartvideo.com/scenes?models=63710", "https://www.sweetheartvideo.com/it/model/Kristen-Scott/50432", "https://www.sweetheartvideo.com/en/scene/Truth-Dare--Boobs/130432", "https://www.milehighmedia.com/en/photo/milehighmedia/The-Mother-I-Cant-Resist/52380", "https://www.vgt.pl/font/roboto/Roboto-Bold.eot \u2022", "https://www.vgt.pl/94.152.152.233/images/logo.png", "https://www.vgt.pl/94.152.156.22/logo.png \u2022 https://www.vgt.pl/css/", "https://www.vgt.pl/favicon.ico", "https://www.vgt.pl/font/fa/fontawesome-webfont.eot", "https://www.vgt.pl/font/roboto/Roboto-Bold.ttf \u2022 https://www.vgt.pl/font/roboto/Roboto-Light.eot", "https://www.vgt.pl/font/roboto/Roboto-Medium.ttf", "https://www.vgt.pl/font/roboto/Roboto-Light.ttf \u2022", "https://www.vgt.pl/static/js/bootstrap-typeahead.jstic/js/bootstrap-typeahead.js", "https://www.vgt.pl/style/style.css \u2022 https://www.vgt.pl/font/roboto/Roboto-Medium.eot", "https://www.vgt.pl/font/roboto/Roboto-Regular.ttf \u2022 https://www.vgt.pl/font/roboto/Roboto-Thin.eot", "https://www.vgt.pl/static/js/bootstrap-typeahead.js.179.252.2", "https://www.vgt.pl/font/roboto/Roboto-Thin.ttf \u2022 https://www.vgt.pl/static/js/bootstrap-typeahead.js", "https://www.vgt.pl/font/roboto/Roboto-Regular.eot \u2022 https://www.vgt.pl/94.152.156.22/logo.png \u2022 https://www.vgt.pl/css/", "vgt.pl \u2022 www.hak.vgt.pl \u2022 www.localhost.vgt.pl \u2022 www.certyfikat.vgt.pl \u2022 aristocrat.vgt.pl", "https://www.vgt.pl/ phishing \u2022 https://vgt.pl/ \u2022www.vgt.pl \u2022 https://www.vgt.pl/94.152.152.233/images/logo.png", "http://www.pornokind.vgt.pl \u2022 https://dbkuewww.m.vgt.pl \u2022 https://lokalnyhost.vgt.pl \u2022 www.xn--twj-hna.pedofil.vgt.pl", "http://www.hak.vgt.pl \u2022 http://pornokind.vgt.pl \u2022 http://sip.vgt.pl \u2022 http://smtp-qa.vgt.pl \u2022 http://vgt.pl/*.", "https://pornokind.vgt.pl \u2022 https://sip.vgt.pl \u2022 https://smtp-qa.vgt.pl \u2022 https://www.vgt.pl/94.152.156.22/logo.png", "www.localhost.vgt.pl \u2022 www.certyfikat.vgt.pl \u2022 https://www.vgt.pl/94.152.152.233/images/logo.png", "https://www.vgt.pl/css/ \u2022 https://www.vgt.pl/favicon.ico \u2022 https://www.vgt.pl/font/fa/fontawesome-webfont.eot", "https://www.vgt.pl/font/roboto/Roboto-Bold.eot \u2022 https://www.vgt.pl/font/roboto/Roboto-Bold.ttf \u2022 https://www.vgt.pl/font/roboto/Roboto-Light.eot", "https://www.vgt.pl/static/js/bootstrap-typeahead.jstic/js/bootstrap-typeahead.js", "https://www.vgt.pl/style/style.css \u2022 https://www.vgt.pl/static/js/bootstrap-typeahead.js", "IP Address 94.152.58.192 Location Poland ASN AS29522 h88 s.a. Nameservers ns1.kei.pl. , ns2.kei.pl.", "www.happylifehappywife.com \u2022 http://www.happylifehappywife.com/2010/02/'>", "http://www.happylifehappywife.com/2010/04/'> \u2022 http://www.happylifehappywife.com/2010/05/'>", "http://www.happylifehappywife.com/2010/07/'> \u2022 http://www.happylifehappywife.com/2010/09/'>", "http://www.happylifehappywife.com/2011/06/'> \u2022 http://www.happylifehappywife.com/2011/08/'", "http://www.happylifehappywife.com/2011/08/'> \u2022 http://www.happylifehappywife.com/2012/07/'>", "http://www.happylifehappywife.com/2013/03/'> \u2022 http://www.happylifehappywife.com/index.php", "http://www.happylifehappywife.com/wp-content/themes/theme78222/images/top-right.jpg", "https://amp.mypornvid.fun/videos/8/AhxS-ej1myg/gf-18-com/\ud83c\udf81-i39m-your-present-\ud83c\udf81-girlfriend-surprises-you-for-christmas-reunion-soft-kisses-amp-cuddles", "8-25-220-162-static.reverse.queryfoundry.net\t\t\tNov 1, 2025, 9:34:14 AM\t\t5\t domain\tqueryfoundry.net\t\t\tNov 1, 2025, 9:34:14 AM\t\t8\t URL\thttp://117-114-251-162-static.reverse.queryfoundry.net/", "http://watchhers.net/index.php", "remotewd.com device local", "nr-data.net \u2022 applemusic-spotlight.myunidays.com \u2022 init.ess.apple.com \u2022 tv.apple.com", "https://browntubeporn.com/tsara-brashearsAccept-Language", "https://cg864.myhotzpic.com phishing \u2022 http://dashboard.myhotzpic.com/", "https://myhotzpic.com/tsara-brashears-hardcore-lesbian-sex/anime-studio.org*thumbs-fa...", "https://mypornvid.com/videos/27/x510fb2/white-dpt-jeffrey-reimer-loves-pretty-indian-patient-forces-sex-3gp-video-tsara-brashears/caillou-finger", "http://siteinlink.d1.cnbd.net/search/tsara-brashears-dead \u2022 http://siteinlink.d1.cnbd.net/site/maps.google.com.lb/", "http://siteinlink.d1.cnbd.net/search/tsara-brashears-assaulted-by-jeffrey-reimer", "http://siteinlink.d1.cnbd.net/search/tsara-brashears-dead \u2022 https://videolal.com/videos/tsara-brashears-dead-by-daylight.html", "http://pixelrz.com/lists/keywords/tsara-brashears-dead/360 \u2022 http://pixelrz.com/lists/keywords/tsara-brashears-dead/360] No Expiration\t4\t Domain tsara-brashears-deadspin-twitter-suspended-account-help.ht", "https://www.anyxxxtube.net/search-porn/tsara-brashears/", "https://www.pornhub.com/gifs/search?search=tsara+lynn+brashears+lesbian", "https://www.anyxxxtube.net/search-porn/tsara-brashears/", "https://twitter.com/PORNO_SEXYBABES \u2022 girlsdoporn.com", "Treece Alfrey Musat P.C. Attorneys at Law Christopher P. Ahmann | https://TamLegal.com", "https://urlscan.io/screenshots/e931bb02-80dc-46db-92f0-43d5afa258be.png" ], "public": 1, "adversary": "", "targeted_countries": [], "malware_families": [ { "id": "TrojanSpy:Win32/Nivdort", "display_name": "TrojanSpy:Win32/Nivdort", "target": "/malware/TrojanSpy:Win32/Nivdort" }, { "id": "Worm:Win32/Autorun", "display_name": "Worm:Win32/Autorun", "target": "/malware/Worm:Win32/Autorun" }, { "id": "Tofsee", "display_name": "Tofsee", "target": null }, { "id": "Jaik", "display_name": "Jaik", "target": null }, { "id": "Trojan:Win32/Qshell", "display_name": "Trojan:Win32/Qshell", "target": "/malware/Trojan:Win32/Qshell" }, { "id": "Trojan:Win32/Mydoom", "display_name": "Trojan:Win32/Mydoom", "target": "/malware/Trojan:Win32/Mydoom" } ], "attack_ids": [ { "id": "T1045", "name": "Software Packing", "display_name": "T1045 - Software Packing" }, { "id": "T1057", "name": "Process Discovery", "display_name": "T1057 - Process Discovery" }, { "id": "T1060", "name": "Registry Run Keys / Startup Folder", "display_name": "T1060 - Registry Run Keys / Startup Folder" }, { "id": "T1053", "name": "Scheduled Task/Job", "display_name": "T1053 - Scheduled Task/Job" }, { "id": "T1055", "name": "Process Injection", "display_name": "T1055 - Process Injection" }, { "id": "T1082", "name": "System Information Discovery", "display_name": "T1082 - System Information Discovery" }, { "id": "T1112", "name": "Modify Registry", "display_name": "T1112 - Modify Registry" }, { "id": "T1119", "name": "Automated Collection", "display_name": "T1119 - Automated Collection" }, { "id": "T1129", "name": "Shared Modules", "display_name": "T1129 - Shared Modules" }, { "id": "T1143", "name": "Hidden Window", "display_name": "T1143 - Hidden Window" }, { "id": "T1063", "name": "Security Software Discovery", "display_name": "T1063 - Security Software Discovery" }, { "id": "T1027", "name": "Obfuscated Files or Information", "display_name": "T1027 - Obfuscated Files or Information" }, { "id": "T1071", "name": "Application Layer Protocol", "display_name": "T1071 - Application Layer Protocol" }, { "id": "T1518", "name": "Software Discovery", "display_name": "T1518 - Software Discovery" }, { "id": "T1553", "name": "Subvert Trust Controls", "display_name": "T1553 - Subvert Trust Controls" }, { "id": "T1568", "name": "Dynamic Resolution", "display_name": "T1568 - Dynamic Resolution" }, { "id": "T1583", "name": "Acquire Infrastructure", "display_name": "T1583 - Acquire Infrastructure" }, { "id": "T1069", "name": "Permission Groups Discovery", "display_name": "T1069 - Permission Groups Discovery" }, { "id": "T1105", "name": "Ingress Tool Transfer", "display_name": "T1105 - Ingress Tool Transfer" }, { "id": "T1113", "name": "Screen Capture", "display_name": "T1113 - Screen Capture" }, { "id": "T1140", "name": "Deobfuscate/Decode Files or Information", "display_name": "T1140 - Deobfuscate/Decode Files or Information" }, { "id": "T1197", "name": "BITS Jobs", "display_name": "T1197 - BITS Jobs" }, { "id": "T1210", "name": "Exploitation of Remote Services", "display_name": "T1210 - Exploitation of Remote Services" }, { "id": "T1457", "name": "Malicious Media Content", "display_name": "T1457 - Malicious Media Content" }, { "id": "T1480", "name": "Execution Guardrails", "display_name": "T1480 - Execution Guardrails" }, { "id": "T1562", "name": "Impair Defenses", "display_name": "T1562 - Impair Defenses" }, { "id": "T1574", "name": "Hijack Execution Flow", "display_name": "T1574 - Hijack Execution Flow" } ], "industries": [], "TLP": "green", "cloned_from": "691f4d4ef0a2a570b8b21cd2", "export_count": 0, "upvotes_count": 0, "downvotes_count": 0, "votes_count": 0, "locked": false, "pulse_source": "web", "validator_count": 0, "comment_count": 0, "follower_count": 0, "vote": 0, "author": { "username": "msudosos", "id": "381696", "avatar_url": "https://otx.alienvault.com/assets/images/default-avatar.png", "is_subscribed": false, "is_following": false }, "indicator_type_counts": { "URL": 8897, "domain": 2102, "hostname": 2867, "FileHash-SHA256": 3886, "FileHash-MD5": 619, "FileHash-SHA1": 555, "CVE": 3, "email": 5, "SSLCertFingerprint": 8 }, "indicator_count": 18942, "is_author": false, "is_subscribing": null, "subscriber_count": 47, "modified_text": "36 days ago ", "is_modified": false, "groups": [], "in_group": false, "threat_hunter_scannable": true, "threat_hunter_has_agents": 1, "related_indicator_type": "domain", "related_indicator_is_active": 1 }, { "id": "69631fbd16e306ee2b76c4da", "name": "Chris P. Ahmann \u2022 STAY Away!f PRIVATE PROPERTY Colorado State Fixer!", "description": "", "modified": "2026-01-20T17:02:02.650000", "created": "2026-01-11T03:57:49.242000", "tags": [ "related pulses", "p1377925676", "gaz1", "sid1696503456", "sct1", "active", "dynamicloader", "medium", "write c", "search", "show", "high", "program gateway", "http traffic", "http", "write", "malware", "nivdort", "serving ip", "address", "status code", "kb body", "sha256", "gw5hjz7t975", "url https", "url http", "indicator role", "pulses url", "hostname", "poland unknown", "present sep", "present jul", "present may", "present apr", "present dec", "present jan", "moved", "passive dns", "ip address", "title", "location poland", "asn as29522", "gmt content", "accept encoding", "ipv4 add", "urls", "files", "reverse dns", "united", "record value", "aaaa", "mtb oct", "found", "error", "read c", "memcommit", "module load", "next", "showing", "trojan", "execution", "unknown", "entries", "ms windows", "intel", "as15169", "codeoverlap", "yara detections", "delphi", "worm", "win32", "win64", "learn", "ck id", "name tactics", "suspicious", "informative", "adversaries", "command", "spawns", "ssl certificate", "execution att", "script urls", "treece alfrey", "meta", "germany unknown", "for privacy", "title added", "active related", "pulses", "asnone", "named pipe", "type indicator", "role title", "added active", "filehashsha256", "ally", "melika", "information", "law christopher", "https", "fake pinterest", "tsara", "traceback man", "expiro", "capture", "domain", "types of", "germany", "poland", "netherlands", "cve cve20178977", "boobs130432 nov", "learn more", "filehashmd5", "utmsourceawin", "pe32", "head microsoft", "delete", "main", "backdoor", "next associated", "gmt connection", "control", "content type", "twitter", "certificate", "redirect