{
  "type": "URL",
  "indicator": "https://www.Digicert.com/rpa0",
  "general": {
    "sections": [
      "general",
      "url_list",
      "http_scans",
      "screenshot"
    ],
    "indicator": "https://www.Digicert.com/rpa0",
    "type": "url",
    "type_title": "URL",
    "validation": [],
    "base_indicator": {
      "id": 4144734086,
      "indicator": "https://www.Digicert.com/rpa0",
      "type": "URL",
      "title": "",
      "description": "",
      "content": "",
      "access_type": "public",
      "access_reason": ""
    },
    "pulse_info": {
      "count": 3,
      "pulses": [
        {
          "id": "6910cafb096eae0dcb39a800",
          "name": "Lawyers & Lazarus | Apple Spy : Treece Alfrey Musat P.C., Chris P. Ahmann Colorado State \u2022 Tam Legal Special Counsel for egregious",
          "description": "Chronicles of how  quasi government , a State owned criminal defense attorney , protects sexual assaulter Jeffrey Reimer DPT.   victim Palantir harassed, withheld healthcare , diagnoses, justice, monetary award for injured, stole insurance policies, hacked Denver artists, sold music her to artists whom profited, hacked  Denver music studios, hired stalkers, human, controlled phone , car and everything in targets life including , doctors, attorneys, hospitals. It\u2019s always been clear to coming us that Anonymous and Lazarus are the police, judge , lawyer, ransom racist.\nThis group alone has cost the US billions! Responsible for 2014 Sony hack , FMOE.\nDirect Link. by phone , email in person contact , forced settlement hearing,. Adversarial Christopher P. Ahmann , relationship w / Lazarus group, hitmen , cyber crime and other crimes against persons.\n #rip #christopher_ahmann #palantir #lazarus #target_tsara_brashears",
          "modified": "2025-12-09T17:03:48.645000",
          "created": "2025-11-09T17:10:19.498000",
          "tags": [
            "url http",
            "apple",
            "california",
            "apple public",
            "server rsa",
            "organization",
            "stateprovince",
            "ocsp",
            "nids united",
            "files",
            "united",
            "unknown ns",
            "ip address",
            "domain",
            "urls files",
            "passive dns",
            "found title",
            "sf hello",
            "myriad set",
            "pro myriad",
            "set lucida",
            "grande arial",
            "sf mono",
            "ipv4",
            "location united",
            "america flag",
            "america asn",
            "verdict",
            "files ip",
            "address",
            "as42 woodynet",
            "domain add",
            "ipv4 add",
            "reverse dns",
            "trojan",
            "name servers",
            "emails",
            "for privacy",
            "ltd dba",
            "com laude",
            "servers",
            "expiration date",
            "urls",
            "meta",
            "a domains",
            "country code",
            "store home",
            "title",
            "accept",
            "espaol",
            "english",
            "evil corp",
            "see all",
            "cyber hack",
            "republic",
            "canada",
            "season",
            "joe tidy",
            "sarah rainsford",
            "podcast",
            "bank",
            "ukraine",
            "dead",
            "indonesia",
            "police",
            "premium",
            "napoleon",
            "revolution",
            "michelangelo",
            "mozart",
            "global",
            "solid",
            "lazarus",
            "jabber zeus",
            "harrods",
            "ta markmonitor",
            "markmonitor",
            "search",
            "present aug",
            "unknown aaaa",
            "unknown soa",
            "win32",
            "invalid url",
            "trojanspy",
            "mtb apr",
            "backdoor",
            "next associated",
            "win64",
            "trojandropper",
            "twitter",
            "virtool",
            "ransom",
            "worm",
            "dynamicloader",
            "tlsv1",
            "high",
            "globalc",
            "medium",
            "windows",
            "cmd c",
            "delete c",
            "stream",
            "write",
            "next",
            "process32nextw",
            "http host",
            "dns query",
            "likely gandcrab",
            "et trojan",
            "windows nt",
            "wow64",
            "malware",
            "ms windows",
            "as16509",
            "as54113",
            "yara rule",
            "pe32 executable",
            "as15169",
            "powershell",
            "unknown",
            "response ip",
            "address google",
            "safe browsing",
            "hostname add",
            "port",
            "destination",
            "pe32",
            "intel",
            "error",
            "show",
            "delphi",
            "dcom",
            "form",
            "canvas",
            "united kingdom",
            "content type",
            "security",
            "moved",
            "great britain",
            "unknown a",
            "body doctype",
            "html public",
            "ietfdtd html",
            "showing",
            "packing t1045",
            "bytes",
            "read",
            "default",
            "christoper p ahmann",
            "target",
            "victims",
            "tsara brashears",
            "url https",
            "type indicator",
            "role title",
            "added active",
            "related pulses",
            "p1377925676",
            "gaz1",
            "sid1696503456",
            "present nov",
            "present oct",
            "date",
            "tcpmemhit",
            "learn",
            "command",
            "ck id",
            "name tactics",
            "suspicious",
            "informative",
            "adversaries",
            "spawns",
            "defense evasion",
            "t1480 execution",
            "sha256",
            "sha1",
            "mitre att",
            "pattern match",
            "show technique",
            "ck matrix",
            "null",
            "refresh",
            "span",
            "hybrid",
            "general",
            "local",
            "path",
            "click",
            "strings",
            "tools",
            "look",
            "verify",
            "restart",
            "palantir",
            "foundry",
            "hitmen",
            "quasi",
            "government contracts",
            "jeffrey reimer",
            "hallrender",
            "workers compensation",
            "record value",
            "certificate"
          ],
          "references": [
            "apple-dns.net , http://www.pestcontrol-appleton.com/ multiple Apple IoC",
            "https://podcasts.apple.com/us/podcast/the-lazarus-heist/id1561990291",
            "https://tamlegal.com/attorneys/christopher-p-ahmann/",
            "bpc-old.palantirfoundry.com",
            "OTX auto populated  targeted groups.",
            "You have no idea where artists get their music or how the 5 main songwriters harvest songs from independent artists",
            "Target had endured hired hitman , physical attacks, vehicle attacks, gunpoint",
            "Assaulter Jeffrey Scott Reimer DPT isn\u2019t worth his monthly salary let alone all of this support",
            "Using Palantir Foundry tools have created a new false background for Brashears. Should be illegal.",
            "They blatantly steal from citizens , blame foreign entities.",
            "This is truly \u2019waste, fraud and abuse\u2019 usually a phrase used by insurance agents."
          ],
          "public": 1,
          "adversary": "Lazarus",
          "targeted_countries": [
            "Bangladesh",
            "Japan",
            "United States of America"
          ],
          "malware_families": [
            {
              "id": "ALF:SpikeAexR.PEVPSZL",
              "display_name": "ALF:SpikeAexR.PEVPSZL",
              "target": null
            },
            {
              "id": "Ransom:MSIL/GandCrab",
              "display_name": "Ransom:MSIL/GandCrab",
              "target": "/malware/Ransom:MSIL/GandCrab"
            },
            {
              "id": "Zeus",
              "display_name": "Zeus",
              "target": null
            },
            {
              "id": "Ransom:Win32/Gandcrab.H!MTB",
              "display_name": "Ransom:Win32/Gandcrab.H!MTB",
              "target": "/malware/Ransom:Win32/Gandcrab.H!MTB"
            },
            {
              "id": "Other Malware",
              "display_name": "Other Malware",
              "target": null
            }
          ],
          "attack_ids": [
            {
              "id": "T1140",
              "name": "Deobfuscate/Decode Files or Information",
              "display_name": "T1140 - Deobfuscate/Decode Files or Information"
            },
            {
              "id": "T1553",
              "name": "Subvert Trust Controls",
              "display_name": "T1553 - Subvert Trust Controls"
            },
            {
              "id": "T1012",
              "name": "Query Registry",
              "display_name": "T1012 - Query Registry"
            },
            {
              "id": "T1045",
              "name": "Software Packing",
              "display_name": "T1045 - Software Packing"
            },
            {
              "id": "T1053",
              "name": "Scheduled Task/Job",
              "display_name": "T1053 - Scheduled Task/Job"
            },
            {
              "id": "T1057",
              "name": "Process Discovery",
              "display_name": "T1057 - Process Discovery"
            },
            {
              "id": "T1060",
              "name": "Registry Run Keys / Startup Folder",
              "display_name": "T1060 - Registry Run Keys / Startup Folder"
            },
            {
              "id": "T1082",
              "name": "System Information Discovery",
              "display_name": "T1082 - System Information Discovery"
            },
            {
              "id": "T1129",
              "name": "Shared Modules",
              "display_name": "T1129 - Shared Modules"
            },
            {
              "id": "T1027",
              "name": "Obfuscated Files or Information",
              "display_name": "T1027 - Obfuscated Files or Information"
            },
