{ "type": "URL", "indicator": "https://secure.mooseintl.org/MooseRewardsQuery/", "general": { "sections": [ "general", "url_list", "http_scans", "screenshot" ], "indicator": "https://secure.mooseintl.org/MooseRewardsQuery/", "type": "url", "type_title": "URL", "validation": [], "base_indicator": { "id": 3880054710, "indicator": "https://secure.mooseintl.org/MooseRewardsQuery/", "type": "URL", "title": "", "description": "", "content": "", "access_type": "public", "access_reason": "" }, "pulse_info": { "count": 8, "pulses": [ { "id": "69a3c685d4b7c139ffe62930", "name": "Clone Pulse Reference", "description": "", "modified": "2026-04-01T00:44:45.494000", "created": "2026-03-01T04:54:29.384000", "tags": [ "ipv4", "active related", "trojandropper", "mtb jun", "lowfi", "trojan", "mtb jan", "fastly error", "please", "united", "ttl value", "get na", "total", "delete", "search", "yara detections", "sinkhole cookie", "value snkz", "write", "suspicious", "ransom", "malware", "Ransom.Win32.Birele.gsg Checkin", "AnubisNetworks Sinkhole Cookie Value Snkz", "Possible Compromised Host", "dynamicloader", "delete c", "default", "medium", "write c", "settingswpad", "intel", "ms windows", "users", "number", "title", "installer", "top source", "top destination", "source source", "port", "filehash", "av detections", "ids detections", "yara rule", "gravityrat", "detectvm", "x00 x00", "x00x00", "doviacmd", "rootjob", "getfiles", "updateserver", "ethernetid", "ids signatures", "exploits", "sid name", "malware cve", "dns query", "dnsbin demo", "data exfil", "exif data", "DNS Query for Webhook/HTTP Request Inspection Service (x .pipedr", "DNSBin Demo (requestbin .net) - Data Exfitration", "source port", "destination", "present sep", "script urls", "script script", "a domains", "script domains", "ip address", "meta", "present nov", "passive dns", "next associated", "domain add", "pe executable", "entries", "show", "msie", "windows nt", "wow64", "copy", "present jan", "present feb", "domain", "pulse pulses", "urls", "files", "tam legal", "christopher ahmann", "https://unicef.se/assets/apple", "treece alfrey", "hours ago", "information", "report spam", "ahmann colorado", "state", "special cousel", "created", "expiro", "capture" ], "references": [ "Fastly IP Block: 151.101.0.0/16 | Organizations like Palantir may use third-party services such as Fastly's CDN", "Fastly Error and Palantir blocked several times over the last few months.", "Denver ; ISP, Fastly, Inc. ; Organization, Fastly, Inc. ; Network, AS54113 Fastly, Inc. (VPN, CDN, DDOSM,)", "IP Region, Quebec. City ; Net Range, 151.101.0.0 - 151.101.255.255. CIDR ; Full Name, Fastly, Inc.", "Palantir quasi government client Ab/using Palantir subdomains , Fastly is CDN", "Yara: SUSP_ENV_Folder_Root_File_Jan23_1 %APPDATA%\\ewiuer2.exe SCRIPT", "Win.Trojan.Vundo-7170412-0\t#Lowfi:SuspiciousSectionName", "Link below used to defraud Tsara to think she\u2019d violated Patriot Act warranting NSA , Palinter espionage", "https://unicef.se/assets/apple" ], "public": 1, "adversary": "", "targeted_countries": [], "malware_families": [ { "id": "Trojan:Win32/Neconyd.A", "display_name": "Trojan:Win32/Neconyd.A", "target": "/malware/Trojan:Win32/Neconyd.A" }, { "id": "PWS:Win32/QQpass.FC", "display_name": "PWS:Win32/QQpass.FC", "target": "/malware/PWS:Win32/QQpass.FC" }, { "id": "Trojan:Win32/Zombie.A", "display_name": "Trojan:Win32/Zombie.A", "target": "/malware/Trojan:Win32/Zombie.A" }, { "id": "Win.Malware.Urelas-9863836-0", "display_name": "Win.Malware.Urelas-9863836-0", "target": null }, { "id": "ALF:HeraklezEval:Trojan:MSIL/Gravityrat!rfn", "display_name": "ALF:HeraklezEval:Trojan:MSIL/Gravityrat!rfn", "target": null }, { "id": "Win.Trojan.Vundo-7170412-0", "display_name": "Win.Trojan.Vundo-7170412-0", "target": null }, { "id": "#Lowfi:SuspiciousSectionName", "display_name": "#Lowfi:SuspiciousSectionName", "target": null }, { "id": "Multiple Malware\u2019s , Trojans and Rats", "display_name": "Multiple Malware\u2019s , Trojans and Rats", "target": null } ], "attack_ids": [ { "id": "T1060", "name": "Registry Run Keys / Startup Folder", "display_name": "T1060 - Registry Run Keys / Startup Folder" }, { "id": "T1119", "name": "Automated Collection", "display_name": "T1119 - Automated Collection" }, { "id": "T1059.002", "name": "AppleScript", "display_name": "T1059.002 - AppleScript" }, { "id": "T1027", "name": "Obfuscated Files or Information", "display_name": "T1027 - Obfuscated Files or Information" }, { "id": "T1045", "name": "Software Packing", "display_name": "T1045 - Software Packing" }, { "id": "T1057", "name": "Process Discovery", "display_name": "T1057 - Process Discovery" }, { "id": "T1069", "name": "Permission Groups Discovery", "display_name": "T1069 - Permission Groups Discovery" }, { "id": "T1071", "name": "Application Layer Protocol", "display_name": "T1071 - Application Layer Protocol" }, { "id": "T1105", "name": "Ingress Tool Transfer", "display_name": "T1105 - Ingress Tool Transfer" }, { "id": "T1113", "name": "Screen Capture", "display_name": "T1113 - Screen Capture" }, { "id": "T1140", "name": "Deobfuscate/Decode Files or Information", "display_name": "T1140 - Deobfuscate/Decode Files or Information" }, { "id": "T1197", "name": "BITS Jobs", "display_name": "T1197 - BITS Jobs" }, { "id": "T1210", "name": "Exploitation of Remote Services", "display_name": "T1210 - Exploitation of Remote Services" }, { "id": "T1457", "name": "Malicious Media Content", "display_name": "T1457 - Malicious Media Content" }, { "id": "T1480", "name": "Execution Guardrails", "display_name": "T1480 - Execution Guardrails" }, { "id": "T1553", "name": "Subvert Trust Controls", "display_name": "T1553 - Subvert Trust Controls" }, { "id": "T1562", "name": "Impair Defenses", "display_name": "T1562 - Impair Defenses" }, { "id": "T1568", "name": "Dynamic Resolution", "display_name": "T1568 - Dynamic Resolution" }, { "id": "T1574", "name": "Hijack Execution Flow", "display_name": "T1574 - Hijack Execution Flow" }, { "id": "T1583", "name": "Acquire Infrastructure", "display_name": "T1583 - Acquire Infrastructure" } ], "industries": [], "TLP": "white", "cloned_from": "6906bd99cadbd4140014c6af", "export_count": 0, "upvotes_count": 0, "downvotes_count": 0, "votes_count": 0, "locked": false, "pulse_source": "web", "validator_count": 0, "comment_count": 0, "follower_count": 0, "vote": 0, "author": { "username": "msudosos", "id": "381696", "avatar_url": "https://otx.alienvault.com/assets/images/default-avatar.png", "is_subscribed": false, "is_following": false }, "indicator_type_counts": { "FileHash-SHA256": 909, "domain": 454, "hostname": 1404, "URL": 3557, "CIDR": 1, "FileHash-MD5": 242, "FileHash-SHA1": 185, "email": 1, "CVE": 1 }, "indicator_count": 6754, "is_author": false, "is_subscribing": null, "subscriber_count": 48, "modified_text": "18 days ago ", "is_modified": true, "groups": [], "in_group": false, "threat_hunter_scannable": true, "threat_hunter_has_agents": 1, "related_indicator_type": "URL", "related_indicator_is_active": 1 }, { "id": "6907cc66855b7dfe1306b0d8", "name": "Inject : Defense Counsel attaches to Apple Notebooks - Targeting", "description": "TAM Legal attacking Tsara Brashears and associated. Christopher P. Ahmann Esq Is the Special Counsel assigned to pester , smear, tamper with, terrorize, arrange murders, dispatch stalkers, deny care, swatting , botnets, attach to devices , deflect award for life ending injuries to you and your Mafia, choose malicious media companies (Hall Render) to smear Jeffrey Scott Reimers assault victim. This is silencing. Not everyone has someone to speak. Back off. You\u2019re sick. Enjoying that money, while Tsara slept on air mattress during a couch tour. Demyelinating, from denied disclosed of cord compression; like George Floyd. You should turn yourself in, write a HUGA check , shut down this criminal operation , find Jesus , self exit to a place out away from you targets , go to your bunker forever. You are a God Forsaken terrorist hitman! You\u2019re all SO sick!\nEnd Game Now.", "modified": "2026-01-01T07:03:18.851000", "created": "2025-11-02T21:25:58.814000", "tags": [ "present nov", "unknown aaaa", "ip address", "win32", "america asn", "twitter", "united states", "america", "ipv4", "united", "a domains", "443 ma86400", "super", "read c", "memcommit", "msie", "windows nt", "wow64", "slcc2", "media center", "tlsv1", "regsetvalueexa", "hack", "write", "february", "local", "unknown", "persistence", "execution", "xport", "kb body", "present aug", "present sep", "present oct", "for privacy", "false", "expirestue", "path", "p2404", "accept", "p11762282638", "host", "gmt range", "gmt ifnonematch", "p11762466264", "p11762417453", "nothing", "shutdown", "process32nextw", "langturkish", "sublangdefault", "regdword", "rtrcdata", "microsoft excel", "delphi", "worm", "malware", "error", "next", "format", "suspicious", "less see", "contacted", "all ip", "domains", "all related", "pulses otx", "related tags", "file type", "pexe", "christopher ahmann", "tam legal", "treece", "hacking", "highjacking", "modified", "quasi government", "ai google", "inject", "adversaries", "government", "insurance", "apple" ], "references": [ "External Apple Connection: Notepad.pw", "Sex Tools: m.pornsexer.xxx.3.1.adiosfil.roksit.net |", "www.endgame.com/blog/technical-blog/ten-process-injection-techniques-technical-survey-common-and-trending-process\t h", "takedown-communication-api.prod-c15a-awsuse.ppops.net", "L\u00b0\u00b0k @ You, okay Chris\u2026abgubdf.apple.cloudns.biz \u2022 cloudns.biz \u2022 https://abgubdf.apple.cloudns", "http://www.mof.gov.cn.lxcvc.com/ \u2022 https://r//www.csrc.gov.cn.lxcvc.com/", "http://www.mohurd.gov.cn.lxcvc.com/", "config.uca.cloud.unity3d.com", "0.0.iphone.8dyf8rf5k3.fr.mobiletrend.rtl2.adsenseformobileapps.com", "http://mp7tf.best-cell-phone-plans-for-seniors.cfd/", "sipphone.com", "uk5seki2ygz3kyfgliqe37477miq6jsf.nlsexolehxry4opotgpq" ], "public": 1, "adversary": "TAM Legal Christopher P. Ahmann Chief Terrorist", "targeted_countries": [], "malware_families": [ { "id": "Win.Malware.004bf-6866449-0", "display_name": "Win.Malware.004bf-6866449-0", "target": null }, { "id": "Custom Malware", "display_name": "Custom Malware", "target": null }, { "id": "Worn:Win32/AutoRun.XXY!bit", "display_name": "Worn:Win32/AutoRun.XXY!bit", "target": "/malware/Worn:Win32/AutoRun.XXY!bit" } ], "attack_ids": [ { "id": "T1040", "name": "Network Sniffing", "display_name": "T1040 - Network Sniffing" }, { "id": "T1045", "name": "Software Packing", "display_name": "T1045 - Software Packing" }, { "id": "T1047", "name": "Windows Management Instrumentation", "display_name": "T1047 - Windows Management Instrumentation" }, { "id": "T1053", "name": "Scheduled Task/Job", "display_name": "T1053 - Scheduled Task/Job" }, { "id": "T1055", "name": "Process Injection", "display_name": "T1055 - Process Injection" }, { "id": "T1071", "name": "Application Layer Protocol", "display_name": "T1071 - Application Layer Protocol" }, { "id": "T1082", "name": "System Information Discovery", "display_name": "T1082 - System Information Discovery" }, { "id": "T1129", "name": "Shared Modules", "display_name": "T1129 - Shared Modules" }, { "id": "T1457", "name": "Malicious Media Content", "display_name": "T1457 - Malicious Media Content" }, { "id": "T1031", "name": "Modify Existing Service", "display_name": "T1031 - Modify Existing Service" }, { "id": "T1210", "name": "Exploitation of Remote Services", "display_name": "T1210 - Exploitation of Remote Services" }, { "id": "T1112", "name": "Modify Registry", "display_name": "T1112 - Modify Registry" }, { "id": "T1068", "name": "Exploitation for Privilege Escalation", "display_name": "T1068 - Exploitation for Privilege Escalation" }, { "id": "T1094", "name": "Custom Command and Control Protocol", "display_name": "T1094 - Custom Command and Control Protocol" }, { "id": "TA0003", "name": "Persistence", "display_name": "TA0003 - Persistence" }, { "id": "T1055.001", "name": "Dynamic-link Library Injection", "display_name": "T1055.001 - Dynamic-link Library Injection" }, { "id": "T1147", "name": "Hidden Users", "display_name": "T1147 - Hidden Users" }, { "id": "T1155", "name": "AppleScript", "display_name": "T1155 - AppleScript" }, { "id": "T1057", "name": "Process Discovery", "display_name": "T1057 - Process Discovery" }, { "id": "T1060", "name": "Registry Run Keys / Startup Folder", "display_name": "T1060 - Registry Run Keys / Startup Folder" }, { "id": "T1415", "name": "URL Scheme Hijacking", "display_name": "T1415 - URL Scheme Hijacking" }, { "id": "T1184", "name": "SSH Hijacking", "display_name": "T1184 - SSH Hijacking" }, { "id": "T1122", "name": "Component Object Model Hijacking", "display_name": "T1122 - Component Object Model Hijacking" } ], "industries": [ "Legal", "Government", "Healthcare", "Technology", "Telecommunications" ], "TLP": "white", "cloned_from": null, "export_count": 7, "upvotes_count": 0, "downvotes_count": 0, "votes_count": 