{ "type": "Domain", "indicator": "flamecomcis.com", "general": { "sections": [ "general", "geo", "url_list", "passive_dns", "malware", "whois", "http_scans" ], "whois": "http://whois.domaintools.com/flamecomcis.com", "alexa": "http://www.alexa.com/siteinfo/flamecomcis.com", "indicator": "flamecomcis.com", "type": "domain", "type_title": "Domain", "validation": [], "base_indicator": { "id": 3949401756, "indicator": "flamecomcis.com", "type": "domain", "title": "", "description": "", "content": "", "access_type": "public", "access_reason": "" }, "pulse_info": { "count": 6, "pulses": [ { "id": "6905d40f781d7d58d4021a20", "name": "Treece Alfrey Musat P.C., Chris P. Ahmann Colorado State \u2022 Tam Legal Special Cousel for egregious acts by PT.", "description": "- with a primary focus on criminal defense. In both positions, he successfully defended his clients against claims running the gamut of the criminal justice system, from DUI\nand misdemeanors to felony indictments. In his criminal practice, Mr. Ahmann defends clients charged with both misdemeanor and felony cases. Mr. Ahmann continues his criminal practice as he believes that his clients deserve someone on their side to assure their voice is heard in the criminal process as well. He is dedicated to each of his clients and is always\nstriving for the best possible outcome in their individual cases. Mr. Ahmann also specializes in defense of employers in workers' compensation claims. He also assists TAM clients whose liability defense touches criminal prosecution, regularly providing effective criminal counsel in catastrophic injury common carrier matters, as well as criminal prosecution stemming from\nemployment and official acts.", "modified": "2025-12-20T06:00:23.758000", "created": "2025-11-01T09:34:07.323000", "tags": [ "public tlp", "trojandropper", "other", "references add", "show", "provide", "remote", "t1457", "media content", "t1480", "subvert trust", "controls t1562", "modify tools", "command history", "ck t1027", "t1057", "discovery t1069", "t1071", "protocol t1105", "tool transfer", "t1113", "logging t1568", "t1574", "execution flow", "dll sideloading", "t1583", "ta0003", "ck id", "america", "att", "t1045", "capture t1140", "ipv4", "active related", "contact", "adversary", "tam legal", "qshell", "colorado state", "ahmann special", "counsel", "download", "ahmann", "university", "history", "john marshall", "law school", "special counsel", "christopher ahmann", "defense", "url http", "create new", "pulse provide", "white", "adversary tags", "add tag", "groups add", "countries add", "country malware", "trojan", "script urls", "treece alfrey", "meta", "function", "for privacy", "germany unknown", "united", "script", "ip address", "creation date", "date", "tracker", "null", "window", "general full", "reverse dns", "server", "philadelphia", "asn8560", "ionosas", "ionos", "fasthosts", "media", "telecom", "apache", "main", "gtagtracker", "gatracker", "brian sabey", "hall render", "fastly error", "palantir", "special counsel", "gravity rat" ], "references": [ "Treece Alfrey Musat P.C. Attorneys at Law Christopher P. Ahmann | https://TamLegal.com", "https://urlscan.io/screenshots/e931bb02-80dc-46db-92f0-43d5afa258be.png", "https://www.pornhub.com/gifs/search?search=tsara+lynn+brashears+lesbian", "https://www.anyxxxtube.net/search-porn/tsara-brashears/", "http://45.159.189.105/bot/regex \u2022\u2019 Fake Pinterest \u2022https://pin.it/", "https://twitter.com/PORNO_SEXYBABES \u2022 girlsdoporn.com", "Tsara never knew defense attorney fought & closed her worker\u2019s compensation claim", "Traceback- Man with signal jammer/ deauther working around her today.", "Absolutely zero regard for the victims who facilitate your luxury lifestyle.", "Do you slap luxury cologne on your undeserving face paid for by money workers suffered for?", "You\u2019d kill to have someone else\u2019s lifestyle? May God take you out!", "This God smacked penguin ordered a settlement hearing with less than 24 hours notice for claimant.", "He began a smear campaign immediately and is directly linked to Hall Render and Palantir", "Doing any evil thing for mone does not compute for me.", "I\u2019ve looked through the settlement docs, injuries caused by Jeffrey Scott Reiner DPT omitted.", "He must be very scary like Peter Theil because every attorney took case then backed off.", "Patiently waiting to see what God is going to do to all of you. You take lives for $", "Stop! A woman was assaulted carved up, lived with a swollen brain , maltreatment , stalkers , hitmen?", "So you can order food at fine restaurants , go to the finest places and get the best seats? No. I am earnestly praying Jehovah Sabaoth takes your last breath from all of you with Yawehs mightiest angels leading the way with a changing of guard for every tattle you will lose", "On same block with HalkRender. Has close working relationship. All Palantir legal enities" ], "public": 1, "adversary": "", "targeted_countries": [], "malware_families": [ { "id": "Other", "display_name": "Other", "target": null }, { "id": "Win.Malware.Unsafe", "display_name": "Win.Malware.Unsafe", "target": null }, { "id": "Juko", "display_name": "Juko", "target": null }, { "id": "Expiro", "display_name": "Expiro", "target": null }, { "id": "Trojan:Win32/Generic", "display_name": "Trojan:Win32/Generic", "target": "/malware/Trojan:Win32/Generic" }, { "id": "Win.Malware.Qshell-9875653-0", "display_name": "Win.Malware.Qshell-9875653-0", "target": null }, { "id": "Trojan:Win32/Qshell", "display_name": "Trojan:Win32/Qshell", "target": "/malware/Trojan:Win32/Qshell" } ], "attack_ids": [ { "id": "T1027", "name": "Obfuscated Files or Information", "display_name": "T1027 - Obfuscated Files or Information" }, { "id": "T1045", "name": "Software Packing", "display_name": "T1045 - Software Packing" }, { "id": "T1057", "name": "Process Discovery", "display_name": "T1057 - Process Discovery" }, { "id": "T1069", "name": "Permission Groups Discovery", "display_name": "T1069 - Permission Groups Discovery" }, { "id": "T1071", "name": "Application Layer Protocol", "display_name": "T1071 - Application Layer Protocol" }, { "id": "T1105", "name": "Ingress Tool Transfer", "display_name": "T1105 - Ingress Tool Transfer" }, { "id": "T1113", "name": "Screen Capture", "display_name": "T1113 - Screen Capture" }, { "id": "T1140", "name": "Deobfuscate/Decode Files or Information", "display_name": "T1140 - Deobfuscate/Decode Files or Information" }, { "id": "T1197", "name": "BITS Jobs", "display_name": "T1197 - BITS Jobs" }, { "id": "T1210", "name": "Exploitation of Remote Services", "display_name": "T1210 - Exploitation of Remote Services" }, { "id": "T1457", "name": "Malicious Media Content", "display_name": "T1457 - Malicious Media Content" }, { "id": "T1480", "name": "Execution Guardrails", "display_name": "T1480 - Execution Guardrails" }, { "id": "T1553", "name": "Subvert Trust Controls", "display_name": "T1553 - Subvert Trust Controls" }, { "id": "T1562", "name": "Impair Defenses", "display_name": "T1562 - Impair Defenses" }, { "id": "T1568", "name": "Dynamic Resolution", "display_name": "T1568 - Dynamic Resolution" }, { "id": "T1574", "name": "Hijack Execution Flow", "display_name": "T1574 - Hijack Execution Flow" }, { "id": "T1583", "name": "Acquire Infrastructure", "display_name": "T1583 - Acquire Infrastructure" } ], "industries": [ "Legal", "Government", "Healthcare", "Technology", "Telecommunications" ], "TLP": "white", "cloned_from": null, "export_count": 6, "upvotes_count": 0, "downvotes_count": 0, "votes_count": 0, "locked": false, "pulse_source": "web", "validator_count": 0, "comment_count": 0, "follower_count": 0, "vote": 0, "author": { "username": "Q.Vashti", "id": "337942", "avatar_url": "https://otx.alienvault.com/assets/images/default-avatar.png", "is_subscribed": false, "is_following": false }, "indicator_type_counts": { "URL": 8332, "domain": 4819, "hostname": 2165, "FileHash-SHA256": 7369, "FileHash-MD5": 474, "FileHash-SHA1": 470, "CVE": 4, "email": 4 }, "indicator_count": 23637, "is_author": false, "is_subscribing": null, "subscriber_count": 139, "modified_text": "120 days ago ", "is_modified": true, "groups": [], "in_group": false, "threat_hunter_scannable": true, "threat_hunter_has_agents": 1, "related_indicator_type": "domain", "related_indicator_is_active": 1 }, { "id": "6906c12b1dd6a64ab1beaa55", "name": "SpyNoon \u2022Chris P. Ahmann Colorado State \u2022 Tam Legal Special Cousel for egregious", "description": "", "modified": "2025-12-01T09:02:26.881000", "created": "2025-11-02T02:25:47.431000", "tags": [ "public tlp", "trojandropper", "other", "references add", "show", "provide", "remote", "t1457", "media content", "t1480", "subvert trust", "controls t1562", "modify tools", "command history", "ck t1027", "t1057", "discovery t1069", "t1071", "protocol t1105", "tool transfer", "t1113", "logging t1568", "t1574", "execution flow", "dll sideloading", "t1583", "ta0003", "ck id", "america", "att", "t1045", "capture t1140", "ipv4", "active related", "contact", "adversary", "tam legal", "qshell", "colorado state", "ahmann special", "counsel", "download", "ahmann", "university", "history", "john marshall", "law school", "special counsel", "christopher ahmann", "defense", "url http", "create new", "pulse provide", "white", "adversary tags", "add tag", "groups add", "countries add", "country malware", "trojan", "script urls", "treece alfrey", "meta", "function", "for privacy", "germany unknown", "united", "script", "ip address", "creation date", "date", "tracker", "null", "window", "general full", "reverse dns", "server", "philadelphia", "asn8560", "ionosas", "ionos", "fasthosts", "media", "telecom", "apache", "main", "gtagtracker", "gatracker", "brian sabey", "hall render", "fastly error", "palantir", "special counsel", "gravity rat" ], "references": [ "Treece Alfrey Musat P.C. Attorneys at Law Christopher P. Ahmann | https://TamLegal.com", "https://urlscan.io/screenshots/e931bb02-80dc-46db-92f0-43d5afa258be.png", "https://www.pornhub.com/gifs/search?search=tsara+lynn+brashears+lesbian", "https://www.anyxxxtube.net/search-porn/tsara-brashears/", "http://45.159.189.105/bot/regex \u2022\u2019 Fake Pinterest \u2022https://pin.it/", "https://twitter.com/PORNO_SEXYBABES \u2022 girlsdoporn.com", "Tsara never knew defense attorney fought & closed her worker\u2019s compensation claim", "Traceback- Man with signal jammer/ deauther working around her today.", "Absolutely zero regard for the victims who facilitate your luxury lifestyle.", "Do you slap luxury cologne on your undeserving face paid for by money workers suffered for?", "You\u2019d kill to have someone else\u2019s lifestyle? May God take you out!", "This God smacked penguin ordered a settlement hearing with less than 24 hours notice for claimant.", "He began a smear campaign immediately and is directly linked to Hall Render and Palantir", "Doing any evil thing for mone does not compute for me.", "I\u2019ve looked through the settlement docs, injuries caused by Jeffrey Scott Reiner DPT omitted.", "He must be very scary like Peter Theil because every attorney took case then backed off.", "Patiently waiting to see what God is going to do to all of you. You take lives for $", "Stop! A woman was assaulted carved up, lived with a swollen brain , maltreatment , stalkers , hitmen?", "So you can order food at fine restaurants , go to the finest places and get the best seats? No. I am earnestly praying Jehovah Sabaoth takes your last breath from all of you with Yawehs mightiest angels leading the way with a changing of guard for every tattle you will lose", "On same block with HalkRender. Has close working relationship. All Palantir legal enities" ], "public": 1, "adversary": "", "targeted_countries": [], "malware_families": [ { "id": "Other", "display_name": "Other", "target": null }, { "id": "Win.Malware.Unsafe", "display_name": "Win.Malware.Unsafe", "target": null }, { "id": "Juko", "display_name": "Juko", "target": null }, { "id": "Expiro", "display_name": "Expiro", "target": null }, { "id": "Trojan:Win32/Generic", "display_name": "Trojan:Win32/Generic", "target": "/malware/Trojan:Win32/Generic" }, { "id": "Win.Malware.Qshell-9875653-0", "display_name": "Win.Malware.Qshell-9875653-0", "target": null }, { "id": "Trojan:Win32/Qshell", "display_name": "Trojan:Win32/Qshell", "target": "/malware/Trojan:Win32/Qshell" } ], "attack_ids": [ { "id": "T1027", "name": "Obfuscated Files or Information", "display_name": "T1027 - Obfuscated Files or Information" }, { "id": "T1045", "name": "Software Packing", "display_name": "T1045 - Software Packing" }, { "id": "T1057", "name": "Process Discovery", "display_name": "T1057 - Process Discovery" }, { "id": "T1069", "name": "Permission Groups Discovery", "display_name": "T1069 - Permission Groups Discovery" }, { "id": "T1071", "name": "Application Layer Protocol", "display_name": "T1071 - Application Layer Protocol" }, { "id": "T1105", "name": "Ingress Tool Transfer", "display_name": "T1105 - Ingress Tool Transfer" }, { "id": "T1113", "name": "Screen Capture", "display_name": "T1113 - Screen Capture" }, { "id": "T1140", "name": "Deobfuscate/Decode Files or Information", "display_name": "T1140 - Deobfuscate/Decode Files or Information" }, { "id": "T1197", "name": "BITS Jobs", "display_name": "T1197 - BITS Jobs" }, { "id": "T1210", "name": "Exploitation of Remote Services", "display_name": "T1210 - Exploitation of Remote Services" }, { "id": "T1457", "name": "Malicious Media Content", "display_name": "T1457 - Malicious Media Content" }, { "id": "T1480", "name": "Execution Guardrails", "display_name": "T1480 - Execution