{
  "type": "URL",
  "indicator": "https://schedules.competitionsuite.com",
  "general": {
    "sections": [
      "general",
      "url_list",
      "http_scans",
      "screenshot"
    ],
    "indicator": "https://schedules.competitionsuite.com",
    "type": "url",
    "type_title": "URL",
    "validation": [],
    "base_indicator": {
      "id": 3989047403,
      "indicator": "https://schedules.competitionsuite.com",
      "type": "URL",
      "title": "",
      "description": "",
      "content": "",
      "access_type": "public",
      "access_reason": ""
    },
    "pulse_info": {
      "count": 4,
      "pulses": [
        {
          "id": "6a0fed56841e1b009c303267",
          "name": "Credit: scoreblue [Brian Sabey Orbiting Tsara Brashears and associates] clone",
          "description": "",
          "modified": "2026-05-22T05:44:54.655000",
          "created": "2026-05-22T05:44:54.655000",
          "tags": [
            "unknown",
            "united",
            "virgin islands",
            "as51852",
            "as33387",
            "as19905",
            "as44273 host",
            "cname",
            "nxdomain",
            "passive dns",
            "url http",
            "search",
            "type indicator",
            "role title",
            "added active",
            "related pulses",
            "entries",
            "urls",
            "files ip",
            "address domain",
            "ip related",
            "pulses otx",
            "pulses",
            "related tags",
            "indicator facts",
            "dga domain",
            "http",
            "unique",
            "scan endpoints",
            "all scoreblue",
            "pulse pulses",
            "ip address",
            "related nids",
            "log id",
            "gmtn",
            "go daddy",
            "authority",
            "tls web",
            "arizona",
            "scottsdale",
            "ca issuers",
            "b59bn timestamp",
            "ff2c217402202b",
            "code",
            "false",
            "url https",
            "domain",
            "trojan",
            "hostname",
            "files",
            "body",
            "date",
            "path max",
            "age86400 set",
            "cookie",
            "script urls",
            "type",
            "mtb may",
            "script script",
            "trojanspy",
            "striven",
            "miles2",
            "rexxfield",
            "http response",
            "final url",
            "serving ip",
            "address",
            "status code",
            "body length",
            "b body",
            "sha256",
            "date sat",
            "gmt server",
            "sakula malware",
            "historical ssl",
            "realteck audio",
            "lemon duck",
            "iocs",
            "tsara brashears",
            "loki password",
            "stealer",
            "windows",
            "auction",
            "metro",
            "core",
            "colibri loader",
            "hacktool",
            "status",
            "for privacy",
            "creation date",
            "record value",
            "name servers",
            "showing",
            "next",
            "mtb mar",
            "ipv4",
            "ransom",
            "west domains",
            "redacted for",
            "gmt location",
            "gmt max",
            "cowboy",
            "encrypt",
            "as60558 phoenix",
            "susp",
            "win32",
            "methodpost",
            "canada unknown",
            "as43350 nforce",
            "united kingdom",
            "as47846",
            "germany unknown",
            "briansabey",
            "body doubles",
            "orbiters",
            "malvertising",
            "cane",
            "get na",
            "show",
            "as16509",
            "delete c",
            "sinkhole cookie",
            "value snkz",
            "cape",
            "possible",
            "copy",
            "nivdort",
            "write",
            "bayrob",
            "malware",
            "exploit",
            "confirm https",
            "impact",
            "misc http",
            "cvss v2",
            "authentication",
            "n cvss",
            "v3 severity",
            "high attack",
            "emails",
            "cnc",
            "alphacrypt cnc",
            "beacon",
            "as15169 google",
            "limited",
            "as8560",
            "elite",
            "AS33387 nocix llc",
            "pegasus",
            "mercenary",
            "cellerebrand",
            "cellebrite",
            "apple",
            "dark",
            "apple ios",
            "ios",
            "apple iphone",
            "apple itunes",
            "itunes",
            "pegasystem",
            "data brokers",
            "hackers",
            "javascript",
            "please",
            "intel",
            "filehash",
            "av detections",
            "xorddos"
          ],
          "references": [
            "http://www.northpoleroute.com/78985064&type=0&resid=5312625",
            "espysite.azurewebsites.net - https://otx.alienvault.com/indicator/hostname/espysite.azurewebsites.net",
            "TrojanSpy:Win32/Nivdort.CW: FileHash-SHA256\t251150379b9a0ff230899777f0952d3833a88c1a2d6a0101ea13bdd91a9550fe",
            "TrojanSpy:Win32/Nivdort.CW: FileHash-SHA256 aa289c89f2cdbfe896f4c77c611d94aa95858797014b57e24d5fe2bb0997d7b0",
            "Ransom:Win32/Haperlock.A: FileHash-MD5 46480bf46cde2b3e79852661cc5c36fc",
            "Ransom:Win32/Haperlock.A: FileHash-SHA1 c881d1434164b35fb16107a25f84995b7fdef37f",
            "Ransom:Win32/Haperlock.A; FileHash-SHA256 8264c73f129d4895573c2375ea4e4636b9d5df66852ce72ccc20d31a96ae7df1",
            "IDS Detections: W32/Bayrob Attempted Checkin 2 Terse HTTP 1.0 Request Possible Nivdort W32/Bayrob Attempted Checkin",
            "IDS Detections: Possible Compromised Host AnubisNetworks Sinkhole Cookie Value Snkz",
            "Alerts: cape_detected_threat cape_extracted_content",
            "https://otx.alienvault.com/indicator/file/251150379b9a0ff230899777f0952d3833a88c1a2d6a0101ea13bdd91a9550fe",
            "https://otx.alienvault.com/indicator/url/https://www.anyxxxtube.net/search-porn/tsara-brashears/ [phishing]",
            "\"Windows SMB Information Disclosure Vulnerability.\" - https://otx.alienvault.com/indicator/cve/CVE-2017-0147",
            "Backdoor:Win32/Fynloski.A: FileHash-SHA256 4e692806955f9ee3f4c7a5d9a1ac7729eb53b855b39e6f9f943f89ccba30bd49",
            "Backdoor:Win32/Fynloski.A: FileHash-SHA 453355033bb7977831ca87cc90156b594f13b2ee",
            "Backdoor:Win32/Fynloski.A: FileHash-MD5 c3113684e8f8aa6d1b1b67d59141e845",
            "TrojanClicker:Win32/Ellell.A: FileHash-SHA256 7456108771e6a8bac658276c1cb9e18c8c348fdd9cd3538419751c3b5ef3ac02",
            "TrojanClicker:Win32/Ellell.A: FileHash-SHA1 7a52b57df5b3c67f810a71dc39ff93688b141534",
            "TrojanClicker:Win32/Ellell.A: 4d3e7d486ec5918d91e54e51c4d07dc6",
            "PWS:Win32/Ymacco.AA50: FileHash-SHA256 105834163b1a0c89e12917a3145e14be6030a611e07f7f62fa7c57de838d6251",
            "PWS:Win32/Ymacco.AA50: FileHash-SHA1 57486d33246bce6dfedb0836cd97c9acd4a4a39a",
            "PWS:Win32/Ymacco.AA50: FileHash-MD5 5739cd62eb88e2a7e514784fe7cf5ca4",
            "https://otx.alienvault.com/indicator/ip/162.222.213.199",
            "TrojanDownloader:Win32/PurityScan.MI!MTB: FileHash-SHA1 58ba8715a88d883537ba8d0e20eea2a4d9269cad",
            "Ransom:Win32/Tescrypt: FileHash-SHA256 916e13eb1e4313b2a04a2ae21b4955b8228183b26709a64284098ca759a8f437",
            "PWS:Win32/QQpass.B!MTB: FileHash-SHA256 71fa9257f88c15b438616662dc468327199edb570286c7259d333953006b8eec",
            "PWS:Win32/QQpass.B!MTB: FileHash-SHA1 fec703ee7c02ffe35c6b987bb9aac3a765e95dfb",
            "PWS:Win32/QQpass.B!MTB: FileHash-MD5 f7c36b4e5b4b09dc369163377aade2d7",
            "Trojan:Win32/Zombie.A: FileHash-SHA256 0b87667251b79cb800ddd88bdabecea8e13248c426d4a14ae0aae0ef5783f943",
            "Trojan:Win32/Zombie.A: FileHash-SHA1 de974c697f0401d681e1bb3c8694a663e9e43d8f",
            "Trojan:Win32/Zombie.A: FileHash-MD5 34e85820b41c14e07dd564f22997e893",
            "Win.Virus.TeslaCrypt3-2: 78af1fd5be62ab829e49f9a1b5fbb8a9b30f8d0804cba5805c8f350b841d522e",
            "IDS Detections : W32/Bayrob Attempted Checkin 2 CryptoWall Check-in AlphaCrypt CnC Beacon 4 Trojan-Ransom.Win32.Blocker.avsx",
            "IDS Detections : AlphaCrypt CnC Beacon 3 MalDoc Request for Payload Aug 17 2016 Koobface W32/Bayrob Attempted Checkin",
            "IDS Detections : Suspicious Accept in HTTP POST - Possible Alphacrypt/TeslaCrypt Alphacrypt/TeslaCrypt Ransomware CnC Beacon",
            "https://otx.alienvault.com/indicator/ip/185.230.63.186",
            "CnC IP's: 192.187.111.221  63.141.242.43  63.141.242.44  63.141.242.46 81.17.18.195  81.17.18.197 81.17.29.146  81.17.29.148",
            "http://islamicsoftwares.com/downloads/iphone/audioCont/2/107.tar.gz http://islamicsoftwares.com/downloads/iphone/audioCont/7/110.tar.gz",
            "smartphonesonline.co.uk  https://smartphonesonline.co.uk/  https://www.smartphonesonline.co.uk/ [192.187.111.222. US - Request HTTP -Target IP]",
            "Mercenary Attackers / Cellebrite branded as: http://teacellertea.com/Pegasus/ NSO",
            "https://itunes.apple.com/app/apple-store/id284815942/us/app/samsung-galaxy-watch-gear-s/id1117310635",
            "https://otx.alienvault.com/indicator/file/0002f7cbc10cfea832f117d66dea2d33e6ca1d5cea57d9af0784255e0112d658",
            "https://otx.alienvault.com/indicator/file/0002f7cbc10cfea832f117d66dea2d33e6ca1d5cea57d9af0784255e0112d658",
            "https://otx.alienvault.com/indicator/ip/63.141.242.45",
            "Yara Detections: is__elf ,  xorddos ,  LinuxXorDDoS_VariantTwo",
            "Antivirus Detections: ELF:Xorddos-AE\\ [Trj] ,  Unix.Trojan.Xorddos-1 ,",
            "Trojan:Linux/Xorddos: FileHash-MD5 3b4ce1333614cd21c109054630e959b9",
            "Trojan:Linux/Xorddos:  FileHash-SHA1 a5780498e6fce5933a7e7bf59a6fa5742e97f559",
            "Trojan:Linux/Xorddos: FileHash-SHA256 0002f7cbc10cfea832f117d66dea2d33e6ca1d5cea57d9af0784255e0112d658",
            "https://hallrender.com/attorney/brian-sabey"
          ],
          "public": 1,
          "adversary": "",
          "targeted_countries": [
            "United States of America",
            "United Kingdom of Great Britain and Northern Ireland"
          ],
          "malware_families": [
            {
              "id": "TrojanSpy:Win32/Nivdort.CW",
              "display_name": "TrojanSpy:Win32/Nivdort.CW",
              "target": "/malware/TrojanSpy:Win32/Nivdort.CW"
            },
            {
              "id": "Ransom:Win32/Haperlock.A",
              "display_name": "Ransom:Win32/Haperlock.A",
              "target": "/malware/Ransom:Win32/Haperlock.A"
            },
            {
              "id": "Backdoor:Win32/Fynloski.A",
              "display_name": "Backdoor:Win32/Fynloski.A",
              "target": "/malware/Backdoor:Win32/Fynloski.A"
            },
            {
              "id": "TrojanClicker:Win32/Ellell.A",
              "display_name": "TrojanClicker:Win32/Ellell.A",
              "target": "/malware/TrojanClicker:Win32/Ellell.A"
            },
            {
              "id": "Bayrob",
              "display_name": "Bayrob",
              "target": null
            },
            {
              "id": "Win.Virus.TeslaCrypt3-2/Custom",
              "display_name": "Win.Virus.TeslaCrypt3-2/Custom",
              "target": null
            },
            {
              "id": "PWS:Win32/Ymacco.AA50",
              "display_name": "PWS:Win32/Ymacco.AA50",
              "target": "/malware/PWS:Win32/Ymacco.AA50"
            },
            {
              "id": "Ransom:Win32/Tescrypt",
              "display_name": "Ransom:Win32/Tescrypt",
              "target": "/malware/Ransom:Win32/Tescrypt"
            },
            {
              "id": "PWS:Win32/QQpass.B!MTB",
              "display_name": "PWS:Win32/QQpass.B!MTB",
              "target": "/malware/PWS:Win32/QQpass.B!MTB"
            },
            {
              "id": "Trojan:Win32/Zombie.A",
              "display_name": "Trojan:Win32/Zombie.A",
              "target": "/malware/Trojan:Win32/Zombie.A"
            },
            {
              "id": "Pegasus for iOS - S0289",
              "display_name": "Pegasus for iOS - S0289",
              "target": null
            },
            {
              "id": "Pegasus for Android - MOB-S0032",
              "display_name": "Pegasus for Android - MOB-S0032",
              "target": null
            },
            {
              "id": "Ransomware",
              "display_name": "Ransomware",
              "target": null
            },
            {
              "id": "Trojan:Linux/Xorddos",
              "display_name": "Trojan:Linux/Xorddos",
              "target": "/malware/Trojan:Linux/Xorddos"
            },
            {
              "id": "Sakula RAT",
              "display_name": "Sakula RAT",
              "target": null
            }
          ],
          "attack_ids": [
            {
              "id": "T1512",
              "name": "Capture Camera",
              "display_name": "T1512 - Capture Camera"
            },
            {
              "id": "T1071",
              "name": "Application Layer Protocol",
              "display_name": "T1071 - Application Layer Protocol"
            },
            {
              "id": "TA0001",
              "name": "Initial Access",
              "display_name": "TA0001 - Initial Access"
            },
            {
              "id": "TA0002",
              "name": "Execution",
              "display_name": "TA0002 - Execution"
            },
            {
              "id": "TA0003",
              "name": "Persistence",
              "display_name": "TA0003 - Persistence"
            },
            {
              "id": "TA0004",
              "name": "Privilege Escalation",
              "display_name": "TA0004 - Privilege Escalation"
            },
            {
              "id": "TA0005",
              "name": "Defense Evasion",
              "display_name": "TA0005 - Defense Evasion"
            },
            {
              "id": "TA0007",
              "name": "Discovery",
              "display_name": "TA0007 - Discovery"
            },
            {
              "id": "TA0008",
              "name": "Lateral Movement",
              "display_name": "TA0008 - Lateral Movement"
            },
            {
              "id": "TA0009",
              "name": "Collection",
              "display_name": "TA0009 - Collection"
            },
            {
              "id": "TA0010",
              "name": "Exfiltration",
              "display_name": "TA0010 - Exfiltration"
            },
            {
              "id": "T1583",
              "name": "Acquire Infrastructure",
              "display_name": "T1583 - Acquire Infrastructure"
            },
            {
              "id": "T1105",
              "name": "Ingress Tool Transfer",
              "display_name": "T1105 - Ingress Tool Transfer"
            },
            {
              "id": "T1566",
              "name": "Phishing",
              "display_name": "T1566 - Phishing"
            },
            {
              "id": "T1598",
              "name": "Phishing for Information",
              "display_name": "T1598 - Phishing for Information"
            },
            {
              "id": "T1210",
              "name": "Exploitation of Remote Services",
              "display_name": "T1210 - Exploitation of Remote Services"
            },
            {
              "id": "TA0011",
              "name": "Command and Control",
              "display_name": "TA0011 - Command and Control"
            },
            {
              "id": "T1506",
              "name": "Web Session Cookie",
              "display_name": "T1506 - Web Session Cookie"
            },
            {
              "id": "T1071.004",
              "name": "DNS",
              "display_name": "T1071.004 - DNS"
            },
            {
              "id": "T1129",
              "name": "Shared Modules",
              "display_name": "T1129 - Shared Modules"
            },
            {
