{ "type": "Domain", "indicator": "uzzipay.com", "general": { "sections": [ "general", "geo", "url_list", "passive_dns", "malware", "whois", "http_scans" ], "whois": "http://whois.domaintools.com/uzzipay.com", "alexa": "http://www.alexa.com/siteinfo/uzzipay.com", "indicator": "uzzipay.com", "type": "domain", "type_title": "Domain", "validation": [], "base_indicator": { "id": 3779075839, "indicator": "uzzipay.com", "type": "domain", "title": "", "description": "", "content": "", "access_type": "public", "access_reason": "" }, "pulse_info": { "count": 10, "pulses": [ { "id": "69d1f8041acb7d71607578f3", "name": "CAPE Sandbox", "description": "<>", "modified": "2026-04-05T06:02:06.057000", "created": "2026-04-05T05:49:56.708000", "tags": [ "verisign", "verisign class", "display driver", "verisign trust", "network o", "pulses", "code signing", "mon feb", "public primary", "digital id", "class", "win32 exe", "pe32", "ms windows", "icons library", "os2 executable", "generic windos", "executable", "dos executable", "pe64 compiler", "ltcgc", "status", "issuer verisign", "ca valid", "from", "valid", "valid usage", "algorithm", "thumbprint", "ca status", "g5 valid", "verisign status", "valid issuer", "client auth", "hash", "cf b8", "b7 b4", "a8 f0", "ab c5", "bb f6", "f7 a3", "name verisign", "g5 issuer", "microsoft code", "valid from", "thumbprint md5", "serial number", "ec f2", "init", "copyright", "product monitor", "original name", "file version", "word document", "file v2", "document", "outlook", "settings", "generic ole2", "multistream", "compound", "time stamping", "signer", "g4 issuer", "symantec time", "stamping", "g2 valid", "open xml", "zip archive", "word microsoft", "office open", "xml format", "open packaging", "cf f4", "c8 fe", "digicert sha2", "assured id" ], "references": [], "public": 1, "adversary": "", "targeted_countries": [], "malware_families": [], "attack_ids": [ { "id": "T1553", "name": "Subvert Trust Controls", "display_name": "T1553 - Subvert Trust Controls" }, { "id": "T1046", "name": "Network Service Scanning", "display_name": "T1046 - Network Service Scanning" }, { "id": "T1055", "name": "Process Injection", "display_name": "T1055 - Process Injection" }, { "id": "T1071", "name": "Application Layer Protocol", "display_name": "T1071 - Application Layer Protocol" }, { "id": "T1095", "name": "Non-Application Layer Protocol", "display_name": "T1095 - Non-Application Layer Protocol" }, { "id": "T1573", "name": "Encrypted Channel", "display_name": "T1573 - Encrypted Channel" }, { "id": "T1140", "name": "Deobfuscate/Decode Files or Information", "display_name": "T1140 - Deobfuscate/Decode Files or Information" } ], "industries": [], "TLP": "green", "cloned_from": null, "export_count": 1, "upvotes_count": 0, "downvotes_count": 0, "votes_count": 0, "locked": false, "pulse_source": "web", "validator_count": 0, "comment_count": 0, "follower_count": 0, "vote": 0, "author": { "username": "msudosos", "id": "381696", "avatar_url": "https://otx.alienvault.com/assets/images/default-avatar.png", "is_subscribed": false, "is_following": false }, "indicator_type_counts": { "FileHash-MD5": 71, "FileHash-SHA1": 54, "FileHash-SHA256": 1900, "URL": 684, "IPv4": 135, "hostname": 657, "domain": 387 }, "indicator_count": 3888, "is_author": false, "is_subscribing": null, "subscriber_count": 49, "modified_text": "14 days ago ", "is_modified": true, "groups": [], "in_group": false, "threat_hunter_scannable": true, "threat_hunter_has_agents": 1, "related_indicator_type": "domain", "related_indicator_is_active": 1 }, { "id": "69d1f8066431fee3647fa5ff", "name": "CAPE Sandbox", "description": "<>", "modified": "2026-04-05T05:53:01.644000", "created": "2026-04-05T05:49:58.156000", "tags": [ "verisign", "verisign class", "display driver", "verisign trust", "network o", "pulses", "code signing", "mon feb", "public primary", "digital id", "class", "win32 exe", "pe32", "ms windows", "icons library", "os2 executable", "generic windos", "executable", "dos executable", "pe64 compiler", "ltcgc", "status", "issuer verisign", "ca valid", "from", "valid", "valid usage", "algorithm", "thumbprint", "ca status", "g5 valid", "verisign status", "valid issuer", "client auth", "hash", "cf b8", "b7 b4", "a8 f0", "ab c5", "bb f6", "f7 a3", "name verisign", "g5 issuer", "microsoft code", "valid from", "thumbprint md5", "serial number", "ec f2", "init", "copyright", "product monitor", "original name", "file version", "word document", "file v2", "document", "outlook", "settings", "generic ole2", "multistream", "compound", "time stamping", "signer", "g4 issuer", "symantec time", "stamping", "g2 valid", "open xml", "zip archive", "word microsoft", "office open", "xml format", "open packaging", "cf f4", "c8 fe", "digicert sha2", "assured id" ], "references": [], "public": 1, "adversary": "", "targeted_countries": [], "malware_families": [], "attack_ids": [ { "id": "T1553", "name": "Subvert Trust Controls", "display_name": "T1553 - Subvert Trust Controls" }, { "id": "T1046", "name": "Network Service Scanning", "display_name": "T1046 - Network Service Scanning" }, { "id": "T1055", "name": "Process Injection", "display_name": "T1055 - Process Injection" }, { "id": "T1071", "name": "Application Layer Protocol", "display_name": "T1071 - Application Layer Protocol" }, { "id": "T1095", "name": "Non-Application Layer Protocol", "display_name": "T1095 - Non-Application Layer Protocol" }, { "id": "T1573", "name": "Encrypted Channel", "display_name": "T1573 - Encrypted Channel" }, { "id": "T1140", "name": "Deobfuscate/Decode Files or Information", "display_name": "T1140 - Deobfuscate/Decode Files or Information" } ], "industries": [], "TLP": "green", "cloned_from": null, "export_count": 2, "upvotes_count": 0, "downvotes_count": 0, "votes_count": 0, "locked": false, "pulse_source": "web", "validator_count": 0, "comment_count": 0, "follower_count": 0, "vote": 0, "author": { "username": "msudosos", "id": "381696", "avatar_url": "https://otx.alienvault.com/assets/images/default-avatar.png", "is_subscribed": false, "is_following": false }, "indicator_type_counts": { "FileHash-MD5": 71, "FileHash-SHA1": 54, "FileHash-SHA256": 1900, "URL": 684, "IPv4": 135, "hostname": 657, "domain": 387, "CVE": 6 }, "indicator_count": 3894, "is_author": false, "is_subscribing": null, "subscriber_count": 49, "modified_text": "14 days ago ", "is_modified": false, "groups": [], "in_group": false, "threat_hunter_scannable": true, "threat_hunter_has_agents": 1, "related_indicator_type": "domain", "related_indicator_is_active": 1 }, { "id": "68c62306c74c7f57dc993d13", "name": "Predator - Dr. Jeffrey Reimer, DPT - Physical Therapist in Denver, CO | Healthgrades", "description": "Malware with code overlap. JSR , DPT Health Grades account has been removed. An investigator claims Reimer & family have been moved, names , career , changes years ago, claims of government protection for him. After victims MRI JSR left town immediately. Returning in 2016 , coincidentally driving near victim location on various locations. \nIt\u2019s disgusting how technology is being used to cover up a crime instead of solve one.\n#code_overlap #malware #hosts_contacted\n#itstoolatetoapologizeitstoolate", "modified": "2025-10-14T01:04:58.605000", "created": "2025-09-14T02:05:58.793000", "tags": [ "denver", "jeffrey reimer", "star rating", "appointment", "post", "response are", "listened", "wait", "reimer", "healthgrades", "reply flag", "doctors", "find", "jeff", "back", "aurora", "leave", "crying", "tips", "tags na", "utc scorecard", "research beacon", "utc yahoo", "dot tags", "united", "mozilla", "write c", "nsisinetc", "undetermined", "medium", "intel", "ms windows", "write", "trojan", "defender", "delphi", "win32", "malware", "win64", "local", "next", "code overlap", "dynamicloader", "as15169", "brazil as28604", "brazil as396982", "upatre", "passive dns", "title error", "ipv4 add", "pulse pulses", "urls", "files", "reverse dns", "location united", "america flag", "body", "script script", "powder sdk", "a domains", "title", "script", "certificate", "hostname add", "pulse submit", "meta", "learn", "command", "ck id", "name tactics", "suspicious", "informative", "spawns", "evasion att", "t1480 execution", "signing defense", "flag", "whois privacy", "service name", "server", "contacted hosts", "ip address", "process details", "size", "div id", "beginstring", "beginerror", "null", "error", "strings", "refresh", "tools", "onload", "click", "span", "remote access" ], "references": [ "#Lowfi:AGGREGATOR:HasKnownAdwareDomain_NsisBundler", "YARA: Delphi This program must be run under Win32 compilers TrojanWin32Fakemalard Ujhhd", "CodeOverlap | All malware listed exists", "Observed Cloudflare DNS over HTTPS Domain (cloudflare-dns .com in TLS SNI)", "All #tags auto populated.", "URL http://virii.es/M/Mobile Malware Attacks and Defense.pdf", "blog.manpowergroup.com.py (aww like dadvocates)", "https://isexychat.com/chatrooms/teen-chat/with-others/\t (sounds about right)", "r53lbr.run-delete-app-sa-east-1-1.run-delete-test-sa-east-1-9zt9rjv.forgeapps.ec2.aws.dev" ], "public": 1, "adversary": "", "targeted_countries": [], "malware_families": [ { "id": "#Lowfi:AGGREGATOR:HasKnownAdwareDomain_NsisBundler.", "display_name": "#Lowfi:AGGREGATOR:HasKnownAdwareDomain_NsisBundler.", "target": null }, { "id": "Win.Malware.Tfuvtcog-7194372-0", "display_name": "Win.Malware.Tfuvtcog-7194372-0", "target": null }, { "id": "Trojan.Win32.Fakemalard", "display_name": "Trojan.Win32.Fakemalard", "target": null }, { "id": "Code Overlap", "display_name": "Code Overlap", "target": null }, { "id": "Trojan.Win32.Banload", "display_name": "Trojan.Win32.Banload", "target": null }, { "id": "Formbook", "display_name": "Formbook", "target": null }, { "id": "Malware", "display_name": "Malware", "target": null } ], "attack_ids": [ { "id": "T1045", "name": "Software Packing", "display_name": "T1045 - Software Packing" }, { "id": "T1063", "name": "Security Software Discovery", "display_name": "T1063 - Security Software Discovery" }, { "id": "T1027", "name": "Obfuscated Files or Information", "display_name": "T1027 - Obfuscated Files or Information" }, { "id": "T1057", "name": "Process Discovery", "display_name": "T1057 - Process Discovery" }, { "id": "T1071", "name": "Application Layer Protocol", "display_name": "T1071 - Application Layer Protocol" }, { "id": "T1105", "name": "Ingress Tool Transfer", "display_name": "T1105 - Ingress Tool Transfer" }, { "id": "T1480", "name": "Execution Guardrails", "display_name": "T1480 - Execution Guardrails" }, { "id": "T1553", "name": "Subvert Trust Controls", "display_name": "T1553 - Subvert Trust Controls" }, { "id": "T1568", "name": "Dynamic Resolution", "display_name": "T1568 - Dynamic Resolution" }, { "id": "T1140", "name": "Deobfuscate/Decode Files or Information", "display_name": "T1140 - Deobfuscate/Decode Files or Information" } ], "industries": [ "Medical", "Media", "Government." ], "TLP": "white", "cloned_from": null, "export_count": 11, "upvotes_count": 0, "downvotes_count": 0, "votes_count": 0, "locked": false, "pulse_source": "web", "validator_count": 0, "comment_count": 0, "follower_count": 0, "vote": 0, "author": { "username": "Q.Vashti", "id": "337942", "avatar_url": "https://otx.alienvault.com/assets/images/default-avatar.png", "is_subscribed": false, "is_following": false }, "indicator_type_counts": { "hostname": 609, "URL": 1550, "domain": 280, "FileHash-SHA256": 1428, "FileHash-MD5": 133, "FileHash-SHA1": 115, "SSLCertFingerprint": 4 }, "indicator_count": 4119, "is_author": false, "is_subscribing": null, "subscriber_count": 139, "modified_text": "187 days ago ", "is_modified": true, "groups": [], "in_group": false, "threat_hunter_scannable": true, "threat_hunter_has_agents": 1, "related_indicator_type": "domain", "related_indicator_is_active": 1 }, { "id": "68c62316b24b23e6d4c579ef", "name": "Predator - Dr. Jeffrey Reimer, DPT - Physical Therapist in Denver, CO | Healthgrades", "description": "Malware with code overlap. JSR , DPT Health Grades account has been removed. An investigator claims Reimer & family have been moved, names , career , changes years ago, claims of government protection for him. After victims MRI JSR left town immediately. Returning in 2016 , coincidentally driving near victim location on various locations. \nIt\u2019s disgusting how technology is being used to cover up a crime instead of solve one.