            {
              "id": "T1069",
              "name": "Permission Groups Discovery",
              "display_name": "T1069 - Permission Groups Discovery"
            },
            {
              "id": "T1071",
              "name": "Application Layer Protocol",
              "display_name": "T1071 - Application Layer Protocol"
            },
            {
              "id": "T1105",
              "name": "Ingress Tool Transfer",
              "display_name": "T1105 - Ingress Tool Transfer"
            },
            {
              "id": "T1480",
              "name": "Execution Guardrails",
              "display_name": "T1480 - Execution Guardrails"
            },
            {
              "id": "T1568",
              "name": "Dynamic Resolution",
              "display_name": "T1568 - Dynamic Resolution"
            },
            {
              "id": "T1143",
              "name": "Hidden Window",
              "display_name": "T1143 - Hidden Window"
            },
            {
              "id": "T1147",
              "name": "Hidden Users",
              "display_name": "T1147 - Hidden Users"
            },
            {
              "id": "T1583",
              "name": "Acquire Infrastructure",
              "display_name": "T1583 - Acquire Infrastructure"
            },
            {
              "id": "T1155",
              "name": "AppleScript",
              "display_name": "T1155 - AppleScript"
            },
            {
              "id": "T1031",
              "name": "Modify Existing Service",
              "display_name": "T1031 - Modify Existing Service"
            },
            {
              "id": "T1449",
              "name": "Exploit SS7 to Redirect Phone Calls/SMS",
              "display_name": "T1449 - Exploit SS7 to Redirect Phone Calls/SMS"
            },
            {
              "id": "T1583.005",
              "name": "Botnet",
              "display_name": "T1583.005 - Botnet"
            },
            {
              "id": "T1071.004",
              "name": "DNS",
              "display_name": "T1071.004 - DNS"
            },
            {
              "id": "T1094",
              "name": "Custom Command and Control Protocol",
              "display_name": "T1094 - Custom Command and Control Protocol"
            },
            {
              "id": "T1046",
              "name": "Network Service Scanning",
              "display_name": "T1046 - Network Service Scanning"
            },
            {
              "id": "T1566",
              "name": "Phishing",
              "display_name": "T1566 - Phishing"
            },
            {
              "id": "T1113",
              "name": "Screen Capture",
              "display_name": "T1113 - Screen Capture"
            }
          ],
          "industries": [
            "Banks",
            "Crypto",
            "Entertainment",
            "Bank"
          ],
          "TLP": "white",
          "cloned_from": null,
          "export_count": 19,
          "upvotes_count": 0,
          "downvotes_count": 0,
          "votes_count": 0,
          "locked": false,
          "pulse_source": "web",
          "validator_count": 0,
          "comment_count": 1,
          "follower_count": 0,
          "vote": 0,
          "author": {
            "username": "Q.Vashti",
            "id": "337942",
            "avatar_url": "https://otx.alienvault.com/assets/images/default-avatar.png",
            "is_subscribed": false,
            "is_following": false
          },
          "indicator_type_counts": {
            "URL": 4572,
            "FileHash-MD5": 196,
            "domain": 1523,
            "hostname": 1393,
            "FileHash-SHA256": 2400,
            "FileHash-SHA1": 175,
            "email": 18,
            "SSLCertFingerprint": 8
          },
          "indicator_count": 10285,
          "is_author": false,
          "is_subscribing": null,
          "subscriber_count": 144,
          "modified_text": "174 days ago ",
          "is_modified": true,
          "groups": [],
          "in_group": false,
          "threat_hunter_scannable": true,
          "threat_hunter_has_agents": 1,
          "related_indicator_type": "URL",
          "related_indicator_is_active": 1
        },
        {
          "id": "69138a8144a8bf8040a92711",
          "name": "Lawyers & Lazarus | Apple Spy : Treece Alfrey Musat P.C., Chris P. Ahmann Colorado State \u2022 Tam Legal Special Counsel for egregious criminal acts \u2022 Christopher P. Ahmann attorney at Large",
          "description": "",
          "modified": "2025-12-09T17:03:48.645000",
          "created": "2025-11-11T19:12:01.843000",
          "tags": [
            "url http",
            "apple",
            "california",
            "apple public",
            "server rsa",
            "organization",
            "stateprovince",
            "ocsp",
            "nids united",
            "files",
            "united",
            "unknown ns",
            "ip address",
            "domain",
            "urls files",
            "passive dns",
            "found title",
            "sf hello",
            "myriad set",
            "pro myriad",
            "set lucida",
            "grande arial",
            "sf mono",
            "ipv4",
            "location united",
            "america flag",
            "america asn",
            "verdict",
            "files ip",
            "address",
            "as42 woodynet",
            "domain add",
            "ipv4 add",
            "reverse dns",
            "trojan",
            "name servers",
            "emails",
            "for privacy",
            "ltd dba",
            "com laude",
            "servers",
            "expiration date",
            "urls",
            "meta",
            "a domains",
            "country code",
            "store home",
            "title",
            "accept",
            "espaol",
            "english",
            "evil corp",
            "see all",
            "cyber hack",
            "republic",
            "canada",
            "season",
            "joe tidy",
            "sarah rainsford",
            "podcast",
            "bank",
            "ukraine",
            "dead",
            "indonesia",
            "police",
            "premium",
            "napoleon",
            "revolution",
            "michelangelo",
            "mozart",
            "global",
            "solid",
            "lazarus",
            "jabber zeus",
            "harrods",
            "ta markmonitor",
            "markmonitor",
            "search",
            "present aug",
            "unknown aaaa",
            "unknown soa",
            "win32",
            "invalid url",
            "trojanspy",
            "mtb apr",
            "backdoor",
            "next associated",
            "win64",
            "trojandropper",
            "twitter",
            "virtool",
            "ransom",
            "worm",
            "dynamicloader",
            "tlsv1",
            "high",
            "globalc",
            "medium",
            "windows",
            "cmd c",
            "delete c",
            "stream",
            "write",
            "next",
            "process32nextw",
            "http host",
            "dns query",
            "likely gandcrab",
            "et trojan",
            "windows nt",
            "wow64",
            "malware",
            "ms windows",
            "as16509",
            "as54113",
            "yara rule",
            "pe32 executable",
            "as15169",
            "powershell",
            "unknown",
            "response ip",
            "address google",
            "safe browsing",
            "hostname add",
            "port",
            "destination",
            "pe32",
            "intel",
            "error",
            "show",
            "delphi",
            "dcom",
            "form",
            "canvas",
            "united kingdom",
            "content type",
            "security",
            "moved",
            "great britain",
            "unknown a",
            "body doctype",
            "html public",
            "ietfdtd html",
            "showing",
            "packing t1045",
            "bytes",
            "read",
            "default",
            "christoper p ahmann",
            "target",
            "victims",
            "tsara brashears",
            "url https",
            "type indicator",
            "role title",
            "added active",
            "related pulses",
            "p1377925676",
            "gaz1",
            "sid1696503456",
            "present nov",
            "present oct",
            "date",
            "tcpmemhit",
            "learn",
            "command",
            "ck id",
            "name tactics",
            "suspicious",
            "informative",
            "adversaries",
            "spawns",
            "defense evasion",
            "t1480 execution",
            "sha256",
            "sha1",
            "mitre att",
            "pattern match",
            "show technique",
            "ck matrix",
            "null",
            "refresh",
            "span",
            "hybrid",
            "general",
            "local",
            "path",
            "click",
            "strings",
            "tools",
            "look",
            "verify",
            "restart",
            "palantir",
            "foundry",
            "hitmen",
            "quasi",
            "government contracts",
            "jeffrey reimer",
            "hallrender",
            "workers compensation",
            "record value",
            "certificate"
          ],
          "references": [
            "apple-dns.net , http://www.pestcontrol-appleton.com/ multiple Apple IoC",
            "https://podcasts.apple.com/us/podcast/the-lazarus-heist/id1561990291",
            "https://tamlegal.com/attorneys/christopher-p-ahmann/",
            "bpc-old.palantirfoundry.com",
            "OTX auto populated  targeted groups.",
            "You have no idea where artists get their music or how the 5 main songwriters harvest songs from independent artists",
            "Target had endured hired hitman , physical attacks, vehicle attacks, gunpoint",
            "Assaulter Jeffrey Scott Reimer DPT isn\u2019t worth his monthly salary let alone all of this support",
            "Using Palantir Foundry tools have created a new false background for Brashears. Should be illegal.",
            "They blatantly steal from citizens , blame foreign entities.",
            "This is truly \u2019waste, fraud and abuse\u2019 usually a phrase used by insurance agents."