              "id": "T1051",
              "name": "Shared Webroot",
              "display_name": "T1051 - Shared Webroot"
            },
            {
              "id": "T1114",
              "name": "Email Collection",
              "display_name": "T1114 - Email Collection"
            },
            {
              "id": "T1123",
              "name": "Audio Capture",
              "display_name": "T1123 - Audio Capture"
            },
            {
              "id": "T1056.001",
              "name": "Keylogging",
              "display_name": "T1056.001 - Keylogging"
            },
            {
              "id": "T1155",
              "name": "AppleScript",
              "display_name": "T1155 - AppleScript"
            }
          ],
          "industries": [],
          "TLP": "green",
          "cloned_from": "66804428b487338dc16f70a7",
          "export_count": 5,
          "upvotes_count": 0,
          "downvotes_count": 0,
          "votes_count": 0,
          "locked": false,
          "pulse_source": "web",
          "validator_count": 0,
          "comment_count": 0,
          "follower_count": 0,
          "vote": 0,
          "author": {
            "username": "msudosos",
            "id": "381696",
            "avatar_url": "https://otx.alienvault.com/assets/images/default-avatar.png",
            "is_subscribed": false,
            "is_following": false
          },
          "indicator_type_counts": {
            "domain": 3885,
            "hostname": 1651,
            "URL": 5981,
            "FileHash-MD5": 486,
            "FileHash-SHA256": 3859,
            "SSLCertFingerprint": 2,
            "FileHash-SHA1": 487,
            "CVE": 7,
            "email": 8
          },
          "indicator_count": 16366,
          "is_author": false,
          "is_subscribing": null,
          "subscriber_count": 66,
          "modified_text": "9 days ago ",
          "is_modified": false,
          "groups": [],
          "in_group": false,
          "threat_hunter_scannable": true,
          "threat_hunter_has_agents": 1,
          "related_indicator_type": "URL",
          "related_indicator_is_active": 1
        },
        {
          "id": "69efc3a63f5aa5107bb41dbf",
          "name": "[clone-Jeffrey Reimer DPT Tsara Brashears Court Records | ]by scoreblue",
          "description": "",
          "modified": "2026-04-27T23:20:58.970000",
          "created": "2026-04-27T20:14:30.720000",
          "tags": [
            "reimer-jeffrey-v-brashears-tsara",
            "2017cv030026  suppressed",
            "case 2017cv030026  suppressed",
            "docket",
            "legal case",
            "legal",
            "litigation",
            "court cases",
            "state court docket",
            "robert r",
            "lung",
            "county",
            "case",
            "money",
            "ben l",
            "leutwyler iii",
            "reimer",
            "brashears",
            "douglas county",
            "tips",
            "district",
            "date",
            "judge",
            "shane",
            "bank",
            "contact",
            "service",
            "brashears accepts",
            "jeffrey scott",
            "reimer dpt",
            "reimer paid",
            "sa victim",
            "settlement",
            "reimer-jeffrey-paid-tsara-brahears-settlement",
            "reimer-jeffrey-claim-dismissed",
            "brashears-tsara-claims-upheld",
            "reverse dns",
            "general full",
            "protocol h2",
            "security tls",
            "resource",
            "united",
            "hash",
            "name value",
            "security",
            "main",
            "facebook",
            "brashears-tsara-v-reimer-jeffrey",
            "so false",
            "as134548 dxtl",
            "kwan o",
            "hong kong",
            "passive dns",
            "scan endpoints",
            "all scoreblue",
            "ipv4",
            "export graph",
            "historical ssl",
            "referrer",
            "gameprofitshack",
            "webstudio",
            "smartdata",
            "alloymedia",
            "industries",
            "theakkas",
            "korplug",
            "default",
            "module load",
            "t1129",
            "show",
            "search",
            "regbinary",
            "malware beacon",
            "upatre",
            "suspicious",
            "trojan",
            "copy",
            "dock",
            "downloader",
            "loader",
            "write",
            "malware",
            "av detections",
            "ids detections",
            "yara detections",
            "alerts",
            "related pulses",
            "dashboard",
            "browse scan",
            "endpoints all",
            "showing",
            "p2p zeus",
            "september",
            "popper",
            "cookies",
            "x function",
            "hsp boolean",
            "oribili boolean",
            "hstcran",
            "hsusertoken",
            "domainpath name",
            "ns nxdomain",
            "parked",
            "tsara won",
            "brashears prevails",
            "reimer dismissal",
            "dangerous data collection",
            "get device",
            "parked uri"
          ],
          "references": [
            "Scam Aggregators: https://trellis.law/case/8035/2017cv030026-suppressed/reimer-jeffrey-v-brashears-tsara [parked here: ctjsz.com]",
            "http://www.qq664.com/seximanhua/22128.html [looks legit to me]",
            "sex2e.com  | http://qq664.com/seximanhua/22128.html [trellis.law]",
            "https://prnbae.com/191693/at-37-ellie-discovers-the-unique-sensations-of-double-vaginal-sex/ [trellis.law]",
            "http://www.philippinesredcat.com/girls-for-sex-in-manila/ [trellis.law]",
            "http://us.1.powerfront.com/thehealthylivingshow/scripts/redir.asp?link=https://www.sexbestgals.info/cougar-porn/ [trellis.law]",
            "https://help.competitionsuite.com/article/76-using-the-judge-app-tablets",
            "https://www.paidhmars.com/",
            "https://urlscan.io/result/e4ed8a1d-1b23-46cd-a237-a2ad4e974fc3/content/",
            "False: This case was filed in Douglas County Superior Courts with Jeffrey K Holmes presiding. | Who is he?",
            "False: Never served. Had several PI's and background checks",
            "Jeffrey Scott Reimer DPT was allegedly arrested 02/14/2022 |  Very unreliable self proclaimed PI's (multiple)",
            "Brian Sabey begged victim to accept tiny settlement. Contingency, 'Brashears may use  settlement to find hacker.'",
            "Judge Shay Whittaker dismissed Reimers 'malicious' prosecution claom",
            "Reimers case V Brashears in 2017 after Denver Police Major Crimes located Reimer",
            "Brashears documented on corr record she wanted to proceed with case",
            "Brian Sabey Speaking for Jeffrey Scott Reimer DPT refused further court proceedings",
            "Brian Sabey offered Brashears a settlement. Begged her to accept it.",
            "Case: Defamation of character based on truthful reviews left on HealthGrades.",
            "A series of reviews detailing Jeffrey Reimer DPT egregious behavior proved not left by Brashears except 2 with comments -4",
            "Brashears Review: 'He would benefit from more training' [Very considerate considering the complimentary spinal cord injuries 'plural']",
            "Health Grades erased 20+ positive reviews that originated from Reimers email address.",
            "Most of not all  positive Jeffrey Reimer DPT reviews are false.  Reimer wasn't practicing when 'amazing' trat,ent alleged",
            "Brian Sabey. Esq filed motion to dismiss after judge dismissed Reimers meritlesscase",
            "Brian Sabey would  be most foolish after it was determined Brashears was 100% disabled. This was cause by Jeffrey Scott Reimer DPT",
            "Brashears would gladly go to court as stated in court documents to then judge who wished to be briefed by Brashears. Thwarted by Sabey.",
            "Brian Sabey wanted to appear to win. Sandy demanded Brashears remove every patients negative review about Jeffrey Reimer DPT",
            "Brian Sabey had cashiers check delivered to Brashears in person.",
            "Victim is willing to have her attorney post entire court proceedings online , on YouTube and more",
            "There is NO other physical therapist with as many reviews as Jeffrey Reimer DPT, even non offenders. Reimers clientele is largely non-english speaking.",
            "Reimer often criticized non English speakers, large women and short Hispanic men according to witness.",
            "He also spoke frequently about Brashears infamously 'real' large bosom and figure. He decided to touch, grab, grope, assault,injure, beg for more",
            "Jeffrey Scott Reimer PT , DPT. assaulters defense: 'I had to be of the top/front of Brashears, She consented!'",
            "False: Brashears didn't expect this coming. Jeffrey Reimer DPT suddenly jumped on top of Brashears and tried to start a family. He didn't ask.",
            "Unless tampered with, court records will show Brashears dropped as a patient to be told she'd face legal consequences if she did.",
            "Survivor was told an investigation would begin, she'd be safe among other careless things her MD advised",
            "Brashears would LOVE for the true court proceedings to be read. She feels they were hacked away. DougCo was unable to 'print' records 'glitch'",
            "Did I mention she prevailed, won, got a check? Tsara Lynn Brashears survivor; won her counter claim. Weak Reimer claim burned like a dying moth.",
            "Trellis: 3.223.115.185 In cloud provider range: provider=AWS\t  IPv4 34.240.160.162 In cloud provider range: provider=AWS",
            "Trellis: http://blockpage.bt.com/pcstaticpage/blocked.html?list=BT |  https://search.app.goo.gl/?ofl",
            "Trellis: www.youtube.com/watch?v=GyuMozsVyYs \t\u00bb Survivors video references assault. Does not name or depict Reimers likeness.",
            "Trellis: Hostname blockpage.bt.com | hdredirect-lb7-5a03e1c2772e1c9c.elb.us-east-1.amazonaws.com | itunes.apple.com | search.app.goo.gl  | www.youtube.com",
            "Trellis: https://itunes.apple.com/app/apple-store/id284815942/us/app/samsung-galaxy-watch-gear-s/id1117310635",
            "IDS Detections: Downloader (P2P Zeus dropper UA) Common Upatre Header Structure 2 Upatre Retrieving encoded payload (Common Header Struct)",
            "IDS Detections: Suspicious User-Agent containing Loader Observed TLS Handshake Failure",
            "Trellis: High Priority Alerts: network_icmp modifies_proxy_wpad packer_polymorphic",
            "Trellis:TrojanDownloader:Win32/Upatre.A  | Yara Detections Upack_all_versions",
            "Trellis: secure04-appleid.com | http://secure04-appleid.com | cpcalendars.secure04-appleid.com"
          ],
          "public": 1,
          "adversary": "Parking Crew",
          "targeted_countries": [
            "United States of America"
          ],
          "malware_families": [
            {
              "id": "Trojan:Win32/Zbot.SIBG3!MTB",
              "display_name": "Trojan:Win32/Zbot.SIBG3!MTB",
              "target": "/malware/Trojan:Win32/Zbot.SIBG3!MTB"
            },
            {
              "id": "TrojanDownloader:Win32/Upatre.A",
              "display_name": "TrojanDownloader:Win32/Upatre.A",
              "target": "/malware/TrojanDownloader:Win32/Upatre.A"
            },
            {
              "id": "P2P ZeuS - S0016",
              "display_name": "P2P ZeuS - S0016",
              "target": null
            }
          ],
          "attack_ids": [
            {
              "id": "T1040",
              "name": "Network Sniffing",
              "display_name": "T1040 - Network Sniffing"
            },
            {
              "id": "T1045",
              "name": "Software Packing",
              "display_name": "T1045 - Software Packing"
            },
            {
              "id": "T1060",
              "name": "Registry Run Keys / Startup Folder",
              "display_name": "T1060 - Registry Run Keys / Startup Folder"
            },
            {
              "id": "T1129",
              "name": "Shared Modules",
              "display_name": "T1129 - Shared Modules"
            },
            {
              "id": "T1143",
              "name": "Hidden Window",
              "display_name": "T1143 - Hidden Window"
            },
            {
              "id": "T1598",
              "name": "Phishing for Information",
              "display_name": "T1598 - Phishing for Information"
            },
            {
              "id": "T1031",
              "name": "Modify Existing Service",
              "display_name": "T1031 - Modify Existing Service"
            },
            {
              "id": "T1023",
              "name": "Shortcut Modification",
              "display_name": "T1023 - Shortcut Modification"
            },
            {
              "id": "T1399",
              "name": "Modify Trusted Execution Environment",
              "display_name": "T1399 - Modify Trusted Execution Environment"
            },
            {
              "id": "T1155",
              "name": "AppleScript",
              "display_name": "T1155 - AppleScript"
            }
          ],
          "industries": [
            "Research",
            "Telecommunications",
            "Technology",
            "Civilians"
          ],
          "TLP": "green",
          "cloned_from": "66d490668683aec2631cfa20",
          "export_count": 0,
          "upvotes_count": 0,
          "downvotes_count": 0,
          "votes_count": 0,
          "locked": false,
          "pulse_source": "web",
          "validator_count": 0,
          "comment_count": 0,
          "follower_count": 0,
          "vote": 0,
          "author": {
            "username": "msudosos",
            "id": "381696",
            "avatar_url": "https://otx.alienvault.com/assets/images/default-avatar.png",
            "is_subscribed": false,
            "is_following": false
          },
          "indicator_type_counts": {
            "FileHash-MD5": 269,
            "FileHash-SHA1": 266,
            "FileHash-SHA256": 981,
            "domain": 480,
            "hostname": 684,
            "email": 1,
            "URL": 2102
          },
          "indicator_count": 4783,
          "is_author": false,
          "is_subscribing": null,
          "subscriber_count": 65,
          "modified_text": "33 days ago ",
          "is_modified": true,
          "groups": [],
          "in_group": false,
          "threat_hunter_scannable": true,
          "threat_hunter_has_agents": 1,
          "related_indicator_type": "URL",
          "related_indicator_is_active": 1
        },
        {
          "id": "66804428b487338dc16f70a7",
          "name": "Brian Sabey Orbiting Tsara Brashears and associates | Espionage | Said client: Jeffrey Reimer",
          "description": "Brian Sabey & large team continue excessive orbiting target & family members in multiple states. \nUnwarranted, dangerous and illegal. \nLarge attacks have wreaked havoc on medical establishments, targets medical profile, once profitable business, legal manipulation, financial well being. forced poverty, swatting, imfostealer, insurance fraud, intellectual property use, Audi le spying, in person stalking, confrontations, great bodily harm, loss of peace, safety. basic human rights and privacy, phone call redirection, malvertising. In the name of assaulter Jeffrey Scott Reimer",
          "modified": "2024-11-05T10:00:12.606000",
          "created": "2024-06-29T17:28:08.283000",
          "tags": [
            "unknown",
            "united",
            "virgin islands",
            "as51852",
            "as33387",
            "as19905",
            "as44273 host",
            "cname",
            "nxdomain",
            "passive dns",
            "url http",
            "search",
            "type indicator",
            "role title",
            "added active",
            "related pulses",
            "entries",
            "urls",
            "files ip",
            "address domain",
            "ip related",
            "pulses otx",
            "pulses",
            "related tags",
