{ "type": "URL", "indicator": "https://docs.lingvanex.com", "general": { "sections": [ "general", "url_list", "http_scans", "screenshot" ], "indicator": "https://docs.lingvanex.com", "type": "url", "type_title": "URL", "validation": [], "base_indicator": { "id": 3923375954, "indicator": "https://docs.lingvanex.com", "type": "URL", "title": "", "description": "", "content": "", "access_type": "public", "access_reason": "" }, "pulse_info": { "count": 3, "pulses": [ { "id": "66d490668683aec2631cfa20", "name": "Jeffrey Reimer DPT Tsara Brashears Court Records | Trellis.Law", "description": "Phishing expedition: Malicious bait. Threat actor/s attempting to hack whoever can see and clicks on link. The URl is parked, is malicious, attempts infiltrate device.", "modified": "2024-11-05T00:02:43.336000", "created": "2024-09-01T16:03:50.411000", "tags": [ "reimer-jeffrey-v-brashears-tsara", "2017cv030026 suppressed", "case 2017cv030026 suppressed", "docket", "legal case", "legal", "litigation", "court cases", "state court docket", "robert r", "lung", "county", "case", "money", "ben l", "leutwyler iii", "reimer", "brashears", "douglas county", "tips", "district", "date", "judge", "shane", "bank", "contact", "service", "brashears accepts", "jeffrey scott", "reimer dpt", "reimer paid", "sa victim", "settlement", "reimer-jeffrey-paid-tsara-brahears-settlement", "reimer-jeffrey-claim-dismissed", "brashears-tsara-claims-upheld", "reverse dns", "general full", "protocol h2", "security tls", "resource", "united", "hash", "name value", "security", "main", "facebook", "brashears-tsara-v-reimer-jeffrey", "so false", "as134548 dxtl", "kwan o", "hong kong", "passive dns", "scan endpoints", "all scoreblue", "ipv4", "export graph", "historical ssl", "referrer", "gameprofitshack", "webstudio", "smartdata", "alloymedia", "industries", "theakkas", "korplug", "default", "module load", "t1129", "show", "search", "regbinary", "malware beacon", "upatre", "suspicious", "trojan", "copy", "dock", "downloader", "loader", "write", "malware", "av detections", "ids detections", "yara detections", "alerts", "related pulses", "dashboard", "browse scan", "endpoints all", "showing", "p2p zeus", "september", "popper", "cookies", "x function", "hsp boolean", "oribili boolean", "hstcran", "hsusertoken", "domainpath name", "ns nxdomain", "parked", "tsara won", "brashears prevails", "reimer dismissal", "dangerous data collection", "get device", "parked uri" ], "references": [ "Scam Aggregators: https://trellis.law/case/8035/2017cv030026-suppressed/reimer-jeffrey-v-brashears-tsara [parked here: ctjsz.com]", "http://www.qq664.com/seximanhua/22128.html [looks legit to me]", "sex2e.com | http://qq664.com/seximanhua/22128.html [trellis.law]", "https://prnbae.com/191693/at-37-ellie-discovers-the-unique-sensations-of-double-vaginal-sex/ [trellis.law]", "http://www.philippinesredcat.com/girls-for-sex-in-manila/ [trellis.law]", "http://us.1.powerfront.com/thehealthylivingshow/scripts/redir.asp?link=https://www.sexbestgals.info/cougar-porn/ [trellis.law]", "https://help.competitionsuite.com/article/76-using-the-judge-app-tablets", "https://www.paidhmars.com/", "https://urlscan.io/result/e4ed8a1d-1b23-46cd-a237-a2ad4e974fc3/content/", "False: This case was filed in Douglas County Superior Courts with Jeffrey K Holmes presiding. | Who is he?", "False: Never served. Had several PI's and background checks", "Jeffrey Scott Reimer DPT was allegedly arrested 02/14/2022 | Very unreliable self proclaimed PI's (multiple)", "Brian Sabey begged victim to accept tiny settlement. Contingency, 'Brashears may use settlement to find hacker.'", "Judge Shay Whittaker dismissed Reimers 'malicious' prosecution claom", "Reimers case V Brashears in 2017 after Denver Police Major Crimes located Reimer", "Brashears documented on corr record she wanted to proceed with case", "Brian Sabey Speaking for Jeffrey Scott Reimer DPT refused further court proceedings", "Brian Sabey offered Brashears a settlement. Begged her to accept it.", "Case: Defamation of character based on truthful reviews left on HealthGrades.", "A series of reviews detailing Jeffrey Reimer DPT egregious behavior proved not left by Brashears except 2 with comments -4", "Brashears Review: 'He would benefit from more training' [Very considerate considering the complimentary spinal cord injuries 'plural']", "Health Grades erased 20+ positive reviews that originated from Reimers email address.", "Most of not all positive Jeffrey Reimer DPT reviews are false. Reimer wasn't practicing when 'amazing' trat,ent alleged", "Brian Sabey. Esq filed motion to dismiss after judge dismissed Reimers meritlesscase", "Brian Sabey would be most foolish after it was determined Brashears was 100% disabled. This was cause by Jeffrey Scott Reimer DPT", "Brashears would gladly go to court as stated in court documents to then judge who wished to be briefed by Brashears. Thwarted by Sabey.", "Brian Sabey wanted to appear to win. Sandy demanded Brashears remove every patients negative review about Jeffrey Reimer DPT", "Brian Sabey had cashiers check delivered to Brashears in person.", "Victim is willing to have her attorney post entire court proceedings online , on YouTube and more", "There is NO other physical therapist with as many reviews as Jeffrey Reimer DPT, even non offenders. Reimers clientele is largely non-english speaking.", "Reimer often criticized non English speakers, large women and short Hispanic men according to witness.", "He also spoke frequently about Brashears infamously 'real' large bosom and figure. He decided to touch, grab, grope, assault,injure, beg for more", "Jeffrey Scott Reimer PT , DPT. assaulters defense: 'I had to be of the top/front of Brashears, She consented!'", "False: Brashears didn't expect this coming. Jeffrey Reimer DPT suddenly jumped on top of Brashears and tried to start a family. He didn't ask.", "Unless tampered with, court records will show Brashears dropped as a patient to be told she'd face legal consequences if she did.", "Survivor was told an investigation would begin, she'd be safe among other careless things her MD advised", "Brashears would LOVE for the true court proceedings to be read. She feels they were hacked away. DougCo was unable to 'print' records 'glitch'", "Did I mention she prevailed, won, got a check? Tsara Lynn Brashears survivor; won her counter claim. Weak Reimer claim burned like a dying moth.", "Trellis: 3.223.115.185 In cloud provider range: provider=AWS\t IPv4 34.240.160.162 In cloud provider range: provider=AWS", "Trellis: http://blockpage.bt.com/pcstaticpage/blocked.html?list=BT | https://search.app.goo.gl/?ofl", "Trellis: www.youtube.com/watch?v=GyuMozsVyYs \t\u00bb Survivors video references assault. Does not name or depict Reimers likeness.", "Trellis: Hostname blockpage.bt.com | hdredirect-lb7-5a03e1c2772e1c9c.elb.us-east-1.amazonaws.com | itunes.apple.com | search.app.goo.gl | www.youtube.com", "Trellis: https://itunes.apple.com/app/apple-store/id284815942/us/app/samsung-galaxy-watch-gear-s/id1117310635", "IDS Detections: Downloader (P2P Zeus dropper UA) Common Upatre Header Structure 2 Upatre Retrieving encoded payload (Common Header Struct)", "IDS Detections: Suspicious User-Agent containing Loader Observed TLS Handshake Failure", "Trellis: High Priority Alerts: network_icmp modifies_proxy_wpad packer_polymorphic", "Trellis:TrojanDownloader:Win32/Upatre.A | Yara Detections Upack_all_versions", "Trellis: secure04-appleid.com | http://secure04-appleid.com | cpcalendars.secure04-appleid.com" ], "public": 1, "adversary": "Parking Crew", "targeted_countries": [ "United States of America" ], "malware_families": [ { "id": "Trojan:Win32/Zbot.SIBG3!MTB", "display_name": "Trojan:Win32/Zbot.SIBG3!MTB", "target": "/malware/Trojan:Win32/Zbot.SIBG3!MTB" }, { "id": "TrojanDownloader:Win32/Upatre.A", "display_name": "TrojanDownloader:Win32/Upatre.A", "target": "/malware/TrojanDownloader:Win32/Upatre.A" }, { "id": "P2P ZeuS - S0016", "display_name": "P2P ZeuS - S0016", "target": null } ], "attack_ids": [ { "id": "T1040", "name": "Network Sniffing", "display_name": "T1040 - Network Sniffing" }, { "id": "T1045", "name": "Software Packing", "display_name": "T1045 - Software Packing" }, { "id": "T1060", "name": "Registry Run Keys / Startup Folder", "display_name": "T1060 - Registry Run Keys / Startup Folder" }, { "id": "T1129", "name": "Shared Modules", "display_name": "T1129 - Shared Modules" }, { "id": "T1143", "name": "Hidden Window", "display_name": "T1143 - Hidden Window" }, { "id": "T1598", "name": "Phishing for Information", "display_name": "T1598 - Phishing for Information" }, { "id": "T1031", "name": "Modify Existing Service", "display_name": "T1031 - Modify Existing Service" }, { "id": "T1023", "name": "Shortcut Modification", "display_name": "T1023 - Shortcut Modification" }, { "id": "T1399", "name": "Modify Trusted Execution Environment", "display_name": "T1399 - Modify Trusted Execution Environment" }, { "id": "T1155", "name": "AppleScript", "display_name": "T1155 - AppleScript" } ], "industries": [ "Research", "Telecommunications", "Technology", "Civilians" ], "TLP": "green", "cloned_from": null, "export_count": 14, "upvotes_count": 0, "downvotes_count": 0, "votes_count": 0, "locked": false, "pulse_source": "web", "validator_count": 0, "comment_count": 1, "follower_count": 0, "vote": 0, "author": { "username": "scoreblue", "id": "254100", "avatar_url": "/otxapi/users/avatar_image/media/avatars/user_254100/resized/80/avatar_3b9c358f36.png", "is_subscribed": false, "is_following": false }, "indicator_type_counts": { "FileHash-MD5": 269, "FileHash-SHA1": 266, "FileHash-SHA256": 981, "domain": 480, "hostname": 684, "email": 1, "URL": 2102 }, "indicator_count": 4783, "is_author": false, "is_subscribing": null, "subscriber_count": 224, "modified_text": "530 days ago ", "is_modified": true, "groups": [], "in_group": false, "threat_hunter_scannable": true, "threat_hunter_has_agents": 1, "related_indicator_type": "URL", "related_indicator_is_active": 1 }, { "id": "669e42fea462f0c8f8db32a1", "name": "Worm:Win32/Ganelp.A - Malicious IP: 148.163.152.21", "description": "Malicious IP found in disastrous attack against a mid level media marketing firm that the healthcare, travel, corporate event industry. \nEmployee phones are 'zombies' some laptops likely impacted by the Crowd Strike issue, (blue screen). Excessive tracking, monitoring, active botnets, power outage, and more. Research of IP and other IoC's found. Unfortunately, many of the clients are also sucked into issue. It appears that the issue has persisted for several years. The outage just made us work every angle. The attack goes beyond the CS 'update' outage, as the seemingly well cyber manged firm was under a very targeted, ongoing cyber attack that has kept company from rebounding. Red Team behavior seen.", "modified": "2024-08-21T11:03:59.106000", "created": "2024-07-22T11:31:10.391000", "tags": [ "historical ssl", "referrer", "fancy bear", "scan endpoints", "all search", "otx scoreblue", "ipv4", "pulse submit", "url analysis", "passive dns", "urls", "files", "reverse dns", "open", "status", "name servers", "creation date", "search", "proofpoint", "expiration date", "div div", "date", "accept", "next", "united", "cname", "asnone united", "a nxdomain", "domain", "united kingdom", "servers", "showing", "nxdomain", "dname", "whitelisted", "aaaa", "script urls", "costa rica", "script domains", "msie", "chrome", "unknown", "body", "gmt content", "all scoreblue", "pulse pulses", "entries", "as8987 amazon", "as20940", "hostname", "gartner", "crowdstrike", "business value", "magic quadrant", "customer", "realized", "assessment", "economic impact", "complete", "february", "utc na", "ver2", "msclkidn", "html info", "meta tags", "mobileoptimized", "adobe dynamic", "tag management", "utc bing", "cobalt strike", "communications", "android device", "neutral", "win32 exe", "pe32", "ms windows", "win16 ne", "os2 executable", "generic windos", "executable", "dos executable", "generic", "sections", "rticon neutral", "ico rtgroupicon", "xml rtmanifest", "overlay", "threat roundup", "pandas", "attacks against", "southeast", "wannacry kill", "switch dns", "query", "high level", "hackers", "unknown win", "core", "ascii text", "sha256", "sha1", "size", "pattern match", "suricata stream", "command decode", "utf8 text", "mitre att", "path", "hybrid", "starfield", "meta", "general", "target", "local", "click", "strings", "trident", "legacy", "main", "contact", "flow t1574", "dll sideloading", "create", "modify system", "process t1543", "windows service", "t1055 system", "pe file", "t1497 query", "may sleep", "allocate rwx", "get file", "access", "windows event", "allocate", "link function", "windows link", "contains pdb", "dns resolutions", "ip traffic", "pattern domains", "memory pattern", "urls tcp", "hashes", "user", "file system", "written c", "samplepath", "files dropped", "userprofile", "registry keys", "registry", "set registrya", "conhost", "comspec", "created", "temp", "windows", "displayname", "process", "commands", "signals mutexes", "mutexes", "full name", "data", "v3 serial", "number", "cus cndigicert", "tls rsa", "ca1 odigicert", "inc validity", "subject public", "certificate", "whois lookup", "netrange", "nethandle", "net148", "net1480000", "as16509", "as22843", "as13916", "form", "server", "registrar abuse", "email", "request email", "verisign", "icann whois", "tech", "first", "project skynet", "cyber army", "dynamicloader", "high", "delete c", "show", "username", "medium", "default", "yara detections", "worm", "copy", "write", "duptwux", "malware", "x82xd4", "kx81xdbx0f", "x86xd3", "xa1xf1", "xe8xc2x14", "wx99xcdx11", "regsetvalueexa", "regbinary", "xe8xc6x13", "hx88x9ax1e", "stream", "win32", "persistence", "execution", "av detections", "ids detections", "alerts", "analysis date", "file score", "ftp username", "contacted", "et tor", "known tor", "misc attack", "relayrouter", "exit", "node traffic", "severity", "null", "refresh", "span", "error", "tools", "look", "verify", "restart", "robtex", "apple ios", "apple", "domains", "co number", "virtual mobile", "logistics", "cyber defense", "twitter", "read c", "artemis", "intel", "steals", "virustotal", "python", "panda", "falcon sandbox", "analysis", "hybrid analysis", "submission name", "av detection", "multi scan", "highest", "ability", "execute", "upgrade", "intelligence", "learn", "reports", "logo analysis", "size17kib type", "command", "found", "layer protocol", "osi application", "ip address", "t1105 ingress", "tool transfer", "problems", "threat network", "infrastructure", "domains part", "domain tracker", "roundup", "new problems", "startpage", "e1203 windows", "catalog tree", "analysis ob0001", "b0001 process", "b0003 delayed", "analysis ob0002", "evasion ob0006", "ob0007 system", "e1082 file", "e1083 impact", "data manipulation", "remote system", "discovery", "t1059 accept", "modules t1129", "enumerate", "as2914 ntt", "access denied", "as16625 akamai", "germany unknown", "csccorpdomains", "as31109", "invalid url", "mirai", "port", "destination", "bad login", "suspicious path", "nids", "tcp syn", "root account", "cve20185723", "as8068", "please", "x msedge", "embeddedwb", "windows nt", "tofsee", "push", "as54113", "as396982 google", "as31898 oracle", "moved", "encrypt" ], "references": [ "148.163.152.21 AS 22843 (PROOFPOINT-ASN-US-EAST) US | www.robtex.com | www.spf-record.com |", "Crowdsourced Sigma Rules: Suspicious New Service Creation by Nasreddine Bencherchali (Nextron Systems)", "Crowdsourced Sigma Rules: Matches rule Suspicious Svchost Process by Florian Roth (Nextron Systems)", "Crowdsourced Sigma Rules: Matches rule Suspect Svchost Activity by David Burkett, @signalblur", "Crowdsourced Sigma Rules: Matches rule Suspicious Outbound SMTP Connections by frack113", "Crowdsourced Sigma Rules: Matches rule Creation of an Executable by an Executable by frack113", "https://www.virustotal.com/gui/file/dcd0812ed0b280cee38a3f8a68e5fde900f0a9f832ca53167d38d96f105eb9b9/detection", "Antivirus Detections Win.Trojan.Sality-1047 , Worm:Win32/Ganelp.A IDS Detections W32.Duptwux/Ganelp FTP Username - onthelinux Yara Detections InstallShield2000 Alerts persistence_autorun_tasks cape_detected_threat bypass_firewall suricata_alert dynamic_function_loading dropper injection_rwx IP\u2019s Contacted 209.202.252.54", "ELF:Mirai-GH\\ [Trj] 91b62309447ba8db2a456b546d02cee07f1fd1027a0dd23b0ad87bec18b5acee", "https://hybrid-analysis.com/sample/b31067b40534bc4a9d68ac2f13f6090956d171d23c3d3f7a8c92a8745aed4db3", "https://otx.alienvault.com/indicator/file/00001054e41d89822267a38856e76eafc2c2e2f20c3f17a392e417f8b87e4ce1", "trojan.shellrunner/emailworm: FileHash-SHA256 f9527077fe3699a17a45276e3b15d65014b5c1d2d10c09f476a21b90fbd0bf67", "https://www.virustotal.com/gui/file/f9527077fe3699a17a45276e3b15d65014b5c1d2d10c09f476a21b90fbd0bf67/detection", "Trojan.Agent.FRYX: http://email.bidayati.com/c/eJwkkc1ygjoYQJ8Gd3TClwTIwgUR0Aq12BbBbu5EfuQnioVQwKe_03v3Z-bMnJOvbUwtS6yKtWEZjNmMULyq1oAMYto2zZhd2IbIGb6UBdiYCqMoC", "Worm:Win32/Ganelp.A: FileHash-SHA256 00001054e41d89822267a38856e76eafc2c2e2f20c3f17a392e417f8b87e4ce1", "Worm:Win32/Ganelp.A: FileHash-SHA1 0eed684aef678aeffb43866bd2c975876e82eeab", "Worm:Win32/Ganelp.A: FileHash-MD5 b5e26ac3b7518b77631ab7bcefae10fe", "Trojan.Crypted-6 | infostealer_browser : https://otx.alienvault.com/indicator/file/29971e4a9ce229d79fae4cbdff1b32d2", "Falcon-FileVantage.exe | trojan.redcap/python: FileHash-SHA256 06d4c16f64fc377b7dd5d8dff8bc6b11728d4cbbf3dcb42a9b819cc028afc328", "https://www.virustotal.com/gui/file/06d4c16f64fc377b7dd5d8dff8bc6b11728d4cbbf3dcb42a9b819cc028afc328/detection", "apple-carry-relay.cloudflare.com | apple-dns.net | emails.redvue.com | https://arduboy.com/bad-apple-demo-is-good | 67.199.248.12", "https://tools.totaleconomicimpact.com/go/apple/TEI/docs/TEI-of-Mac-in-Enterprise.pdf | 79appleway.com | technoapple.com", "http://image.nationwide-service.co.uk/lib/fe9515737163077971/m/1/spacer_ApplePay.gif bum?id=326459173&s=143441 | mails.redvue.com", "http://www.rvrb.me/fan_reach/pt?eid=A429942_17490857_19605431_lnk1018&url=http://itunes.apple.com/WebObjects/MZStore.woa/wa/viewAl", "Antivirus Detections ELF:Mirai-GH\\ [Trj]", "IDS Detections Master IP CAM 01 Hardcoded Password for Root Account (CVE-2018-5723) Juniper ScreenOS telnet Backdoor Default Password Attempt SUSPICIOUS Path to BusyBox Possible Linux.Mirai Login Attempt (meinsm) Actiontec C1000A backdoor account M2", "IDS Detections Win32/Tofsee.AX google.com connectivity check External IP Lookup www.trackip.net Possible", "https://www.pornhub.com/gifs/search?search=tsara+lynn+brashears+lesbian - is this a must?", "http://images.contact.acams.org/" ], "public": 1, "adversary": "", "targeted_countries": [ "United States of America", "United Kingdom of Great Britain and Northern Ireland" ], "malware_families": [ { "id": "Trojan.Agent.FRYX", "display_name": "Trojan.Agent.FRYX", "target": null }, { "id": "Win32:AceCrypter-B [Cryp]", "display_name": "Win32:AceCrypter-B [Cryp]", "target": null }, { "id": "Mal_Tofsee", "display_name": "Mal_Tofsee", "target": null }, { "id": "Ransom.StopcryptPMF.", "display_name": "Ransom.StopcryptPMF.", "target": null }, { "id": "Backdoor:Win32/Tofsee.T", "display_name": "Backdoor:Win32/Tofsee.T", "target": "/malware/Backdoor:Win32/Tofsee.T" }, { "id": "Worm:Win32/Ganelp.A", "display_name": "Worm:Win32/Ganelp.A", "target": "/malware/Worm:Win32/Ganelp.A" }, { "id": "trojan.shellrunner/emailworm", "display_name": "trojan.shellrunner/emailworm", "target": null }, { "id": "trojan.redcap/python", "display_name": "trojan.redcap/python", "target": null }, { "id": "Mirai", "display_name": "Mirai", "target": null }, { "id": "NIDS", "display_name": "NIDS", "target": null } ], "attack_ids": [ { "id": "T1547", "name": "Boot or Logon Autostart Execution", "display_name": "T1547 - Boot or Logon Autostart Execution" }, { "id": "T1566", "name": "Phishing", "display_name": "T1566 - Phishing" }, { "id": "T1071", "name": "Application Layer Protocol", "display_name": "T1071 - Application Layer Protocol" }, { "id": "T1105", "name": "Ingress Tool Transfer", "display_name": "T1105 - Ingress Tool Transfer" }, { "id": "T1553", "name": "Subvert Trust Controls", "display_name": "T1553 - Subvert Trust Controls" }, { "id": "T1568", "name": "Dynamic Resolution", "display_name": "T1568 - Dynamic Resolution" }, { "id": "T1583", "name": "Acquire Infrastructure", "display_name": "T1583 - Acquire Infrastructure" }, { "id": "T1027", "name": "Obfuscated Files or Information", "display_name": "T1027 - Obfuscated Files or Information" }, { "id": "T1018", "name": "Remote System Discovery", "display_name": "T1018 - Remote System Discovery" }, { "id": "T1036", "name": "Masquerading", "display_name": "T1036 - Masquerading" }, { "id": "T1055", "name": "Process Injection", "display_name": "T1055 - Process Injection" }, { "id": "T1070", "name": "Indicator Removal on Host", "display_name": "T1070 - Indicator Removal on Host" }, { "id": "T1082", "name": "System Information Discovery", "display_name": "T1082 - System Information Discovery" }, { "id": "T1083", "name": "File and Directory Discovery", "display_name": "T1083 - File and Directory Discovery" }, { "id": "T1095", "name": "Non-Application Layer Protocol", "display_name": "T1095 - Non-Application Layer Protocol" }, { "id": "T1129", "name": "Shared Modules", "display_name": "T1129 - Shared Modules" }, { "id": "T1497", "name": "Virtualization/Sandbox Evasion", "display_name": "T1497 - Virtualization/Sandbox Evasion" }, { "id": "T1518", "name": "Software Discovery", "display_name": "T1518 - Software Discovery" }, { "id": "T1543", "name": "Create or Modify System Process", "display_name": "T1543 - Create or Modify System Process" }, { "id": "T1562", "name": "Impair Defenses", "display_name": "T1562 - Impair Defenses" }, { "id": "T1569", "name": "System Services", "display_name": "T1569 - System Services" }, { "id": "T1574", "name": "Hijack Execution Flow", "display_name": "T1574 - Hijack Execution Flow" }, { "id": "T1096", "name": "NTFS File Attributes", "display_name": "T1096 - NTFS File Attributes" }, { "id": "T1112", "name": "Modify Registry", "display_name": "T1112 - Modify Registry" }, { "id": "T1045", "name": "Software Packing", "display_name": "T1045 - Software Packing" }, { "id": "T1119", "name": "Automated Collection", "display_name": "T1119 - Automated Collection" }, { "id": "T1199", "name": "Trusted Relationship", "display_name": "T1199 - Trusted Relationship" }, { "id": "TA0011", "name": "Command and Control", "display_name": "TA0011 - Command and Control" }, { "id": "T1565", "name": "Data Manipulation", "display_name": "T1565 - Data Manipulation" }, { "id": "T1046", "name": "Network Service Scanning", "display_name": "T1046 - Network Service Scanning" }, { "id": "T1059", "name": "Command and Scripting Interpreter", "display_name": "T1059 - Command and Scripting Interpreter" }, { "id": "T1202", "name": "Indirect Command Execution", "display_name": "T1202 - Indirect Command Execution" }, { "id": "T1539", "name": "Steal Web Session Cookie", "display_name": "T1539 - Steal Web Session Cookie" }, { "id": "T1573", "name": "Encrypted Channel", "display_name": "T1573 - Encrypted Channel" }, { "id": "TA0002", "name": "Execution", "display_name": "TA0002 - Execution" }, { "id": "TA0003", "name": "Persistence", "display_name": "TA0003 - Persistence" }, { "id": "TA0004", "name": "Privilege Escalation", "display_name": "TA0004 - Privilege Escalation" }, { "id": "TA0005", "name": "Defense Evasion", "display_name": "TA0005 - Defense Evasion" }, { "id": "TA0007", "name": "Discovery", "display_name": "TA0007 - Discovery" }, { "id": "TA0006", "name": "Credential Access", "display_name": "TA0006 - Credential Access" }, { "id": "T1583.002", "name": "DNS Server", "display_name": "T1583.002 - DNS Server" } ], "industries": [ "Technology" ], "TLP": "green", "cloned_from": null, "export_count": 33, "upvotes_count": 0, "downvotes_count": 0, "votes_count": 0, "locked": false, "pulse_source": "web", "validator_count": 0, "comment_count": 0, "follower_count": 0, "vote": 0, "author": { "username": "scoreblue", "id": "254100", "avatar_url": "/otxapi/users/avatar_image/media/avatars/user_254100/resized/80/avatar_3b9c358f36.png", "is_subscribed": false, "is_following": false }, "indicator_type_counts": { "FileHash-MD5": 890, "FileHash-SHA1": 853, "FileHash-SHA256": 7215, "domain": 2771, "hostname": 5544, "URL": 13393, "email": 12, "SSLCertFingerprint": 15, "CIDR": 1, "CVE": 3 }, "indicator_count": 30697, "is_author": false, "is_subscribing": null, "subscriber_count": 237, "modified_text": "606 days ago ", "is_modified": true, "groups": [], "in_group": false, "threat_hunter_scannable": true, "threat_hunter_has_agents": 1, "related_indicator_type": "URL", "related_indicator_is_active": 1 }, { "id": "66994bda3e150656cd5ac9dd", "name": "Browser Session Hijacking Various MyChart Phishing Scams", "description": "Ongoing issues with medical information hijacking. Various medical corporations affected. Tracking, medical, injection process, records retrieval, botnets.", "modified": "2024-08-17T16:01:11.866000", "created": "2024-07-18T17:07:38.719000", "tags": [ "historical ssl", "referrer", "domains", "august", "phishingscams", "domains part", "domain tracker", "roundup", "new problems", "privacy badger", "startpage", "self", "httponly", "samesitenone", "http response", "final url", "ip address", "status code", "body length", "b body", "sha256", "pragma", "mychartlocale", "urls", "ip detections", "country", "contacted", "files", "file type", "name file", "gmbh", "cloudflare", "tucows", "ii llc", "alibaba cloud", "computing", "sample", "media t1091", "t1497 may", "mitre att", "access ta0001", "replication", "ta0004 process", "injection t1055", "defense evasion", "http requests", "get http", "request", "host", "dns resolutions", "ip traffic", "hashes", "tsara brashears", "red team", "hackers", "highly targeted", "critical risk", "cyberstalking", "apple", "apple ios", "logistics", "cyber