          ],
          "public": 1,
          "adversary": "Lazarus",
          "targeted_countries": [
            "Bangladesh",
            "Japan",
            "United States of America"
          ],
          "malware_families": [
            {
              "id": "ALF:SpikeAexR.PEVPSZL",
              "display_name": "ALF:SpikeAexR.PEVPSZL",
              "target": null
            },
            {
              "id": "Ransom:MSIL/GandCrab",
              "display_name": "Ransom:MSIL/GandCrab",
              "target": "/malware/Ransom:MSIL/GandCrab"
            },
            {
              "id": "Zeus",
              "display_name": "Zeus",
              "target": null
            },
            {
              "id": "Ransom:Win32/Gandcrab.H!MTB",
              "display_name": "Ransom:Win32/Gandcrab.H!MTB",
              "target": "/malware/Ransom:Win32/Gandcrab.H!MTB"
            },
            {
              "id": "Other Malware",
              "display_name": "Other Malware",
              "target": null
            }
          ],
          "attack_ids": [
            {
              "id": "T1140",
              "name": "Deobfuscate/Decode Files or Information",
              "display_name": "T1140 - Deobfuscate/Decode Files or Information"
            },
            {
              "id": "T1553",
              "name": "Subvert Trust Controls",
              "display_name": "T1553 - Subvert Trust Controls"
            },
            {
              "id": "T1012",
              "name": "Query Registry",
              "display_name": "T1012 - Query Registry"
            },
            {
              "id": "T1045",
              "name": "Software Packing",
              "display_name": "T1045 - Software Packing"
            },
            {
              "id": "T1053",
              "name": "Scheduled Task/Job",
              "display_name": "T1053 - Scheduled Task/Job"
            },
            {
              "id": "T1057",
              "name": "Process Discovery",
              "display_name": "T1057 - Process Discovery"
            },
            {
              "id": "T1060",
              "name": "Registry Run Keys / Startup Folder",
              "display_name": "T1060 - Registry Run Keys / Startup Folder"
            },
            {
              "id": "T1082",
              "name": "System Information Discovery",
              "display_name": "T1082 - System Information Discovery"
            },
            {
              "id": "T1129",
              "name": "Shared Modules",
              "display_name": "T1129 - Shared Modules"
            },
            {
              "id": "T1027",
              "name": "Obfuscated Files or Information",
              "display_name": "T1027 - Obfuscated Files or Information"
            },
            {
              "id": "T1069",
              "name": "Permission Groups Discovery",
              "display_name": "T1069 - Permission Groups Discovery"
            },
            {
              "id": "T1071",
              "name": "Application Layer Protocol",
              "display_name": "T1071 - Application Layer Protocol"
            },
            {
              "id": "T1105",
              "name": "Ingress Tool Transfer",
              "display_name": "T1105 - Ingress Tool Transfer"
            },
            {
              "id": "T1480",
              "name": "Execution Guardrails",
              "display_name": "T1480 - Execution Guardrails"
            },
            {
              "id": "T1568",
              "name": "Dynamic Resolution",
              "display_name": "T1568 - Dynamic Resolution"
            },
            {
              "id": "T1143",
              "name": "Hidden Window",
              "display_name": "T1143 - Hidden Window"
            },
            {
              "id": "T1147",
              "name": "Hidden Users",
              "display_name": "T1147 - Hidden Users"
            },
            {
              "id": "T1583",
              "name": "Acquire Infrastructure",
              "display_name": "T1583 - Acquire Infrastructure"
            },
            {
              "id": "T1155",
              "name": "AppleScript",
              "display_name": "T1155 - AppleScript"
            },
            {
              "id": "T1031",
              "name": "Modify Existing Service",
              "display_name": "T1031 - Modify Existing Service"
            },
            {
              "id": "T1449",
              "name": "Exploit SS7 to Redirect Phone Calls/SMS",
              "display_name": "T1449 - Exploit SS7 to Redirect Phone Calls/SMS"
            },
            {
              "id": "T1583.005",
              "name": "Botnet",
              "display_name": "T1583.005 - Botnet"
            },
            {
              "id": "T1071.004",
              "name": "DNS",
              "display_name": "T1071.004 - DNS"
            },
            {
              "id": "T1094",
              "name": "Custom Command and Control Protocol",
              "display_name": "T1094 - Custom Command and Control Protocol"
            },
            {
              "id": "T1046",
              "name": "Network Service Scanning",
              "display_name": "T1046 - Network Service Scanning"
            },
            {
              "id": "T1566",
              "name": "Phishing",
              "display_name": "T1566 - Phishing"
            },
            {
              "id": "T1113",
              "name": "Screen Capture",
              "display_name": "T1113 - Screen Capture"
            }
          ],
          "industries": [
            "Banks",
            "Crypto",
            "Entertainment",
            "Bank"
          ],
          "TLP": "white",
          "cloned_from": "6910cafb096eae0dcb39a800",
          "export_count": 14,
          "upvotes_count": 0,
          "downvotes_count": 0,
          "votes_count": 0,
          "locked": false,
          "pulse_source": "web",
          "validator_count": 0,
          "comment_count": 0,
          "follower_count": 0,
          "vote": 0,
          "author": {
            "username": "Q.Vashti",
            "id": "337942",
            "avatar_url": "https://otx.alienvault.com/assets/images/default-avatar.png",
            "is_subscribed": false,
            "is_following": false
          },
          "indicator_type_counts": {
            "URL": 4572,
            "FileHash-MD5": 196,
            "domain": 1523,
            "hostname": 1393,
            "FileHash-SHA256": 2400,
            "FileHash-SHA1": 175,
            "email": 18,
            "SSLCertFingerprint": 8
          },
          "indicator_count": 10285,
          "is_author": false,
          "is_subscribing": null,
          "subscriber_count": 145,
          "modified_text": "174 days ago ",
          "is_modified": true,
          "groups": [],
          "in_group": false,
          "threat_hunter_scannable": true,
          "threat_hunter_has_agents": 1,
          "related_indicator_type": "URL",
          "related_indicator_is_active": 1
        },
        {
          "id": "690e47a694d9bc5c12d83bc0",
          "name": "LimeRAT | Dark Room Dennis | SpyGlassPrism HealthCare",
          "description": "Invasive, dark , illegal. Malicious. Will sift through malware Spyware systems. Perpetual remote connections.  Employed by Tam Legals Christopher P. Ahmann (Colorado government) to spy on, tamper with , annoy, terrorize, out of financial awards. \n\n spyglass-w_1_.png\n\nSize\n362B (362 bytes)\nMD5\n3c0e6546a44bd9a0f2768df07db5c1c9\nSHA1\neddf26d1da4a140f2f963b8564c4e99cd6f1a677\nSHA256\n83eec393865a35363695d6f2416792d0117f551bb3e41d13b141d70e6b35e02c",
          "modified": "2025-12-07T18:01:48.980000",
          "created": "2025-11-07T19:25:26.827000",
          "tags": [
            "germany asn",
            "as24940 hetzner",
            "status connect",
            "associated",
            "present nov",
            "germany",
            "moved",
            "present oct",
            "accept",
            "germany unknown",
            "web trebuchet",
            "ms lucida",
            "grande lucida",
            "sans unicode",
            "lucida sans",
            "tahoma",
            "passive dns",
            "title",
            "error",
            "gmbh ccp",
            "germany germany",
            "asn as197540",
            "response ip",
            "address google",
            "safe browsing",
            "present jun",
            "present may",
            "present mar",
            "present jan",
            "urls",
            "aaaa",
            "gmt content",
            "type",
            "tags",
            "tag groups",
            "countries",
            "add country",
            "malware att",
            "ck it1140",
            "information",
            "cisco",
            "umbrella rank",
            "automatic",
            "webgl",
            "please",
            "november",
            "typeof function",
            "topropertykey",
            "masonry object",
            "prism function",
            "cookies",
            "source level",
            "reverse dns",
            "protocol h2",
            "security tls",
            "asn24940",
            "online gmbh",
            "general full",
            "url https",
            "falkenstein",
            "community forum",
            "it url",
            "youtube videos",
            "twitch kanal",
            "discord channel",
            "spenden",
            "shop url",
            "google",
            "hetzneras",
            "http",
            "april",
            "de summary",
            "ehingen",
            "march",
            "google safe",
            "browsing",
            "learn",
            "issues tab",
            "value",
            "masonry",
            "domainpath name",
            "cgjerrieegagfw",
            "label",
            "input",
            "suchen nach",
            "suche",
            "form",
            "hash",
            "name value",
            "main",
            "flag",
            "contacted hosts",
            "ip address",
            "process details",
            "windir",
            "openurl c",
            "prefetch2",
            "ck id",
            "name tactics",
            "suspicious",
            "informative",
            "adversaries",
            "command",
            "defense evasion",
            "spawns",
            "found",
            "a domains",
            "ascio",
            "china unknown",
            "record value",
            "apache",
            "encrypt",
            "dns resolutions",
            "domains top",
            "level",
            "unique tlds",
            "related pulses",
            "related tags",
            "certificate",
            "hostname add",
            "url analysis",
            "files",
            "domain",
            "files ip",
            "address",
            "asn as24940",
            "less",
            "raspberry pi",
            "ubiquiti",
            "remote",
            "hostname",
            "pulse submit",
            "status",
            "entries",
            "x xss",
            "sameorigin x",
            "unicode text",
            "utf8 text",
            "click",
            "strings",
            "mitre att",
            "ck matrix",
            "pattern match",
            "ascii text",
            "href",
            "show process",
            "network traffic",
            "general",
            "hybrid",
            "local",
            "path",
            "monitored target",
            "spyglass",
            "spyware.",
            "pegasus systems",
            "prism",
            "colorado leg",
            "christopher p.ahmann",
            "ahmann",
            "christopher",
            "P",
            "tam legal",
            "treece",
            "alfrey",
            "muscat",
            "criminal",
            "jeffrey reimer",
            "theft",
            "remote connect",
            "schroeder dennis"
          ],
          "references": [
            "Domain Name: schroederdennis.de | Status: connect",
            "remote.tecbuddy.de | remote.schneider-hv.de | remotedesktop.thedipling",
            "root-dns.netcup",
            "device-*******-*****-****-****-*********.remotewd.com",
            "ai-sandboxes.com",
            "Why Is this always a problem? Just curious. - http://wyblog.us/blog/rants/strikers-get-unemployment-benefits",
            "$ is funneled back to government, (quasi) , bonused \u2018doctors\u2019 State \u2018experts\u2019  who\u2026",
            "\u2026lie about the severity of injuries and do crap like this.",
            "This money belongs to people who paid  insurance to cover on job  injuries that happen in the job.",