            "indicator facts",
            "dga domain",
            "http",
            "unique",
            "scan endpoints",
            "all scoreblue",
            "pulse pulses",
            "ip address",
            "related nids",
            "log id",
            "gmtn",
            "go daddy",
            "authority",
            "tls web",
            "arizona",
            "scottsdale",
            "ca issuers",
            "b59bn timestamp",
            "ff2c217402202b",
            "code",
            "false",
            "url https",
            "domain",
            "trojan",
            "hostname",
            "files",
            "body",
            "date",
            "path max",
            "age86400 set",
            "cookie",
            "script urls",
            "type",
            "mtb may",
            "script script",
            "trojanspy",
            "striven",
            "miles2",
            "rexxfield",
            "http response",
            "final url",
            "serving ip",
            "address",
            "status code",
            "body length",
            "b body",
            "sha256",
            "date sat",
            "gmt server",
            "sakula malware",
            "historical ssl",
            "realteck audio",
            "lemon duck",
            "iocs",
            "tsara brashears",
            "loki password",
            "stealer",
            "windows",
            "auction",
            "metro",
            "core",
            "colibri loader",
            "hacktool",
            "status",
            "for privacy",
            "creation date",
            "record value",
            "name servers",
            "showing",
            "next",
            "mtb mar",
            "ipv4",
            "ransom",
            "west domains",
            "redacted for",
            "gmt location",
            "gmt max",
            "cowboy",
            "encrypt",
            "as60558 phoenix",
            "susp",
            "win32",
            "methodpost",
            "canada unknown",
            "as43350 nforce",
            "united kingdom",
            "as47846",
            "germany unknown",
            "briansabey",
            "body doubles",
            "orbiters",
            "malvertising",
            "cane",
            "get na",
            "show",
            "as16509",
            "delete c",
            "sinkhole cookie",
            "value snkz",
            "cape",
            "possible",
            "copy",
            "nivdort",
            "write",
            "bayrob",
            "malware",
            "exploit",
            "confirm https",
            "impact",
            "misc http",
            "cvss v2",
            "authentication",
            "n cvss",
            "v3 severity",
            "high attack",
            "emails",
            "cnc",
            "alphacrypt cnc",
            "beacon",
            "as15169 google",
            "limited",
            "as8560",
            "elite",
            "AS33387 nocix llc",
            "pegasus",
            "mercenary",
            "cellerebrand",
            "cellebrite",
            "apple",
            "dark",
            "apple ios",
            "ios",
            "apple iphone",
            "apple itunes",
            "itunes",
            "pegasystem",
            "data brokers",
            "hackers",
            "javascript",
            "please",
            "intel",
            "filehash",
            "av detections",
            "xorddos"
          ],
          "references": [
            "http://www.northpoleroute.com/78985064&type=0&resid=5312625",
            "espysite.azurewebsites.net - https://otx.alienvault.com/indicator/hostname/espysite.azurewebsites.net",
            "TrojanSpy:Win32/Nivdort.CW: FileHash-SHA256\t251150379b9a0ff230899777f0952d3833a88c1a2d6a0101ea13bdd91a9550fe",
            "TrojanSpy:Win32/Nivdort.CW: FileHash-SHA256 aa289c89f2cdbfe896f4c77c611d94aa95858797014b57e24d5fe2bb0997d7b0",
            "Ransom:Win32/Haperlock.A: FileHash-MD5 46480bf46cde2b3e79852661cc5c36fc",
            "Ransom:Win32/Haperlock.A: FileHash-SHA1 c881d1434164b35fb16107a25f84995b7fdef37f",
            "Ransom:Win32/Haperlock.A; FileHash-SHA256 8264c73f129d4895573c2375ea4e4636b9d5df66852ce72ccc20d31a96ae7df1",
            "IDS Detections: W32/Bayrob Attempted Checkin 2 Terse HTTP 1.0 Request Possible Nivdort W32/Bayrob Attempted Checkin",
            "IDS Detections: Possible Compromised Host AnubisNetworks Sinkhole Cookie Value Snkz",
            "Alerts: cape_detected_threat cape_extracted_content",
            "https://otx.alienvault.com/indicator/file/251150379b9a0ff230899777f0952d3833a88c1a2d6a0101ea13bdd91a9550fe",
            "https://otx.alienvault.com/indicator/url/https://www.anyxxxtube.net/search-porn/tsara-brashears/ [phishing]",
            "\"Windows SMB Information Disclosure Vulnerability.\" - https://otx.alienvault.com/indicator/cve/CVE-2017-0147",
            "Backdoor:Win32/Fynloski.A: FileHash-SHA256 4e692806955f9ee3f4c7a5d9a1ac7729eb53b855b39e6f9f943f89ccba30bd49",
            "Backdoor:Win32/Fynloski.A: FileHash-SHA 453355033bb7977831ca87cc90156b594f13b2ee",
            "Backdoor:Win32/Fynloski.A: FileHash-MD5 c3113684e8f8aa6d1b1b67d59141e845",
            "TrojanClicker:Win32/Ellell.A: FileHash-SHA256 7456108771e6a8bac658276c1cb9e18c8c348fdd9cd3538419751c3b5ef3ac02",
            "TrojanClicker:Win32/Ellell.A: FileHash-SHA1 7a52b57df5b3c67f810a71dc39ff93688b141534",
            "TrojanClicker:Win32/Ellell.A: 4d3e7d486ec5918d91e54e51c4d07dc6",
            "PWS:Win32/Ymacco.AA50: FileHash-SHA256 105834163b1a0c89e12917a3145e14be6030a611e07f7f62fa7c57de838d6251",
            "PWS:Win32/Ymacco.AA50: FileHash-SHA1 57486d33246bce6dfedb0836cd97c9acd4a4a39a",
            "PWS:Win32/Ymacco.AA50: FileHash-MD5 5739cd62eb88e2a7e514784fe7cf5ca4",
            "https://otx.alienvault.com/indicator/ip/162.222.213.199",
            "TrojanDownloader:Win32/PurityScan.MI!MTB: FileHash-SHA1 58ba8715a88d883537ba8d0e20eea2a4d9269cad",
            "Ransom:Win32/Tescrypt: FileHash-SHA256 916e13eb1e4313b2a04a2ae21b4955b8228183b26709a64284098ca759a8f437",
            "PWS:Win32/QQpass.B!MTB: FileHash-SHA256 71fa9257f88c15b438616662dc468327199edb570286c7259d333953006b8eec",
            "PWS:Win32/QQpass.B!MTB: FileHash-SHA1 fec703ee7c02ffe35c6b987bb9aac3a765e95dfb",
            "PWS:Win32/QQpass.B!MTB: FileHash-MD5 f7c36b4e5b4b09dc369163377aade2d7",
            "Trojan:Win32/Zombie.A: FileHash-SHA256 0b87667251b79cb800ddd88bdabecea8e13248c426d4a14ae0aae0ef5783f943",
            "Trojan:Win32/Zombie.A: FileHash-SHA1 de974c697f0401d681e1bb3c8694a663e9e43d8f",
            "Trojan:Win32/Zombie.A: FileHash-MD5 34e85820b41c14e07dd564f22997e893",
            "Win.Virus.TeslaCrypt3-2: 78af1fd5be62ab829e49f9a1b5fbb8a9b30f8d0804cba5805c8f350b841d522e",
            "IDS Detections : W32/Bayrob Attempted Checkin 2 CryptoWall Check-in AlphaCrypt CnC Beacon 4 Trojan-Ransom.Win32.Blocker.avsx",
            "IDS Detections : AlphaCrypt CnC Beacon 3 MalDoc Request for Payload Aug 17 2016 Koobface W32/Bayrob Attempted Checkin",
            "IDS Detections : Suspicious Accept in HTTP POST - Possible Alphacrypt/TeslaCrypt Alphacrypt/TeslaCrypt Ransomware CnC Beacon",
            "https://otx.alienvault.com/indicator/ip/185.230.63.186",
            "CnC IP's: 192.187.111.221  63.141.242.43  63.141.242.44  63.141.242.46 81.17.18.195  81.17.18.197 81.17.29.146  81.17.29.148",
            "http://islamicsoftwares.com/downloads/iphone/audioCont/2/107.tar.gz http://islamicsoftwares.com/downloads/iphone/audioCont/7/110.tar.gz",
            "smartphonesonline.co.uk  https://smartphonesonline.co.uk/  https://www.smartphonesonline.co.uk/ [192.187.111.222. US - Request HTTP -Target IP]",
            "Mercenary Attackers / Cellebrite branded as: http://teacellertea.com/Pegasus/ NSO",
            "https://itunes.apple.com/app/apple-store/id284815942/us/app/samsung-galaxy-watch-gear-s/id1117310635",
            "https://otx.alienvault.com/indicator/file/0002f7cbc10cfea832f117d66dea2d33e6ca1d5cea57d9af0784255e0112d658",
            "https://otx.alienvault.com/indicator/file/0002f7cbc10cfea832f117d66dea2d33e6ca1d5cea57d9af0784255e0112d658",
            "https://otx.alienvault.com/indicator/ip/63.141.242.45",
            "Yara Detections: is__elf ,  xorddos ,  LinuxXorDDoS_VariantTwo",
            "Antivirus Detections: ELF:Xorddos-AE\\ [Trj] ,  Unix.Trojan.Xorddos-1 ,",
            "Trojan:Linux/Xorddos: FileHash-MD5 3b4ce1333614cd21c109054630e959b9",
            "Trojan:Linux/Xorddos:  FileHash-SHA1 a5780498e6fce5933a7e7bf59a6fa5742e97f559",
            "Trojan:Linux/Xorddos: FileHash-SHA256 0002f7cbc10cfea832f117d66dea2d33e6ca1d5cea57d9af0784255e0112d658",
            "https://hallrender.com/attorney/brian-sabey"
          ],
          "public": 1,
          "adversary": "",
          "targeted_countries": [
            "United States of America",
            "United Kingdom of Great Britain and Northern Ireland"
          ],
          "malware_families": [
            {
              "id": "TrojanSpy:Win32/Nivdort.CW",
              "display_name": "TrojanSpy:Win32/Nivdort.CW",
              "target": "/malware/TrojanSpy:Win32/Nivdort.CW"
            },
            {
              "id": "Ransom:Win32/Haperlock.A",
              "display_name": "Ransom:Win32/Haperlock.A",
              "target": "/malware/Ransom:Win32/Haperlock.A"
            },
            {
              "id": "Backdoor:Win32/Fynloski.A",
              "display_name": "Backdoor:Win32/Fynloski.A",
              "target": "/malware/Backdoor:Win32/Fynloski.A"
            },
            {
              "id": "TrojanClicker:Win32/Ellell.A",
              "display_name": "TrojanClicker:Win32/Ellell.A",
              "target": "/malware/TrojanClicker:Win32/Ellell.A"
            },
            {
              "id": "Bayrob",
              "display_name": "Bayrob",
              "target": null
            },
            {
              "id": "Win.Virus.TeslaCrypt3-2/Custom",
              "display_name": "Win.Virus.TeslaCrypt3-2/Custom",
              "target": null
            },
            {
              "id": "PWS:Win32/Ymacco.AA50",
              "display_name": "PWS:Win32/Ymacco.AA50",
              "target": "/malware/PWS:Win32/Ymacco.AA50"
            },
            {
              "id": "Ransom:Win32/Tescrypt",
              "display_name": "Ransom:Win32/Tescrypt",
              "target": "/malware/Ransom:Win32/Tescrypt"
            },
            {
              "id": "PWS:Win32/QQpass.B!MTB",
              "display_name": "PWS:Win32/QQpass.B!MTB",
              "target": "/malware/PWS:Win32/QQpass.B!MTB"
            },
            {
              "id": "Trojan:Win32/Zombie.A",
              "display_name": "Trojan:Win32/Zombie.A",
              "target": "/malware/Trojan:Win32/Zombie.A"
            },
            {
              "id": "Pegasus for iOS - S0289",
              "display_name": "Pegasus for iOS - S0289",
              "target": null
            },
            {
              "id": "Pegasus for Android - MOB-S0032",
              "display_name": "Pegasus for Android - MOB-S0032",
              "target": null
            },
            {
              "id": "Ransomware",
              "display_name": "Ransomware",
              "target": null
            },
            {
              "id": "Trojan:Linux/Xorddos",
              "display_name": "Trojan:Linux/Xorddos",
              "target": "/malware/Trojan:Linux/Xorddos"
            },
            {
              "id": "Sakula RAT",
              "display_name": "Sakula RAT",
              "target": null
            }
          ],
          "attack_ids": [
            {
              "id": "T1512",
              "name": "Capture Camera",
              "display_name": "T1512 - Capture Camera"
            },
            {
              "id": "T1071",
              "name": "Application Layer Protocol",
              "display_name": "T1071 - Application Layer Protocol"
            },
            {
              "id": "TA0001",
              "name": "Initial Access",
              "display_name": "TA0001 - Initial Access"
            },
            {
              "id": "TA0002",
              "name": "Execution",
              "display_name": "TA0002 - Execution"
            },
            {
              "id": "TA0003",
              "name": "Persistence",
              "display_name": "TA0003 - Persistence"
            },
            {
              "id": "TA0004",
              "name": "Privilege Escalation",
              "display_name": "TA0004 - Privilege Escalation"
            },
            {
              "id": "TA0005",
              "name": "Defense Evasion",
              "display_name": "TA0005 - Defense Evasion"
            },
            {
              "id": "TA0007",
              "name": "Discovery",
              "display_name": "TA0007 - Discovery"
            },
            {
              "id": "TA0008",
              "name": "Lateral Movement",
              "display_name": "TA0008 - Lateral Movement"
            },
            {
              "id": "TA0009",
              "name": "Collection",
              "display_name": "TA0009 - Collection"
            },
            {
              "id": "TA0010",
              "name": "Exfiltration",
              "display_name": "TA0010 - Exfiltration"
            },
            {
              "id": "T1583",
              "name": "Acquire Infrastructure",
              "display_name": "T1583 - Acquire Infrastructure"
            },
            {
              "id": "T1105",
              "name": "Ingress Tool Transfer",
              "display_name": "T1105 - Ingress Tool Transfer"
            },
            {
              "id": "T1566",
              "name": "Phishing",
              "display_name": "T1566 - Phishing"
            },
            {
              "id": "T1598",
              "name": "Phishing for Information",
              "display_name": "T1598 - Phishing for Information"
            },
            {
              "id": "T1210",
              "name": "Exploitation of Remote Services",
              "display_name": "T1210 - Exploitation of Remote Services"
            },
            {
              "id": "TA0011",
              "name": "Command and Control",
              "display_name": "TA0011 - Command and Control"
            },
            {
              "id": "T1506",
              "name": "Web Session Cookie",
              "display_name": "T1506 - Web Session Cookie"
            },
            {
              "id": "T1071.004",
              "name": "DNS",
              "display_name": "T1071.004 - DNS"
            },
            {
              "id": "T1129",
              "name": "Shared Modules",
              "display_name": "T1129 - Shared Modules"
            },
            {
              "id": "T1051",
              "name": "Shared Webroot",
              "display_name": "T1051 - Shared Webroot"
            },
            {
              "id": "T1114",
              "name": "Email Collection",
              "display_name": "T1114 - Email Collection"
            },
            {
              "id": "T1123",
              "name": "Audio Capture",
              "display_name": "T1123 - Audio Capture"
            },
            {
              "id": "T1056.001",
              "name": "Keylogging",
              "display_name": "T1056.001 - Keylogging"
            },
            {
              "id": "T1155",
              "name": "AppleScript",
              "display_name": "T1155 - AppleScript"
            }
          ],
          "industries": [],
          "TLP": "green",
          "cloned_from": null,
          "export_count": 106,
          "upvotes_count": 0,
          "downvotes_count": 0,
          "votes_count": 0,
          "locked": false,
          "pulse_source": "web",
          "validator_count": 0,
          "comment_count": 2,
          "follower_count": 0,
          "vote": 0,
          "author": {
            "username": "scoreblue",
            "id": "254100",
            "avatar_url": "/otxapi/users/avatar_image/media/avatars/user_254100/resized/80/avatar_3b9c358f36.png",
            "is_subscribed": false,
            "is_following": false
          },
          "indicator_type_counts": {
            "domain": 3885,
            "hostname": 1651,
            "URL": 5981,
