{ "type": "Domain", "indicator": "git.io", "general": { "sections": [ "general", "geo", "url_list", "passive_dns", "malware", "whois", "http_scans" ], "whois": "http://whois.domaintools.com/git.io", "alexa": "http://www.alexa.com/siteinfo/git.io", "indicator": "git.io", "type": "domain", "type_title": "Domain", "validation": [ { "source": "majestic", "message": "Whitelisted domain git.io", "name": "Whitelisted domain" } ], "base_indicator": { "id": 2489195852, "indicator": "git.io", "type": "domain", "title": "", "description": "", "content": "", "access_type": "public", "access_reason": "" }, "pulse_info": { "count": 50, "pulses": [ { "id": "69e30ffa710fafb6d651ca89", "name": "Kelowna detachment - British Columbia by streamminingex", "description": "", "modified": "2026-04-18T05:46:36.582000", "created": "2026-04-18T05:00:42.166000", "tags": [], "references": [], "public": 1, "adversary": "", "targeted_countries": [], "malware_families": [], "attack_ids": [], "industries": [], "TLP": "green", "cloned_from": "6570a552ac0b6570454709f7", "export_count": 0, "upvotes_count": 0, "downvotes_count": 0, "votes_count": 0, "locked": false, "pulse_source": "web", "validator_count": 0, "comment_count": 0, "follower_count": 0, "vote": 0, "author": { "username": "msudosos", "id": "381696", "avatar_url": "https://otx.alienvault.com/assets/images/default-avatar.png", "is_subscribed": false, "is_following": false }, "indicator_type_counts": { "CVE": 15, "URL": 1354, "FileHash-MD5": 1308, "FileHash-SHA1": 1314, "FileHash-SHA256": 4898, "hostname": 1401, "email": 62, "domain": 1239, "CIDR": 8 }, "indicator_count": 11599, "is_author": false, "is_subscribing": null, "subscriber_count": 48, "modified_text": "2 days ago ", "is_modified": true, "groups": [], "in_group": false, "threat_hunter_scannable": true, "threat_hunter_has_agents": 1, "related_indicator_type": "domain", "related_indicator_is_active": 1 }, { "id": "69e30ffde212f52470137868", "name": "Kelowna detachment - British Columbia by streamminingex", "description": "", "modified": "2026-04-18T05:46:26.897000", "created": "2026-04-18T05:00:45.780000", "tags": [], "references": [], "public": 1, "adversary": "", "targeted_countries": [], "malware_families": [], "attack_ids": [], "industries": [], "TLP": "green", "cloned_from": "6570a552ac0b6570454709f7", "export_count": 0, "upvotes_count": 0, "downvotes_count": 0, "votes_count": 0, "locked": false, "pulse_source": "web", "validator_count": 0, "comment_count": 0, "follower_count": 0, "vote": 0, "author": { "username": "msudosos", "id": "381696", "avatar_url": "https://otx.alienvault.com/assets/images/default-avatar.png", "is_subscribed": false, "is_following": false }, "indicator_type_counts": { "CVE": 15, "URL": 1358, "FileHash-MD5": 1308, "FileHash-SHA1": 1314, "FileHash-SHA256": 4898, "hostname": 1405, "email": 62, "domain": 1242, "CIDR": 8 }, "indicator_count": 11610, "is_author": false, "is_subscribing": null, "subscriber_count": 48, "modified_text": "2 days ago ", "is_modified": true, "groups": [], "in_group": false, "threat_hunter_scannable": true, "threat_hunter_has_agents": 1, "related_indicator_type": "domain", "related_indicator_is_active": 1 }, { "id": "69d16a7d00b0ea85aaf98736", "name": "VirusTotal report\n for run.sh", "description": "A full report on the Bourne-Again malware, published on 18 October, 2016. \u00c2\u00a31.5m (\u20ac2.4m; $3.6m).", "modified": "2026-04-04T19:46:05.954000", "created": "2026-04-04T19:46:05.954000", "tags": [ "file type", "ascii", "ascii text", "c source", "python", "python script", "writes shell", "html document", "sample", "posix shell", "persistence", "info", "linuxunix shell", "perl script", "shell", "mitre attack", "overview", "dropped info", "processes extra", "overview zenbox", "linux verdict", "guest system", "ultimate file", "info file", "malicious", "next", "java source", "crlf line", "sgml document", "certificate", "version3", "java keystore", "fraud", "network info", "unicode text", "utf8 text", "png image", "window" ], "references": [ "https://vtbehaviour.commondatastorage.googleapis.com/a711ab9f034ec8f7e6af1f3d2038912744b7633fa6722d9836965742dee6d6a2_Zenbox%20Linux.html?GoogleAccessId=758681729565-rc7fgq07icj8c9dm2gi34a4cckv235v1@developer.gserviceaccount.com&Expires=1775331684&Signature=c5WpYuxTIbVivjy9twSEEFcaF8XNBTwVhnJlSlxi23MOgSHpgwXbHsfE6flrpICVrApX5aa%2FM9SEhNMSNrqfZfffeKVVlSP5HK83DIz5cX7zxj3e6QUJBxfzYTehKIu7PboV3pv7iqaiKuTSoAuVB7SO3q0cmLVdmj0CwgVl%2Bxb2uk8cAuHSozlNlUQTtKp4kj%2B7vXJ8Cu0R8tEldXA9lnQ2YHfdanefJ6U495%2B%2FoBB4eckkj1On", "https://vtbehaviour.commondatastorage.googleapis.com/deeb5ee27b4a740fb22423f0b54253f44fbc1c879569748aae9886f4a9113ec1_Zenbox%20Linux.html?GoogleAccessId=758681729565-rc7fgq07icj8c9dm2gi34a4cckv235v1@developer.gserviceaccount.com&Expires=1775331990&Signature=xR4cCaqYva2bIYOcAYm48EanAq0MTwsTs8BeXhQOE0MrQatTTXDq8gR5ixARCa3GTu2zx8spFdfiUylsmJCarhu8D5vIEuQQ3UD02scWNSGkAu8HiPX2hmMd7Cbni5nWDZIHfI4%2BKCrW8SHDXTrKzyIVfRPxixWVBic9Yaidd1Oqa3KEls3bG28By6k5H1Rd1Qf27epwdP%2BUjrjgpKlmK5tO%2FP7kK1x%2FtMv3w6R4sjLiHATrIjPgoD", "https://vtbehaviour.commondatastorage.googleapis.com/deeb5ee27b4a740fb22423f0b54253f44fbc1c879569748aae9886f4a9113ec1_Zenbox.html?GoogleAccessId=758681729565-rc7fgq07icj8c9dm2gi34a4cckv235v1@developer.gserviceaccount.com&Expires=1775332051&Signature=Bo5b49qay%2F21SiP8bhvZJkYRuw%2BLHz1dfkvJnnEemMii%2F%2FNHk09bmq75u0v2tYMhruii4ncU%2BzXle2POGINpkNmed9FGVbpw3iSzCD9QQKvPuXK0ble2ocVUSZR5vo8vNEV9cS89z1r%2BYqpO3XyS7u%2BajghqNocwpRoq3dwURQqQEqC7II07YOa%2FRpjFQooyWMmOwKC9I%2Fny%2FUmw0%2BDrgg20Kf%2FNsuAzOZLMrdO2o%2B3z", "https://vtbehaviour.commondatastorage.googleapis.com/1a0c03d5766301f341ed160511b7442d063a320d6aa4ffd6bbec89a809059d09_Zenbox%20Linux.html?GoogleAccessId=758681729565-rc7fgq07icj8c9dm2gi34a4cckv235v1@developer.gserviceaccount.com&Expires=1775332091&Signature=CpWTTwCL%2FHBNW7gUdVTGV%2BaYfdffmVnwTljmRJrMAWNVTHZxyiho8OCuzbtyaSxy12vi8YVQ3DzfT8iWx74O9dBqvZgm5NXwFxgPE3qT7MSzykVmuGB9J00pmU2mZCTWSK6Vkm1KQxSJOEYfMu3aaL3P42m84wWdxFDLlEQl2rsllq4t0ADGNFSPSqAXvC6SBm%2F16y8gRzM9dYJ%2B%2FCjznOtd1vc2jV8%2BvjNPi1oJyyEbt2jnI4", "https://vtbehaviour.commondatastorage.googleapis.com/1a0c03d5766301f341ed160511b7442d063a320d6aa4ffd6bbec89a809059d09_Zenbox.html?GoogleAccessId=758681729565-rc7fgq07icj8c9dm2gi34a4cckv235v1@developer.gserviceaccount.com&Expires=1775332117&Signature=QrQhWy6CHNIt4LrFDW8Us3KA0iRKZQsz1n3Grrkp%2FAFqaB1bg7YxB2%2F9WZxBzZ6PMwIWuUdgioXJFXzRQQ55c%2BCI5rBOGF290mKickctOopJ%2FIZ%2FS4MrYScbePx7GxujMl%2BBt0UT1MtozDTOja6QP2MBW5H2mbH5A5PYPJtpn4MwwQg6iUy4IAaEx9FeiJYrpkqvLSzsoq8uDCVv9GGvwXhzWDaOGvzxpSMsY%2BEZ0ti5z1hk8TsA2nI9", "https://vtbehaviour.commondatastorage.googleapis.com/6ff69fa3791b2fa97f24d4bf813c0482afa79961203ba0251fd98328c96ed36e_Zenbox%20Linux.html?GoogleAccessId=758681729565-rc7fgq07icj8c9dm2gi34a4cckv235v1@developer.gserviceaccount.com&Expires=1775332153&Signature=dgkLQ0GIqiF%2Fxe%2BVGzHTZfBQIbpzMfUfH2TTP0G%2FfiVlTXg8BMGx7TyX9WTGlpu6ejWe2xalYze6ohM5Fjaw86Z%2BhmeXwhayr3CfV%2F8EJzusPyOM03QF5IR1ftbWe5tFyxcV0TtA1S5PehVGZRHYHV%2FpOG%2BbzR1Dcn2z2u0I72hZ%2F7X5nKoHtBjRMDvZnZneoi%2FAI9C2DMtsZemC3g7FLaEM6BV1JXkzjSoeH01LFLze", "https://vtbehaviour.commondatastorage.googleapis.com/6ff69fa3791b2fa97f24d4bf813c0482afa79961203ba0251fd98328c96ed36e_Zenbox.html?GoogleAccessId=758681729565-rc7fgq07icj8c9dm2gi34a4cckv235v1@developer.gserviceaccount.com&Expires=1775332172&Signature=AEpI2boARQpxEdX1svqF6ucRMxm96JGdMomcZOTdUlwdGfdyyB8kDhkui3aHlFIFUijkXBGRDLpG4%2FEFvHiA4JDASaFT7MuYUgw%2Fy7xLA5S28HNLgqEqzGb4TSOa58v0WxA0YOpEEs8i8Umx7Kx6LM7C5R9OI50lKO9ma917WLa3ugyTqBnXCqx9Rgb7OwRuWGCAnqNUqjSXub0XMP8HEgzkgzPRzOZkoSA07gn7t6bTHV4QLuqEHqQX3YZPbSI3ld" ], "public": 1, "adversary": "", "targeted_countries": [], "malware_families": [], "attack_ids": [ { "id": "T1064", "name": "Scripting", "display_name": "T1064 - Scripting" }, { "id": "T1070", "name": "Indicator Removal on Host", "display_name": "T1070 - Indicator Removal on Host" }, { "id": "T1071", "name": "Application Layer Protocol", "display_name": "T1071 - Application Layer Protocol" }, { "id": "T1083", "name": "File and Directory Discovery", "display_name": "T1083 - File and Directory Discovery" }, { "id": "T1095", "name": "Non-Application Layer Protocol", "display_name": "T1095 - Non-Application Layer Protocol" }, { "id": "T1222", "name": "File and Directory Permissions Modification", "display_name": "T1222 - File and Directory Permissions Modification" }, { "id": "T1518", "name": "Software Discovery", "display_name": "T1518 - Software Discovery" }, { "id": "T1564", "name": "Hide Artifacts", "display_name": "T1564 - Hide Artifacts" }, { "id": "T1573", "name": "Encrypted Channel", "display_name": "T1573 - Encrypted Channel" }, { "id": "T1055", "name": "Process Injection", "display_name": "T1055 - Process Injection" }, { "id": "T1056", "name": "Input Capture", "display_name": "T1056 - Input Capture" }, { "id": "T1082", "name": "System Information Discovery", "display_name": "T1082 - System Information Discovery" }, { "id": "T1486", "name": "Data Encrypted for Impact", "display_name": "T1486 - Data Encrypted for Impact" }, { "id": "T1497", "name": "Virtualization/Sandbox Evasion", "display_name": "T1497 - Virtualization/Sandbox Evasion" }, { "id": "T1562", "name": "Impair Defenses", "display_name": "T1562 - Impair Defenses" }, { "id": "T1543", "name": "Create or Modify System Process", "display_name": "T1543 - Create or Modify System Process" }, { "id": "T1010", "name": "Application Window Discovery", "display_name": "T1010 - Application Window Discovery" }, { "id": "T1560", "name": "Archive Collected Data", "display_name": "T1560 - Archive Collected Data" }, { "id": "T1574", "name": "Hijack Execution Flow", "display_name": "T1574 - Hijack Execution Flow" } ], "industries": [], "TLP": "white", "cloned_from": null, "export_count": 0, "upvotes_count": 0, "downvotes_count": 0, "votes_count": 0, "locked": false, "pulse_source": "web", "validator_count": 0, "comment_count": 0, "follower_count": 0, "vote": 0, "author": { "username": "msudosos", "id": "381696", "avatar_url": "https://otx.alienvault.com/assets/images/default-avatar.png", "is_subscribed": false, "is_following": false }, "indicator_type_counts": { "FileHash-MD5": 18, "FileHash-SHA1": 18, "FileHash-SHA256": 2469, "URL": 287, "domain": 281, "hostname": 110, "IPv4": 5 }, "indicator_count": 3188, "is_author": false, "is_subscribing": null, "subscriber_count": 48, "modified_text": "15 days ago ", "is_modified": false, "groups": [], "in_group": false, "threat_hunter_scannable": true, "threat_hunter_has_agents": 1, "related_indicator_type": "domain", "related_indicator_is_active": 1 }, { "id": "69d16a7d28330920cf77f5b0", "name": "VirusTotal report\n for run.sh", "description": "A full report on the Bourne-Again malware, published on 18 October, 2016. \u00c2\u00a31.5m (\u20ac2.4m; $3.6m).", "modified": "2026-04-04T19:46:05.437000", "created": "2026-04-04T19:46:05.437000", "tags": [ "file type", "ascii", "ascii text", "c source", "python", "python script", "writes shell", "html document", "sample", "posix shell", "persistence", "info", "linuxunix shell", "perl script", "shell", "mitre attack", "overview", "dropped info", "processes extra", "overview zenbox", "linux verdict", "guest system", "ultimate file", "info file", "malicious", "next", "java source", "crlf line", "sgml document", "certificate", "version3", "java keystore", "fraud", "network info", "unicode text", "utf8 text", "png image", "window" ], "references": [ "https://vtbehaviour.commondatastorage.googleapis.com/a711ab9f034ec8f7e6af1f3d2038912744b7633fa6722d9836965742dee6d6a2_Zenbox%20Linux.html?GoogleAccessId=758681729565-rc7fgq07icj8c9dm2gi34a4cckv235v1@developer.gserviceaccount.com&Expires=1775331684&Signature=c5WpYuxTIbVivjy9twSEEFcaF8XNBTwVhnJlSlxi23MOgSHpgwXbHsfE6flrpICVrApX5aa%2FM9SEhNMSNrqfZfffeKVVlSP5HK83DIz5cX7zxj3e6QUJBxfzYTehKIu7PboV3pv7iqaiKuTSoAuVB7SO3q0cmLVdmj0CwgVl%2Bxb2uk8cAuHSozlNlUQTtKp4kj%2B7vXJ8Cu0R8tEldXA9lnQ2YHfdanefJ6U495%2B%2FoBB4eckkj1On", "https://vtbehaviour.commondatastorage.googleapis.com/deeb5ee27b4a740fb22423f0b54253f44fbc1c879569748aae9886f4a9113ec1_Zenbox%20Linux.html?GoogleAccessId=758681729565-rc7fgq07icj8c9dm2gi34a4cckv235v1@developer.gserviceaccount.com&Expires=1775331990&Signature=xR4cCaqYva2bIYOcAYm48EanAq0MTwsTs8BeXhQOE0MrQatTTXDq8gR5ixARCa3GTu2zx8spFdfiUylsmJCarhu8D5vIEuQQ3UD02scWNSGkAu8HiPX2hmMd7Cbni5nWDZIHfI4%2BKCrW8SHDXTrKzyIVfRPxixWVBic9Yaidd1Oqa3KEls3bG28By6k5H1Rd1Qf27epwdP%2BUjrjgpKlmK5tO%2FP7kK1x%2FtMv3w6R4sjLiHATrIjPgoD", "https://vtbehaviour.commondatastorage.googleapis.com/deeb5ee27b4a740fb22423f0b54253f44fbc1c879569748aae9886f4a9113ec1_Zenbox.html?GoogleAccessId=758681729565-rc7fgq07icj8c9dm2gi34a4cckv235v1@developer.gserviceaccount.com&Expires=1775332051&Signature=Bo5b49qay%2F21SiP8bhvZJkYRuw%2BLHz1dfkvJnnEemMii%2F%2FNHk09bmq75u0v2tYMhruii4ncU%2BzXle2POGINpkNmed9FGVbpw3iSzCD9QQKvPuXK0ble2ocVUSZR5vo8vNEV9cS89z1r%2BYqpO3XyS7u%2BajghqNocwpRoq3dwURQqQEqC7II07YOa%2FRpjFQooyWMmOwKC9I%2Fny%2FUmw0%2BDrgg20Kf%2FNsuAzOZLMrdO2o%2B3z", "https://vtbehaviour.commondatastorage.googleapis.com/1a0c03d5766301f341ed160511b7442d063a320d6aa4ffd6bbec89a809059d09_Zenbox%20Linux.html?GoogleAccessId=758681729565-rc7fgq07icj8c9dm2gi34a4cckv235v1@developer.gserviceaccount.com&Expires=1775332091&Signature=CpWTTwCL%2FHBNW7gUdVTGV%2BaYfdffmVnwTljmRJrMAWNVTHZxyiho8OCuzbtyaSxy12vi8YVQ3DzfT8iWx74O9dBqvZgm5NXwFxgPE3qT7MSzykVmuGB9J00pmU2mZCTWSK6Vkm1KQxSJOEYfMu3aaL3P42m84wWdxFDLlEQl2rsllq4t0ADGNFSPSqAXvC6SBm%2F16y8gRzM9dYJ%2B%2FCjznOtd1vc2jV8%2BvjNPi1oJyyEbt2jnI4", "https://vtbehaviour.commondatastorage.googleapis.com/1a0c03d5766301f341ed160511b7442d063a320d6aa4ffd6bbec89a809059d09_Zenbox.html?GoogleAccessId=758681729565-rc7fgq07icj8c9dm2gi34a4cckv235v1@developer.gserviceaccount.com&Expires=1775332117&Signature=QrQhWy6CHNIt4LrFDW8Us3KA0iRKZQsz1n3Grrkp%2FAFqaB1bg7YxB2%2F9WZxBzZ6PMwIWuUdgioXJFXzRQQ55c%2BCI5rBOGF290mKickctOopJ%2FIZ%2FS4MrYScbePx7GxujMl%2BBt0UT1MtozDTOja6QP2MBW5H2mbH5A5PYPJtpn4MwwQg6iUy4IAaEx9FeiJYrpkqvLSzsoq8uDCVv9GGvwXhzWDaOGvzxpSMsY%2BEZ0ti5z1hk8TsA2nI9", "https://vtbehaviour.commondatastorage.googleapis.com/6ff69fa3791b2fa97f24d4bf813c0482afa79961203ba0251fd98328c96ed36e_Zenbox%20Linux.html?GoogleAccessId=758681729565-rc7fgq07icj8c9dm2gi34a4cckv235v1@developer.gserviceaccount.com&Expires=1775332153&Signature=dgkLQ0GIqiF%2Fxe%2BVGzHTZfBQIbpzMfUfH2TTP0G%2FfiVlTXg8BMGx7TyX9WTGlpu6ejWe2xalYze6ohM5Fjaw86Z%2BhmeXwhayr3CfV%2F8EJzusPyOM03QF5IR1ftbWe5tFyxcV0TtA1S5PehVGZRHYHV%2FpOG%2BbzR1Dcn2z2u0I72hZ%2F7X5nKoHtBjRMDvZnZneoi%2FAI9C2DMtsZemC3g7FLaEM6BV1JXkzjSoeH01LFLze", "https://vtbehaviour.commondatastorage.googleapis.com/6ff69fa3791b2fa97f24d4bf813c0482afa79961203ba0251fd98328c96ed36e_Zenbox.html?GoogleAccessId=758681729565-rc7fgq07icj8c9dm2gi34a4cckv235v1@developer.gserviceaccount.com&Expires=1775332172&Signature=AEpI2boARQpxEdX1svqF6ucRMxm96JGdMomcZOTdUlwdGfdyyB8kDhkui3aHlFIFUijkXBGRDLpG4%2FEFvHiA4JDASaFT7MuYUgw%2Fy7xLA5S28HNLgqEqzGb4TSOa58v0WxA0YOpEEs8i8Umx7Kx6LM7C5R9OI50lKO9ma917WLa3ugyTqBnXCqx9Rgb7OwRuWGCAnqNUqjSXub0XMP8HEgzkgzPRzOZkoSA07gn7t6bTHV4QLuqEHqQX3YZPbSI3ld" ], "public": 1, "adversary": "", "targeted_countries": [], "malware_families": [], "attack_ids": [ { "id": "T1064", "name": "Scripting", "display_name": "T1064 - Scripting" }, { "id": "T1070", "name": "Indicator Removal on Host", "display_name": "T1070 - Indicator Removal on Host" }, { "id": "T1071", "name": "Application Layer Protocol", "display_name": "T1071 - Application Layer Protocol" }, { "id": "T1083", "name": "File and Directory Discovery", "display_name": "T1083 - File and Directory Discovery" }, { "id": "T1095", "name": "Non-Application Layer Protocol", "display_name": "T1095 - Non-Application Layer Protocol" }, { "id": "T1222", "name": "File and Directory Permissions Modification", "display_name": "T1222 - File and Directory Permissions Modification" }, { "id": "T1518", "name": "Software Discovery", "display_name": "T1518 - Software Discovery" }, { "id": "T1564", "name": "Hide Artifacts", "display_name": "T1564 - Hide Artifacts" }, { "id": "T1573", "name": "Encrypted Channel", "display_name": "T1573 - Encrypted Channel" }, { "id": "T1055", "name": "Process Injection", "display_name": "T1055 - Process Injection" }, { "id": "T1056", "name": "Input Capture", "display_name": "T1056 - Input Capture" }, { "id": "T1082", "name": "System Information Discovery", "display_name": "T1082 - System Information Discovery" }, { "id": "T1486", "name": "Data Encrypted for Impact", "display_name": "T1486 - Data Encrypted for Impact" }, { "id": "T1497", "name": "Virtualization/Sandbox Evasion", "display_name": "T1497 - Virtualization/Sandbox Evasion" }, { "id": "T1562", "name": "Impair Defenses", "display_name": "T1562 - Impair Defenses" }, { "id": "T1543", "name": "Create or Modify System Process", "display_name": "T1543 - Create or Modify System Process" }, { "id": "T1010", "name": "Application Window Discovery", "display_name": "T1010 - Application Window Discovery" }, { "id": "T1560", "name": "Archive Collected Data", "display_name": "T1560 - Archive Collected Data" }, { "id": "T1574", "name": "Hijack Execution Flow", "display_name": "T1574 - Hijack Execution Flow" } ], "industries": [], "TLP": "white", "cloned_from": null, "export_count": 0, "upvotes_count": 0, "downvotes_count": 0, "votes_count": 0, "locked": false, "pulse_source": "web", "validator_count": 0, "comment_count": 0, "follower_count": 0, "vote": 0, "author": { "username": "msudosos", "id": "381696", "avatar_url": "https://otx.alienvault.com/assets/images/default-avatar.png", "is_subscribed": false, "is_following": false }, "indicator_type_counts": { "FileHash-MD5": 18, "FileHash-SHA1": 18, "FileHash-SHA256": 2469, "URL": 287, "domain": 281, "hostname": 110, "IPv4": 5 }, "indicator_count": 3188, "is_author": false, "is_subscribing": null, "subscriber_count": 48, "modified_text": "15 days ago ", "is_modified": false, "groups": [], "in_group": false, "threat_hunter_scannable": true, "threat_hunter_has_agents": 1, "related_indicator_type": "domain", "related_indicator_is_active": 1 }, { "id": "69d16a7c0f0657edc9c6d735", "name": "VirusTotal report\n for run.sh", "description": "A full report on the Bourne-Again malware, published on 18 October, 2016. \u00c2\u00a31.5m (\u20ac2.4m; $3.6m).", "modified": "2026-04-04T19:46:04.113000", "created": "2026-04-04T19:46:04.113000", "tags": [ "file type", "ascii", "ascii text", "c source", "python", "python script", "writes shell", "html document", "sample", "posix shell", "persistence", "info", "linuxunix shell", "perl script", "shell", "mitre attack", "overview", "dropped info", "processes extra", "overview zenbox", "linux verdict", "guest system", "ultimate file", "info file", "malicious", "next", "java source", "crlf line", "sgml document", "certificate", "version3", "java keystore", "fraud", "network info", "unicode text", "utf8 text", "png image", "window" ], "references": [ "https://vtbehaviour.commondatastorage.googleapis.com/a711ab9f034ec8f7e6af1f3d2038912744b7633fa6722d9836965742dee6d6a2_Zenbox%20Linux.html?GoogleAccessId=758681729565-rc7fgq07icj8c9dm2gi34a4cckv235v1@developer.gserviceaccount.com&Expires=1775331684&Signature=c5WpYuxTIbVivjy9twSEEFcaF8XNBTwVhnJlSlxi23MOgSHpgwXbHsfE6flrpICVrApX5aa%2FM9SEhNMSNrqfZfffeKVVlSP5HK83DIz5cX7zxj3e6QUJBxfzYTehKIu7PboV3pv7iqaiKuTSoAuVB7SO3q0cmLVdmj0CwgVl%2Bxb2uk8cAuHSozlNlUQTtKp4kj%2B7vXJ8Cu0R8tEldXA9lnQ2YHfdanefJ6U495%2B%2FoBB4eckkj1On", "https://vtbehaviour.commondatastorage.googleapis.com/deeb5ee27b4a740fb22423f0b54253f44fbc1c879569748aae9886f4a9113ec1_Zenbox%20Linux.html?GoogleAccessId=758681729565-rc7fgq07icj8c9dm2gi34a4cckv235v1@developer.gserviceaccount.com&Expires=1775331990&Signature=xR4cCaqYva2bIYOcAYm48EanAq0MTwsTs8BeXhQOE0MrQatTTXDq8gR5ixARCa3GTu2zx8spFdfiUylsmJCarhu8D5vIEuQQ3UD02scWNSGkAu8HiPX2hmMd7Cbni5nWDZIHfI4%2BKCrW8SHDXTrKzyIVfRPxixWVBic9Yaidd1Oqa3KEls3bG28By6k5H1Rd1Qf27epwdP%2BUjrjgpKlmK5tO%2FP7kK1x%2FtMv3w6R4sjLiHATrIjPgoD", "https://vtbehaviour.commondatastorage.googleapis.com/deeb5ee27b4a740fb22423f0b54253f44fbc1c879569748aae9886f4a9113ec1_Zenbox.html?GoogleAccessId=758681729565-rc7fgq07icj8c9dm2gi34a4cckv235v1@developer.gserviceaccount.com&Expires=1775332051&Signature=Bo5b49qay%2F21SiP8bhvZJkYRuw%2BLHz1dfkvJnnEemMii%2F%2FNHk09bmq75u0v2tYMhruii4ncU%2BzXle2POGINpkNmed9FGVbpw3iSzCD9QQKvPuXK0ble2ocVUSZR5vo8vNEV9cS89z1r%2BYqpO3XyS7u%2BajghqNocwpRoq3dwURQqQEqC7II07YOa%2FRpjFQooyWMmOwKC9I%2Fny%2FUmw0%2BDrgg20Kf%2FNsuAzOZLMrdO2o%2B3z", "https://vtbehaviour.commondatastorage.googleapis.com/1a0c03d5766301f341ed160511b7442d063a320d6aa4ffd6bbec89a809059d09_Zenbox%20Linux.html?GoogleAccessId=758681729565-rc7fgq07icj8c9dm2gi34a4cckv235v1@developer.gserviceaccount.com&Expires=1775332091&Signature=CpWTTwCL%2FHBNW7gUdVTGV%2BaYfdffmVnwTljmRJrMAWNVTHZxyiho8OCuzbtyaSxy12vi8YVQ3DzfT8iWx74O9dBqvZgm5NXwFxgPE3qT7MSzykVmuGB9J00pmU2mZCTWSK6Vkm1KQxSJOEYfMu3aaL3P42m84wWdxFDLlEQl2rsllq4t0ADGNFSPSqAXvC6SBm%2F16y8gRzM9dYJ%2B%2FCjznOtd1vc2jV8%2BvjNPi1oJyyEbt2jnI4", "https://vtbehaviour.commondatastorage.googleapis.com/1a0c03d5766301f341ed160511b7442d063a320d6aa4ffd6bbec89a809059d09_Zenbox.html?GoogleAccessId=758681729565-rc7fgq07icj8c9dm2gi34a4cckv235v1@developer.gserviceaccount.com&Expires=1775332117&Signature=QrQhWy6CHNIt4LrFDW8Us3KA0iRKZQsz1n3Grrkp%2FAFqaB1bg7YxB2%2F9WZxBzZ6PMwIWuUdgioXJFXzRQQ55c%2BCI5rBOGF290mKickctOopJ%2FIZ%2FS4MrYScbePx7GxujMl%2BBt0UT1MtozDTOja6QP2MBW5H2mbH5A5PYPJtpn4MwwQg6iUy4IAaEx9FeiJYrpkqvLSzsoq8uDCVv9GGvwXhzWDaOGvzxpSMsY%2BEZ0ti5z1hk8TsA2nI9", "https://vtbehaviour.commondatastorage.googleapis.com/6ff69fa3791b2fa97f24d4bf813c0482afa79961203ba0251fd98328c96ed36e_Zenbox%20Linux.html?GoogleAccessId=758681729565-rc7fgq07icj8c9dm2gi34a4cckv235v1@developer.gserviceaccount.com&Expires=1775332153&Signature=dgkLQ0GIqiF%2Fxe%2BVGzHTZfBQIbpzMfUfH2TTP0G%2FfiVlTXg8BMGx7TyX9WTGlpu6ejWe2xalYze6ohM5Fjaw86Z%2BhmeXwhayr3CfV%2F8EJzusPyOM03QF5IR1ftbWe5tFyxcV0TtA1S5PehVGZRHYHV%2FpOG%2BbzR1Dcn2z2u0I72hZ%2F7X5nKoHtBjRMDvZnZneoi%2FAI9C2DMtsZemC3g7FLaEM6BV1JXkzjSoeH01LFLze", "https://vtbehaviour.commondatastorage.googleapis.com/6ff69fa3791b2fa97f24d4bf813c0482afa79961203ba0251fd98328c96ed36e_Zenbox.html?GoogleAccessId=758681729565-rc7fgq07icj8c9dm2gi34a4cckv235v1@developer.gserviceaccount.com&Expires=1775332172&Signature=AEpI2boARQpxEdX1svqF6ucRMxm96JGdMomcZOTdUlwdGfdyyB8kDhkui3aHlFIFUijkXBGRDLpG4%2FEFvHiA4JDASaFT7MuYUgw%2Fy7xLA5S28HNLgqEqzGb4TSOa58v0WxA0YOpEEs8i8Umx7Kx6LM7C5R9OI50lKO9ma917WLa3ugyTqBnXCqx9Rgb7OwRuWGCAnqNUqjSXub0XMP8HEgzkgzPRzOZkoSA07gn7t6bTHV4QLuqEHqQX3YZPbSI3ld" ], "public": 1, "adversary": "", "targeted_countries": [], "malware_families": [], "attack_ids": [ { "id": "T1064", "name": "Scripting", "display_name": "T1064 - Scripting" }, { "id": "T1070", "name": "Indicator Removal on Host", "display_name": "T1070 - Indicator Removal on Host" }, { "id": "T1071", "name": "Application Layer Protocol", "display_name": "T1071 - Application Layer Protocol" }, { "id": "T1083", "name": "File and Directory Discovery", "display_name": "T1083 - File and Directory Discovery" }, { "id": "T1095", "name": "Non-Application Layer Protocol", "display_name": "T1095 - Non-Application Layer Protocol" }, { "id": "T1222", "name": "File and Directory Permissions Modification", "display_name": "T1222 - File and Directory Permissions Modification" }, { "id": "T1518", "name": "Software Discovery", "display_name": "T1518 - Software Discovery" }, { "id": "T1564", "name": "Hide Artifacts", "display_name": "T1564 - Hide Artifacts" }, { "id": "T1573", "name": "Encrypted Channel", "display_name": "T1573 - Encrypted Channel" }, { "id": "T1055", "name": "Process Injection", "display_name": "T1055 - Process Injection" }, { "id": "T1056", "name": "Input Capture", "display_name": "T1056 - Input Capture" }, { "id": "T1082", "name": "System Information Discovery", "display_name": "T1082 - System Information Discovery" }, { "id": "T1486", "name": "Data Encrypted for Impact", "display_name": "T1486 - Data Encrypted for Impact" }, { "id": "T1497", "name": "Virtualization/Sandbox Evasion", "display_name": "T1497 - Virtualization/Sandbox Evasion" }, { "id": "T1562", "name": "Impair Defenses", "display_name": "T1562 - Impair Defenses" }, { "id": "T1543", "name": "Create or Modify System Process", "display_name": "T1543 - Create or Modify System Process" }, { "id": "T1010", "name": "Application Window Discovery", "display_name": "T1010 - Application Window Discovery" }, { "id": "T1560", "name": "Archive Collected Data", "display_name": "T1560 - Archive Collected Data" }, { "id": "T1574", "name": "Hijack Execution Flow", "display_name": "T1574 - Hijack Execution Flow" } ], "industries": [], "TLP": "white", "cloned_from": null, "export_count": 0, "upvotes_count": 0, "downvotes_count": 0, "votes_count": 0, "locked": false, "pulse_source": "web", "validator_count": 0, "comment_count": 0, "follower_count": 0, "vote": 0, "author": { "username": "msudosos", "id": "381696", "avatar_url": "https://otx.alienvault.com/assets/images/default-avatar.png", "is_subscribed": false, "is_following": false }, "indicator_type_counts": { "FileHash-MD5": 18, "FileHash-SHA1": 18, "FileHash-SHA256": 2469, "URL": 287, "domain": 281, "hostname": 110, "IPv4": 5 }, "indicator_count": 3188, "is_author": false, "is_subscribing": null, "subscriber_count": 48, "modified_text": "15 days ago ", "is_modified": false, "groups": [], "in_group": false, "threat_hunter_scannable": true, "threat_hunter_has_agents": 1, "related_indicator_type": "domain", "related_indicator_is_active": 1 }, { "id": "69d16a7bc549fa66f964d19b", "name": "VirusTotal report\n for run.sh", "description": "A full report on the Bourne-Again malware, published on 18 October, 2016. \u00c2\u00a31.5m (\u20ac2.4m; $3.6m).", "modified": "2026-04-04T19:46:03.621000", "created": "2026-04-04T19:46:03.621000", "tags": [ "file type", "ascii", "ascii text", "c source", "python", "python script", "writes shell", "html document", "sample", "posix shell", "persistence", "info", "linuxunix shell", "perl script", "shell", "mitre attack", "overview", "dropped info", "processes extra", "overview zenbox", "linux verdict", "guest system", "ultimate file", "info file", "malicious", "next", "java source", "crlf line", "sgml document", "certificate", "version3", "java keystore", "fraud", "network info", "unicode text", "utf8 text", "png image", "window" ], "references": [ "https://vtbehaviour.commondatastorage.googleapis.com/a711ab9f034ec8f7e6af1f3d2038912744b7633fa6722d9836965742dee6d6a2_Zenbox%20Linux.html?GoogleAccessId=758681729565-rc7fgq07icj8c9dm2gi34a4cckv235v1@developer.gserviceaccount.com&Expires=1775331684&Signature=c5WpYuxTIbVivjy9twSEEFcaF8XNBTwVhnJlSlxi23MOgSHpgwXbHsfE6flrpICVrApX5aa%2FM9SEhNMSNrqfZfffeKVVlSP5HK83DIz5cX7zxj3e6QUJBxfzYTehKIu7PboV3pv7iqaiKuTSoAuVB7SO3q0cmLVdmj0CwgVl%2Bxb2uk8cAuHSozlNlUQTtKp4kj%2B7vXJ8Cu0R8tEldXA9lnQ2YHfdanefJ6U495%2B%2FoBB4eckkj1On", "https://vtbehaviour.commondatastorage.googleapis.com/deeb5ee27b4a740fb22423f0b54253f44fbc1c879569748aae9886f4a9113ec1_Zenbox%20Linux.html?GoogleAccessId=758681729565-rc7fgq07icj8c9dm2gi34a4cckv235v1@developer.gserviceaccount.com&Expires=1775331990&Signature=xR4cCaqYva2bIYOcAYm48EanAq0MTwsTs8BeXhQOE0MrQatTTXDq8gR5ixARCa3GTu2zx8spFdfiUylsmJCarhu8D5vIEuQQ3UD02scWNSGkAu8HiPX2hmMd7Cbni5nWDZIHfI4%2BKCrW8SHDXTrKzyIVfRPxixWVBic9Yaidd1Oqa3KEls3bG28By6k5H1Rd1Qf27epwdP%2BUjrjgpKlmK5tO%2FP7kK1x%2FtMv3w6R4sjLiHATrIjPgoD", "https://vtbehaviour.commondatastorage.googleapis.com/deeb5ee27b4a740fb22423f0b54253f44fbc1c879569748aae9886f4a9113ec1_Zenbox.html?GoogleAccessId=758681729565-rc7fgq07icj8c9dm2gi34a4cckv235v1@developer.gserviceaccount.com&Expires=1775332051&Signature=Bo5b49qay%2F21SiP8bhvZJkYRuw%2BLHz1dfkvJnnEemMii%2F%2FNHk09bmq75u0v2tYMhruii4ncU%2BzXle2POGINpkNmed9FGVbpw3iSzCD9QQKvPuXK0ble2ocVUSZR5vo8vNEV9cS89z1r%2BYqpO3XyS7u%2BajghqNocwpRoq3dwURQqQEqC7II07YOa%2FRpjFQooyWMmOwKC9I%2Fny%2FUmw0%2BDrgg20Kf%2FNsuAzOZLMrdO2o%2B3z", "https://vtbehaviour.commondatastorage.googleapis.com/1a0c03d5766301f341ed160511b7442d063a320d6aa4ffd6bbec89a809059d09_Zenbox%20Linux.html?GoogleAccessId=758681729565-rc7fgq07icj8c9dm2gi34a4cckv235v1@developer.gserviceaccount.com&Expires=1775332091&Signature=CpWTTwCL%2FHBNW7gUdVTGV%2BaYfdffmVnwTljmRJrMAWNVTHZxyiho8OCuzbtyaSxy12vi8YVQ3DzfT8iWx74O9dBqvZgm5NXwFxgPE3qT7MSzykVmuGB9J00pmU2mZCTWSK6Vkm1KQxSJOEYfMu3aaL3P42m84wWdxFDLlEQl2rsllq4t0ADGNFSPSqAXvC6SBm%2F16y8gRzM9dYJ%2B%2FCjznOtd1vc2jV8%2BvjNPi1oJyyEbt2jnI4", "https://vtbehaviour.commondatastorage.googleapis.com/1a0c03d5766301f341ed160511b7442d063a320d6aa4ffd6bbec89a809059d09_Zenbox.html?GoogleAccessId=758681729565-rc7fgq07icj8c9dm2gi34a4cckv235v1@developer.gserviceaccount.com&Expires=1775332117&Signature=QrQhWy6CHNIt4LrFDW8Us3KA0iRKZQsz1n3Grrkp%2FAFqaB1bg7YxB2%2F9WZxBzZ6PMwIWuUdgioXJFXzRQQ55c%2BCI5rBOGF290mKickctOopJ%2FIZ%2FS4MrYScbePx7GxujMl%2BBt0UT1MtozDTOja6QP2MBW5H2mbH5A5PYPJtpn4MwwQg6iUy4IAaEx9FeiJYrpkqvLSzsoq8uDCVv9GGvwXhzWDaOGvzxpSMsY%2BEZ0ti5z1hk8TsA2nI9", "https://vtbehaviour.commondatastorage.googleapis.com/6ff69fa3791b2fa97f24d4bf813c0482afa79961203ba0251fd98328c96ed36e_Zenbox%20Linux.html?GoogleAccessId=758681729565-rc7fgq07icj8c9dm2gi34a4cckv235v1@developer.gserviceaccount.com&Expires=1775332153&Signature=dgkLQ0GIqiF%2Fxe%2BVGzHTZfBQIbpzMfUfH2TTP0G%2FfiVlTXg8BMGx7TyX9WTGlpu6ejWe2xalYze6ohM5Fjaw86Z%2BhmeXwhayr3CfV%2F8EJzusPyOM03QF5IR1ftbWe5tFyxcV0TtA1S5PehVGZRHYHV%2FpOG%2BbzR1Dcn2z2u0I72hZ%2F7X5nKoHtBjRMDvZnZneoi%2FAI9C2DMtsZemC3g7FLaEM6BV1JXkzjSoeH01LFLze", "https://vtbehaviour.commondatastorage.googleapis.com/6ff69fa3791b2fa97f24d4bf813c0482afa79961203ba0251fd98328c96ed36e_Zenbox.html?GoogleAccessId=758681729565-rc7fgq07icj8c9dm2gi34a4cckv235v1@developer.gserviceaccount.com&Expires=1775332172&Signature=AEpI2boARQpxEdX1svqF6ucRMxm96JGdMomcZOTdUlwdGfdyyB8kDhkui3aHlFIFUijkXBGRDLpG4%2FEFvHiA4JDASaFT7MuYUgw%2Fy7xLA5S28HNLgqEqzGb4TSOa58v0WxA0YOpEEs8i8Umx7Kx6LM7C5R9OI50lKO9ma917WLa3ugyTqBnXCqx9Rgb7OwRuWGCAnqNUqjSXub0XMP8HEgzkgzPRzOZkoSA07gn7t6bTHV4QLuqEHqQX3YZPbSI3ld" ], "public": 1, "adversary": "", "targeted_countries": [], "malware_families": [], "attack_ids": [ { "id": "T1064", "name": "Scripting", "display_name": "T1064 - Scripting" }, { "id": "T1070", "name": "Indicator Removal on Host", "display_name": "T1070 - Indicator Removal on Host" }, { "id": "T1071", "name": "Application Layer Protocol", "display_name": "T1071 - Application Layer Protocol" }, { "id": "T1083", "name": "File and Directory Discovery", "display_name": "T1083 - File and Directory Discovery" }, { "id": "T1095", "name": "Non-Application Layer Protocol", "display_name": "T1095 - Non-Application Layer Protocol" }, { "id": "T1222", "name": "File and Directory Permissions Modification", "display_name": "T1222 - File and Directory Permissions Modification" }, { "id": "T1518", "name": "Software Discovery", "display_name": "T1518 - Software Discovery" }, { "id": "T1564", "name": "Hide Artifacts", "display_name": "T1564 - Hide Artifacts" }, { "id": "T1573", "name": "Encrypted Channel", "display_name": "T1573 - Encrypted Channel" }, { "id": "T1055", "name": "Process Injection", "display_name": "T1055 - Process Injection" }, { "id": "T1056", "name": "Input Capture", "display_name": "T1056 - Input Capture" }, { "id": "T1082", "name": "System Information Discovery", "display_name": "T1082 - System Information Discovery" }, { "id": "T1486", "name": "Data Encrypted for Impact", "display_name": "T1486 - Data Encrypted for Impact" }, { "id": "T1497", "name": "Virtualization/Sandbox Evasion", "display_name": "T1497 - Virtualization/Sandbox Evasion" }, { "id": "T1562", "name": "Impair Defenses", "display_name": "T1562 - Impair Defenses" }, { "id": "T1543", "name": "Create or Modify System Process", "display_name": "T1543 - Create or Modify System Process" }, { "id": "T1010", "name": "Application Window Discovery", "display_name": "T1010 - Application Window Discovery" }, { "id": "T1560", "name": "Archive Collected Data", "display_name": "T1560 - Archive Collected Data" }, { "id": "T1574", "name": "Hijack Execution Flow", "display_name": "T1574 - Hijack Execution Flow" } ], "industries": [], "TLP": "white", "cloned_from": null, "export_count": 0, "upvotes_count": 0, "downvotes_count": 0, "votes_count": 0, "locked": false, "pulse_source": "web", "validator_count": 0, "comment_count": 0, "follower_count": 0, "vote": 0, "author": { "username": "msudosos", "id": "381696", "avatar_url": "https://otx.alienvault.com/assets/images/default-avatar.png", "is_subscribed": false, "is_following": false }, "indicator_type_counts": { "FileHash-MD5": 18, "FileHash-SHA1": 18, "FileHash-SHA256": 2469, "URL": 287, "domain": 281, "hostname": 110, "IPv4": 5 }, "indicator_count": 3188, "is_author": false, "is_subscribing": null, "subscriber_count": 48, "modified_text": "15 days ago ", "is_modified": false, "groups": [], "in_group": false, "threat_hunter_scannable": true, "threat_hunter_has_agents": 1, "related_indicator_type": "domain", "related_indicator_is_active": 1 }, { "id": "69c2510383ceef34ed4df669", "name": "CAPE Sandbox", "description": "https://www.virustotal.com/gui/file/0cfb4d7ef8ad0e0378eb022ef107a0a6cc97e7e111228098e68ea8ac1c975a7e/relations", "modified": "2026-03-24T08:53:23.675000", "created": "2026-03-24T08:53:23.675000", "tags": [], "references": [], "public": 1, "adversary": "", "targeted_countries": [], "malware_families": [], "attack_ids": [ { "id": "T1014", "name": "Rootkit", "display_name": "T1014 - Rootkit" }, { "id": "T1036", "name": "Masquerading", "display_name": "T1036 - Masquerading" }, { "id": "T1055", "name": "Process Injection", "display_name": "T1055 - Process Injection" }, { "id": "T1057", "name": "Process Discovery", "display_name": "T1057 - Process Discovery" }, { "id": "T1059", "name": "Command and Scripting Interpreter", "display_name": "T1059 - Command and Scripting Interpreter" }, { "id": "T1064", "name": "Scripting", "display_name": "T1064 - Scripting" }, { "id": "T1071", "name": "Application Layer Protocol", "display_name": "T1071 - Application Layer Protocol" }, { "id": "T1082", "name": "System Information Discovery", "display_name": "T1082 - System Information Discovery" }, { "id": "T1106", "name": "Native API", "display_name": "T1106 - Native API" }, { "id": "T1485", "name": "Data Destruction", "display_name": "T1485 - Data Destruction" }, { "id": "T1496", "name": "Resource Hijacking", "display_name": "T1496 - Resource Hijacking" }, { "id": "T1497", "name": "Virtualization/Sandbox Evasion", "display_name": "T1497 - Virtualization/Sandbox Evasion" }, { "id": "T1539", "name": "Steal Web Session Cookie", "display_name": "T1539 - Steal Web Session Cookie" }, { "id": "T1542", "name": "Pre-OS Boot", "display_name": "T1542 - Pre-OS Boot" }, { "id": "T1548", "name": "Abuse Elevation Control Mechanism", "display_name": "T1548 - Abuse Elevation Control Mechanism" }, { "id": "T1564", "name": "Hide Artifacts", "display_name": "T1564 - Hide Artifacts" }, { "id": "T1573", "name": "Encrypted Channel", "display_name": "T1573 - Encrypted Channel" } ], "industries": [], "TLP": "green", "cloned_from": null, "export_count": 2, "upvotes_count": 0, "downvotes_count": 0, "votes_count": 0, "locked": false, "pulse_source": "web", "validator_count": 0, "comment_count": 0, "follower_count": 0, "vote": 0, "author": { "username": "msudosos", "id": "381696", "avatar_url": "https://otx.alienvault.com/assets/images/default-avatar.png", "is_subscribed": false, "is_following": false }, "indicator_type_counts": { "IPv4": 67, "FileHash-MD5": 131, "FileHash-SHA1": 109, "FileHash-SHA256": 109, "URL": 112, "domain": 82, "hostname": 126, "email": 1 }, "indicator_count": 737, "is_author": false, "is_subscribing": null, "subscriber_count": 47, "modified_text": "27 days ago ", "is_modified": false, "groups": [], "in_group": false, "threat_hunter_scannable": true, "threat_hunter_has_agents": 1, "related_indicator_type": "domain", "related_indicator_is_active": 1 }, { "id": "69c25100c3e5a6096402ade5", "name": "CAPE Sandbox", "description": "https://www.virustotal.com/gui/file/0cfb4d7ef8ad0e0378eb022ef107a0a6cc97e7e111228098e68ea8ac1c975a7e/relations", "modified": "2026-03-24T08:53:20.270000", "created": "2026-03-24T08:53:20.270000", "tags": [], "references": [], "public": 1, "adversary": "", "targeted_countries": [], "malware_families": [], "attack_ids": [ { "id": "T1014", "name": "Rootkit", "display_name": "T1014 - Rootkit" }, { "id": "T1036", "name": "Masquerading", "display_name": "T1036 - Masquerading" }, { "id": "T1055", "name": "Process Injection", "display_name": "T1055 - Process Injection" }, { "id": "T1057", "name": "Process Discovery", "display_name": "T1057 - Process Discovery" }, { "id": "T1059", "name": "Command and Scripting Interpreter", "display_name": "T1059 - Command and Scripting Interpreter" }, { "id": "T1064", "name": "Scripting", "display_name": "T1064 - Scripting" }, { "id": "T1071", "name": "Application Layer Protocol", "display_name": "T1071 - Application Layer Protocol" }, { "id": "T1082", "name": "System Information Discovery", "display_name": "T1082 - System Information Discovery" }, { "id": "T1106", "name": "Native API", "display_name": "T1106 - Native API" }, { "id": "T1485", "name": "Data Destruction", "display_name": "T1485 - Data Destruction" }, { "id": "T1496", "name": "Resource Hijacking", "display_name": "T1496 - Resource Hijacking" }, { "id": "T1497", "name": "Virtualization/Sandbox Evasion", "display_name": "T1497 - Virtualization/Sandbox Evasion" }, { "id": "T1539", "name": "Steal Web Session Cookie", "display_name": "T1539 - Steal Web Session Cookie" }, { "id": "T1542", "name": "Pre-OS Boot", "display_name": "T1542 - Pre-OS Boot" }, { "id": "T1548", "name": "Abuse Elevation Control Mechanism", "display_name": "T1548 - Abuse Elevation Control Mechanism" }, { "id": "T1564", "name": "Hide Artifacts", "display_name": "T1564 - Hide Artifacts" }, { "id": "T1573", "name": "Encrypted Channel", "display_name": "T1573 - Encrypted Channel" } ], "industries": [], "TLP": "green", "cloned_from": null, "export_count": 2, "upvotes_count": 0, "downvotes_count": 0, "votes_count": 0, "locked": false, "pulse_source": "web", "validator_count": 0, "comment_count": 0, "follower_count": 0, "vote": 0, "author": { "username": "msudosos", "id": "381696", "avatar_url": "https://otx.alienvault.com/assets/images/default-avatar.png", "is_subscribed": false, "is_following": false }, "indicator_type_counts": { "IPv4": 67, "FileHash-MD5": 131, "FileHash-SHA1": 109, "FileHash-SHA256": 109, "URL": 112, "domain": 82, "hostname": 126, "email": 1 }, "indicator_count": 737, "is_author": false, "is_subscribing": null, "subscriber_count": 47, "modified_text": "27 days ago ", "is_modified": false, "groups": [], "in_group": false, "threat_hunter_scannable": true, "threat_hunter_has_agents": 1, "related_indicator_type": "domain", "related_indicator_is_active": 1 }, { "id": "69c24230375c48e25e93161c", "name": "CAPE Sandbox", "description": "no problems.", "modified": "2026-03-24T08:08:11.711000", "created": "2026-03-24T07:50:08.453000", "tags": [], "references": [], "public": 1, "adversary": "", "targeted_countries": [], "malware_families": [], "attack_ids": [ { "id": "T1014", "name": "Rootkit", "display_name": "T1014 - Rootkit" }, { "id": "T1036", "name": "Masquerading", "display_name": "T1036 - Masquerading" }, { "id": "T1055", "name": "Process Injection", "display_name": "T1055 - Process Injection" }, { "id": "T1057", "name": "Process Discovery", "display_name": "T1057 - Process Discovery" }, { "id": "T1059", "name": "Command and Scripting Interpreter", "display_name": "T1059 - Command and Scripting Interpreter" }, { "id": "T1064", "name": "Scripting", "display_name": "T1064 - Scripting" }, { "id": "T1071", "name": "Application Layer Protocol", "display_name": "T1071 - Application Layer Protocol" }, { "id": "T1082", "name": "System Information Discovery", "display_name": "T1082 - System Information Discovery" }, { "id": "T1106", "name": "Native API", "display_name": "T1106 - Native API" }, { "id": "T1485", "name": "Data Destruction", "display_name": "T1485 - Data Destruction" }, { "id": "T1496", "name": "Resource Hijacking", "display_name": "T1496 - Resource Hijacking" }, { "id": "T1497", "name": "Virtualization/Sandbox Evasion", "display_name": "T1497 - Virtualization/Sandbox Evasion" }, { "id": "T1539", "name": "Steal Web Session Cookie", "display_name": "T1539 - Steal Web Session Cookie" }, { "id": "T1542", "name": "Pre-OS Boot", "display_name": "T1542 - Pre-OS Boot" }, { "id": "T1548", "name": "Abuse Elevation Control Mechanism", "display_name": "T1548 - Abuse Elevation Control Mechanism" }, { "id": "T1564", "name": "Hide Artifacts", "display_name": "T1564 - Hide Artifacts" }, { "id": "T1573", "name": "Encrypted Channel", "display_name": "T1573 - Encrypted Channel" } ], "industries": [], "TLP": "green", "cloned_from": null, "export_count": 0, "upvotes_count": 0, "downvotes_count": 0, "votes_count": 0, "locked": false, "pulse_source": "web", "validator_count": 0, "comment_count": 0, "follower_count": 0, "vote": 0, "author": { "username": "msudosos", "id": "381696", "avatar_url": "https://otx.alienvault.com/assets/images/default-avatar.png", "is_subscribed": false, "is_following": false }, "indicator_type_counts": { "FileHash-MD5": 277, "FileHash-SHA1": 232, "FileHash-SHA256": 232, "IPv4": 134, "URL": 260, "domain": 180, "hostname": 191, "email": 1 }, "indicator_count": 1507, "is_author": false, "is_subscribing": null, "subscriber_count": 48, "modified_text": "27 days ago ", "is_modified": true, "groups": [], "in_group": false, "threat_hunter_scannable": true, "threat_hunter_has_agents": 1, "related_indicator_type": "domain", "related_indicator_is_active": 1 }, { "id": "6916d97edb28b2616ffac3ab", "name": "njRAT| BazarLoader| Darkside 2020 .Beware \u2022 WebToolbar \u2022 Qbot", "description": "", "modified": "2025-11-14T07:41:19.912000", "created": "2025-11-14T07:25:50.524000", "tags": [ "whois record", "ssl certificate", "historical ssl", "resolutions", "referrer", "communicating", "subdomains", "domains", "problems", "urls http", "ransomware", "malware", "contacted", "dropped", "execution", "tsara brashears", "apple ios", "whois whois", "unlocker", "njrat", "core", "hacktool", "metro", "download", "critical", "copy", "relic", "monitoring", "installer", "awful", "open", "banker", "keylogger", "malicious", "tofsee", "mitre attack", "et", "cisco umbrella", "internet storm", "site", "covid19", "cyber threat", "safe site", "cobalt strike", "malicious url", "alexa", "script urls", "united", "a domains", "as396982 google", "as15169 google", "search", "cname", "accept encoding", "showing", "unknown", "date", "body", "meta", "encrypt", "domain related", "as396982", "creation date", "expiration date", "scan endpoints", "all octoseek", "hostname", "pulse submit", "url analysis", "passive dns", "urls", "next", "all search", "otx octoseek", "as7922 comcast", "as16276", "as54113", "aaaa", "france unknown", "as14061", "status", "as40509", "ip address", "for privacy", "as44273 host", "record value", "certificate", "gmt content", "x sucuri", "as8075", "nxdomain", "as30148 sucuri", "as20940", "as31898 oracle", "hong kong", "as139021", "msie", "chrome", "ipv4", "blacklist http", "detection list", "blacklist", "files", "location hong", "kong asn", "tags none", "indicator facts", "name verdict", "falcon sandbox", "mail spammer", "tor known", "tor relayrouter", "exit", "node tcp", "traffic", "heur", "malicious site", "alexa top", "million", "alexa proxy", "outbreak", "installcore", "acint", "conduit", "installpack", "iobit", "artemis", "dropper", "mediaget", "crack", "spammer", "france mail", "summary", "url summary", "phishing", "union", "team", "bank", "unsafe", "threat report", "ip summary", "pattern match", "script", "et tor", "known tor", "relayrouter", "node traffic", "misc attack", "beginstring", "null", "error", "span", "class", "generator", "refresh", "tools", "hybrid", "general", "click", "strings", "servers", "ps ord", "name servers", "poetry", "moved", "content length", "content type", "x powered", "poems", "poem", "topic", "topics", "poem topics", "free poems", "love poems", "romantic poems", "classic poems", "friendship poems", "shone pale", "herself", "heavens", "her beam", "a fleecy", "proud evening", "star", "thou bearest", "heaven", "than", "google", "http", "leasewebuklon11", "search live", "api blog", "docs pricing", "login", "february", "gb summary", "london", "april", "screenshot", "url https", "reverse dns", "general full", "name value", "frankfurt", "main", "germany", "asn15169", "resource", "hashes", "copyright", "gmbh version", "follow", "blacklist https", "phishing site", "malware site", "riskware", "opencandy", "cleaner", "iframe", "xtrat", "agent", "softcnapp", "generic", "patcher", "driverpack", "exploit", "mimikatz", "downldr", "presenoker", "fusioncore", "wacatac", "beach research", "trojanspy", "maltiverse", "firehol", "proxy", "anonymizer", "adware", "kuaizip", "downer", "tag count", "tue apr", "sample", "samples", "fakealert", "genkryptik", "icedid", "coinminer", "nircmd", "swrort", "systweak", "behav", "tiggre", "filetour", "quasar rat", "fuery", "bazaloader", "media", "facebook", "service", "runescape", "webtoolbar", "a9dia", "a1ginaprincipal", "emails", "registrar", "http header", "tcp traffic", "et useragents", "unknown traffic", "antivirus", "server", "gmt united", "accept", "local", "path", "falcon", "file", "ascii text", "windows nt", "png image", "appdata", "jpeg image", "indicator", "twitter", "westlaw njrat", "zuorat", "skynet bot", "glupteba", "asn4583", "thomsonreuters", "asn209242", "june", "back", "united kingdom", "cisco", "umbrella rank", "rank", "page url", "as autonomous", "system", "yndx", "ipasns ip", "november", "de summary", "comodo rsa", "security tls", "software", "resource hash", "security", "ecdhersa", "de indicators", "de page", "url history", "javascript", "gts ca", "secure server", "markmonitor", "ip information", "detail domains", "domain tree", "links certs", "frames domain", "requested", "threat roundup", "march", "threat round", "parent parent", "roundup", "january", "threats", "qbot", "cyberwar", "skynet", "radar ineractive", "control server", "engineering", "host", "services", "pony", "nanocore rat", "meterpreter", "zeus", "zbot", "suppobox", "stealer", "redline stealer", "dnspionage", "mirai", "nanocore", "bradesco", "emotet", "laplasclipper", "asn16276", "get h2", "kb image", "august", "kali", "localappdata", "network traffic", "binary file", "svg scalable", "vector graphics", "mwin", "domain", "url http", "pulse pulses", "related nids", "files location", "customer", "address", "as29789", "hosting", "location united", "status hostname", "query type", "address first", "seen last", "seen asn", "country unknown", "urls date", "checked url", "hostname server", "response ip", "address google", "safe browsing", "present mar", "pulse indicator", "protocol h2", "value", "variables", "waypoint object", "gsqueue", "isotope", "hostnames", "ice fog", "maltiverse top", "financial", "as62597 nsone", "sec ch", "domains show", "entries", "as14720 gamma", "canada unknown", "as397241", "as13335", "applicunwnt", "xrat", "maltiverse safe", "aig", "soc", "hallrender", "brian sabey", "mark brian sabey", "sabey", "mark", "sabey", "data center", "malvertizing", "malware host", "scanning host", "botnetwork", "colorado", "edsaid", "geotracking", "satellite tracking", "radar tracking", "pornhub", "child teen content illegal", "social engineering", "cyber stalking", "CVE-2023-4966", "device control", "camera usage", "hidden users", "message interception", "text archiver", "mail collection", "remote attacks", "js", "python", "inject", "sql", "extraction", "AIG Claims", "hallrender.com", "soc", "milemighmedia", "westlaw", "revengeporn", "bot", "regex", "ai", "yandex" ], "references": [ "web2.westlaw.com (redirects to thbrzzrstr.me)", "http://web2.westlaw.com/ (redirect) https://signon.thomsonreuters.com/?productid=CBT&lr=0&culture=en-US&returnto=https%3a%2f%2f1.next.westlaw.com%...", "https://hybrid-analysis.com/sample/8bf763ce9396c4569afbae58392097fd57408339c0ac59ec256468c9fd8ac4c5/6548ebfe56b25bab28017757", "https://urlscan.io/result/2285cee3-1e08-4e63-b48f-ee685e008480/#summary", "https://hybrid-analysis.com/sample/86479bf7c9a675913b93a0d399f5cbe0c0e8003239e93ae5e00f97cdbc5ec5ba/5c5c13577ca3e12626364777", "https://urlscan.io/result/4f0cabbf-9716-47dd-bd5c-038a953e6672/", "Malware Host: HallRender.com", "riverside.rocks (safebae.com remote uTorrent) https://hybrid-analysis.com/sample/11108ef17bd75f36e0d22d95b1f3bde3e9fa968a78a24c2d2508f4238e22651d/6326a50be4a8a71b885f5bf3", "safebae.org", "http://auditrage.top/Rossmaansywh/tb.php?wmtvjltu (phishing | cybercrime)", "Hallrender.com and Westlaw.com.