{ "type": "URL", "indicator": "https://dev-rds-eja.educacaosesi.com.br", "general": { "sections": [ "general", "url_list", "http_scans", "screenshot" ], "indicator": "https://dev-rds-eja.educacaosesi.com.br", "type": "url", "type_title": "URL", "validation": [], "base_indicator": { "id": 4181961625, "indicator": "https://dev-rds-eja.educacaosesi.com.br", "type": "URL", "title": "", "description": "", "content": "", "access_type": "public", "access_reason": "" }, "pulse_info": { "count": 2, "pulses": [ { "id": "69bf261cc4e399447d78776c", "name": "Cyber Bully Attackers | Revenge Attacks | Remote attackers | Malware Packed |", "description": "Several government entities, attorneys have sought porn revenge including physical violence, attempted crimes, malicious prosecution case , harassment when a female patient of man formerly known as Jeffrey Scott Reimer of Chester Springs, PA, violently, critically injured patient in a sexually charged assault [URL\thttp://foundry2-lbl.dvr.dn2.n-helix.com\t\t\t\nhttps://foundry2-lbl.dvr.dn2.n-helix.com\t\tfoundry2-lbl.dvr.dn2.n-helix.com\t\t\t\t\thttps://www.palantir.io/docs/foundry/ontologies/test-changes-in-ontology/\t\t\nhttp://datafoundry.com\t\t\t\nhttp://foundry2sdbl.dvr.dn2.n-helix.com\t\t\thttps://209-99-40-223.fwd.datafoundry.com\t\t\t\ndatafoundry.com", "modified": "2026-04-20T21:01:07.869000", "created": "2026-03-21T23:13:32.760000", "tags": [ "sc data", "data upload", "please sub", "include data", "extraction", "failed", "sc pulse", "idron anv", "extr please", "include review", "exclude sugges", "stop show", "typ domain", "united", "virtool", "name servers", "cryp", "emails", "win32", "ip address", "worm", "trojan", "learn", "suspicious", "informative", "ck id", "name tactics", "command", "adversaries", "spawns", "ssl certificate", "initial access", "link initial", "prefetch8", "mitre att", "ck matrix", "flag", "windows nt", "win64", "accept", "encrypt", "form", "hybrid", "bypass", "general", "path", "iframe", "click", "strings", "anchor https", "anchor", "liberal", "sabey", "liberal friends", "meta", "html internet", "html document", "unicode text", "utf8 text", "info initial", "access ta0001", "compromise", "t1189 network", "communication", "get http", "artifacts v", "full reports", "v get", "help dns", "resolutions", "ip traffic", "extr data", "enter sc", "extra data", "referen", "broth", "passive dns", "urls", "http", "hostname", "files domain", "files related", "related tags", "none google", "safe browsing", "inquest labs", "lucas acha", "code integrity", "checks creation", "otx logo", "all hostname", "files", "domain", "protect", "date", "title", "exchange", "se http", "present jan", "present feb", "present dec", "backdoor", "certificate", "all domain", "alibaba cloud", "hichina", "porkbun llc", "cloudflare", "namecheap inc", "namecheap", "domains", "dynadot llc", "ascio", "denmark", "url https", "filehashsha256", "url http", "dopple ai", "snit", "iocs", "otx description", "information", "report spam", "delete service", "poem", "hunter", "malicious", "porn revenge", "brian sabeys", "all report", "spam delete", "rl http", "https", "expiration http", "spam brian", "swipper", "type indicator", "role title", "added active", "related pulses", "filehashmd5", "filehashsha1", "sha256", "scan", "learn more", "indicators show", "tbmvid", "sourcelnms", "zx1724209326040", "xxx videos", "xxxvideohd", "adversary", "packing", "palantir.com", "discovery", "victim won case", "doin it", "palantirian abuse", "apple", "sabey data centers", "insurance", "quasi government", "the brother sabey", "reimer", "law enforcement", "vessel state", "sabey porn", "hall evans", "christopher ahmann", "defamation", "google" ], "references": [ "The Brothers Sabey \u2013 Conservatives with Liberal Friends \u2022 https://thebrotherssabey.com/", "http://watchhers.net/index.php", "http://212.33.237.86/images/1/report.php", "https://www.pornhub.com/gifs/search?search=tsara+lynn+brashears+lesbian", "https://webmail.police.govmm.org/owa/", "https://pks.wroclaw.sa.gov.pl:1443/ \u2022 portal.bialystok.sa.gov.pl", "https://tulach.cc/ phishing \u2022 45.32.112.220 scanning_host \u2022 45.76.79.215", "Mark Brian Sabey", "Melvin Sabey", "Christopher P \u2018Buzz\u2019 Ahmann", "Ronda Cordova", "Unknown Persons impersonating Private Investigators (plural)", "Quasi Government Case", "Victim silenced. Struck by Car Driven by male police let walk", "Denver Police let this attempted murder walk. Cited him as a ghost driver", "Make driver stuck victim with large vehicle after PT unknowingly reported original assault Jeffrey Reiner to Dora", "Sexual and Physical Assaulter - Jeffrey Scott Reimer", "Reimer was a PT. Unknown whereabouts , name or job description", "Denver Police Department Major Crimes closed investigation", "Investigation closed when Brian Sabey initiated a malicious prosecution case against Victim", "I bring up the personal nature of the crime because a delete service has been used", "More than 1000 IoC\u2019s including pulses have been ILLEGALLY removed", "All IoC\u2019s originate from sources named. There are some unknown attackers", "This is a serious crime. I\u2019m certain God WILL pay them.", "https://palantirwww.sweetheartvideo.com\t\t\tMar 21, 2026, 2:06:10 PM\t\t3\t domain\tpalantir.io\t\t\tMar 21, 2026, 2:06:10 PM\t\t34\t URL\thttps://www.palantir.io/docs/foundry/ontologies/test-changes-in-ontology/ \u2022 www.palantir.com", "http://palantirwww.sweetheartvideo.com/ (weirdness)", "http://foundry2-lbl.dvr.dn2.n-helix.com \u2022 https://foundry2-lbl.dvr.dn2.n-helix.com", "foundry2-lbl.dvr.dn2.n-helix.com\t\t\tMar 21, 2026, 2:06:10 PM\t\t29\t URL\thttps://www.palantir.io/docs/foundry/ontologies/test-changes-in-ontology/\t\t\tMar 21, 2026, 2:06:10 PM\t\t8\t URL\thttp://datafoundry.com\t\t\tMar 21, 2026, 2:06:10 PM\t\t9\t URL\thttp://foundry2sdbl.dvr.dn2.n-helix.com\t\t\tMar 21, 2026, 2:06:10 PM\t\t17\t URL\thttps://209-99-40-223.fwd.datafoundry.com\t\t\tMar 21, 2026, 2:06:10 PM\t\t27\t domain\tdatafoundry.com\t\t\tMar 21, 2026, 2:06:10 PM\t\t40\t hostname\t209-99-40-223.fwd.datafoundry.com\t\t\tMar 21, 2026, 2:06:1", "foundry2-lbl.dvr.dn2.n-helix.com\t\t\tMar 21, 2026, 2:06:10 PM\t\t29\t URL\thttps://www.palantir.io/docs/foundry/ontologies/test-changes-in-ontology/\t\t\tMar 21, 2026, 2:06:10 PM\t\t8\t URL\thttp://datafoundry.com\t\t\tMar 21, 2026, 2:06:10 PM\t\t9\t URL\thttp://foundry2sdbl.dvr.dn2.n-helix.com\t\t\tMar 21, 2026, 2:06:10 PM\t\t17\t URL\thttps://209-99-40-223.fwd.datafoundry.com\t\t\tMar 21, 2026, 2:06:10 PM\t\t27\t domain\tdatafoundry.com\t\t\tMar 21, 2026, 2:06:10 PM\t\t40\t hostname\t209-99-40-223.fwd.datafoundry.com\t\t\tMar 21, 2026, 2:06:1", "https://rdweb.datafoundry.com/RDWeb/Pages/en-US/login.aspx", "https://www.datafoundry.com/data-center-contamination-control/", "https://www.datafoundry.com/data-center-contamination-control/", "https://www.palantir.io/docs/foundry/ontologies/test-changes-in-ontology/", "http://foundry2-lbl.dvr.dn2.n-helix.com/", "https://207-207-25-201.fwd.datafoundry.com/", "http://datafoundry.com \u2022 http://foundry2sdbl.dvr.dn2.n-helix.com \u2022 https://209-99-40-223.fwd.datafoundry.com \u2022 datafoundry.com \u2022 209-99-40-223.fwd.datafoundry.com \u2022 beabetta.ifoundry.co.uk.s7b2.psmtp.com \u2022 foundry2sdbl.dvr.dn2.n-helix.com \u2022 fwd.datafoundry.com \u2022 207-207-25-154.fwd.datafoundry.com \u2022 207-207-25-156.fwd.datafoundry.com\t\t\t207-207-25-160.fwd.datafoundry.com \u2022 207-207-25-163.fwd.datafoundry.com \u2022\t207-207-25-164.fwd.datafoundry.com \u2022 207-207-25-165.fwd.datafoundry.com\t\t\tMar 21, 207-207-25-166.fwd", "http://datafoundry.com \u2022 https://209-99-40-223.fwd.datafoundry.com\tdatafoundry.com \u2022 209-99-40-223.fwd.datafoundry.com\t\t\tMar 21, 2026, 2:06:10 PM\t\t13\t hostname\tbeabetta.ifoundry.co.uk.s7b2.psmtp.com\t\t\tMar 21, 2026, 2:06:10 PM\t\t12\t hostname\tfoundry2sdbl.dvr.dn2.n-helix.com\t\t\tMar 21, 2026, 2:06:10 PM\t\t18\t hostname\tfwd.datafoundry.com\t\t\tMar 21, 2026, 2:06:10 PM\t\t8\t hostname\t207-207-25-154.fwd.datafoundry.com\t\t\tMar 21, 2026, 2:06:10 PM\t\t19\t hostname\t207-207-25-156.fwd.datafoundry.com\t\t\tMar 21, 2026, 2:06:1", "https://rdweb.datafoundry.com/", "https://www.palantir.io/docs/foundry/ontologies/test-changes-in-ontology/", "http://foundry2sdbl.dvr.dn2.n-helix.com/", "Updated | What\u2019s left after theft", "207-207-25-167.fwd.datafoundry.com \u2022 207-207-25-168.fwd.datafoundry.com \u2022 207-207-25-169.fwd.datafoundry.com", "207-207-25-170.fwd.datafoundry.com \u2022 207-207-25-171.fwd.datafoundry.com \u2022 207-207-25-201.fwd.datafoundry.com", "https://www.datafoundry.com/category/news/press-releases/ (Fake Press) abuse", "https://www.datafoundry.com/category/news/press-releases/", "207-207-25-209.fwd.datafoundry.com \u2022\t207-207-25-212.fwd.datafoundry.com \u2022 207-207-25-213.fwd.datafoundry.com \u2022 209-99-64-53.fwd.datafoundry.com", "209-99-69-91.fwd.datafoundry.com \u2022 dns1.datafoundry.com \u2022 dns2.datafoundry.com \u2022 rdweb.datafoundry.com", "www.go.datafoundry.com \u2022 http://207-207-25-209.fwd.datafoundry.com", "http://209-99-64-53.fwd.datafoundry.com \u2022 http://dns2.datafoundry.com \u2022 http://fwd.datafoundry.com", "http://pdns1.datafoundry.com/ \u2022\thttp://rdweb.datafoundry.com \u2022 http://rdweb.datafoundry.com/", "https://rdweb.datafoundry.com/ \u2022 http://www.datafoundry.com \u2022 https://207-207-25-163.fwd.datafoundry.com \u2022", "https://207-207-25-209.fwd.datafoundry.com \u2022 https://209-99-40-224.fwd.datafoundry.com/", "https://209-99-64-53.fwd.datafoundry.com \u2022 https://dns1.datafoundry.com \u2022 https://dns2.datafoundry.com \u2022 https://fwd.datafoundry.com", "Some may may find this content is very disturbing and offensive" ], "public": 1, "adversary": "", "targeted_countries": [], "malware_families": [ { "id": "Porn Revenge", "display_name": "Porn Revenge", "target": null }, { "id": "Tons of Malware", "display_name": "Tons of Malware", "target": null } ], "attack_ids": [ { "id": "T1041", "name": "Exfiltration Over C2 Channel", "display_name": "T1041 - Exfiltration Over C2 Channel" }, { "id": "T1057", "name": "Process Discovery", "display_name": "T1057 - Process Discovery" }, { "id": "T1071", "name": "Application Layer Protocol", "display_name": "T1071 - Application Layer Protocol" }, { "id": "T1105", "name": "Ingress Tool Transfer", "display_name": "T1105 - Ingress Tool Transfer" }, { "id": "T1132", "name": "Data Encoding", "display_name": "T1132 - Data Encoding" }, { "id": "T1140", "name": "Deobfuscate/Decode Files or Information", "display_name": "T1140 - Deobfuscate/Decode Files or Information" }, { "id": "T1189", "name": "Drive-by Compromise", "display_name": "T1189 - Drive-by Compromise" }, { "id": "T1553", "name": "Subvert Trust Controls", "display_name": "T1553 - Subvert Trust Controls" }, { "id": "T1566", "name": "Phishing", "display_name": "T1566 - Phishing" }, { "id": "T1568", "name": "Dynamic Resolution", "display_name": "T1568 - Dynamic Resolution" }, { "id": "T1583", "name": "Acquire Infrastructure", "display_name": "T1583 - Acquire Infrastructure" }, { "id": "T1583.001", "name": "Domains", "display_name": "T1583.001 - Domains" }, { "id": "T1553.002", "name": "Code Signing", "display_name": "T1553.002 - Code Signing" }, { "id": "T1132.001", "name": "Standard Encoding", "display_name": "T1132.001 - Standard Encoding" }, { "id": "T1071.001", "name": "Web Protocols", "display_name": "T1071.001 - Web Protocols" }, { "id": "T1568.002", "name": "Domain Generation Algorithms", "display_name": "T1568.002 - Domain Generation Algorithms" }, { "id": "T1071.004", "name": "DNS", "display_name": "T1071.004 - DNS" }, { "id": "T1113", "name": "Screen Capture", "display_name": "T1113 - Screen Capture" }, { "id": "T1027", "name": "Obfuscated Files or Information", "display_name": "T1027 - Obfuscated Files or Information" }, { "id": "T1036", "name": "Masquerading", "display_name": "T1036 - Masquerading" }, { "id": "T1045", "name": "Software Packing", "display_name": "T1045 - Software Packing" }, { "id": "T1055", "name": "Process Injection", "display_name": "T1055 - Process Injection" }, { "id": "T1059", "name": "Command and Scripting Interpreter", "display_name": "T1059 - Command and Scripting Interpreter" }, { "id": "T1060", "name": "Registry Run Keys / Startup Folder", "display_name": "T1060 - Registry Run Keys / Startup Folder" }, { "id": "T1070", "name": "Indicator Removal on Host", "display_name": "T1070 - Indicator Removal on Host" }, { "id": "T1082", "name": "System Information Discovery", "display_name": "T1082 - System Information Discovery" }, { "id": "T1083", "name": "File and Directory Discovery", "display_name": "T1083 - File and Directory Discovery" }, { "id": "T1106", "name": "Native API", "display_name": "T1106 - Native API" }, { "id": "T1125", "name": "Video Capture", "display_name": "T1125 - Video Capture" }, { "id": "T1129", "name": "Shared Modules", "display_name": "T1129 - Shared Modules" }, { "id": "T1143", "name": "Hidden Window", "display_name": "T1143 - Hidden Window" }, { "id": "T1176", "name": "Browser Extensions", "display_name": "T1176 - Browser Extensions" }, { "id": "T1449", "name": "Exploit SS7 to Redirect Phone Calls/SMS", "display_name": "T1449 - Exploit SS7 to Redirect Phone Calls/SMS" }, { "id": "T1495", "name": "Firmware Corruption", "display_name": "T1495 - Firmware Corruption" }, { "id": "T1546", "name": "Event Triggered Execution", "display_name": "T1546 - Event Triggered Execution" }, { "id": "T1587.001", "name": "Malware", "display_name": "T1587.001 - Malware" }, { "id": "T1608.001", "name": "Upload Malware", "display_name": "T1608.001 - Upload Malware" }, { "id": "T1457", "name": "Malicious Media Content", "display_name": "T1457 - Malicious Media Content" }, { "id": "T1586.001", "name": "Social Media Accounts", "display_name": "T1586.001 - Social Media Accounts" }, { "id": "T1593.001", "name": "Social Media", "display_name": "T1593.001 - Social Media" }, { "id": "T1068", "name": "Exploitation for Privilege Escalation", "display_name": "T1068 - Exploitation for Privilege Escalation" }, { "id": "T1080", "name": "Taint Shared Content", "display_name": "T1080 - Taint Shared Content" }, { "id": "T1190", "name": "Exploit Public-Facing Application", "display_name": "T1190 - Exploit Public-Facing Application" }, { "id": "T1472", "name": "Generate Fraudulent Advertising Revenue", "display_name": "T1472 - Generate Fraudulent Advertising Revenue" }, { "id": "T1586", "name": "Compromise Accounts", "display_name": "T1586 - Compromise Accounts" }, { "id": "T1059.002", "name": "AppleScript", "display_name": "T1059.002 - AppleScript" }, { "id": "T1456", "name": "Drive-by Compromise", "display_name": "T1456 - Drive-by Compromise" }, { "id": "T1210", "name": "Exploitation of Remote Services", "display_name": "T1210 - Exploitation of Remote Services" }, { "id": "T1583.005", "name": "Botnet", "display_name": "T1583.005 - Botnet" }, { "id": "T1584", "name": "Compromise Infrastructure", "display_name": "T1584 - Compromise Infrastructure" } ], "industries": [], "TLP": "white", "cloned_from": null, "export_count": 6, "upvotes_count": 0, "downvotes_count": 0, "votes_count": 0, "locked": false, "pulse_source": "web", "validator_count": 0, "comment_count": 0, "follower_count": 0, "vote": 0, "author": { "username": "Q.Vashti", "id": "337942", "avatar_url": "https://otx.alienvault.com/assets/images/default-avatar.png", "is_subscribed": false, "is_following": false }, "indicator_type_counts": { "URL": 6034, "domain": 1422, "FileHash-MD5": 274, "FileHash-SHA1": 252, "FileHash-SHA256": 3378, "email": 11, "hostname": 2753, "CVE": 1, "SSLCertFingerprint": 9 }, "indicator_count": 14134, "is_author": false, "is_subscribing": null, "subscriber_count": 145, "modified_text": "42 days ago ", "is_modified": true, "groups": [], "in_group": false, "threat_hunter_scannable": true, "threat_hunter_has_agents": 1, "related_indicator_type": "URL", "related_indicator_is_active": 1 }, { "id": "697488f095f69d392afd00fb", "name": "Fidelity Investments \u2022\u2019 EternalRocks | Financial Crimes", "description": "Fidelity Life and Guarantee defaults to Fidelity Investments. Long standing issue. Possible phishing email interception. Multiple accounts stolen at the time a man who presents himself as M. Brian Sabey Esq. Elder/Estate attorney unable to\nsettle life claim more action was requested. Attorney repeatedly redirected to an investment team. We decided to use targets phone to\ntest results , payout is overdue. Illegal tactics were used to defraud victim/s.. Fraud operators ask for SSN and later state they cannot help. L of Fraud phone , \u2018team\u2019 cannot complete internal phone transfers.,can conference you in to other people who act confused , disheveled who also\nask for SSN. \n\nSince victims experiences less\nthan covert interactions, I\u2019m unclear as to why there is a strong FBI, CIA , Palantir Foundry presence. It\u2019s rattling . \nReiterating : Entity steals financial products, health , life insurance