Guardrails" }, { "id": "T1553", "name": "Subvert Trust Controls", "display_name": "T1553 - Subvert Trust Controls" }, { "id": "T1562", "name": "Impair Defenses", "display_name": "T1562 - Impair Defenses" }, { "id": "T1568", "name": "Dynamic Resolution", "display_name": "T1568 - Dynamic Resolution" }, { "id": "T1574", "name": "Hijack Execution Flow", "display_name": "T1574 - Hijack Execution Flow" }, { "id": "T1583", "name": "Acquire Infrastructure", "display_name": "T1583 - Acquire Infrastructure" } ], "industries": [ "Legal", "Government", "Healthcare", "Technology", "Telecommunications" ], "TLP": "white", "cloned_from": "6905d40f781d7d58d4021a20", "export_count": 11, "upvotes_count": 0, "downvotes_count": 0, "votes_count": 0, "locked": false, "pulse_source": "web", "validator_count": 0, "comment_count": 0, "follower_count": 0, "vote": 0, "author": { "username": "Q.Vashti", "id": "337942", "avatar_url": "https://otx.alienvault.com/assets/images/default-avatar.png", "is_subscribed": false, "is_following": false }, "indicator_type_counts": { "URL": 7556, "domain": 4779, "hostname": 2053, "FileHash-SHA256": 7233, "FileHash-MD5": 474, "FileHash-SHA1": 470, "CVE": 4, "email": 4 }, "indicator_count": 22573, "is_author": false, "is_subscribing": null, "subscriber_count": 138, "modified_text": "139 days ago ", "is_modified": true, "groups": [], "in_group": false, "threat_hunter_scannable": true, "threat_hunter_has_agents": 1, "related_indicator_type": "domain", "related_indicator_is_active": 1 }, { "id": "69137ee5d76d486d65396af0", "name": "Chris P. Ahmann Colorado State \u2022 Tam Legal Special Cousel for egregious acts committed by Jeffrey S. Reimer DPT \u2022 Treece Alfrey Musat P.C., ", "description": "", "modified": "2025-12-01T09:02:26.881000", "created": "2025-11-11T18:22:29.976000", "tags": [ "public tlp", "trojandropper", "other", "references add", "show", "provide", "remote", "t1457", "media content", "t1480", "subvert trust", "controls t1562", "modify tools", "command history", "ck t1027", "t1057", "discovery t1069", "t1071", "protocol t1105", "tool transfer", "t1113", "logging t1568", "t1574", "execution flow", "dll sideloading", "t1583", "ta0003", "ck id", "america", "att", "t1045", "capture t1140", "ipv4", "active related", "contact", "adversary", "tam legal", "qshell", "colorado state", "ahmann special", "counsel", "download", "ahmann", "university", "history", "john marshall", "law school", "special counsel", "christopher ahmann", "defense", "url http", "create new", "pulse provide", "white", "adversary tags", "add tag", "groups add", "countries add", "country malware", "trojan", "script urls", "treece alfrey", "meta", "function", "for privacy", "germany unknown", "united", "script", "ip address", "creation date", "date", "tracker", "null", "window", "general full", "reverse dns", "server", "philadelphia", "asn8560", "ionosas", "ionos", "fasthosts", "media", "telecom", "apache", "main", "gtagtracker", "gatracker", "brian sabey", "hall render", "fastly error", "palantir", "special counsel", "gravity rat" ], "references": [ "Treece Alfrey Musat P.C. Attorneys at Law Christopher P. Ahmann | https://TamLegal.com", "https://urlscan.io/screenshots/e931bb02-80dc-46db-92f0-43d5afa258be.png", "https://www.pornhub.com/gifs/search?search=tsara+lynn+brashears+lesbian", "https://www.anyxxxtube.net/search-porn/tsara-brashears/", "http://45.159.189.105/bot/regex \u2022\u2019 Fake Pinterest \u2022https://pin.it/", "https://twitter.com/PORNO_SEXYBABES \u2022 girlsdoporn.com", "Tsara never knew defense attorney fought & closed her worker\u2019s compensation claim", "Traceback- Man with signal jammer/ deauther working around her today.", "Absolutely zero regard for the victims who facilitate your luxury lifestyle.", "Do you slap luxury cologne on your undeserving face paid for by money workers suffered for?", "You\u2019d kill to have someone else\u2019s lifestyle? May God take you out!", "This God smacked penguin ordered a settlement hearing with less than 24 hours notice for claimant.", "He began a smear campaign immediately and is directly linked to Hall Render and Palantir", "Doing any evil thing for mone does not compute for me.", "I\u2019ve looked through the settlement docs, injuries caused by Jeffrey Scott Reiner DPT omitted.", "He must be very scary like Peter Theil because every attorney took case then backed off.", "Patiently waiting to see what God is going to do to all of you. You take lives for $", "Stop! A woman was assaulted carved up, lived with a swollen brain , maltreatment , stalkers , hitmen?", "So you can order food at fine restaurants , go to the finest places and get the best seats? No. I am earnestly praying Jehovah Sabaoth takes your last breath from all of you with Yawehs mightiest angels leading the way with a changing of guard for every tattle you will lose", "On same block with HalkRender. Has close working relationship. All Palantir legal enities" ], "public": 1, "adversary": "", "targeted_countries": [], "malware_families": [ { "id": "Other", "display_name": "Other", "target": null }, { "id": "Win.Malware.Unsafe", "display_name": "Win.Malware.Unsafe", "target": null }, { "id": "Juko", "display_name": "Juko", "target": null }, { "id": "Expiro", "display_name": "Expiro", "target": null }, { "id": "Trojan:Win32/Generic", "display_name": "Trojan:Win32/Generic", "target": "/malware/Trojan:Win32/Generic" }, { "id": "Win.Malware.Qshell-9875653-0", "display_name": "Win.Malware.Qshell-9875653-0", "target": null }, { "id": "Trojan:Win32/Qshell", "display_name": "Trojan:Win32/Qshell", "target": "/malware/Trojan:Win32/Qshell" } ], "attack_ids": [ { "id": "T1027", "name": "Obfuscated Files or Information", "display_name": "T1027 - Obfuscated Files or Information" }, { "id": "T1045", "name": "Software Packing", "display_name": "T1045 - Software Packing" }, { "id": "T1057", "name": "Process Discovery", "display_name": "T1057 - Process Discovery" }, { "id": "T1069", "name": "Permission Groups Discovery", "display_name": "T1069 - Permission Groups Discovery" }, { "id": "T1071", "name": "Application Layer Protocol", "display_name": "T1071 - Application Layer Protocol" }, { "id": "T1105", "name": "Ingress Tool Transfer", "display_name": "T1105 - Ingress Tool Transfer" }, { "id": "T1113", "name": "Screen Capture", "display_name": "T1113 - Screen Capture" }, { "id": "T1140", "name": "Deobfuscate/Decode Files or Information", "display_name": "T1140 - Deobfuscate/Decode Files or Information" }, { "id": "T1197", "name": "BITS Jobs", "display_name": "T1197 - BITS Jobs" }, { "id": "T1210", "name": "Exploitation of Remote Services", "display_name": "T1210 - Exploitation of Remote Services" }, { "id": "T1457", "name": "Malicious Media Content", "display_name": "T1457 - Malicious Media Content" }, { "id": "T1480", "name": "Execution Guardrails", "display_name": "T1480 - Execution Guardrails" }, { "id": "T1553", "name": "Subvert Trust Controls", "display_name": "T1553 - Subvert Trust Controls" }, { "id": "T1562", "name": "Impair Defenses", "display_name": "T1562 - Impair Defenses" }, { "id": "T1568", "name": "Dynamic Resolution", "display_name": "T1568 - Dynamic Resolution" }, { "id": "T1574", "name": "Hijack Execution Flow", "display_name": "T1574 - Hijack Execution Flow" }, { "id": "T1583", "name": "Acquire Infrastructure", "display_name": "T1583 - Acquire Infrastructure" } ], "industries": [ "Legal", "Government", "Healthcare", "Technology", "Telecommunications" ], "TLP": "white", "cloned_from": "6905d40f781d7d58d4021a20", "export_count": 3, "upvotes_count": 0, "downvotes_count": 0, "votes_count": 0, "locked": false, "pulse_source": "web", "validator_count": 0, "comment_count": 0, "follower_count": 0, "vote": 0, "author": { "username": "Q.Vashti", "id": "337942", "avatar_url": "https://otx.alienvault.com/assets/images/default-avatar.png", "is_subscribed": false, "is_following": false }, "indicator_type_counts": { "URL": 7556, "domain": 4779, "hostname": 2053, "FileHash-SHA256": 7233, "FileHash-MD5": 474, "FileHash-SHA1": 470, "CVE": 4, "email": 4 }, "indicator_count": 22573, "is_author": false, "is_subscribing": null, "subscriber_count": 140, "modified_text": "139 days ago ", "is_modified": true, "groups": [], "in_group": false, "threat_hunter_scannable": true, "threat_hunter_has_agents": 1, "related_indicator_type": "domain", "related_indicator_is_active": 1 }, { "id": "686adf91f725a8b7f9850192", "name": "Dystopian Life & Death of an American Crime Victim | Boldy predicted how she will die", "description": "Palantir - a data analytics company, known as a military intelligence tool. co-founded by billionaire investor , Trump supporter and Republican mega donor Musk aligned; Peter Thiel, as per New York. \n\nFounded in 2003, known for its data analytics platforms - Palantir Gotham & Palantir Foundry are used by government & private sectors for various applications, including defense & healthcare. The company faces criticism for its role in government surveillance & data privacy concerns.\nPalantir can be linked to malicious, malware packed , compromised malvertisements about victim allegedly SA\u2019d by her physical therapist Jeffrey Scott Reimer DPT. Apparently target was paid a small settlement via lengthy phone battle by a man representing himself as Brian Sabey ,Esq of Hall Render. \n Palantir, admittedly designs cyber weapon that \u2018kills people\u2019. Are governments abusing to terrorize, silence & even harm/kill American citizens. Is this an elaborate hoax?\nTeam 8 \n#rip #plantantir #Hosanna #dystopian #targeted", "modified": "2025-08-05T15:03:36.451000", "created": "2025-07-06T20:41:53.748000", "tags": [ "url https", "type indicator", "role title", "added active", "related pulses", "url http", "showing", "entries", "indicator role", "title added", "active related", "pulses url", "ipv4", "filehashmd5", "filehashsha1", "filehashsha256", "indicators show", "search", "reputation", "et att", "ck id", "t1060", "run keys", "startup", "folder", "scan", "iocs", "learn more", "hostname", "types of", "pagehrsappjbpst", "actionu", "focusapplicant", "siteid1", "postingseq1", "t1036", "t1043", "port", "t1085", "rundll32", "t1114", "t1179", "fbi flash", "cu000163mw", "compromise", "found", "uunet", "code", "reverse domain", "lookup", "ragnar", "locker", "ragnar locker", "cidr", "pulses", "types", "windows", "linux", "united", "trojandropper", "mtb jun", "trojan", "win32upatre aug", "mtb may", "gmt server", "ecacc", "files", "suspicious", "body", "data upload", "extraction", "cve cve20170147", "cve cve20178570", "cve cve20178977", "url feb", "pulses hostname", "a1sticas", "next associated", "present mar", "present jun", "present may", "france", "date", "ip address", "present apr", "virtool", "name servers", "value emails", "name john", "shipton", "dynadot privacy", "po box", "city san", "mateo country", "us creation", "news videos", "maps assist", "search settings", "safe search", "date more", "images bae", "systems defense", "bae systems", "london", "britain", "akamai rank", "script urls", "status", "a domains", "accept encoding", "unknown ns", "meta", "encrypt", "https", "report spam", "created", "year ago", "modified", "octoseek public", "cyber attack", "pegasus", "westlaw", "hallrender", "front", "sabey", "enter s", "include review", "exclude sugges", "failed", "sc type", "extr included", "manually add", "puls", "excludedocs", "sugges data", "phishing", "apple pegasus", "detections", "references", "stranger things", "http", "yara", "upx alerts", "fort collins", "help4u", "communications", "orgtechhandle", "domain", "no entries", "cchk asnas26658", "vj92", "search filter", "time sabey", "x show", "indicator type", "email", "filehashimphash", "filehashpehash", "backdoor", "ransom", "checkin", "alphacrypt cnc", "beacon", "jeffrey scott", "terse http", "possible", "accept", "xorddos", "ck ids", "t1512", "camera", "t1071", "protocol", "ta0001", "access", "ta0002", "ta0003", "ta0004", "cookie", "show", "ally", "melika", "part1", "trojanclicker", "bayrob", "android", "ransomware", "sakula rat", "t1125", "video capture", "t1566", "t1068", "t1190", "application", "t1472", "t1457", "media content", "social media", "doppelgnging", "t1080", "shared content", "t1449", "exploit ss7", "phone callssms", "enter sc", "type", "no expiration", "expiration", "months ago", "expiration http", "reimer dpt", "r role", "sa victim", "daisy coleman", "source", "weeks ago", "tbmvid", "sourcelnms", "zx1724209326040", "ahtrnaah typ", "url url", "url domain", "pulse sthow", "ah types", "ind indicator", "data uptoad", "extrachttp", "dulce sphown", "aho data", "typ url", "url dom", "hos hostname", "hos host", "dom dom" ], "references": [], "public": 1, "adversary": "", "targeted_countries": [], "malware_families": [], "attack_ids": [ { "id": "T1060", "name": "Registry Run Keys / Startup Folder", "display_name": "T1060 - Registry Run Keys / Startup Folder" }, { "id": "T1036", "name": "Masquerading", "display_name": "T1036 - Masquerading" }, { "id": "T1043", "name": "Commonly Used Port", "display_name": "T1043 - Commonly Used Port" }, { "id": "T1085", "name": "Rundll32", "display_name": "T1085 - Rundll32" }, { "id": "T1114", "name": "Email Collection", "display_name": "T1114 - Email Collection" }, { "id": "T1179", "name": "Hooking", "display_name": "T1179 - Hooking" }, { "id": "T1053", "name": "Scheduled Task/Job", "display_name": "T1053 - Scheduled Task/Job" }, { "id": "T1055", "name": "Process Injection", "display_name": "T1055 - Process Injection" }, { "id": "T1082", "name": "System Information Discovery", "display_name": "T1082 - System Information Discovery" }, { "id": "T1119", "name": "Automated