            "FileHash-MD5": 486,
            "FileHash-SHA256": 3859,
            "SSLCertFingerprint": 2,
            "FileHash-SHA1": 487,
            "CVE": 7,
            "email": 8
          },
          "indicator_count": 16366,
          "is_author": false,
          "is_subscribing": null,
          "subscriber_count": 233,
          "modified_text": "572 days ago ",
          "is_modified": true,
          "groups": [],
          "in_group": false,
          "threat_hunter_scannable": true,
          "threat_hunter_has_agents": 1,
          "related_indicator_type": "URL",
          "related_indicator_is_active": 1
        },
        {
          "id": "66d490668683aec2631cfa20",
          "name": "Jeffrey Reimer DPT Tsara Brashears Court Records | Trellis.Law",
          "description": "Phishing expedition: malicious bait. Threat actor/s are attempting to hack whoever can see and clicks on the link. The URL is parked, is malicious, and attempts to infiltrate the device.",
          "modified": "2024-11-05T00:02:43.336000",
          "created": "2024-09-01T16:03:50.411000",
          "tags": [
            "reimer-jeffrey-v-brashears-tsara",
            "2017cv030026  suppressed",
            "case 2017cv030026  suppressed",
            "docket",
            "legal case",
            "legal",
            "litigation",
            "court cases",
            "state court docket",
            "robert r",
            "lung",
            "county",
            "case",
            "money",
            "ben l",
            "leutwyler iii",
            "reimer",
            "brashears",
            "douglas county",
            "tips",
            "district",
            "date",
            "judge",
            "shane",
            "bank",
            "contact",
            "service",
            "brashears accepts",
            "jeffrey scott",
            "reimer dpt",
            "reimer paid",
            "sa victim",
            "settlement",
            "reimer-jeffrey-paid-tsara-brahears-settlement",
            "reimer-jeffrey-claim-dismissed",
            "brashears-tsara-claims-upheld",
            "reverse dns",
            "general full",
            "protocol h2",
            "security tls",
            "resource",
            "united",
            "hash",
            "name value",
            "security",
            "main",
            "facebook",
            "brashears-tsara-v-reimer-jeffrey",
            "so false",
            "as134548 dxtl",
            "kwan o",
            "hong kong",
            "passive dns",
            "scan endpoints",
            "all scoreblue",
            "ipv4",
            "export graph",
            "historical ssl",
            "referrer",
            "gameprofitshack",
            "webstudio",
            "smartdata",
            "alloymedia",
            "industries",
            "theakkas",
            "korplug",
            "default",
            "module load",
            "t1129",
            "show",
            "search",
            "regbinary",
            "malware beacon",
            "upatre",
            "suspicious",
            "trojan",
            "copy",
            "dock",
            "downloader",
            "loader",
            "write",
            "malware",
            "av detections",
            "ids detections",
            "yara detections",
            "alerts",
            "related pulses",
            "dashboard",
            "browse scan",
            "endpoints all",
            "showing",
            "p2p zeus",
            "september",
            "popper",
            "cookies",
            "x function",
            "hsp boolean",
            "oribili boolean",
            "hstcran",
            "hsusertoken",
            "domainpath name",
            "ns nxdomain",
            "parked",
            "tsara won",
            "brashears prevails",
            "reimer dismissal",
            "dangerous data collection",
            "get device",
            "parked uri"
          ],
          "references": [
            "Scam Aggregators: https://trellis.law/case/8035/2017cv030026-suppressed/reimer-jeffrey-v-brashears-tsara [parked here: ctjsz.com]",
            "http://www.qq664.com/seximanhua/22128.html [looks legit to me]",
            "sex2e.com  | http://qq664.com/seximanhua/22128.html [trellis.law]",
            "https://prnbae.com/191693/at-37-ellie-discovers-the-unique-sensations-of-double-vaginal-sex/ [trellis.law]",
            "http://www.philippinesredcat.com/girls-for-sex-in-manila/ [trellis.law]",
            "http://us.1.powerfront.com/thehealthylivingshow/scripts/redir.asp?link=https://www.sexbestgals.info/cougar-porn/ [trellis.law]",
            "https://help.competitionsuite.com/article/76-using-the-judge-app-tablets",
            "https://www.paidhmars.com/",
            "https://urlscan.io/result/e4ed8a1d-1b23-46cd-a237-a2ad4e974fc3/content/",
            "False: This case was filed in Douglas County Superior Courts with Jeffrey K Holmes presiding. | Who is he?",
            "False: Never served. Had several PI's and background checks",
            "Jeffrey Scott Reimer DPT was allegedly arrested 02/14/2022 |  Very unreliable self proclaimed PI's (multiple)",
            "Brian Sabey begged victim to accept tiny settlement. Contingency, 'Brashears may use  settlement to find hacker.'",
            "Judge Shay Whittaker dismissed Reimers 'malicious' prosecution claom",
            "Reimers case V Brashears in 2017 after Denver Police Major Crimes located Reimer",
            "Brashears documented on corr record she wanted to proceed with case",
            "Brian Sabey Speaking for Jeffrey Scott Reimer DPT refused further court proceedings",
            "Brian Sabey offered Brashears a settlement. Begged her to accept it.",
            "Case: Defamation of character based on truthful reviews left on HealthGrades.",
            "A series of reviews detailing Jeffrey Reimer DPT egregious behavior proved not left by Brashears except 2 with comments -4",
            "Brashears Review: 'He would benefit from more training' [Very considerate considering the complimentary spinal cord injuries 'plural']",
            "Health Grades erased 20+ positive reviews that originated from Reimers email address.",
            "Most of not all  positive Jeffrey Reimer DPT reviews are false.  Reimer wasn't practicing when 'amazing' trat,ent alleged",
            "Brian Sabey. Esq filed motion to dismiss after judge dismissed Reimers meritlesscase",
            "Brian Sabey would  be most foolish after it was determined Brashears was 100% disabled. This was cause by Jeffrey Scott Reimer DPT",
            "Brashears would gladly go to court as stated in court documents to then judge who wished to be briefed by Brashears. Thwarted by Sabey.",
            "Brian Sabey wanted to appear to win. Sandy demanded Brashears remove every patients negative review about Jeffrey Reimer DPT",
            "Brian Sabey had cashiers check delivered to Brashears in person.",
            "Victim is willing to have her attorney post entire court proceedings online , on YouTube and more",
            "There is NO other physical therapist with as many reviews as Jeffrey Reimer DPT, even non offenders. Reimers clientele is largely non-english speaking.",
            "Reimer often criticized non English speakers, large women and short Hispanic men according to witness.",
            "He also spoke frequently about Brashears infamously 'real' large bosom and figure. He decided to touch, grab, grope, assault,injure, beg for more",
            "Jeffrey Scott Reimer PT , DPT. assaulters defense: 'I had to be of the top/front of Brashears, She consented!'",
            "False: Brashears didn't expect this coming. Jeffrey Reimer DPT suddenly jumped on top of Brashears and tried to start a family. He didn't ask.",
            "Unless tampered with, court records will show Brashears dropped as a patient to be told she'd face legal consequences if she did.",
            "Survivor was told an investigation would begin, she'd be safe among other careless things her MD advised",
            "Brashears would LOVE for the true court proceedings to be read. She feels they were hacked away. DougCo was unable to 'print' records 'glitch'",
            "Did I mention she prevailed, won, got a check? Tsara Lynn Brashears survivor; won her counter claim. Weak Reimer claim burned like a dying moth.",
            "Trellis: 3.223.115.185 In cloud provider range: provider=AWS\t  IPv4 34.240.160.162 In cloud provider range: provider=AWS",
            "Trellis: http://blockpage.bt.com/pcstaticpage/blocked.html?list=BT |  https://search.app.goo.gl/?ofl",
            "Trellis: www.youtube.com/watch?v=GyuMozsVyYs \t\u00bb Survivors video references assault. Does not name or depict Reimers likeness.",
            "Trellis: Hostname blockpage.bt.com | hdredirect-lb7-5a03e1c2772e1c9c.elb.us-east-1.amazonaws.com | itunes.apple.com | search.app.goo.gl  | www.youtube.com",
            "Trellis: https://itunes.apple.com/app/apple-store/id284815942/us/app/samsung-galaxy-watch-gear-s/id1117310635",
            "IDS Detections: Downloader (P2P Zeus dropper UA) Common Upatre Header Structure 2 Upatre Retrieving encoded payload (Common Header Struct)",
            "IDS Detections: Suspicious User-Agent containing Loader Observed TLS Handshake Failure",
            "Trellis: High Priority Alerts: network_icmp modifies_proxy_wpad packer_polymorphic",
            "Trellis:TrojanDownloader:Win32/Upatre.A  | Yara Detections Upack_all_versions",
            "Trellis: secure04-appleid.com | http://secure04-appleid.com | cpcalendars.secure04-appleid.com"
          ],
          "public": 1,
          "adversary": "Parking Crew",
          "targeted_countries": [
            "United States of America"
          ],
          "malware_families": [
            {
              "id": "Trojan:Win32/Zbot.SIBG3!MTB",
              "display_name": "Trojan:Win32/Zbot.SIBG3!MTB",
              "target": "/malware/Trojan:Win32/Zbot.SIBG3!MTB"
            },
            {
              "id": "TrojanDownloader:Win32/Upatre.A",
              "display_name": "TrojanDownloader:Win32/Upatre.A",
              "target": "/malware/TrojanDownloader:Win32/Upatre.A"
            },
            {
              "id": "P2P ZeuS - S0016",
              "display_name": "P2P ZeuS - S0016",
              "target": null
            }
          ],
          "attack_ids": [
            {
              "id": "T1040",
              "name": "Network Sniffing",
              "display_name": "T1040 - Network Sniffing"
            },
            {
              "id": "T1045",
              "name": "Software Packing",
              "display_name": "T1045 - Software Packing"
            },
            {
              "id": "T1060",
              "name": "Registry Run Keys / Startup Folder",
              "display_name": "T1060 - Registry Run Keys / Startup Folder"
            },
            {
              "id": "T1129",
              "name": "Shared Modules",
              "display_name": "T1129 - Shared Modules"
            },
            {
              "id": "T1143",
              "name": "Hidden Window",
              "display_name": "T1143 - Hidden Window"
            },
            {
              "id": "T1598",
              "name": "Phishing for Information",
              "display_name": "T1598 - Phishing for Information"
            },
            {
              "id": "T1031",
              "name": "Modify Existing Service",
              "display_name": "T1031 - Modify Existing Service"
            },
            {
              "id": "T1023",
              "name": "Shortcut Modification",
              "display_name": "T1023 - Shortcut Modification"
            },
            {
              "id": "T1399",
              "name": "Modify Trusted Execution Environment",
              "display_name": "T1399 - Modify Trusted Execution Environment"
            },
            {
              "id": "T1155",
              "name": "AppleScript",
              "display_name": "T1155 - AppleScript"
            }
          ],
          "industries": [
            "Research",
            "Telecommunications",
            "Technology",
            "Civilians"
          ],
          "TLP": "green",
          "cloned_from": null,
          "export_count": 14,
          "upvotes_count": 0,
          "downvotes_count": 0,
          "votes_count": 0,
          "locked": false,
          "pulse_source": "web",
          "validator_count": 0,
          "comment_count": 1,
          "follower_count": 0,
          "vote": 0,
          "author": {
            "username": "scoreblue",
            "id": "254100",
            "avatar_url": "/otxapi/users/avatar_image/media/avatars/user_254100/resized/80/avatar_3b9c358f36.png",
            "is_subscribed": false,
            "is_following": false
          },
          "indicator_type_counts": {
            "FileHash-MD5": 269,
            "FileHash-SHA1": 266,
            "FileHash-SHA256": 981,
            "domain": 480,
            "hostname": 684,
            "email": 1,
            "URL": 2102
          },
          "indicator_count": 4783,
          "is_author": false,
          "is_subscribing": null,
          "subscriber_count": 227,
          "modified_text": "572 days ago ",
          "is_modified": true,
          "groups": [],
          "in_group": false,
          "threat_hunter_scannable": true,
          "threat_hunter_has_agents": 1,
          "related_indicator_type": "URL",
          "related_indicator_is_active": 1
        }
      ],
      "references": [
        "Jeffrey Scott Reimer DPT was allegedly arrested 02/14/2022 |  Very unreliable self proclaimed PI's (multiple)",
        "Yara Detections: is__elf ,  xorddos ,  LinuxXorDDoS_VariantTwo",
        "https://otx.alienvault.com/indicator/ip/162.222.213.199",
        "Did I mention she prevailed, won, got a check? Tsara Lynn Brashears survivor; won her counter claim. Weak Reimer claim burned like a dying moth.",
        "Judge Shay Whittaker dismissed Reimers 'malicious' prosecution claom",
        "Brashears would gladly go to court as stated in court documents to then judge who wished to be briefed by Brashears. Thwarted by Sabey.",
        "He also spoke frequently about Brashears infamously 'real' large bosom and figure. He decided to touch, grab, grope, assault,injure, beg for more",
        "Brian Sabey begged victim to accept tiny settlement. Contingency, 'Brashears may use  settlement to find hacker.'",
        "Most of not all  positive Jeffrey Reimer DPT reviews are false.  Reimer wasn't practicing when 'amazing' trat,ent alleged",
        "https://otx.alienvault.com/indicator/url/https://www.anyxxxtube.net/search-porn/tsara-brashears/ [phishing]",
        "https://otx.alienvault.com/indicator/ip/185.230.63.186",
        "Reimer often criticized non English speakers, large women and short Hispanic men according to witness.",
        "IDS Detections : Suspicious Accept in HTTP POST - Possible Alphacrypt/TeslaCrypt Alphacrypt/TeslaCrypt Ransomware CnC Beacon",
        "TrojanClicker:Win32/Ellell.A: FileHash-SHA1 7a52b57df5b3c67f810a71dc39ff93688b141534",
        "IDS Detections: Suspicious User-Agent containing Loader Observed TLS Handshake Failure",
        "espysite.azurewebsites.net - https://otx.alienvault.com/indicator/hostname/espysite.azurewebsites.net",
        "TrojanSpy:Win32/Nivdort.CW: FileHash-SHA256 aa289c89f2cdbfe896f4c77c611d94aa95858797014b57e24d5fe2bb0997d7b0",
        "Trojan:Win32/Zombie.A: FileHash-MD5 34e85820b41c14e07dd564f22997e893",
        "https://www.paidhmars.com/",
        "Reimers case V Brashears in 2017 after Denver Police Major Crimes located Reimer",
        "Survivor was told an investigation would begin, she'd be safe among other careless things her MD advised",
        "CnC IP's: 192.187.111.221  63.141.242.43  63.141.242.44  63.141.242.46 81.17.18.195  81.17.18.197 81.17.29.146  81.17.29.148",
        "Mercenary Attackers / Cellebrite branded as: http://teacellertea.com/Pegasus/ NSO",
        "Brian Sabey would  be most foolish after it was determined Brashears was 100% disabled. This was cause by Jeffrey Scott Reimer DPT",
        "Brian Sabey had cashiers check delivered to Brashears in person.",
        "Victim is willing to have her attorney post entire court proceedings online , on YouTube and more",