= http://auditrage.top/Rossmaansywh/tb.php?wmtvjltu", "Poemhunter.com + rally point.com = pornhub.dev", "Pornhub dev VT community: https://www.virustotal.com/gui/domain/pornhub.dev/community", "Poemhunter.com: https://hybrid-analysis.com/sample/86479bf7c9a675913b93a0d399f5cbe0c0e8003239e93ae5e00f97cdbc5ec5ba", "https://www.poemhunter.com/tsara-brashears/poems/: https://urlscan.io/result/4f0cabbf-9716-47dd-bd5c-038a953e6672/", "Rallypoint.com https://hybrid-analysis.com/sample/66287c2c36699037cb504201693e26b5f3282cebde1d1c78aecd6f97f04fb694", "Malicious revenge malvertizing: https://www.milehighmedia.com/legal/2257", "https://www.anyxxxtube.net/search-porn/tsara-brashears/", "https://matrix.pornhub.dev", "nr-data.net", "https://www.hallrender.com/wp-content/themes/Hall-Render/assets/icons/apple-touch-icon-76x76.png", "https://www.hallrender.com/wp-content/themes/Hall-Render/assets/icons/apple-touch-icon.png", "https://apple.pantion.top/", "newrelic.se", "user-apple.info", "appleid-comloginaccount.info", "init-p01st.push.apple.com", "boostmobile.com", "www.metrobyt-mobile.com", "http://bpdb.portal.gov.bd:3128/sites/default/files/files/bpdb.portal.gov.bd/npfblock/2021-34bc869d2906198362a4346373ce5b94.jpg", "https://b.link/infringement", "my.mintmobile.com", "CVE-2023-4966", "http://watchhers.net/index.php", "https://rr2---sn-4g5ednsz.googlevideo.com/videoplayback?expire=1699319292&ei=nDlJZfb4G43E-gaYt5XoDg&ip=2001%3A1b60%3A2%3A240%3A3247%3A%3A" ], "public": 1, "adversary": "", "targeted_countries": [ "Spain", "Netherlands", "Canada", "United States of America" ], "malware_families": [ { "id": "Tsara Brashears", "display_name": "Tsara Brashears", "target": null }, { "id": "Mitre Attack", "display_name": "Mitre Attack", "target": null }, { "id": "ET", "display_name": "ET", "target": null }, { "id": "Beach Research", "display_name": "Beach Research", "target": null }, { "id": "TrojanSpy", "display_name": "TrojanSpy", "target": null }, { "id": "Maltiverse", "display_name": "Maltiverse", "target": null }, { "id": "WebToolbar", "display_name": "WebToolbar", "target": null }, { "id": "Radar Ineractive", "display_name": "Radar Ineractive", "target": null } ], "attack_ids": [ { "id": "T1056", "name": "Input Capture", "display_name": "T1056 - Input Capture" }, { "id": "T1027", "name": "Obfuscated Files or Information", "display_name": "T1027 - Obfuscated Files or Information" }, { "id": "T1090", "name": "Proxy", "display_name": "T1090 - Proxy" }, { "id": "T1059", "name": "Command and Scripting Interpreter", "display_name": "T1059 - Command and Scripting Interpreter" }, { "id": "T1071", "name": "Application Layer Protocol", "display_name": "T1071 - Application Layer Protocol" }, { "id": "T1105", "name": "Ingress Tool Transfer", "display_name": "T1105 - Ingress Tool Transfer" }, { "id": "T1497", "name": "Virtualization/Sandbox Evasion", "display_name": "T1497 - Virtualization/Sandbox Evasion" }, { "id": "T1140", "name": "Deobfuscate/Decode Files or Information", "display_name": "T1140 - Deobfuscate/Decode Files or Information" }, { "id": "T1566", "name": "Phishing", "display_name": "T1566 - Phishing" }, { "id": "T1043", "name": "Commonly Used Port", "display_name": "T1043 - Commonly Used Port" }, { "id": "T1179", "name": "Hooking", "display_name": "T1179 - Hooking" }, { "id": "T1071.004", "name": "DNS", "display_name": "T1071.004 - DNS" }, { "id": "T1071.001", "name": "Web Protocols", "display_name": "T1071.001 - Web Protocols" }, { "id": "TA0004", "name": "Privilege Escalation", "display_name": "TA0004 - Privilege Escalation" }, { "id": "T1210", "name": "Exploitation of Remote Services", "display_name": "T1210 - Exploitation of Remote Services" }, { "id": "T1068", "name": "Exploitation for Privilege Escalation", "display_name": "T1068 - Exploitation for Privilege Escalation" }, { "id": "T1450", "name": "Exploit SS7 to Track Device Location", "display_name": "T1450 - Exploit SS7 to Track Device Location" }, { "id": "T1114", "name": "Email Collection", "display_name": "T1114 - Email Collection" }, { "id": "T1176", "name": "Browser Extensions", "display_name": "T1176 - Browser Extensions" }, { "id": "T1573", "name": "Encrypted Channel", "display_name": "T1573 - Encrypted Channel" }, { "id": "T1003", "name": "OS Credential Dumping", "display_name": "T1003 - OS Credential Dumping" }, { "id": "T1423", "name": "Network Service Scanning", "display_name": "T1423 - Network Service Scanning" }, { "id": "T1035", "name": "Service Execution", "display_name": "T1035 - Service Execution" }, { "id": "T1563", "name": "Remote Service Session Hijacking", "display_name": "T1563 - Remote Service Session Hijacking" }, { "id": "T1056.001", "name": "Keylogging", "display_name": "T1056.001 - Keylogging" }, { "id": "T1110.002", "name": "Password Cracking", "display_name": "T1110.002 - Password Cracking" }, { "id": "T1427", "name": "Attack PC via USB Connection", "display_name": "T1427 - Attack PC via USB Connection" }, { "id": "T1445", "name": "Abuse of iOS Enterprise App Signing Key", "display_name": "T1445 - Abuse of iOS Enterprise App Signing Key" }, { "id": "T1453", "name": "Abuse Accessibility Features", "display_name": "T1453 - Abuse Accessibility Features" }, { "id": "T1472", "name": "Generate Fraudulent Advertising Revenue", "display_name": "T1472 - Generate Fraudulent Advertising Revenue" }, { "id": "T1173", "name": "Dynamic Data Exchange", "display_name": "T1173 - Dynamic Data Exchange" }, { "id": "T1410", "name": "Network Traffic Capture or Redirection", "display_name": "T1410 - Network Traffic Capture or Redirection" } ], "industries": [], "TLP": "green", "cloned_from": "654971c396ca4306a6534b12", "export_count": 16, "upvotes_count": 0, "downvotes_count": 0, "votes_count": 0, "locked": false, "pulse_source": "web", "validator_count": 0, "comment_count": 0, "follower_count": 0, "vote": 0, "author": { "username": "Q.Vashti", "id": "337942", "avatar_url": "https://otx.alienvault.com/assets/images/default-avatar.png", "is_subscribed": false, "is_following": false }, "indicator_type_counts": { "domain": 4037, "hostname": 2241, "URL": 2516, "FileHash-MD5": 1224, "FileHash-SHA1": 783, "FileHash-SHA256": 2796, "CVE": 10, "email": 25 }, "indicator_count": 13632, "is_author": false, "is_subscribing": null, "subscriber_count": 142, "modified_text": "157 days ago ", "is_modified": true, "groups": [], "in_group": false, "threat_hunter_scannable": true, "threat_hunter_has_agents": 1, "related_indicator_type": "domain", "related_indicator_is_active": 1 }, { "id": "67a801c7a6074eb73a688c51", "name": "#OpsBedil Targeted Attack: Malicious Windows Spyware VIM on OS", "description": "The sandbox for vim allows dangerous functions such as (1) writefile, (2) feedkeys, and (3) system, which might allow user-assisted attackers to execute shell commands and write files via modelines; including: \nT1027 - Obfuscated Files or Information\nT1030 - Data Transfer Size Limits\nT1036 - Masquerading\nT1056 - Input Capture\nT1059 - Command and Scripting Interpreter\nT1070 - Indicator Removal on Host\nT1105 - Ingress Tool Transfer\nT1106 - Native API\nT1119 - Automated Collection\nT1134 - Access Token Manipulation\nT1140 - Deobfuscate/Decode Files or Information\nT1176 - Browser Extensions\nT1547 - Boot or Logon Autostart Execution", "modified": "2025-03-11T00:00:59.533000", "created": "2025-02-09T01:15:51.632000", "tags": [ "code", "range", "file offset", "ecxedi20xa", "edi0x6d", "ebp20x20", "esi0x67", "edx0x6f", "esi0x61", "ebp20x62", "hopper", "cve20072438", "normally", "use vim", "checkfile", "vimruntime", "checkdir", "vim project", "https", "bram moolenaar", "bram", "files", "silent", "insert mode", "down", "pumvisible", "vim script", "evim", "maintainer", "spellpopupmenu", "aunmenu", "tlunmenu", "loadbuffermenu", "revert", "difforig", "show", "ctrlu", "diffthis", "bail", "win32", "vim support", "remove", "comment", "genericname", "name", "keywords", "gvim", "edit", "zhcn", "editor", "metin", "rediger", "loadftplugin", "filetype", "expand", "amatch", "make", "sinsert", "middlemouse", "unix", "amiga", "mswindows", "loadindent", "end def", "visual mode", "shiftdel", "copy", "vim default", "selectmode", "insert", "load", "detectfiletype", "addoption", "optiong", "binoptiong", "optionl", "binoptionl", "header", "space", "python", "find", "open", "mark", "shell", "ruby", "install", "vim desktop", "substitute", "vunmenu", "paste", "script", "selectall", "word", "popup", "menu", "line", "close", "window", "back", "toolbar", "compiler", "next", "hack", "vimvimrc", "haiku", "openvms", "setsyn", "lang", "syntax menu", "description", "define", "setsyn function", "assembly", "maya", "bufnewfile", "bufread", "starsetf", "setf", "language", "visual basic", "xml au", "latex", "setfiletypesh", "endif", "lilo", "apache", "postscript", "rexx", "atom", "meta", "clipper", "desktop", "gift", "hercules", "julia", "mercurial", "pacman", "trigger", "puppet", "path", "powershell", "info", "ziggy", "speedup", "systemd", "form", "format", "calendar", "dracula", "config", "sfile", "esc", "iconv", "psflags", "if defined", "newitem force", "itemtype file", "iso88591 t", "utf8", "utf8 t", "iconvpath", "t iso88591", "makefile", "converted", "bob ware", "colorado school", "mines", "vim editor", "on your", "original copy", "please", "golden", "translation", "lesson", "enter", "type", "filename", "press", "normal mode", "repeat", "summary", "notice", "ruler", "test", "letzn", "mrkl", "zeil", "strg", "bewg nn", "end von", "druck", "dautticht", "zipf", "zaichen", "netty", "moveu el", "entrar", "premeu", "fitxer", "normal", "prova", "repetiu", "sumari", "desprs", "ara premeu", "cont", "ctrl", "ctrld", "append", "ctrlr", "ctrli", "shift", "backspace", "lekce", "napi", "dek oznaen", "normlnm mdu", "pesu", "stla", "soubor", "pesu kurzor", "opakuj", "toto", "lektion", "flyt", "skriv", "tryk p", "gentag", "bemrk", "filnavn", "nr der", "tryk", "zeile", "bewege den", "tippe", "zeichen", "cursor zu", "cursor zum", "kommandos", "cursor", "null", "tutor", "ctrlg", "shiftg", "shiftn", "msdos", "vimtutor", "capslock", "michael", "movu la", "leciono", "enenklavo", "kursoron al", "tajpu", "kursoron e", "testo", "premu", "dosiernomo", "resumo", "nova", "anon", "leccin", "mueva el", "intro", "pulse", "escriba", "para", "ahora", "insertar", "esto", "repita", "antes", "tenga", "como", "este", "leon", "tapez", "dplacez", "entre", "chap", "insertion", "puis tapez", "rptez", "appuyez", "lekcija", "otipkajte", "pritisnite", "ponovite", "kako bi", "insert mod", "prijeite", "saetak", "imedatoteke", "note", "windows", "yank", "mozgassuk", "fjlnv", "parancs", "lecke", "teszt", "j sort", "nyomja meg", "norml mdban", "ismtelje", "muovi il", "batti", "lezione", "invio", "premi", "ripeti i", "nomefile", "modalit normale", "adesso batti", "nota", "alla", "stata", "replace", "change", "subtitute", "school", "emiau", "spustelkite", "testas", "pirmj", "failovardas", "fail", "normalij", "santrauka", "ymeklis", "raid", "ramen", "tagad", "ievadiet", "piemram", "apkopojums", "lai izdzstu", "lai ievietotu", "ievadot", "ievrojiet", "js varat", "macos", "leksjon", "flytt", "trykk", "slette", "repeter", "erstatte", "sette", "kommandoen", "sett", "tips", "vise", "druk", "het commando", "herhaal de", "als je", "deze", "de cursor", "gebruik", "voeg", "bestandsnaam", "zorg", "mova", "digite", "teste", "agora", "pressione", "insero", "mais", "lekcja", "przenie kursor", "wcinij", "vima", "wpisz", "teraz", "powtarzaj", "nazwapliku", "uwaga", "jest", "dmesine", "ders", "ilk satra", "bu satrda", "normal kipe", "normal kipte", "daha fazla", "pomerite kursor", "otkucajte", "preite", "imefajla", "rezime lekcije", "za zamenu", "flytta", "filnamn", "normallge", "tryck", "om du", "sammanfattning", "genom", "lekcia", "presu kurzor", "presu", "napsanie", "zopakuj", "poznmka", "lcmessages", "lcall", "slovak tutor", "vim tutor", "amatria", "thevimproject", "slovak", "czech", "number", "motion", "ignore", "hjkl", "by gi", "di chuyn", "cu lnh", "u tin", "thay", "tntptin", "nu bn", "tng kt", "vim c", "lodi", "caps", "lock", "abc de", "command", "krishna", "spellerrors", "display dpy", "none", "false", "xfree", "sendinit", "isserialname", "staticspace", "xsync", "sendtovim", "main", "k command", "shell script", "vt100", "term vt100w", "dec locator", "vsnet", "tools", "external tools", "title", "arguments", "curline", "itempath", "init dir", "empty", "fbshtagsfp", "create", "options", "tags", "bourne shell", "perl", "fbkshfp korn", "tcl shell", "tk windowing", "parse", "new buffer", "buildcasetable", "printf", "buildwidthtable", "keys", "parsefoldprops", "parsewidthprops", "variabletags", "argv", "stephen riehm", "david woodfall", "getopt", "v include", "print version", "suppress", "reason", "file", "severity", "o ccfilter", "following", "this first", "ccfilter", "quickfix format", "though", "start", "john lange", "primitivem", "errorformat", "perl script", "executecore", "aerts", "sw developer", "sony telecom", "europe", "b1130 brussels", "belgium", "port", "host", "server", "vim channel", "chopen", "localhost8765", "json message", "linelength", "compilernames", "irix", "solaris", "hpux", "pablo ariel", "c compiler", "compilerqty", "usage", "project", "collector", "written", "ives aerts", "notes", "r decrement", "v verbose", "outputs", "o treat", "program", "q errorfile", "stdout", "copyright", "joerg ziefle", "perl w", "first", "maketag", "version", "exuberant ctags", "statement", "loop", "michael schaap", "support", "packagename", "look", "february", "push", "sgi mipspro", "error int", "error", "doit", "vim9 function", "nr2char", "c program", "vim quickfix", "awk script", "dec terminal", "make vim", "errors", "begin", "kirchgatterer", "opcodes syn", "addresses", "numbers", "types syn", "blocks syn", "strings syn", "program counter", "hilo byte", "quit", "todo todo", "aappythonscript", "python line", "python block", "blockline", "abap", "statement hi", "string hi", "structure", "vim abap", "abapr4", "marius piedallu", "james allwright", "april", "klmpqwvw", "comment hi", "type hi", "identifier hi", "constant let", "abel", "john cook", "johncook3", "a bunch", "todo xxx", "fixme", "c style", "abaqus", "carl osterwisch", "costerwi", "remark", "abaqus comment", "abaqus keyword", "include hi", "todo hi", "acedb model", "stewart morris", "thu apr", "syntax file", "acedb software", "xref syn", "rest", "preproc hi", "delimiter hi", "nikolai weibull", "include", "useroption", "options medium", "defaultprinter", "outputfirstline", "filecommand", "todo fixme", "martin krischik", "kind", "keyword", "mk bram", "standard", "character", "stype", "date", "vim syn", "altera ahdl", "x syn", "todo", "xnor syn", "specialchar hi", "builtin", "define hi", "builtin rect", "operator hi", "special hi", "dbus", "g3drop", "builtin dump", "builtin number", "builtin call", "redir", "stream", "screen", "function hi", "aflex", "lex syntax", "mathieu clabaut", "lastchange", "ada syntax", "aflex stuff", "patterns", "dominique pelle", "storageclass hi", "keyword let", "endlet", "htmlformat", "htmlcolor", "span", "htmlformatn", "foldcolumnbuild", "css1", "foldedid", "html", "generator", "fixme todo", "xxx note", "spell", "amigados", "campbell", "former url", "syntaxamiga", "krief david", "display drop", "beta cauchy", "irand224 syn", "normal poisson", "antlr4", "another tool", "yinzuo jiang", "jiangyinzuo", "july", "option value", "ben rubson", "hammers", "changelog", "option value1", "option", "value1", "david necas", "yeti", "base", "xxx not", "core", "antlr", "javacc parser", "azaz09", "parserend", "parserbegin", "token skip", "antsyntaxscript", "doug kearns", "zellner", "xmlcdatastart", "xmlcdataend", "xmltag", "xmlendtag", "ayer", "atch", "orkspace", "ngle", "rity", "mbol", "ffset", "istory", "osition", "xport", "stack", "tack", "digi", "flip", "shade", "cluster", "keyb", "arch", "moran", "ecode", "gnu arch", "source", "keyword hi", "simulate", "aptitude", "state", "yann amar", "quidame", "aptconf", "incomplete", "ebug", "autodetect", "fast", "marker", "score", "arduino", "hoff", "october", "license", "vim license", "arduino ide", "erik nomitch", "adam obeng", "artenterprise", "dorai sitaram", "ds26", "thilo six", "number hi", "edfghprs", "gnu assembler", "erik wognsen", "kdahlhaus", "kevin", "label hi", "macro hi", "title hi", "deprecated", "skip", "none hi", "claudio fleiner", "claudio", "end imports", "exports from", "implicitstags", "explicitstags", "absent present", "size universal", "strings", "aspperlscript", "perlscript", "aaron hope", "constant hi", "bwlsdxp", "macro", "specialchar", "error hi", "aspvbserror", "aspvbsfunction", "aspvbsmethods", "aspvbsstatement", "aspvbsnumber", "aspvbscript", "aspvbscomment", "aspvbs", "exits", "floating point", "asterisk", "tilghman lesher", "corydon76", "zonemessages", "atlas", "inaki saez", "jisaez", "flags bef", "orange syn", "containsasytodo", "asymptote", "avid seeker", "c syntax", "autodoc", "berg", "xml dl", "display", "contains", "borz", "kdpds", "oneline", "hotstring", "comspec", "hotkey", "reload", "common", "autoit", "soundplay", "autoit v3", "jared breland", "ping", "shutdown", "vim maintainers", "john williams", "action", "makefile syntax", "avenue", "arcview", "wagner", "esri", "string", "integer number", "operator syn", "xor mod", "hitachi h8300h", "xorc syn", "identifier let", "avr assembler", "avra", "avra home", "avra version", "marius ghita", "mhitza", "gawk ref", "functions syn", "awk ref", "effective awk", "programming", "keeps", "astro", "style", "fold", "enable", "astrojavascript", "htmlpreproc", "wuelner martnez", "html tag", "azaz", "ayaccuniongroup", "ayacc", "clusters", "aunis", "bash", "a formal", "method", "contributor", "csaba hoch", "undef", "defaultchar", "startstartfont", "bdfboundingbox", "containsbdftodo", "bibtex", "bernd feige", "ignore case", "xdata customa", "xref", "ams mref", "data", "basic", "quickbasic", "trim", "metacommands", "kill", "zonenumber", "bind zone", "mehnle", "slava gorbanev", "generates syn", "bcall", "vlado", "keywords syn", "string syn", "comment syn", "parent", "sulejman", "blank", "xspo", "bitbake", "chris larson", "kergoth", "daniel kho", "bsdl", "vhdl syntax", "tim pope", "vimnospam", "highlight", "imperfect", "bstnumber", "entry function", "integers macro", "bazel", "david barnett", "label", "digit", "john leo", "spetz", "boolean", "statuses", "bazaar", "dmitry vasiliev", "dima", "diff", "nospell", "synchronization", "baanerror", "selecteos", "updateerror", "d rows", "default", "selectempty", "selecterror", "updateempty", "union", "hooks", "normal hi", "case", "haskell cabal", "build file", "profunctor", "benchmark", "import", "cabalconfigpath", "cabal config", "original author", "cabalconfigkey", "false ghc", "cabal project", "true false", "cabalprojectnat", "boolean hi", "cparengroup", "cstringgroup", "ccommentgroup", "clabelgroup", "iso c99", "elifs", "ifndef", "ccppoutingroup", "optional", "accept", "public dtddecl", "entity catalog", "errormsg hi", "cdlcommentgroup", "raul segura", "acevedo", "xcheck", "childsname", "parentsname", "grpsdescription", "fixme xxx", "fullburn", "readdriver", "writedevice", "readdevice", "cfgcomment", "uncpath", "cfgstring", "cfgsection", "prischepoff", "on off", "yes no", "dos drive", "zhenyu", "documentation", "and fold", "operator", "punctuation", "transparent", "region and", "cfmlcorekeyword", "linden", "coldfusion", "skipwhite", "nextgroup", "cdrtoctrack", "cdtext", "performer", "silence", "zero", "softintegration", "cc interpreter", "declspec", "exception hi", "structure let", "built", "chaiscript", "jason turner", "lefticus", "escape", "web changes", "andreas scherer", "details", "cweb", "knuth", "silvio levy", "webcweb", "november", "haskell", "armin sander", "changelog file", "menesis", "vinschen", "june", "chatito", "observeroftime", "import syn", "intent syn", "slot syn", "cheetah", "max ischenko", "matches", "precondit hi", "evan hanson", "scheme", "chicken", "repository", "scheme syntax", "lighten", "heredocs", "cc syntax", "hse1", "chorus", "startofverse", "startofbridge", "startoftab", "startofabc", "startofly", "chordfont", "chill", "repeat hi", "avoid", "youngsang yoon", "image", "ccitt high", "this", "ember", "sifs0", "sinclude", "calendarinclude", "andrea callea", "chuck", "object event", "ugen array", "pieter van", "engelen", "arthur van", "leeuwen", "start syn", "int real", "char bool", "zamana", "flagship", "mario eusebio", "accept append", "blank from", "highlight value", "cmake", "comments", "match key", "cmakecachekey", "advanced", "highlight str", "stringstr", "nickspoons", "internal", "clever language", "clever", "multibase", "philip uren", "philuspax", "cmod", "cmodautodoc", "supports", "init init", "exit gcrecurse", "browser", "cocor", "shukla", "any characters", "context end", "from if", "nested pragmas", "to tokens", "cword", "fnameescape", "supplement", "must", "dgacfbe", "clojuretop", "arraychunk", "vecnode", "vecseq", "x00x7f", "partstart", "gondi", "inst", "etcdisktab", "acmsg", "acmsgtype", "hammesr", "yngve inntjore", "levinsen", "khym chanur", "james mccoy", "well", "anything", "conary recipe", "addallflags syn", "run automake", "makeinstall syn", "install copy", "move symlink", "link remove", "doc syn", "crm114", "modemsg hi", "imported", "target", "true", "interface", "quiet", "private", "write", "multi", "never", "unknown", "fatalerror", "sensitive", "android", "download", "guard", "exact", "locale", "trace", "alphabet", "john hoelzel", "hours days", "commands", "llll", "hminsmsusnsi", "ffll", "ken shan", "ccshan", "context", "synname", "startstartz", "endstopz1", "mptop", "luatop", "csccommentgroup", "if else", "endif elseif", "lev sy", "iallancestors", "curgen sy", "warningmsg hi", "essbase", "prior", "descendants", "cshell", "syntaxcsh", "variables", "luul", "csall", "srecord", "az09", "processes", "amsettimer", "sdlmatch", "default hi", "fdr input", "maxim kim", "habamax", "functions", "predefined term", "end predefined", "term variables", "century term", "csdl", "jacek artymiak", "c22032019", "call", "replacing", "comp", "recognize", "ascii", "existing syntax", "ctrlhbold", "ctrlh", "module level", "prop", "media", "cuda", "nvidia compute", "unified device", "architecture", "terriberry", "device global", "host managed", "shared syn", "restrict", "cupl simulation", "cupl syntax", "matt dunford", "sat nov", "statement let", "tex syntax", "cweb source", "cc material", "webincludedc", "double", "rc file", "dada", "dadas", "etant", "scen", "regel", "pero", "esquema", "tapi", "kada", "dados", "maka", "fono", "cupl", "valid integer", "signal", "phil derrick", "phild", "cynpp", "cynlib", "cynlib syntax", "posedge negedge", "changed syn", "instantiate", "out inst", "url http", "default cynscon", "standard syntax", "include debian", "match uri", "addremove", "byhash", "christopher", "dcod trts", "tnxt crlf", "labl syn", "cequ cneq", "cgte clte", "cbit clse", "dcomment", "jason", "pragma", "4857", "digital command", "sword", "mine", "conditional hi", "dart", "eugene pr3d4t0r", "ciurana", "former", "gerfried fuchs", "alpha", "rust", "datascript", "dscommentgroup", "comment let", "debcopyright", "orig author", "rob brady", "robb", "wu yongwei", "library stub", "code windows", "dos syn", "exports imports", "dep3 patch", "gabriel filion", "gabster", "specification", "authorfrom", "adminemail", "lockfile", "matthijs", "match", "ttext", "ccategory", "fflag", "llicense", "rock linux", "ren rebe", "spell syn", "lastline syn", "filter", "disablestrat", "s un", "r en", "jakson alves", "ansi sgr", "ansi sgr8", "jan larres", "term left", "black", "green", "contact", "charityware", "uganda", "entry", "block", "parasitic", "parameter", "devicemos", "rules", "device", "diva", "toby schaffer", "categories", "exectryexec", "unmounticon", "at wp", "chat", "django", "django template", "dave hodder", "dnsbind zone", "docbook sgml", "cest let", "docbook xml", "docbook", "devin weaver", "shlomi fish", "auto detect", "syntax xml", "sgml", "syntax sgml", "rory hunter", "json", "dockerfiles", "honza pokorny", "onbuilds", "from", "add arg", "cmd copy", "mike williams", "mrmrdubya", "windows nt", "msdosms windows", "mckee", "nima talebi", "hong xu", "sept", "keyword hilink", "hilink", "error hilink", "nargs hilink", "markus mottl", "enclosing", "scott bordelon", "wed apr", "cadence", "automation", "design rule", "checking", "layout", "schematic", "dsssl", "cest", "example", "xmlregionhook", "dtml", "dtml syntax", "zope", "markup language", "jordaan", "doxygenhtmltop", "synlink", "link", "syncolor", "strong", "reflink", "cpreprocgroup", "actions", "dtrace d", "d script", "solaris dynamic", "tracing guide", "nicolas weber", "nicolasweber", "first line", "probe", "turn", "entity", "matchgroupnone", "document type", "definition", "brabandt", "dune", "anton kochkov", "samuel hym", "simon cruanes", "kawahara satoru", "urkedal", "etienne millon", "dylan", "justus", "fri sep", "include let", "dylan library", "interface files", "brent fulgham", "bfulgham", "string let", "fulgham", "dnsmasqkeyword", "dnsmasqrange", "editorconfig", "anders", "edif version", "edif", "artem zankovich", "zartem", "5481988", "john beppu", "beppu", "ecd file", "embedix linux", "elm filter", "syntaxelmfilt", "elmfiltnumber", "brssow", "environments", "wraparound", "elinksnumber", "elinkscolor", "savingstylew", "imagelinksuffix", "homepage", "current void", "selse", "sthen", "eiffel", "joseph hager", "ajhager", "typedef hi", "lambda", "xxxx", "kresimir marzic", "oscar hellstrm", "oscar", "kornel", "syntax", "label highlight", "type highlight", "identifier", "george", "exec sql", "preproc let", "esterel", "luca necchi", "nikos andrikos", "esterel regions", "esterel types", "esterel comment", "identifiers", "euphoria", "builtins", "function", "reset", "should suffice", "etermgeneral", "d0xx", "mod5", "rubytop", "eruby", "erubysubtypezsw", "conventional", "text", "generated file", "david nev", "setup", "expect", "normal expect", "ralph jennings", "knowbudy", "user", "sysv", "bsd isms", "syntaxexports", "optset", "eviews", "vaidotas zemlys", "zemlys", "az4857", "assembler", "fasm", "ron aaron", "vim url", "fasm home", "fasm version", "xmm0 xmm1", "xmm2 xmm3", "dwayne bailey", "dwayne", "fdcc", "definitions", "iso tr", "unicode", "shell command", "output", "array", "fantom", "service", "bridle", "informix", "update", "abort abs", "absolute accept", "access acos", "add after", "allocate alter", "drop", "fishnext", "fishstatement", "fishterminator", "fishargument", "nicholas boyle", "flexwiki", "reilly", "home", "fuse", "modify", "table", "pascal makefile", "sections", "comments syn", "forth79", "forth83", "char", "forth83 syn", "body", "noname", "class", "local", "tung", "thu oct", "thomas reiter", "manipulation", "book", "document", "textfile", "apply", "formats", "popu", "crea", "modi", "memo", "defi", "disp", "dele", "appe", "repl", "proj", "alia", "cmon", "nvert", "mwin", "uniq", "blin", "carr", "story", "mult", "rator", "fortran", "ends", "cray", "ulllull", "stop", "fvwmm4", "mainsyntax", "fvwm2m4", "include m4", "include fvwm2", "fvwm1", "hss1", "general syn", "szsw", "check", "journal", "hold", "fvwm", "cursormove", "edgeresistance", "modulepath", "noborder", "windowlistskip", "backcolor", "sticky", "refresh", "buttons", "exclam", "slash", "gdmo", "iso101654", "guidelines", "managed object", "gyuman", "chester", "godot resource", "section syn", "ssss", "gdb command", "simon sobisch", "isplay", "unset", "linkurl", "gemtext markup", "suneel freimuth", "heading", "list", "quote", "heading special", "list statement", "godot", "bug hack", "gitdiff", "dddd", "endt", "commit", "question hi", "giftcef", "linenr hi", "giftceffw", "giftce", "conceal hi", "gedcom", "paul johnson", "december", "abbr addr", "adop adr1", "adr2 afn", "godot gdscript", "website", "pattern", "attribute syn", "macro syn", "gitcommitdiff", "your", "todo let", "crrw", "creator", "xexec", "syn match", "az4857 syn", "adam monsen", "opengl shading", "modified", "godoc", "title let", "gocommentgroup", "chan", "foldenable", "packagecomment", "integer hi", "todo regexp", "todos", "josh wainwright", "dot ja", "at gmail", "dot com", "karim belabas", "texstyle syntax", "todo syntax", "todd zullinger", "daniel kahn", "gillmor", "containsgpgtodo", "gprof output", "flat profile", "gretl", "gretl genr", "variable", "grads", "fronzek", "grid analysis", "display system", "grads scripting", "variables syn", "gnashkeyword", "gnashcomment", "gnashtodo", "solreadonly", "solsafedir", "john marshall", "jmarshall", "pedro alejandro", "lpezvalencia", "ddd0xx", "pager", "terminal", "chainloader", "groovytop", "exception", "groovy", "debug hi", "gtk theme", "packer", "conceal", "json syntax", "single", "trailing commas", "fixme note", "gnu server", "pages", "source html", "include java", "redefine", "argc argv", "begin begg", "end endg", "graph", "vim source", "matchlist", "vimsrcdir", "both", "getqflist", "cent", "kword", "c function", "small", "light", "vimcontinue", "endstr", "gensynvim", "vim9 syn", "vimexprlist", "magic", "hamlrubytop", "hamlcomponent", "hamltop", "haml", "hamlhtmltop", "david fishburn", "sun oct", "hamster classic", "hamster", "harepostfix", "hare", "vim syntax", "amelia clarke", "selene", "haredoc", "miscellaneous", "haste", "vlsi ic", "c preprocessor", "09afaf", "treat", "varid", "error let", "hbfilename", "hbhtmlstring", "hbhtmltagn", "hbhtmltag", "hbdirectivelib", "hbdirectiveset", "hbdirectiveout", "kkmmgg", "upstream", "a block", "szskkzes", "vim program", "restorer", "defunct", "aprl", "helplang", "intel hex", "sams ricahrd", "data digit", "folding data", "records", "record syn", "ignore hi", "vim help", "ident", "dana edwards", "danaedwards", "ic design", "preprocessor", "spacings", "resolutions", "ranges", "slhg", "hgcommitdiff", "sapling", "ken takata", "kentkt", "max coplan", "float hi", "hls playlist", "benot ryder", "comment line", "hogvar", "hogopnot", "hognumber", "hogipaddr", "hogcomment", "hogport", "hogoprange", "hogcomment syn", "hogstring", "bind", "elseif", "html template", "dennis", "htmltop", "htmljavascript", "onas", "htmlxml", "idem", "aria", "m4top", "htmlm4", "htmlos", "repeat syn", "aestiva", "jason rust", "jrust", "django html", "scomment", "i3configident", "i3configstrin", "i3configvalue", "focus", "i3configsh", "i3configstrvar", "i3configcommand", "i3configcolvar", "moving", "itanium", "parth malwankar", "pmalwankar", "file version", "masm syntax", "mark manning", "markem", "allan kelly", "ibasic file", "icewm menu", "james mahler", "fri apr", "icewm", "ids menu", "icon special", "icemenu", "data language", "ajelenak", "paren hi", "paren", "billshannon", "nlps", "npro", "graphics", "iconpregroup", "icon", "wendell turner", "prelude", "inbpc", "ddspe", "leaderscopy", "fontname", "badness", "elan ruusame", "shtop", "value", "args", "substituted", "macros", "ipfspecial", "ipftodo todo", "hendrik scholz", "hendrik", "openbsd pf", "ipfcomment", "xxx fixme", "donovan keohane", "syndisplay", "global", "verbextend", "double2", "snote", "david brgin", "dbuergin", "continuedoelse", "argv binpath", "cr crlf", "del debug", "eav empty", "inno setup", "my innosetup", "jason mills", "enterdisk syn", "sdsetuptype syn", "ifdef", "elif", "else", "cortopassi", "istoutspec", "peter meszaros", "pmeszaros", "istinpspec", "istcharacter", "istnumber", "istcomment", "jamcommentgroup", "jamparengroup", "ralf lemke", "xxx syn", "jargon file", "dan church", "label let", "javascript", "jls17", "see https", "javatop", "javadoctags", "javahtml", "tx0cr", "javamarkdown", "markdowninline", "jinja", "jinja template", "names syn", "standard jess", "jess", "paul baleme", "pbaleme", "jonas munsin", "xaxis yaxis", "x cross", "number let", "javacc", "java compiler", "javasoft", "vim compiler", "vito", "doc comment", "note xxx", "jspjava", "java server", "rgarciasuarez", "darren greaves", "patch", "thomas kimpton", "software", "eli parra", "json keywords", "jsonc", "izhak jakov", "izhak724", "acknowledgement", "kevin locke", "remove syntax", "json5", "mazunki hoksaas", "guten ye", "ywzhaifei", "syntax setup", "endz1", "kconfigconfigif", "abstract", "juliaexprsnodot", "regex", "naninf", "kdlnumber", "kdlnumber d", "aram drevekenin", "kotlin", "generated", "annotation syn", "kix2001 syn", "kixtart", "handle", "trap", "michael piefel", "entwurf", "cpp mode", "preproc", "error highlight", "storageclass", "delimiter", "sysvars", "false true", "kivy", "corey prophitt", "corey", "load python", "kivy language", "define kivy", "lace", "jocelyn fiat", "constants syn", "latte", "nick moffitt", "pre tag", "elsa", "glapagrossklag", "riley bruins", "ribru17", "keywords syntax", "sections memory", "overlay phdrs", "version include", "absolute addr", "names", "ldapconfcomment", "iso dialect", "modula2 dialect", "modula2 input", "styles", "error endif", "august", "pim dialect", "modula2", "longbitset", "procedure", "r10 dialect", "sto dos", "ldap ldif", "zak johnson", "zakj", "less", "jenoma", "todo optimize", "orce", "arset", "prox", "cache", "agent", "haskelltop", "lhstexcontainer", "ian lynagh", "tex markup", "bird style", "markdown style", "tex style", "lexccode", "user code", "flex", "van engelen", "patrick texier", "lifelines", "xref tag", "liquid", "liquidstatement", "yaml front", "matter", "liquidyamltop", "acdfmnrstuklp", "lilonumber hi", "number list", "niels horn", "lite", "liteinside", "lutz eymers", "ixtab", "email", "sql syntax", "errmsg", "livebook syntax", "lisplistcluster", "clisp ffi", "standard lisp", "keyword lispkey", "litestepdir", "litestep rc", "nethood", "winnt", "lotos", "is8807 syn", "specifications", "is8807", "daniel amyot", "damyot", "wed aug", "except", "logtalk", "logtalk entity", "term", "logic", "chfnauth", "chshauth", "createhome", "defaulthome", "lout", "report", "lambdaprolog", "teyjus", "vim version", "general", "lpccommentgroup", "lpcefungroup", "nodule", "lpcparengroup", "lpcpreprocgroup", "echo", "poet", "timo frenay", "timo", "labels syn", "lotusscript", "taryn east", "ultraedit", "textpad", "activateapp as", "base beep", "call case", "scott bigham", "colorterm", "luau", "marcus aurelius", "farias", "carlos augusto", "collapsebrtags", "lynx web", "lynx", "todo note", "uploader", "lyrics", "lrcnumber", "quake", "operators", "hascbackend", "pkg syn", "definelib syn", "definepgm syn", "importm3lib syn", "fleiner", "mainsyntaxm4", "mailquoteexps", "mail", "felix von", "leitner", "am est", "ascii character", "froms", "mallard", "jhradilek", "mallard markup", "draft", "skipnl", "roland hieber", "overrule", "ostype", "manconfcomment", "build", "suffix", "mason", "perltop", "hinrik rn", "sigursson", "pentium", "abgl", "ceopsz", "offset", "align", "floatingpoint", "vpmaxsq syn", "integer", "maple", "release", "focus master", "define syntax", "filename suffix", "segname segtype", "mtaddon", "matlab", "alex burka", "bbddeess", "all functions", "except keywords", "maxima", "robert dodier", "mermaid", "craig maceahern", "4857192255", "self", "accdescr", "click", "meson", "liam beguin", "zpetkovic", "disabler", "wikitop", "containshtmltag", "wikitableformat", "mediawiki", "yakov lerner", "rfc3339", "james vega", "melgroup", "maya extension", "robert minsk", "jason franklin", "sunghyun nam", "goweol", "mudunuri", "version info", "ctrlh syntax", "markdown", "matchstr", "metafont", "page", "latest revision", "magic point", "spam", "xfont vfont", "gero kuhlmann", "gero", "snmpv1", "snmpv2 mib", "martin smat", "msmat", "david pascoe", "pascoedj", "ax16", "donald knuth", "taocp", "mmix", "dirk hsken", "knuthstyle", "precondit endif", "pcimapfile", "parportmapfile", "model", "nil nil", "true syn", "symbols", "mmatop", "stub", "peter funk", "getdialect", "timo pedersen", "dat97tpe", "whitespace", "any array", "mookeyword", "dilnt", "multiplication", "mojonumber", "mojo", "stuff", "monk", "seebeyond", "mike litherland", "dirk van", "deun", "metapost", "manual", "autosync", "dumpvideo", "loadidx", "rawvideo", "tsprog", "color", "tabtitle", "am cdt", "pm est", "dummy", "ms message", "kwl7", "common ms", "messages", "ms idl", "vadim zeitlin", "vadim", "msql", "env variables", "inlclude", "modsim iii", "philipp jocham", "march", "actid all", "and as", "murphi model", "diego ongaro", "integers", "nspemit", "switch", "mushcode syntax", "rick bird", "clock", "dbck", "dump", "hook", "motd", "notify", "nuke", "restart", "snoop", "stats", "teleport", "attributes", "prettyprint", "libpath", "promylibdir", "attributes syn", "mupad source", "dave silvia", "dsilvia", "ymwd", "cciskaf", "float", "mysql", "pronovici", "encrypt", "namednotnumber", "nick hibma", "location", "marcin", "chaos", "dmap", "modules", "control section", "nastran", "tom kowalski", "any integer", "n1ql", "eugene ciurana", "merge syn", "nest syn", "pr3d4t0r", "vim command", "natural", "nasm", "iend", "movs", "time", "interval", "size", "directory cache", "cache buffers", "minimum file", "count", "daylight", "miner", "keith smiley", "login", "netrwtreegroup", "diffchange hi", "netrw listing", "toplevel", "readtoken", "nixexpr", "daiderd jordan", "daiderd", "region match", "bufenter", "syntax event", "synset", "checked", "muttvars", "neomutt", "bounce", "nsisanyopt", "statements", "nsis", "music", "rcx2", "scout syn", "rcx2 syn", "nqcparengroup", "rcx syn", "nqccommentgroup", "modes", "scout", "stefan", "module", "nginx module", "nginx", "http", "gost", "comet", "speed", "sphinx", "curv", "mtllibs", "exmaintainer", "anthony hodsdon", "objc syntax", "odin", "ms44", "and or", "occamnumber", "group", "omnimark", "paul terray", "mailto", "activate again", "catch clear", "close copy", "ocamltypeexpr", "ocamlallerrs", "jon parise", "ondirshell", "operator let", "objc type", "smes12", "qualifiers", "smes7", "smes19", "preparation", "protected", "structure hi", "openscad", "niklas adam", "luis moreno", "abort all", "alter and", "any as", "asc at", "oplstatement", "oplnumber", "open psion", "epoc16epoc32", "af09", "openvpn", "openvpnnumber", "openvpnsignal", "hupinttermuser", "containstop", "keepend", "eval", "menumode", "endurance", "blade", "illusion", "sneak", "onload", "disablemouse", "getclass", "notes todo", "containsallbut", "spells", "ronan pigott", "ronan", "alpm", "tcpip", "gclckprocs syn", "oracle config", "sandor kopanyi", "oraall", "protocol syn", "bequeath syn", "latest change", "haochen tong", "withconceal", "inlinecode", "super", "pappperl", "papphtml", "cdata", "perlinterpdq", "marc lehmann", "perlexpr", "config file", "lennart schultz", "string keywords", "protobuf text", "lakshay garg", "crgut", "tim chase", "austin", "pcctsinrule", "cpptoplevel", "pccts", "nextstep syn", "openbsd packet", "lauri tirkkonen", "sloadsanchor", "phtml", "perlinterpsq", "perlinterpmatch", "perlinterpslash", "perldata", "portb syn", "intcon syn", "gie eeie", "t0ie inte", "rbie t0if", "intf rbif", "microchip", "pdfxml", "nrtbf", "font", "palm os", "schau", "font id", "beware", "data syn", "postfix", "kelemen peter", "peter", "kelemen", "anton shestakov", "pikestmt", "pikebadgroup", "pike", "pine", "thu feb", "macro let", "httpviewer", "infopath", "longmanuallinks", "filter0xb7", "plaintexmath", "glue", "acute", "cdhoopstuvijll", "rrowvert", "skewsqrt", "mega", "phpinnerhtmltop", "phpclfunction", "phpcltop", "refer", "cphil", "number support", "c language", "does", "address and", "dword", "juerd", "plpperl", "plpend syn", "counter syn", "pl1commentgroup", "pl1parengroup", "declare dcl", "procedure proc", "loops", "podformat", "ibsclfx", "perl pod", "poe item", "show hide", "minimal", "address", "obsolete", "openclose", "bjoern jacke", "bjacke", "povray", "syntax syn", "off true", "false yes", "ppwizard", "dennis bareis", "ppwizargval", "constants", "plsqlparengroup", "oracle", "plsql", "klaus muth", "klaus", "altf amcr", "arc asfn", "astk barc", "blk box", "call syn", "cass cir", "melchior franz", "mfranz", "sonia heimann", "todo tbd", "privoxy", "prolog", "promela", "mon oct", "thu aug", "promela types", "class linking", "ps ll3", "dsc comment", "device gstate", "ps level", "postscrstring", "escaped", "matrix", "courier", "buffers", "redistributions", "this software", "including", "but not", "limited to", "pbcommentgrp", "google", "az09az", "posix", "rex barzee", "rexbarzee", "aclqrv", "a af", "ag ax", "e ef", "eg ex", "certain", "ps1comment", "purify header", "informational", "warning", "corrupting", "fatal", "haakon riiser", "hakonrk", "c syn", "pypa", "commands syn", "globs", "line break", "pyrex", "marco barisione", "python syntax", "olor", "chars", "progress", "ation", "progressdebug", "progressnumber", "edure", "progresstodo", "eter", "daniel", "sage", "widget", "rage", "python library", "reference", "quarto", "aquino", "vim runtime", "quickfix", "directory hi", "hee1", "lookdown lookup", "quakeoctalerror", "quake12command", "noprefix", "console", "onoff", "qb64", "z2z1", "qmlexpr", "radiance scene", "georg mischler", "radiance", "greg ward", "surface", "raccruby", "rule", "racc input", "dobie", "xdobie", "handling", "vector", "types syntax", "raml", "restful api", "hopkins", "rofi advanced", "pierguill", "common rc", "resource", "heiko erhardt", "language syn", "bitmap icon", "cursor cursor", "cmash", "ratpoison", "magnus woldrich", "djkea2", "bulls eye", "force control", "number syn", "rapid", "azazxc0xff", "azazxc0xff09", "rakuinterpqq", "rakuregexen", "rakuregexp5", "rcs log", "joe karthauser", "rcs file", "revision", "yyyy", "rebol", "yer todo", "words syn", "view", "view tabs", "spaces", "vicharsearch", "viprevword", "viendword", "visearchagain", "vinextword", "registry key", "registry export", "ulitin", "head", "regedit4", "win9", "bytes", "paths", "xxx bug", "davide alberani", "remind", "ben orchard", "rem omit", "mit license", "raimon49", "permission", "software is", "resolvipcluster", "ipv6 support", "09azaz", "radu dineiu", "hidesymbol", "r help", "r code", "epsilon", "kappa", "slabelsk", "over", "relax ng", "containsrnctodo", "rnoweb", "highlighting", "rnowebr", "ranke", "ferraz pereira", "rosa", "extension", "bytestream", "andrew bromage", "frameend", "worldbegin", "worldend", "attributebegin", "attributeend", "todo improve", "handles", "todo are", "redif", "axel castellane", "templatetype", "and add", "alex zvoleff", "configuration", "r syntax", "syntaxrpcgen", "mikrotik", "cidr notation", "cycle", "exit", "catch", "rpl2", "rmdlatex", "yaml header", "highlight code", "rmdr", "text format", "rich text", "control words", "new control", "rstcruft", "salt state", "jinja runtime", "star", "disallow syn", "disallow", "samba", "new maintainer", "ntlmv2 syn", "synfold", "rubymodifier", "sasbasicsyntax", "add syntax", "sasgraph", "yrdif yyq", "template", "mixin", "extend", "return", "steven dobay", "stevendobay", "sather", "science", "institute", "dede", "scilab", "benoit hamelin", "containedgroup", "preproc syn", "aclchg", "acldel", "aclgrp", "aclumask", "lockscreen", "zombie", "scss", "puria nafisi", "azizi", "always", "ip adresses", "verify", "synopsys design", "constraints", "tcl vim", "thu mar", "tcl syntax", "tcl extension", "xor syn", "task else", "nextstate syn", "in out", "with from", "ebcdic", "closedelay", "txtrigger", "spdnormal", "portd", "comment hilink", "sexplib", "atoms syn", "lists", "clst", "sgml charset", "capacity scope", "features", "baseset descset", "simple", "shfoldheredoc", "shfoldifdofor", "shlooplist", "shfunctionlist", "shidlist", "shecholist", "shcaselist", "shdblquotelist", "provides", "sgml specific", "space crlf", "dquote syn", "percent", "mp luacall", "alephversion", "uchar", "udelimiterunder", "umathchardef", "umathruleheight", "umathstackvgap", "umathxscale", "uoverwithdelims", "hai tp", "bestanden", "hanya dalam", "fiierele", "tp tin", "aemacron amstex", "aacute", "abrevehook", "afterpar", "agrave ahook", "amstex amacron", "atilde", "beforepar beta", "bigm", "delta", "oldstable", "experimental", "bullseye", "trixie", "forky", "focal", "jammy", "devel", "buzz", "maverick", "keyword syntax", "typescriptvalue", "title syntax", "typescripttype", "blabla", "sicad", "zbranyiczky", "irpt", "irptl", "mes1", "swift project", "simula", "simula syn", "keyword end", "when", "nagle", "main url", "comparison", "load sinda", "on si", "off eng", "sieve", "skill", "nsqn", "dirfile", "pnamestring", "pathversion", "schemeskill", "afterbefore", "tolist", "renderman", "dan piponi", "specialkey hi", "headers", "nontext hi", "jan hlavacek", "xuserblock", "for loop", "userblock", "null syn", "tracedrop", "daheartbeat", "slpregcomment", "spi file", "private public", "slrn score", "preben peppe", "guldberg", "age bytes", "syntaxsm", "smarty", "mon nov", "constant", "slice", "zeroc", "morel bodin", "smcl", "stata markup", "jeff pitblado", "jpitblado", "statasmcl", "directive", "smith", "smil", "herve foucher", "smil boston", "animation syn", "smlallerrs", "smlaenoparen", "fabrizio zeno", "cornelli", "zeno", "snns network", "snns http", "lln lun", "toff soff", "ctype syn", "snns", "maximum", "maximum output", "stringcomment", "initvalvalstr", "mono", "snobol4", "rafal sulejman", "site", "csnobol", "parens", "cothi", "afpnumkg", "spice circuit", "noam halevy", "insensitive syn", "spice", "splintallstuff", "splintannotelem", "ralf wildenhues", "splint home", "c code", "purpose", "buildinstall", "linux rpm", "freund", "ormeir", "wed oct", "spyce", "rimon barr", "rimon", "spupordinary", "input output", "spuptextproc", "type stream", "bugs", "execution", "snns result", "fishburn", "thu sep", "sqloracle", "buffer", "sqlforms", "austin ziegler", "prev change", "todo find", "xpos", "java syntax", "sqlj", "sap hana", "upper case", "upper", "schema syn", "user syn", "memory database", "sql syn", "spl syn", "comment syntax", "query language", "adaptive server", "anywhere", "xpscanf syn", "methods syn", "starea syn", "stcentroid syn", "stperimeter syn", "paul moore", "oracle nquote", "diffadd hi", "diffchange let", "section", "query report", "writer", "nathan stratton", "treadway", "jeff lanzarotta", "squid", "thanksto", "ilya sher", "iso8601", "subrip", "range syn", "ddd skipwhite", "bold", "sections syn", "override", "smalltalk", "arndt hesse", "hesse", "openssh client", "jakub jelen", "jakuje", "dominik fischer", "openssh server", "conditional", "repeats", "types", "globals", "statafuncgroup", "statamacrogroup", "stataparengroup", "rmcoll syn", "invftail", "invibeta", "haseprop", "mata", "structurizr dsl", "venthur", "hsiaoming yang", "lepture", "marc harter", "sudoersuser", "lazy", "generic", "swig", "julien marrec", "apache license", "runtime library", "vim maintainer", "emir sari", "nowarn", "i3confignumvar", "endze", "josef litos", "james eapen", "nargs syncolor", "nargs synlink", "syncolor type", "syncolor ignore", "syncolor added", "preproc synlink", "type synlink", "special synlink", "budden", "ingo karkat", "myk taylor", "install syntax", "syntax au", "systemverilog", "verilog syntax", "tads", "amir karger", "karger", "history info", "syntaxtags", "tak2", "tak3", "tak2000", "tak compare", "tak output", "load tak", "tar listing", "type let", "john florian", "wed jul", "key names", "values", "characters", "uuids syn", "rufus cable", "verbose tap", "rufus", "tap output", "pass", "foolman", "cmovsetj", "borland", "united force", "vector graphics", "verbose", "known template", "xfire user", "tcshvarlist", "tcsh", "gautam iyer", "ttlconstant", "term language", "tera term", "kcpy kcrt", "eenlrtbfs", "xhp xhpa", "xt xenl", "msgr", "tclspecialc", "tcltk", "taylor venable", "taylor", "system", "geometry", "tss syn", "typescript", "kao weiko", "jose elera", "campana", "zhao yi", "scott shattuck", "irc channel", "freenode", "vim filetype", "andy lester", "tt2topcluster", "typescriptreact", "react", "strpart", "include perl", "rawperl", "moriki", "atsushi", "ucnumber", "unrealscript", "openwrt unified", "colin caine", "fancy", "normal let", "typstcode", "matchgroupnoise", "noise highlight", "hashtag", "typstmarkup", "noise", "motif uil", "user interface", "thomas koehler", "september", "import hi", "anton", "prunefs", "prunenames", "prunepaths", "prunebindmounts", "upstart", "upstart job", "michael biebl", "biebl", "james hunt", "archivebit syn", "datelimit syn", "daysold syn", "deleted syn", "destination syn", "dirsonly syn", "drivealias syn", "filedate syn", "filedelete syn", "files syn", "msid", "innovation data", "rob owens", "ull ulls", "msg types", "ip address", "agtpcsrv", "profile", "version date", "ms windows", "action devpath", "valgrind memory", "debugger output", "roger luethi", "program url", "christoph gysin", "valve data", "tag syn", "wend", "prather", "pratam", "minor", "iskeyword", "xnor xor", "veraparengroup", "veralabelgroup", "vhdl", "linting", "vhsic", "high speed", "new style", "verilog", "mun johl", "485763", "vos cm", "andrew mcgill", "az syn", "bwlfdgh", "fdgh", "bwlqofdgh", "psect", "virata aconfig", "virata", "viratahexnumber", "execoptions", "ewind", "uffer", "malt", "wind", "vrmlevents", "vrmlfields", "vrmlcomment", "vrmlprotos", "vrmlnodes start", "externproto", "proto", "vgrindefs", "vgrindefs file", "profilesetzss", "java source", "parmp", "novimmain", "extern", "mswin", "featguimswin", "vimdll", "editnone", "level", "heading level", "vimtestsetup", "noop", "java language", "nontext", "returns", "chapter", "annotations", "labels", "text text", "tag head", "void", "htmlsnippets", "object", "object apply", "object bb", "no operation", "u003b", "n value", "pair", "long", "generics", "predicate", "vimtestsetup hi", "error import", "nontext class", "see jls", "declaration", "taggable", "binaryoperator", "i1 x", "i1 y", "string str", "taggable i1", "letters", "letters alpha", "letters beta", "tag tail", "use identity", "supplier", "tests", "identity", "comparable", "intfunction", "a dummy", "tggabl", "string s", "string tostring", "do not", "this file", "indent4", "indent2", "indent8", "tggabls", "fields", "classlock", "defines demo", "testable", "serviceloader", "malformed", "woof", "string s1", "string s2", "browns", "jumpss", "string s4", "string s6", "string apply", "string bay", "as quick", "woofs", "beta", "yieldable", "t yield", "other", "colon", "arrow", "unfoldenable", "italic", "strikethrough", "bold italic", "foobar", "modula2 pim", "test file", "colouring", "is licensed", "under the", "from system", "modula2 iso", "retain", "to do", "modula2 r10", "unsafe", "cardinal", "var abc", "variableb", "variablec", "var3", "var4", "var5", "var6", "variablea", "variabled", "variablee", "variable3", "varb", "variable1", "variable2", "varc", "vard", "variable4", "function1", "function4", "function2", "function3", "eq ne", "gt ge", "le lt", "ne gt", "ge le", "variableathis", "valsubfunc", "below", "reply", "issue", "cfoo", "ifoo", "interrupt", "ctrlc", "e123 catch", "varvalue", "cdpath", "backuptype", "defaultdevice", "executefbackup", "shall", "please wait", "buffer foo", "nargs range", "completer1 foo", "completer2 foo", "foo2", "bang", "nargs foo", "foo delcommand", "multiline", "commenttitle", "end augroup", "autocmd", "fixme call", "matched", "start not", "end not", "end call", "xterm call", "givename", "vim9", "test const", "foo def", "ex command", "dict", "end endfunction", "end enddef", "answer", "warningmsg", "endwhile", "dotest3", "dotest4", "dotest5", "dotest6", "test1", "test2", "test3", "test4", "test5", "funa", "dofuna", "funb", "dofunb", "func", "dofunc", "fund", "dofund", "foo delfunction", "foo function", "foo comment", "foo none", "guifg", "comment none", "ctermfgcyan", "end end", "end let", "end line", "end line1", "a basic", "rhs map", "foo bar", "fubar", "needle", "foogroup foo", "foogroup", "homeinclude", "defabc", "snomagicfoobar", "smagicfoobar", "special", "line comment", "b special", "char0x0044", "testcluster", "cchar", "keywords list", "vim line", "element", "x1f xf", "31 3", "u02a4 u000002a4", "string escape", "hexadecimal", "0xff echo", "decimal", "octal echo", "0377 echo", "vim shebang", "instance", "pairclasstest", "vim keymap", "end const", "expr", "foo unlet", "vim comment", "vim9 ex", "end foo", "xterm foo", "eof foo", "vim9script", "s vim9script", "12345", "0b10101010", "192939", "0777", "0o777", "0xabcdef00", "0x12345678", "runtest", "rticle", "syntax test", "file 0", "dougkearns", "2024 jun", "13 0", "test failures", "when comparing", "italicized text", "eading level", "igure", "eader", "frame", "diomatic text", "nput", "utput", "icture", "rogres", "cript", "earch", "ection", "elect", "reformat", "failure 0", "egend", "oscript", "bject", "ptgroup", "ption", "trong", "tyle", "able", "emplate", "extarea", "itle", "ource", "olgroup", "atalist", "etails", "ialog", "ieldset", "igcaption", "eleted text", "mphasis", "mbed", "side", "udio", "lockquote", "anvas", "aption", "ring at", "ideo", "cronym", "rame", "rameset", "arque", "enuitem", "rack", "narticulated an", "oframes", "trike", "ortal", "aram", "trikethrough", "highlighted", "elements have", "never be", "mage", "interface 0", "efault 0", "mport 0", "redundant", "tail", "alue", "nterface 0", "primer", "label 0", "tatic 0", "oid 0", "edundant", "identity cast", "expres", "to nest", "typeuse an", "htmlcom", "here is", "snip", "tmlsnip", "egion 0", "literal", "html com", "no entry", "point method", "code main", "return 0", "code nul", "eturn 0", "noop1", "may be", "used after", "noop2", "literalu0", "is proces", "return 8", "noop5", "nbsp", "noop6", "noop7", "link j0", "javaignorej0", "vimtestsetup s0", "fen 0", "nt 0", "majorversion", "empty string", "rotected 0", "compares this", "instance with", "the pas", "code that", "no period", "for the", "above sum", "rivate 0", "htmlsnip", "return an", "link m0", "execute", "match visual", "fen c0", "ref0", "literals", "clas", "tostring", "start 0", "ostring 0", "replace 0", "ubstring 0", "noop8", "noop9", "markdowncom", "arkdownsnip", "markdown com", "code public", "the method", "must be", "declared", "code 0", "the major", "java version", "used with", "inal 0", "markdownsnip", "blanks and", "re 0", "static void", "param a0", "rgs 0", "optional c0", "arguments 0", "invoke", "nontext 0", "hrow 0", "ew 0", "object module", "object open", "exports opens", "requires", "bject 0", "eplacement 0", "ar 0", "opens", "object opens", "object provides", "object requires", "object to", "uses", "xtends 0", "mplements 0", "ealed 0", "ermits 0", "bstract 0", "c1 i0", "noop3", "noop4", "a sum", "foldingtests", "static", "object