Collection", "display_name": "T1119 - Automated Collection" }, { "id": "T1129", "name": "Shared Modules", "display_name": "T1129 - Shared Modules" }, { "id": "T1143", "name": "Hidden Window", "display_name": "T1143 - Hidden Window" }, { "id": "T1051", "name": "Shared Webroot", "display_name": "T1051 - Shared Webroot" }, { "id": "T1056", "name": "Input Capture", "display_name": "T1056 - Input Capture" }, { "id": "T1071", "name": "Application Layer Protocol", "display_name": "T1071 - Application Layer Protocol" }, { "id": "T1105", "name": "Ingress Tool Transfer", "display_name": "T1105 - Ingress Tool Transfer" }, { "id": "T1123", "name": "Audio Capture", "display_name": "T1123 - Audio Capture" }, { "id": "T1155", "name": "AppleScript", "display_name": "T1155 - AppleScript" }, { "id": "T1210", "name": "Exploitation of Remote Services", "display_name": "T1210 - Exploitation of Remote Services" }, { "id": "T1506", "name": "Web Session Cookie", "display_name": "T1506 - Web Session Cookie" }, { "id": "T1512", "name": "Capture Camera", "display_name": "T1512 - Capture Camera" }, { "id": "T1566", "name": "Phishing", "display_name": "T1566 - Phishing" }, { "id": "T1583", "name": "Acquire Infrastructure", "display_name": "T1583 - Acquire Infrastructure" }, { "id": "T1598", "name": "Phishing for Information", "display_name": "T1598 - Phishing for Information" }, { "id": "T1068", "name": "Exploitation for Privilege Escalation", "display_name": "T1068 - Exploitation for Privilege Escalation" }, { "id": "T1080", "name": "Taint Shared Content", "display_name": "T1080 - Taint Shared Content" }, { "id": "T1125", "name": "Video Capture", "display_name": "T1125 - Video Capture" }, { "id": "T1190", "name": "Exploit Public-Facing Application", "display_name": "T1190 - Exploit Public-Facing Application" }, { "id": "T1449", "name": "Exploit SS7 to Redirect Phone Calls/SMS", "display_name": "T1449 - Exploit SS7 to Redirect Phone Calls/SMS" }, { "id": "T1457", "name": "Malicious Media Content", "display_name": "T1457 - Malicious Media Content" }, { "id": "T1472", "name": "Generate Fraudulent Advertising Revenue", "display_name": "T1472 - Generate Fraudulent Advertising Revenue" }, { "id": "T1586", "name": "Compromise Accounts", "display_name": "T1586 - Compromise Accounts" }, { "id": "T1140", "name": "Deobfuscate/Decode Files or Information", "display_name": "T1140 - Deobfuscate/Decode Files or Information" } ], "industries": [], "TLP": "green", "cloned_from": null, "export_count": 31, "upvotes_count": 0, "downvotes_count": 0, "votes_count": 0, "locked": false, "pulse_source": "web", "validator_count": 0, "comment_count": 0, "follower_count": 0, "vote": 0, "author": { "username": "Q.Vashti", "id": "337942", "avatar_url": "https://otx.alienvault.com/assets/images/default-avatar.png", "is_subscribed": false, "is_following": false }, "indicator_type_counts": { "URL": 8149, "domain": 1067, "hostname": 2103, "FileHash-SHA256": 1617, "URI": 1, "FilePath": 1, "FileHash-MD5": 412, "FileHash-SHA1": 368, "CIDR": 4, "CVE": 6, "email": 10 }, "indicator_count": 13738, "is_author": false, "is_subscribing": null, "subscriber_count": 137, "modified_text": "257 days ago ", "is_modified": true, "groups": [], "in_group": false, "threat_hunter_scannable": true, "threat_hunter_has_agents": 1, "related_indicator_type": "domain", "related_indicator_is_active": 1 }, { "id": "686c676bcc053e0fc51f01b2", "name": "ALL T8 research led to Firm_IP\u2019s = BoFa , WikiLeaks, United Healthcare, HCA, T-Mobile, Dish , AT&T, Apple,+ Breaches despite other speculations with 0 relations", "description": "", "modified": "2025-08-05T15:03:36.451000", "created": "2025-07-08T00:33:47.021000", "tags": [ "url https", "type indicator", "role title", "added active", "related pulses", "url http", "showing", "entries", "indicator role", "title added", "active related", "pulses url", "ipv4", "filehashmd5", "filehashsha1", "filehashsha256", "indicators show", "search", "reputation", "et att", "ck id", "t1060", "run keys", "startup", "folder", "scan", "iocs", "learn more", "hostname", "types of", "pagehrsappjbpst", "actionu", "focusapplicant", "siteid1", "postingseq1", "t1036", "t1043", "port", "t1085", "rundll32", "t1114", "t1179", "fbi flash", "cu000163mw", "compromise", "found", "uunet", "code", "reverse domain", "lookup", "ragnar", "locker", "ragnar locker", "cidr", "pulses", "types", "windows", "linux", "united", "trojandropper", "mtb jun", "trojan", "win32upatre aug", "mtb may", "gmt server", "ecacc", "files", "suspicious", "body", "data upload", "extraction", "cve cve20170147", "cve cve20178570", "cve cve20178977", "url feb", "pulses hostname", "a1sticas", "next associated", "present mar", "present jun", "present may", "france", "date", "ip address", "present apr", "virtool", "name servers", "value emails", "name john", "shipton", "dynadot privacy", "po box", "city san", "mateo country", "us creation", "news videos", "maps assist", "search settings", "safe search", "date more", "images bae", "systems defense", "bae systems", "london", "britain", "akamai rank", "script urls", "status", "a domains", "accept encoding", "unknown ns", "meta", "encrypt", "https", "report spam", "created", "year ago", "modified", "octoseek public", "cyber attack", "pegasus", "westlaw", "hallrender", "front", "sabey", "enter s", "include review", "exclude sugges", "failed", "sc type", "extr included", "manually add", "puls", "excludedocs", "sugges data", "phishing", "apple pegasus", "detections", "references", "stranger things", "http", "yara", "upx alerts", "fort collins", "help4u", "communications", "orgtechhandle", "domain", "no entries", "cchk asnas26658", "vj92", "search filter", "time sabey", "x show", "indicator type", "email", "filehashimphash", "filehashpehash", "backdoor", "ransom", "checkin", "alphacrypt cnc", "beacon", "jeffrey scott", "terse http", "possible", "accept", "xorddos", "ck ids", "t1512", "camera", "t1071", "protocol", "ta0001", "access", "ta0002", "ta0003", "ta0004", "cookie", "show", "ally", "melika", "part1", "trojanclicker", "bayrob", "android", "ransomware", "sakula rat", "t1125", "video capture", "t1566", "t1068", "t1190", "application", "t1472", "t1457", "media content", "social media", "doppelgnging", "t1080", "shared content", "t1449", "exploit ss7", "phone callssms", "enter sc", "type", "no expiration", "expiration", "months ago", "expiration http", "reimer dpt", "r role", "sa victim", "daisy coleman", "source", "weeks ago", "tbmvid", "sourcelnms", "zx1724209326040", "ahtrnaah typ", "url url", "url domain", "pulse sthow", "ah types", "ind indicator", "data uptoad", "extrachttp", "dulce sphown", "aho data", "typ url", "url dom", "hos hostname", "hos host", "dom dom" ], "references": [], "public": 1, "adversary": "", "targeted_countries": [], "malware_families": [], "attack_ids": [ { "id": "T1060", "name": "Registry Run Keys / Startup Folder", "display_name": "T1060 - Registry Run Keys / Startup Folder" }, { "id": "T1036", "name": "Masquerading", "display_name": "T1036 - Masquerading" }, { "id": "T1043", "name": "Commonly Used Port", "display_name": "T1043 - Commonly Used Port" }, { "id": "T1085", "name": "Rundll32", "display_name": "T1085 - Rundll32" }, { "id": "T1114", "name": "Email Collection", "display_name": "T1114 - Email Collection" }, { "id": "T1179", "name": "Hooking", "display_name": "T1179 - Hooking" }, { "id": "T1053", "name": "Scheduled Task/Job", "display_name": "T1053 - Scheduled Task/Job" }, { "id": "T1055", "name": "Process Injection", "display_name": "T1055 - Process Injection" }, { "id": "T1082", "name": "System Information Discovery", "display_name": "T1082 - System Information Discovery" }, { "id": "T1119", "name": "Automated Collection", "display_name": "T1119 - Automated Collection" }, { "id": "T1129", "name": "Shared Modules", "display_name": "T1129 - Shared Modules" }, { "id": "T1143", "name": "Hidden Window", "display_name": "T1143 - Hidden Window" }, { "id": "T1051", "name": "Shared Webroot", "display_name": "T1051 - Shared Webroot" }, { "id": "T1056", "name": "Input Capture", "display_name": "T1056 - Input Capture" }, { "id": "T1071", "name": "Application Layer Protocol", "display_name": "T1071 - Application Layer Protocol" }, { "id": "T1105", "name": "Ingress Tool Transfer", "display_name": "T1105 - Ingress Tool Transfer" }, { "id": "T1123", "name": "Audio Capture", "display_name": "T1123 - Audio Capture" }, { "id": "T1155", "name": "AppleScript", "display_name": "T1155 - AppleScript" }, { "id": "T1210", "name": "Exploitation of Remote Services", "display_name": "T1210 - Exploitation of Remote Services" }, { "id": "T1506", "name": "Web Session Cookie", "display_name": "T1506 - Web Session Cookie" }, { "id": "T1512", "name": "Capture Camera", "display_name": "T1512 - Capture Camera" }, { "id": "T1566", "name": "Phishing", "display_name": "T1566 - Phishing" }, { "id": "T1583", "name": "Acquire Infrastructure", "display_name": "T1583 - Acquire Infrastructure" }, { "id": "T1598", "name": "Phishing for Information", "display_name": "T1598 - Phishing for Information" }, { "id": "T1068", "name": "Exploitation for Privilege Escalation", "display_name": "T1068 - Exploitation for Privilege Escalation" }, { "id": "T1080", "name": "Taint Shared Content", "display_name": "T1080 - Taint Shared Content" }, { "id": "T1125", "name": "Video Capture", "display_name": "T1125 - Video Capture" }, { "id": "T1190", "name": "Exploit Public-Facing Application", "display_name": "T1190 - Exploit Public-Facing Application" }, { "id": "T1449", "name": "Exploit SS7 to Redirect Phone Calls/SMS", "display_name": "T1449 - Exploit SS7 to Redirect Phone Calls/SMS" }, { "id": "T1457", "name": "Malicious Media Content", "display_name": "T1457 - Malicious Media Content" }, { "id": "T1472", "name": "Generate Fraudulent Advertising Revenue", "display_name": "T1472 - Generate Fraudulent Advertising Revenue" }, { "id": "T1586", "name": "Compromise Accounts", "display_name": "T1586 - Compromise Accounts" }, { "id": "T1140", "name": "Deobfuscate/Decode Files or Information", "display_name": "T1140 - Deobfuscate/Decode Files or Information" } ], "industries": [], "TLP": "green", "cloned_from": "686adf91f725a8b7f9850192", "export_count": 56, "upvotes_count": 0, "downvotes_count": 0, "votes_count": 0, "locked": false, "pulse_source": "web", "validator_count": 0, "comment_count": 0, "follower_count": 0, "vote": 0, "author": { "username": "Q.Vashti", "id": "337942", "avatar_url": "https://otx.alienvault.com/assets/images/default-avatar.png", "is_subscribed": false, "is_following": false }, "indicator_type_counts": { "URL": 8149, "domain": 1067, "hostname": 2103, "FileHash-SHA256": 1617, "URI": 1, "FilePath": 1, "FileHash-MD5": 412, "FileHash-SHA1": 368, "CIDR": 4, "CVE": 6, "email": 10 }, "indicator_count": 13738, "is_author": false, "is_subscribing": null, "subscriber_count": 138, "modified_text": "257 days ago ", "is_modified": true, "groups": [], "in_group": false, "threat_hunter_scannable": true, "threat_hunter_has_agents": 1, "related_indicator_type": "domain", "related_indicator_is_active": 1 }, { "id": "66804428b487338dc16f70a7", "name": "Brian Sabey Orbiting Tsara Brashears and associates | Espionage | Said client: Jeffrey Reimer", "description": "Brian Sabey & large team continue excessive orbiting target & family members in multiple states. \nUnwarranted, dangerous and illegal. \nLarge attacks have wreaked havoc on medical establishments, targets medical profile, once profitable business, legal manipulation, financial well being. forced poverty, swatting, imfostealer, insurance fraud, intellectual property use, Audi le spying, in person stalking, confrontations, great bodily harm, loss of peace, safety. basic human rights and privacy, phone call redirection, malvertising. In the name of assaulter Jeffrey Scott Reimer", "modified": "2024-11-05T10:00:12.606000", "created": "2024-06-29T17:28:08.283000", "tags": [ "unknown", "united", "virgin islands", "as51852", "as33387", "as19905", "as44273 host", "cname", "nxdomain", "passive dns", "url http", "search", "type indicator", "role title", "added active", "related pulses", "entries", "urls", "files ip", "address domain", "ip related", "pulses otx", "pulses", "related tags", "indicator facts", "dga domain", "http", "unique", "scan endpoints", "all scoreblue", "pulse pulses", "ip address", "related nids", "log id", "gmtn", "go daddy", "authority", "tls web", "arizona", "scottsdale", "ca issuers", "b59bn timestamp", "ff2c217402202b", "code", "false", "url https", "domain", "trojan", "hostname", "files", "body", "date", "path max", "age86400 set", "cookie", "script urls", "type", "mtb may", "script script", "trojanspy", "striven", "miles2", "rexxfield", "http response", "final url", "serving ip", "address", "status code", "body length", "b body", "sha256", "date sat", "gmt server", "sakula malware", "historical ssl", "realteck audio", "lemon duck", "iocs", "tsara brashears", "loki password", "stealer", "windows", "auction", "metro", "core", "colibri loader", "hacktool", "status", "for privacy", "creation date", "record value", "name servers", "showing", "next", "mtb mar", "ipv4", "ransom", "west domains", "redacted for", "gmt location", "gmt max", "cowboy", "encrypt", "as60558 phoenix", "susp", "win32", "methodpost", "canada unknown", "as43350 nforce", "united kingdom", "as47846", "germany unknown", "briansabey", "body doubles", "orbiters", "malvertising", "cane", "get na", "show", "as16509", "delete c", "sinkhole cookie", "value snkz", "cape", "possible", "copy", "nivdort", "write", "bayrob", "malware", "exploit", "confirm https", "impact", "misc http", "cvss v2", "authentication", "n cvss", "v3 severity", "high attack", "emails", "cnc", "alphacrypt cnc", "beacon", "as15169 google", "limited", "as8560", "elite", "AS33387 nocix llc", "pegasus", "mercenary", "cellerebrand", "cellebrite", "apple", "dark", "apple ios", "ios", "apple iphone", "apple itunes", "itunes", "pegasystem", "data brokers", "hackers", "javascript", "please", "intel", "filehash", "av detections", "xorddos" ], "references": [ "http://www.northpoleroute.com/78985064&type=0&resid=5312625", "espysite.azurewebsites.net - https://otx.alienvault.com/indicator/hostname/espysite.azurewebsites.net", "TrojanSpy:Win32/Nivdort.CW: FileHash-SHA256\t251150379b9a0ff230899777f0952d3833a88c1a2d6a0101ea13bdd91a9550fe", "TrojanSpy:Win32/Nivdort.CW: FileHash-SHA256 aa289c89f2cdbfe896f4c77c611d94aa95858797014b57e24d5fe2bb0997d7b0", "Ransom:Win32/Haperlock.A: FileHash-MD5 46480bf46cde2b3e79852661cc5c36fc", "Ransom:Win32/Haperlock.A: FileHash-SHA1 c881d1434164b35fb16107a25f84995b7fdef37f", "Ransom:Win32/Haperlock.A; FileHash-SHA256 8264c73f129d4895573c2375ea4e4636b9d5df66852ce72ccc20d31a96ae7df1", "IDS Detections: W32/Bayrob Attempted Checkin 2 Terse HTTP 1.0 Request Possible Nivdort W32/Bayrob Attempted Checkin", "IDS Detections: Possible Compromised Host AnubisNetworks Sinkhole Cookie Value Snkz", "Alerts: cape_detected_threat cape_extracted_content", "https://otx.alienvault.com/indicator/file/251150379b9a0ff230899777f0952d3833a88c1a2d6a0101ea13bdd91a9550fe", "https://otx.alienvault.com/indicator/url/https://www.anyxxxtube.net/search-porn/tsara-brashears/ [phishing]", "\"Windows SMB Information Disclosure Vulnerability.