        "Trellis:TrojanDownloader:Win32/Upatre.A  | Yara Detections Upack_all_versions",
        "Trellis: Hostname blockpage.bt.com | hdredirect-lb7-5a03e1c2772e1c9c.elb.us-east-1.amazonaws.com | itunes.apple.com | search.app.goo.gl  | www.youtube.com",
        "https://otx.alienvault.com/indicator/file/0002f7cbc10cfea832f117d66dea2d33e6ca1d5cea57d9af0784255e0112d658",
        "https://prnbae.com/191693/at-37-ellie-discovers-the-unique-sensations-of-double-vaginal-sex/ [trellis.law]",
        "IDS Detections: W32/Bayrob Attempted Checkin 2 Terse HTTP 1.0 Request Possible Nivdort W32/Bayrob Attempted Checkin",
        "PWS:Win32/Ymacco.AA50: FileHash-MD5 5739cd62eb88e2a7e514784fe7cf5ca4",
        "http://www.qq664.com/seximanhua/22128.html [looks legit to me]",
        "Trojan:Linux/Xorddos:  FileHash-SHA1 a5780498e6fce5933a7e7bf59a6fa5742e97f559",
        "IDS Detections: Downloader (P2P Zeus dropper UA) Common Upatre Header Structure 2 Upatre Retrieving encoded payload (Common Header Struct)",
        "Trojan:Win32/Zombie.A: FileHash-SHA1 de974c697f0401d681e1bb3c8694a663e9e43d8f",
        "Trellis: https://itunes.apple.com/app/apple-store/id284815942/us/app/samsung-galaxy-watch-gear-s/id1117310635",
        "http://islamicsoftwares.com/downloads/iphone/audioCont/2/107.tar.gz http://islamicsoftwares.com/downloads/iphone/audioCont/7/110.tar.gz",
        "smartphonesonline.co.uk  https://smartphonesonline.co.uk/  https://www.smartphonesonline.co.uk/ [192.187.111.222. US - Request HTTP -Target IP]",
        "False: Brashears didn't expect this coming. Jeffrey Reimer DPT suddenly jumped on top of Brashears and tried to start a family. He didn't ask.",
        "Backdoor:Win32/Fynloski.A: FileHash-SHA1 453355033bb7977831ca87cc90156b594f13b2ee",
        "TrojanSpy:Win32/Nivdort.CW: FileHash-SHA256 251150379b9a0ff230899777f0952d3833a88c1a2d6a0101ea13bdd91a9550fe",
        "There is NO other physical therapist with as many reviews as Jeffrey Reimer DPT, even non offenders. Reimers clientele is largely non-english speaking.",
        "Scam Aggregators: https://trellis.law/case/8035/2017cv030026-suppressed/reimer-jeffrey-v-brashears-tsara [parked here: ctjsz.com]",
        "False: This case was filed in Douglas County Superior Courts with Jeffrey K Holmes presiding. | Who is he?",
        "IDS Detections: Possible Compromised Host AnubisNetworks Sinkhole Cookie Value Snkz",
        "https://otx.alienvault.com/indicator/ip/63.141.242.45",
        "Jeffrey Scott Reimer PT , DPT. assaulters defense: 'I had to be of the top/front of Brashears, She consented!'",
        "https://urlscan.io/result/e4ed8a1d-1b23-46cd-a237-a2ad4e974fc3/content/",
        "TrojanClicker:Win32/Ellell.A: FileHash-SHA256 7456108771e6a8bac658276c1cb9e18c8c348fdd9cd3538419751c3b5ef3ac02",
        "IDS Detections : AlphaCrypt CnC Beacon 3 MalDoc Request for Payload Aug 17 2016 Koobface W32/Bayrob Attempted Checkin",
        "Alerts: cape_detected_threat cape_extracted_content",
        "TrojanClicker:Win32/Ellell.A: FileHash-MD5 4d3e7d486ec5918d91e54e51c4d07dc6",
        "Brashears documented on corr record she wanted to proceed with case",
        "Trellis: secure04-appleid.com | http://secure04-appleid.com | cpcalendars.secure04-appleid.com",
        "Brashears Review: 'He would benefit from more training' [Very considerate considering the complimentary spinal cord injuries 'plural']",
        "PWS:Win32/Ymacco.AA50: FileHash-SHA1 57486d33246bce6dfedb0836cd97c9acd4a4a39a",
        "Trojan:Win32/Zombie.A: FileHash-SHA256 0b87667251b79cb800ddd88bdabecea8e13248c426d4a14ae0aae0ef5783f943",
        "Unless tampered with, court records will show Brashears dropped as a patient to be told she'd face legal consequences if she did.",
        "Ransom:Win32/Haperlock.A: FileHash-SHA1 c881d1434164b35fb16107a25f84995b7fdef37f",
        "IDS Detections : W32/Bayrob Attempted Checkin 2 CryptoWall Check-in AlphaCrypt CnC Beacon 4 Trojan-Ransom.Win32.Blocker.avsx",
        "http://www.northpoleroute.com/78985064&type=0&resid=5312625",
        "Trellis: High Priority Alerts: network_icmp modifies_proxy_wpad packer_polymorphic",
        "Win.Virus.TeslaCrypt3-2: FileHash-SHA256 78af1fd5be62ab829e49f9a1b5fbb8a9b30f8d0804cba5805c8f350b841d522e",
        "Trellis: www.youtube.com/watch?v=GyuMozsVyYs \t\u00bb Survivors video references assault. Does not name or depict Reimers likeness.",
        "Brian Sabey offered Brashears a settlement. Begged her to accept it.",
        "PWS:Win32/Ymacco.AA50: FileHash-SHA256 105834163b1a0c89e12917a3145e14be6030a611e07f7f62fa7c57de838d6251",
        "https://otx.alienvault.com/indicator/file/251150379b9a0ff230899777f0952d3833a88c1a2d6a0101ea13bdd91a9550fe",
        "\"Windows SMB Information Disclosure Vulnerability.\" - https://otx.alienvault.com/indicator/cve/CVE-2017-0147",
        "Ransom:Win32/Haperlock.A: FileHash-SHA256 8264c73f129d4895573c2375ea4e4636b9d5df66852ce72ccc20d31a96ae7df1",
        "Health Grades erased 20+ positive reviews that originated from Reimers email address.",
        "Trellis: 3.223.115.185 In cloud provider range: provider=AWS\t  IPv4 34.240.160.162 In cloud provider range: provider=AWS",
        "PWS:Win32/QQpass.B!MTB: FileHash-SHA256 71fa9257f88c15b438616662dc468327199edb570286c7259d333953006b8eec",
        "https://help.competitionsuite.com/article/76-using-the-judge-app-tablets",
        "Brian Sabey. Esq filed motion to dismiss after judge dismissed Reimers meritlesscase",
        "PWS:Win32/QQpass.B!MTB: FileHash-MD5 f7c36b4e5b4b09dc369163377aade2d7",
        "Antivirus Detections: ELF:Xorddos-AE [Trj], Unix.Trojan.Xorddos-1",
        "False: Never served. Had several PI's and background checks",
        "Brashears would LOVE for the true court proceedings to be read. She feels they were hacked away. DougCo was unable to 'print' records 'glitch'",
        "https://hallrender.com/attorney/brian-sabey",
        "Ransom:Win32/Haperlock.A: FileHash-MD5 46480bf46cde2b3e79852661cc5c36fc",
        "sex2e.com  | http://qq664.com/seximanhua/22128.html [trellis.law]",
        "Brian Sabey Speaking for Jeffrey Scott Reimer DPT refused further court proceedings",
        "Ransom:Win32/Tescrypt: FileHash-SHA256 916e13eb1e4313b2a04a2ae21b4955b8228183b26709a64284098ca759a8f437",
        "Trojan:Linux/Xorddos: FileHash-MD5 3b4ce1333614cd21c109054630e959b9",
        "Trojan:Linux/Xorddos: FileHash-SHA256 0002f7cbc10cfea832f117d66dea2d33e6ca1d5cea57d9af0784255e0112d658",
        "TrojanDownloader:Win32/PurityScan.MI!MTB: FileHash-SHA1 58ba8715a88d883537ba8d0e20eea2a4d9269cad",
        "Brian Sabey wanted to appear to win. Sandy demanded Brashears remove every patients negative review about Jeffrey Reimer DPT",
        "Backdoor:Win32/Fynloski.A: FileHash-MD5 c3113684e8f8aa6d1b1b67d59141e845",
        "Trellis: http://blockpage.bt.com/pcstaticpage/blocked.html?list=BT |  https://search.app.goo.gl/?ofl",
        "Case: Defamation of character based on truthful reviews left on HealthGrades.",
        "http://www.philippinesredcat.com/girls-for-sex-in-manila/ [trellis.law]",
        "https://itunes.apple.com/app/apple-store/id284815942/us/app/samsung-galaxy-watch-gear-s/id1117310635",
        "PWS:Win32/QQpass.B!MTB: FileHash-SHA1 fec703ee7c02ffe35c6b987bb9aac3a765e95dfb",
        "A series of reviews detailing Jeffrey Reimer DPT egregious behavior proved not left by Brashears except 2 with comments -4",
        "http://us.1.powerfront.com/thehealthylivingshow/scripts/redir.asp?link=https://www.sexbestgals.info/cougar-porn/ [trellis.law]",
        "Backdoor:Win32/Fynloski.A: FileHash-SHA256 4e692806955f9ee3f4c7a5d9a1ac7729eb53b855b39e6f9f943f89ccba30bd49"
      ],
      "related": {
        "alienvault": {
          "adversary": [],
          "malware_families": [],
          "industries": [],
          "unique_indicators": 0
        },
        "other": {
          "adversary": [
            "Parking Crew"
          ],
          "malware_families": [
            "Trojan:win32/zombie.a",
            "Pegasus for android - mob-s0032",
            "Bayrob",
            "Pegasus for ios - s0289",
            "Trojandownloader:win32/upatre.a",
            "Pws:win32/qqpass.b!mtb",
            "Trojan:linux/xorddos",
            "Trojanclicker:win32/ellell.a",
            "Trojanspy:win32/nivdort.cw",
            "Ransom:win32/haperlock.a",
            "Ransomware",
            "Trojan:win32/zbot.sibg3!mtb",
            "Pws:win32/ymacco.aa50",
            "Ransom:win32/tescrypt",
            "P2p zeus - s0016",
            "Backdoor:win32/fynloski.a",
            "Win.virus.teslacrypt3-2/custom",
            "Sakula rat"
          ],
          "industries": [
            "Research",
            "Telecommunications",
            "Technology",
            "Civilians"
          ],
          "unique_indicators": 16281
        }
      }
    },
    "false_positive": [],
    "alexa": "http://www.alexa.com/siteinfo/competitionsuite.com",
    "whois": "http://whois.domaintools.com/competitionsuite.com",
    "domain": "competitionsuite.com",
    "hostname": "schedules.competitionsuite.com"
  },
  "geo": {},
  "geo_ipapicom": {},
  "pulse_count": 4,
  "pulses": [
    {
      "id": "6a0fed56841e1b009c303267",
      "name": "Credit: scoreblue [Brian Sabey Orbiting Tsara Brashears and associates] clone",
      "description": "",
      "modified": "2026-05-22T05:44:54.655000",
      "created": "2026-05-22T05:44:54.655000",
      "tags": [
        "unknown",
        "united",
        "virgin islands",
        "as51852",
        "as33387",
        "as19905",
        "as44273 host",
        "cname",
        "nxdomain",
        "passive dns",
        "url http",
        "search",
        "type indicator",
        "role title",
        "added active",
        "related pulses",
        "entries",
        "urls",
        "files ip",
        "address domain",
        "ip related",
        "pulses otx",
        "pulses",
        "related tags",
        "indicator facts",
        "dga domain",
        "http",
        "unique",
        "scan endpoints",
        "all scoreblue",
        "pulse pulses",
        "ip address",
        "related nids",
        "log id",
        "gmtn",
        "go daddy",
        "authority",
        "tls web",
        "arizona",
        "scottsdale",
        "ca issuers",
        "b59bn timestamp",
        "ff2c217402202b",
        "code",
        "false",
        "url https",
        "domain",
        "trojan",
        "hostname",
        "files",
        "body",
        "date",
        "path max",
        "age86400 set",
        "cookie",
        "script urls",
        "type",
        "mtb may",
        "script script",
        "trojanspy",
        "striven",
        "miles2",
        "rexxfield",
        "http response",
        "final url",
        "serving ip",
        "address",
        "status code",
        "body length",
        "b body",
        "sha256",
        "date sat",
        "gmt server",
        "sakula malware",
        "historical ssl",
        "realteck audio",
        "lemon duck",
        "iocs",
        "tsara brashears",
        "loki password",
        "stealer",
        "windows",
        "auction",
        "metro",
        "core",
        "colibri loader",
        "hacktool",
        "status",
        "for privacy",
        "creation date",
        "record value",
        "name servers",
        "showing",
        "next",
        "mtb mar",
        "ipv4",
        "ransom",
        "west domains",
        "redacted for",
        "gmt location",
        "gmt max",
        "cowboy",
        "encrypt",
        "as60558 phoenix",
        "susp",
        "win32",
        "methodpost",
        "canada unknown",
        "as43350 nforce",
        "united kingdom",
        "as47846",
        "germany unknown",
        "briansabey",
        "body doubles",
        "orbiters",
        "malvertising",
        "cane",
        "get na",
        "show",
        "as16509",
        "delete c",
        "sinkhole cookie",
        "value snkz",
        "cape",
        "possible",
        "copy",
        "nivdort",
        "write",
        "bayrob",
        "malware",
        "exploit",
        "confirm https",
        "impact",
        "misc http",
        "cvss v2",
        "authentication",
        "n cvss",
        "v3 severity",
        "high attack",
        "emails",
        "cnc",
        "alphacrypt cnc",
        "beacon",
        "as15169 google",
        "limited",
        "as8560",
        "elite",
        "AS33387 nocix llc",
        "pegasus",
        "mercenary",
        "cellerebrand",
        "cellebrite",
        "apple",
        "dark",
        "apple ios",
        "ios",
        "apple iphone",
        "apple itunes",
        "itunes",
        "pegasystem",
        "data brokers",
        "hackers",
        "javascript",
        "please",
        "intel",
        "filehash",
        "av detections",
        "xorddos"
      ],
      "references": [
        "http://www.northpoleroute.com/78985064&type=0&resid=5312625",
        "espysite.azurewebsites.net - https://otx.alienvault.com/indicator/hostname/espysite.azurewebsites.net",
        "TrojanSpy:Win32/Nivdort.CW: FileHash-SHA256 251150379b9a0ff230899777f0952d3833a88c1a2d6a0101ea13bdd91a9550fe",
        "TrojanSpy:Win32/Nivdort.CW: FileHash-SHA256 aa289c89f2cdbfe896f4c77c611d94aa95858797014b57e24d5fe2bb0997d7b0",
        "Ransom:Win32/Haperlock.A: FileHash-MD5 46480bf46cde2b3e79852661cc5c36fc",
        "Ransom:Win32/Haperlock.A: FileHash-SHA1 c881d1434164b35fb16107a25f84995b7fdef37f",
        "Ransom:Win32/Haperlock.A: FileHash-SHA256 8264c73f129d4895573c2375ea4e4636b9d5df66852ce72ccc20d31a96ae7df1",
        "IDS Detections: W32/Bayrob Attempted Checkin 2 Terse HTTP 1.0 Request Possible Nivdort W32/Bayrob Attempted Checkin",
        "IDS Detections: Possible Compromised Host AnubisNetworks Sinkhole Cookie Value Snkz",
        "Alerts: cape_detected_threat cape_extracted_content",
        "https://otx.alienvault.com/indicator/file/251150379b9a0ff230899777f0952d3833a88c1a2d6a0101ea13bdd91a9550fe",
        "https://otx.alienvault.com/indicator/url/https://www.anyxxxtube.net/search-porn/tsara-brashears/ [phishing]",
        "\"Windows SMB Information Disclosure Vulnerability.\" - https://otx.alienvault.com/indicator/cve/CVE-2017-0147",
        "Backdoor:Win32/Fynloski.A: FileHash-SHA256 4e692806955f9ee3f4c7a5d9a1ac7729eb53b855b39e6f9f943f89ccba30bd49",
        "Backdoor:Win32/Fynloski.A: FileHash-SHA1 453355033bb7977831ca87cc90156b594f13b2ee",
        "Backdoor:Win32/Fynloski.A: FileHash-MD5 c3113684e8f8aa6d1b1b67d59141e845",
        "TrojanClicker:Win32/Ellell.A: FileHash-SHA256 7456108771e6a8bac658276c1cb9e18c8c348fdd9cd3538419751c3b5ef3ac02",
        "TrojanClicker:Win32/Ellell.A: FileHash-SHA1 7a52b57df5b3c67f810a71dc39ff93688b141534",
        "TrojanClicker:Win32/Ellell.A: FileHash-MD5 4d3e7d486ec5918d91e54e51c4d07dc6",
        "PWS:Win32/Ymacco.AA50: FileHash-SHA256 105834163b1a0c89e12917a3145e14be6030a611e07f7f62fa7c57de838d6251",
        "PWS:Win32/Ymacco.AA50: FileHash-SHA1 57486d33246bce6dfedb0836cd97c9acd4a4a39a",
        "PWS:Win32/Ymacco.AA50: FileHash-MD5 5739cd62eb88e2a7e514784fe7cf5ca4",
        "https://otx.alienvault.com/indicator/ip/162.222.213.199",
        "TrojanDownloader:Win32/PurityScan.MI!MTB: FileHash-SHA1 58ba8715a88d883537ba8d0e20eea2a4d9269cad",
        "Ransom:Win32/Tescrypt: FileHash-SHA256 916e13eb1e4313b2a04a2ae21b4955b8228183b26709a64284098ca759a8f437",
        "PWS:Win32/QQpass.B!MTB: FileHash-SHA256 71fa9257f88c15b438616662dc468327199edb570286c7259d333953006b8eec",
        "PWS:Win32/QQpass.B!MTB: FileHash-SHA1 fec703ee7c02ffe35c6b987bb9aac3a765e95dfb",
        "PWS:Win32/QQpass.B!MTB: FileHash-MD5 f7c36b4e5b4b09dc369163377aade2d7",
        "Trojan:Win32/Zombie.A: FileHash-SHA256 0b87667251b79cb800ddd88bdabecea8e13248c426d4a14ae0aae0ef5783f943",
        "Trojan:Win32/Zombie.A: FileHash-SHA1 de974c697f0401d681e1bb3c8694a663e9e43d8f",
        "Trojan:Win32/Zombie.A: FileHash-MD5 34e85820b41c14e07dd564f22997e893",
        "Win.Virus.TeslaCrypt3-2: FileHash-SHA256 78af1fd5be62ab829e49f9a1b5fbb8a9b30f8d0804cba5805c8f350b841d522e",
        "IDS Detections : W32/Bayrob Attempted Checkin 2 CryptoWall Check-in AlphaCrypt CnC Beacon 4 Trojan-Ransom.Win32.Blocker.avsx",
        "IDS Detections : AlphaCrypt CnC Beacon 3 MalDoc Request for Payload Aug 17 2016 Koobface W32/Bayrob Attempted Checkin",