            "Premise liability covers premises, employees and premises visitors. Weaponizing is not covered.",
            "Those attacked are the severely injured, survivors of dead workers, victims of providers.",
            "These people aren\u2019t in the dark. They are clear of the need to pay benefits.",
            "There are absolute losers in the dole  illegally benefiting from the suffering others.",
            "https://hybrid-analysis.com/sample/00f5292bbe68d9edc68f9a22a750eafb58e4f8474e15a48e3cc217fbbd0cdef9/690e24bb39c801e6d80a824e",
            "\u2022 http://demo.ideaboxthemes.com/prism",
            "https://photoprism.thedipling.dns64.de/ \u2022 synertec-audit-cloud.healthchecks.prismcloud.uk",
            "photoprism.thedipling.dns64.de \u2022  https://schroederdennis.de/wp-content/plugins/highlighting-code-block/assets/js/prism.js?ver=2.0.1",
            "\"OC47TWOY.txt\" has type \"ASCII text\"- [targetUID: N/A] \"spyglass-w_1_.png\" has type \"Unknown\"- [targetUID: N/A]",
            "\"spyglass-w_1_.png\" has type \"Unknown\" and extension \"png\" \"clock-g_1_.png\" has type \"Unknown\" and extension \"png\"",
            "Domain healthcareshapers.com \u2022  https://www.healthcareshapers.com/",
            "www.ventoxhealthcare.in \u2022 synertec-audit-cloud.healthchecks.prismcloud.uk",
            "https://cullenbehavioralhealth.theraplatform.com/ \u2022 amghealthnetwork.com",
            "3ddruck-celle.de",
            "wwwwww.publicpublicwww.portal.apple-apple-number3.ipv64.net",
            "sonarr.app.pineapplegod.co.nz",
            "http://svc.ghlink.com/svc/Authenticate/Applications",
            "https://sap.dswd.gov.ph.index.ph \u2022 login.prod.siecm.gov.mg \u2022 nre-362.dev.nre.gss.gov.uk",
            "sdp-dev-ingest.ci.lineageandprovenance.gss.gov.uk",
            "http://www.xonitec.com/pornosu/yuotubesex.html",
            "rowanandbenporn.ssssssssssssshadow.home64.de",
            "https://pagead2.googlesyndication.com/pagead/ads?ltd_cs=1&client=ca-pub-6165363645315831&output=html&adk=1812271804&adf=3025194257&lmt=1713778114&plat=3%3A16%2C4%3A16%2C8%3A4194304%2C9%3A134250504%2C16%3A8388608%2C17%3A32%2C24%3A32%2C25%3A32%2C30%3A1081344%2C32%3A32%2C41%3A32%2C42%3A32&format=0x0&url=https%3A%2F%2Fschroederdennis.de%2Fubiquiti%2Fubiquiti-unifi-u6-plus-vs-u6-lite-vergleich-access-point-wifi%2F&pra=5&wgl=1&easpi=0&asro=0&uach=WyJXaW4zMiIsIjEwLjAuMCIsIng4NiIsIiIsIjEyNC4wLjYzNjcuNjAiLG51bGwsMCx",
            "https://urlscan.io/result/019a5fbd-e7c6-743a-b9a7-a20e8b2943cd/",
            "https://urlscan.io/screenshots/e931bb02-80dc-46db-92f0-43d5afa258be.png"
          ],
          "public": 1,
          "adversary": "",
          "targeted_countries": [],
          "malware_families": [
            {
              "id": "Win.Packed.Rrat-9798963-0",
              "display_name": "Win.Packed.Rrat-9798963-0",
              "target": null
            },
            {
              "id": "Win.Dropper.LimeRAT-9776087-0",
              "display_name": "Win.Dropper.LimeRAT-9776087-0",
              "target": null
            },
            {
              "id": "Malware Packed",
              "display_name": "Malware Packed",
              "target": null
            }
          ],
          "attack_ids": [
            {
              "id": "T1140",
              "name": "Deobfuscate/Decode Files or Information",
              "display_name": "T1140 - Deobfuscate/Decode Files or Information"
            },
            {
              "id": "T1027",
              "name": "Obfuscated Files or Information",
              "display_name": "T1027 - Obfuscated Files or Information"
            },
            {
              "id": "T1055",
              "name": "Process Injection",
              "display_name": "T1055 - Process Injection"
            },
            {
              "id": "T1057",
              "name": "Process Discovery",
              "display_name": "T1057 - Process Discovery"
            },
            {
              "id": "T1069",
              "name": "Permission Groups Discovery",
              "display_name": "T1069 - Permission Groups Discovery"
            },
            {
              "id": "T1071",
              "name": "Application Layer Protocol",
              "display_name": "T1071 - Application Layer Protocol"
            },
            {
              "id": "T1083",
              "name": "File and Directory Discovery",
              "display_name": "T1083 - File and Directory Discovery"
            },
            {
              "id": "T1105",
              "name": "Ingress Tool Transfer",
              "display_name": "T1105 - Ingress Tool Transfer"
            },
            {
              "id": "T1480",
              "name": "Execution Guardrails",
              "display_name": "T1480 - Execution Guardrails"
            },
            {
              "id": "T1553",
              "name": "Subvert Trust Controls",
              "display_name": "T1553 - Subvert Trust Controls"
            },
            {
              "id": "T1568",
              "name": "Dynamic Resolution",
              "display_name": "T1568 - Dynamic Resolution"
            },
            {
              "id": "T1583",
              "name": "Acquire Infrastructure",
              "display_name": "T1583 - Acquire Infrastructure"
            },
            {
              "id": "T1590",
              "name": "Gather Victim Network Information",
              "display_name": "T1590 - Gather Victim Network Information"
            },
            {
              "id": "T1114",
              "name": "Email Collection",
              "display_name": "T1114 - Email Collection"
            },
            {
              "id": "T1204",
              "name": "User Execution",
              "display_name": "T1204 - User Execution"
            },
            {
              "id": "T1566",
              "name": "Phishing",
              "display_name": "T1566 - Phishing"
            },
            {
              "id": "TA0003",
              "name": "Persistence",
              "display_name": "TA0003 - Persistence"
            },
            {
              "id": "T1210",
              "name": "Exploitation of Remote Services",
              "display_name": "T1210 - Exploitation of Remote Services"
            },
            {
              "id": "TA0011",
              "name": "Command and Control",
              "display_name": "TA0011 - Command and Control"
            },
            {
              "id": "T1583.005",
              "name": "Botnet",
              "display_name": "T1583.005 - Botnet"
            },
            {
              "id": "T1031",
              "name": "Modify Existing Service",
              "display_name": "T1031 - Modify Existing Service"
            },
            {
              "id": "T1449",
              "name": "Exploit SS7 to Redirect Phone Calls/SMS",
              "display_name": "T1449 - Exploit SS7 to Redirect Phone Calls/SMS"
            },
            {
              "id": "T1584.005",
              "name": "Botnet",
              "display_name": "T1584.005 - Botnet"
            },
            {
              "id": "T1155",
              "name": "AppleScript",
              "display_name": "T1155 - AppleScript"
            }
          ],
          "industries": [
            "Healthcare",
            "Legal",
            "Government",
            "Technology"
          ],
          "TLP": "white",
          "cloned_from": null,
          "export_count": 3,
          "upvotes_count": 0,
          "downvotes_count": 0,
          "votes_count": 0,
          "locked": false,
          "pulse_source": "web",
          "validator_count": 0,
          "comment_count": 1,
          "follower_count": 0,
          "vote": 0,
          "author": {
            "username": "Q.Vashti",
            "id": "337942",
            "avatar_url": "https://otx.alienvault.com/assets/images/default-avatar.png",
            "is_subscribed": false,
            "is_following": false
          },
          "indicator_type_counts": {
            "domain": 1258,
            "hostname": 2018,
            "URL": 3033,
            "FileHash-SHA256": 651,
            "email": 4,
            "FileHash-MD5": 62,
            "FileHash-SHA1": 69,
            "SSLCertFingerprint": 5
          },
          "indicator_count": 7100,
          "is_author": false,
          "is_subscribing": null,
          "subscriber_count": 142,
          "modified_text": "176 days ago ",
          "is_modified": true,
          "groups": [],
          "in_group": false,
          "threat_hunter_scannable": true,
          "threat_hunter_has_agents": 1,
          "related_indicator_type": "URL",
          "related_indicator_is_active": 1
        }
      ],
      "references": [
        "https://urlscan.io/screenshots/e931bb02-80dc-46db-92f0-43d5afa258be.png",
        "OTX auto populated  targeted groups.",
        "device-*******-*****-****-****-*********.remotewd.com",
        "https://podcasts.apple.com/us/podcast/the-lazarus-heist/id1561990291",
        "Why Is this always a problem? Just curious. - http://wyblog.us/blog/rants/strikers-get-unemployment-benefits",
        "Premise liability covers premises, employees and premises visitors. Weaponizing is not covered.",
        "http://www.xonitec.com/pornosu/yuotubesex.html",
        "Domain Name: schroederdennis.de | Status: connect",
        "http://svc.ghlink.com/svc/Authenticate/Applications",
        "\"OC47TWOY.txt\" has type \"ASCII text\"- [targetUID: N/A] \"spyglass-w_1_.png\" has type \"Unknown\"- [targetUID: N/A]",
        "\u2022 http://demo.ideaboxthemes.com/prism",
        "\u2026lie about the severity of injuries and do crap like this.",
        "They blatantly steal from citizens , blame foreign entities.",
        "bpc-old.palantirfoundry.com",
        "\"spyglass-w_1_.png\" has type \"Unknown\" and extension \"png\" \"clock-g_1_.png\" has type \"Unknown\" and extension \"png\"",
        "Those attacked are the severely injured, survivors of dead workers, victims of providers.",
        "Domain healthcareshapers.com \u2022  https://www.healthcareshapers.com/",
        "photoprism.thedipling.dns64.de \u2022  https://schroederdennis.de/wp-content/plugins/highlighting-code-block/assets/js/prism.js?ver=2.0.1",
        "sdp-dev-ingest.ci.lineageandprovenance.gss.gov.uk",
        "rowanandbenporn.ssssssssssssshadow.home64.de",
        "Target had endured hired hitman , physical attacks, vehicle attacks, gunpoint",
        "https://pagead2.googlesyndication.com/pagead/ads?ltd_cs=1&client=ca-pub-6165363645315831&output=html&adk=1812271804&adf=3025194257&lmt=1713778114&plat=3%3A16%2C4%3A16%2C8%3A4194304%2C9%3A134250504%2C16%3A8388608%2C17%3A32%2C24%3A32%2C25%3A32%2C30%3A1081344%2C32%3A32%2C41%3A32%2C42%3A32&format=0x0&url=https%3A%2F%2Fschroederdennis.de%2Fubiquiti%2Fubiquiti-unifi-u6-plus-vs-u6-lite-vergleich-access-point-wifi%2F&pra=5&wgl=1&easpi=0&asro=0&uach=WyJXaW4zMiIsIjEwLjAuMCIsIng4NiIsIiIsIjEyNC4wLjYzNjcuNjAiLG51bGwsMCx",
        "sonarr.app.pineapplegod.co.nz",
        "https://tamlegal.com/attorneys/christopher-p-ahmann/",
        "You have no idea where artists get their music or how the 5 main songwriters harvest songs from independent artists",
        "This money belongs to people who paid  insurance to cover on job  injuries that happen in the job.",
        "These people aren\u2019t in the dark. They are clear of the need to pay benefits.",
        "There are absolute losers in the dole  illegally benefiting from the suffering others.",
        "www.ventoxhealthcare.in \u2022 synertec-audit-cloud.healthchecks.prismcloud.uk",
        "https://cullenbehavioralhealth.theraplatform.com/ \u2022 amghealthnetwork.com",
        "root-dns.netcup",
        "Using Palantir Foundry tools have created a new false background for Brashears. Should be illegal.",
        "3ddruck-celle.de",
        "https://urlscan.io/result/019a5fbd-e7c6-743a-b9a7-a20e8b2943cd/",
        "https://photoprism.thedipling.dns64.de/ \u2022 synertec-audit-cloud.healthchecks.prismcloud.uk",
        "https://sap.dswd.gov.ph.index.ph \u2022 login.prod.siecm.gov.mg \u2022 nre-362.dev.nre.gss.gov.uk",
        "https://hybrid-analysis.com/sample/00f5292bbe68d9edc68f9a22a750eafb58e4f8474e15a48e3cc217fbbd0cdef9/690e24bb39c801e6d80a824e",
        "$ is funneled back to government, (quasi) , bonused \u2018doctors\u2019 State \u2018experts\u2019  who\u2026",
        "Assaulter Jeffrey Scott Reimer DPT isn\u2019t worth his monthly salary let alone all of this support",
        "wwwwww.publicpublicwww.portal.apple-apple-number3.ipv64.net",
        "apple-dns.net , http://www.pestcontrol-appleton.com/ multiple Apple IoC",
        "remote.tecbuddy.de | remote.schneider-hv.de | remotedesktop.thedipling",
        "ai-sandboxes.com",
        "This is truly \u2019waste, fraud and abuse\u2019 usually a phrase used by insurance agents."
