{ "type": "Domain", "indicator": "srv64.de", "general": { "sections": [ "general", "geo", "url_list", "passive_dns", "malware", "whois", "http_scans" ], "whois": "http://whois.domaintools.com/srv64.de", "alexa": "http://www.alexa.com/siteinfo/srv64.de", "indicator": "srv64.de", "type": "domain", "type_title": "Domain", "validation": [], "base_indicator": { "id": 4146777910, "indicator": "srv64.de", "type": "domain", "title": "", "description": "", "content": "", "access_type": "public", "access_reason": "" }, "pulse_info": { "count": 3, "pulses": [ { "id": "692e2d950ac7d1e2a3454a4f", "name": "Gooogle Accounts | Drive-by Compromise \u2022 Ransomware \u2022 Phishing Attack", "description": "Google accounts Drive-by Compromise. Affected Google accounts redirects to a suspicious non - Google homepage. |\nRansomware | Adware | Phishing | Injection | \nExploits seen affecting both OS and iOS devices. Threat actors able to remotely access iOS device, unlock, access iCloud. System root control, fully infected devices, Attackers continue to ravage devices w/ drive by compromise, unsafe adware, malware text, etc., Seeks to remove malicious IoC\u2019s on mock accounts , password stealers", "modified": "2025-12-31T23:04:59.378000", "created": "2025-12-02T00:06:45.807000", "tags": [ "iocs", "drop", "network traffic", "ck id", "mitre att", "ck matrix", "network related", "detected", "t1566", "t1204", "united", "click", "windir", "openurl c", "prefetch2", "tor analysis", "dns requests", "learn", "suspicious", "informative", "name tactics", "adversaries", "command", "initial access", "spawns", "found", "binary file", "t1189", "regsetvalueexa", "regdword", "post http", "medium", "high", "regbinary", "loader", "dock", "write", "malware", "unknown", "romania unknown", "present may", "msie", "chrome", "body", "passive dns", "ip address", "present jun", "welcome", "accept", "encrypt", "gmt content", "ipv4 add", "url analysis", "urls", "files", "reverse dns", "unknown aaaa", "certificate", "hostname add", "error", "flag", "domain address", "contacted hosts", "type", "india unknown", "record value", "body html", "head title", "title", "entries", "read c", "high defense", "evasion", "yara detections", "virtool", "win32", "ahmann", "hacker group", "law firm", "order", "google", "smart assembly" ], "references": [], "public": 1, "adversary": "", "targeted_countries": [], "malware_families": [ { "id": "VirTool:MSIL/Injector.BF", "display_name": "VirTool:MSIL/Injector.BF", "target": "/malware/VirTool:MSIL/Injector.BF" }, { "id": "Other Malware", "display_name": "Other Malware", "target": null }, { "id": "Ransomware", "display_name": "Ransomware", "target": null } ], "attack_ids": [ { "id": "T1204", "name": "User Execution", "display_name": "T1204 - User Execution" }, { "id": "T1566", "name": "Phishing", "display_name": "T1566 - Phishing" }, { "id": "T1027", "name": "Obfuscated Files or Information", "display_name": "T1027 - Obfuscated Files or Information" }, { "id": "T1057", "name": "Process Discovery", "display_name": "T1057 - Process Discovery" }, { "id": "T1069", "name": "Permission Groups Discovery", "display_name": "T1069 - Permission Groups Discovery" }, { "id": "T1071", "name": "Application Layer Protocol", "display_name": "T1071 - Application Layer Protocol" }, { "id": "T1105", "name": "Ingress Tool Transfer", "display_name": "T1105 - Ingress Tool Transfer" }, { "id": "T1189", "name": "Drive-by Compromise", "display_name": "T1189 - Drive-by Compromise" }, { "id": "T1480", "name": "Execution Guardrails", "display_name": "T1480 - Execution Guardrails" }, { "id": "T1553", "name": "Subvert Trust Controls", "display_name": "T1553 - Subvert Trust Controls" }, { "id": "T1568", "name": "Dynamic Resolution", "display_name": "T1568 - Dynamic Resolution" }, { "id": "T1583", "name": "Acquire Infrastructure", "display_name": "T1583 - Acquire Infrastructure" }, { "id": "T1040", "name": "Network Sniffing", "display_name": "T1040 - Network Sniffing" }, { "id": "T1053", "name": "Scheduled Task/Job", "display_name": "T1053 - Scheduled Task/Job" }, { "id": "T1060", "name": "Registry Run Keys / Startup Folder", "display_name": "T1060 - Registry Run Keys / Startup Folder" }, { "id": "T1070", "name": "Indicator Removal on Host", "display_name": "T1070 - Indicator Removal on Host" }, { "id": "T1082", "name": "System Information Discovery", "display_name": "T1082 - System Information Discovery" }, { "id": "T1129", "name": "Shared Modules", "display_name": "T1129 - Shared Modules" }, { "id": "T1143", "name": "Hidden Window", "display_name": "T1143 - Hidden Window" }, { "id": "T1055", "name": "Process Injection", "display_name": "T1055 - Process Injection" }, { "id": "T1031", "name": "Modify Existing Service", "display_name": "T1031 - Modify Existing Service" }, { "id": "T1087", "name": "Account Discovery", "display_name": "T1087 - Account Discovery" }, { "id": "T1087.003", "name": "Email Account", "display_name": "T1087.003 - Email Account" }, { "id": "T1147", "name": "Hidden Users", "display_name": "T1147 - Hidden Users" }, { "id": "T1110.002", "name": "Password Cracking", "display_name": "T1110.002 - Password Cracking" }, { "id": "T1459", "name": "Device Unlock Code Guessing or Brute Force", "display_name": "T1459 - Device Unlock Code Guessing