\" - https://otx.alienvault.com/indicator/cve/CVE-2017-0147", "Backdoor:Win32/Fynloski.A: FileHash-SHA256 4e692806955f9ee3f4c7a5d9a1ac7729eb53b855b39e6f9f943f89ccba30bd49", "Backdoor:Win32/Fynloski.A: FileHash-SHA 453355033bb7977831ca87cc90156b594f13b2ee", "Backdoor:Win32/Fynloski.A: FileHash-MD5 c3113684e8f8aa6d1b1b67d59141e845", "TrojanClicker:Win32/Ellell.A: FileHash-SHA256 7456108771e6a8bac658276c1cb9e18c8c348fdd9cd3538419751c3b5ef3ac02", "TrojanClicker:Win32/Ellell.A: FileHash-SHA1 7a52b57df5b3c67f810a71dc39ff93688b141534", "TrojanClicker:Win32/Ellell.A: 4d3e7d486ec5918d91e54e51c4d07dc6", "PWS:Win32/Ymacco.AA50: FileHash-SHA256 105834163b1a0c89e12917a3145e14be6030a611e07f7f62fa7c57de838d6251", "PWS:Win32/Ymacco.AA50: FileHash-SHA1 57486d33246bce6dfedb0836cd97c9acd4a4a39a", "PWS:Win32/Ymacco.AA50: FileHash-MD5 5739cd62eb88e2a7e514784fe7cf5ca4", "https://otx.alienvault.com/indicator/ip/162.222.213.199", "TrojanDownloader:Win32/PurityScan.MI!MTB: FileHash-SHA1 58ba8715a88d883537ba8d0e20eea2a4d9269cad", "Ransom:Win32/Tescrypt: FileHash-SHA256 916e13eb1e4313b2a04a2ae21b4955b8228183b26709a64284098ca759a8f437", "PWS:Win32/QQpass.B!MTB: FileHash-SHA256 71fa9257f88c15b438616662dc468327199edb570286c7259d333953006b8eec", "PWS:Win32/QQpass.B!MTB: FileHash-SHA1 fec703ee7c02ffe35c6b987bb9aac3a765e95dfb", "PWS:Win32/QQpass.B!MTB: FileHash-MD5 f7c36b4e5b4b09dc369163377aade2d7", "Trojan:Win32/Zombie.A: FileHash-SHA256 0b87667251b79cb800ddd88bdabecea8e13248c426d4a14ae0aae0ef5783f943", "Trojan:Win32/Zombie.A: FileHash-SHA1 de974c697f0401d681e1bb3c8694a663e9e43d8f", "Trojan:Win32/Zombie.A: FileHash-MD5 34e85820b41c14e07dd564f22997e893", "Win.Virus.TeslaCrypt3-2: 78af1fd5be62ab829e49f9a1b5fbb8a9b30f8d0804cba5805c8f350b841d522e", "IDS Detections : W32/Bayrob Attempted Checkin 2 CryptoWall Check-in AlphaCrypt CnC Beacon 4 Trojan-Ransom.Win32.Blocker.avsx", "IDS Detections : AlphaCrypt CnC Beacon 3 MalDoc Request for Payload Aug 17 2016 Koobface W32/Bayrob Attempted Checkin", "IDS Detections : Suspicious Accept in HTTP POST - Possible Alphacrypt/TeslaCrypt Alphacrypt/TeslaCrypt Ransomware CnC Beacon", "https://otx.alienvault.com/indicator/ip/185.230.63.186", "CnC IP's: 192.187.111.221 63.141.242.43 63.141.242.44 63.141.242.46 81.17.18.195 81.17.18.197 81.17.29.146 81.17.29.148", "http://islamicsoftwares.com/downloads/iphone/audioCont/2/107.tar.gz http://islamicsoftwares.com/downloads/iphone/audioCont/7/110.tar.gz", "smartphonesonline.co.uk https://smartphonesonline.co.uk/ https://www.smartphonesonline.co.uk/ [192.187.111.222. US - Request HTTP -Target IP]", "Mercenary Attackers / Cellebrite branded as: http://teacellertea.com/Pegasus/ NSO", "https://itunes.apple.com/app/apple-store/id284815942/us/app/samsung-galaxy-watch-gear-s/id1117310635", "https://otx.alienvault.com/indicator/file/0002f7cbc10cfea832f117d66dea2d33e6ca1d5cea57d9af0784255e0112d658", "https://otx.alienvault.com/indicator/file/0002f7cbc10cfea832f117d66dea2d33e6ca1d5cea57d9af0784255e0112d658", "https://otx.alienvault.com/indicator/ip/63.141.242.45", "Yara Detections: is__elf , xorddos , LinuxXorDDoS_VariantTwo", "Antivirus Detections: ELF:Xorddos-AE\\ [Trj] , Unix.Trojan.Xorddos-1 ,", "Trojan:Linux/Xorddos: FileHash-MD5 3b4ce1333614cd21c109054630e959b9", "Trojan:Linux/Xorddos: FileHash-SHA1 a5780498e6fce5933a7e7bf59a6fa5742e97f559", "Trojan:Linux/Xorddos: FileHash-SHA256 0002f7cbc10cfea832f117d66dea2d33e6ca1d5cea57d9af0784255e0112d658", "https://hallrender.com/attorney/brian-sabey" ], "public": 1, "adversary": "", "targeted_countries": [ "United States of America", "United Kingdom of Great Britain and Northern Ireland" ], "malware_families": [ { "id": "TrojanSpy:Win32/Nivdort.CW", "display_name": "TrojanSpy:Win32/Nivdort.CW", "target": "/malware/TrojanSpy:Win32/Nivdort.CW" }, { "id": "Ransom:Win32/Haperlock.A", "display_name": "Ransom:Win32/Haperlock.A", "target": "/malware/Ransom:Win32/Haperlock.A" }, { "id": "Backdoor:Win32/Fynloski.A", "display_name": "Backdoor:Win32/Fynloski.A", "target": "/malware/Backdoor:Win32/Fynloski.A" }, { "id": "TrojanClicker:Win32/Ellell.A", "display_name": "TrojanClicker:Win32/Ellell.A", "target": "/malware/TrojanClicker:Win32/Ellell.A" }, { "id": "Bayrob", "display_name": "Bayrob", "target": null }, { "id": "Win.Virus.TeslaCrypt3-2/Custom", "display_name": "Win.Virus.TeslaCrypt3-2/Custom", "target": null }, { "id": "PWS:Win32/Ymacco.AA50", "display_name": "PWS:Win32/Ymacco.AA50", "target": "/malware/PWS:Win32/Ymacco.AA50" }, { "id": "Ransom:Win32/Tescrypt", "display_name": "Ransom:Win32/Tescrypt", "target": "/malware/Ransom:Win32/Tescrypt" }, { "id": "PWS:Win32/QQpass.B!MTB", "display_name": "PWS:Win32/QQpass.B!MTB", "target": "/malware/PWS:Win32/QQpass.B!MTB" }, { "id": "Trojan:Win32/Zombie.A", "display_name": "Trojan:Win32/Zombie.A", "target": "/malware/Trojan:Win32/Zombie.A" }, { "id": "Pegasus for iOS - S0289", "display_name": "Pegasus for iOS - S0289", "target": null }, { "id": "Pegasus for Android - MOB-S0032", "display_name": "Pegasus for Android - MOB-S0032", "target": null }, { "id": "Ransomware", "display_name": "Ransomware", "target": null }, { "id": "Trojan:Linux/Xorddos", "display_name": "Trojan:Linux/Xorddos", "target": "/malware/Trojan:Linux/Xorddos" }, { "id": "Sakula RAT", "display_name": "Sakula RAT", "target": null } ], "attack_ids": [ { "id": "T1512", "name": "Capture Camera", "display_name": "T1512 - Capture Camera" }, { "id": "T1071", "name": "Application Layer Protocol", "display_name": "T1071 - Application Layer Protocol" }, { "id": "TA0001", "name": "Initial Access", "display_name": "TA0001 - Initial Access" }, { "id": "TA0002", "name": "Execution", "display_name": "TA0002 - Execution" }, { "id": "TA0003", "name": "Persistence", "display_name": "TA0003 - Persistence" }, { "id": "TA0004", "name": "Privilege Escalation", "display_name": "TA0004 - Privilege Escalation" }, { "id": "TA0005", "name": "Defense Evasion", "display_name": "TA0005 - Defense Evasion" }, { "id": "TA0007", "name": "Discovery", "display_name": "TA0007 - Discovery" }, { "id": "TA0008", "name": "Lateral Movement", "display_name": "TA0008 - Lateral Movement" }, { "id": "TA0009", "name": "Collection", "display_name": "TA0009 - Collection" }, { "id": "TA0010", "name": "Exfiltration", "display_name": "TA0010 - Exfiltration" }, { "id": "T1583", "name": "Acquire Infrastructure", "display_name": "T1583 - Acquire Infrastructure" }, { "id": "T1105", "name": "Ingress Tool Transfer", "display_name": "T1105 - Ingress Tool Transfer" }, { "id": "T1566", "name": "Phishing", "display_name": "T1566 - Phishing" }, { "id": "T1598", "name": "Phishing for Information", "display_name": "T1598 - Phishing for Information" }, { "id": "T1210", "name": "Exploitation of Remote Services", "display_name": "T1210 - Exploitation of Remote Services" }, { "id": "TA0011", "name": "Command and Control", "display_name": "TA0011 - Command and Control" }, { "id": "T1506", "name": "Web Session Cookie", "display_name": "T1506 - Web Session Cookie" }, { "id": "T1071.004", "name": "DNS", "display_name": "T1071.004 - DNS" }, { "id": "T1129", "name": "Shared Modules", "display_name": "T1129 - Shared Modules" }, { "id": "T1051", "name": "Shared Webroot", "display_name": "T1051 - Shared Webroot" }, { "id": "T1114", "name": "Email Collection", "display_name": "T1114 - Email Collection" }, { "id": "T1123", "name": "Audio Capture", "display_name": "T1123 - Audio Capture" }, { "id": "T1056.001", "name": "Keylogging", "display_name": "T1056.001 - Keylogging" }, { "id": "T1155", "name": "AppleScript", "display_name": "T1155 - AppleScript" } ], "industries": [], "TLP": "green", "cloned_from": null, "export_count": 106, "upvotes_count": 0, "downvotes_count": 0, "votes_count": 0, "locked": false, "pulse_source": "web", "validator_count": 0, "comment_count": 2, "follower_count": 0, "vote": 0, "author": { "username": "scoreblue", "id": "254100", "avatar_url": "/otxapi/users/avatar_image/media/avatars/user_254100/resized/80/avatar_3b9c358f36.png", "is_subscribed": false, "is_following": false }, "indicator_type_counts": { "domain": 3885, "hostname": 1651, "URL": 5981, "FileHash-MD5": 486, "FileHash-SHA256": 3859, "SSLCertFingerprint": 2, "FileHash-SHA1": 487, "CVE": 7, "email": 8 }, "indicator_count": 16366, "is_author": false, "is_subscribing": null, "subscriber_count": 230, "modified_text": "530 days ago ", "is_modified": true, "groups": [], "in_group": false, "threat_hunter_scannable": true, "threat_hunter_has_agents": 1, "related_indicator_type": "domain", "related_indicator_is_active": 1 } ], "references": [ "Absolutely zero regard for the victims who facilitate your luxury lifestyle.", "Trojan:Win32/Zombie.A: FileHash-MD5 34e85820b41c14e07dd564f22997e893", "http://www.northpoleroute.com/78985064&type=0&resid=5312625", "https://hallrender.com/attorney/brian-sabey", "Doing any evil thing for mone does not compute for me.", "Do you slap luxury cologne on your undeserving face paid for by money workers suffered for?", "Patiently waiting to see what God is going to do to all of you. You take lives for $", "Traceback- Man with signal jammer/ deauther working around her today.", "Trojan:Linux/Xorddos: FileHash-SHA256 0002f7cbc10cfea832f117d66dea2d33e6ca1d5cea57d9af0784255e0112d658", "Backdoor:Win32/Fynloski.A: FileHash-SHA 453355033bb7977831ca87cc90156b594f13b2ee", "https://www.anyxxxtube.net/search-porn/tsara-brashears/", "Ransom:Win32/Haperlock.A: FileHash-MD5 46480bf46cde2b3e79852661cc5c36fc", "http://islamicsoftwares.com/downloads/iphone/audioCont/2/107.tar.gz http://islamicsoftwares.com/downloads/iphone/audioCont/7/110.tar.gz", "Trojan:Linux/Xorddos: FileHash-SHA1 a5780498e6fce5933a7e7bf59a6fa5742e97f559", "So you can order food at fine restaurants , go to the finest places and get the best seats? No. I am earnestly praying Jehovah Sabaoth takes your last breath from all of you with Yawehs mightiest angels leading the way with a changing of guard for every tattle you will lose", "You\u2019d kill to have someone else\u2019s lifestyle? May God take you out!", "IDS Detections: Possible Compromised Host AnubisNetworks Sinkhole Cookie Value Snkz", "I\u2019ve looked through the settlement docs, injuries caused by Jeffrey Scott Reiner DPT omitted.", "Tsara never knew defense attorney fought & closed her worker\u2019s compensation claim", "He began a smear campaign immediately and is directly linked to Hall Render and Palantir", "https://otx.alienvault.com/indicator/file/251150379b9a0ff230899777f0952d3833a88c1a2d6a0101ea13bdd91a9550fe", "espysite.azurewebsites.net - https://otx.alienvault.com/indicator/hostname/espysite.azurewebsites.net", "PWS:Win32/Ymacco.AA50: FileHash-SHA1 57486d33246bce6dfedb0836cd97c9acd4a4a39a", "PWS:Win32/Ymacco.AA50: FileHash-MD5 5739cd62eb88e2a7e514784fe7cf5ca4", "Backdoor:Win32/Fynloski.A: FileHash-MD5 c3113684e8f8aa6d1b1b67d59141e845", "https://otx.alienvault.com/indicator/file/0002f7cbc10cfea832f117d66dea2d33e6ca1d5cea57d9af0784255e0112d658", "Win.Virus.TeslaCrypt3-2: 78af1fd5be62ab829e49f9a1b5fbb8a9b30f8d0804cba5805c8f350b841d522e", "Treece Alfrey Musat P.C. Attorneys at Law Christopher P. Ahmann | https://TamLegal.com", "https://itunes.apple.com/app/apple-store/id284815942/us/app/samsung-galaxy-watch-gear-s/id1117310635", "http://45.159.189.105/bot/regex \u2022\u2019 Fake Pinterest \u2022https://pin.it/", "https://twitter.com/PORNO_SEXYBABES \u2022 girlsdoporn.com", "TrojanDownloader:Win32/PurityScan.MI!MTB: FileHash-SHA1 58ba8715a88d883537ba8d0e20eea2a4d9269cad", "Ransom:Win32/Tescrypt: FileHash-SHA256 916e13eb1e4313b2a04a2ae21b4955b8228183b26709a64284098ca759a8f437", "Trojan:Win32/Zombie.A: FileHash-SHA1 de974c697f0401d681e1bb3c8694a663e9e43d8f", "\"Windows SMB Information Disclosure Vulnerability.