      ],
      "related": {
        "alienvault": {
          "adversary": [],
          "malware_families": [],
          "industries": [],
          "unique_indicators": 0
        },
        "other": {
          "adversary": [
            "Lazarus"
          ],
          "malware_families": [
            "Win.dropper.limerat-9776087-0",
            "Zeus",
            "Alf:spikeaexr.pevpszl",
            "Ransom:msil/gandcrab",
            "Win.packed.rrat-9798963-0",
            "Ransom:win32/gandcrab.h!mtb",
            "Malware packed",
            "Other malware"
          ],
          "industries": [
            "Government",
            "Healthcare",
            "Legal",
            "Bank",
            "Technology",
            "Banks",
            "Entertainment",
            "Crypto"
          ],
          "unique_indicators": 17485
        }
      }
    },
    "false_positive": [],
    "alexa": "http://www.alexa.com/siteinfo/Digicert.com",
    "whois": "http://whois.domaintools.com/Digicert.com",
    "domain": "Digicert.com",
    "hostname": "www.Digicert.com"
  },
  "geo": {},
  "geo_ipapicom": {},
  "pulse_count": 3,
  "pulses": [
    {
      "id": "6910cafb096eae0dcb39a800",
      "name": "Lawyers & Lazarus | Apple Spy : Treece Alfrey Musat P.C., Chris P. Ahmann Colorado State \u2022 Tam Legal Special Cousel for egregious",
      "description": "Chronicles of how  quasi government , a State owned criminal defense attorney , protects sexual assaulter Jeffrey Reimer DPT.   victim Palantir harassed, withheld healthcare , diagnoses, justice, monetary award for injured, stole insurance policies, hacked Denver artists, sold music her to artists whom profited, hacked  Denver music studios, hired stalkers, human, controlled phone , car and everything in targets life including , doctors, attorneys, hospitals. It\u2019s always been clear to coming us that Anonymous and Lazarus are the police, judge , lawyer, ransom racist.\nThis group alone has cost the US billions! Responsible for 2014 Sony hack , FMOE.\nDirect Link. by phone , email in person contact , forced settlement hearing,. Adversarial Christopher P. Ahmann , relationship w / Lazarus group, hitmen , cyber crime and other crimes against persons.\n #rip #christopher_ahmann #palantir #lazarus #target_tsara_brashears",
      "modified": "2025-12-09T17:03:48.645000",
      "created": "2025-11-09T17:10:19.498000",
      "tags": [
        "url http",
        "apple",
        "california",
        "apple public",
        "server rsa",
        "organization",
        "stateprovince",
        "ocsp",
        "nids united",
        "files",
        "united",
        "unknown ns",
        "ip address",
        "domain",
        "urls files",
        "passive dns",
        "found title",
        "sf hello",
        "myriad set",
        "pro myriad",
        "set lucida",
        "grande arial",
        "sf mono",
        "ipv4",
        "location united",
        "america flag",
        "america asn",
        "verdict",
        "files ip",
        "address",
        "as42 woodynet",
        "domain add",
        "ipv4 add",
        "reverse dns",
        "trojan",
        "name servers",
        "emails",
        "for privacy",
        "ltd dba",
        "com laude",
        "servers",
        "expiration date",
        "urls",
        "meta",
        "a domains",
        "country code",
        "store home",
        "title",
        "accept",
        "espaol",
        "english",
        "evil corp",
        "see all",
        "cyber hack",
        "republic",
        "canada",
        "season",
        "joe tidy",
        "sarah rainsford",
        "podcast",
        "bank",
        "ukraine",
        "dead",
        "indonesia",
        "police",
        "premium",
        "napoleon",
        "revolution",
        "michelangelo",
        "mozart",
        "global",
        "solid",
        "lazarus",
        "jabber zeus",
        "harrods",
        "ta markmonitor",
        "markmonitor",
        "search",
        "present aug",
        "unknown aaaa",
        "unknown soa",
        "win32",
        "invalid url",
        "trojanspy",
        "mtb apr",
        "backdoor",
        "next associated",
        "win64",
        "trojandropper",
        "twitter",
        "virtool",
        "ransom",
        "worm",
        "dynamicloader",
        "tlsv1",
        "high",
        "globalc",
        "medium",
        "windows",
        "cmd c",
        "delete c",
        "stream",
        "write",
        "next",
        "process32nextw",
        "http host",
        "dns query",
        "likely gandcrab",
        "et trojan",
        "windows nt",
        "wow64",
        "malware",
        "ms windows",
        "as16509",
        "as54113",
        "yara rule",
        "pe32 executable",
        "as15169",
        "powershell",
        "unknown",
        "response ip",
        "address google",
        "safe browsing",
        "hostname add",
        "port",
        "destination",
        "pe32",
        "intel",
        "error",
        "show",
        "delphi",
        "dcom",
        "form",
        "canvas",
        "united kingdom",
        "content type",
        "security",
        "moved",
        "great britain",
        "unknown a",
        "body doctype",
        "html public",
        "ietfdtd html",
        "showing",
        "packing t1045",
        "bytes",
        "read",
        "default",
        "christoper p ahmann",
        "target",
        "victims",
        "tsara brashears",
        "url https",
        "type indicator",
        "role title",
        "added active",
        "related pulses",
        "p1377925676",
        "gaz1",
        "sid1696503456",
        "present nov",
        "present oct",
        "date",
        "tcpmemhit",
        "learn",
        "command",
        "ck id",
        "name tactics",
        "suspicious",
        "informative",
        "adversaries",
        "spawns",
        "defense evasion",
        "t1480 execution",
        "sha256",
        "sha1",
        "mitre att",
        "pattern match",
        "show technique",
        "ck matrix",
        "null",
        "refresh",
        "span",
        "hybrid",
        "general",
        "local",
        "path",
        "click",
        "strings",
        "tools",
        "look",
        "verify",
        "restart",
        "palantir",
        "foundry",
        "hitmen",
        "quasi",
        "government contracts",
        "jeffrey reimer",
        "hallrender",
        "workers compensation",
        "record value",
        "certificate"
      ],
      "references": [
        "apple-dns.net , http://www.pestcontrol-appleton.com/ multiple Apple IoC",
        "https://podcasts.apple.com/us/podcast/the-lazarus-heist/id1561990291",
        "https://tamlegal.com/attorneys/christopher-p-ahmann/",
        "bpc-old.palantirfoundry.com",
        "OTX auto populated  targeted groups.",
        "You have no idea where artists get their music or how the 5 main songwriters harvest songs from independent artists",
        "Target had endured hired hitman , physical attacks, vehicle attacks, gunpoint",
        "Assaulter Jeffrey Scott Reimer DPT isn\u2019t worth his monthly salary let alone all of this support",
        "Using Palantir Foundry tools have created a new false background for Brashears. Should be illegal.",
        "They blatantly steal from citizens , blame foreign entities.",
        "This is truly \u2019waste, fraud and abuse\u2019 usually a phrase used by insurance agents."