\n#code_overlap #malware #hosts_contacted\n#itstoolatetoapologizeitstoolate", "modified": "2025-10-14T01:04:58.605000", "created": "2025-09-14T02:06:14.853000", "tags": [ "denver", "jeffrey reimer", "star rating", "appointment", "post", "response are", "listened", "wait", "reimer", "healthgrades", "reply flag", "doctors", "find", "jeff", "back", "aurora", "leave", "crying", "tips", "tags na", "utc scorecard", "research beacon", "utc yahoo", "dot tags", "united", "mozilla", "write c", "nsisinetc", "undetermined", "medium", "intel", "ms windows", "write", "trojan", "defender", "delphi", "win32", "malware", "win64", "local", "next", "code overlap", "dynamicloader", "as15169", "brazil as28604", "brazil as396982", "upatre", "passive dns", "title error", "ipv4 add", "pulse pulses", "urls", "files", "reverse dns", "location united", "america flag", "body", "script script", "powder sdk", "a domains", "title", "script", "certificate", "hostname add", "pulse submit", "meta", "learn", "command", "ck id", "name tactics", "suspicious", "informative", "spawns", "evasion att", "t1480 execution", "signing defense", "flag", "whois privacy", "service name", "server", "contacted hosts", "ip address", "process details", "size", "div id", "beginstring", "beginerror", "null", "error", "strings", "refresh", "tools", "onload", "click", "span", "remote access" ], "references": [ "#Lowfi:AGGREGATOR:HasKnownAdwareDomain_NsisBundler", "YARA: Delphi This program must be run under Win32 compilers TrojanWin32Fakemalard Ujhhd", "CodeOverlap | All malware listed exists", "Observed Cloudflare DNS over HTTPS Domain (cloudflare-dns .com in TLS SNI)", "All #tags auto populated.", "URL http://virii.es/M/Mobile Malware Attacks and Defense.pdf", "blog.manpowergroup.com.py (aww like dadvocates)", "https://isexychat.com/chatrooms/teen-chat/with-others/\t (sounds about right)", "r53lbr.run-delete-app-sa-east-1-1.run-delete-test-sa-east-1-9zt9rjv.forgeapps.ec2.aws.dev" ], "public": 1, "adversary": "", "targeted_countries": [], "malware_families": [ { "id": "#Lowfi:AGGREGATOR:HasKnownAdwareDomain_NsisBundler.", "display_name": "#Lowfi:AGGREGATOR:HasKnownAdwareDomain_NsisBundler.", "target": null }, { "id": "Win.Malware.Tfuvtcog-7194372-0", "display_name": "Win.Malware.Tfuvtcog-7194372-0", "target": null }, { "id": "Trojan.Win32.Fakemalard", "display_name": "Trojan.Win32.Fakemalard", "target": null }, { "id": "Code Overlap", "display_name": "Code Overlap", "target": null }, { "id": "Trojan.Win32.Banload", "display_name": "Trojan.Win32.Banload", "target": null }, { "id": "Formbook", "display_name": "Formbook", "target": null }, { "id": "Malware", "display_name": "Malware", "target": null }, { "id": "Too much to search for", "display_name": "Too much to search for", "target": null } ], "attack_ids": [ { "id": "T1045", "name": "Software Packing", "display_name": "T1045 - Software Packing" }, { "id": "T1063", "name": "Security Software Discovery", "display_name": "T1063 - Security Software Discovery" }, { "id": "T1027", "name": "Obfuscated Files or Information", "display_name": "T1027 - Obfuscated Files or Information" }, { "id": "T1057", "name": "Process Discovery", "display_name": "T1057 - Process Discovery" }, { "id": "T1071", "name": "Application Layer Protocol", "display_name": "T1071 - Application Layer Protocol" }, { "id": "T1105", "name": "Ingress Tool Transfer", "display_name": "T1105 - Ingress Tool Transfer" }, { "id": "T1480", "name": "Execution Guardrails", "display_name": "T1480 - Execution Guardrails" }, { "id": "T1553", "name": "Subvert Trust Controls", "display_name": "T1553 - Subvert Trust Controls" }, { "id": "T1568", "name": "Dynamic Resolution", "display_name": "T1568 - Dynamic Resolution" }, { "id": "T1140", "name": "Deobfuscate/Decode Files or Information", "display_name": "T1140 - Deobfuscate/Decode Files or Information" } ], "industries": [ "Medical", "Media", "Government." ], "TLP": "white", "cloned_from": null, "export_count": 9, "upvotes_count": 0, "downvotes_count": 0, "votes_count": 0, "locked": false, "pulse_source": "web", "validator_count": 0, "comment_count": 0, "follower_count": 0, "vote": 0, "author": { "username": "Q.Vashti", "id": "337942", "avatar_url": "https://otx.alienvault.com/assets/images/default-avatar.png", "is_subscribed": false, "is_following": false }, "indicator_type_counts": { "hostname": 609, "URL": 1550, "domain": 280, "FileHash-SHA256": 1428, "FileHash-MD5": 133, "FileHash-SHA1": 115, "SSLCertFingerprint": 4 }, "indicator_count": 4119, "is_author": false, "is_subscribing": null, "subscriber_count": 139, "modified_text": "187 days ago ", "is_modified": true, "groups": [], "in_group": false, "threat_hunter_scannable": true, "threat_hunter_has_agents": 1, "related_indicator_type": "domain", "related_indicator_is_active": 1 }, { "id": "68abf66e97031d0ff0c04fed", "name": "Packed sentient.industries links to a targets business website", "description": "Very malicious link found in a targets business.\nPacked. Needs to be categorized.\n(FoundryPalantir rich?) Tracking, hacking, and serious espionage.\nAvailable public Information: \nSENTIENT INDUSTRIES\nsentient.industries\nSentient industries provides design and engineering services, from prototyping to small-batch manufacturing, empowering clients to overcome complex challenges. |\nMore about sentient\nMission sentient accelerates mission critical technology for\u2026\nSENTIENT INDUSTRIES\nAccelerating mission-critical tech for disaster response, defense ...\nContact Now\nAustin, tx 78758. United States. EMAIL us. info@sentient \n\nWorse than it looks. Spying on a several threat researchers.", "modified": "2025-09-24T04:04:05.604000", "created": "2025-08-25T05:36:46.327000", "tags": [ "moved", "body", "x cache", "cloudfront x", "cph50 c2", "certificate", "record value", "title", "h1 center", "server", "redacted for", "servers", "name redacted", "for privacy", "name servers", "org data", "privacy city", "privacy country", "ca creation", "passive dns", "urls", "files", "ip address", "asn as57033", "less whois", "registrar", "tucows domains", "key identifier", "data", "v3 serial", "number", "cat ozerossl", "cnzerossl ecc", "domain secure", "site ca", "validity", "subject public", "extraction", "data upload", "extra data", "include review", "find", "failed", "typ no", "ms windows", "intel", "pe32", "united", "search", "as16509", "from win32bios", "show", "high", "medium", "delphi", "copy", "write", "launcher", "next", "present aug", "present jul", "lowfi", "win32", "a div", "div div", "learn xml", "babylon", "win64", "trojan", "colors", "python", "learn", "ck id", "name tactics", "suspicious", "informative", "command", "adversaries", "spawns", "mitre att", "ck techniques", "et info", "tls handshake", "bad traffic", "failure", "date", "august", "hybrid", "general", "path", "starfield", "click", "strings", "se bethseda", "n bethseda", "n data", "error", "date checked", "url hostname", "server response", "google safe", "results aug", "read c", "tlsv1", "port", "destination", "module load", "execution", "dock", "persistence", "malware", "unknown", "cname", "aaaa", "creation date", "showing", "domain", "dga domains", "palantirfoundry", "foundry", "status", "unknown ns", "g2 tls", "rsa sha256", "italy unknown", "mtb may", "trojandropper", "invalid url", "next associated", "ddos", "body html", "hacktool", "ipv4", "url analysis", "ukraine", "encrypt", "rl add", "http", "hostname", "files domain", "files related", "related tags", "present jun", "entries", "title error", "all ipv4", "reverse dns", "yara detections", "top source", "top destination", "source source", "sha256 add", "pulse pulses", "av detections", "ids detections", "alerts", "analysis date", "address range", "cidr", "network name", "allocation type", "whois server", "entity amazon4", "handle", "canada unknown", "content type", "javascript src", "script script", "x powered", "ipv4 add", "pulse submit", "submit url", "analysis", "url add", "related nids", "files location", "canada flag", "canada hostname", "unknown aaaa", "ascii text", "user agent", "powershell", "agent", "czechia unknown", "domain add", "dynamicloader", "hostname add", "pentagon", "defense" ], "references": [ "sentient.industries affects independent artists. Affects several others.", "Bethseda Map - Yara Detections Delphi , InnoSetupInstaller", "Bethseda Map - High Priority Alerts: ransomware_file_moves ransomware_appends_extensions", "Bethseda Map - High Priority Alerts: dumped_buffer2 antisandbox_mouse_hook", "Bethseda Map - High Priority Alerts: modifies_certificates ransomware_dropped_files", "Bethseda Map - High Priority Alerts: ransomware_mass_file_delete antivm_firmware", "Bethseda Map - High Priority Alerts: antiemu_wine banker_zeus_p2p", "https://download.mobiledit.com/drivers/setup_cdd_apple_1_0_10_0.exe", "https://forensic.manuals.mobiledit.com/MM/how-to-install-correct-apple-drivers", "prod.foundry.tylertechai.com \u2022 qa.foundry.tylertechai.com \u2022 staging.foundry.tylertechai.com \u2022", "talos-staging.palantirfoundry.com \u2022 tylertechai.com \u2022 Palantir Technologies Inc.\u2022 palantirfoundry.com", "Affects : Kailula4 , scnrscnr, SongCulture, Tsara Brashears & associated, ScrnrScrnr , dorkingbeauty", "Interesting widgets: https://myid.canon/prd/1.1.30/canonid-assets/gcid-widget.html", "http://link.monetizer101.com/widget/custom-2.0.2/templates/1", "https://widget-i18n.tiktokv.com.ttdns2.com/ \u2022 https://stella.demand-iq.com/widget", "widget-va.tiktokv.com.ttdns2.com \u2022 http://widget-i18n.tiktokv.com.ttdns2.com/", "http://link.monetizer101.com/widget/custom-2.0.3/js/load.min.js \u2022", "https://link.monetizer101.com/widget/code/595.js \u2022 https://link.monetizer101.com/widget/code/1343.js", "https://link.monetizer101.com/widget/code/1511.js \u2022 https://link.monetizer101.com/widget/code/mirror.js", "https://link.monetizer101.com/widget/code/dailystaruk.js", "https://download.mobiledit.com/drivers/setup_cdd_apple_1_0_10_0.exe", "https://forensic.manuals.mobiledit.com/MM/how-to-install-correct-apple-drivers (ASP.NET)", "Interesting Strings: https://pro-api.coinmarketcap.com/v2/cryptocurrency/quotes/historical", "(Can't access file- Malware infection files)", "Potential reparations: Spyware , Trojan , Pegasus , DNS , Graphite , Paragon , NSO Group , Endgame , Cloudfront", "constellation.pcfrpegaservice.net (Pegasus related? idk)", "On behalf of pcfrpegaservice.net owner Name Servers\tNS-1477.AWSDNS-56.ORG Org\tIdentity Protection Service", "TrojanWin32Scoreem - CodeOverlap [616fc7047d6216f7a604fa90f2f2dd0ad5b12f1153137e43858d3421ba964ea4]", "I have to breakdown this enormous post over time. I\u2019m going to repost a potential hackers similar post", "Remotewd.com devices", "If you find anything interesting please research it." ], "public": 1, "adversary": "", "targeted_countries": [ "United States of America" ], "malware_families": [ { "id": "nUFS_inno", "display_name": "nUFS_inno", "target": null }, { "id": "#Lowfi:HSTR:MSIL/Malicious", "display_name": "#Lowfi:HSTR:MSIL/Malicious", "target": null }, { "id": "ALF:JASYP:PUA:Win32/Bibado", "display_name": "ALF:JASYP:PUA:Win32/Bibado", "target": null }, { "id": "Trojan:Win32/Toga", "display_name": "Trojan:Win32/Toga", "target": "/malware/Trojan:Win32/Toga" }, { "id": "Win32:Downloader-GJK\\ [Trj]", "display_name": "Win32:Downloader-GJK\\ [Trj]", "target": null }, { "id": "Win.Downloader.109205-1", "display_name": "Win.Downloader.109205-1", "target": null }, { "id": "Custom Malware", "display_name": "Custom Malware", "target": null }, { "id": "#LowFiEnableDTContinueAfterUnpacking", "display_name": "#LowFiEnableDTContinueAfterUnpacking", "target": null }, { "id": "Win32:Downloader-GJK\\ [Trj]", "display_name": "Win32:Downloader-GJK\\ [Trj]", "target": null }, { "id": "Win.Downloader.109205-1", "display_name": "Win.Downloader.109205-1", "target": null }, { "id": "Win.Trojan.Jorik-149", "display_name": "Win.Trojan.Jorik-149", "target": null }, { "id": "#LowFiDetectsVmWare", "display_name": "#LowFiDetectsVmWare", "target": null }, { "id": "Win.Trojan.Jorik-130", "display_name": "Win.Trojan.Jorik-130", "target": null }, { "id": "Win.Trojan.Fakecodecs-119", "display_name": "Win.Trojan.Fakecodecs-119", "target": null }, { "id": "Trojan:Win32/Zombie.A", "display_name": "Trojan:Win32/Zombie.A", "target": "/malware/Trojan:Win32/Zombie.A" }, { "id": "Win.Trojan.Bulz-9860169-0", "display_name": "Win.Trojan.Bulz-9860169-0", "target": null }, { "id": "Win.Malware.Midie-6847892-0", "display_name": "Win.Malware.Midie-6847892-0", "target": null }, { "id": "TrojanDropper:Win32/Muldrop.V!MTB", "display_name": "TrojanDropper:Win32/Muldrop.V!MTB", "target": "/malware/TrojanDropper:Win32/Muldrop.V!MTB" }, { "id": "Win.Packed.Razy-9785185-0", "display_name": "Win.Packed.Razy-9785185-0", "target": null }, { "id": "Trojan:Win32/Glupteba.MT!MTB", "display_name": "Trojan:Win32/Glupteba.MT!MTB", "target": "/malware/Trojan:Win32/Glupteba.MT!MTB" }, { "id": "PWS", "display_name": "PWS", "target": null }, { "id": "DDOS:Win32/Stormser.A", "display_name": "DDOS:Win32/Stormser.A", "target": "/malware/DDOS:Win32/Stormser.A" }, { "id": "ALF:HSTR:DotNET", "display_name": "ALF:HSTR:DotNET", "target": null }, { "id": "DotNET", "display_name": "DotNET", "target": null }, { "id": "Script Exploit", "display_name": "Script Exploit", "target": null }, { "id": "HackTool:Win32/AutoKMS", "display_name": "HackTool:Win32/AutoKMS", "target": "/malware/HackTool:Win32/AutoKMS" }, { "id": "Xanfpezes.A", "display_name": "Xanfpezes.A", "target": null }, { "id": "Trojan:Win32/Gandcrab", "display_name": "Trojan:Win32/Gandcrab", "target": "/malware/Trojan:Win32/Gandcrab" }, { "id": "Win.Trojan.Generic-9862772-0", "display_name": "Win.Trojan.Generic-9862772-0", "target": null }, { "id": "Trojan:Win32/Zbot.SIBL!MTB", "display_name": "Trojan:Win32/Zbot.SIBL!MTB", "target": "/malware/Trojan:Win32/Zbot.SIBL!MTB" }, { "id": "Win32/Nemucod", "display_name": "Win32/Nemucod", "target": null }, { "id": "ALF:HeraklezEval:TrojanDownloader:HTML/Adodb!rfn", "display_name": "ALF:HeraklezEval:TrojanDownloader:HTML/Adodb!rfn", "target": null }, { "id": "Trojan:Win32/Blihan.A", "display_name": "Trojan:Win32/Blihan.A", "target": "/malware/Trojan:Win32/Blihan.A" }, { "id": "TrojanDropper:Win32/Muldrop", "display_name": "TrojanDropper:Win32/Muldrop", "target": "/malware/TrojanDropper:Win32/Muldrop" }, { "id": "ALF:HeraklezEval:Trojan:Win32/Ymacco.AA47", "display_name": "ALF:HeraklezEval:Trojan:Win32/Ymacco.AA47", "target": null }, { "id": "Win.Malware.Kolab-9885903-0", "display_name": "Win.Malware.Kolab-9885903-0", "target": null }, { "id": "Win.Malware (30)", "display_name": "Win.Malware (30)", "target": null }, { "id": "Ransom", "display_name": "Ransom", "target": null }, { "id": "#Lowfi:HSTR:MSIL/Malicious.Decryption", "display_name": "#Lowfi:HSTR:MSIL/Malicious.Decryption", "target": null }, { "id": "E5", "display_name": "E5", "target": null }, { "id": "MyDoom", "display_name": "MyDoom", "target": null } ], "attack_ids": [ { "id": "T1047", "name": "Windows Management Instrumentation", "display_name": "T1047 - Windows Management Instrumentation" }, { "id": "T1060", "name": "Registry Run Keys / Startup Folder", "display_name": "T1060 - Registry Run Keys / Startup Folder" }, { "id": "T1119", "name": "Automated Collection", "display_name": "T1119 - Automated Collection" }, { "id": "T1027", "name": "Obfuscated Files or Information", "display_name": "T1027 - Obfuscated Files or Information" }, { "id": "T1057", "name": "Process Discovery", "display_name": "T1057 - Process Discovery" }, { "id": "T1071", "name": "Application Layer Protocol", "display_name": "T1071 - Application Layer Protocol" }, { "id": "T1105", "name": "Ingress Tool Transfer", "display_name": "T1105 - Ingress Tool Transfer" }, { "id": "T1480", "name": "Execution Guardrails", "display_name": "T1480 - Execution Guardrails" }, { "id": "T1553", "name": "Subvert Trust Controls", "display_name": "T1553 - Subvert Trust Controls" }, { "id": "T1583", "name": "Acquire Infrastructure", "display_name": "T1583 - Acquire Infrastructure" }, { "id": "T1113", "name": "Screen Capture", "display_name": "T1113 - Screen Capture" }, { "id": "T1140", "name": "Deobfuscate/Decode Files or Information", "display_name": "T1140 - Deobfuscate/Decode Files or Information" }, { "id": "T1053", "name": "Scheduled Task/Job", "display_name": "T1053 - Scheduled Task/Job" }, { "id": "T1055", "name": "Process Injection", "display_name": "T1055 - Process Injection" }, { "id": "T1082", "name": "System Information Discovery", "display_name": "T1082 - System Information Discovery" }, { "id": "T1112", "name": "Modify Registry", "display_name": "T1112 - Modify Registry" }, { "id": "T1129", "name": "Shared Modules", "display_name": "T1129 - Shared Modules" }, { "id": "T1143", "name": "Hidden Window", "display_name": "T1143 - Hidden Window" }, { "id": "T1003.008", "name": "/etc/passwd and /etc/shadow", "display_name": "T1003.008 - /etc/passwd and /etc/shadow" }, { "id": "T1110.002", "name": "Password Cracking", "display_name": "T1110.002 - Password Cracking" } ], "industries": [], "TLP": "white", "cloned_from": null, "export_count": 40, "upvotes_count": 0, "downvotes_count": 0, "votes_count": 0, "locked": false, "pulse_source": "web", "validator_count": 0, "comment_count": 0, "follower_count": 0, "vote": 0, "author": { "username": "Q.Vashti", "id": "337942", "avatar_url": "https://otx.alienvault.com/assets/images/default-avatar.png", "is_subscribed": false, "is_following": false }, "indicator_type_counts": { "domain": 6232, "URL": 24908, "hostname": 7993, "FileHash-SHA256": 11128, "email": 6, "FileHash-MD5": 1054, "FileHash-SHA1": 932, "SSLCertFingerprint": 14, "CIDR": 3, "CVE": 3 }, "indicator_count": 52273, "is_author": false, "is_subscribing": null, "subscriber_count": 146, "modified_text": "207 days ago ", "is_modified": true, "groups": [], "in_group": false, "threat_hunter_scannable": true, "threat_hunter_has_agents": 1, "related_indicator_type": "domain", "related_indicator_is_active": 1 }, { "id": "68596260a9ca6c4cc92ca068", "name": "Delete service | Affects Threat Research Platforms", "description": "Delete service attacking threat researchers platforms. Deletes , blocks, scrambles , attaches to accounts like an overlord monitoring and deletion of Io\u2019s across various platforms. \n\nIDS Rules: PROTOCOL-ICMP PATH MTU denial of service attempt\n\u2022 PROTOCOL-ICMP Destination Unreachable Fragmentation Needed and DF bit was set\n\u2022 Matches rule PROTOCOL-ICMP Echo Reply\nInteresting: TLS: SNI: slscr.update.microsoft.com\nSNI: nexusrules.officeapps.live.com\nSNI: login.live.com\nSNI: client.wns.windows.com", "modified": "2025-08-20T04:13:22.641000", "created": "2025-06-23T14:19:12.328000", "tags": [ "ta0004 defense", "evasion ta0005", "command", "control ta0011", "oc0006", "get http", "resolved ips", "dns resolutions", "request", "response", "windows nt", "win64", "khtml", "gecko", "ip address", "country name", "cname", "port", "accept", "gmt ifnonematch", "url data", "icmp", "mutexes nothing", "data", "datacrashpad", "edge", "created", "nothing", "html internet", "html document", "ascii text", "gtmkvjvztk dl" ], "references": [], "public": 1, "adversary": "", "targeted_countries": [], "malware_families": [], "attack_ids": [ { "id": "T1027", "name": "Obfuscated Files or Information", "display_name": "T1027 - Obfuscated Files or Information" } ], "industries": [], "TLP": "green", "cloned_from": null, "export_count": 17, "upvotes_count": 0, "downvotes_count": 0, "votes_count": 0, "locked": false, "pulse_source": "web", "validator_count": 0, "comment_count": 0, "follower_count": 0, "vote": 0, "author": { "username": "Q.Vashti", "id": "337942", "avatar_url": "https://otx.alienvault.com/assets/images/default-avatar.png", "is_subscribed": false, "is_following": false }, "indicator_type_counts": { "hostname": 2401, "URL": 5856, "FileHash-SHA256": 3473, "domain": 2188, "FileHash-MD5": 123, "FileHash-SHA1": 120, "CVE": 2 }, "indicator_count": 14163, "is_author": false, "is_subscribing": null, "subscriber_count": 141, "modified_text": "242 days ago ", "is_modified": true, "groups": [], "in_group": false, "threat_hunter_scannable": true, "threat_hunter_has_agents": 1, "related_indicator_type": "domain", "related_indicator_is_active": 1 }, { "id": "68730c407f8484c524c2d7f4", "name": "The Denver Post used for Fake news | Foundry | Twitter | Porn", "description": "Is the Denver Post a honey pot? Portal? Used for investigating? Smear campaigns? \n\nVictims reported for multiple years their names have been advertised in malicious red report campaigns, obituaries, threats. This has been true of the Ricky Mountain News which has been out of business for years and Denver Post.\n\n\nI can\u2019t annotate so I can\u2019t include references.\nReferences:\nFoundry\nTwitter\nDouglas Undersheriff who was either being smeared or heading a smear campaign.\nPorn\nTwitter \nInjured worker\u2019s compensation targets with la he loss including death.\nThey don\u2019t want to pay. Crazy fact: Workers compensation keeps the nearly a billion $ annually tax free. Does not want to pay. Bonuses doctors and anyone who will deny truly injured workers their compensation. \n#callthecopsifyousee_o-o_t_pac", "modified": "2025-08-12T01:02:51.771000", "created": "2025-07-13T01:30:40.917000", "tags": [ "gtmtlfp4r", "utc gtmtlfp4r", "domains", "hashes", "reverse dns", "url https", "general full", "united", "security tls", "resource", "protocol h2", "software", "hash", "name value", "main", "spurlock", "carlos illescas", "wordpress", "denver post", "server nginx", "date sun", "gmt contenttype", "connection", "wordpress vip", "https", "link", "json", "contentencoding", "miss xrq", "value", "july", "variables", "osano function", "gpp function", "tcfapi function", "uspapi", "mg2 string", "bcclass", "dfmadmodslevel", "xblocker", "extraction", "data upload", "extrac", "included data", "review ious", "u excluded", "suggesteroo", "ony incude", "failed", "so type", "extra data", "includec review", "exclude suggest", "find s", "s type", "ur extraction", "extract", "included ic", "review ioc", "type no", "extri", "include review", "exclude sugges", "typ filel", "filet filet" ], "references": [], "public": 1, "adversary": "", "targeted_countries": [], "malware_families": [], "attack_ids": [], "industries": [], "TLP": "green", "cloned_from": null, "export_count": 5, "upvotes_count": 0, "downvotes_count": 0, "votes_count": 0, "locked": false, "pulse_source": "web", "validator_count": 0, "comment_count": 0, "follower_count": 0, "vote": 0, "author": { "username": "Q.Vashti", "id": "337942", "avatar_url": "https://otx.alienvault.com/assets/images/default-avatar.png", "is_subscribed": false, "is_following": false }, "indicator_type_counts": { "URL": 1774, "FileHash-SHA256": 3808, "domain": 373, "FileHash-MD5": 155, "FileHash-SHA1": 135, "hostname": 1156 }, "indicator_count": 7401, "is_author": false, "is_subscribing": null, "subscriber_count": 138, "modified_text": "250 days ago ", "is_modified": true, "groups": [], "in_group": false, "threat_hunter_scannable": true, "threat_hunter_has_agents": 1, "related_indicator_type": "domain", "related_indicator_is_active": 1 }, { "id": "66f9980dbc0f1360dfdb7ac5", "name": "fbf29190e5e37fdd3962682e44b092fe8158b09deaf83cc2052c97d2a80e59ee // hxxp://www[.]microsoft[.]com/pkiops/crl/MicSecSerCA2011_2011-10-18[.]crl", "description": "https://www.virustotal.com/graph/embed/g01c31a9734354d3fa14dd33e4bf1ec770e47e5f31e58424a927132b65c0cc052?theme=dark\n\nVT Graph of: fbf29190e5e37fdd3962682e44b092fe8158b09deaf83cc2052c97d2a80e59ee // hxxp://www[.]microsoft[.]com/pkiops/crl/MicSecSerCA2011_2011-10-18[.]crl", "modified": "2024-10-31T22:02:55.263000", "created": "2024-09-29T18:10:21.653000", "tags": [ "entity", "Certificates", "Malcerts" ], "references": [ "https://www.virustotal.com/graph/embed/g01c31a9734354d3fa14dd33e4bf1ec770e47e5f31e58424a927132b65c0cc052?theme=dark", "http://www.hybrid-analysis.com/file-collection/66fac68ee418a841c80f2f92", "http://www.hybrid-analysis.com/file-collection/66fac9127c919f69780c6f51", "http://www.hybrid-analysis.com/file-collection/66faca03bf2d577d0707447e", "http://www.hybrid-analysis.com/file-collection/66faca7c1e2a6e5879090c09", "http://www.hybrid-analysis.com/file-collection/66facaef84282adfb805d499", "http://www.hybrid-analysis.com/file-collection/66fac600ca930ea26b059ede", "http://www.hybrid-analysis.com/file-collection/66fac890b85c51f0a00bb153", "http://www.hybrid-analysis.com/file-collection/66fac7f30821b4aa5f0666ed", "http://www.hybrid-analysis.com/file-collection/66fac7871e2a6e58790909fe", "http://www.hybrid-analysis.com/file-collection/66fac6de4c7499ee5303356c", "http://www.hybrid-analysis.com/file-collection/66fac978202166e31d059f2e", "http://www.hybrid-analysis.com/file-collection/66fac56e9086d458e6064fea", "https://urlscan.io/api/v1/result/5dea4d73-564a-4a37-88ef-da841b2bb274/", "https://urlscan.io/result/5dea4d73-564a-4a37-88ef-da841b2bb274/", "https://www.virustotal.com/gui/collection/aa215ea9a4819e7b629171f16969657ad55a22269acc626b32d5625eb3c16d9d/community", "https://www.virustotal.com/gui/collection/aa215ea9a4819e7b629171f16969657ad55a22269acc626b32d5625eb3c16d9d/iocs", "https://www.virustotal.com/gui/collection/aa215ea9a4819e7b629171f16969657ad55a22269acc626b32d5625eb3c16d9d", "https://www.virustotal.com/gui/collection/aa215ea9a4819e7b629171f16969657ad55a22269acc626b32d5625eb3c16d9d/graph" ], "public": 1, "adversary": "", "targeted_countries": [ "Canada", "United States of America" ], "malware_families": [], "attack_ids": [], "industries": [ "Government", "Telecommunications", "Technology", "Healthcare", "Education" ], "TLP": "white", "cloned_from": null, "export_count": 19, "upvotes_count": 0, "downvotes_count": 0, "votes_count": 0, "locked": false, "pulse_source": "web", "validator_count": 0, "comment_count": 1, "follower_count": 0, "vote": 0, "author": { "username": "Disable_Duck", "id": "244325", "avatar_url": "/otxapi/users/avatar_image/media/avatars/user_244325/resized/80/avatar_3b9c358f36.png", "is_subscribed": false, "is_following": false }, "indicator_type_counts": { "FileHash-MD5": 793, "FileHash-SHA1": 716, "FileHash-SHA256": 9805, "URL": 2314, "domain": 1937, "hostname": 2958, "CVE": 21 }, "indicator_count": 18544, "is_author": false, "is_subscribing": null, "subscriber_count": 131, "modified_text": "534 days ago ", "is_modified": true, "groups": [], "in_group": false, "threat_hunter_scannable": true, "threat_hunter_has_agents": 1, "related_indicator_type": "domain", "related_indicator_is_active": 1 }, { "id": "6546cf78627adef6562a97aa", "name": "Browser Malware Attack", "description": "Attacking my browser to identify.\nCommand for critical failure/destruction: https://search.app.goo.gl/?ofl=https://lens.google&al=googleapp://lens?lens_data=KAw&apn=com.google.android.googlequicksearchbox&amv=301204913&isi=284815942&ius=googleapp&ibi=com.goog", "modified": "2023-12-04T22:00:43.514000", "created": "2023-11-04T23:10:48.676000", "tags": [ "united", "facebook", "phishtank", "detection list", "ip address", "blacklist", "paypal", "cisco umbrella", "site", "alexa top", "safe site", "million", "malicious url", "malware site", "malicious site", "malware", "name verdict", "falcon sandbox", "reports no", "speci", "efr1", "pattern match", "file", "web open", "font format", "truetype", "indicator", "windows nt", "et tor", "known tor", "relayrouter", "date", "unknown", "general", "hybrid", "local", "stream", "click", "strings", "class", "generator", "critical", "error", "self", "http response", "final url", "serving ip", "address", "status code", "body length", "kb body", "sha256", "phishing site", "heur", "cyber threat", "unsafe", "riskware", "phishing", "bank", "service", "artemis", "team", "xtrat", "agent", "xrat", "filetour", "exploit", "conduit", "opencandy", "fusioncore", "orkut", "steam", "genkryptik", "runescape", "presenoker", "ramnit", "msil", "crack", "tofsee", "suppobox", "malicious", "simda", "vawtrak", "hotmail", "generic", "webtoolbar", "hsbc", "maltiverse", "ip summary", "url summary", "summary", "sample", "samples", "count blacklist", "tag count", "downldr", "cleaner", "iframe", "wacatac", "alexa", "win64", "swrort", "installcore", "azorult", "download", "blacknet rat", "stealer", "softcnapp", "nircmd", "unruy", "patcher", "adload", "dropper", "installpack", "tiggre", "gamehack", "trojanspy", "germany http", "attacker", "static engine", "internet storm", "center", "passive dns", "urls", "scan endpoints", "all search", "otx scoreblue", "url http", "pulse pulses", "http", "related nids" ], "references": [ "https://search.app.goo.gl/?ofl=https://lens.google&al=googleapp://lens?lens_data=KAw&apn=com.google.android.googlequicksearchbox&amv=301204913&isi=284815942&ius=googleapp&ibi=com.goog", "object.prototype.hasownproperty.call", "hasownproperty.call", "a.default.meta.applestore.id", "applestore.id", "http://decafsmob.this.id", "id.google.com", "http://critical-system-failure7250.21ny35098453.com-bm3y-v806d9gk.cricket/", "http://git.io/yBU2rg", "critical-failure-alert2286.40ek97931491.com-4nj1ze3ivfwy.website", "https://fairspin.io/?track_id=44698569&pid=1&geo=6252001&utm_source=bonafides&utm_medium=&utm_campaign=smarttds&utm_term=incorrect_param", "http://tracking.3061331.corn10wuk.club", "http://information.7174932.cakcuk.az/tracking/tracking.php?id=8459701&page=904", "apps.apple.com/us/app/id$", "t.name", "http://e.id?e.id:e.id.getAttribute", "location.search", "https://dnsorangetel.dn2.n-helix.com", "1080p-torrent.ml", "states.app", "dev-2.ernestatech.com", "https://hybrid-analysis.com/sample/d26000dfe1137f05f9187996dc752a703000402fe9e35a8ea216e9215a34560d", "209.85.145.113 [malware]", "cdn.fuckporntube.com", "www.search.app.goo.gl", "apps.apple.com", "http://www.youtube.com/gen_204?cplatform=tablet&c=android&cver=5.6.36&cos=Android&cosver=4.4.2&cbr=com.google.android.youtube&cbrv", "https://coloradosprings.americanlisted.com/pets-animals/beautiful-ragdoll-kittens_31591993.html", "globalworker1.sol.us", "worker-m-tlcus1.sol.us" ], "public": 1, "adversary": "", "targeted_countries": [ "United States of America", "Germany", "Ireland", "Singapore" ], "malware_families": [ { "id": "WebToolbar", "display_name": "WebToolbar", "target": null }, { "id": "HSBC", "display_name": "HSBC", "target": null }, { "id": "Maltiverse", "display_name": "Maltiverse", "target": null }, { "id": "GameHack", "display_name": "GameHack", "target": null }, { "id": "TrojanSpy", "display_name": "TrojanSpy", "target": null } ], "attack_ids": [ { "id": "T1041", "name": "Exfiltration Over C2 Channel", "display_name": "T1041 - Exfiltration Over C2 Channel" }, { "id": "T1059", "name": "Command and Scripting Interpreter", "display_name": "T1059 - Command and Scripting Interpreter" }, { "id": "T1071", "name": "Application Layer Protocol", "display_name": "T1071 - Application Layer Protocol" }, { "id": "T1105", "name": "Ingress Tool Transfer", "display_name": "T1105 - Ingress Tool Transfer" }, { "id": "T1114", "name": "Email Collection", "display_name": "T1114 - Email Collection" }, { "id": "T1497", "name": "Virtualization/Sandbox Evasion", "display_name": "T1497 - Virtualization/Sandbox Evasion" }, { "id": "T1059.007", "name": "JavaScript", "display_name": "T1059.007 - JavaScript" }, { "id": "TA0004", "name": "Privilege Escalation", "display_name": "TA0004 - Privilege Escalation" }, { "id": "T1210", "name": "Exploitation of Remote Services", "display_name": "T1210 - Exploitation of Remote Services" }, { "id": "T1071.001", "name": "Web Protocols", "display_name": "T1071.001 - Web Protocols" }, { "id": "T1071.004", "name": "DNS", "display_name": "T1071.004 - DNS" }, { "id": "T1055", "name": "Process Injection", "display_name": "T1055 - Process Injection" }, { "id": "T1496", "name": "Resource Hijacking", "display_name": "T1496 - Resource Hijacking" }, { "id": "T1176", "name": "Browser Extensions", "display_name": "T1176 - Browser Extensions" }, { "id": "T1027", "name": "Obfuscated Files or Information", "display_name": "T1027 - Obfuscated Files or Information" } ], "industries": [], "TLP": "white", "cloned_from": null, "export_count": 25, "upvotes_count": 0, "downvotes_count": 0, "votes_count": 0, "locked": false, "pulse_source": "web", "validator_count": 0, "comment_count": 0, "follower_count": 0, "vote": 0, "author": { "username": "scoreblue", "id": "254100", "avatar_url": "/otxapi/users/avatar_image/media/avatars/user_254100/resized/80/avatar_3b9c358f36.png", "is_subscribed": false, "is_following": false }, "indicator_type_counts": { "domain": 1015, "hostname": 1309, "FileHash-MD5": 466, "FileHash-SHA1": 255, "FileHash-SHA256": 3783, "URL": 4001, "CVE": 9, "email": 3 }, "indicator_count": 10841, "is_author": false, "is_subscribing": null, "subscriber_count": 225, "modified_text": "866 days ago ", "is_modified": true, "groups": [], "in_group": false, "threat_hunter_scannable": true, "threat_hunter_has_agents": 1, "related_indicator_type": "domain", "related_indicator_is_active": 1 }, { "id": "6546d0120a7e479fecffe2b1", "name": "Browser Malware Attack", "description": "Attacking browser to identify researcher.\nCommand for critical failure/destruction: https://search.app.goo.gl/?ofl=https://lens.google&al=googleapp://lens?lens_data=KAw&apn=com.google.android.googlequicksearchbox&amv=301204913&isi=284815942&ius=googleapp&ibi=com.goog", "modified": "2023-12-04T22:00:43.514000", "created": "2023-11-04T23:13:21.883000", "tags": [ "united", "facebook", "phishtank", "detection list", "ip address", "blacklist", "paypal", "cisco umbrella", "site", "alexa top", "safe site", "million", "malicious url", "malware site", "malicious site", "malware", "name verdict", "falcon sandbox", "reports no", "speci", "efr1", "pattern match", "file", "web open", "font format", "truetype", "indicator", "windows nt", "et tor", "known tor", "relayrouter", "date", "unknown", "general", "hybrid", "local", "stream", "click", "strings", "class", "generator", "critical", "error", "self", "http response", "final url", "serving ip", "address", "status code", "body length", "kb body", "sha256", "phishing site", "heur", "cyber threat", "unsafe", "riskware", "phishing", "bank", "service", "artemis", "team", "xtrat", "agent", "xrat", "filetour", "exploit", "conduit", "opencandy", "fusioncore", "orkut", "steam", "genkryptik", "runescape", "presenoker", "ramnit", "msil", "crack", "tofsee", "suppobox", "malicious", "simda", "vawtrak", "hotmail", "generic", "webtoolbar", "hsbc", "maltiverse", "ip summary", "url summary", "summary", "sample", "samples", "count blacklist", "tag count", "downldr", "cleaner", "iframe", "wacatac", "alexa", "win64", "swrort", "installcore", "azorult", "download", "blacknet rat", "stealer", "softcnapp", "nircmd", "unruy", "patcher", "adload", "dropper", "installpack", "tiggre", "gamehack", "trojanspy", "germany http", "attacker", "static engine", "internet storm", "center", "passive dns", "urls", "scan endpoints", "all search", "otx scoreblue", "url http", "pulse pulses", "http", "related nids" ], "references": [ "https://search.app.goo.gl/?ofl=https://lens.google&al=googleapp://lens?lens_data=KAw&apn=com.google.android.googlequicksearchbox&amv=301204913&isi=284815942&ius=googleapp&ibi=com.goog", "object.prototype.hasownproperty.call", "hasownproperty.call", "a.default.meta.applestore.id", "applestore.id", "http://decafsmob.this.id", "id.google.com", "http://critical-system-failure7250.21ny35098453.com-bm3y-v806d9gk.cricket/", "http://git.io/yBU2rg", "critical-failure-alert2286.40ek97931491.com-4nj1ze3ivfwy.website", "https://fairspin.io/?track_id=44698569&pid=1&geo=6252001&utm_source=bonafides&utm_medium=&utm_campaign=smarttds&utm_term=incorrect_param", "http://tracking.3061331.corn10wuk.club", "http://information.7174932.cakcuk.az/tracking/tracking.php?id=8459701&page=904", "apps.apple.com/us/app/id$", "t.name", "http://e.id?e.id:e.id.getAttribute", "location.search", "https://dnsorangetel.dn2.n-helix.com", "1080p-torrent.ml", "states.app", "dev-2.ernestatech.com", "https://hybrid-analysis.com/sample/d26000dfe1137f05f9187996dc752a703000402fe9e35a8ea216e9215a34560d", "209.85.145.113 [malware]", "cdn.fuckporntube.com", "www.search.app.goo.gl", "apps.apple.com", "http://www.youtube.com/gen_204?cplatform=tablet&c=android&cver=5.6.36&cos=Android&cosver=4.4.2&cbr=com.google.android.youtube&cbrv", "https://coloradosprings.americanlisted.com/pets-animals/beautiful-ragdoll-kittens_31591993.html", "globalworker1.sol.us", "worker-m-tlcus1.sol.us" ], "public": 1, "adversary": "", "targeted_countries": [ "United States of America", "Germany", "Ireland", "Singapore" ], "malware_families": [ { "id": "WebToolbar", "display_name": "WebToolbar", "target": null }, { "id": "HSBC", "display_name": "HSBC", "target": null }, { "id": "Maltiverse", "display_name": "Maltiverse", "target": null }, { "id": "GameHack", "display_name": "GameHack", "target": null }, { "id": "TrojanSpy", "display_name": "TrojanSpy", "target": null } ], "attack_ids": [ { "id": "T1041", "name": "Exfiltration Over C2 Channel", "display_name": "T1041 - Exfiltration Over C2 Channel" }, { "id": "T1059", "name": "Command and Scripting Interpreter", "display_name": "T1059 - Command and Scripting Interpreter" }, { "id": "T1071", "name": "Application Layer Protocol", "display_name": "T1071 - Application Layer Protocol" }, { "id": "T1105", "name": "Ingress Tool Transfer", "display_name": "T1105 - Ingress Tool Transfer" }, { "id": "T1114", "name": "Email Collection", "display_name": "T1114 - Email Collection" }, { "id": "T1497", "name": "Virtualization/Sandbox Evasion", "display_name": "T1497 - Virtualization/Sandbox Evasion" }, { "id": "T1059.007", "name": "JavaScript", "display_name": "T1059.007 - JavaScript" }, { "id": "TA0004", "name": "Privilege Escalation", "display_name": "TA0004 - Privilege Escalation" }, { "id": "T1210", "name": "Exploitation of Remote Services", "display_name": "T1210 - Exploitation of Remote Services" }, { "id": "T1071.001", "name": "Web Protocols", "display_name": "T1071.001 - Web Protocols" }, { "id": "T1071.004", "name": "DNS", "display_name": "T1071.004 - DNS" }, { "id": "T1055", "name": "Process Injection", "display_name": "T1055 - Process Injection" }, { "id": "T1496", "name": "Resource Hijacking", "display_name": "T1496 - Resource Hijacking" }, { "id": "T1176", "name": "Browser Extensions", "display_name": "T1176 - Browser Extensions" }, { "id": "T1027", "name": "Obfuscated Files or Information", "display_name": "T1027 - Obfuscated Files or Information" } ], "industries": [], "TLP": "white", "cloned_from": null, "export_count": 33, "upvotes_count": 0, "downvotes_count": 0, "votes_count": 0, "locked": false, "pulse_source": "web", "validator_count": 0, "comment_count": 0, "follower_count": 0, "vote": 0, "author": { "username": "scoreblue", "id": "254100", "avatar_url": "/otxapi/users/avatar_image/media/avatars/user_254100/resized/80/avatar_3b9c358f36.png", "is_subscribed": false, "is_following": false }, "indicator_type_counts": { "domain": 1015, "hostname": 1309, "FileHash-MD5": 466, "FileHash-SHA1": 255, "FileHash-SHA256": 3783, "URL": 4001, "CVE": 9, "email": 3 }, "indicator_count": 10841, "is_author": false, "is_subscribing": null, "subscriber_count": 229, "modified_text": "866 days ago ", "is_modified": true, "groups": [], "in_group": false, "threat_hunter_scannable": true, "threat_hunter_has_agents": 1, "related_indicator_type": "domain", "related_indicator_is_active": 1 } ], "references": [ "https://download.mobiledit.com/drivers/setup_cdd_apple_1_0_10_0.exe", "http://e.id?e.id:e.id.getAttribute", "https://link.monetizer101.com/widget/code/595.js \u2022 https://link.monetizer101.com/widget/code/1343.js", "states.app", "https://hybrid-analysis.com/sample/d26000dfe1137f05f9187996dc752a703000402fe9e35a8ea216e9215a34560d", "https://www.virustotal.com/gui/collection/aa215ea9a4819e7b629171f16969657ad55a22269acc626b32d5625eb3c16d9d/iocs", "http://www.hybrid-analysis.com/file-collection/66fac600ca930ea26b059ede", "http://www.hybrid-analysis.com/file-collection/66fac56e9086d458e6064fea", "prod.foundry.tylertechai.com \u2022 qa.foundry.tylertechai.com \u2022 staging.foundry.tylertechai.com \u2022", "critical-failure-alert2286.40ek97931491.com-4nj1ze3ivfwy.website", "(Can't access file- Malware infection files)", "http://www.hybrid-analysis.com/file-collection/66faca7c1e2a6e5879090c09", "http://git.io/yBU2rg", "http://www.hybrid-analysis.com/file-collection/66fac890b85c51f0a00bb153", "widget-va.tiktokv.com.ttdns2.com \u2022 http://widget-i18n.tiktokv.com.ttdns2.com/", "https://urlscan.io/result/5dea4d73-564a-4a37-88ef-da841b2bb274/", "Observed Cloudflare DNS over HTTPS Domain (cloudflare-dns .com in TLS SNI)", "Potential reparations: Spyware , Trojan , Pegasus , DNS , Graphite , Paragon , NSO Group , Endgame , Cloudfront", "http://www.hybrid-analysis.com/file-collection/66fac978202166e31d059f2e", "http://critical-system-failure7250.21ny35098453.com-bm3y-v806d9gk.cricket/", "http://link.monetizer101.com/widget/custom-2.0.3/js/load.min.js \u2022", "applestore.id", "http://www.hybrid-analysis.com/file-collection/66fac6de4c7499ee5303356c", "apps.apple.com/us/app/id$", "https://www.virustotal.com/gui/collection/aa215ea9a4819e7b629171f16969657ad55a22269acc626b32d5625eb3c16d9d/graph", "https://www.virustotal.com/gui/collection/aa215ea9a4819e7b629171f16969657ad55a22269acc626b32d5625eb3c16d9d", "r53lbr.run-delete-app-sa-east-1-1.run-delete-test-sa-east-1-9zt9rjv.forgeapps.ec2.aws.dev", "1080p-torrent.ml", "t.name", "http://www.hybrid-analysis.com/file-collection/66fac68ee418a841c80f2f92", "https://www.virustotal.com/graph/embed/g01c31a9734354d3fa14dd33e4bf1ec770e47e5f31e58424a927132b65c0cc052?theme=dark", "blog.manpowergroup.com.py (aww like dadvocates)", "Interesting Strings: https://pro-api.coinmarketcap.com/v2/cryptocurrency/quotes/historical", "a.default.meta.applestore.id", "hasownproperty.call", "All #tags auto populated.", "http://www.hybrid-analysis.com/file-collection/66facaef84282adfb805d499", "Bethseda Map - High Priority Alerts: dumped_buffer2 antisandbox_mouse_hook", "http://www.hybrid-analysis.com/file-collection/66fac7f30821b4aa5f0666ed", "https://search.app.goo.gl/?ofl=https://lens.google&al=googleapp://lens?lens_data=KAw&apn=com.google.android.googlequicksearchbox&amv=301204913&isi=284815942&ius=googleapp&ibi=com.goog", "www.search.app.goo.gl", "https://urlscan.io/api/v1/result/5dea4d73-564a-4a37-88ef-da841b2bb274/", "http://decafsmob.this.id", "globalworker1.sol.us", "On behalf of pcfrpegaservice.net owner Name Servers\tNS-1477.AWSDNS-56.ORG Org\tIdentity Protection Service", "Bethseda Map - High Priority Alerts: ransomware_mass_file_delete antivm_firmware", "https://widget-i18n.tiktokv.com.ttdns2.com/ \u2022 https://stella.demand-iq.com/widget", "209.85.145.113 [malware]", "I have to breakdown this enormous post over time. I\u2019m going to repost a potential hackers similar post", "http://www.hybrid-analysis.com/file-collection/66faca03bf2d577d0707447e", "https://isexychat.com/chatrooms/teen-chat/with-others/\t (sounds about right)", "https://forensic.manuals.mobiledit.com/MM/how-to-install-correct-apple-drivers", "http://www.youtube.com/gen_204?cplatform=tablet&c=android&cver=5.6.36&cos=Android&cosver=4.4.2&cbr=com.google.android.youtube&cbrv", "location.search", "Bethseda Map - High Priority Alerts: antiemu_wine banker_zeus_p2p", "object.prototype.hasownproperty.call", "https://fairspin.io/?track_id=44698569&pid=1&geo=6252001&utm_source=bonafides&utm_medium=&utm_campaign=smarttds&utm_term=incorrect_param", "worker-m-tlcus1.sol.us", "https://link.monetizer101.com/widget/code/dailystaruk.js", "http://www.hybrid-analysis.com/file-collection/66fac7871e2a6e58790909fe", "talos-staging.palantirfoundry.com \u2022 tylertechai.com \u2022 Palantir Technologies Inc.