defense", "guloader", "hacktool", "emotet", "phishing", "facebook", "malware", "hiddentear", "maze", "server", "domain status", "date", "algorithm", "google llc", "registrar abuse", "registrar", "record type", "ttl value", "aaaa", "whois lookup", "admin country", "ca creation", "dnssec", "markmonitor", "siblings", "whois lookups", "expiration date", "registrar iana", "creation date", "first", "united", "as15169 google", "cname", "status", "virtool", "cryp", "as396982 google", "search", "name servers", "win32", "remote" ], "references": [ "MyChart Phishing Scams", "exploit_source IP's: 20.99.186.246 , 40.126.24.147 , 40.126.24.149 , 40.126.24.81 , 40.126.24.82", "VirTool:Win32/Obfuscator: 0.googleusercontent.com [hacking]", "https://www.anyxxxtube.net/search-porn/tsara-brashears/\t URL\thttp://45.159.189.105/bot/regex |\thttps://www.pornhub.com/gifs/search?search=tsara+lynn+brashears+lesbian" ], "public": 1, "adversary": "", "targeted_countries": [], "malware_families": [ { "id": "Win64-Trojan/Pakes.Exp", "display_name": "Win64-Trojan/Pakes.Exp", "target": null }, { "id": "Win64:RansomX-gen", "display_name": "Win64:RansomX-gen", "target": null } ], "attack_ids": [ { "id": "T1012", "name": "Query Registry", "display_name": "T1012 - Query Registry" }, { "id": "T1018", "name": "Remote System Discovery", "display_name": "T1018 - Remote System Discovery" }, { "id": "T1027", "name": "Obfuscated Files or Information", "display_name": "T1027 - Obfuscated Files or Information" }, { "id": "T1036", "name": "Masquerading", "display_name": "T1036 - Masquerading" }, { "id": "T1055", "name": "Process Injection", "display_name": "T1055 - Process Injection" }, { "id": "T1057", "name": "Process Discovery", "display_name": "T1057 - Process Discovery" }, { "id": "T1071", "name": "Application Layer Protocol", "display_name": "T1071 - Application Layer Protocol" }, { "id": "T1082", "name": "System Information Discovery", "display_name": "T1082 - System Information Discovery" }, { "id": "T1083", "name": "File and Directory Discovery", "display_name": "T1083 - File and Directory Discovery" }, { "id": "T1091", "name": "Replication Through Removable Media", "display_name": "T1091 - Replication Through Removable Media" }, { "id": "T1095", "name": "Non-Application Layer Protocol", "display_name": "T1095 - Non-Application Layer Protocol" }, { "id": "T1120", "name": "Peripheral Device Discovery", "display_name": "T1120 - Peripheral Device Discovery" }, { "id": "T1185", "name": "Man in the Browser", "display_name": "T1185 - Man in the Browser" }, { "id": "T1497", "name": "Virtualization/Sandbox Evasion", "display_name": "T1497 - Virtualization/Sandbox Evasion" }, { "id": "T1518", "name": "Software Discovery", "display_name": "T1518 - Software Discovery" }, { "id": "T1562", "name": "Impair Defenses", "display_name": "T1562 - Impair Defenses" }, { "id": "T1573", "name": "Encrypted Channel", "display_name": "T1573 - Encrypted Channel" } ], "industries": [ "Healthcare", "Technology" ], "TLP": "green", "cloned_from": null, "export_count": 27, "upvotes_count": 0, "downvotes_count": 0, "votes_count": 0, "locked": false, "pulse_source": "web", "validator_count": 0, "comment_count": 0, "follower_count": 0, "vote": 0, "author": { "username": "scoreblue", "id": "254100", "avatar_url": "/otxapi/users/avatar_image/media/avatars/user_254100/resized/80/avatar_3b9c358f36.png", "is_subscribed": false, "is_following": false }, "indicator_type_counts": { "FileHash-MD5": 37, "FileHash-SHA1": 33, "FileHash-SHA256": 3473, "domain": 693, "URL": 4384, "hostname": 1610, "CVE": 2, "email": 3 }, "indicator_count": 10235, "is_author": false, "is_subscribing": null, "subscriber_count": 231, "modified_text": "610 days ago ", "is_modified": true, "groups": [], "in_group": false, "threat_hunter_scannable": true, "threat_hunter_has_agents": 1, "related_indicator_type": "URL", "related_indicator_is_active": 1 } ], "references": [ "VirTool:Win32/Obfuscator: 0.googleusercontent.com [hacking]", "Crowdsourced Sigma Rules: Matches rule Suspect Svchost Activity by David Burkett, @signalblur", "Antivirus Detections Win.Trojan.Sality-1047 , Worm:Win32/Ganelp.A IDS Detections W32.Duptwux/Ganelp FTP Username - onthelinux Yara Detections InstallShield2000 Alerts persistence_autorun_tasks cape_detected_threat bypass_firewall suricata_alert dynamic_function_loading dropper injection_rwx IP\u2019s Contacted 209.202.252.54", "apple-carry-relay.cloudflare.com | apple-dns.net | emails.redvue.com | https://arduboy.com/bad-apple-demo-is-good | 67.199.248.12", "https://prnbae.com/191693/at-37-ellie-discovers-the-unique-sensations-of-double-vaginal-sex/ [trellis.law]", "Trellis: http://blockpage.bt.com/pcstaticpage/blocked.html?list=BT | https://search.app.goo.gl/?ofl", "Jeffrey Scott Reimer PT , DPT. assaulters defense: 'I had to be of the top/front of Brashears, She consented!'", "http://us.1.powerfront.com/thehealthylivingshow/scripts/redir.asp?link=https://www.sexbestgals.info/cougar-porn/ [trellis.law]", "Brian Sabey begged victim to accept tiny settlement. Contingency, 'Brashears may use settlement to find hacker.'", "Worm:Win32/Ganelp.A: FileHash-SHA256 00001054e41d89822267a38856e76eafc2c2e2f20c3f17a392e417f8b87e4ce1", "IDS Detections: Downloader (P2P Zeus dropper UA) Common Upatre Header Structure 2 Upatre Retrieving encoded payload (Common Header Struct)", "http://image.nationwide-service.co.uk/lib/fe9515737163077971/m/1/spacer_ApplePay.gif bum?id=326459173&s=143441 | mails.redvue.com", "https://www.paidhmars.com/", "Crowdsourced Sigma Rules: Matches rule Creation of an Executable by an Executable by frack113", "Worm:Win32/Ganelp.A: FileHash-MD5 b5e26ac3b7518b77631ab7bcefae10fe", "Judge Shay Whittaker dismissed Reimers 'malicious' prosecution claom", "False: Brashears didn't expect this coming. Jeffrey Reimer DPT suddenly jumped on top of Brashears and tried to start a family. He didn't ask.", "Brashears would LOVE for the true court proceedings to be read. She feels they were hacked away. DougCo was unable to 'print' records 'glitch'", "There is NO other physical therapist with as many reviews as Jeffrey Reimer DPT, even non offenders. Reimers clientele is largely non-english speaking.", "Crowdsourced Sigma Rules: Suspicious New Service Creation by Nasreddine Bencherchali (Nextron Systems)", "Brian Sabey Speaking for Jeffrey Scott Reimer DPT refused further court proceedings", "Brashears Review: 'He would benefit from more training' [Very considerate considering the complimentary spinal cord injuries 'plural']", "trojan.shellrunner/emailworm: FileHash-SHA256 f9527077fe3699a17a45276e3b15d65014b5c1d2d10c09f476a21b90fbd0bf67", "IDS Detections Master IP CAM 01 Hardcoded Password for Root Account (CVE-2018-5723) Juniper ScreenOS telnet Backdoor Default Password Attempt SUSPICIOUS Path to BusyBox Possible Linux.Mirai Login Attempt (meinsm) Actiontec C1000A backdoor account M2", "He also spoke frequently about Brashears infamously 'real' large bosom and figure. He decided to touch, grab, grope, assault,injure, beg for more", "Worm:Win32/Ganelp.A: FileHash-SHA1 0eed684aef678aeffb43866bd2c975876e82eeab", "Case: Defamation of character based on truthful reviews left on HealthGrades.", "http://www.philippinesredcat.com/girls-for-sex-in-manila/ [trellis.law]", "Survivor was told an investigation would begin, she'd be safe among other careless things her MD advised", "Trojan.Agent.FRYX: http://email.bidayati.com/c/eJwkkc1ygjoYQJ8Gd3TClwTIwgUR0Aq12BbBbu5EfuQnioVQwKe_03v3Z-bMnJOvbUwtS6yKtWEZjNmMULyq1oAMYto2zZhd2IbIGb6UBdiYCqMoC", "IDS Detections Win32/Tofsee.AX google.com connectivity check External IP Lookup www.trackip.net Possible", "Brian Sabey offered Brashears a settlement. Begged her to accept it.", "False: This case was filed in Douglas County Superior Courts with Jeffrey K Holmes presiding. | Who is he?", "Most of not all positive Jeffrey Reimer DPT reviews are false. Reimer wasn't practicing when 'amazing' trat,ent alleged", "Scam Aggregators: https://trellis.law/case/8035/2017cv030026-suppressed/reimer-jeffrey-v-brashears-tsara [parked here: ctjsz.com]", "http://images.contact.acams.org/", "https://hybrid-analysis.com/sample/b31067b40534bc4a9d68ac2f13f6090956d171d23c3d3f7a8c92a8745aed4db3", "https://otx.alienvault.com/indicator/file/00001054e41d89822267a38856e76eafc2c2e2f20c3f17a392e417f8b87e4ce1", "ELF:Mirai-GH\\ [Trj] 91b62309447ba8db2a456b546d02cee07f1fd1027a0dd23b0ad87bec18b5acee", "https://www.virustotal.com/gui/file/06d4c16f64fc377b7dd5d8dff8bc6b11728d4cbbf3dcb42a9b819cc028afc328/detection", "Brian Sabey. Esq filed motion to dismiss after judge dismissed Reimers meritlesscase", "https://www.pornhub.com/gifs/search?search=tsara+lynn+brashears+lesbian - is this