b", "escapestests", "static final", "string hel", "har 0", "0ffffff0", "1200", "1210", "1230", "1240", "1250", "1260", "1270", "1300", "1310", "2040", "3240", "0100", "0120", "0130", "0140", "0150", "0160", "0170", "0200", "0210", "0230", "biginteger", "t1 x", "uper 0", "e element", "radix", "ecord 0", "tatic", "t dum", "isempty", "ublic 0", "ase 0", "ong 0", "witch 0", "genericstests", "todo 0", "3400", "3410", "3420", "3430", "3450", "3460", "3470", "3500", "3510", "3520", "sempty", "opal", "opsome", "ushal", "ushsome", "adix", "romdecimal", "lambdaexpres", "leftconst07", "leftconst08", "leftconst09", "i1 0", "leftconst10", "leftconst1", "leftconst01", "leftconst02", "leftconst03", "leftconst04", "leftconst05", "leftconst06", "leftconst", "const1", "const2", "witch", "hen 0", "alpha w0", "beta w0", "equals", "leftconst12", "typearguments", "identifier 0", "nteger", "ashcode", "omparable", "ry 0", "atch 0", "unction", "tring", "length", "ntfunction", "intsup", "clone", "naryoperator", "alueof", "quals", "redicate", "equalist", "gymnastics for", "ipredicate", "superequalist", "ethodhandle", "invokepredicate", "methodhandle mh", "throwable th", "a dum", "b dum", "t extends", "stringer", "ostring", "ntvalue", "onsumer", "println", "uperequalist", "nvokepredicate", "ethodhandle mh", "remember", "num 0", "asci", "stylable", "t e0", "tringer", "ative 0", "ynchronized 0", "trictfp 0", "thread", "qualist", "ransient 0", "methodstests", "string t0", "la s", "string name", "equires 0", "odule 0", "this module", "to the", "sample project", "published at", "mport m0", "related sup", "ransitive 0", "xports 0", "pens 0", "jdk 23", "ses 0", "rovides 0", "ith 0", "doautocmd", "syntax 0", "0xp0", "ouble 0", "minusoned", "xap1", "doto", "numberstests", "ouble", "loat 0", "maxdecf", "maxhexf", "mindecf", "minhexfa", "minhexfb", "maxdecd", "maxhexd", "minhex", "minoct", "minbin", "minusonehex", "minusoneoct", "minusonebin", "maxhexl", "maxoctl", "minusonehexl", "minusoneoctl", "minusonebinl", "jdk 21", "object o", "rue 0", "alse 0", "stringtests", "a quick", "brown fox", "jumps over", "the lazy", "there are", "lf after", "jumps0", "ver the0", "a nested", "string ap", "brown", "jumps", "over the", "nested com", "switchtests", "ield", "a or", "ield 0", "yte 0", "1let", "hort", "hort 0", "nofoldenable 0", "0000 0", "unfoldingtests", "reak 0", "old italic", "s1024", "talic", "inheritdoc", "object ap", "hile 0", "for vim", "file is", "licensed under", "the vim", "license 0", "efinition 0", "rom 0", "predefined", "ype 0", "ointer 0", "il 0", "nter", "ninter", "octal", "pragmas", "with emphasis", "opyright 0", "uthor 0", "fred flintstone", "icense 0", "baz bam", "ispose 0", "oc 0", "ord 0", "dr 0", "ast 0", "size 0", "rocedure 0", "egin 0", "nd 0", "ixme 0", "eprecated 0", "procedures", "ewfo", "nteger 0", "disabled", "hile fo", "do 0", "while", "synonyms", "itset 0", "roc 0", "roces", "ewproces", "ransfer 0", "ystem 0", "ongcard 0", "bozo bim", "dada jingle", "etbar", "lias 0", "defined pragmas", "numeric", "xcafed0", "inline", "noinline", "implementation", "cho 0", "this for", "done", "is a", "very handy", "solution and", "no real", "replacement", "available", "unction1", "a text", "shel", "his is", "home 0", "ariable10", "this is", "with a", "nset 0", "962 0", "f true", "unab", "abclear 0", "bclear 0", "java module", "changefilename", "restorefilename", "todo highlight", "author", "antonio colombo", "delete", "processing", "hebrew", "complete", "separate", "usercomplete", "matchitem", "cargo", "utility call", "trim trailing", "nvim", "linenr", "newcolumn", "columnnr", "wordregex", "gnat", "atomic", "timeslice", "structmembers", "nextitem", "col2", "typename", "typeref", "mpkeywords", "ctxkeywords", "binarysearch", "contextcmd", "omnisyntaxlist", "vim completion", "alex vear", "sung pae", "clojure version", "emptynode", "unitname", "setsession", "dec ada", "switchsession", "zat line", "vim adadec", "synidattr", "strridx", "auto", "nfz62010", "mdn css", "mask", "mnem", "setprojectfile", "pretty", "project file", "bufreadpost", "vim autoload", "decho", "dret", "getonescript", "e486", "dredir", "buffer test", "beginning", "prevnonblank", "getline", "xhtml", "dot pl", "doctype", "completetags", "harepath", "finddir", "attempt", "hare module", "java", "strive to", "for at", "least vim", "e121", "dialect", "setdialect", "hide", "bruno sutic", "blur", "accesskey", "onblur", "onfocus", "select", "tosource", "anchor", "cookie", "iframe", "checkbox", "codebase", "infinity", "foreign", "dorec", "lexer", "panic", "netrw", "charles e", "win9x", "dfunc", "systemroot", "nfhhtml", "nfhhtm", "nfhjpg", "toolbar menu", "synstack", "indent", "quote handling", "extraoemake", "hostcc", "buildcc", "buildcflags", "buildldflags", "freebasic", "precedence", "searchbracket", "plnum", "shiftwidth", "extrafunc", "python task", "parlnum", "commenttodo", "omni completion", "xml directory", "scope", "abbr", "fixed", "findmatch", "matchmax", "findbracket", "lispword", "isforfold", "inherestring", "nulldict", "column", "rstfoldcache", "cacherstfold", "rstfold", "antony lee", "helper", "getcurpos", "endfunction", "getpos", "shelltokenize", "withpath", "fnamemodify", "jump", "warningmsg echo", "emit", "play", "defpython", "rustfmtcommand", "runrustfmt", "detectversion", "split", "getconfigvar", "stephen sugden", "stephen", "save rustfmt", "vrustfmt", "nread", "loadfile", "getdirchoices", "yesn", "winbufnr", "vimspell", "bufwinnr", "index", "sqlcwarningmsg", "sqlcgetcolumns", "sqlcerrormsg", "compltype", "omni", "allow user", "synlist", "problem", "snum", "lnum", "isinclassdef", "isposinclassdef", "getrubyvartype", "getoption", "tohtml", "diff2html", "jumptoline", "mime charset", "latin1", "typst", "echoerr", "echomsg", "typeset", "echowarn", "getrunningjobs", "tex root", "addjob", "removejob", "showmesg", "chgdir", "vimball", "decompress", "vimballhome", "mkvimball", "restoresettings", "mkdir", "item", "emptystackp", "getlastopentag", "vimxmlattrinfo", "vimxmltaginfo", "tagstack", "istag", "endtag", "decreaseindent", "textwidth", "emptytag", "starttag", "browse", "setsaneopts", "restoreopts", "extract", "adacore", "cmdpre", "makeprg", "cargo file", "cmdpost", "basefont", "samp", "cite", "applet", "input", "middle", "acronym", "button", "gamma", "theta", "omega", "apos", "cong", "legend", "annotation", "attributegroup", "choice", "selector", "field", "choose", "foreach", "sort", "param", "stripspace", "all rights", "apple system", "tmpdir", "containerdir", "supportawdd", "supportbtserver", "apple", "rights", "file system", "fontd", "bookmark", "securityscope", "directory", "utility", "regularfile", "packagekit", "darwincachedir", "store database", "allow", "security", "reboot", "os x", "homedir", "realhomedir", "usersbasedir", "usercachedir", "audio", "callkit", "datacloudkit", "workaround", "rdar", "ckassets", "mmcs", "anyuuid", "caches", "allow fsctl", "fontvalidator", "frameworks", "coreservices", "carbon", "lsarpc", "dssetup sandbox", "squash", "readonly", "deny write", "issue sandbox", "network stack", "services lookup", "readwrite file", "system keychain", "wkssvc sandbox", "brlm", "byte range", "lock manager", "allow smbd", "allow wsp", "allow launchd", "netfsserver", "allow file", "sandbox profile", "ipv4", "ipv6", "netcore", "afsystem", "sysprotocontrol", "edge cache", "video", "allow access", "sandbox", "pkrecipt", "cachedir", "cmds", "applesmcclient", "smt isolation", "verw", "tempdir", "byhost", "sigkill", "sysmacsyscall", "sysaccess", "sysclose", "syscsrctl", "sysfchmod", "sysfsetxattr", "sysfsgetpath", "sysfstat64", "sysfstatat64", "darwintempdir", "reserve", "parampath", "mailv2", "mail importer", "allow mail", "library", "appcontainer", "document being", "quick look", "manage", "carbon noise", "make sure", "opengl", "plugin", "movie", "safari", "unix domain", "uuid cache", "redistribution", "is provided", "direct", "cfnetwork", "satellite", "files access", "daemon", "webdav file", "sharing", "sysgethostuuid", "gr ucs", "freebsd", "netbsd", "ucs gb2312", "cp932vdc", "ucs cp932vdc", "gb2312", "gbk ucs", "gb18030 ucs", "gb18030", "cpucs", "grucs", "appleucs", "gr mapperzone", "iso8859ucs", "big5ucs", "jisucs", "cnsucs", "appleinternal", "applications", "volumes", "gregory mcgarry", "coff dsp21k", "risc os", "programmer", "appendix e", "packdir", "git pack", "acorn", "chunk file", "from risc", "os programmer", "corrupted", "infocom", "david griffith", "glulx", "text adventure", "game", "adventure game", "allen garvin", "dave chapeskie", "aes crypt", "encrypted data", "joerg jenderek", "createdby", "createdby b", "windows gui", "alliant", "alliant fx", "fx series", "allegro", "toby deshane", "algol", "4 string", "bmode", "proc", "defmens vendors", "procedure b", "bref", "bflex", "bsdos", "bsdi", "unix32v", "sunos", "again", "hive rc", "sequence", "avro", "parquet", "apache hadoop", "apache big", "obj apache", "orc apache", "par1 apache", "pitentry", "android vdex", "android backup", "0 dalvik", "android bootimg", "password salt", "hidden", "loki", "apl workspace", "module sound", "density", "amigaos", "postma", "soundmon module", "trid", "amiga disk", "dos disk", "application", "mpeg v4", "dmb maf", "ycbcr", "cmaf media", "monaural", "heif image", "apple quicktime", "mike", "codec", "live", "applixware", "peter soos", "words words", "raster bitmap", "macro macro", "builder builder", "mac os", "ii image", "disk image", "blocks", "apple dos", "appleworks word", "spreadsheet", "sweet", "bernie", "rescue", "corrupt", "bobo", "amanda", "tapestart date", "file dump", "arm coff", "aarch64", "arm thumb", "armv7 thumb", "apt cache", "second", "bits per", "image width", "per meter", "asfdataobject", "time offset", "data length", "colors", "040t", "asterx", "guy harris", "word words", "grap graphic", "macr macro", "asterx version", "words document", "graphic", "coff", "we32000 coff", "mau hardware", "sccs", "we32k", "bbxpro5files", "oliver dammer", "dammer", "beetle vm", "beetle", "cable", "box router", "fritz", "box fritz", "password b", "oem b", "language b", "thu jun", "x tap", "sender", "x5fx81x44", "batch", "notification", "georg sauthoff", "gsma", "gsm association", "cdrs", "bflt", "philippe de", "muyter", "blockhashloc", "marco pontello", "sam alignment", "bgzf", "samtools", "binary call", "binary sequence", "fasta", "iupac", "blocked gnu", "patchmaster", "binary format", "alois schloegl", "medica soft", "axgr biosigaxg", "biosigaxg", "ircam file", "adpcm", "david korth", "song", "atari st", "ache", "david", "bonk", "insane", "pokey", "otto", "zbot", "blcr", "uncomment", "vma06", "kernel", "berkeley lab", "c000r000 blcr", "sparc", "armeb", "sparc64", "blender", "native format", "glob chunk", "blender3d", "scripts", "bpy blender3d", "bpython script", "blackberry file", "blackberry rim", "etp file", "0x10", "greg roelofs", "gnu tar", "ascii null", "compress", "0x04", "openoffice", "freeze", "archiver", "designer", "spark", "hpack", "oblivion", "zpack", "blink", "npack", "xpack", "blit mpxmux", "blit", "vaxorder", "blit stuff", "ttcomp", "ttcomp archive", "need", "we32 dmd", "birtual machine", "oses", "sparc demand", "4096", "sparc pure", "chiasmus", "federal", "office", "bundesamt", "sicherheit", "xia1r chiasmus", "xis chiasmus", "btsnoop", "hci uart", "hci bcsp", "hci serial", "mikhail gusarov", "dottedmag", "nekovm", "neko nekovm", "resilient logic", "guile file", "goof", "le b", "be b", "cbor", "concise binary", "raw tape", "cbm basic", "dirk jagdmann", "d64 image", "d71 image", "d81 image", "c64 emultar", "cartridge image", "c source", "bcpl source", "bcpl", "libhdr", "java se", "java bytecode", "macho", "java class", "cpu type", "cafe babes", "java start", "x version", "tablature file", "chord music", "file format", "chord text", "powertab", "jelmer vernooij", "jelmer", "powertab v3", "runect citrus", "lcctype", "ctrsme citrus", "ctrsmo citrus", "lcmonetary", "ctrsnu citrus", "lcnumeric", "ctrsti citrus", "lctime", "cddb", "cd player", "developer", "julien blache", "database", "keyindex", "help", "systems", "microcode", "netbsdalpha", "ios microcode", "kompas", "vrml", "xml document", "reserved", "applicationtype", "autocad dwg", "schema", "scanline", "alliance", "claris", "claris clip", "377377377377001", "claris works", "c1 r1", "c2 r1", "c3 r1", "intergraph", "clipper coff", "fairchild", "clipper use", "hitachi sh", "common object", "coff intel", "intel", "files format", "djgpp", "clojure script", "clojure", "jason felice", "clojure module", "convex", "convex soff", "convex storage", "convexes", "added", "core file", "third", "idc file", "suiteid", "chart", "debacle", "ttcn", "tree", "notation", "suite ttcn", "abstract test", "suite", "boseos", "snmperrnoerror", "commitrow", "readcreate", "retlen", "writecreate", "mydata", "putindexdata", "snmpsetvarvalue", "checkfnslocal", "not be", "note note", "decides", "snmp error", "requestvb", "asnoctetstr", "asnobjectid", "logerr", "undoinfo", "rcsfile", "end code", "debugmsgtl", "initialize", "allowcreation", "adding", "oidlength", "handler", "snmperrgenerr", "colnum", "break", "current", "snmp", "dodescr", "nodeinfo", "calldefine", "doformatedtext", "startperl", "perleval", "mib type", "oids", "const", "register", "asn type", "rorw status", "generating code", "mib tree", "netsnmp style", "getnext", "mib table", "tabledata", "container", "mibs", "print", "please specify", "send", "memcpy", "rscreateandgo", "writemethod", "findvarmethod", "variablesoid", "substr", "varlen", "sprintmaxlen", "datacontext", "mode", "freeundoinfo", "reallyreally", "initializingn", "handlercanronly", "netsnmp", "emitindexvars", "enddefine", "emitgetargs", "emitloaddata", "emitindexinfo", "output skeleton", "loader", "Aishah Siti Lazim", "194 Green Street" ], "references": [ "vimrc", "bugreport.vim", "evim.vim", "delmenu.vim", "defaults.vim", "ftplugof.vim", "ftoff.vim", "gvim.desktop", "ftplugin.vim", "gvimrc_example.vim", "indent.vim", "indoff.vim", "mswin.vim", "scripts.vim", "optwin.vim", "vim.desktop", "menu.vim", "vimrc_example.vim", "synmenu.vim", "filetype.vim", "Make_mvc.mak", "Make_all.mak", "README.ru.utf-8.txt", "README.txt", "tutor", "tutor.bar.utf-8", "tutor.ca.utf-8", "tutor.bg.utf-8", "tutor.cs.utf-8", "tutor.da.utf-8", "tutor.de.utf-8", "tutor.el.utf-8", "tutor.eo.utf-8", "tutor.es.utf-8", "tutor.fr.utf-8", "tutor.hr.utf-8", "tutor.ja.utf-8", "tutor.hu.utf-8", "tutor.it.utf-8", "tutor.ko", "tutor.ko.utf-8", "tutor.lt.utf-8", "tutor.lv.utf-8", "tutor.nb.utf-8", "tutor.nl.utf-8", "tutor.no.utf-8", "tutor.pt.utf-8", "tutor.pl.utf-8", "tutor.ru.utf-8", "tutor.tr.utf-8", "tutor.sr.utf-8", "tutor.sv.utf-8", "tutor.sk.utf-8", "tutor.vim", "tutor.zh_cn.utf-8", "tutor.utf-8", "tutor.vi.utf-8", "tutor.uk.utf-8", "tutor.zh_tw.utf-8", "tutor.zh.utf-8", "vimspell.txt", "xcmdsrv_client.c", "ref", "vim132", "vimm", "vim_vs_net.cmd", "shtags.1", "unicode.vim", "shtags.pl", "ccfilter_README.txt", "blink.c", "efm_filter.txt", "demoserver.py", "ccfilter.c", "efm_filter.pl", "ccfilter.1", "efm_perl.pl", "pltags.pl", "mve.txt", "emoji_list.vim", "mve.awk", "a65.vim", "aap.vim", "abap.vim", "abc.vim", "abel.vim", "abaqus.vim", "acedb.vim", "a2ps.vim", "ada.vim", "ahdl.vim", "8th.vim", "aflex.vim", "aidl.vim", "2html.vim", "alsaconf.vim", "amiga.vim", "ampl.vim", "antlr4.vim", "apachestyle.vim", "apache.vim", "antlr.vim", "ant.vim", "aml.vim", "arch.vim", "aptconf.vim", "arduino.vim", "art.vim", "asm.vim", "asciidoc.vim", "asn.vim", "aspperl.vim", "asm68k.vim", "aspvbs.vim", "asteriskvm.vim", "atlas.vim", "asy.vim", "autodoc.vim", "autohotkey.vim", "autoit.vim", "automake.vim", "ave.vim", "asmh8300.vim", "avra.vim", "awk.vim", "astro.vim", "ayacc.vim", "asterisk.vim", "bash.vim", "b.vim", "bdf.vim", "bib.vim", "basic.vim", "bindzone.vim", "bc.vim", "blank.vim", "bitbake.vim", "bsdl.vim", "bst.vim", "bzl.vim", "btm.vim", "bzr.vim", "baan.vim", "cabal.vim", "cabalconfig.vim", "cabalproject.vim", "c.vim", "catalog.vim", "cdl.vim", "cdrdaoconf.vim", "cfg.vim", "cgdbrc.vim", "cf.vim", "cdrtoc.vim", "ch.vim", "chaiscript.vim", "change.vim", "chaskell.vim", "changelog.vim", "chatito.vim", "cheetah.vim", "chicken.vim", "chordpro.vim", "chill.vim", "calendar.vim", "chuck.vim", "clean.vim", "clipper.vim", "cmakecache.vim", "cl.vim", "cmod.vim", "cmusrc.vim", "coco.vim", "colortest.vim", "clojure.vim", "conf.vim", "config.vim", "confini.vim", "conaryrecipe.vim", "crm.vim", "cmake.vim", "crontab.vim", "cpp.vim", "context.vim", "csc.vim", "csh.vim", "cs.vim", "csp.vim", "csv.vim", "cterm.vim", "csdl.vim", "cobol.vim", "ctrlh.vim", "css.vim", "cuda.vim", "cuplsim.vim", "cvs.vim", "cweb.vim", "cvsrc.vim", "cucumber.vim", "cupl.vim", "cynpp.vim", "cynlib.vim", "deb822sources.vim", "dcd.vim", "d.vim", "dcl.vim", "dart.vim", "debchangelog.vim", "debcontrol.vim", "datascript.vim", "debcopyright.vim", "def.vim", "dep3patch.vim", "denyhosts.vim", "debsources.vim", "desc.vim", "dictconf.vim", "dictdconf.vim", "diff.vim", "dircolors.vim", "dirpager.vim", "diva.vim", "desktop.vim", "django.vim", "dns.vim", "docbksgml.vim", "docbkxml.vim", "docbk.vim", "dockerfile.vim", "dosbatch.vim", "dosini.vim", "dot.vim", "dracula.vim", "dsl.vim", "dtml.vim", "doxygen.vim", "dts.vim", "dtrace.vim", "dtd.vim", "dune.vim", "dylanintr.vim", "dylanlid.vim", "dylan.vim", "dnsmasq.vim", "editorconfig.vim", "edif.vim", "ecd.vim", "elmfilt.vim", "elf.vim", "elinks.vim", "eiffel.vim", "elm.vim", "erlang.vim", "esmtprc.vim", "esqlc.vim", "esterel.vim", "euphoria3.vim", "eterm.vim", "eruby.vim", "euphoria4.vim", "exim.vim", "expect.vim", "exports.vim", "eviews.vim", "fasm.vim", "fdcc.vim", "falcon.vim", "fan.vim", "fetchmail.vim", "fgl.vim", "fish.vim", "flexwiki.vim", "focexec.vim", "fpcmake.vim", "forth.vim", "form.vim", "framescript.vim", "foxpro.vim", "fortran.vim", "freebasic.vim", "fvwm2m4.vim", "fstab.vim", "fvwm.vim", "gdmo.vim", "gdresource.vim", "gdb.vim", "gemtext.vim", "gdshader.vim", "git.vim", "gift.vim", "gedcom.vim", "gdscript.vim", "gitattributes.vim", "gitcommit.vim", "gitconfig.vim", "gitignore.vim", "gitolite.vim", "gitrebase.vim", "gitsendemail.vim", "gkrellmrc.vim", "goaccess.vim", "glsl.vim", "godoc.vim", "go.vim", "gnuplot.vim", "gp.vim", "gpg.vim", "gprof.vim", "gretl.vim", "grads.vim", "gnash.vim", "groff.vim", "grub.vim", "groovy.vim", "gtkrc.vim", "group.vim", "gyp.vim", "gsp.vim", "gvpr.vim", "update_date.vim", "README.md", "gen_syntax_vim.vim", "vim.vim.base", "haml.vim", "hamster.vim", "hare.vim", "haredoc.vim", "haste.vim", "haskell.vim", "hastepreproc.vim", "hb.vim", "hcl.vim", "help_ru.vim", "hex.vim", "help.vim", "hercules.vim", "hgcommit.vim", "hitest.vim", "hlsplaylist.vim", "hog.vim", "hostsaccess.vim", "hostconf.vim", "htmlcheetah.vim", "htmlangular.vim", "html.vim", "htmlm4.vim", "htmlos.vim", "htmldjango.vim", "i3config.vim", "ia64.vim", "ibasic.vim", "icemenu.vim", "idlang.vim", "idl.vim", "icon.vim", "initex.vim", "initng.vim", "ipfilter.vim", "inittab.vim", "inform.vim", "j.vim", "iss.vim", "ishd.vim", "jal.vim", "ist.vim", "jam.vim", "jargon.vim", "javascript.vim", "javascriptreact.vim", "java.vim", "jinja.vim", "jess.vim", "jgraph.vim", "javacc.vim", "jq.vim", "jsp.vim", "json.vim", "jsonc.vim", "json5.vim", "kconfig.vim", "julia.vim", "kdl.vim", "kotlin.vim", "kix.vim", "kwt.vim", "krl.vim", "kscript.vim", "kivy.vim", "lace.vim", "latte.vim", "lc.vim", "ld.vim", "ldapconf.vim", "iso.vim", "pim.vim", "r10.vim", "ldif.vim", "less.vim", "lftp.vim", "lhaskell.vim", "libao.vim", "lex.vim", "lifelines.vim", "liquid.vim", "limits.vim", "lilo.vim", "lite.vim", "livebook.vim", "lisp.vim", "litestep.vim", "lotos.vim", "loginaccess.vim", "logtalk.vim", "logindefs.vim", "lout.vim", "lprolog.vim", "lpc.vim", "lsl.vim", "lscript.vim", "lss.vim", "luau.vim", "lua.vim", "lynx.vim", "lyrics.vim", "m3quake.vim", "m3build.vim", "m4.vim", "mailaliases.vim", "mail.vim", "mailcap.vim", "mallard.vim", "make.vim", "manual.vim", "manconf.vim", "mason.vim", "masm.vim", "maple.vim", "master.vim", "matlab.vim", "maxima.vim", "mermaid.vim", "meson.vim", "mediawiki.vim", "messages.vim", "mel.vim", "man.vim", "markdown.vim", "mf.vim", "mgp.vim", "mgl.vim", "mib.vim", "mix.vim", "mmix.vim", "mmp.vim", "modconf.vim", "model.vim", "mma.vim", "modula2.vim", "modula3.vim", "moo.vim", "mojo.vim", "monk.vim", "mp.vim", "mplayerconf.vim", "mrxvtrc.vim", "msmessages.vim", "msidl.vim", "msql.vim", "modsim3.vim", "murphi.vim", "mush.vim", "mupad.vim", "muttrc.vim", "mysql.vim", "named.vim", "nanorc.vim", "nastran.vim", "n1ql.vim", "natural.vim", "nasm.vim", "ncf.vim", "netrc.vim", "netrw.vim", "ninja.vim", "nix.vim", "nosyntax.vim", "nroff.vim", "neomuttrc.vim", "nsis.vim", "nqc.vim", "nginx.vim", "obj.vim", "objcpp.vim", "odin.vim", "occam.vim", "omnimark.vim", "ocaml.vim", "ondir.vim", "objc.vim", "openscad.vim", "openroad.vim", "opl.vim", "openvpn.vim", "obse.vim", "opam.vim", "pamenv.vim", "pacmanlog.vim", "ora.vim", "pamconf.vim", "pandoc.vim", "papp.vim", "pcap.vim", "pbtxt.vim", "pascal.vim", "passwd.vim", "pccts.vim", "pf.vim", "phtml.vim", "perl.vim", "pic.vim", "pdf.vim", "pilrc.vim", "pfmain.vim", "pike.vim", "pine.vim", "pinfo.vim", "plaintex.vim", "php.vim", "plm.vim", "plp.vim", "pli.vim", "pod.vim", "poefilter.vim", "po.vim", "ppd.vim", "pov.vim", "povini.vim", "ppwiz.vim", "plsql.vim", "prescribe.vim", "procmail.vim", "privoxy.vim", "prolog.vim", "promela.vim", "postscr.vim", "protocols.vim", "proto.vim", "psf.vim", "psl.vim", "ps1.vim", "purifylog.vim", "ptcap.vim", "pymanifest.vim", "pyrex.vim", "progress.vim", "python.vim", "python2.vim", "quarto.vim", "qf.vim", "quake.vim", "qb64.vim", "r.vim", "qml.vim", "radiance.vim", "racc.vim", "racket.vim", "raml.vim", "rasi.vim", "rc.vim", "ratpoison.vim", "rapid.vim", "raku.vim", "rcslog.vim", "rcs.vim", "rebol.vim", "readline.vim", "registry.vim", "rego.vim", "remind.vim", "requirements.vim", "reva.vim", "resolv.vim", "rhelp.vim", "rexx.vim", "rnc.vim", "rng.vim", "rnoweb.vim", "rib.vim", "redif.vim", "rrst.vim", "rpcgen.vim", "routeros.vim", "rpl.vim", "rmd.vim", "rtf.vim", "rst.vim", "salt.vim", "robots.vim", "samba.vim", "ruby.vim", "sas.vim", "sass.vim", "rust.vim", "sbt.vim", "scdoc.vim", "sather.vim", "scilab.vim", "scala.vim", "scheme.vim", "screen.vim", "scss.vim", "sd.vim", "sdc.vim", "sdl.vim", "sensors.vim", "sed.vim", "services.vim", "sendpr.vim", "setserial.vim", "sexplib.vim", "sgmldecl.vim", "sgmllnx.vim", "sh.vim", "sgml.vim", "context-data-metafun.vim", "context-data-tex.vim", "hgcommitDiff.vim", "context-data-context.vim", "context-data-interfaces.vim", "debversions.vim", "typescriptcommon.vim", "sicad.vim", "sil.vim", "simula.vim", "sinda.vim", "sindacmp.vim", "sindaout.vim", "sieve.vim", "skill.vim", "sl.vim", "sisu.vim", "slang.vim", "slpconf.vim", "slpreg.vim", "slpspi.vim", "slrnsc.vim", "sm.vim", "smarty.vim", "slice.vim", "smcl.vim", "smith.vim", "smil.vim", "sml.vim", "snnsnet.vim", "snnspat.vim", "slrnrc.vim", "snobol4.vim", "solidity.vim", "spice.vim", "splint.vim", "spec.vim", "specman.vim", "spyce.vim", "spup.vim", "snnsres.vim", "sql.vim", "sqlforms.vim", "sqlj.vim", "sqlhana.vim", "sqlinformix.vim", "sqlanywhere.vim", "sqloracle.vim", "srec.vim", "sqr.vim", "squirrel.vim", "squid.vim", "srt.vim", "ssa.vim", "st.vim", "sshconfig.vim", "sshdconfig.vim", "stp.vim", "stata.vim", "strace.vim", "structurizr.vim", "stylus.vim", "sudoers.vim", "swift.vim", "swig.vim", "swiftgyb.vim", "swayconfig.vim", "syncolor.vim", "svn.vim", "synload.vim", "sysctl.vim", "systemverilog.vim", "tads.vim", "tags.vim", "tak.vim", "takcmp.vim", "takout.vim", "tar.vim", "taskdata.vim", "taskedit.vim", "tap.vim", "tasm.vim", "svg.vim", "syntax.vim", "template.vim", "tcsh.vim", "teraterm.vim", "terminfo.vim", "terraform.vim", "systemd.vim", "tcl.vim", "tssgm.vim", "typescript.vim", "tsv.vim", "tt2js.vim", "tssop.vim", "typescriptreact.vim", "tt2.vim", "tt2html.vim", "uc.vim", "uci.vim", "typst.vim", "udevconf.vim", "udevperm.vim", "uil.vim", "unison.vim", "updatedb.vim", "upstart.vim", "upstreamdat.vim", "upstreaminstalllog.vim", "upstreamlog.vim", "upstreamrpt.vim", "usw2kagtlog.vim", "urlshortcut.vim", "udevrules.vim", "valgrind.vim", "vdf.vim", "vb.vim", "verilogams.vim", "vera.vim", "vhdl.vim", "viminfo.vim", "verilog.vim", "voscm.vim", "vmasm.vim", "virata.vim", "vim.vim", "vrml.vim", "vgrindefs.vim", "usserverlog.vim", "c.c", "html.html", "java_comments_markdown.java", "java_annotations_signature.java", "java_comments.java", "java_enfoldment.java", "java_escapes.java", "java_generics_signature.java", "java_generics.java", "java_contextual_keywords.java", "java_lambda_expressions_signature.java", "java_annotations.java", "java_lambda_expressions.java", "java_method_references_signature.java", "java_methods_indent4.java", "java_methods_indent2.java", "java_methods_indent4_signature.java", "java_methods_indent2_signature.java", "java_methods_indent8_signature.java", "java_methods_style.java", "java_module_info.java", "java_methods_style_signature.java", "java_numbers.java", "java_previews_430.java", "java_string.java", "java_previews_455.java", "java_switch.java", "java_methods_indent8.java", "java_unfoldment.java", "markdown_conceal.markdown", "modula2_pim.def", "modula2_iso.def", "modula2_r10.def", "progress_comments.p", "sh_02.sh", "sh_01.sh", "sh_04.sh", "sh_03.sh", "sh_05.sh", "sh_07.sh", "sh_09.sh", "sh_08.sh", "sh_10.sh", "sh_11.sh", "vim_ex_abbreviate.vim", "vim_ex_behave.vim", "vim_ex_call.vim", "vim_ex_catch.vim", "sh_06.sh", "vim_ex_command.vim", "vim_ex_comment_strings.vim", "vim_ex_comment-vim9.vim", "vim_ex_comment.vim", "vim_ex_augroup.vim", "vim_ex_commands.vim", "vim_ex_def_nested.vim", "vim_ex_def_nested_fold.vim", "vim_ex_def_fold.vim", "vim_ex_def.vim", "vim_ex_echo.vim", "vim_ex_execute.vim", "vim_ex_function_def_tail_comment_errors.vim", "vim_ex_function_def_tail_comments.vim", "vim_ex_function_nested_fold.vim", "vim_ex_function_nested.vim", "vim_ex_function_fold.vim", "vim_ex_highlight.vim", "vim_ex_let_heredoc.vim", "vim_ex_loadkeymap_after_bar.vim", "vim_ex_loadkeymap_after_colon.vim", "vim_ex_map.vim", "vim_ex_function.vim", "vim_ex_menu.vim", "vim_ex_menutranslate.vim", "vim_ex_no_comment_strings.vim", "vim_ex_match.vim", "vim_ex_range.vim", "vim_ex_set.vim", "vim_ex_sleep.vim", "vim_ex_substitute.vim", "vim_ex_throw.vim", "vim_keymap.vim", "vim_ex_syntax.vim", "vim_key_notation.vim", "vim_line_continuation.vim", "vim_expr.vim", "vim_new.vim", "vim_shebang.vim", "vim_object_methods.vim", "vim_variables.vim", "vim9_ex_comment_strings.vim", "vim9_ex_commands.vim", "vim9_ex_no_comment_strings.vim", "vim9_ex_function_def_tail_comments.vim", "vim9_expr.vim", "vim9_keymap.vim", "vim9_ex_function_def_tail_comment_errors.vim", "vim9_legacy_header_fold.vim", "vim9_legacy_header.vim", "vim9_shebang.vim", "yaml.yaml", "dots_03", "dots_05", "dots_02", "dots_04", "dots_01", "dots_06", "dots_08", "dots_09", "dots_10", "dots_07", "dots_11", "dots_12", "dots_14", "dots_13", "dots_15", "dots_16", "dots_17", "dots_18", "dots_19", "dots_20", "html_00.dump", "html_03.dump", "html_05.dump", "html_04.dump", "html_06.dump", "html_02.dump", "html_01.dump", "html_07.dump", "html_08.dump", "java_annotations_01.dump", "java_annotations_00.dump", "java_annotations_02.dump", "java_annotations_03.dump", "java_annotations_04.dump", "java_annotations_signature_00.dump", "java_annotations_signature_02.dump", "java_annotations_signature_01.dump", "java_annotations_signature_03.dump", "java_annotations_signature_04.dump", "java_comments_html_01.dump", "java_comments_html_02.dump", "java_comments_html_03.dump", "java_comments_html_00.dump", "java_comments_html_04.dump", "java_comments_html_05.dump", "java_comments_markdown_00.dump", "java_comments_html_07.dump", "java_comments_markdown_03.dump", "java_comments_markdown_01.dump", "java_comments_html_06.dump", "java_comments_markdown_04.dump", "java_comments_markdown_02.dump", "java_comments_markdown_05.dump", "java_comments_markdown_06.dump", "java_comments_markdown_07.dump", "java_contextual_keywords_00.dump", "java_comments_markdown_08.dump", "java_contextual_keywords_01.dump", "java_contextual_keywords_02.dump", "java_enfoldment_01.dump", "java_contextual_keywords_03.dump", "java_enfoldment_00.dump", "java_enfoldment_02.dump", "java_escapes_00.dump", "java_escapes_01.dump", "java_escapes_03.dump", "java_escapes_05.dump", "java_escapes_07.dump", "java_escapes_02.dump", "java_escapes_06.dump", "java_generics_01.dump", "java_generics_03.dump", "java_generics_02.dump", "java_generics_04.dump", "java_generics_05.dump", "java_generics_07.dump", "java_generics_00.dump", "java_generics_06.dump", "java_escapes_04.dump", "java_generics_signature_00.dump", "java_generics_signature_01.dump", "java_generics_signature_02.dump", "java_generics_signature_03.dump", "java_generics_signature_04.dump", "java_generics_signature_05.dump", "java_generics_signature_07.dump", "java_generics_signature_06.dump", "java_lambda_expressions_00.dump", "java_lambda_expressions_01.dump", "java_lambda_expressions_03.dump", "java_lambda_expressions_02.dump", "java_lambda_expressions_04.dump", "java_lambda_expressions_05.dump", "java_lambda_expressions_06.dump", "java_lambda_expressions_07.dump", "java_lambda_expressions_08.dump", "java_lambda_expressions_signature_00.dump", "java_lambda_expressions_signature_01.dump", "java_lambda_expressions_signature_02.dump", "java_lambda_expressions_signature_03.dump", "java_lambda_expressions_signature_04.dump", "java_lambda_expressions_signature_05.dump", "java_lambda_expressions_signature_06.dump", "java_lambda_expressions_signature_07.dump", "java_lambda_expressions_signature_08.dump", "java_method_references_00.dump", "java_method_references_01.dump", "java_method_references_03.dump", "java_method_references_04.dump", "java_method_references_06.dump", "java_method_references_05.dump", "java_method_references_07.dump", "java_method_references_08.dump", "java_method_references_09.dump", "java_method_references_10.dump", "java_method_references_signature_00.dump", "java_method_references_signature_01.dump", "java_method_references_02.dump", "java_method_references_signature_02.dump", "java_method_references_signature_03.dump", "java_method_references_signature_04.dump", "java_method_references_signature_05.dump", "java_method_references_signature_07.dump", "java_method_references_signature_08.dump", "java_method_references_signature_09.dump", "java_methods_indent2_00.dump", "java_methods_indent2_00.vim", "java_methods_indent2_01.dump", "java_methods_indent2_01.vim", "java_methods_indent2_02.dump", "java_methods_indent2_02.vim", "java_method_references_signature_10.dump", "java_methods_indent2_03.vim", "java_methods_indent2_03.dump", "java_methods_indent2_04.dump", "java_methods_indent2_04.vim", "java_methods_indent2_05.dump", "java_methods_indent2_05.vim", "java_method_references_signature_06.dump", "java_methods_indent2_signature_00.vim", "java_methods_indent2_signature_01.dump", "java_methods_indent2_signature_01.vim", "java_methods_indent2_signature_02.dump", "java_methods_indent2_signature_02.vim", "java_methods_indent2_signature_03.dump", "java_methods_indent2_signature_03.vim", "java_methods_indent2_signature_04.dump", "java_methods_indent2_signature_04.vim", "java_methods_indent2_signature_05.dump", "java_methods_indent2_signature_05.vim", "java_methods_indent4_00.vim", "java_methods_indent4_01.vim", "java_methods_indent4_01.dump", "java_methods_indent4_02.dump", "java_methods_indent2_signature_00.dump", "java_methods_indent4_02.vim", "java_methods_indent4_03.vim", "java_methods_indent4_03.dump", "java_methods_indent4_04.dump", "java_methods_indent4_04.vim", "java_methods_indent4_05.dump", "java_methods_indent4_06.dump", "java_methods_indent4_05.vim", "java_methods_indent4_signature_00.dump", "java_methods_indent4_signature_01.dump", "java_methods_indent4_signature_01.vim", "java_methods_indent4_signature_02.dump", "java_methods_indent4_signature_02.vim", "java_methods_indent4_signature_03.dump", "java_methods_indent4_signature_03.vim", "java_methods_indent4_signature_04.dump", "java_methods_indent4_signature_04.vim", "java_methods_indent4_signature_05.dump", "java_methods_indent4_signature_05.vim", "java_methods_indent8_00.dump", "java_methods_indent4_signature_06.dump", "java_methods_indent8_00.vim", "java_methods_indent8_01.dump", "java_methods_indent8_01.vim", "java_methods_indent4_signature_00.vim", "java_methods_indent8_02.dump", "java_methods_indent8_02.vim", "java_methods_indent8_03.dump", "java_methods_indent8_03.vim", "java_methods_indent8_04.dump", "java_methods_indent8_05.dump", "java_methods_indent8_06.dump", "java_methods_indent8_05.vim", "java_methods_indent8_signature_00.dump", "java_methods_indent8_signature_01.dump", "java_methods_indent8_signature_01.vim", "java_methods_indent8_signature_02.dump", "java_methods_indent8_signature_02.vim", "java_methods_indent8_signature_00.vim", "java_methods_indent8_signature_03.dump", "java_methods_indent8_signature_03.vim", "java_methods_indent8_signature_04.dump", "java_methods_indent8_signature_04.vim", "java_methods_indent8_signature_05.vim", "java_methods_indent8_signature_05.dump", "java_methods_indent8_signature_06.dump", "java_methods_indent8_signature_06.vim", "java_methods_style_00.dump", "java_methods_style_00.vim", "java_methods_style_01.vim", "java_methods_style_02.vim", "java_methods_indent8_04.vim", "java_methods_style_03.dump", "java_methods_style_04.dump", "java_methods_style_02.dump", "java_methods_style_signature_00.dump", "java_methods_style_signature_00.vim", "java_methods_style_signature_01.vim", "java_methods_style_03.vim", "java_methods_style_signature_02.vim", "java_methods_style_01.dump", "java_methods_style_signature_03.dump", "java_methods_style_signature_03.vim", "java_methods_style_signature_04.dump", "java_methods_style_signature_01.dump", "java_module_info_00.dump", "java_methods_style_04.vim", "java_module_info_01.dump", "java_module_info_02.dump", "java_numbers_01.dump", "java_numbers_02.dump", "java_methods_style_signature_04.vim", "java_numbers_00.dump", "java_numbers_03.dump", "java_numbers_04.dump", "java_numbers_05.dump", "java_previews_430_00.dump", "java_previews_455_00.dump", "java_previews_455_01.dump", "java_previews_455_02.dump", "java_previews_455_03.dump", "java_methods_style_signature_02.dump", "java_methods_indent4_00.dump", "java_string_00.dump", "java_string_01.dump", "java_string_02.dump", "java_string_04.dump", "java_string_03.dump", "java_string_05.dump", "java_switch_00.dump", "java_switch_02.dump", "java_switch_01.dump", "java_switch_04.dump", "java_switch_03.dump", "java_switch_05.dump", "java_switch_07.dump", "java_unfoldment_00.dump", "java_switch_06.dump", "java_unfoldment_01.dump", "java_unfoldment_05.dump", "java_unfoldment_02.dump", "markdown_conceal_00.dump", "java_unfoldment_03.dump", "modula2_iso_00.dump", "modula2_iso_01.dump", "modula2_iso_03.dump", "modula2_iso_02.dump", "modula2_iso_04.dump", "modula2_iso_05.dump", "modula2_pim_00.dump", "modula2_iso_06.dump", "modula2_pim_01.dump", "modula2_pim_02.dump", "modula2_pim_03.dump", "modula2_pim_04.dump", "modula2_pim_06.dump", "modula2_pim_05.dump", "modula2_r10_00.dump", "modula2_r10_03.dump", "sh_07_01.dump", "sh_08_02.dump", "sh_11_00.dump", "vim_ex_abbreviate_01.dump", "vim_ex_command_00.dump", "java_module_info.vim", "markdown_conceal.vim", "cleanadd.vim", "yi.vim", "he.vim", "adacomplete.vim", "cargo.vim", "ccomplete.vim", "clojurecomplete.vim", "decada.vim", "contextcomplete.vim", "csscomplete.vim", "gnat.vim", "gzip.vim", "getscript.vim", "htmlcomplete.vim", "javaformat.vim", "netrw_gitignore.vim", "javascriptcomplete.vim", "haskellcomplete.vim", "netrwSettings.vim", "netrwFileHandlers.vim", "paste.vim", "pythoncomplete.vim", "RstFold.vim", "python3complete.vim", "rustfmt.vim", "spellfile.vim", "sqlcomplete.vim", "syntaxcomplete.vim", "rubycomplete.vim", "tohtml.vim", "typeset.vim", "vimball.vim", "xmlcomplete.vim", "xmlformat.vim", "zip.vim", "quickfix.vim", "html32.vim", "html40f.vim", "html40s.vim", "html40t.vim", "html401f.vim", "html401t.vim", "xhtml10f.vim", "xhtml10s.vim", "xsd.vim", "xhtml10t.vim", "html401s.vim", "xhtml11.vim", "xsl.vim", "airportd.sb", "awdd.sb", "bluetoothd.sb", "com.apple.atsd.internal.sb", "BTLEServer.sb", "com.apple.atsd.support.sb", "com.apple.bootinstalld.sb", "com.apple.ckdiscretionaryd.sb", "com.apple.CommCenter.sb", "com.apple.cloudd.sb", "com.apple.fontd.internal.sb", "com.apple.corespotlightservice.sb", "com.apple.FontValidator.sb", "com.apple.fontd.support.sb", "com.apple.genatsdb.internal.sb", "com.apple.managedcorespotlightd.sb", "com.apple.msrpc.lsarpc.sb", "com.apple.msrpc.mdssvc.sb", "com.apple.mobileassetd.sb", "com.apple.msrpc.netlogon.sb", "com.apple.msrpc.srvsvc.sb", "com.apple.msrpc.wkssvc.sb", "com.apple.smbd.sb", "com.apple.netbiosd.sb", "com.apple.softwareupdate_firstrun_tasks.sb", "com.apple.taskgated-helper.sb", "com.apple.spotlightknowledged.importer.sb", "com.apple.USBAgent.sb", "com.apple.softwareupdated.sb", "com.apple.xscertd-helper.sb", "com.apple.usbd.sb", "com.apple.xscertd.sb", "cvmsCompAgent.sb", "cvmsServer.sb", "fontmover.sb", "fontmoverinternal.sb", "fontworkerinternal.sb", "gss-acceptor.sb", "gss-initiator.sb", "kadmind.sb", "kcm.sb", "mdflagwriter.sb", "kdc.sb", "ftp-proxy.sb", "mds.sb", "mdworker-bundle.sb", "mds_stores.sb", "mdworker-mail.sb", "mdworker-sizing.sb", "mdworker-scan.sb", "mdworker.sb", "natpmpd.sb", "qlmanage.sb", "pfd.sb", "quicklook-satellite-general.sb", "mDNSResponder.sb", "quicklook-satellite.sb", "quicklook-satellite-personal.sb", "quicklookd-job-creation.sb", "webdav_agent.sb", "quicklookd.sb", "watool.sb", "wfs.sb", "wifivelocityd.sb", "Mac-CAD6701F7CEA0921.plist", "Mac-FFE5EF870D7BA81A.plist", "Mac-7DF21CB3ED6977E5.plist", "Mac-35C5E08120C7EEAF.plist", "Mac-2BD1B31983FE1663.plist", "Mac-42FD25EABCABB274.plist", "Mac-35C1E88140C3E6CF.plist", "Mac-27ADBB7B4CEE8E61.plist", "Mac-66E35819EE2D0D05.plist", "Mac-473D31EABEB93F9B.plist", "Mac-06F11FD93F0323C5.plist", "Mac-4B682C642B45593E.plist", "Mac-031B6874CF7F642A.plist", "Mac-551B86E5744E2388.plist", "Mac-A369DDC4E67F1C45.plist", "Mac-BE0E8AC46FE800CC.plist", "Mac-E43C1C25D4880AD6.plist", "default.plist", "Mac-BE088AF8C5EB4FA2.plist", "Mac-EE2EBD4B90B839A8.plist", "Mac-3CBD00234E554E41.plist", "Mac-77EB7D7DAF985301.plist", "Mac-189A3D4F975D5FFC.plist", "Mac-B809C3757DA9BB8D.plist", "Mac-DB15BD556843C820.plist", "Mac-06F11F11946D27C5.plist", "Mac-9F18E312C5C2BF0B.plist", "Mac-9AE82516C7C6B903.plist", "Mac-B4831CEBD52A0C4C.plist", "Mac-FA842E06C61E91C5.plist", "charset.pivot", "mapper.dir", "firmlinks", "Stopwords.plist", "adi", "acorn", "adventure", "aes", "alliant", "allegro", "algol68", "aout", "apache", "android", "apl", "amigaos", "application", "animation", "applix", "apple", "amanda", "arm", "apt", "asf", "assembler", "asterix", "att3b", "basis", "beetle", "avm", "ber", "bflt", "bhl", "bioinformatics", "biosig", "audio", "blcr", "blender", "blackberry", "archive", "blit", "bm", "bout", "bsdi", "bsi", "btsnoop", "bytecode", "cbor", "c64", "c-lang", "cafebabe", "chord", "citrus", "cddb", "clarion", "cisco", "cad", "claris", "clipper", "coff", "clojure", "convex", "communications", "dicrc", "mib2c.access_functions.conf", "mib2c.check_values.conf", "mib2c.check_values_local.conf", "mib2c.column_defines.conf", "mib2c.array-user.conf", "mib2c.column_enums.conf", "mib2c.column_storage.conf", "mib2c.create-dataset.conf", "mib2c.container.conf", "mib2c.genhtml.conf", "mib2c.int_watch.conf", "mib2c.conf", "mib2c.mfd.conf", "mib2c.notify.conf", "mib2c.iterate.conf", "mib2c.old-api.conf", "mib2c.iterate_access.conf", "mib2c.scalar.conf", "mib2c.perl.conf" ], "public": 1, "adversary": "DragonForce Malaysia", "targeted_countries": [ "United States of America" ], "malware_families": [ { "id": "Esc", "display_name": "Esc", "target": null }, { "id": "SelectAll", "display_name": "SelectAll", "target": null }, { "id": "Vim Tutor", "display_name": "Vim Tutor", "target": null }, { "id": "Todo", "display_name": "Todo", "target": null }, { "id": "AdaCore", "display_name": "AdaCore", "target": null } ], "attack_ids": [ { "id": "T1547", "name": "Boot or Logon Autostart Execution", "display_name": "T1547 - Boot or Logon Autostart Execution" }, { "id": "T1070", "name": "Indicator Removal on Host", "display_name": "T1070 - Indicator Removal on Host" }, { "id": "T1059", "name": "Command and Scripting Interpreter", "display_name": "T1059 - Command and Scripting Interpreter" }, { "id": "T1134", "name": "Access Token Manipulation", "display_name": "T1134 - Access Token Manipulation" }, { "id": "T1106", "name": "Native API", "display_name": "T1106 - Native API" }, { "id": "T1036", "name": "Masquerading", "display_name": "T1036 - Masquerading" }, { "id": "T1176", "name": "Browser Extensions", "display_name": "T1176 - Browser Extensions" }, { "id": "T1105", "name": "Ingress Tool Transfer", "display_name": "T1105 - Ingress Tool Transfer" }, { "id": "T1119", "name": "Automated Collection", "display_name": "T1119 - Automated Collection" }, { "id": "T1027", "name": "Obfuscated Files or Information", "display_name": "T1027 - Obfuscated Files or Information" }, { "id": "T1056", "name": "Input Capture", "display_name": "T1056 - Input Capture" }, { "id": "T1140", "name": "Deobfuscate/Decode Files or Information", "display_name": "T1140 - Deobfuscate/Decode Files or Information" }, { "id": "T1030", "name": "Data Transfer Size Limits", "display_name": "T1030 - Data Transfer Size Limits" } ], "industries": [], "TLP": "white", "cloned_from": null, "export_count": 109, "upvotes_count": 0, "downvotes_count": 0, "votes_count": 0, "locked": false, "pulse_source": "web", "validator_count": 0, "comment_count": 0, "follower_count": 0, "vote": 0, "author": { "username": "ilyailya", "id": "298851", "avatar_url": "https://otx.alienvault.com/assets/images/default-avatar.png", "is_subscribed": false, "is_following": false }, "indicator_type_counts": { "CVE": 2, "email": 635, "hostname": 840, "URL": 2021, "FileHash-SHA1": 6, "domain": 378, "FileHash-SHA256": 548 }, "indicator_count": 4430, "is_author": false, "is_subscribing": null, "subscriber_count": 34, "modified_text": "405 days ago ", "is_modified": true, "groups": [], "in_group": false, "threat_hunter_scannable": true, "threat_hunter_has_agents": 1, "related_indicator_type": "domain", "related_indicator_is_active": 1 }, { "id": "67a7efe28a685d9a19cc0417", "name": "Targeted Attack: Windows Virtual Interface Machine on OS", "description": "", "modified": "2025-03-10T00:00:01.125000", "created": "2025-02-08T23:59:30.868000", "tags": [ "code", "range", "file offset", "ecxedi20xa", "edi0x6d", "ebp20x20", "esi0x67", "edx0x6f", "esi0x61", "ebp20x62", "hopper", "cve20072438", "normally", "use vim", "checkfile", "vimruntime", "checkdir", "vim project", "https", "bram moolenaar", "bram", "files", "silent", "insert mode", "down", "pumvisible", "vim script", "evim", "maintainer", "spellpopupmenu", "aunmenu", "tlunmenu", "loadbuffermenu", "revert", "difforig", "show", "ctrlu", "diffthis", "bail", "win32", "vim support", "remove", "comment", "genericname", "name", "keywords", "gvim", "edit", "zhcn", "editor", "metin", "rediger", "loadftplugin", "filetype", "expand", "amatch", "make", "sinsert", "middlemouse", "unix", "amiga", "mswindows", "loadindent", "end def", "visual mode", "shiftdel", "copy", "vim default", "selectmode", "insert", "load", "detectfiletype", "addoption", "optiong", "binoptiong", "optionl", "binoptionl", "header", "space", "python", "find", "open", "mark", "shell", "ruby", "install", "vim desktop", "substitute", "vunmenu", "paste", "script", "selectall", "word", "popup", "menu", "line", "close", "window", "back", "toolbar", "compiler", "next", "hack", "vimvimrc", "haiku", "openvms", "setsyn", "lang", "syntax menu", "description", "define", "setsyn function", "assembly", "maya", "bufnewfile", "bufread", "starsetf", "setf", "language", "visual basic", "xml au", "latex", "setfiletypesh", "endif", "lilo", "apache", "postscript", "rexx", "atom", "meta", "clipper", "desktop", "gift", "hercules", "julia", "mercurial", "pacman", "trigger", "puppet", "path", "powershell", "info", "ziggy", "speedup", "systemd", "form", "format", "calendar", "dracula", "config", "sfile", "esc", "iconv", "psflags", "if defined", "newitem force", "itemtype file", "iso88591 t", "utf8", "utf8 t", "iconvpath", "t iso88591", "makefile", "converted", "bob ware", "colorado school", "mines", "vim editor", "on your", "original copy", "please", "golden", "translation", "lesson", "enter", "type", "filename", "press", "normal mode", "repeat", "summary", "notice", "ruler", "test", "letzn", "mrkl", "zeil", "strg", "bewg nn", "end von", "druck", "dautticht", "zipf", "zaichen", "netty", "moveu el", "entrar", "premeu", "fitxer", "normal", "prova", "repetiu", "sumari", "desprs", "ara premeu", "cont", "ctrl", "ctrld", "append", "ctrlr", "ctrli", "shift", "backspace", "lekce", "napi", "dek oznaen", "normlnm mdu", "pesu", "stla", "soubor", "pesu kurzor", "opakuj", "toto", "lektion", "flyt", "skriv", "tryk p", "gentag", "bemrk", "filnavn", "nr der", "tryk", "zeile", "bewege den", "tippe", "zeichen", "cursor zu", "cursor zum", "kommandos", "cursor", "null", "tutor", "ctrlg", "shiftg", "shiftn", "msdos", "vimtutor", "capslock", "michael", "movu la", "leciono", "enenklavo", "kursoron al", "tajpu", "kursoron e", "testo", "premu", "dosiernomo", "resumo", "nova", "anon", "leccin", "mueva el", "intro", "pulse", "escriba", "para", "ahora", "insertar", "esto", "repita", "antes", "tenga", "como", "este", "leon", "tapez", "dplacez", "entre", "chap", "insertion", "puis tapez", "rptez", "appuyez", "lekcija", "otipkajte", "pritisnite", "ponovite", "kako bi", "insert mod", "prijeite", "saetak", "imedatoteke", "note", "windows", "yank", "mozgassuk", "fjlnv", "parancs", "lecke", "teszt", "j sort", "nyomja meg", "norml mdban", "ismtelje", "muovi il", "batti", "lezione", "invio", "premi", "ripeti i", "nomefile", "modalit normale", "adesso batti", "nota", "alla", "stata", "replace", "change", "subtitute", "school", "emiau", "spustelkite", "testas", "pirmj", "failovardas", "fail", "normalij", "santrauka", "ymeklis", "raid", "ramen", "tagad", "ievadiet", "piemram", "apkopojums", "lai izdzstu", "lai ievietotu", "ievadot", "ievrojiet", "js varat", "macos", "leksjon", "flytt", "trykk", "slette", "repeter", "erstatte", "sette", "kommandoen", "sett", "tips", "vise", "druk", "het commando", "herhaal de", "als je", "deze", "de cursor", "gebruik", "voeg", "bestandsnaam", "zorg", "mova", "digite", "teste", "agora", "pressione", "insero", "mais", "lekcja", "przenie kursor", "wcinij", "vima", "wpisz", "teraz", "powtarzaj", "nazwapliku", "uwaga", "jest", "dmesine", "ders", "ilk satra", "bu satrda", "normal kipe", "normal kipte", "daha fazla", "pomerite kursor", "otkucajte", "preite", "imefajla", "rezime lekcije", "za zamenu", "flytta", "filnamn", "normallge", "tryck", "om du", "sammanfattning", "genom", "lekcia", "presu kurzor", "presu", "napsanie", "zopakuj", "poznmka", "lcmessages", "lcall", "slovak tutor", "vim tutor", "amatria", "thevimproject", "slovak", "czech", "number", "motion", "ignore", "hjkl", "by gi", "di chuyn", "cu lnh", "u tin", "thay", "tntptin", "nu bn", "tng kt", "vim c", "lodi", "caps", "lock", "abc de", "command", "krishna", "spellerrors", "display dpy", "none", "false", "xfree", "sendinit", "isserialname", "staticspace", "xsync", "sendtovim", "main", "k command", "shell script", "vt100", "term vt100w", "dec locator", "vsnet", "tools", "external tools", "title", "arguments", "curline", "itempath", "init dir", "empty", "fbshtagsfp", "create", "options", "tags", "bourne shell", "perl", "fbkshfp korn", "tcl shell", "tk windowing", "parse", "new buffer", "buildcasetable", "printf", "buildwidthtable", "keys", "parsefoldprops", "parsewidthprops", "variabletags", "argv", "stephen riehm", "david woodfall", "getopt", "v include", "print version", "suppress", "reason", "file", "severity", "o ccfilter", "following", "this first", "ccfilter", "quickfix format", "though", "start", "john lange", "primitivem", "errorformat", "perl script", "executecore", "aerts", "sw developer", "sony telecom", "europe", "b1130 brussels", "belgium", "port", "host", "server", "vim channel", "chopen", "localhost8765", "json message", "linelength", "compilernames", "irix", "solaris", "hpux", "pablo ariel", "c compiler", "compilerqty", "usage", "project", "collector", "written", "ives aerts", "notes", "r decrement", "v verbose", "outputs", "o treat", "program", "q errorfile", "stdout", "copyright", "joerg ziefle", "perl w", "first", "maketag", "version", "exuberant ctags", "statement", "loop", "michael schaap", "support", "packagename", "look", "february", "push", "sgi mipspro", "error int", "error", "doit", "vim9 function", "nr2char", "c program", "vim quickfix", "awk script", "dec terminal", "make vim", "errors", "begin", "kirchgatterer", "opcodes syn", "addresses", "numbers", "types syn", "blocks syn", "strings syn", "program counter", "hilo byte", "quit", "todo todo", "aappythonscript", "python line", "python block", "blockline", "abap", "statement hi", "string hi", "structure", "vim abap", "abapr4", "marius piedallu", "james allwright", "april", "klmpqwvw", "comment hi", "type hi", "identifier hi", "constant let", "abel", "john cook", "johncook3", "a bunch", "todo xxx", "fixme", "c style", "abaqus", "carl osterwisch", "costerwi", "remark", "abaqus comment", "abaqus keyword", "include hi", "todo hi", "acedb model", "stewart morris", "thu apr", "syntax file", "acedb software", "xref syn", "rest", "preproc hi", "delimiter hi", "nikolai weibull", "include", "useroption", "options medium", "defaultprinter", "outputfirstline", "filecommand", "todo fixme", "martin krischik", "kind", "keyword", "mk bram", "standard", "character", "stype", "date", "vim syn", "altera ahdl", "x syn", "todo", "xnor syn", "specialchar hi", "builtin", "define hi", "builtin rect", "operator hi", "special hi", "dbus", "g3drop", "builtin dump", "builtin number", "builtin call", "redir", "stream", "screen", "function hi", "aflex", "lex syntax", "mathieu clabaut", "lastchange", "ada syntax", "aflex stuff", "patterns", "dominique pelle", "storageclass hi", "keyword let", "endlet", "htmlformat", "htmlcolor", "span", "htmlformatn", "foldcolumnbuild", "css1", "foldedid", "html", "generator", "fixme todo", "xxx note", "spell", "amigados", "campbell", "former url", "syntaxamiga", "krief david", "display drop", "beta cauchy", "irand224 syn", "normal poisson", "antlr4", "another tool", "yinzuo jiang", "jiangyinzuo", "july", "option value", "ben rubson", "hammers", "changelog", "option value1", "option", "value1", "david necas", "yeti", "base", "xxx not", "core", "antlr", "javacc parser", "azaz09", "parserend", "parserbegin", "token skip", "antsyntaxscript", "doug kearns", "zellner", "xmlcdatastart", "xmlcdataend", "xmltag", "xmlendtag", "ayer", "atch", "orkspace", "ngle", "rity", "mbol", "ffset", "istory", "osition", "xport", "stack", "tack", "digi", "flip", "shade", "cluster", "keyb", "arch", "moran", "ecode", "gnu arch", "source", "keyword hi", "simulate", "aptitude", "state", "yann amar", "quidame", "aptconf", "incomplete", "ebug", "autodetect", "fast", "marker", "score", "arduino", "hoff", "october", "license", "vim license", "arduino ide", "erik nomitch", "adam obeng", "artenterprise", "dorai sitaram", "ds26", "thilo six", "number hi", "edfghprs", "gnu assembler", "erik wognsen", "kdahlhaus", "kevin", "label hi", "macro hi", "title hi", "deprecated", "skip", "none hi", "claudio fleiner", "claudio", "end