      ],
      "public": 1,
      "adversary": "Lazarus",
      "targeted_countries": [
        "Bangladesh",
        "Japan",
        "United States of America"
      ],
      "malware_families": [
        {
          "id": "ALF:SpikeAexR.PEVPSZL",
          "display_name": "ALF:SpikeAexR.PEVPSZL",
          "target": null
        },
        {
          "id": "Ransom:MSIL/GandCrab",
          "display_name": "Ransom:MSIL/GandCrab",
          "target": "/malware/Ransom:MSIL/GandCrab"
        },
        {
          "id": "Zeus",
          "display_name": "Zeus",
          "target": null
        },
        {
          "id": "Ransom:Win32/Gandcrab.H!MTB",
          "display_name": "Ransom:Win32/Gandcrab.H!MTB",
          "target": "/malware/Ransom:Win32/Gandcrab.H!MTB"
        },
        {
          "id": "Other Malware",
          "display_name": "Other Malware",
          "target": null
        }
      ],
      "attack_ids": [
        {
          "id": "T1140",
          "name": "Deobfuscate/Decode Files or Information",
          "display_name": "T1140 - Deobfuscate/Decode Files or Information"
        },
        {
          "id": "T1553",
          "name": "Subvert Trust Controls",
          "display_name": "T1553 - Subvert Trust Controls"
        },
        {
          "id": "T1012",
          "name": "Query Registry",
          "display_name": "T1012 - Query Registry"
        },
        {
          "id": "T1045",
          "name": "Software Packing",
          "display_name": "T1045 - Software Packing"
        },
        {
          "id": "T1053",
          "name": "Scheduled Task/Job",
          "display_name": "T1053 - Scheduled Task/Job"
        },
        {
          "id": "T1057",
          "name": "Process Discovery",
          "display_name": "T1057 - Process Discovery"
        },
        {
          "id": "T1060",
          "name": "Registry Run Keys / Startup Folder",
          "display_name": "T1060 - Registry Run Keys / Startup Folder"
        },
        {
          "id": "T1082",
          "name": "System Information Discovery",
          "display_name": "T1082 - System Information Discovery"
        },
        {
          "id": "T1129",
          "name": "Shared Modules",
          "display_name": "T1129 - Shared Modules"
        },
        {
          "id": "T1027",
          "name": "Obfuscated Files or Information",
          "display_name": "T1027 - Obfuscated Files or Information"
        },
        {
          "id": "T1069",
          "name": "Permission Groups Discovery",
          "display_name": "T1069 - Permission Groups Discovery"
        },
        {
          "id": "T1071",
          "name": "Application Layer Protocol",
          "display_name": "T1071 - Application Layer Protocol"
        },
        {
          "id": "T1105",
          "name": "Ingress Tool Transfer",
          "display_name": "T1105 - Ingress Tool Transfer"
        },
        {
          "id": "T1480",
          "name": "Execution Guardrails",
          "display_name": "T1480 - Execution Guardrails"
        },
        {
          "id": "T1568",
          "name": "Dynamic Resolution",
          "display_name": "T1568 - Dynamic Resolution"
        },
        {
          "id": "T1143",
          "name": "Hidden Window",
          "display_name": "T1143 - Hidden Window"
        },
        {
          "id": "T1147",
          "name": "Hidden Users",
          "display_name": "T1147 - Hidden Users"
        },
        {
          "id": "T1583",
          "name": "Acquire Infrastructure",
          "display_name": "T1583 - Acquire Infrastructure"
        },
        {
          "id": "T1155",
          "name": "AppleScript",
          "display_name": "T1155 - AppleScript"
        },
        {
          "id": "T1031",
          "name": "Modify Existing Service",
          "display_name": "T1031 - Modify Existing Service"
        },
        {
          "id": "T1449",
          "name": "Exploit SS7 to Redirect Phone Calls/SMS",
          "display_name": "T1449 - Exploit SS7 to Redirect Phone Calls/SMS"
        },
        {
          "id": "T1583.005",
          "name": "Botnet",
          "display_name": "T1583.005 - Botnet"
        },
        {
          "id": "T1071.004",
          "name": "DNS",
          "display_name": "T1071.004 - DNS"
        },
        {
          "id": "T1094",
          "name": "Custom Command and Control Protocol",
          "display_name": "T1094 - Custom Command and Control Protocol"
        },
        {
          "id": "T1046",
          "name": "Network Service Scanning",
          "display_name": "T1046 - Network Service Scanning"
        },
        {
          "id": "T1566",
          "name": "Phishing",
          "display_name": "T1566 - Phishing"
        },
        {
          "id": "T1113",
          "name": "Screen Capture",
          "display_name": "T1113 - Screen Capture"
        }
      ],
      "industries": [
        "Banks",
        "Crypto",
        "Entertainment",
        "Bank"
      ],
      "TLP": "white",
      "cloned_from": null,
      "export_count": 19,
      "upvotes_count": 0,
      "downvotes_count": 0,
      "votes_count": 0,
      "locked": false,
      "pulse_source": "web",
      "validator_count": 0,
      "comment_count": 1,
      "follower_count": 0,
      "vote": 0,
      "author": {
        "username": "Q.Vashti",
        "id": "337942",
        "avatar_url": "https://otx.alienvault.com/assets/images/default-avatar.png",
        "is_subscribed": false,
        "is_following": false
      },
      "indicator_type_counts": {
        "URL": 4572,
        "FileHash-MD5": 196,
        "domain": 1523,
        "hostname": 1393,
        "FileHash-SHA256": 2400,
        "FileHash-SHA1": 175,
        "email": 18,
        "SSLCertFingerprint": 8
      },
      "indicator_count": 10285,
      "is_author": false,
      "is_subscribing": null,
      "subscriber_count": 144,
      "modified_text": "174 days ago ",
      "is_modified": true,
      "groups": [],
      "in_group": false,
      "threat_hunter_scannable": true,
      "threat_hunter_has_agents": 1,
      "related_indicator_type": "URL",
      "related_indicator_is_active": 1
    },
    {
      "id": "69138a8144a8bf8040a92711",
      "name": "Lawyers & Lazarus | Apple Spy : Treece Alfrey Musat P.C., Chris P. Ahmann Colorado State \u2022 Tam Legal Special Counsel for egregious criminal acts \u2022 Christopher P. Ahmann attorney at Large",
      "description": "",
      "modified": "2025-12-09T17:03:48.645000",
      "created": "2025-11-11T19:12:01.843000",
      "tags": [
        "url http",
        "apple",
        "california",
        "apple public",
        "server rsa",
        "organization",
        "stateprovince",
        "ocsp",
        "nids united",
        "files",
        "united",
        "unknown ns",
        "ip address",
        "domain",
        "urls files",
        "passive dns",
        "found title",
        "sf hello",
        "myriad set",
        "pro myriad",
        "set lucida",
        "grande arial",
        "sf mono",
        "ipv4",
        "location united",
        "america flag",
        "america asn",
        "verdict",
        "files ip",
        "address",
        "as42 woodynet",
        "domain add",
        "ipv4 add",
        "reverse dns",
        "trojan",
        "name servers",
        "emails",
        "for privacy",
        "ltd dba",
        "com laude",
        "servers",
        "expiration date",
        "urls",
        "meta",
        "a domains",
        "country code",
        "store home",
        "title",
        "accept",
        "espaol",
        "english",
        "evil corp",
        "see all",
        "cyber hack",
        "republic",
        "canada",
        "season",
        "joe tidy",
        "sarah rainsford",
        "podcast",
        "bank",
        "ukraine",
        "dead",
        "indonesia",
        "police",
        "premium",
        "napoleon",
        "revolution",
        "michelangelo",
        "mozart",
        "global",
        "solid",
        "lazarus",
        "jabber zeus",
        "harrods",
        "ta markmonitor",
        "markmonitor",
        "search",
        "present aug",
        "unknown aaaa",
        "unknown soa",
        "win32",
        "invalid url",
        "trojanspy",
        "mtb apr",
        "backdoor",
        "next associated",
        "win64",
        "trojandropper",
        "twitter",
        "virtool",
        "ransom",
        "worm",
        "dynamicloader",
        "tlsv1",
        "high",
        "globalc",
        "medium",
        "windows",
        "cmd c",
        "delete c",
        "stream",
        "write",
        "next",
        "process32nextw",
        "http host",
        "dns query",
        "likely gandcrab",
        "et trojan",
        "windows nt",
        "wow64",
        "malware",
        "ms windows",
        "as16509",
        "as54113",
        "yara rule",
        "pe32 executable",
        "as15169",
        "powershell",
        "unknown",
        "response ip",
        "address google",
        "safe browsing",
        "hostname add",
        "port",
        "destination",
        "pe32",
        "intel",
        "error",
        "show",
        "delphi",
        "dcom",
        "form",
        "canvas",
        "united kingdom",
        "content type",
        "security",
        "moved",
        "great britain",
        "unknown a",
        "body doctype",
        "html public",
        "ietfdtd html",
        "showing",
        "packing t1045",
        "bytes",
        "read",
        "default",
        "christoper p ahmann",
        "target",
        "victims",
        "tsara brashears",
        "url https",
        "type indicator",
        "role title",
        "added active",
        "related pulses",
        "p1377925676",
        "gaz1",
        "sid1696503456",
        "present nov",
        "present oct",
        "date",
        "tcpmemhit",
        "learn",
        "command",
        "ck id",
        "name tactics",
        "suspicious",
        "informative",
        "adversaries",
        "spawns",
        "defense evasion",
        "t1480 execution",
        "sha256",
        "sha1",
        "mitre att",
        "pattern match",
        "show technique",
        "ck matrix",
        "null",
        "refresh",
        "span",
        "hybrid",
        "general",
        "local",
        "path",
        "click",
        "strings",
        "tools",
        "look",
        "verify",
        "restart",
        "palantir",
        "foundry",
        "hitmen",
        "quasi",
        "government contracts",
        "jeffrey reimer",
        "hallrender",
        "workers compensation",
        "record value",
        "certificate"
      ],
      "references": [
        "apple-dns.net , http://www.pestcontrol-appleton.com/ multiple Apple IoC",
        "https://podcasts.apple.com/us/podcast/the-lazarus-heist/id1561990291",
        "https://tamlegal.com/attorneys/christopher-p-ahmann/",
        "bpc-old.palantirfoundry.com",
        "OTX auto populated  targeted groups.",
        "You have no idea where artists get their music or how the 5 main songwriters harvest songs from independent artists",
        "Target had endured hired hitman , physical attacks, vehicle attacks, gunpoint",
        "Assaulter Jeffrey Scott Reimer DPT isn\u2019t worth his monthly salary let alone all of this support",
        "Using Palantir Foundry tools have created a new false background for Brashears. Should be illegal.",
        "They blatantly steal from citizens , blame foreign entities.",
        "This is truly \u2019waste, fraud and abuse\u2019 usually a phrase used by insurance agents."