or Brute Force" } ], "industries": [], "TLP": "green", "cloned_from": null, "export_count": 6, "upvotes_count": 0, "downvotes_count": 0, "votes_count": 0, "locked": false, "pulse_source": "web", "validator_count": 0, "comment_count": 0, "follower_count": 0, "vote": 0, "author": { "username": "Q.Vashti", "id": "337942", "avatar_url": "https://otx.alienvault.com/assets/images/default-avatar.png", "is_subscribed": false, "is_following": false }, "indicator_type_counts": { "FileHash-MD5": 115, "FileHash-SHA1": 112, "FileHash-SHA256": 589, "URL": 1795, "SSLCertFingerprint": 3, "domain": 319, "hostname": 847, "email": 1 }, "indicator_count": 3781, "is_author": false, "is_subscribing": null, "subscriber_count": 144, "modified_text": "151 days ago ", "is_modified": true, "groups": [], "in_group": false, "threat_hunter_scannable": true, "threat_hunter_has_agents": 1, "related_indicator_type": "domain", "related_indicator_is_active": 1 }, { "id": "692e1b4122a419384f1add7f", "name": "Cutwail Trojan DownLoader | Driveby compromises | Redirect", "description": "Cutwail Trojan DownLoader | Driveby comprises | Malicious Redirects.\n\nSuspicious redirects from Google homepage to \u2018Doodle\u2019s\nHeavy , ongoing cyber attack. Affects, iOS, Android, Cellular networks (global)\n\nI\u2019m hoping OTX will fully pulse. Indicators will be pulsed fully relying on OTX auto\npulse alone. No references or input from me.", "modified": "2025-12-31T22:02:44.679000", "created": "2025-12-01T22:48:33.510000", "tags": [ "filehashmd5", "filehashsha256", "sha256", "filehashsha1", "indicator role", "title added", "active related", "type indicator", "role title", "added active", "related pulses", "dynamicloader", "medium", "show", "entries", "dynamic", "pe section", "filehash", "md5 add", "pulse pulses", "av detections", "copy", "write", "flag", "misc activity", "et info", "cloudflare dns", "over https", "windir", "openurl c", "prefetch2", "dns requests", "domain address", "google homepage", "html", "binary file", "ck id", "show technique", "mitre att", "ck matrix", "matched", "redirect", "t1189", "learn", "name tactics", "suspicious", "informative", "command", "adversaries", "spawns", "found", "ck techniques", "alert", "potential ip", "general", "click", "united", "analysis tip", "analysis", "tor analysis", "date", "c pe", "data upload", "extraction", "iocs", "manually add", "network traffic", "detected", "t1566", "submitted url", "t1204" ], "references": [], "public": 1, "adversary": "", "targeted_countries": [], "malware_families": [], "attack_ids": [ { "id": "T1189", "name": "Drive-by Compromise", "display_name": "T1189 - Drive-by Compromise" }, { "id": "T1204", "name": "User Execution", "display_name": "T1204 - User Execution" }, { "id": "T1027", "name": "Obfuscated Files or Information", "display_name": "T1027 - Obfuscated Files or Information" }, { "id": "T1057", "name": "Process Discovery", "display_name": "T1057 - Process Discovery" }, { "id": "T1069", "name": "Permission Groups Discovery", "display_name": "T1069 - Permission Groups Discovery" }, { "id": "T1071", "name": "Application Layer Protocol", "display_name": "T1071 - Application Layer Protocol" }, { "id": "T1105", "name": "Ingress Tool Transfer", "display_name": "T1105 - Ingress Tool Transfer" }, { "id": "T1480", "name": "Execution Guardrails", "display_name": "T1480 - Execution Guardrails" }, { "id": "T1553", "name": "Subvert Trust Controls", "display_name": "T1553 - Subvert Trust Controls" }, { "id": "T1566", "name": "Phishing", "display_name": "T1566 - Phishing" }, { "id": "T1113", "name": "Screen Capture", "display_name": "T1113 - Screen Capture" } ], "industries": [], "TLP": "green", "cloned_from": null, "export_count": 4, "upvotes_count": 0, "downvotes_count": 0, "votes_count": 0, "locked": false, "pulse_source": "web", "validator_count": 0, "comment_count": 0, "follower_count": 0, "vote": 0, "author": { "username": "Q.Vashti", "id": "337942", "avatar_url": "https://otx.alienvault.com/assets/images/default-avatar.png", "is_subscribed": false, "is_following": false }, "indicator_type_counts": { "FileHash-MD5": 95, "FileHash-SHA1": 95, "FileHash-SHA256": 183, "hostname": 227, "domain": 83, "URL": 575 }, "indicator_count": 1258, "is_author": false, "is_subscribing": null, "subscriber_count": 142, "modified_text": "151 days ago ", "is_modified": true, "groups": [], "in_group": false, "threat_hunter_scannable": true, "threat_hunter_has_agents": 1, "related_indicator_type": "domain", "related_indicator_is_active": 1 }, { "id": "690e47a694d9bc5c12d83bc0", "name": "LimeRAT | Dark Room Dennis | SpyGlassPrism HealthCare", "description": "Invasive, dark , illegal. Malicious. Will sift through malware Spyware systems. Perpetual remote connections. Employed by Tam Legals Christopher P. Ahmann (Colorado government) to spy on, tamper with , annoy, terrorize, out of financial awards. \n\n spyglass-w_1_.png\n\nSize\n362B (362 bytes)\nMD5\n3c0e6546a44bd9a0f2768df07db5c1c9 Copy MD5 to clipboard\nSHA1\neddf26d1da4a140f2f963b8564c4e99cd6f1a677 Copy SHA1 to clipboard\nSHA256\n83eec393865a35363695d6f2416792d0117f551bb3e41d13b141d70e6b35e02c Copy SHA256 to clipboard", "modified": "2025-12-07T18:01:48.980000", "created": "2025-11-07T19:25:26.827000", "tags": [ "germany asn", "as24940 