policies, investment accounts, credit card frauds , bank accounts,intellectual property anything of value.", "modified": "2026-02-23T07:04:04.285000", "created": "2026-01-24T08:55:12.845000", "tags": [ "learn", "command", "ck id", "name tactics", "suspicious", "informative", "spawns", "ck techniques", "evasion att", "t1480 execution", "href", "ascii text", "pattern match", "mitre att", "null", "refresh", "span", "hybrid", "general", "local", "path", "form", "click", "strings", "error", "tools", "look", "verify", "restart", "active related", "url https", "related pulses", "url http", "united", "czechia", "hong kong", "ipv4", "indicators hong", "kong", "south korea", "netherlands", "germany", "ireland", "denmark", "sweden", "active", "government", "finance", "security", "type indicator", "yara detections", "av detections", "ids detections", "alerts", "analysis date", "mcsf", "microsoft", "yara", "insurance", "fidelity investments", "description", "fidelity international", "ms windows", "pe32", "writeconsolew", "read c", "pe32 executable", "t1045", "susp", "write", "win64", "malware", "modified", "ck ids", "t1040", "sniffing", "packing", "t1112", "packing t1045", "icmp traffic", "memcommit", "pe section", "low software", "pe resource", "win32", "trojan", "april", "sara ligorria", "tramp advert", "black paper", "createdate", "subject laser", "title laser", "format", "types of", "japan", "regsetvalueexa", "regdword", "regbinary", "module download", "tls handshake", "high", "defense evasion", "discovery att", "adversaries", "title", "role", "flag", "name server", "server", "domain address", "markmonitor", "clicktale ltd", "enom", "whoisguard", "medium", "unicode", "rgba", "delete", "crlf line", "next", "dock", "execution", "date", "users", "tls sni", "total", "cnc domain", "search", "oamazon", "cnamazon rsa", "push", "failure yara", "contacted", "hours ago", "created", "cia", "fbi", "telegram", "tulach", "sabey", "state", "gov", "ahmann", "financial fraud", "t-mobile", "walmartmobile", "life insurance", "fidelity life", "guarantee", "team", "role title", "added active", "scan", "iocs", "learn more", "filehashsha1", "filehashmd5", "kw3recepten", "domainname0", "searchbox0", "kw1brinta", "kw2muesli", "indicator role", "title added", "pulses url", "cve cve20170147", "apple", "apple id" ], "references": [ "https://www.fidelity.com/branches/investor-center-denver-west-s-teller-colorado-80226", "https://www.fidelity.com/ www.fidelity.com https://www.fidelity.com/ \u2022 www.fidelity.com", "http://neurosky.jp/ \u2022 https://tulach.cc/ \u2022 blackrock.com \u2022 vanguard-account.com", "https://bhive.nectar.social/rKvoMY", "MC nosnoop.exe: a44812b44591121f3e711223db099043d4d72288e4f436dba2fb935b6d888d40.exe", "ETERNALROCKS Detections: Win32:EternalRocks-B\\ [Trj] , Win.Trojan.EternalRocks1-6319293-0 ,", "TrojanDownloader:Win32/Eterock.A IDS Detections Possible ETERNALROCKS .Net161", "Module Download TLS Handshake Failure Yara Detections SUSP_NET_NAME_ConfuserEx , EternalRocks_svchost , EternalRocks_UpdateInstaller , ProtectSharewareV11eCompservCMS Alerts dead_host network_icmp nolookup_communication modifies_proxy_wpad network_http protection_rx antivm_network_adapters pe_unknown_resource_name raises_exception IP\u2019s Contacted 152.199.4.184 208.111.179.129 3.131.2.", "EternalRocks_svchost , EternalRocks_UpdateInstaller , ProtectSharewareV11eCompservCMS", "Alerts dead_host network_icmp nolookup_communication modifies_proxy_wpad", "Alerts: networki_http protectionk_rx antivm_network_adapters pe_unknown_resource_name", "Alerts: raises_exception IP\u2019s Contacted: 152.199.4.184 208.111.179.129 3.131.2.", "Domains Contacted api.nuget.org", "MC nosnoop.exe: a44812b44591121f3e711223db099043d4d72288e4f436dba2fb935b6d888d40.exe", "https://cdn-cms-s-8-4.f-static.net/files/icons/socialNetworksBrands/telegram", "https://cdn-cms-s-8-4.f-static.net/files/icons/socialNetworksBrands/telegram-icon.png", "https://cdn-cms-s.f-static.net/files/icons/socialNetworksBrands/telegram-icon.png?v=r82934", "https://www.anyxxxtube.net/search-porn/tsara-brashears/", "https://www.fidelity.com/ https://www.fidelity.com/", "cia.gov FileHash-SHA256 3b55307785bdd903bc9183642bdfd8b5a8ee15b90a05b25acbcd477432d26d99", "cia.gov FileHash-SHA256 f0a2d463a40c5b02e4bf61fdd76892b8ed5a1dd7d4a305849e4ff8fba00735bf", "https://www.anyxxxtube.net/search-porn/tsara-brashears/", "http://www.anyxxxtube.net/search-porn/tsara-brashears-denies-jeffrey-scott-reimer-sex", "http://www.anyxxxtube.net/search-porn/tsara-brashears/ hallrender.com/attorney/brian-sabey hallrender.com/attorney/b-sabey Christopher Ahmann https://hallrender.com/attorney/brian-sabey/anyxxxtube.net/search-porn/tsara-brashears https://www.anyxxxtube.net/search-porn/a-m-c-ate-xxx-videos/ pornokind.vgt.pl https://www.anyxxxtube.net/search-porn/ https://hallrender.com/attorney/brian-sabey/anyxxxtube.net/search-porn/tsara-brashears fidelity-account.com MC nosnoop.exe: a44812b44591121f3e711223db099043d4d72288e", "http://www.anyxxxtube.net/search-porn/tsara-brashears/", "hallrender.com/attorney/brian-sabey hallrender.com/attorney/b-sabey Christopher Ahmann", "https://www.anyxxxtube.net/search-porn/a-m-c-ate-xxx-videos/ pornokind.vgt.pl. vgt.pl", "https://www.anyxxxtube.net/search-porn/", "https://hallrender.com/attorney/brian-sabey/anyxxxtube.net/search-porn/tsara-brashears", "fidelity-account.com e http://fidelity-account.com/fidelity/code.html", "MC nosnoop.exe: a44812b44591121f3e711223db099043d4d72288e4f436dba2fb935b6d888d40.ex", "http://shared-work.com/fidelity2/login.html \u2022 https://fidelity-account.com/fidelity/otp.html", "https://booking.nmc.ae/en-ae/doctor/physician/abu-dhabi/sreehari-karunakaran-pillai :", "https://www.fidelity-account.com/ https://www.fidelity-account.com/ \u2022 http://fidelity-account.com/cgi-sys https://fidelity-account.com/fidelity/login.html \u2022 https://www.fidelity.com/ https://www.fidelity.com/branches/investor-center-denver-west-s-teller-colorado-80226 https://www.fidelity.com/ \u2022 www.fidelity.com https://bhive.nectar.social/rKvoMY https://booking.nmc.ae/en-ae/doctor/physician/abu-dhabi/sreehari-karunakaran-pillai :", "http://www.fidelity-account.com/ https://fidelity-account.com/fidelity/code.html \u2022", "\"CIA\" most commonly refers to the Central Intelligence Agency, a premier U.S. government agency responsible for gathering and analyzing foreign intelligence.", "https://booking.nmc.ae/en-ae/doctor/physician/abu-dhabi/sreehari-karunakaran-pillai:", "https://bhive.nectar.social/rKvoMY", "apple.com \u2022 appleid.apple.com-elasticbeanstalk.ttfcuupdateaccount-loginpage.works.co", "http://appleid.app", "https://bounceme.netakamaipofcassandrvodd-krdddddddddddgaliapplepaysupplieseway.devrvodio-kr.zomato.tw\t d" ], "public": 1, "adversary": "", "targeted_countries": [], "malware_families": [ { "id": "Win64:Trojan-gen", "display_name": "Win64:Trojan-gen", "target": null }, { "id": "Trojan:MSIL/Ursu.KP", "display_name": "Trojan:MSIL/Ursu.KP", "target": "/malware/Trojan:MSIL/Ursu.KP" }, { "id": "ALF:HeraklezEval:Trojan:Win32/Eqtonex.F", "display_name": "ALF:HeraklezEval:Trojan:Win32/Eqtonex.F", "target": null }, { "id": "Trojan:PDF/Phish.RR!MTB", "display_name": "Trojan:PDF/Phish.RR!MTB", "target": "/malware/Trojan:PDF/Phish.RR!MTB" }, { "id": "Win32:TrojanX-gen\\ [Trj]", "display_name": "Win32:TrojanX-gen\\ [Trj]", "target": null }, { "id": ": ALF:Trojan:MSIL/Azorult.AC!", "display_name": ": ALF:Trojan:MSIL/Azorult.AC!", "target": null }, { "id": "ALF:Trojan:Win32/CryptWrapper.RT!MTB", "display_name": "ALF:Trojan:Win32/CryptWrapper.RT!MTB", "target": null }, { "id": "Trojan:Win32/Conbea!rfn", "display_name": "Trojan:Win32/Conbea!rfn", "target": "/malware/Trojan:Win32/Conbea!rfn" }, { "id": "Trojan:Win32/Ausiv!rfn", "display_name": "Trojan:Win32/Ausiv!rfn", "target": "/malware/Trojan:Win32/Ausiv!rfn" }, { "id": "ALF:HeraklezEval:Trojan:MSIL/Gravityrat", "display_name": "ALF:HeraklezEval:Trojan:MSIL/Gravityrat", "target": null }, { "id": "Trojan:BAT/Musecador", "display_name": "Trojan:BAT/Musecador", "target": "/malware/Trojan:BAT/Musecador" }, { "id": "TrojanDropper:Win32/Qhost", "display_name": "TrojanDropper:Win32/Qhost", "target": "/malware/TrojanDropper:Win32/Qhost" }, { "id": "Trojan:Win32/Miner.KA!MTB", "display_name": "Trojan:Win32/Miner.KA!MTB", "target": "/malware/Trojan:Win32/Miner.KA!MTB" }, { "id": "DNSTrojan", "display_name": "DNSTrojan", "target": null }, { "id": "EternalRocks", "display_name": "EternalRocks", "target": null }, { "id": "Tofsee", "display_name": "Tofsee", "target": null } ], "attack_ids": [ { "id": "T1057", "name": "Process Discovery", "display_name": "T1057 - Process Discovery" }, { "id": "T1069", "name": "Permission Groups Discovery", "display_name": "T1069 - Permission Groups Discovery" }, { "id": "T1071", "name": "Application Layer Protocol", "display_name": "T1071 - Application Layer Protocol" }, { "id": "T1105", "name": "Ingress Tool Transfer", "display_name": "T1105 - Ingress Tool Transfer" }, { "id": "T1480", "name": "Execution Guardrails", "display_name": "T1480 - Execution Guardrails" }, { "id": "T1113", "name": "Screen Capture", "display_name": "T1113 - Screen Capture" }, { "id": "T1045", "name": "Software Packing", "display_name": "T1045 - Software Packing" }, { "id": "T1129", "name": "Shared Modules", "display_name": "T1129 - Shared Modules" }, { "id": "T1040", "name": "Network Sniffing", "display_name": "T1040 - Network Sniffing" }, { "id": "T1112", "name": "Modify Registry", "display_name": "T1112 - Modify Registry" }, { "id": "T1069.002", "name": "Domain Groups", "display_name": "T1069.002 - Domain Groups" }, { "id": "T1071.001", "name": "Web Protocols", "display_name": "T1071.001 - Web Protocols" }, { "id": "T1071.004", "name": "DNS", "display_name": "T1071.004 - DNS" }, { "id": "T1071.002", "name": "File Transfer Protocols", "display_name": "T1071.002 - File Transfer Protocols" }, { "id": "T1036.004", "name": "Masquerade Task or Service", "display_name": "T1036.004 - Masquerade Task or Service" }, { "id": "T1053", "name": "Scheduled Task/Job", "display_name": "T1053 - Scheduled Task/Job" }, { "id": "T1055", "name": "Process Injection", "display_name": "T1055 - Process Injection" }, { "id": "T1082", "name": "System Information Discovery", "display_name": "T1082 - System Information Discovery" }, { "id": "T1119", "name": "Automated Collection", "display_name": "T1119 - Automated Collection" }, { "id": "T1143", "name": "Hidden Window", "display_name": "T1143 - Hidden Window" }, { "id": "T1140", "name": "Deobfuscate/Decode Files or Information", "display_name": "T1140 - Deobfuscate/Decode Files or Information" }, { "id": "T1583.005", "name": "Botnet", "display_name": "T1583.005 - Botnet" }, { "id": "T1457", "name": "Malicious Media Content", "display_name": "T1457 - Malicious Media Content" } ], "industries": [ "Government", "Finance", "Insurance" ], "TLP": "green", "cloned_from": null, "export_count": 5, "upvotes_count": 0, "downvotes_count": 0, "votes_count": 0, "locked": false, "pulse_source": "web", "validator_count": 0, "comment_count": 0, "follower_count": 0, "vote": 0, "author": { "username": "Q.Vashti", "id": "337942", "avatar_url": "https://otx.alienvault.com/assets/images/default-avatar.png", "is_subscribed": false, "is_following": false }, "indicator_type_counts": { "hostname": 2793, "URL": 6639, "FileHash-SHA256": 2462, "domain": 1070, "FileHash-MD5": 307, "FileHash-SHA1": 186, "SSLCertFingerprint": 1, "email": 1, "CVE": 3 }, "indicator_count": 13462, "is_author": false, "is_subscribing": null, "subscriber_count": 143, "modified_text": "98 days ago ", "is_modified": true, "groups": [], "in_group": false, "threat_hunter_scannable": true, "threat_hunter_has_agents": 1, "related_indicator_type": "URL", "related_indicator_is_active": 1 } ], "references": [ "Make driver stuck victim with large vehicle after PT unknowingly reported original assault Jeffrey Reiner to Dora", "https://www.fidelity.com/ www.fidelity.com https://www.fidelity.com/ \u2022 www.fidelity.com", "https://palantirwww.sweetheartvideo.com\t\t\tMar 21, 2026, 2:06:10 PM\t\t3\t domain\tpalantir.io\t\t\tMar 21, 2026, 2:06:10 PM\t\t34\t URL\thttps://www.palantir.io/docs/foundry/ontologies/test-changes-in-ontology/ \u2022 www.palantir.com", "http://foundry2-lbl.dvr.dn2.n-helix.com \u2022 https://foundry2-lbl.dvr.dn2.n-helix.com", "http://neurosky.jp/ \u2022 https://tulach.cc/ \u2022 blackrock.com \u2022 vanguard-account.com", "http://shared-work.com/fidelity2/login.html \u2022 https://fidelity-account.com/fidelity/otp.html", "https://booking.nmc.ae/en-ae/doctor/physician/abu-dhabi/sreehari-karunakaran-pillai :", "https://www.datafoundry.com/category/news/press-releases/", "https://webmail.police.govmm.org/owa/", "http://datafoundry.com \u2022 https://209-99-40-223.fwd.datafoundry.com\tdatafoundry.com \u2022 209-99-40-223.fwd.datafoundry.com\t\t\tMar 21, 2026, 2:06:10 PM\t\t13\t hostname\tbeabetta.ifoundry.co.uk.s7b2.psmtp.com\t\t\tMar 21, 2026, 2:06:10 PM\t\t12\t hostname\tfoundry2sdbl.dvr.dn2.n-helix.com\t\t\tMar 21, 2026, 2:06:10 PM\t\t18\t hostname\tfwd.datafoundry.com\t\t\tMar 21, 2026, 2:06:10 PM\t\t8\t hostname\t207-207-25-154.fwd.datafoundry.com\t\t\tMar 21, 2026, 2:06:10 PM\t\t19\t hostname\t207-207-25-156.fwd.datafoundry.com\t\t\tMar 21, 2026, 2:06:1", "http://appleid.app", "TrojanDownloader:Win32/Eterock.A IDS Detections Possible ETERNALROCKS .Net161", "https://www.fidelity.com/ https://www.fidelity.com/", "Christopher P \u2018Buzz\u2019 Ahmann", "cia.gov FileHash-SHA256 f0a2d463a40c5b02e4bf61fdd76892b8ed5a1dd7d4a305849e4ff8fba00735bf", "207-207-25-170.fwd.datafoundry.com \u2022 207-207-25-171.fwd.datafoundry.com \u2022 207-207-25-201.fwd.datafoundry.com", "Investigation closed when Brian Sabey initiated a malicious prosecution case against Victim", "https://www.palantir.io/docs/foundry/ontologies/test-changes-in-ontology/", "https://207-207-25-201.fwd.datafoundry.com/", "foundry2-lbl.dvr.dn2.n-helix.com\t\t\tMar 21, 2026, 2:06:10 PM\t\t29\t URL\thttps://www.palantir.io/docs/foundry/ontologies/test-changes-in-ontology/\t\t\tMar 21, 2026, 2:06:10 PM\t\t8\t URL\thttp://datafoundry.com\t\t\tMar 21, 2026, 2:06:10 PM\t\t9\t URL\thttp://foundry2sdbl.dvr.dn2.n-helix.com\t\t\tMar 21, 2026, 2:06:10 PM\t\t17\t URL\thttps://209-99-40-223.fwd.datafoundry.com\t\t\tMar 21, 2026, 2:06:10 PM\t\t27\t domain\tdatafoundry.com\t\t\tMar 21, 2026, 2:06:10 PM\t\t40\t hostname\t209-99-40-223.fwd.datafoundry.com\t\t\tMar 21, 2026, 2:06:1", "Domains Contacted api.nuget.org", "The Brothers Sabey \u2013 Conservatives with Liberal Friends \u2022 https://thebrotherssabey.com/", "https://www.datafoundry.com/data-center-contamination-control/", "Ronda Cordova", "ETERNALROCKS Detections: Win32:EternalRocks-B\\ [Trj] , Win.Trojan.EternalRocks1-6319293-0 ,", "hallrender.com/attorney/brian-sabey hallrender.com/attorney/b-sabey Christopher Ahmann", "http://foundry2-lbl.dvr.dn2.n-helix.com/", "http://www.anyxxxtube.net/search-porn/tsara-brashears/", "https://booking.nmc.ae/en-ae/doctor/physician/abu-dhabi/sreehari-karunakaran-pillai:", "https://207-207-25-209.fwd.datafoundry.com \u2022 https://209-99-40-224.fwd.datafoundry.com/", "I bring up the personal nature of the crime because a delete service has been used", "https://rdweb.datafoundry.com/", "www.go.datafoundry.com \u2022 http://207-207-25-209.fwd.datafoundry.com", "https://hallrender.com/attorney/brian-sabey/anyxxxtube.net/search-porn/tsara-brashears", "209-99-69-91.fwd.datafoundry.com \u2022 dns1.datafoundry.com \u2022 dns2.datafoundry.com \u2022 rdweb.datafoundry.com", "http://209-99-64-53.fwd.datafoundry.com \u2022 http://dns2.datafoundry.com \u2022 http://fwd.datafoundry.com", "https://www.anyxxxtube.net/search-porn/a-m-c-ate-xxx-videos/ pornokind.vgt.pl. vgt.pl", "This is a serious crime. I\u2019m certain God WILL pay them.", "EternalRocks_svchost , EternalRocks_UpdateInstaller , ProtectSharewareV11eCompservCMS", "fidelity-account.com e http://fidelity-account.com/fidelity/code.html", "\"CIA\" most commonly refers to the Central Intelligence Agency, a premier U.S. government agency responsible for gathering and analyzing foreign intelligence.", "207-207-25-167.fwd.datafoundry.com \u2022 207-207-25-168.fwd.datafoundry.com \u2022 207-207-25-169.fwd.datafoundry.com", "http://datafoundry.com \u2022 http://foundry2sdbl.dvr.dn2.n-helix.com \u2022 https://209-99-40-223.fwd.datafoundry.com \u2022 datafoundry.com \u2022 209-99-40-223.fwd.datafoundry.com \u2022 beabetta.ifoundry.co.uk.s7b2.psmtp.com \u2022 foundry2sdbl.dvr.dn2.n-helix.com \u2022 fwd.datafoundry.com \u2022 207-207-25-154.fwd.datafoundry.com \u2022 207-207-25-156.fwd.datafoundry.com\t\t\t207-207-25-160.fwd.datafoundry.com \u2022 207-207-25-163.fwd.datafoundry.com \u2022\t207-207-25-164.fwd.datafoundry.com \u2022 207-207-25-165.fwd.datafoundry.com\t\t\tMar 21, 207-207-25-166.fwd", "Victim silenced. Struck by Car Driven by male police let walk", "https://209-99-64-53.fwd.datafoundry.com \u2022 https://dns1.datafoundry.com \u2022 https://dns2.datafoundry.com \u2022 https://fwd.datafoundry.com", "Module Download TLS Handshake Failure Yara Detections SUSP_NET_NAME_ConfuserEx , EternalRocks_svchost , EternalRocks_UpdateInstaller , ProtectSharewareV11eCompservCMS Alerts dead_host network_icmp nolookup_communication modifies_proxy_wpad network_http protection_rx antivm_network_adapters pe_unknown_resource_name raises_exception IP\u2019s Contacted 152.199.4.184 208.111.179.129 3.131.2.", "http://foundry2sdbl.dvr.dn2.n-helix.com/", "http://www.fidelity-account.com/ https://fidelity-account.com/fidelity/code.html \u2022", "https://rdweb.datafoundry.com/ \u2022 http://www.datafoundry.com \u2022 https://207-207-25-163.fwd.datafoundry.com \u2022", "Alerts dead_host network_icmp nolookup_communication modifies_proxy_wpad", "https://www.pornhub.com/gifs/search?search=tsara+lynn+brashears+lesbian", "Updated | What\u2019s left after theft", "https://tulach.cc/ phishing \u2022 45.32.112.220 scanning_host \u2022 45.76.79.215", "https://www.fidelity.com/branches/investor-center-denver-west-s-teller-colorado-80226", "https://cdn-cms-s-8-4.f-static.net/files/icons/socialNetworksBrands/telegram", "https://pks.wroclaw.sa.gov.pl:1443/ \u2022 portal.bialystok.sa.gov.pl", "Some may may find this content is very disturbing and offensive", "cia.gov FileHash-SHA256 3b55307785bdd903bc9183642bdfd8b5a8ee15b90a05b25acbcd477432d26d99", "http://www.anyxxxtube.net/search-porn/tsara-brashears-denies-jeffrey-scott-reimer-sex", "https://www.anyxxxtube.net/search-porn/tsara-brashears/", "http://212.33.237.86/images/1/report.php", "https://cdn-cms-s.f-static.net/files/icons/socialNetworksBrands/telegram-icon.png?v=r82934", "Melvin Sabey", "Alerts: raises_exception IP\u2019s Contacted: 152.199.4.184 208.111.179.129 3.131.2.", "Sexual and Physical Assaulter - Jeffrey Scott Reimer", "https://bounceme.netakamaipofcassandrvodd-krdddddddddddgaliapplepaysupplieseway.devrvodio-kr.zomato.tw\t d", "MC nosnoop.exe: a44812b44591121f3e711223db099043d4d72288e4f436dba2fb935b6d888d40.ex", "MC nosnoop.exe: a44812b44591121f3e711223db099043d4d72288e4f436dba2fb935b6d888d40.exe", "207-207-25-209.fwd.datafoundry.com \u2022\t207-207-25-212.fwd.datafoundry.com \u2022 207-207-25-213.fwd.datafoundry.com \u2022 209-99-64-53.fwd.datafoundry.com", "Denver Police let this attempted murder walk. Cited him as a ghost driver", "Quasi Government Case", "https://cdn-cms-s-8-4.f-static.net/files/icons/socialNetworksBrands/telegram-icon.png", "Unknown Persons impersonating Private Investigators (plural)", "apple.com \u2022 appleid.apple.com-elasticbeanstalk.ttfcuupdateaccount-loginpage.works.co", "https://www.fidelity-account.com/ https://www.fidelity-account.com/ \u2022 http://fidelity-account.com/cgi-sys https://fidelity-account.com/fidelity/login.html \u2022 https://www.fidelity.com/ https://www.fidelity.com/branches/investor-center-denver-west-s-teller-colorado-80226 https://www.fidelity.com/ \u2022 www.fidelity.com https://bhive.nectar.social/rKvoMY https://booking.nmc.ae/en-ae/doctor/physician/abu-dhabi/sreehari-karunakaran-pillai :", "Mark Brian Sabey", "More than 1000 IoC\u2019s including pulses have been ILLEGALLY removed", "All IoC\u2019s originate from sources named. There are some unknown attackers", "https://www.anyxxxtube.net/search-porn/", "http://palantirwww.sweetheartvideo.com/ (weirdness)", "Reimer was a PT. Unknown whereabouts , name or job description", "https://rdweb.datafoundry.com/RDWeb/Pages/en-US/login.aspx", "http://pdns1.datafoundry.com/ \u2022\thttp://rdweb.datafoundry.com \u2022 http://rdweb.datafoundry.com/", "http://watchhers.net/index.php", "https://bhive.nectar.social/rKvoMY", "Alerts: networki_http protectionk_rx antivm_network_adapters pe_unknown_resource_name", "https://www.datafoundry.com/category/news/press-releases/ (Fake Press) abuse", "http://www.anyxxxtube.net/search-porn/tsara-brashears/ hallrender.com/attorney/brian-sabey hallrender.com/attorney/b-sabey Christopher Ahmann https://hallrender.com/attorney/brian-sabey/anyxxxtube.net/search-porn/tsara-brashears https://www.anyxxxtube.net/search-porn/a-m-c-ate-xxx-videos/ pornokind.vgt.pl https://www.anyxxxtube.net/search-porn/ https://hallrender.com/attorney/brian-sabey/anyxxxtube.net/search-porn/tsara-brashears fidelity-account.com MC nosnoop.exe: a44812b44591121f3e711223db099043d4d72288e", "Denver Police Department Major Crimes closed investigation" ], "related": { "alienvault": { "adversary": [], "malware_families": [], "industries": [], "unique_indicators": 0 }, "other": { "adversary": [], "malware_families": [ "Eternalrocks", "Trojan:win32/miner.ka!mtb", "Dnstrojan", "Trojandropper:win32/qhost", "Trojan:win32/conbea!rfn", "Trojan:msil/ursu.kp", "Alf:heraklezeval:trojan:win32/eqtonex.f", "Trojan:win32/ausiv!rfn", "Alf:heraklezeval:trojan:msil/gravityrat", "Win64:trojan-gen", "Tofsee", "Porn revenge", "Win32:trojanx-gen\\ [trj]", ": alf:trojan:msil/azorult.ac!", "Trojan:bat/musecador", "Tons of malware", "Trojan:pdf/phish.rr!mtb", "Alf:trojan:win32/cryptwrapper.rt!mtb" ], "industries": [ "Government", "Finance", "Insurance" ], "unique_indicators": 28193 } } }, "false_positive": [], "alexa": "http://www.alexa.com/siteinfo/educacaosesi.com.br", "whois": "http://whois.domaintools.com/educacaosesi.com.br", "domain": "educacaosesi.com.br", "hostname": "dev-rds-eja.educacaosesi.com.br" }, "geo": {}, "geo_ipapicom": {}, "pulse_count": 2, "pulses": [ { "id": "69bf261cc4e399447d78776c", "name": "Cyber Bully Attackers | Revenge Attacks | Remote attackers | Malware Packed |", "description": "Several government entities, attorneys have sought porn revenge including physical violence, attempted crimes, malicious prosecution case , harassment when a female patient of man formerly known as Jeffrey Scott Reimer of Chester Springs, PA, violently, critically injured patient in a sexually charged assault [URL\thttp://foundry2-lbl.dvr.dn2.n-helix.com\t\t\t\nhttps://foundry2-lbl.dvr.dn2.n-helix.com\t\tfoundry2-lbl.dvr.dn2.n-helix.com\t\t\t\t\thttps://www.palantir.io/docs/foundry/ontologies/test-changes-in-ontology/\t\t\nhttp://datafoundry.com\t\t\t\nhttp://foundry2sdbl.dvr.dn2.n-helix.com\t\t\thttps://209-99-40-223.fwd.datafoundry.com\t\t\t\ndatafoundry.com", "modified": "2026-04-20T21:01:07.869000", "created": "2026-03-21T23:13:32.760000", "tags": [ "sc data", "data upload", "please sub", "include data", "extraction", "failed", "sc pulse", "idron anv", "extr please", "include review", "exclude sugges", "stop show", "typ domain", "united", "virtool", "name servers", "cryp", "emails", "win32", "ip address", "worm", "trojan", "learn", "suspicious", "informative", "ck id", "name tactics", "command", "adversaries", "spawns", "ssl certificate", "initial access", "link initial", "prefetch8", "mitre att", "ck matrix", "flag", "windows nt", "win64", "accept", "encrypt", "form", "hybrid", "bypass", "general", "path", "iframe", "click", "strings", "anchor https", "anchor", "liberal", "sabey", "liberal friends", "meta", "html internet", "html document", "unicode text", "utf8 text", "info initial", "access ta0001", "compromise", "t1189 network", "communication", "get http", "artifacts v", "full reports", "v get", "help dns", "resolutions", "ip traffic", "extr data", "enter sc", "extra data", "referen", "broth", "passive dns", "urls", "http", "hostname", "files domain", "files related", "related tags", "none google", "safe browsing", "inquest labs", "lucas acha", "code integrity", "checks creation", "otx logo", "all hostname", "files", "domain", "protect", "date", "title", "exchange", "se http", "present jan", "present feb", "present dec", "backdoor", "certificate", "all domain", "alibaba cloud", "hichina", "porkbun llc", "cloudflare", "namecheap inc", "namecheap", "domains", "dynadot llc", "ascio", "denmark", "url https", "filehashsha256", "url http", "dopple ai", "snit", "iocs", "otx description", "information", "report spam", "delete service", "poem", "hunter", "malicious", "porn revenge", "brian sabeys", "all report", "spam delete", "rl http", "https", "expiration http", "spam brian", "swipper", "type indicator", "role title", "added active", "related pulses", "filehashmd5", "filehashsha1", "sha256", "scan", "learn more", "indicators show", "tbmvid", "sourcelnms", "zx1724209326040", "xxx videos", "xxxvideohd", "adversary", "packing", "palantir.com", "discovery", "victim won case", "doin it", "palantirian abuse", "apple", "sabey data centers", "insurance", "quasi government", "the brother sabey", "reimer", "law enforcement", "vessel state", "sabey porn", "hall