date", "cache", "unknown ns", "hostname add", "ipv4", "pulse pulses", "location united", "america flag", "america asn", "windows", "total", "ids detections", "url add", "related nids", "files location", "flag united", "win32mydoom nov", "domain add", "yara rule", "ee fc", "ff d5", "f0 ff", "eb e1", "ff ff", "c1 e8", "c1 c0", "eb e8", "mpress", "cache control", "x cache", "date", "name servers", "arial", "present aug", "present jun", "may god", "hall render", "palantir doing", "jeffrey scott", "jeffrey reimer", "brian sabey", "butt pirates", "scott reimer", "colorado", "quasi government", "workers compensation", "eva lisa", "eva reimer", "sammie", "montano mark", "death threats", "tulach", "hired hit men", "gay man", "gay porn", "concentra", "corruption", "palantir", "foundry", "grifter", "warning", "illegal", "apple", "contacted", "ransom", "dead", "denver" ], "references": [ "https://tamlegal.com/attorneys/christopher-p-ahmann/#breadcrumb \u2022 https://www.milehighmedia.com/en/movies", "https://www.milehighmedia.com/legal/2257 \u2022 https://www.milehighmedia", "www.milehighmedia.com \u2022 https://www.milehighmedia.com/en/Charlie-Dean/pornstar/49512", "https://www.milehighmedia.com/en/login/index/aHR0cHMlM0ElMkYlMkZtZW1iZXJzLm1pbGVoaWdobWVkaWEuY29tJTJGZW4lMkZ2aWRlb3MlMkZzd2VldGhlYXJ0dmlkZW8lM0ZhbHVwJTNEQURqeF9ITjhfd1oweU96UnpsU3NNNUZLaVVxSzBXNEN0X3NmTFpKTGVJc3M2b0RVUzkwVmp6VllNVko5eFpmdENYcFNKd3IzOTNaMG1mOEpXeVhVeVZpLTJZYVRsaGd3M25DSDRpYnRwZ25BRC1zUFhDQVUycjZJOXo2WWtRMzNVWVFhMFZyWC1YckxvcnRkVjJZdEgxSDYxZ1lhMTFNS3RZSkEzY3FlSXhFQzhtSlAzSk1tbloySURMQXlMZndPcHozSFFiTzF4T0FseXJIQ0xYem1ldFElMkE=\t \thttp://www.milehighmedia.com/?ats=eyJhIjoyOTYzMTgsImMiOjU3OTYzNz", "http://www.milehighmedia.com/legal\t \u2022 https://www.milehighmedia.com/en/pornstar/milehighmedia/Justin-Hunt/51017", "https://www.milehighmedia.com/de/MileHighMedia/scene/129689?utm_source=271174&utm_medium=affiliate&utm_campaign=", "http://www.milehighmedia.com/?ats=eyJhIjoyOTYzMTgsImMiOjU3OTYzNzc1LCJuIjo3NiwicyI6NT...", "ttps://www.milehighmedia.com/scene/4404473/creampie-adventures-scene-2-sneaky-melanie", "https://www.milehighmedia.com/join \u2022 https://www.milehighmedia.com/models \u2022 https://www.milehighmedia.com/movies", "https://www.milehighmedia.com/model/59136/avi-love \u2022https://www.milehighmedia.com/model/60418/Justin-Hunt \u2022", "https://www.milehighmedia.com/en/photo/milehighmedia/The-Mother-I-Cant-Resist/52380", "https://www.milehighmedia.com/en/movies \u2022 https://www.milehighmedia.com/join", "https://www.pornhub.com/gifs/search?search=tsara+lynn+brashears+lesbian", "pornhub-e.com \u2022 www.pornhub.com \u2022", "https://www.sweetheartvideo.com/tsara-brashears/ \u2022 www.sweetheartvideo.com", "https://www.sweetheartvideo.com/en/?s=1?s=1&utm_source=272160&utm_medium=affiliate&utm_campaign=lovelezzies", "https://www.sweetheartvideo.com/en/dvd/Lesbian-Massage/49895", "https://www.sweetheartvideo.com/en/dvds \u2022 https://www.sweetheartvideo.com/en/login", "https://www.sweetheartvideo.com/en/model/Mona-Wales/49601 \u2022 https://www.sweetheartvideo.com/en/scene/Truth-Dare--Boobs/130432 No Expiration\t0\t URL https://www.sweetheartvideo.com/it/model/Kristen-Scott/50432 \u2022 https://www.sweetheartvideo.com/model/63710/brandi-love", "https://www.sweetheartvideo.com/scenes?models=63710", "https://www.sweetheartvideo.com/model/63710/brandi-love", "https://www.sweetheartvideo.com/scenes?models=63710", "https://www.sweetheartvideo.com/it/model/Kristen-Scott/50432", "https://www.sweetheartvideo.com/en/scene/Truth-Dare--Boobs/130432", "https://www.milehighmedia.com/en/photo/milehighmedia/The-Mother-I-Cant-Resist/52380", "https://www.vgt.pl/font/roboto/Roboto-Bold.eot \u2022", "https://www.vgt.pl/94.152.152.233/images/logo.png", "https://www.vgt.pl/94.152.156.22/logo.png \u2022 https://www.vgt.pl/css/", "https://www.vgt.pl/favicon.ico", "https://www.vgt.pl/font/fa/fontawesome-webfont.eot", "https://www.vgt.pl/font/roboto/Roboto-Bold.ttf \u2022 https://www.vgt.pl/font/roboto/Roboto-Light.eot", "https://www.vgt.pl/font/roboto/Roboto-Medium.ttf", "https://www.vgt.pl/font/roboto/Roboto-Light.ttf \u2022", "https://www.vgt.pl/static/js/bootstrap-typeahead.jstic/js/bootstrap-typeahead.js", "https://www.vgt.pl/style/style.css \u2022 https://www.vgt.pl/font/roboto/Roboto-Medium.eot", "https://www.vgt.pl/font/roboto/Roboto-Regular.ttf \u2022 https://www.vgt.pl/font/roboto/Roboto-Thin.eot", "https://www.vgt.pl/static/js/bootstrap-typeahead.js.179.252.2", "https://www.vgt.pl/font/roboto/Roboto-Thin.ttf \u2022 https://www.vgt.pl/static/js/bootstrap-typeahead.js", "https://www.vgt.pl/font/roboto/Roboto-Regular.eot \u2022 https://www.vgt.pl/94.152.156.22/logo.png \u2022 https://www.vgt.pl/css/", "vgt.pl \u2022 www.hak.vgt.pl \u2022 www.localhost.vgt.pl \u2022 www.certyfikat.vgt.pl \u2022 aristocrat.vgt.pl", "https://www.vgt.pl/ phishing \u2022 https://vgt.pl/ \u2022www.vgt.pl \u2022 https://www.vgt.pl/94.152.152.233/images/logo.png", "http://www.pornokind.vgt.pl \u2022 https://dbkuewww.m.vgt.pl \u2022 https://lokalnyhost.vgt.pl \u2022 www.xn--twj-hna.pedofil.vgt.pl", "http://www.hak.vgt.pl \u2022 http://pornokind.vgt.pl \u2022 http://sip.vgt.pl \u2022 http://smtp-qa.vgt.pl \u2022 http://vgt.pl/*.", "https://pornokind.vgt.pl \u2022 https://sip.vgt.pl \u2022 https://smtp-qa.vgt.pl \u2022 https://www.vgt.pl/94.152.156.22/logo.png", "www.localhost.vgt.pl \u2022 www.certyfikat.vgt.pl \u2022 https://www.vgt.pl/94.152.152.233/images/logo.png", "https://www.vgt.pl/css/ \u2022 https://www.vgt.pl/favicon.ico \u2022 https://www.vgt.pl/font/fa/fontawesome-webfont.eot", "https://www.vgt.pl/font/roboto/Roboto-Bold.eot \u2022 https://www.vgt.pl/font/roboto/Roboto-Bold.ttf \u2022 https://www.vgt.pl/font/roboto/Roboto-Light.eot", "https://www.vgt.pl/static/js/bootstrap-typeahead.jstic/js/bootstrap-typeahead.js", "https://www.vgt.pl/style/style.css \u2022 https://www.vgt.pl/static/js/bootstrap-typeahead.js", "IP Address 94.152.58.192 Location Poland ASN AS29522 h88 s.a. Nameservers ns1.kei.pl. , ns2.kei.pl.", "www.happylifehappywife.com \u2022 http://www.happylifehappywife.com/2010/02/'>", "http://www.happylifehappywife.com/2010/04/'> \u2022 http://www.happylifehappywife.com/2010/05/'>", "http://www.happylifehappywife.com/2010/07/'> \u2022 http://www.happylifehappywife.com/2010/09/'>", "http://www.happylifehappywife.com/2011/06/'> \u2022 http://www.happylifehappywife.com/2011/08/'", "http://www.happylifehappywife.com/2011/08/'> \u2022 http://www.happylifehappywife.com/2012/07/'>", "http://www.happylifehappywife.com/2013/03/'> \u2022 http://www.happylifehappywife.com/index.php", "http://www.happylifehappywife.com/wp-content/themes/theme78222/images/top-right.jpg", "https://amp.mypornvid.fun/videos/8/AhxS-ej1myg/gf-18-com/\ud83c\udf81-i39m-your-present-\ud83c\udf81-girlfriend-surprises-you-for-christmas-reunion-soft-kisses-amp-cuddles", "8-25-220-162-static.reverse.queryfoundry.net\t\t\tNov 1, 2025, 9:34:14 AM\t\t5\t domain\tqueryfoundry.net\t\t\tNov 1, 2025, 9:34:14 AM\t\t8\t URL\thttp://117-114-251-162-static.reverse.queryfoundry.net/", "http://watchhers.net/index.php", "remotewd.com device local", "nr-data.net \u2022 applemusic-spotlight.myunidays.com \u2022 init.ess.apple.com \u2022 tv.apple.com", "https://browntubeporn.com/tsara-brashearsAccept-Language", "https://cg864.myhotzpic.com phishing \u2022 http://dashboard.myhotzpic.com/", "https://myhotzpic.com/tsara-brashears-hardcore-lesbian-sex/anime-studio.org*thumbs-fa...", "https://mypornvid.com/videos/27/x510fb2/white-dpt-jeffrey-reimer-loves-pretty-indian-patient-forces-sex-3gp-video-tsara-brashears/caillou-finger", "http://siteinlink.d1.cnbd.net/search/tsara-brashears-dead \u2022 http://siteinlink.d1.cnbd.net/site/maps.google.com.lb/", "http://siteinlink.d1.cnbd.net/search/tsara-brashears-assaulted-by-jeffrey-reimer", "http://siteinlink.d1.cnbd.net/search/tsara-brashears-dead \u2022 https://videolal.com/videos/tsara-brashears-dead-by-daylight.html", "http://pixelrz.com/lists/keywords/tsara-brashears-dead/360 \u2022 http://pixelrz.com/lists/keywords/tsara-brashears-dead/360] No Expiration\t4\t Domain tsara-brashears-deadspin-twitter-suspended-account-help.ht", "https://www.anyxxxtube.net/search-porn/tsara-brashears/", "https://www.pornhub.com/gifs/search?search=tsara+lynn+brashears+lesbian", "https://www.anyxxxtube.net/search-porn/tsara-brashears/", "https://twitter.com/PORNO_SEXYBABES \u2022 girlsdoporn.com", "Treece Alfrey Musat P.C. Attorneys at Law Christopher P. Ahmann | https://TamLegal.com", "https://urlscan.io/screenshots/e931bb02-80dc-46db-92f0-43d5afa258be.png" ], "public": 1, "adversary": "", "targeted_countries": [], "malware_families": [ { "id": "TrojanSpy:Win32/Nivdort", "display_name": "TrojanSpy:Win32/Nivdort", "target": "/malware/TrojanSpy:Win32/Nivdort" }, { "id": "Worm:Win32/Autorun", "display_name": "Worm:Win32/Autorun", "target": "/malware/Worm:Win32/Autorun" }, { "id": "Tofsee", "display_name": "Tofsee", "target": null }, { "id": "Jaik", "display_name": "Jaik", "target": null }, { "id": "Trojan:Win32/Qshell", "display_name": "Trojan:Win32/Qshell", "target": "/malware/Trojan:Win32/Qshell" }, { "id": "Trojan:Win32/Mydoom", "display_name": "Trojan:Win32/Mydoom", "target": "/malware/Trojan:Win32/Mydoom" } ], "attack_ids": [ { "id": "T1045", "name": "Software Packing", "display_name": "T1045 - Software Packing" }, { "id": "T1057", "name": "Process Discovery", "display_name": "T1057 - Process Discovery" }, { "id": "T1060", "name": "Registry Run Keys / Startup Folder", "display_name": "T1060 - Registry Run Keys / Startup Folder" }, { "id": "T1053", "name": "Scheduled Task/Job", "display_name": "T1053 - Scheduled Task/Job" }, { "id": "T1055", "name": "Process Injection", "display_name": "T1055 - Process Injection" }, { "id": "T1082", "name": "System Information Discovery", "display_name": "T1082 - System Information Discovery" }, { "id": "T1112", "name": "Modify Registry", "display_name": "T1112 - Modify Registry" }, { "id": "T1119", "name": "Automated Collection", "display_name": "T1119 - Automated Collection" }, { "id": "T1129", "name": "Shared Modules", "display_name": "T1129 - Shared Modules" }, { "id": "T1143", "name": "Hidden Window", "display_name": "T1143 - Hidden Window" }, { "id": "T1063", "name": "Security Software Discovery", "display_name": "T1063 - Security Software Discovery" }, { "id": "T1027", "name": "Obfuscated Files or Information", "display_name": "T1027 - Obfuscated Files or Information" }, { "id": "T1071", "name": "Application Layer Protocol", "display_name": "T1071 - Application Layer Protocol" }, { "id": "T1518", "name": "Software Discovery", "display_name": "T1518 - Software Discovery" }, { "id": "T1553", "name": "Subvert Trust Controls", "display_name": "T1553 - Subvert Trust Controls" }, { "id": "T1568", "name": "Dynamic Resolution", "display_name": "T1568 - Dynamic Resolution" }, { "id": "T1583", "name": "Acquire Infrastructure", "display_name": "T1583 - Acquire Infrastructure" }, { "id": "T1069", "name": "Permission Groups Discovery", "display_name": "T1069 - Permission Groups Discovery" }, { "id": "T1105", "name": "Ingress Tool Transfer", "display_name": "T1105 - Ingress Tool Transfer" }, { "id": "T1113", "name": "Screen Capture", "display_name": "T1113 - Screen Capture" }, { "id": "T1140", "name": "Deobfuscate/Decode Files or Information", "display_name": "T1140 - Deobfuscate/Decode Files or