a must?", "A series of reviews detailing Jeffrey Reimer DPT egregious behavior proved not left by Brashears except 2 with comments -4", "Trellis: https://itunes.apple.com/app/apple-store/id284815942/us/app/samsung-galaxy-watch-gear-s/id1117310635", "False: Never served. Had several PI's and background checks", "148.163.152.21 AS 22843 (PROOFPOINT-ASN-US-EAST) US | www.robtex.com | www.spf-record.com |", "Trojan.Crypted-6 | infostealer_browser : https://otx.alienvault.com/indicator/file/29971e4a9ce229d79fae4cbdff1b32d2", "Trellis: 3.223.115.185 In cloud provider range: provider=AWS\t IPv4 34.240.160.162 In cloud provider range: provider=AWS", "Unless tampered with, court records will show Brashears dropped as a patient to be told she'd face legal consequences if she did.", "Trellis: secure04-appleid.com | http://secure04-appleid.com | cpcalendars.secure04-appleid.com", "Reimer often criticized non English speakers, large women and short Hispanic men according to witness.", "Crowdsourced Sigma Rules: Matches rule Suspicious Svchost Process by Florian Roth (Nextron Systems)", "Reimers case V Brashears in 2017 after Denver Police Major Crimes located Reimer", "Health Grades erased 20+ positive reviews that originated from Reimers email address.", "Brian Sabey had cashiers check delivered to Brashears in person.", "Crowdsourced Sigma Rules: Matches rule Suspicious Outbound SMTP Connections by frack113", "https://help.competitionsuite.com/article/76-using-the-judge-app-tablets", "Antivirus Detections ELF:Mirai-GH\\ [Trj]", "Falcon-FileVantage.exe | trojan.redcap/python: FileHash-SHA256 06d4c16f64fc377b7dd5d8dff8bc6b11728d4cbbf3dcb42a9b819cc028afc328", "Brashears documented on corr record she wanted to proceed with case", "sex2e.com | http://qq664.com/seximanhua/22128.html [trellis.law]", "Brian Sabey would be most foolish after it was determined Brashears was 100% disabled. This was cause by Jeffrey Scott Reimer DPT", "https://www.anyxxxtube.net/search-porn/tsara-brashears/\t URL\thttp://45.159.189.105/bot/regex |\thttps://www.pornhub.com/gifs/search?search=tsara+lynn+brashears+lesbian", "Brian Sabey wanted to appear to win. Sandy demanded Brashears remove every patients negative review about Jeffrey Reimer DPT", "Trellis: Hostname blockpage.bt.com | hdredirect-lb7-5a03e1c2772e1c9c.elb.us-east-1.amazonaws.com | itunes.apple.com | search.app.goo.gl | www.youtube.com", "exploit_source IP's: 20.99.186.246 , 40.126.24.147 , 40.126.24.149 , 40.126.24.81 , 40.126.24.82", "MyChart Phishing Scams", "Victim is willing to have her attorney post entire court proceedings online , on YouTube and more", "http://www.rvrb.me/fan_reach/pt?eid=A429942_17490857_19605431_lnk1018&url=http://itunes.apple.com/WebObjects/MZStore.woa/wa/viewAl", "https://urlscan.io/result/e4ed8a1d-1b23-46cd-a237-a2ad4e974fc3/content/", "Jeffrey Scott Reimer DPT was allegedly arrested 02/14/2022 | Very unreliable self proclaimed PI's (multiple)", "https://www.virustotal.com/gui/file/f9527077fe3699a17a45276e3b15d65014b5c1d2d10c09f476a21b90fbd0bf67/detection", "IDS Detections: Suspicious User-Agent containing Loader Observed TLS Handshake Failure", "https://www.virustotal.com/gui/file/dcd0812ed0b280cee38a3f8a68e5fde900f0a9f832ca53167d38d96f105eb9b9/detection", "Trellis: www.youtube.com/watch?v=GyuMozsVyYs \t\u00bb Survivors video references assault. Does not name or depict Reimers likeness.", "http://www.qq664.com/seximanhua/22128.html [looks legit to me]", "https://tools.totaleconomicimpact.com/go/apple/TEI/docs/TEI-of-Mac-in-Enterprise.pdf | 79appleway.com | technoapple.com", "Trellis: High Priority Alerts: network_icmp modifies_proxy_wpad packer_polymorphic", "Brashears would gladly go to court as stated in court documents to then judge who wished to be briefed by Brashears. Thwarted by Sabey.", "Did I mention she prevailed, won, got a check? Tsara Lynn Brashears survivor; won her counter claim. Weak Reimer claim burned like a dying moth.", "Trellis:TrojanDownloader:Win32/Upatre.A | Yara Detections Upack_all_versions" ], "related": { "alienvault": { "adversary": [], "malware_families": [], "industries": [], "unique_indicators": 0 }, "other": { "adversary": [ "Parking Crew" ], "malware_families": [ "Trojan:win32/zbot.sibg3!mtb", "P2p zeus - s0016", "Backdoor:win32/tofsee.t", "Worm:win32/ganelp.a", "Ransom.stopcryptpmf.", "Mirai", "Trojan.shellrunner/emailworm", "Win32:acecrypter-b [cryp]", "Win64-trojan/pakes.exp", "Nids", "Win64:ransomx-gen", "Trojandownloader:win32/upatre.a", "Trojan.agent.fryx", "Mal_tofsee", "Trojan.redcap/python" ], "industries": [ "Healthcare", "Telecommunications", "Research", "Civilians", "Technology" ], "unique_indicators": 45480 } } }, "false_positive": [], "alexa": "http://www.alexa.com/siteinfo/lingvanex.com", "whois": "http://whois.domaintools.com/lingvanex.com", "domain": "lingvanex.com", "hostname": "docs.lingvanex.com" }, "geo": {}, "geo_ipapicom": {}, "pulse_count": 3, "pulses": [ { "id": "66d490668683aec2631cfa20", "name": "Jeffrey Reimer DPT Tsara Brashears Court Records | Trellis.Law", "description": "Phishing expedition: Malicious bait. Threat actor/s attempting to hack whoever can see and clicks on link. The URl is parked, is malicious, attempts infiltrate device.", "modified": "2024-11-05T00:02:43.336000", "created": "2024-09-01T16:03:50.411000", "tags": [ "reimer-jeffrey-v-brashears-tsara", "2017cv030026 suppressed", "case 2017cv030026 suppressed", "docket", "legal case", "legal", "litigation", "court cases", "state court docket", "robert r", "lung", "county", "case", "money", "ben l", "leutwyler iii", "reimer", "brashears", "douglas county", "tips", "district", "date", "judge", "shane", "bank", "contact", "service", "brashears accepts", "jeffrey scott", "reimer dpt", "reimer paid", "sa victim", "settlement", "reimer-jeffrey-paid-tsara-brahears-settlement", "reimer-jeffrey-claim-dismissed", "brashears-tsara-claims-upheld", "reverse dns", "general full", "protocol h2", "security tls", "resource", "united", "hash", "name value", "security", "main", "facebook", "brashears-tsara-v-reimer-jeffrey", "so false", "as134548 dxtl", "kwan o", "hong kong", "passive dns", "scan endpoints", "all scoreblue", "ipv4", "export graph", "historical ssl", "referrer", "gameprofitshack", "webstudio", "smartdata", "alloymedia", "industries", "theakkas", "korplug", "default", "module load", "t1129", "show", "search", "regbinary", "malware beacon", "upatre", "suspicious", "trojan", "copy", "dock", "downloader", "loader", "write", "malware", "av detections", "ids detections", "yara detections", "alerts", "related pulses", "dashboard", "browse scan", "endpoints all", "showing", "p2p zeus", "september", "popper", "cookies", "x function", "hsp boolean", "oribili boolean", "hstcran", "hsusertoken", "domainpath name", "ns nxdomain", "parked", "tsara won", "brashears prevails", "reimer dismissal", "dangerous data collection", "get device", "parked uri" ], "references": [ "Scam Aggregators: https://trellis.law/case/8035/2017cv030026-suppressed/reimer-jeffrey-v-brashears-tsara [parked here: ctjsz.com]", "http://www.qq664.com/seximanhua/22128.html [looks legit to me]", "sex2e.com | http://qq664.com/seximanhua/22128.html [trellis.law]", "https://prnbae.com/191693/at-37-ellie-discovers-the-unique-sensations-of-double-vaginal-sex/ [trellis.law]", "http://www.philippinesredcat.com/girls-for-sex-in-manila/ [trellis.law]", "http://us.1.powerfront.com/thehealthylivingshow/scripts/redir.asp?link=https://www.sexbestgals.info/cougar-porn/ [trellis.law]", "https://help.competitionsuite.com/article/76-using-the-judge-app-tablets", "https://www.paidhmars.com/", "https://urlscan.io/result/e4ed8a1d-1b23-46cd-a237-a2ad4e974fc3/content/", "False: This case was filed in Douglas County Superior Courts with Jeffrey K Holmes presiding. | Who is he?", "False: Never served. Had several PI's and background checks", "Jeffrey Scott Reimer DPT was allegedly arrested 02/14/2022 | Very unreliable self proclaimed PI's (multiple)", "Brian Sabey begged victim to accept tiny settlement. Contingency, 'Brashears may use settlement to find hacker.'", "Judge Shay Whittaker dismissed Reimers 'malicious' prosecution claom", "Reimers case V Brashears in 2017 after Denver Police Major Crimes located Reimer", "Brashears documented on corr record she wanted to proceed with case", "Brian Sabey Speaking for Jeffrey Scott Reimer DPT refused further court proceedings", "Brian Sabey offered Brashears a settlement. Begged her to accept it.", "Case: Defamation of character based on truthful reviews left on HealthGrades.", "A series of reviews detailing Jeffrey Reimer DPT egregious behavior proved not left by Brashears except 2 with comments -4", "Brashears Review: 