      ],
      "public": 1,
      "adversary": "Lazarus",
      "targeted_countries": [
        "Bangladesh",
        "Japan",
        "United States of America"
      ],
      "malware_families": [
        {
          "id": "ALF:SpikeAexR.PEVPSZL",
          "display_name": "ALF:SpikeAexR.PEVPSZL",
          "target": null
        },
        {
          "id": "Ransom:MSIL/GandCrab",
          "display_name": "Ransom:MSIL/GandCrab",
          "target": "/malware/Ransom:MSIL/GandCrab"
        },
        {
          "id": "Zeus",
          "display_name": "Zeus",
          "target": null
        },
        {
          "id": "Ransom:Win32/Gandcrab.H!MTB",
          "display_name": "Ransom:Win32/Gandcrab.H!MTB",
          "target": "/malware/Ransom:Win32/Gandcrab.H!MTB"
        },
        {
          "id": "Other Malware",
          "display_name": "Other Malware",
          "target": null
        }
      ],
      "attack_ids": [
        {
          "id": "T1140",
          "name": "Deobfuscate/Decode Files or Information",
          "display_name": "T1140 - Deobfuscate/Decode Files or Information"
        },
        {
          "id": "T1553",
          "name": "Subvert Trust Controls",
          "display_name": "T1553 - Subvert Trust Controls"
        },
        {
          "id": "T1012",
          "name": "Query Registry",
          "display_name": "T1012 - Query Registry"
        },
        {
          "id": "T1045",
          "name": "Software Packing",
          "display_name": "T1045 - Software Packing"
        },
        {
          "id": "T1053",
          "name": "Scheduled Task/Job",
          "display_name": "T1053 - Scheduled Task/Job"
        },
        {
          "id": "T1057",
          "name": "Process Discovery",
          "display_name": "T1057 - Process Discovery"
        },
        {
          "id": "T1060",
          "name": "Registry Run Keys / Startup Folder",
          "display_name": "T1060 - Registry Run Keys / Startup Folder"
        },
        {
          "id": "T1082",
          "name": "System Information Discovery",
          "display_name": "T1082 - System Information Discovery"
        },
        {
          "id": "T1129",
          "name": "Shared Modules",
          "display_name": "T1129 - Shared Modules"
        },
        {
          "id": "T1027",
          "name": "Obfuscated Files or Information",
          "display_name": "T1027 - Obfuscated Files or Information"
        },
        {
          "id": "T1069",
          "name": "Permission Groups Discovery",
          "display_name": "T1069 - Permission Groups Discovery"
        },
        {
          "id": "T1071",
          "name": "Application Layer Protocol",
          "display_name": "T1071 - Application Layer Protocol"
        },
        {
          "id": "T1105",
          "name": "Ingress Tool Transfer",
          "display_name": "T1105 - Ingress Tool Transfer"
        },
        {
          "id": "T1480",
          "name": "Execution Guardrails",
          "display_name": "T1480 - Execution Guardrails"
        },
        {
          "id": "T1568",
          "name": "Dynamic Resolution",
          "display_name": "T1568 - Dynamic Resolution"
        },
        {
          "id": "T1143",
          "name": "Hidden Window",
          "display_name": "T1143 - Hidden Window"
        },
        {
          "id": "T1147",
          "name": "Hidden Users",
          "display_name": "T1147 - Hidden Users"
        },
        {
          "id": "T1583",
          "name": "Acquire Infrastructure",
          "display_name": "T1583 - Acquire Infrastructure"
        },
        {
          "id": "T1155",
          "name": "AppleScript",
          "display_name": "T1155 - AppleScript"
        },
        {
          "id": "T1031",
          "name": "Modify Existing Service",
          "display_name": "T1031 - Modify Existing Service"
        },
        {
          "id": "T1449",
          "name": "Exploit SS7 to Redirect Phone Calls/SMS",
          "display_name": "T1449 - Exploit SS7 to Redirect Phone Calls/SMS"
        },
        {
          "id": "T1583.005",
          "name": "Botnet",
          "display_name": "T1583.005 - Botnet"
        },
        {
          "id": "T1071.004",
          "name": "DNS",
          "display_name": "T1071.004 - DNS"
        },
        {
          "id": "T1094",
          "name": "Custom Command and Control Protocol",
          "display_name": "T1094 - Custom Command and Control Protocol"
        },
        {
          "id": "T1046",
          "name": "Network Service Scanning",
          "display_name": "T1046 - Network Service Scanning"
        },
        {
          "id": "T1566",
          "name": "Phishing",
          "display_name": "T1566 - Phishing"
        },
        {
          "id": "T1113",
          "name": "Screen Capture",
          "display_name": "T1113 - Screen Capture"
        }
      ],
      "industries": [
        "Banks",
        "Crypto",
        "Entertainment",
        "Bank"
      ],
      "TLP": "white",
      "cloned_from": "6910cafb096eae0dcb39a800",
      "export_count": 14,
      "upvotes_count": 0,
      "downvotes_count": 0,
      "votes_count": 0,
      "locked": false,
      "pulse_source": "web",
      "validator_count": 0,
      "comment_count": 0,
      "follower_count": 0,
      "vote": 0,
      "author": {
        "username": "Q.Vashti",
        "id": "337942",
        "avatar_url": "https://otx.alienvault.com/assets/images/default-avatar.png",
        "is_subscribed": false,
        "is_following": false
      },
      "indicator_type_counts": {
        "URL": 4572,
        "FileHash-MD5": 196,
        "domain": 1523,
        "hostname": 1393,
        "FileHash-SHA256": 2400,
        "FileHash-SHA1": 175,
        "email": 18,
        "SSLCertFingerprint": 8
      },
      "indicator_count": 10285,
      "is_author": false,
      "is_subscribing": null,
      "subscriber_count": 145,
      "modified_text": "174 days ago ",
      "is_modified": true,
      "groups": [],
      "in_group": false,
      "threat_hunter_scannable": true,
      "threat_hunter_has_agents": 1,
      "related_indicator_type": "URL",
      "related_indicator_is_active": 1
    },
    {
      "id": "690e47a694d9bc5c12d83bc0",
      "name": "LimeRAT | Dark Room Dennis | SpyGlassPrism HealthCare",
      "description": "Invasive, dark , illegal. Malicious. Will sift through malware Spyware systems. Perpetual remote connections.  Employed by Tam Legals Christopher P. Ahmann (Colorado government) to spy on, tamper with , annoy, terrorize, out of financial awards. \n\n spyglass-w_1_.png\n\nSize\n362B (362 bytes)\nMD5\n3c0e6546a44bd9a0f2768df07db5c1c9  Copy MD5 to clipboard\nSHA1\neddf26d1da4a140f2f963b8564c4e99cd6f1a677  Copy SHA1 to clipboard\nSHA256\n83eec393865a35363695d6f2416792d0117f551bb3e41d13b141d70e6b35e02c  Copy SHA256 to clipboard",
      "modified": "2025-12-07T18:01:48.980000",
      "created": "2025-11-07T19:25:26.827000",
      "tags": [
        "germany asn",
        "as24940 hetzner",
        "status connect",
        "associated",
        "present nov",
        "germany",
        "moved",
        "present oct",
        "accept",
        "germany unknown",
        "web trebuchet",
        "ms lucida",
        "grande lucida",
        "sans unicode",
        "lucida sans",
        "tahoma",
        "passive dns",
        "title",
        "error",
        "gmbh ccp",
        "germany germany",
        "asn as197540",
        "response ip",
        "address google",
        "safe browsing",
        "present jun",
        "present may",
        "present mar",
        "present jan",
        "urls",
        "aaaa",
        "gmt content",
        "type",
        "tags",
        "tag groups",
        "countries",
        "add country",
        "malware att",
        "ck it1140",
        "information",
        "cisco",
        "umbrella rank",
        "automatic",
        "webgl",
        "please",
        "november",
        "typeof function",
        "topropertykey",
        "masonry object",
        "prism function",
        "cookies",
        "source level",
        "reverse dns",
        "protocol h2",
        "security tls",
        "asn24940",
        "online gmbh",
        "general full",
        "url https",
        "falkenstein",
        "community forum",
        "it url",
        "youtube videos",
        "twitch kanal",
        "discord channel",
        "spenden",
        "shop url",
        "google",
        "hetzneras",
        "http",
        "april",
        "de summary",
        "ehingen",
        "march",
        "google safe",
        "browsing",
        "learn",
        "issues tab",
        "value",
        "masonry",
        "domainpath name",
        "cgjerrieegagfw",
        "label",
        "input",
        "suchen nach",
        "suche",
        "form",
        "hash",
        "name value",
        "main",
        "flag",
        "contacted hosts",
        "ip address",
        "process details",
        "windir",
        "openurl c",
        "prefetch2",
        "ck id",
        "name tactics",
        "suspicious",
        "informative",
        "adversaries",
        "command",
        "defense evasion",
        "spawns",
        "found",
        "a domains",
        "ascio",
        "china unknown",
        "record value",
        "apache",
        "encrypt",
        "dns resolutions",
        "domains top",
        "level",
        "unique tlds",
        "related pulses",
        "related tags",
        "certificate",
        "hostname add",
        "url analysis",
        "files",
        "domain",
        "files ip",
        "address",
        "asn as24940",
        "less",
        "raspberry pi",
        "ubiquiti",
        "remote",
        "hostname",
        "pulse submit",
        "status",