Information" }, { "id": "T1197", "name": "BITS Jobs", "display_name": "T1197 - BITS Jobs" }, { "id": "T1210", "name": "Exploitation of Remote Services", "display_name": "T1210 - Exploitation of Remote Services" }, { "id": "T1457", "name": "Malicious Media Content", "display_name": "T1457 - Malicious Media Content" }, { "id": "T1480", "name": "Execution Guardrails", "display_name": "T1480 - Execution Guardrails" }, { "id": "T1562", "name": "Impair Defenses", "display_name": "T1562 - Impair Defenses" }, { "id": "T1574", "name": "Hijack Execution Flow", "display_name": "T1574 - Hijack Execution Flow" } ], "industries": [], "TLP": "green", "cloned_from": "695557ee134b978b00883c29", "export_count": 1, "upvotes_count": 0, "downvotes_count": 0, "votes_count": 0, "locked": false, "pulse_source": "web", "validator_count": 0, "comment_count": 0, "follower_count": 0, "vote": 0, "author": { "username": "Q.Vashti", "id": "337942", "avatar_url": "https://otx.alienvault.com/assets/images/default-avatar.png", "is_subscribed": false, "is_following": false }, "indicator_type_counts": { "URL": 8897, "domain": 2102, "hostname": 2867, "FileHash-SHA256": 3886, "FileHash-MD5": 619, "FileHash-SHA1": 555, "CVE": 3, "email": 5, "SSLCertFingerprint": 8 }, "indicator_count": 18942, "is_author": false, "is_subscribing": null, "subscriber_count": 137, "modified_text": "88 days ago ", "is_modified": true, "groups": [], "in_group": false, "threat_hunter_scannable": true, "threat_hunter_has_agents": 1, "related_indicator_type": "domain", "related_indicator_is_active": 1 }, { "id": "695557ee134b978b00883c29", "name": "Chris P. Ahmann \u2022 Stay out of PRIVATE PROPERTY HITMAN! Colorado State", "description": "", "modified": "2026-01-20T17:02:02.650000", "created": "2025-12-31T17:05:50.134000", "tags": [ "related pulses", "p1377925676", "gaz1", "sid1696503456", "sct1", "active", "dynamicloader", "medium", "write c", "search", "show", "high", "program gateway", "http traffic", "http", "write", "malware", "nivdort", "serving ip", "address", "status code", "kb body", "sha256", "gw5hjz7t975", "url https", "url http", "indicator role", "pulses url", "hostname", "poland unknown", "present sep", "present jul", "present may", "present apr", "present dec", "present jan", "moved", "passive dns", "ip address", "title", "location poland", "asn as29522", "gmt content", "accept encoding", "ipv4 add", "urls", "files", "reverse dns", "united", "record value", "aaaa", "mtb oct", "found", "error", "read c", "memcommit", "module load", "next", "showing", "trojan", "execution", "unknown", "entries", "ms windows", "intel", "as15169", "codeoverlap", "yara detections", "delphi", "worm", "win32", "win64", "learn", "ck id", "name tactics", "suspicious", "informative", "adversaries", "command", "spawns", "ssl certificate", "execution att", "script urls", "treece alfrey", "meta", "germany unknown", "for privacy", "title added", "active related", "pulses", "asnone", "named pipe", "type indicator", "role title", "added active", "filehashsha256", "ally", "melika", "information", "law christopher", "https", "fake pinterest", "tsara", "traceback man", "expiro", "capture", "domain", "types of", "germany", "poland", "netherlands", "cve cve20178977", "boobs130432 nov", "learn more", "filehashmd5", "utmsourceawin", "pe32", "head microsoft", "delete", "main", "backdoor", "next associated", "gmt connection", "control", "content type", "twitter", "certificate", "redirect date", "cache", "unknown ns", "hostname add", "ipv4", "pulse pulses", "location united", "america flag", "america asn", "windows", "total", "ids detections", "url add", "related nids", "files location", "flag united", "win32mydoom nov", "domain add", "yara rule", "ee fc", "ff d5", "f0 ff", "eb e1", "ff ff", "c1 e8", "c1 c0", "eb e8", "mpress", "cache control", "x cache", "date", "name servers", "arial", "present aug", "present jun", "may god", "hall render", "palantir doing", "jeffrey scott", "jeffrey reimer", "brian sabey", "butt pirates", "scott reimer", "colorado", "quasi government", "workers compensation", "eva lisa", "eva reimer", "sammie", "montano mark", "death threats", "tulach", "hired hit men", "gay man", "gay porn", "concentra", "corruption", "palantir", "foundry", "grifter", "warning", "illegal", "apple", "contacted", "ransom", "dead", "denver" ], "references": [ "https://tamlegal.com/attorneys/christopher-p-ahmann/#breadcrumb \u2022 https://www.milehighmedia.com/en/movies", "https://www.milehighmedia.com/legal/2257 \u2022 https://www.milehighmedia", "www.milehighmedia.com \u2022 https://www.milehighmedia.com/en/Charlie-Dean/pornstar/49512", "https://www.milehighmedia.com/en/login/index/aHR0cHMlM0ElMkYlMkZtZW1iZXJzLm1pbGVoaWdobWVkaWEuY29tJTJGZW4lMkZ2aWRlb3MlMkZzd2VldGhlYXJ0dmlkZW8lM0ZhbHVwJTNEQURqeF9ITjhfd1oweU96UnpsU3NNNUZLaVVxSzBXNEN0X3NmTFpKTGVJc3M2b0RVUzkwVmp6VllNVko5eFpmdENYcFNKd3IzOTNaMG1mOEpXeVhVeVZpLTJZYVRsaGd3M25DSDRpYnRwZ25BRC1zUFhDQVUycjZJOXo2WWtRMzNVWVFhMFZyWC1YckxvcnRkVjJZdEgxSDYxZ1lhMTFNS3RZSkEzY3FlSXhFQzhtSlAzSk1tbloySURMQXlMZndPcHozSFFiTzF4T0FseXJIQ0xYem1ldFElMkE=\t \thttp://www.milehighmedia.com/?ats=eyJhIjoyOTYzMTgsImMiOjU3OTYzNz", "http://www.milehighmedia.com/legal\t \u2022 https://www.milehighmedia.com/en/pornstar/milehighmedia/Justin-Hunt/51017", "https://www.milehighmedia.com/de/MileHighMedia/scene/129689?utm_source=271174&utm_medium=affiliate&utm_campaign=", "http://www.milehighmedia.com/?ats=eyJhIjoyOTYzMTgsImMiOjU3OTYzNzc1LCJuIjo3NiwicyI6NT...", "ttps://www.milehighmedia.com/scene/4404473/creampie-adventures-scene-2-sneaky-melanie", "https://www.milehighmedia.com/join \u2022 https://www.milehighmedia.com/models \u2022 https://www.milehighmedia.com/movies", "https://www.milehighmedia.com/model/59136/avi-love \u2022https://www.milehighmedia.com/model/60418/Justin-Hunt \u2022", "https://www.milehighmedia.com/en/photo/milehighmedia/The-Mother-I-Cant-Resist/52380", "https://www.milehighmedia.com/en/movies \u2022 https://www.milehighmedia.com/join", "https://www.pornhub.com/gifs/search?search=tsara+lynn+brashears+lesbian", "pornhub-e.com \u2022 www.pornhub.com \u2022", "https://www.sweetheartvideo.com/tsara-brashears/ \u2022 www.sweetheartvideo.com", "https://www.sweetheartvideo.com/en/?s=1?s=1&utm_source=272160&utm_medium=affiliate&utm_campaign=lovelezzies", "https://www.sweetheartvideo.com/en/dvd/Lesbian-Massage/49895", "https://www.sweetheartvideo.com/en/dvds \u2022 https://www.sweetheartvideo.com/en/login", "https://www.sweetheartvideo.com/en/model/Mona-Wales/49601 \u2022 https://www.sweetheartvideo.com/en/scene/Truth-Dare--Boobs/130432 No Expiration\t0\t URL https://www.sweetheartvideo.com/it/model/Kristen-Scott/50432 \u2022 https://www.sweetheartvideo.com/model/63710/brandi-love", "https://www.sweetheartvideo.com/scenes?models=63710", "https://www.sweetheartvideo.com/model/63710/brandi-love", "https://www.sweetheartvideo.com/scenes?models=63710", "https://www.sweetheartvideo.com/it/model/Kristen-Scott/50432", "https://www.sweetheartvideo.com/en/scene/Truth-Dare--Boobs/130432", "https://www.milehighmedia.com/en/photo/milehighmedia/The-Mother-I-Cant-Resist/52380", "https://www.vgt.pl/font/roboto/Roboto-Bold.eot \u2022", "https://www.vgt.pl/94.152.152.233/images/logo.png", "https://www.vgt.pl/94.152.156.22/logo.png \u2022 https://www.vgt.pl/css/", "https://www.vgt.pl/favicon.ico", "https://www.vgt.pl/font/fa/fontawesome-webfont.eot", "https://www.vgt.pl/font/roboto/Roboto-Bold.ttf \u2022 https://www.vgt.pl/font/roboto/Roboto-Light.eot", "https://www.vgt.pl/font/roboto/Roboto-Medium.ttf", "https://www.vgt.pl/font/roboto/Roboto-Light.ttf \u2022", "https://www.vgt.pl/static/js/bootstrap-typeahead.jstic/js/bootstrap-typeahead.js", "https://www.vgt.pl/style/style.css \u2022 https://www.vgt.pl/font/roboto/Roboto-Medium.eot", "https://www.vgt.pl/font/roboto/Roboto-Regular.ttf \u2022 https://www.vgt.pl/font/roboto/Roboto-Thin.eot", "https://www.vgt.pl/static/js/bootstrap-typeahead.js.179.252.2", "https://www.vgt.pl/font/roboto/Roboto-Thin.ttf \u2022 https://www.vgt.pl/static/js/bootstrap-typeahead.js", "https://www.vgt.pl/font/roboto/Roboto-Regular.eot \u2022 https://www.vgt.pl/94.152.156.22/logo.png \u2022 https://www.vgt.pl/css/", "vgt.pl \u2022 www.hak.vgt.pl \u2022 www.localhost.vgt.pl \u2022 www.certyfikat.vgt.pl \u2022 aristocrat.vgt.pl", "https://www.vgt.pl/ phishing \u2022 https://vgt.pl/ \u2022www.vgt.pl \u2022 https://www.vgt.pl/94.152.152.233/images/logo.png", "http://www.pornokind.vgt.pl \u2022 https://dbkuewww.m.vgt.pl \u2022 https://lokalnyhost.vgt.pl \u2022 www.xn--twj-hna.pedofil.vgt.pl", "http://www.hak.vgt.pl \u2022 http://pornokind.vgt.pl \u2022 http://sip.vgt.pl \u2022 http://smtp-qa.vgt.pl \u2022 http://vgt.pl/*.", "https://pornokind.vgt.pl \u2022 https://sip.vgt.pl \u2022 https://smtp-qa.vgt.pl \u2022 https://www.vgt.pl/94.152.156.22/logo.png", "www.localhost.vgt.pl \u2022 www.certyfikat.vgt.pl \u2022 https://www.vgt.pl/94.152.152.233/images/logo.png", "https://www.vgt.pl/css/ \u2022 https://www.vgt.pl/favicon.ico \u2022 https://www.vgt.pl/font/fa/fontawesome-webfont.eot", "https://www.vgt.pl/font/roboto/Roboto-Bold.eot \u2022 https://www.vgt.pl/font/roboto/Roboto-Bold.ttf \u2022 https://www.vgt.pl/font/roboto/Roboto-Light.eot", "https://www.vgt.pl/static/js/bootstrap-typeahead.jstic/js/bootstrap-typeahead.js", "https://www.vgt.pl/style/style.css \u2022 https://www.vgt.pl/static/js/bootstrap-typeahead.js", "IP Address 94.152.58.192 Location Poland ASN AS29522 h88 s.a. Nameservers ns1.kei.pl. , ns2.kei.pl.", "www.happylifehappywife.com \u2022 http://www.happylifehappywife.com/2010/02/'>", "http://www.happylifehappywife.com/2010/04/'> \u2022 http://www.happylifehappywife.com/2010/05/'>", "http://www.happylifehappywife.com/2010/07/'> \u2022 http://www.happylifehappywife.com/2010/09/'>", "http://www.happylifehappywife.com/2011/06/'> \u2022 http://www.happylifehappywife.com/2011/08/'", "http://www.happylifehappywife.com/2011/08/'> \u2022 http://www.happylifehappywife.com/2012/07/'>", "http://www.happylifehappywife.com/2013/03/'> \u2022 http://www.happylifehappywife.com/index.php", "http://www.happylifehappywife.com/wp-content/themes/theme78222/images/top-right.jpg", "https://amp.mypornvid.fun/videos/8/AhxS-ej1myg/gf-18-com/\ud83c\udf81-i39m-your-present-\ud83c\udf81-girlfriend-surprises-you-for-christmas-reunion-soft-kisses-amp-cuddles", "8-25-220-162-static.reverse.queryfoundry.net\t\t\tNov 1, 2025, 9:34:14 AM\t\t5\t domain\tqueryfoundry.net\t\t\tNov 1, 2025, 9:34:14 AM\t\t8\t URL\thttp://117-114-251-162-static.reverse.queryfoundry.net/", "http://watchhers.net/index.php", "remotewd.com device local", "nr-data.net \u2022 applemusic-spotlight.myunidays.com \u2022 init.ess.apple.com \u2022 tv.apple.com", "https://browntubeporn.com/tsara-brashearsAccept-Language", "https://cg864.myhotzpic.com phishing \u2022 http://dashboard.myhotzpic.com/", "https://myhotzpic.com/tsara-brashears-hardcore-lesbian-sex/anime-studio.org*thumbs-fa...", "https://mypornvid.com/videos/27/x510fb2/white-dpt-jeffrey-reimer-loves-pretty-indian-patient-forces-sex-3gp-video-tsara-brashears/caillou-finger", "http://siteinlink.d1.cnbd.net/search/tsara-brashears-dead \u2022 http://siteinlink.d1.cnbd.net/site/maps.google.com.lb/", "http://siteinlink.d1.cnbd.net/search/tsara-brashears-assaulted-by-jeffrey-reimer", "http://siteinlink.d1.cnbd.net/search/tsara-brashears-dead \u2022 https://videolal.com/videos/tsara-brashears-dead-by-daylight.html", "http://pixelrz.com/lists/keywords/tsara-brashears-dead/360 \u2022 http://pixelrz.com/lists/keywords/tsara-brashears-dead/360] No Expiration\t4\t Domain tsara-brashears-deadspin-twitter-suspended-account-help.ht", "https://www.anyxxxtube.net/search-porn/tsara-brashears/", "https://www.pornhub.com/gifs/search?search=tsara+lynn+brashears+lesbian", "https://www.anyxxxtube.net/search-porn/tsara-brashears/", "https://twitter.com/PORNO_SEXYBABES \u2022 girlsdoporn.com", "Treece Alfrey Musat P.C. Attorneys at Law Christopher P. Ahmann | https://TamLegal.com", "https://urlscan.io/screenshots/e931bb02-80dc-46db-92f0-43d5afa258be.png" ], "public": 1, "adversary": "", "targeted_countries": [], "malware_families": [ { "id": "TrojanSpy:Win32/Nivdort", "display_name": "TrojanSpy:Win32/Nivdort", "target": "/malware/TrojanSpy:Win32/Nivdort" }, { "id": "Worm:Win32/Autorun", "display_name": "Worm:Win32/Autorun", "target": "/malware/Worm:Win32/Autorun" }, { "id": "Tofsee", "display_name": "Tofsee", "target": null }, { "id": "Jaik", "display_name": "Jaik", "target": null }, { "id": "Trojan:Win32/Qshell", "display_name": "Trojan:Win32/Qshell", "target": "/malware/Trojan:Win32/Qshell" }, { "id": "Trojan:Win32/Mydoom", "display_name": "Trojan:Win32/Mydoom", "target": "/malware/Trojan:Win32/Mydoom" } ], "attack_ids": [ { "id": "T1045", "name": "Software Packing", "display_name": "T1045 - Software Packing" }, { "id": "T1057", "name": "Process Discovery", "display_name": "T1057 - Process Discovery" }, { "id": "T1060", "name": "Registry Run Keys / Startup Folder", "display_name": "T1060 - Registry Run Keys / Startup Folder" }, { "id": "T1053", "name": "Scheduled Task/Job", "display_name": "T1053 - Scheduled Task/Job" }, { "id": "T1055", "name": "Process Injection", "display_name": "T1055 - Process Injection" }, { "id": "T1082", "name": "System Information Discovery", "display_name": "T1082 - System Information Discovery" }, { "id": "T1112", "name": "Modify Registry", "display_name": "T1112 - Modify Registry" }, { "id": "T1119", "name": "Automated Collection", "display_name": "T1119 - Automated Collection" }, { "id": "T1129", "name": "Shared Modules", "display_name": "T1129 - Shared Modules" }, { "id": "T1143", "name": "Hidden Window", "display_name": "T1143 - Hidden Window" }, { "id": "T1063", "name": "Security Software Discovery", "display_name": "T1063 - Security Software Discovery" }, { "id": "T1027", "name": "Obfuscated Files or Information", "display_name": "T1027 - Obfuscated Files or Information" }, { "id": "T1071", "name": "Application Layer Protocol", "display_name": "T1071 - Application Layer Protocol" }, { "id": "T1518", "name": "Software Discovery", "display_name": "T1518 - Software Discovery" }, { "id": "T1553", "name": "Subvert Trust Controls", "display_name": "T1553 - Subvert Trust Controls" }, { "id": "T1568", "name": "Dynamic Resolution", "display_name": "T1568 - Dynamic Resolution" }, { "id": "T1583", "name": "Acquire Infrastructure", "display_name": "T1583 - Acquire Infrastructure" }, { "id": "T1069", "name": "Permission Groups Discovery", "display_name": "T1069 - Permission Groups Discovery" }, { "id": "T1105", "name": "Ingress Tool Transfer", "display_name": "T1105 - Ingress Tool Transfer" }, { "id": "T1113", "name": "Screen Capture", "display_name": "T1113 - Screen Capture" }, { "id": "T1140", "name": "Deobfuscate/Decode Files or Information", "display_name": "T1140 - Deobfuscate/Decode Files or Information" }, { "id": "T1197", "name": "BITS Jobs", "display_name": "T1197 - BITS Jobs" }, { "id": "T1210", "name": "Exploitation of Remote Services", "display_name": "T1210 - Exploitation of Remote Services" }, { "id": "T1457", "name": "Malicious Media Content", "display_name": "T1457 - Malicious Media Content" }, { "id": "T1480", "name": "Execution Guardrails", "display_name": "T1480 - Execution Guardrails" }, { "id": "T1562", "name": "Impair Defenses", "display_name": "T1562 - Impair Defenses" }, { "id": "T1574", "name": "Hijack Execution Flow", "display_name": "T1574 - Hijack Execution Flow" } ], "industries": [], "TLP": "green", "cloned_from": "691f4d4ef0a2a570b8b21cd2", "export_count": 2, "upvotes_count": 0, "downvotes_count": 0, "votes_count": 0, "locked": false, "pulse_source": "web", "validator_count": 0, "comment_count": 0, "follower_count": 0, "vote": 0, "author": { "username": "Q.Vashti", "id": "337942", "avatar_url": "https://otx.alienvault.com/assets/images/default-avatar.png", "is_subscribed": false, "is_following": false }, "indicator_type_counts": { "URL": 8897, "domain": 2102, "hostname": 2867, "FileHash-SHA256": 3886, "FileHash-MD5": 619, "FileHash-SHA1": 555, "CVE": 3, "email": 5, "SSLCertFingerprint": 8 }, "indicator_count": 18942, "is_author": false, "is_subscribing": null, "subscriber_count": 137, "modified_text": "88 days ago ", "is_modified": true, "groups": [], "in_group": false, "threat_hunter_scannable": true, "threat_hunter_has_agents": 1, "related_indicator_type": "domain", "related_indicator_is_active": 1 }, { "id": "69482caa00d327da8f0a87bc", "name": "Chris P.\u2019 Buzz\u2019 Ahmann Colorado State Criminal Defense Attorney (22.20.2025)", "description": "", "modified": "2026-01-20T17:02:02.650000", "created": "2025-12-21T17:21:46.434000", "tags": [ "related pulses", "p1377925676", "gaz1", "sid1696503456", "sct1", "active", "dynamicloader", "medium", "write c", "search", "show", "high", "program gateway", "http traffic", "http", "write", "malware", "nivdort", "serving ip", "address", "status code", "kb body", "sha256", "gw5hjz7t975", "url https", "url http", "indicator role", "pulses url", "hostname", "poland unknown", "present sep", "present jul", "present may", "present apr", "present dec", "present jan", "moved", "passive dns", "ip address", "title", "location poland", "asn as29522", "gmt content", "accept encoding", "ipv4 add", "urls", "files", "reverse dns", "united", "record value", "aaaa", "mtb oct", "found", "error", "read c", "memcommit", "module load", "next", "showing", "trojan", "execution", "unknown", "entries", "ms windows", "intel", "as15169", "codeoverlap", "yara detections", "delphi", "worm", "win32", "win64", "learn", "ck id", "name tactics", "suspicious", "informative", "adversaries", "command", "spawns", "ssl certificate", "execution att", "script urls", "treece alfrey", "meta", "germany unknown", "for privacy", "title added", "active related", "pulses", "asnone", "named pipe", "type indicator", "role title", "added active", "filehashsha256", "ally", "melika", "information", "law christopher", "https", "fake pinterest", "tsara", "traceback man", "expiro", "capture", "domain", "types of", "germany", "poland", "netherlands", "cve cve20178977", "boobs130432 nov", "learn more", "filehashmd5", "utmsourceawin", "pe32", "head microsoft", "delete", "main", "backdoor", "next associated", "gmt connection", "control", "content type", "twitter", "certificate", "redirect date", "cache", "unknown ns", "hostname add", "ipv4", "pulse pulses", "location united", "america flag", "america asn", "windows", "total", "ids detections", "url add", "related nids", "files location", "flag united", "win32mydoom nov", "domain add", "yara rule", "ee fc", "ff d5", "f0 ff", "eb e1", "ff ff", "c1 e8", "c1 c0", "eb e8", "mpress", "cache control", "x cache", "date", "name servers", "arial", "present aug", "present jun", "may god", "hall render", "palantir doing", "jeffrey scott", "jeffrey reimer", "brian sabey", "butt pirates", "scott reimer", "colorado", "quasi government", "workers compensation", "eva lisa", "eva reimer", "sammie", "montano mark", "death threats", "tulach", "hired hit men", "gay man", "gay porn", "concentra", "corruption", "palantir", "foundry", "grifter", "warning", "illegal", "apple", "contacted", "ransom", "dead", "denver" ], "references": [ "https://tamlegal.com/attorneys/christopher-p-ahmann/#breadcrumb \u2022 https://www.milehighmedia.com/en/movies", "https://www.milehighmedia.com/legal/2257 \u2022 https://www.milehighmedia", "www.milehighmedia.com \u2022 https://www.milehighmedia.com/en/Charlie-Dean/pornstar/49512", "https://www.milehighmedia.com/en/login/index/aHR0cHMlM0ElMkYlMkZtZW1iZXJzLm1pbGVoaWdobWVkaWEuY29tJTJGZW4lMkZ2aWRlb3MlMkZzd2VldGhlYXJ0dmlkZW8lM0ZhbHVwJTNEQURqeF9ITjhfd1oweU96UnpsU3NNNUZLaVVxSzBXNEN0X3NmTFpKTGVJc3M2b0RVUzkwVmp6VllNVko5eFpmdENYcFNKd3IzOTNaMG1mOEpXeVhVeVZpLTJZYVRsaGd3M25DSDRpYnRwZ25BRC1zUFhDQVUycjZJOXo2WWtRMzNVWVFhMFZyWC1YckxvcnRkVjJZdEgxSDYxZ1lhMTFNS3RZSkEzY3FlSXhFQzhtSlAzSk1tbloySURMQXlMZndPcHozSFFiTzF4T0FseXJIQ0xYem1ldFElMkE=\t \thttp://www.milehighmedia.com/?ats=eyJhIjoyOTYzMTgsImMiOjU3OTYzNz", "http://www.milehighmedia.com/legal\t \u2022 https://www.milehighmedia.com/en/pornstar/milehighmedia/Justin-Hunt/51017", "https://www.milehighmedia.com/de/MileHighMedia/scene/129689?utm_source=271174&utm_medium=affiliate&utm_campaign=", "http://www.milehighmedia.com/?ats=eyJhIjoyOTYzMTgsImMiOjU3OTYzNzc1LCJuIjo3NiwicyI6NT...", "ttps://www.milehighmedia.com/scene/4404473/creampie-adventures-scene-2-sneaky-melanie", "https://www.milehighmedia.com/join \u2022 https://www.milehighmedia.com/models \u2022 https://www.milehighmedia.com/movies", "https://www.milehighmedia.com/model/59136/avi-love \u2022https://www.milehighmedia.com/model/60418/Justin-Hunt \u2022", "https://www.milehighmedia.com/en/photo/milehighmedia/The-Mother-I-Cant-Resist/52380", "https://www.milehighmedia.com/en/movies \u2022 https://www.milehighmedia.com/join", "https://www.pornhub.com/gifs/search?search=tsara+lynn+brashears+lesbian", "pornhub-e.com \u2022 www.pornhub.com \u2022", "https://www.sweetheartvideo.com/tsara-brashears/ \u2022 www.sweetheartvideo.com", "https://www.sweetheartvideo.com/en/?s=1?s=1&utm_source=272160&utm_medium=affiliate&utm_campaign=lovelezzies", "https://www.sweetheartvideo.com/en/dvd/Lesbian-Massage/49895", "https://www.sweetheartvideo.com/en/dvds \u2022 https://www.sweetheartvideo.com/en/login", "https://www.sweetheartvideo.com/en/model/Mona-Wales/49601 \u2022 https://www.sweetheartvideo.com/en/scene/Truth-Dare--Boobs/130432 No Expiration\t0\t URL https://www.sweetheartvideo.com/it/model/Kristen-Scott/50432 \u2022 https://www.sweetheartvideo.com/model/63710/brandi-love", "https://www.sweetheartvideo.com/scenes?models=63710", "https://www.sweetheartvideo.com/model/63710/brandi-love", "https://www.sweetheartvideo.com/scenes?models=63710", "https://www.sweetheartvideo.com/it/model/Kristen-Scott/50432", "https://www.sweetheartvideo.com/en/scene/Truth-Dare--Boobs/130432", "https://www.milehighmedia.com/en/photo/milehighmedia/The-Mother-I-Cant-Resist/52380", "https://www.vgt.pl/font/roboto/Roboto-Bold.eot \u2022", "https://www.vgt.pl/94.152.152.233/images/logo.png", "https://www.vgt.pl/94.152.156.22/logo.png \u2022 https://www.vgt.pl/css/", "https://www.vgt.pl/favicon.ico", "https://www.vgt.pl/font/fa/fontawesome-webfont.eot", "https://www.vgt.pl/font/roboto/Roboto-Bold.ttf \u2022 https://www.vgt.pl/font/roboto/Roboto-Light.eot", "https://www.vgt.pl/font/roboto/Roboto-Medium.ttf", "https://www.vgt.pl/font/roboto/Roboto-Light.ttf \u2022", "https://www.vgt.pl/static/js/bootstrap-typeahead.jstic/js/bootstrap-typeahead.js", "https://www.vgt.pl/style/style.css \u2022 https://www.vgt.pl/font/roboto/Roboto-Medium.eot", "https://www.vgt.pl/font/roboto/Roboto-Regular.ttf \u2022 https://www.vgt.pl/font/roboto/Roboto-Thin.eot", "https://www.vgt.pl/static/js/bootstrap-typeahead.js.179.252.2", "https://www.vgt.pl/font/roboto/Roboto-Thin.ttf \u2022 