        "IDS Detections : Suspicious Accept in HTTP POST - Possible Alphacrypt/TeslaCrypt Alphacrypt/TeslaCrypt Ransomware CnC Beacon",
        "https://otx.alienvault.com/indicator/ip/185.230.63.186",
        "CnC IP's: 192.187.111.221  63.141.242.43  63.141.242.44  63.141.242.46 81.17.18.195  81.17.18.197 81.17.29.146  81.17.29.148",
        "http://islamicsoftwares.com/downloads/iphone/audioCont/2/107.tar.gz http://islamicsoftwares.com/downloads/iphone/audioCont/7/110.tar.gz",
        "smartphonesonline.co.uk  https://smartphonesonline.co.uk/  https://www.smartphonesonline.co.uk/ [192.187.111.222. US - Request HTTP -Target IP]",
        "Mercenary Attackers / Cellebrite branded as: http://teacellertea.com/Pegasus/ NSO",
        "https://itunes.apple.com/app/apple-store/id284815942/us/app/samsung-galaxy-watch-gear-s/id1117310635",
        "https://otx.alienvault.com/indicator/file/0002f7cbc10cfea832f117d66dea2d33e6ca1d5cea57d9af0784255e0112d658",
        "https://otx.alienvault.com/indicator/file/0002f7cbc10cfea832f117d66dea2d33e6ca1d5cea57d9af0784255e0112d658",
        "https://otx.alienvault.com/indicator/ip/63.141.242.45",
        "Yara Detections: is__elf ,  xorddos ,  LinuxXorDDoS_VariantTwo",
        "Antivirus Detections: ELF:Xorddos-AE [Trj], Unix.Trojan.Xorddos-1",
        "Trojan:Linux/Xorddos: FileHash-MD5 3b4ce1333614cd21c109054630e959b9",
        "Trojan:Linux/Xorddos:  FileHash-SHA1 a5780498e6fce5933a7e7bf59a6fa5742e97f559",
        "Trojan:Linux/Xorddos: FileHash-SHA256 0002f7cbc10cfea832f117d66dea2d33e6ca1d5cea57d9af0784255e0112d658",
        "https://hallrender.com/attorney/brian-sabey"
      ],
      "public": 1,
      "adversary": "",
      "targeted_countries": [
        "United States of America",
        "United Kingdom of Great Britain and Northern Ireland"
      ],
      "malware_families": [
        {
          "id": "TrojanSpy:Win32/Nivdort.CW",
          "display_name": "TrojanSpy:Win32/Nivdort.CW",
          "target": "/malware/TrojanSpy:Win32/Nivdort.CW"
        },
        {
          "id": "Ransom:Win32/Haperlock.A",
          "display_name": "Ransom:Win32/Haperlock.A",
          "target": "/malware/Ransom:Win32/Haperlock.A"
        },
        {
          "id": "Backdoor:Win32/Fynloski.A",
          "display_name": "Backdoor:Win32/Fynloski.A",
          "target": "/malware/Backdoor:Win32/Fynloski.A"
        },
        {
          "id": "TrojanClicker:Win32/Ellell.A",
          "display_name": "TrojanClicker:Win32/Ellell.A",
          "target": "/malware/TrojanClicker:Win32/Ellell.A"
        },
        {
          "id": "Bayrob",
          "display_name": "Bayrob",
          "target": null
        },
        {
          "id": "Win.Virus.TeslaCrypt3-2/Custom",
          "display_name": "Win.Virus.TeslaCrypt3-2/Custom",
          "target": null
        },
        {
          "id": "PWS:Win32/Ymacco.AA50",
          "display_name": "PWS:Win32/Ymacco.AA50",
          "target": "/malware/PWS:Win32/Ymacco.AA50"
        },
        {
          "id": "Ransom:Win32/Tescrypt",
          "display_name": "Ransom:Win32/Tescrypt",
          "target": "/malware/Ransom:Win32/Tescrypt"
        },
        {
          "id": "PWS:Win32/QQpass.B!MTB",
          "display_name": "PWS:Win32/QQpass.B!MTB",
          "target": "/malware/PWS:Win32/QQpass.B!MTB"
        },
        {
          "id": "Trojan:Win32/Zombie.A",
          "display_name": "Trojan:Win32/Zombie.A",
          "target": "/malware/Trojan:Win32/Zombie.A"
        },
        {
          "id": "Pegasus for iOS - S0289",
          "display_name": "Pegasus for iOS - S0289",
          "target": null
        },
        {
          "id": "Pegasus for Android - MOB-S0032",
          "display_name": "Pegasus for Android - MOB-S0032",
          "target": null
        },
        {
          "id": "Ransomware",
          "display_name": "Ransomware",
          "target": null
        },
        {
          "id": "Trojan:Linux/Xorddos",
          "display_name": "Trojan:Linux/Xorddos",
          "target": "/malware/Trojan:Linux/Xorddos"
        },
        {
          "id": "Sakula RAT",
          "display_name": "Sakula RAT",
          "target": null
        }
      ],
      "attack_ids": [
        {
          "id": "T1512",
          "name": "Capture Camera",
          "display_name": "T1512 - Capture Camera"
        },
        {
          "id": "T1071",
          "name": "Application Layer Protocol",
          "display_name": "T1071 - Application Layer Protocol"
        },
        {
          "id": "TA0001",
          "name": "Initial Access",
          "display_name": "TA0001 - Initial Access"
        },
        {
          "id": "TA0002",
          "name": "Execution",
          "display_name": "TA0002 - Execution"
        },
        {
          "id": "TA0003",
          "name": "Persistence",
          "display_name": "TA0003 - Persistence"
        },
        {
          "id": "TA0004",
          "name": "Privilege Escalation",
          "display_name": "TA0004 - Privilege Escalation"
        },
        {
          "id": "TA0005",
          "name": "Defense Evasion",
          "display_name": "TA0005 - Defense Evasion"
        },
        {
          "id": "TA0007",
          "name": "Discovery",
          "display_name": "TA0007 - Discovery"
        },
        {
          "id": "TA0008",
          "name": "Lateral Movement",
          "display_name": "TA0008 - Lateral Movement"
        },
        {
          "id": "TA0009",
          "name": "Collection",
          "display_name": "TA0009 - Collection"
        },
        {
          "id": "TA0010",
          "name": "Exfiltration",
          "display_name": "TA0010 - Exfiltration"
        },
        {
          "id": "T1583",
          "name": "Acquire Infrastructure",
          "display_name": "T1583 - Acquire Infrastructure"
        },
        {
          "id": "T1105",
          "name": "Ingress Tool Transfer",
          "display_name": "T1105 - Ingress Tool Transfer"
        },
        {
          "id": "T1566",
          "name": "Phishing",
          "display_name": "T1566 - Phishing"
        },
        {
          "id": "T1598",
          "name": "Phishing for Information",
          "display_name": "T1598 - Phishing for Information"
        },
        {
          "id": "T1210",
          "name": "Exploitation of Remote Services",
          "display_name": "T1210 - Exploitation of Remote Services"
        },
        {
          "id": "TA0011",
          "name": "Command and Control",
          "display_name": "TA0011 - Command and Control"
        },
        {
          "id": "T1506",
          "name": "Web Session Cookie",
          "display_name": "T1506 - Web Session Cookie"
        },
        {
          "id": "T1071.004",
          "name": "DNS",
          "display_name": "T1071.004 - DNS"
        },
        {
          "id": "T1129",
          "name": "Shared Modules",
          "display_name": "T1129 - Shared Modules"
        },
        {
          "id": "T1051",
          "name": "Shared Webroot",
          "display_name": "T1051 - Shared Webroot"
        },
        {
          "id": "T1114",
          "name": "Email Collection",
          "display_name": "T1114 - Email Collection"
        },
        {
          "id": "T1123",
          "name": "Audio Capture",
          "display_name": "T1123 - Audio Capture"
        },
        {
          "id": "T1056.001",
          "name": "Keylogging",
          "display_name": "T1056.001 - Keylogging"
        },
        {
          "id": "T1155",
          "name": "AppleScript",
          "display_name": "T1155 - AppleScript"
        }
      ],
      "industries": [],
      "TLP": "green",
      "cloned_from": "66804428b487338dc16f70a7",
      "export_count": 5,
      "upvotes_count": 0,
      "downvotes_count": 0,
      "votes_count": 0,
      "locked": false,
      "pulse_source": "web",
      "validator_count": 0,
      "comment_count": 0,
      "follower_count": 0,
      "vote": 0,
      "author": {
        "username": "msudosos",
        "id": "381696",
        "avatar_url": "https://otx.alienvault.com/assets/images/default-avatar.png",
        "is_subscribed": false,
        "is_following": false
      },
      "indicator_type_counts": {
        "domain": 3885,
        "hostname": 1651,
        "URL": 5981,
        "FileHash-MD5": 486,
        "FileHash-SHA256": 3859,
        "SSLCertFingerprint": 2,
        "FileHash-SHA1": 487,
        "CVE": 7,
        "email": 8
      },
      "indicator_count": 16366,
      "is_author": false,
      "is_subscribing": null,
      "subscriber_count": 66,
      "modified_text": "9 days ago ",
      "is_modified": false,
      "groups": [],
      "in_group": false,
      "threat_hunter_scannable": true,
      "threat_hunter_has_agents": 1,
      "related_indicator_type": "URL",
      "related_indicator_is_active": 1
    },
    {
      "id": "69efc3a63f5aa5107bb41dbf",
      "name": "[clone-Jeffrey Reimer DPT Tsara Brashears Court Records | ]by scoreblue",
      "description": "",
      "modified": "2026-04-27T23:20:58.970000",
      "created": "2026-04-27T20:14:30.720000",
      "tags": [
        "reimer-jeffrey-v-brashears-tsara",
        "2017cv030026  suppressed",
        "case 2017cv030026  suppressed",
        "docket",
        "legal case",
        "legal",
        "litigation",
        "court cases",
        "state court docket",
        "robert r",
        "lung",
        "county",
        "case",
        "money",
        "ben l",
        "leutwyler iii",
        "reimer",
        "brashears",
        "douglas county",
        "tips",
        "district",
        "date",
        "judge",
        "shane",
        "bank",
        "contact",
        "service",
        "brashears accepts",
        "jeffrey scott",
        "reimer dpt",
        "reimer paid",
        "sa victim",
        "settlement",
        "reimer-jeffrey-paid-tsara-brahears-settlement",
        "reimer-jeffrey-claim-dismissed",
        "brashears-tsara-claims-upheld",
        "reverse dns",
        "general full",
        "protocol h2",
        "security tls",
        "resource",
        "united",
        "hash",
        "name value",
        "security",
        "main",
        "facebook",
        "brashears-tsara-v-reimer-jeffrey",
        "so false",
        "as134548 dxtl",
        "kwan o",
        "hong kong",
        "passive dns",
        "scan endpoints",
        "all scoreblue",
        "ipv4",
        "export graph",
        "historical ssl",
        "referrer",
        "gameprofitshack",
        "webstudio",
        "smartdata",
        "alloymedia",
        "industries",
        "theakkas",
        "korplug",
        "default",
        "module load",
        "t1129",
        "show",
        "search",
        "regbinary",
        "malware beacon",
        "upatre",
        "suspicious",
        "trojan",
        "copy",
        "dock",
        "downloader",
        "loader",
        "write",
        "malware",
        "av detections",
        "ids detections",
        "yara detections",
        "alerts",
        "related pulses",
        "dashboard",
        "browse scan",
        "endpoints all",
        "showing",
        "p2p zeus",
        "september",
        "popper",
        "cookies",
        "x function",
        "hsp boolean",
        "oribili boolean",
        "hstcran",
        "hsusertoken",
        "domainpath name",
        "ns nxdomain",
        "parked",
        "tsara won",
        "brashears prevails",
        "reimer dismissal",
        "dangerous data collection",
        "get device",
        "parked uri"
      ],
      "references": [
        "Scam Aggregators: https://trellis.law/case/8035/2017cv030026-suppressed/reimer-jeffrey-v-brashears-tsara [parked here: ctjsz.com]",
        "http://www.qq664.com/seximanhua/22128.html [looks legit to me]",
        "sex2e.com  | http://qq664.com/seximanhua/22128.html [trellis.law]",
        "https://prnbae.com/191693/at-37-ellie-discovers-the-unique-sensations-of-double-vaginal-sex/ [trellis.law]",
        "http://www.philippinesredcat.com/girls-for-sex-in-manila/ [trellis.law]",
        "http://us.1.powerfront.com/thehealthylivingshow/scripts/redir.asp?link=https://www.sexbestgals.info/cougar-porn/ [trellis.law]",
        "https://help.competitionsuite.com/article/76-using-the-judge-app-tablets",
        "https://www.paidhmars.com/",
        "https://urlscan.io/result/e4ed8a1d-1b23-46cd-a237-a2ad4e974fc3/content/",
        "False: This case was filed in Douglas County Superior Courts with Jeffrey K Holmes presiding. | Who is he?",
        "False: Never served. Had several PI's and background checks",
        "Jeffrey Scott Reimer DPT was allegedly arrested 02/14/2022 |  Very unreliable self proclaimed PI's (multiple)",
        "Brian Sabey begged victim to accept tiny settlement. Contingency, 'Brashears may use  settlement to find hacker.'",
        "Judge Shay Whittaker dismissed Reimers 'malicious' prosecution claom",
        "Reimers case V Brashears in 2017 after Denver Police Major Crimes located Reimer",
        "Brashears documented on corr record she wanted to proceed with case",
        "Brian Sabey Speaking for Jeffrey Scott Reimer DPT refused further court proceedings",
        "Brian Sabey offered Brashears a settlement. Begged her to accept it.",
        "Case: Defamation of character based on truthful reviews left on HealthGrades.",
        "A series of reviews detailing Jeffrey Reimer DPT egregious behavior proved not left by Brashears except 2 with comments -4",
        "Brashears Review: 'He would benefit from more training' [Very considerate considering the complimentary spinal cord injuries 'plural']",
        "Health Grades erased 20+ positive reviews that originated from Reimers email address.",
        "Most of not all  positive Jeffrey Reimer DPT reviews are false.  Reimer wasn't practicing when 'amazing' trat,ent alleged",
        "Brian Sabey. Esq filed motion to dismiss after judge dismissed Reimers meritlesscase",
        "Brian Sabey would  be most foolish after it was determined Brashears was 100% disabled. This was cause by Jeffrey Scott Reimer DPT",
        "Brashears would gladly go to court as stated in court documents to then judge who wished to be briefed by Brashears. Thwarted by Sabey.",
        "Brian Sabey wanted to appear to win. Sandy demanded Brashears remove every patients negative review about Jeffrey Reimer DPT",
        "Brian Sabey had cashiers check delivered to Brashears in person.",
        "Victim is willing to have her attorney post entire court proceedings online , on YouTube and more",
        "There is NO other physical therapist with as many reviews as Jeffrey Reimer DPT, even non offenders. Reimers clientele is largely non-english speaking.",
        "Reimer often criticized non English speakers, large women and short Hispanic men according to witness.",
        "He also spoke frequently about Brashears infamously 'real' large bosom and figure. He decided to touch, grab, grope, assault,injure, beg for more",
        "Jeffrey Scott Reimer PT , DPT. assaulters defense: 'I had to be of the top/front of Brashears, She consented!'",
        "False: Brashears didn't expect this coming. Jeffrey Reimer DPT suddenly jumped on top of Brashears and tried to start a family. He didn't ask.",
        "Unless tampered with, court records will show Brashears dropped as a patient to be told she'd face legal consequences if she did.",
        "Survivor was told an investigation would begin, she'd be safe among other careless things her MD advised",
        "Brashears would LOVE for the true court proceedings to be read. She feels they were hacked away. DougCo was unable to 'print' records 'glitch'",
        "Did I mention she prevailed, won, got a check? Tsara Lynn Brashears survivor; won her counter claim. Weak Reimer claim burned like a dying moth.",
        "Trellis: 3.223.115.185 In cloud provider range: provider=AWS\t  IPv4 34.240.160.162 In cloud provider range: provider=AWS",
        "Trellis: http://blockpage.bt.com/pcstaticpage/blocked.html?list=BT |  https://search.app.goo.gl/?ofl",
        "Trellis: www.youtube.com/watch?v=GyuMozsVyYs \t\u00bb Survivors video references assault. Does not name or depict Reimers likeness.",
        "Trellis: Hostname blockpage.bt.com | hdredirect-lb7-5a03e1c2772e1c9c.elb.us-east-1.amazonaws.com | itunes.apple.com | search.app.goo.gl  | www.youtube.com",
        "Trellis: https://itunes.apple.com/app/apple-store/id284815942/us/app/samsung-galaxy-watch-gear-s/id1117310635",