        "entries",
        "x xss",
        "sameorigin x",
        "unicode text",
        "utf8 text",
        "click",
        "strings",
        "mitre att",
        "ck matrix",
        "pattern match",
        "ascii text",
        "href",
        "show process",
        "network traffic",
        "general",
        "hybrid",
        "local",
        "path",
        "monitored target",
        "spyglass",
        "spyware.",
        "pegasus systems",
        "prism",
        "colorado leg",
        "christopher p.ahmann",
        "ahmann",
        "christopher",
        "P",
        "tam legal",
        "treece",
        "alfrey",
        "muscat",
        "criminal",
        "jeffrey reimer",
        "theft",
        "remote connect",
        "schroeder dennis"
      ],
      "references": [
        "Domain Name: schroederdennis.de | Status: connect",
        "remote.tecbuddy.de | remote.schneider-hv.de | remotedesktop.thedipling",
        "root-dns.netcup",
        "device-*******-*****-****-****-*********.remotewd.com",
        "ai-sandboxes.com",
        "Why Is this always a problem? Just curious. - http://wyblog.us/blog/rants/strikers-get-unemployment-benefits",
        "$ is funneled back to government, (quasi) , bonused \u2018doctors\u2019 State \u2018experts\u2019  who\u2026",
        "\u2026lie about the severity of injuries and do crap like this.",
        "This money belongs to people who paid  insurance to cover on job  injuries that happen in the job.",
        "Premise liability covers premises, employees and premises visitors. Weaponizing is not covered.",
        "Those attacked are the severely injured, survivors of dead workers, victims of providers.",
        "These people aren\u2019t in the dark. They are clear of the need to pay benefits.",
        "There are absolute losers in the dole  illegally benefiting from the suffering others.",
        "https://hybrid-analysis.com/sample/00f5292bbe68d9edc68f9a22a750eafb58e4f8474e15a48e3cc217fbbd0cdef9/690e24bb39c801e6d80a824e",
        "\u2022 http://demo.ideaboxthemes.com/prism",
        "https://photoprism.thedipling.dns64.de/ \u2022 synertec-audit-cloud.healthchecks.prismcloud.uk",
        "photoprism.thedipling.dns64.de \u2022  https://schroederdennis.de/wp-content/plugins/highlighting-code-block/assets/js/prism.js?ver=2.0.1",
        "\"OC47TWOY.txt\" has type \"ASCII text\"- [targetUID: N/A] \"spyglass-w_1_.png\" has type \"Unknown\"- [targetUID: N/A]",
        "\"spyglass-w_1_.png\" has type \"Unknown\" and extension \"png\" \"clock-g_1_.png\" has type \"Unknown\" and extension \"png\"",
        "Domain healthcareshapers.com \u2022  https://www.healthcareshapers.com/",
        "www.ventoxhealthcare.in \u2022 synertec-audit-cloud.healthchecks.prismcloud.uk",
        "https://cullenbehavioralhealth.theraplatform.com/ \u2022 amghealthnetwork.com",
        "3ddruck-celle.de",
        "wwwwww.publicpublicwww.portal.apple-apple-number3.ipv64.net",
        "sonarr.app.pineapplegod.co.nz",
        "http://svc.ghlink.com/svc/Authenticate/Applications",
        "https://sap.dswd.gov.ph.index.ph \u2022 login.prod.siecm.gov.mg \u2022 nre-362.dev.nre.gss.gov.uk",
        "sdp-dev-ingest.ci.lineageandprovenance.gss.gov.uk",
        "http://www.xonitec.com/pornosu/yuotubesex.html",
        "rowanandbenporn.ssssssssssssshadow.home64.de",
        "https://pagead2.googlesyndication.com/pagead/ads?ltd_cs=1&client=ca-pub-6165363645315831&output=html&adk=1812271804&adf=3025194257&lmt=1713778114&plat=3%3A16%2C4%3A16%2C8%3A4194304%2C9%3A134250504%2C16%3A8388608%2C17%3A32%2C24%3A32%2C25%3A32%2C30%3A1081344%2C32%3A32%2C41%3A32%2C42%3A32&format=0x0&url=https%3A%2F%2Fschroederdennis.de%2Fubiquiti%2Fubiquiti-unifi-u6-plus-vs-u6-lite-vergleich-access-point-wifi%2F&pra=5&wgl=1&easpi=0&asro=0&uach=WyJXaW4zMiIsIjEwLjAuMCIsIng4NiIsIiIsIjEyNC4wLjYzNjcuNjAiLG51bGwsMCx",
        "https://urlscan.io/result/019a5fbd-e7c6-743a-b9a7-a20e8b2943cd/",
        "https://urlscan.io/screenshots/e931bb02-80dc-46db-92f0-43d5afa258be.png"
      ],
      "public": 1,
      "adversary": "",
      "targeted_countries": [],
      "malware_families": [
        {
          "id": "Win.Packed.Rrat-9798963-0",
          "display_name": "Win.Packed.Rrat-9798963-0",
          "target": null
        },
        {
          "id": "Win.Dropper.LimeRAT-9776087-0",
          "display_name": "Win.Dropper.LimeRAT-9776087-0",
          "target": null
        },
        {
          "id": "Malware Packed",
          "display_name": "Malware Packed",
          "target": null
        }
      ],
      "attack_ids": [
        {
          "id": "T1140",
          "name": "Deobfuscate/Decode Files or Information",
          "display_name": "T1140 - Deobfuscate/Decode Files or Information"
        },
        {
          "id": "T1027",
          "name": "Obfuscated Files or Information",
          "display_name": "T1027 - Obfuscated Files or Information"
        },
        {
          "id": "T1055",
          "name": "Process Injection",
          "display_name": "T1055 - Process Injection"
        },
        {
          "id": "T1057",
          "name": "Process Discovery",
          "display_name": "T1057 - Process Discovery"
        },
        {
          "id": "T1069",
          "name": "Permission Groups Discovery",
          "display_name": "T1069 - Permission Groups Discovery"
        },
        {
          "id": "T1071",
          "name": "Application Layer Protocol",
          "display_name": "T1071 - Application Layer Protocol"
        },
        {
          "id": "T1083",
          "name": "File and Directory Discovery",
          "display_name": "T1083 - File and Directory Discovery"
        },
        {
          "id": "T1105",
          "name": "Ingress Tool Transfer",
          "display_name": "T1105 - Ingress Tool Transfer"
        },
        {
          "id": "T1480",
          "name": "Execution Guardrails",
          "display_name": "T1480 - Execution Guardrails"
        },
        {
          "id": "T1553",
          "name": "Subvert Trust Controls",
          "display_name": "T1553 - Subvert Trust Controls"
        },
        {
          "id": "T1568",
          "name": "Dynamic Resolution",
          "display_name": "T1568 - Dynamic Resolution"
        },
        {
          "id": "T1583",
          "name": "Acquire Infrastructure",
          "display_name": "T1583 - Acquire Infrastructure"
        },
        {
          "id": "T1590",
          "name": "Gather Victim Network Information",
          "display_name": "T1590 - Gather Victim Network Information"
        },
        {
          "id": "T1114",
          "name": "Email Collection",
          "display_name": "T1114 - Email Collection"
        },
        {
          "id": "T1204",
          "name": "User Execution",
          "display_name": "T1204 - User Execution"
        },
        {
          "id": "T1566",
          "name": "Phishing",
          "display_name": "T1566 - Phishing"
        },
        {
          "id": "TA0003",
          "name": "Persistence",
          "display_name": "TA0003 - Persistence"
        },
        {
          "id": "T1210",
          "name": "Exploitation of Remote Services",
          "display_name": "T1210 - Exploitation of Remote Services"
        },
        {
          "id": "TA0011",
          "name": "Command and Control",
          "display_name": "TA0011 - Command and Control"
        },
        {
          "id": "T1583.005",
          "name": "Botnet",
          "display_name": "T1583.005 - Botnet"
        },
        {
          "id": "T1031",
          "name": "Modify Existing Service",
          "display_name": "T1031 - Modify Existing Service"
        },
        {
          "id": "T1449",
          "name": "Exploit SS7 to Redirect Phone Calls/SMS",
          "display_name": "T1449 - Exploit SS7 to Redirect Phone Calls/SMS"
        },
        {
          "id": "T1584.005",
          "name": "Botnet",
          "display_name": "T1584.005 - Botnet"
        },
        {
          "id": "T1155",
          "name": "AppleScript",
          "display_name": "T1155 - AppleScript"
        }
      ],
      "industries": [
        "Healthcare",
        "Legal",
        "Government",
        "Technology"
      ],
      "TLP": "white",
      "cloned_from": null,
      "export_count": 3,
      "upvotes_count": 0,
      "downvotes_count": 0,
      "votes_count": 0,
      "locked": false,
      "pulse_source": "web",
      "validator_count": 0,
      "comment_count": 1,
      "follower_count": 0,
      "vote": 0,
      "author": {
        "username": "Q.Vashti",
        "id": "337942",
        "avatar_url": "https://otx.alienvault.com/assets/images/default-avatar.png",
        "is_subscribed": false,
        "is_following": false
      },
      "indicator_type_counts": {
        "domain": 1258,
        "hostname": 2018,
        "URL": 3033,
        "FileHash-SHA256": 651,
        "email": 4,
        "FileHash-MD5": 62,
        "FileHash-SHA1": 69,
        "SSLCertFingerprint": 5
      },
      "indicator_count": 7100,
      "is_author": false,
      "is_subscribing": null,
      "subscriber_count": 142,
      "modified_text": "176 days ago ",
      "is_modified": true,
      "groups": [],
      "in_group": false,
      "threat_hunter_scannable": true,
      "threat_hunter_has_agents": 1,
      "related_indicator_type": "URL",
      "related_indicator_is_active": 1
    }
  ],
  "error": null,
  "vt": {
    "error": "VirusTotal rate limit reached. Try again shortly.",
    "indicator": "https://www.Digicert.com/rpa0",
    "type": "URL"
  },
  "abuseipdb": null,
  "urlhaus": {
    "indicator": "https://www.Digicert.com/rpa0",
    "type": "URL",
    "found": false,
    "verdict": "clean",
    "error": null
  },
  "from_cache": true,
  "_cached_at": 1780358897.7056136
}