0, "locked": false, "pulse_source": "web", "validator_count": 0, "comment_count": 0, "follower_count": 0, "vote": 0, "author": { "username": "Q.Vashti", "id": "337942", "avatar_url": "https://otx.alienvault.com/assets/images/default-avatar.png", "is_subscribed": false, "is_following": false }, "indicator_type_counts": { "FileHash-SHA256": 2615, "URL": 7521, "hostname": 1775, "domain": 689, "FileHash-MD5": 448, "FileHash-SHA1": 295, "SSLCertFingerprint": 12, "email": 1 }, "indicator_count": 13356, "is_author": false, "is_subscribing": null, "subscriber_count": 137, "modified_text": "108 days ago ", "is_modified": true, "groups": [], "in_group": false, "threat_hunter_scannable": true, "threat_hunter_has_agents": 1, "related_indicator_type": "URL", "related_indicator_is_active": 1 }, { "id": "692e9b142a8508d5257d1662", "name": "Criminal Defender Chris Ahmann responsible for continued Apple hackathons removing IoC\u2019 l Targeting Tsara Brashears evidence of crime . Hit Man", "description": "", "modified": "2026-01-01T07:03:18.851000", "created": "2025-12-02T07:53:56.560000", "tags": [ "present nov", "unknown aaaa", "ip address", "win32", "america asn", "twitter", "united states", "america", "ipv4", "united", "a domains", "443 ma86400", "super", "read c", "memcommit", "msie", "windows nt", "wow64", "slcc2", "media center", "tlsv1", "regsetvalueexa", "hack", "write", "february", "local", "unknown", "persistence", "execution", "xport", "kb body", "present aug", "present sep", "present oct", "for privacy", "false", "expirestue", "path", "p2404", "accept", "p11762282638", "host", "gmt range", "gmt ifnonematch", "p11762466264", "p11762417453", "nothing", "shutdown", "process32nextw", "langturkish", "sublangdefault", "regdword", "rtrcdata", "microsoft excel", "delphi", "worm", "malware", "error", "next", "format", "suspicious", "less see", "contacted", "all ip", "domains", "all related", "pulses otx", "related tags", "file type", "pexe", "christopher ahmann", "tam legal", "treece", "hacking", "highjacking", "modified", "quasi government", "ai google", "inject", "adversaries", "government", "insurance", "apple" ], "references": [ "External Apple Connection: Notepad.pw", "Sex Tools: m.pornsexer.xxx.3.1.adiosfil.roksit.net |", "www.endgame.com/blog/technical-blog/ten-process-injection-techniques-technical-survey-common-and-trending-process\t h", "takedown-communication-api.prod-c15a-awsuse.ppops.net", "L\u00b0\u00b0k @ You, okay Chris\u2026abgubdf.apple.cloudns.biz \u2022 cloudns.biz \u2022 https://abgubdf.apple.cloudns", "http://www.mof.gov.cn.lxcvc.com/ \u2022 https://r//www.csrc.gov.cn.lxcvc.com/", "http://www.mohurd.gov.cn.lxcvc.com/", "config.uca.cloud.unity3d.com", "0.0.iphone.8dyf8rf5k3.fr.mobiletrend.rtl2.adsenseformobileapps.com", "http://mp7tf.best-cell-phone-plans-for-seniors.cfd/", "sipphone.com", "uk5seki2ygz3kyfgliqe37477miq6jsf.nlsexolehxry4opotgpq" ], "public": 1, "adversary": "TAM Legal Christopher P. Ahmann Chief Terrorist", "targeted_countries": [], "malware_families": [ { "id": "Win.Malware.004bf-6866449-0", "display_name": "Win.Malware.004bf-6866449-0", "target": null }, { "id": "Custom Malware", "display_name": "Custom Malware", "target": null }, { "id": "Worn:Win32/AutoRun.XXY!bit", "display_name": "Worn:Win32/AutoRun.XXY!bit", "target": "/malware/Worn:Win32/AutoRun.XXY!bit" } ], "attack_ids": [ { "id": "T1040", "name": "Network Sniffing", "display_name": "T1040 - Network Sniffing" }, { "id": "T1045", "name": "Software Packing", "display_name": "T1045 - Software Packing" }, { "id": "T1047", "name": "Windows Management Instrumentation", "display_name": "T1047 - Windows Management Instrumentation" }, { "id": "T1053", "name": "Scheduled Task/Job", "display_name": "T1053 - Scheduled Task/Job" }, { "id": "T1055", "name": "Process Injection", "display_name": "T1055 - Process Injection" }, { "id": "T1071", "name": "Application Layer Protocol", "display_name": "T1071 - Application Layer Protocol" }, { "id": "T1082", "name": "System Information Discovery", "display_name": "T1082 - System Information Discovery" }, { "id": "T1129", "name": "Shared Modules", "display_name": "T1129 - Shared Modules" }, { "id": "T1457", "name": "Malicious Media Content", "display_name": "T1457 - Malicious Media Content" }, { "id": "T1031", "name": "Modify Existing Service", "display_name": "T1031 - Modify Existing Service" }, { "id": "T1210", "name": "Exploitation of Remote Services", "display_name": "T1210 - Exploitation of Remote Services" }, { "id": "T1112", "name": "Modify Registry", "display_name": "T1112 - Modify Registry" }, { "id": "T1068", "name": "Exploitation for Privilege Escalation", "display_name": "T1068 - Exploitation for Privilege Escalation" }, { "id": "T1094", "name": "Custom Command and Control Protocol", "display_name": "T1094 - Custom Command and Control Protocol" }, { "id": "TA0003", "name": "Persistence", "display_name": "TA0003 - Persistence" }, { "id": "T1055.001", "name": "Dynamic-link Library Injection", "display_name": "T1055.001 - Dynamic-link Library Injection" }, { "id": "T1147", "name": "Hidden Users", "display_name": "T1147 - Hidden Users" }, { "id": "T1155", "name": "AppleScript", "display_name": "T1155 - AppleScript" }, { "id": "T1057", "name": "Process Discovery", "display_name": "T1057 - Process Discovery" }, { "id": "T1060", "name": "Registry Run Keys / Startup Folder", "display_name": "T1060 - Registry Run Keys / Startup Folder" }, { "id": "T1415", "name": "URL Scheme Hijacking", "display_name": "T1415 - URL Scheme Hijacking" }, { "id": "T1184", "name": "SSH Hijacking", "display_name": "T1184 - SSH Hijacking" }, { "id": "T1122", "name": "Component Object Model Hijacking", "display_name": "T1122 - Component Object Model Hijacking" } ], "industries": [ "Legal", "Government", "Healthcare", "Technology", "Telecommunications" ], "TLP": "white", "cloned_from": "6907cc66855b7dfe1306b0d8", "export_count": 11, "upvotes_count": 0, "downvotes_count": 0, "votes_count": 0, "locked": false, "pulse_source": "web", "validator_count": 0, "comment_count": 0, "follower_count": 0, "vote": 0, "author": { "username": "Q.Vashti", "id": "337942", "avatar_url": "https://otx.alienvault.com/assets/images/default-avatar.png", "is_subscribed": false, "is_following": false }, "indicator_type_counts": { "FileHash-SHA256": 2615, "URL": 7437, "hostname": 1765, "domain": 686, "FileHash-MD5": 448, "FileHash-SHA1": 295, "SSLCertFingerprint": 12, "email": 1 }, "indicator_count": 13259, "is_author": false, "is_subscribing": null, "subscriber_count": 137, "modified_text": "108 days ago ", "is_modified": true, "groups": [], "in_group": false, "threat_hunter_scannable": true, "threat_hunter_has_agents": 1, "related_indicator_type": "URL", "related_indicator_is_active": 1 }, { "id": "6905d40f781d7d58d4021a20", "name": "Treece Alfrey Musat P.C., Chris P. Ahmann Colorado State \u2022 Tam Legal Special Cousel for egregious acts by PT.", "description": "- with a primary focus on criminal defense. In both positions, he successfully defended his clients against claims running the gamut of the criminal justice system, from DUI\nand misdemeanors to felony indictments. In his criminal practice, Mr. Ahmann defends clients charged with both misdemeanor and felony cases. Mr. Ahmann continues his criminal practice as he believes that his clients deserve someone on their side to assure their voice is heard in the criminal process as well. He is dedicated to each of his clients and is always\nstriving for the best possible outcome in their individual cases. Mr. Ahmann also specializes in defense of employers in workers' compensation claims. He also assists TAM clients whose liability defense touches criminal prosecution, regularly providing effective criminal counsel in catastrophic injury common carrier matters, as well as criminal prosecution stemming from\nemployment and official acts.", "modified": "2025-12-20T06:00:23.758000", "created": "2025-11-01T09:34:07.323000", "tags": [ "public tlp", "trojandropper", "other", "references add", "show", "provide", "remote", "t1457", "media content", "t1480", "subvert trust", "controls t1562", "modify tools", "command history", "ck t1027", "t1057", "discovery t1069", "t1071", "protocol t1105", "tool transfer", "t1113", "logging t1568", "t1574", "execution flow", "dll sideloading", "t1583", "ta0003", "ck id", "america", "att", "t1045", "capture t1140", "ipv4", "active related", "contact", "adversary", "tam legal", "qshell", "colorado state", "ahmann special", "counsel", "download", "ahmann", "university", "history", "john marshall", "law school", "special counsel", "christopher ahmann", "defense", "url http", "create new", "pulse provide", "white", "adversary tags", "add tag", "groups add", "countries add", "country malware", "trojan", "script urls", "treece alfrey", "meta", "function", "for privacy", "germany unknown", "united", "script", "ip address", "creation date", "date", "tracker", "null", "window", "general full", "reverse dns", "server", "philadelphia", "asn8560", "ionosas", "ionos", "fasthosts", "media", "telecom", "apache", "main", "gtagtracker", "gatracker", "brian sabey", "hall render", "fastly error", "palantir", "special counsel", "gravity rat" ], "references": [ "Treece Alfrey Musat P.C. Attorneys at Law Christopher P. Ahmann | https://TamLegal.com", "https://urlscan.io/screenshots/e931bb02-80dc-46db-92f0-43d5afa258be.png", "https://www.pornhub.com/gifs/search?search=tsara+lynn+brashears+lesbian", "https://www.anyxxxtube.net/search-porn/tsara-brashears/", "http://45.159.189.105/bot/regex \u2022\u2019 Fake Pinterest \u2022https://pin.it/", "https://twitter.com/PORNO_SEXYBABES \u2022 girlsdoporn.com", "Tsara never knew defense attorney fought & closed her worker\u2019s compensation claim", "Traceback- Man with signal jammer/ deauther working around her today.", "Absolutely zero regard for the victims who facilitate your luxury lifestyle.", "Do you slap luxury cologne on your undeserving face paid for by money workers suffered for?", "You\u2019d kill to have someone else\u2019s lifestyle? May God take you out!", "This God smacked penguin ordered a settlement hearing with less than 24 hours notice for claimant.", "He began a smear campaign immediately and is directly linked to Hall Render and Palantir", "Doing any evil thing for mone does not compute for me.", "I\u2019ve looked through the settlement docs, injuries caused by Jeffrey Scott Reiner DPT omitted.", "He must be very scary like Peter Theil because every attorney took case then backed off.", "Patiently waiting to see what God is going to do to all of you. You take lives for $", "Stop! A woman was assaulted carved up, lived with a swollen brain , maltreatment , stalkers , hitmen?", "So you can order food at fine restaurants , go to the finest places and get the best seats? No. I am earnestly praying Jehovah Sabaoth takes your last breath from all of you with Yawehs mightiest angels leading the way with a changing of guard for every tattle you will lose", "On same block with HalkRender. Has close working relationship. All Palantir legal enities" ], "public": 1, "adversary": "", "targeted_countries": [], "malware_families": [ { "id": "Other", "display_name": "Other", "target": null }, { "id": "Win.Malware.Unsafe", "display_name": "Win.Malware.Unsafe", "target": null }, { "id": "Juko", "display_name": "Juko", "target": null }, { "id": "Expiro", "display_name": "Expiro", "target": null }, { "id": "Trojan:Win32/Generic", "display_name": "Trojan:Win32/Generic", "target": "/malware/Trojan:Win32/Generic" }, { "id": "Win.Malware.Qshell-9875653-0", "display_name": "Win.Malware.Qshell-9875653-0", "target": null }, { "id": "Trojan:Win32/Qshell", "display_name": "Trojan:Win32/Qshell", "target": "/malware/Trojan:Win32/Qshell" } ], "attack_ids": [ { "id": "T1027", "name": "Obfuscated Files or Information", "display_name": "T1027 - Obfuscated Files or Information" }, { "id": "T1045", "name": "Software Packing", "display_name": "T1045 - Software Packing" }, { "id": "T1057", "name": "Process Discovery", "display_name": "T1057 - Process Discovery" }, { "id": "T1069", "name": "Permission Groups Discovery", "display_name": "T1069 - Permission Groups Discovery" }, { "id": "T1071", "name": "Application Layer Protocol", "display_name": "T1071 - Application Layer Protocol" }, { "id": "T1105", "name": "Ingress Tool Transfer", "display_name": "T1105 - Ingress Tool Transfer" }, { "id": "T1113", "name": "Screen Capture", "display_name": "T1113 - Screen Capture" }, { "id": "T1140", "name": "Deobfuscate/Decode Files or Information", "display_name": "T1140 - Deobfuscate/Decode Files or Information" }, { "id": "T1197", "name": "BITS Jobs", "display_name": "T1197 - BITS Jobs" }, { "id": "T1210", "name": "Exploitation of Remote Services", "display_name": "T1210 - Exploitation of Remote Services" }, { "id": "T1457", "name": "Malicious Media Content", "display_name": "T1457 - Malicious Media Content" }, { "id": "T1480", "name": "Execution Guardrails", "display_name": "T1480 - Execution Guardrails" }, { "id": "T1553", "name": "Subvert Trust Controls", "display_name": "T1553 - Subvert Trust Controls" }, { "id": "T1562", "name": "Impair Defenses", "display_name": "T1562 - Impair Defenses" }, { "id": "T1568", "name": "Dynamic Resolution", "display_name": "T1568 - Dynamic Resolution" }, { "id": "T1574", "name": "Hijack Execution Flow", "display_name": "T1574 - Hijack Execution Flow" }, { "id": "T1583", "name": "Acquire Infrastructure", "display_name": "T1583 - Acquire Infrastructure" } ], "industries": [ "Legal", "Government", "Healthcare", "Technology", "Telecommunications" ], "TLP": "white", "cloned_from": null, "export_count": 6, "upvotes_count": 0, "downvotes_count": 0, "votes_count": 0, "locked": false, "pulse_source": "web", "validator_count": 0, "comment_count": 0, "follower_count": 0, "vote": 0, "author": { "username": "Q.Vashti", "id": "337942", "avatar_url": "https://otx.alienvault.com/assets/images/default-avatar.png", "is_subscribed": false, "is_following": false }, "indicator_type_counts": { "URL": 8332, "domain": 4819, "hostname": 2165, "FileHash-SHA256": 7369, "FileHash-MD5": 474, "FileHash-SHA1": 470, "CVE": 4, "email": 4 }, "indicator_count": 23637, "is_author": false, "is_subscribing": null, "subscriber_count": 139, "modified_text": "120 days ago ", "is_modified": true, "groups": [], "in_group": false, "threat_hunter_scannable": true, "threat_hunter_has_agents": 1, "related_indicator_type": "URL", "related_indicator_is_active": 1 }, { "id": "6906bd99cadbd4140014c6af", "name": "Espionage - Gravity RAT + | Legal entities are State owned. Attacking severely injured PT\u2019s SA victim.", "description": "Fastly CDN for Palantir (Verizon) unless updated. Very malicious IoC\u2019s found evaluating IoC\u2019 from Christopher Ahmann - TAM Legal link.