\" - https://otx.alienvault.com/indicator/cve/CVE-2017-0147", "This God smacked penguin ordered a settlement hearing with less than 24 hours notice for claimant.", "IDS Detections : AlphaCrypt CnC Beacon 3 MalDoc Request for Payload Aug 17 2016 Koobface W32/Bayrob Attempted Checkin", "CnC IP's: 192.187.111.221 63.141.242.43 63.141.242.44 63.141.242.46 81.17.18.195 81.17.18.197 81.17.29.146 81.17.29.148", "https://otx.alienvault.com/indicator/url/https://www.anyxxxtube.net/search-porn/tsara-brashears/ [phishing]", "Ransom:Win32/Haperlock.A; FileHash-SHA256 8264c73f129d4895573c2375ea4e4636b9d5df66852ce72ccc20d31a96ae7df1", "TrojanClicker:Win32/Ellell.A: FileHash-SHA256 7456108771e6a8bac658276c1cb9e18c8c348fdd9cd3538419751c3b5ef3ac02", "TrojanSpy:Win32/Nivdort.CW: FileHash-SHA256\t251150379b9a0ff230899777f0952d3833a88c1a2d6a0101ea13bdd91a9550fe", "Mercenary Attackers / Cellebrite branded as: http://teacellertea.com/Pegasus/ NSO", "IDS Detections : W32/Bayrob Attempted Checkin 2 CryptoWall Check-in AlphaCrypt CnC Beacon 4 Trojan-Ransom.Win32.Blocker.avsx", "https://otx.alienvault.com/indicator/ip/185.230.63.186", "TrojanSpy:Win32/Nivdort.CW: FileHash-SHA256 aa289c89f2cdbfe896f4c77c611d94aa95858797014b57e24d5fe2bb0997d7b0", "PWS:Win32/Ymacco.AA50: FileHash-SHA256 105834163b1a0c89e12917a3145e14be6030a611e07f7f62fa7c57de838d6251", "On same block with HalkRender. Has close working relationship. All Palantir legal enities", "TrojanClicker:Win32/Ellell.A: 4d3e7d486ec5918d91e54e51c4d07dc6", "PWS:Win32/QQpass.B!MTB: FileHash-SHA1 fec703ee7c02ffe35c6b987bb9aac3a765e95dfb", "Trojan:Linux/Xorddos: FileHash-MD5 3b4ce1333614cd21c109054630e959b9", "IDS Detections : Suspicious Accept in HTTP POST - Possible Alphacrypt/TeslaCrypt Alphacrypt/TeslaCrypt Ransomware CnC Beacon", "TrojanClicker:Win32/Ellell.A: FileHash-SHA1 7a52b57df5b3c67f810a71dc39ff93688b141534", "Trojan:Win32/Zombie.A: FileHash-SHA256 0b87667251b79cb800ddd88bdabecea8e13248c426d4a14ae0aae0ef5783f943", "Ransom:Win32/Haperlock.A: FileHash-SHA1 c881d1434164b35fb16107a25f84995b7fdef37f", "He must be very scary like Peter Theil because every attorney took case then backed off.", "PWS:Win32/QQpass.B!MTB: FileHash-SHA256 71fa9257f88c15b438616662dc468327199edb570286c7259d333953006b8eec", "Backdoor:Win32/Fynloski.A: FileHash-SHA256 4e692806955f9ee3f4c7a5d9a1ac7729eb53b855b39e6f9f943f89ccba30bd49", "Yara Detections: is__elf , xorddos , LinuxXorDDoS_VariantTwo", "Alerts: cape_detected_threat cape_extracted_content", "smartphonesonline.co.uk https://smartphonesonline.co.uk/ https://www.smartphonesonline.co.uk/ [192.187.111.222. US - Request HTTP -Target IP]", "PWS:Win32/QQpass.B!MTB: FileHash-MD5 f7c36b4e5b4b09dc369163377aade2d7", "IDS Detections: W32/Bayrob Attempted Checkin 2 Terse HTTP 1.0 Request Possible Nivdort W32/Bayrob Attempted Checkin", "https://otx.alienvault.com/indicator/ip/63.141.242.45", "https://www.pornhub.com/gifs/search?search=tsara+lynn+brashears+lesbian", "https://urlscan.io/screenshots/e931bb02-80dc-46db-92f0-43d5afa258be.png", "Antivirus Detections: ELF:Xorddos-AE\\ [Trj] , Unix.Trojan.Xorddos-1 ,", "Stop! A woman was assaulted carved up, lived with a swollen brain , maltreatment , stalkers , hitmen?", "https://otx.alienvault.com/indicator/ip/162.222.213.199" ], "related": { "alienvault": { "adversary": [], "malware_families": [], "industries": [] }, "other": { "adversary": [], "malware_families": [ "Pws:win32/qqpass.b!mtb", "Trojanclicker:win32/ellell.a", "Ransomware", "Pegasus for android - mob-s0032", "Trojan:win32/generic", "Trojan:linux/xorddos", "Trojan:win32/zombie.a", "Ransom:win32/tescrypt", "Win.malware.qshell-9875653-0", "Sakula rat", "Win.virus.teslacrypt3-2/custom", "Backdoor:win32/fynloski.a", "Ransom:win32/haperlock.a", "Bayrob", "Trojanspy:win32/nivdort.cw", "Expiro", "Win.malware.unsafe", "Trojan:win32/qshell", "Juko", "Other", "Pws:win32/ymacco.aa50", "Pegasus for ios - s0289" ], "industries": [ "Technology", "Telecommunications", "Legal", "Government", "Healthcare" ] } } }, "false_positive": [] }, "geo": {}, "geo_ipapicom": {}, "pulse_count": 6, "pulses": [ { "id": "6905d40f781d7d58d4021a20", "name": "Treece Alfrey Musat P.C., Chris P. Ahmann Colorado State \u2022 Tam Legal Special Cousel for egregious acts by PT.", "description": "- with a primary focus on criminal defense. In both positions, he successfully defended his clients against claims running the gamut of the criminal justice system, from DUI\nand misdemeanors to felony indictments. In his criminal practice, Mr. Ahmann defends clients charged with both misdemeanor and felony cases. Mr. Ahmann continues his criminal practice as he believes that his clients deserve someone on their side to assure their voice is heard in the criminal process as well. He is dedicated to each of his clients and is always\nstriving for the best possible outcome in their individual cases. Mr. Ahmann also specializes in defense of employers in workers' compensation claims. He also assists TAM clients whose liability defense touches criminal prosecution, regularly providing effective criminal counsel in catastrophic injury common carrier matters, as well as criminal prosecution stemming from\nemployment and official acts.", "modified": "2025-12-20T06:00:23.758000", "created": "2025-11-01T09:34:07.323000", "tags": [ "public tlp", "trojandropper", "other", "references add", "show", "provide", "remote", "t1457", "media content", "t1480", "subvert trust", "controls t1562", "modify tools", "command history", "ck t1027", "t1057", "discovery t1069", "t1071", "protocol t1105", "tool transfer", "t1113", "logging t1568", "t1574", "execution flow", "dll sideloading", "t1583", "ta0003", "ck id", "america", "att", "t1045", "capture t1140", "ipv4", "active related", "contact", "adversary", "tam legal", "qshell", "colorado state", "ahmann special", "counsel", "download", "ahmann", "university", "history", "john marshall", "law school", "special counsel", "christopher ahmann", "defense", "url http", "create new", "pulse provide", "white", "adversary tags", "add tag", "groups add", "countries add", "country malware", "trojan", "script urls", "treece alfrey", "meta", "function", "for privacy", "germany unknown", "united", "script", "ip address", "creation date", "date", "tracker", "null", "window", "general full", "reverse dns", "server", "philadelphia", "asn8560", "ionosas", "ionos", "fasthosts", "media", "telecom", "apache", "main", "gtagtracker", "gatracker", "brian sabey", "hall render", "fastly error", "palantir", "special counsel", "gravity rat" ], "references": [ "Treece Alfrey Musat P.C. Attorneys at Law Christopher P. Ahmann | https://TamLegal.com", "https://urlscan.io/screenshots/e931bb02-80dc-46db-92f0-43d5afa258be.png", "https://www.pornhub.com/gifs/search?search=tsara+lynn+brashears+lesbian", "https://www.anyxxxtube.net/search-porn/tsara-brashears/", "http://45.159.189.105/bot/regex \u2022\u2019 Fake Pinterest \u2022https://pin.it/", "https://twitter.com/PORNO_SEXYBABES \u2022 girlsdoporn.com", "Tsara never knew defense attorney fought & closed her worker\u2019s compensation claim", "Traceback- Man with signal jammer/ deauther working around her today.", "Absolutely zero regard for the victims who facilitate your luxury lifestyle.", "Do you slap luxury cologne on your undeserving face paid for by money workers suffered for?", "You\u2019d kill to have someone else\u2019s lifestyle? May God take you out!", "This God smacked penguin ordered a settlement hearing with less than 24 hours notice for claimant.", "He began a smear campaign immediately and is directly linked to Hall Render and Palantir", "Doing any evil thing for mone does not compute for me.", "I\u2019ve looked through the settlement docs, injuries caused by Jeffrey Scott Reiner DPT omitted.", "He must be very scary like Peter Theil because every attorney took case then backed off.", "Patiently waiting to see what God is going to do to all of you. You take lives for $", "Stop! A woman was assaulted carved up, lived with a swollen brain , maltreatment , stalkers , hitmen?", "So you can order food at fine restaurants , go to the finest places and get the best seats? No. I am earnestly praying Jehovah Sabaoth takes your last breath from all of you with Yawehs mightiest angels leading the way with a changing of guard for every tattle you will lose", "On same block with HalkRender. Has close working relationship. All Palantir legal enities" ], "public": 1, "adversary": "", "targeted_countries": [], "malware_families": [ { "id": "Other", "display_name": "Other", "target": null }, { "id": "Win.Malware.Unsafe", "display_name": "Win.Malware.Unsafe", "target": null }, { "id": "Juko", "display_name": "Juko", "target": null }, { "id": "Expiro", "display_name": "Expiro", "target": null }, { "id": "Trojan:Win32/Generic", "display_name": "Trojan:Win32/Generic", "target": "/malware/Trojan:Win32/Generic" }, { "id": "Win.Malware.Qshell-9875653-0", "display_name": "Win.Malware.Qshell-9875653-0", "target": null }, { "id": "Trojan:Win32/Qshell", "display_name": "Trojan:Win32/Qshell", "target": "/malware/Trojan:Win32/Qshell" } ], "attack_ids": [ { "id": "T1027", "name": "Obfuscated Files or Information", "display_name": "T1027 - Obfuscated Files or Information" }, { "id": "T1045", "name": "Software Packing", "display_name": "T1045 - Software Packing" }, { "id": "T1057", "name": "Process Discovery", "display_name": "T1057 - Process Discovery" }, { "id": "T1069", "name": "Permission Groups Discovery", "display_name": "T1069 - Permission Groups Discovery" }, { "id": "T1071", "name": "Application Layer Protocol", "display_name": "T1071 - Application Layer Protocol" }, { "id": "T1105", "name": "Ingress Tool Transfer", "display_name": "T1105 - Ingress Tool Transfer" }, { "id": "T1113", "name": "Screen Capture", "display_name": "T1113 - Screen Capture" }, { "id": "T1140", "name": "Deobfuscate/Decode Files or Information", "display_name": "T1140 - Deobfuscate/Decode Files or Information" }, { "id": "T1197", "name": "BITS Jobs", "display_name": "T1197 - BITS Jobs" }, { "id": "T1210", "name": "Exploitation of Remote Services", "display_name": "T1210 - Exploitation of Remote Services" }, { "id": "T1457", "name": "Malicious Media Content", "display_name": "T1457 - Malicious Media Content" }, { "id": "T1480", "name": "Execution Guardrails", "display_name": "T1480 - Execution Guardrails" }, { "id": "T1553", "name": "Subvert Trust Controls", "display_name": "T1553 - Subvert Trust Controls" }, { "id": "T1562", "name": "Impair Defenses", "display_name": "T1562 - Impair Defenses" }, { "id": "T1568", "name": "Dynamic Resolution", "display_name": "T1568 - Dynamic Resolution" }, { "id": "T1574", "name": "Hijack Execution Flow", "display_name": "T1574 - Hijack Execution Flow" }, { "id": "T1583", "name": "Acquire Infrastructure", "display_name": "T1583 - Acquire Infrastructure" } ], "industries": [ "Legal", "Government", "Healthcare", "Technology", "Telecommunications" ], "TLP": "white", "cloned_from": null, "export_count": 6, "upvotes_count": 0, "downvotes_count": 0, "votes_count": 0, "locked": false, "pulse_source": "web", "validator_count": 0, "comment_count": 0, "follower_count": 0, "vote": 0, "author": { "username": "Q.Vashti", "id": "337942", "avatar_url": "https://otx.alienvault.com/assets/images/default-avatar.png", "is_subscribed": false, "is_following": false }, "indicator_type_counts": { "URL": 8332, "domain": 4819, "hostname": 2165, "FileHash-SHA256": 7369, "FileHash-MD5": 474, "FileHash-SHA1": 470, "CVE": 4, "email": 4 }, "indicator_count": 23637, "is_author": false, "is_subscribing": null, "subscriber_count": 139, "modified_text": "120 days ago ", "is_modified": true, "groups": [], "in_group": false, "threat_hunter_scannable": true, "threat_hunter_has_agents": 1, "related_indicator_type": "domain", "related_indicator_is_active": 1 }, { "id": "6906c12b1dd6a64ab1beaa55", "name": "SpyNoon \u2022Chris P. Ahmann Colorado State \u2022 Tam Legal Special Cousel for egregious", "description": "", "modified": "2025-12-01T09:02:26.881000", "created": "2025-11-02T02:25:47.431000", "tags": [ "public tlp", "trojandropper", "other", "references add", "show", "provide", "remote", "t1457", "media content", "t1480", "subvert trust", "controls t1562", "modify tools", "command history", "ck t1027", "t1057", "discovery t1069", "t1071", "protocol t1105", "tool transfer", "t1113", "logging t1568", "t1574", "execution flow", "dll sideloading", "t1583", "ta0003", "ck id", "america", "att", "t1045", "capture t1140", "ipv4", "active related", "contact", "adversary", "tam legal", "qshell", "colorado state", "ahmann special", "counsel", "download", "ahmann", "university", "history", "john marshall", "law school", "special counsel", "christopher ahmann", "defense", "url http", "create new", "pulse provide", "white", "adversary tags", "add tag", "groups add", "countries add", "country malware", "trojan", "script urls", "treece alfrey", "meta", "function", "for privacy", "germany unknown", "united", "script", "ip address", "creation date", "date", "tracker", "null", "window", "general full", "reverse dns", "server", "philadelphia", "asn8560", "ionosas", "ionos", "fasthosts", "media", "telecom", "apache", "main", "gtagtracker", "gatracker", "brian sabey", "hall render", "fastly error", "palantir", "special counsel", "gravity rat" ], "references": [ "Treece Alfrey Musat P.C. Attorneys at Law Christopher P. Ahmann | https://TamLegal.com", "https://urlscan.io/screenshots/e931bb02-80dc-46db-92f0-43d5afa258be.png", "https://www.pornhub.com/gifs/search?search=tsara+lynn+brashears+lesbian", "https://www.anyxxxtube.net/search-porn/tsara-brashears/", "http://45.159.189.105/bot/regex \u2022\u2019 Fake Pinterest \u2022https://pin.it/", "https://twitter.com/PORNO_SEXYBABES \u2022 girlsdoporn.com", "Tsara never knew defense attorney fought & closed her worker\u2019s compensation claim", "Traceback- Man with signal jammer/ deauther working around her today.", "Absolutely zero