        "IDS Detections: Downloader (P2P Zeus dropper UA) Common Upatre Header Structure 2 Upatre Retrieving encoded payload (Common Header Struct)",
        "IDS Detections: Suspicious User-Agent containing Loader Observed TLS Handshake Failure",
        "Trellis: High Priority Alerts: network_icmp modifies_proxy_wpad packer_polymorphic",
        "Trellis:TrojanDownloader:Win32/Upatre.A  | Yara Detections Upack_all_versions",
        "Trellis: secure04-appleid.com | http://secure04-appleid.com | cpcalendars.secure04-appleid.com"
      ],
      "public": 1,
      "adversary": "Parking Crew",
      "targeted_countries": [
        "United States of America"
      ],
      "malware_families": [
        {
          "id": "Trojan:Win32/Zbot.SIBG3!MTB",
          "display_name": "Trojan:Win32/Zbot.SIBG3!MTB",
          "target": "/malware/Trojan:Win32/Zbot.SIBG3!MTB"
        },
        {
          "id": "TrojanDownloader:Win32/Upatre.A",
          "display_name": "TrojanDownloader:Win32/Upatre.A",
          "target": "/malware/TrojanDownloader:Win32/Upatre.A"
        },
        {
          "id": "P2P ZeuS - S0016",
          "display_name": "P2P ZeuS - S0016",
          "target": null
        }
      ],
      "attack_ids": [
        {
          "id": "T1040",
          "name": "Network Sniffing",
          "display_name": "T1040 - Network Sniffing"
        },
        {
          "id": "T1045",
          "name": "Software Packing",
          "display_name": "T1045 - Software Packing"
        },
        {
          "id": "T1060",
          "name": "Registry Run Keys / Startup Folder",
          "display_name": "T1060 - Registry Run Keys / Startup Folder"
        },
        {
          "id": "T1129",
          "name": "Shared Modules",
          "display_name": "T1129 - Shared Modules"
        },
        {
          "id": "T1143",
          "name": "Hidden Window",
          "display_name": "T1143 - Hidden Window"
        },
        {
          "id": "T1598",
          "name": "Phishing for Information",
          "display_name": "T1598 - Phishing for Information"
        },
        {
          "id": "T1031",
          "name": "Modify Existing Service",
          "display_name": "T1031 - Modify Existing Service"
        },
        {
          "id": "T1023",
          "name": "Shortcut Modification",
          "display_name": "T1023 - Shortcut Modification"
        },
        {
          "id": "T1399",
          "name": "Modify Trusted Execution Environment",
          "display_name": "T1399 - Modify Trusted Execution Environment"
        },
        {
          "id": "T1155",
          "name": "AppleScript",
          "display_name": "T1155 - AppleScript"
        }
      ],
      "industries": [
        "Research",
        "Telecommunications",
        "Technology",
        "Civilians"
      ],
      "TLP": "green",
      "cloned_from": "66d490668683aec2631cfa20",
      "export_count": 0,
      "upvotes_count": 0,
      "downvotes_count": 0,
      "votes_count": 0,
      "locked": false,
      "pulse_source": "web",
      "validator_count": 0,
      "comment_count": 0,
      "follower_count": 0,
      "vote": 0,
      "author": {
        "username": "msudosos",
        "id": "381696",
        "avatar_url": "https://otx.alienvault.com/assets/images/default-avatar.png",
        "is_subscribed": false,
        "is_following": false
      },
      "indicator_type_counts": {
        "FileHash-MD5": 269,
        "FileHash-SHA1": 266,
        "FileHash-SHA256": 981,
        "domain": 480,
        "hostname": 684,
        "email": 1,
        "URL": 2102
      },
      "indicator_count": 4783,
      "is_author": false,
      "is_subscribing": null,
      "subscriber_count": 65,
      "modified_text": "33 days ago ",
      "is_modified": true,
      "groups": [],
      "in_group": false,
      "threat_hunter_scannable": true,
      "threat_hunter_has_agents": 1,
      "related_indicator_type": "URL",
      "related_indicator_is_active": 1
    },
    {
      "id": "66804428b487338dc16f70a7",
      "name": "Brian Sabey Orbiting Tsara Brashears and associates | Espionage | Said client: Jeffrey Reimer",
      "description": "Brian Sabey & large team continue excessive orbiting target & family members in multiple states. \nUnwarranted, dangerous and illegal. \nLarge attacks have wreaked havoc on medical establishments, targets medical profile, once profitable business, legal manipulation, financial well being. forced poverty, swatting, imfostealer, insurance fraud, intellectual property use, Audi le spying, in person stalking, confrontations, great bodily harm, loss of peace, safety. basic human rights and privacy, phone call redirection, malvertising. In the name of assaulter Jeffrey Scott Reimer",
      "modified": "2024-11-05T10:00:12.606000",
      "created": "2024-06-29T17:28:08.283000",
      "tags": [
        "unknown",
        "united",
        "virgin islands",
        "as51852",
        "as33387",
        "as19905",
        "as44273 host",
        "cname",
        "nxdomain",
        "passive dns",
        "url http",
        "search",
        "type indicator",
        "role title",
        "added active",
        "related pulses",
        "entries",
        "urls",
        "files ip",
        "address domain",
        "ip related",
        "pulses otx",
        "pulses",
        "related tags",
        "indicator facts",
        "dga domain",
        "http",
        "unique",
        "scan endpoints",
        "all scoreblue",
        "pulse pulses",
        "ip address",
        "related nids",
        "log id",
        "gmtn",
        "go daddy",
        "authority",
        "tls web",
        "arizona",
        "scottsdale",
        "ca issuers",
        "b59bn timestamp",
        "ff2c217402202b",
        "code",
        "false",
        "url https",
        "domain",
        "trojan",
        "hostname",
        "files",
        "body",
        "date",
        "path max",
        "age86400 set",
        "cookie",
        "script urls",
        "type",
        "mtb may",
        "script script",
        "trojanspy",
        "striven",
        "miles2",
        "rexxfield",
        "http response",
        "final url",
        "serving ip",
        "address",
        "status code",
        "body length",
        "b body",
        "sha256",
        "date sat",
        "gmt server",
        "sakula malware",
        "historical ssl",
        "realteck audio",
        "lemon duck",
        "iocs",
        "tsara brashears",
        "loki password",
        "stealer",
        "windows",
        "auction",
        "metro",
        "core",
        "colibri loader",
        "hacktool",
        "status",
        "for privacy",
        "creation date",
        "record value",
        "name servers",
        "showing",
        "next",
        "mtb mar",
        "ipv4",
        "ransom",
        "west domains",
        "redacted for",
        "gmt location",
        "gmt max",
        "cowboy",
        "encrypt",
        "as60558 phoenix",
        "susp",
        "win32",
        "methodpost",
        "canada unknown",
        "as43350 nforce",
        "united kingdom",
        "as47846",
        "germany unknown",
        "briansabey",
        "body doubles",
        "orbiters",
        "malvertising",
        "cane",
        "get na",
        "show",
        "as16509",
        "delete c",
        "sinkhole cookie",
        "value snkz",
        "cape",
        "possible",
        "copy",
        "nivdort",
        "write",
        "bayrob",
        "malware",
        "exploit",
        "confirm https",
        "impact",
        "misc http",
        "cvss v2",
        "authentication",
        "n cvss",
        "v3 severity",
        "high attack",
        "emails",
        "cnc",
        "alphacrypt cnc",
        "beacon",
        "as15169 google",
        "limited",
        "as8560",
        "elite",
        "AS33387 nocix llc",
        "pegasus",
        "mercenary",
        "cellerebrand",
        "cellebrite",
        "apple",
        "dark",
        "apple ios",
        "ios",
        "apple iphone",
        "apple itunes",
        "itunes",
        "pegasystem",
        "data brokers",
        "hackers",
        "javascript",
        "please",
        "intel",
        "filehash",
        "av detections",
        "xorddos"
      ],
      "references": [
        "http://www.northpoleroute.com/78985064&type=0&resid=5312625",
        "espysite.azurewebsites.net - https://otx.alienvault.com/indicator/hostname/espysite.azurewebsites.net",
        "TrojanSpy:Win32/Nivdort.CW: FileHash-SHA256\t251150379b9a0ff230899777f0952d3833a88c1a2d6a0101ea13bdd91a9550fe",
        "TrojanSpy:Win32/Nivdort.CW: FileHash-SHA256 aa289c89f2cdbfe896f4c77c611d94aa95858797014b57e24d5fe2bb0997d7b0",
        "Ransom:Win32/Haperlock.A: FileHash-MD5 46480bf46cde2b3e79852661cc5c36fc",
        "Ransom:Win32/Haperlock.A: FileHash-SHA1 c881d1434164b35fb16107a25f84995b7fdef37f",
        "Ransom:Win32/Haperlock.A; FileHash-SHA256 8264c73f129d4895573c2375ea4e4636b9d5df66852ce72ccc20d31a96ae7df1",
        "IDS Detections: W32/Bayrob Attempted Checkin 2 Terse HTTP 1.0 Request Possible Nivdort W32/Bayrob Attempted Checkin",
        "IDS Detections: Possible Compromised Host AnubisNetworks Sinkhole Cookie Value Snkz",
        "Alerts: cape_detected_threat cape_extracted_content",
        "https://otx.alienvault.com/indicator/file/251150379b9a0ff230899777f0952d3833a88c1a2d6a0101ea13bdd91a9550fe",
        "https://otx.alienvault.com/indicator/url/https://www.anyxxxtube.net/search-porn/tsara-brashears/ [phishing]",
        "\"Windows SMB Information Disclosure Vulnerability.\" - https://otx.alienvault.com/indicator/cve/CVE-2017-0147",
        "Backdoor:Win32/Fynloski.A: FileHash-SHA256 4e692806955f9ee3f4c7a5d9a1ac7729eb53b855b39e6f9f943f89ccba30bd49",
        "Backdoor:Win32/Fynloski.A: FileHash-SHA 453355033bb7977831ca87cc90156b594f13b2ee",
        "Backdoor:Win32/Fynloski.A: FileHash-MD5 c3113684e8f8aa6d1b1b67d59141e845",
        "TrojanClicker:Win32/Ellell.A: FileHash-SHA256 7456108771e6a8bac658276c1cb9e18c8c348fdd9cd3538419751c3b5ef3ac02",
        "TrojanClicker:Win32/Ellell.A: FileHash-SHA1 7a52b57df5b3c67f810a71dc39ff93688b141534",
        "TrojanClicker:Win32/Ellell.A: 4d3e7d486ec5918d91e54e51c4d07dc6",
        "PWS:Win32/Ymacco.AA50: FileHash-SHA256 105834163b1a0c89e12917a3145e14be6030a611e07f7f62fa7c57de838d6251",
        "PWS:Win32/Ymacco.AA50: FileHash-SHA1 57486d33246bce6dfedb0836cd97c9acd4a4a39a",
        "PWS:Win32/Ymacco.AA50: FileHash-MD5 5739cd62eb88e2a7e514784fe7cf5ca4",
        "https://otx.alienvault.com/indicator/ip/162.222.213.199",
        "TrojanDownloader:Win32/PurityScan.MI!MTB: FileHash-SHA1 58ba8715a88d883537ba8d0e20eea2a4d9269cad",
        "Ransom:Win32/Tescrypt: FileHash-SHA256 916e13eb1e4313b2a04a2ae21b4955b8228183b26709a64284098ca759a8f437",
        "PWS:Win32/QQpass.B!MTB: FileHash-SHA256 71fa9257f88c15b438616662dc468327199edb570286c7259d333953006b8eec",
        "PWS:Win32/QQpass.B!MTB: FileHash-SHA1 fec703ee7c02ffe35c6b987bb9aac3a765e95dfb",
        "PWS:Win32/QQpass.B!MTB: FileHash-MD5 f7c36b4e5b4b09dc369163377aade2d7",
        "Trojan:Win32/Zombie.A: FileHash-SHA256 0b87667251b79cb800ddd88bdabecea8e13248c426d4a14ae0aae0ef5783f943",
        "Trojan:Win32/Zombie.A: FileHash-SHA1 de974c697f0401d681e1bb3c8694a663e9e43d8f",
        "Trojan:Win32/Zombie.A: FileHash-MD5 34e85820b41c14e07dd564f22997e893",
        "Win.Virus.TeslaCrypt3-2: 78af1fd5be62ab829e49f9a1b5fbb8a9b30f8d0804cba5805c8f350b841d522e",
        "IDS Detections : W32/Bayrob Attempted Checkin 2 CryptoWall Check-in AlphaCrypt CnC Beacon 4 Trojan-Ransom.Win32.Blocker.avsx",
        "IDS Detections : AlphaCrypt CnC Beacon 3 MalDoc Request for Payload Aug 17 2016 Koobface W32/Bayrob Attempted Checkin",
        "IDS Detections : Suspicious Accept in HTTP POST - Possible Alphacrypt/TeslaCrypt Alphacrypt/TeslaCrypt Ransomware CnC Beacon",
        "https://otx.alienvault.com/indicator/ip/185.230.63.186",
        "CnC IP's: 192.187.111.221  63.141.242.43  63.141.242.44  63.141.242.46 81.17.18.195  81.17.18.197 81.17.29.146  81.17.29.148",
        "http://islamicsoftwares.com/downloads/iphone/audioCont/2/107.tar.gz http://islamicsoftwares.com/downloads/iphone/audioCont/7/110.tar.gz",
        "smartphonesonline.co.uk  https://smartphonesonline.co.uk/  https://www.smartphonesonline.co.uk/ [192.187.111.222. US - Request HTTP -Target IP]",
        "Mercenary Attackers / Cellebrite branded as: http://teacellertea.com/Pegasus/ NSO",
        "https://itunes.apple.com/app/apple-store/id284815942/us/app/samsung-galaxy-watch-gear-s/id1117310635",
        "https://otx.alienvault.com/indicator/file/0002f7cbc10cfea832f117d66dea2d33e6ca1d5cea57d9af0784255e0112d658",
        "https://otx.alienvault.com/indicator/file/0002f7cbc10cfea832f117d66dea2d33e6ca1d5cea57d9af0784255e0112d658",
        "https://otx.alienvault.com/indicator/ip/63.141.242.45",
        "Yara Detections: is__elf ,  xorddos ,  LinuxXorDDoS_VariantTwo",
        "Antivirus Detections: ELF:Xorddos-AE\\ [Trj] ,  Unix.Trojan.Xorddos-1 ,",
        "Trojan:Linux/Xorddos: FileHash-MD5 3b4ce1333614cd21c109054630e959b9",
        "Trojan:Linux/Xorddos:  FileHash-SHA1 a5780498e6fce5933a7e7bf59a6fa5742e97f559",
        "Trojan:Linux/Xorddos: FileHash-SHA256 0002f7cbc10cfea832f117d66dea2d33e6ca1d5cea57d9af0784255e0112d658",
        "https://hallrender.com/attorney/brian-sabey"
      ],
      "public": 1,
      "adversary": "",
      "targeted_countries": [
        "United States of America",
        "United Kingdom of Great Britain and Northern Ireland"
      ],
      "malware_families": [
        {
          "id": "TrojanSpy:Win32/Nivdort.CW",
          "display_name": "TrojanSpy:Win32/Nivdort.CW",
          "target": "/malware/TrojanSpy:Win32/Nivdort.CW"
        },
        {
          "id": "Ransom:Win32/Haperlock.A",
          "display_name": "Ransom:Win32/Haperlock.A",
          "target": "/malware/Ransom:Win32/Haperlock.A"
        },
        {
          "id": "Backdoor:Win32/Fynloski.A",
          "display_name": "Backdoor:Win32/Fynloski.A",
          "target": "/malware/Backdoor:Win32/Fynloski.A"
        },
        {
          "id": "TrojanClicker:Win32/Ellell.A",
          "display_name": "TrojanClicker:Win32/Ellell.A",
          "target": "/malware/TrojanClicker:Win32/Ellell.A"
        },
        {
          "id": "Bayrob",
          "display_name": "Bayrob",
          "target": null
        },
        {
          "id": "Win.Virus.TeslaCrypt3-2/Custom",
          "display_name": "Win.Virus.TeslaCrypt3-2/Custom",
          "target": null
        },
        {
          "id": "PWS:Win32/Ymacco.AA50",
          "display_name": "PWS:Win32/Ymacco.AA50",
          "target": "/malware/PWS:Win32/Ymacco.AA50"
        },
        {
          "id": "Ransom:Win32/Tescrypt",
          "display_name": "Ransom:Win32/Tescrypt",
          "target": "/malware/Ransom:Win32/Tescrypt"
        },
        {
          "id": "PWS:Win32/QQpass.B!MTB",
          "display_name": "PWS:Win32/QQpass.B!MTB",
          "target": "/malware/PWS:Win32/QQpass.B!MTB"
        },
        {
          "id": "Trojan:Win32/Zombie.A",
          "display_name": "Trojan:Win32/Zombie.A",
          "target": "/malware/Trojan:Win32/Zombie.A"
        },
        {
          "id": "Pegasus for iOS - S0289",
          "display_name": "Pegasus for iOS - S0289",
          "target": null
        },
        {
          "id": "Pegasus for Android - MOB-S0032",
          "display_name": "Pegasus for Android - MOB-S0032",
          "target": null
        },
        {
          "id": "Ransomware",
          "display_name": "Ransomware",
          "target": null
        },
        {
          "id": "Trojan:Linux/Xorddos",
          "display_name": "Trojan:Linux/Xorddos",
          "target": "/malware/Trojan:Linux/Xorddos"
        },
        {
          "id": "Sakula RAT",
          "display_name": "Sakula RAT",
          "target": null
        }
      ],
      "attack_ids": [
        {
          "id": "T1512",
          "name": "Capture Camera",
          "display_name": "T1512 - Capture Camera"
        },
        {
          "id": "T1071",
          "name": "Application Layer Protocol",
          "display_name": "T1071 - Application Layer Protocol"
        },
        {
          "id": "TA0001",
          "name": "Initial Access",
          "display_name": "TA0001 - Initial Access"
        },
        {