\n- Made contact with victim several times.\n- Illegal contact made with attorneys considering representing Tsara. \n- https://unicef.se/assets/apple - link related to defraud Tsara to think she\u2019d violated Patriot Act warranting NSA , Palinter espionage.\n\nAhmann is named as special counsel but he , like Brian Sabey are \u2018ONLY\u2019 cyber attacking Tsara Brashears.\n\n- protecting Jeffrey Reimer DPT, multiple doctors, Concentra, blocked and denied care , hired a hitman/men and it would have. Even cheaper to pay her for the injuries she never sought compensation for due to aggressive attacks and threats.", "modified": "2025-12-02T01:05:30.331000", "created": "2025-11-02T02:10:33.546000", "tags": [ "ipv4", "active related", "trojandropper", "mtb jun", "lowfi", "trojan", "mtb jan", "fastly error", "please", "united", "ttl value", "get na", "total", "delete", "search", "yara detections", "sinkhole cookie", "value snkz", "write", "suspicious", "ransom", "malware", "Ransom.Win32.Birele.gsg Checkin", "AnubisNetworks Sinkhole Cookie Value Snkz", "Possible Compromised Host", "dynamicloader", "delete c", "default", "medium", "write c", "settingswpad", "intel", "ms windows", "users", "number", "title", "installer", "top source", "top destination", "source source", "port", "filehash", "av detections", "ids detections", "yara rule", "gravityrat", "detectvm", "x00 x00", "x00x00", "doviacmd", "rootjob", "getfiles", "updateserver", "ethernetid", "ids signatures", "exploits", "sid name", "malware cve", "dns query", "dnsbin demo", "data exfil", "exif data", "DNS Query for Webhook/HTTP Request Inspection Service (x .pipedr", "DNSBin Demo (requestbin .net) - Data Exfitration", "source port", "destination", "present sep", "script urls", "script script", "a domains", "script domains", "ip address", "meta", "present nov", "passive dns", "next associated", "domain add", "pe executable", "entries", "show", "msie", "windows nt", "wow64", "copy", "present jan", "present feb", "domain", "pulse pulses", "urls", "files", "tam legal", "christopher ahmann", "https://unicef.se/assets/apple", "treece alfrey", "hours ago", "information", "report spam", "ahmann colorado", "state", "special cousel", "created", "expiro", "capture" ], "references": [ "Fastly IP Block: 151.101.0.0/16 | Organizations like Palantir may use third-party services such as Fastly's CDN", "Fastly Error and Palantir blocked several times over the last few months.", "Denver ; ISP, Fastly, Inc. ; Organization, Fastly, Inc. ; Network, AS54113 Fastly, Inc. (VPN, CDN, DDOSM,)", "IP Region, Quebec. City ; Net Range, 151.101.0.0 - 151.101.255.255. CIDR ; Full Name, Fastly, Inc.", "Palantir quasi government client Ab/using Palantir subdomains , Fastly is CDN", "Yara: SUSP_ENV_Folder_Root_File_Jan23_1 %APPDATA%\\ewiuer2.exe SCRIPT", "Win.Trojan.Vundo-7170412-0\t#Lowfi:SuspiciousSectionName", "Link below used to defraud Tsara to think she\u2019d violated Patriot Act warranting NSA , Palinter espionage", "https://unicef.se/assets/apple" ], "public": 1, "adversary": "", "targeted_countries": [], "malware_families": [ { "id": "Trojan:Win32/Neconyd.A", "display_name": "Trojan:Win32/Neconyd.A", "target": "/malware/Trojan:Win32/Neconyd.A" }, { "id": "PWS:Win32/QQpass.FC", "display_name": "PWS:Win32/QQpass.FC", "target": "/malware/PWS:Win32/QQpass.FC" }, { "id": "Trojan:Win32/Zombie.A", "display_name": "Trojan:Win32/Zombie.A", "target": "/malware/Trojan:Win32/Zombie.A" }, { "id": "Win.Malware.Urelas-9863836-0", "display_name": "Win.Malware.Urelas-9863836-0", "target": null }, { "id": "ALF:HeraklezEval:Trojan:MSIL/Gravityrat!rfn", "display_name": "ALF:HeraklezEval:Trojan:MSIL/Gravityrat!rfn", "target": null }, { "id": "Win.Trojan.Vundo-7170412-0", "display_name": "Win.Trojan.Vundo-7170412-0", "target": null }, { "id": "#Lowfi:SuspiciousSectionName", "display_name": "#Lowfi:SuspiciousSectionName", "target": null }, { "id": "Multiple Malware\u2019s , Trojans and Rats", "display_name": "Multiple Malware\u2019s , Trojans and Rats", "target": null } ], "attack_ids": [ { "id": "T1060", "name": "Registry Run Keys / Startup Folder", "display_name": "T1060 - Registry Run Keys / Startup Folder" }, { "id": "T1119", "name": "Automated Collection", "display_name": "T1119 - Automated Collection" }, { "id": "T1059.002", "name": "AppleScript", "display_name": "T1059.002 - AppleScript" }, { "id": "T1027", "name": "Obfuscated Files or Information", "display_name": "T1027 - Obfuscated Files or Information" }, { "id": "T1045", "name": "Software Packing", "display_name": "T1045 - Software Packing" }, { "id": "T1057", "name": "Process Discovery", "display_name": "T1057 - Process Discovery" }, { "id": "T1069", "name": "Permission Groups Discovery", "display_name": "T1069 - Permission Groups Discovery" }, { "id": "T1071", "name": "Application Layer Protocol", "display_name": "T1071 - Application Layer Protocol" }, { "id": "T1105", "name": "Ingress Tool Transfer", "display_name": "T1105 - Ingress Tool Transfer" }, { "id": "T1113", "name": "Screen Capture", "display_name": "T1113 - Screen Capture" }, { "id": "T1140", "name": "Deobfuscate/Decode Files or Information", "display_name": "T1140 - Deobfuscate/Decode Files or Information" }, { "id": "T1197", "name": "BITS Jobs", "display_name": "T1197 - BITS Jobs" }, { "id": "T1210", "name": "Exploitation of Remote Services", "display_name": "T1210 - Exploitation of Remote Services" }, { "id": "T1457", "name": "Malicious Media Content", "display_name": "T1457 - Malicious Media Content" }, { "id": "T1480", "name": "Execution Guardrails", "display_name": "T1480 - Execution Guardrails" }, { "id": "T1553", "name": "Subvert Trust Controls", "display_name": "T1553 - Subvert Trust Controls" }, { "id": "T1562", "name": "Impair Defenses", "display_name": "T1562 - Impair Defenses" }, { "id": "T1568", "name": "Dynamic Resolution", "display_name": "T1568 - Dynamic Resolution" }, { "id": "T1574", "name": "Hijack Execution Flow", "display_name": "T1574 - Hijack Execution Flow" }, { "id": "T1583", "name": "Acquire Infrastructure", "display_name": "T1583 - Acquire Infrastructure" } ], "industries": [], "TLP": "white", "cloned_from": null, "export_count": 18, "upvotes_count": 0, "downvotes_count": 0, "votes_count": 0, "locked": false, "pulse_source": "web", "validator_count": 0, "comment_count": 0, "follower_count": 0, "vote": 0, "author": { "username": "Q.Vashti", "id": "337942", "avatar_url": "https://otx.alienvault.com/assets/images/default-avatar.png", "is_subscribed": false, "is_following": false }, "indicator_type_counts": { "FileHash-SHA256": 909, "domain": 449, "hostname": 1403, "URL": 3552, "CIDR": 1, "FileHash-MD5": 242, "FileHash-SHA1": 185, "email": 1 }, "indicator_count": 6742, "is_author": false, "is_subscribing": null, "subscriber_count": 137, "modified_text": "138 days ago ", "is_modified": true, "groups": [], "in_group": false, "threat_hunter_scannable": true, "threat_hunter_has_agents": 1, "related_indicator_type": "URL", "related_indicator_is_active": 1 }, { "id": "6906c12b1dd6a64ab1beaa55", "name": "SpyNoon \u2022Chris P. Ahmann Colorado State \u2022 Tam Legal Special Cousel for egregious", "description": "", "modified": "2025-12-01T09:02:26.881000", "created": "2025-11-02T02:25:47.431000", "tags": [ "public tlp", "trojandropper", "other", "references add", "show", "provide", "remote", "t1457", "media content", "t1480", "subvert trust", "controls t1562", "modify tools", "command history", "ck t1027", "t1057", "discovery t1069", "t1071", "protocol t1105", "tool transfer", "t1113", "logging t1568", "t1574", "execution flow", "dll sideloading", "t1583", "ta0003", "ck id", "america", "att", "t1045", "capture t1140", "ipv4", "active related", "contact", "adversary", "tam legal", "qshell", "colorado state", "ahmann special", "counsel", "download", "ahmann", "university", "history", "john marshall", "law school", "special counsel", "christopher ahmann", "defense", "url http", "create new", "pulse provide", "white", "adversary tags", "add tag", "groups add", "countries add", "country malware", "trojan", "script urls", "treece alfrey", "meta", "function", "for privacy", "germany unknown", "united", "script", "ip address", "creation date", "date", "tracker", "null", "window", "general full", "reverse dns", "server", "philadelphia", "asn8560", "ionosas", "ionos", "fasthosts", "media", "telecom", "apache", "main", "gtagtracker", "gatracker", "brian sabey", "hall render", "fastly error", "palantir", "special counsel", "gravity rat" ], "references": [ "Treece Alfrey Musat P.C. Attorneys at Law Christopher P. Ahmann | https://TamLegal.com", "https://urlscan.io/screenshots/e931bb02-80dc-46db-92f0-43d5afa258be.png", "https://www.pornhub.com/gifs/search?search=tsara+lynn+brashears+lesbian", "https://www.anyxxxtube.net/search-porn/tsara-brashears/", "http://45.159.189.105/bot/regex \u2022\u2019 Fake Pinterest \u2022https://pin.it/", "https://twitter.com/PORNO_SEXYBABES \u2022 girlsdoporn.com", "Tsara never knew defense attorney fought & closed her worker\u2019s compensation claim", "Traceback- Man with signal jammer/ deauther working around her today.", "Absolutely zero regard for the victims who facilitate your luxury lifestyle.", "Do you slap luxury cologne on your undeserving face paid for by money workers suffered for?", "You\u2019d kill to have someone else\u2019s lifestyle? May God take you out!", "This God smacked penguin ordered a settlement hearing with less than 24 hours notice for claimant.", "He began a smear campaign immediately and is directly linked to Hall Render and Palantir", "Doing any evil thing for mone does not compute for me.", "I\u2019ve looked through the settlement docs, injuries caused by Jeffrey Scott Reiner DPT omitted.", "He must be very scary like Peter Theil because every attorney took case then backed off.", "Patiently waiting to see what God is going to do to all of you. You take lives for $", "Stop! A woman was assaulted carved up, lived with a swollen brain , maltreatment , stalkers , hitmen?", "So you can order food at fine restaurants , go to the finest places and get the best seats? No. I am earnestly praying Jehovah Sabaoth takes your last breath from all of you with Yawehs mightiest angels leading the way with a changing of guard for every tattle you will lose", "On same block with HalkRender. Has close working relationship. All Palantir legal enities" ], "public": 1, "adversary": "", "targeted_countries": [], "malware_families": [ { "id": "Other", "display_name": "Other", "target": null }, { "id": "Win.Malware.Unsafe", "display_name": "Win.Malware.Unsafe", "target": null }, { "id": "Juko", "display_name": "Juko", "target": null }, { "id": "Expiro", "display_name": "Expiro", "target": null }, { "id": "Trojan:Win32/Generic", "display_name": "Trojan:Win32/Generic", "target": "/malware/Trojan:Win32/Generic" }, { "id": "Win.Malware.Qshell-9875653-0", "display_name": "Win.Malware.Qshell-9875653-0", "target": null }, { "id": "Trojan:Win32/Qshell", "display_name": "Trojan:Win32/Qshell", "target": "/malware/Trojan:Win32/Qshell" } ], "attack_ids": [ { "id": "T1027", "name": "Obfuscated Files or