https://www.vgt.pl/static/js/bootstrap-typeahead.js", "https://www.vgt.pl/font/roboto/Roboto-Regular.eot \u2022 https://www.vgt.pl/94.152.156.22/logo.png \u2022 https://www.vgt.pl/css/", "vgt.pl \u2022 www.hak.vgt.pl \u2022 www.localhost.vgt.pl \u2022 www.certyfikat.vgt.pl \u2022 aristocrat.vgt.pl", "https://www.vgt.pl/ phishing \u2022 https://vgt.pl/ \u2022www.vgt.pl \u2022 https://www.vgt.pl/94.152.152.233/images/logo.png", "http://www.pornokind.vgt.pl \u2022 https://dbkuewww.m.vgt.pl \u2022 https://lokalnyhost.vgt.pl \u2022 www.xn--twj-hna.pedofil.vgt.pl", "http://www.hak.vgt.pl \u2022 http://pornokind.vgt.pl \u2022 http://sip.vgt.pl \u2022 http://smtp-qa.vgt.pl \u2022 http://vgt.pl/*.", "https://pornokind.vgt.pl \u2022 https://sip.vgt.pl \u2022 https://smtp-qa.vgt.pl \u2022 https://www.vgt.pl/94.152.156.22/logo.png", "www.localhost.vgt.pl \u2022 www.certyfikat.vgt.pl \u2022 https://www.vgt.pl/94.152.152.233/images/logo.png", "https://www.vgt.pl/css/ \u2022 https://www.vgt.pl/favicon.ico \u2022 https://www.vgt.pl/font/fa/fontawesome-webfont.eot", "https://www.vgt.pl/font/roboto/Roboto-Bold.eot \u2022 https://www.vgt.pl/font/roboto/Roboto-Bold.ttf \u2022 https://www.vgt.pl/font/roboto/Roboto-Light.eot", "https://www.vgt.pl/static/js/bootstrap-typeahead.jstic/js/bootstrap-typeahead.js", "https://www.vgt.pl/style/style.css \u2022 https://www.vgt.pl/static/js/bootstrap-typeahead.js", "IP Address 94.152.58.192 Location Poland ASN AS29522 h88 s.a. Nameservers ns1.kei.pl. , ns2.kei.pl.", "www.happylifehappywife.com \u2022 http://www.happylifehappywife.com/2010/02/'>", "http://www.happylifehappywife.com/2010/04/'> \u2022 http://www.happylifehappywife.com/2010/05/'>", "http://www.happylifehappywife.com/2010/07/'> \u2022 http://www.happylifehappywife.com/2010/09/'>", "http://www.happylifehappywife.com/2011/06/'> \u2022 http://www.happylifehappywife.com/2011/08/'", "http://www.happylifehappywife.com/2011/08/'> \u2022 http://www.happylifehappywife.com/2012/07/'>", "http://www.happylifehappywife.com/2013/03/'> \u2022 http://www.happylifehappywife.com/index.php", "http://www.happylifehappywife.com/wp-content/themes/theme78222/images/top-right.jpg", "https://amp.mypornvid.fun/videos/8/AhxS-ej1myg/gf-18-com/\ud83c\udf81-i39m-your-present-\ud83c\udf81-girlfriend-surprises-you-for-christmas-reunion-soft-kisses-amp-cuddles", "8-25-220-162-static.reverse.queryfoundry.net\t\t\tNov 1, 2025, 9:34:14 AM\t\t5\t domain\tqueryfoundry.net\t\t\tNov 1, 2025, 9:34:14 AM\t\t8\t URL\thttp://117-114-251-162-static.reverse.queryfoundry.net/", "http://watchhers.net/index.php", "remotewd.com device local", "nr-data.net \u2022 applemusic-spotlight.myunidays.com \u2022 init.ess.apple.com \u2022 tv.apple.com", "https://browntubeporn.com/tsara-brashearsAccept-Language", "https://cg864.myhotzpic.com phishing \u2022 http://dashboard.myhotzpic.com/", "https://myhotzpic.com/tsara-brashears-hardcore-lesbian-sex/anime-studio.org*thumbs-fa...", "https://mypornvid.com/videos/27/x510fb2/white-dpt-jeffrey-reimer-loves-pretty-indian-patient-forces-sex-3gp-video-tsara-brashears/caillou-finger", "http://siteinlink.d1.cnbd.net/search/tsara-brashears-dead \u2022 http://siteinlink.d1.cnbd.net/site/maps.google.com.lb/", "http://siteinlink.d1.cnbd.net/search/tsara-brashears-assaulted-by-jeffrey-reimer", "http://siteinlink.d1.cnbd.net/search/tsara-brashears-dead \u2022 https://videolal.com/videos/tsara-brashears-dead-by-daylight.html", "http://pixelrz.com/lists/keywords/tsara-brashears-dead/360 \u2022 http://pixelrz.com/lists/keywords/tsara-brashears-dead/360] No Expiration\t4\t Domain tsara-brashears-deadspin-twitter-suspended-account-help.ht", "https://www.anyxxxtube.net/search-porn/tsara-brashears/", "https://www.pornhub.com/gifs/search?search=tsara+lynn+brashears+lesbian", "https://www.anyxxxtube.net/search-porn/tsara-brashears/", "https://twitter.com/PORNO_SEXYBABES \u2022 girlsdoporn.com", "Treece Alfrey Musat P.C. Attorneys at Law Christopher P. Ahmann | https://TamLegal.com", "https://urlscan.io/screenshots/e931bb02-80dc-46db-92f0-43d5afa258be.png" ], "public": 1, "adversary": "", "targeted_countries": [], "malware_families": [ { "id": "TrojanSpy:Win32/Nivdort", "display_name": "TrojanSpy:Win32/Nivdort", "target": "/malware/TrojanSpy:Win32/Nivdort" }, { "id": "Worm:Win32/Autorun", "display_name": "Worm:Win32/Autorun", "target": "/malware/Worm:Win32/Autorun" }, { "id": "Tofsee", "display_name": "Tofsee", "target": null }, { "id": "Jaik", "display_name": "Jaik", "target": null }, { "id": "Trojan:Win32/Qshell", "display_name": "Trojan:Win32/Qshell", "target": "/malware/Trojan:Win32/Qshell" }, { "id": "Trojan:Win32/Mydoom", "display_name": "Trojan:Win32/Mydoom", "target": "/malware/Trojan:Win32/Mydoom" } ], "attack_ids": [ { "id": "T1045", "name": "Software Packing", "display_name": "T1045 - Software Packing" }, { "id": "T1057", "name": "Process Discovery", "display_name": "T1057 - Process Discovery" }, { "id": "T1060", "name": "Registry Run Keys / Startup Folder", "display_name": "T1060 - Registry Run Keys / Startup Folder" }, { "id": "T1053", "name": "Scheduled Task/Job", "display_name": "T1053 - Scheduled Task/Job" }, { "id": "T1055", "name": "Process Injection", "display_name": "T1055 - Process Injection" }, { "id": "T1082", "name": "System Information Discovery", "display_name": "T1082 - System Information Discovery" }, { "id": "T1112", "name": "Modify Registry", "display_name": "T1112 - Modify Registry" }, { "id": "T1119", "name": "Automated Collection", "display_name": "T1119 - Automated Collection" }, { "id": "T1129", "name": "Shared Modules", "display_name": "T1129 - Shared Modules" }, { "id": "T1143", "name": "Hidden Window", "display_name": "T1143 - Hidden Window" }, { "id": "T1063", "name": "Security Software Discovery", "display_name": "T1063 - Security Software Discovery" }, { "id": "T1027", "name": "Obfuscated Files or Information", "display_name": "T1027 - Obfuscated Files or Information" }, { "id": "T1071", "name": "Application Layer Protocol", "display_name": "T1071 - Application Layer Protocol" }, { "id": "T1518", "name": "Software Discovery", "display_name": "T1518 - Software Discovery" }, { "id": "T1553", "name": "Subvert Trust Controls", "display_name": "T1553 - Subvert Trust Controls" }, { "id": "T1568", "name": "Dynamic Resolution", "display_name": "T1568 - Dynamic Resolution" }, { "id": "T1583", "name": "Acquire Infrastructure", "display_name": "T1583 - Acquire Infrastructure" }, { "id": "T1069", "name": "Permission Groups Discovery", "display_name": "T1069 - Permission Groups Discovery" }, { "id": "T1105", "name": "Ingress Tool Transfer", "display_name": "T1105 - Ingress Tool Transfer" }, { "id": "T1113", "name": "Screen Capture", "display_name": "T1113 - Screen Capture" }, { "id": "T1140", "name": "Deobfuscate/Decode Files or Information", "display_name": "T1140 - Deobfuscate/Decode Files or Information" }, { "id": "T1197", "name": "BITS Jobs", "display_name": "T1197 - BITS Jobs" }, { "id": "T1210", "name": "Exploitation of Remote Services", "display_name": "T1210 - Exploitation of Remote Services" }, { "id": "T1457", "name": "Malicious Media Content", "display_name": "T1457 - Malicious Media Content" }, { "id": "T1480", "name": "Execution Guardrails", "display_name": "T1480 - Execution Guardrails" }, { "id": "T1562", "name": "Impair Defenses", "display_name": "T1562 - Impair Defenses" }, { "id": "T1574", "name": "Hijack Execution Flow", "display_name": "T1574 - Hijack Execution Flow" } ], "industries": [], "TLP": "green", "cloned_from": "691f4d4ef0a2a570b8b21cd2", "export_count": 3, "upvotes_count": 0, "downvotes_count": 0, "votes_count": 0, "locked": false, "pulse_source": "web", "validator_count": 0, "comment_count": 0, "follower_count": 0, "vote": 0, "author": { "username": "Q.Vashti", "id": "337942", "avatar_url": "https://otx.alienvault.com/assets/images/default-avatar.png", "is_subscribed": false, "is_following": false }, "indicator_type_counts": { "URL": 8897, "domain": 2102, "hostname": 2867, "FileHash-SHA256": 3886, "FileHash-MD5": 619, "FileHash-SHA1": 555, "CVE": 3, "email": 5, "SSLCertFingerprint": 8 }, "indicator_count": 18942, "is_author": false, "is_subscribing": null, "subscriber_count": 137, "modified_text": "88 days ago ", "is_modified": true, "groups": [], "in_group": false, "threat_hunter_scannable": true, "threat_hunter_has_agents": 1, "related_indicator_type": "domain", "related_indicator_is_active": 1 }, { "id": "691f4d4ef0a2a570b8b21cd2", "name": "Chris P. Ahmann Colorado State Criminal Defense Attorney", "description": "Chris P. Ahmann Colorado State Criminal Defense attorney hired by quasi government Workers Compensation to completely destroy Tsara Brashears literally to death. None of her spinal cord injuries , and other assault injuries discussed or compensated for in rushed settlement case. Her awful racist attorney refused to represent plaintiffs in hearing. Never met with in person for no good reason. Tsara represented herself. Less that 24 hour notice. No briefings, no awareness or mention that Ahmann was representing Jeffrey Scott Reimer for assault\n case. Brashears required 24 hour care by end of life. Received 0 workers compsarion payments. But if this doesn\u2019t prove Reimer\u2019s guilt what does? Continued harassment of associated. \n\nNotice the outages? You\u2019ve cost BILLIONS? Stop threatening everyone.", "modified": "2026-01-20T17:02:02.650000", "created": "2025-11-20T17:18:06.929000", "tags": [ "related pulses", "p1377925676", "gaz1", "sid1696503456", "sct1", "active", "dynamicloader", "medium", "write c", "search", "show", "high", "program gateway", "http traffic", "http", "write", "malware", "nivdort", "serving ip", "address", "status code", "kb body", "sha256", "gw5hjz7t975", "url https", "url http", "indicator role", "pulses url", "hostname", "poland unknown", "present sep", "present jul", "present may", "present apr", "present dec", "present jan", "moved", "passive dns", "ip address", "title", "location poland", "asn as29522", "gmt content", "accept encoding", "ipv4 add", "urls", "files", "reverse dns", "united", "record value", "aaaa", "mtb oct", "found", "error", "read c", "memcommit", "module load", "next", "showing", "trojan", "execution", "unknown", "entries", "ms windows", "intel", "as15169", "codeoverlap", "yara detections", "delphi", "worm", "win32", "win64", "learn", "ck id", "name tactics", "suspicious", "informative", "adversaries", "command", "spawns", "ssl certificate", "execution att", "script urls", "treece alfrey", "meta", "germany unknown", "for privacy", "title added", "active related", "pulses", "asnone", "named pipe", "type indicator", "role title", "added active", "filehashsha256", "ally", "melika", "information", "law christopher", "https", "fake pinterest", "tsara", "traceback man", "expiro", "capture", "domain", "types of", "germany", "poland", "netherlands", "cve cve20178977", "boobs130432 nov", "learn more", "filehashmd5", "utmsourceawin", "pe32", "head microsoft", "delete", "main", "backdoor", "next associated", "gmt connection", "control", "content type", "twitter", "certificate", "redirect date", "cache", "unknown ns", "hostname add", "ipv4", "pulse pulses", "location united", "america flag", "america asn", "windows", "total", "ids detections", "url add", "related nids", "files location", "flag united", "win32mydoom nov", "domain add", "yara rule", "ee fc", "ff d5", "f0 ff", "eb e1", "ff ff", "c1 e8", "c1 c0", "eb e8", "mpress", "cache control", "x cache", "date", "name