regard for the victims who facilitate your luxury lifestyle.", "Do you slap luxury cologne on your undeserving face paid for by money workers suffered for?", "You\u2019d kill to have someone else\u2019s lifestyle? May God take you out!", "This God smacked penguin ordered a settlement hearing with less than 24 hours notice for claimant.", "He began a smear campaign immediately and is directly linked to Hall Render and Palantir", "Doing any evil thing for mone does not compute for me.", "I\u2019ve looked through the settlement docs, injuries caused by Jeffrey Scott Reiner DPT omitted.", "He must be very scary like Peter Theil because every attorney took case then backed off.", "Patiently waiting to see what God is going to do to all of you. You take lives for $", "Stop! A woman was assaulted carved up, lived with a swollen brain , maltreatment , stalkers , hitmen?", "So you can order food at fine restaurants , go to the finest places and get the best seats? No. I am earnestly praying Jehovah Sabaoth takes your last breath from all of you with Yawehs mightiest angels leading the way with a changing of guard for every tattle you will lose", "On same block with HalkRender. Has close working relationship. All Palantir legal enities" ], "public": 1, "adversary": "", "targeted_countries": [], "malware_families": [ { "id": "Other", "display_name": "Other", "target": null }, { "id": "Win.Malware.Unsafe", "display_name": "Win.Malware.Unsafe", "target": null }, { "id": "Juko", "display_name": "Juko", "target": null }, { "id": "Expiro", "display_name": "Expiro", "target": null }, { "id": "Trojan:Win32/Generic", "display_name": "Trojan:Win32/Generic", "target": "/malware/Trojan:Win32/Generic" }, { "id": "Win.Malware.Qshell-9875653-0", "display_name": "Win.Malware.Qshell-9875653-0", "target": null }, { "id": "Trojan:Win32/Qshell", "display_name": "Trojan:Win32/Qshell", "target": "/malware/Trojan:Win32/Qshell" } ], "attack_ids": [ { "id": "T1027", "name": "Obfuscated Files or Information", "display_name": "T1027 - Obfuscated Files or Information" }, { "id": "T1045", "name": "Software Packing", "display_name": "T1045 - Software Packing" }, { "id": "T1057", "name": "Process Discovery", "display_name": "T1057 - Process Discovery" }, { "id": "T1069", "name": "Permission Groups Discovery", "display_name": "T1069 - Permission Groups Discovery" }, { "id": "T1071", "name": "Application Layer Protocol", "display_name": "T1071 - Application Layer Protocol" }, { "id": "T1105", "name": "Ingress Tool Transfer", "display_name": "T1105 - Ingress Tool Transfer" }, { "id": "T1113", "name": "Screen Capture", "display_name": "T1113 - Screen Capture" }, { "id": "T1140", "name": "Deobfuscate/Decode Files or Information", "display_name": "T1140 - Deobfuscate/Decode Files or Information" }, { "id": "T1197", "name": "BITS Jobs", "display_name": "T1197 - BITS Jobs" }, { "id": "T1210", "name": "Exploitation of Remote Services", "display_name": "T1210 - Exploitation of Remote Services" }, { "id": "T1457", "name": "Malicious Media Content", "display_name": "T1457 - Malicious Media Content" }, { "id": "T1480", "name": "Execution Guardrails", "display_name": "T1480 - Execution Guardrails" }, { "id": "T1553", "name": "Subvert Trust Controls", "display_name": "T1553 - Subvert Trust Controls" }, { "id": "T1562", "name": "Impair Defenses", "display_name": "T1562 - Impair Defenses" }, { "id": "T1568", "name": "Dynamic Resolution", "display_name": "T1568 - Dynamic Resolution" }, { "id": "T1574", "name": "Hijack Execution Flow", "display_name": "T1574 - Hijack Execution Flow" }, { "id": "T1583", "name": "Acquire Infrastructure", "display_name": "T1583 - Acquire Infrastructure" } ], "industries": [ "Legal", "Government", "Healthcare", "Technology", "Telecommunications" ], "TLP": "white", "cloned_from": "6905d40f781d7d58d4021a20", "export_count": 11, "upvotes_count": 0, "downvotes_count": 0, "votes_count": 0, "locked": false, "pulse_source": "web", "validator_count": 0, "comment_count": 0, "follower_count": 0, "vote": 0, "author": { "username": "Q.Vashti", "id": "337942", "avatar_url": "https://otx.alienvault.com/assets/images/default-avatar.png", "is_subscribed": false, "is_following": false }, "indicator_type_counts": { "URL": 7556, "domain": 4779, "hostname": 2053, "FileHash-SHA256": 7233, "FileHash-MD5": 474, "FileHash-SHA1": 470, "CVE": 4, "email": 4 }, "indicator_count": 22573, "is_author": false, "is_subscribing": null, "subscriber_count": 138, "modified_text": "139 days ago ", "is_modified": true, "groups": [], "in_group": false, "threat_hunter_scannable": true, "threat_hunter_has_agents": 1, "related_indicator_type": "domain", "related_indicator_is_active": 1 }, { "id": "69137ee5d76d486d65396af0", "name": "Chris P. Ahmann Colorado State \u2022 Tam Legal Special Cousel for egregious acts committed by Jeffrey S. Reimer DPT \u2022 Treece Alfrey Musat P.C., ", "description": "", "modified": "2025-12-01T09:02:26.881000", "created": "2025-11-11T18:22:29.976000", "tags": [ "public tlp", "trojandropper", "other", "references add", "show", "provide", "remote", "t1457", "media content", "t1480", "subvert trust", "controls t1562", "modify tools", "command history", "ck t1027", "t1057", "discovery t1069", "t1071", "protocol t1105", "tool transfer", "t1113", "logging t1568", "t1574", "execution flow", "dll sideloading", "t1583", "ta0003", "ck id", "america", "att", "t1045", "capture t1140", "ipv4", "active related", "contact", "adversary", "tam legal", "qshell", "colorado state", "ahmann special", "counsel", "download", "ahmann", "university", "history", "john marshall", "law school", "special counsel", "christopher ahmann", "defense", "url http", "create new", "pulse provide", "white", "adversary tags", "add tag", "groups add", "countries add", "country malware", "trojan", "script urls", "treece alfrey", "meta", "function", "for privacy", "germany unknown", "united", "script", "ip address", "creation date", "date", "tracker", "null", "window", "general full", "reverse dns", "server", "philadelphia", "asn8560", "ionosas", "ionos", "fasthosts", "media", "telecom", "apache", "main", "gtagtracker", "gatracker", "brian sabey", "hall render", "fastly error", "palantir", "special counsel", "gravity rat" ], "references": [ "Treece Alfrey Musat P.C. Attorneys at Law Christopher P. Ahmann | https://TamLegal.com", "https://urlscan.io/screenshots/e931bb02-80dc-46db-92f0-43d5afa258be.png", "https://www.pornhub.com/gifs/search?search=tsara+lynn+brashears+lesbian", "https://www.anyxxxtube.net/search-porn/tsara-brashears/", "http://45.159.189.105/bot/regex \u2022\u2019 Fake Pinterest \u2022https://pin.it/", "https://twitter.com/PORNO_SEXYBABES \u2022 girlsdoporn.com", "Tsara never knew defense attorney fought & closed her worker\u2019s compensation claim", "Traceback- Man with signal jammer/ deauther working around her today.", "Absolutely zero regard for the victims who facilitate your luxury lifestyle.", "Do you slap luxury cologne on your undeserving face paid for by money workers suffered for?", "You\u2019d kill to have someone else\u2019s lifestyle? May God take you out!", "This God smacked penguin ordered a settlement hearing with less than 24 hours notice for claimant.", "He began a smear campaign immediately and is directly linked to Hall Render and Palantir", "Doing any evil thing for mone does not compute for me.", "I\u2019ve looked through the settlement docs, injuries caused by Jeffrey Scott Reiner DPT omitted.", "He must be very scary like Peter Theil because every attorney took case then backed off.", "Patiently waiting to see what God is going to do to all of you. You take lives for $", "Stop! A woman was assaulted carved up, lived with a swollen brain , maltreatment , stalkers , hitmen?", "So you can order food at fine restaurants , go to the finest places and get the best seats? No. I am earnestly praying Jehovah Sabaoth takes your last breath from all of you with Yawehs mightiest angels leading the way with a changing of guard for every tattle you will lose", "On same block with HalkRender. Has close working relationship. All Palantir legal enities" ], "public": 1, "adversary": "", "targeted_countries": [], "malware_families": [ { "id": "Other", "display_name": "Other", "target": null }, { "id": "Win.Malware.Unsafe", "display_name": "Win.Malware.Unsafe", "target": null }, { "id": "Juko", "display_name": "Juko", "target": null }, { "id": "Expiro", "display_name": "Expiro", "target": null }, { "id": "Trojan:Win32/Generic", "display_name": "Trojan:Win32/Generic", "target": "/malware/Trojan:Win32/Generic" }, { "id": "Win.Malware.Qshell-9875653-0", "display_name": "Win.Malware.Qshell-9875653-0", "target": null }, { "id": "Trojan:Win32/Qshell", "display_name": "Trojan:Win32/Qshell", "target": "/malware/Trojan:Win32/Qshell" } ], "attack_ids": [ { "id": "T1027", "name": "Obfuscated Files or Information", "display_name": "T1027 - Obfuscated Files or Information" }, { "id": "T1045", "name": "Software Packing", "display_name": "T1045 - Software Packing" }, { "id": "T1057", "name": "Process Discovery", "display_name": "T1057 - Process Discovery" }, { "id": "T1069", "name": "Permission Groups Discovery", "display_name": "T1069 - Permission Groups Discovery" }, { "id": "T1071", "name": "Application Layer Protocol", "display_name": "T1071 - Application Layer Protocol" }, { "id": "T1105", "name": "Ingress Tool Transfer", "display_name": "T1105 - Ingress Tool Transfer" }, { "id": "T1113", "name": "Screen Capture", "display_name": "T1113 - Screen Capture" }, { "id": "T1140", "name": "Deobfuscate/Decode Files or Information", "display_name": "T1140 - Deobfuscate/Decode Files or Information" }, { "id": "T1197", "name": "BITS Jobs", "display_name": "T1197 - BITS Jobs" }, { "id": "T1210", "name": "Exploitation of Remote Services", "display_name": "T1210 - Exploitation of Remote Services" }, { "id": "T1457", "name": "Malicious Media Content", "display_name": "T1457 - Malicious Media Content" }, { "id": "T1480", "name": "Execution Guardrails", "display_name": "T1480 - Execution Guardrails" }, { "id": "T1553", "name": "Subvert Trust Controls", "display_name": "T1553 - Subvert Trust Controls" }, { "id": "T1562", "name": "Impair Defenses", "display_name": "T1562 - Impair Defenses" }, { "id": "T1568", "name": "Dynamic Resolution", "display_name": "T1568 - Dynamic Resolution" }, { "id": "T1574", "name": "Hijack Execution Flow", "display_name": "T1574 - Hijack Execution Flow" }, { "id": "T1583", "name": "Acquire Infrastructure", "display_name": "T1583 - Acquire Infrastructure" } ], "industries": [ "Legal", "Government", "Healthcare", "Technology", "Telecommunications" ], "TLP": "white", "cloned_from": "6905d40f781d7d58d4021a20", "export_count": 3, "upvotes_count": 0, "downvotes_count": 0, "votes_count": 0, "locked": false, "pulse_source": "web", "validator_count": 0, "comment_count": 0, "follower_count": 0, "vote": 0, "author": { "username": "Q.Vashti", "id": "337942", "avatar_url": "https://otx.alienvault.com/assets/images/default-avatar.png", "is_subscribed": false, "is_following": false }, "indicator_type_counts": { "URL": 7556, "domain": 4779, "hostname": 2053, "FileHash-SHA256": 7233, "FileHash-MD5": 474, "FileHash-SHA1": 470, "CVE": 4, "email": 4 }, "indicator_count": 22573, "is_author": false, "is_subscribing": null, "subscriber_count": 140, "modified_text": "139 days ago ", "is_modified": true, "groups": [], "in_group": false, "threat_hunter_scannable": true, "threat_hunter_has_agents": 1, "related_indicator_type": "domain", "related_indicator_is_active": 1 }, { "id": "686adf91f725a8b7f9850192", "name": "Dystopian Life & Death of an American Crime Victim | Boldy predicted how she will die", "description": "Palantir - a data analytics company, known as a military intelligence tool. co-founded by billionaire investor , Trump supporter and Republican mega donor Musk aligned; Peter Thiel, as per New York. \n\nFounded in 2003, known for its data analytics platforms - Palantir Gotham & Palantir Foundry are used by government & private sectors for various applications, including defense & healthcare. The company faces criticism for its role in government surveillance & data privacy concerns.\nPalantir can be linked to malicious, malware packed , compromised malvertisements about victim allegedly SA\u2019d by her physical therapist Jeffrey Scott Reimer DPT. Apparently target was paid a small settlement via lengthy phone battle by a man representing himself as Brian Sabey ,Esq of Hall Render. \n Palantir, admittedly designs cyber weapon that \u2018kills people\u2019. Are governments abusing to terrorize, silence & even harm/kill American citizens. Is this an elaborate hoax?