evans", "christopher ahmann", "defamation", "google" ], "references": [ "The Brothers Sabey \u2013 Conservatives with Liberal Friends \u2022 https://thebrotherssabey.com/", "http://watchhers.net/index.php", "http://212.33.237.86/images/1/report.php", "https://www.pornhub.com/gifs/search?search=tsara+lynn+brashears+lesbian", "https://webmail.police.govmm.org/owa/", "https://pks.wroclaw.sa.gov.pl:1443/ \u2022 portal.bialystok.sa.gov.pl", "https://tulach.cc/ phishing \u2022 45.32.112.220 scanning_host \u2022 45.76.79.215", "Mark Brian Sabey", "Melvin Sabey", "Christopher P \u2018Buzz\u2019 Ahmann", "Ronda Cordova", "Unknown Persons impersonating Private Investigators (plural)", "Quasi Government Case", "Victim silenced. Struck by Car Driven by male police let walk", "Denver Police let this attempted murder walk. Cited him as a ghost driver", "Make driver stuck victim with large vehicle after PT unknowingly reported original assault Jeffrey Reiner to Dora", "Sexual and Physical Assaulter - Jeffrey Scott Reimer", "Reimer was a PT. Unknown whereabouts , name or job description", "Denver Police Department Major Crimes closed investigation", "Investigation closed when Brian Sabey initiated a malicious prosecution case against Victim", "I bring up the personal nature of the crime because a delete service has been used", "More than 1000 IoC\u2019s including pulses have been ILLEGALLY removed", "All IoC\u2019s originate from sources named. There are some unknown attackers", "This is a serious crime. I\u2019m certain God WILL pay them.", "https://palantirwww.sweetheartvideo.com\t\t\tMar 21, 2026, 2:06:10 PM\t\t3\t domain\tpalantir.io\t\t\tMar 21, 2026, 2:06:10 PM\t\t34\t URL\thttps://www.palantir.io/docs/foundry/ontologies/test-changes-in-ontology/ \u2022 www.palantir.com", "http://palantirwww.sweetheartvideo.com/ (weirdness)", "http://foundry2-lbl.dvr.dn2.n-helix.com \u2022 https://foundry2-lbl.dvr.dn2.n-helix.com", "foundry2-lbl.dvr.dn2.n-helix.com\t\t\tMar 21, 2026, 2:06:10 PM\t\t29\t URL\thttps://www.palantir.io/docs/foundry/ontologies/test-changes-in-ontology/\t\t\tMar 21, 2026, 2:06:10 PM\t\t8\t URL\thttp://datafoundry.com\t\t\tMar 21, 2026, 2:06:10 PM\t\t9\t URL\thttp://foundry2sdbl.dvr.dn2.n-helix.com\t\t\tMar 21, 2026, 2:06:10 PM\t\t17\t URL\thttps://209-99-40-223.fwd.datafoundry.com\t\t\tMar 21, 2026, 2:06:10 PM\t\t27\t domain\tdatafoundry.com\t\t\tMar 21, 2026, 2:06:10 PM\t\t40\t hostname\t209-99-40-223.fwd.datafoundry.com\t\t\tMar 21, 2026, 2:06:1", "foundry2-lbl.dvr.dn2.n-helix.com\t\t\tMar 21, 2026, 2:06:10 PM\t\t29\t URL\thttps://www.palantir.io/docs/foundry/ontologies/test-changes-in-ontology/\t\t\tMar 21, 2026, 2:06:10 PM\t\t8\t URL\thttp://datafoundry.com\t\t\tMar 21, 2026, 2:06:10 PM\t\t9\t URL\thttp://foundry2sdbl.dvr.dn2.n-helix.com\t\t\tMar 21, 2026, 2:06:10 PM\t\t17\t URL\thttps://209-99-40-223.fwd.datafoundry.com\t\t\tMar 21, 2026, 2:06:10 PM\t\t27\t domain\tdatafoundry.com\t\t\tMar 21, 2026, 2:06:10 PM\t\t40\t hostname\t209-99-40-223.fwd.datafoundry.com\t\t\tMar 21, 2026, 2:06:1", "https://rdweb.datafoundry.com/RDWeb/Pages/en-US/login.aspx", "https://www.datafoundry.com/data-center-contamination-control/", "https://www.datafoundry.com/data-center-contamination-control/", "https://www.palantir.io/docs/foundry/ontologies/test-changes-in-ontology/", "http://foundry2-lbl.dvr.dn2.n-helix.com/", "https://207-207-25-201.fwd.datafoundry.com/", "http://datafoundry.com \u2022 http://foundry2sdbl.dvr.dn2.n-helix.com \u2022 https://209-99-40-223.fwd.datafoundry.com \u2022 datafoundry.com \u2022 209-99-40-223.fwd.datafoundry.com \u2022 beabetta.ifoundry.co.uk.s7b2.psmtp.com \u2022 foundry2sdbl.dvr.dn2.n-helix.com \u2022 fwd.datafoundry.com \u2022 207-207-25-154.fwd.datafoundry.com \u2022 207-207-25-156.fwd.datafoundry.com\t\t\t207-207-25-160.fwd.datafoundry.com \u2022 207-207-25-163.fwd.datafoundry.com \u2022\t207-207-25-164.fwd.datafoundry.com \u2022 207-207-25-165.fwd.datafoundry.com\t\t\tMar 21, 207-207-25-166.fwd", "http://datafoundry.com \u2022 https://209-99-40-223.fwd.datafoundry.com\tdatafoundry.com \u2022 209-99-40-223.fwd.datafoundry.com\t\t\tMar 21, 2026, 2:06:10 PM\t\t13\t hostname\tbeabetta.ifoundry.co.uk.s7b2.psmtp.com\t\t\tMar 21, 2026, 2:06:10 PM\t\t12\t hostname\tfoundry2sdbl.dvr.dn2.n-helix.com\t\t\tMar 21, 2026, 2:06:10 PM\t\t18\t hostname\tfwd.datafoundry.com\t\t\tMar 21, 2026, 2:06:10 PM\t\t8\t hostname\t207-207-25-154.fwd.datafoundry.com\t\t\tMar 21, 2026, 2:06:10 PM\t\t19\t hostname\t207-207-25-156.fwd.datafoundry.com\t\t\tMar 21, 2026, 2:06:1", "https://rdweb.datafoundry.com/", "https://www.palantir.io/docs/foundry/ontologies/test-changes-in-ontology/", "http://foundry2sdbl.dvr.dn2.n-helix.com/", "Updated | What\u2019s left after theft", "207-207-25-167.fwd.datafoundry.com \u2022 207-207-25-168.fwd.datafoundry.com \u2022 207-207-25-169.fwd.datafoundry.com", "207-207-25-170.fwd.datafoundry.com \u2022 207-207-25-171.fwd.datafoundry.com \u2022 207-207-25-201.fwd.datafoundry.com", "https://www.datafoundry.com/category/news/press-releases/ (Fake Press) abuse", "https://www.datafoundry.com/category/news/press-releases/", "207-207-25-209.fwd.datafoundry.com \u2022\t207-207-25-212.fwd.datafoundry.com \u2022 207-207-25-213.fwd.datafoundry.com \u2022 209-99-64-53.fwd.datafoundry.com", "209-99-69-91.fwd.datafoundry.com \u2022 dns1.datafoundry.com \u2022 dns2.datafoundry.com \u2022 rdweb.datafoundry.com", "www.go.datafoundry.com \u2022 http://207-207-25-209.fwd.datafoundry.com", "http://209-99-64-53.fwd.datafoundry.com \u2022 http://dns2.datafoundry.com \u2022 http://fwd.datafoundry.com", "http://pdns1.datafoundry.com/ \u2022\thttp://rdweb.datafoundry.com \u2022 http://rdweb.datafoundry.com/", "https://rdweb.datafoundry.com/ \u2022 http://www.datafoundry.com \u2022 https://207-207-25-163.fwd.datafoundry.com \u2022", "https://207-207-25-209.fwd.datafoundry.com \u2022 https://209-99-40-224.fwd.datafoundry.com/", "https://209-99-64-53.fwd.datafoundry.com \u2022 https://dns1.datafoundry.com \u2022 https://dns2.datafoundry.com \u2022 https://fwd.datafoundry.com", "Some may may find this content is very disturbing and offensive" ], "public": 1, "adversary": "", "targeted_countries": [], "malware_families": [ { "id": "Porn Revenge", "display_name": "Porn Revenge", "target": null }, { "id": "Tons of Malware", "display_name": "Tons of Malware", "target": null } ], "attack_ids": [ { "id": "T1041", "name": "Exfiltration Over C2 Channel", "display_name": "T1041 - Exfiltration Over C2 Channel" }, { "id": "T1057", "name": "Process Discovery", "display_name": "T1057 - Process Discovery" }, { "id": "T1071", "name": "Application Layer Protocol", "display_name": "T1071 - Application Layer Protocol" }, { "id": "T1105", "name": "Ingress Tool Transfer", "display_name": "T1105 - Ingress Tool Transfer" }, { "id": "T1132", "name": "Data Encoding", "display_name": "T1132 - Data Encoding" }, { "id": "T1140", "name": "Deobfuscate/Decode Files or Information", "display_name": "T1140 - Deobfuscate/Decode Files or Information" }, { "id": "T1189", "name": "Drive-by Compromise", "display_name": "T1189 - Drive-by Compromise" }, { "id": "T1553", "name": "Subvert Trust Controls", "display_name": "T1553 - Subvert Trust Controls" }, { "id": "T1566", "name": "Phishing", "display_name": "T1566 - Phishing" }, { "id": "T1568", "name": "Dynamic Resolution", "display_name": "T1568 - Dynamic Resolution" }, { "id": "T1583", "name": "Acquire Infrastructure", "display_name": "T1583 - Acquire Infrastructure" }, { "id": "T1583.001", "name": "Domains", "display_name": "T1583.001 - Domains" }, { "id": "T1553.002", "name": "Code Signing", "display_name": "T1553.002 - Code Signing" }, { "id": "T1132.001", "name": "Standard Encoding", "display_name": "T1132.001 - Standard Encoding" }, { "id": "T1071.001", "name": "Web Protocols", "display_name": "T1071.001 - Web Protocols" }, { "id": "T1568.002", "name": "Domain Generation Algorithms", "display_name": "T1568.002 - Domain Generation Algorithms" }, { "id": "T1071.004", "name": "DNS", "display_name": "T1071.004 - DNS" }, { "id": "T1113", "name": "Screen Capture", "display_name": "T1113 - Screen Capture" }, { "id": "T1027", "name": "Obfuscated Files or Information", "display_name": "T1027 - Obfuscated Files or Information" }, { "id": "T1036", "name": "Masquerading", "display_name": "T1036 - Masquerading" }, { "id": "T1045", "name": "Software Packing", "display_name": "T1045 - Software Packing" }, { "id": "T1055", "name": "Process Injection", "display_name": "T1055 - Process Injection" }, { "id": "T1059", "name": "Command