servers", "arial", "present aug", "present jun", "may god", "hall render", "palantir doing", "jeffrey scott", "jeffrey reimer", "brian sabey", "butt pirates", "scott reimer", "colorado", "quasi government", "workers compensation", "eva lisa", "eva reimer", "sammie", "montano mark", "death threats", "tulach", "hired hit men", "gay man", "gay porn", "concentra", "corruption", "palantir", "foundry", "grifter", "warning", "illegal", "apple", "contacted", "ransom", "dead", "denver" ], "references": [ "https://tamlegal.com/attorneys/christopher-p-ahmann/#breadcrumb \u2022 https://www.milehighmedia.com/en/movies", "https://www.milehighmedia.com/legal/2257 \u2022 https://www.milehighmedia", "www.milehighmedia.com \u2022 https://www.milehighmedia.com/en/Charlie-Dean/pornstar/49512", "https://www.milehighmedia.com/en/login/index/aHR0cHMlM0ElMkYlMkZtZW1iZXJzLm1pbGVoaWdobWVkaWEuY29tJTJGZW4lMkZ2aWRlb3MlMkZzd2VldGhlYXJ0dmlkZW8lM0ZhbHVwJTNEQURqeF9ITjhfd1oweU96UnpsU3NNNUZLaVVxSzBXNEN0X3NmTFpKTGVJc3M2b0RVUzkwVmp6VllNVko5eFpmdENYcFNKd3IzOTNaMG1mOEpXeVhVeVZpLTJZYVRsaGd3M25DSDRpYnRwZ25BRC1zUFhDQVUycjZJOXo2WWtRMzNVWVFhMFZyWC1YckxvcnRkVjJZdEgxSDYxZ1lhMTFNS3RZSkEzY3FlSXhFQzhtSlAzSk1tbloySURMQXlMZndPcHozSFFiTzF4T0FseXJIQ0xYem1ldFElMkE=\t \thttp://www.milehighmedia.com/?ats=eyJhIjoyOTYzMTgsImMiOjU3OTYzNz", "http://www.milehighmedia.com/legal\t \u2022 https://www.milehighmedia.com/en/pornstar/milehighmedia/Justin-Hunt/51017", "https://www.milehighmedia.com/de/MileHighMedia/scene/129689?utm_source=271174&utm_medium=affiliate&utm_campaign=", "http://www.milehighmedia.com/?ats=eyJhIjoyOTYzMTgsImMiOjU3OTYzNzc1LCJuIjo3NiwicyI6NT...", "ttps://www.milehighmedia.com/scene/4404473/creampie-adventures-scene-2-sneaky-melanie", "https://www.milehighmedia.com/join \u2022 https://www.milehighmedia.com/models \u2022 https://www.milehighmedia.com/movies", "https://www.milehighmedia.com/model/59136/avi-love \u2022https://www.milehighmedia.com/model/60418/Justin-Hunt \u2022", "https://www.milehighmedia.com/en/photo/milehighmedia/The-Mother-I-Cant-Resist/52380", "https://www.milehighmedia.com/en/movies \u2022 https://www.milehighmedia.com/join", "https://www.pornhub.com/gifs/search?search=tsara+lynn+brashears+lesbian", "pornhub-e.com \u2022 www.pornhub.com \u2022", "https://www.sweetheartvideo.com/tsara-brashears/ \u2022 www.sweetheartvideo.com", "https://www.sweetheartvideo.com/en/?s=1?s=1&utm_source=272160&utm_medium=affiliate&utm_campaign=lovelezzies", "https://www.sweetheartvideo.com/en/dvd/Lesbian-Massage/49895", "https://www.sweetheartvideo.com/en/dvds \u2022 https://www.sweetheartvideo.com/en/login", "https://www.sweetheartvideo.com/en/model/Mona-Wales/49601 \u2022 https://www.sweetheartvideo.com/en/scene/Truth-Dare--Boobs/130432 No Expiration\t0\t URL https://www.sweetheartvideo.com/it/model/Kristen-Scott/50432 \u2022 https://www.sweetheartvideo.com/model/63710/brandi-love", "https://www.sweetheartvideo.com/scenes?models=63710", "https://www.sweetheartvideo.com/model/63710/brandi-love", "https://www.sweetheartvideo.com/scenes?models=63710", "https://www.sweetheartvideo.com/it/model/Kristen-Scott/50432", "https://www.sweetheartvideo.com/en/scene/Truth-Dare--Boobs/130432", "https://www.milehighmedia.com/en/photo/milehighmedia/The-Mother-I-Cant-Resist/52380", "https://www.vgt.pl/font/roboto/Roboto-Bold.eot \u2022", "https://www.vgt.pl/94.152.152.233/images/logo.png", "https://www.vgt.pl/94.152.156.22/logo.png \u2022 https://www.vgt.pl/css/", "https://www.vgt.pl/favicon.ico", "https://www.vgt.pl/font/fa/fontawesome-webfont.eot", "https://www.vgt.pl/font/roboto/Roboto-Bold.ttf \u2022 https://www.vgt.pl/font/roboto/Roboto-Light.eot", "https://www.vgt.pl/font/roboto/Roboto-Medium.ttf", "https://www.vgt.pl/font/roboto/Roboto-Light.ttf \u2022", "https://www.vgt.pl/static/js/bootstrap-typeahead.jstic/js/bootstrap-typeahead.js", "https://www.vgt.pl/style/style.css \u2022 https://www.vgt.pl/font/roboto/Roboto-Medium.eot", "https://www.vgt.pl/font/roboto/Roboto-Regular.ttf \u2022 https://www.vgt.pl/font/roboto/Roboto-Thin.eot", "https://www.vgt.pl/static/js/bootstrap-typeahead.js.179.252.2", "https://www.vgt.pl/font/roboto/Roboto-Thin.ttf \u2022 https://www.vgt.pl/static/js/bootstrap-typeahead.js", "https://www.vgt.pl/font/roboto/Roboto-Regular.eot \u2022 https://www.vgt.pl/94.152.156.22/logo.png \u2022 https://www.vgt.pl/css/", "vgt.pl \u2022 www.hak.vgt.pl \u2022 www.localhost.vgt.pl \u2022 www.certyfikat.vgt.pl \u2022 aristocrat.vgt.pl", "https://www.vgt.pl/ phishing \u2022 https://vgt.pl/ \u2022www.vgt.pl \u2022 https://www.vgt.pl/94.152.152.233/images/logo.png", "http://www.pornokind.vgt.pl \u2022 https://dbkuewww.m.vgt.pl \u2022 https://lokalnyhost.vgt.pl \u2022 www.xn--twj-hna.pedofil.vgt.pl", "http://www.hak.vgt.pl \u2022 http://pornokind.vgt.pl \u2022 http://sip.vgt.pl \u2022 http://smtp-qa.vgt.pl \u2022 http://vgt.pl/*.", "https://pornokind.vgt.pl \u2022 https://sip.vgt.pl \u2022 https://smtp-qa.vgt.pl \u2022 https://www.vgt.pl/94.152.156.22/logo.png", "www.localhost.vgt.pl \u2022 www.certyfikat.vgt.pl \u2022 https://www.vgt.pl/94.152.152.233/images/logo.png", "https://www.vgt.pl/css/ \u2022 https://www.vgt.pl/favicon.ico \u2022 https://www.vgt.pl/font/fa/fontawesome-webfont.eot", "https://www.vgt.pl/font/roboto/Roboto-Bold.eot \u2022 https://www.vgt.pl/font/roboto/Roboto-Bold.ttf \u2022 https://www.vgt.pl/font/roboto/Roboto-Light.eot", "https://www.vgt.pl/static/js/bootstrap-typeahead.jstic/js/bootstrap-typeahead.js", "https://www.vgt.pl/style/style.css \u2022 https://www.vgt.pl/static/js/bootstrap-typeahead.js", "IP Address 94.152.58.192 Location Poland ASN AS29522 h88 s.a. Nameservers ns1.kei.pl. , ns2.kei.pl.", "www.happylifehappywife.com \u2022 http://www.happylifehappywife.com/2010/02/'>", "http://www.happylifehappywife.com/2010/04/'> \u2022 http://www.happylifehappywife.com/2010/05/'>", "http://www.happylifehappywife.com/2010/07/'> \u2022 http://www.happylifehappywife.com/2010/09/'>", "http://www.happylifehappywife.com/2011/06/'> \u2022 http://www.happylifehappywife.com/2011/08/'", "http://www.happylifehappywife.com/2011/08/'> \u2022 http://www.happylifehappywife.com/2012/07/'>", "http://www.happylifehappywife.com/2013/03/'> \u2022 http://www.happylifehappywife.com/index.php", "http://www.happylifehappywife.com/wp-content/themes/theme78222/images/top-right.jpg", "https://amp.mypornvid.fun/videos/8/AhxS-ej1myg/gf-18-com/\ud83c\udf81-i39m-your-present-\ud83c\udf81-girlfriend-surprises-you-for-christmas-reunion-soft-kisses-amp-cuddles", "8-25-220-162-static.reverse.queryfoundry.net\t\t\tNov 1, 2025, 9:34:14 AM\t\t5\t domain\tqueryfoundry.net\t\t\tNov 1, 2025, 9:34:14 AM\t\t8\t URL\thttp://117-114-251-162-static.reverse.queryfoundry.net/", "http://watchhers.net/index.php", "remotewd.com device local", "nr-data.net \u2022 applemusic-spotlight.myunidays.com \u2022 init.ess.apple.com \u2022 tv.apple.com", "https://browntubeporn.com/tsara-brashearsAccept-Language", "https://cg864.myhotzpic.com phishing \u2022 http://dashboard.myhotzpic.com/", "https://myhotzpic.com/tsara-brashears-hardcore-lesbian-sex/anime-studio.org*thumbs-fa...", "https://mypornvid.com/videos/27/x510fb2/white-dpt-jeffrey-reimer-loves-pretty-indian-patient-forces-sex-3gp-video-tsara-brashears/caillou-finger", "http://siteinlink.d1.cnbd.net/search/tsara-brashears-dead \u2022 http://siteinlink.d1.cnbd.net/site/maps.google.com.lb/", "http://siteinlink.d1.cnbd.net/search/tsara-brashears-assaulted-by-jeffrey-reimer", "http://siteinlink.d1.cnbd.net/search/tsara-brashears-dead \u2022 https://videolal.com/videos/tsara-brashears-dead-by-daylight.html", "http://pixelrz.com/lists/keywords/tsara-brashears-dead/360 \u2022 http://pixelrz.com/lists/keywords/tsara-brashears-dead/360] No Expiration\t4\t Domain tsara-brashears-deadspin-twitter-suspended-account-help.ht", "https://www.anyxxxtube.net/search-porn/tsara-brashears/", "https://www.pornhub.com/gifs/search?search=tsara+lynn+brashears+lesbian", "https://www.anyxxxtube.net/search-porn/tsara-brashears/", "https://twitter.com/PORNO_SEXYBABES \u2022 girlsdoporn.com", "Treece Alfrey Musat P.C. Attorneys at Law Christopher P. Ahmann | https://TamLegal.com", "https://urlscan.io/screenshots/e931bb02-80dc-46db-92f0-43d5afa258be.png" ], "public": 1, "adversary": "", "targeted_countries": [], "malware_families": [ { "id": "TrojanSpy:Win32/Nivdort", "display_name": "TrojanSpy:Win32/Nivdort", "target": "/malware/TrojanSpy:Win32/Nivdort" }, { "id": "Worm:Win32/Autorun", "display_name": "Worm:Win32/Autorun", "target": "/malware/Worm:Win32/Autorun" }, { "id": "Tofsee", "display_name": "Tofsee", "target": null }, { "id": "Jaik", "display_name": "Jaik", "target": null }, { "id": "Trojan:Win32/Qshell", "display_name": "Trojan:Win32/Qshell", "target": "/malware/Trojan:Win32/Qshell" }, { "id": "Trojan:Win32/Mydoom", "display_name": "Trojan:Win32/Mydoom", "target": "/malware/Trojan:Win32/Mydoom" } ], "attack_ids": [ { "id": "T1045", "name": "Software Packing", "display_name": "T1045 - Software Packing" }, { "id": "T1057", "name": "Process Discovery", "display_name": "T1057 - Process Discovery" }, { "id": "T1060", "name": "Registry Run Keys / Startup Folder", "display_name": "T1060 - Registry Run Keys / Startup Folder" }, { "id": "T1053", "name": "Scheduled Task/Job", "display_name": "T1053 - Scheduled Task/Job" }, { "id": "T1055", "name": "Process Injection", "display_name": "T1055 - Process Injection" }, { "id": "T1082", "name": "System Information Discovery", "display_name": "T1082 - System Information Discovery" }, { "id": "T1112", "name": "Modify Registry", "display_name": "T1112 - Modify Registry" }, { "id": "T1119", "name": "Automated Collection", "display_name": "T1119 - Automated Collection" }, { "id": "T1129", "name": "Shared Modules", "display_name": "T1129 - Shared Modules" }, { "id": "T1143", "name": "Hidden Window", "display_name": "T1143 - Hidden Window" }, { "id": "T1063", "name": "Security Software Discovery", "display_name": "T1063 - Security Software Discovery" }, { "id": "T1027", "name": "Obfuscated Files or Information", "display_name": "T1027 - Obfuscated Files or Information" }, { "id": "T1071", "name": "Application Layer Protocol", "display_name": "T1071 - Application Layer Protocol" }, { "id": "T1518", "name": "Software Discovery", "display_name": "T1518 - Software Discovery" }, { "id": "T1553", "name": "Subvert Trust Controls", "display_name": "T1553 - Subvert Trust Controls" }, { "id": "T1568", "name": "Dynamic Resolution", "display_name": "T1568 - Dynamic Resolution" }, { "id": "T1583", "name": "Acquire Infrastructure", "display_name": "T1583 - Acquire Infrastructure" }, { "id": "T1069", "name": "Permission Groups Discovery", "display_name": "T1069 - Permission Groups Discovery" }, { "id": "T1105", "name": "Ingress Tool Transfer", "display_name": "T1105 - Ingress Tool Transfer" }, { "id": "T1113", "name": "Screen Capture", "display_name": "T1113 - Screen Capture" }, { "id": "T1140", "name": "Deobfuscate/Decode Files or Information", "display_name": "T1140 - Deobfuscate/Decode Files or Information" }, { "id": "T1197", "name": "BITS Jobs", "display_name": "T1197 - BITS Jobs" }, { "id": "T1210", "name": "Exploitation of Remote Services", "display_name": "T1210 - Exploitation of Remote Services" }, { "id": "T1457", "name": "Malicious Media Content", "display_name": "T1457 - Malicious Media Content" }, { "id": "T1480", "name": "Execution Guardrails", "display_name": "T1480 - Execution