\nTeam 8 \n#rip #plantantir #Hosanna #dystopian #targeted", "modified": "2025-08-05T15:03:36.451000", "created": "2025-07-06T20:41:53.748000", "tags": [ "url https", "type indicator", "role title", "added active", "related pulses", "url http", "showing", "entries", "indicator role", "title added", "active related", "pulses url", "ipv4", "filehashmd5", "filehashsha1", "filehashsha256", "indicators show", "search", "reputation", "et att", "ck id", "t1060", "run keys", "startup", "folder", "scan", "iocs", "learn more", "hostname", "types of", "pagehrsappjbpst", "actionu", "focusapplicant", "siteid1", "postingseq1", "t1036", "t1043", "port", "t1085", "rundll32", "t1114", "t1179", "fbi flash", "cu000163mw", "compromise", "found", "uunet", "code", "reverse domain", "lookup", "ragnar", "locker", "ragnar locker", "cidr", "pulses", "types", "windows", "linux", "united", "trojandropper", "mtb jun", "trojan", "win32upatre aug", "mtb may", "gmt server", "ecacc", "files", "suspicious", "body", "data upload", "extraction", "cve cve20170147", "cve cve20178570", "cve cve20178977", "url feb", "pulses hostname", "a1sticas", "next associated", "present mar", "present jun", "present may", "france", "date", "ip address", "present apr", "virtool", "name servers", "value emails", "name john", "shipton", "dynadot privacy", "po box", "city san", "mateo country", "us creation", "news videos", "maps assist", "search settings", "safe search", "date more", "images bae", "systems defense", "bae systems", "london", "britain", "akamai rank", "script urls", "status", "a domains", "accept encoding", "unknown ns", "meta", "encrypt", "https", "report spam", "created", "year ago", "modified", "octoseek public", "cyber attack", "pegasus", "westlaw", "hallrender", "front", "sabey", "enter s", "include review", "exclude sugges", "failed", "sc type", "extr included", "manually add", "puls", "excludedocs", "sugges data", "phishing", "apple pegasus", "detections", "references", "stranger things", "http", "yara", "upx alerts", "fort collins", "help4u", "communications", "orgtechhandle", "domain", "no entries", "cchk asnas26658", "vj92", "search filter", "time sabey", "x show", "indicator type", "email", "filehashimphash", "filehashpehash", "backdoor", "ransom", "checkin", "alphacrypt cnc", "beacon", "jeffrey scott", "terse http", "possible", "accept", "xorddos", "ck ids", "t1512", "camera", "t1071", "protocol", "ta0001", "access", "ta0002", "ta0003", "ta0004", "cookie", "show", "ally", "melika", "part1", "trojanclicker", "bayrob", "android", "ransomware", "sakula rat", "t1125", "video capture", "t1566", "t1068", "t1190", "application", "t1472", "t1457", "media content", "social media", "doppelgnging", "t1080", "shared content", "t1449", "exploit ss7", "phone callssms", "enter sc", "type", "no expiration", "expiration", "months ago", "expiration http", "reimer dpt", "r role", "sa victim", "daisy coleman", "source", "weeks ago", "tbmvid", "sourcelnms", "zx1724209326040", "ahtrnaah typ", "url url", "url domain", "pulse sthow", "ah types", "ind indicator", "data uptoad", "extrachttp", "dulce sphown", "aho data", "typ url", "url dom", "hos hostname", "hos host", "dom dom" ], "references": [], "public": 1, "adversary": "", "targeted_countries": [], "malware_families": [], "attack_ids": [ { "id": "T1060", "name": "Registry Run Keys / Startup Folder", "display_name": "T1060 - Registry Run Keys / Startup Folder" }, { "id": "T1036", "name": "Masquerading", "display_name": "T1036 - Masquerading" }, { "id": "T1043", "name": "Commonly Used Port", "display_name": "T1043 - Commonly Used Port" }, { "id": "T1085", "name": "Rundll32", "display_name": "T1085 - Rundll32" }, { "id": "T1114", "name": "Email Collection", "display_name": "T1114 - Email Collection" }, { "id": "T1179", "name": "Hooking", "display_name": "T1179 - Hooking" }, { "id": "T1053", "name": "Scheduled Task/Job", "display_name": "T1053 - Scheduled Task/Job" }, { "id": "T1055", "name": "Process Injection", "display_name": "T1055 - Process Injection" }, { "id": "T1082", "name": "System Information Discovery", "display_name": "T1082 - System Information Discovery" }, { "id": "T1119", "name": "Automated Collection", "display_name": "T1119 - Automated Collection" }, { "id": "T1129", "name": "Shared Modules", "display_name": "T1129 - Shared Modules" }, { "id": "T1143", "name": "Hidden Window", "display_name": "T1143 - Hidden Window" }, { "id": "T1051", "name": "Shared Webroot", "display_name": "T1051 - Shared Webroot" }, { "id": "T1056", "name": "Input Capture", "display_name": "T1056 - Input Capture" }, { "id": "T1071", "name": "Application Layer Protocol", "display_name": "T1071 - Application Layer Protocol" }, { "id": "T1105", "name": "Ingress Tool Transfer", "display_name": "T1105 - Ingress Tool Transfer" }, { "id": "T1123", "name": "Audio Capture", "display_name": "T1123 - Audio Capture" }, { "id": "T1155", "name": "AppleScript", "display_name": "T1155 - AppleScript" }, { "id": "T1210", "name": "Exploitation of Remote Services", "display_name": "T1210 - Exploitation of Remote Services" }, { "id": "T1506", "name": "Web Session Cookie", "display_name": "T1506 - Web Session Cookie" }, { "id": "T1512", "name": "Capture Camera", "display_name": "T1512 - Capture Camera" }, { "id": "T1566", "name": "Phishing", "display_name": "T1566 - Phishing" }, { "id": "T1583", "name": "Acquire Infrastructure", "display_name": "T1583 - Acquire Infrastructure" }, { "id": "T1598", "name": "Phishing for Information", "display_name": "T1598 - Phishing for Information" }, { "id": "T1068", "name": "Exploitation for Privilege Escalation", "display_name": "T1068 - Exploitation for Privilege Escalation" }, { "id": "T1080", "name": "Taint Shared Content", "display_name": "T1080 - Taint Shared Content" }, { "id": "T1125", "name": "Video Capture", "display_name": "T1125 - Video Capture" }, { "id": "T1190", "name": "Exploit Public-Facing Application", "display_name": "T1190 - Exploit Public-Facing Application" }, { "id": "T1449", "name": "Exploit SS7 to Redirect Phone Calls/SMS", "display_name": "T1449 - Exploit SS7 to Redirect Phone Calls/SMS" }, { "id": "T1457", "name": "Malicious Media Content", "display_name": "T1457 - Malicious Media Content" }, { "id": "T1472", "name": "Generate Fraudulent Advertising Revenue", "display_name": "T1472 - Generate Fraudulent Advertising Revenue" }, { "id": "T1586", "name": "Compromise Accounts", "display_name": "T1586 - Compromise Accounts" }, { "id": "T1140", "name": "Deobfuscate/Decode Files or Information", "display_name": "T1140 - Deobfuscate/Decode Files or Information" } ], "industries": [], "TLP": "green", "cloned_from": null, "export_count": 31, "upvotes_count": 0, "downvotes_count": 0, "votes_count": 0, "locked": false, "pulse_source": "web", "validator_count": 0, "comment_count": 0, "follower_count": 0, "vote": 0, "author": { "username": "Q.Vashti", "id": "337942", "avatar_url": "https://otx.alienvault.com/assets/images/default-avatar.png", "is_subscribed": false, "is_following": false }, "indicator_type_counts": { "URL": 8149, "domain": 1067, "hostname": 2103, "FileHash-SHA256": 1617, "URI": 1, "FilePath": 1, "FileHash-MD5": 412, "FileHash-SHA1": 368, "CIDR": 4, "CVE": 6, "email": 10 }, "indicator_count": 13738, "is_author": false, "is_subscribing": null, "subscriber_count": 137, "modified_text": "257 days ago ", "is_modified": true, "groups": [], "in_group": false, "threat_hunter_scannable": true, "threat_hunter_has_agents": 1, "related_indicator_type": "domain", "related_indicator_is_active": 1 }, { "id": "686c676bcc053e0fc51f01b2", "name": "ALL T8 research led to Firm_IP\u2019s = BoFa , WikiLeaks, United Healthcare, HCA, T-Mobile, Dish , AT&T, Apple,+ Breaches despite other speculations with 0 relations", "description": "", "modified": "2025-08-05T15:03:36.451000", "created": "2025-07-08T00:33:47.021000", "tags": [ "url https", "type indicator", "role title", "added active", "related pulses", "url http", "showing", "entries", "indicator role", "title added", "active related", "pulses url", "ipv4", "filehashmd5", "filehashsha1", "filehashsha256", "indicators show", "search", "reputation", "et att", "ck id", "t1060", "run keys", "startup", "folder", "scan", "iocs", "learn more", "hostname", "types of", "pagehrsappjbpst", "actionu", "focusapplicant", "siteid1", "postingseq1", "t1036", "t1043", "port", "t1085", "rundll32", "t1114", "t1179", "fbi flash", "cu000163mw", "compromise", "found", "uunet", "code", "reverse domain", "lookup", "ragnar", "locker", "ragnar locker", "cidr", "pulses", "types", "windows", "linux", "united", "trojandropper", "mtb jun", "trojan", "win32upatre aug", "mtb may", "gmt server", "ecacc", "files", "suspicious", "body", "data upload", "extraction", "cve cve20170147", "cve cve20178570", "cve cve20178977", "url feb", "pulses hostname", "a1sticas", "next associated", "present mar", "present jun", "present may", "france", "date", "ip address", "present apr", "virtool", "name servers", "value emails", "name john", "shipton", "dynadot privacy", "po box", "city san", "mateo country", "us creation", "news videos", "maps assist", "search settings", "safe search", "date more", "images bae", "systems defense", "bae systems", "london", "britain", "akamai rank", "script urls", "status", "a domains", "accept encoding", "unknown ns", "meta", "encrypt", "https", "report spam", "created", "year ago", "modified", "octoseek public", "cyber attack", "pegasus", "westlaw", "hallrender", "front", "sabey", "enter s", "include review", "exclude sugges", "failed", "sc type", "extr included", "manually add", "puls", "excludedocs", "sugges data", "phishing", "apple pegasus", "detections", "references", "stranger things", "http", "yara", "upx alerts", "fort collins", "help4u", "communications", "orgtechhandle", "domain", "no entries", "cchk asnas26658", "vj92", "search filter", "time sabey", "x show", "indicator type", "email", "filehashimphash", "filehashpehash", "backdoor", "ransom", "checkin", "alphacrypt cnc", "beacon", "jeffrey scott", "terse http", "possible", "accept", "xorddos", "ck ids", "t1512", "camera", "t1071", "protocol", "ta0001", "access", "ta0002", "ta0003", "ta0004", "cookie", "show", "ally", "melika", "part1", "trojanclicker", "bayrob", "android", "ransomware", "sakula rat", "t1125", "video capture", "t1566", "t1068", "t1190", "application", "t1472", "t1457", "media content", "social media", "doppelgnging", "t1080", "shared content", "t1449", "exploit ss7", "phone callssms", "enter sc", "type", "no expiration", "expiration", "months ago", "expiration http", "reimer dpt", "r role", "sa victim", "daisy coleman", "source", "weeks ago", "tbmvid", "sourcelnms", "zx1724209326040", "ahtrnaah typ", "url url", "url domain", "pulse sthow", "ah types", "ind indicator", "data uptoad", "extrachttp", "dulce sphown", "aho data", "typ url", "url dom", "hos hostname", "hos host", "dom dom" ], "references": [], "public": 1, "adversary": "", "targeted_countries": [], "malware_families": [], "attack_ids": [ { "id": "T1060", "name": "Registry Run Keys / Startup Folder", "display_name": "T1060 - Registry Run Keys / Startup Folder" }, { "id": "T1036", "name": "Masquerading", "display_name": "T1036 - Masquerading" }, { "id": "T1043", "name": "Commonly Used Port", "display_name": "T1043 - Commonly Used Port" }, { "id": "T1085", "name": "Rundll32", "display_name": "T1085 - Rundll32" }, { "id": "T1114", "name": "Email Collection", "display_name": "T1114 - Email Collection" }, { "id": "T1179", "name": "Hooking", "display_name": "T1179 - Hooking" }, { "id": "T1053", "name": "Scheduled Task/Job", "display_name": "T1053 - Scheduled Task/Job" }, { "id": "T1055", "name": "Process Injection", "display_name": "T1055 - Process Injection" }, { "id": "T1082", "name": "System Information Discovery", "display_name": "T1082 - System Information Discovery" }, { "id": "T1119", "name": "Automated Collection", "display_name": "T1119 - Automated Collection" }, { "id": "T1129", "name": "Shared Modules", "display_name": "T1129 - Shared Modules" }, { "id": "T1143", "name": "Hidden Window", "display_name": "T1143 - Hidden Window" }, { "id": "T1051", "name": "Shared Webroot", "display_name": "T1051 - Shared Webroot" }, { "id": "T1056", "name": "Input Capture", "display_name": "T1056 - Input Capture" }, { "id": "T1071", "name": "Application Layer Protocol", "display_name": "T1071 - Application Layer Protocol" }, { "id": "T1105", "name": "Ingress Tool Transfer", "display_name": "T1105 - Ingress Tool Transfer" }, { "id": "T1123", "name": "Audio Capture", "display_name": "T1123 - Audio Capture" }, { "id": "T1155", "name": "AppleScript", "display_name": "T1155 - AppleScript" }, { "id": "T1210", "name": "Exploitation of Remote Services", "display_name": "T1210 - Exploitation of Remote Services" }, { "id": "T1506", "name": "Web Session Cookie", "display_name": "T1506 - Web Session Cookie" }, { "id": "T1512", "name": "Capture Camera", "display_name": "T1512 - Capture Camera" }, { "id": "T1566", "name": "Phishing", "display_name": "T1566 - Phishing" }, { "id": "T1583", "name": "Acquire Infrastructure", "display_name": "T1583 - Acquire Infrastructure" }, { "id": "T1598", "name": "Phishing for Information", "display_name": "T1598 - Phishing for Information" }, { "id": "T1068", "name": "Exploitation for Privilege Escalation", "display_name": "T1068 - Exploitation for Privilege Escalation" }, { "id": "T1080", "name": "Taint Shared Content", "display_name": "T1080 - Taint Shared Content" }, { "id": "T1125", "name": "Video Capture", "display_name": "T1125 - Video Capture" }, { "id": "T1190", "name": "Exploit Public-Facing Application", "display_name": "T1190 - Exploit Public-Facing Application" }, { "id": "T1449", "name": "Exploit SS7 to Redirect Phone Calls/SMS", "display_name": "T1449 - Exploit SS7 to Redirect Phone Calls/SMS" }, { "id": "T1457", "name": "Malicious Media Content", "display_name": "T1457 - Malicious Media Content" }, { "id": "T1472", "name": "Generate Fraudulent Advertising Revenue", "display_name": "T1472 - Generate Fraudulent Advertising Revenue" }, { "id": "T1586", "name": "Compromise Accounts", "display_name": "T1586 - Compromise Accounts" }, { "id": "T1140", "name": "Deobfuscate/Decode Files or Information", "display_name": "T1140 - Deobfuscate/Decode Files or Information" } ], "industries": [], "TLP": "green", "cloned_from": "686adf91f725a8b7f9850192", "export_count": 56, "upvotes_count": 0, "downvotes_count": 0, "votes_count": 0, "locked": false, "pulse_source": "web", "validator_count": 0, "comment_count": 0, "follower_count": 0, "vote": 