and Scripting Interpreter", "display_name": "T1059 - Command and Scripting Interpreter" }, { "id": "T1060", "name": "Registry Run Keys / Startup Folder", "display_name": "T1060 - Registry Run Keys / Startup Folder" }, { "id": "T1070", "name": "Indicator Removal on Host", "display_name": "T1070 - Indicator Removal on Host" }, { "id": "T1082", "name": "System Information Discovery", "display_name": "T1082 - System Information Discovery" }, { "id": "T1083", "name": "File and Directory Discovery", "display_name": "T1083 - File and Directory Discovery" }, { "id": "T1106", "name": "Native API", "display_name": "T1106 - Native API" }, { "id": "T1125", "name": "Video Capture", "display_name": "T1125 - Video Capture" }, { "id": "T1129", "name": "Shared Modules", "display_name": "T1129 - Shared Modules" }, { "id": "T1143", "name": "Hidden Window", "display_name": "T1143 - Hidden Window" }, { "id": "T1176", "name": "Browser Extensions", "display_name": "T1176 - Browser Extensions" }, { "id": "T1449", "name": "Exploit SS7 to Redirect Phone Calls/SMS", "display_name": "T1449 - Exploit SS7 to Redirect Phone Calls/SMS" }, { "id": "T1495", "name": "Firmware Corruption", "display_name": "T1495 - Firmware Corruption" }, { "id": "T1546", "name": "Event Triggered Execution", "display_name": "T1546 - Event Triggered Execution" }, { "id": "T1587.001", "name": "Malware", "display_name": "T1587.001 - Malware" }, { "id": "T1608.001", "name": "Upload Malware", "display_name": "T1608.001 - Upload Malware" }, { "id": "T1457", "name": "Malicious Media Content", "display_name": "T1457 - Malicious Media Content" }, { "id": "T1586.001", "name": "Social Media Accounts", "display_name": "T1586.001 - Social Media Accounts" }, { "id": "T1593.001", "name": "Social Media", "display_name": "T1593.001 - Social Media" }, { "id": "T1068", "name": "Exploitation for Privilege Escalation", "display_name": "T1068 - Exploitation for Privilege Escalation" }, { "id": "T1080", "name": "Taint Shared Content", "display_name": "T1080 - Taint Shared Content" }, { "id": "T1190", "name": "Exploit Public-Facing Application", "display_name": "T1190 - Exploit Public-Facing Application" }, { "id": "T1472", "name": "Generate Fraudulent Advertising Revenue", "display_name": "T1472 - Generate Fraudulent Advertising Revenue" }, { "id": "T1586", "name": "Compromise Accounts", "display_name": "T1586 - Compromise Accounts" }, { "id": "T1059.002", "name": "AppleScript", "display_name": "T1059.002 - AppleScript" }, { "id": "T1456", "name": "Drive-by Compromise", "display_name": "T1456 - Drive-by Compromise" }, { "id": "T1210", "name": "Exploitation of Remote Services", "display_name": "T1210 - Exploitation of Remote Services" }, { "id": "T1583.005", "name": "Botnet", "display_name": "T1583.005 - Botnet" }, { "id": "T1584", "name": "Compromise Infrastructure", "display_name": "T1584 - Compromise Infrastructure" } ], "industries": [], "TLP": "white", "cloned_from": null, "export_count": 6, "upvotes_count": 0, "downvotes_count": 0, "votes_count": 0, "locked": false, "pulse_source": "web", "validator_count": 0, "comment_count": 0, "follower_count": 0, "vote": 0, "author": { "username": "Q.Vashti", "id": "337942", "avatar_url": "https://otx.alienvault.com/assets/images/default-avatar.png", "is_subscribed": false, "is_following": false }, "indicator_type_counts": { "URL": 6034, "domain": 1422, "FileHash-MD5": 274, "FileHash-SHA1": 252, "FileHash-SHA256": 3378, "email": 11, "hostname": 2753, "CVE": 1, "SSLCertFingerprint": 9 }, "indicator_count": 14134, "is_author": false, "is_subscribing": null, "subscriber_count": 145, "modified_text": "42 days ago ", "is_modified": true, "groups": [], "in_group": false, "threat_hunter_scannable": true, "threat_hunter_has_agents": 1, "related_indicator_type": "URL", "related_indicator_is_active": 1 }, { "id": "697488f095f69d392afd00fb", "name": "Fidelity Investments \u2022\u2019 EternalRocks | Financial Crimes", "description": "Fidelity Life and Guarantee defaults to Fidelity Investments. Long standing issue. Possible phishing email interception. Multiple accounts stolen at the time a man who presents himself as M. Brian Sabey Esq. Elder/Estate attorney unable to\nsettle life claim more action was requested. Attorney repeatedly redirected to an investment team. We decided to use targets phone to\ntest results , payout is overdue. Illegal tactics were used to defraud victim/s.. Fraud operators ask for SSN and later state they cannot help. L of Fraud phone , \u2018team\u2019 cannot complete internal phone transfers.,can conference you in to other people who act confused , disheveled who also\nask for SSN. \n\nSince victims experiences less\nthan covert interactions, I\u2019m unclear as to why there is a strong FBI, CIA , Palantir Foundry presence. It\u2019s rattling . \nReiterating : Entity steals financial products, health , life insurance policies, investment accounts, credit card frauds , bank accounts,intellectual property anything of value.", "modified": "2026-02-23T07:04:04.285000", "created": "2026-01-24T08:55:12.845000", "tags": [ "learn", "command", "ck id", "name tactics", "suspicious", "informative", "spawns", "ck techniques", "evasion att", "t1480 execution", "href", "ascii text", "pattern match", "mitre att", "null", "refresh", "span", "hybrid", "general", "local", "path", "form", "click", "strings", "error", "tools", "look", "verify", "restart", "active related", "url https", "related pulses", "url http", "united", "czechia", "hong kong", "ipv4", "indicators hong", "kong", "south korea", "netherlands", "germany", "ireland", "denmark", "sweden", "active", "government", "finance", "security", "type indicator", "yara detections", "av detections", "ids detections", "alerts", "analysis date", "mcsf", "microsoft", "yara", "insurance", "fidelity investments", "description", "fidelity international", "ms windows", "pe32", "writeconsolew", "read c", "pe32 executable", "t1045", "susp", "write", "win64", "malware", "modified", "ck ids", "t1040", "sniffing", "packing", "t1112", "packing t1045", "icmp traffic", "memcommit", "pe section", "low software", "pe resource", "win32", "trojan", "april", "sara ligorria", "tramp advert", "black paper", "createdate", "subject laser", "title laser", "format", "types of", "japan", "regsetvalueexa", "regdword", "regbinary", "module download", "tls handshake", "high", "defense evasion", "discovery att", "adversaries", "title", "role", "flag", "name server", "server", "domain address", "markmonitor", "clicktale ltd", "enom", "whoisguard", "medium", "unicode", "rgba", "delete", "crlf line", "next", "dock", "execution", "date", "users", "tls sni", "total", "cnc domain", "search", "oamazon", "cnamazon rsa", "push", "failure yara", "contacted", "hours ago", "created", "cia", "fbi", "telegram", "tulach", "sabey", "state", "gov", "ahmann", "financial fraud", "t-mobile", "walmartmobile", "life insurance", "fidelity life", "guarantee", "team", "role title", "added active", "scan", "iocs", "learn more", "filehashsha1", "filehashmd5", "kw3recepten", "domainname0", "searchbox0", "kw1brinta", "kw2muesli", "indicator role", "title added", "pulses url", "cve cve20170147", "apple", "apple id" ], "references": [ "https://www.fidelity.com/branches/investor-center-denver-west-s-teller-colorado-80226", "https://www.fidelity.com/ www.fidelity.com https://www.fidelity.com/ \u2022 www.fidelity.com", "http://neurosky.jp/ \u2022 https://tulach.cc/ \u2022 blackrock.com \u2022 vanguard-account.com", "https://bhive.nectar.social/rKvoMY", "MC nosnoop.exe: a44812b44591121f3e711223db099043d4d72288e4f436dba2fb935b6d888d40.exe", "ETERNALROCKS Detections: Win32:EternalRocks-B\\ [Trj] , Win.Trojan.EternalRocks1-6319293-0 ,", "TrojanDownloader:Win32/Eterock.A IDS Detections Possible ETERNALROCKS .Net161", "Module Download TLS Handshake Failure Yara Detections SUSP_NET_NAME_ConfuserEx , EternalRocks_svchost , EternalRocks_UpdateInstaller , ProtectSharewareV11eCompservCMS Alerts dead_host network_icmp nolookup_communication modifies_proxy_wpad network_http protection_rx antivm_network_adapters pe_unknown_resource_name raises_exception IP\u2019s Contacted 152.199.4.184 208.111.179.129 3.131.2.", "EternalRocks_svchost , EternalRocks_UpdateInstaller , ProtectSharewareV11eCompservCMS", "Alerts dead_host network_icmp nolookup_communication modifies_proxy_wpad", "Alerts: networki_http protectionk_rx antivm_network_adapters pe_unknown_resource_name", "Alerts: raises_exception IP\u2019s Contacted: 152.199.4.184 208.111.179.129 3.131.2.", "Domains