Guardrails" }, { "id": "T1562", "name": "Impair Defenses", "display_name": "T1562 - Impair Defenses" }, { "id": "T1574", "name": "Hijack Execution Flow", "display_name": "T1574 - Hijack Execution Flow" } ], "industries": [], "TLP": "green", "cloned_from": null, "export_count": 4, "upvotes_count": 0, "downvotes_count": 0, "votes_count": 0, "locked": false, "pulse_source": "web", "validator_count": 0, "comment_count": 0, "follower_count": 0, "vote": 0, "author": { "username": "Q.Vashti", "id": "337942", "avatar_url": "https://otx.alienvault.com/assets/images/default-avatar.png", "is_subscribed": false, "is_following": false }, "indicator_type_counts": { "URL": 8897, "domain": 2102, "hostname": 2867, "FileHash-SHA256": 3886, "FileHash-MD5": 619, "FileHash-SHA1": 555, "CVE": 3, "email": 5, "SSLCertFingerprint": 8 }, "indicator_count": 18942, "is_author": false, "is_subscribing": null, "subscriber_count": 139, "modified_text": "88 days ago ", "is_modified": true, "groups": [], "in_group": false, "threat_hunter_scannable": true, "threat_hunter_has_agents": 1, "related_indicator_type": "domain", "related_indicator_is_active": 1 }, { "id": "6905d40f781d7d58d4021a20", "name": "Treece Alfrey Musat P.C., Chris P. Ahmann Colorado State \u2022 Tam Legal Special Cousel for egregious acts by PT.", "description": "- with a primary focus on criminal defense. In both positions, he successfully defended his clients against claims running the gamut of the criminal justice system, from DUI\nand misdemeanors to felony indictments. In his criminal practice, Mr. Ahmann defends clients charged with both misdemeanor and felony cases. Mr. Ahmann continues his criminal practice as he believes that his clients deserve someone on their side to assure their voice is heard in the criminal process as well. He is dedicated to each of his clients and is always\nstriving for the best possible outcome in their individual cases. Mr. Ahmann also specializes in defense of employers in workers' compensation claims. He also assists TAM clients whose liability defense touches criminal prosecution, regularly providing effective criminal counsel in catastrophic injury common carrier matters, as well as criminal prosecution stemming from\nemployment and official acts.", "modified": "2025-12-20T06:00:23.758000", "created": "2025-11-01T09:34:07.323000", "tags": [ "public tlp", "trojandropper", "other", "references add", "show", "provide", "remote", "t1457", "media content", "t1480", "subvert trust", "controls t1562", "modify tools", "command history", "ck t1027", "t1057", "discovery t1069", "t1071", "protocol t1105", "tool transfer", "t1113", "logging t1568", "t1574", "execution flow", "dll sideloading", "t1583", "ta0003", "ck id", "america", "att", "t1045", "capture t1140", "ipv4", "active related", "contact", "adversary", "tam legal", "qshell", "colorado state", "ahmann special", "counsel", "download", "ahmann", "university", "history", "john marshall", "law school", "special counsel", "christopher ahmann", "defense", "url http", "create new", "pulse provide", "white", "adversary tags", "add tag", "groups add", "countries add", "country malware", "trojan", "script urls", "treece alfrey", "meta", "function", "for privacy", "germany unknown", "united", "script", "ip address", "creation date", "date", "tracker", "null", "window", "general full", "reverse dns", "server", "philadelphia", "asn8560", "ionosas", "ionos", "fasthosts", "media", "telecom", "apache", "main", "gtagtracker", "gatracker", "brian sabey", "hall render", "fastly error", "palantir", "special counsel", "gravity rat" ], "references": [ "Treece Alfrey Musat P.C. Attorneys at Law Christopher P. Ahmann | https://TamLegal.com", "https://urlscan.io/screenshots/e931bb02-80dc-46db-92f0-43d5afa258be.png", "https://www.pornhub.com/gifs/search?search=tsara+lynn+brashears+lesbian", "https://www.anyxxxtube.net/search-porn/tsara-brashears/", "http://45.159.189.105/bot/regex \u2022\u2019 Fake Pinterest \u2022https://pin.it/", "https://twitter.com/PORNO_SEXYBABES \u2022 girlsdoporn.com", "Tsara never knew defense attorney fought & closed her worker\u2019s compensation claim", "Traceback- Man with signal jammer/ deauther working around her today.", "Absolutely zero regard for the victims who facilitate your luxury lifestyle.", "Do you slap luxury cologne on your undeserving face paid for by money workers suffered for?", "You\u2019d kill to have someone else\u2019s lifestyle? May God take you out!", "This God smacked penguin ordered a settlement hearing with less than 24 hours notice for claimant.", "He began a smear campaign immediately and is directly linked to Hall Render and Palantir", "Doing any evil thing for mone does not compute for me.", "I\u2019ve looked through the settlement docs, injuries caused by Jeffrey Scott Reiner DPT omitted.", "He must be very scary like Peter Theil because every attorney took case then backed off.", "Patiently waiting to see what God is going to do to all of you. You take lives for $", "Stop! A woman was assaulted carved up, lived with a swollen brain , maltreatment , stalkers , hitmen?", "So you can order food at fine restaurants , go to the finest places and get the best seats? No. I am earnestly praying Jehovah Sabaoth takes your last breath from all of you with Yawehs mightiest angels leading the way with a changing of guard for every tattle you will lose", "On same block with HalkRender. Has close working relationship. All Palantir legal enities" ], "public": 1, "adversary": "", "targeted_countries": [], "malware_families": [ { "id": "Other", "display_name": "Other", "target": null }, { "id": "Win.Malware.Unsafe", "display_name": "Win.Malware.Unsafe", "target": null }, { "id": "Juko", "display_name": "Juko", "target": null }, { "id": "Expiro", "display_name": "Expiro", "target": null }, { "id": "Trojan:Win32/Generic", "display_name": "Trojan:Win32/Generic", "target": "/malware/Trojan:Win32/Generic" }, { "id": "Win.Malware.Qshell-9875653-0", "display_name": "Win.Malware.Qshell-9875653-0", "target": null }, { "id": "Trojan:Win32/Qshell", "display_name": "Trojan:Win32/Qshell", "target": "/malware/Trojan:Win32/Qshell" } ], "attack_ids": [ { "id": "T1027", "name": "Obfuscated Files or Information", "display_name": "T1027 - Obfuscated Files or Information" }, { "id": "T1045", "name": "Software Packing", "display_name": "T1045 - Software Packing" }, { "id": "T1057", "name": "Process Discovery", "display_name": "T1057 - Process Discovery" }, { "id": "T1069", "name": "Permission Groups Discovery", "display_name": "T1069 - Permission Groups Discovery" }, { "id": "T1071", "name": "Application Layer Protocol", "display_name": "T1071 - Application Layer Protocol" }, { "id": "T1105", "name": "Ingress Tool Transfer", "display_name": "T1105 - Ingress Tool Transfer" }, { "id": "T1113", "name": "Screen Capture", "display_name": "T1113 - Screen Capture" }, { "id": "T1140", "name": "Deobfuscate/Decode Files or Information", "display_name": "T1140 - Deobfuscate/Decode Files or Information" }, { "id": "T1197", "name": "BITS Jobs", "display_name": "T1197 - BITS Jobs" }, { "id": "T1210", "name": "Exploitation of Remote Services", "display_name": "T1210 - Exploitation of Remote Services" }, { "id": "T1457", "name": "Malicious Media Content", "display_name": "T1457 - Malicious Media Content" }, { "id": "T1480", "name": "Execution Guardrails", "display_name": "T1480 - Execution Guardrails" }, { "id": "T1553", "name": "Subvert Trust Controls", "display_name": "T1553 - Subvert Trust Controls" }, { "id": "T1562", "name": "Impair Defenses", "display_name": "T1562 - Impair Defenses" }, { "id": "T1568", "name": "Dynamic Resolution", "display_name": "T1568 - Dynamic Resolution" }, { "id": "T1574", "name": "Hijack Execution Flow", "display_name": "T1574 - Hijack Execution Flow" }, { "id": "T1583", "name": "Acquire Infrastructure", "display_name": "T1583 - Acquire Infrastructure" } ], "industries": [ "Legal", "Government", "Healthcare", "Technology", "Telecommunications" ], "TLP": "white", "cloned_from": null, "export_count": 6, "upvotes_count": 0, "downvotes_count": 0, "votes_count": 0, "locked": false, "pulse_source": "web", "validator_count": 0, "comment_count": 0, "follower_count": 0, "vote": 0, "author": { "username": "Q.Vashti", "id": "337942", "avatar_url": "https://otx.alienvault.com/assets/images/default-avatar.png", "is_subscribed": false, "is_following": false }, "indicator_type_counts": { "URL": 8332, "domain": 4819, "hostname": 2165, "FileHash-SHA256": 7369, "FileHash-MD5": 474, "FileHash-SHA1": 470, "CVE": 4, "email": 4 }, "indicator_count": 23637, "is_author": false, "is_subscribing": null, "subscriber_count": 139, "modified_text": "120 days ago ", "is_modified": true, "groups": [], "in_group": false, "threat_hunter_scannable": true, "threat_hunter_has_agents": 1, "related_indicator_type": "domain", "related_indicator_is_active": 1 }, { "id": "69137ee5d76d486d65396af0", "name": "Chris P. Ahmann Colorado State \u2022 Tam Legal Special Cousel for egregious acts committed by Jeffrey S. Reimer DPT \u2022 Treece Alfrey Musat P.C., ", "description": "", "modified": "2025-12-01T09:02:26.881000", "created": "2025-11-11T18:22:29.976000", "tags": [ "public tlp", "trojandropper", "other", "references add", "show", "provide", "remote", "t1457", "media content", "t1480", "subvert trust", "controls t1562", "modify tools", "command history", "ck t1027", "t1057", "discovery t1069", "t1071", "protocol t1105", "tool transfer", "t1113", "logging t1568", "t1574", "execution flow", "dll sideloading", "t1583", "ta0003", "ck id", "america", "att", "t1045", "capture t1140", "ipv4", "active related", "contact", "adversary", "tam legal", "qshell", "colorado state", "ahmann special", "counsel", "download", "ahmann", "university", "history", "john marshall", "law school", "special counsel", "christopher ahmann", "defense", "url http", "create new", "pulse provide", "white", "adversary tags", "add tag", "groups add", "countries add", "country malware", "trojan", "script urls", "treece alfrey", "meta", "function", "for privacy", "germany unknown", "united", "script", "ip address", "creation date", "date", "tracker", "null", "window", "general full", "reverse dns", "server", "philadelphia", "asn8560", "ionosas", "ionos", "fasthosts", "media", "telecom", "apache", "main", "gtagtracker", "gatracker", "brian sabey", "hall render", "fastly error", "palantir", "special counsel", "gravity rat" ], "references": [ "Treece Alfrey Musat P.C. Attorneys at Law Christopher P. Ahmann | https://TamLegal.com", "https://urlscan.io/screenshots/e931bb02-80dc-46db-92f0-43d5afa258be.png", "https://www.pornhub.com/gifs/search?search=tsara+lynn+brashears+lesbian", "https://www.anyxxxtube.net/search-porn/tsara-brashears/", "http://45.159.189.105/bot/regex \u2022\u2019 Fake Pinterest \u2022https://pin.it/", "https://twitter.com/PORNO_SEXYBABES \u2022 girlsdoporn.com", "Tsara never knew defense attorney fought & closed her worker\u2019s compensation claim", "Traceback- Man with signal jammer/ deauther working around her today.", "Absolutely zero regard for the victims who facilitate your luxury lifestyle.", "Do you slap luxury cologne on your undeserving face paid for by money workers suffered for?", "You\u2019d kill to have someone else\u2019s lifestyle? May God take you out!", "This God smacked penguin ordered a settlement hearing with less than 24 hours notice for claimant.", "He began a smear campaign immediately