imports", "exports from", "implicitstags", "explicitstags", "absent present", "size universal", "strings", "aspperlscript", "perlscript", "aaron hope", "constant hi", "bwlsdxp", "macro", "specialchar", "error hi", "aspvbserror", "aspvbsfunction", "aspvbsmethods", "aspvbsstatement", "aspvbsnumber", "aspvbscript", "aspvbscomment", "aspvbs", "exits", "floating point", "asterisk", "tilghman lesher", "corydon76", "zonemessages", "atlas", "inaki saez", "jisaez", "flags bef", "orange syn", "containsasytodo", "asymptote", "avid seeker", "c syntax", "autodoc", "berg", "xml dl", "display", "contains", "borz", "kdpds", "oneline", "hotstring", "comspec", "hotkey", "reload", "common", "autoit", "soundplay", "autoit v3", "jared breland", "ping", "shutdown", "vim maintainers", "john williams", "action", "makefile syntax", "avenue", "arcview", "wagner", "esri", "string", "integer number", "operator syn", "xor mod", "hitachi h8300h", "xorc syn", "identifier let", "avr assembler", "avra", "avra home", "avra version", "marius ghita", "mhitza", "gawk ref", "functions syn", "awk ref", "effective awk", "programming", "keeps", "astro", "style", "fold", "enable", "astrojavascript", "htmlpreproc", "wuelner martnez", "html tag", "azaz", "ayaccuniongroup", "ayacc", "clusters", "aunis", "bash", "a formal", "method", "contributor", "csaba hoch", "undef", "defaultchar", "startstartfont", "bdfboundingbox", "containsbdftodo", "bibtex", "bernd feige", "ignore case", "xdata customa", "xref", "ams mref", "data", "basic", "quickbasic", "trim", "metacommands", "kill", "zonenumber", "bind zone", "mehnle", "slava gorbanev", "generates syn", "bcall", "vlado", "keywords syn", "string syn", "comment syn", "parent", "sulejman", "blank", "xspo", "bitbake", "chris larson", "kergoth", "daniel kho", "bsdl", "vhdl syntax", "tim pope", "vimnospam", "highlight", "imperfect", "bstnumber", "entry function", "integers macro", "bazel", "david barnett", "label", "digit", "john leo", "spetz", "boolean", "statuses", "bazaar", "dmitry vasiliev", "dima", "diff", "nospell", "synchronization", "baanerror", "selecteos", "updateerror", "d rows", "default", "selectempty", "selecterror", "updateempty", "union", "hooks", "normal hi", "case", "haskell cabal", "build file", "profunctor", "benchmark", "import", "cabalconfigpath", "cabal config", "original author", "cabalconfigkey", "false ghc", "cabal project", "true false", "cabalprojectnat", "boolean hi", "cparengroup", "cstringgroup", "ccommentgroup", "clabelgroup", "iso c99", "elifs", "ifndef", "ccppoutingroup", "optional", "accept", "public dtddecl", "entity catalog", "errormsg hi", "cdlcommentgroup", "raul segura", "acevedo", "xcheck", "childsname", "parentsname", "grpsdescription", "fixme xxx", "fullburn", "readdriver", "writedevice", "readdevice", "cfgcomment", "uncpath", "cfgstring", "cfgsection", "prischepoff", "on off", "yes no", "dos drive", "zhenyu", "documentation", "and fold", "operator", "punctuation", "transparent", "region and", "cfmlcorekeyword", "linden", "coldfusion", "skipwhite", "nextgroup", "cdrtoctrack", "cdtext", "performer", "silence", "zero", "softintegration", "cc interpreter", "declspec", "exception hi", "structure let", "built", "chaiscript", "jason turner", "lefticus", "escape", "web changes", "andreas scherer", "details", "cweb", "knuth", "silvio levy", "webcweb", "november", "haskell", "armin sander", "changelog file", "menesis", "vinschen", "june", "chatito", "observeroftime", "import syn", "intent syn", "slot syn", "cheetah", "max ischenko", "matches", "precondit hi", "evan hanson", "scheme", "chicken", "repository", "scheme syntax", "lighten", "heredocs", "cc syntax", "hse1", "chorus", "startofverse", "startofbridge", "startoftab", "startofabc", "startofly", "chordfont", "chill", "repeat hi", "avoid", "youngsang yoon", "image", "ccitt high", "this", "ember", "sifs0", "sinclude", "calendarinclude", "andrea callea", "chuck", "object event", "ugen array", "pieter van", "engelen", "arthur van", "leeuwen", "start syn", "int real", "char bool", "zamana", "flagship", "mario eusebio", "accept append", "blank from", "highlight value", "cmake", "comments", "match key", "cmakecachekey", "advanced", "highlight str", "stringstr", "nickspoons", "internal", "clever language", "clever", "multibase", "philip uren", "philuspax", "cmod", "cmodautodoc", "supports", "init init", "exit gcrecurse", "browser", "cocor", "shukla", "any characters", "context end", "from if", "nested pragmas", "to tokens", "cword", "fnameescape", "supplement", "must", "dgacfbe", "clojuretop", "arraychunk", "vecnode", "vecseq", "x00x7f", "partstart", "gondi", "inst", "etcdisktab", "acmsg", "acmsgtype", "hammesr", "yngve inntjore", "levinsen", "khym chanur", "james mccoy", "well", "anything", "conary recipe", "addallflags syn", "run automake", "makeinstall syn", "install copy", "move symlink", "link remove", "doc syn", "crm114", "modemsg hi", "imported", "target", "true", "interface", "quiet", "private", "write", "multi", "never", "unknown", "fatalerror", "sensitive", "android", "download", "guard", "exact", "locale", "trace", "alphabet", "john hoelzel", "hours days", "commands", "llll", "hminsmsusnsi", "ffll", "ken shan", "ccshan", "context", "synname", "startstartz", "endstopz1", "mptop", "luatop", "csccommentgroup", "if else", "endif elseif", "lev sy", "iallancestors", "curgen sy", "warningmsg hi", "essbase", "prior", "descendants", "cshell", "syntaxcsh", "variables", "luul", "csall", "srecord", "az09", "processes", "amsettimer", "sdlmatch", "default hi", "fdr input", "maxim kim", "habamax", "functions", "predefined term", "end predefined", "term variables", "century term", "csdl", "jacek artymiak", "c22032019", "call", "replacing", "comp", "recognize", "ascii", "existing syntax", "ctrlhbold", "ctrlh", "module level", "prop", "media", "cuda", "nvidia compute", "unified device", "architecture", "terriberry", "device global", "host managed", "shared syn", "restrict", "cupl simulation", "cupl syntax", "matt dunford", "sat nov", "statement let", "tex syntax", "cweb source", "cc material", "webincludedc", "double", "rc file", "dada", "dadas", "etant", "scen", "regel", "pero", "esquema", "tapi", "kada", "dados", "maka", "fono", "cupl", "valid integer", "signal", "phil derrick", "phild", "cynpp", "cynlib", "cynlib syntax", "posedge negedge", "changed syn", "instantiate", "out inst", "url http", "default cynscon", "standard syntax", "include debian", "match uri", "addremove", "byhash", "christopher", "dcod trts", "tnxt crlf", "labl syn", "cequ cneq", "cgte clte", "cbit clse", "dcomment", "jason", "pragma", "4857", "digital command", "sword", "mine", "conditional hi", "dart", "eugene pr3d4t0r", "ciurana", "former", "gerfried fuchs", "alpha", "rust", "datascript", "dscommentgroup", "comment let", "debcopyright", "orig author", "rob brady", "robb", "wu yongwei", "library stub", "code windows", "dos syn", "exports imports", "dep3 patch", "gabriel filion", "gabster", "specification", "authorfrom", "adminemail", "lockfile", "matthijs", "match", "ttext", "ccategory", "fflag", "llicense", "rock linux", "ren rebe", "spell syn", "lastline syn", "filter", "disablestrat", "s un", "r en", "jakson alves", "ansi sgr", "ansi sgr8", "jan larres", "term left", "black", "green", "contact", "charityware", "uganda", "entry", "block", "parasitic", "parameter", "devicemos", "rules", "device", "diva", "toby schaffer", "categories", "exectryexec", "unmounticon", "at wp", "chat", "django", "django template", "dave hodder", "dnsbind zone", "docbook sgml", "cest let", "docbook xml", "docbook", "devin weaver", "shlomi fish", "auto detect", "syntax xml", "sgml", "syntax sgml", "rory hunter", "json", "dockerfiles", "honza pokorny", "onbuilds", "from", "add arg", "cmd copy", "mike williams", "mrmrdubya", "windows nt", "msdosms windows", "mckee", "nima talebi", "hong xu", "sept", "keyword hilink", "hilink", "error hilink", "nargs hilink", "markus mottl", "enclosing", "scott bordelon", "wed apr", "cadence", "automation", "design rule", "checking", "layout", "schematic", "dsssl", "cest", "example", "xmlregionhook", "dtml", "dtml syntax", "zope", "markup language", "jordaan", "doxygenhtmltop", "synlink", "link", "syncolor", "strong", "reflink", "cpreprocgroup", "actions", "dtrace d", "d script", "solaris dynamic", "tracing guide", "nicolas weber", "nicolasweber", "first line", "probe", "turn", "entity", "matchgroupnone", "document type", "definition", "brabandt", "dune", "anton kochkov", "samuel hym", "simon cruanes", "kawahara satoru", "urkedal", "etienne millon", "dylan", "justus", "fri sep", "include let", "dylan library", "interface files", "brent fulgham", "bfulgham", "string let", "fulgham", "dnsmasqkeyword", "dnsmasqrange", "editorconfig", "anders", "edif version", "edif", "artem zankovich", "zartem", "5481988", "john beppu", "beppu", "ecd file", "embedix linux", "elm filter", "syntaxelmfilt", "elmfiltnumber", "brssow", "environments", "wraparound", "elinksnumber", "elinkscolor", "savingstylew", "imagelinksuffix", "homepage", "current void", "selse", "sthen", "eiffel", "joseph hager", "ajhager", "typedef hi", "lambda", "xxxx", "kresimir marzic", "oscar hellstrm", "oscar", "kornel", "syntax", "label highlight", "type highlight", "identifier", "george", "exec sql", "preproc let", "esterel", "luca necchi", "nikos andrikos", "esterel regions", "esterel types", "esterel comment", "identifiers", "euphoria", "builtins", "function", "reset", "should suffice", "etermgeneral", "d0xx", "mod5", "rubytop", "eruby", "erubysubtypezsw", "conventional", "text", "generated file", "david nev", "setup", "expect", "normal expect", "ralph jennings", "knowbudy", "user", "sysv", "bsd isms", "syntaxexports", "optset", "eviews", "vaidotas zemlys", "zemlys", "az4857", "assembler", "fasm", "ron aaron", "vim url", "fasm home", "fasm version", "xmm0 xmm1", "xmm2 xmm3", "dwayne bailey", "dwayne", "fdcc", "definitions", "iso tr", "unicode", "shell command", "output", "array", "fantom", "service", "bridle", "informix", "update", "abort abs", "absolute accept", "access acos", "add after", "allocate alter", "drop", "fishnext", "fishstatement", "fishterminator", "fishargument", "nicholas boyle", "flexwiki", "reilly", "home", "fuse", "modify", "table", "pascal makefile", "sections", "comments syn", "forth79", "forth83", "char", "forth83 syn", "body", "noname", "class", "local", "tung", "thu oct", "thomas reiter", "manipulation", "book", "document", "textfile", "apply", "formats", "popu", "crea", "modi", "memo", "defi", "disp", "dele", "appe", "repl", "proj", "alia", "cmon", "nvert", "mwin", "uniq", "blin", "carr", "story", "mult", "rator", "fortran", "ends", "cray", "ulllull", "stop", "fvwmm4", "mainsyntax", "fvwm2m4", "include m4", "include fvwm2", "fvwm1", "hss1", "general syn", "szsw", "check", "journal", "hold", "fvwm", "cursormove", "edgeresistance", "modulepath", "noborder", "windowlistskip", "backcolor", "sticky", "refresh", "buttons", "exclam", "slash", "gdmo", "iso101654", "guidelines", "managed object", "gyuman", "chester", "godot resource", "section syn", "ssss", "gdb command", "simon sobisch", "isplay", "unset", "linkurl", "gemtext markup", "suneel freimuth", "heading", "list", "quote", "heading special", "list statement", "godot", "bug hack", "gitdiff", "dddd", "endt", "commit", "question hi", "giftcef", "linenr hi", "giftceffw", "giftce", "conceal hi", "gedcom", "paul johnson", "december", "abbr addr", "adop adr1", "adr2 afn", "godot gdscript", "website", "pattern", "attribute syn", "macro syn", "gitcommitdiff", "your", "todo let", "crrw", "creator", "xexec", "syn match", "az4857 syn", "adam monsen", "opengl shading", "modified", "godoc", "title let", "gocommentgroup", "chan", "foldenable", "packagecomment", "integer hi", "todo regexp", "todos", "josh wainwright", "dot ja", "at gmail", "dot com", "karim belabas", "texstyle syntax", "todo syntax", "todd zullinger", "daniel kahn", "gillmor", "containsgpgtodo", "gprof output", "flat profile", "gretl", "gretl genr", "variable", "grads", "fronzek", "grid analysis", "display system", "grads scripting", "variables syn", "gnashkeyword", "gnashcomment", "gnashtodo", "solreadonly", "solsafedir", "john marshall", "jmarshall", "pedro alejandro", "lpezvalencia", "ddd0xx", "pager", "terminal", "chainloader", "groovytop", "exception", "groovy", "debug hi", "gtk theme", "packer", "conceal", "json syntax", "single", "trailing commas", "fixme note", "gnu server", "pages", "source html", "include java", "redefine", "argc argv", "begin begg", "end endg", "graph", "vim source", "matchlist", "vimsrcdir", "both", "getqflist", "cent", "kword", "c function", "small", "light", "vimcontinue", "endstr", "gensynvim", "vim9 syn", "vimexprlist", "magic", "hamlrubytop", "hamlcomponent", "hamltop", "haml", "hamlhtmltop", "david fishburn", "sun oct", "hamster classic", "hamster", "harepostfix", "hare", "vim syntax", "amelia clarke", "selene", "haredoc", "miscellaneous", "haste", "vlsi ic", "c preprocessor", "09afaf", "treat", "varid", "error let", "hbfilename", "hbhtmlstring", "hbhtmltagn", "hbhtmltag", "hbdirectivelib", "hbdirectiveset", "hbdirectiveout", "kkmmgg", "upstream", "a block", "szskkzes", "vim program", "restorer", "defunct", "aprl", "helplang", "intel hex", "sams ricahrd", "data digit", "folding data", "records", "record syn", "ignore hi", "vim help", "ident", "dana edwards", "danaedwards", "ic design", "preprocessor", "spacings", "resolutions", "ranges", "slhg", "hgcommitdiff", "sapling", "ken takata", "kentkt", "max coplan", "float hi", "hls playlist", "benot ryder", "comment line", "hogvar", "hogopnot", "hognumber", "hogipaddr", "hogcomment", "hogport", "hogoprange", "hogcomment syn", "hogstring", "bind", "elseif", "html template", "dennis", "htmltop", "htmljavascript", "onas", "htmlxml", "idem", "aria", "m4top", "htmlm4", "htmlos", "repeat syn", "aestiva", "jason rust", "jrust", "django html", "scomment", "i3configident", "i3configstrin", "i3configvalue", "focus", "i3configsh", "i3configstrvar", "i3configcommand", "i3configcolvar", "moving", "itanium", "parth malwankar", "pmalwankar", "file version", "masm syntax", "mark manning", "markem", "allan kelly", "ibasic file", "icewm menu", "james mahler", "fri apr", "icewm", "ids menu", "icon special", "icemenu", "data language", "ajelenak", "paren hi", "paren", "billshannon", "nlps", "npro", "graphics", "iconpregroup", "icon", "wendell turner", "prelude", "inbpc", "ddspe", "leaderscopy", "fontname", "badness", "elan ruusame", "shtop", "value", "args", "substituted", "macros", "ipfspecial", "ipftodo todo", "hendrik scholz", "hendrik", "openbsd pf", "ipfcomment", "xxx fixme", "donovan keohane", "syndisplay", "global", "verbextend", "double2", "snote", "david brgin", "dbuergin", "continuedoelse", "argv binpath", "cr crlf", "del debug", "eav empty", "inno setup", "my innosetup", "jason mills", "enterdisk syn", "sdsetuptype syn", "ifdef", "elif", "else", "cortopassi", "istoutspec", "peter meszaros", "pmeszaros", "istinpspec", "istcharacter", "istnumber", "istcomment", "jamcommentgroup", "jamparengroup", "ralf lemke", "xxx syn", "jargon file", "dan church", "label let", "javascript", "jls17", "see https", "javatop", "javadoctags", "javahtml", "tx0cr", "javamarkdown", "markdowninline", "jinja", "jinja template", "names syn", "standard jess", "jess", "paul baleme", "pbaleme", "jonas munsin", "xaxis yaxis", "x cross", "number let", "javacc", "java compiler", "javasoft", "vim compiler", "vito", "doc comment", "note xxx", "jspjava", "java server", "rgarciasuarez", "darren greaves", "patch", "thomas kimpton", "software", "eli parra", "json keywords", "jsonc", "izhak jakov", "izhak724", "acknowledgement", "kevin locke", "remove syntax", "json5", "mazunki hoksaas", "guten ye", "ywzhaifei", "syntax setup", "endz1", "kconfigconfigif", "abstract", "juliaexprsnodot", "regex", "naninf", "kdlnumber", "kdlnumber d", "aram drevekenin", "kotlin", "generated", "annotation syn", "kix2001 syn", "kixtart", "handle", "trap", "michael piefel", "entwurf", "cpp mode", "preproc", "error highlight", "storageclass", "delimiter", "sysvars", "false true", "kivy", "corey prophitt", "corey", "load python", "kivy language", "define kivy", "lace", "jocelyn fiat", "constants syn", "latte", "nick moffitt", "pre tag", "elsa", "glapagrossklag", "riley bruins", "ribru17", "keywords syntax", "sections memory", "overlay phdrs", "version include", "absolute addr", "names", "ldapconfcomment", "iso dialect", "modula2 dialect", "modula2 input", "styles", "error endif", "august", "pim dialect", "modula2", "longbitset", "procedure", "r10 dialect", "sto dos", "ldap ldif", "zak johnson", "zakj", "less", "jenoma", "todo optimize", "orce", "arset", "prox", "cache", "agent", "haskelltop", "lhstexcontainer", "ian lynagh", "tex markup", "bird style", "markdown style", "tex style", "lexccode", "user code", "flex", "van engelen", "patrick texier", "lifelines", "xref tag", "liquid", "liquidstatement", "yaml front", "matter", "liquidyamltop", "acdfmnrstuklp", "lilonumber hi", "number list", "niels horn", "lite", "liteinside", "lutz eymers", "ixtab", "email", "sql syntax", "errmsg", "livebook syntax", "lisplistcluster", "clisp ffi", "standard lisp", "keyword lispkey", "litestepdir", "litestep rc", "nethood", "winnt", "lotos", "is8807 syn", "specifications", "is8807", "daniel amyot", "damyot", "wed aug", "except", "logtalk", "logtalk entity", "term", "logic", "chfnauth", "chshauth", "createhome", "defaulthome", "lout", "report", "lambdaprolog", "teyjus", "vim version", "general", "lpccommentgroup", "lpcefungroup", "nodule", "lpcparengroup", "lpcpreprocgroup", "echo", "poet", "timo frenay", "timo", "labels syn", "lotusscript", "taryn east", "ultraedit", "textpad", "activateapp as", "base beep", "call case", "scott bigham", "colorterm", "luau", "marcus aurelius", "farias", "carlos augusto", "collapsebrtags", "lynx web", "lynx", "todo note", "uploader", "lyrics", "lrcnumber", "quake", "operators", "hascbackend", "pkg syn", "definelib syn", "definepgm syn", "importm3lib syn", "fleiner", "mainsyntaxm4", "mailquoteexps", "mail", "felix von", "leitner", "am est", "ascii character", "froms", "mallard", "jhradilek", "mallard markup", "draft", "skipnl", "roland hieber", "overrule", "ostype", "manconfcomment", "build", "suffix", "mason", "perltop", "hinrik rn", "sigursson", "pentium", "abgl", "ceopsz", "offset", "align", "floatingpoint", "vpmaxsq syn", "integer", "maple", "release", "focus master", "define syntax", "filename suffix", "segname segtype", "mtaddon", "matlab", "alex burka", "bbddeess", "all functions", "except keywords", "maxima", "robert dodier", "mermaid", "craig maceahern", "4857192255", "self", "accdescr", "click", "meson", "liam beguin", "zpetkovic", "disabler", "wikitop", "containshtmltag", "wikitableformat", "mediawiki", "yakov lerner", "rfc3339", "james vega", "zsdze", "melgroup", "maya extension", "robert minsk", "jason franklin", "sunghyun nam", "goweol", "mudunuri", "version info", "ctrlh syntax", "markdown", "matchstr", "metafont", "page", "latest revision", "magic point", "spam", "xfont vfont", "gero kuhlmann", "gero", "snmpv1", "snmpv2 mib", "martin smat", "msmat", "david pascoe", "pascoedj", "ax16", "donald knuth", "taocp", "mmix", "dirk hsken", "knuthstyle", "precondit endif", "pcimapfile", "parportmapfile", "model", "nil nil", "true syn", "symbols", "mmatop", "stub", "peter funk", "getdialect", "timo pedersen", "dat97tpe", "whitespace", "any array", "mookeyword", "dilnt", "multiplication", "mojonumber", "mojo", "stuff", "monk", "seebeyond", "mike litherland", "dirk van", "deun", "metapost", "manual", "autosync", "dumpvideo", "loadidx", "rawvideo", "tsprog", "color", "tabtitle", "am cdt", "pm est", "dummy", "ms message", "kwl7", "common ms", "messages", "ms idl", "vadim zeitlin", "vadim", "msql", "env variables", "inlclude", "modsim iii", "philipp jocham", "march", "actid all", "and as", "murphi model", "diego ongaro", "integers", "nspemit", "switch", "mushcode syntax", "rick bird", "clock", "dbck", "dump", "hook", "motd", "notify", "nuke", "restart", "snoop", "stats", "teleport", "attributes", "prettyprint", "libpath", "promylibdir", "attributes syn", "mupad source", "dave silvia", "dsilvia", "ymwd", "cciskaf", "float", "mysql", "pronovici", "encrypt", "namednotnumber", "nick hibma", "location", "marcin", "chaos", "dmap", "modules", "control section", "nastran", "tom kowalski", "any integer", "n1ql", "eugene ciurana", "merge syn", "nest syn", "pr3d4t0r", "vim command", "natural", "nasm", "iend", "movs", "time", "interval", "size", "directory cache", "cache buffers", "minimum file", "count", "daylight", "miner", "keith smiley", "login", "netrwtreegroup", "diffchange hi", "netrw listing", "toplevel", "readtoken", "nixexpr", "daiderd jordan", "daiderd", "region match", "bufenter", "syntax event", "synset", "checked", "muttvars", "neomutt", "bounce", "nsisanyopt", "statements", "nsis", "music", "rcx2", "scout syn", "rcx2 syn", "nqcparengroup", "rcx syn", "nqccommentgroup", "modes", "scout", "stefan", "module", "nginx module", "nginx", "http", "gost", "comet", "speed", "sphinx", "curv", "mtllibs", "exmaintainer", "anthony hodsdon", "objc syntax", "odin", "ms44", "and or", "occamnumber", "group", "omnimark", "paul terray", "mailto", "activate again", "catch clear", "close copy", "ocamltypeexpr", "ocamlallerrs", "jon parise", "ondirshell", "operator let", "objc type", "smes12", "qualifiers", "smes7", "smes19", "preparation", "protected", "structure hi", "openscad", "niklas adam", "luis moreno", "abort all", "alter and", "any as", "asc at", "oplstatement", "oplnumber", "open psion", "epoc16epoc32", "af09", "openvpn", "openvpnnumber", "openvpnsignal", "hupinttermuser", "containstop", "keepend", "eval", "menumode", "endurance", "blade", "illusion", "sneak", "onload", "disablemouse", "getclass", "notes todo", "containsallbut", "spells", "ronan pigott", "ronan", "alpm", "tcpip", "gclckprocs syn", "oracle config", "sandor kopanyi", "oraall", "protocol syn", "bequeath syn", "latest change", "haochen tong", "withconceal", "inlinecode", "super", "pappperl", "papphtml", "cdata", "perlinterpdq", "marc lehmann", "perlexpr", "config file", "lennart schultz", "string keywords", "protobuf text", "lakshay garg", "crgut", "tim chase", "austin", "pcctsinrule", "cpptoplevel", "pccts", "nextstep syn", "openbsd packet", "lauri tirkkonen", "sloadsanchor", "phtml", "perlinterpsq", "perlinterpmatch", "perlinterpslash", "perldata", "portb syn", "intcon syn", "gie eeie", "t0ie inte", "rbie t0if", "intf rbif", "microchip", "pdfxml", "nrtbf", "font", "palm os", "schau", "font id", "beware", "data syn", "postfix", "kelemen peter", "peter", "kelemen", "anton shestakov", "pikestmt", "pikebadgroup", "pike", "pine", "thu feb", "macro let", "httpviewer", "infopath", "longmanuallinks", "filter0xb7", "plaintexmath", "glue", "acute", "cdhoopstuvijll", "rrowvert", "skewsqrt", "mega", "phpinnerhtmltop", "phpclfunction", "phpcltop", "refer", "cphil", "number support", "c language", "does", "address and", "dword", "juerd", "plpperl", "plpend syn", "counter syn", "pl1commentgroup", "pl1parengroup", "declare dcl", "procedure proc", "loops", "podformat", "ibsclfx", "perl pod", "poe item", "show hide", "minimal", "address", "obsolete", "openclose", "bjoern jacke", "bjacke", "povray", "syntax syn", "off true", "false yes", "ppwizard", "dennis bareis", "ppwizargval", "constants", "plsqlparengroup", "oracle", "plsql", "klaus muth", "klaus", "altf amcr", "arc asfn", "astk barc", "blk box", "call syn", "cass cir", "melchior franz", "mfranz", "sonia heimann", "todo tbd", "privoxy", "prolog", "promela", "mon oct", "thu aug", "promela types", "class linking", "ps ll3", "dsc comment", "device gstate", "ps level", "postscrstring", "escaped", "matrix", "courier", "buffers", "redistributions", "this software", "including", "but not", "limited to", "pbcommentgrp", "google", "az09az", "posix", "rex barzee", "rexbarzee", "aclqrv", "a af", "ag ax", "e ef", "eg ex", "certain", "ps1comment", "purify header", "informational", "warning", "corrupting", "fatal", "haakon riiser", "hakonrk", "c syn", "pypa", "commands syn", "globs", "line break", "pyrex", "marco barisione", "python syntax", "olor", "chars", "progress", "ation", "progressdebug", "progressnumber", "edure", "progresstodo", "eter", "daniel", "sage", "widget", "rage", "python library", "reference", "quarto", "aquino", "vim runtime", "quickfix", "directory hi", "hee1", "lookdown lookup", "quakeoctalerror", "quake12command", "noprefix", "console", "onoff", "qb64", "z2z1", "qmlexpr", "radiance scene", "georg mischler", "radiance", "greg ward", "surface", "raccruby", "rule", "racc input", "dobie", "xdobie", "handling", "vector", "types syntax", "raml", "restful api", "hopkins", "rofi advanced", "pierguill", "common rc", "resource", "heiko erhardt", "language syn", "bitmap icon", "cursor cursor", "cmash", "ratpoison", "magnus woldrich", "djkea2", "bulls eye", "force control", "number syn", "rapid", "azazxc0xff", "azazxc0xff09", "rakuinterpqq", "rakuregexen", "rakuregexp5", "rcs log", "joe karthauser", "rcs file", "revision", "yyyy", "rebol", "yer todo", "words syn", "view", "view tabs", "spaces", "vicharsearch", "viprevword", "viendword", "visearchagain", "vinextword", "registry key", "registry export", "ulitin", "head", "regedit4", "win9", "bytes", "paths", "xxx bug", "davide alberani", "remind", "ben orchard", "rem omit", "mit license", "raimon49", "permission", "software is", "resolvipcluster", "ipv6 support", "09azaz", "radu dineiu", "hidesymbol", "r help", "r code", "epsilon", "kappa", "slabelsk", "over", "relax ng", "containsrnctodo", "rnoweb", "highlighting", "rnowebr", "ranke", "ferraz pereira", "rosa", "extension", "bytestream", "andrew bromage", "frameend", "worldbegin", "worldend", "attributebegin", "attributeend", "todo improve", "handles", "todo are", "redif", "axel castellane", "templatetype", "and add", "alex zvoleff", "configuration", "r syntax", "syntaxrpcgen", "mikrotik", "cidr notation", "cycle", "exit", "catch", "rpl2", "rmdlatex", "yaml header", "highlight code", "rmdr", "text format", "rich text", "control words", "new control", "rstcruft", "salt state", "jinja runtime", "star", "disallow syn", "disallow", "samba", "new maintainer", "ntlmv2 syn", "synfold", "rubymodifier", "sasbasicsyntax", "add syntax", "sasgraph", "yrdif yyq", "template", "mixin", "extend", "return", "steven dobay", "stevendobay", "sather", "science", "institute", "dede", "scilab", "benoit hamelin", "containedgroup", "preproc syn", "aclchg", "acldel", "aclgrp", "aclumask", "lockscreen", "zombie", "scss", "puria nafisi", "azizi", "always", "ip adresses", "verify", "synopsys design", "constraints", "tcl vim", "thu mar", "tcl syntax", "tcl extension", "xor syn", "task else", "nextstate syn", "in out", "with from", "ebcdic", "closedelay", "txtrigger", "spdnormal", "portd", "comment hilink", "sexplib", "atoms syn", "lists", "clst", "sgml charset", "capacity scope", "features", "baseset descset", "simple", "shfoldheredoc", "shfoldifdofor", "shlooplist", "shfunctionlist", "shidlist", "shecholist", "shcaselist", "shdblquotelist", "provides", "sgml specific", "space crlf", "dquote syn", "percent", "mp luacall", "alephversion", "uchar", "udelimiterunder", "umathchardef", "umathruleheight", "umathstackvgap", "umathxscale", "uoverwithdelims", "hai tp", "bestanden", "hanya dalam", "fiierele", "tp tin", "aemacron amstex", "aacute", "abrevehook", "afterpar", "agrave ahook", "amstex amacron", "atilde", "beforepar beta", "bigm", "delta", "oldstable", "experimental", "bullseye", "trixie", "forky", "focal", "jammy", "devel", "buzz", "maverick", "keyword syntax", "typescriptvalue", "title syntax", "typescripttype", "blabla", "sicad", "zbranyiczky", "irpt", "irptl", "mes1", "swift project", "simula", "simula syn", "keyword end", "when", "nagle", "main url", "comparison", "load sinda", "on si", "off eng", "sieve", "skill", "nsqn", "dirfile", "pnamestring", "pathversion", "schemeskill", "afterbefore", "tolist", "renderman", "dan piponi", "specialkey hi", "headers", "nontext hi", "jan hlavacek", "xuserblock", "for loop", "userblock", "null syn", "tracedrop", "daheartbeat", "slpregcomment", "spi file", "private public", "slrn score", "preben peppe", "guldberg", "age bytes", "syntaxsm", "smarty", "mon nov", "constant", "slice", "zeroc", "morel bodin", "smcl", "stata markup", "jeff pitblado", "jpitblado", "statasmcl", "directive", "smith", "smil", "herve foucher", "smil boston", "animation syn", "smlallerrs", "smlaenoparen", "fabrizio zeno", "cornelli", "zeno", "snns network", "snns http", "lln lun", "toff soff", "ctype syn", "snns", "maximum", "maximum output", "stringcomment", "initvalvalstr", "mono", "snobol4", "rafal sulejman", "site", "csnobol", "parens", "cothi", "afpnumkg", "spice circuit", "noam halevy", "insensitive syn", "spice", "splintallstuff", "splintannotelem", "ralf wildenhues", "splint home", "c code", "purpose", "buildinstall", "linux rpm", "freund", "ormeir", "wed oct", "spyce", "rimon barr", "rimon", "spupordinary", "input output", "spuptextproc", "type stream", "bugs", "execution", "snns result", "fishburn", "thu sep", "sqloracle", "buffer", "sqlforms", "austin ziegler", "prev change", "todo find", "xpos", "java syntax", "sqlj", "sap hana", "upper case", "upper", "schema syn", "user syn", "memory database", "sql syn", "spl syn", "comment syntax", "query language", "adaptive server", "anywhere", "xpscanf syn", "methods syn", "starea syn", "stcentroid syn", "stperimeter syn", "paul moore", "oracle nquote", "diffadd hi", "diffchange let", "section", "query report", "writer", "nathan stratton", "treadway", "jeff lanzarotta", "squid", "thanksto", "ilya sher", "iso8601", "subrip", "range syn", "ddd skipwhite", "bold", "sections syn", "override", "smalltalk", "arndt hesse", "hesse", "openssh client", "jakub jelen", "jakuje", "dominik fischer", "openssh server", "conditional", "repeats", "types", "globals", "statafuncgroup", "statamacrogroup", "stataparengroup", "rmcoll syn", "invftail", "invibeta", "haseprop", "mata", "structurizr dsl", "venthur", "hsiaoming yang", "lepture", "marc harter", "sudoersuser", "lazy", "generic", "swig", "julien marrec", "apache license", "runtime library", "vim maintainer", "emir sari", "nowarn", "i3confignumvar", "endze", "josef litos", "james eapen", "nargs syncolor", "nargs synlink", "syncolor type", "syncolor ignore", "syncolor added", "preproc synlink", "type synlink", "special synlink", "budden", "ingo karkat", "myk taylor", "install syntax", "syntax au", "systemverilog", "verilog syntax", "tads", "amir karger", "karger", "history info", "syntaxtags", "tak2", "tak3", "tak2000", "tak compare", "tak output", "load tak", "tar listing", "type let", "john florian", "wed jul", "key names", "values", "characters", "uuids syn", "rufus cable", "verbose tap", "rufus", "tap output", "pass", "foolman", "cmovsetj", "borland", "united force", "vector graphics", "verbose", "known template", "xfire user", "tcshvarlist", "tcsh", "gautam iyer", "ttlconstant", "term language", "tera term", "kcpy kcrt", "eenlrtbfs", "xhp xhpa", "xt xenl", "msgr", "tclspecialc", "tcltk", "taylor venable", "taylor", "system", "geometry", "tss syn", "typescript", "kao weiko", "jose elera", "campana", "zhao yi", "scott shattuck", "irc channel", "freenode", "vim filetype", "andy lester", "tt2topcluster", "typescriptreact", "react", "strpart", "include perl", "rawperl", "moriki", "atsushi", "ucnumber", "unrealscript", "openwrt unified", "colin caine", "fancy", "normal let", "typstcode", "matchgroupnoise", "noise highlight", "hashtag", "typstmarkup", "noise", "motif uil", "user interface", "thomas koehler", "september", "import hi", "anton", "prunefs", "prunenames", "prunepaths", "prunebindmounts", "upstart", "upstart job", "michael biebl", "biebl", "james hunt", "archivebit syn", "datelimit syn", "daysold syn", "deleted syn", "destination syn", "dirsonly syn", "drivealias syn", "filedate syn", "filedelete syn", "files syn", "msid", "innovation data", "rob owens", "ull ulls", "msg types", "ip address", "agtpcsrv", "profile", "version date", "ms windows", "action devpath", "valgrind memory", "debugger output", "roger luethi", "program url", "christoph gysin", "valve data", "tag syn", "wend", "prather", "pratam", "minor", "iskeyword", "xnor xor", "veraparengroup", "veralabelgroup", "vhdl", "linting", "vhsic", "high speed", "new style", "verilog", "mun johl", "485763", "vos cm", "andrew mcgill", "az syn", "bwlfdgh", "fdgh", "bwlqofdgh", "psect", "virata aconfig", "virata", "viratahexnumber", "execoptions", "ewind", "uffer", "malt", "wind", "vrmlevents", "vrmlfields", "vrmlcomment", "vrmlprotos", "vrmlnodes start", "externproto", "proto", "vgrindefs", "vgrindefs file", "profilesetzss", "java source", "parmp", "novimmain", "extern", "mswin", "featguimswin", "vimdll", "editnone", "level", "heading level", "vimtestsetup", "noop", "java language", "nontext", "returns", "chapter", "annotations", "labels", "text text", "tag head", "void", "htmlsnippets", "object", "object apply", "object bb", "no operation", "u003b", "n value", "pair", "long", "generics", "predicate", "vimtestsetup hi", "error import", "nontext class", "see jls", "declaration", "taggable", "binaryoperator", "i1 x", "i1 y", "string str", "taggable i1", "letters", "letters alpha", "letters beta", "tag tail", "use identity", "supplier", "tests", "identity", "comparable", "intfunction", "a dummy", "tggabl", "string s", "string tostring", "do not", "this file", "indent4", "indent2", "indent8", "tggabls", "fields", "classlock", "defines demo", "testable", "serviceloader", "malformed", "woof", "string s1", "string s2", "browns", "jumpss", "string s4", "string s6", "string apply", "string bay", "as quick", "woofs", "beta", "yieldable", "t yield", "other", "colon", "arrow", "unfoldenable", "italic", "strikethrough", "bold italic", "foobar", "modula2 pim", "test file", "colouring", "is licensed", "under the", "from system", "modula2 iso", "retain", "to do", "modula2 r10", "unsafe", "cardinal", "var abc", "variableb", "variablec", "var3", "var4", "var5", "var6", "variablea", "variabled", "variablee", "variable3", "varb", "variable1", "variable2", "varc", "vard", "variable4", "function1", "function4", "function2", "function3", "eq ne", "gt ge", "le lt", "ne gt", "ge le", "variableathis", "valsubfunc", "below", "reply", "issue", "cfoo", "ifoo", "interrupt", "ctrlc", "e123 catch", "varvalue", "cdpath", "backuptype", "defaultdevice", "executefbackup", "shall", "please wait", "buffer foo", "nargs range", "completer1 foo", "completer2 foo", "foo2", "bang", "nargs foo", "foo delcommand", "multiline", "commenttitle", "end augroup", "autocmd", "fixme call", "matched", "start not", "end not", "end call", "xterm call", "givename", "vim9", "test const", "foo def", "ex command", "dict", "end endfunction", "end enddef", "answer", "warningmsg", "endwhile", "dotest3", "dotest4", "dotest5", "dotest6", "test1", "test2", "test3", "test4", "test5", "funa", "dofuna", "funb", "dofunb", "func", "dofunc", "fund", "dofund", "foo delfunction", "foo function", "foo comment", "foo none", "guifg", "comment none", "ctermfgcyan", "end end", "end let", "end line", "end line1", "a basic", "rhs map", "foo bar", "fubar", "needle", "foogroup foo", "foogroup", "homeinclude", "defabc", "snomagicfoobar", "smagicfoobar", "special", "line comment", "b special", "char0x0044", "testcluster", "cchar", "keywords list", "vim line", "element", "x1f xf", "31 3", "u02a4 u000002a4", "string escape", "hexadecimal", "0xff echo", "decimal", "octal echo", "0377 echo", "vim shebang", "instance", "pairclasstest", "vim keymap", "end const", "expr", "foo unlet", "vim comment", "vim9 ex", "end foo", "xterm foo", "eof foo", "vim9script", "s vim9script", "12345", "0b10101010", "192939", "0777", "0o777", "0xabcdef00", "0x12345678", "runtest", "rticle", "syntax test", "file 0", "dougkearns", "2024 jun", "13 0", "test failures", "when comparing", "italicized text", "eading level", "igure", "eader", "frame", "diomatic text", "nput", "utput", "icture", "rogres", "cript", "earch", "ection", "elect", "reformat", "failure 0", "egend", "oscript", "bject", "ptgroup", "ption", "trong", "tyle", "able", "emplate", "extarea", "itle", "ource", "olgroup", "atalist", "etails", "ialog", "ieldset", "igcaption", "eleted text", "mphasis", "mbed", "side", "udio", "lockquote", "anvas", "aption", "ring at", "ideo", "cronym", "rame", "rameset", "arque", "enuitem", "rack", "narticulated an", "oframes", "trike", "ortal", "aram", "trikethrough", "highlighted", "elements have", "never be", "mage", "interface 0", "efault 0", "mport 0", "redundant", "tail", "alue", "nterface 0", "primer", "label 0", "tatic 0", "oid 0", "edundant", "identity cast", "expres", "to nest", "typeuse an", "htmlcom", "here is", "snip", "tmlsnip", "egion 0", "literal", "html com", "no entry", "point method", "code main", "return 0", "code nul", "eturn 0", "noop1", "may be", "used after", "noop2", "literalu0", "is proces", "return 8", "noop5", "nbsp", "noop6", "noop7", "link j0", "javaignorej0", "vimtestsetup s0", "fen 0", "nt 0", "majorversion", "empty string", "rotected 0", "compares this", "instance with", "the pas", "code that", "no period", "for the", "above sum", "rivate 0", "htmlsnip", "return an", "link m0", "execute", "match visual", "fen c0", "ref0", "literals", "clas", "tostring", "start 0", "ostring 0", "replace 0", "ubstring 0", "noop8", "noop9", "markdowncom", "arkdownsnip", "markdown com", "code public", "the method", "must be", "declared", "code 0", "the major", "java version", "used with", "inal 0", "markdownsnip", "blanks and", "re 0", "static void", "param a0", "rgs 0", "optional c0", "arguments 0", "invoke", "nontext 0", "hrow 0", "ew 0", "object module", "object open", "exports opens", "requires", "bject 0", "eplacement 0", "ar 0", "opens", "object opens", "object provides", "object requires", "object to", "uses", "xtends 0", "mplements 0", "ealed 0", "ermits 0", "bstract 0", "c1 i0", "noop3", "noop4", "a sum", "foldingtests", "static", "object b", "escapestests", "static final", "string hel", "har 0", "0ffffff0", "1200", "1210", "1230", "1240", "1250", "1260", "1270", "1300", "1310", "2040", "3240", "0100", "0120", "0130", "0140", "0150", "0160", "0170", "0200", "0210", "0230", "biginteger", "t1 x", "uper 0", "e element", "radix", "ecord 0", "tatic", "t dum", "isempty", "ublic 0", "ase 0", "ong 0", "witch 0", "genericstests", "todo 0", "3400", "3410", "3420", "3430", "3450", "3460", "3470", "3500", "3510", "3520", "sempty", "opal", "opsome", "ushal", "ushsome", "adix", "romdecimal", "lambdaexpres", "leftconst07", "leftconst08", "leftconst09", "i1 0", "leftconst10", "leftconst1", "leftconst01", "leftconst02", "leftconst03", "leftconst04", "leftconst05", "leftconst06", "leftconst", "const1", "const2", "witch", "hen 0", "alpha w0", "beta w0", "equals", "leftconst12", "typearguments", "identifier 0", "nteger", "ashcode", "omparable", "ry 0", "atch 0", "unction", "tring", "length", "ntfunction", "intsup", "clone", "naryoperator", "alueof", "quals", "redicate", "equalist", "gymnastics for", "ipredicate", "superequalist", "ethodhandle", "invokepredicate", "methodhandle mh", "throwable th", "a dum", "b dum", "t extends", "stringer", "ostring", "ntvalue", "onsumer", "println", "uperequalist", "nvokepredicate", "ethodhandle mh", "remember", "num 0", "asci", "stylable", "t e0", "tringer", "ative 0", "ynchronized 0", "trictfp 0", "thread", "qualist", "ransient 0", "methodstests", "string t0", "la s", "string name", "equires 0", "odule 0", "this module", "to the", "sample project", "published at", "mport m0", "related sup", "ransitive 0", "xports 0", "pens 0", "jdk 23", "ses 0", "rovides 0", "ith 0", "doautocmd", "syntax 0", "0xp0", "ouble 0", "minusoned", "xap1", "doto", "numberstests", "ouble", "loat 0", "maxdecf", "maxhexf", "mindecf", "minhexfa", "minhexfb", "maxdecd", "maxhexd", "minhex", "minoct", "minbin", "minusonehex", "minusoneoct", "minusonebin", "maxhexl", "maxoctl", "minusonehexl", "minusoneoctl", "minusonebinl", "jdk 21", "object o", "rue 0", "alse 0", "stringtests", "a quick", "brown fox", "jumps over", "the lazy", "there are", "lf after", "jumps0", "ver the0", "a nested", "string ap", "brown", "jumps", "over the", "nested com", "switchtests", "ield", "a or", "ield 0", "yte 0", "1let", "hort", "hort 0", "nofoldenable 0", "0000 0", "unfoldingtests", "reak 0", "old italic", "s1024", "talic", "inheritdoc", "object ap", "hile 0", "for vim", "file is", "licensed under", "the vim", "license 0", "efinition 0", "rom 0", "predefined", "ype 0", "ointer 0", "il 0", "nter", "ninter", "octal", "pragmas", "with emphasis", "opyright 0", "uthor 0", "fred flintstone", "icense 0", "baz bam", "ispose 0", "oc 0", "ord 0", "dr 0", "ast 0", "size 0", "rocedure 0", "egin 0", "nd 0", "ixme 0", "eprecated 0", "procedures", "ewfo", "nteger 0", "disabled", "hile fo", "do 0", "while", "synonyms", "itset 0", "roc 0", "roces", "ewproces", "ransfer 0", "ystem 0", "ongcard 0", "bozo bim", "dada jingle", "etbar", "lias 0", "defined pragmas", "numeric", "xcafed0", "inline", "noinline", "implementation", "cho 0", "this for", "done", "is a", "very handy", "solution and", "no real", "replacement", "available", "unction1", "a text", "shel", "his is", "home 0", "ariable10", "this is", "with a", "nset 0", "962 0", "f true", "unab", "abclear 0", "bclear 0", "java module", "changefilename", "restorefilename", "todo highlight", "author", "antonio colombo", "delete", "processing", "hebrew" ], "references": [ "vimrc", "bugreport.vim", "evim.vim", "delmenu.vim", "defaults.vim", "ftplugof.vim", "ftoff.vim", "gvim.desktop", "ftplugin.vim", "gvimrc_example.vim", "indent.vim", "indoff.vim", "mswin.vim", "scripts.vim", "optwin.vim", "vim.desktop", "menu.vim", "vimrc_example.vim", "synmenu.vim", "filetype.vim", "Make_mvc.mak", "Make_all.mak", "README.ru.utf-8.txt", "README.txt", "tutor", "tutor.bar.utf-8", "tutor.ca.utf-8", "tutor.bg.utf-8", "tutor.cs.utf-8", "tutor.da.utf-8", "tutor.de.utf-8", "tutor.el.utf-8", "tutor.eo.utf-8", "tutor.es.utf-8", "tutor.fr.utf-8", "tutor.hr.utf-8", "tutor.ja.utf-8", "tutor.hu.utf-8", "tutor.it.utf-8", "tutor.ko", "tutor.ko.utf-8", "tutor.lt.utf-8", "tutor.lv.utf-8", "tutor.nb.utf-8", "tutor.nl.utf-8", "tutor.no.utf-8", "tutor.pt.utf-8", "tutor.pl.utf-8", "tutor.ru.utf-8", "tutor.tr.utf-8", "tutor.sr.utf-8", "tutor.sv.utf-8", "tutor.sk.utf-8", "tutor.vim", "tutor.zh_cn.utf-8", "tutor.utf-8", "tutor.vi.utf-8", "tutor.uk.utf-8", "tutor.zh_tw.utf-8", "tutor.zh.utf-8", "vimspell.txt", "xcmdsrv_client.c", "ref", "vim132", "vimm", "vim_vs_net.cmd", "shtags.1", "unicode.vim", "shtags.pl", "ccfilter_README.txt", "blink.c", "efm_filter.txt", "demoserver.py", "ccfilter.c", "efm_filter.pl", "ccfilter.1", "efm_perl.pl", "pltags.pl", "mve.txt", "emoji_list.vim", "mve.awk", "a65.vim", "aap.vim", "abap.vim", "abc.vim", "abel.vim", "abaqus.vim", "acedb.vim", "a2ps.vim", "ada.vim", "ahdl.vim", "8th.vim", "aflex.vim", "aidl.vim", "2html.vim", "alsaconf.vim", "amiga.vim", "ampl.vim", "antlr4.vim", "apachestyle.vim", "apache.vim", "antlr.vim", "ant.vim", "aml.vim", "arch.vim", "aptconf.vim", "arduino.vim", "art.vim", "asm.vim", "asciidoc.vim", "asn.vim", "aspperl.vim", "asm68k.vim", "aspvbs.vim", "asteriskvm.vim", "atlas.vim", "asy.vim", "autodoc.vim", "autohotkey.vim", "autoit.vim", "automake.vim", "ave.vim", "asmh8300.vim", "avra.vim", "awk.vim", "astro.vim", "ayacc.vim", "asterisk.vim", "bash.vim", "b.vim", "bdf.vim", "bib.vim", "basic.vim", "bindzone.vim", "bc.vim", "blank.vim", "bitbake.vim", "bsdl.vim", "bst.vim", "bzl.vim", "btm.vim", "bzr.vim", "baan.vim", "cabal.vim", "cabalconfig.vim", "cabalproject.vim", "c.vim", "catalog.vim", "cdl.vim", "cdrdaoconf.vim", "cfg.vim", "cgdbrc.vim", "cf.vim", "cdrtoc.vim", "ch.vim", "chaiscript.vim", "change.vim", "chaskell.vim", "changelog.vim", "chatito.vim", "cheetah.vim", "chicken.vim", "chordpro.vim", "chill.vim", "calendar.vim", "chuck.vim", "clean.vim", "clipper.vim", "cmakecache.vim", "cl.vim", "cmod.vim", "cmusrc.vim", "coco.vim", "colortest.vim", "clojure.vim", "conf.vim", "config.vim", "confini.vim", "conaryrecipe.vim", "crm.vim", "cmake.vim", "crontab.vim", "cpp.vim", "context.vim", "csc.vim", "csh.vim", "cs.vim", "csp.vim", "csv.vim", "cterm.vim", "csdl.vim", "cobol.vim", "ctrlh.vim", "css.vim", "cuda.vim", "cuplsim.vim", "cvs.vim", "cweb.vim", "cvsrc.vim", "cucumber.vim", "cupl.vim", "cynpp.vim", "cynlib.vim", "deb822sources.vim", "dcd.vim", "d.vim", "dcl.vim", "dart.vim", "debchangelog.vim", "debcontrol.vim", "datascript.vim", "debcopyright.vim", "def.vim", "dep3patch.vim", "denyhosts.vim", "debsources.vim", "desc.vim", "dictconf.vim", "dictdconf.vim", "diff.vim", "dircolors.vim", "dirpager.vim", "diva.vim", "desktop.vim", "django.vim", "dns.vim", "docbksgml.vim", "docbkxml.vim", "docbk.vim", "dockerfile.vim", "dosbatch.vim", "dosini.vim", "dot.vim", "dracula.vim", "dsl.vim", "dtml.vim", "doxygen.vim", "dts.vim", "dtrace.vim", "dtd.vim", "dune.vim", "dylanintr.vim", "dylanlid.vim", "dylan.vim", "dnsmasq.vim", "editorconfig.vim", "edif.vim", "ecd.vim", "elmfilt.vim", "elf.vim", "elinks.vim", "eiffel.vim", "elm.vim", "erlang.vim", "esmtprc.vim", "esqlc.vim", "esterel.vim", "euphoria3.vim", "eterm.vim", "eruby.vim", "euphoria4.vim", "exim.vim", "expect.vim", "exports.vim", "eviews.vim", "fasm.vim", "fdcc.vim", "falcon.vim", "fan.vim", "fetchmail.vim", "fgl.vim", "fish.vim", "flexwiki.vim", "focexec.vim", "fpcmake.vim", "forth.vim", "form.vim", "framescript.vim", "foxpro.vim", "fortran.vim", "freebasic.vim", "fvwm2m4.vim", "fstab.vim", "fvwm.vim", "gdmo.vim", "gdresource.vim", "gdb.vim", "gemtext.vim", "gdshader.vim", "git.vim", "gift.vim", "gedcom.vim", "gdscript.vim", "gitattributes.vim", "gitcommit.vim", "gitconfig.vim", "gitignore.vim", "gitolite.vim", "gitrebase.vim", "gitsendemail.vim", "gkrellmrc.vim", "goaccess.vim", "glsl.vim", "godoc.vim", "go.vim", "gnuplot.vim", "gp.vim", "gpg.vim", "gprof.vim", "gretl.vim", "grads.vim", "gnash.vim", "groff.vim", "grub.vim", "groovy.vim", "gtkrc.vim", "group.vim", "gyp.vim", "gsp.vim", "gvpr.vim", "update_date.vim", "README.md", "gen_syntax_vim.vim", "vim.vim.base", "haml.vim", "hamster.vim", "hare.vim", "haredoc.vim", "haste.vim", "haskell.vim", "hastepreproc.vim", "hb.vim", "hcl.vim", "help_ru.vim", "hex.vim", "help.vim", "hercules.vim", "hgcommit.vim", "hitest.vim", "hlsplaylist.vim", "hog.vim", "hostsaccess.vim", "hostconf.vim", "htmlcheetah.vim", "htmlangular.vim", "html.vim", "htmlm4.vim", "htmlos.vim", "htmldjango.vim", "i3config.vim", "ia64.vim", "ibasic.vim", "icemenu.vim", "idlang.vim", "idl.vim", "icon.vim", "initex.vim", "initng.vim", "ipfilter.vim", "inittab.vim", "inform.vim", "j.vim", "iss.vim", "ishd.vim", "jal.vim", "ist.vim", "jam.vim", "jargon.vim", "javascript.vim", "javascriptreact.vim", "java.vim", "jinja.vim", "jess.vim", "jgraph.vim", "javacc.vim", "jq.vim", "jsp.vim", "json.vim", "jsonc.vim", "json5.vim", "kconfig.vim", "julia.vim", "kdl.vim", "kotlin.vim", "kix.vim", "kwt.vim", "krl.vim", "kscript.vim", "kivy.vim", "lace.vim", "latte.vim", "lc.vim", "ld.vim", "ldapconf.vim", "iso.vim", "pim.vim", "r10.vim", "ldif.vim", "less.vim", "lftp.vim", "lhaskell.vim", "libao.vim", "lex.vim", "lifelines.vim", "liquid.vim", "limits.vim", "lilo.vim", "lite.vim", "livebook.vim", "lisp.vim", "litestep.vim", "lotos.vim", "loginaccess.vim", "logtalk.vim", "logindefs.vim", "lout.vim", "lprolog.vim", "lpc.vim", "lsl.vim", "lscript.vim", "lss.vim", "luau.vim", "lua.vim", "lynx.vim", "lyrics.vim", "m3quake.vim", "m3build.vim", "m4.vim", "mailaliases.vim", "mail.vim", "mailcap.vim", "mallard.vim", "make.vim", "manual.vim", "manconf.vim", "mason.vim", "masm.vim", "maple.vim", "master.vim", "matlab.vim", "maxima.vim", "mermaid.vim", "meson.vim", "mediawiki.vim", "messages.vim", "mel.vim", "man.vim", "markdown.vim", "mf.vim", "mgp.vim", "mgl.vim", "mib.vim", "mix.vim", "mmix.vim", "mmp.vim", "modconf.vim", "model.vim", "mma.vim", "modula2.vim", "modula3.vim", "moo.vim", "mojo.vim", "monk.vim", "mp.vim", "mplayerconf.vim", "mrxvtrc.vim", "msmessages.vim", "msidl.vim", "msql.vim", "modsim3.vim", "murphi.vim", "mush.vim", "mupad.vim", "muttrc.vim", "mysql.vim", "named.vim", "nanorc.vim", "nastran.vim", "n1ql.vim", "natural.vim", "nasm.vim", "ncf.vim", "netrc.vim", "netrw.vim", "ninja.vim", "nix.vim", "nosyntax.vim", "nroff.vim", "neomuttrc.vim", "nsis.vim", "nqc.vim", "nginx.vim", "obj.vim", "objcpp.vim", "odin.vim", "occam.vim", "omnimark.vim", "ocaml.vim", "ondir.vim", "objc.vim", "openscad.vim", "openroad.vim", "opl.vim", "openvpn.vim", "obse.vim", "opam.vim", "pamenv.vim", "pacmanlog.vim", "ora.vim", "pamconf.vim", "pandoc.vim", "papp.vim", "pcap.vim", "pbtxt.vim", "pascal.vim", "passwd.vim", "pccts.vim", "pf.vim", "phtml.vim", "perl.vim", "pic.vim", "pdf.vim", "pilrc.vim", "pfmain.vim", "pike.vim", "pine.vim", "pinfo.vim", "plaintex.vim", "php.vim", "plm.vim", "plp.vim", "pli.vim", "pod.vim", "poefilter.vim", "po.vim", "ppd.vim", "pov.vim", "povini.vim", "ppwiz.vim", "plsql.vim", "prescribe.vim", "procmail.vim", "privoxy.vim", "prolog.vim", "promela.vim", "postscr.vim", "protocols.vim", "proto.vim", "psf.vim", "psl.vim", "ps1.vim", "purifylog.vim", "ptcap.vim", "pymanifest.vim", "pyrex.vim", "progress.vim", "python.vim", "python2.vim", "quarto.vim", "qf.vim", "quake.vim", "qb64.vim", "r.vim", "qml.vim", "radiance.vim", "racc.vim", "racket.vim", "raml.vim", "rasi.vim", "rc.vim", "ratpoison.vim", "rapid.vim", "raku.vim", "rcslog.vim", "rcs.vim", "rebol.vim", "readline.vim", "registry.vim", "rego.vim", "remind.vim", "requirements.vim", "reva.vim", "resolv.vim", "rhelp.vim", "rexx.vim", "rnc.vim", "rng.vim", "rnoweb.vim", "rib.vim", "redif.vim", "rrst.vim", "rpcgen.vim", "routeros.vim", "rpl.vim", "rmd.vim", "rtf.vim", "rst.vim", "salt.vim", "robots.vim", "samba.vim", "ruby.vim", "sas.vim", "sass.vim", "rust.vim", "sbt.vim", "scdoc.vim", "sather.vim", "scilab.vim", "scala.vim", "scheme.vim", "screen.vim", "scss.vim", "sd.vim", "sdc.vim", "sdl.vim", "sensors.vim", "sed.vim", "services.vim", "sendpr.vim", "setserial.vim", "sexplib.vim", "sgmldecl.vim", "sgmllnx.vim", "sh.vim", "sgml.vim", "context-data-metafun.vim", "context-data-tex.vim", "hgcommitDiff.vim", "context-data-context.vim", "context-data-interfaces.vim", "debversions.vim", "typescriptcommon.vim", "sicad.vim", "sil.vim", "simula.vim", "sinda.vim", "sindacmp.vim", "sindaout.vim", "sieve.vim", "skill.vim", "sl.vim", "sisu.vim", "slang.vim", "slpconf.vim", "slpreg.vim", "slpspi.vim", "slrnsc.vim", "sm.vim", "smarty.vim", "slice.vim", "smcl.vim", "smith.vim", "smil.vim", "sml.vim", "snnsnet.vim", "snnspat.vim", "slrnrc.vim", "snobol4.vim", "solidity.vim", "spice.vim", "splint.vim", "spec.vim", "specman.vim", "spyce.vim", "spup.vim", "snnsres.vim", "sql.vim", "sqlforms.vim", "sqlj.vim", "sqlhana.vim", "sqlinformix.vim", "sqlanywhere.vim", "sqloracle.vim", "srec.vim", "sqr.vim", "squirrel.vim", "squid.vim", "srt.vim", "ssa.vim", "st.vim", "sshconfig.vim", "sshdconfig.vim", "stp.vim", "stata.vim", "strace.vim", "structurizr.vim", "stylus.vim", "sudoers.vim", "swift.vim", "swig.vim", "swiftgyb.vim", "swayconfig.vim", "syncolor.vim", "svn.vim", "synload.vim", "sysctl.vim", "systemverilog.vim", "tads.vim", "tags.vim", "tak.vim", "takcmp.vim", "takout.vim", "tar.vim", "taskdata.vim", "taskedit.vim", "tap.vim", "tasm.vim", "svg.vim", "syntax.vim", "template.vim", "tcsh.vim", "teraterm.vim", "terminfo.vim", "terraform.vim", "systemd.vim", "tcl.vim", "tssgm.vim", "typescript.vim", "tsv.vim", "tt2js.vim", "tssop.vim", "typescriptreact.vim", "tt2.