hetzner", "status connect", "associated", "present nov", "germany", "moved", "present oct", "accept", "germany unknown", "web trebuchet", "ms lucida", "grande lucida", "sans unicode", "lucida sans", "tahoma", "passive dns", "title", "error", "gmbh ccp", "germany germany", "asn as197540", "response ip", "address google", "safe browsing", "present jun", "present may", "present mar", "present jan", "urls", "aaaa", "gmt content", "type", "tags", "tag groups", "countries", "add country", "malware att", "ck it1140", "information", "cisco", "umbrella rank", "automatic", "webgl", "please", "november", "typeof function", "topropertykey", "masonry object", "prism function", "cookies", "source level", "reverse dns", "protocol h2", "security tls", "asn24940", "online gmbh", "general full", "url https", "falkenstein", "community forum", "it url", "youtube videos", "twitch kanal", "discord channel", "spenden", "shop url", "google", "hetzneras", "http", "april", "de summary", "ehingen", "march", "google safe", "browsing", "learn", "issues tab", "value", "masonry", "domainpath name", "cgjerrieegagfw", "label", "input", "suchen nach", "suche", "form", "hash", "name value", "main", "flag", "contacted hosts", "ip address", "process details", "windir", "openurl c", "prefetch2", "ck id", "name tactics", "suspicious", "informative", "adversaries", "command", "defense evasion", "spawns", "found", "a domains", "ascio", "china unknown", "record value", "apache", "encrypt", "dns resolutions", "domains top", "level", "unique tlds", "related pulses", "related tags", "certificate", "hostname add", "url analysis", "files", "domain", "files ip", "address", "asn as24940", "less", "raspberry pi", "ubiquiti", "remote", "hostname", "pulse submit", "status", "entries", "x xss", "sameorigin x", "unicode text", "utf8 text", "click", "strings", "mitre att", "ck matrix", "pattern match", "ascii text", "href", "show process", "network traffic", "general", "hybrid", "local", "path", "monitored target", "spyglass", "spyware.", "pegasus systems", "prism", "colorado leg", "christopher p.ahmann", "ahmann", "christopher", "P", "tam legal", "treece", "alfrey", "muscat", "criminal", "jeffrey reimer", "theft", "remote connect", "schroeder dennis" ], "references": [ "Domain Name: schroederdennis.de | Status: connect", "remote.tecbuddy.de | remote.schneider-hv.de | remotedesktop.thedipling", "root-dns.netcup", "device-*******-*****-****-****-*********.remotewd.com", "ai-sandboxes.com", "Why Is this always a problem? Just curious. - http://wyblog.us/blog/rants/strikers-get-unemployment-benefits", "$ is funneled back to government, (quasi) , bonused \u2018doctors\u2019 State \u2018experts\u2019 who\u2026", "\u2026lie about the severity of injuries and do crap like this.", "This money belongs to people who paid insurance to cover on job injuries that happen in the job.", "Premise liability covers premises, employees and premises visitors. Weaponizing is not covered.", "Those attacked are the severely injured, survivors of dead workers, victims of providers.", "These people aren\u2019t in the dark. They are clear of the need to pay benefits.", "There are absolute losers in the dole illegally benefiting from the suffering others.", "https://hybrid-analysis.com/sample/00f5292bbe68d9edc68f9a22a750eafb58e4f8474e15a48e3cc217fbbd0cdef9/690e24bb39c801e6d80a824e", "\u2022 http://demo.ideaboxthemes.com/prism", "https://photoprism.thedipling.dns64.de/ \u2022 synertec-audit-cloud.healthchecks.prismcloud.uk", "photoprism.thedipling.dns64.de \u2022 https://schroederdennis.de/wp-content/plugins/highlighting-code-block/assets/js/prism.js?ver=2.0.1", "\"OC47TWOY.txt\" has type \"ASCII text\"- [targetUID: N/A] \"spyglass-w_1_.png\" has type \"Unknown\"- [targetUID: N/A]", "\"spyglass-w_1_.png\" has type \"Unknown\" and extension \"png\" \"clock-g_1_.png\" has type \"Unknown\" and extension \"png\"", "Domain healthcareshapers.com \u2022 https://www.healthcareshapers.com/", "www.ventoxhealthcare.in \u2022 synertec-audit-cloud.healthchecks.prismcloud.uk", "https://cullenbehavioralhealth.theraplatform.com/ \u2022 amghealthnetwork.com", "3ddruck-celle.de", "wwwwww.publicpublicwww.portal.apple-apple-number3.ipv64.net", "sonarr.app.pineapplegod.co.nz", "http://svc.ghlink.com/svc/Authenticate/Applications", "https://sap.dswd.gov.ph.index.ph \u2022 login.prod.siecm.gov.mg \u2022 nre-362.dev.nre.gss.gov.uk", "sdp-dev-ingest.ci.lineageandprovenance.gss.gov.uk", "http://www.xonitec.com/pornosu/yuotubesex.html", "rowanandbenporn.ssssssssssssshadow.home64.de", "https://pagead2.googlesyndication.com/pagead/ads?ltd_cs=1&client=ca-pub-6165363645315831&output=html&adk=1812271804&adf=3025194257&lmt=1713778114&plat=3%3A16%2C4%3A16%2C8%3A4194304%2C9%3A134250504%2C16%3A8388608%2C17%3A32%2C24%3A32%2C25%3A32%2C30%3A1081344%2C32%3A32%2C41%3A32%2C42%3A32&format=0x0&url=https%3A%2F%2Fschroederdennis.de%2Fubiquiti%2Fubiquiti-unifi-u6-plus-vs-u6-lite-vergleich-access-point-wifi%2F&pra=5&wgl=1&easpi=0&asro=0&uach=WyJXaW4zMiIsIjEwLjAuMCIsIng4NiIsIiIsIjEyNC4wLjYzNjcuNjAiLG51bGwsMCx", "https://urlscan.io/result/019a5fbd-e7c6-743a-b9a7-a20e8b2943cd/", "https://urlscan.io/screenshots/e931bb02-80dc-46db-92f0-43d5afa258be.png" ], "public": 1, "adversary": "", "targeted_countries": [], "malware_families": [ { "id": "Win.Packed.Rrat-9798963-0", "display_name": "Win.Packed.Rrat-9798963-0", "target": null }, { "id": "Win.Dropper.LimeRAT-9776087-0", "display_name": "Win.Dropper.LimeRAT-9776087-0", "target": null }, { "id": "Malware Packed", "display_name": "Malware Packed", "target": null } ], "attack_ids": [ { "id": "T1140", "name": "Deobfuscate/Decode Files or Information", "display_name": "T1140 - Deobfuscate/Decode Files or Information" }, { "id": "T1027", "name": "Obfuscated Files or Information", "display_name": "T1027 - Obfuscated Files or Information" }, { "id": "T1055", "name": "Process Injection", "display_name": "T1055 - Process Injection" }, { "id": "T1057", "name": "Process Discovery", "display_name": "T1057 - Process Discovery" }, { "id": "T1069", "name": "Permission Groups Discovery", "display_name": "T1069 - Permission Groups Discovery" }, { "id": "T1071", "name": "Application Layer Protocol", "display_name": "T1071 - Application Layer Protocol" }, { "id": "T1083", "name": "File and Directory Discovery", "display_name": "T1083 - File and Directory Discovery" }, { "id": "T1105", "name": "Ingress Tool Transfer", "display_name": "T1105 - Ingress Tool Transfer" }, { "id": "T1480", "name": "Execution Guardrails", "display_name": "T1480 - Execution Guardrails" }, { "id": "T1553", "name": "Subvert Trust Controls", "display_name": "T1553 - Subvert Trust Controls" }, { "id": "T1568", "name": "Dynamic Resolution", "display_name": "T1568 - Dynamic Resolution" }, { "id": "T1583", "name": "Acquire Infrastructure", "display_name": "T1583 - Acquire Infrastructure" }, { "id": "T1590", "name": "Gather Victim Network Information", "display_name": "T1590 - Gather Victim Network Information" }, { "id": "T1114", "name": "Email Collection", "display_name": "T1114 - Email Collection" }, { "id": "T1204", "name": "User Execution", "display_name": "T1204 - User Execution" }, { "id": "T1566", "name": "Phishing", "display_name": "T1566 - Phishing" }, { "id": "TA0003", "name": "Persistence", "display_name": "TA0003 - Persistence" }, { "id": "T1210", "name": "Exploitation of Remote Services", "display_name": "T1210 - Exploitation of Remote Services" }, { "id": "TA0011", "name": "Command and Control", "display_name": "TA0011 - Command and Control" }, { "id": "T1583.005", "name": "Botnet", "display_name": "T1583.005 - Botnet" }, { "id": "T1031", "name": "Modify Existing Service", "display_name": "T1031 - Modify Existing Service" }, { "id": "T1449", "name": "Exploit SS7 to Redirect Phone Calls/SMS", "display_name": "T1449 - Exploit SS7 to Redirect Phone Calls/SMS" }, { "id": "T1584.005", "name": "Botnet", "display_name": "T1584.005 - Botnet" }, { "id": "T1155", "name": "AppleScript", "display_name": "T1155 - AppleScript" } ], "industries": [ "Healthcare", "Legal", "Government", "Technology" ], "TLP": "white", "cloned_from": null, "export_count": 3, "upvotes_count": 0, "downvotes_count": 0, "votes_count": 0, "locked": false, "pulse_source": "web", "validator_count": 0, "comment_count": 1, "follower_count": 0, "vote": 0, "author": { "username": "Q.Vashti", "id": "337942", "avatar_url": "https://otx.alienvault.com/assets/images/default-avatar.png", "is_subscribed": false, "is_following": false }, "indicator_type_counts": { "domain": 1258, "hostname": 2018, "URL": 3033, "FileHash-SHA256": 651, "email": 4, "FileHash-MD5": 62, "FileHash-SHA1": 69, "SSLCertFingerprint": 5 }, "indicator_count": 7100, "is_author": false, "is_subscribing": null, "subscriber_count": 142, "modified_text": "176 days ago ", "is_modified": true, "groups": [], "in_group": false, "threat_hunter_scannable": true, "threat_hunter_has_agents": 1, "related_indicator_type": "domain", "related_indicator_is_active": 1 } ], "references": [ "http://svc.ghlink.com/svc/Authenticate/Applications", "root-dns.netcup", "rowanandbenporn.ssssssssssssshadow.home64.de", "https://urlscan.io/result/019a5fbd-e7c6-743a-b9a7-a20e8b2943cd/", "https://urlscan.io/screenshots/e931bb02-80dc-46db-92f0-43d5afa258be.png", "Domain healthcareshapers.com \u2022 https://www.healthcareshapers.com/", "There are absolute losers in the dole illegally benefiting from the suffering others.", "https://photoprism.thedipling.dns64.de/ \u2022 synertec-audit-cloud.healthchecks.prismcloud.uk", "Domain Name: schroederdennis.de | Status: connect", "photoprism.thedipling.dns64.de \u2022 https://schroederdennis.de/wp-content/plugins/highlighting-code-block/assets/js/prism.js?ver=2.0.1", "These people aren\u2019t in the dark. They are clear of the need to pay benefits.", "device-*******-*****-****-****-*********.remotewd.com", "https://cullenbehavioralhealth.theraplatform.com/ \u2022 amghealthnetwork.com", "Those attacked are the severely injured, survivors of dead workers, victims of providers.", "3ddruck-celle.de", "Why Is this always a problem? Just curious. - http://wyblog.us/blog/rants/strikers-get-unemployment-benefits", "\"OC47TWOY.txt\" has type \"ASCII text\"- [targetUID: N/A] \"spyglass-w_1_.png\" has type \"Unknown\"- [targetUID: N/A]", "www.ventoxhealthcare.in \u2022 synertec-audit-cloud.healthchecks.prismcloud.uk", "https://sap.dswd.gov.ph.index.ph \u2022 login.prod.siecm.gov.mg \u2022 