'He would benefit from more training' [Very considerate considering the complimentary spinal cord injuries 'plural']", "Health Grades erased 20+ positive reviews that originated from Reimers email address.", "Most of not all positive Jeffrey Reimer DPT reviews are false. Reimer wasn't practicing when 'amazing' trat,ent alleged", "Brian Sabey. Esq filed motion to dismiss after judge dismissed Reimers meritlesscase", "Brian Sabey would be most foolish after it was determined Brashears was 100% disabled. This was cause by Jeffrey Scott Reimer DPT", "Brashears would gladly go to court as stated in court documents to then judge who wished to be briefed by Brashears. Thwarted by Sabey.", "Brian Sabey wanted to appear to win. Sandy demanded Brashears remove every patients negative review about Jeffrey Reimer DPT", "Brian Sabey had cashiers check delivered to Brashears in person.", "Victim is willing to have her attorney post entire court proceedings online , on YouTube and more", "There is NO other physical therapist with as many reviews as Jeffrey Reimer DPT, even non offenders. Reimers clientele is largely non-english speaking.", "Reimer often criticized non English speakers, large women and short Hispanic men according to witness.", "He also spoke frequently about Brashears infamously 'real' large bosom and figure. He decided to touch, grab, grope, assault,injure, beg for more", "Jeffrey Scott Reimer PT , DPT. assaulters defense: 'I had to be of the top/front of Brashears, She consented!'", "False: Brashears didn't expect this coming. Jeffrey Reimer DPT suddenly jumped on top of Brashears and tried to start a family. He didn't ask.", "Unless tampered with, court records will show Brashears dropped as a patient to be told she'd face legal consequences if she did.", "Survivor was told an investigation would begin, she'd be safe among other careless things her MD advised", "Brashears would LOVE for the true court proceedings to be read. She feels they were hacked away. DougCo was unable to 'print' records 'glitch'", "Did I mention she prevailed, won, got a check? Tsara Lynn Brashears survivor; won her counter claim. Weak Reimer claim burned like a dying moth.", "Trellis: 3.223.115.185 In cloud provider range: provider=AWS\t IPv4 34.240.160.162 In cloud provider range: provider=AWS", "Trellis: http://blockpage.bt.com/pcstaticpage/blocked.html?list=BT | https://search.app.goo.gl/?ofl", "Trellis: www.youtube.com/watch?v=GyuMozsVyYs \t\u00bb Survivors video references assault. Does not name or depict Reimers likeness.", "Trellis: Hostname blockpage.bt.com | hdredirect-lb7-5a03e1c2772e1c9c.elb.us-east-1.amazonaws.com | itunes.apple.com | search.app.goo.gl | www.youtube.com", "Trellis: https://itunes.apple.com/app/apple-store/id284815942/us/app/samsung-galaxy-watch-gear-s/id1117310635", "IDS Detections: Downloader (P2P Zeus dropper UA) Common Upatre Header Structure 2 Upatre Retrieving encoded payload (Common Header Struct)", "IDS Detections: Suspicious User-Agent containing Loader Observed TLS Handshake Failure", "Trellis: High Priority Alerts: network_icmp modifies_proxy_wpad packer_polymorphic", "Trellis:TrojanDownloader:Win32/Upatre.A | Yara Detections Upack_all_versions", "Trellis: secure04-appleid.com | http://secure04-appleid.com | cpcalendars.secure04-appleid.com" ], "public": 1, "adversary": "Parking Crew", "targeted_countries": [ "United States of America" ], "malware_families": [ { "id": "Trojan:Win32/Zbot.SIBG3!MTB", "display_name": "Trojan:Win32/Zbot.SIBG3!MTB", "target": "/malware/Trojan:Win32/Zbot.SIBG3!MTB" }, { "id": "TrojanDownloader:Win32/Upatre.A", "display_name": "TrojanDownloader:Win32/Upatre.A", "target": "/malware/TrojanDownloader:Win32/Upatre.A" }, { "id": "P2P ZeuS - S0016", "display_name": "P2P ZeuS - S0016", "target": null } ], "attack_ids": [ { "id": "T1040", "name": "Network Sniffing", "display_name": "T1040 - Network Sniffing" }, { "id": "T1045", "name": "Software Packing", "display_name": "T1045 - Software Packing" }, { "id": "T1060", "name": "Registry Run Keys / Startup Folder", "display_name": "T1060 - Registry Run Keys / Startup Folder" }, { "id": "T1129", "name": "Shared Modules", "display_name": "T1129 - Shared Modules" }, { "id": "T1143", "name": "Hidden Window", "display_name": "T1143 - Hidden Window" }, { "id": "T1598", "name": "Phishing for Information", "display_name": "T1598 - Phishing for Information" }, { "id": "T1031", "name": "Modify Existing Service", "display_name": "T1031 - Modify Existing Service" }, { "id": "T1023", "name": "Shortcut Modification", "display_name": "T1023 - Shortcut Modification" }, { "id": "T1399", "name": "Modify Trusted Execution Environment", "display_name": "T1399 - Modify Trusted Execution Environment" }, { "id": "T1155", "name": "AppleScript", "display_name": "T1155 - AppleScript" } ], "industries": [ "Research", "Telecommunications", "Technology", "Civilians" ], "TLP": "green", "cloned_from": null, "export_count": 14, "upvotes_count": 0, "downvotes_count": 0, "votes_count": 0, "locked": false, "pulse_source": "web", "validator_count": 0, "comment_count": 1, "follower_count": 0, "vote": 0, "author": { "username": "scoreblue", "id": "254100", "avatar_url": "/otxapi/users/avatar_image/media/avatars/user_254100/resized/80/avatar_3b9c358f36.png", "is_subscribed": false, "is_following": false }, "indicator_type_counts": { "FileHash-MD5": 269, "FileHash-SHA1": 266, "FileHash-SHA256": 981, "domain": 480, "hostname": 684, "email": 1, "URL": 2102 }, "indicator_count": 4783, "is_author": false, "is_subscribing": null, "subscriber_count": 224, "modified_text": "530 days ago ", "is_modified": true, "groups": [], "in_group": false, "threat_hunter_scannable": true, "threat_hunter_has_agents": 1, "related_indicator_type": "URL", "related_indicator_is_active": 1 }, { "id": "669e42fea462f0c8f8db32a1", "name": "Worm:Win32/Ganelp.A - Malicious IP: 148.163.152.21", "description": "Malicious IP found in disastrous attack against a mid level media marketing firm that the healthcare, travel, corporate event industry. \nEmployee phones are 'zombies' some laptops likely impacted by the Crowd Strike issue, (blue screen). Excessive tracking, monitoring, active botnets, power outage, and more. Research of IP and other IoC's found. Unfortunately, many of the clients are also sucked into issue. It appears that the issue has persisted for several years. The outage just made us work every angle. The attack goes beyond the CS 'update' outage, as the seemingly well cyber manged firm was under a very targeted, ongoing cyber attack that has kept company from rebounding. Red Team behavior seen.", "modified": "2024-08-21T11:03:59.106000", "created": "2024-07-22T11:31:10.391000", "tags": [ "historical ssl", "referrer", "fancy bear", "scan endpoints", "all search", "otx scoreblue", "ipv4", "pulse submit", "url analysis", "passive dns", "urls", "files", "reverse dns", "open", "status", "name servers", "creation date", "search", "proofpoint", "expiration date", "div div", "date", "accept", "next", "united", "cname", "asnone united", "a nxdomain", "domain", "united kingdom", "servers", "showing", "nxdomain", "dname", "whitelisted", "aaaa", "script urls", "costa rica", "script domains", "msie", "chrome", "unknown", "body", "gmt content", "all scoreblue", "pulse pulses", "entries", "as8987 amazon", "as20940", "hostname", "gartner", "crowdstrike", "business value", "magic quadrant", "customer", "realized", "assessment", "economic impact", "complete", "february", "utc na", "ver2", "msclkidn", "html info", "meta tags", "mobileoptimized", "adobe dynamic", "tag management", "utc bing", "cobalt strike", "communications", "android device", "neutral", "win32 exe", "pe32", "ms windows", "win16 ne", "os2 executable", "generic windos", "executable", "dos executable", "generic", "sections", "rticon neutral", "ico rtgroupicon", "xml rtmanifest", "overlay", "threat roundup", "pandas", "attacks against", "southeast", "wannacry kill", "switch dns", "query", "high level", "hackers", "unknown win", "core", "ascii text", "sha256", "sha1", "size", "pattern match", "suricata stream", "command decode", "utf8 text", "mitre att", "path", "hybrid", "starfield", "meta", "general", "target", "local", "click", "strings", "trident", "legacy", "main", "contact", "flow t1574", "dll sideloading", "create", "modify system", "process t1543", "windows service", "t1055 system", "pe file", "t1497 query", "may sleep", "allocate rwx", "get file", "access", "windows event", "allocate", "link function", "windows link", "contains pdb", "dns resolutions", "ip traffic", "pattern domains", "memory pattern", "urls tcp", "hashes", "user", "file system", "written c", "samplepath", "files