          "id": "TA0002",
          "name": "Execution",
          "display_name": "TA0002 - Execution"
        },
        {
          "id": "TA0003",
          "name": "Persistence",
          "display_name": "TA0003 - Persistence"
        },
        {
          "id": "TA0004",
          "name": "Privilege Escalation",
          "display_name": "TA0004 - Privilege Escalation"
        },
        {
          "id": "TA0005",
          "name": "Defense Evasion",
          "display_name": "TA0005 - Defense Evasion"
        },
        {
          "id": "TA0007",
          "name": "Discovery",
          "display_name": "TA0007 - Discovery"
        },
        {
          "id": "TA0008",
          "name": "Lateral Movement",
          "display_name": "TA0008 - Lateral Movement"
        },
        {
          "id": "TA0009",
          "name": "Collection",
          "display_name": "TA0009 - Collection"
        },
        {
          "id": "TA0010",
          "name": "Exfiltration",
          "display_name": "TA0010 - Exfiltration"
        },
        {
          "id": "T1583",
          "name": "Acquire Infrastructure",
          "display_name": "T1583 - Acquire Infrastructure"
        },
        {
          "id": "T1105",
          "name": "Ingress Tool Transfer",
          "display_name": "T1105 - Ingress Tool Transfer"
        },
        {
          "id": "T1566",
          "name": "Phishing",
          "display_name": "T1566 - Phishing"
        },
        {
          "id": "T1598",
          "name": "Phishing for Information",
          "display_name": "T1598 - Phishing for Information"
        },
        {
          "id": "T1210",
          "name": "Exploitation of Remote Services",
          "display_name": "T1210 - Exploitation of Remote Services"
        },
        {
          "id": "TA0011",
          "name": "Command and Control",
          "display_name": "TA0011 - Command and Control"
        },
        {
          "id": "T1506",
          "name": "Web Session Cookie",
          "display_name": "T1506 - Web Session Cookie"
        },
        {
          "id": "T1071.004",
          "name": "DNS",
          "display_name": "T1071.004 - DNS"
        },
        {
          "id": "T1129",
          "name": "Shared Modules",
          "display_name": "T1129 - Shared Modules"
        },
        {
          "id": "T1051",
          "name": "Shared Webroot",
          "display_name": "T1051 - Shared Webroot"
        },
        {
          "id": "T1114",
          "name": "Email Collection",
          "display_name": "T1114 - Email Collection"
        },
        {
          "id": "T1123",
          "name": "Audio Capture",
          "display_name": "T1123 - Audio Capture"
        },
        {
          "id": "T1056.001",
          "name": "Keylogging",
          "display_name": "T1056.001 - Keylogging"
        },
        {
          "id": "T1155",
          "name": "AppleScript",
          "display_name": "T1155 - AppleScript"
        }
      ],
      "industries": [],
      "TLP": "green",
      "cloned_from": null,
      "export_count": 106,
      "upvotes_count": 0,
      "downvotes_count": 0,
      "votes_count": 0,
      "locked": false,
      "pulse_source": "web",
      "validator_count": 0,
      "comment_count": 2,
      "follower_count": 0,
      "vote": 0,
      "author": {
        "username": "scoreblue",
        "id": "254100",
        "avatar_url": "/otxapi/users/avatar_image/media/avatars/user_254100/resized/80/avatar_3b9c358f36.png",
        "is_subscribed": false,
        "is_following": false
      },
      "indicator_type_counts": {
        "domain": 3885,
        "hostname": 1651,
        "URL": 5981,
        "FileHash-MD5": 486,
        "FileHash-SHA256": 3859,
        "SSLCertFingerprint": 2,
        "FileHash-SHA1": 487,
        "CVE": 7,
        "email": 8
      },
      "indicator_count": 16366,
      "is_author": false,
      "is_subscribing": null,
      "subscriber_count": 233,
      "modified_text": "572 days ago ",
      "is_modified": true,
      "groups": [],
      "in_group": false,
      "threat_hunter_scannable": true,
      "threat_hunter_has_agents": 1,
      "related_indicator_type": "URL",
      "related_indicator_is_active": 1
    },
    {
      "id": "66d490668683aec2631cfa20",
      "name": "Jeffrey Reimer DPT Tsara Brashears Court Records | Trellis.Law",
      "description": "Phishing expedition: Malicious bait. Threat actor/s attempting to hack whoever can see and clicks on link. The URl is parked, is malicious, attempts infiltrate device.",
      "modified": "2024-11-05T00:02:43.336000",
      "created": "2024-09-01T16:03:50.411000",
      "tags": [
        "reimer-jeffrey-v-brashears-tsara",
        "2017cv030026  suppressed",
        "case 2017cv030026  suppressed",
        "docket",
        "legal case",
        "legal",
        "litigation",
        "court cases",
        "state court docket",
        "robert r",
        "lung",
        "county",
        "case",
        "money",
        "ben l",
        "leutwyler iii",
        "reimer",
        "brashears",
        "douglas county",
        "tips",
        "district",
        "date",
        "judge",
        "shane",
        "bank",
        "contact",
        "service",
        "brashears accepts",
        "jeffrey scott",
        "reimer dpt",
        "reimer paid",
        "sa victim",
        "settlement",
        "reimer-jeffrey-paid-tsara-brahears-settlement",
        "reimer-jeffrey-claim-dismissed",
        "brashears-tsara-claims-upheld",
        "reverse dns",
        "general full",
        "protocol h2",
        "security tls",
        "resource",
        "united",
        "hash",
        "name value",
        "security",
        "main",
        "facebook",
        "brashears-tsara-v-reimer-jeffrey",
        "so false",
        "as134548 dxtl",
        "kwan o",
        "hong kong",
        "passive dns",
        "scan endpoints",
        "all scoreblue",
        "ipv4",
        "export graph",
        "historical ssl",
        "referrer",
        "gameprofitshack",
        "webstudio",
        "smartdata",
        "alloymedia",
        "industries",
        "theakkas",
        "korplug",
        "default",
        "module load",
        "t1129",
        "show",
        "search",
        "regbinary",
        "malware beacon",
        "upatre",
        "suspicious",
        "trojan",
        "copy",
        "dock",
        "downloader",
        "loader",
        "write",
        "malware",
        "av detections",
        "ids detections",
        "yara detections",
        "alerts",
        "related pulses",
        "dashboard",
        "browse scan",
        "endpoints all",
        "showing",
        "p2p zeus",
        "september",
        "popper",
        "cookies",
        "x function",
        "hsp boolean",
        "oribili boolean",
        "hstcran",
        "hsusertoken",
        "domainpath name",
        "ns nxdomain",
        "parked",
        "tsara won",
        "brashears prevails",
        "reimer dismissal",
        "dangerous data collection",
        "get device",
        "parked uri"
      ],
      "references": [
        "Scam Aggregators: https://trellis.law/case/8035/2017cv030026-suppressed/reimer-jeffrey-v-brashears-tsara [parked here: ctjsz.com]",
        "http://www.qq664.com/seximanhua/22128.html [looks legit to me]",
        "sex2e.com  | http://qq664.com/seximanhua/22128.html [trellis.law]",
        "https://prnbae.com/191693/at-37-ellie-discovers-the-unique-sensations-of-double-vaginal-sex/ [trellis.law]",
        "http://www.philippinesredcat.com/girls-for-sex-in-manila/ [trellis.law]",
        "http://us.1.powerfront.com/thehealthylivingshow/scripts/redir.asp?link=https://www.sexbestgals.info/cougar-porn/ [trellis.law]",
        "https://help.competitionsuite.com/article/76-using-the-judge-app-tablets",
        "https://www.paidhmars.com/",
        "https://urlscan.io/result/e4ed8a1d-1b23-46cd-a237-a2ad4e974fc3/content/",
        "False: This case was filed in Douglas County Superior Courts with Jeffrey K Holmes presiding. | Who is he?",
        "False: Never served. Had several PI's and background checks",
        "Jeffrey Scott Reimer DPT was allegedly arrested 02/14/2022 |  Very unreliable self proclaimed PI's (multiple)",
        "Brian Sabey begged victim to accept tiny settlement. Contingency, 'Brashears may use  settlement to find hacker.'",
        "Judge Shay Whittaker dismissed Reimers 'malicious' prosecution claom",
        "Reimers case V Brashears in 2017 after Denver Police Major Crimes located Reimer",
        "Brashears documented on corr record she wanted to proceed with case",
        "Brian Sabey Speaking for Jeffrey Scott Reimer DPT refused further court proceedings",
        "Brian Sabey offered Brashears a settlement. Begged her to accept it.",
        "Case: Defamation of character based on truthful reviews left on HealthGrades.",
        "A series of reviews detailing Jeffrey Reimer DPT egregious behavior proved not left by Brashears except 2 with comments -4",
        "Brashears Review: 'He would benefit from more training' [Very considerate considering the complimentary spinal cord injuries 'plural']",
        "Health Grades erased 20+ positive reviews that originated from Reimers email address.",
        "Most of not all  positive Jeffrey Reimer DPT reviews are false.  Reimer wasn't practicing when 'amazing' trat,ent alleged",
        "Brian Sabey. Esq filed motion to dismiss after judge dismissed Reimers meritlesscase",
        "Brian Sabey would  be most foolish after it was determined Brashears was 100% disabled. This was cause by Jeffrey Scott Reimer DPT",
        "Brashears would gladly go to court as stated in court documents to then judge who wished to be briefed by Brashears. Thwarted by Sabey.",
        "Brian Sabey wanted to appear to win. Sandy demanded Brashears remove every patients negative review about Jeffrey Reimer DPT",
        "Brian Sabey had cashiers check delivered to Brashears in person.",
        "Victim is willing to have her attorney post entire court proceedings online , on YouTube and more",
        "There is NO other physical therapist with as many reviews as Jeffrey Reimer DPT, even non offenders. Reimers clientele is largely non-english speaking.",
        "Reimer often criticized non English speakers, large women and short Hispanic men according to witness.",
        "He also spoke frequently about Brashears infamously 'real' large bosom and figure. He decided to touch, grab, grope, assault,injure, beg for more",
        "Jeffrey Scott Reimer PT , DPT. assaulters defense: 'I had to be of the top/front of Brashears, She consented!'",
        "False: Brashears didn't expect this coming. Jeffrey Reimer DPT suddenly jumped on top of Brashears and tried to start a family. He didn't ask.",
        "Unless tampered with, court records will show Brashears dropped as a patient to be told she'd face legal consequences if she did.",
        "Survivor was told an investigation would begin, she'd be safe among other careless things her MD advised",
        "Brashears would LOVE for the true court proceedings to be read. She feels they were hacked away. DougCo was unable to 'print' records 'glitch'",
        "Did I mention she prevailed, won, got a check? Tsara Lynn Brashears survivor; won her counter claim. Weak Reimer claim burned like a dying moth.",
        "Trellis: 3.223.115.185 In cloud provider range: provider=AWS\t  IPv4 34.240.160.162 In cloud provider range: provider=AWS",
        "Trellis: http://blockpage.bt.com/pcstaticpage/blocked.html?list=BT |  https://search.app.goo.gl/?ofl",
        "Trellis: www.youtube.com/watch?v=GyuMozsVyYs \t\u00bb Survivors video references assault. Does not name or depict Reimers likeness.",
        "Trellis: Hostname blockpage.bt.com | hdredirect-lb7-5a03e1c2772e1c9c.elb.us-east-1.amazonaws.com | itunes.apple.com | search.app.goo.gl  | www.youtube.com",
        "Trellis: https://itunes.apple.com/app/apple-store/id284815942/us/app/samsung-galaxy-watch-gear-s/id1117310635",
        "IDS Detections: Downloader (P2P Zeus dropper UA) Common Upatre Header Structure 2 Upatre Retrieving encoded payload (Common Header Struct)",
        "IDS Detections: Suspicious User-Agent containing Loader Observed TLS Handshake Failure",
        "Trellis: High Priority Alerts: network_icmp modifies_proxy_wpad packer_polymorphic",
        "Trellis:TrojanDownloader:Win32/Upatre.A  | Yara Detections Upack_all_versions",
        "Trellis: secure04-appleid.com | http://secure04-appleid.com | cpcalendars.secure04-appleid.com"
      ],
      "public": 1,
      "adversary": "Parking Crew",
      "targeted_countries": [
        "United States of America"
      ],
      "malware_families": [
        {
          "id": "Trojan:Win32/Zbot.SIBG3!MTB",
          "display_name": "Trojan:Win32/Zbot.SIBG3!MTB",
          "target": "/malware/Trojan:Win32/Zbot.SIBG3!MTB"
        },
        {
          "id": "TrojanDownloader:Win32/Upatre.A",
          "display_name": "TrojanDownloader:Win32/Upatre.A",
          "target": "/malware/TrojanDownloader:Win32/Upatre.A"
        },
        {
          "id": "P2P ZeuS - S0016",
          "display_name": "P2P ZeuS - S0016",
          "target": null
        }
      ],
      "attack_ids": [
        {
          "id": "T1040",
          "name": "Network Sniffing",
          "display_name": "T1040 - Network Sniffing"
        },
        {
          "id": "T1045",
          "name": "Software Packing",
          "display_name": "T1045 - Software Packing"
        },
        {
          "id": "T1060",
          "name": "Registry Run Keys / Startup Folder",
          "display_name": "T1060 - Registry Run Keys / Startup Folder"
        },
        {
          "id": "T1129",
          "name": "Shared Modules",
          "display_name": "T1129 - Shared Modules"
        },
        {
          "id": "T1143",
          "name": "Hidden Window",
          "display_name": "T1143 - Hidden Window"
        },
        {
          "id": "T1598",
          "name": "Phishing for Information",
          "display_name": "T1598 - Phishing for Information"
        },
        {
          "id": "T1031",
          "name": "Modify Existing Service",
          "display_name": "T1031 - Modify Existing Service"
        },
        {
          "id": "T1023",
          "name": "Shortcut Modification",
          "display_name": "T1023 - Shortcut Modification"
        },
        {
          "id": "T1399",
          "name": "Modify Trusted Execution Environment",
          "display_name": "T1399 - Modify Trusted Execution Environment"
        },
        {
          "id": "T1155",
          "name": "AppleScript",
          "display_name": "T1155 - AppleScript"
        }
      ],
      "industries": [
        "Research",
        "Telecommunications",
        "Technology",
        "Civilians"
      ],
      "TLP": "green",
      "cloned_from": null,
      "export_count": 14,
      "upvotes_count": 0,
      "downvotes_count": 0,
      "votes_count": 0,
      "locked": false,
      "pulse_source": "web",
      "validator_count": 0,
      "comment_count": 1,
      "follower_count": 0,
      "vote": 0,
      "author": {
        "username": "scoreblue",
        "id": "254100",
        "avatar_url": "/otxapi/users/avatar_image/media/avatars/user_254100/resized/80/avatar_3b9c358f36.png",
        "is_subscribed": false,
        "is_following": false
      },
      "indicator_type_counts": {
        "FileHash-MD5": 269,
        "FileHash-SHA1": 266,
        "FileHash-SHA256": 981,
        "domain": 480,
        "hostname": 684,
        "email": 1,
        "URL": 2102
      },
      "indicator_count": 4783,
      "is_author": false,
      "is_subscribing": null,
      "subscriber_count": 227,
      "modified_text": "572 days ago ",
      "is_modified": true,
      "groups": [],
      "in_group": false,
      "threat_hunter_scannable": true,
      "threat_hunter_has_agents": 1,
      "related_indicator_type": "URL",
      "related_indicator_is_active": 1
    }
  ],
  "error": null,
  "vt": {
    "error": "VirusTotal rate limit reached. Try again shortly.",
    "indicator": "https://schedules.competitionsuite.com",
    "type": "URL"
  },
  "abuseipdb": null,
  "urlhaus": {
    "indicator": "https://schedules.competitionsuite.com",
    "type": "URL",
    "found": false,
    "verdict": "clean",
    "error": null
  },
  "from_cache": true,
  "_cached_at": 1780265996.1926374
}