vim", "tt2html.vim", "uc.vim", "uci.vim", "typst.vim", "udevconf.vim", "udevperm.vim", "uil.vim", "unison.vim", "updatedb.vim", "upstart.vim", "upstreamdat.vim", "upstreaminstalllog.vim", "upstreamlog.vim", "upstreamrpt.vim", "usw2kagtlog.vim", "urlshortcut.vim", "udevrules.vim", "valgrind.vim", "vdf.vim", "vb.vim", "verilogams.vim", "vera.vim", "vhdl.vim", "viminfo.vim", "verilog.vim", "voscm.vim", "vmasm.vim", "virata.vim", "vim.vim", "vrml.vim", "vgrindefs.vim", "usserverlog.vim", "c.c", "html.html", "java_comments_markdown.java", "java_annotations_signature.java", "java_comments.java", "java_enfoldment.java", "java_escapes.java", "java_generics_signature.java", "java_generics.java", "java_contextual_keywords.java", "java_lambda_expressions_signature.java", "java_annotations.java", "java_lambda_expressions.java", "java_method_references_signature.java", "java_methods_indent4.java", "java_methods_indent2.java", "java_methods_indent4_signature.java", "java_methods_indent2_signature.java", "java_methods_indent8_signature.java", "java_methods_style.java", "java_module_info.java", "java_methods_style_signature.java", "java_numbers.java", "java_previews_430.java", "java_string.java", "java_previews_455.java", "java_switch.java", "java_methods_indent8.java", "java_unfoldment.java", "markdown_conceal.markdown", "modula2_pim.def", "modula2_iso.def", "modula2_r10.def", "progress_comments.p", "sh_02.sh", "sh_01.sh", "sh_04.sh", "sh_03.sh", "sh_05.sh", "sh_07.sh", "sh_09.sh", "sh_08.sh", "sh_10.sh", "sh_11.sh", "vim_ex_abbreviate.vim", "vim_ex_behave.vim", "vim_ex_call.vim", "vim_ex_catch.vim", "sh_06.sh", "vim_ex_command.vim", "vim_ex_comment_strings.vim", "vim_ex_comment-vim9.vim", "vim_ex_comment.vim", "vim_ex_augroup.vim", "vim_ex_commands.vim", "vim_ex_def_nested.vim", "vim_ex_def_nested_fold.vim", "vim_ex_def_fold.vim", "vim_ex_def.vim", "vim_ex_echo.vim", "vim_ex_execute.vim", "vim_ex_function_def_tail_comment_errors.vim", "vim_ex_function_def_tail_comments.vim", "vim_ex_function_nested_fold.vim", "vim_ex_function_nested.vim", "vim_ex_function_fold.vim", "vim_ex_highlight.vim", "vim_ex_let_heredoc.vim", "vim_ex_loadkeymap_after_bar.vim", "vim_ex_loadkeymap_after_colon.vim", "vim_ex_map.vim", "vim_ex_function.vim", "vim_ex_menu.vim", "vim_ex_menutranslate.vim", "vim_ex_no_comment_strings.vim", "vim_ex_match.vim", "vim_ex_range.vim", "vim_ex_set.vim", "vim_ex_sleep.vim", "vim_ex_substitute.vim", "vim_ex_throw.vim", "vim_keymap.vim", "vim_ex_syntax.vim", "vim_key_notation.vim", "vim_line_continuation.vim", "vim_expr.vim", "vim_new.vim", "vim_shebang.vim", "vim_object_methods.vim", "vim_variables.vim", "vim9_ex_comment_strings.vim", "vim9_ex_commands.vim", "vim9_ex_no_comment_strings.vim", "vim9_ex_function_def_tail_comments.vim", "vim9_expr.vim", "vim9_keymap.vim", "vim9_ex_function_def_tail_comment_errors.vim", "vim9_legacy_header_fold.vim", "vim9_legacy_header.vim", "vim9_shebang.vim", "yaml.yaml", "dots_03", "dots_05", "dots_02", "dots_04", "dots_01", "dots_06", "dots_08", "dots_09", "dots_10", "dots_07", "dots_11", "dots_12", "dots_14", "dots_13", "dots_15", "dots_16", "dots_17", "dots_18", "dots_19", "dots_20", "html_00.dump", "html_03.dump", "html_05.dump", "html_04.dump", "html_06.dump", "html_02.dump", "html_01.dump", "html_07.dump", "html_08.dump", "java_annotations_01.dump", "java_annotations_00.dump", "java_annotations_02.dump", "java_annotations_03.dump", "java_annotations_04.dump", "java_annotations_signature_00.dump", "java_annotations_signature_02.dump", "java_annotations_signature_01.dump", "java_annotations_signature_03.dump", "java_annotations_signature_04.dump", "java_comments_html_01.dump", "java_comments_html_02.dump", "java_comments_html_03.dump", "java_comments_html_00.dump", "java_comments_html_04.dump", "java_comments_html_05.dump", "java_comments_markdown_00.dump", "java_comments_html_07.dump", "java_comments_markdown_03.dump", "java_comments_markdown_01.dump", "java_comments_html_06.dump", "java_comments_markdown_04.dump", "java_comments_markdown_02.dump", "java_comments_markdown_05.dump", "java_comments_markdown_06.dump", "java_comments_markdown_07.dump", "java_contextual_keywords_00.dump", "java_comments_markdown_08.dump", "java_contextual_keywords_01.dump", "java_contextual_keywords_02.dump", "java_enfoldment_01.dump", "java_contextual_keywords_03.dump", "java_enfoldment_00.dump", "java_enfoldment_02.dump", "java_escapes_00.dump", "java_escapes_01.dump", "java_escapes_03.dump", "java_escapes_05.dump", "java_escapes_07.dump", "java_escapes_02.dump", "java_escapes_06.dump", "java_generics_01.dump", "java_generics_03.dump", "java_generics_02.dump", "java_generics_04.dump", "java_generics_05.dump", "java_generics_07.dump", "java_generics_00.dump", "java_generics_06.dump", "java_escapes_04.dump", "java_generics_signature_00.dump", "java_generics_signature_01.dump", "java_generics_signature_02.dump", "java_generics_signature_03.dump", "java_generics_signature_04.dump", "java_generics_signature_05.dump", "java_generics_signature_07.dump", "java_generics_signature_06.dump", "java_lambda_expressions_00.dump", "java_lambda_expressions_01.dump", "java_lambda_expressions_03.dump", "java_lambda_expressions_02.dump", "java_lambda_expressions_04.dump", "java_lambda_expressions_05.dump", "java_lambda_expressions_06.dump", "java_lambda_expressions_07.dump", "java_lambda_expressions_08.dump", "java_lambda_expressions_signature_00.dump", "java_lambda_expressions_signature_01.dump", "java_lambda_expressions_signature_02.dump", "java_lambda_expressions_signature_03.dump", "java_lambda_expressions_signature_04.dump", "java_lambda_expressions_signature_05.dump", "java_lambda_expressions_signature_06.dump", "java_lambda_expressions_signature_07.dump", "java_lambda_expressions_signature_08.dump", "java_method_references_00.dump", "java_method_references_01.dump", "java_method_references_03.dump", "java_method_references_04.dump", "java_method_references_06.dump", "java_method_references_05.dump", "java_method_references_07.dump", "java_method_references_08.dump", "java_method_references_09.dump", "java_method_references_10.dump", "java_method_references_signature_00.dump", "java_method_references_signature_01.dump", "java_method_references_02.dump", "java_method_references_signature_02.dump", "java_method_references_signature_03.dump", "java_method_references_signature_04.dump", "java_method_references_signature_05.dump", "java_method_references_signature_07.dump", "java_method_references_signature_08.dump", "java_method_references_signature_09.dump", "java_methods_indent2_00.dump", "java_methods_indent2_00.vim", "java_methods_indent2_01.dump", "java_methods_indent2_01.vim", "java_methods_indent2_02.dump", "java_methods_indent2_02.vim", "java_method_references_signature_10.dump", "java_methods_indent2_03.vim", "java_methods_indent2_03.dump", "java_methods_indent2_04.dump", "java_methods_indent2_04.vim", "java_methods_indent2_05.dump", "java_methods_indent2_05.vim", "java_method_references_signature_06.dump", "java_methods_indent2_signature_00.vim", "java_methods_indent2_signature_01.dump", "java_methods_indent2_signature_01.vim", "java_methods_indent2_signature_02.dump", "java_methods_indent2_signature_02.vim", "java_methods_indent2_signature_03.dump", "java_methods_indent2_signature_03.vim", "java_methods_indent2_signature_04.dump", "java_methods_indent2_signature_04.vim", "java_methods_indent2_signature_05.dump", "java_methods_indent2_signature_05.vim", "java_methods_indent4_00.vim", "java_methods_indent4_01.vim", "java_methods_indent4_01.dump", "java_methods_indent4_02.dump", "java_methods_indent2_signature_00.dump", "java_methods_indent4_02.vim", "java_methods_indent4_03.vim", "java_methods_indent4_03.dump", "java_methods_indent4_04.dump", "java_methods_indent4_04.vim", "java_methods_indent4_05.dump", "java_methods_indent4_06.dump", "java_methods_indent4_05.vim", "java_methods_indent4_signature_00.dump", "java_methods_indent4_signature_01.dump", "java_methods_indent4_signature_01.vim", "java_methods_indent4_signature_02.dump", "java_methods_indent4_signature_02.vim", "java_methods_indent4_signature_03.dump", "java_methods_indent4_signature_03.vim", "java_methods_indent4_signature_04.dump", "java_methods_indent4_signature_04.vim", "java_methods_indent4_signature_05.dump", "java_methods_indent4_signature_05.vim", "java_methods_indent8_00.dump", "java_methods_indent4_signature_06.dump", "java_methods_indent8_00.vim", "java_methods_indent8_01.dump", "java_methods_indent8_01.vim", "java_methods_indent4_signature_00.vim", "java_methods_indent8_02.dump", "java_methods_indent8_02.vim", "java_methods_indent8_03.dump", "java_methods_indent8_03.vim", "java_methods_indent8_04.dump", "java_methods_indent8_05.dump", "java_methods_indent8_06.dump", "java_methods_indent8_05.vim", "java_methods_indent8_signature_00.dump", "java_methods_indent8_signature_01.dump", "java_methods_indent8_signature_01.vim", "java_methods_indent8_signature_02.dump", "java_methods_indent8_signature_02.vim", "java_methods_indent8_signature_00.vim", "java_methods_indent8_signature_03.dump", "java_methods_indent8_signature_03.vim", "java_methods_indent8_signature_04.dump", "java_methods_indent8_signature_04.vim", "java_methods_indent8_signature_05.vim", "java_methods_indent8_signature_05.dump", "java_methods_indent8_signature_06.dump", "java_methods_indent8_signature_06.vim", "java_methods_style_00.dump", "java_methods_style_00.vim", "java_methods_style_01.vim", "java_methods_style_02.vim", "java_methods_indent8_04.vim", "java_methods_style_03.dump", "java_methods_style_04.dump", "java_methods_style_02.dump", "java_methods_style_signature_00.dump", "java_methods_style_signature_00.vim", "java_methods_style_signature_01.vim", "java_methods_style_03.vim", "java_methods_style_signature_02.vim", "java_methods_style_01.dump", "java_methods_style_signature_03.dump", "java_methods_style_signature_03.vim", "java_methods_style_signature_04.dump", "java_methods_style_signature_01.dump", "java_module_info_00.dump", "java_methods_style_04.vim", "java_module_info_01.dump", "java_module_info_02.dump", "java_numbers_01.dump", "java_numbers_02.dump", "java_methods_style_signature_04.vim", "java_numbers_00.dump", "java_numbers_03.dump", "java_numbers_04.dump", "java_numbers_05.dump", "java_previews_430_00.dump", "java_previews_455_00.dump", "java_previews_455_01.dump", "java_previews_455_02.dump", "java_previews_455_03.dump", "java_methods_style_signature_02.dump", "java_methods_indent4_00.dump", "java_string_00.dump", "java_string_01.dump", "java_string_02.dump", "java_string_04.dump", "java_string_03.dump", "java_string_05.dump", "java_switch_00.dump", "java_switch_02.dump", "java_switch_01.dump", "java_switch_04.dump", "java_switch_03.dump", "java_switch_05.dump", "java_switch_07.dump", "java_unfoldment_00.dump", "java_switch_06.dump", "java_unfoldment_01.dump", "java_unfoldment_05.dump", "java_unfoldment_02.dump", "markdown_conceal_00.dump", "java_unfoldment_03.dump", "modula2_iso_00.dump", "modula2_iso_01.dump", "modula2_iso_03.dump", "modula2_iso_02.dump", "modula2_iso_04.dump", "modula2_iso_05.dump", "modula2_pim_00.dump", "modula2_iso_06.dump", "modula2_pim_01.dump", "modula2_pim_02.dump", "modula2_pim_03.dump", "modula2_pim_04.dump", "modula2_pim_06.dump", "modula2_pim_05.dump", "modula2_r10_00.dump", "modula2_r10_03.dump", "sh_07_01.dump", "sh_08_02.dump", "sh_11_00.dump", "vim_ex_abbreviate_01.dump", "vim_ex_command_00.dump", "java_module_info.vim", "markdown_conceal.vim", "cleanadd.vim", "yi.vim", "he.vim" ], "public": 1, "adversary": "", "targeted_countries": [], "malware_families": [ { "id": "Esc", "display_name": "Esc", "target": null }, { "id": "SelectAll", "display_name": "SelectAll", "target": null }, { "id": "Vim Tutor", "display_name": "Vim Tutor", "target": null }, { "id": "Todo", "display_name": "Todo", "target": null } ], "attack_ids": [ { "id": "T1547", "name": "Boot or Logon Autostart Execution", "display_name": "T1547 - Boot or Logon Autostart Execution" }, { "id": "T1070", "name": "Indicator Removal on Host", "display_name": "T1070 - Indicator Removal on Host" }, { "id": "T1059", "name": "Command and Scripting Interpreter", "display_name": "T1059 - Command and Scripting Interpreter" }, { "id": "T1134", "name": "Access Token Manipulation", "display_name": "T1134 - Access Token Manipulation" }, { "id": "T1106", "name": "Native API", "display_name": "T1106 - Native API" }, { "id": "T1036", "name": "Masquerading", "display_name": "T1036 - Masquerading" }, { "id": "T1176", "name": "Browser Extensions", "display_name": "T1176 - Browser Extensions" }, { "id": "T1105", "name": "Ingress Tool Transfer", "display_name": "T1105 - Ingress Tool Transfer" }, { "id": "T1119", "name": "Automated Collection", "display_name": "T1119 - Automated Collection" }, { "id": "T1027", "name": "Obfuscated Files or Information", "display_name": "T1027 - Obfuscated Files or Information" }, { "id": "T1056", "name": "Input Capture", "display_name": "T1056 - Input Capture" }, { "id": "T1140", "name": "Deobfuscate/Decode Files or Information", "display_name": "T1140 - Deobfuscate/Decode Files or Information" }, { "id": "T1030", "name": "Data Transfer Size Limits", "display_name": "T1030 - Data Transfer Size Limits" } ], "industries": [], "TLP": "white", "cloned_from": null, "export_count": 55, "upvotes_count": 0, "downvotes_count": 0, "votes_count": 0, "locked": false, "pulse_source": "web", "validator_count": 0, "comment_count": 0, "follower_count": 0, "vote": 0, "author": { "username": "ilyailya", "id": "298851", "avatar_url": "https://otx.alienvault.com/assets/images/default-avatar.png", "is_subscribed": false, "is_following": false }, "indicator_type_counts": { "CVE": 1, "email": 520, "hostname": 407, "URL": 1044, "FileHash-SHA1": 4, "domain": 244, "FileHash-SHA256": 291 }, "indicator_count": 2511, "is_author": false, "is_subscribing": null, "subscriber_count": 33, "modified_text": "406 days ago ", "is_modified": true, "groups": [], "in_group": false, "threat_hunter_scannable": true, "threat_hunter_has_agents": 1, "related_indicator_type": "domain", "related_indicator_is_active": 1 }, { "id": "66d95bd10bfcc8c3dd66a44d", "name": "Qbot ", "description": "", "modified": "2024-09-05T09:51:10.113000", "created": "2024-09-05T07:20:49.138000", "tags": [ "whois record", "ssl certificate", "historical ssl", "resolutions", "referrer", "communicating", "subdomains", "domains", "problems", "urls http", "ransomware", "malware", "contacted", "dropped", "execution", "tsara brashears", "apple ios", "whois whois", "unlocker", "njrat", "core", "hacktool", "metro", "download", "critical", "copy", "relic", "monitoring", "installer", "awful", "open", "banker", "keylogger", "malicious", "tofsee", "mitre attack", "et", "cisco umbrella", "internet storm", "site", "covid19", "cyber threat", "safe site", "cobalt strike", "malicious url", "alexa", "script urls", "united", "a domains", "as396982 google", "as15169 google", "search", "cname", "accept encoding", "showing", "unknown", "date", "body", "meta", "encrypt", "domain related", "as396982", "creation date", "expiration date", "scan endpoints", "all octoseek", "hostname", "pulse submit", "url analysis", "passive dns", "urls", "next", "all search", "otx octoseek", "as7922 comcast", "as16276", "as54113", "aaaa", "france unknown", "as14061", "status", "as40509", "ip address", "for privacy", "as44273 host", "record value", "certificate", "gmt content", "x sucuri", "as8075", "nxdomain", "as30148 sucuri", "as20940", "as31898 oracle", "hong kong", "as139021", "msie", "chrome", "ipv4", "blacklist http", "detection list", "blacklist", "files", "location hong", "kong asn", "tags none", "indicator facts", "name verdict", "falcon sandbox", "mail spammer", "tor known", "tor relayrouter", "exit", "node tcp", "traffic", "heur", "malicious site", "alexa top", "million", "alexa proxy", "outbreak", "installcore", "acint", "conduit", "installpack", "iobit", "artemis", "dropper", "mediaget", "crack", "spammer", "france mail", "summary", "url summary", "phishing", "union", "team", "bank", "unsafe", "threat report", "ip summary", "pattern match", "script", "et tor", "known tor", "relayrouter", "node traffic", "misc attack", "beginstring", "null", "error", "span", "class", "generator", "refresh", "tools", "hybrid", "general", "click", "strings", "servers", "ps ord", "name servers", "poetry", "moved", "content length", "content type", "x powered", "poems", "poem", "topic", "topics", "poem topics", "free poems", "love poems", "romantic poems", "classic poems", "friendship poems", "shone pale", "herself", "heavens", "her beam", "a fleecy", "proud evening", "star", "thou bearest", "heaven", "than", "google", "http", "leasewebuklon11", "search live", "api blog", "docs pricing", "login", "february", "gb summary", "london", "april", "screenshot", "url https", "reverse dns", "general full", "name value", "frankfurt", "main", "germany", "asn15169", "resource", "hashes", "copyright", "gmbh version", "follow", "blacklist https", "phishing site", "malware site", "riskware", "opencandy", "cleaner", "iframe", "xtrat", "agent", "softcnapp", "generic", "patcher", "driverpack", "exploit", "mimikatz", "downldr", "presenoker", "fusioncore", "wacatac", "beach research", "trojanspy", "maltiverse", "firehol", "proxy", "anonymizer", "adware", "kuaizip", "downer", "tag count", "tue apr", "sample", "samples", "fakealert", "genkryptik", "icedid", "coinminer", "nircmd", "swrort", "systweak", "behav", "tiggre", "filetour", "quasar rat", "fuery", "bazaloader", "media", "facebook", "service", "runescape", "webtoolbar", "a9dia", "a1ginaprincipal", "emails", "registrar", "http header", "tcp traffic", "et useragents", "unknown traffic", "antivirus", "server", "gmt united", "accept", "local", "path", "falcon", "file", "ascii text", "windows nt", "png image", "appdata", "jpeg image", "indicator", "twitter", "westlaw njrat", "zuorat", "skynet bot", "glupteba", "asn4583", "thomsonreuters", "asn209242", "june", "back", "united kingdom", "cisco", "umbrella rank", "rank", "page url", "as autonomous", "system", "yndx", "ipasns ip", "november", "de summary", "comodo rsa", "security tls", "software", "resource hash", "security", "ecdhersa", "de indicators", "de page", "url history", "javascript", "gts ca", "secure server", "markmonitor", "ip information", "detail domains", "domain tree", "links certs", "frames domain", "requested", "threat roundup", "march", "threat round", "parent parent", "roundup", "january", "threats", "qbot", "cyberwar", "skynet", "radar ineractive", "control server", "engineering", "host", "services", "pony", "nanocore rat", "meterpreter", "zeus", "zbot", "suppobox", "stealer", "redline stealer", "dnspionage", "mirai", "nanocore", "bradesco", "emotet", "laplasclipper", "asn16276", "get h2", "kb image", "august", "kali", "localappdata", "network traffic", "binary file", "svg scalable", "vector graphics", "mwin", "domain", "url http", "pulse pulses", "related nids", "files location", "customer", "address", "as29789", "hosting", "location united", "status hostname", "query type", "address first", "seen last", "seen asn", "country unknown", "urls date", "checked url", "hostname server", "response ip", "address google", "safe browsing", "present mar", "pulse indicator", "protocol h2", "value", "variables", "waypoint object", "gsqueue", "isotope", "hostnames", "ice fog", "maltiverse top", "financial", "as62597 nsone", "sec ch", "domains show", "entries", "as14720 gamma", "canada unknown", "as397241", "as13335", "applicunwnt", "xrat", "maltiverse safe", "aig", "soc", "hallrender", "brian sabey", "mark brian sabey", "sabey", "mark", "sabey", "data center", "malvertizing", "malware host", "scanning host", "botnetwork", "colorado", "edsaid", "geotracking", "satellite tracking", "radar tracking", "pornhub", "child teen content illegal", "social engineering", "cyber stalking", "CVE-2023-4966", "device control", "camera usage", "hidden users", "message interception", "text archiver", "mail collection", "remote attacks", "js", "python", "inject", "sql", "extraction", "AIG Claims", "hallrender.com", "soc", "milemighmedia", "westlaw", "revengeporn", "bot", "regex", "ai", "yandex" ], "references": [ "web2.westlaw.com (redirects to thbrzzrstr.me)", "http://web2.westlaw.com/ (redirect) https://signon.thomsonreuters.com/?productid=CBT&lr=0&culture=en-US&returnto=https%3a%2f%2f1.next.westlaw.com%...", "https://hybrid-analysis.com/sample/8bf763ce9396c4569afbae58392097fd57408339c0ac59ec256468c9fd8ac4c5/6548ebfe56b25bab28017757", "https://urlscan.io/result/2285cee3-1e08-4e63-b48f-ee685e008480/#summary", "https://hybrid-analysis.com/sample/86479bf7c9a675913b93a0d399f5cbe0c0e8003239e93ae5e00f97cdbc5ec5ba/5c5c13577ca3e12626364777", "https://urlscan.io/result/4f0cabbf-9716-47dd-bd5c-038a953e6672/", "Malware Host: HallRender.com", "riverside.rocks (safebae.com remote uTorrent) https://hybrid-analysis.com/sample/11108ef17bd75f36e0d22d95b1f3bde3e9fa968a78a24c2d2508f4238e22651d/6326a50be4a8a71b885f5bf3", "safebae.org", "http://auditrage.top/Rossmaansywh/tb.php?wmtvjltu (phishing | cybercrime)", "Hallrender.com and Westlaw.com.= http://auditrage.top/Rossmaansywh/tb.php?wmtvjltu", "Poemhunter.com + rally point.com = pornhub.dev", "Pornhub dev VT community: https://www.virustotal.com/gui/domain/pornhub.dev/community", "Poemhunter.com: https://hybrid-analysis.com/sample/86479bf7c9a675913b93a0d399f5cbe0c0e8003239e93ae5e00f97cdbc5ec5ba", "https://www.poemhunter.com/tsara-brashears/poems/: https://urlscan.io/result/4f0cabbf-9716-47dd-bd5c-038a953e6672/", "Rallypoint.com https://hybrid-analysis.com/sample/66287c2c36699037cb504201693e26b5f3282cebde1d1c78aecd6f97f04fb694", "Malicious revenge malvertizing: https://www.milehighmedia.com/legal/2257", "https://www.anyxxxtube.net/search-porn/tsara-brashears/", "https://matrix.pornhub.dev", "nr-data.net", "https://www.hallrender.com/wp-content/themes/Hall-Render/assets/icons/apple-touch-icon-76x76.png", "https://www.hallrender.com/wp-content/themes/Hall-Render/assets/icons/apple-touch-icon.png", "https://apple.pantion.top/", "newrelic.se", "user-apple.info", "appleid-comloginaccount.info", "init-p01st.push.apple.com", "boostmobile.com", "www.metrobyt-mobile.com", "http://bpdb.portal.gov.bd:3128/sites/default/files/files/bpdb.portal.gov.bd/npfblock/2021-34bc869d2906198362a4346373ce5b94.jpg", "https://b.link/infringement", "my.mintmobile.com", "CVE-2023-4966", "http://watchhers.net/index.php", "https://rr2---sn-4g5ednsz.googlevideo.com/videoplayback?expire=1699319292&ei=nDlJZfb4G43E-gaYt5XoDg&ip=2001%3A1b60%3A2%3A240%3A3247%3A%3A" ], "public": 1, "adversary": "", "targeted_countries": [ "Spain", "Netherlands", "Canada", "United States of America" ], "malware_families": [ { "id": "Tsara Brashears", "display_name": "Tsara Brashears", "target": null }, { "id": "Mitre Attack", "display_name": "Mitre Attack", "target": null }, { "id": "ET", "display_name": "ET", "target": null }, { "id": "Beach Research", "display_name": "Beach Research", "target": null }, { "id": "TrojanSpy", "display_name": "TrojanSpy", "target": null }, { "id": "Maltiverse", "display_name": "Maltiverse", "target": null }, { "id": "WebToolbar", "display_name": "WebToolbar", "target": null }, { "id": "Radar Ineractive", "display_name": "Radar Ineractive", "target": null } ], "attack_ids": [ { "id": "T1056", "name": "Input Capture", "display_name": "T1056 - Input Capture" }, { "id": "T1027", "name": "Obfuscated Files or Information", "display_name": "T1027 - Obfuscated Files or Information" }, { "id": "T1090", "name": "Proxy", "display_name": "T1090 - Proxy" }, { "id": "T1059", "name": "Command and Scripting Interpreter", "display_name": "T1059 - Command and Scripting Interpreter" }, { "id": "T1071", "name": "Application Layer Protocol", "display_name": "T1071 - Application Layer Protocol" }, { "id": "T1105", "name": "Ingress Tool Transfer", "display_name": "T1105 - Ingress Tool Transfer" }, { "id": "T1497", "name": "Virtualization/Sandbox Evasion", "display_name": "T1497 - Virtualization/Sandbox Evasion" }, { "id": "T1140", "name": "Deobfuscate/Decode Files or Information", "display_name": "T1140 - Deobfuscate/Decode Files or Information" }, { "id": "T1566", "name": "Phishing", "display_name": "T1566 - Phishing" }, { "id": "T1043", "name": "Commonly Used Port", "display_name": "T1043 - Commonly Used Port" }, { "id": "T1179", "name": "Hooking", "display_name": "T1179 - Hooking" }, { "id": "T1071.004", "name": "DNS", "display_name": "T1071.004 - DNS" }, { "id": "T1071.001", "name": "Web Protocols", "display_name": "T1071.001 - Web Protocols" }, { "id": "TA0004", "name": "Privilege Escalation", "display_name": "TA0004 - Privilege Escalation" }, { "id": "T1210", "name": "Exploitation of Remote Services", "display_name": "T1210 - Exploitation of Remote Services" }, { "id": "T1068", "name": "Exploitation for Privilege Escalation", "display_name": "T1068 - Exploitation for Privilege Escalation" }, { "id": "T1450", "name": "Exploit SS7 to Track Device Location", "display_name": "T1450 - Exploit SS7 to Track Device Location" }, { "id": "T1114", "name": "Email Collection", "display_name": "T1114 - Email Collection" }, { "id": "T1176", "name": "Browser Extensions", "display_name": "T1176 - Browser Extensions" }, { "id": "T1573", "name": "Encrypted Channel", "display_name": "T1573 - Encrypted Channel" }, { "id": "T1003", "name": "OS Credential Dumping", "display_name": "T1003 - OS Credential Dumping" }, { "id": "T1423", "name": "Network Service Scanning", "display_name": "T1423 - Network Service Scanning" }, { "id": "T1035", "name": "Service Execution", "display_name": "T1035 - Service Execution" }, { "id": "T1563", "name": "Remote Service Session Hijacking", "display_name": "T1563 - Remote Service Session Hijacking" }, { "id": "T1056.001", "name": "Keylogging", "display_name": "T1056.001 - Keylogging" }, { "id": "T1110.002", "name": "Password Cracking", "display_name": "T1110.002 - Password Cracking" }, { "id": "T1427", "name": "Attack PC via USB Connection", "display_name": "T1427 - Attack PC via USB Connection" }, { "id": "T1445", "name": "Abuse of iOS Enterprise App Signing Key", "display_name": "T1445 - Abuse of iOS Enterprise App Signing Key" }, { "id": "T1453", "name": "Abuse Accessibility Features", "display_name": "T1453 - Abuse Accessibility Features" }, { "id": "T1472", "name": "Generate Fraudulent Advertising Revenue", "display_name": "T1472 - Generate Fraudulent Advertising Revenue" }, { "id": "T1173", "name": "Dynamic Data Exchange", "display_name": "T1173 - Dynamic Data Exchange" }, { "id": "T1410", "name": "Network Traffic Capture or Redirection", "display_name": "T1410 - Network Traffic Capture or Redirection" } ], "industries": [], "TLP": "green", "cloned_from": "654971c396ca4306a6534b12", "export_count": 22, "upvotes_count": 0, "downvotes_count": 0, "votes_count": 0, "locked": false, "pulse_source": "web", "validator_count": 0, "comment_count": 0, "follower_count": 0, "vote": 0, "author": { "username": "scoreblue", "id": "254100", "avatar_url": "/otxapi/users/avatar_image/media/avatars/user_254100/resized/80/avatar_3b9c358f36.png", "is_subscribed": false, "is_following": false }, "indicator_type_counts": { "domain": 4091, "hostname": 2422, "URL": 3167, "FileHash-MD5": 1424, "FileHash-SHA1": 983, "FileHash-SHA256": 3174, "CVE": 10, "email": 25 }, "indicator_count": 15296, "is_author": false, "is_subscribing": null, "subscriber_count": 234, "modified_text": "592 days ago ", "is_modified": true, "groups": [], "in_group": false, "threat_hunter_scannable": true, "threat_hunter_has_agents": 1, "related_indicator_type": "domain", "related_indicator_is_active": 1 }, { "id": "659d6ae800440c0befb47e22", "name": "BazaLoader affiliates use elaborate infection chains via notable victim interaction", "description": "", "modified": "2024-01-13T06:01:05.467000", "created": "2024-01-09T15:48:56.676000", "tags": [ "ssl certificate", "whois record", "contacted", "historical ssl", "communicating", "referrer", "execution", "tsara brashears", "highly targeted", "njrat", "ransomware", "heodo", "tag count", "thu aug", "threat report", "ip summary", "url summary", "summary", "sample", "samples", "detection list", "malicious url", "blacklist https", "united", "firehol", "maltiverse", "cyber threat", "control server", "host", "phishing", "engineering", "paypal", "download", "malware", "nanocore rat", "meterpreter", "pony", "facebook", "stealer", "redline stealer", "dnspionage", "mirai", "nanocore", "bradesco", "emotet", "cobalt strike", "bank", "zeus", "zbot", "suppobox", "generic", "site", "cisco umbrella", "alexa top", "million", "reverse dns", "general full", "url https", "resource", "protocol h2", "security tls", "software", "get h2", "hash", "main", "search live", "api blog", "docs pricing", "december", "hall render", "advisory", "brochure url", "link url", "linkedin link", "facebook link", "value", "login", "variables", "modernizr", "lsmeta function", "lsoldgsqueue", "de indicators", "domains", "hashes", "copyright", "gmbh version", "no data", "tld count", "urls", "count blacklist", "heur", "html", "site top", "malicious site", "malware site", "riskware", "exploit", "win64", "unsafe", "genkryptik", "artemis", "opencandy", "agent", "dropper", "fakealert", "acint", "nircmd", "swrort", "downldr", "systweak", "behav", "crack", "tiggre", "presenoker", "filetour", "cleaner", "conduit", "wacatac", "mimikatz", "redirector", "deepscan", "iframe", "memscan", "suspicious", "magazine", "applicunwnt", "alexa", "phish", "win32.pdf.alien", "freemake", "webtoolbar", "trojanspy", "label", "input", "form", "button", "render", "articles", "column", "brian", "search", "contact", "span", "accept", "this", "close", "district", "ultimate", "ip address", "blacklist", "covid19", "phishing chase", "windows nt", "khtml", "gecko", "veryhigh", "aes256gcm", "digicert global", "g2 tls", "rsa sha256", "bypass", "formbook", "generic malware", "cutwail", "safe site", "phishing site", "team", "tofsee", "azorult", "service", "runescape", "remcos", "malicious", "miner", "hacktool", "agenttesla", "unknown", "downloader", "trojan", "detplock", "networm", "cryptinject", "beach research", "rms", "redline", "brian sabey", "hallrender.com", "hallrender.com/attorney/brian-sabey", "tulach", "tulach.cc", "mo.gov", "safebae.org", "civicalg.com", "civicalg", "passive dns", "domain", "registrar", "scan endpoints", "all octoseek", "hostname", "pulse pulses", "date", "next", "computer", "company limited", "first", "utc submissions", "submitters", "gti9158", "gti9080l", "gti9128v", "summary iocs", "graph community", "namecheap inc", "cloudflare", "com laude", "ltd dba", "porkbun llc", "ii llc", "csc corporate", "amazon02", "google", "cloudflarenet", "akamaias", "innova co", "indonesia", "level3", "china telecom", "mb setup", "mb opera", "mb qimage", "mb iesettings", "mb super", "optimizer", "premium", "pattern match", "file", "ascii text", "indicator", "jpeg image", "et tor", "known tor", "misc attack", "relayrouter", "general", "hybrid", "local", "click", "strings", "class", "generator", "critical", "error", "traffic", "tor known", "exit", "node tcp", "tor relayrouter", "spammer", "tor exit", "threats et", "node udp", "adware", "quasar rat", "installpack", "xrat", "fusioncore", "union", "raccoon", "metastealer", "xtrat", "blacklist http", "url http", "hijacking", "information", "report spam", "attorney", "trojanx", "zpevdo", "vidar", "agent tesla", "nymaim", "virut", "occamy", "iobit", "sality", "all search", "otx octoseek", "author avatar", "role title", "added active", "related pulses", "entries", "indicator role", "title added", "active related", "pulses url", "pulses", "ipv4", "expiration", "no expiration", "iocs", "create new", "site safe", "lovgate", "unruy", "patcher", "nsis", "installcore", "adload", "cve201711882", "sonbokli", "ubot", "hsbc", "uztuby", "malicious host", "microsoft", "psexec", "brontok", "startpage", "keygen", "fareit", "secrisk", "floxif", "threat roundup", "c2 raccoon", "march", "critical risk", "apple phone", "unlocker", "installer", "laplasclipper", "blister", "june", "name verdict", "falcon sandbox", "malware generic", "tue dec", "temp", "mitre att", "ck id", "show technique", "ck matrix", "twitter", "seraph", "bazaloader", "media", "security", "technology", "dns replication", "virustotal", "win32 exe", "files", "detections type", "name", "notepad", "java", "update checker", "verisign", "server", "asia pacific", "data", "whois database", "registrar abuse", "apnic whois", "apnic", "icann whois", "nanjing", "cnnic", "hackers", "virus network", "relacionada", "cyberstalking", "excel", "macros sneaky", "unauthorized", "wannacry kill", "attack", "core", "qakbot", "lumma stealer", "ransomexx", "quasar", "metro", "copy", "project", "cnc server", "proxy", "ramnit", "cl0p", "inmortal", "noname057", "jul jan", "fri jun", "tag tag", "failed_code_integrity_checks", "python_initiated-connection", "powershell_create_scheduled", "creation_of_an_executable_by_an_executable", "botnetwork", "c2", "apple hacking", "government relations", "abuse", "download csv", "json ip", "linkid252669", "adwaresig", "suspected", "filerepmalware", "dapato", "predator", "fakeinstaller", "spyrixkeylogger", "bitminer", "loadmoney", "mediaget", "softonic", "encpk", "qbot", "kraddare", "dllinject", "driverpack", "genpack", "offercore", "vitzo", "babar", "http response", "final url", "serving ip", "address", "status code", "body length", "b body", "sha256", "headers", "connection", "pragma", "team malware", "binder", "pykspa", "feodo", "mark", "bomb", "whois whois", "whois parent", "glupteba", "setup stub", "c2ae" ], "references": [ "https://hallrender.com/attorney/brian-sabey", "https://hybrid-analysis.com/sample/66a840a853476a7b66a1202d7f21b28e71b94912341dee123345e620f41fda9d/6571d012385f14f31d0191ad", "https://tracking.crazyegg.com/clock?t=1701949195114&tk=09a1de462eccb2ebc17a566aec5ed8b4&s=331938&p=%2Fattorney%2Fbrian-sabey%2F&u=502212&v=618f8e048086160d46ee09468f987c3211863abb&f=hallrender.com%2Fattorney%2Fbrian-sabey&ul=https%3A%2F%2Fwww.hallrender.com%2Fattorney%2Fbrian-sabey%2F ( tracking tsra Brashears,tracking, clock app)", "https://www.hallrender.com/attorney/brian-sabey/#breadcrumb", "192.124.249.53:80", "hallrender.com (Malware hosting DGA domain, malware hosting, social engineering , fraud services, threat hounds, cyber criminals, dangerous group)", "https://www.hallrender.com/service/antitrust/ ('t' process - targetsTsara Brashears)", "https://www.hallrender.com/professional/kathy-l-thurston/ (phishing)", "https://www.hallrender.com/wp-content/themes/Hall-Render/assets/js/minified/lazy_load-1.9.7-min.js?ver=3.0.1 (malware hosting)", "https://www.hallrender.com/wp-content/themes/Hall-Render/assets/js/minified/lazy_load-1.9.7-min.js?ver=3.0.1%27 (malware hosting)", "Other malicious Hall Render assets and attacks. This doesn't include evidence of physical, documented crimes against targets who may not know source)", "http://auditrage.top/Rossmaansywh/tb.php?wmtvjltu phishing and other cybercrime, serious cyber attacks)", "114.114.114.114. (auto populated IP descriptions: tulach, brian sabey, apple, law)", "rp.dudaran2.com [routerlogin.net to safebae.org]", "vortex-nlb-http2-fed-us-taut-purple.nr-data.net [Apple data, ransomed]", "https://1.1.1.1/login.html [login access to Brashears' Warp if applicable]", "https://www.assurant.com/?utm_source=email&utm_medium=email&utm_campaign=Mobile_Transactional_withad&utm_content=Deductible+Charge+Acknowledgement+PD-MB&utm_term=", "http://xd.x9.client.api.vpngate2.jp/api/?session_id=1773986324675443378", "https://poemhunter.com/tsara-brashears/", "https://pin.it/ [Tsara Brashears Lesbian (libel) Botnetwork, libel]", "http://45.159.189.105/bot/regex ( Laplas clipper, Password stealer. Tracks Tsara Brashears, devices, location, , behavior. Obsessive targeting & social engineering)", "https://www.virustotal.com/graph/g682ab72ed7b14bc68948e2dbfc22be8f7b2a00a339eb490083e18dc764a618dd", "government.westlaw.com", "web2.westlaw.com (Malicious: Only targets Tsara Brashears & safebae.org/cyber stalking now deceased Daisy Coleman deceased, alleged suicide )", "safebae.org (Skynet) Was now deceased Daisy Coleman a real person or actress in Audrey & Daisy? Tragic", "west-sca.duckdns.org", "us-west-2.es.amazonaws.com (pslicorp)", "hero9780.duckdns.org ( government.westlaw.com/house of mo)", "https://www.hallrender.com/2018/12/13/nationwide-emailed-bomb-threats-are-new-ransom-technique (target emailed bomb \"t\" threat, reported, dismissed)", "http://www.hallrender.com/resources/blog (Malware hosting, malvertizing URL/ targets Tsara Brashears)", "www.hallrender.com (malware hosting)", "https://www.milehighmedia.com/en/Charlie-Dean/pornstar/49512 (Mile High Media malvertizing relationship = subsidiary)", "https://www.milehighmedia.com/en/pornstar/milehighmedia/Justin-Hunt/51017", "www.dead-speak.com", "www42.jhonisdead.com", "alohatube.xyz (http://benjamin.xww.de/ porn malvertizing blame shift. Formerly property of Hall Render Brian Sabey)", "https://alohatube.xyz/search/tsara-brashears (Formerly Botnetwork malvertizing campaign targeting Tsara Brashears crime victim. Now http. Benjamin. xww )", "https://www.anyxxxtube.net/search-porn/tsara-brashears/ (Heavy malvertizing. Phishing m formerly named a Bot Network. )", "https://www.pornhub.com/gifs/search?search=tsara+lynn+brashears+lesbian ( tagging, malware campaign, Apple iOS password cracker, libel, straight female)", "www.pornhub.com (Targets Tsara Brashears. Pornography malvertizing, tagging)", "poemhunter.com (Blacklisted.Target Tsara Brashears with relentless malvertizing attacks including, device hacking)", "fakecelebporno.com", "batchcourtexpressservicesqa.westlaw.com", "batchpublicrecords.westlaw.com", "apple-aqo.com (1 DNSPod.net)", "http://init.ess.apple.com/WebObjects/VCInit.woa/wa/getBag?ix=4 (Apple access hacktool \u2192init.ess.apple.com/Web0)", "c.oooooooooo.ga (c.apple.com cdn)", "https://www.anyxxxtube.net/media/favicon/apple", "init.ess.apple.com ( Code Script \u2022 MortalK)", "34bc869d2906198362a4346373ce5b94 (bpbd.portal.ov.bd/npfblock/2021-jpg.", "https://wallpapers-nature.com/tsara-brashears/tse1-mm-bing-net (BitCoin Aussie)", "000002f1558a89f29984934d511289491032f9e96a249c12f2f6d42678264114 (Notepad.exe - python initiated connection)", "https://www.sweetheartvideo.com/tsara-brashears/ [Pin.It BotNet a Malicious Pinterest fraud service]", "https://www.hallrender.com/attorney/brian-sabey" ], "public": 1, "adversary": "M. Brian Sabey Hall Render Malicious & Dangerous Threat Actor", "targeted_countries": [], "malware_families": [ { "id": "Maltiverse", "display_name": "Maltiverse", "target": null }, { "id": "WIN32.PDF.Alien", "display_name": "WIN32.PDF.Alien", "target": null }, { "id": "Freemake", "display_name": "Freemake", "target": null }, { "id": "Redirector", "display_name": "Redirector", "target": null }, { "id": "Zbot", "display_name": "Zbot", "target": null }, { "id": "WebToolbar", "display_name": "WebToolbar", "target": null }, { "id": "Behav", "display_name": "Behav", "target": null }, { "id": "TrojanSpy", "display_name": "TrojanSpy", "target": null }, { "id": "Beach Research", "display_name": "Beach Research", "target": null }, { "id": "RMS", "display_name": "RMS", "target": null }, { "id": "RedLine", "display_name": "RedLine", "target": null }, { "id": "Tulach", "display_name": "Tulach", "target": null }, { "id": "WIN32.PDF.ALIEN", "display_name": "WIN32.PDF.ALIEN", "target": null }, { "id": "ZeuS", "display_name": "ZeuS", "target": null }, { "id": "SuppoBox", "display_name": "SuppoBox", "target": null }, { "id": "Trojan:Win32/Wacatac", "display_name": "Trojan:Win32/Wacatac", "target": "/malware/Trojan:Win32/Wacatac" }, { "id": "ALF:Trojan:Win32/FormBook", "display_name": "ALF:Trojan:Win32/FormBook", "target": null }, { "id": "Emotet", "display_name": "Emotet", "target": null }, { "id": "njRAT", "display_name": "njRAT", "target": null }, { "id": "Trojan:Win32/Tiggre", "display_name": "Trojan:Win32/Tiggre", "target": "/malware/Trojan:Win32/Tiggre" }, { "id": "Invoke-Mimikatz", "display_name": "Invoke-Mimikatz", "target": null }, { "id": "China Telecom", "display_name": "China Telecom", "target": null }, { "id": "Mirai", "display_name": "Mirai", "target": null }, { "id": "Sonbokli", "display_name": "Sonbokli", "target": null }, { "id": "Ubot", "display_name": "Ubot", "target": null }, { "id": "HSBC", "display_name": "HSBC", "target": null }, { "id": "Uztuby", "display_name": "Uztuby", "target": null }, { "id": "APNIC", "display_name": "APNIC", "target": null }, { "id": "Cl0p", "display_name": "Cl0p", "target": null }, { "id": "Inmortal", "display_name": "Inmortal", "target": null }, { "id": "Domains", "display_name": "Domains", "target": null }, { "id": "Vitzo", "display_name": "Vitzo", "target": null }, { "id": "Babar", "display_name": "Babar", "target": null }, { "id": "Qbot", "display_name": "Qbot", "target": null }, { "id": "WannaCry Kill Switch", "display_name": "WannaCry Kill Switch", "target": null } ], "attack_ids": [ { "id": "T1027", "name": "Obfuscated Files or Information", "display_name": "T1027 - Obfuscated Files or Information" }, { "id": "T1140", "name": "Deobfuscate/Decode Files or Information", "display_name": "T1140 - Deobfuscate/Decode Files or Information" }, { "id": "T1041", "name": "Exfiltration Over C2 Channel", "display_name": "T1041 - Exfiltration Over C2 Channel" }, { "id": "T1059", "name": "Command and Scripting Interpreter", "display_name": "T1059 - Command and Scripting Interpreter" }, { "id": "T1071", "name": "Application Layer Protocol", "display_name": "T1071 - Application Layer Protocol" }, { "id": "T1105", "name": "Ingress Tool Transfer", "display_name": "T1105 - Ingress Tool Transfer" }, { "id": "T1114", "name": "Email Collection", "display_name": "T1114 - Email Collection" }, { "id": "T1497", "name": "Virtualization/Sandbox Evasion", "display_name": "T1497 - Virtualization/Sandbox Evasion" }, { "id": "T1012", "name": "Query Registry", "display_name": "T1012 - Query Registry" }, { "id": "T1043", "name": "Commonly Used Port", "display_name": "T1043 - Commonly Used Port" }, { "id": "T1055", "name": "Process Injection", "display_name": "T1055 - Process Injection" }, { "id": "T1056", "name": "Input Capture", "display_name": "T1056 - Input Capture" }, { "id": "T1068", "name": "Exploitation for Privilege Escalation", "display_name": "T1068 - Exploitation for Privilege Escalation" }, { "id": "T1112", "name": "Modify Registry", "display_name": "T1112 - Modify Registry" }, { "id": "T1176", "name": "Browser Extensions", "display_name": "T1176 - Browser Extensions" }, { "id": "T1179", "name": "Hooking", "display_name": "T1179 - Hooking" }, { "id": "T1449", "name": "Exploit SS7 to Redirect Phone Calls/SMS", "display_name": "T1449 - Exploit SS7 to Redirect Phone Calls/SMS" }, { "id": "T1496", "name": "Resource Hijacking", "display_name": "T1496 - Resource Hijacking" }, { "id": "T1583", "name": "Acquire Infrastructure", "display_name": "T1583 - Acquire Infrastructure" }, { "id": "T1100", "name": "Web Shell", "display_name": "T1100 - Web Shell" }, { "id": "T1560", "name": "Archive Collected Data", "display_name": "T1560 - Archive Collected Data" } ], "industries": [ "Health" ], "TLP": "white", "cloned_from": "657c045ef15bd06d27da1b08", "export_count": 250, "upvotes_count": 0, "downvotes_count": 0, "votes_count": 0, "locked": false, "pulse_source": "web", "validator_count": 0, "comment_count": 0, "follower_count": 0, "vote": 0, "author": { "username": "OctoSeek", "id": "243548", "avatar_url": "/otxapi/users/avatar_image/media/avatars/user_243548/resized/80/avatar_3b9c358f36.png", "is_subscribed": false, "is_following": false }, "indicator_type_counts": { "domain": 2001, "hostname": 3531, "URL": 7519, "FileHash-MD5": 2851, "FileHash-SHA1": 1622, "FileHash-SHA256": 5092, "CVE": 24, "email": 9, "CIDR": 4 }, "indicator_count": 22653, "is_author": false, "is_subscribing": null, "subscriber_count": 225, "modified_text": "828 days ago ", "is_modified": true, "groups": [], "in_group": false, "threat_hunter_scannable": true, "threat_hunter_has_agents": 1, "related_indicator_type": "domain", "related_indicator_is_active": 1 }, { "id": "658ef8c00492cc6bdaa8b605", "name": "CryptInject \u2022 Inmortal \u2022 Invoke-Mimikatz \u2022 WannaCry Kill Switch | https://safebae.org", "description": "", "modified": "2024-01-13T06:01:05.467000", "created": "2023-12-29T16:50:08.330000", "tags": [ "ssl certificate", "whois record", "contacted", "historical ssl", "communicating", "referrer", "execution", "tsara brashears", "highly targeted", "njrat", "ransomware", "heodo", "tag count", "thu aug", "threat report", "ip summary", "url summary", "summary", "sample", "samples", "detection list", "malicious url", "blacklist https", "united", "firehol", "maltiverse", "cyber threat", "control server", "host", "phishing", "engineering", "paypal", "download", "malware", "nanocore rat", "meterpreter", "pony", "facebook", "stealer", "redline stealer", "dnspionage", "mirai", "nanocore", "bradesco", "emotet", "cobalt strike", "bank", "zeus", "zbot", "suppobox", "generic", "site", "cisco umbrella", "alexa top", "million", "reverse dns", "general full", "url https", "resource", "protocol h2", "security tls", "software", "get h2", "hash", "main", "search live", "api blog", "docs pricing", "december", "hall render", "advisory", "brochure url", "link url", "linkedin link", "facebook link", "value", "login", "variables", "modernizr", "lsmeta function", "lsoldgsqueue", "de indicators", "domains", "hashes", "copyright", "gmbh version", "no data", "tld count", "urls", "count blacklist", "heur", "html", "site top", "malicious site", "malware site", "riskware", "exploit", "win64", "unsafe", "genkryptik", "artemis", "opencandy", "agent", "dropper", "fakealert", "acint", "nircmd", "swrort", "downldr", "systweak", "behav", "crack", "tiggre", "presenoker", "filetour", "cleaner", "conduit", "wacatac", "mimikatz", "redirector", "deepscan", "iframe", "memscan", "suspicious", "magazine", "applicunwnt", "alexa", "phish", "win32.pdf.alien", "freemake", "webtoolbar", "trojanspy", "label", "input", "form", "button", "render", "articles", "column", "brian", "search", "contact", "span", "accept", "this", "close", "district", "ultimate", "ip address", "blacklist", "covid19", "phishing chase", "windows nt", "khtml", "gecko", "veryhigh", "aes256gcm", "digicert global", "g2 tls", "rsa sha256", "bypass", "formbook", "generic malware", "cutwail", "safe site", "phishing site", "team", "tofsee", "azorult", "service", "runescape", "remcos", "malicious", "miner", "hacktool", "agenttesla", "unknown", "downloader", "trojan", "detplock", "networm", "cryptinject", "beach research", "rms", "redline", "brian sabey", "hallrender.com", "hallrender.com/attorney/brian-sabey", "tulach", "tulach.cc", "mo.gov", "safebae.org", "civicalg.com", "civicalg", "passive dns", "domain", "registrar", "scan endpoints", "all octoseek", "hostname", "pulse pulses", "date", "next", "computer", "company limited", "first", "utc submissions", "submitters", "gti9158", "gti9080l", "gti9128v", "summary iocs", "graph community", "namecheap inc", "cloudflare", "com laude", "ltd dba", "porkbun llc", "ii llc", "csc corporate", "amazon02", "google", "cloudflarenet", "akamaias", "innova co", "indonesia", "level3", "china telecom", "mb setup", "mb opera", "mb qimage", "mb iesettings", "mb super", "optimizer", "premium", "pattern match", "file", "ascii text", "indicator", "jpeg image", "et tor", "known tor", "misc attack", "relayrouter", "general", "hybrid", "local", "click", "strings", "class", "generator", "critical", "error", "traffic", "tor known", "exit", "node tcp", "tor relayrouter", "spammer", "tor exit", "threats et", "node udp", "adware", "quasar rat", "installpack", "xrat", "fusioncore", "union", "raccoon", "metastealer", "xtrat", "blacklist http", "url http", "hijacking", "information", "report spam", "attorney", "trojanx", "zpevdo", "vidar", "agent tesla", "nymaim", "virut", "occamy", "iobit", "sality", "all search", "otx octoseek", "author avatar", "role title", "added active", "related pulses", "entries", "indicator role", "title added", "active related", "pulses url", "pulses", "ipv4", "expiration", "no expiration", "iocs", "create new", "site safe", "lovgate", "unruy", "patcher", "nsis", "installcore", "adload", "cve201711882", "sonbokli", "ubot", "hsbc", "uztuby", "malicious host", "microsoft", "psexec", "brontok", "startpage", "keygen", "fareit", "secrisk", "floxif", "threat roundup", "c2 raccoon", "march", "critical risk", "apple phone", "unlocker", "installer", "laplasclipper", "blister", "june", "name verdict", "falcon sandbox", "malware generic", "tue dec", "temp", "mitre att", "ck id", "show technique", "ck matrix", "twitter", "seraph", "bazaloader", "media", "security", "technology", "dns replication", "virustotal", "win32 exe", "files", "detections type", "name", "notepad", "java", "update checker", "verisign", "server", "asia pacific", "data", "whois database", "registrar abuse", "apnic whois", "apnic", "icann whois", "nanjing", "cnnic", "hackers", "virus network", "relacionada", "cyberstalking", "excel", "macros sneaky", "unauthorized", "wannacry kill", "attack", "core", "qakbot", "lumma stealer", "ransomexx", "quasar", "metro", "copy", "project", "cnc server", "proxy", "ramnit", "cl0p", "inmortal", "noname057", "jul jan", "fri jun", "tag tag", "failed_code_integrity_checks", "python_initiated-connection", "powershell_create_scheduled", "creation_of_an_executable_by_an_executable", "botnetwork", "c2", "apple hacking", "government relations", "abuse", "download csv", "json ip", "linkid252669", "adwaresig", "suspected", "filerepmalware", "dapato", "predator", "fakeinstaller", "spyrixkeylogger", "bitminer", "loadmoney", "mediaget", "softonic", "encpk", "qbot", "kraddare", "dllinject", "driverpack", "genpack", "offercore", "vitzo", "babar", "http response", "final url", "serving ip", "address", "status code", "body length", "b body", "sha256", "headers", "connection", "pragma", "team malware", "binder", "pykspa", "feodo", "mark", "bomb", "whois whois", "whois parent", "glupteba", "setup stub", "c2ae" ], "references": [ "https://hallrender.com/attorney/brian-sabey", "https://hybrid-analysis.com/sample/66a840a853476a7b66a1202d7f21b28e71b94912341dee123345e620f41fda9d/6571d012385f14f31d0191ad", "https://tracking.crazyegg.com/clock?t=1701949195114&tk=09a1de462eccb2ebc17a566aec5ed8b4&s=331938&p=%2Fattorney%2Fbrian-sabey%2F&u=502212&v=618f8e048086160d46ee09468f987c3211863abb&f=hallrender.com%2Fattorney%2Fbrian-sabey&ul=https%3A%2F%2Fwww.hallrender.com%2Fattorney%2Fbrian-sabey%2F ( tracking tsra Brashears,tracking, clock app)", "https://www.hallrender.com/attorney/brian-sabey/#breadcrumb", "192.124.249.53:80", "hallrender.com (Malware hosting DGA domain, malware hosting, social engineering , fraud services, threat hounds, cyber criminals, dangerous group)", "https://www.hallrender.com/service/antitrust/ ('t' process - targetsTsara Brashears)", "https://www.hallrender.com/professional/kathy-l-thurston/ (phishing)", "https://www.hallrender.com/wp-content/themes/Hall-Render/assets/js/minified/lazy_load-1.9.7-min.js?ver=3.0.1 (malware hosting)", "https://www.hallrender.com/wp-content/themes/Hall-Render/assets/js/minified/lazy_load-1.9.7-min.js?ver=3.0.1%27 (malware hosting)", "Other malicious Hall Render assets and attacks. This doesn't include evidence of physical, documented