dropped", "userprofile", "registry keys", "registry", "set registrya", "conhost", "comspec", "created", "temp", "windows", "displayname", "process", "commands", "signals mutexes", "mutexes", "full name", "data", "v3 serial", "number", "cus cndigicert", "tls rsa", "ca1 odigicert", "inc validity", "subject public", "certificate", "whois lookup", "netrange", "nethandle", "net148", "net1480000", "as16509", "as22843", "as13916", "form", "server", "registrar abuse", "email", "request email", "verisign", "icann whois", "tech", "first", "project skynet", "cyber army", "dynamicloader", "high", "delete c", "show", "username", "medium", "default", "yara detections", "worm", "copy", "write", "duptwux", "malware", "x82xd4", "kx81xdbx0f", "x86xd3", "xa1xf1", "xe8xc2x14", "wx99xcdx11", "regsetvalueexa", "regbinary", "xe8xc6x13", "hx88x9ax1e", "stream", "win32", "persistence", "execution", "av detections", "ids detections", "alerts", "analysis date", "file score", "ftp username", "contacted", "et tor", "known tor", "misc attack", "relayrouter", "exit", "node traffic", "severity", "null", "refresh", "span", "error", "tools", "look", "verify", "restart", "robtex", "apple ios", "apple", "domains", "co number", "virtual mobile", "logistics", "cyber defense", "twitter", "read c", "artemis", "intel", "steals", "virustotal", "python", "panda", "falcon sandbox", "analysis", "hybrid analysis", "submission name", "av detection", "multi scan", "highest", "ability", "execute", "upgrade", "intelligence", "learn", "reports", "logo analysis", "size17kib type", "command", "found", "layer protocol", "osi application", "ip address", "t1105 ingress", "tool transfer", "problems", "threat network", "infrastructure", "domains part", "domain tracker", "roundup", "new problems", "startpage", "e1203 windows", "catalog tree", "analysis ob0001", "b0001 process", "b0003 delayed", "analysis ob0002", "evasion ob0006", "ob0007 system", "e1082 file", "e1083 impact", "data manipulation", "remote system", "discovery", "t1059 accept", "modules t1129", "enumerate", "as2914 ntt", "access denied", "as16625 akamai", "germany unknown", "csccorpdomains", "as31109", "invalid url", "mirai", "port", "destination", "bad login", "suspicious path", "nids", "tcp syn", "root account", "cve20185723", "as8068", "please", "x msedge", "embeddedwb", "windows nt", "tofsee", "push", "as54113", "as396982 google", "as31898 oracle", "moved", "encrypt" ], "references": [ "148.163.152.21 AS 22843 (PROOFPOINT-ASN-US-EAST) US | www.robtex.com | www.spf-record.com |", "Crowdsourced Sigma Rules: Suspicious New Service Creation by Nasreddine Bencherchali (Nextron Systems)", "Crowdsourced Sigma Rules: Matches rule Suspicious Svchost Process by Florian Roth (Nextron Systems)", "Crowdsourced Sigma Rules: Matches rule Suspect Svchost Activity by David Burkett, @signalblur", "Crowdsourced Sigma Rules: Matches rule Suspicious Outbound SMTP Connections by frack113", "Crowdsourced Sigma Rules: Matches rule Creation of an Executable by an Executable by frack113", "https://www.virustotal.com/gui/file/dcd0812ed0b280cee38a3f8a68e5fde900f0a9f832ca53167d38d96f105eb9b9/detection", "Antivirus Detections Win.Trojan.Sality-1047 , Worm:Win32/Ganelp.A IDS Detections W32.Duptwux/Ganelp FTP Username - onthelinux Yara Detections InstallShield2000 Alerts persistence_autorun_tasks cape_detected_threat bypass_firewall suricata_alert dynamic_function_loading dropper injection_rwx IP\u2019s Contacted 209.202.252.54", "ELF:Mirai-GH\\ [Trj] 91b62309447ba8db2a456b546d02cee07f1fd1027a0dd23b0ad87bec18b5acee", "https://hybrid-analysis.com/sample/b31067b40534bc4a9d68ac2f13f6090956d171d23c3d3f7a8c92a8745aed4db3", "https://otx.alienvault.com/indicator/file/00001054e41d89822267a38856e76eafc2c2e2f20c3f17a392e417f8b87e4ce1", "trojan.shellrunner/emailworm: FileHash-SHA256 f9527077fe3699a17a45276e3b15d65014b5c1d2d10c09f476a21b90fbd0bf67", "https://www.virustotal.com/gui/file/f9527077fe3699a17a45276e3b15d65014b5c1d2d10c09f476a21b90fbd0bf67/detection", "Trojan.Agent.FRYX: http://email.bidayati.com/c/eJwkkc1ygjoYQJ8Gd3TClwTIwgUR0Aq12BbBbu5EfuQnioVQwKe_03v3Z-bMnJOvbUwtS6yKtWEZjNmMULyq1oAMYto2zZhd2IbIGb6UBdiYCqMoC", "Worm:Win32/Ganelp.A: FileHash-SHA256 00001054e41d89822267a38856e76eafc2c2e2f20c3f17a392e417f8b87e4ce1", "Worm:Win32/Ganelp.A: FileHash-SHA1 0eed684aef678aeffb43866bd2c975876e82eeab", "Worm:Win32/Ganelp.A: FileHash-MD5 b5e26ac3b7518b77631ab7bcefae10fe", "Trojan.Crypted-6 | infostealer_browser : https://otx.alienvault.com/indicator/file/29971e4a9ce229d79fae4cbdff1b32d2", "Falcon-FileVantage.exe | trojan.redcap/python: FileHash-SHA256 06d4c16f64fc377b7dd5d8dff8bc6b11728d4cbbf3dcb42a9b819cc028afc328", "https://www.virustotal.com/gui/file/06d4c16f64fc377b7dd5d8dff8bc6b11728d4cbbf3dcb42a9b819cc028afc328/detection", "apple-carry-relay.cloudflare.com | apple-dns.net | emails.redvue.com | https://arduboy.com/bad-apple-demo-is-good | 67.199.248.12", "https://tools.totaleconomicimpact.com/go/apple/TEI/docs/TEI-of-Mac-in-Enterprise.pdf | 79appleway.com | technoapple.com", "http://image.nationwide-service.co.uk/lib/fe9515737163077971/m/1/spacer_ApplePay.gif bum?id=326459173&s=143441 | mails.redvue.com", "http://www.rvrb.me/fan_reach/pt?eid=A429942_17490857_19605431_lnk1018&url=http://itunes.apple.com/WebObjects/MZStore.woa/wa/viewAl", "Antivirus Detections ELF:Mirai-GH\\ [Trj]", "IDS Detections Master IP CAM 01 Hardcoded Password for Root Account (CVE-2018-5723) Juniper ScreenOS telnet Backdoor Default Password Attempt SUSPICIOUS Path to BusyBox Possible Linux.Mirai Login Attempt (meinsm) Actiontec C1000A backdoor account M2", "IDS Detections Win32/Tofsee.AX google.com connectivity check External IP Lookup www.trackip.net Possible", "https://www.pornhub.com/gifs/search?search=tsara+lynn+brashears+lesbian - is this a must?", "http://images.contact.acams.org/" ], "public": 1, "adversary": "", "targeted_countries": [ "United States of America", "United Kingdom of Great Britain and Northern Ireland" ], "malware_families": [ { "id": "Trojan.Agent.FRYX", "display_name": "Trojan.Agent.FRYX", "target": null }, { "id": "Win32:AceCrypter-B [Cryp]", "display_name": "Win32:AceCrypter-B [Cryp]", "target": null }, { "id": "Mal_Tofsee", "display_name": "Mal_Tofsee", "target": null }, { "id": "Ransom.StopcryptPMF.", "display_name": "Ransom.StopcryptPMF.", "target": null }, { "id": "Backdoor:Win32/Tofsee.T", "display_name": "Backdoor:Win32/Tofsee.T", "target": "/malware/Backdoor:Win32/Tofsee.T" }, { "id": "Worm:Win32/Ganelp.A", "display_name": "Worm:Win32/Ganelp.A", "target": "/malware/Worm:Win32/Ganelp.A" }, { "id": "trojan.shellrunner/emailworm", "display_name": "trojan.shellrunner/emailworm", "target": null }, { "id": "trojan.redcap/python", "display_name": "trojan.redcap/python", "target": null }, { "id": "Mirai", "display_name": "Mirai", "target": null }, { "id": "NIDS", "display_name": "NIDS", "target": null } ], "attack_ids": [ { "id": "T1547", "name": "Boot or Logon Autostart Execution", "display_name": "T1547 - Boot or Logon Autostart Execution" }, { "id": "T1566", "name": "Phishing", "display_name": "T1566 - Phishing" }, { "id": "T1071", "name": "Application Layer Protocol", "display_name": "T1071 - Application Layer Protocol" }, { "id": "T1105", "name": "Ingress Tool Transfer", "display_name": "T1105 - Ingress Tool Transfer" }, { "id": "T1553", "name": "Subvert Trust Controls", "display_name": "T1553 - Subvert Trust Controls" }, { "id": "T1568", "name": "Dynamic Resolution", "display_name": "T1568 - Dynamic Resolution" }, { "id": "T1583", "name": "Acquire Infrastructure", "display_name": "T1583 - Acquire Infrastructure" }, { "id": "T1027", "name": "Obfuscated Files or Information", "display_name": "T1027 - Obfuscated Files or Information" }, { "id": "T1018", "name": "Remote System Discovery", "display_name": "T1018 - Remote System Discovery" }, { "id": "T1036", "name": "Masquerading", "display_name": "T1036 - Masquerading" }, { "id": "T1055", "name": "Process Injection", "display_name": "T1055 - Process Injection" }, { "id": "T1070", "name": "Indicator Removal on Host", "display_name": "T1070 - Indicator Removal on Host" }, { "id": "T1082", "name": "System Information Discovery", "display_name": "T1082 - System Information Discovery" }, { "id": "T1083", "name": "File and Directory Discovery", "display_name": "T1083 - File and Directory Discovery" }, { "id": "T1095", "name": "Non-Application Layer Protocol", "display_name": "T1095 - Non-Application Layer Protocol" }, { "id": "T1129", "name": "Shared Modules", "display_name": "T1129 - Shared Modules" }, { "id": "T1497", "name": "Virtualization/Sandbox Evasion", "display_name": "T1497 - Virtualization/Sandbox Evasion" }, { "id": "T1518", "name": "Software