\u2022 palantirfoundry.com", "https://forensic.manuals.mobiledit.com/MM/how-to-install-correct-apple-drivers (ASP.NET)", "Interesting widgets: https://myid.canon/prd/1.1.30/canonid-assets/gcid-widget.html", "id.google.com", "apps.apple.com", "#Lowfi:AGGREGATOR:HasKnownAdwareDomain_NsisBundler", "http://information.7174932.cakcuk.az/tracking/tracking.php?id=8459701&page=904", "Bethseda Map - High Priority Alerts: modifies_certificates ransomware_dropped_files", "http://link.monetizer101.com/widget/custom-2.0.2/templates/1", "cdn.fuckporntube.com", "Bethseda Map - Yara Detections Delphi , InnoSetupInstaller", "Remotewd.com devices", "https://www.virustotal.com/gui/collection/aa215ea9a4819e7b629171f16969657ad55a22269acc626b32d5625eb3c16d9d/community", "TrojanWin32Scoreem - CodeOverlap [616fc7047d6216f7a604fa90f2f2dd0ad5b12f1153137e43858d3421ba964ea4]", "URL http://virii.es/M/Mobile Malware Attacks and Defense.pdf", "dev-2.ernestatech.com", "https://link.monetizer101.com/widget/code/1511.js \u2022 https://link.monetizer101.com/widget/code/mirror.js", "Bethseda Map - High Priority Alerts: ransomware_file_moves ransomware_appends_extensions", "Affects : Kailula4 , scnrscnr, SongCulture, Tsara Brashears & associated, ScrnrScrnr , dorkingbeauty", "http://www.hybrid-analysis.com/file-collection/66fac9127c919f69780c6f51", "sentient.industries affects independent artists. Affects several others.", "https://coloradosprings.americanlisted.com/pets-animals/beautiful-ragdoll-kittens_31591993.html", "https://dnsorangetel.dn2.n-helix.com", "YARA: Delphi This program must be run under Win32 compilers TrojanWin32Fakemalard Ujhhd", "CodeOverlap | All malware listed exists", "If you find anything interesting please research it.", "http://tracking.3061331.corn10wuk.club", "constellation.pcfrpegaservice.net (Pegasus related? idk)" ], "related": { "alienvault": { "adversary": [], "malware_families": [], "industries": [] }, "other": { "adversary": [], "malware_families": [ "Trojandropper:win32/muldrop.v!mtb", "Trojan:win32/blihan.a", "Win.malware.tfuvtcog-7194372-0", "Pws", "Ddos:win32/stormser.a", "Alf:jasyp:pua:win32/bibado", "Code overlap", "Nufs_inno", "Ransom", "Alf:heraklezeval:trojan:win32/ymacco.aa47", "Script exploit", "Hsbc", "Trojan.win32.banload", "Trojan:win32/glupteba.mt!mtb", "Win.malware.midie-6847892-0", "Win32:downloader-gjk\\ [trj]", "Win.packed.razy-9785185-0", "Trojan.win32.fakemalard", "E5", "Alf:hstr:dotnet", "Hacktool:win32/autokms", "Trojan:win32/zombie.a", "#lowfi:hstr:msil/malicious.decryption", "#lowfi:hstr:msil/malicious", "Gamehack", "Win.trojan.jorik-149", "Win32/nemucod", "Alf:heraklezeval:trojandownloader:html/adodb!rfn", "Win.trojan.jorik-130", "Xanfpezes.a", "Trojan:win32/gandcrab", "Win.trojan.bulz-9860169-0", "Formbook", "Win.malware.kolab-9885903-0", "Trojan:win32/zbot.sibl!mtb", "Win.malware (30)", "Mydoom", "Maltiverse", "Win.trojan.generic-9862772-0", "Trojandropper:win32/muldrop", "Trojan:win32/toga", "#lowfienabledtcontinueafterunpacking", "Dotnet", "Win.trojan.fakecodecs-119", "Malware", "Win.downloader.109205-1", "Custom malware", "Webtoolbar", "#lowfi:aggregator:hasknownadwaredomain_nsisbundler.", "Trojanspy", "#lowfidetectsvmware", "Too much to search for" ], "industries": [ "Healthcare", "Medical", "Government", "Technology", "Education", "Media", "Telecommunications", "Government." ] } } }, "false_positive": [] }, "geo": {}, "geo_ipapicom": {}, "pulse_count": 10, "pulses": [ { "id": "69d1f8041acb7d71607578f3", "name": "CAPE Sandbox", "description": "<>", "modified": "2026-04-05T06:02:06.057000", "created": "2026-04-05T05:49:56.708000", "tags": [ "verisign", "verisign class", "display driver", "verisign trust", "network o", "pulses", "code signing", "mon feb", "public primary", "digital id", "class", "win32 exe", "pe32", "ms windows", "icons library", "os2 executable", "generic windos", "executable", "dos executable", "pe64 compiler", "ltcgc", "status", "issuer verisign", "ca valid", "from", "valid", "valid usage", "algorithm", "thumbprint", "ca status", "g5 valid", "verisign status", "valid issuer", "client auth", "hash", "cf b8", "b7 b4", "a8 f0", "ab c5", "bb f6", "f7 a3", "name verisign", "g5 issuer", "microsoft code", "valid from", "thumbprint md5", "serial number", "ec f2", "init", "copyright", "product monitor", "original name", "file version", "word document", "file v2", "document", "outlook", "settings", "generic ole2", "multistream", "compound", "time stamping", "signer", "g4 issuer", "symantec time", "stamping", "g2 valid", "open xml", "zip archive", "word microsoft", "office open", "xml format", "open packaging", "cf f4", "c8 fe", "digicert sha2", "assured id" ], "references": [], "public": 1, "adversary": "", "targeted_countries": [], "malware_families": [], "attack_ids": [ { "id": "T1553", "name": "Subvert Trust Controls", "display_name": "T1553 - Subvert Trust Controls" }, { "id": "T1046", "name": "Network Service Scanning", "display_name": "T1046 - Network Service Scanning" }, { "id": "T1055", "name": "Process Injection", "display_name": "T1055 - Process Injection" }, { "id": "T1071", "name": "Application Layer Protocol", "display_name": "T1071 - Application Layer Protocol" }, { "id": "T1095", "name": "Non-Application Layer Protocol", "display_name": "T1095 - Non-Application Layer Protocol" }, { "id": "T1573", "name": "Encrypted Channel", "display_name": "T1573 - Encrypted Channel" }, { "id": "T1140", "name": "Deobfuscate/Decode Files or Information", "display_name": "T1140 - Deobfuscate/Decode Files or Information" } ], "industries": [], "TLP": "green", "cloned_from": null, "export_count": 1, "upvotes_count": 0, "downvotes_count": 0, "votes_count": 0, "locked": false, "pulse_source": "web", "validator_count": 0, "comment_count": 0, "follower_count": 0, "vote": 0, "author": { "username": "msudosos", "id": "381696", "avatar_url": "https://otx.alienvault.com/assets/images/default-avatar.png", "is_subscribed": false, "is_following": false }, "indicator_type_counts": { "FileHash-MD5": 71, "FileHash-SHA1": 54, "FileHash-SHA256": 1900, "URL": 684, "IPv4": 135, "hostname": 657, "domain": 387 }, "indicator_count": 3888, "is_author": false, "is_subscribing": null, "subscriber_count": 49, "modified_text": "14 days ago ", "is_modified": true, "groups": [], "in_group": false, "threat_hunter_scannable": true, "threat_hunter_has_agents": 1, "related_indicator_type": "domain", "related_indicator_is_active": 1 }, { "id": "69d1f8066431fee3647fa5ff", "name": "CAPE Sandbox", "description": "<>", "modified": "2026-04-05T05:53:01.644000", "created": "2026-04-05T05:49:58.156000", "tags": [ "verisign", "verisign class", "display driver", "verisign trust", "network o", "pulses", "code signing", "mon feb", "public primary", "digital id", "class", "win32 exe", "pe32", "ms windows", "icons library", "os2 executable", "generic windos", "executable", "dos executable", "pe64 compiler", "ltcgc", "status", "issuer verisign", "ca valid", "from", "valid", "valid usage", "algorithm", "thumbprint", "ca status", "g5 valid", "verisign status", "valid issuer", "client auth", "hash", "cf b8", "b7 b4", "a8 f0", "ab c5", "bb f6", "f7 a3", "name verisign", "g5 issuer", "microsoft code", "valid from", "thumbprint md5", "serial number", "ec f2", "init", "copyright", "product monitor", "original name", "file version", "word document", "file v2", "document", "outlook", "settings", "generic ole2", "multistream", "compound", "time stamping", "signer", "g4 issuer", "symantec time", "stamping", "g2 valid", "open xml", "zip archive", "word microsoft", "office open", "xml format", "open packaging", "cf f4", "c8 fe", "digicert sha2", "assured id" ], "references": [], "public": 1, "adversary": "", "targeted_countries": [], "malware_families": [], "attack_ids": [ { "id": "T1553", "name": "Subvert Trust Controls", "display_name": "T1553 - Subvert Trust Controls" }, { "id": "T1046", "name": "Network Service Scanning", "display_name": "T1046 - Network Service Scanning" }, { "id": "T1055", "name": "Process Injection", "display_name": "T1055 - Process Injection" }, { "id": "T1071", "name": "Application Layer Protocol", "display_name": "T1071 - Application Layer Protocol" }, { "id": "T1095", "name": "Non-Application Layer Protocol", "display_name": "T1095 - Non-Application Layer Protocol" }, { "id": "T1573", "name": "Encrypted Channel", "display_name": "T1573 - Encrypted Channel" }, { "id": "T1140", "name": "Deobfuscate/Decode Files or Information", "display_name": "T1140 - Deobfuscate/Decode Files or Information" } ], "industries": [], "TLP": "green", "cloned_from": null, "export_count": 2, "upvotes_count": 0, "downvotes_count": 0, "votes_count": 0, "locked": false, "pulse_source": "web", "validator_count": 0, "comment_count": 0, "follower_count": 0, "vote": 0, "author": { "username": "msudosos", "id": "381696", "avatar_url": "https://otx.alienvault.com/assets/images/default-avatar.png", "is_subscribed": false, "is_following": false }, "indicator_type_counts": { "FileHash-MD5": 71, "FileHash-SHA1": 54, "FileHash-SHA256": 1900, "URL": 684, "IPv4": 135, "hostname": 657, "domain": 387, "CVE": 6 }, "indicator_count": 3894, "is_author": false, "is_subscribing": null, "subscriber_count": 49, "modified_text": "14 days ago ", "is_modified": false, "groups": [], "in_group": false, "threat_hunter_scannable": true, "threat_hunter_has_agents": 1, "related_indicator_type": "domain", "related_indicator_is_active": 1 }, { "id": "68c62306c74c7f57dc993d13", "name": "Predator - Dr. Jeffrey Reimer, DPT - Physical Therapist in Denver, CO | Healthgrades", "description": "Malware with code overlap. JSR , DPT Health Grades account has been removed. An investigator claims Reimer & family have been moved, names , career , changes years ago, claims of government protection for him. After victims MRI JSR left town immediately. Returning in 2016 , coincidentally driving near victim location on various locations. \nIt\u2019s disgusting how technology is being used to cover up a crime instead of solve one.\n#code_overlap #malware #hosts_contacted\n#itstoolatetoapologizeitstoolate", "modified": "2025-10-14T01:04:58.605000", "created": "2025-09-14T02:05:58.793000", "tags": [ "denver", "jeffrey reimer", "star rating", "appointment", "post", "response are", "listened", "wait", "reimer", "healthgrades", "reply flag", "doctors", "find", "jeff", "back", "aurora", "leave", "crying", "tips", "tags na", "utc scorecard", "research beacon", "utc yahoo", "dot tags", "united", "mozilla", "write c", "nsisinetc", "undetermined", "medium", "intel", "ms windows", "write", "trojan", "defender", "delphi", "win32", "malware", "win64", "local", "next", "code overlap", "dynamicloader", "as15169", "brazil as28604", "brazil as396982", "upatre", "passive dns", "title error", "ipv4 add", "pulse pulses", "urls", "files", "reverse dns", "location united", "america flag", "body", "script script", "powder sdk", "a domains", "title", "script", "certificate", "hostname add", "pulse submit", "meta", "learn", "command", "ck id", "name tactics", "suspicious", "informative", "spawns", "evasion att", "t1480 execution", "signing defense", "flag", "whois privacy", "service name", "server", "contacted hosts", "ip address", "process details", "size", "div id", "beginstring", "beginerror", "null", "error", "strings", "refresh", "tools", "onload", "click", "span", "remote access" ], "references": [ "#Lowfi:AGGREGATOR:HasKnownAdwareDomain_NsisBundler", "YARA: Delphi This program must be run under Win32 compilers TrojanWin32Fakemalard Ujhhd", "CodeOverlap | All malware listed exists", "Observed Cloudflare DNS over HTTPS Domain (cloudflare-dns .com in TLS SNI)", "All #tags auto populated.", "URL http://virii.es/M/Mobile Malware Attacks and Defense.pdf", "blog.manpowergroup.com.py (aww like dadvocates)", "https://isexychat.com/chatrooms/teen-chat/with-others/\t (sounds about right)", "r53lbr.run-delete-app-sa-east-1-1.run-delete-test-sa-east-1-9zt9rjv.forgeapps.ec2.aws.dev" ], "public": 1, "adversary": "", "targeted_countries": [], "malware_families": [ { "id": "#Lowfi:AGGREGATOR:HasKnownAdwareDomain_NsisBundler.", "display_name": "#Lowfi:AGGREGATOR:HasKnownAdwareDomain_NsisBundler.", "target": null }, { "id": "Win.Malware.Tfuvtcog-7194372-0", "display_name": "Win.Malware.Tfuvtcog-7194372-0", "target": null }, { "id": "Trojan.Win32.Fakemalard", "display_name": "Trojan.Win32.Fakemalard", "target": null }, { "id": "Code Overlap", "display_name": "Code Overlap", "target": null }, { "id": "Trojan.Win32.Banload", "display_name": "Trojan.Win32.Banload", "target": null }, { "id": "Formbook", "display_name": "Formbook", "target": null }, { "id": "Malware", "display_name": "Malware", "target": null } ], "attack_ids": [ { "id": "T1045", "name": "Software Packing", "display_name": "T1045 - Software Packing" }, { "id": "T1063", "name": "Security Software Discovery", "display_name": "T1063 - Security Software Discovery" }, { "id": "T1027", "name": "Obfuscated Files or Information", "display_name": "T1027 - Obfuscated Files or Information" }, { "id": "T1057", "name": "Process Discovery", "display_name": "T1057 - Process Discovery" }, { "id": "T1071", "name": "Application Layer Protocol", "display_name": "T1071 - Application Layer Protocol" }, { "id": "T1105", "name": "Ingress Tool Transfer", "display_name": "T1105 - Ingress Tool Transfer" }, { "id": "T1480", "name": "Execution Guardrails", "display_name": "T1480 - Execution Guardrails" }, { "id": "T1553", "name": "Subvert Trust Controls", "display_name": "T1553 - Subvert Trust Controls" }, { "id": "T1568", "name": "Dynamic Resolution", "display_name": "T1568 - Dynamic Resolution" }, { "id": "T1140", "name": "Deobfuscate/Decode Files or Information", "display_name": "T1140 - Deobfuscate/Decode Files or Information" } ], "industries": [ "Medical", "Media", "Government." ], "TLP": "white", "cloned_from": null, "export_count": 11, "upvotes_count": 0, "downvotes_count": 0, "votes_count": 0, "locked": false, "pulse_source": "web", "validator_count": 0, "comment_count": 0, "follower_count": 0, "vote": 0, "author": { "username": "Q.Vashti", "id": "337942", "avatar_url": "https://otx.alienvault.com/assets/images/default-avatar.png", "is_subscribed": false, "is_following": false }, "indicator_type_counts": { "hostname": 609, "URL": 1550, "domain": 280, "FileHash-SHA256": 1428, "FileHash-MD5": 133, "FileHash-SHA1": 115, "SSLCertFingerprint": 4 }, "indicator_count": 4119, "is_author": false, "is_subscribing": null, "subscriber_count": 139, "modified_text": "187 days ago ", "is_modified": true, "groups": [], "in_group": false, "threat_hunter_scannable": true, "threat_hunter_has_agents": 1, "related_indicator_type": "domain", "related_indicator_is_active": 1 }, { "id": "68c62316b24b23e6d4c579ef", "name": "Predator - Dr. Jeffrey Reimer, DPT - Physical Therapist in Denver, CO | Healthgrades", "description": "Malware with code overlap. JSR , DPT Health Grades account has been removed. An investigator claims Reimer & family have been moved, names , career , changes years ago, claims of government protection for him. After victims MRI JSR left town immediately. Returning in 2016 , coincidentally driving near victim location on various locations. \nIt\u2019s disgusting how technology is being used to cover up a crime instead of solve one.