nre-362.dev.nre.gss.gov.uk", "https://hybrid-analysis.com/sample/00f5292bbe68d9edc68f9a22a750eafb58e4f8474e15a48e3cc217fbbd0cdef9/690e24bb39c801e6d80a824e", "sonarr.app.pineapplegod.co.nz", "wwwwww.publicpublicwww.portal.apple-apple-number3.ipv64.net", "ai-sandboxes.com", "remote.tecbuddy.de | remote.schneider-hv.de | remotedesktop.thedipling", "This money belongs to people who paid insurance to cover on job injuries that happen in the job.", "Premise liability covers premises, employees and premises visitors. Weaponizing is not covered.", "\u2022 http://demo.ideaboxthemes.com/prism", "\"spyglass-w_1_.png\" has type \"Unknown\" and extension \"png\" \"clock-g_1_.png\" has type \"Unknown\" and extension \"png\"", "https://pagead2.googlesyndication.com/pagead/ads?ltd_cs=1&client=ca-pub-6165363645315831&output=html&adk=1812271804&adf=3025194257&lmt=1713778114&plat=3%3A16%2C4%3A16%2C8%3A4194304%2C9%3A134250504%2C16%3A8388608%2C17%3A32%2C24%3A32%2C25%3A32%2C30%3A1081344%2C32%3A32%2C41%3A32%2C42%3A32&format=0x0&url=https%3A%2F%2Fschroederdennis.de%2Fubiquiti%2Fubiquiti-unifi-u6-plus-vs-u6-lite-vergleich-access-point-wifi%2F&pra=5&wgl=1&easpi=0&asro=0&uach=WyJXaW4zMiIsIjEwLjAuMCIsIng4NiIsIiIsIjEyNC4wLjYzNjcuNjAiLG51bGwsMCx", "sdp-dev-ingest.ci.lineageandprovenance.gss.gov.uk", "\u2026lie about the severity of injuries and do crap like this.", "$ is funneled back to government, (quasi) , bonused \u2018doctors\u2019 State \u2018experts\u2019 who\u2026", "http://www.xonitec.com/pornosu/yuotubesex.html" ], "related": { "alienvault": { "adversary": [], "malware_families": [], "industries": [] }, "other": { "adversary": [], "malware_families": [ "Virtool:msil/injector.bf", "Other malware", "Win.dropper.limerat-9776087-0", "Win.packed.rrat-9798963-0", "Malware packed", "Ransomware" ], "industries": [ "Legal", "Healthcare", "Technology", "Government" ] } } }, "false_positive": [] }, "geo": {}, "geo_ipapicom": {}, "pulse_count": 3, "pulses": [ { "id": "692e2d950ac7d1e2a3454a4f", "name": "Gooogle Accounts | Drive-by Compromise \u2022 Ransomware \u2022 Phishing Attack", "description": "Google accounts Drive-by Compromise. Affected Google accounts redirects to a suspicious non - Google homepage. |\nRansomware | Adware | Phishing | Injection | \nExploits seen affecting both OS and iOS devices. Threat actors able to remotely access iOS device, unlock, access iCloud. System root control, fully infected devices, Attackers continue to ravage devices w/ drive by compromise, unsafe adware, malware text, etc., Seeks to remove malicious IoC\u2019s on mock accounts , password stealers", "modified": "2025-12-31T23:04:59.378000", "created": "2025-12-02T00:06:45.807000", "tags": [ "iocs", "drop", "network traffic", "ck id", "mitre att", "ck matrix", "network related", "detected", "t1566", "t1204", "united", "click", "windir", "openurl c", "prefetch2", "tor analysis", "dns requests", "learn", "suspicious", "informative", "name tactics", "adversaries", "command", "initial access", "spawns", "found", "binary file", "t1189", "regsetvalueexa", "regdword", "post http", "medium", "high", "regbinary", "loader", "dock", "write", "malware", "unknown", "romania unknown", "present may", "msie", "chrome", "body", "passive dns", "ip address", "present jun", "welcome", "accept", "encrypt", "gmt content", "ipv4 add", "url analysis", "urls", "files", "reverse dns", "unknown aaaa", "certificate", "hostname add", "error", "flag", "domain address", "contacted hosts", "type", "india unknown", "record value", "body html", "head title", "title", "entries", "read c", "high defense", "evasion", "yara detections", "virtool", "win32", "ahmann", "hacker group", "law firm", "order", "google", "smart assembly" ], "references": [], "public": 1, "adversary": "", "targeted_countries": [], "malware_families": [ { "id": "VirTool:MSIL/Injector.BF", "display_name": "VirTool:MSIL/Injector.BF", "target": "/malware/VirTool:MSIL/Injector.BF" }, { "id": "Other Malware", "display_name": "Other Malware", "target": null }, { "id": "Ransomware", "display_name": "Ransomware", "target": null } ], "attack_ids": [ { "id": "T1204", "name": "User Execution", "display_name": "T1204 - User Execution" }, { "id": "T1566", "name": "Phishing", "display_name": "T1566 - Phishing" }, { "id": "T1027", "name": "Obfuscated Files or Information", "display_name": "T1027 - Obfuscated Files or Information" }, { "id": "T1057", "name": "Process Discovery", "display_name": "T1057 - Process Discovery" }, { "id": "T1069", "name": "Permission Groups Discovery", "display_name": "T1069 - Permission Groups Discovery" }, { "id": "T1071", "name": "Application Layer Protocol", "display_name": "T1071 - Application Layer Protocol" }, { "id": "T1105", "name": "Ingress Tool Transfer", "display_name": "T1105 - Ingress Tool Transfer" }, { "id": "T1189", "name": "Drive-by Compromise", "display_name": "T1189 - Drive-by Compromise" }, { "id": "T1480", "name": "Execution Guardrails", "display_name": "T1480 - Execution Guardrails" }, { "id": "T1553", "name": "Subvert Trust Controls", "display_name": "T1553 - Subvert Trust Controls" }, { "id": "T1568", "name": "Dynamic Resolution", "display_name": "T1568 - Dynamic Resolution" }, { "id": "T1583", "name": "Acquire Infrastructure", "display_name": "T1583 - Acquire Infrastructure" }, { "id": "T1040", "name": "Network Sniffing", "display_name": "T1040 - Network Sniffing" }, { "id": "T1053", "name": "Scheduled