Information", "display_name": "T1027 - Obfuscated Files or Information" }, { "id": "T1045", "name": "Software Packing", "display_name": "T1045 - Software Packing" }, { "id": "T1057", "name": "Process Discovery", "display_name": "T1057 - Process Discovery" }, { "id": "T1069", "name": "Permission Groups Discovery", "display_name": "T1069 - Permission Groups Discovery" }, { "id": "T1071", "name": "Application Layer Protocol", "display_name": "T1071 - Application Layer Protocol" }, { "id": "T1105", "name": "Ingress Tool Transfer", "display_name": "T1105 - Ingress Tool Transfer" }, { "id": "T1113", "name": "Screen Capture", "display_name": "T1113 - Screen Capture" }, { "id": "T1140", "name": "Deobfuscate/Decode Files or Information", "display_name": "T1140 - Deobfuscate/Decode Files or Information" }, { "id": "T1197", "name": "BITS Jobs", "display_name": "T1197 - BITS Jobs" }, { "id": "T1210", "name": "Exploitation of Remote Services", "display_name": "T1210 - Exploitation of Remote Services" }, { "id": "T1457", "name": "Malicious Media Content", "display_name": "T1457 - Malicious Media Content" }, { "id": "T1480", "name": "Execution Guardrails", "display_name": "T1480 - Execution Guardrails" }, { "id": "T1553", "name": "Subvert Trust Controls", "display_name": "T1553 - Subvert Trust Controls" }, { "id": "T1562", "name": "Impair Defenses", "display_name": "T1562 - Impair Defenses" }, { "id": "T1568", "name": "Dynamic Resolution", "display_name": "T1568 - Dynamic Resolution" }, { "id": "T1574", "name": "Hijack Execution Flow", "display_name": "T1574 - Hijack Execution Flow" }, { "id": "T1583", "name": "Acquire Infrastructure", "display_name": "T1583 - Acquire Infrastructure" } ], "industries": [ "Legal", "Government", "Healthcare", "Technology", "Telecommunications" ], "TLP": "white", "cloned_from": "6905d40f781d7d58d4021a20", "export_count": 11, "upvotes_count": 0, "downvotes_count": 0, "votes_count": 0, "locked": false, "pulse_source": "web", "validator_count": 0, "comment_count": 0, "follower_count": 0, "vote": 0, "author": { "username": "Q.Vashti", "id": "337942", "avatar_url": "https://otx.alienvault.com/assets/images/default-avatar.png", "is_subscribed": false, "is_following": false }, "indicator_type_counts": { "URL": 7556, "domain": 4779, "hostname": 2053, "FileHash-SHA256": 7233, "FileHash-MD5": 474, "FileHash-SHA1": 470, "CVE": 4, "email": 4 }, "indicator_count": 22573, "is_author": false, "is_subscribing": null, "subscriber_count": 138, "modified_text": "139 days ago ", "is_modified": true, "groups": [], "in_group": false, "threat_hunter_scannable": true, "threat_hunter_has_agents": 1, "related_indicator_type": "URL", "related_indicator_is_active": 1 }, { "id": "69137ee5d76d486d65396af0", "name": "Chris P. Ahmann Colorado State \u2022 Tam Legal Special Cousel for egregious acts committed by Jeffrey S. Reimer DPT \u2022 Treece Alfrey Musat P.C., ", "description": "", "modified": "2025-12-01T09:02:26.881000", "created": "2025-11-11T18:22:29.976000", "tags": [ "public tlp", "trojandropper", "other", "references add", "show", "provide", "remote", "t1457", "media content", "t1480", "subvert trust", "controls t1562", "modify tools", "command history", "ck t1027", "t1057", "discovery t1069", "t1071", "protocol t1105", "tool transfer", "t1113", "logging t1568", "t1574", "execution flow", "dll sideloading", "t1583", "ta0003", "ck id", "america", "att", "t1045", "capture t1140", "ipv4", "active related", "contact", "adversary", "tam legal", "qshell", "colorado state", "ahmann special", "counsel", "download", "ahmann", "university", "history", "john marshall", "law school", "special counsel", "christopher ahmann", "defense", "url http", "create new", "pulse provide", "white", "adversary tags", "add tag", "groups add", "countries add", "country malware", "trojan", "script urls", "treece alfrey", "meta", "function", "for privacy", "germany unknown", "united", "script", "ip address", "creation date", "date", "tracker", "null", "window", "general full", "reverse dns", "server", "philadelphia", "asn8560", "ionosas", "ionos", "fasthosts", "media", "telecom", "apache", "main", "gtagtracker", "gatracker", "brian sabey", "hall render", "fastly error", "palantir", "special counsel", "gravity rat" ], "references": [ "Treece Alfrey Musat P.C. Attorneys at Law Christopher P. Ahmann | https://TamLegal.com", "https://urlscan.io/screenshots/e931bb02-80dc-46db-92f0-43d5afa258be.png", "https://www.pornhub.com/gifs/search?search=tsara+lynn+brashears+lesbian", "https://www.anyxxxtube.net/search-porn/tsara-brashears/", "http://45.159.189.105/bot/regex \u2022\u2019 Fake Pinterest \u2022https://pin.it/", "https://twitter.com/PORNO_SEXYBABES \u2022 girlsdoporn.com", "Tsara never knew defense attorney fought & closed her worker\u2019s compensation claim", "Traceback- Man with signal jammer/ deauther working around her today.", "Absolutely zero regard for the victims who facilitate your luxury lifestyle.", "Do you slap luxury cologne on your undeserving face paid for by money workers suffered for?", "You\u2019d kill to have someone else\u2019s lifestyle? May God take you out!", "This God smacked penguin ordered a settlement hearing with less than 24 hours notice for claimant.", "He began a smear campaign immediately and is directly linked to Hall Render and Palantir", "Doing any evil thing for mone does not compute for me.", "I\u2019ve looked through the settlement docs, injuries caused by Jeffrey Scott Reiner DPT omitted.", "He must be very scary like Peter Theil because every attorney took case then backed off.", "Patiently waiting to see what God is going to do to all of you. You take lives for $", "Stop! A woman was assaulted carved up, lived with a swollen brain , maltreatment , stalkers , hitmen?", "So you can order food at fine restaurants , go to the finest places and get the best seats? No. I am earnestly praying Jehovah Sabaoth takes your last breath from all of you with Yawehs mightiest angels leading the way with a changing of guard for every tattle you will lose", "On same block with HalkRender. Has close working relationship. All Palantir legal enities" ], "public": 1, "adversary": "", "targeted_countries": [], "malware_families": [ { "id": "Other", "display_name": "Other", "target": null }, { "id": "Win.Malware.Unsafe", "display_name": "Win.Malware.Unsafe", "target": null }, { "id": "Juko", "display_name": "Juko", "target": null }, { "id": "Expiro", "display_name": "Expiro", "target": null }, { "id": "Trojan:Win32/Generic", "display_name": "Trojan:Win32/Generic", "target": "/malware/Trojan:Win32/Generic" }, { "id": "Win.Malware.Qshell-9875653-0", "display_name": "Win.Malware.Qshell-9875653-0", "target": null }, { "id": "Trojan:Win32/Qshell", "display_name": "Trojan:Win32/Qshell", "target": "/malware/Trojan:Win32/Qshell" } ], "attack_ids": [ { "id": "T1027", "name": "Obfuscated Files or Information", "display_name": "T1027 - Obfuscated Files or Information" }, { "id": "T1045", "name": "Software Packing", "display_name": "T1045 - Software Packing" }, { "id": "T1057", "name": "Process Discovery", "display_name": "T1057 - Process Discovery" }, { "id": "T1069", "name": "Permission Groups Discovery", "display_name": "T1069 - Permission Groups Discovery" }, { "id": "T1071", "name": "Application Layer Protocol", "display_name": "T1071 - Application Layer Protocol" }, { "id": "T1105", "name": "Ingress Tool Transfer", "display_name": "T1105 - Ingress Tool Transfer" }, { "id": "T1113", "name": "Screen Capture", "display_name": "T1113 - Screen Capture" }, { "id": "T1140", "name": "Deobfuscate/Decode Files or Information", "display_name": "T1140 - Deobfuscate/Decode Files or Information" }, { "id": "T1197", "name": "BITS Jobs", "display_name": "T1197 - BITS Jobs" }, { "id": "T1210", "name": "Exploitation of Remote Services", "display_name": "T1210 - Exploitation of Remote Services" }, { "id": "T1457", "name": "Malicious Media Content", "display_name": "T1457 - Malicious Media Content" }, { "id": "T1480", "name": "Execution Guardrails", "display_name": "T1480 - Execution Guardrails" }, { "id": "T1553", "name": "Subvert Trust Controls", "display_name": "T1553 - Subvert Trust Controls" }, { "id": "T1562", "name": "Impair Defenses", "display_name": "T1562 - Impair Defenses" }, { "id": "T1568", "name": "Dynamic Resolution", "display_name": "T1568 - Dynamic Resolution" }, { "id": "T1574", "name": "Hijack Execution Flow", "display_name": "T1574 - Hijack Execution Flow" }, { "id": "T1583", "name": "Acquire Infrastructure", "display_name": "T1583 - Acquire Infrastructure" } ], "industries": [ "Legal", "Government", "Healthcare", "Technology", "Telecommunications" ], "TLP": "white", "cloned_from": "6905d40f781d7d58d4021a20", "export_count": 3, "upvotes_count": 0, "downvotes_count": 0, "votes_count": 0, "locked": false, "pulse_source": "web", "validator_count": 0, "comment_count": 0, "follower_count": 0, "vote": 0, "author": { "username": "Q.Vashti", "id": "337942", "avatar_url": "https://otx.alienvault.com/assets/images/default-avatar.png", "is_subscribed": false, "is_following": false }, "indicator_type_counts": { "URL": 7556, "domain": 4779, "hostname": 2053, "FileHash-SHA256": 7233, "FileHash-MD5": 474, "FileHash-SHA1": 470, "CVE": 4, "email": 4 }, "indicator_count": 22573, "is_author": false, "is_subscribing": null, "subscriber_count": 140, "modified_text": "139 days ago ", "is_modified": true, "groups": [], "in_group": false, "threat_hunter_scannable": true, "threat_hunter_has_agents": 1, "related_indicator_type": "URL", "related_indicator_is_active": 1 }, { "id": "687d74d0266b4805d1dfa9d2", "name": "Top Tier Spyware | There\u2019s a reason billionaires retreated to their bunkers. This is terrible.", "description": "Nothing seems real.", "modified": "2025-08-19T22:03:32.365000", "created": "2025-07-20T22:59:28.332000", "tags": [], "references": [], "public": 1, "adversary": "", "targeted_countries": [], "malware_families": [], "attack_ids": [], "industries": [], "TLP": "green", "cloned_from": null, "export_count": 18, "upvotes_count": 0, "downvotes_count": 0, "votes_count": 0, "locked": false, "pulse_source": "web", "validator_count": 0, "comment_count": 0, "follower_count": 0, "vote": 0, "author": { "username": "Q.Vashti", "id": "337942", "avatar_url": "https://otx.alienvault.com/assets/images/default-avatar.png", "is_subscribed": false, "is_following": false }, "indicator_type_counts": { "FileHash-MD5": 3, "FileHash-SHA1": 3, "FileHash-SHA256": 1062, "domain": 1521, "hostname": 3005, "URL": 11045 }, "indicator_count": 16639, "is_author": false, "is_subscribing": null, "subscriber_count": 140, "modified_text": "242 days ago ", "is_modified": true, "groups": [], "in_group": false, "threat_hunter_scannable": true, "threat_hunter_has_agents": 1, "related_indicator_type": "URL", "related_indicator_is_active": 1 } ], "references": [ "IP Region, Quebec. City ; Net Range, 151.101.0.0 - 151.101.255.255. CIDR ; Full Name, Fastly, Inc.", "Traceback- Man with signal jammer/ deauther working around her today.", "Link below used to defraud Tsara to think she\u2019d violated Patriot Act warranting NSA , Palinter espionage", "http://45.159.189.105/bot/regex \u2022\u2019 Fake Pinterest \u2022https://pin.it/", "Doing any evil thing for mone does not compute for me.", "L\u00b0\u00b0k @ You, okay Chris\u2026abgubdf.apple.cloudns.biz \u2022 cloudns.biz \u2022 https://abgubdf.apple.cloudns", "External Apple Connection: Notepad.pw", "http://www.mohurd.gov.cn.lxcvc.com/", "http://www.mof.gov.cn.lxcvc.com/ \u2022 https://r//www.csrc.gov.cn.lxcvc.com/", "Stop! A woman was assaulted carved up, lived with a swollen brain , maltreatment , stalkers , hitmen?", "https://urlscan.io/screenshots/e931bb02-80dc-46db-92f0-43d5afa258be.png", "https://www.anyxxxtube.net/search-porn/tsara-brashears/", "You\u2019d kill to have someone else\u2019s lifestyle? May God take you out!", "http://mp7tf.best-cell-phone-plans-for-seniors.cfd/", "So you can order food at fine restaurants , go to the finest places and get the best seats? No. I am earnestly praying Jehovah Sabaoth takes your last breath from all of you with Yawehs mightiest angels leading the way with a changing of guard for every tattle you will lose", "Win.Trojan.Vundo-7170412-0\t#Lowfi:SuspiciousSectionName", "Fastly Error and Palantir blocked several times over the last few months.", "Tsara never knew defense attorney fought & closed her worker\u2019s compensation claim", "www.endgame.com/blog/technical-blog/ten-process-injection-techniques-technical-survey-common-and-trending-process\t h", "On same block with HalkRender. Has close working relationship. All Palantir legal enities", "https://twitter.com/PORNO_SEXYBABES \u2022 girlsdoporn.com", "Do you slap luxury cologne on your undeserving face paid for by money workers suffered for?", "Patiently waiting to see what God is going to do to all of you. You take lives for $", "Sex Tools: m.pornsexer.xxx.3.1.adiosfil.roksit.net |", "0.0.iphone.8dyf8rf5k3.fr.mobiletrend.rtl2.adsenseformobileapps.com", "He