\n#code_overlap #malware #hosts_contacted\n#itstoolatetoapologizeitstoolate", "modified": "2025-10-14T01:04:58.605000", "created": "2025-09-14T02:06:14.853000", "tags": [ "denver", "jeffrey reimer", "star rating", "appointment", "post", "response are", "listened", "wait", "reimer", "healthgrades", "reply flag", "doctors", "find", "jeff", "back", "aurora", "leave", "crying", "tips", "tags na", "utc scorecard", "research beacon", "utc yahoo", "dot tags", "united", "mozilla", "write c", "nsisinetc", "undetermined", "medium", "intel", "ms windows", "write", "trojan", "defender", "delphi", "win32", "malware", "win64", "local", "next", "code overlap", "dynamicloader", "as15169", "brazil as28604", "brazil as396982", "upatre", "passive dns", "title error", "ipv4 add", "pulse pulses", "urls", "files", "reverse dns", "location united", "america flag", "body", "script script", "powder sdk", "a domains", "title", "script", "certificate", "hostname add", "pulse submit", "meta", "learn", "command", "ck id", "name tactics", "suspicious", "informative", "spawns", "evasion att", "t1480 execution", "signing defense", "flag", "whois privacy", "service name", "server", "contacted hosts", "ip address", "process details", "size", "div id", "beginstring", "beginerror", "null", "error", "strings", "refresh", "tools", "onload", "click", "span", "remote access" ], "references": [ "#Lowfi:AGGREGATOR:HasKnownAdwareDomain_NsisBundler", "YARA: Delphi This program must be run under Win32 compilers TrojanWin32Fakemalard Ujhhd", "CodeOverlap | All malware listed exists", "Observed Cloudflare DNS over HTTPS Domain (cloudflare-dns .com in TLS SNI)", "All #tags auto populated.", "URL http://virii.es/M/Mobile Malware Attacks and Defense.pdf", "blog.manpowergroup.com.py (aww like dadvocates)", "https://isexychat.com/chatrooms/teen-chat/with-others/\t (sounds about right)", "r53lbr.run-delete-app-sa-east-1-1.run-delete-test-sa-east-1-9zt9rjv.forgeapps.ec2.aws.dev" ], "public": 1, "adversary": "", "targeted_countries": [], "malware_families": [ { "id": "#Lowfi:AGGREGATOR:HasKnownAdwareDomain_NsisBundler.", "display_name": "#Lowfi:AGGREGATOR:HasKnownAdwareDomain_NsisBundler.", "target": null }, { "id": "Win.Malware.Tfuvtcog-7194372-0", "display_name": "Win.Malware.Tfuvtcog-7194372-0", "target": null }, { "id": "Trojan.Win32.Fakemalard", "display_name": "Trojan.Win32.Fakemalard", "target": null }, { "id": "Code Overlap", "display_name": "Code Overlap", "target": null }, { "id": "Trojan.Win32.Banload", "display_name": "Trojan.Win32.Banload", "target": null }, { "id": "Formbook", "display_name": "Formbook", "target": null }, { "id": "Malware", "display_name": "Malware", "target": null }, { "id": "Too much to search for", "display_name": "Too much to search for", "target": null } ], "attack_ids": [ { "id": "T1045", "name": "Software Packing", "display_name": "T1045 - Software Packing" }, { "id": "T1063", "name": "Security Software Discovery", "display_name": "T1063 - Security Software Discovery" }, { "id": "T1027", "name": "Obfuscated Files or Information", "display_name": "T1027 - Obfuscated Files or Information" }, { "id": "T1057", "name": "Process Discovery", "display_name": "T1057 - Process Discovery" }, { "id": "T1071", "name": "Application Layer Protocol", "display_name": "T1071 - Application Layer Protocol" }, { "id": "T1105", "name": "Ingress Tool Transfer", "display_name": "T1105 - Ingress Tool Transfer" }, { "id": "T1480", "name": "Execution Guardrails", "display_name": "T1480 - Execution Guardrails" }, { "id": "T1553", "name": "Subvert Trust Controls", "display_name": "T1553 - Subvert Trust Controls" }, { "id": "T1568", "name": "Dynamic Resolution", "display_name": "T1568 - Dynamic Resolution" }, { "id": "T1140", "name": "Deobfuscate/Decode Files or Information", "display_name": "T1140 - Deobfuscate/Decode Files or Information" } ], "industries": [ "Medical", "Media", "Government." ], "TLP": "white", "cloned_from": null, "export_count": 9, "upvotes_count": 0, "downvotes_count": 0, "votes_count": 0, "locked": false, "pulse_source": "web", "validator_count": 0, "comment_count": 0, "follower_count": 0, "vote": 0, "author": { "username": "Q.Vashti", "id": "337942", "avatar_url": "https://otx.alienvault.com/assets/images/default-avatar.png", "is_subscribed": false, "is_following": false }, "indicator_type_counts": { "hostname": 609, "URL": 1550, "domain": 280, "FileHash-SHA256": 1428, "FileHash-MD5": 133, "FileHash-SHA1": 115, "SSLCertFingerprint": 4 }, "indicator_count": 4119, "is_author": false, "is_subscribing": null, "subscriber_count": 139, "modified_text": "187 days ago ", "is_modified": true, "groups": [], "in_group": false, "threat_hunter_scannable": true, "threat_hunter_has_agents": 1, "related_indicator_type": "domain", "related_indicator_is_active": 1 }, { "id": "68abf66e97031d0ff0c04fed", "name": "Packed sentient.industries links to a targets business website", "description": "Very malicious link found in a targets business.\nPacked. Needs to be categorized.\n(FoundryPalantir rich?) Tracking, hacking, and serious espionage.\nAvailable public Information: \nSENTIENT INDUSTRIES\nsentient.industries\nSentient industries provides design and engineering services, from prototyping to small-batch manufacturing, empowering clients to overcome complex challenges. |\nMore about sentient\nMission sentient accelerates mission critical technology for\u2026\nSENTIENT INDUSTRIES\nAccelerating mission-critical tech for disaster response, defense ...\nContact Now\nAustin, tx 78758. United States. EMAIL us. info@sentient \n\nWorse than it looks. Spying on a several threat researchers.", "modified": "2025-09-24T04:04:05.604000", "created": "2025-08-25T05:36:46.327000", "tags": [ "moved", "body", "x cache", "cloudfront x", "cph50 c2", "certificate", "record value", "title", "h1 center", "server", "redacted for", "servers", "name redacted", "for privacy", "name servers", "org data", "privacy city", "privacy country", "ca creation", "passive dns", "urls", "files", "ip address", "asn as57033", "less whois", "registrar", "tucows domains", "key identifier", "data", "v3 serial", "number", "cat ozerossl", "cnzerossl ecc", "domain secure", "site ca", "validity", "subject public", "extraction", "data upload", "extra data", "include review", "find", "failed", "typ no", "ms windows", "intel", "pe32", "united", "search", "as16509", "from win32bios", "show", "high", "medium", "delphi", "copy", "write", "launcher", "next", "present aug", "present jul", "lowfi", "win32", "a div", "div div", "learn xml", "babylon", "win64", "trojan", "colors", "python", "learn", "ck id", "name tactics", "suspicious", "informative", "command", "adversaries", "spawns", "mitre att", "ck techniques", "et info", "tls handshake", "bad traffic", "failure", "date", "august", "hybrid", "general", "path", "starfield", "click", "strings", "se bethseda", "n bethseda", "n data", "error", "date checked", "url hostname", "server response", "google safe", "results aug", "read c", "tlsv1", "port", "destination", "module load", "execution", "dock", "persistence", "malware", "unknown", "cname", "aaaa", "creation date", "showing", "domain", "dga domains", "palantirfoundry", "foundry", "status", "unknown ns", "g2 tls", "rsa sha256", "italy unknown", "mtb may", "trojandropper", "invalid url", "next associated", "ddos", "body html", "hacktool", "ipv4", "url analysis", "ukraine", "encrypt", "rl add", "http", "hostname", "files domain", "files related", "related tags", "present jun", "entries", "title error", "all ipv4", "reverse dns", "yara detections", "top source", "top destination", "source source", "sha256 add", "pulse pulses", "av detections", "ids detections", "alerts", "analysis date", "address range", "cidr", "network name", "allocation type", "whois server", "entity amazon4", "handle", "canada unknown", "content type", "javascript src", "script script", "x powered", "ipv4 add", "pulse submit", "submit url", "analysis", "url add", "related nids", "files location", "canada flag", "canada hostname", "unknown aaaa", "ascii text", "user agent", "powershell", "agent", "czechia unknown", "domain add", "dynamicloader", "hostname add", "pentagon", "defense" ], "references": [ "sentient.industries affects independent artists. Affects several others.", "Bethseda Map - Yara Detections Delphi , InnoSetupInstaller", "Bethseda Map - High Priority Alerts: ransomware_file_moves ransomware_appends_extensions", "Bethseda Map - High Priority Alerts: dumped_buffer2 antisandbox_mouse_hook", "Bethseda Map - High Priority Alerts: modifies_certificates ransomware_dropped_files", "Bethseda Map - High Priority Alerts: ransomware_mass_file_delete antivm_firmware", "Bethseda Map - High Priority Alerts: antiemu_wine banker_zeus_p2p", "https://download.mobiledit.com/drivers/setup_cdd_apple_1_0_10_0.exe", "https://forensic.manuals.mobiledit.com/MM/how-to-install-correct-apple-drivers", "prod.foundry.tylertechai.com \u2022 qa.foundry.tylertechai.com \u2022 staging.foundry.tylertechai.com \u2022", "talos-staging.palantirfoundry.com \u2022 tylertechai.com \u2022 Palantir Technologies Inc.\u2022 palantirfoundry.com", "Affects : Kailula4 , scnrscnr, SongCulture, Tsara Brashears & associated, ScrnrScrnr , dorkingbeauty", "Interesting widgets: https://myid.canon/prd/1.1.30/canonid-assets/gcid-widget.html", "http://link.monetizer101.com/widget/custom-2.0.2/templates/1", "https://widget-i18n.tiktokv.com.ttdns2.com/ \u2022 https://stella.demand-iq.com/widget", "widget-va.tiktokv.com.ttdns2.com \u2022 http://widget-i18n.tiktokv.com.ttdns2.com/", "http://link.monetizer101.com/widget/custom-2.0.3/js/load.min.js \u2022", "https://link.monetizer101.com/widget/code/595.js \u2022 https://link.monetizer101.com/widget/code/1343.js", "https://link.monetizer101.com/widget/code/1511.js \u2022 https://link.monetizer101.com/widget/code/mirror.js", "https://link.monetizer101.com/widget/code/dailystaruk.js", "https://download.mobiledit.com/drivers/setup_cdd_apple_1_0_10_0.exe", "https://forensic.manuals.mobiledit.com/MM/how-to-install-correct-apple-drivers (ASP.NET)", "Interesting Strings: https://pro-api.coinmarketcap.com/v2/cryptocurrency/quotes/historical", "(Can't access file- Malware infection files)", "Potential reparations: Spyware , Trojan , Pegasus , DNS , Graphite , Paragon , NSO Group , Endgame , Cloudfront", "constellation.pcfrpegaservice.net (Pegasus related? idk)", "On behalf of pcfrpegaservice.net owner Name Servers\tNS-1477.AWSDNS-56.ORG Org\tIdentity Protection Service", "TrojanWin32Scoreem - CodeOverlap [616fc7047d6216f7a604fa90f2f2dd0ad5b12f1153137e43858d3421ba964ea4]", "I have to breakdown this enormous post over time. I\u2019m going to repost a potential hackers similar post", "Remotewd.com devices", "If you find anything interesting please research it." ], "public": 1, "adversary": "", "targeted_countries": [ "United States of America" ], "malware_families": [ { "id": "nUFS_inno", "display_name": "nUFS_inno", "target": null }, { "id": "#Lowfi:HSTR:MSIL/Malicious", "display_name": "#Lowfi:HSTR:MSIL/Malicious", "target": null }, { "id": "ALF:JASYP:PUA:Win32/Bibado", "display_name": "ALF:JASYP:PUA:Win32/Bibado", "target": null }, { "id": "Trojan:Win32/Toga", "display_name": "Trojan:Win32/Toga", "target": "/malware/Trojan:Win32/Toga" }, { "id": "Win32:Downloader-GJK\\ [Trj]", "display_name": "Win32:Downloader-GJK\\ [Trj]", "target": null }, { "id": "Win.Downloader.109205-1", "display_name": "Win.Downloader.109205-1", "target": null }, { "id": "Custom Malware", "display_name": "Custom Malware", "target": null }, { "id": "#LowFiEnableDTContinueAfterUnpacking", "display_name": "#LowFiEnableDTContinueAfterUnpacking", "target": null }, { "id": "Win32:Downloader-GJK\\ [Trj]", "display_name": "Win32:Downloader-GJK\\ [Trj]", "target": null }, { "id": "Win.Downloader.109205-1", "display_name": "Win.Downloader.109205-1", "target": null }, { "id": "Win.Trojan.Jorik-149", "display_name": "Win.Trojan.Jorik-149", "target": null }, { "id": "#LowFiDetectsVmWare", "display_name": "#LowFiDetectsVmWare", "target": null }, { "id": "Win.Trojan.Jorik-130", "display_name": "Win.Trojan.Jorik-130", "target": null }, { "id": "Win.Trojan.Fakecodecs-119", "display_name": "Win.Trojan.Fakecodecs-119", "target": null }, { "id": "Trojan:Win32/Zombie.A", "display_name": "Trojan:Win32/Zombie.A", "target": "/malware/Trojan:Win32/Zombie.A" }, { "id": "Win.Trojan.Bulz-9860169-0", "display_name": "Win.Trojan.Bulz-9860169-0", "target": null }, { "id": "Win.Malware.Midie-6847892-0", "display_name": "Win.Malware.Midie-6847892-0", "target": null }, { "id": "TrojanDropper:Win32/Muldrop.V!MTB", "display_name": "TrojanDropper:Win32/Muldrop.V!MTB", "target": "/malware/TrojanDropper:Win32/Muldrop.V!MTB" }, { "id": "Win.Packed.Razy-9785185-0", "display_name": "Win.Packed.Razy-9785185-0", "target": null }, { "id": "Trojan:Win32/Glupteba.MT!MTB", "display_name": "Trojan:Win32/Glupteba.MT!MTB", "target": "/malware/Trojan:Win32/Glupteba.MT!MTB" }, { "id": "PWS", "display_name": "PWS", "target": null }, { "id": "DDOS:Win32/Stormser.A", "display_name": "DDOS:Win32/Stormser.A", "target": "/malware/DDOS:Win32/Stormser.A" }, { "id": "ALF:HSTR:DotNET", "display_name": "ALF:HSTR:DotNET", "target": null }, { "id": "DotNET", "display_name": "DotNET", "target": null }, { "id": "Script Exploit", "display_name": "Script Exploit", "target": null }, { "id": "HackTool:Win32/AutoKMS", "display_name": "HackTool:Win32/AutoKMS", "target": "/malware/HackTool:Win32/AutoKMS" }, { "id": "Xanfpezes.A", "display_name": "Xanfpezes.A", "target": null }, { "id": "Trojan:Win32/Gandcrab", "display_name": "Trojan:Win32/Gandcrab", "target": "/malware/Trojan:Win32/Gandcrab" }, { "id": "Win.Trojan.Generic-9862772-0", "display_name": "Win.Trojan.Generic-9862772-0", "target": null }, { "id": "Trojan:Win32/Zbot.SIBL!MTB", "display_name": "Trojan:Win32/Zbot.SIBL!MTB", "target": "/malware/Trojan:Win32/Zbot.SIBL!MTB" }, { "id": "Win32/Nemucod", "display_name": "Win32/Nemucod", "target": null }, { "id": "ALF:HeraklezEval:TrojanDownloader:HTML/Adodb!rfn", "display_name": "ALF:HeraklezEval:TrojanDownloader:HTML/Adodb!rfn", "target": null }, { "id": "Trojan:Win32/Blihan.A", "display_name": "Trojan:Win32/Blihan.A", "target": "/malware/Trojan:Win32/Blihan.A" }, { "id": "TrojanDropper:Win32/Muldrop", "display_name": "TrojanDropper:Win32/Muldrop", "target": "/malware/TrojanDropper:Win32/Muldrop" }, { "id": "ALF:HeraklezEval:Trojan:Win32/Ymacco.AA47", "display_name": "ALF:HeraklezEval:Trojan:Win32/Ymacco.AA47", "target": null }, { "id": "Win.Malware.Kolab-9885903-0", "display_name": "Win.Malware.Kolab-9885903-0", "target": null }, { "id": "Win.Malware (30)", "display_name": "Win.Malware (30)", "target": null }, { "id": "Ransom", "display_name": "Ransom", "target": null }, { "id": "#Lowfi:HSTR:MSIL/Malicious.Decryption", "display_name": "#Lowfi:HSTR:MSIL/Malicious.Decryption", "target": null }, { "id": "E5", "display_name": "E5", "target": null }, { "id": "MyDoom", "display_name": "MyDoom", "target": null } ], "attack_ids": [ { "id": "T1047", "name": "Windows Management Instrumentation", "display_name": "T1047 - Windows Management Instrumentation" }, { "id": "T1060", "name": "Registry Run Keys / Startup Folder", "display_name": "T1060 - Registry Run Keys / Startup Folder" }, { "id": "T1119", "name": "Automated Collection", "display_name": "T1119 - Automated Collection" }, { "id": "T1027", "name": "Obfuscated Files or Information", "display_name": "T1027 - Obfuscated Files or Information" }, { "id": "T1057", "name": "Process Discovery", "display_name": "T1057 - Process Discovery" }, { "id": "T1071", "name": "Application Layer Protocol", "display_name": "T1071 - Application Layer Protocol" }, { "id": "T1105", "name": "Ingress Tool Transfer", "display_name": "T1105 - Ingress Tool Transfer" }, { "id": "T1480", "name": "Execution Guardrails", "display_name": "T1480 - Execution Guardrails" }, { "id": "T1553", "name": "Subvert Trust Controls", "display_name": "T1553 - Subvert Trust Controls" }, { "id": "T1583", "name": "Acquire Infrastructure", "display_name": "T1583 - Acquire Infrastructure" }, { "id": "T1113", "name": "Screen Capture", "display_name": "T1113 - Screen Capture" }, { "id": "T1140", "name": "Deobfuscate/Decode Files or Information", "display_name": "T1140 - Deobfuscate/Decode Files or Information" }, { "id": "T1053", "name": "Scheduled Task/Job", "display_name": "T1053 - Scheduled Task/Job" }, { "id": "T1055", "name": "Process Injection", "display_name": "T1055 - Process Injection" }, { "id": "T1082", "name": "System Information Discovery", "display_name": "T1082 - System Information Discovery" }, { "id": "T1112", "name": "Modify Registry", "display_name": "T1112 - Modify Registry" }, { "id": "T1129", "name": "Shared Modules", "display_name": "T1129 - Shared Modules" }, { "id": "T1143", "name": "Hidden Window", "display_name": "T1143 - Hidden Window" }, { "id": "T1003.008", "name": "/etc/passwd and /etc/shadow", "display_name": "T1003.008 - /etc/passwd and /etc/shadow" }, { "id": "T1110.002", "name": "Password Cracking", "display_name": "T1110.002 - Password Cracking" } ], "industries": [], "TLP": "white", "cloned_from": null, "export_count": 40, "upvotes_count": 0, "downvotes_count": 0, "votes_count": 0, "locked": false, "pulse_source": "web", "validator_count": 0, "comment_count": 0, "follower_count": 0, "vote": 0, "author": { "username": "Q.Vashti", "id": "337942", "avatar_url": "https://otx.alienvault.com/assets/images/default-avatar.png", "is_subscribed": false, "is_following": false }, "indicator_type_counts": { "domain": 6232, "URL": 24908, "hostname": 7993, "FileHash-SHA256": 11128, "email": 6, "FileHash-MD5": 1054, "FileHash-SHA1": 932, "SSLCertFingerprint": 14, "CIDR": 3, "CVE": 3 }, "indicator_count": 52273, "is_author": false, "is_subscribing": null, "subscriber_count": 146, "modified_text": "207 days ago ", "is_modified": true, "groups": [], "in_group": false, "threat_hunter_scannable": true, "threat_hunter_has_agents": 1, "related_indicator_type": "domain", "related_indicator_is_active": 1 }, { "id": "68596260a9ca6c4cc92ca068", "name": "Delete service | Affects Threat Research Platforms", "description": "Delete service attacking threat researchers platforms. Deletes , blocks, scrambles , attaches to accounts like an overlord monitoring and deletion of Io\u2019s across various platforms. \n\nIDS Rules: PROTOCOL-ICMP PATH MTU denial of service attempt\n\u2022 PROTOCOL-ICMP Destination Unreachable Fragmentation Needed and DF bit was set\n\u2022 Matches rule PROTOCOL-ICMP Echo Reply\nInteresting: TLS: SNI: slscr.update.microsoft.com\nSNI: nexusrules.officeapps.live.com\nSNI: login.live.com\nSNI: client.wns.windows.com", "modified": "2025-08-20T04:13:22.641000", "created": "2025-06-23T14:19:12.328000", "tags": [ "ta0004 defense", "evasion ta0005", "command", "control ta0011", "oc0006", "get http", "resolved ips", "dns resolutions", "request", "response", "windows nt", "win64", "khtml", "gecko", "ip address", "country name", "cname", "port", "accept", "gmt ifnonematch", "url data", "icmp", "mutexes nothing", "data", "datacrashpad", "edge", "created", "nothing", "html internet", "html document", "ascii text", "gtmkvjvztk dl" ], "references": [], "public": 1, "adversary": "", "targeted_countries": [], "malware_families": [], "attack_ids": [ { "id": "T1027", "name": "Obfuscated Files or Information", "display_name": "T1027 - Obfuscated Files or Information" } ], "industries": [], "TLP": "green", "cloned_from": null, "export_count": 17, "upvotes_count": 0, "downvotes_count": 0, "votes_count": 0, "locked": false, "pulse_source": "web", "validator_count": 0, "comment_count": 0, "follower_count": 0, "vote": 0, "author": { "username": "Q.Vashti", "id": "337942", "avatar_url": "https://otx.alienvault.com/assets/images/default-avatar.png", "is_subscribed": false, "is_following": false }, "indicator_type_counts": { "hostname": 2401, "URL": 5856, "FileHash-SHA256": 3473, "domain": 2188, "FileHash-MD5": 123, "FileHash-SHA1": 120, "CVE": 2 }, "indicator_count": 14163, "is_author": false, "is_subscribing": null, "subscriber_count": 141, "modified_text": "242 days ago ", "is_modified": true, "groups": [], "in_group": false, "threat_hunter_scannable": true, "threat_hunter_has_agents": 1, "related_indicator_type": "domain", "related_indicator_is_active": 1 }, { "id": "68730c407f8484c524c2d7f4", "name": "The Denver Post used for Fake news | Foundry | Twitter | Porn", "description": "Is the Denver Post a honey pot? Portal? Used for investigating? Smear campaigns? \n\nVictims reported for multiple years their names have been advertised in malicious red report campaigns, obituaries, threats. This has been true of the Ricky Mountain News which has been out of business for years and Denver Post.\n\n\nI can\u2019t annotate so I can\u2019t include references.\nReferences:\nFoundry\nTwitter\nDouglas Undersheriff who was either being smeared or heading a smear campaign.\nPorn\nTwitter \nInjured worker\u2019s compensation targets with la he loss including death.\nThey don\u2019t want to pay. Crazy fact: Workers compensation keeps the nearly a billion $ annually tax free. Does not want to pay. Bonuses doctors and anyone who will deny truly injured workers their compensation. \n#callthecopsifyousee_o-o_t_pac", "modified": "2025-08-12T01:02:51.771000", "created": "2025-07-13T01:30:40.917000", "tags": [ "gtmtlfp4r", "utc gtmtlfp4r", "domains", "hashes", "reverse dns", "url https", "general full", "united", "security tls", "resource", "protocol h2", "software", "hash", "name value", "main", "spurlock", "carlos illescas", "wordpress", "denver post", "server nginx", "date sun", "gmt contenttype", "connection", "wordpress vip", "https", "link", "json", "contentencoding", "miss xrq", "value", "july", "variables", "osano function", "gpp function", "tcfapi function", "uspapi", "mg2 string", "bcclass", "dfmadmodslevel", "xblocker", "extraction", "data upload", "extrac", "included data", "review ious", "u excluded", "suggesteroo", "ony incude", "failed", "so type", "extra data", "includec review", "exclude suggest", "find s", "s type", "ur extraction", "extract", "included ic", "review ioc", "type no", "extri", "include review", "exclude sugges", "typ filel", "filet filet" ], "references": [], "public": 1, "adversary": "", "targeted_countries": [], "malware_families": [], "attack_ids": [], "industries": [], "TLP": "green", "cloned_from": null, "export_count": 5, "upvotes_count": 0, "downvotes_count": 0, "votes_count": 0, "locked": false, "pulse_source": "web", "validator_count": 0, "comment_count": 0, "follower_count": 0, "vote": 0, "author": { "username": "Q.Vashti", "id": "337942", "avatar_url": "https://otx.alienvault.com/assets/images/default-avatar.png", "is_subscribed": false, "is_following": false }, "indicator_type_counts": { "URL": 1774, "FileHash-SHA256": 3808, "domain": 373, "FileHash-MD5": 155, "FileHash-SHA1": 135, "hostname": 1156 }, "indicator_count": 7401, "is_author": false, "is_subscribing": null, "subscriber_count": 138, "modified_text": "250 days ago ", "is_modified": true, "groups": [], "in_group": false, "threat_hunter_scannable": true, "threat_hunter_has_agents": 1, "related_indicator_type": "domain", "related_indicator_is_active": 1 }, { "id": "66f9980dbc0f1360dfdb7ac5", "name": "fbf29190e5e37fdd3962682e44b092fe8158b09deaf83cc2052c97d2a80e59ee // hxxp://www[.]microsoft[.]com/pkiops/crl/MicSecSerCA2011_2011-10-18[.]crl", "description": "https://www.virustotal.com/graph/embed/g01c31a9734354d3fa14dd33e4bf1ec770e47e5f31e58424a927132b65c0cc052?theme=dark\n\nVT Graph of: fbf29190e5e37fdd3962682e44b092fe8158b09deaf83cc2052c97d2a80e59ee // hxxp://www[.]microsoft[.]com/pkiops/crl/MicSecSerCA2011_2011-10-18[.]crl", "modified": "2024-10-31T22:02:55.263000", "created": "2024-09-29T18:10:21.653000", "tags": [ "entity", "Certificates", "Malcerts" ], "references": [ "https://www.virustotal.com/graph/embed/g01c31a9734354d3fa14dd33e4bf1ec770e47e5f31e58424a927132b65c0cc052?theme=dark", "http://www.hybrid-analysis.com/file-collection/66fac68ee418a841c80f2f92", "http://www.hybrid-analysis.com/file-collection/66fac9127c919f69780c6f51", "http://www.hybrid-analysis.com/file-collection/66faca03bf2d577d0707447e", "http://www.hybrid-analysis.com/file-collection/66faca7c1e2a6e5879090c09", "http://www.hybrid-analysis.com/file-collection/66facaef84282adfb805d499", "http://www.hybrid-analysis.com/file-collection/66fac600ca930ea26b059ede", "http://www.hybrid-analysis.com/file-collection/66fac890b85c51f0a00bb153", "http://www.hybrid-analysis.com/file-collection/66fac7f30821b4aa5f0666ed", "http://www.hybrid-analysis.com/file-collection/66fac7871e2a6e58790909fe", "http://www.hybrid-analysis.com/file-collection/66fac6de4c7499ee5303356c", "http://www.hybrid-analysis.com/file-collection/66fac978202166e31d059f2e", "http://www.hybrid-analysis.com/file-collection/66fac56e9086d458e6064fea", "https://urlscan.io/api/v1/result/5dea4d73-564a-4a37-88ef-da841b2bb274/", "https://urlscan.io/result/5dea4d73-564a-4a37-88ef-da841b2bb274/", "https://www.virustotal.com/gui/collection/aa215ea9a4819e7b629171f16969657ad55a22269acc626b32d5625eb3c16d9d/community", "https://www.virustotal.com/gui/collection/aa215ea9a4819e7b629171f16969657ad55a22269acc626b32d5625eb3c16d9d/iocs", "https://www.virustotal.com/gui/collection/aa215ea9a4819e7b629171f16969657ad55a22269acc626b32d5625eb3c16d9d", "https://www.virustotal.com/gui/collection/aa215ea9a4819e7b629171f16969657ad55a22269acc626b32d5625eb3c16d9d/graph" ], "public": 1, "adversary": "", "targeted_countries": [ "Canada", "United States of America" ], "malware_families": [], "attack_ids": [], "industries": [ "Government", "Telecommunications", "Technology", "Healthcare", "Education" ], "TLP": "white", "cloned_from": null, "export_count": 19, "upvotes_count": 0, "downvotes_count": 0, "votes_count": 0, "locked": false, "pulse_source": "web", "validator_count": 0, "comment_count": 1, "follower_count": 0, "vote": 0, "author": { "username": "Disable_Duck", "id": "244325", "avatar_url": "/otxapi/users/avatar_image/media/avatars/user_244325/resized/80/avatar_3b9c358f36.png", "is_subscribed": false, "is_following": false }, "indicator_type_counts": { "FileHash-MD5": 793, "FileHash-SHA1": 716, "FileHash-SHA256": 9805, "URL": 2314, "domain": 1937, "hostname": 2958, "CVE": 21 }, "indicator_count": 18544, "is_author": false, "is_subscribing": null, "subscriber_count": 131, "modified_text": "534 days ago ", "is_modified": true, "groups": [], "in_group": false, "threat_hunter_scannable": true, "threat_hunter_has_agents": 1, "related_indicator_type": "domain", "related_indicator_is_active": 1 }, { "id": "6546cf78627adef6562a97aa", "name": "Browser Malware Attack", "description": "Attacking my browser to identify.