0, "author": { "username": "Q.Vashti", "id": "337942", "avatar_url": "https://otx.alienvault.com/assets/images/default-avatar.png", "is_subscribed": false, "is_following": false }, "indicator_type_counts": { "URL": 8149, "domain": 1067, "hostname": 2103, "FileHash-SHA256": 1617, "URI": 1, "FilePath": 1, "FileHash-MD5": 412, "FileHash-SHA1": 368, "CIDR": 4, "CVE": 6, "email": 10 }, "indicator_count": 13738, "is_author": false, "is_subscribing": null, "subscriber_count": 138, "modified_text": "257 days ago ", "is_modified": true, "groups": [], "in_group": false, "threat_hunter_scannable": true, "threat_hunter_has_agents": 1, "related_indicator_type": "domain", "related_indicator_is_active": 1 }, { "id": "66804428b487338dc16f70a7", "name": "Brian Sabey Orbiting Tsara Brashears and associates | Espionage | Said client: Jeffrey Reimer", "description": "Brian Sabey & large team continue excessive orbiting target & family members in multiple states. \nUnwarranted, dangerous and illegal. \nLarge attacks have wreaked havoc on medical establishments, targets medical profile, once profitable business, legal manipulation, financial well being. forced poverty, swatting, imfostealer, insurance fraud, intellectual property use, Audi le spying, in person stalking, confrontations, great bodily harm, loss of peace, safety. basic human rights and privacy, phone call redirection, malvertising. In the name of assaulter Jeffrey Scott Reimer", "modified": "2024-11-05T10:00:12.606000", "created": "2024-06-29T17:28:08.283000", "tags": [ "unknown", "united", "virgin islands", "as51852", "as33387", "as19905", "as44273 host", "cname", "nxdomain", "passive dns", "url http", "search", "type indicator", "role title", "added active", "related pulses", "entries", "urls", "files ip", "address domain", "ip related", "pulses otx", "pulses", "related tags", "indicator facts", "dga domain", "http", "unique", "scan endpoints", "all scoreblue", "pulse pulses", "ip address", "related nids", "log id", "gmtn", "go daddy", "authority", "tls web", "arizona", "scottsdale", "ca issuers", "b59bn timestamp", "ff2c217402202b", "code", "false", "url https", "domain", "trojan", "hostname", "files", "body", "date", "path max", "age86400 set", "cookie", "script urls", "type", "mtb may", "script script", "trojanspy", "striven", "miles2", "rexxfield", "http response", "final url", "serving ip", "address", "status code", "body length", "b body", "sha256", "date sat", "gmt server", "sakula malware", "historical ssl", "realteck audio", "lemon duck", "iocs", "tsara brashears", "loki password", "stealer", "windows", "auction", "metro", "core", "colibri loader", "hacktool", "status", "for privacy", "creation date", "record value", "name servers", "showing", "next", "mtb mar", "ipv4", "ransom", "west domains", "redacted for", "gmt location", "gmt max", "cowboy", "encrypt", "as60558 phoenix", "susp", "win32", "methodpost", "canada unknown", "as43350 nforce", "united kingdom", "as47846", "germany unknown", "briansabey", "body doubles", "orbiters", "malvertising", "cane", "get na", "show", "as16509", "delete c", "sinkhole cookie", "value snkz", "cape", "possible", "copy", "nivdort", "write", "bayrob", "malware", "exploit", "confirm https", "impact", "misc http", "cvss v2", "authentication", "n cvss", "v3 severity", "high attack", "emails", "cnc", "alphacrypt cnc", "beacon", "as15169 google", "limited", "as8560", "elite", "AS33387 nocix llc", "pegasus", "mercenary", "cellerebrand", "cellebrite", "apple", "dark", "apple ios", "ios", "apple iphone", "apple itunes", "itunes", "pegasystem", "data brokers", "hackers", "javascript", "please", "intel", "filehash", "av detections", "xorddos" ], "references": [ "http://www.northpoleroute.com/78985064&type=0&resid=5312625", "espysite.azurewebsites.net - https://otx.alienvault.com/indicator/hostname/espysite.azurewebsites.net", "TrojanSpy:Win32/Nivdort.CW: FileHash-SHA256\t251150379b9a0ff230899777f0952d3833a88c1a2d6a0101ea13bdd91a9550fe", "TrojanSpy:Win32/Nivdort.CW: FileHash-SHA256 aa289c89f2cdbfe896f4c77c611d94aa95858797014b57e24d5fe2bb0997d7b0", "Ransom:Win32/Haperlock.A: FileHash-MD5 46480bf46cde2b3e79852661cc5c36fc", "Ransom:Win32/Haperlock.A: FileHash-SHA1 c881d1434164b35fb16107a25f84995b7fdef37f", "Ransom:Win32/Haperlock.A; FileHash-SHA256 8264c73f129d4895573c2375ea4e4636b9d5df66852ce72ccc20d31a96ae7df1", "IDS Detections: W32/Bayrob Attempted Checkin 2 Terse HTTP 1.0 Request Possible Nivdort W32/Bayrob Attempted Checkin", "IDS Detections: Possible Compromised Host AnubisNetworks Sinkhole Cookie Value Snkz", "Alerts: cape_detected_threat cape_extracted_content", "https://otx.alienvault.com/indicator/file/251150379b9a0ff230899777f0952d3833a88c1a2d6a0101ea13bdd91a9550fe", "https://otx.alienvault.com/indicator/url/https://www.anyxxxtube.net/search-porn/tsara-brashears/ [phishing]", "\"Windows SMB Information Disclosure Vulnerability.\" - https://otx.alienvault.com/indicator/cve/CVE-2017-0147", "Backdoor:Win32/Fynloski.A: FileHash-SHA256 4e692806955f9ee3f4c7a5d9a1ac7729eb53b855b39e6f9f943f89ccba30bd49", "Backdoor:Win32/Fynloski.A: FileHash-SHA 453355033bb7977831ca87cc90156b594f13b2ee", "Backdoor:Win32/Fynloski.A: FileHash-MD5 c3113684e8f8aa6d1b1b67d59141e845", "TrojanClicker:Win32/Ellell.A: FileHash-SHA256 7456108771e6a8bac658276c1cb9e18c8c348fdd9cd3538419751c3b5ef3ac02", "TrojanClicker:Win32/Ellell.A: FileHash-SHA1 7a52b57df5b3c67f810a71dc39ff93688b141534", "TrojanClicker:Win32/Ellell.A: 4d3e7d486ec5918d91e54e51c4d07dc6", "PWS:Win32/Ymacco.AA50: FileHash-SHA256 105834163b1a0c89e12917a3145e14be6030a611e07f7f62fa7c57de838d6251", "PWS:Win32/Ymacco.AA50: FileHash-SHA1 57486d33246bce6dfedb0836cd97c9acd4a4a39a", "PWS:Win32/Ymacco.AA50: FileHash-MD5 5739cd62eb88e2a7e514784fe7cf5ca4", "https://otx.alienvault.com/indicator/ip/162.222.213.199", "TrojanDownloader:Win32/PurityScan.MI!MTB: FileHash-SHA1 58ba8715a88d883537ba8d0e20eea2a4d9269cad", "Ransom:Win32/Tescrypt: FileHash-SHA256 916e13eb1e4313b2a04a2ae21b4955b8228183b26709a64284098ca759a8f437", "PWS:Win32/QQpass.B!MTB: FileHash-SHA256 71fa9257f88c15b438616662dc468327199edb570286c7259d333953006b8eec", "PWS:Win32/QQpass.B!MTB: FileHash-SHA1 fec703ee7c02ffe35c6b987bb9aac3a765e95dfb", "PWS:Win32/QQpass.B!MTB: FileHash-MD5 f7c36b4e5b4b09dc369163377aade2d7", "Trojan:Win32/Zombie.A: FileHash-SHA256 0b87667251b79cb800ddd88bdabecea8e13248c426d4a14ae0aae0ef5783f943", "Trojan:Win32/Zombie.A: FileHash-SHA1 de974c697f0401d681e1bb3c8694a663e9e43d8f", "Trojan:Win32/Zombie.A: FileHash-MD5 34e85820b41c14e07dd564f22997e893", "Win.Virus.TeslaCrypt3-2: 78af1fd5be62ab829e49f9a1b5fbb8a9b30f8d0804cba5805c8f350b841d522e", "IDS Detections : W32/Bayrob Attempted Checkin 2 CryptoWall Check-in AlphaCrypt CnC Beacon 4 Trojan-Ransom.Win32.Blocker.avsx", "IDS Detections : AlphaCrypt CnC Beacon 3 MalDoc Request for Payload Aug 17 2016 Koobface W32/Bayrob Attempted Checkin", "IDS Detections : Suspicious Accept in HTTP POST - Possible Alphacrypt/TeslaCrypt Alphacrypt/TeslaCrypt Ransomware CnC Beacon", "https://otx.alienvault.com/indicator/ip/185.230.63.186", "CnC IP's: 192.187.111.221 63.141.242.43 63.141.242.44 63.141.242.46 81.17.18.195 81.17.18.197 81.17.29.146 81.17.29.148", "http://islamicsoftwares.com/downloads/iphone/audioCont/2/107.tar.gz http://islamicsoftwares.com/downloads/iphone/audioCont/7/110.tar.gz", "smartphonesonline.co.uk https://smartphonesonline.co.uk/ https://www.smartphonesonline.co.uk/ [192.187.111.222. US - Request HTTP -Target IP]", "Mercenary Attackers / Cellebrite branded as: http://teacellertea.com/Pegasus/ NSO", "https://itunes.apple.com/app/apple-store/id284815942/us/app/samsung-galaxy-watch-gear-s/id1117310635", "https://otx.alienvault.com/indicator/file/0002f7cbc10cfea832f117d66dea2d33e6ca1d5cea57d9af0784255e0112d658", "https://otx.alienvault.com/indicator/file/0002f7cbc10cfea832f117d66dea2d33e6ca1d5cea57d9af0784255e0112d658", "https://otx.alienvault.com/indicator/ip/63.141.242.45", "Yara Detections: is__elf , xorddos , LinuxXorDDoS_VariantTwo", "Antivirus Detections: ELF:Xorddos-AE\\ [Trj] , Unix.Trojan.Xorddos-1 ,", "Trojan:Linux/Xorddos: FileHash-MD5 3b4ce1333614cd21c109054630e959b9", "Trojan:Linux/Xorddos: FileHash-SHA1 a5780498e6fce5933a7e7bf59a6fa5742e97f559", "Trojan:Linux/Xorddos: FileHash-SHA256 0002f7cbc10cfea832f117d66dea2d33e6ca1d5cea57d9af0784255e0112d658", "https://hallrender.com/attorney/brian-sabey" ], "public": 1, "adversary": "", "targeted_countries": [ "United States of America", "United Kingdom of Great Britain and Northern Ireland" ], "malware_families": [ { "id": "TrojanSpy:Win32/Nivdort.CW", "display_name": "TrojanSpy:Win32/Nivdort.CW", "target": "/malware/TrojanSpy:Win32/Nivdort.CW" }, { "id": "Ransom:Win32/Haperlock.A", "display_name": "Ransom:Win32/Haperlock.A", "target": "/malware/Ransom:Win32/Haperlock.A" }, { "id": "Backdoor:Win32/Fynloski.A", "display_name": "Backdoor:Win32/Fynloski.A", "target": "/malware/Backdoor:Win32/Fynloski.A" }, { "id": "TrojanClicker:Win32/Ellell.A", "display_name": "TrojanClicker:Win32/Ellell.A", "target": "/malware/TrojanClicker:Win32/Ellell.A" }, { "id": "Bayrob", "display_name": "Bayrob", "target": null }, { "id": "Win.Virus.TeslaCrypt3-2/Custom", "display_name": "Win.Virus.TeslaCrypt3-2/Custom", "target": null }, { "id": "PWS:Win32/Ymacco.AA50", "display_name": "PWS:Win32/Ymacco.AA50", "target": "/malware/PWS:Win32/Ymacco.AA50" }, { "id": "Ransom:Win32/Tescrypt", "display_name": "Ransom:Win32/Tescrypt", "target": "/malware/Ransom:Win32/Tescrypt" }, { "id": "PWS:Win32/QQpass.B!MTB", "display_name": "PWS:Win32/QQpass.B!MTB", "target": "/malware/PWS:Win32/QQpass.B!MTB" }, { "id": "Trojan:Win32/Zombie.A", "display_name": "Trojan:Win32/Zombie.A", "target": "/malware/Trojan:Win32/Zombie.A" }, { "id": "Pegasus for iOS - S0289", "display_name": "Pegasus for iOS - S0289", "target": null }, { "id": "Pegasus for Android - MOB-S0032", "display_name": "Pegasus for Android - MOB-S0032", "target": null }, { "id": "Ransomware", "display_name": "Ransomware", "target": null }, { "id": "Trojan:Linux/Xorddos", "display_name": "Trojan:Linux/Xorddos", "target": "/malware/Trojan:Linux/Xorddos" }, { "id": "Sakula RAT", "display_name": "Sakula RAT", "target": null } ], "attack_ids": [ { "id": "T1512", "name": "Capture Camera", "display_name": "T1512 - Capture Camera" }, { "id": "T1071", "name": "Application Layer Protocol", "display_name": "T1071 - Application Layer Protocol" }, { "id": "TA0001", "name": "Initial Access", "display_name": "TA0001 - Initial Access" }, { "id": "TA0002", "name": "Execution", "display_name": "TA0002 - Execution" }, { "id": "TA0003", "name": "Persistence", "display_name": "TA0003 - Persistence" }, { "id": "TA0004", "name": "Privilege Escalation", "display_name": "TA0004 - Privilege Escalation" }, { "id": "TA0005", "name": "Defense Evasion", "display_name": "TA0005 - Defense Evasion" }, { "id": "TA0007", "name": "Discovery", "display_name": "TA0007 - Discovery" }, { "id": "TA0008", "name": "Lateral Movement", "display_name": "TA0008 - Lateral Movement" }, { "id": "TA0009", "name": "Collection", "display_name": "TA0009 - Collection" }, { "id": "TA0010", "name": "Exfiltration", "display_name": "TA0010 - Exfiltration" }, { "id": "T1583", "name": "Acquire Infrastructure", "display_name": "T1583 - Acquire Infrastructure" }, { "id": "T1105", "name": "Ingress Tool Transfer", "display_name": "T1105 - Ingress Tool Transfer" }, { "id": "T1566", "name": "Phishing", "display_name": "T1566 - Phishing" }, { "id": "T1598", "name": "Phishing for Information", "display_name": "T1598 - Phishing for Information" }, { "id": "T1210", "name": "Exploitation of Remote Services", "display_name": "T1210 - Exploitation of Remote Services" }, { "id": "TA0011", "name": "Command and Control", "display_name": "TA0011 - Command and Control" }, { "id": "T1506", "name": "Web Session Cookie", "display_name": "T1506 - Web Session Cookie" }, { "id": "T1071.004", "name": "DNS", "display_name": "T1071.004 - DNS" }, { "id": "T1129", "name": "Shared Modules", "display_name": "T1129 - Shared Modules" }, { "id": "T1051", "name": "Shared Webroot", "display_name": "T1051 - Shared Webroot" }, { "id": "T1114", "name": "Email Collection", "display_name": "T1114 - Email Collection" }, { "id": "T1123", "name": "Audio Capture", "display_name": "T1123 - Audio Capture" }, { "id": "T1056.001", "name": "Keylogging", "display_name": "T1056.001 - Keylogging" }, { "id": "T1155", "name": "AppleScript", "display_name": "T1155 - AppleScript" } ], "industries": [], "TLP": "green", "cloned_from": null, "export_count": 106, "upvotes_count": 0, "downvotes_count": 0, "votes_count": 0, "locked": false, "pulse_source": "web", "validator_count": 0, "comment_count": 2, "follower_count": 0, "vote": 0, "author": { "username": "scoreblue", "id": "254100", "avatar_url": "/otxapi/users/avatar_image/media/avatars/user_254100/resized/80/avatar_3b9c358f36.png", "is_subscribed": false, "is_following": false }, "indicator_type_counts": { "domain": 3885, "hostname": 1651, "URL": 5981, "FileHash-MD5": 486, "FileHash-SHA256": 3859, "SSLCertFingerprint": 2, "FileHash-SHA1": 487, "CVE": 7, "email": 8 }, "indicator_count": 16366, "is_author": false, "is_subscribing": null, "subscriber_count": 230, "modified_text": "530 days ago ", "is_modified": true, "groups": [], "in_group": false, "threat_hunter_scannable": true, "threat_hunter_has_agents": 1, "related_indicator_type": "domain", "related_indicator_is_active": 1 } ], "error": null, "vt": { "error": "VirusTotal rate limit reached. Try again shortly.", "indicator": "flamecomcis.com", "type": "Domain" }, "abuseipdb": null, "urlhaus": { "indicator": "flamecomcis.com", "found": false, "verdict": "clean", "urls": [], "error": null }, "from_cache": true, "_cached_at": 1776649143.340411 }