began a smear campaign immediately and is directly linked to Hall Render and Palantir", "takedown-communication-api.prod-c15a-awsuse.ppops.net", "Denver ; ISP, Fastly, Inc. ; Organization, Fastly, Inc. ; Network, AS54113 Fastly, Inc. (VPN, CDN, DDOSM,)", "Palantir quasi government client Ab/using Palantir subdomains , Fastly is CDN", "I\u2019ve looked through the settlement docs, injuries caused by Jeffrey Scott Reiner DPT omitted.", "sipphone.com", "config.uca.cloud.unity3d.com", "This God smacked penguin ordered a settlement hearing with less than 24 hours notice for claimant.", "https://www.pornhub.com/gifs/search?search=tsara+lynn+brashears+lesbian", "Fastly IP Block: 151.101.0.0/16 | Organizations like Palantir may use third-party services such as Fastly's CDN", "uk5seki2ygz3kyfgliqe37477miq6jsf.nlsexolehxry4opotgpq", "Yara: SUSP_ENV_Folder_Root_File_Jan23_1 %APPDATA%\\ewiuer2.exe SCRIPT", "Treece Alfrey Musat P.C. Attorneys at Law Christopher P. Ahmann | https://TamLegal.com", "https://unicef.se/assets/apple", "He must be very scary like Peter Theil because every attorney took case then backed off.", "Absolutely zero regard for the victims who facilitate your luxury lifestyle." ], "related": { "alienvault": { "adversary": [], "malware_families": [], "industries": [], "unique_indicators": 0 }, "other": { "adversary": [ "TAM Legal Christopher P. Ahmann Chief Terrorist" ], "malware_families": [ "Worn:win32/autorun.xxy!bit", "Custom malware", "Win.trojan.vundo-7170412-0", "Trojan:win32/zombie.a", "Other", "Trojan:win32/neconyd.a", "Expiro", "Pws:win32/qqpass.fc", "Multiple malware\u2019s , trojans and rats", "Win.malware.unsafe", "#lowfi:suspicioussectionname", "Win.malware.004bf-6866449-0", "Juko", "Trojan:win32/generic", "Trojan:win32/qshell", "Alf:heraklezeval:trojan:msil/gravityrat!rfn", "Win.malware.qshell-9875653-0", "Win.malware.urelas-9863836-0" ], "industries": [ "Legal", "Telecommunications", "Government", "Healthcare", "Technology" ], "unique_indicators": 52209 } } }, "false_positive": [], "alexa": "http://www.alexa.com/siteinfo/mooseintl.org", "whois": "http://whois.domaintools.com/mooseintl.org", "domain": "mooseintl.org", "hostname": "secure.mooseintl.org" }, "geo": {}, "geo_ipapicom": {}, "pulse_count": 8, "pulses": [ { "id": "69a3c685d4b7c139ffe62930", "name": "Clone Pulse Reference", "description": "", "modified": "2026-04-01T00:44:45.494000", "created": "2026-03-01T04:54:29.384000", "tags": [ "ipv4", "active related", "trojandropper", "mtb jun", "lowfi", "trojan", "mtb jan", "fastly error", "please", "united", "ttl value", "get na", "total", "delete", "search", "yara detections", "sinkhole cookie", "value snkz", "write", "suspicious", "ransom", "malware", "Ransom.Win32.Birele.gsg Checkin", "AnubisNetworks Sinkhole Cookie Value Snkz", "Possible Compromised Host", "dynamicloader", "delete c", "default", "medium", "write c", "settingswpad", "intel", "ms windows", "users", "number", "title", "installer", "top source", "top destination", "source source", "port", "filehash", "av detections", "ids detections", "yara rule", "gravityrat", "detectvm", "x00 x00", "x00x00", "doviacmd", "rootjob", "getfiles", "updateserver", "ethernetid", "ids signatures", "exploits", "sid name", "malware cve", "dns query", "dnsbin demo", "data exfil", "exif data", "DNS Query for Webhook/HTTP Request Inspection Service (x .pipedr", "DNSBin Demo (requestbin .net) - Data Exfitration", "source port", "destination", "present sep", "script urls", "script script", "a domains", "script domains", "ip address", "meta", "present nov", "passive dns", "next associated", "domain add", "pe executable", "entries", "show", "msie", "windows nt", "wow64", "copy", "present jan", "present feb", "domain", "pulse pulses", "urls", "files", "tam legal", "christopher ahmann", "https://unicef.se/assets/apple", "treece alfrey", "hours ago", "information", "report spam", "ahmann colorado", "state", "special cousel", "created", "expiro", "capture" ], "references": [ "Fastly IP Block: 151.101.0.0/16 | Organizations like Palantir may use third-party services such as Fastly's CDN", "Fastly Error and Palantir blocked several times over the last few months.", "Denver ; ISP, Fastly, Inc. ; Organization, Fastly, Inc. ; Network, AS54113 Fastly, Inc. (VPN, CDN, DDOSM,)", "IP Region, Quebec. City ; Net Range, 151.101.0.0 - 151.101.255.255. CIDR ; Full Name, Fastly, Inc.", "Palantir quasi government client Ab/using Palantir subdomains , Fastly is CDN", "Yara: SUSP_ENV_Folder_Root_File_Jan23_1 %APPDATA%\\ewiuer2.exe SCRIPT", "Win.Trojan.Vundo-7170412-0\t#Lowfi:SuspiciousSectionName", "Link below used to defraud Tsara to think she\u2019d violated Patriot Act warranting NSA , Palinter espionage", "https://unicef.se/assets/apple" ], "public": 1, "adversary": "", "targeted_countries": [], "malware_families": [ { "id": "Trojan:Win32/Neconyd.A", "display_name": "Trojan:Win32/Neconyd.A", "target": "/malware/Trojan:Win32/Neconyd.A" }, { "id": "PWS:Win32/QQpass.FC", "display_name": "PWS:Win32/QQpass.FC", "target": "/malware/PWS:Win32/QQpass.FC" }, { "id": "Trojan:Win32/Zombie.A", "display_name": "Trojan:Win32/Zombie.A", "target": "/malware/Trojan:Win32/Zombie.A" }, { "id": "Win.Malware.Urelas-9863836-0", "display_name": "Win.Malware.Urelas-9863836-0", "target": null }, { "id": "ALF:HeraklezEval:Trojan:MSIL/Gravityrat!rfn", "display_name": "ALF:HeraklezEval:Trojan:MSIL/Gravityrat!rfn", "target": null }, { "id": "Win.Trojan.Vundo-7170412-0", "display_name": "Win.Trojan.Vundo-7170412-0", "target": null }, { "id": "#Lowfi:SuspiciousSectionName", "display_name": "#Lowfi:SuspiciousSectionName", "target": null }, { "id": "Multiple Malware\u2019s , Trojans and Rats", "display_name": "Multiple Malware\u2019s , Trojans and Rats", "target": null } ], "attack_ids": [ { "id": "T1060", "name": "Registry Run Keys / Startup Folder", "display_name": "T1060 - Registry Run Keys / Startup Folder" }, { "id": "T1119", "name": "Automated Collection", "display_name": "T1119 - Automated Collection" }, { "id": "T1059.002", "name": "AppleScript", "display_name": "T1059.002 - AppleScript" }, { "id": "T1027", "name": "Obfuscated Files or Information", "display_name": "T1027 - Obfuscated Files or Information" }, { "id": "T1045", "name": "Software Packing", "display_name": "T1045 - Software Packing" }, { "id": "T1057", "name": "Process Discovery", "display_name": "T1057 - Process Discovery" }, { "id": "T1069", "name": "Permission Groups Discovery", "display_name": "T1069 - Permission Groups Discovery" }, { "id": "T1071", "name": "Application Layer Protocol", "display_name": "T1071 - Application Layer Protocol" }, { "id": "T1105", "name": "Ingress Tool Transfer", "display_name": "T1105 - Ingress Tool Transfer" }, { "id": "T1113", "name": "Screen Capture", "display_name": "T1113 - Screen Capture" }, { "id": "T1140", "name": "Deobfuscate/Decode Files or Information", "display_name": "T1140 - Deobfuscate/Decode Files or Information" }, { "id": "T1197", "name": "BITS Jobs", "display_name": "T1197 - BITS Jobs" }, { "id": "T1210", "name": "Exploitation of Remote Services", "display_name": "T1210 - Exploitation of Remote Services" }, { "id": "T1457", "name": "Malicious Media Content", "display_name": "T1457 - Malicious Media Content" }, { "id": "T1480", "name": "Execution Guardrails", "display_name": "T1480 - Execution Guardrails" }, { "id": "T1553", "name": "Subvert Trust Controls", "display_name": "T1553 - Subvert Trust Controls" }, { "id": "T1562", "name": "Impair Defenses", "display_name": "T1562 - Impair Defenses" }, { "id": "T1568", "name": "Dynamic Resolution", "display_name": "T1568 - Dynamic Resolution" }, { "id": "T1574", "name": "Hijack Execution Flow", "display_name": "T1574 - Hijack Execution Flow" }, { "id": "T1583", "name": "Acquire Infrastructure", "display_name": "T1583 - Acquire Infrastructure" } ], "industries": [], "TLP": "white", "cloned_from": "6906bd99cadbd4140014c6af", "export_count": 0, "upvotes_count": 0, "downvotes_count": 0, "votes_count": 0, "locked": false, "pulse_source": "web", "validator_count": 0, "comment_count": 0, "follower_count": 0, "vote": 0, "author": { "username": "msudosos", "id": "381696", "avatar_url": "https://otx.alienvault.com/assets/images/default-avatar.png", "is_subscribed": false, "is_following": false }, "indicator_type_counts": { "FileHash-SHA256": 909, "domain": 454, "hostname": 1404, "URL": 3557, "CIDR": 1, "FileHash-MD5": 242, "FileHash-SHA1": 185, "email": 1, "CVE": 1 }, "indicator_count": 6754, "is_author": false, "is_subscribing": null, "subscriber_count": 48, "modified_text": "18 days ago ", "is_modified": true, "groups": [], "in_group": false, "threat_hunter_scannable": true, "threat_hunter_has_agents": 1, "related_indicator_type": "URL", "related_indicator_is_active": 1 }, { "id": "6907cc66855b7dfe1306b0d8", "name": "Inject : Defense Counsel attaches to Apple Notebooks - Targeting", "description": "TAM Legal attacking Tsara Brashears and associated. Christopher P. Ahmann Esq Is the Special Counsel assigned to pester , smear, tamper with, terrorize, arrange murders, dispatch stalkers, deny care, swatting , botnets, attach to devices , deflect award for life ending injuries to you and your Mafia, choose malicious media companies (Hall Render) to smear Jeffrey Scott Reimers assault victim. This is silencing. Not everyone has someone to speak. Back off. You\u2019re sick. Enjoying that money, while Tsara slept on air mattress during a couch tour. Demyelinating, from denied disclosed of cord compression; like George Floyd. You should turn yourself in, write a HUGA check , shut down this criminal operation , find Jesus , self exit to a place out away from you targets , go to your bunker forever. You are a God Forsaken terrorist hitman! You\u2019re all SO sick!\nEnd Game Now.", "modified": "2026-01-01T07:03:18.851000", "created": "2025-11-02T21:25:58.814000", "tags": [ "present nov", "unknown aaaa", "ip address", "win32", "america asn", "twitter", "united states", "america", "ipv4", "united", "a domains", "443 ma86400", "super", "read c", "memcommit", "msie", "windows nt", "wow64", "slcc2", "media center", "tlsv1", "regsetvalueexa", "hack", "write", "february", "local", "unknown", "persistence", "execution", "xport", "kb body", "present aug", "present sep", "present oct", "for privacy", "false", "expirestue", "path", "p2404", "accept", "p11762282638", "host", "gmt range", "gmt ifnonematch", "p11762466264", "p11762417453", "nothing", "shutdown", "process32nextw", "langturkish", "sublangdefault", "regdword", "rtrcdata", "microsoft excel", "delphi", "worm", "malware", "error", "next", "format", "suspicious", "less see", "contacted", "all ip", "domains", "all related", "pulses otx", "related tags", "file type", "pexe", "christopher ahmann", "tam legal", "treece", "hacking", "highjacking", "modified", "quasi government", "ai google", "inject", "adversaries", "government", "insurance", "apple" ], "references": [ "External Apple Connection: Notepad.pw", "Sex Tools: m.pornsexer.xxx.3.1.adiosfil.roksit.net |", "www.endgame.com/blog/technical-blog/ten-process-injection-techniques-technical-survey-common-and-trending-process\t h", "takedown-communication-api.prod-c15a-awsuse.ppops.net", "L\u00b0\u00b0k @ You, okay Chris\u2026abgubdf.apple.cloudns.biz \u2022 cloudns.biz \u2022 https://abgubdf.apple.cloudns", "http://www.mof.gov.cn.lxcvc.com/ \u2022 https://r//www.csrc.gov.cn.lxcvc.com/", "http://www.mohurd.gov.cn.lxcvc.com/", "config.uca.cloud.unity3d.com", "0.0.iphone.8dyf8rf5k3.fr.mobiletrend.rtl2.adsenseformobileapps.com", "http://mp7tf.best-cell-phone-plans-for-seniors.cfd/", "sipphone.com", "uk5seki2ygz3kyfgliqe37477miq6jsf.nlsexolehxry4opotgpq" ], "public": 1, "adversary": "TAM Legal Christopher P. Ahmann Chief Terrorist", "targeted_countries": [], "malware_families": [ { "id": "Win.Malware.004bf-6866449-0", "display_name": "Win.Malware.004bf-6866449-0", "target": null }, { "id": "Custom Malware", "display_name": "Custom Malware", "target": null }, { "id": "Worn:Win32/AutoRun.XXY!bit", "display_name": "Worn:Win32/AutoRun.XXY!bit", "target": "/malware/Worn:Win32/AutoRun.XXY!bit" } ], "attack_ids": [ { "id": "T1040", "name": "Network Sniffing", "display_name": "T1040 - Network Sniffing" }, { "id": "T1045", "name": "Software Packing", "display_name": "T1045 - Software Packing" }, { "id": "T1047", "name": "Windows Management Instrumentation", "display_name": "T1047 - Windows Management Instrumentation" }, { "id": "T1053", "name": "Scheduled Task/Job", "display_name": "T1053 - Scheduled Task/Job" }, { "id": "T1055", "name": "Process Injection", "display_name": "T1055 - Process Injection" }, { "id": "T1071", "name": "Application Layer Protocol", "display_name": "T1071 - Application Layer Protocol" }, { "id": "T1082", "name": "System Information Discovery", "display_name": "T1082 - System Information Discovery" }, { "id": "T1129", "name": "Shared Modules", "display_name": "T1129 - Shared