Task/Job", "display_name": "T1053 - Scheduled Task/Job" }, { "id": "T1060", "name": "Registry Run Keys / Startup Folder", "display_name": "T1060 - Registry Run Keys / Startup Folder" }, { "id": "T1070", "name": "Indicator Removal on Host", "display_name": "T1070 - Indicator Removal on Host" }, { "id": "T1082", "name": "System Information Discovery", "display_name": "T1082 - System Information Discovery" }, { "id": "T1129", "name": "Shared Modules", "display_name": "T1129 - Shared Modules" }, { "id": "T1143", "name": "Hidden Window", "display_name": "T1143 - Hidden Window" }, { "id": "T1055", "name": "Process Injection", "display_name": "T1055 - Process Injection" }, { "id": "T1031", "name": "Modify Existing Service", "display_name": "T1031 - Modify Existing Service" }, { "id": "T1087", "name": "Account Discovery", "display_name": "T1087 - Account Discovery" }, { "id": "T1087.003", "name": "Email Account", "display_name": "T1087.003 - Email Account" }, { "id": "T1147", "name": "Hidden Users", "display_name": "T1147 - Hidden Users" }, { "id": "T1110.002", "name": "Password Cracking", "display_name": "T1110.002 - Password Cracking" }, { "id": "T1459", "name": "Device Unlock Code Guessing or Brute Force", "display_name": "T1459 - Device Unlock Code Guessing or Brute Force" } ], "industries": [], "TLP": "green", "cloned_from": null, "export_count": 6, "upvotes_count": 0, "downvotes_count": 0, "votes_count": 0, "locked": false, "pulse_source": "web", "validator_count": 0, "comment_count": 0, "follower_count": 0, "vote": 0, "author": { "username": "Q.Vashti", "id": "337942", "avatar_url": "https://otx.alienvault.com/assets/images/default-avatar.png", "is_subscribed": false, "is_following": false }, "indicator_type_counts": { "FileHash-MD5": 115, "FileHash-SHA1": 112, "FileHash-SHA256": 589, "URL": 1795, "SSLCertFingerprint": 3, "domain": 319, "hostname": 847, "email": 1 }, "indicator_count": 3781, "is_author": false, "is_subscribing": null, "subscriber_count": 144, "modified_text": "151 days ago ", "is_modified": true, "groups": [], "in_group": false, "threat_hunter_scannable": true, "threat_hunter_has_agents": 1, "related_indicator_type": "domain", "related_indicator_is_active": 1 }, { "id": "692e1b4122a419384f1add7f", "name": "Cutwail Trojan DownLoader | Driveby compromises | Redirect", "description": "Cutwail Trojan DownLoader | Driveby comprises | Malicious Redirects.\n\nSuspicious redirects from Google homepage to \u2018Doodle\u2019s\nHeavy , ongoing cyber attack. Affects, iOS, Android, Cellular networks (global)\n\nI\u2019m hoping OTX will fully pulse. Indicators will be pulsed fully relying on OTX auto\npulse alone. No references or input from me.", "modified": "2025-12-31T22:02:44.679000", "created": "2025-12-01T22:48:33.510000", "tags": [ "filehashmd5", "filehashsha256", "sha256", "filehashsha1", "indicator role", "title added", "active related", "type indicator", "role title", "added active", "related pulses", "dynamicloader", "medium", "show", "entries", "dynamic", "pe section", "filehash", "md5 add", "pulse pulses", "av detections", "copy", "write", "flag", "misc activity", "et info", "cloudflare dns", "over https", "windir", "openurl c", "prefetch2", "dns requests", "domain address", "google homepage", "html", "binary file", "ck id", "show technique", "mitre att", "ck matrix", "matched", "redirect", "t1189", "learn", "name tactics", "suspicious", "informative", "command", "adversaries", "spawns", "found", "ck techniques", "alert", "potential ip", "general", "click", "united", "analysis tip", "analysis", "tor analysis", "date", "c pe", "data upload", "extraction", "iocs", "manually add", "network traffic", "detected", "t1566", "submitted url", "t1204" ], "references": [], "public": 1, "adversary": "", "targeted_countries": [], "malware_families": [], "attack_ids": [ { "id": "T1189", "name": "Drive-by Compromise", "display_name": "T1189 - Drive-by Compromise" }, { "id": "T1204", "name": "User Execution", "display_name": "T1204 - User Execution" }, { "id": "T1027", "name": "Obfuscated Files or Information", "display_name": "T1027 - Obfuscated Files or Information" }, { "id": "T1057", "name": "Process Discovery", "display_name": "T1057 - Process Discovery" }, { "id": "T1069", "name": "Permission Groups Discovery", "display_name": "T1069 - Permission Groups Discovery" }, { "id": "T1071", "name": "Application Layer Protocol", "display_name": "T1071 - Application Layer Protocol" }, { "id": "T1105", "name": "Ingress Tool Transfer", "display_name": "T1105 - Ingress Tool Transfer" }, { "id": "T1480", "name": "Execution Guardrails", "display_name": "T1480 - Execution Guardrails" }, { "id": "T1553", "name": "Subvert Trust Controls", "display_name": "T1553 - Subvert Trust Controls" }, { "id": "T1566", "name": "Phishing", "display_name": "T1566 - Phishing" }, { "id": "T1113", "name": "Screen Capture", "display_name": "T1113 - Screen Capture" } ], "industries": [], "TLP": "green", "cloned_from": null, "export_count": 4, "upvotes_count": 0, "downvotes_count": 0, "votes_count": 0, "locked": false, "pulse_source": "web", "validator_count": 0, "comment_count": 0, "follower_count": 0, "vote": 0, "author": { "username": "Q.Vashti", "id": "337942", "avatar_url": "https://otx.alienvault.com/assets/images/default-avatar.png", "is_subscribed": false, "is_following": false }, "indicator_type_counts": { "FileHash-MD5": 95, "FileHash-SHA1": 95, "FileHash-SHA256": 183, "hostname": 227, "domain": 83, "URL": 575 }, "indicator_count": 1258, "is_author": false, "is_subscribing": null, "subscriber_count": 142, "modified_text": "151 days ago ", "is_modified": true, "groups": [], "in_group": false, "threat_hunter_scannable": true, "threat_hunter_has_agents": 1, "related_indicator_type": "domain", "related_indicator_is_active": 1 }, { "id": "690e47a694d9bc5c12d83bc0", "name": "LimeRAT | Dark Room Dennis | SpyGlassPrism HealthCare", "description": "Invasive, dark , illegal. Malicious. Will sift through malware Spyware systems. Perpetual remote connections. Employed by Tam Legals Christopher P. Ahmann (Colorado government) to spy on, tamper with , annoy, terrorize, out of financial awards. \n\n spyglass-w_1_.png\n\nSize\n362B (362 bytes)\nMD5\n3c0e6546a44bd9a0f2768df07db5c1c9 Copy MD5 to clipboard\nSHA1\neddf26d1da4a140f2f963b8564c4e99cd6f1a677 Copy SHA1 to clipboard\nSHA256\n83eec393865a35363695d6f2416792d0117f551bb3e41d13b141d70e6b35e02c Copy SHA256 to clipboard", "modified": "2025-12-07T18:01:48.980000", "created": "2025-11-07T19:25:26.827000", "tags": [ "germany asn", "as24940 hetzner", "status connect", "associated", "present nov", "germany", "moved", "present oct", "accept", "germany unknown", "web trebuchet", "ms lucida", "grande lucida", "sans unicode", "lucida sans", "tahoma", "passive dns", "title", "error", "gmbh ccp", "germany germany", "asn as197540", "response ip", "address google", "safe browsing", "present jun", "present may", "present mar", "present jan", "urls", "aaaa", "gmt content", "type", "tags", "tag groups", "countries", "add country", "malware att", "ck it1140", "information", "cisco", "umbrella rank", "automatic", "webgl", "please", "november", "typeof function", "topropertykey", "masonry object", "prism function", "cookies", "source level", "reverse dns", "protocol h2", "security tls", "asn24940", "online gmbh", "general full", "url https", "falkenstein", "community forum", "it url", "youtube videos", "twitch kanal", "discord channel", "spenden", "shop url", "google", "hetzneras", "http", "april", "de summary", "ehingen", "march", "google safe", "browsing", "learn", "issues tab", "value", "masonry", "domainpath name", "cgjerrieegagfw", "label", "input", "suchen nach", "suche", "form", "hash", "name value", "main", "flag", "contacted hosts", "ip address", "process details", "windir", "openurl c", "prefetch2", "ck id", "name tactics", "suspicious", "informative", "adversaries", "command", "defense evasion", "spawns", "found", "a domains", "ascio", "china unknown", "record value", "apache", "encrypt", "dns resolutions", "domains top", "level", "unique tlds", "related pulses", "related tags", "certificate", "hostname add", "url analysis", "files", "domain", "files ip", "address", "asn as24940", "less", "raspberry pi", "ubiquiti", "remote", "hostname", "pulse submit", "status", "entries", "x xss", "sameorigin x", "unicode text", "utf8 text", "click", "strings", "mitre att", "ck matrix", "pattern match", "ascii text", "href", "show process", "network traffic", "general", "hybrid", "local", "path", "monitored target", "spyglass", "spyware.", "pegasus systems", "prism", "colorado leg", "christopher p.ahmann", "ahmann", "christopher", "P", "tam legal", "treece", "alfrey", "muscat", "criminal", "jeffrey reimer", "theft", "remote connect", "schroeder dennis" ], "references": [ "Domain Name: schroederdennis.de | Status: connect", "remote.tecbuddy.de | remote.schneider-hv.de | remotedesktop.thedipling", "root-dns.netcup", "device-*******-*****-****-****-*********.remotewd.com", "ai-sandboxes.com", "Why Is this always a problem? Just curious. - http://wyblog.us/blog/rants/strikers-get-unemployment-benefits", "$ is funneled back to government, (quasi) , bonused \u2018doctors\u2019 State \u2018experts\u2019 who\u2026", "\u2026lie about the severity of injuries and do crap like this.", "This money belongs to people who paid insurance to cover on job injuries that happen in the job.", "Premise liability covers premises, employees and premises visitors. Weaponizing is not covered.", "Those attacked are the severely injured, survivors of dead workers, victims of providers.", "These people aren\u2019t in the dark. They are clear of the need to pay benefits.", "There are absolute losers in the dole illegally benefiting from the suffering others.", "https://hybrid-analysis.com/sample/00f5292bbe68d9edc68f9a22a750eafb58e4f8474e15a48e3cc217fbbd0cdef9/690e24bb39c801e6d80a824e", "\u2022 http://demo.ideaboxthemes.com/prism", "https://photoprism.thedipling.dns64.de/ \u2022 synertec-audit-cloud.healthchecks.prismcloud.uk", "photoprism.thedipling.dns64.de \u2022 https://schroederdennis.de/wp-content/plugins/highlighting-code-block/assets/js/prism.js?ver=2.0.1", "\"OC47TWOY.txt\" has type \"ASCII text\"- [targetUID: N/A] \"spyglass-w_1_.png\" has type \"Unknown\"- [targetUID: N/A]", "\"spyglass-w_1_.png\" has type \"Unknown\" and extension \"png\" \"clock-g_1_.png\" has type \"Unknown\" and extension \"png\"", "Domain healthcareshapers.com \u2022 https://www.healthcareshapers.com/", "www.ventoxhealthcare.in \u2022 