Discovery", "display_name": "T1518 - Software Discovery" }, { "id": "T1543", "name": "Create or Modify System Process", "display_name": "T1543 - Create or Modify System Process" }, { "id": "T1562", "name": "Impair Defenses", "display_name": "T1562 - Impair Defenses" }, { "id": "T1569", "name": "System Services", "display_name": "T1569 - System Services" }, { "id": "T1574", "name": "Hijack Execution Flow", "display_name": "T1574 - Hijack Execution Flow" }, { "id": "T1096", "name": "NTFS File Attributes", "display_name": "T1096 - NTFS File Attributes" }, { "id": "T1112", "name": "Modify Registry", "display_name": "T1112 - Modify Registry" }, { "id": "T1045", "name": "Software Packing", "display_name": "T1045 - Software Packing" }, { "id": "T1119", "name": "Automated Collection", "display_name": "T1119 - Automated Collection" }, { "id": "T1199", "name": "Trusted Relationship", "display_name": "T1199 - Trusted Relationship" }, { "id": "TA0011", "name": "Command and Control", "display_name": "TA0011 - Command and Control" }, { "id": "T1565", "name": "Data Manipulation", "display_name": "T1565 - Data Manipulation" }, { "id": "T1046", "name": "Network Service Scanning", "display_name": "T1046 - Network Service Scanning" }, { "id": "T1059", "name": "Command and Scripting Interpreter", "display_name": "T1059 - Command and Scripting Interpreter" }, { "id": "T1202", "name": "Indirect Command Execution", "display_name": "T1202 - Indirect Command Execution" }, { "id": "T1539", "name": "Steal Web Session Cookie", "display_name": "T1539 - Steal Web Session Cookie" }, { "id": "T1573", "name": "Encrypted Channel", "display_name": "T1573 - Encrypted Channel" }, { "id": "TA0002", "name": "Execution", "display_name": "TA0002 - Execution" }, { "id": "TA0003", "name": "Persistence", "display_name": "TA0003 - Persistence" }, { "id": "TA0004", "name": "Privilege Escalation", "display_name": "TA0004 - Privilege Escalation" }, { "id": "TA0005", "name": "Defense Evasion", "display_name": "TA0005 - Defense Evasion" }, { "id": "TA0007", "name": "Discovery", "display_name": "TA0007 - Discovery" }, { "id": "TA0006", "name": "Credential Access", "display_name": "TA0006 - Credential Access" }, { "id": "T1583.002", "name": "DNS Server", "display_name": "T1583.002 - DNS Server" } ], "industries": [ "Technology" ], "TLP": "green", "cloned_from": null, "export_count": 33, "upvotes_count": 0, "downvotes_count": 0, "votes_count": 0, "locked": false, "pulse_source": "web", "validator_count": 0, "comment_count": 0, "follower_count": 0, "vote": 0, "author": { "username": "scoreblue", "id": "254100", "avatar_url": "/otxapi/users/avatar_image/media/avatars/user_254100/resized/80/avatar_3b9c358f36.png", "is_subscribed": false, "is_following": false }, "indicator_type_counts": { "FileHash-MD5": 890, "FileHash-SHA1": 853, "FileHash-SHA256": 7215, "domain": 2771, "hostname": 5544, "URL": 13393, "email": 12, "SSLCertFingerprint": 15, "CIDR": 1, "CVE": 3 }, "indicator_count": 30697, "is_author": false, "is_subscribing": null, "subscriber_count": 237, "modified_text": "606 days ago ", "is_modified": true, "groups": [], "in_group": false, "threat_hunter_scannable": true, "threat_hunter_has_agents": 1, "related_indicator_type": "URL", "related_indicator_is_active": 1 }, { "id": "66994bda3e150656cd5ac9dd", "name": "Browser Session Hijacking Various MyChart Phishing Scams", "description": "Ongoing issues with medical information hijacking. Various medical corporations affected. Tracking, medical, injection process, records retrieval, botnets.", "modified": "2024-08-17T16:01:11.866000", "created": "2024-07-18T17:07:38.719000", "tags": [ "historical ssl", "referrer", "domains", "august", "phishingscams", "domains part", "domain tracker", "roundup", "new problems", "privacy badger", "startpage", "self", "httponly", "samesitenone", "http response", "final url", "ip address", "status code", "body length", "b body", "sha256", "pragma", "mychartlocale", "urls", "ip detections", "country", "contacted", "files", "file type", "name file", "gmbh", "cloudflare", "tucows", "ii llc", "alibaba cloud", "computing", "sample", "media t1091", "t1497 may", "mitre att", "access ta0001", "replication", "ta0004 process", "injection t1055", "defense evasion", "http requests", "get http", "request", "host", "dns resolutions", "ip traffic", "hashes", "tsara brashears", "red team", "hackers", "highly targeted", "critical risk", "cyberstalking", "apple", "apple ios", "logistics", "cyber defense", "guloader", "hacktool", "emotet", "phishing", "facebook", "malware", "hiddentear", "maze", "server", "domain status", "date", "algorithm", "google llc", "registrar abuse", "registrar", "record type", "ttl value", "aaaa", "whois lookup", "admin country", "ca creation", "dnssec", "markmonitor", "siblings", "whois lookups", "expiration date", "registrar iana", "creation date", "first", "united", "as15169 google", "cname", "status", "virtool", "cryp", "as396982 google", "search", "name servers", "win32", "remote" ], "references": [ "MyChart Phishing Scams", "exploit_source IP's: 20.99.186.246 , 40.126.24.147 , 40.126.24.149 , 40.126.24.81 , 40.126.24.82", "VirTool:Win32/Obfuscator: 0.googleusercontent.com [hacking]", "https://www.anyxxxtube.net/search-porn/tsara-brashears/\t URL\thttp://45.159.189.105/bot/regex |\thttps://www.pornhub.com/gifs/search?search=tsara+lynn+brashears+lesbian" ], "public": 1, "adversary": "", "targeted_countries": [], "malware_families": [ { "id": "Win64-Trojan/Pakes.Exp", "display_name": "Win64-Trojan/Pakes.Exp", "target": null }, { "id": "Win64:RansomX-gen", "display_name": "Win64:RansomX-gen", "target": null } ], "attack_ids": [ { "id": "T1012", "name": "Query Registry", "display_name": "T1012 - Query Registry" }, { "id": "T1018", "name": "Remote System Discovery", "display_name": "T1018 - Remote System Discovery" }, { "id": "T1027", "name": "Obfuscated Files or Information", "display_name": "T1027 - Obfuscated Files or Information" }, { "id": "T1036", "name": "Masquerading", "display_name": "T1036 - Masquerading" }, { "id": "T1055", "name": "Process Injection", "display_name": "T1055 - Process Injection" }, { "id": "T1057", "name": "Process Discovery", "display_name": "T1057 - Process Discovery" }, { "id": "T1071", "name": "Application Layer Protocol", "display_name": "T1071 - Application Layer Protocol" }, { "id": "T1082", "name": "System Information Discovery", "display_name": "T1082 - System Information Discovery" }, { "id": "T1083", "name": "File and Directory Discovery", "display_name": "T1083 - File and Directory Discovery" }, { "id": "T1091", "name": "Replication Through Removable Media", "display_name": "T1091 - Replication Through Removable Media" }, { "id": "T1095", "name": "Non-Application Layer Protocol", "display_name": "T1095 - Non-Application Layer Protocol" }, { "id": "T1120", "name": "Peripheral Device Discovery", "display_name": "T1120 - Peripheral Device Discovery" }, { "id": "T1185", "name": "Man in the Browser", "display_name": "T1185 - Man in the Browser" }, { "id": "T1497", "name": "Virtualization/Sandbox Evasion", "display_name": "T1497 - Virtualization/Sandbox Evasion" }, { "id": "T1518", "name": "Software Discovery", "display_name": "T1518 - Software Discovery" }, { "id": "T1562", "name": "Impair Defenses", "display_name": "T1562 - Impair Defenses" }, { "id": "T1573", "name": "Encrypted Channel", "display_name": "T1573 - Encrypted Channel" } ], "industries": [ "Healthcare", "Technology" ], "TLP": "green", "cloned_from": null, "export_count": 27, "upvotes_count": 0, "downvotes_count": 0, "votes_count": 0, "locked": false, "pulse_source": "web", "validator_count": 0, "comment_count": 0, "follower_count": 0, "vote": 0, "author": { "username": "scoreblue", "id": "254100", "avatar_url": "/otxapi/users/avatar_image/media/avatars/user_254100/resized/80/avatar_3b9c358f36.png", "is_subscribed": false, "is_following": false }, "indicator_type_counts": { "FileHash-MD5": 37, "FileHash-SHA1": 33, "FileHash-SHA256": 3473, "domain": 693, "URL": 4384, "hostname": 1610, "CVE": 2, "email": 3 }, "indicator_count": 10235, "is_author": false, "is_subscribing": null, "subscriber_count": 231, "modified_text": "610 days ago ", "is_modified": true, "groups": [], "in_group": false, "threat_hunter_scannable": true, "threat_hunter_has_agents": 1, "related_indicator_type": "URL", "related_indicator_is_active": 1 } ], "error": null, "vt": { "error": "VirusTotal rate limit reached. Try again shortly.", "indicator": "https://docs.lingvanex.com", "type": "URL" }, "abuseipdb": null, "urlhaus": { "indicator": "https://docs.lingvanex.com", "type": "URL", "found": false, "verdict": "clean", "error": null }, "from_cache": true, "_cached_at": 1776629392.0559897 }