Modules" }, { "id": "T1457", "name": "Malicious Media Content", "display_name": "T1457 - Malicious Media Content" }, { "id": "T1031", "name": "Modify Existing Service", "display_name": "T1031 - Modify Existing Service" }, { "id": "T1210", "name": "Exploitation of Remote Services", "display_name": "T1210 - Exploitation of Remote Services" }, { "id": "T1112", "name": "Modify Registry", "display_name": "T1112 - Modify Registry" }, { "id": "T1068", "name": "Exploitation for Privilege Escalation", "display_name": "T1068 - Exploitation for Privilege Escalation" }, { "id": "T1094", "name": "Custom Command and Control Protocol", "display_name": "T1094 - Custom Command and Control Protocol" }, { "id": "TA0003", "name": "Persistence", "display_name": "TA0003 - Persistence" }, { "id": "T1055.001", "name": "Dynamic-link Library Injection", "display_name": "T1055.001 - Dynamic-link Library Injection" }, { "id": "T1147", "name": "Hidden Users", "display_name": "T1147 - Hidden Users" }, { "id": "T1155", "name": "AppleScript", "display_name": "T1155 - AppleScript" }, { "id": "T1057", "name": "Process Discovery", "display_name": "T1057 - Process Discovery" }, { "id": "T1060", "name": "Registry Run Keys / Startup Folder", "display_name": "T1060 - Registry Run Keys / Startup Folder" }, { "id": "T1415", "name": "URL Scheme Hijacking", "display_name": "T1415 - URL Scheme Hijacking" }, { "id": "T1184", "name": "SSH Hijacking", "display_name": "T1184 - SSH Hijacking" }, { "id": "T1122", "name": "Component Object Model Hijacking", "display_name": "T1122 - Component Object Model Hijacking" } ], "industries": [ "Legal", "Government", "Healthcare", "Technology", "Telecommunications" ], "TLP": "white", "cloned_from": null, "export_count": 7, "upvotes_count": 0, "downvotes_count": 0, "votes_count": 0, "locked": false, "pulse_source": "web", "validator_count": 0, "comment_count": 0, "follower_count": 0, "vote": 0, "author": { "username": "Q.Vashti", "id": "337942", "avatar_url": "https://otx.alienvault.com/assets/images/default-avatar.png", "is_subscribed": false, "is_following": false }, "indicator_type_counts": { "FileHash-SHA256": 2615, "URL": 7521, "hostname": 1775, "domain": 689, "FileHash-MD5": 448, "FileHash-SHA1": 295, "SSLCertFingerprint": 12, "email": 1 }, "indicator_count": 13356, "is_author": false, "is_subscribing": null, "subscriber_count": 137, "modified_text": "108 days ago ", "is_modified": true, "groups": [], "in_group": false, "threat_hunter_scannable": true, "threat_hunter_has_agents": 1, "related_indicator_type": "URL", "related_indicator_is_active": 1 }, { "id": "692e9b142a8508d5257d1662", "name": "Criminal Defender Chris Ahmann responsible for continued Apple hackathons removing IoC\u2019 l Targeting Tsara Brashears evidence of crime . Hit Man", "description": "", "modified": "2026-01-01T07:03:18.851000", "created": "2025-12-02T07:53:56.560000", "tags": [ "present nov", "unknown aaaa", "ip address", "win32", "america asn", "twitter", "united states", "america", "ipv4", "united", "a domains", "443 ma86400", "super", "read c", "memcommit", "msie", "windows nt", "wow64", "slcc2", "media center", "tlsv1", "regsetvalueexa", "hack", "write", "february", "local", "unknown", "persistence", "execution", "xport", "kb body", "present aug", "present sep", "present oct", "for privacy", "false", "expirestue", "path", "p2404", "accept", "p11762282638", "host", "gmt range", "gmt ifnonematch", "p11762466264", "p11762417453", "nothing", "shutdown", "process32nextw", "langturkish", "sublangdefault", "regdword", "rtrcdata", "microsoft excel", "delphi", "worm", "malware", "error", "next", "format", "suspicious", "less see", "contacted", "all ip", "domains", "all related", "pulses otx", "related tags", "file type", "pexe", "christopher ahmann", "tam legal", "treece", "hacking", "highjacking", "modified", "quasi government", "ai google", "inject", "adversaries", "government", "insurance", "apple" ], "references": [ "External Apple Connection: Notepad.pw", "Sex Tools: m.pornsexer.xxx.3.1.adiosfil.roksit.net |", "www.endgame.com/blog/technical-blog/ten-process-injection-techniques-technical-survey-common-and-trending-process\t h", "takedown-communication-api.prod-c15a-awsuse.ppops.net", "L\u00b0\u00b0k @ You, okay Chris\u2026abgubdf.apple.cloudns.biz \u2022 cloudns.biz \u2022 https://abgubdf.apple.cloudns", "http://www.mof.gov.cn.lxcvc.com/ \u2022 https://r//www.csrc.gov.cn.lxcvc.com/", "http://www.mohurd.gov.cn.lxcvc.com/", "config.uca.cloud.unity3d.com", "0.0.iphone.8dyf8rf5k3.fr.mobiletrend.rtl2.adsenseformobileapps.com", "http://mp7tf.best-cell-phone-plans-for-seniors.cfd/", "sipphone.com", "uk5seki2ygz3kyfgliqe37477miq6jsf.nlsexolehxry4opotgpq" ], "public": 1, "adversary": "TAM Legal Christopher P. Ahmann Chief Terrorist", "targeted_countries": [], "malware_families": [ { "id": "Win.Malware.004bf-6866449-0", "display_name": "Win.Malware.004bf-6866449-0", "target": null }, { "id": "Custom Malware", "display_name": "Custom Malware", "target": null }, { "id": "Worn:Win32/AutoRun.XXY!bit", "display_name": "Worn:Win32/AutoRun.XXY!bit", "target": "/malware/Worn:Win32/AutoRun.XXY!bit" } ], "attack_ids": [ { "id": "T1040", "name": "Network Sniffing", "display_name": "T1040 - Network Sniffing" }, { "id": "T1045", "name": "Software Packing", "display_name": "T1045 - Software Packing" }, { "id": "T1047", "name": "Windows Management Instrumentation", "display_name": "T1047 - Windows Management Instrumentation" }, { "id": "T1053", "name": "Scheduled Task/Job", "display_name": "T1053 - Scheduled Task/Job" }, { "id": "T1055", "name": "Process Injection", "display_name": "T1055 - Process Injection" }, { "id": "T1071", "name": "Application Layer Protocol", "display_name": "T1071 - Application Layer Protocol" }, { "id": "T1082", "name": "System Information Discovery", "display_name": "T1082 - System Information Discovery" }, { "id": "T1129", "name": "Shared Modules", "display_name": "T1129 - Shared Modules" }, { "id": "T1457", "name": "Malicious Media Content", "display_name": "T1457 - Malicious Media Content" }, { "id": "T1031", "name": "Modify Existing Service", "display_name": "T1031 - Modify Existing Service" }, { "id": "T1210", "name": "Exploitation of Remote Services", "display_name": "T1210 - Exploitation of Remote Services" }, { "id": "T1112", "name": "Modify Registry", "display_name": "T1112 - Modify Registry" }, { "id": "T1068", "name": "Exploitation for Privilege Escalation", "display_name": "T1068 - Exploitation for Privilege Escalation" }, { "id": "T1094", "name": "Custom Command and Control Protocol", "display_name": "T1094 - Custom Command and Control Protocol" }, { "id": "TA0003", "name": "Persistence", "display_name": "TA0003 - Persistence" }, { "id": "T1055.001", "name": "Dynamic-link Library Injection", "display_name": "T1055.001 - Dynamic-link Library Injection" }, { "id": "T1147", "name": "Hidden Users", "display_name": "T1147 - Hidden Users" }, { "id": "T1155", "name": "AppleScript", "display_name": "T1155 - AppleScript" }, { "id": "T1057", "name": "Process Discovery", "display_name": "T1057 - Process Discovery" }, { "id": "T1060", "name": "Registry Run Keys / Startup Folder", "display_name": "T1060 - Registry Run Keys / Startup Folder" }, { "id": "T1415", "name": "URL Scheme Hijacking", "display_name": "T1415 - URL Scheme Hijacking" }, { "id": "T1184", "name": "SSH Hijacking", "display_name": "T1184 - SSH Hijacking" }, { "id": "T1122", "name": "Component Object Model Hijacking", "display_name": "T1122 - Component Object Model Hijacking" } ], "industries": [ "Legal", "Government", "Healthcare", "Technology", "Telecommunications" ], "TLP": "white", "cloned_from": "6907cc66855b7dfe1306b0d8", "export_count": 11, "upvotes_count": 0, "downvotes_count": 0, "votes_count": 0, "locked": false, "pulse_source": "web", "validator_count": 0, "comment_count": 0, "follower_count": 0, "vote": 0, "author": { "username": "Q.Vashti", "id": "337942", "avatar_url": "https://otx.alienvault.com/assets/images/default-avatar.png", "is_subscribed": false, "is_following": false }, "indicator_type_counts": { "FileHash-SHA256": 2615, "URL": 7437, "hostname": 1765, "domain": 686, "FileHash-MD5": 448, "FileHash-SHA1": 295, "SSLCertFingerprint": 12, "email": 1 }, "indicator_count": 13259, "is_author": false, "is_subscribing": null, "subscriber_count": 137, "modified_text": "108 days ago ", "is_modified": true, "groups": [], "in_group": false, "threat_hunter_scannable": true, "threat_hunter_has_agents": 1, "related_indicator_type": "URL", "related_indicator_is_active": 1 }, { "id": "6905d40f781d7d58d4021a20", "name": "Treece Alfrey Musat P.C., Chris P. Ahmann Colorado State \u2022 Tam Legal Special Cousel for egregious acts by PT.", "description": "- with a primary focus on criminal defense. In both positions, he successfully defended his clients against claims running the gamut of the criminal justice system, from DUI\nand misdemeanors to felony indictments. In his criminal practice, Mr. Ahmann defends clients charged with both misdemeanor and felony cases. Mr. Ahmann continues his criminal practice as he believes that his clients deserve someone on their side to assure their voice is heard in the criminal process as well. He is dedicated to each of his clients and is always\nstriving for the best possible outcome in their individual cases. Mr. Ahmann also specializes in defense of employers in workers' compensation claims. He also assists TAM clients whose liability defense touches criminal prosecution, regularly providing effective criminal counsel in catastrophic injury common carrier matters, as well as criminal prosecution stemming from\nemployment and official acts.", "modified": "2025-12-20T06:00:23.758000", "created": "2025-11-01T09:34:07.323000", "tags": [ "public tlp", "trojandropper", "other", "references add", "show", "provide", "remote", "t1457", "media content", "t1480", "subvert trust", "controls t1562", "modify tools", "command history", "ck t1027", "t1057", "discovery t1069", "t1071", "protocol t1105", "tool transfer", "t1113", "logging t1568", "t1574", "execution flow", "dll sideloading", "t1583", "ta0003", "ck id", "america", "att", "t1045", "capture t1140", "ipv4", "active related", "contact", "adversary", "tam legal", "qshell", "colorado state", "ahmann special", "counsel", "download", "ahmann", "university", "history", "john marshall", "law school", "special counsel", "christopher ahmann", "defense", "url http", "create new", "pulse provide", "white", "adversary tags", "add tag", "groups add", "countries add", "country malware", "trojan", "script urls", "treece alfrey", "meta", "function", "for privacy", "germany unknown", "united", "script", "ip address", "creation date", "date", "tracker", "null", "window", "general full", "reverse dns", "server", "philadelphia", "asn8560", "ionosas", "ionos", "fasthosts", "media", "telecom", "apache", "main", "gtagtracker", "gatracker", "brian sabey", "hall render", "fastly error", "palantir", "special counsel", "gravity rat" ], "references": [ "Treece Alfrey Musat P.C. Attorneys at Law Christopher P. Ahmann | https://TamLegal.com", "https://urlscan.io/screenshots/e931bb02-80dc-46db-92f0-43d5afa258be.png", "https://www.pornhub.com/gifs/search?search=tsara+lynn+brashears+lesbian", "https://www.anyxxxtube.net/search-porn/tsara-brashears/", "http://45.159.189.105/bot/regex \u2022\u2019 Fake Pinterest \u2022https://pin.it/", "https://twitter.com/PORNO_SEXYBABES \u2022 girlsdoporn.com", "Tsara never knew defense attorney fought & closed her worker\u2019s compensation claim", "Traceback- Man with signal jammer/ deauther working around her today.", "Absolutely zero regard for the victims who facilitate your luxury lifestyle.", "Do you slap luxury cologne on your undeserving face paid for by money workers suffered for?", "You\u2019d kill to have someone else\u2019s lifestyle? May God take you out!", "This God smacked penguin ordered a settlement hearing with less than 24 hours notice for claimant.", "He began a smear campaign immediately and is directly linked to Hall Render and Palantir", "Doing any evil thing for mone does not compute for me.", "I\u2019ve looked through the settlement docs, injuries caused by Jeffrey Scott Reiner DPT omitted.", "He must be very scary like Peter Theil because every attorney took case then backed off.", "Patiently waiting to see what God is going to do to all of you. You take lives for $", "Stop! A woman was assaulted carved up, lived with a swollen brain , maltreatment , stalkers , hitmen?", "So you can order food at fine restaurants , go to the finest places and get the best seats? No. I am earnestly praying Jehovah Sabaoth takes your last breath from all of you with Yawehs mightiest angels leading the way with a changing of guard for every tattle you will lose", "On same block with HalkRender. Has close working relationship. All Palantir legal enities" ], "public": 1, "adversary": "", "targeted_countries": [], "malware_families": [ { "id": "Other", "display_name": "Other", "target": null }, { "id": "Win.Malware.Unsafe", "display_name": "Win.Malware.Unsafe", "target": null }, { "id": "Juko", "display_name": "Juko", "target": null }, { "id": "Expiro", "display_name": "Expiro", "target": null }, { "id": "Trojan:Win32/Generic", "display_name": "Trojan:Win32/Generic", "target": "/malware/Trojan:Win32/Generic" }, { "id": "Win.Malware.Qshell-9875653-0", "display_name": "Win.Malware.Qshell-9875653-0", "target": null }, { "id": "Trojan:Win32/Qshell", "display_name": "Trojan:Win32/Qshell", "target": "/malware/Trojan:Win32/Qshell" } ], "attack_ids": [ { "id": "T1027", "name": "Obfuscated Files or Information", "display_name": "T1027 - Obfuscated Files or Information" }, { "id": "T1045", "name": "Software Packing", "display_name": "T1045 - Software Packing" }, { "id": "T1057", "name": "Process Discovery", "display_name": "T1057 - Process Discovery" }, { "id": "T1069", "name": "Permission Groups Discovery", "display_name": "T1069 - Permission Groups Discovery" }, { "id": "T1071", "name": "Application Layer Protocol", "display_name": "T1071 - Application Layer Protocol" }, { "id": "T1105", "name": "Ingress Tool Transfer", "display_name": "T1105 - Ingress Tool Transfer" }, { "id": "T1113", "name": "Screen Capture", "display_name": "T1113 - Screen Capture" }, { "id": "T1140", "name": "Deobfuscate/Decode Files or Information", "display_name": "T1140 - Deobfuscate/Decode Files or Information" }, { "id": "T1197", "name": "BITS Jobs", "display_name": "T1197 - BITS Jobs" }, { "id": "T1210", "name": "Exploitation of Remote Services", "display_name": "T1210 - Exploitation of Remote Services" }, { "id": "T1457", "name": "Malicious Media Content", "display_name": "T1457 - Malicious Media Content" }, { "id": "T1480", "name": "Execution Guardrails", "display_name": "T1480 - Execution Guardrails" }, { "id": "T1553", "name": "Subvert Trust Controls", "display_name": "T1553 - Subvert Trust Controls" }, { "id": "T1562", "name": "Impair Defenses", "display_name": "T1562 - Impair Defenses" }, { "id": "T1568", "name": "Dynamic Resolution", "display_name": "T1568 - Dynamic Resolution" }, { "id": "T1574", "name": "Hijack Execution Flow", "display_name": "T1574 - Hijack Execution Flow" }, { "id": "T1583", "name": "Acquire Infrastructure", "display_name": "T1583 - Acquire Infrastructure" } ], "industries": [ "Legal", "Government", "Healthcare", "Technology", "Telecommunications" ], "TLP": "white", "cloned_from": null, "export_count": 6, "upvotes_count": 0, "downvotes_count": 0, "votes_count": 0, "locked": false, "pulse_source": "web", "validator_count": 0, "comment_count": 0, "follower_count": 0, "vote": 0, "author": { "username": "Q.Vashti", "id": "337942", "avatar_url": "https://otx.alienvault.com/assets/images/default-avatar.png", "is_subscribed": false, "is_following": false }, "indicator_type_counts": { "URL": 8332, "domain": 4819, "hostname": 2165, "FileHash-SHA256": 7369, "FileHash-MD5": 474, "FileHash-SHA1": 470, "CVE": 4, "email": 4 }, "indicator_count": 23637, "is_author": false, "is_subscribing": null, "subscriber_count": 139, "modified_text": "120 days ago ", "is_modified": true, "groups": [], "in_group": false, "threat_hunter_scannable": true, "threat_hunter_has_agents": 1, "related_indicator_type": "URL", "related_indicator_is_active": 1 }, { "id": "6906bd99cadbd4140014c6af", "name": "Espionage - Gravity RAT + | Legal entities are State owned. Attacking severely injured PT\u2019s SA victim.", "description": "Fastly CDN for Palantir (Verizon) unless updated. Very malicious IoC\u2019s found evaluating IoC\u2019 from Christopher Ahmann - TAM Legal link.\n- Made contact with victim several times.\n- Illegal contact made with attorneys considering representing Tsara. \n- https://unicef.se/assets/apple - link related to defraud Tsara to think she\u2019d violated Patriot Act warranting NSA , Palinter espionage.\n\nAhmann is named as special counsel but he , like Brian Sabey are \u2018ONLY\u2019 cyber attacking Tsara Brashears.\n\n- protecting Jeffrey Reimer DPT, multiple doctors, Concentra, blocked and denied care , hired a hitman/men and it would have. Even cheaper to pay her for the injuries she never sought compensation for due to aggressive attacks and threats.", "modified": "2025-12-02T01:05:30.331000", "created": "2025-11-02T02:10:33.546000", "tags": [ "ipv4", "active related", "trojandropper", "mtb jun", "lowfi", "trojan", "mtb jan", "fastly error", "please", "united", "ttl value", "get na", "total", "delete", "search", "yara detections", "sinkhole cookie", "value snkz", "write", "suspicious", "ransom", "malware", "Ransom.Win32.Birele.gsg Checkin", "AnubisNetworks Sinkhole Cookie Value Snkz", "Possible Compromised Host", "dynamicloader", "delete c", "default", "medium", "write c", "settingswpad", "intel", "ms windows", "users", "number", "title", "installer", "top source", "top destination", "source source", "port", "filehash", "av detections", "ids detections", "yara rule", "gravityrat", "detectvm", "x00 x00", "x00x00", "doviacmd", "rootjob", "getfiles", "updateserver", "ethernetid", "ids signatures", "exploits", "sid name", "malware cve", "dns query", "dnsbin demo", "data exfil", "exif data", "DNS Query for Webhook/HTTP Request Inspection Service (x .pipedr", "DNSBin Demo (requestbin .net) - Data Exfitration", "source port", "destination", "present sep", "script urls", "script script", "a domains", "script domains", "ip address", "meta", "present nov", "passive dns", "next associated", "domain add", "pe executable", "entries", "show", "msie", "windows nt", "wow64", "copy", "present jan", "present feb", "domain", "pulse pulses", "urls", "files", "tam legal", "christopher ahmann", "https://unicef.se/assets/apple", "treece alfrey", "hours ago", "information", "report spam", "ahmann colorado", "state", "special cousel", "created", "expiro", "capture" ], "references": [ "Fastly IP Block: 151.101.0.0/16 | Organizations like Palantir may use third-party services such as Fastly's CDN", "Fastly Error and Palantir blocked several times over the last few months.", "Denver ; ISP, Fastly, Inc. ; Organization, Fastly, Inc. ; Network, AS54113 Fastly, Inc. (VPN, CDN, DDOSM,)", "IP Region, Quebec. City ; Net Range, 151.101.0.0 - 151.101.255.255. CIDR ; Full Name, Fastly, Inc.", "Palantir quasi government client Ab/using Palantir subdomains , Fastly is CDN", "Yara: SUSP_ENV_Folder_Root_File_Jan23_1 %APPDATA%\\ewiuer2.exe SCRIPT", "Win.Trojan.Vundo-7170412-0\t#Lowfi:SuspiciousSectionName", "Link below used to defraud Tsara to think she\u2019d violated Patriot Act warranting NSA , Palinter espionage", "https://unicef.se/assets/apple" ], "public": 1, "adversary": "", "targeted_countries": [], "malware_families": [ { "id": "Trojan:Win32/Neconyd.A", "display_name": "Trojan:Win32/Neconyd.A", "target": "/malware/Trojan:Win32/Neconyd.A" }, { "id": "PWS:Win32/QQpass.FC", "display_name": "PWS:Win32/QQpass.FC", "target": "/malware/PWS:Win32/QQpass.FC" }, { "id": "Trojan:Win32/Zombie.A", "display_name": "Trojan:Win32/Zombie.A", "target": "/malware/Trojan:Win32/Zombie.A" }, { "id": "Win.Malware.Urelas-9863836-0", "display_name": "Win.Malware.Urelas-9863836-0", "target": null }, { "id": "ALF:HeraklezEval:Trojan:MSIL/Gravityrat!rfn", "display_name": "ALF:HeraklezEval:Trojan:MSIL/Gravityrat!rfn", "target": null }, { "id": "Win.Trojan.Vundo-7170412-0", "display_name": "Win.Trojan.Vundo-7170412-0", "target": null }, { "id": "#Lowfi:SuspiciousSectionName", "display_name": "#Lowfi:SuspiciousSectionName", "target": null }, { "id": "Multiple Malware\u2019s , Trojans and Rats", "display_name": "Multiple Malware\u2019s , Trojans and Rats", "target": null } ], "attack_ids": [ { "id": "T1060", "name": "Registry Run Keys / Startup Folder", "display_name": "T1060 - Registry Run Keys / Startup Folder" }, { "id": "T1119", "name": "Automated Collection", "display_name": "T1119 - Automated Collection" }, { "id": "T1059.002", "name": "AppleScript", "display_name": "T1059.002 - AppleScript" }, { "id": "T1027", "name": "Obfuscated Files or Information", "display_name": "T1027 - Obfuscated Files or Information" }, { "id": "T1045", "name": "Software Packing", "display_name": "T1045 - Software Packing" }, { "id": "T1057", "name": "Process Discovery", "display_name": "T1057 - Process Discovery" }, { "id": "T1069", "name": "Permission Groups Discovery", "display_name": "T1069 - Permission Groups Discovery" }, { "id": "T1071", "name": "Application Layer Protocol", "display_name": "T1071 - Application Layer Protocol" }, { "id": "T1105", "name": "Ingress Tool Transfer", "display_name": "T1105 - Ingress Tool Transfer" }, { "id": "T1113", "name": "Screen Capture", "display_name": "T1113 - Screen Capture" }, { "id": "T1140", "name": "Deobfuscate/Decode Files or Information", "display_name": "T1140 - Deobfuscate/Decode Files or Information" }, { "id": "T1197", "name": "BITS Jobs", "display_name": "T1197 - BITS Jobs" }, { "id": "T1210", "name": "Exploitation of Remote Services", "display_name": "T1210 - Exploitation of Remote Services" }, { "id": "T1457", "name": "Malicious Media Content", "display_name": "T1457 - Malicious Media Content" }, { "id": "T1480", "name": "Execution Guardrails", "display_name": "T1480 - Execution Guardrails" }, { "id": "T1553", "name": "Subvert Trust Controls", "display_name": "T1553 - Subvert Trust Controls" }, { "id": "T1562", "name": "Impair Defenses", "display_name": "T1562 - Impair Defenses" }, { "id": "T1568", "name": "Dynamic Resolution", "display_name": "T1568 - Dynamic Resolution" }, { "id": "T1574", "name": "Hijack Execution Flow", "display_name": "T1574 - Hijack Execution Flow" }, { "id": "T1583", "name": "Acquire Infrastructure", "display_name": "T1583 - Acquire Infrastructure" } ], "industries": [], "TLP": "white", "cloned_from": null, "export_count": 18, "upvotes_count": 0, "downvotes_count": 0, "votes_count": 0, "locked": false, "pulse_source": "web", "validator_count": 0, "comment_count": 0, "follower_count": 0, "vote": 0, "author": { "username": "Q.Vashti", "id": "337942", "avatar_url": "https://otx.alienvault.com/assets/images/default-avatar.png", "is_subscribed": false, "is_following": false }, "indicator_type_counts": { "FileHash-SHA256": 909, "domain": 449, "hostname": 1403, "URL": 3552, "CIDR": 1, "FileHash-MD5": 242, "FileHash-SHA1": 185, "email": 1 }, "indicator_count": 6742, "is_author": false, "is_subscribing": null, "subscriber_count": 137, "modified_text": "138 days ago ", "is_modified": true, "groups": [], "in_group": false, "threat_hunter_scannable": true, "threat_hunter_has_agents": 1, "related_indicator_type": "URL", "related_indicator_is_active": 1 }, { "id": "6906c12b1dd6a64ab1beaa55", "name": "SpyNoon \u2022Chris P. Ahmann Colorado State \u2022 Tam Legal Special Cousel for egregious", "description": "", "modified": "2025-12-01T09:02:26.881000", "created": "2025-11-02T02:25:47.431000", "tags": [ "public tlp", "trojandropper", "other", "references add", "show", "provide", "remote", "t1457", "media content", "t1480", "subvert trust", "controls t1562", "modify tools", "command history", "ck t1027", "t1057", "discovery t1069", "t1071", "protocol t1105", "tool transfer", "t1113", "logging t1568", "t1574", "execution flow", "dll sideloading", "t1583", "ta0003", "ck id", "america", "att", "t1045", "capture t1140", "ipv4", "active related", "contact", "adversary", "tam legal", "qshell", "colorado state", "ahmann special", "counsel", "download", "ahmann", "university", "history", "john marshall", "law school", "special counsel", "christopher ahmann", "defense", "url http", "create new", "pulse provide", "white", "adversary tags", "add tag", "groups add", "countries add", "country malware", "trojan", "script urls", "treece alfrey", "meta", "function", "for privacy", "germany unknown", "united", "script", "ip address", "creation date", "date", "tracker", "null", "window", "general full", "reverse dns", "server", "philadelphia", "asn8560", "ionosas", "ionos", "fasthosts", "media", "telecom", "apache", "main", "gtagtracker", "gatracker", "brian sabey", "hall render", "fastly error", "palantir", "special counsel", "gravity rat" ], "references": [ "Treece Alfrey Musat P.C. Attorneys at Law Christopher P. Ahmann | https://TamLegal.com", "https://urlscan.io/screenshots/e931bb02-80dc-46db-92f0-43d5afa258be.png", "https://www.pornhub.com/gifs/search?search=tsara+lynn+brashears+lesbian", "https://www.anyxxxtube.net/search-porn/tsara-brashears/", "http://45.159.189.105/bot/regex \u2022\u2019 Fake Pinterest \u2022https://pin.it/", "https://twitter.com/PORNO_SEXYBABES \u2022 girlsdoporn.com", "Tsara never knew defense attorney fought & closed her worker\u2019s compensation claim", "Traceback- Man with signal jammer/ deauther working around her today.", "Absolutely zero regard for the victims who facilitate your luxury lifestyle.", "Do you slap luxury cologne on your undeserving face paid for by money workers suffered for?", "You\u2019d kill to have someone else\u2019s lifestyle? May God take you