and is directly linked to Hall Render and Palantir", "Doing any evil thing for mone does not compute for me.", "I\u2019ve looked through the settlement docs, injuries caused by Jeffrey Scott Reiner DPT omitted.", "He must be very scary like Peter Theil because every attorney took case then backed off.", "Patiently waiting to see what God is going to do to all of you. You take lives for $", "Stop! A woman was assaulted carved up, lived with a swollen brain , maltreatment , stalkers , hitmen?", "So you can order food at fine restaurants , go to the finest places and get the best seats? No. I am earnestly praying Jehovah Sabaoth takes your last breath from all of you with Yawehs mightiest angels leading the way with a changing of guard for every tattle you will lose", "On same block with HalkRender. Has close working relationship. All Palantir legal enities" ], "public": 1, "adversary": "", "targeted_countries": [], "malware_families": [ { "id": "Other", "display_name": "Other", "target": null }, { "id": "Win.Malware.Unsafe", "display_name": "Win.Malware.Unsafe", "target": null }, { "id": "Juko", "display_name": "Juko", "target": null }, { "id": "Expiro", "display_name": "Expiro", "target": null }, { "id": "Trojan:Win32/Generic", "display_name": "Trojan:Win32/Generic", "target": "/malware/Trojan:Win32/Generic" }, { "id": "Win.Malware.Qshell-9875653-0", "display_name": "Win.Malware.Qshell-9875653-0", "target": null }, { "id": "Trojan:Win32/Qshell", "display_name": "Trojan:Win32/Qshell", "target": "/malware/Trojan:Win32/Qshell" } ], "attack_ids": [ { "id": "T1027", "name": "Obfuscated Files or Information", "display_name": "T1027 - Obfuscated Files or Information" }, { "id": "T1045", "name": "Software Packing", "display_name": "T1045 - Software Packing" }, { "id": "T1057", "name": "Process Discovery", "display_name": "T1057 - Process Discovery" }, { "id": "T1069", "name": "Permission Groups Discovery", "display_name": "T1069 - Permission Groups Discovery" }, { "id": "T1071", "name": "Application Layer Protocol", "display_name": "T1071 - Application Layer Protocol" }, { "id": "T1105", "name": "Ingress Tool Transfer", "display_name": "T1105 - Ingress Tool Transfer" }, { "id": "T1113", "name": "Screen Capture", "display_name": "T1113 - Screen Capture" }, { "id": "T1140", "name": "Deobfuscate/Decode Files or Information", "display_name": "T1140 - Deobfuscate/Decode Files or Information" }, { "id": "T1197", "name": "BITS Jobs", "display_name": "T1197 - BITS Jobs" }, { "id": "T1210", "name": "Exploitation of Remote Services", "display_name": "T1210 - Exploitation of Remote Services" }, { "id": "T1457", "name": "Malicious Media Content", "display_name": "T1457 - Malicious Media Content" }, { "id": "T1480", "name": "Execution Guardrails", "display_name": "T1480 - Execution Guardrails" }, { "id": "T1553", "name": "Subvert Trust Controls", "display_name": "T1553 - Subvert Trust Controls" }, { "id": "T1562", "name": "Impair Defenses", "display_name": "T1562 - Impair Defenses" }, { "id": "T1568", "name": "Dynamic Resolution", "display_name": "T1568 - Dynamic Resolution" }, { "id": "T1574", "name": "Hijack Execution Flow", "display_name": "T1574 - Hijack Execution Flow" }, { "id": "T1583", "name": "Acquire Infrastructure", "display_name": "T1583 - Acquire Infrastructure" } ], "industries": [ "Legal", "Government", "Healthcare", "Technology", "Telecommunications" ], "TLP": "white", "cloned_from": "6905d40f781d7d58d4021a20", "export_count": 3, "upvotes_count": 0, "downvotes_count": 0, "votes_count": 0, "locked": false, "pulse_source": "web", "validator_count": 0, "comment_count": 0, "follower_count": 0, "vote": 0, "author": { "username": "Q.Vashti", "id": "337942", "avatar_url": "https://otx.alienvault.com/assets/images/default-avatar.png", "is_subscribed": false, "is_following": false }, "indicator_type_counts": { "URL": 7556, "domain": 4779, "hostname": 2053, "FileHash-SHA256": 7233, "FileHash-MD5": 474, "FileHash-SHA1": 470, "CVE": 4, "email": 4 }, "indicator_count": 22573, "is_author": false, "is_subscribing": null, "subscriber_count": 140, "modified_text": "139 days ago ", "is_modified": true, "groups": [], "in_group": false, "threat_hunter_scannable": true, "threat_hunter_has_agents": 1, "related_indicator_type": "domain", "related_indicator_is_active": 1 }, { "id": "6906c12b1dd6a64ab1beaa55", "name": "SpyNoon \u2022Chris P. Ahmann Colorado State \u2022 Tam Legal Special Cousel for egregious", "description": "", "modified": "2025-12-01T09:02:26.881000", "created": "2025-11-02T02:25:47.431000", "tags": [ "public tlp", "trojandropper", "other", "references add", "show", "provide", "remote", "t1457", "media content", "t1480", "subvert trust", "controls t1562", "modify tools", "command history", "ck t1027", "t1057", "discovery t1069", "t1071", "protocol t1105", "tool transfer", "t1113", "logging t1568", "t1574", "execution flow", "dll sideloading", "t1583", "ta0003", "ck id", "america", "att", "t1045", "capture t1140", "ipv4", "active related", "contact", "adversary", "tam legal", "qshell", "colorado state", "ahmann special", "counsel", "download", "ahmann", "university", "history", "john marshall", "law school", "special counsel", "christopher ahmann", "defense", "url http", "create new", "pulse provide", "white", "adversary tags", "add tag", "groups add", "countries add", "country malware", "trojan", "script urls", "treece alfrey", "meta", "function", "for privacy", "germany unknown", "united", "script", "ip address", "creation date", "date", "tracker", "null", "window", "general full", "reverse dns", "server", "philadelphia", "asn8560", "ionosas", "ionos", "fasthosts", "media", "telecom", "apache", "main", "gtagtracker", "gatracker", "brian sabey", "hall render", "fastly error", "palantir", "special counsel", "gravity rat" ], "references": [ "Treece Alfrey Musat P.C. Attorneys at Law Christopher P. Ahmann | https://TamLegal.com", "https://urlscan.io/screenshots/e931bb02-80dc-46db-92f0-43d5afa258be.png", "https://www.pornhub.com/gifs/search?search=tsara+lynn+brashears+lesbian", "https://www.anyxxxtube.net/search-porn/tsara-brashears/", "http://45.159.189.105/bot/regex \u2022\u2019 Fake Pinterest \u2022https://pin.it/", "https://twitter.com/PORNO_SEXYBABES \u2022 girlsdoporn.com", "Tsara never knew defense attorney fought & closed her worker\u2019s compensation claim", "Traceback- Man with signal jammer/ deauther working around her today.", "Absolutely zero regard for the victims who facilitate your luxury lifestyle.", "Do you slap luxury cologne on your undeserving face paid for by money workers suffered for?", "You\u2019d kill to have someone else\u2019s lifestyle? May God take you out!", "This God smacked penguin ordered a settlement hearing with less than 24 hours notice for claimant.", "He began a smear campaign immediately and is directly linked to Hall Render and Palantir", "Doing any evil thing for mone does not compute for me.", "I\u2019ve looked through the settlement docs, injuries caused by Jeffrey Scott Reiner DPT omitted.", "He must be very scary like Peter Theil because every attorney took case then backed off.", "Patiently waiting to see what God is going to do to all of you. You take lives for $", "Stop! A woman was assaulted carved up, lived with a swollen brain , maltreatment , stalkers , hitmen?", "So you can order food at fine restaurants , go to the finest places and get the best seats? No. I am earnestly praying Jehovah Sabaoth takes your last breath from all of you with Yawehs mightiest angels leading the way with a changing of guard for every tattle you will lose", "On same block with HalkRender. Has close working relationship. All Palantir legal enities" ], "public": 1, "adversary": "", "targeted_countries": [], "malware_families": [ { "id": "Other", "display_name": "Other", "target": null }, { "id": "Win.Malware.Unsafe", "display_name": "Win.Malware.Unsafe", "target": null }, { "id": "Juko", "display_name": "Juko", "target": null }, { "id": "Expiro", "display_name": "Expiro", "target": null }, { "id": "Trojan:Win32/Generic", "display_name": "Trojan:Win32/Generic", "target": "/malware/Trojan:Win32/Generic" }, { "id": "Win.Malware.Qshell-9875653-0", "display_name": "Win.Malware.Qshell-9875653-0", "target": null }, { "id": "Trojan:Win32/Qshell", "display_name": "Trojan:Win32/Qshell", "target": "/malware/Trojan:Win32/Qshell" } ], "attack_ids": [ { "id": "T1027", "name": "Obfuscated Files or Information", "display_name": "T1027 - Obfuscated Files or Information" }, { "id": "T1045", "name": "Software Packing", "display_name": "T1045 - Software Packing" }, { "id": "T1057", "name": "Process Discovery", "display_name": "T1057 - Process Discovery" }, { "id": "T1069", "name": "Permission Groups Discovery", "display_name": "T1069 - Permission Groups Discovery" }, { "id": "T1071", "name": "Application Layer Protocol", "display_name": "T1071 - Application Layer Protocol" }, { "id": "T1105", "name": "Ingress Tool Transfer", "display_name": "T1105 - Ingress Tool Transfer" }, { "id": "T1113", "name": "Screen Capture", "display_name": "T1113 - Screen Capture" }, { "id": "T1140", "name": "Deobfuscate/Decode Files or Information", "display_name": "T1140 - Deobfuscate/Decode Files or Information" }, { "id": "T1197", "name": "BITS Jobs", "display_name": "T1197 - BITS Jobs" }, { "id": "T1210", "name": "Exploitation of Remote Services", "display_name": "T1210 - Exploitation of Remote Services" }, { "id": "T1457", "name": "Malicious Media Content", "display_name": "T1457 - Malicious Media Content" }, { "id": "T1480", "name": "Execution Guardrails", "display_name": "T1480 - Execution Guardrails" }, { "id": "T1553", "name": "Subvert Trust Controls", "display_name": "T1553 - Subvert Trust Controls" }, { "id": "T1562", "name": "Impair Defenses", "display_name": "T1562 - Impair Defenses" }, { "id": "T1568", "name": "Dynamic Resolution", "display_name": "T1568 - Dynamic Resolution" }, { "id": "T1574", "name": "Hijack Execution Flow", "display_name": "T1574 - Hijack Execution Flow" }, { "id": "T1583", "name": "Acquire Infrastructure", "display_name": "T1583 - Acquire Infrastructure" } ], "industries": [ "Legal", "Government", "Healthcare", "Technology", "Telecommunications" ], "TLP": "white", "cloned_from": "6905d40f781d7d58d4021a20", "export_count": 11, "upvotes_count": 0, "downvotes_count": 0, "votes_count": 0, "locked": false, "pulse_source": "web", "validator_count": 0, "comment_count": 0, "follower_count": 0, "vote": 0, "author": { "username": "Q.Vashti", "id": "337942", "avatar_url": "https://otx.alienvault.com/assets/images/default-avatar.png", "is_subscribed": false, "is_following": false }, "indicator_type_counts": { "URL": 7556, "domain": 4779, "hostname": 2053, "FileHash-SHA256": 7233, "FileHash-MD5": 474, "FileHash-SHA1": 470, "CVE": 4, "email": 4 }, "indicator_count": 22573, "is_author": false, "is_subscribing": null, "subscriber_count": 138, "modified_text": "139 days ago ", "is_modified": true, "groups": [], "in_group": false, "threat_hunter_scannable": true, "threat_hunter_has_agents": 1, "related_indicator_type": "domain", "related_indicator_is_active": 1 } ], "error": null, "vt": { "error": "VirusTotal rate limit reached. Try again shortly.", "indicator": "reactbanner.com", "type": "Domain" }, "abuseipdb": null, "urlhaus": { "indicator": "reactbanner.com", "found": false, "verdict": "clean", "urls": [], "error": null }, "from_cache": true, "_cached_at": 1776616751.4145327 }