crimes against targets who may not know source)", "http://auditrage.top/Rossmaansywh/tb.php?wmtvjltu phishing and other cybercrime, serious cyber attacks)", "114.114.114.114. (auto populated IP descriptions: tulach, brian sabey, apple, law)", "rp.dudaran2.com [routerlogin.net to safebae.org]", "vortex-nlb-http2-fed-us-taut-purple.nr-data.net [Apple data, ransomed]", "https://1.1.1.1/login.html [login access to Brashears' Warp if applicable]", "https://www.assurant.com/?utm_source=email&utm_medium=email&utm_campaign=Mobile_Transactional_withad&utm_content=Deductible+Charge+Acknowledgement+PD-MB&utm_term=", "http://xd.x9.client.api.vpngate2.jp/api/?session_id=1773986324675443378", "https://poemhunter.com/tsara-brashears/", "https://pin.it/ [Tsara Brashears Lesbian (libel) Botnetwork, libel]", "http://45.159.189.105/bot/regex ( Laplas clipper, Password stealer. Tracks Tsara Brashears, devices, location, , behavior. Obsessive targeting & social engineering)", "https://www.virustotal.com/graph/g682ab72ed7b14bc68948e2dbfc22be8f7b2a00a339eb490083e18dc764a618dd", "government.westlaw.com", "web2.westlaw.com (Malicious: Only targets Tsara Brashears & safebae.org/cyber stalking now deceased Daisy Coleman deceased, alleged suicide )", "safebae.org (Skynet) Was now deceased Daisy Coleman a real person or actress in Audrey & Daisy? Tragic", "west-sca.duckdns.org", "us-west-2.es.amazonaws.com (pslicorp)", "hero9780.duckdns.org ( government.westlaw.com/house of mo)", "https://www.hallrender.com/2018/12/13/nationwide-emailed-bomb-threats-are-new-ransom-technique (target emailed bomb \"t\" threat, reported, dismissed)", "http://www.hallrender.com/resources/blog (Malware hosting, malvertizing URL/ targets Tsara Brashears)", "www.hallrender.com (malware hosting)", "https://www.milehighmedia.com/en/Charlie-Dean/pornstar/49512 (Mile High Media malvertizing relationship = subsidiary)", "https://www.milehighmedia.com/en/pornstar/milehighmedia/Justin-Hunt/51017", "www.dead-speak.com", "www42.jhonisdead.com", "alohatube.xyz (http://benjamin.xww.de/ porn malvertizing blame shift. Formerly property of Hall Render Brian Sabey)", "https://alohatube.xyz/search/tsara-brashears (Formerly Botnetwork malvertizing campaign targeting Tsara Brashears crime victim. Now http. Benjamin. xww )", "https://www.anyxxxtube.net/search-porn/tsara-brashears/ (Heavy malvertizing. Phishing m formerly named a Bot Network. )", "https://www.pornhub.com/gifs/search?search=tsara+lynn+brashears+lesbian ( tagging, malware campaign, Apple iOS password cracker, libel, straight female)", "www.pornhub.com (Targets Tsara Brashears. Pornography malvertizing, tagging)", "poemhunter.com (Blacklisted.Target Tsara Brashears with relentless malvertizing attacks including, device hacking)", "fakecelebporno.com", "batchcourtexpressservicesqa.westlaw.com", "batchpublicrecords.westlaw.com", "apple-aqo.com (1 DNSPod.net)", "http://init.ess.apple.com/WebObjects/VCInit.woa/wa/getBag?ix=4 (Apple access hacktool \u2192init.ess.apple.com/Web0)", "c.oooooooooo.ga (c.apple.com cdn)", "https://www.anyxxxtube.net/media/favicon/apple", "init.ess.apple.com ( Code Script \u2022 MortalK)", "34bc869d2906198362a4346373ce5b94 (bpbd.portal.ov.bd/npfblock/2021-jpg.", "https://wallpapers-nature.com/tsara-brashears/tse1-mm-bing-net (BitCoin Aussie)", "000002f1558a89f29984934d511289491032f9e96a249c12f2f6d42678264114 (Notepad.exe - python initiated connection)", "https://www.sweetheartvideo.com/tsara-brashears/ [Pin.It BotNet a Malicious Pinterest fraud service]", "https://www.hallrender.com/attorney/brian-sabey" ], "public": 1, "adversary": "M. Brian Sabey Hall Render Malicious & Dangerous Threat Actor", "targeted_countries": [], "malware_families": [ { "id": "Maltiverse", "display_name": "Maltiverse", "target": null }, { "id": "WIN32.PDF.Alien", "display_name": "WIN32.PDF.Alien", "target": null }, { "id": "Freemake", "display_name": "Freemake", "target": null }, { "id": "Redirector", "display_name": "Redirector", "target": null }, { "id": "Zbot", "display_name": "Zbot", "target": null }, { "id": "WebToolbar", "display_name": "WebToolbar", "target": null }, { "id": "Behav", "display_name": "Behav", "target": null }, { "id": "TrojanSpy", "display_name": "TrojanSpy", "target": null }, { "id": "Beach Research", "display_name": "Beach Research", "target": null }, { "id": "RMS", "display_name": "RMS", "target": null }, { "id": "RedLine", "display_name": "RedLine", "target": null }, { "id": "Tulach", "display_name": "Tulach", "target": null }, { "id": "WIN32.PDF.ALIEN", "display_name": "WIN32.PDF.ALIEN", "target": null }, { "id": "ZeuS", "display_name": "ZeuS", "target": null }, { "id": "SuppoBox", "display_name": "SuppoBox", "target": null }, { "id": "Trojan:Win32/Wacatac", "display_name": "Trojan:Win32/Wacatac", "target": "/malware/Trojan:Win32/Wacatac" }, { "id": "ALF:Trojan:Win32/FormBook", "display_name": "ALF:Trojan:Win32/FormBook", "target": null }, { "id": "Emotet", "display_name": "Emotet", "target": null }, { "id": "njRAT", "display_name": "njRAT", "target": null }, { "id": "Trojan:Win32/Tiggre", "display_name": "Trojan:Win32/Tiggre", "target": "/malware/Trojan:Win32/Tiggre" }, { "id": "Invoke-Mimikatz", "display_name": "Invoke-Mimikatz", "target": null }, { "id": "China Telecom", "display_name": "China Telecom", "target": null }, { "id": "Mirai", "display_name": "Mirai", "target": null }, { "id": "Sonbokli", "display_name": "Sonbokli", "target": null }, { "id": "Ubot", "display_name": "Ubot", "target": null }, { "id": "HSBC", "display_name": "HSBC", "target": null }, { "id": "Uztuby", "display_name": "Uztuby", "target": null }, { "id": "APNIC", "display_name": "APNIC", "target": null }, { "id": "Cl0p", "display_name": "Cl0p", "target": null }, { "id": "Inmortal", "display_name": "Inmortal", "target": null }, { "id": "Domains", "display_name": "Domains", "target": null }, { "id": "Vitzo", "display_name": "Vitzo", "target": null }, { "id": "Babar", "display_name": "Babar", "target": null }, { "id": "Qbot", "display_name": "Qbot", "target": null }, { "id": "WannaCry Kill Switch", "display_name": "WannaCry Kill Switch", "target": null } ], "attack_ids": [ { "id": "T1027", "name": "Obfuscated Files or Information", "display_name": "T1027 - Obfuscated Files or Information" }, { "id": "T1140", "name": "Deobfuscate/Decode Files or Information", "display_name": "T1140 - Deobfuscate/Decode Files or Information" }, { "id": "T1041", "name": "Exfiltration Over C2 Channel", "display_name": "T1041 - Exfiltration Over C2 Channel" }, { "id": "T1059", "name": "Command and Scripting Interpreter", "display_name": "T1059 - Command and Scripting Interpreter" }, { "id": "T1071", "name": "Application Layer Protocol", "display_name": "T1071 - Application Layer Protocol" }, { "id": "T1105", "name": "Ingress Tool Transfer", "display_name": "T1105 - Ingress Tool Transfer" }, { "id": "T1114", "name": "Email Collection", "display_name": "T1114 - Email Collection" }, { "id": "T1497", "name": "Virtualization/Sandbox Evasion", "display_name": "T1497 - Virtualization/Sandbox Evasion" }, { "id": "T1012", "name": "Query Registry", "display_name": "T1012 - Query Registry" }, { "id": "T1043", "name": "Commonly Used Port", "display_name": "T1043 - Commonly Used Port" }, { "id": "T1055", "name": "Process Injection", "display_name": "T1055 - Process Injection" }, { "id": "T1056", "name": "Input Capture", "display_name": "T1056 - Input Capture" }, { "id": "T1068", "name": "Exploitation for Privilege Escalation", "display_name": "T1068 - Exploitation for Privilege Escalation" }, { "id": "T1112", "name": "Modify Registry", "display_name": "T1112 - Modify Registry" }, { "id": "T1176", "name": "Browser Extensions", "display_name": "T1176 - Browser Extensions" }, { "id": "T1179", "name": "Hooking", "display_name": "T1179 - Hooking" }, { "id": "T1449", "name": "Exploit SS7 to Redirect Phone Calls/SMS", "display_name": "T1449 - Exploit SS7 to Redirect Phone Calls/SMS" }, { "id": "T1496", "name": "Resource Hijacking", "display_name": "T1496 - Resource Hijacking" }, { "id": "T1583", "name": "Acquire Infrastructure", "display_name": "T1583 - Acquire Infrastructure" }, { "id": "T1100", "name": "Web Shell", "display_name": "T1100 - Web Shell" }, { "id": "T1560", "name": "Archive Collected Data", "display_name": "T1560 - Archive Collected Data" } ], "industries": [ "Health" ], "TLP": "white", "cloned_from": "658dd341d97d04b0253392d4", "export_count": 518, "upvotes_count": 0, "downvotes_count": 0, "votes_count": 0, "locked": false, "pulse_source": "web", "validator_count": 0, "comment_count": 0, "follower_count": 0, "vote": 0, "author": { "username": "scoreblue", "id": "254100", "avatar_url": "/otxapi/users/avatar_image/media/avatars/user_254100/resized/80/avatar_3b9c358f36.png", "is_subscribed": false, "is_following": false }, "indicator_type_counts": { "domain": 2001, "hostname": 3531, "URL": 7519, "FileHash-MD5": 2851, "FileHash-SHA1": 1622, "FileHash-SHA256": 5092, "CVE": 24, "email": 9, "CIDR": 4 }, "indicator_count": 22653, "is_author": false, "is_subscribing": null, "subscriber_count": 234, "modified_text": "828 days ago ", "is_modified": true, "groups": [], "in_group": false, "threat_hunter_scannable": true, "threat_hunter_has_agents": 1, "related_indicator_type": "domain", "related_indicator_is_active": 1 }, { "id": "658dd341d97d04b0253392d4", "name": "CryptInject \u2022 Inmortal \u2022 Invoke-Mimikatz \u2022 WannaCry Kill Switch", "description": "", "modified": "2024-01-13T06:01:05.467000", "created": "2023-12-28T19:57:53.875000", "tags": [ "ssl certificate", "whois record", "contacted", "historical ssl", "communicating", "referrer", "execution", "tsara brashears", "highly targeted", "njrat", "ransomware", "heodo", "tag count", "thu aug", "threat report", "ip summary", "url summary", "summary", "sample", "samples", "detection list", "malicious url", "blacklist https", "united", "firehol", "maltiverse", "cyber threat", "control server", "host", "phishing", "engineering", "paypal", "download", "malware", "nanocore rat", "meterpreter", "pony", "facebook", "stealer", "redline stealer", "dnspionage", "mirai", "nanocore", "bradesco", "emotet", "cobalt strike", "bank", "zeus", "zbot", "suppobox", "generic", "site", "cisco umbrella", "alexa top", "million", "reverse dns", "general full", "url https", "resource", "protocol h2", "security tls", "software", "get h2", "hash", "main", "search live", "api blog", "docs pricing", "december", "hall render", "advisory", "brochure url", "link url", "linkedin link", "facebook link", "value", "login", "variables", "modernizr", "lsmeta function", "lsoldgsqueue", "de indicators", "domains", "hashes", "copyright", "gmbh version", "no data", "tld count", "urls", "count blacklist", "heur", "html", "site top", "malicious site", "malware site", "riskware", "exploit", "win64", "unsafe", "genkryptik", "artemis", "opencandy", "agent", "dropper", "fakealert", "acint", "nircmd", "swrort", "downldr", "systweak", "behav", "crack", "tiggre", "presenoker", "filetour", "cleaner", "conduit", "wacatac", "mimikatz", "redirector", "deepscan", "iframe", "memscan", "suspicious", "magazine", "applicunwnt", "alexa", "phish", "win32.pdf.alien", "freemake", "webtoolbar", "trojanspy", "label", "input", "form", "button", "render", "articles", "column", "brian", "search", "contact", "span", "accept", "this", "close", "district", "ultimate", "ip address", "blacklist", "covid19", "phishing chase", "windows nt", "khtml", "gecko", "veryhigh", "aes256gcm", "digicert global", "g2 tls", "rsa sha256", "bypass", "formbook", "generic malware", "cutwail", "safe site", "phishing site", "team", "tofsee", "azorult", "service", "runescape", "remcos", "malicious", "miner", "hacktool", "agenttesla", "unknown", "downloader", "trojan", "detplock", "networm", "cryptinject", "beach research", "rms", "redline", "brian sabey", "hallrender.com", "hallrender.com/attorney/brian-sabey", "tulach", "tulach.cc", "mo.gov", "safebae.org", "civicalg.com", "civicalg", "passive dns", "domain", "registrar", "scan endpoints", "all octoseek", "hostname", "pulse pulses", "date", "next", "computer", "company limited", "first", "utc submissions", "submitters", "gti9158", "gti9080l", "gti9128v", "summary iocs", "graph community", "namecheap inc", "cloudflare", "com laude", "ltd dba", "porkbun llc", "ii llc", "csc corporate", "amazon02", "google", "cloudflarenet", "akamaias", "innova co", "indonesia", "level3", "china telecom", "mb setup", "mb opera", "mb qimage", "mb iesettings", "mb super", "optimizer", "premium", "pattern match", "file", "ascii text", "indicator", "jpeg image", "et tor", "known tor", "misc attack", "relayrouter", "general", "hybrid", "local", "click", "strings", "class", "generator", "critical", "error", "traffic", "tor known", "exit", "node tcp", "tor relayrouter", "spammer", "tor exit", "threats et", "node udp", "adware", "quasar rat", "installpack", "xrat", "fusioncore", "union", "raccoon", "metastealer", "xtrat", "blacklist http", "url http", "hijacking", "information", "report spam", "attorney", "trojanx", "zpevdo", "vidar", "agent tesla", "nymaim", "virut", "occamy", "iobit", "sality", "all search", "otx octoseek", "author avatar", "role title", "added active", "related pulses", "entries", "indicator role", "title added", "active related", "pulses url", "pulses", "ipv4", "expiration", "no expiration", "iocs", "create new", "site safe", "lovgate", "unruy", "patcher", "nsis", "installcore", "adload", "cve201711882", "sonbokli", "ubot", "hsbc", "uztuby", "malicious host", "microsoft", "psexec", "brontok", "startpage", "keygen", "fareit", "secrisk", "floxif", "threat roundup", "c2 raccoon", "march", "critical risk", "apple phone", "unlocker", "installer", "laplasclipper", "blister", "june", "name verdict", "falcon sandbox", "malware generic", "tue dec", "temp", "mitre att", "ck id", "show technique", "ck matrix", "twitter", "seraph", "bazaloader", "media", "security", "technology", "dns replication", "virustotal", "win32 exe", "files", "detections type", "name", "notepad", "java", "update checker", "verisign", "server", "asia pacific", "data", "whois database", "registrar abuse", "apnic whois", "apnic", "icann whois", "nanjing", "cnnic", "hackers", "virus network", "relacionada", "cyberstalking", "excel", "macros sneaky", "unauthorized", "wannacry kill", "attack", "core", "qakbot", "lumma stealer", "ransomexx", "quasar", "metro", "copy", "project", "cnc server", "proxy", "ramnit", "cl0p", "inmortal", "noname057", "jul jan", "fri jun", "tag tag", "failed_code_integrity_checks", "python_initiated-connection", "powershell_create_scheduled", "creation_of_an_executable_by_an_executable", "botnetwork", "c2", "apple hacking", "government relations", "abuse", "download csv", "json ip", "linkid252669", "adwaresig", "suspected", "filerepmalware", "dapato", "predator", "fakeinstaller", "spyrixkeylogger", "bitminer", "loadmoney", "mediaget", "softonic", "encpk", "qbot", "kraddare", "dllinject", "driverpack", "genpack", "offercore", "vitzo", "babar", "http response", "final url", "serving ip", "address", "status code", "body length", "b body", "sha256", "headers", "connection", "pragma", "team malware", "binder", "pykspa", "feodo", "mark", "bomb", "whois whois", "whois parent", "glupteba", "setup stub", "c2ae" ], "references": [ "https://hallrender.com/attorney/brian-sabey", "https://hybrid-analysis.com/sample/66a840a853476a7b66a1202d7f21b28e71b94912341dee123345e620f41fda9d/6571d012385f14f31d0191ad", "https://tracking.crazyegg.com/clock?t=1701949195114&tk=09a1de462eccb2ebc17a566aec5ed8b4&s=331938&p=%2Fattorney%2Fbrian-sabey%2F&u=502212&v=618f8e048086160d46ee09468f987c3211863abb&f=hallrender.com%2Fattorney%2Fbrian-sabey&ul=https%3A%2F%2Fwww.hallrender.com%2Fattorney%2Fbrian-sabey%2F ( tracking tsra Brashears,tracking, clock app)", "https://www.hallrender.com/attorney/brian-sabey/#breadcrumb", "192.124.249.53:80", "hallrender.com (Malware hosting DGA domain, malware hosting, social engineering , fraud services, threat hounds, cyber criminals, dangerous group)", "https://www.hallrender.com/service/antitrust/ ('t' process - targetsTsara Brashears)", "https://www.hallrender.com/professional/kathy-l-thurston/ (phishing)", "https://www.hallrender.com/wp-content/themes/Hall-Render/assets/js/minified/lazy_load-1.9.7-min.js?ver=3.0.1 (malware hosting)", "https://www.hallrender.com/wp-content/themes/Hall-Render/assets/js/minified/lazy_load-1.9.7-min.js?ver=3.0.1%27 (malware hosting)", "Other malicious Hall Render assets and attacks. This doesn't include evidence of physical, documented crimes against targets who may not know source)", "http://auditrage.top/Rossmaansywh/tb.php?wmtvjltu phishing and other cybercrime, serious cyber attacks)", "114.114.114.114. (auto populated IP descriptions: tulach, brian sabey, apple, law)", "rp.dudaran2.com [routerlogin.net to safebae.org]", "vortex-nlb-http2-fed-us-taut-purple.nr-data.net [Apple data, ransomed]", "https://1.1.1.1/login.html [login access to Brashears' Warp if applicable]", "https://www.assurant.com/?utm_source=email&utm_medium=email&utm_campaign=Mobile_Transactional_withad&utm_content=Deductible+Charge+Acknowledgement+PD-MB&utm_term=", "http://xd.x9.client.api.vpngate2.jp/api/?session_id=1773986324675443378", "https://poemhunter.com/tsara-brashears/", "https://pin.it/ [Tsara Brashears Lesbian (libel) Botnetwork, libel]", "http://45.159.189.105/bot/regex ( Laplas clipper, Password stealer. Tracks Tsara Brashears, devices, location, , behavior. Obsessive targeting & social engineering)", "https://www.virustotal.com/graph/g682ab72ed7b14bc68948e2dbfc22be8f7b2a00a339eb490083e18dc764a618dd", "government.westlaw.com", "web2.westlaw.com (Malicious: Only targets Tsara Brashears & safebae.org/cyber stalking now deceased Daisy Coleman deceased, alleged suicide )", "safebae.org (Skynet) Was now deceased Daisy Coleman a real person or actress in Audrey & Daisy? Tragic", "west-sca.duckdns.org", "us-west-2.es.amazonaws.com (pslicorp)", "hero9780.duckdns.org ( government.westlaw.com/house of mo)", "https://www.hallrender.com/2018/12/13/nationwide-emailed-bomb-threats-are-new-ransom-technique (target emailed bomb \"t\" threat, reported, dismissed)", "http://www.hallrender.com/resources/blog (Malware hosting, malvertizing URL/ targets Tsara Brashears)", "www.hallrender.com (malware hosting)", "https://www.milehighmedia.com/en/Charlie-Dean/pornstar/49512 (Mile High Media malvertizing relationship = subsidiary)", "https://www.milehighmedia.com/en/pornstar/milehighmedia/Justin-Hunt/51017", "www.dead-speak.com", "www42.jhonisdead.com", "alohatube.xyz (http://benjamin.xww.de/ porn malvertizing blame shift. Formerly property of Hall Render Brian Sabey)", "https://alohatube.xyz/search/tsara-brashears (Formerly Botnetwork malvertizing campaign targeting Tsara Brashears crime victim. Now http. Benjamin. xww )", "https://www.anyxxxtube.net/search-porn/tsara-brashears/ (Heavy malvertizing. Phishing m formerly named a Bot Network. )", "https://www.pornhub.com/gifs/search?search=tsara+lynn+brashears+lesbian ( tagging, malware campaign, Apple iOS password cracker, libel, straight female)", "www.pornhub.com (Targets Tsara Brashears. Pornography malvertizing, tagging)", "poemhunter.com (Blacklisted.Target Tsara Brashears with relentless malvertizing attacks including, device hacking)", "fakecelebporno.com", "batchcourtexpressservicesqa.westlaw.com", "batchpublicrecords.westlaw.com", "apple-aqo.com (1 DNSPod.net)", "http://init.ess.apple.com/WebObjects/VCInit.woa/wa/getBag?ix=4 (Apple access hacktool \u2192init.ess.apple.com/Web0)", "c.oooooooooo.ga (c.apple.com cdn)", "https://www.anyxxxtube.net/media/favicon/apple", "init.ess.apple.com ( Code Script \u2022 MortalK)", "34bc869d2906198362a4346373ce5b94 (bpbd.portal.ov.bd/npfblock/2021-jpg.", "https://wallpapers-nature.com/tsara-brashears/tse1-mm-bing-net (BitCoin Aussie)", "000002f1558a89f29984934d511289491032f9e96a249c12f2f6d42678264114 (Notepad.exe - python initiated connection)", "https://www.sweetheartvideo.com/tsara-brashears/ [Pin.It BotNet a Malicious Pinterest fraud service]", "https://www.hallrender.com/attorney/brian-sabey" ], "public": 1, "adversary": "M. Brian Sabey Hall Render Malicious & Dangerous Threat Actor", "targeted_countries": [], "malware_families": [ { "id": "Maltiverse", "display_name": "Maltiverse", "target": null }, { "id": "WIN32.PDF.Alien", "display_name": "WIN32.PDF.Alien", "target": null }, { "id": "Freemake", "display_name": "Freemake", "target": null }, { "id": "Redirector", "display_name": "Redirector", "target": null }, { "id": "Zbot", "display_name": "Zbot", "target": null }, { "id": "WebToolbar", "display_name": "WebToolbar", "target": null }, { "id": "Behav", "display_name": "Behav", "target": null }, { "id": "TrojanSpy", "display_name": "TrojanSpy", "target": null }, { "id": "Beach Research", "display_name": "Beach Research", "target": null }, { "id": "RMS", "display_name": "RMS", "target": null }, { "id": "RedLine", "display_name": "RedLine", "target": null }, { "id": "Tulach", "display_name": "Tulach", "target": null }, { "id": "WIN32.PDF.ALIEN", "display_name": "WIN32.PDF.ALIEN", "target": null }, { "id": "ZeuS", "display_name": "ZeuS", "target": null }, { "id": "SuppoBox", "display_name": "SuppoBox", "target": null }, { "id": "Trojan:Win32/Wacatac", "display_name": "Trojan:Win32/Wacatac", "target": "/malware/Trojan:Win32/Wacatac" }, { "id": "ALF:Trojan:Win32/FormBook", "display_name": "ALF:Trojan:Win32/FormBook", "target": null }, { "id": "Emotet", "display_name": "Emotet", "target": null }, { "id": "njRAT", "display_name": "njRAT", "target": null }, { "id": "Trojan:Win32/Tiggre", "display_name": "Trojan:Win32/Tiggre", "target": "/malware/Trojan:Win32/Tiggre" }, { "id": "Invoke-Mimikatz", "display_name": "Invoke-Mimikatz", "target": null }, { "id": "China Telecom", "display_name": "China Telecom", "target": null }, { "id": "Mirai", "display_name": "Mirai", "target": null }, { "id": "Sonbokli", "display_name": "Sonbokli", "target": null }, { "id": "Ubot", "display_name": "Ubot", "target": null }, { "id": "HSBC", "display_name": "HSBC", "target": null }, { "id": "Uztuby", "display_name": "Uztuby", "target": null }, { "id": "APNIC", "display_name": "APNIC", "target": null }, { "id": "Cl0p", "display_name": "Cl0p", "target": null }, { "id": "Inmortal", "display_name": "Inmortal", "target": null }, { "id": "Domains", "display_name": "Domains", "target": null }, { "id": "Vitzo", "display_name": "Vitzo", "target": null }, { "id": "Babar", "display_name": "Babar", "target": null }, { "id": "Qbot", "display_name": "Qbot", "target": null }, { "id": "WannaCry Kill Switch", "display_name": "WannaCry Kill Switch", "target": null } ], "attack_ids": [ { "id": "T1027", "name": "Obfuscated Files or Information", "display_name": "T1027 - Obfuscated Files or Information" }, { "id": "T1140", "name": "Deobfuscate/Decode Files or Information", "display_name": "T1140 - Deobfuscate/Decode Files or Information" }, { "id": "T1041", "name": "Exfiltration Over C2 Channel", "display_name": "T1041 - Exfiltration Over C2 Channel" }, { "id": "T1059", "name": "Command and Scripting Interpreter", "display_name": "T1059 - Command and Scripting Interpreter" }, { "id": "T1071", "name": "Application Layer Protocol", "display_name": "T1071 - Application Layer Protocol" }, { "id": "T1105", "name": "Ingress Tool Transfer", "display_name": "T1105 - Ingress Tool Transfer" }, { "id": "T1114", "name": "Email Collection", "display_name": "T1114 - Email Collection" }, { "id": "T1497", "name": "Virtualization/Sandbox Evasion", "display_name": "T1497 - Virtualization/Sandbox Evasion" }, { "id": "T1012", "name": "Query Registry", "display_name": "T1012 - Query Registry" }, { "id": "T1043", "name": "Commonly Used Port", "display_name": "T1043 - Commonly Used Port" }, { "id": "T1055", "name": "Process Injection", "display_name": "T1055 - Process Injection" }, { "id": "T1056", "name": "Input Capture", "display_name": "T1056 - Input Capture" }, { "id": "T1068", "name": "Exploitation for Privilege Escalation", "display_name": "T1068 - Exploitation for Privilege Escalation" }, { "id": "T1112", "name": "Modify Registry", "display_name": "T1112 - Modify Registry" }, { "id": "T1176", "name": "Browser Extensions", "display_name": "T1176 - Browser Extensions" }, { "id": "T1179", "name": "Hooking", "display_name": "T1179 - Hooking" }, { "id": "T1449", "name": "Exploit SS7 to Redirect Phone Calls/SMS", "display_name": "T1449 - Exploit SS7 to Redirect Phone Calls/SMS" }, { "id": "T1496", "name": "Resource Hijacking", "display_name": "T1496 - Resource Hijacking" }, { "id": "T1583", "name": "Acquire Infrastructure", "display_name": "T1583 - Acquire Infrastructure" }, { "id": "T1100", "name": "Web Shell", "display_name": "T1100 - Web Shell" }, { "id": "T1560", "name": "Archive Collected Data", "display_name": "T1560 - Archive Collected Data" } ], "industries": [ "Health" ], "TLP": "white", "cloned_from": "657ab025b97f20f31bbfcd70", "export_count": 522, "upvotes_count": 0, "downvotes_count": 0, "votes_count": 0, "locked": false, "pulse_source": "web", "validator_count": 0, "comment_count": 0, "follower_count": 0, "vote": 0, "author": { "username": "OctoSeek", "id": "243548", "avatar_url": "/otxapi/users/avatar_image/media/avatars/user_243548/resized/80/avatar_3b9c358f36.png", "is_subscribed": false, "is_following": false }, "indicator_type_counts": { "domain": 2001, "hostname": 3531, "URL": 7519, "FileHash-MD5": 2851, "FileHash-SHA1": 1622, "FileHash-SHA256": 5092, "CVE": 24, "email": 9, "CIDR": 4 }, "indicator_count": 22653, "is_author": false, "is_subscribing": null, "subscriber_count": 226, "modified_text": "828 days ago ", "is_modified": true, "groups": [], "in_group": false, "threat_hunter_scannable": true, "threat_hunter_has_agents": 1, "related_indicator_type": "domain", "related_indicator_is_active": 1 }, { "id": "657c045ef15bd06d27da1b08", "name": "Resource Hijacking by attorney https://hallrender.com/attorney/brian-sabey", "description": "", "modified": "2024-01-13T06:01:05.467000", "created": "2023-12-15T07:46:38.664000", "tags": [ "ssl certificate", "whois record", "contacted", "historical ssl", "communicating", "referrer", "execution", "tsara brashears", "highly targeted", "njrat", "ransomware", "heodo", "tag count", "thu aug", "threat report", "ip summary", "url summary", "summary", "sample", "samples", "detection list", "malicious url", "blacklist https", "united", "firehol", "maltiverse", "cyber threat", "control server", "host", "phishing", "engineering", "paypal", "download", "malware", "nanocore rat", "meterpreter", "pony", "facebook", "stealer", "redline stealer", "dnspionage", "mirai", "nanocore", "bradesco", "emotet", "cobalt strike", "bank", "zeus", "zbot", "suppobox", "generic", "site", "cisco umbrella", "alexa top", "million", "reverse dns", "general full", "url https", "resource", "protocol h2", "security tls", "software", "get h2", "hash", "main", "search live", "api blog", "docs pricing", "december", "hall render", "advisory", "brochure url", "link url", "linkedin link", "facebook link", "value", "login", "variables", "modernizr", "lsmeta function", "lsoldgsqueue", "de indicators", "domains", "hashes", "copyright", "gmbh version", "no data", "tld count", "urls", "count blacklist", "heur", "html", "site top", "malicious site", "malware site", "riskware", "exploit", "win64", "unsafe", "genkryptik", "artemis", "opencandy", "agent", "dropper", "fakealert", "acint", "nircmd", "swrort", "downldr", "systweak", "behav", "crack", "tiggre", "presenoker", "filetour", "cleaner", "conduit", "wacatac", "mimikatz", "redirector", "deepscan", "iframe", "memscan", "suspicious", "magazine", "applicunwnt", "alexa", "phish", "win32.pdf.alien", "freemake", "webtoolbar", "trojanspy", "label", "input", "form", "button", "render", "articles", "column", "brian", "search", "contact", "span", "accept", "this", "close", "district", "ultimate", "ip address", "blacklist", "covid19", "phishing chase", "windows nt", "khtml", "gecko", "veryhigh", "aes256gcm", "digicert global", "g2 tls", "rsa sha256", "bypass", "formbook", "generic malware", "cutwail", "safe site", "phishing site", "team", "tofsee", "azorult", "service", "runescape", "remcos", "malicious", "miner", "hacktool", "agenttesla", "unknown", "downloader", "trojan", "detplock", "networm", "cryptinject", "beach research", "rms", "redline", "brian sabey", "hallrender.com", "hallrender.com/attorney/brian-sabey", "tulach", "tulach.cc", "mo.gov", "safebae.org", "civicalg.com", "civicalg", "passive dns", "domain", "registrar", "scan endpoints", "all octoseek", "hostname", "pulse pulses", "date", "next", "computer", "company limited", "first", "utc submissions", "submitters", "gti9158", "gti9080l", "gti9128v", "summary iocs", "graph community", "namecheap inc", "cloudflare", "com laude", "ltd dba", "porkbun llc", "ii llc", "csc corporate", "amazon02", "google", "cloudflarenet", "akamaias", "innova co", "indonesia", "level3", "china telecom", "mb setup", "mb opera", "mb qimage", "mb iesettings", "mb super", "optimizer", "premium", "pattern match", "file", "ascii text", "indicator", "jpeg image", "et tor", "known tor", "misc attack", "relayrouter", "general", "hybrid", "local", "click", "strings", "class", "generator", "critical", "error", "traffic", "tor known", "exit", "node tcp", "tor relayrouter", "spammer", "tor exit", "threats et", "node udp", "adware", "quasar rat", "installpack", "xrat", "fusioncore", "union", "raccoon", "metastealer", "xtrat", "blacklist http", "url http", "hijacking", "information", "report spam", "attorney", "trojanx", "zpevdo", "vidar", "agent tesla", "nymaim", "virut", "occamy", "iobit", "sality", "all search", "otx octoseek", "author avatar", "role title", "added active", "related pulses", "entries", "indicator role", "title added", "active related", "pulses url", "pulses", "ipv4", "expiration", "no expiration", "iocs", "create new", "site safe", "lovgate", "unruy", "patcher", "nsis", "installcore", "adload", "cve201711882", "sonbokli", "ubot", "hsbc", "uztuby", "malicious host", "microsoft", "psexec", "brontok", "startpage", "keygen", "fareit", "secrisk", "floxif", "threat roundup", "c2 raccoon", "march", "critical risk", "apple phone", "unlocker", "installer", "laplasclipper", "blister", "june", "name verdict", "falcon sandbox", "malware generic", "tue dec", "temp", "mitre att", "ck id", "show technique", "ck matrix", "twitter", "seraph", "bazaloader", "media", "security", "technology", "dns replication", "virustotal", "win32 exe", "files", "detections type", "name", "notepad", "java", "update checker", "verisign", "server", "asia pacific", "data", "whois database", "registrar abuse", "apnic whois", "apnic", "icann whois", "nanjing", "cnnic", "hackers", "virus network", "relacionada", "cyberstalking", "excel", "macros sneaky", "unauthorized", "wannacry kill", "attack", "core", "qakbot", "lumma stealer", "ransomexx", "quasar", "metro", "copy", "project", "cnc server", "proxy", "ramnit", "cl0p", "inmortal", "noname057", "jul jan", "fri jun", "tag tag", "failed_code_integrity_checks", "python_initiated-connection", "powershell_create_scheduled", "creation_of_an_executable_by_an_executable", "botnetwork", "c2", "apple hacking", "government relations", "abuse", "download csv", "json ip", "linkid252669", "adwaresig", "suspected", "filerepmalware", "dapato", "predator", "fakeinstaller", "spyrixkeylogger", "bitminer", "loadmoney", "mediaget", "softonic", "encpk", "qbot", "kraddare", "dllinject", "driverpack", "genpack", "offercore", "vitzo", "babar", "http response", "final url", "serving ip", "address", "status code", "body length", "b body", "sha256", "headers", "connection", "pragma", "team malware", "binder", "pykspa", "feodo", "mark", "bomb", "whois whois", "whois parent", "glupteba", "setup stub", "c2ae" ], "references": [ "https://hallrender.com/attorney/brian-sabey", "https://hybrid-analysis.com/sample/66a840a853476a7b66a1202d7f21b28e71b94912341dee123345e620f41fda9d/6571d012385f14f31d0191ad", "https://tracking.crazyegg.com/clock?t=1701949195114&tk=09a1de462eccb2ebc17a566aec5ed8b4&s=331938&p=%2Fattorney%2Fbrian-sabey%2F&u=502212&v=618f8e048086160d46ee09468f987c3211863abb&f=hallrender.com%2Fattorney%2Fbrian-sabey&ul=https%3A%2F%2Fwww.hallrender.com%2Fattorney%2Fbrian-sabey%2F ( tracking tsra Brashears,tracking, clock app)", "https://www.hallrender.com/attorney/brian-sabey/#breadcrumb", "192.124.249.53:80", "hallrender.com (Malware hosting DGA domain, malware hosting, social engineering , fraud services, threat hounds, cyber criminals, dangerous group)", "https://www.hallrender.com/service/antitrust/ ('t' process - targetsTsara Brashears)", "https://www.hallrender.com/professional/kathy-l-thurston/ (phishing)", "https://www.hallrender.com/wp-content/themes/Hall-Render/assets/js/minified/lazy_load-1.9.7-min.js?ver=3.0.1 (malware hosting)", "https://www.hallrender.com/wp-content/themes/Hall-Render/assets/js/minified/lazy_load-1.9.7-min.js?ver=3.0.1%27 (malware hosting)", "Other malicious Hall Render assets and attacks. This doesn't include evidence of physical, documented crimes against targets who may not know source)", "http://auditrage.top/Rossmaansywh/tb.php?wmtvjltu phishing and other cybercrime, serious cyber attacks)", "114.114.114.114. (auto populated IP descriptions: tulach, brian sabey, apple, law)", "rp.dudaran2.com [routerlogin.net to safebae.org]", "vortex-nlb-http2-fed-us-taut-purple.nr-data.net [Apple data, ransomed]", "https://1.1.1.1/login.html [login access to Brashears' Warp if applicable]", "https://www.assurant.com/?utm_source=email&utm_medium=email&utm_campaign=Mobile_Transactional_withad&utm_content=Deductible+Charge+Acknowledgement+PD-MB&utm_term=", "http://xd.x9.client.api.vpngate2.jp/api/?session_id=1773986324675443378", "https://poemhunter.com/tsara-brashears/", "https://pin.it/ [Tsara Brashears Lesbian (libel) Botnetwork, libel]", "http://45.159.189.105/bot/regex ( Laplas clipper, Password stealer. Tracks Tsara Brashears, devices, location, , behavior. Obsessive targeting & social engineering)", "https://www.virustotal.com/graph/g682ab72ed7b14bc68948e2dbfc22be8f7b2a00a339eb490083e18dc764a618dd", "government.westlaw.com", "web2.westlaw.com (Malicious: Only targets Tsara Brashears & safebae.org/cyber stalking now deceased Daisy Coleman deceased, alleged suicide )", "safebae.org (Skynet) Was now deceased Daisy Coleman a real person or actress in Audrey & Daisy? Tragic", "west-sca.duckdns.org", "us-west-2.es.amazonaws.com (pslicorp)", "hero9780.duckdns.org ( government.westlaw.com/house of mo)", "https://www.hallrender.com/2018/12/13/nationwide-emailed-bomb-threats-are-new-ransom-technique (target emailed bomb \"t\" threat, reported, dismissed)", "http://www.hallrender.com/resources/blog (Malware hosting, malvertizing URL/ targets Tsara Brashears)", "www.hallrender.com (malware hosting)", "https://www.milehighmedia.com/en/Charlie-Dean/pornstar/49512 (Mile High Media malvertizing relationship = subsidiary)", "https://www.milehighmedia.com/en/pornstar/milehighmedia/Justin-Hunt/51017", "www.dead-speak.com", "www42.jhonisdead.com", "alohatube.xyz (http://benjamin.xww.de/ porn malvertizing blame shift. Formerly property of Hall Render Brian Sabey)", "https://alohatube.xyz/search/tsara-brashears (Formerly Botnetwork malvertizing campaign targeting Tsara Brashears crime victim. Now http. Benjamin. xww )", "https://www.anyxxxtube.net/search-porn/tsara-brashears/ (Heavy malvertizing. Phishing m formerly named a Bot Network. )", "https://www.pornhub.com/gifs/search?search=tsara+lynn+brashears+lesbian ( tagging, malware campaign, Apple iOS password cracker, libel, straight female)", "www.pornhub.com (Targets Tsara Brashears. Pornography malvertizing, tagging)", "poemhunter.com (Blacklisted.Target Tsara Brashears with relentless malvertizing attacks including, device hacking)", "fakecelebporno.com", "batchcourtexpressservicesqa.westlaw.com", "batchpublicrecords.westlaw.com", "apple-aqo.com (1 DNSPod.net)", "http://init.ess.apple.com/WebObjects/VCInit.woa/wa/getBag?ix=4 (Apple access hacktool \u2192init.ess.apple.com/Web0)", "c.oooooooooo.ga (c.apple.com cdn)", "https://www.anyxxxtube.net/media/favicon/apple", "init.ess.apple.com ( Code Script \u2022 MortalK)", "34bc869d2906198362a4346373ce5b94 (bpbd.portal.ov.bd/npfblock/2021-jpg.", "https://wallpapers-nature.com/tsara-brashears/tse1-mm-bing-net (BitCoin Aussie)", "000002f1558a89f29984934d511289491032f9e96a249c12f2f6d42678264114 (Notepad.exe - python initiated connection)", "https://www.sweetheartvideo.com/tsara-brashears/ [Pin.It BotNet a Malicious Pinterest fraud service]", "https://www.hallrender.com/attorney/brian-sabey" ], "public": 1, "adversary": "M. Brian Sabey Hall Render Malicious & Dangerous Threat Actor", "targeted_countries": [], "malware_families": [ { "id": "Maltiverse", "display_name": "Maltiverse", "target": null }, { "id": "WIN32.PDF.Alien", "display_name": "WIN32.PDF.Alien", "target": null }, { "id": "Freemake", "display_name": "Freemake", "target": null }, { "id": "Redirector", "display_name": "Redirector", "target": null }, { "id": "Zbot", "display_name": "Zbot", "target": null }, { "id": "WebToolbar", "display_name": "WebToolbar", "target": null }, { "id": "Behav", "display_name": "Behav", "target": null }, { "id": "TrojanSpy", "display_name": "TrojanSpy", "target": null }, { "id": "Beach Research", "display_name": "Beach Research", "target": null }, { "id": "RMS", "display_name": "RMS", "target": null }, { "id": "RedLine", "display_name": "RedLine", "target": null }, { "id": "Tulach", "display_name": "Tulach", "target": null }, { "id": "WIN32.PDF.ALIEN", "display_name": "WIN32.PDF.ALIEN", "target": null }, { "id": "ZeuS", "display_name": "ZeuS", "target": null }, { "id": "SuppoBox", "display_name": "SuppoBox", "target": null }, { "id": "Trojan:Win32/Wacatac", "display_name": "Trojan:Win32/Wacatac", "target": "/malware/Trojan:Win32/Wacatac" }, { "id": "ALF:Trojan:Win32/FormBook", "display_name": "ALF:Trojan:Win32/FormBook", "target": null }, { "id": "Emotet", "display_name": "Emotet", "target": null }, { "id": "njRAT", "display_name": "njRAT", "target": null }, { "id": "Trojan:Win32/Tiggre", "display_name": "Trojan:Win32/Tiggre", "target": "/malware/Trojan:Win32/Tiggre" }, { "id": "Invoke-Mimikatz", "display_name": "Invoke-Mimikatz", "target": null }, { "id": "China Telecom", "display_name": "China Telecom", "target": null }, { "id": "Mirai", "display_name": "Mirai", "target": null }, { "id": "Sonbokli", "display_name": "Sonbokli", "target": null }, { "id": "Ubot", "display_name": "Ubot", "target": null }, { "id": "HSBC", "display_name": "HSBC", "target": null }, { "id": "Uztuby", "display_name": "Uztuby", "target": null }, { "id": "APNIC", "display_name": "APNIC", "target": null }, { "id": "Cl0p", "display_name": "Cl0p", "target": null }, { "id": "Inmortal", "display_name": "Inmortal", "target": null }, { "id": "Domains", "display_name": "Domains", "target": null }, { "id": "Vitzo", "display_name": "Vitzo", "target": null }, { "id": "Babar", "display_name": "Babar", "target": null }, { "id": "Qbot", "display_name": "Qbot", "target": null }, { "id": "WannaCry Kill Switch", "display_name": "WannaCry Kill Switch", "target": null } ], "attack_ids": [ { "id": "T1027", "name": "Obfuscated Files or Information", "display_name": "T1027 - Obfuscated Files or Information" }, { "id": "T1140", "name": "Deobfuscate/Decode Files or Information", "display_name": "T1140 - Deobfuscate/Decode Files or Information" }, { "id": "T1041", "name": "Exfiltration Over C2 Channel", "display_name": "T1041 - Exfiltration Over C2 Channel" }, { "id": "T1059", "name": "Command and Scripting Interpreter", "display_name": "T1059 - Command and Scripting Interpreter" }, { "id": "T1071", "name": "Application Layer Protocol", "display_name": "T1071 - Application Layer Protocol" }, { "id": "T1105", "name": "Ingress Tool Transfer", "display_name": "T1105 - Ingress Tool Transfer" }, { "id": "T1114", "name": "Email Collection", "display_name": "T1114 - Email Collection" }, { "id": "T1497", "name": "Virtualization/Sandbox Evasion", "display_name": "T1497 - Virtualization/Sandbox Evasion" }, { "id": "T1012", "name": "Query Registry", "display_name": "T1012 - Query Registry" }, { "id": "T1043", "name": "Commonly Used Port", "display_name": "T1043 - Commonly Used Port" }, { "id": "T1055", "name": "Process Injection", "display_name": "T1055 - Process Injection" }, { "id": "T1056", "name": "Input Capture", "display_name": "T1056 - Input Capture" }, { "id": "T1068", "name": "Exploitation for Privilege Escalation", "display_name": "T1068 - Exploitation for Privilege Escalation" }, { "id": "T1112", "name": "Modify Registry", "display_name": "T1112 - Modify Registry" }, { "id": "T1176", "name": "Browser Extensions", "display_name": "T1176 - Browser Extensions" }, { "id": "T1179", "name": "Hooking", "display_name": "T1179 - Hooking" }, { "id": "T1449", "name": "Exploit SS7 to Redirect Phone Calls/SMS", "display_name": "T1449 - Exploit SS7 to Redirect Phone Calls/SMS" }, { "id": "T1496", "name": "Resource Hijacking", "display_name": "T1496 - Resource Hijacking" }, { "id": "T1583", "name": "Acquire Infrastructure", "display_name": "T1583 - Acquire Infrastructure" }, { "id": "T1100", "name": "Web Shell", "display_name": "T1100 - Web Shell" }, { "id": "T1560", "name": "Archive Collected Data", "display_name": "T1560 - Archive Collected Data" } ], "industries": [ "Health" ], "TLP": "white", "cloned_from": "657c03432f4f2997c7d3aff4", "export_count": 508, "upvotes_count": 0, "downvotes_count": 0, "votes_count": 0, "locked": false, "pulse_source": "web", "validator_count": 0, "comment_count": 0, "follower_count": 0, "vote": 0, "author": { "username": "scoreblue", "id": "254100", "avatar_url": "/otxapi/users/avatar_image/media/avatars/user_254100/resized/80/avatar_3b9c358f36.png", "is_subscribed": false, "is_following": false }, "indicator_type_counts": { "domain": 2001, "hostname": 3531, "URL": 7519, "FileHash-MD5": 2851, "FileHash-SHA1": 1622, "FileHash-SHA256": 5092, "CVE": 24, "email": 9, "CIDR": 4 }, "indicator_count": 22653, "is_author": false, "is_subscribing": null, "subscriber_count": 230, "modified_text": "828 days ago ", "is_modified": true, "groups": [], "in_group": false, "threat_hunter_scannable": true, "threat_hunter_has_agents": 1, "related_indicator_type": "domain", "related_indicator_is_active": 1 }, { "id": "657c03432f4f2997c7d3aff4", "name": "CryptInject \u2022 Inmortal \u2022 Invoke-Mimikatz \u2022 WannaCry Kill Switch", "description": "", "modified": "2024-01-13T06:01:05.467000", "created": "2023-12-15T07:41:55.972000", "tags": [ "ssl certificate", "whois record", "contacted", "historical ssl", "communicating", "referrer", "execution", "tsara brashears", "highly targeted", "njrat", "ransomware", "heodo", "tag count", "thu aug", "threat report", "ip summary", "url summary", "summary", "sample", "samples", "detection list", "malicious url", "blacklist https", "united", "firehol", "maltiverse", "cyber threat", "control server", "host", "phishing", "engineering", "paypal", "download", "malware", "nanocore rat", "meterpreter", "pony", "facebook", "stealer", "redline stealer", "dnspionage", "mirai", "nanocore", "bradesco", "emotet", "cobalt strike", "bank", "zeus", "zbot", "suppobox", "generic", "site", "cisco umbrella", "alexa top", "million", "reverse dns", "general full", "url https", "resource", "protocol h2", "security tls", "software", "get h2", "hash", "main", "search live", "api blog", "docs pricing", "december", "hall render", "advisory", "brochure url", "link url", "linkedin link", "facebook link", "value", "login", "variables", "modernizr", "lsmeta function", "lsoldgsqueue", "de indicators", "domains", "hashes", "copyright", "gmbh version", "no data", "tld count", "urls", "count blacklist", "heur", "html", "site top", "malicious site", "malware site", "riskware", "exploit", "win64", "unsafe", "genkryptik", "artemis", "opencandy", "agent", "dropper", "fakealert", "acint", "nircmd", "swrort", "downldr", "systweak", "behav", "crack", "tiggre", "presenoker", "filetour", "cleaner", "conduit", "wacatac", "mimikatz", "redirector", "deepscan", "iframe", "memscan", "suspicious", "magazine", "applicunwnt", "alexa", "phish", "win32.pdf.alien", "freemake", "webtoolbar", "trojanspy", "label", "input", "form", "button", "render", "articles", "column", "brian", "search", "contact", "span", "accept", "this", "close", "district", "ultimate", "ip address", "blacklist", "covid19", "phishing chase", "windows nt", "khtml", "gecko", "veryhigh", "aes256gcm", "digicert global", "g2 tls", "rsa sha256", "bypass", "formbook", "generic malware", "cutwail", "safe site", "phishing site", "team", "tofsee", "azorult", "service", "runescape", "remcos", "malicious", "miner", "hacktool", "agenttesla", "unknown", "downloader", "trojan", "detplock", "networm", "cryptinject", "beach research", "rms", "redline", "brian sabey", "hallrender.com", "hallrender.com/attorney/brian-sabey", "tulach", "tulach.cc", "mo.gov", "safebae.org", "civicalg.com", "civicalg", "passive dns", "domain", "registrar", "scan endpoints", "all octoseek", "hostname", "pulse pulses", "date", "next", "computer", "company limited", "first", "utc submissions", "submitters", "gti9158", "gti9080l", "gti9128v", "summary iocs", "graph community", "namecheap inc", "cloudflare", "com laude", "ltd dba", "porkbun llc", "ii llc", "csc corporate", "amazon02", "google", "cloudflarenet", "akamaias", "innova co", "indonesia", "level3", "china telecom", "mb setup", "mb opera", "mb qimage", "mb iesettings", "mb super", "optimizer", "premium", "pattern match", "file", "ascii text", "indicator", "jpeg image", "et tor", "known tor", "misc attack", "relayrouter", "general", "hybrid", "local", "click", "strings", "class", "generator", "critical", "error", "traffic", "tor known", "exit", "node tcp", "tor relayrouter", "spammer", "tor exit", "threats et", "node udp", "adware", "quasar rat", "installpack", "xrat", "fusioncore", "union", "raccoon", "metastealer", "xtrat", "blacklist http", "url http", "hijacking", "information", "report spam", "attorney", "trojanx", "zpevdo", "vidar", "agent tesla", "nymaim", "virut", "occamy", "iobit", "sality", "all search", "otx octoseek", "author avatar", "role title", "added active", "related pulses", "entries", "indicator role", "title added", "active related", "pulses url", "pulses", "ipv4", "expiration", "no expiration", "iocs", "create new", "site safe", "lovgate", "unruy", "patcher", "nsis", "installcore", "adload", "cve201711882", "sonbokli", "ubot", "hsbc", "uztuby", "malicious host", "microsoft", "psexec", "brontok", "startpage", "keygen", "fareit", "secrisk", "floxif", "threat roundup", "c2 raccoon", "march", "critical risk", "apple phone", "unlocker", "installer", "laplasclipper", "blister", "june", "name verdict", "falcon sandbox", "malware generic", "tue dec", "temp", "mitre att", "ck id", "show technique", "ck matrix", "twitter", "seraph", "bazaloader", "media", "security", "technology", "dns replication", "virustotal", "win32 exe", "files", "detections type", "name", "notepad", "java", "update checker", "verisign", "server", "asia pacific", "data", "whois database", "registrar abuse", "apnic whois", "apnic", "icann whois", "nanjing", "cnnic", "hackers", "virus network", "relacionada", "cyberstalking", "excel", "macros sneaky", "unauthorized", "wannacry kill", "attack", "core", "qakbot", "lumma stealer", "ransomexx", "quasar", "metro", "copy", "project", "cnc server", "proxy", "ramnit", "cl0p", "inmortal", "noname057", "jul jan", "fri jun", "tag tag", "failed_code_integrity_checks", "python_initiated-connection", "powershell_create_scheduled", "creation_of_an_executable_by_an_executable", "botnetwork", "c2", "apple hacking", "government relations", "abuse", "download csv", "json ip", "linkid252669", "adwaresig", "suspected", "filerepmalware", "dapato", "predator", "fakeinstaller", "spyrixkeylogger", "bitminer", "loadmoney", "mediaget", "softonic", "encpk", "qbot", "kraddare", "dllinject", "driverpack", "genpack", "offercore", "vitzo", "babar", "http response", "final url", "serving ip", "address", "status code", "body length", "b body", "sha256", "headers", "connection", "pragma", "team malware", "binder", "pykspa", "feodo", "mark", "bomb", "whois whois", "whois parent", "glupteba", "setup stub", "c2ae" ], "references": [ "https://hallrender.com/attorney/brian-sabey", "https://hybrid-analysis.com/sample/66a840a853476a7b66a1202d7f21b28e71b94912341dee123345e620f41fda9d/6571d012385f14f31d0191ad", "https://tracking.crazyegg.com/clock?t=1701949195114&tk=09a1de462eccb2ebc17a566aec5ed8b4&s=331938&p=%2Fattorney%2Fbrian-sabey%2F&u=502212&v=618f8e048086160d46ee09468f987c3211863abb&f=hallrender.com%2Fattorney%2Fbrian-sabey&ul=https%3A%2F%2Fwww.hallrender.com%2Fattorney%2Fbrian-sabey%2F ( tracking tsra Brashears,tracking, clock app)", "https://www.hallrender.com/attorney/brian-sabey/#breadcrumb", "192.124.249.53:80", "hallrender.com (Malware hosting DGA domain, malware hosting, social engineering , fraud services, threat hounds, cyber criminals, dangerous group)", "https://www.hallrender.com/service/antitrust/ ('t' process - targetsTsara Brashears)", "https://www.hallrender.com/professional/kathy-l-thurston/ (phishing)", "https://www.hallrender.com/wp-content/themes/Hall-Render/assets/js/minified/lazy_load-1.9.7-min.js?ver=3.0.1 (malware hosting)", "https://www.hallrender.com/wp-content/themes/Hall-Render/assets/js/minified/lazy_load-1.9.7-min.js?ver=3.0.1%27 (malware hosting)", "Other malicious Hall Render assets and attacks. This doesn't include evidence of physical, documented crimes against targets who may not know source)", "http://auditrage.top/Rossmaansywh/tb.php?wmtvjltu phishing and other cybercrime, serious cyber attacks)", "114.114.114.114. (auto populated IP descriptions: tulach, brian sabey, apple, law)", "rp.dudaran2.com [routerlogin.net to safebae.org]", "vortex-nlb-http2-fed-us-taut-purple.nr-data.net [Apple data, ransomed]", "https://1.1.1.1/login.html [login access to Brashears' Warp if applicable]", "https://www.assurant.com/?utm_source=email&utm_medium=email&utm_campaign=Mobile_Transactional_withad&utm_content=Deductible+Charge+Acknowledgement+PD-MB&utm_term=", "http://xd.x9.client.api.vpngate2.jp/api/?session_id=1773986324675443378", "https://poemhunter.com/tsara-brashears/", "https://pin.it/ [Tsara Brashears Lesbian (libel) Botnetwork, libel]", "http://45.159.189.105/bot/regex ( Laplas clipper, Password stealer. Tracks Tsara Brashears, devices, location, , behavior. Obsessive targeting & social engineering)", "https://www.virustotal.com/graph/g682ab72ed7b14bc68948e2dbfc22be8f7b2a00a339eb490083e18dc764a618dd", "government.westlaw.com", "web2.westlaw.com (Malicious: Only targets Tsara Brashears & safebae.org/cyber stalking now deceased Daisy Coleman deceased, alleged suicide )", "safebae.org (Skynet) Was now deceased Daisy Coleman a real person or actress in Audrey & Daisy? Tragic", "west-sca.duckdns.org", "us-west-2.es.amazonaws.com (pslicorp)", "hero9780.duckdns.org ( government.westlaw.com/house of mo)", "https://www.hallrender.com/2018/12/13/nationwide-emailed-bomb-threats-are-new-ransom-technique (target emailed bomb \"t\" threat, reported, dismissed)", "http://www.hallrender.com/resources/blog (Malware hosting, malvertizing URL/ targets Tsara Brashears)", "www.hallrender.com (malware hosting)", "https://www.milehighmedia.com/en/Charlie-Dean/pornstar/49512 (Mile High Media malvertizing relationship = subsidiary)", "https://www.milehighmedia.com/en/pornstar/milehighmedia/Justin-Hunt/51017", "www.dead-speak.com", "www42.jhonisdead.com", "alohatube.xyz (http://benjamin.xww.de/ porn malvertizing blame shift. Formerly property of Hall Render Brian Sabey)", "https://alohatube.xyz/search/tsara-brashears (Formerly Botnetwork malvertizing campaign targeting Tsara Brashears crime victim. Now http. Benjamin. xww )", "https://www.anyxxxtube.net/search-porn/tsara-brashears/ (Heavy malvertizing. Phishing m formerly named a Bot Network. )", "https://www.pornhub.com/gifs/search?search=tsara+lynn+brashears+lesbian ( tagging, malware campaign, Apple iOS password cracker, libel, straight female)", "www.pornhub.com (Targets Tsara Brashears. Pornography malvertizing, tagging)", "poemhunter.com (Blacklisted.Target Tsara Brashears with relentless malvertizing attacks including, device hacking)", "fakecelebporno.com", "batchcourtexpressservicesqa.westlaw.com", "batchpublicrecords.westlaw.com", "apple-aqo.com (1 DNSPod.net)", "http://init.ess.apple.com/WebObjects/VCInit.woa/wa/getBag?ix=4 (Apple access hacktool \u2192init.ess.apple.com/Web0)", "c.oooooooooo.ga (c.apple.com cdn)", "https://www.anyxxxtube.net/media/favicon/apple", "init.ess.apple.com ( Code Script \u2022 MortalK)", "34bc869d2906198362a4346373ce5b94 (bpbd.portal.ov.bd/npfblock/2021-jpg.", "https://wallpapers-nature.com/tsara-brashears/tse1-mm-bing-net (BitCoin Aussie)", "000002f1558a89f29984934d511289491032f9e96a249c12f2f6d42678264114 (Notepad.exe - python initiated connection)", "https://www.sweetheartvideo.com/tsara-brashears/ [Pin.It BotNet a Malicious Pinterest fraud service]", "https://www.hallrender.com/attorney/brian-sabey" ], "public": 1, "adversary": "M. Brian Sabey Hall Render Malicious & Dangerous Threat Actor", "targeted_countries": [], "malware_families": [ { "id": "Maltiverse", "display_name": "Maltiverse", "target": null }, { "id": "WIN32.PDF.Alien", "display_name": "WIN32.PDF.Alien", "target": null }, { "id": "Freemake", "display_name": "Freemake", "target": null }, { "id": "Redirector", "display_name": "Redirector", "target": null }, { "id": "Zbot", "display_name": "Zbot", "target": null }, { "id": "WebToolbar", "display_name": "WebToolbar", "target": null }, { "id": "Behav", "display_name": "Behav", "target": null }, { "id": "TrojanSpy", "display_name": "TrojanSpy", "target": null }, { "id": "Beach Research", "display_name": "Beach Research", "target": null }, { "id": "RMS", "display_name": "RMS", "target": null }, { "id": "RedLine", "display_name": "RedLine", "target": null }, { "id": "Tulach", "display_name": "Tulach", "target": null }, { "id": "WIN32.PDF.ALIEN", "display_name": "WIN32.PDF.ALIEN", "target": null }, { "id": "ZeuS", "display_name": "ZeuS", "target": null }, { "id": "SuppoBox", "display_name": "SuppoBox", "target": null }, { "id": "Trojan:Win32/Wacatac", "display_name": "Trojan:Win32/Wacatac", "target": "/malware/Trojan:Win32/Wacatac" }, { "id": "ALF:Trojan:Win32/FormBook", "display_name": "ALF:Trojan:Win32/FormBook", "target": null }, { "id": "Emotet", "display_name": "Emotet", "target": null }, { "id": "njRAT", "display_name": "njRAT", "target": null }, { "id": "Trojan:Win32/Tiggre", "display_name": "Trojan:Win32/Tiggre", "target": "/malware/Trojan:Win32/Tiggre" }, { "id": "Invoke-Mimikatz", "display_name": "Invoke-Mimikatz", "target": null }, { "id": "China Telecom", "display_name": "China Telecom", "target": null }, { "id": "Mirai", "display_name": "Mirai", "target": null }, { "id": "Sonbokli", "display_name": "Sonbokli", "target": null }, { "id": "Ubot", "display_name": "Ubot", "target": null }, { "id": "HSBC", "display_name": "HSBC", "target": null }, { "id": "Uztuby", "display_name": "Uztuby", "target": null }, { "id": "APNIC", "display_name": "APNIC", "target": null }, { "id": "Cl0p", "display_name": "Cl0p", "target": null }, { "id": "Inmortal", "display_name": "Inmortal", "target": null }, { "id": "Domains", "display_name": "Domains", "target": null }, { "id": "Vitzo", "display_name": "Vitzo", "target": null }, { "id": "Babar", "display_name": "Babar", "target": null }, { "id": "Qbot", "display_name": "Qbot", "target": null }, { "id": "WannaCry Kill Switch", "display_name": "WannaCry Kill Switch", "target": null } ], "attack_ids": [ { "id": "T1027", "name": "Obfuscated Files or Information", "display_name": "T1027 - Obfuscated Files or Information" }, { "id": "T1140", "name": "Deobfuscate/Decode Files or Information", "display_name": "T1140 - Deobfuscate/Decode Files or Information" }, { "id": "T1041", "name": "Exfiltration Over C2 Channel", "display_name": "T1041 - Exfiltration Over C2 Channel" }, { "id": "T1059", "name": "Command and Scripting Interpreter", "display_name": "T1059 - Command and Scripting Interpreter" }, { "id": "T1071", "name": "Application Layer Protocol", "display_name": "T1071 - Application Layer Protocol" }, { "id": "T1105", "name": "Ingress Tool Transfer", "display_name": "T1105 - Ingress Tool Transfer" }, { "id": "T1114", "name": "Email Collection", "display_name": "T1114 - Email Collection" }, { "id": "T1497", "name": "Virtualization/Sandbox Evasion", "display_name": "T1497 - Virtualization/Sandbox Evasion" }, { "id": "T1012", "name": "Query Registry", "display_name": "T1012 - Query Registry" }, { "id": "T1043", "name": "Commonly Used Port", "display_name": "T1043 - Commonly Used Port" }, { "id": "T1055", "name": "Process Injection", "display_name": "T1055 - Process Injection" }, { "id": "T1056", "name": "Input Capture", "display_name": "T1056 - Input Capture" }, { "id": "T1068", "name": "Exploitation for Privilege Escalation", "display_name": "T1068 - Exploitation for Privilege Escalation" }, { "id": "T1112", "name": "Modify Registry", "display_name": "T1112 - Modify Registry" }, { "id": "T1176", "name": "Browser Extensions", "display_name": "T1176 - Browser Extensions" }, { "id": "T1179", "name": "Hooking", "display_name": "T1179 - Hooking" }, { "id": "T1449", "name": "Exploit SS7 to Redirect Phone Calls/SMS", "display_name": "T1449 - Exploit SS7 to Redirect Phone Calls/SMS" }, { "id": "T1496", "name": "Resource Hijacking", "display_name": "T1496 - Resource Hijacking" }, { "id": "T1583", "name": "Acquire Infrastructure", "display_name": "T1583 - Acquire Infrastructure" }, { "id": "T1100", "name": "Web Shell", "display_name": "T1100 - Web Shell" }, { "id": "T1560", "name": "Archive Collected Data", "display_name": "T1560 - Archive Collected Data" } ], "industries": [ "Health" ], "TLP": "white", "cloned_from": "657ab025b97f20f31bbfcd70", "export_count": 508, "upvotes_count": 0, "downvotes_count": 0, "votes_count": 0, "locked": false, "pulse_source": "web", "validator_count": 0, "comment_count": 0, "follower_count": 0, "vote": 0, "author": { "username": "scoreblue", "id": "254100", "avatar_url": "/otxapi/users/avatar_image/media/avatars/user_254100/resized/80/avatar_3b9c358f36.png", "is_subscribed": false, "is_following": false }, "indicator_type_counts": { "domain": 2001, "hostname": 3531, "URL": 7519, "FileHash-MD5": 2851, "FileHash-SHA1": 1622, "FileHash-SHA256": 5092, "CVE": 24, "email": 9, "CIDR": 4 }, "indicator_count": 22653, "is_author": false, "is_subscribing": null, "subscriber_count": 230, "modified_text": "828 days ago ", "is_modified": true, "groups": [], "in_group": false, "threat_hunter_scannable": true, "threat_hunter_has_agents": 1, "related_indicator_type": "domain", "related_indicator_is_active": 1 }, { "id": "657ab025b97f20f31bbfcd70", "name": "CryptInject \u2022 Inmortal \u2022 Invoke-Mimikatz \u2022 WannaCry Kill Switch", "description": "Alleged attorney defending Jeffrey Scott Reimer DPT. Firm uses every possible tool to destroy, make life unbearable, threaten and cause harm to targets. I don't feel safe. I hope this research helps the next target.\n\nMissouri government is seen throughout. The corruption is mafia deep. There is tracking. In person stalking, theft, identity theft, mail theft, modification of records and services, legitimate death threats,etc.\nOpen records act: Target has made multiple reports to authorities regarding physical assaults, threats, phone hacking, etc. OCA: Reports show a settlement was paid by Brian Sabey in part to help Tsara Brashears discover hacker.\nI've been receiving death threats, followed, property accessed, tampering. Attacking entire family including her children, father and beyond.", "modified": "2024-01-13T06:01:05.467000", "created": "2023-12-14T07:35:01.537000", "tags": [ "ssl certificate", "whois record", "contacted", "historical ssl", "communicating", "referrer", "execution", "tsara brashears", "highly targeted", "njrat", "ransomware", "heodo", "tag count", "thu aug", "threat report", "ip summary", "url summary", "summary", "sample", "samples", "detection list", "malicious url", "blacklist https", "united", "firehol", "maltiverse", "cyber threat", "control server", "host", "phishing", "engineering", "paypal", "download", "malware", "nanocore rat", "meterpreter", "pony", "facebook", "stealer", "redline stealer", "dnspionage", "mirai", "nanocore", "bradesco", "emotet", "cobalt strike", "bank", "zeus", "zbot", "suppobox", "generic", "site", "cisco umbrella", "alexa top", "million", "reverse dns", "general full", "url https", "resource", "protocol h2", "security tls", "software", "get h2", "hash", "main", "search live", "api blog", "docs pricing", "december", "hall render", "advisory", "brochure url", "link url", "linkedin link", "facebook link", "value", "login", "variables", "modernizr", "lsmeta function", "lsoldgsqueue", "de indicators", "domains", "hashes", "copyright", "gmbh version", "no data", "tld count", "urls", "count blacklist", "heur", "html", "site top", "malicious site", "malware site", "riskware", "exploit", "win64", "unsafe", "genkryptik", "artemis", "opencandy", "agent", "dropper", "fakealert", "acint", "nircmd", "swrort", "downldr", "systweak", "behav", "crack", "tiggre", "presenoker", "filetour", "cleaner", "conduit", "wacatac", "mimikatz", "redirector", "deepscan", "iframe", "memscan", "suspicious", "magazine", "applicunwnt", "alexa", "phish", "win32.pdf.alien", "freemake", "webtoolbar", "trojanspy", "label", "input", "form", "button", "render", "articles", "column", "brian", "search", "contact", "span", "accept", "this", "close", "district", "ultimate", "ip address", "blacklist", "covid19", "phishing chase", "windows nt", "khtml", "gecko", "veryhigh", "aes256gcm", "digicert global", "g2 tls", "rsa sha256", "bypass", "formbook", "generic malware", "cutwail", "safe site", "phishing site", "team", "tofsee", "azorult", "service", "runescape", "remcos", "malicious", "miner", "hacktool", "agenttesla", "unknown", "downloader", "trojan", "detplock", "networm", "cryptinject", "beach research", "rms", "redline", "brian sabey", "hallrender.com", "hallrender.com/attorney/brian-sabey", "tulach", "tulach.cc", "mo.gov", "safebae.org", "civicalg.com", "civicalg", "passive dns", "domain", "registrar", "scan endpoints", "all octoseek", "hostname", "pulse pulses", "date", "next", "computer", "company limited", "first", "utc submissions", "submitters", "gti9158", "gti9080l", "gti9128v", "summary iocs", "graph community", "namecheap inc", "cloudflare", "com laude", "ltd dba", "porkbun llc", "ii llc", "csc corporate", "amazon02", "google", "cloudflarenet", "akamaias", "innova co", "indonesia", "level3", "china telecom", "mb setup", "mb opera", "mb qimage", "mb iesettings", "mb super", "optimizer", "premium", "pattern match", "file", "ascii text", "indicator", "jpeg image", "et tor", "known tor", "misc attack", "relayrouter", "general", "hybrid", "local", "click", "strings", "class", "generator", "critical", "error", "traffic", "tor known", "exit", "node tcp", "tor relayrouter", "spammer", "tor exit", "threats et", "node udp", "adware", "quasar rat", "installpack", "xrat", "fusioncore", "union", "raccoon", "metastealer", "xtrat", "blacklist http", "url http", "hijacking", "information", "report spam", "attorney", "trojanx", "zpevdo", "vidar", "agent tesla", "nymaim", "virut", "occamy", "iobit", "sality", "all search", "otx octoseek", "author avatar", "role title", "added active", "related pulses", "entries", "indicator role", "title added", "active related", "pulses url", "pulses", "ipv4", "expiration", "no expiration", "iocs", "create new", "site safe", "lovgate", "unruy", "patcher", "nsis", "installcore", "adload", "cve201711882", "sonbokli", "ubot", "hsbc", "uztuby", "malicious host", "microsoft", "psexec", "brontok", "startpage", "keygen", "fareit", "secrisk", "floxif", "threat roundup", "c2 raccoon", "march", "critical risk", "apple phone", "unlocker", "installer", "laplasclipper", "blister", "june", "name verdict", "falcon sandbox", "malware generic", "tue dec", "temp", "mitre att", "ck id", "show technique", "ck matrix", "twitter", "seraph", "bazaloader", "media", "security", "technology", "dns replication", "virustotal", "win32 exe", "files", "detections type", "name", "notepad", "java", "update checker", "verisign", "server", "asia pacific", "data", "whois database", "registrar abuse", "apnic whois", "apnic", "icann whois", "nanjing", "cnnic", "hackers", "virus network", "relacionada", "cyberstalking", "excel", "macros sneaky", "unauthorized", "wannacry kill", "attack", "core", "qakbot", "lumma stealer", "ransomexx", "quasar", "metro", "copy", "project", "cnc server", "proxy", "ramnit", "cl0p", "inmortal", "noname057", "jul jan", "fri jun", "tag tag", "failed_code_integrity_checks", "python_initiated-connection", "powershell_create_scheduled", "creation_of_an_executable_by_an_executable", "botnetwork", "c2", "apple hacking", "government relations", "abuse", "download csv", "json ip", "linkid252669", "adwaresig", "suspected", "filerepmalware", "dapato", "predator", "fakeinstaller", "spyrixkeylogger", "bitminer", "loadmoney", "mediaget", "softonic", "encpk", "qbot", "kraddare", "dllinject", "driverpack", "genpack", "offercore", "vitzo", "babar", "http response", "final url", "serving ip", "address", "status code", "body length", "b body", "sha256", "headers", "connection", "pragma", "team malware", "binder", "pykspa", "feodo", "mark", "bomb", "whois whois", "whois parent", "glupteba", "setup stub", "c2ae" ], "references": [ "https://hallrender.com/attorney/brian-sabey", "https://hybrid-analysis.com/sample/66a840a853476a7b66a1202d7f21b28e71b94912341dee123345e620f41fda9d/6571d012385f14f31d0191ad", "https://tracking.crazyegg.com/clock?t=1701949195114&tk=09a1de462eccb2ebc17a566aec5ed8b4&s=331938&p=%2Fattorney%2Fbrian-sabey%2F&u=502212&v=618f8e048086160d46ee09468f987c3211863abb&f=hallrender.com%2Fattorney%2Fbrian-sabey&ul=https%3A%2F%2Fwww.hallrender.com%2Fattorney%2Fbrian-sabey%2F ( tracking tsra Brashears,tracking, clock app)", "https://www.hallrender.com/attorney/brian-sabey/#breadcrumb", "192.124.249.53:80", "hallrender.com (Malware hosting DGA domain, malware hosting, social engineering , fraud services, threat hounds, cyber criminals, dangerous group)", "https://www.hallrender.com/service/antitrust/ ('t' process - targetsTsara Brashears)", "https://www.hallrender.com/professional/kathy-l-thurston/ (phishing)", "https://www.hallrender.com/wp-content/themes/Hall-Render/assets/js/minified/lazy_load-1.9.7-min.js?ver=3.0.1 (malware hosting)", "https://www.hallrender.com/wp-content/themes/Hall-Render/assets/js/minified/lazy_load-1.9.7-min.js?ver=3.0.1%27 (malware hosting)", "Other malicious Hall Render assets and attacks. This doesn't include evidence of physical, documented crimes against targets who may not know source)", "http://auditrage.top/Rossmaansywh/tb.php?wmtvjltu phishing and other cybercrime, serious cyber attacks)", "114.114.114.114. (auto populated IP descriptions: tulach, brian sabey, apple, law)", "rp.dudaran2.com [routerlogin.net to safebae.org]", "vortex-nlb-http2-fed-us-taut-purple.nr-data.net [Apple data, ransomed]", "https://1.1.1.1/login.html [login access to Brashears' Warp if applicable]", "https://www.assurant.com/?utm_source=email&utm_medium=email&utm_campaign=Mobile_Transactional_withad&utm_content=Deductible+Charge+Acknowledgement+PD-MB&utm_term=", "http://xd.x9.client.api.vpngate2.jp/api/?session_id=1773986324675443378", "https://poemhunter.com/tsara-brashears/", "https://pin.it/ [Tsara Brashears Lesbian (libel) Botnetwork, libel]", "http://45.159.189.105/bot/regex ( Laplas clipper, Password stealer. Tracks Tsara Brashears, devices, location, , behavior. Obsessive targeting & social engineering)", "https://www.virustotal.com/graph/g682ab72ed7b14bc68948e2dbfc22be8f7b2a00a339eb490083e18dc764a618dd", "government.westlaw.com", "web2.westlaw.com (Malicious: Only targets Tsara Brashears & safebae.org/cyber stalking now deceased Daisy Coleman deceased, alleged suicide )", "safebae.org (Skynet) Was now deceased Daisy Coleman a real person or actress in Audrey & Daisy? Tragic", "west-sca.duckdns.org", "us-west-2.es.amazonaws.com (pslicorp)", "hero9780.duckdns.org ( government.westlaw.com/house of mo)", "https://www.hallrender.com/2018/12/13/nationwide-emailed-bomb-threats-are-new-ransom-technique (target emailed bomb \"t\" threat, reported, dismissed)", "http://www.hallrender.com/resources/blog (Malware hosting, malvertizing URL/ targets Tsara Brashears)", "www.hallrender.com (malware hosting)", "https://www.milehighmedia.com/en/Charlie-Dean/pornstar/49512 (Mile High Media malvertizing relationship = subsidiary)", "https://www.milehighmedia.com/en/pornstar/milehighmedia/Justin-Hunt/51017", "www.dead-speak.com", "www42.jhonisdead.com", "alohatube.xyz (http://benjamin.xww.de/ porn malvertizing blame shift. Formerly property of Hall Render Brian Sabey)", "https://alohatube.xyz/search/tsara-brashears (Formerly Botnetwork malvertizing campaign targeting Tsara Brashears crime victim. Now http. Benjamin. xww )", "https://www.anyxxxtube.net/search-porn/tsara-brashears/ (Heavy malvertizing. Phishing m formerly named a Bot Network. )", "https://www.pornhub.com/gifs/search?search=tsara+lynn+brashears+lesbian ( tagging, malware campaign, Apple iOS password cracker, libel, straight female)", "www.pornhub.com (Targets Tsara Brashears. Pornography malvertizing, tagging)", "poemhunter.com (Blacklisted.Target Tsara Brashears with relentless malvertizing attacks including, device hacking)", "fakecelebporno.com", "batchcourtexpressservicesqa.westlaw.com", "batchpublicrecords.westlaw.com", "apple-aqo.com (1 DNSPod.net)", "http://init.ess.apple.com/WebObjects/VCInit.woa/wa/getBag?ix=4 (Apple access hacktool \u2192init.ess.apple.com/Web0)", "c.oooooooooo.ga (c.apple.com cdn)", "https://www.anyxxxtube.net/media/favicon/apple", "init.ess.apple.com ( Code Script \u2022 MortalK)", "34bc869d2906198362a4346373ce5b94 (bpbd.portal.ov.bd/npfblock/2021-jpg.", "https://wallpapers-nature.com/tsara-brashears/tse1-mm-bing-net (BitCoin Aussie)", "000002f1558a89f29984934d511289491032f9e96a249c12f2f6d42678264114 (Notepad.exe - python initiated connection)", "https://www.sweetheartvideo.com/tsara-brashears/ [Pin.It BotNet a Malicious Pinterest fraud service]", "https://www.hallrender.com/attorney/brian-sabey" ], "public": 1, "adversary": "M. Brian Sabey Hall Render Malicious & Dangerous Threat Actor", "targeted_countries": [], "malware_families": [ { "id": "Maltiverse", "display_name": "Maltiverse", "target": null }, { "id": "WIN32.PDF.Alien", "display_name": "WIN32.PDF.Alien", "target": null }, { "id": "Freemake", "display_name": "Freemake", "target": null }, { "id": "Redirector", "display_name": "Redirector", "target": null }, { "id": "Zbot", "display_name": "Zbot", "target": null }, { "id": "WebToolbar", "display_name": "WebToolbar", "target": null }, { "id": "Behav", "display_name": "Behav", "target": null }, { "id": "TrojanSpy", "display_name": "TrojanSpy", "target": null }, { "id": "Beach Research", "display_name": "Beach Research", "target": null }, { "id": "RMS", "display_name": "RMS", "target": null }, { "id": "RedLine", "display_name": "RedLine", "target": null }, { "id": "Tulach", "display_name": "Tulach", "target": null }, { "id": "WIN32.PDF.ALIEN", "display_name": "WIN32.PDF.ALIEN", "target": null }, { "id": "ZeuS", "display_name": "ZeuS", "target": null }, { "id": "SuppoBox", "display_name": "SuppoBox", "target": null }, { "id": "Trojan:Win32/Wacatac", "display_name": "Trojan:Win32/Wacatac", "target": "/malware/Trojan:Win32/Wacatac" }, { "id": "ALF:Trojan:Win32/FormBook", "display_name": "ALF:Trojan:Win32/FormBook", "target": null }, { "id": "Emotet", "display_name": "Emotet", "target": null }, { "id": "njRAT", "display_name": "njRAT", "target": null }, { "id": "Trojan:Win32/Tiggre", "display_name": "Trojan:Win32/Tiggre", "target": "/malware/Trojan:Win32/Tiggre" }, { "id": "Invoke-Mimikatz", "display_name": "Invoke-Mimikatz", "target": null }, { "id": "China Telecom", "display_name": "China Telecom", "target": null }, { "id": "Mirai", "display_name": "Mirai", "target": null }, { "id": "Sonbokli", "display_name": "Sonbokli", "target": null }, { "id": "Ubot", "display_name": "Ubot", "target": null }, { "id": "HSBC", "display_name": "HSBC", "target": null }, { "id": "Uztuby", "display_name": "Uztuby", "target": null }, { "id": "APNIC", "display_name": "APNIC", "target": null }, { "id": "Cl0p", "display_name": "Cl0p", "target": null }, { "id": "Inmortal", "display_name": "Inmortal", "target": null }, { "id": "Domains", "display_name": "Domains", "target": null }, { "id": "Vitzo", "display_name": "Vitzo", "target": null }, { "id": "Babar", "display_name": "Babar", "target": null }, { "id": "Qbot", "display_name": "Qbot", "target": null }, { "id": "WannaCry Kill Switch", "display_name": "WannaCry Kill Switch", "target": null } ], "attack_ids": [ { "id": "T1027", "name": "Obfuscated Files or Information", "display_name": "T1027 - Obfuscated Files or Information" }, { "id": "T1140", "name": "Deobfuscate/Decode Files or Information", "display_name": "T1140 - Deobfuscate/Decode Files or Information" }, { "id": "T1041", "name": "Exfiltration Over C2 Channel", "display_name": "T1041 - Exfiltration Over C2 Channel" }, { "id": "T1059", "name": "Command and Scripting Interpreter", "display_name": "T1059 - Command and Scripting Interpreter" }, { "id": "T1071", "name": "Application Layer Protocol", "display_name": "T1071 - Application Layer Protocol" }, { "id": "T1105", "name": "Ingress Tool Transfer", "display_name": "T1105 - Ingress Tool Transfer" }, { "id": "T1114", "name": "Email Collection", "display_name": "T1114 - Email Collection" }, { "id": "T1497", "name": "Virtualization/Sandbox Evasion", "display_name": "T1497 - Virtualization/Sandbox Evasion" }, { "id": "T1012", "name": "Query Registry", "display_name": "T1012 - Query Registry" }, { "id": "T1043", "name": "Commonly Used Port", "display_name": "T1043 - Commonly Used Port" }, { "id": "T1055", "name": "Process Injection", "display_name": "T1055 - Process Injection" }, { "id": "T1056", "name": "Input Capture", "display_name": "T1056 - Input Capture" }, { "id": "T1068", "name": "Exploitation for Privilege Escalation", "display_name": "T1068 - Exploitation for Privilege Escalation" }, { "id": "T1112", "name": "Modify Registry", "display_name": "T1112 - Modify Registry" }, { "id": "T1176", "name": "Browser Extensions", "display_name": "T1176 - Browser Extensions" }, { "id": "T1179", "name": "Hooking", "display_name": "T1179 - Hooking" }, { "id": "T1449", "name": "Exploit SS7 to Redirect Phone Calls/SMS", "display_name": "T1449 - Exploit SS7 to Redirect Phone Calls/SMS" }, { "id": "T1496", "name": "Resource Hijacking", "display_name": "T1496 - Resource Hijacking" }, { "id": "T1583", "name": "Acquire Infrastructure", "display_name": "T1583 - Acquire Infrastructure" }, { "id": "T1100", "name": "Web Shell", "display_name": "T1100 - Web Shell" }, { "id": "T1560", "name": "Archive Collected Data", "display_name": "T1560 - Archive Collected Data" } ], "industries": [ "Health" ], "TLP": "white", "cloned_from": null, "export_count": 512, "upvotes_count": 0, "downvotes_count": 0, "votes_count": 0, "locked": false, "pulse_source": "web", "validator_count": 0, "comment_count": 0, "follower_count": 0, "vote": 0, "author": { "username": "OctoSeek", "id": "243548", "avatar_url": "/otxapi/users/avatar_image/media/avatars/user_243548/resized/80/avatar_3b9c358f36.png", "is_subscribed": false, "is_following": false }, "indicator_type_counts": { "domain": 2001, "hostname": 3531, "URL": 7519, "FileHash-MD5": 2851, "FileHash-SHA1": 1622, "FileHash-SHA256": 5092, "CVE": 24, "email": 9, "CIDR": 4 }, "indicator_count": 22653, "is_author": false, "is_subscribing": null, "subscriber_count": 229, "modified_text": "828 days ago ", "is_modified": true, "groups": [], "in_group": false, "threat_hunter_scannable": true, "threat_hunter_has_agents": 1, "related_indicator_type": "domain", "related_indicator_is_active": 1 }, { "id": "657aaff046e2083b423a39e2", "name": "Inmortal Invoke-Mimikatz", "description": "Attorney defending Jeffrey Scott Reimer DPT. Firm uses every possible tool to destroy, make life uncomfortable, threaten and cause harm to targets.\nPossible masquerading / DBA as attorney with such illegal behavior.\nMay have been hired to harass and...she is reported dead of suicide morning after reporting harassment. Missouri government is seen throughout as if hired by firm. If this is a true law firm , the corruption is mafia deep. \n\nI'm 24/7 followed. Hacked l, etc. \nVery expensive threat and deliver campaign. Verdict: Digital profile completely destroyed. Lives at risk.", "modified": "2024-01-12T04:02:22.872000", "created": "2023-12-14T07:34:08.701000", "tags": [ "ssl certificate", "whois record", "contacted", "historical ssl", "communicating", "referrer", "execution", "tsara brashears", "highly targeted", "njrat", "ransomware", "heodo", "tag count", "thu aug", "threat report", "ip summary", "url summary", "summary", "sample", "samples", "detection list", "malicious url", "blacklist https", "united", "firehol", "maltiverse", "cyber threat", "control server", "host", "phishing", "engineering", "paypal", "download", "malware", "nanocore rat", "meterpreter", "pony", "facebook", "stealer", "redline stealer", "dnspionage", "mirai", "nanocore", "bradesco", "emotet", "cobalt strike", "bank", "zeus", "zbot", "suppobox", "generic", "site", "cisco umbrella", "alexa top", "million", "reverse dns", "general full", "url https", "resource", "protocol h2", "security tls", "software", "get h2", "hash", "main", "search live", "api blog", "docs pricing", "december", "hall render", "advisory", "brochure url", "link url", "linkedin link", "facebook link", "value", "login", "variables", "modernizr", "lsmeta function", "lsoldgsqueue", "de indicators", "domains", "hashes", "copyright", "gmbh version", "no data", "tld count", "urls", "count blacklist", "heur", "html", "site top", "malicious site", "malware site", "riskware", "exploit", "win64", "unsafe", "genkryptik", "artemis", "opencandy", "agent", "dropper", "fakealert", "acint", "nircmd", "swrort", "downldr", "systweak", "behav", "crack", "tiggre", "presenoker", "filetour", "cleaner", "conduit", "wacatac", "mimikatz", "redirector", "deepscan", "iframe", "memscan", "suspicious", "magazine", "applicunwnt", "alexa", "phish", "win32.pdf.alien", "freemake", "webtoolbar", "trojanspy", "label", "input", "form", "button", "render", "articles", "column", "brian", "search", "contact", "span", "accept", "this", "close", "district", "ultimate", "ip address", "blacklist", "covid19", "phishing chase", "windows nt", "khtml", "gecko", "veryhigh", "aes256gcm", "digicert global", "g2 tls", "rsa sha256", "bypass", "formbook", "generic malware", "cutwail", "safe site", "phishing site", "team", "tofsee", "azorult", "service", "runescape", "remcos", "malicious", "miner", "hacktool", "agenttesla", "unknown", "downloader", "trojan", "detplock", "networm", "cryptinject", "beach research", "rms", "redline", "brian sabey", "hallrender.com", "hallrender.com/attorney/brian-sabey", "tulach", "tulach.cc", "mo.gov", "safebae.org", "civicalg.com", "civicalg", "passive dns", "domain", "registrar", "scan endpoints", "all octoseek", "hostname", "pulse pulses", "date", "next", "computer", "company limited", "first", "utc submissions", "submitters", "gti9158", "gti9080l", "gti9128v", "summary iocs", "graph community", "namecheap inc", "cloudflare", "com laude", "ltd dba", "porkbun llc", "ii llc", "csc corporate", "amazon02", "google", "cloudflarenet", "akamaias", "innova co", "indonesia", "level3", "china telecom", "mb setup", "mb opera", "mb qimage", "mb iesettings", "mb super", "optimizer", "premium", "pattern match", "file", "ascii text", "indicator", "jpeg image", "et tor", "known tor", "misc attack", "relayrouter", "general", "hybrid", "local", "click", "strings", "class", "generator", "critical", "error", "traffic", "tor known", "exit", "node tcp", "tor relayrouter", "spammer", "tor exit", "threats et", "node udp", "adware", "quasar rat", "installpack", "xrat", "fusioncore", "union", "raccoon", "metastealer", "xtrat", "blacklist http", "url http", "hijacking", "information", "report spam", "attorney", "trojanx", "zpevdo", "vidar", "agent tesla", "nymaim", "virut", "occamy", "iobit", "sality", "all search", "otx octoseek", "author avatar", "role title", "added active", "related pulses", "entries", "indicator role", "title added", "active related", "pulses url", "pulses", "ipv4", "expiration", "no expiration", "iocs", "create new", "site safe", "lovgate", "unruy", "patcher", "nsis", "installcore", "adload", "cve201711882", "sonbokli", "ubot", "hsbc", "uztuby", "malicious host", "microsoft", "psexec", "brontok", "startpage", "keygen", "fareit", "secrisk", "floxif", "threat roundup", "c2 raccoon", "march", "critical risk", "apple phone", "unlocker", "installer", "laplasclipper", "blister", "june", "name verdict", "falcon sandbox", "malware generic", "tue dec", "temp", "mitre att", "ck id", "show technique", "ck matrix", "twitter", "seraph", "bazaloader", "media", "security", "technology", "dns replication", "virustotal", "win32 exe", "files", "detections type", "name", "notepad", "java", "update checker", "verisign", "server", "asia pacific", "data", "whois database", "registrar abuse", "apnic whois", "apnic", "icann whois", "nanjing", "cnnic", "hackers", "virus network", "relacionada", "cyberstalking", "excel", "macros sneaky", "unauthorized", "wannacry kill", "attack", "core", "qakbot", "lumma stealer", "ransomexx", "quasar", "metro", "copy", "project", "cnc server", "proxy", "ramnit", "cl0p", "inmortal", "noname057", "jul jan", "fri jun", "tag tag", "failed_code_integrity_checks", "python_initiated-connection", "powershell_create_scheduled", "creation_of_an_executable_by_an_executable", "botnetwork", "c2", "apple hacking", "government relations", "abuse", "download csv", "json ip", "linkid252669", "adwaresig", "suspected", "filerepmalware", "dapato", "predator", "fakeinstaller", "spyrixkeylogger", "bitminer", "loadmoney", "mediaget", "softonic", "encpk", "qbot", "kraddare", "dllinject", "driverpack", "genpack", "offercore", "vitzo", "babar", "http response", "final url", "serving ip", "address", "status code", "body length", "b body", "sha256", "headers", "connection", "pragma", "team malware", "binder", "pykspa", "feodo", "mark", "bomb" ], "references": [ "https://hallrender.com/attorney/brian-sabey", "https://hybrid-analysis.com/sample/66a840a853476a7b66a1202d7f21b28e71b94912341dee123345e620f41fda9d/6571d012385f14f31d0191ad", "https://tracking.crazyegg.com/clock?t=1701949195114&tk=09a1de462eccb2ebc17a566aec5ed8b4&s=331938&p=%2Fattorney%2Fbrian-sabey%2F&u=502212&v=618f8e048086160d46ee09468f987c3211863abb&f=hallrender.com%2Fattorney%2Fbrian-sabey&ul=https%3A%2F%2Fwww.hallrender.com%2Fattorney%2Fbrian-sabey%2F ( tracking tsra Brashears,tracking, clock app)", "https://www.hallrender.com/attorney/brian-sabey/#breadcrumb", "192.124.249.53:80", "hallrender.com (Malware hosting DGA domain, malware hosting, social engineering , fraud services, threat hounds, cyber criminals, dangerous group)", "https://www.hallrender.com/service/antitrust/ ('t' process - targetsTsara Brashears)", "https://www.hallrender.com/professional/kathy-l-thurston/ (phishing)", "https://www.hallrender.com/wp-content/themes/Hall-Render/assets/js/minified/lazy_load-1.9.7-min.js?ver=3.0.1 (malware hosting)", "https://www.hallrender.com/wp-content/themes/Hall-Render/assets/js/minified/lazy_load-1.9.7-min.js?ver=3.0.1%27 (malware hosting)", "Other malicious Hall Render assets and attacks. This doesn't include evidence of physical, documented crimes against targets who may not know source)", "http://auditrage.top/Rossmaansywh/tb.php?wmtvjltu phishing and other cybercrime, serious cyber attacks)", "114.114.114.114. (auto populated IP descriptions: tulach, brian sabey, apple, law)", "rp.dudaran2.com [routerlogin.net to safebae.org]", "vortex-nlb-http2-fed-us-taut-purple.nr-data.net [Apple data, ransomed]", "https://1.1.1.1/login.html [login access to Brashears' Warp if applicable]", "https://www.assurant.com/?utm_source=email&utm_medium=email&utm_campaign=Mobile_Transactional_withad&utm_content=Deductible+Charge+Acknowledgement+PD-MB&utm_term=", "http://xd.x9.client.api.vpngate2.jp/api/?session_id=1773986324675443378", "https://poemhunter.com/tsara-brashears/", "https://pin.it/ [Tsara Brashears Lesbian (libel) Botnetwork, libel]", "http://45.159.189.105/bot/regex ( Laplas clipper, Password stealer. Tracks Tsara Brashears, devices, location, , behavior. Obsessive targeting & social engineering)", "https://www.virustotal.com/graph/g682ab72ed7b14bc68948e2dbfc22be8f7b2a00a339eb490083e18dc764a618dd", "government.westlaw.com", "web2.westlaw.com (Malicious: Only targets Tsara Brashears & safebae.org/cyber stalking now deceased Daisy Coleman deceased, alleged suicide )", "safebae.org (Skynet) Was now deceased Daisy Coleman a real person or actress in Audrey & Daisy? Tragic", "west-sca.duckdns.org", "us-west-2.es.amazonaws.com (pslicorp)", "hero9780.duckdns.org ( government.westlaw.com/house of mo)", "https://www.hallrender.com/2018/12/13/nationwide-emailed-bomb-threats-are-new-ransom-technique (target emailed bomb \"t\" threat, reported, dismissed)", "http://www.hallrender.com/resources/blog (Malware hosting, malvertizing URL/ targets Tsara Brashears)", "www.hallrender.com (malware hosting)", "https://www.milehighmedia.com/en/Charlie-Dean/pornstar/49512 (Mile High Media malvertizing relationship = subsidiary)", "https://www.milehighmedia.com/en/pornstar/milehighmedia/Justin-Hunt/51017", "www.dead-speak.com", "www42.jhonisdead.com", "alohatube.xyz (http://benjamin.xww.de/ porn malvertizing blame shift. Formerly property of Hall Render Brian Sabey)", "https://alohatube.xyz/search/tsara-brashears (Formerly Botnetwork malvertizing campaign targeting Tsara Brashears crime victim. Now http. Benjamin. xww )", "https://www.anyxxxtube.net/search-porn/tsara-brashears/ (Heavy malvertizing. Phishing m formerly named a Bot Network. )", "https://www.pornhub.com/gifs/search?search=tsara+lynn+brashears+lesbian ( tagging, malware campaign, Apple iOS password cracker, libel, straight female)", "www.pornhub.com (Targets Tsara Brashears. Pornography malvertizing, tagging)", "poemhunter.com (Blacklisted.Target Tsara Brashears with relentless malvertizing attacks including, device hacking)", "fakecelebporno.com", "batchcourtexpressservicesqa.westlaw.com", "batchpublicrecords.westlaw.com", "apple-aqo.com (1 DNSPod.net)", "http://init.ess.apple.com/WebObjects/VCInit.woa/wa/getBag?ix=4 (Apple access hacktool \u2192init.ess.apple.com/Web0)", "c.oooooooooo.ga (c.apple.com cdn)", "https://www.anyxxxtube.net/media/favicon/apple", "init.ess.apple.com ( Code Script \u2022 MortalK)", "34bc869d2906198362a4346373ce5b94 (bpbd.portal.ov.bd/npfblock/2021-jpg.", "https://wallpapers-nature.com/tsara-brashears/tse1-mm-bing-net (BitCoin Aussie)", "000002f1558a89f29984934d511289491032f9e96a249c12f2f6d42678264114 (Notepad.exe - python initiated connection)", "https://www.sweetheartvideo.com/tsara-brashears/ [Pin.It BotNet a Malicious Pinterest fraud service]", "https://www.hallrender.com/attorney/brian-sabey" ], "public": 1, "adversary": "M. Brian Sabey Hall Render Malicious & Dangerous Threat Actor", "targeted_countries": [], "malware_families": [ { "id": "Maltiverse", "display_name": "Maltiverse", "target": null }, { "id": "WIN32.PDF.Alien", "display_name": "WIN32.PDF.Alien", "target": null }, { "id": "Freemake", "display_name": "Freemake", "target": null }, { "id": "Redirector", "display_name": "Redirector", "target": null }, { "id": "Zbot", "display_name": "Zbot", "target": null }, { "id": "WebToolbar", "display_name": "WebToolbar", "target": null }, { "id": "Behav", "display_name": "Behav", "target": null }, { "id": "TrojanSpy", "display_name": "TrojanSpy", "target": null }, { "id": "Beach Research", "display_name": "Beach Research", "target": null }, { "id": "RMS", "display_name": "RMS", "target": null }, { "id": "RedLine", "display_name": "RedLine", "target": null }, { "id": "Tulach", "display_name": "Tulach", "target": null }, { "id": "WIN32.PDF.ALIEN", "display_name": "WIN32.PDF.ALIEN", "target": null }, { "id": "ZeuS", "display_name": "ZeuS", "target": null }, { "id": "SuppoBox", "display_name": "SuppoBox", "target": null }, { "id": "Trojan:Win32/Wacatac", "display_name": "Trojan:Win32/Wacatac", "target": "/malware/Trojan:Win32/Wacatac" }, { "id": "ALF:Trojan:Win32/FormBook", "display_name": "ALF:Trojan:Win32/FormBook", "target": null }, { "id": "Emotet", "display_name": "Emotet", "target": null }, { "id": "njRAT", "display_name": "njRAT", "target": null }, { "id": "Trojan:Win32/Tiggre", "display_name": "Trojan:Win32/Tiggre", "target": "/malware/Trojan:Win32/Tiggre" }, { "id": "Invoke-Mimikatz", "display_name": "Invoke-Mimikatz", "target": null }, { "id": "China Telecom", "display_name": "China Telecom", "target": null }, { "id": "Mirai", "display_name": "Mirai", "target": null }, { "id": "Sonbokli", "display_name": "Sonbokli", "target": null }, { "id": "Ubot", "display_name": "Ubot", "target": null }, { "id": "HSBC", "display_name": "HSBC", "target": null }, { "id": "Uztuby", "display_name": "Uztuby", "target": null }, { "id": "APNIC", "display_name": "APNIC", "target": null }, { "id": "Cl0p", "display_name": "Cl0p", "target": null }, { "id": "Inmortal", "display_name": "Inmortal", "target": null }, { "id": "Domains", "display_name": "Domains", "target": null }, { "id": "Vitzo", "display_name": "Vitzo", "target": null }, { "id": "Babar", "display_name": "Babar", "target": null }, { "id": "Qbot", "display_name": "Qbot", "target": null }, { "id": "WannaCry Kill Switch", "display_name": "WannaCry Kill Switch", "target": null } ], "attack_ids": [ { "id": "T1027", "name": "Obfuscated Files or Information", "display_name": "T1027 - Obfuscated Files or Information" }, { "id": "T1140", "name": "Deobfuscate/Decode Files or Information", "display_name": "T1140 - Deobfuscate/Decode Files or Information" }, { "id": "T1041", "name": "Exfiltration Over C2 Channel", "display_name": "T1041 - Exfiltration Over C2 Channel" }, { "id": "T1059", "name": "Command and Scripting Interpreter", "display_name": "T1059 - Command and Scripting Interpreter" }, { "id": "T1071", "name": "Application Layer Protocol", "display_name": "T1071 - Application Layer Protocol" }, { "id": "T1105", "name": "Ingress Tool Transfer", "display_name": "T1105 - Ingress Tool Transfer" }, { "id": "T1114", "name": "Email Collection", "display_name": "T1114 - Email Collection" }, { "id": "T1497", "name": "Virtualization/Sandbox Evasion", "display_name": "T1497 - Virtualization/Sandbox Evasion" }, { "id": "T1012", "name": "Query Registry", "display_name": "T1012 - Query Registry" }, { "id": "T1043", "name": "Commonly Used Port", "display_name": "T1043 - Commonly Used Port" }, { "id": "T1055", "name": "Process Injection", "display_name": "T1055 - Process Injection" }, { "id": "T1056", "name": "Input Capture", "display_name": "T1056 - Input Capture" }, { "id": "T1068", "name": "Exploitation for Privilege Escalation", "display_name": "T1068 - Exploitation for Privilege Escalation" }, { "id": "T1112", "name": "Modify Registry", "display_name": "T1112 - Modify Registry" }, { "id": "T1176", "name": "Browser Extensions", "display_name": "T1176 - Browser Extensions" }, { "id": "T1179", "name": "Hooking", "display_name": "T1179 - Hooking" }, { "id": "T1449", "name": "Exploit SS7 to Redirect Phone Calls/SMS", "display_name": "T1449 - Exploit SS7 to Redirect Phone Calls/SMS" }, { "id": "T1496", "name": "Resource Hijacking", "display_name": "T1496 - Resource Hijacking" }, { "id": "T1583", "name": "Acquire Infrastructure", "display_name": "T1583 - Acquire Infrastructure" }, { "id": "T1100", "name": "Web Shell", "display_name": "T1100 - Web Shell" }, { "id": "T1560", "name": "Archive Collected Data", "display_name": "T1560 - Archive Collected Data" } ], "industries": [ "Health" ], "TLP": "white", "cloned_from": null, "export_count": 438, "upvotes_count": 0, "downvotes_count": 0, "votes_count": 0, "locked": false, "pulse_source": "web", "validator_count": 0, "comment_count": 0, "follower_count": 0, "vote": 0, "author": { "username": "OctoSeek", "id": "243548", "avatar_url": "/otxapi/users/avatar_image/media/avatars/user_243548/resized/80/avatar_3b9c358f36.png", "is_subscribed": false, "is_following": false }, "indicator_type_counts": { "domain": 1995, "hostname": 3222, "URL": 7179, "FileHash-MD5": 2749, "FileHash-SHA1": 1538, "FileHash-SHA256": 4661, "CVE": 24, "email": 9, "CIDR": 4 }, "indicator_count": 21381, "is_author": false, "is_subscribing": null, "subscriber_count": 226, "modified_text": "829 days ago ", "is_modified": true, "groups": [], "in_group": false, "threat_hunter_scannable": true, "threat_hunter_has_agents": 1, "related_indicator_type": "domain", "related_indicator_is_active": 1 }, { "id": "654e469fbf2e1c732bbeb7a3", "name": "Imaging Center affected by WebToolbar \u2022 Critical C2 and Mitre Att", "description": "Critical - dpqhhab.exe\n216d5b6361d88c59cd0fb66c0ca94a27f6c1e0d592fc325b6d58929d4d5a1e76\n\nAllows bad actor to alter diagnosis without physician override or documentation of.", "modified": "2023-12-10T13:00:37.604000", "created": "2023-11-10T15:05:03.947000", "tags": [ "threat report", "ip summary", "url summary", "summary", "sample", "samples", "detection list", "blacklist", "cisco umbrella", "site", "heur", "alexa top", "safe site", "million", "malware", "malware site", "phishing site", "malicious site", "crack", "wacatac", "unsafe", "phishing", "xrat", "xtrat", "nircmd", "swrort", "iframe", "downldr", "installcore", "agent", "unruy", "filetour", "cleaner", "patcher", "adload", "win64", "artemis", "riskware", "genkryptik", "fuery", "alexa", "blacklist https", "united", "ip address", "presenoker", "opencandy", "exploit", "quasar rat", "mimikatz", "malicious", "applicunwnt", "acint", "systweak", "behav", "tiggre", "conduit", "trojanspy", "webtoolbar", "gc", "xfbml1", "pattern match", "file", "ascii text", "indicator", "windows nt", "script", "appdata", "mitre att", "date", "unknown", "error", "hybrid", "general", "local", "click", "facebook", "strings", "class", "generator", "critical", "ssl certificate", "whois record", "threat roundup", "october", "contacted", "january", "resolutions", "whois whois", "june", "communicating", "february" ], "references": [], "public": 1, "adversary": "", "targeted_countries": [ "United States of America" ], "malware_families": [ { "id": "TrojanSpy", "display_name": "TrojanSpy", "target": null }, { "id": "WebToolbar", "display_name": "WebToolbar", "target": null }, { "id": "Gc", "display_name": "Gc", "target": null } ], "attack_ids": [ { "id": "T1027", "name": "Obfuscated Files or Information", "display_name": "T1027 - Obfuscated Files or Information" }, { "id": "T1140", "name": "Deobfuscate/Decode Files or Information", "display_name": "T1140 - Deobfuscate/Decode Files or Information" }, { "id": "T1041", "name": "Exfiltration Over C2 Channel", "display_name": "T1041 - Exfiltration Over C2 Channel" }, { "id": "T1059", "name": "Command and Scripting Interpreter", "display_name": "T1059 - Command and Scripting Interpreter" }, { "id": "T1071", "name": "Application Layer Protocol", "display_name": "T1071 - Application Layer Protocol" }, { "id": "T1105", "name": "Ingress Tool Transfer", "display_name": "T1105 - Ingress Tool Transfer" }, { "id": "T1560", "name": "Archive Collected Data", "display_name": "T1560 - Archive Collected Data" }, { "id": "T1071.004", "name": "DNS", "display_name": "T1071.004 - DNS" }, { "id": "T1071.001", "name": "Web Protocols", "display_name": "T1071.001 - Web Protocols" } ], "industries": [], "TLP": "white", "cloned_from": null, "export_count": 40, "upvotes_count": 0, "downvotes_count": 0, "votes_count": 0, "locked": false, "pulse_source": "web", "validator_count": 0, "comment_count": 0, "follower_count": 0, "vote": 0, "author": { "username": "OctoSeek", "id": "243548", "avatar_url": "/otxapi/users/avatar_image/media/avatars/user_243548/resized/80/avatar_3b9c358f36.png", "is_subscribed": false, "is_following": false }, "indicator_type_counts": { "FileHash-MD5": 221, "FileHash-SHA1": 171, "FileHash-SHA256": 2904, "domain": 4834, "hostname": 1631, "CVE": 9, "URL": 5670 }, "indicator_count": 15440, "is_author": false, "is_subscribing": null, "subscriber_count": 220, "modified_text": "862 days ago ", "is_modified": true, "groups": [], "in_group": false, "threat_hunter_scannable": true, "threat_hunter_has_agents": 1, "related_indicator_type": "domain", "related_indicator_is_active": 1 }, { "id": "654e46130211d24d7f9ef311", "name": "Imaging Center affected by WebToolbar \u2022 Critical C2 and Mitre Att", "description": "Critical - dpqhhab.exe\n216d5b6361d88c59cd0fb66c0ca94a27f6c1e0d592fc325b6d58929d4d5a1e76", "modified": "2023-12-10T13:00:37.604000", "created": "2023-11-10T15:02:43.841000", "tags": [ "threat report", "ip summary", "url summary", "summary", "sample", "samples", "detection list", "blacklist", "cisco umbrella", "site", "heur", "alexa top", "safe site", "million", "malware", "malware site", "phishing site", "malicious site", "crack", "wacatac", "unsafe", "phishing", "xrat", "xtrat", "nircmd", "swrort", "iframe", "downldr", "installcore", "agent", "unruy", "filetour", "cleaner", "patcher", "adload", "win64", "artemis", "riskware", "genkryptik", "fuery", "alexa", "blacklist https", "united", "ip address", "presenoker", "opencandy", "exploit", "quasar rat", "mimikatz", "malicious", "applicunwnt", "acint", "systweak", "behav", "tiggre", "conduit", "trojanspy", "webtoolbar", "gc", "xfbml1", "pattern match", "file", "ascii text", "indicator", "windows nt", "script", "appdata", "mitre att", "date", "unknown", "error", "hybrid", "general", "local", "click", "facebook", "strings", "class", "generator", "critical", "ssl certificate", "whois record", "threat roundup", "october", "contacted", "january", "resolutions", "whois whois", "june", "communicating", "february" ], "references": [], "public": 1, "adversary": "", "targeted_countries": [ "United States of America" ], "malware_families": [ { "id": "TrojanSpy", "display_name": "TrojanSpy", "target": null }, { "id": "WebToolbar", "display_name": "WebToolbar", "target": null }, { "id": "Gc", "display_name": "Gc", "target": null } ], "attack_ids": [ { "id": "T1027", "name": "Obfuscated Files or Information", "display_name": "T1027 - Obfuscated Files or Information" }, { "id": "T1140", "name": "Deobfuscate/Decode Files or Information", "display_name": "T1140 - Deobfuscate/Decode Files or Information" }, { "id": "T1041", "name": "Exfiltration Over C2 Channel", "display_name": "T1041 - Exfiltration Over C2 Channel" }, { "id": "T1059", "name": "Command and Scripting Interpreter", "display_name": "T1059 - Command and Scripting Interpreter" }, { "id": "T1071", "name": "Application Layer Protocol", "display_name": "T1071 - Application Layer Protocol" }, { "id": "T1105", "name": "Ingress Tool Transfer", "display_name": "T1105 - Ingress Tool Transfer" }, { "id": "T1560", "name": "Archive Collected Data", "display_name": "T1560 - Archive Collected Data" }, { "id": "T1071.004", "name": "DNS", "display_name": "T1071.004 - DNS" }, { "id": "T1071.001", "name": "Web Protocols", "display_name": "T1071.001 - Web Protocols" } ], "industries": [], "TLP": "green", "cloned_from": null, "export_count": 41, "upvotes_count": 0, "downvotes_count": 0, "votes_count": 0, "locked": false, "pulse_source": "web", "validator_count": 0, "comment_count": 0, "follower_count": 0, "vote": 0, "author": { "username": "OctoSeek", "id": "243548", "avatar_url": "/otxapi/users/avatar_image/media/avatars/user_243548/resized/80/avatar_3b9c358f36.png", "is_subscribed": false, "is_following": false }, "indicator_type_counts": { "FileHash-MD5": 221, "FileHash-SHA1": 171, "FileHash-SHA256": 2904, "domain": 4834, "hostname": 1631, "CVE": 9, "URL": 5670 }, "indicator_count": 15440, "is_author": false, "is_subscribing": null, "subscriber_count": 220, "modified_text": "862 days ago ", "is_modified": true, "groups": [], "in_group": false, "threat_hunter_scannable": true, "threat_hunter_has_agents": 1, "related_indicator_type": "domain", "related_indicator_is_active": 1 }, { "id": "654e46078568d62bc323e093", "name": "Imaging Center affected by WebToolbar \u2022 Critical C2 and Mitre Att", "description": "Critical - dpqhhab.exe\n216d5b6361d88c59cd0fb66c0ca94a27f6c1e0d592fc325b6d58929d4d5a1e76", "modified": "2023-12-10T13:00:37.604000", "created": "2023-11-10T15:02:31.518000", "tags": [ "threat report", "ip summary", "url summary", "summary", "sample", "samples", "detection list", "blacklist", "cisco umbrella", "site", "heur", "alexa top", "safe site", "million", "malware", "malware site", "phishing site", "malicious site", "crack", "wacatac", "unsafe", "phishing", "xrat", "xtrat", "nircmd", "swrort", "iframe", "downldr", "installcore", "agent", "unruy", "filetour", "cleaner", "patcher", "adload", "win64", "artemis", "riskware", "genkryptik", "fuery", "alexa", "blacklist https", "united", "ip address", "presenoker", "opencandy", "exploit", "quasar rat", "mimikatz", "malicious", "applicunwnt", "acint", "systweak", "behav", "tiggre", "conduit", "trojanspy", "webtoolbar", "gc", "xfbml1", "pattern match", "file", "ascii text", "indicator", "windows nt", "script", "appdata", "mitre att", "date", "unknown", "error", "hybrid", "general", "local", "click", "facebook", "strings", "class", "generator", "critical", "ssl certificate", "whois record", "threat roundup", "october", "contacted", "january", "resolutions", "whois whois", "june", "communicating", "february" ], "references": [], "public": 1, "adversary": "", "targeted_countries": [ "United States of America" ], "malware_families": [ { "id": "TrojanSpy", "display_name": "TrojanSpy", "target": null }, { "id": "WebToolbar", "display_name": "WebToolbar", "target": null }, { "id": "Gc", "display_name": "Gc", "target": null } ], "attack_ids": [ { "id": "T1027", "name": "Obfuscated Files or Information", "display_name": "T1027 - Obfuscated Files or Information" }, { "id": "T1140", "name": "Deobfuscate/Decode Files or Information", "display_name": "T1140 - Deobfuscate/Decode Files or Information" }, { "id": "T1041", "name": "Exfiltration Over C2 Channel", "display_name": "T1041 - Exfiltration Over C2 Channel" }, { "id": "T1059", "name": "Command and Scripting Interpreter", "display_name": "T1059 - Command and Scripting Interpreter" }, { "id": "T1071", "name": "Application Layer Protocol", "display_name": "T1071 - Application