out!", "This God smacked penguin ordered a settlement hearing with less than 24 hours notice for claimant.", "He began a smear campaign immediately and is directly linked to Hall Render and Palantir", "Doing any evil thing for mone does not compute for me.", "I\u2019ve looked through the settlement docs, injuries caused by Jeffrey Scott Reiner DPT omitted.", "He must be very scary like Peter Theil because every attorney took case then backed off.", "Patiently waiting to see what God is going to do to all of you. You take lives for $", "Stop! A woman was assaulted carved up, lived with a swollen brain , maltreatment , stalkers , hitmen?", "So you can order food at fine restaurants , go to the finest places and get the best seats? No. I am earnestly praying Jehovah Sabaoth takes your last breath from all of you with Yawehs mightiest angels leading the way with a changing of guard for every tattle you will lose", "On same block with HalkRender. Has close working relationship. All Palantir legal enities" ], "public": 1, "adversary": "", "targeted_countries": [], "malware_families": [ { "id": "Other", "display_name": "Other", "target": null }, { "id": "Win.Malware.Unsafe", "display_name": "Win.Malware.Unsafe", "target": null }, { "id": "Juko", "display_name": "Juko", "target": null }, { "id": "Expiro", "display_name": "Expiro", "target": null }, { "id": "Trojan:Win32/Generic", "display_name": "Trojan:Win32/Generic", "target": "/malware/Trojan:Win32/Generic" }, { "id": "Win.Malware.Qshell-9875653-0", "display_name": "Win.Malware.Qshell-9875653-0", "target": null }, { "id": "Trojan:Win32/Qshell", "display_name": "Trojan:Win32/Qshell", "target": "/malware/Trojan:Win32/Qshell" } ], "attack_ids": [ { "id": "T1027", "name": "Obfuscated Files or Information", "display_name": "T1027 - Obfuscated Files or Information" }, { "id": "T1045", "name": "Software Packing", "display_name": "T1045 - Software Packing" }, { "id": "T1057", "name": "Process Discovery", "display_name": "T1057 - Process Discovery" }, { "id": "T1069", "name": "Permission Groups Discovery", "display_name": "T1069 - Permission Groups Discovery" }, { "id": "T1071", "name": "Application Layer Protocol", "display_name": "T1071 - Application Layer Protocol" }, { "id": "T1105", "name": "Ingress Tool Transfer", "display_name": "T1105 - Ingress Tool Transfer" }, { "id": "T1113", "name": "Screen Capture", "display_name": "T1113 - Screen Capture" }, { "id": "T1140", "name": "Deobfuscate/Decode Files or Information", "display_name": "T1140 - Deobfuscate/Decode Files or Information" }, { "id": "T1197", "name": "BITS Jobs", "display_name": "T1197 - BITS Jobs" }, { "id": "T1210", "name": "Exploitation of Remote Services", "display_name": "T1210 - Exploitation of Remote Services" }, { "id": "T1457", "name": "Malicious Media Content", "display_name": "T1457 - Malicious Media Content" }, { "id": "T1480", "name": "Execution Guardrails", "display_name": "T1480 - Execution Guardrails" }, { "id": "T1553", "name": "Subvert Trust Controls", "display_name": "T1553 - Subvert Trust Controls" }, { "id": "T1562", "name": "Impair Defenses", "display_name": "T1562 - Impair Defenses" }, { "id": "T1568", "name": "Dynamic Resolution", "display_name": "T1568 - Dynamic Resolution" }, { "id": "T1574", "name": "Hijack Execution Flow", "display_name": "T1574 - Hijack Execution Flow" }, { "id": "T1583", "name": "Acquire Infrastructure", "display_name": "T1583 - Acquire Infrastructure" } ], "industries": [ "Legal", "Government", "Healthcare", "Technology", "Telecommunications" ], "TLP": "white", "cloned_from": "6905d40f781d7d58d4021a20", "export_count": 11, "upvotes_count": 0, "downvotes_count": 0, "votes_count": 0, "locked": false, "pulse_source": "web", "validator_count": 0, "comment_count": 0, "follower_count": 0, "vote": 0, "author": { "username": "Q.Vashti", "id": "337942", "avatar_url": "https://otx.alienvault.com/assets/images/default-avatar.png", "is_subscribed": false, "is_following": false }, "indicator_type_counts": { "URL": 7556, "domain": 4779, "hostname": 2053, "FileHash-SHA256": 7233, "FileHash-MD5": 474, "FileHash-SHA1": 470, "CVE": 4, "email": 4 }, "indicator_count": 22573, "is_author": false, "is_subscribing": null, "subscriber_count": 138, "modified_text": "139 days ago ", "is_modified": true, "groups": [], "in_group": false, "threat_hunter_scannable": true, "threat_hunter_has_agents": 1, "related_indicator_type": "URL", "related_indicator_is_active": 1 }, { "id": "69137ee5d76d486d65396af0", "name": "Chris P. Ahmann Colorado State \u2022 Tam Legal Special Cousel for egregious acts committed by Jeffrey S. Reimer DPT \u2022 Treece Alfrey Musat P.C., ", "description": "", "modified": "2025-12-01T09:02:26.881000", "created": "2025-11-11T18:22:29.976000", "tags": [ "public tlp", "trojandropper", "other", "references add", "show", "provide", "remote", "t1457", "media content", "t1480", "subvert trust", "controls t1562", "modify tools", "command history", "ck t1027", "t1057", "discovery t1069", "t1071", "protocol t1105", "tool transfer", "t1113", "logging t1568", "t1574", "execution flow", "dll sideloading", "t1583", "ta0003", "ck id", "america", "att", "t1045", "capture t1140", "ipv4", "active related", "contact", "adversary", "tam legal", "qshell", "colorado state", "ahmann special", "counsel", "download", "ahmann", "university", "history", "john marshall", "law school", "special counsel", "christopher ahmann", "defense", "url http", "create new", "pulse provide", "white", "adversary tags", "add tag", "groups add", "countries add", "country malware", "trojan", "script urls", "treece alfrey", "meta", "function", "for privacy", "germany unknown", "united", "script", "ip address", "creation date", "date", "tracker", "null", "window", "general full", "reverse dns", "server", "philadelphia", "asn8560", "ionosas", "ionos", "fasthosts", "media", "telecom", "apache", "main", "gtagtracker", "gatracker", "brian sabey", "hall render", "fastly error", "palantir", "special counsel", "gravity rat" ], "references": [ "Treece Alfrey Musat P.C. Attorneys at Law Christopher P. Ahmann | https://TamLegal.com", "https://urlscan.io/screenshots/e931bb02-80dc-46db-92f0-43d5afa258be.png", "https://www.pornhub.com/gifs/search?search=tsara+lynn+brashears+lesbian", "https://www.anyxxxtube.net/search-porn/tsara-brashears/", "http://45.159.189.105/bot/regex \u2022\u2019 Fake Pinterest \u2022https://pin.it/", "https://twitter.com/PORNO_SEXYBABES \u2022 girlsdoporn.com", "Tsara never knew defense attorney fought & closed her worker\u2019s compensation claim", "Traceback- Man with signal jammer/ deauther working around her today.", "Absolutely zero regard for the victims who facilitate your luxury lifestyle.", "Do you slap luxury cologne on your undeserving face paid for by money workers suffered for?", "You\u2019d kill to have someone else\u2019s lifestyle? May God take you out!", "This God smacked penguin ordered a settlement hearing with less than 24 hours notice for claimant.", "He began a smear campaign immediately and is directly linked to Hall Render and Palantir", "Doing any evil thing for mone does not compute for me.", "I\u2019ve looked through the settlement docs, injuries caused by Jeffrey Scott Reiner DPT omitted.", "He must be very scary like Peter Theil because every attorney took case then backed off.", "Patiently waiting to see what God is going to do to all of you. You take lives for $", "Stop! A woman was assaulted carved up, lived with a swollen brain , maltreatment , stalkers , hitmen?", "So you can order food at fine restaurants , go to the finest places and get the best seats? No. I am earnestly praying Jehovah Sabaoth takes your last breath from all of you with Yawehs mightiest angels leading the way with a changing of guard for every tattle you will lose", "On same block with HalkRender. Has close working relationship. All Palantir legal enities" ], "public": 1, "adversary": "", "targeted_countries": [], "malware_families": [ { "id": "Other", "display_name": "Other", "target": null }, { "id": "Win.Malware.Unsafe", "display_name": "Win.Malware.Unsafe", "target": null }, { "id": "Juko", "display_name": "Juko", "target": null }, { "id": "Expiro", "display_name": "Expiro", "target": null }, { "id": "Trojan:Win32/Generic", "display_name": "Trojan:Win32/Generic", "target": "/malware/Trojan:Win32/Generic" }, { "id": "Win.Malware.Qshell-9875653-0", "display_name": "Win.Malware.Qshell-9875653-0", "target": null }, { "id": "Trojan:Win32/Qshell", "display_name": "Trojan:Win32/Qshell", "target": "/malware/Trojan:Win32/Qshell" } ], "attack_ids": [ { "id": "T1027", "name": "Obfuscated Files or Information", "display_name": "T1027 - Obfuscated Files or Information" }, { "id": "T1045", "name": "Software Packing", "display_name": "T1045 - Software Packing" }, { "id": "T1057", "name": "Process Discovery", "display_name": "T1057 - Process Discovery" }, { "id": "T1069", "name": "Permission Groups Discovery", "display_name": "T1069 - Permission Groups Discovery" }, { "id": "T1071", "name": "Application Layer Protocol", "display_name": "T1071 - Application Layer Protocol" }, { "id": "T1105", "name": "Ingress Tool Transfer", "display_name": "T1105 - Ingress Tool Transfer" }, { "id": "T1113", "name": "Screen Capture", "display_name": "T1113 - Screen Capture" }, { "id": "T1140", "name": "Deobfuscate/Decode Files or Information", "display_name": "T1140 - Deobfuscate/Decode Files or Information" }, { "id": "T1197", "name": "BITS Jobs", "display_name": "T1197 - BITS Jobs" }, { "id": "T1210", "name": "Exploitation of Remote Services", "display_name": "T1210 - Exploitation of Remote Services" }, { "id": "T1457", "name": "Malicious Media Content", "display_name": "T1457 - Malicious Media Content" }, { "id": "T1480", "name": "Execution Guardrails", "display_name": "T1480 - Execution Guardrails" }, { "id": "T1553", "name": "Subvert Trust Controls", "display_name": "T1553 - Subvert Trust Controls" }, { "id": "T1562", "name": "Impair Defenses", "display_name": "T1562 - Impair Defenses" }, { "id": "T1568", "name": "Dynamic Resolution", "display_name": "T1568 - Dynamic Resolution" }, { "id": "T1574", "name": "Hijack Execution Flow", "display_name": "T1574 - Hijack Execution Flow" }, { "id": "T1583", "name": "Acquire Infrastructure", "display_name": "T1583 - Acquire Infrastructure" } ], "industries": [ "Legal", "Government", "Healthcare", "Technology", "Telecommunications" ], "TLP": "white", "cloned_from": "6905d40f781d7d58d4021a20", "export_count": 3, "upvotes_count": 0, "downvotes_count": 0, "votes_count": 0, "locked": false, "pulse_source": "web", "validator_count": 0, "comment_count": 0, "follower_count": 0, "vote": 0, "author": { "username": "Q.Vashti", "id": "337942", "avatar_url": "https://otx.alienvault.com/assets/images/default-avatar.png", "is_subscribed": false, "is_following": false }, "indicator_type_counts": { "URL": 7556, "domain": 4779, "hostname": 2053, "FileHash-SHA256": 7233, "FileHash-MD5": 474, "FileHash-SHA1": 470, "CVE": 4, "email": 4 }, "indicator_count": 22573, "is_author": false, "is_subscribing": null, "subscriber_count": 140, "modified_text": "139 days ago ", "is_modified": true, "groups": [], "in_group": false, "threat_hunter_scannable": true, "threat_hunter_has_agents": 1, "related_indicator_type": "URL", "related_indicator_is_active": 1 }, { "id": "687d74d0266b4805d1dfa9d2", "name": "Top Tier Spyware | There\u2019s a reason billionaires retreated to their bunkers. This is terrible.", "description": "Nothing seems real.", "modified": "2025-08-19T22:03:32.365000", "created": "2025-07-20T22:59:28.332000", "tags": [], "references": [], "public": 1, "adversary": "", "targeted_countries": [], "malware_families": [], "attack_ids": [], "industries": [], "TLP": "green", "cloned_from": null, "export_count": 18, "upvotes_count": 0, "downvotes_count": 0, "votes_count": 0, "locked": false, "pulse_source": "web", "validator_count": 0, "comment_count": 0, "follower_count": 0, "vote": 0, "author": { "username": "Q.Vashti", "id": "337942", "avatar_url": "https://otx.alienvault.com/assets/images/default-avatar.png", "is_subscribed": false, "is_following": false }, "indicator_type_counts": { "FileHash-MD5": 3, "FileHash-SHA1": 3, "FileHash-SHA256": 1062, "domain": 1521, "hostname": 3005, "URL": 11045 }, "indicator_count": 16639, "is_author": false, "is_subscribing": null, "subscriber_count": 140, "modified_text": "242 days ago ", "is_modified": true, "groups": [], "in_group": false, "threat_hunter_scannable": true, "threat_hunter_has_agents": 1, "related_indicator_type": "URL", "related_indicator_is_active": 1 } ], "error": null, "vt": { "error": "VirusTotal rate limit reached. Try again shortly.", "indicator": "https://secure.mooseintl.org/MooseRewardsQuery/", "type": "URL" }, "abuseipdb": null, "urlhaus": { "indicator": "https://secure.mooseintl.org/MooseRewardsQuery/", "type": "URL", "found": false, "verdict": "clean", "error": null }, "from_cache": true, "_cached_at": 1776591817.7111554 }