synertec-audit-cloud.healthchecks.prismcloud.uk", "https://cullenbehavioralhealth.theraplatform.com/ \u2022 amghealthnetwork.com", "3ddruck-celle.de", "wwwwww.publicpublicwww.portal.apple-apple-number3.ipv64.net", "sonarr.app.pineapplegod.co.nz", "http://svc.ghlink.com/svc/Authenticate/Applications", "https://sap.dswd.gov.ph.index.ph \u2022 login.prod.siecm.gov.mg \u2022 nre-362.dev.nre.gss.gov.uk", "sdp-dev-ingest.ci.lineageandprovenance.gss.gov.uk", "http://www.xonitec.com/pornosu/yuotubesex.html", "rowanandbenporn.ssssssssssssshadow.home64.de", "https://pagead2.googlesyndication.com/pagead/ads?ltd_cs=1&client=ca-pub-6165363645315831&output=html&adk=1812271804&adf=3025194257&lmt=1713778114&plat=3%3A16%2C4%3A16%2C8%3A4194304%2C9%3A134250504%2C16%3A8388608%2C17%3A32%2C24%3A32%2C25%3A32%2C30%3A1081344%2C32%3A32%2C41%3A32%2C42%3A32&format=0x0&url=https%3A%2F%2Fschroederdennis.de%2Fubiquiti%2Fubiquiti-unifi-u6-plus-vs-u6-lite-vergleich-access-point-wifi%2F&pra=5&wgl=1&easpi=0&asro=0&uach=WyJXaW4zMiIsIjEwLjAuMCIsIng4NiIsIiIsIjEyNC4wLjYzNjcuNjAiLG51bGwsMCx", "https://urlscan.io/result/019a5fbd-e7c6-743a-b9a7-a20e8b2943cd/", "https://urlscan.io/screenshots/e931bb02-80dc-46db-92f0-43d5afa258be.png" ], "public": 1, "adversary": "", "targeted_countries": [], "malware_families": [ { "id": "Win.Packed.Rrat-9798963-0", "display_name": "Win.Packed.Rrat-9798963-0", "target": null }, { "id": "Win.Dropper.LimeRAT-9776087-0", "display_name": "Win.Dropper.LimeRAT-9776087-0", "target": null }, { "id": "Malware Packed", "display_name": "Malware Packed", "target": null } ], "attack_ids": [ { "id": "T1140", "name": "Deobfuscate/Decode Files or Information", "display_name": "T1140 - Deobfuscate/Decode Files or Information" }, { "id": "T1027", "name": "Obfuscated Files or Information", "display_name": "T1027 - Obfuscated Files or Information" }, { "id": "T1055", "name": "Process Injection", "display_name": "T1055 - Process Injection" }, { "id": "T1057", "name": "Process Discovery", "display_name": "T1057 - Process Discovery" }, { "id": "T1069", "name": "Permission Groups Discovery", "display_name": "T1069 - Permission Groups Discovery" }, { "id": "T1071", "name": "Application Layer Protocol", "display_name": "T1071 - Application Layer Protocol" }, { "id": "T1083", "name": "File and Directory Discovery", "display_name": "T1083 - File and Directory Discovery" }, { "id": "T1105", "name": "Ingress Tool Transfer", "display_name": "T1105 - Ingress Tool Transfer" }, { "id": "T1480", "name": "Execution Guardrails", "display_name": "T1480 - Execution Guardrails" }, { "id": "T1553", "name": "Subvert Trust Controls", "display_name": "T1553 - Subvert Trust Controls" }, { "id": "T1568", "name": "Dynamic Resolution", "display_name": "T1568 - Dynamic Resolution" }, { "id": "T1583", "name": "Acquire Infrastructure", "display_name": "T1583 - Acquire Infrastructure" }, { "id": "T1590", "name": "Gather Victim Network Information", "display_name": "T1590 - Gather Victim Network Information" }, { "id": "T1114", "name": "Email Collection", "display_name": "T1114 - Email Collection" }, { "id": "T1204", "name": "User Execution", "display_name": "T1204 - User Execution" }, { "id": "T1566", "name": "Phishing", "display_name": "T1566 - Phishing" }, { "id": "TA0003", "name": "Persistence", "display_name": "TA0003 - Persistence" }, { "id": "T1210", "name": "Exploitation of Remote Services", "display_name": "T1210 - Exploitation of Remote Services" }, { "id": "TA0011", "name": "Command and Control", "display_name": "TA0011 - Command and Control" }, { "id": "T1583.005", "name": "Botnet", "display_name": "T1583.005 - Botnet" }, { "id": "T1031", "name": "Modify Existing Service", "display_name": "T1031 - Modify Existing Service" }, { "id": "T1449", "name": "Exploit SS7 to Redirect Phone Calls/SMS", "display_name": "T1449 - Exploit SS7 to Redirect Phone Calls/SMS" }, { "id": "T1584.005", "name": "Botnet", "display_name": "T1584.005 - Botnet" }, { "id": "T1155", "name": "AppleScript", "display_name": "T1155 - AppleScript" } ], "industries": [ "Healthcare", "Legal", "Government", "Technology" ], "TLP": "white", "cloned_from": null, "export_count": 3, "upvotes_count": 0, "downvotes_count": 0, "votes_count": 0, "locked": false, "pulse_source": "web", "validator_count": 0, "comment_count": 1, "follower_count": 0, "vote": 0, "author": { "username": "Q.Vashti", "id": "337942", "avatar_url": "https://otx.alienvault.com/assets/images/default-avatar.png", "is_subscribed": false, "is_following": false }, "indicator_type_counts": { "domain": 1258, "hostname": 2018, "URL": 3033, "FileHash-SHA256": 651, "email": 4, "FileHash-MD5": 62, "FileHash-SHA1": 69, "SSLCertFingerprint": 5 }, "indicator_count": 7100, "is_author": false, "is_subscribing": null, "subscriber_count": 142, "modified_text": "176 days ago ", "is_modified": true, "groups": [], "in_group": false, "threat_hunter_scannable": true, "threat_hunter_has_agents": 1, "related_indicator_type": "domain", "related_indicator_is_active": 1 } ], "error": null, "vt": { "error": "VirusTotal rate limit reached. Try again shortly.", "indicator": "srv64.de", "type": "Domain" }, "abuseipdb": null, "urlhaus": { "indicator": "srv64.de", "found": false, "verdict": "clean", "urls": [], "error": null }, "from_cache": true, "_cached_at": 1780350379.4903677 }