\nCommand for critical failure/destruction: https://search.app.goo.gl/?ofl=https://lens.google&al=googleapp://lens?lens_data=KAw&apn=com.google.android.googlequicksearchbox&amv=301204913&isi=284815942&ius=googleapp&ibi=com.goog", "modified": "2023-12-04T22:00:43.514000", "created": "2023-11-04T23:10:48.676000", "tags": [ "united", "facebook", "phishtank", "detection list", "ip address", "blacklist", "paypal", "cisco umbrella", "site", "alexa top", "safe site", "million", "malicious url", "malware site", "malicious site", "malware", "name verdict", "falcon sandbox", "reports no", "speci", "efr1", "pattern match", "file", "web open", "font format", "truetype", "indicator", "windows nt", "et tor", "known tor", "relayrouter", "date", "unknown", "general", "hybrid", "local", "stream", "click", "strings", "class", "generator", "critical", "error", "self", "http response", "final url", "serving ip", "address", "status code", "body length", "kb body", "sha256", "phishing site", "heur", "cyber threat", "unsafe", "riskware", "phishing", "bank", "service", "artemis", "team", "xtrat", "agent", "xrat", "filetour", "exploit", "conduit", "opencandy", "fusioncore", "orkut", "steam", "genkryptik", "runescape", "presenoker", "ramnit", "msil", "crack", "tofsee", "suppobox", "malicious", "simda", "vawtrak", "hotmail", "generic", "webtoolbar", "hsbc", "maltiverse", "ip summary", "url summary", "summary", "sample", "samples", "count blacklist", "tag count", "downldr", "cleaner", "iframe", "wacatac", "alexa", "win64", "swrort", "installcore", "azorult", "download", "blacknet rat", "stealer", "softcnapp", "nircmd", "unruy", "patcher", "adload", "dropper", "installpack", "tiggre", "gamehack", "trojanspy", "germany http", "attacker", "static engine", "internet storm", "center", "passive dns", "urls", "scan endpoints", "all search", "otx scoreblue", "url http", "pulse pulses", "http", "related nids" ], "references": [ "https://search.app.goo.gl/?ofl=https://lens.google&al=googleapp://lens?lens_data=KAw&apn=com.google.android.googlequicksearchbox&amv=301204913&isi=284815942&ius=googleapp&ibi=com.goog", "object.prototype.hasownproperty.call", "hasownproperty.call", "a.default.meta.applestore.id", "applestore.id", "http://decafsmob.this.id", "id.google.com", "http://critical-system-failure7250.21ny35098453.com-bm3y-v806d9gk.cricket/", "http://git.io/yBU2rg", "critical-failure-alert2286.40ek97931491.com-4nj1ze3ivfwy.website", "https://fairspin.io/?track_id=44698569&pid=1&geo=6252001&utm_source=bonafides&utm_medium=&utm_campaign=smarttds&utm_term=incorrect_param", "http://tracking.3061331.corn10wuk.club", "http://information.7174932.cakcuk.az/tracking/tracking.php?id=8459701&page=904", "apps.apple.com/us/app/id$", "t.name", "http://e.id?e.id:e.id.getAttribute", "location.search", "https://dnsorangetel.dn2.n-helix.com", "1080p-torrent.ml", "states.app", "dev-2.ernestatech.com", "https://hybrid-analysis.com/sample/d26000dfe1137f05f9187996dc752a703000402fe9e35a8ea216e9215a34560d", "209.85.145.113 [malware]", "cdn.fuckporntube.com", "www.search.app.goo.gl", "apps.apple.com", "http://www.youtube.com/gen_204?cplatform=tablet&c=android&cver=5.6.36&cos=Android&cosver=4.4.2&cbr=com.google.android.youtube&cbrv", "https://coloradosprings.americanlisted.com/pets-animals/beautiful-ragdoll-kittens_31591993.html", "globalworker1.sol.us", "worker-m-tlcus1.sol.us" ], "public": 1, "adversary": "", "targeted_countries": [ "United States of America", "Germany", "Ireland", "Singapore" ], "malware_families": [ { "id": "WebToolbar", "display_name": "WebToolbar", "target": null }, { "id": "HSBC", "display_name": "HSBC", "target": null }, { "id": "Maltiverse", "display_name": "Maltiverse", "target": null }, { "id": "GameHack", "display_name": "GameHack", "target": null }, { "id": "TrojanSpy", "display_name": "TrojanSpy", "target": null } ], "attack_ids": [ { "id": "T1041", "name": "Exfiltration Over C2 Channel", "display_name": "T1041 - Exfiltration Over C2 Channel" }, { "id": "T1059", "name": "Command and Scripting Interpreter", "display_name": "T1059 - Command and Scripting Interpreter" }, { "id": "T1071", "name": "Application Layer Protocol", "display_name": "T1071 - Application Layer Protocol" }, { "id": "T1105", "name": "Ingress Tool Transfer", "display_name": "T1105 - Ingress Tool Transfer" }, { "id": "T1114", "name": "Email Collection", "display_name": "T1114 - Email Collection" }, { "id": "T1497", "name": "Virtualization/Sandbox Evasion", "display_name": "T1497 - Virtualization/Sandbox Evasion" }, { "id": "T1059.007", "name": "JavaScript", "display_name": "T1059.007 - JavaScript" }, { "id": "TA0004", "name": "Privilege Escalation", "display_name": "TA0004 - Privilege Escalation" }, { "id": "T1210", "name": "Exploitation of Remote Services", "display_name": "T1210 - Exploitation of Remote Services" }, { "id": "T1071.001", "name": "Web Protocols", "display_name": "T1071.001 - Web Protocols" }, { "id": "T1071.004", "name": "DNS", "display_name": "T1071.004 - DNS" }, { "id": "T1055", "name": "Process Injection", "display_name": "T1055 - Process Injection" }, { "id": "T1496", "name": "Resource Hijacking", "display_name": "T1496 - Resource Hijacking" }, { "id": "T1176", "name": "Browser Extensions", "display_name": "T1176 - Browser Extensions" }, { "id": "T1027", "name": "Obfuscated Files or Information", "display_name": "T1027 - Obfuscated Files or Information" } ], "industries": [], "TLP": "white", "cloned_from": null, "export_count": 25, "upvotes_count": 0, "downvotes_count": 0, "votes_count": 0, "locked": false, "pulse_source": "web", "validator_count": 0, "comment_count": 0, "follower_count": 0, "vote": 0, "author": { "username": "scoreblue", "id": "254100", "avatar_url": "/otxapi/users/avatar_image/media/avatars/user_254100/resized/80/avatar_3b9c358f36.png", "is_subscribed": false, "is_following": false }, "indicator_type_counts": { "domain": 1015, "hostname": 1309, "FileHash-MD5": 466, "FileHash-SHA1": 255, "FileHash-SHA256": 3783, "URL": 4001, "CVE": 9, "email": 3 }, "indicator_count": 10841, "is_author": false, "is_subscribing": null, "subscriber_count": 225, "modified_text": "866 days ago ", "is_modified": true, "groups": [], "in_group": false, "threat_hunter_scannable": true, "threat_hunter_has_agents": 1, "related_indicator_type": "domain", "related_indicator_is_active": 1 }, { "id": "6546d0120a7e479fecffe2b1", "name": "Browser Malware Attack", "description": "Attacking browser to identify researcher.\nCommand for critical failure/destruction: https://search.app.goo.gl/?ofl=https://lens.google&al=googleapp://lens?lens_data=KAw&apn=com.google.android.googlequicksearchbox&amv=301204913&isi=284815942&ius=googleapp&ibi=com.goog", "modified": "2023-12-04T22:00:43.514000", "created": "2023-11-04T23:13:21.883000", "tags": [ "united", "facebook", "phishtank", "detection list", "ip address", "blacklist", "paypal", "cisco umbrella", "site", "alexa top", "safe site", "million", "malicious url", "malware site", "malicious site", "malware", "name verdict", "falcon sandbox", "reports no", "speci", "efr1", "pattern match", "file", "web open", "font format", "truetype", "indicator", "windows nt", "et tor", "known tor", "relayrouter", "date", "unknown", "general", "hybrid", "local", "stream", "click", "strings", "class", "generator", "critical", "error", "self", "http response", "final url", "serving ip", "address", "status code", "body length", "kb body", "sha256", "phishing site", "heur", "cyber threat", "unsafe", "riskware", "phishing", "bank", "service", "artemis", "team", "xtrat", "agent", "xrat", "filetour", "exploit", "conduit", "opencandy", "fusioncore", "orkut", "steam", "genkryptik", "runescape", "presenoker", "ramnit", "msil", "crack", "tofsee", "suppobox", "malicious", "simda", "vawtrak", "hotmail", "generic", "webtoolbar", "hsbc", "maltiverse", "ip summary", "url summary", "summary", "sample", "samples", "count blacklist", "tag count", "downldr", "cleaner", "iframe", "wacatac", "alexa", "win64", "swrort", "installcore", "azorult", "download", "blacknet rat", "stealer", "softcnapp", "nircmd", "unruy", "patcher", "adload", "dropper", "installpack", "tiggre", "gamehack", "trojanspy", "germany http", "attacker", "static engine", "internet storm", "center", "passive dns", "urls", "scan endpoints", "all search", "otx scoreblue", "url http", "pulse pulses", "http", "related nids" ], "references": [ "https://search.app.goo.gl/?ofl=https://lens.google&al=googleapp://lens?lens_data=KAw&apn=com.google.android.googlequicksearchbox&amv=301204913&isi=284815942&ius=googleapp&ibi=com.goog", "object.prototype.hasownproperty.call", "hasownproperty.call", "a.default.meta.applestore.id", "applestore.id", "http://decafsmob.this.id", "id.google.com", "http://critical-system-failure7250.21ny35098453.com-bm3y-v806d9gk.cricket/", "http://git.io/yBU2rg", "critical-failure-alert2286.40ek97931491.com-4nj1ze3ivfwy.website", "https://fairspin.io/?track_id=44698569&pid=1&geo=6252001&utm_source=bonafides&utm_medium=&utm_campaign=smarttds&utm_term=incorrect_param", "http://tracking.3061331.corn10wuk.club", "http://information.7174932.cakcuk.az/tracking/tracking.php?id=8459701&page=904", "apps.apple.com/us/app/id$", "t.name", "http://e.id?e.id:e.id.getAttribute", "location.search", "https://dnsorangetel.dn2.n-helix.com", "1080p-torrent.ml", "states.app", "dev-2.ernestatech.com", "https://hybrid-analysis.com/sample/d26000dfe1137f05f9187996dc752a703000402fe9e35a8ea216e9215a34560d", "209.85.145.113 [malware]", "cdn.fuckporntube.com", "www.search.app.goo.gl", "apps.apple.com", "http://www.youtube.com/gen_204?cplatform=tablet&c=android&cver=5.6.36&cos=Android&cosver=4.4.2&cbr=com.google.android.youtube&cbrv", "https://coloradosprings.americanlisted.com/pets-animals/beautiful-ragdoll-kittens_31591993.html", "globalworker1.sol.us", "worker-m-tlcus1.sol.us" ], "public": 1, "adversary": "", "targeted_countries": [ "United States of America", "Germany", "Ireland", "Singapore" ], "malware_families": [ { "id": "WebToolbar", "display_name": "WebToolbar", "target": null }, { "id": "HSBC", "display_name": "HSBC", "target": null }, { "id": "Maltiverse", "display_name": "Maltiverse", "target": null }, { "id": "GameHack", "display_name": "GameHack", "target": null }, { "id": "TrojanSpy", "display_name": "TrojanSpy", "target": null } ], "attack_ids": [ { "id": "T1041", "name": "Exfiltration Over C2 Channel", "display_name": "T1041 - Exfiltration Over C2 Channel" }, { "id": "T1059", "name": "Command and Scripting Interpreter", "display_name": "T1059 - Command and Scripting Interpreter" }, { "id": "T1071", "name": "Application Layer Protocol", "display_name": "T1071 - Application Layer Protocol" }, { "id": "T1105", "name": "Ingress Tool Transfer", "display_name": "T1105 - Ingress Tool Transfer" }, { "id": "T1114", "name": "Email Collection", "display_name": "T1114 - Email Collection" }, { "id": "T1497", "name": "Virtualization/Sandbox Evasion", "display_name": "T1497 - Virtualization/Sandbox Evasion" }, { "id": "T1059.007", "name": "JavaScript", "display_name": "T1059.007 - JavaScript" }, { "id": "TA0004", "name": "Privilege Escalation", "display_name": "TA0004 - Privilege Escalation" }, { "id": "T1210", "name": "Exploitation of Remote Services", "display_name": "T1210 - Exploitation of Remote Services" }, { "id": "T1071.001", "name": "Web Protocols", "display_name": "T1071.001 - Web Protocols" }, { "id": "T1071.004", "name": "DNS", "display_name": "T1071.004 - DNS" }, { "id": "T1055", "name": "Process Injection", "display_name": "T1055 - Process Injection" }, { "id": "T1496", "name": "Resource Hijacking", "display_name": "T1496 - Resource Hijacking" }, { "id": "T1176", "name": "Browser Extensions", "display_name": "T1176 - Browser Extensions" }, { "id": "T1027", "name": "Obfuscated Files or Information", "display_name": "T1027 - Obfuscated Files or Information" } ], "industries": [], "TLP": "white", "cloned_from": null, "export_count": 33, "upvotes_count": 0, "downvotes_count": 0, "votes_count": 0, "locked": false, "pulse_source": "web", "validator_count": 0, "comment_count": 0, "follower_count": 0, "vote": 0, "author": { "username": "scoreblue", "id": "254100", "avatar_url": "/otxapi/users/avatar_image/media/avatars/user_254100/resized/80/avatar_3b9c358f36.png", "is_subscribed": false, "is_following": false }, "indicator_type_counts": { "domain": 1015, "hostname": 1309, "FileHash-MD5": 466, "FileHash-SHA1": 255, "FileHash-SHA256": 3783, "URL": 4001, "CVE": 9, "email": 3 }, "indicator_count": 10841, "is_author": false, "is_subscribing": null, "subscriber_count": 229, "modified_text": "866 days ago ", "is_modified": true, "groups": [], "in_group": false, "threat_hunter_scannable": true, "threat_hunter_has_agents": 1, "related_indicator_type": "domain", "related_indicator_is_active": 1 } ], "error": null, "vt": { "error": "VirusTotal rate limit reached. Try again shortly.", "indicator": "uzzipay.com", "type": "Domain" }, "abuseipdb": null, "urlhaus": { "indicator": "uzzipay.com", "found": false, "verdict": "clean", "urls": [], "error": null }, "from_cache": true, "_cached_at": 1776629283.527641 }