Contacted api.nuget.org", "MC nosnoop.exe: a44812b44591121f3e711223db099043d4d72288e4f436dba2fb935b6d888d40.exe", "https://cdn-cms-s-8-4.f-static.net/files/icons/socialNetworksBrands/telegram", "https://cdn-cms-s-8-4.f-static.net/files/icons/socialNetworksBrands/telegram-icon.png", "https://cdn-cms-s.f-static.net/files/icons/socialNetworksBrands/telegram-icon.png?v=r82934", "https://www.anyxxxtube.net/search-porn/tsara-brashears/", "https://www.fidelity.com/ https://www.fidelity.com/", "cia.gov FileHash-SHA256 3b55307785bdd903bc9183642bdfd8b5a8ee15b90a05b25acbcd477432d26d99", "cia.gov FileHash-SHA256 f0a2d463a40c5b02e4bf61fdd76892b8ed5a1dd7d4a305849e4ff8fba00735bf", "https://www.anyxxxtube.net/search-porn/tsara-brashears/", "http://www.anyxxxtube.net/search-porn/tsara-brashears-denies-jeffrey-scott-reimer-sex", "http://www.anyxxxtube.net/search-porn/tsara-brashears/ hallrender.com/attorney/brian-sabey hallrender.com/attorney/b-sabey Christopher Ahmann https://hallrender.com/attorney/brian-sabey/anyxxxtube.net/search-porn/tsara-brashears https://www.anyxxxtube.net/search-porn/a-m-c-ate-xxx-videos/ pornokind.vgt.pl https://www.anyxxxtube.net/search-porn/ https://hallrender.com/attorney/brian-sabey/anyxxxtube.net/search-porn/tsara-brashears fidelity-account.com MC nosnoop.exe: a44812b44591121f3e711223db099043d4d72288e", "http://www.anyxxxtube.net/search-porn/tsara-brashears/", "hallrender.com/attorney/brian-sabey hallrender.com/attorney/b-sabey Christopher Ahmann", "https://www.anyxxxtube.net/search-porn/a-m-c-ate-xxx-videos/ pornokind.vgt.pl. vgt.pl", "https://www.anyxxxtube.net/search-porn/", "https://hallrender.com/attorney/brian-sabey/anyxxxtube.net/search-porn/tsara-brashears", "fidelity-account.com e http://fidelity-account.com/fidelity/code.html", "MC nosnoop.exe: a44812b44591121f3e711223db099043d4d72288e4f436dba2fb935b6d888d40.ex", "http://shared-work.com/fidelity2/login.html \u2022 https://fidelity-account.com/fidelity/otp.html", "https://booking.nmc.ae/en-ae/doctor/physician/abu-dhabi/sreehari-karunakaran-pillai :", "https://www.fidelity-account.com/ https://www.fidelity-account.com/ \u2022 http://fidelity-account.com/cgi-sys https://fidelity-account.com/fidelity/login.html \u2022 https://www.fidelity.com/ https://www.fidelity.com/branches/investor-center-denver-west-s-teller-colorado-80226 https://www.fidelity.com/ \u2022 www.fidelity.com https://bhive.nectar.social/rKvoMY https://booking.nmc.ae/en-ae/doctor/physician/abu-dhabi/sreehari-karunakaran-pillai :", "http://www.fidelity-account.com/ https://fidelity-account.com/fidelity/code.html \u2022", "\"CIA\" most commonly refers to the Central Intelligence Agency, a premier U.S. government agency responsible for gathering and analyzing foreign intelligence.", "https://booking.nmc.ae/en-ae/doctor/physician/abu-dhabi/sreehari-karunakaran-pillai:", "https://bhive.nectar.social/rKvoMY", "apple.com \u2022 appleid.apple.com-elasticbeanstalk.ttfcuupdateaccount-loginpage.works.co", "http://appleid.app", "https://bounceme.netakamaipofcassandrvodd-krdddddddddddgaliapplepaysupplieseway.devrvodio-kr.zomato.tw\t d" ], "public": 1, "adversary": "", "targeted_countries": [], "malware_families": [ { "id": "Win64:Trojan-gen", "display_name": "Win64:Trojan-gen", "target": null }, { "id": "Trojan:MSIL/Ursu.KP", "display_name": "Trojan:MSIL/Ursu.KP", "target": "/malware/Trojan:MSIL/Ursu.KP" }, { "id": "ALF:HeraklezEval:Trojan:Win32/Eqtonex.F", "display_name": "ALF:HeraklezEval:Trojan:Win32/Eqtonex.F", "target": null }, { "id": "Trojan:PDF/Phish.RR!MTB", "display_name": "Trojan:PDF/Phish.RR!MTB", "target": "/malware/Trojan:PDF/Phish.RR!MTB" }, { "id": "Win32:TrojanX-gen\\ [Trj]", "display_name": "Win32:TrojanX-gen\\ [Trj]", "target": null }, { "id": ": ALF:Trojan:MSIL/Azorult.AC!", "display_name": ": ALF:Trojan:MSIL/Azorult.AC!", "target": null }, { "id": "ALF:Trojan:Win32/CryptWrapper.RT!MTB", "display_name": "ALF:Trojan:Win32/CryptWrapper.RT!MTB", "target": null }, { "id": "Trojan:Win32/Conbea!rfn", "display_name": "Trojan:Win32/Conbea!rfn", "target": "/malware/Trojan:Win32/Conbea!rfn" }, { "id": "Trojan:Win32/Ausiv!rfn", "display_name": "Trojan:Win32/Ausiv!rfn", "target": "/malware/Trojan:Win32/Ausiv!rfn" }, { "id": "ALF:HeraklezEval:Trojan:MSIL/Gravityrat", "display_name": "ALF:HeraklezEval:Trojan:MSIL/Gravityrat", "target": null }, { "id": "Trojan:BAT/Musecador", "display_name": "Trojan:BAT/Musecador", "target": "/malware/Trojan:BAT/Musecador" }, { "id": "TrojanDropper:Win32/Qhost", "display_name": "TrojanDropper:Win32/Qhost", "target": "/malware/TrojanDropper:Win32/Qhost" }, { "id": "Trojan:Win32/Miner.KA!MTB", "display_name": "Trojan:Win32/Miner.KA!MTB", "target": "/malware/Trojan:Win32/Miner.KA!MTB" }, { "id": "DNSTrojan", "display_name": "DNSTrojan", "target": null }, { "id": "EternalRocks", "display_name": "EternalRocks", "target": null }, { "id": "Tofsee", "display_name": "Tofsee", "target": null } ], "attack_ids": [ { "id": "T1057", "name": "Process Discovery", "display_name": "T1057 - Process Discovery" }, { "id": "T1069", "name": "Permission Groups Discovery", "display_name": "T1069 - Permission Groups Discovery" }, { "id": "T1071", "name": "Application Layer Protocol", "display_name": "T1071 - Application Layer Protocol" }, { "id": "T1105", "name": "Ingress Tool Transfer", "display_name": "T1105 - Ingress Tool Transfer" }, { "id": "T1480", "name": "Execution Guardrails", "display_name": "T1480 - Execution Guardrails" }, { "id": "T1113", "name": "Screen Capture", "display_name": "T1113 - Screen Capture" }, { "id": "T1045", "name": "Software Packing", "display_name": "T1045 - Software Packing" }, { "id": "T1129", "name": "Shared Modules", "display_name": "T1129 - Shared Modules" }, { "id": "T1040", "name": "Network Sniffing", "display_name": "T1040 - Network Sniffing" }, { "id": "T1112", "name": "Modify Registry", "display_name": "T1112 - Modify Registry" }, { "id": "T1069.002", "name": "Domain Groups", "display_name": "T1069.002 - Domain Groups" }, { "id": "T1071.001", "name": "Web Protocols", "display_name": "T1071.001 - Web Protocols" }, { "id": "T1071.004", "name": "DNS", "display_name": "T1071.004 - DNS" }, { "id": "T1071.002", "name": "File Transfer Protocols", "display_name": "T1071.002 - File Transfer Protocols" }, { "id": "T1036.004", "name": "Masquerade Task or Service", "display_name": "T1036.004 - Masquerade Task or Service" }, { "id": "T1053", "name": "Scheduled Task/Job", "display_name": "T1053 - Scheduled Task/Job" }, { "id": "T1055", "name": "Process Injection", "display_name": "T1055 - Process Injection" }, { "id": "T1082", "name": "System Information Discovery", "display_name": "T1082 - System Information Discovery" }, { "id": "T1119", "name": "Automated Collection", "display_name": "T1119 - Automated Collection" }, { "id": "T1143", "name": "Hidden Window", "display_name": "T1143 - Hidden Window" }, { "id": "T1140", "name": "Deobfuscate/Decode Files or Information", "display_name": "T1140 - Deobfuscate/Decode Files or Information" }, { "id": "T1583.005", "name": "Botnet", "display_name": "T1583.005 - Botnet" }, { "id": "T1457", "name": "Malicious Media Content", "display_name": "T1457 - Malicious Media Content" } ], "industries": [ "Government", "Finance", "Insurance" ], "TLP": "green", "cloned_from": null, "export_count": 5, "upvotes_count": 0, "downvotes_count": 0, "votes_count": 0, "locked": false, "pulse_source": "web", "validator_count": 0, "comment_count": 0, "follower_count": 0, "vote": 0, "author": { "username": "Q.Vashti", "id": "337942", "avatar_url": "https://otx.alienvault.com/assets/images/default-avatar.png", "is_subscribed": false, "is_following": false }, "indicator_type_counts": { "hostname": 2793, "URL": 6639, "FileHash-SHA256": 2462, "domain": 1070, "FileHash-MD5": 307, "FileHash-SHA1": 186, "SSLCertFingerprint": 1, "email": 1, "CVE": 3 }, "indicator_count": 13462, "is_author": false, "is_subscribing": null, "subscriber_count": 143, "modified_text": "98 days ago ", "is_modified": true, "groups": [], "in_group": false, "threat_hunter_scannable": true, "threat_hunter_has_agents": 1, "related_indicator_type": "URL", "related_indicator_is_active": 1 } ], "error": null, "vt": { "error": "VirusTotal rate limit reached. Try again shortly.", "indicator": "https://dev-rds-eja.educacaosesi.com.br", "type": "URL" }, "abuseipdb": null, "urlhaus": { "indicator": "https://dev-rds-eja.educacaosesi.com.br", "type": "URL", "found": false, "verdict": "clean", "error": null }, "from_cache": true, "_cached_at": 1780381097.6886728 }