Layer Protocol" }, { "id": "T1105", "name": "Ingress Tool Transfer", "display_name": "T1105 - Ingress Tool Transfer" }, { "id": "T1560", "name": "Archive Collected Data", "display_name": "T1560 - Archive Collected Data" }, { "id": "T1071.004", "name": "DNS", "display_name": "T1071.004 - DNS" }, { "id": "T1071.001", "name": "Web Protocols", "display_name": "T1071.001 - Web Protocols" } ], "industries": [], "TLP": "green", "cloned_from": null, "export_count": 41, "upvotes_count": 0, "downvotes_count": 0, "votes_count": 0, "locked": false, "pulse_source": "web", "validator_count": 0, "comment_count": 0, "follower_count": 0, "vote": 0, "author": { "username": "OctoSeek", "id": "243548", "avatar_url": "/otxapi/users/avatar_image/media/avatars/user_243548/resized/80/avatar_3b9c358f36.png", "is_subscribed": false, "is_following": false }, "indicator_type_counts": { "FileHash-MD5": 221, "FileHash-SHA1": 171, "FileHash-SHA256": 2904, "domain": 4834, "hostname": 1631, "CVE": 9, "URL": 5670 }, "indicator_count": 15440, "is_author": false, "is_subscribing": null, "subscriber_count": 220, "modified_text": "862 days ago ", "is_modified": true, "groups": [], "in_group": false, "threat_hunter_scannable": true, "threat_hunter_has_agents": 1, "related_indicator_type": "domain", "related_indicator_is_active": 1 }, { "id": "654971c396ca4306a6534b12", "name": "njRAT| BazarLoader| Daekside2020 .Beware \u2022 WebToolbar \u2022 Qbot", "description": "CNC, botnetwork, malware attacks, malvertizing, remote attacks, decryption, device stalking, ' has own property call command', illegal service interference, teen and adult content, cyber stalking, password cracking. Intimidation, harassment , threatening, libel , cybercrime hacking, defacement", "modified": "2023-12-06T21:03:06.189000", "created": "2023-11-06T23:07:46.880000", "tags": [ "whois record", "ssl certificate", "historical ssl", "resolutions", "referrer", "communicating", "subdomains", "domains", "problems", "urls http", "ransomware", "malware", "contacted", "dropped", "execution", "tsara brashears", "apple ios", "whois whois", "unlocker", "njrat", "core", "hacktool", "metro", "download", "critical", "copy", "relic", "monitoring", "installer", "awful", "open", "banker", "keylogger", "malicious", "tofsee", "mitre attack", "et", "cisco umbrella", "internet storm", "site", "covid19", "cyber threat", "safe site", "cobalt strike", "malicious url", "alexa", "script urls", "united", "a domains", "as396982 google", "as15169 google", "search", "cname", "accept encoding", "showing", "unknown", "date", "body", "meta", "encrypt", "domain related", "as396982", "creation date", "expiration date", "scan endpoints", "all octoseek", "hostname", "pulse submit", "url analysis", "passive dns", "urls", "next", "all search", "otx octoseek", "as7922 comcast", "as16276", "as54113", "aaaa", "france unknown", "as14061", "status", "as40509", "ip address", "for privacy", "as44273 host", "record value", "certificate", "gmt content", "x sucuri", "as8075", "nxdomain", "as30148 sucuri", "as20940", "as31898 oracle", "hong kong", "as139021", "msie", "chrome", "ipv4", "blacklist http", "detection list", "blacklist", "files", "location hong", "kong asn", "tags none", "indicator facts", "name verdict", "falcon sandbox", "mail spammer", "tor known", "tor relayrouter", "exit", "node tcp", "traffic", "heur", "malicious site", "alexa top", "million", "alexa proxy", "outbreak", "installcore", "acint", "conduit", "installpack", "iobit", "artemis", "dropper", "mediaget", "crack", "spammer", "france mail", "summary", "url summary", "phishing", "union", "team", "bank", "unsafe", "threat report", "ip summary", "pattern match", "script", "et tor", "known tor", "relayrouter", "node traffic", "misc attack", "beginstring", "null", "error", "span", "class", "generator", "refresh", "tools", "hybrid", "general", "click", "strings", "servers", "ps ord", "name servers", "poetry", "moved", "content length", "content type", "x powered", "poems", "poem", "topic", "topics", "poem topics", "free poems", "love poems", "romantic poems", "classic poems", "friendship poems", "shone pale", "herself", "heavens", "her beam", "a fleecy", "proud evening", "star", "thou bearest", "heaven", "than", "google", "http", "leasewebuklon11", "search live", "api blog", "docs pricing", "login", "february", "gb summary", "london", "april", "screenshot", "url https", "reverse dns", "general full", "name value", "frankfurt", "main", "germany", "asn15169", "resource", "hashes", "copyright", "gmbh version", "follow", "blacklist https", "phishing site", "malware site", "riskware", "opencandy", "cleaner", "iframe", "xtrat", "agent", "softcnapp", "generic", "patcher", "driverpack", "exploit", "mimikatz", "downldr", "presenoker", "fusioncore", "wacatac", "beach research", "trojanspy", "maltiverse", "firehol", "proxy", "anonymizer", "adware", "kuaizip", "downer", "tag count", "tue apr", "sample", "samples", "fakealert", "genkryptik", "icedid", "coinminer", "nircmd", "swrort", "systweak", "behav", "tiggre", "filetour", "quasar rat", "fuery", "bazaloader", "media", "facebook", "service", "runescape", "webtoolbar", "a9dia", "a1ginaprincipal", "emails", "registrar", "http header", "tcp traffic", "et useragents", "unknown traffic", "antivirus", "server", "gmt united", "accept", "local", "path", "falcon", "file", "ascii text", "windows nt", "png image", "appdata", "jpeg image", "indicator", "twitter", "westlaw njrat", "zuorat", "skynet bot", "glupteba", "asn4583", "thomsonreuters", "asn209242", "june", "back", "united kingdom", "cisco", "umbrella rank", "rank", "page url", "as autonomous", "system", "yndx", "ipasns ip", "november", "de summary", "comodo rsa", "security tls", "software", "resource hash", "security", "ecdhersa", "de indicators", "de page", "url history", "javascript", "gts ca", "secure server", "markmonitor", "ip information", "detail domains", "domain tree", "links certs", "frames domain", "requested", "threat roundup", "march", "threat round", "parent parent", "roundup", "january", "threats", "qbot", "cyberwar", "skynet", "radar ineractive", "control server", "engineering", "host", "services", "pony", "nanocore rat", "meterpreter", "zeus", "zbot", "suppobox", "stealer", "redline stealer", "dnspionage", "mirai", "nanocore", "bradesco", "emotet", "laplasclipper", "asn16276", "get h2", "kb image", "august", "kali", "localappdata", "network traffic", "binary file", "svg scalable", "vector graphics", "mwin", "domain", "url http", "pulse pulses", "related nids", "files location", "customer", "address", "as29789", "hosting", "location united", "status hostname", "query type", "address first", "seen last", "seen asn", "country unknown", "urls date", "checked url", "hostname server", "response ip", "address google", "safe browsing", "present mar", "pulse indicator", "protocol h2", "value", "variables", "waypoint object", "gsqueue", "isotope", "hostnames", "ice fog", "maltiverse top", "financial", "as62597 nsone", "sec ch", "domains show", "entries", "as14720 gamma", "canada unknown", "as397241", "as13335", "applicunwnt", "xrat", "maltiverse safe", "aig", "soc", "hallrender", "brian sabey", "mark brian sabey", "sabey", "mark", "sabey", "data center", "malvertizing", "malware host", "scanning host", "botnetwork", "colorado", "edsaid", "geotracking", "satellite tracking", "radar tracking", "pornhub", "child teen content illegal", "social engineering", "cyber stalking", "CVE-2023-4966", "device control", "camera usage", "hidden users", "message interception", "text archiver", "mail collection", "remote attacks", "js", "python", "inject", "sql", "extraction", "AIG Claims", "hallrender.com", "soc", "milemighmedia", "westlaw", "revengeporn", "bot", "regex", "ai", "yandex" ], "references": [ "web2.westlaw.com (redirects to thbrzzrstr.me)", "http://web2.westlaw.com/ (redirect) https://signon.thomsonreuters.com/?productid=CBT&lr=0&culture=en-US&returnto=https%3a%2f%2f1.next.westlaw.com%...", "https://hybrid-analysis.com/sample/8bf763ce9396c4569afbae58392097fd57408339c0ac59ec256468c9fd8ac4c5/6548ebfe56b25bab28017757", "https://urlscan.io/result/2285cee3-1e08-4e63-b48f-ee685e008480/#summary", "https://hybrid-analysis.com/sample/86479bf7c9a675913b93a0d399f5cbe0c0e8003239e93ae5e00f97cdbc5ec5ba/5c5c13577ca3e12626364777", "https://urlscan.io/result/4f0cabbf-9716-47dd-bd5c-038a953e6672/", "Malware Host: HallRender.com", "riverside.rocks (safebae.com remote uTorrent) https://hybrid-analysis.com/sample/11108ef17bd75f36e0d22d95b1f3bde3e9fa968a78a24c2d2508f4238e22651d/6326a50be4a8a71b885f5bf3", "safebae.org", "http://auditrage.top/Rossmaansywh/tb.php?wmtvjltu (phishing | cybercrime)", "Hallrender.com and Westlaw.com.= http://auditrage.top/Rossmaansywh/tb.php?wmtvjltu", "Poemhunter.com + rally point.com = pornhub.dev", "Pornhub dev VT community: https://www.virustotal.com/gui/domain/pornhub.dev/community", "Poemhunter.com: https://hybrid-analysis.com/sample/86479bf7c9a675913b93a0d399f5cbe0c0e8003239e93ae5e00f97cdbc5ec5ba", "https://www.poemhunter.com/tsara-brashears/poems/: https://urlscan.io/result/4f0cabbf-9716-47dd-bd5c-038a953e6672/", "Rallypoint.com https://hybrid-analysis.com/sample/66287c2c36699037cb504201693e26b5f3282cebde1d1c78aecd6f97f04fb694", "Malicious revenge malvertizing: https://www.milehighmedia.com/legal/2257", "https://www.anyxxxtube.net/search-porn/tsara-brashears/", "https://matrix.pornhub.dev", "nr-data.net", "https://www.hallrender.com/wp-content/themes/Hall-Render/assets/icons/apple-touch-icon-76x76.png", "https://www.hallrender.com/wp-content/themes/Hall-Render/assets/icons/apple-touch-icon.png", "https://apple.pantion.top/", "newrelic.se", "user-apple.info", "appleid-comloginaccount.info", "init-p01st.push.apple.com", "boostmobile.com", "www.metrobyt-mobile.com", "http://bpdb.portal.gov.bd:3128/sites/default/files/files/bpdb.portal.gov.bd/npfblock/2021-34bc869d2906198362a4346373ce5b94.jpg", "https://b.link/infringement", "my.mintmobile.com", "CVE-2023-4966", "http://watchhers.net/index.php", "https://rr2---sn-4g5ednsz.googlevideo.com/videoplayback?expire=1699319292&ei=nDlJZfb4G43E-gaYt5XoDg&ip=2001%3A1b60%3A2%3A240%3A3247%3A%3A" ], "public": 1, "adversary": "", "targeted_countries": [ "Spain", "Netherlands", "Canada", "United States of America" ], "malware_families": [ { "id": "Tsara Brashears", "display_name": "Tsara Brashears", "target": null }, { "id": "Mitre Attack", "display_name": "Mitre Attack", "target": null }, { "id": "ET", "display_name": "ET", "target": null }, { "id": "Beach Research", "display_name": "Beach Research", "target": null }, { "id": "TrojanSpy", "display_name": "TrojanSpy", "target": null }, { "id": "Maltiverse", "display_name": "Maltiverse", "target": null }, { "id": "WebToolbar", "display_name": "WebToolbar", "target": null }, { "id": "Radar Ineractive", "display_name": "Radar Ineractive", "target": null } ], "attack_ids": [ { "id": "T1056", "name": "Input Capture", "display_name": "T1056 - Input Capture" }, { "id": "T1027", "name": "Obfuscated Files or Information", "display_name": "T1027 - Obfuscated Files or Information" }, { "id": "T1090", "name": "Proxy", "display_name": "T1090 - Proxy" }, { "id": "T1059", "name": "Command and Scripting Interpreter", "display_name": "T1059 - Command and Scripting Interpreter" }, { "id": "T1071", "name": "Application Layer Protocol", "display_name": "T1071 - Application Layer Protocol" }, { "id": "T1105", "name": "Ingress Tool Transfer", "display_name": "T1105 - Ingress Tool Transfer" }, { "id": "T1497", "name": "Virtualization/Sandbox Evasion", "display_name": "T1497 - Virtualization/Sandbox Evasion" }, { "id": "T1140", "name": "Deobfuscate/Decode Files or Information", "display_name": "T1140 - Deobfuscate/Decode Files or Information" }, { "id": "T1566", "name": "Phishing", "display_name": "T1566 - Phishing" }, { "id": "T1043", "name": "Commonly Used Port", "display_name": "T1043 - Commonly Used Port" }, { "id": "T1179", "name": "Hooking", "display_name": "T1179 - Hooking" }, { "id": "T1071.004", "name": "DNS", "display_name": "T1071.004 - DNS" }, { "id": "T1071.001", "name": "Web Protocols", "display_name": "T1071.001 - Web Protocols" }, { "id": "TA0004", "name": "Privilege Escalation", "display_name": "TA0004 - Privilege Escalation" }, { "id": "T1210", "name": "Exploitation of Remote Services", "display_name": "T1210 - Exploitation of Remote Services" }, { "id": "T1068", "name": "Exploitation for Privilege Escalation", "display_name": "T1068 - Exploitation for Privilege Escalation" }, { "id": "T1450", "name": "Exploit SS7 to Track Device Location", "display_name": "T1450 - Exploit SS7 to Track Device Location" }, { "id": "T1114", "name": "Email Collection", "display_name": "T1114 - Email Collection" }, { "id": "T1176", "name": "Browser Extensions", "display_name": "T1176 - Browser Extensions" }, { "id": "T1573", "name": "Encrypted Channel", "display_name": "T1573 - Encrypted Channel" }, { "id": "T1003", "name": "OS Credential Dumping", "display_name": "T1003 - OS Credential Dumping" }, { "id": "T1423", "name": "Network Service Scanning", "display_name": "T1423 - Network Service Scanning" }, { "id": "T1035", "name": "Service Execution", "display_name": "T1035 - Service Execution" }, { "id": "T1563", "name": "Remote Service Session Hijacking", "display_name": "T1563 - Remote Service Session Hijacking" }, { "id": "T1056.001", "name": "Keylogging", "display_name": "T1056.001 - Keylogging" }, { "id": "T1110.002", "name": "Password Cracking", "display_name": "T1110.002 - Password Cracking" }, { "id": "T1427", "name": "Attack PC via USB Connection", "display_name": "T1427 - Attack PC via USB Connection" }, { "id": "T1445", "name": "Abuse of iOS Enterprise App Signing Key", "display_name": "T1445 - Abuse of iOS Enterprise App Signing Key" }, { "id": "T1453", "name": "Abuse Accessibility Features", "display_name": "T1453 - Abuse Accessibility Features" }, { "id": "T1472", "name": "Generate Fraudulent Advertising Revenue", "display_name": "T1472 - Generate Fraudulent Advertising Revenue" }, { "id": "T1173", "name": "Dynamic Data Exchange", "display_name": "T1173 - Dynamic Data Exchange" }, { "id": "T1410", "name": "Network Traffic Capture or Redirection", "display_name": "T1410 - Network Traffic Capture or Redirection" } ], "industries": [], "TLP": "green", "cloned_from": null, "export_count": 140, "upvotes_count": 0, "downvotes_count": 0, "votes_count": 0, "locked": false, "pulse_source": "web", "validator_count": 0, "comment_count": 0, "follower_count": 0, "vote": 0, "author": { "username": "OctoSeek", "id": "243548", "avatar_url": "/otxapi/users/avatar_image/media/avatars/user_243548/resized/80/avatar_3b9c358f36.png", "is_subscribed": false, "is_following": false }, "indicator_type_counts": { "domain": 4018, "hostname": 2152, "URL": 2105, "FileHash-MD5": 1223, "FileHash-SHA1": 783, "FileHash-SHA256": 2789, "CVE": 9, "email": 25 }, "indicator_count": 13104, "is_author": false, "is_subscribing": null, "subscriber_count": 228, "modified_text": "865 days ago ", "is_modified": true, "groups": [], "in_group": false, "threat_hunter_scannable": true, "threat_hunter_has_agents": 1, "related_indicator_type": "domain", "related_indicator_is_active": 1 }, { "id": "6570a552ac0b6570454709f7", "name": "Kelowna detachment - British Columbia (Pulse created by ellenmmm)", "description": "", "modified": "2023-12-06T16:46:09.708000", "created": "2023-12-06T16:46:09.708000", "tags": [], "references": [], "public": 1, "adversary": "", "targeted_countries": [], "malware_families": [], "attack_ids": [], "industries": [], "TLP": "green", "cloned_from": null, "export_count": 12, "upvotes_count": 0, "downvotes_count": 0, "votes_count": 0, "locked": false, "pulse_source": "api", "validator_count": 0, "comment_count": 0, "follower_count": 0, "vote": 0, "author": { "username": "StreamMiningEx", "id": "262917", "avatar_url": "https://otx.alienvault.com/assets/images/default-avatar.png", "is_subscribed": false, "is_following": false }, "indicator_type_counts": { "CVE": 15, "URL": 1349, "FileHash-MD5": 1308, "FileHash-SHA1": 1314, "FileHash-SHA256": 4898, "hostname": 1401, "email": 62, "domain": 1237, "CIDR": 8 }, "indicator_count": 11592, "is_author": false, "is_subscribing": null, "subscriber_count": 110, "modified_text": "865 days ago ", "is_modified": false, "groups": [], "in_group": false, "threat_hunter_scannable": true, "threat_hunter_has_agents": 1, "related_indicator_type": "domain", "related_indicator_is_active": 1 }, { "id": "6570a458c9934c2c2387556a", "name": "", "description": "", "modified": "2023-12-06T16:42:00.798000", "created": "2023-12-06T16:42:00.798000", "tags": [], "references": [], "public": 1, "adversary": "", "targeted_countries": [], "malware_families": [], "attack_ids": [], "industries": [], "TLP": "green", "cloned_from": null, "export_count": 8, "upvotes_count": 0, "downvotes_count": 0, "votes_count": 0, "locked": false, "pulse_source": "api", "validator_count": 0, "comment_count": 0, "follower_count": 0, "vote": 0, "author": { "username": "StreamMiningEx", "id": "262917", "avatar_url": "https://otx.alienvault.com/assets/images/default-avatar.png", "is_subscribed": false, "is_following": false }, "indicator_type_counts": { "FileHash-SHA256": 2468, "CVE": 2, "domain": 1247, "hostname": 1215, "FileHash-MD5": 31, "FileHash-SHA1": 36, "URL": 5265, "email": 6 }, "indicator_count": 10270, "is_author": false, "is_subscribing": null, "subscriber_count": 111, "modified_text": "865 days ago ", "is_modified": false, "groups": [], "in_group": false, "threat_hunter_scannable": true, "threat_hunter_has_agents": 1, "related_indicator_type": "domain", "related_indicator_is_active": 1 }, { "id": "6570a45205d13649df0844ba", "name": "iOS Hacktool Actively exploited", "description": "", "modified": "2023-12-06T16:41:54.157000", "created": "2023-12-06T16:41:54.157000", "tags": [], "references": [], "public": 1, "adversary": "", "targeted_countries": [], "malware_families": [], "attack_ids": [], "industries": [], "TLP": "green", "cloned_from": null, "export_count": 8, "upvotes_count": 0, "downvotes_count": 0, "votes_count": 0, "locked": false, "pulse_source": "api", "validator_count": 0, "comment_count": 0, "follower_count": 0, "vote": 0, "author": { "username": "StreamMiningEx", "id": "262917", "avatar_url": "https://otx.alienvault.com/assets/images/default-avatar.png", "is_subscribed": false, "is_following": false }, "indicator_type_counts": { "FileHash-SHA256": 2468, "CVE": 2, "domain": 1247, "hostname": 1215, "FileHash-MD5": 31, "FileHash-SHA1": 36, "URL": 5265, "email": 6 }, "indicator_count": 10270, "is_author": false, "is_subscribing": null, "subscriber_count": 111, "modified_text": "865 days ago ", "is_modified": false, "groups": [], "in_group": false, "threat_hunter_scannable": true, "threat_hunter_has_agents": 1, "related_indicator_type": "domain", "related_indicator_is_active": 1 }, { "id": "6570a44bb1c37c78fb86e09d", "name": "Undefined Name", "description": "", "modified": "2023-12-06T16:41:47.803000", "created": "2023-12-06T16:41:47.803000", "tags": [], "references": [], "public": 1, "adversary": "", "targeted_countries": [], "malware_families": [], "attack_ids": [], "industries": [], "TLP": "green", "cloned_from": null, "export_count": 8, "upvotes_count": 0, "downvotes_count": 0, "votes_count": 0, "locked": false, "pulse_source": "api", "validator_count": 0, "comment_count": 0, "follower_count": 0, "vote": 0, "author": { "username": "StreamMiningEx", "id": "262917", "avatar_url": "https://otx.alienvault.com/assets/images/default-avatar.png", "is_subscribed": false, "is_following": false }, "indicator_type_counts": { "FileHash-SHA256": 2468, "CVE": 2, "domain": 1247, "hostname": 1215, "FileHash-MD5": 31, "FileHash-SHA1": 36, "URL": 5265, "email": 6 }, "indicator_count": 10270, "is_author": false, "is_subscribing": null, "subscriber_count": 111, "modified_text": "865 days ago ", "is_modified": false, "groups": [], "in_group": false, "threat_hunter_scannable": true, "threat_hunter_has_agents": 1, "related_indicator_type": "domain", "related_indicator_is_active": 1 }, { "id": "6570a441d4e3eae9a6de91dd", "name": "Apple iOS - COBALT STRIKE", "description": "", "modified": "2023-12-06T16:41:37.067000", "created": "2023-12-06T16:41:37.067000", "tags": [], "references": [], "public": 1, "adversary": "", "targeted_countries": [], "malware_families": [], "attack_ids": [], "industries": [], "TLP": "green", "cloned_from": null, "export_count": 8, "upvotes_count": 0, "downvotes_count": 0, "votes_count": 0, "locked": false, "pulse_source": "api", "validator_count": 0, "comment_count": 0, "follower_count": 0, "vote": 0, "author": { "username": "StreamMiningEx", "id": "262917", "avatar_url": "https://otx.alienvault.com/assets/images/default-avatar.png", "is_subscribed": false, "is_following": false }, "indicator_type_counts": { "FileHash-SHA256": 2468, "CVE": 2, "domain": 1247, "hostname": 1215, "FileHash-MD5": 31, "FileHash-SHA1": 36, "URL": 5265, "email": 6 }, "indicator_count": 10270, "is_author": false, "is_subscribing": null, "subscriber_count": 112, "modified_text": "865 days ago ", "is_modified": false, "groups": [], "in_group": false, "threat_hunter_scannable": true, "threat_hunter_has_agents": 1, "related_indicator_type": "domain", "related_indicator_is_active": 1 }, { "id": "6570a43affc51769be1188f9", "name": "Apple exploit targets private citizen. Actively exploited.", "description": "", "modified": "2023-12-06T16:41:30.939000", "created": "2023-12-06T16:41:30.939000", "tags": [], "references": [], "public": 1, "adversary": "", "targeted_countries": [], "malware_families": [], "attack_ids": [], "industries": [], "TLP": "green", "cloned_from": null, "export_count": 8, "upvotes_count": 0, "downvotes_count": 0, "votes_count": 0, "locked": false, "pulse_source": "api", "validator_count": 0, "comment_count": 0, "follower_count": 0, "vote": 0, "author": { "username": "StreamMiningEx", "id": "262917", "avatar_url": "https://otx.alienvault.com/assets/images/default-avatar.png", "is_subscribed": false, "is_following": false }, "indicator_type_counts": { "FileHash-SHA256": 2468, "CVE": 2, "domain": 1247, "hostname": 1215, "FileHash-MD5": 31, "FileHash-SHA1": 36, "URL": 5265, "email": 6 }, "indicator_count": 10270, "is_author": false, "is_subscribing": null, "subscriber_count": 110, "modified_text": "865 days ago ", "is_modified": false, "groups": [], "in_group": false, "threat_hunter_scannable": true, "threat_hunter_has_agents": 1, "related_indicator_type": "domain", "related_indicator_is_active": 1 }, { "id": "6570a434c72e0d41666e0b43", "name": "Targetes iOS Apple Exploit \u2022 Where is Citizens Lab? Apple? This has roots.", "description": "", "modified": "2023-12-06T16:41:24.547000", "created": "2023-12-06T16:41:24.547000", "tags": [], "references": [], "public": 1, "adversary": "", "targeted_countries": [], "malware_families": [], "attack_ids": [], "industries": [], "TLP": "green", "cloned_from": null, "export_count": 8, "upvotes_count": 0, "downvotes_count": 0, "votes_count": 0, "locked": false, "pulse_source": "api", "validator_count": 0, "comment_count": 0, "follower_count": 0, "vote": 0, "author": { "username": "StreamMiningEx", "id": "262917", "avatar_url": "https://otx.alienvault.com/assets/images/default-avatar.png", "is_subscribed": false, "is_following": false }, "indicator_type_counts": { "FileHash-SHA256": 2468, "CVE": 2, "domain": 1247, "hostname": 1215, "FileHash-MD5": 31, "FileHash-SHA1": 36, "URL": 5265, "email": 6 }, "indicator_count": 10270, "is_author": false, "is_subscribing": null, "subscriber_count": 111, "modified_text": "865 days ago ", "is_modified": false, "groups": [], "in_group": false, "threat_hunter_scannable": true, "threat_hunter_has_agents": 1, "related_indicator_type": "domain", "related_indicator_is_active": 1 }, { "id": "6570a42c670fdf66b4af46df", "name": "Crimson Apple", "description": "", "modified": "2023-12-06T16:41:16.304000", "created": "2023-12-06T16:41:16.304000", "tags": [], "references": [], "public": 1, "adversary": "", "targeted_countries": [], "malware_families": [], "attack_ids": [], "industries": [], "TLP": "green", "cloned_from": null, "export_count": 8, "upvotes_count": 0, "downvotes_count": 0, "votes_count": 0, "locked": false, "pulse_source": "api", "validator_count": 0, "comment_count": 0, "follower_count": 0, "vote": 0, "author": { "username": "StreamMiningEx", "id": "262917", "avatar_url": "https://otx.alienvault.com/assets/images/default-avatar.png", "is_subscribed": false, "is_following": false }, "indicator_type_counts": { "FileHash-SHA256": 2468, "CVE": 2, "domain": 1247, "hostname": 1215, "FileHash-MD5": 31, "FileHash-SHA1": 36, "URL": 5265, "email": 6 }, "indicator_count": 10270, "is_author": false, "is_subscribing": null, "subscriber_count": 111, "modified_text": "865 days ago ", "is_modified": false, "groups": [], "in_group": false, "threat_hunter_scannable": true, "threat_hunter_has_agents": 1, "related_indicator_type": "domain", "related_indicator_is_active": 1 }, { "id": "6570a4250011524abcdf1be0", "name": "Apple Tracking \u2022 Remote Access", "description": "", "modified": "2023-12-06T16:41:09.398000", "created": "2023-12-06T16:41:09.398000", "tags": [], "references": [], "public": 1, "adversary": "", "targeted_countries": [], "malware_families": [], "attack_ids": [], "industries": [], "TLP": "green", "cloned_from": null, "export_count": 8, "upvotes_count": 0, "downvotes_count": 0, "votes_count": 0, "locked": false, "pulse_source": "api", "validator_count": 0, "comment_count": 0, "follower_count": 0, "vote": 0, "author": { "username": "StreamMiningEx", "id": "262917", "avatar_url": "https://otx.alienvault.com/assets/images/default-avatar.png", "is_subscribed": false, "is_following": false }, "indicator_type_counts": { "FileHash-SHA256": 2468, "CVE": 2, "domain": 1247, "hostname": 1215, "FileHash-MD5": 31, "FileHash-SHA1": 36, "URL": 5265, "email": 6 }, "indicator_count": 10270, "is_author": false, "is_subscribing": null, "subscriber_count": 111, "modified_text": "865 days ago ", "is_modified": false, "groups": [], "in_group": false, "threat_hunter_scannable": true, "threat_hunter_has_agents": 1, "related_indicator_type": "domain", "related_indicator_is_active": 1 }, { "id": "6570a41e852f6b1b04648d44", "name": "Apple iOS Remote Access", "description": "", "modified": "2023-12-06T16:41:02.718000", "created": "2023-12-06T16:41:02.718000", "tags": [], "references": [], "public": 1, "adversary": "", "targeted_countries": [], "malware_families": [], "attack_ids": [], "industries": [], "TLP": "green", "cloned_from": null, "export_count": 8, "upvotes_count": 0, "downvotes_count": 0, "votes_count": 0, "locked": false, "pulse_source": "api", "validator_count": 0, "comment_count": 0, "follower_count": 0, "vote": 0, "author": { "username": "StreamMiningEx", "id": "262917", "avatar_url": "https://otx.alienvault.com/assets/images/default-avatar.png", "is_subscribed": false, "is_following": false }, "indicator_type_counts": { "FileHash-SHA256": 2468, "CVE": 2, "domain": 1247, "hostname": 1215, "FileHash-MD5": 31, "FileHash-SHA1": 36, "URL": 5265, "email": 6 }, "indicator_count": 10270, "is_author": false, "is_subscribing": null, "subscriber_count": 109, "modified_text": "865 days ago ", "is_modified": false, "groups": [], "in_group": false, "threat_hunter_scannable": true, "threat_hunter_has_agents": 1, "related_indicator_type": "domain", "related_indicator_is_active": 1 }, { "id": "6570a4161da64500aa609121", "name": "Major Apple Exploit", "description": "", "modified": "2023-12-06T16:40:54.425000", "created": "2023-12-06T16:40:54.425000", "tags": [], "references": [], "public": 1, "adversary": "", "targeted_countries": [], "malware_families": [], "attack_ids": [], "industries": [], "TLP": "green", "cloned_from": null, "export_count": 8, "upvotes_count": 0, "downvotes_count": 0, "votes_count": 0, "locked": false, "pulse_source": "api", "validator_count": 0, "comment_count": 0, "follower_count": 0, "vote": 0, "author": { "username": "StreamMiningEx", "id": "262917", "avatar_url": "https://otx.alienvault.com/assets/images/default-avatar.png", "is_subscribed": false, "is_following": false }, "indicator_type_counts": { "FileHash-SHA256": 2468, "CVE": 2, "domain": 1247, "hostname": 1215, "FileHash-MD5": 31, "FileHash-SHA1": 36, "URL": 5265, "email": 6 }, "indicator_count": 10270, "is_author": false, "is_subscribing": null, "subscriber_count": 110, "modified_text": "865 days ago ", "is_modified": false, "groups": [], "in_group": false, "threat_hunter_scannable": true, "threat_hunter_has_agents": 1, "related_indicator_type": "domain", "related_indicator_is_active": 1 }, { "id": "6570a40e62ca90307d3ed7a3", "name": "Major Apple Exploit", "description": "", "modified": "2023-12-06T16:40:46.173000", "created": "2023-12-06T16:40:46.173000", "tags": [], "references": [], "public": 1, "adversary": "", "targeted_countries": [], "malware_families": [], "attack_ids": [], "industries": [], "TLP": "green", "cloned_from": null, "export_count": 8, "upvotes_count": 0, "downvotes_count": 0, "votes_count": 0, "locked": false, "pulse_source": "api", "validator_count": 0, "comment_count": 0, "follower_count": 0, "vote": 0, "author": { "username": "StreamMiningEx", "id": "262917", "avatar_url": "https://otx.alienvault.com/assets/images/default-avatar.png", "is_subscribed": false, "is_following": false }, "indicator_type_counts": { "FileHash-SHA256": 2468, "CVE": 2, "domain": 1247, "hostname": 1215, "FileHash-MD5": 31, "FileHash-SHA1": 36, "URL": 5265, "email": 6 }, "indicator_count": 10270, "is_author": false, "is_subscribing": null, "subscriber_count": 110, "modified_text": "865 days ago ", "is_modified": false, "groups": [], "in_group": false, "threat_hunter_scannable": true, "threat_hunter_has_agents": 1, "related_indicator_type": "domain", "related_indicator_is_active": 1 }, { "id": "65709fb3b919327802eaa6c5", "name": "Kelowna detachment - British Columbia", "description": "", "modified": "2023-12-06T16:22:11.032000", "created": "2023-12-06T16:22:11.032000", "tags": [], "references": [], "public": 1, "adversary": "", "targeted_countries": [], "malware_families": [], "attack_ids": [], "industries": [], "TLP": "green", "cloned_from": null, "export_count": 6, "upvotes_count": 0, "downvotes_count": 0, "votes_count": 0, "locked": false, "pulse_source": "api", "validator_count": 0, "comment_count": 0, "follower_count": 0, "vote": 0, "author": { "username": "StreamMiningEx", "id": "262917", "avatar_url": "https://otx.alienvault.com/assets/images/default-avatar.png", "is_subscribed": false, "is_following": false }, "indicator_type_counts": { "CVE": 15, "URL": 1349, "FileHash-MD5": 1308, "FileHash-SHA1": 1314, "FileHash-SHA256": 4898, "hostname": 1401, "email": 62, "domain": 1237, "CIDR": 8 }, "indicator_count": 11592, "is_author": false, "is_subscribing": null, "subscriber_count": 109, "modified_text": "865 days ago ", "is_modified": false, "groups": [], "in_group": false, "threat_hunter_scannable": true, "threat_hunter_has_agents": 1, "related_indicator_type": "domain", "related_indicator_is_active": 1 }, { "id": "65708c8a9635f156e79238f1", "name": "intel gained from a spam text", "description": "", "modified": "2023-12-06T15:00:26.727000", "created": "2023-12-06T15:00:26.727000", "tags": [], "references": [], "public": 1, "adversary": "", "targeted_countries": [], "malware_families": [], "attack_ids": [], "industries": [], "TLP": "green", "cloned_from": null, "export_count": 2, "upvotes_count": 0, "downvotes_count": 0, "votes_count": 0, "locked": false, "pulse_source": "api", "validator_count": 0, "comment_count": 0, "follower_count": 0, "vote": 0, "author": { "username": "StreamMiningEx", "id": "262917", "avatar_url": "https://otx.alienvault.com/assets/images/default-avatar.png", "is_subscribed": false, "is_following": false }, "indicator_type_counts": { "CVE": 1, "FileHash-SHA256": 823, "domain": 717, "URL": 2245, "hostname": 615, "email": 4, "FileHash-MD5": 5, "FileHash-SHA1": 1 }, "indicator_count": 4411, "is_author": false, "is_subscribing": null, "subscriber_count": 110, "modified_text": "865 days ago ", "is_modified": false, "groups": [], "in_group": false, "threat_hunter_scannable": true, "threat_hunter_has_agents": 1, "related_indicator_type": "domain", "related_indicator_is_active": 1 }, { "id": "65708c534aadf7adf4f27d77", "name": "enom.com & 4vendeta.com - ReduceRight malware hosting/creation", "description": "", "modified": "2023-12-06T14:59:31.122000", "created": "2023-12-06T14:59:31.122000", "tags": [], "references": [], "public": 1, "adversary": "", "targeted_countries": [], "malware_families": [], "attack_ids": [], "industries": [], "TLP": "green", "cloned_from": null, "export_count": 2, "upvotes_count": 0, "downvotes_count": 0, "votes_count": 0, "locked": false, "pulse_source": "api", "validator_count": 0, "comment_count": 0, "follower_count": 0, "vote": 0, "author": { "username": "StreamMiningEx", "id": "262917", "avatar_url": "https://otx.alienvault.com/assets/images/default-avatar.png", "is_subscribed": false, "is_following": false }, "indicator_type_counts": { "FileHash-SHA256": 302, "domain": 634, "URL": 2988, "hostname": 1208 }, "indicator_count": 5132, "is_author": false, "is_subscribing": null, "subscriber_count": 109, "modified_text": "865 days ago ", "is_modified": false, "groups": [], "in_group": false, "threat_hunter_scannable": true, "threat_hunter_has_agents": 1, "related_indicator_type": "domain", "related_indicator_is_active": 1 }, { "id": "65708c0f5981b6d81d0fa423", "name": "data102 and colohouse. Malware hosting", "description": "", "modified": "2023-12-06T14:58:23.206000", "created": "2023-12-06T14:58:23.206000", "tags": [], "references": [], "public": 1, "adversary": "", "targeted_countries": [], "malware_families": [], "attack_ids": [], "industries": [], "TLP": "green", "cloned_from": null, "export_count": 2, "upvotes_count": 0, "downvotes_count": 0, "votes_count": 0, "locked": false, "pulse_source": "api", "validator_count": 0, "comment_count": 0, "follower_count": 0, "vote": 0, "author": { "username": "StreamMiningEx", "id": "262917", "avatar_url": "https://otx.alienvault.com/assets/images/default-avatar.png", "is_subscribed": false, "is_following": false }, "indicator_type_counts": { "FileHash-SHA256": 458, "domain": 557, "URL": 2599, "hostname": 952 }, "indicator_count": 4566, "is_author": false, "is_subscribing": null, "subscriber_count": 109, "modified_text": "865 days ago ", "is_modified": false, "groups": [], "in_group": false, "threat_hunter_scannable": true, "threat_hunter_has_agents": 1, "related_indicator_type": "domain", "related_indicator_is_active": 1 }, { "id": "65708bae2f0c59d34f050b9e", "name": "Malware and bots", "description": "", "modified": "2023-12-06T14:56:46.779000", "created": "2023-12-06T14:56:46.779000", "tags": [], "references": [], "public": 1, "adversary": "", "targeted_countries": [], "malware_families": [], "attack_ids": [], "industries": [], "TLP": "green", "cloned_from": null, "export_count": 2, "upvotes_count": 0, "downvotes_count": 0, "votes_count": 0, "locked": false, "pulse_source": "api", "validator_count": 0, "comment_count": 0, "follower_count": 0, "vote": 0, "author": { "username": "StreamMiningEx", "id": "262917", "avatar_url": "https://otx.alienvault.com/assets/images/default-avatar.png", "is_subscribed": false, "is_following": false }, "indicator_type_counts": { "FileHash-SHA256": 168, "hostname": 427, "domain": 214, "URL": 1188, "FileHash-MD5": 1, "FileHash-SHA1": 1, "email": 1 }, "indicator_count": 2000, "is_author": false, "is_subscribing": null, "subscriber_count": 109, "modified_text": "865 days ago ", "is_modified": false, "groups": [], "in_group": false, "threat_hunter_scannable": true, "threat_hunter_has_agents": 1, "related_indicator_type": "domain", "related_indicator_is_active": 1 }, { "id": "6546cf78627adef6562a97aa", "name": "Browser Malware Attack", "description": "Attacking my browser to identify.\nCommand for critical failure/destruction: https://search.app.goo.gl/?ofl=https://lens.google&al=googleapp://lens?lens_data=KAw&apn=com.google.android.googlequicksearchbox&amv=301204913&isi=284815942&ius=googleapp&ibi=com.goog", "modified": "2023-12-04T22:00:43.514000", "created": "2023-11-04T23:10:48.676000", "tags": [ "united", "facebook", "phishtank", "detection list", "ip address", "blacklist", "paypal", "cisco umbrella", "site", "alexa top", "safe site", "million", "malicious url", "malware site", "malicious site", "malware", "name verdict", "falcon sandbox", "reports no", "speci", "efr1", "pattern match", "file", "web open", "font format", "truetype", "indicator", "windows nt", "et tor", "known tor", "relayrouter", "date", "unknown", "general", "hybrid", "local", "stream", "click", "strings", "class", "generator", "critical", "error", "self", "http response", "final url", "serving ip", "address", "status code", "body length", "kb body", "sha256", "phishing site", "heur", "cyber threat", "unsafe", "riskware", "phishing", "bank", "service", "artemis", "team", "xtrat", "agent", "xrat", "filetour", "exploit", "conduit", "opencandy", "fusioncore", "orkut", "steam", "genkryptik", "runescape", "presenoker", "ramnit", "msil", "crack", "tofsee", "suppobox", "malicious", "simda", "vawtrak", "hotmail", "generic", "webtoolbar", "hsbc", "maltiverse", "ip summary", "url summary", "summary", "sample", "samples", "count blacklist", "tag count", "downldr", "cleaner", "iframe", "wacatac", "alexa", "win64", "swrort", "installcore", "azorult", "download", "blacknet rat", "stealer", "softcnapp", "nircmd", "unruy", "patcher", "adload", "dropper", "installpack", "tiggre", "gamehack", "trojanspy", "germany http", "attacker", "static engine", "internet storm", "center", "passive dns", "urls", "scan endpoints", "all search", "otx scoreblue", "url http", "pulse pulses", "http", "related nids" ], "references": [ "https://search.app.goo.gl/?ofl=https://lens.google&al=googleapp://lens?lens_data=KAw&apn=com.google.android.googlequicksearchbox&amv=301204913&isi=284815942&ius=googleapp&ibi=com.goog", "object.prototype.hasownproperty.call", "hasownproperty.call", "a.default.meta.applestore.id", "applestore.id", "http://decafsmob.this.id", "id.google.com", "http://critical-system-failure7250.21ny35098453.com-bm3y-v806d9gk.cricket/", "http://git.io/yBU2rg", "critical-failure-alert2286.40ek97931491.com-4nj1ze3ivfwy.website", "https://fairspin.io/?track_id=44698569&pid=1&geo=6252001&utm_source=bonafides&utm_medium=&utm_campaign=smarttds&utm_term=incorrect_param", "http://tracking.3061331.corn10wuk.club", "http://information.7174932.cakcuk.az/tracking/tracking.php?id=8459701&page=904", "apps.apple.com/us/app/id$", "t.name", "http://e.id?e.id:e.id.getAttribute", "location.search", "https://dnsorangetel.dn2.n-helix.com", "1080p-torrent.ml", "states.app", "dev-2.ernestatech.com", "https://hybrid-analysis.com/sample/d26000dfe1137f05f9187996dc752a703000402fe9e35a8ea216e9215a34560d", "209.85.145.113 [malware]", "cdn.fuckporntube.com", "www.search.app.goo.gl", "apps.apple.com", "http://www.youtube.com/gen_204?cplatform=tablet&c=android&cver=5.6.36&cos=Android&cosver=4.4.2&cbr=com.google.android.youtube&cbrv", "https://coloradosprings.americanlisted.com/pets-animals/beautiful-ragdoll-kittens_31591993.html", "globalworker1.sol.us", "worker-m-tlcus1.sol.us" ], "public": 1, "adversary": "", "targeted_countries": [ "United States of America", "Germany", "Ireland", "Singapore" ], "malware_families": [ { "id": "WebToolbar", "display_name": "WebToolbar", "target": null }, { "id": "HSBC", "display_name": "HSBC", "target": null }, { "id": "Maltiverse", "display_name": "Maltiverse", "target": null }, { "id": "GameHack", "display_name": "GameHack", "target": null }, { "id": "TrojanSpy", "display_name": "TrojanSpy", "target": null } ], "attack_ids": [ { "id": "T1041", "name": "Exfiltration Over C2 Channel", "display_name": "T1041 - Exfiltration Over C2 Channel" }, { "id": "T1059", "name": "Command and Scripting Interpreter", "display_name": "T1059 - Command and Scripting Interpreter" }, { "id": "T1071", "name": "Application Layer Protocol", "display_name": "T1071 - Application Layer Protocol" }, { "id": "T1105", "name": "Ingress Tool Transfer", "display_name": "T1105 - Ingress Tool Transfer" }, { "id": "T1114", "name": "Email Collection", "display_name": "T1114 - Email Collection" }, { "id": "T1497", "name": "Virtualization/Sandbox Evasion", "display_name": "T1497 - Virtualization/Sandbox Evasion" }, { "id": "T1059.007", "name": "JavaScript", "display_name": "T1059.007 - JavaScript" }, { "id": "TA0004", "name": "Privilege Escalation", "display_name": "TA0004 - Privilege Escalation" }, { "id": "T1210", "name": "Exploitation of Remote Services", "display_name": "T1210 - Exploitation of Remote Services" }, { "id": "T1071.001", "name": "Web Protocols", "display_name": "T1071.001 - Web Protocols" }, { "id": "T1071.004", "name": "DNS", "display_name": "T1071.004 - DNS" }, { "id": "T1055", "name": "Process Injection", "display_name": "T1055 - Process Injection" }, { "id": "T1496", "name": "Resource Hijacking", "display_name": "T1496 - Resource Hijacking" }, { "id": "T1176", "name": "Browser Extensions", "display_name": "T1176 - Browser Extensions" }, { "id": "T1027", "name": "Obfuscated Files or Information", "display_name": "T1027 - Obfuscated Files or Information" } ], "industries": [], "TLP": "white", "cloned_from": null, "export_count": 25, "upvotes_count": 0, "downvotes_count": 0, "votes_count": 0, "locked": false, "pulse_source": "web", "validator_count": 0, "comment_count": 0, "follower_count": 0, "vote": 0, "author": { "username": "scoreblue", "id": "254100", "avatar_url": "/otxapi/users/avatar_image/media/avatars/user_254100/resized/80/avatar_3b9c358f36.png", "is_subscribed": false, "is_following": false }, "indicator_type_counts": { "domain": 1015, "hostname": 1309, "FileHash-MD5": 466, "FileHash-SHA1": 255, "FileHash-SHA256": 3783, "URL": 4001, "CVE": 9, "email": 3 }, "indicator_count": 10841, "is_author": false, "is_subscribing": null, "subscriber_count": 225, "modified_text": "867 days ago ", "is_modified": true, "groups": [], "in_group": false, "threat_hunter_scannable": true, "threat_hunter_has_agents": 1, "related_indicator_type": "domain", "related_indicator_is_active": 1 }, { "id": "6546d0120a7e479fecffe2b1", "name": "Browser Malware Attack", "description": "Attacking browser to identify researcher.\nCommand for critical failure/destruction: https://search.app.goo.gl/?ofl=https://lens.google&al=googleapp://lens?lens_data=KAw&apn=com.google.android.googlequicksearchbox&amv=301204913&isi=284815942&ius=googleapp&ibi=com.goog", "modified": "2023-12-04T22:00:43.514000", "created": "2023-11-04T23:13:21.883000", "tags": [ "united", "facebook", "phishtank", "detection list", "ip address", "blacklist", "paypal", "cisco umbrella", "site", "alexa top", "safe site", "million", "malicious url", "malware site", "malicious site", "malware", "name verdict", "falcon sandbox", "reports no", "speci", "efr1", "pattern match", "file", "web open", "font format", "truetype", "indicator", "windows nt", "et tor", "known tor", "relayrouter", "date", "unknown", "general", "hybrid", "local", "stream", "click", "strings", "class", "generator", "critical", "error", "self", "http response", "final url", "serving ip", "address", "status code", "body length", "kb body", "sha256", "phishing site", "heur", "cyber threat", "unsafe", "riskware", "phishing", "bank", "service", "artemis", "team", "xtrat", "agent", "xrat", "filetour", "exploit", "conduit", "opencandy", "fusioncore", "orkut", "steam", "genkryptik", "runescape", "presenoker", "ramnit", "msil", "crack", "tofsee", "suppobox", "malicious", "simda", "vawtrak", "hotmail", "generic", "webtoolbar", "hsbc", "maltiverse", "ip summary", "url summary", "summary", "sample", "samples", "count blacklist", "tag count", "downldr", "cleaner", "iframe", "wacatac", "alexa", "win64", "swrort", "installcore", "azorult", "download", "blacknet rat", "stealer", "softcnapp", "nircmd", "unruy", "patcher", "adload", "dropper", "installpack", "tiggre", "gamehack", "trojanspy", "germany http", "attacker", "static engine", "internet storm", "center", "passive dns", "urls", "scan endpoints", "all search", "otx scoreblue", "url http", "pulse pulses", "http", "related nids" ], "references": [ "https://search.app.goo.gl/?ofl=https://lens.google&al=googleapp://lens?lens_data=KAw&apn=com.google.android.googlequicksearchbox&amv=301204913&isi=284815942&ius=googleapp&ibi=com.goog", "object.prototype.hasownproperty.call", "hasownproperty.call", "a.default.meta.applestore.id", "applestore.id", "http://decafsmob.this.id", "id.google.com", "http://critical-system-failure7250.21ny35098453.com-bm3y-v806d9gk.cricket/", "http://git.io/yBU2rg", "critical-failure-alert2286.40ek97931491.com-4nj1ze3ivfwy.website", "https://fairspin.io/?track_id=44698569&pid=1&geo=6252001&utm_source=bonafides&utm_medium=&utm_campaign=smarttds&utm_term=incorrect_param", "http://tracking.3061331.corn10wuk.club", "http://information.7174932.cakcuk.az/tracking/tracking.php?id=8459701&page=904", "apps.apple.com/us/app/id$", "t.name", "http://e.id?e.id:e.id.getAttribute", "location.search", "https://dnsorangetel.dn2.n-helix.com", "1080p-torrent.ml", "states.app", "dev-2.ernestatech.com", "https://hybrid-analysis.com/sample/d26000dfe1137f05f9187996dc752a703000402fe9e35a8ea216e9215a34560d", "209.85.145.113 [malware]", "cdn.fuckporntube.com", "www.search.app.goo.gl", "apps.apple.com", "http://www.youtube.com/gen_204?cplatform=tablet&c=android&cver=5.6.36&cos=Android&cosver=4.4.2&cbr=com.google.android.youtube&cbrv", "https://coloradosprings.americanlisted.com/pets-animals/beautiful-ragdoll-kittens_31591993.html", "globalworker1.sol.us", "worker-m-tlcus1.sol.us" ], "public": 1, "adversary": "", "targeted_countries": [ "United States of America", "Germany", "Ireland", "Singapore" ], "malware_families": [ { "id": "WebToolbar", "display_name": "WebToolbar", "target": null }, { "id": "HSBC", "display_name": "HSBC", "target": null }, { "id": "Maltiverse", "display_name": "Maltiverse", "target": null }, { "id": "GameHack", "display_name": "GameHack", "target": null }, { "id": "TrojanSpy", "display_name": "TrojanSpy", "target": null } ], "attack_ids": [ { "id": "T1041", "name": "Exfiltration Over C2 Channel", "display_name": "T1041 - Exfiltration Over C2 Channel" }, { "id": "T1059", "name": "Command and Scripting Interpreter", "display_name": "T1059 - Command and Scripting Interpreter" }, { "id": "T1071", "name": "Application Layer Protocol", "display_name": "T1071 - Application Layer Protocol" }, { "id": "T1105", "name": "Ingress Tool Transfer", "display_name": "T1105 - Ingress Tool Transfer" }, { "id": "T1114", "name": "Email Collection", "display_name": "T1114 - Email Collection" }, { "id": "T1497", "name": "Virtualization/Sandbox Evasion", "display_name": "T1497 - Virtualization/Sandbox Evasion" }, { "id": "T1059.007", "name": "JavaScript", "display_name": "T1059.007 - JavaScript" }, { "id": "TA0004", "name": "Privilege Escalation", "display_name": "TA0004 - Privilege Escalation" }, { "id": "T1210", "name": "Exploitation of Remote Services", "display_name": "T1210 - Exploitation of Remote Services" }, { "id": "T1071.001", "name": "Web Protocols", "display_name": "T1071.001 - Web Protocols" }, { "id": "T1071.004", "name": "DNS", "display_name": "T1071.004 - DNS" }, { "id": "T1055", "name": "Process Injection", "display_name": "T1055 - Process Injection" }, { "id": "T1496", "name": "Resource Hijacking", "display_name": "T1496 - Resource Hijacking" }, { "id": "T1176", "name": "Browser Extensions", "display_name": "T1176 - Browser Extensions" }, { "id": "T1027", "name": "Obfuscated Files or Information", "display_name": "T1027 - Obfuscated Files or Information" } ], "industries": [], "TLP": "white", "cloned_from": null, "export_count": 33, "upvotes_count": 0, "downvotes_count": 0, "votes_count": 0, "locked": false, "pulse_source": "web", "validator_count": 0, "comment_count": 0, "follower_count": 0, "vote": 0, "author": { "username": "scoreblue", "id": "254100", "avatar_url": "/otxapi/users/avatar_image/media/avatars/user_254100/resized/80/avatar_3b9c358f36.png", "is_subscribed": false, "is_following": false }, "indicator_type_counts": { "domain": 1015, "hostname": 1309, "FileHash-MD5": 466, "FileHash-SHA1": 255, "FileHash-SHA256": 3783, "URL": 4001, "CVE": 9, "email": 3 }, "indicator_count": 10841, "is_author": false, "is_subscribing": null, "subscriber_count": 229, "modified_text": "867 days ago ", "is_modified": true, "groups": [], "in_group": false, "threat_hunter_scannable": true, "threat_hunter_has_agents": 1, "related_indicator_type": "domain", "related_indicator_is_active": 1 }, { "id": "656a97db9134b17c1f6d845b", "name": "DeepScan:Generic.Ransom.GandCrab5", "description": "", "modified": "2023-12-02T02:35:07.890000", "created": "2023-12-02T02:35:07.890000", "tags": [ "cisco umbrella", "site", "safe site", "detection list", "blacklist", "million", "malicious url", "maltiverse", "heuristic", "redirme", "exploit", "malware", "team", "microsoft", "urlhttps", "blacklist https", "noname057", "threat report", "ip summary", "url summary", "summary", "sample", "samples", "hacktool", "arkeistealer", "mail spammer", "united", "germany", "opencandy", "proxy", "firehol", "alexa top", "phishing site", "malicious site", "malware site", "alexa", "phishing", "iframe", "downldr", "agent", "presenoker", "riskware", "unsafe", "artemis", "bank", "cve201711882", "tag count", "cyber threat", "httponly", "samesitenone", "http response", "final url", "ip address", "status code", "body length", "kb body", "sha256", "headers", "pragma", "contacted urls", "ssl certificate", "whois record", "xmodeargs", "whois whois", "xdpid1203", "xpubid10839", "september", "tsara brashears", "collection", "emotet", "malicious", "critical", "copy", "installer", "banker", "keylogger", "heur", "filerepmetagen", "suspected", "adware", "acint", "nircmd", "swrort", "systweak", "behav", "crack", "tiggre", "genkryptik", "filetour", "cleaner", "conduit", "wacatac", "trojanspy", "webtoolbar" ], "references": [], "public": 1, "adversary": "", "targeted_countries": [], "malware_families": [ { "id": "TrojanSpy", "display_name": "TrojanSpy", "target": null }, { "id": "WebToolbar", "display_name": "WebToolbar", "target": null } ], "attack_ids": [ { "id": "T1027", "name": "Obfuscated Files or Information", "display_name": "T1027 - Obfuscated Files or Information" }, { "id": "T1140", "name": "Deobfuscate/Decode Files or Information", "display_name": "T1140 - Deobfuscate/Decode Files or Information" } ], "industries": [], "TLP": "green", "cloned_from": "6541df216e018a0bce63e2a3", "export_count": 8, "upvotes_count": 0, "downvotes_count": 0, "votes_count": 0, "locked": false, "pulse_source": "web", "validator_count": 0, "comment_count": 0, "follower_count": 0, "vote": 0, "author": { "username": "scoreblue", "id": "254100", "avatar_url": "/otxapi/users/avatar_image/media/avatars/user_254100/resized/80/avatar_3b9c358f36.png", "is_subscribed": false, "is_following": false }, "indicator_type_counts": { "URL": 2559, "CVE": 6, "FileHash-MD5": 582, "FileHash-SHA1": 353, "FileHash-SHA256": 3232, "hostname": 826, "domain": 206, "URI": 1 }, "indicator_count": 7765, "is_author": false, "is_subscribing": null, "subscriber_count": 227, "modified_text": "870 days ago ", "is_modified": false, "groups": [], "in_group": false, "threat_hunter_scannable": true, "threat_hunter_has_agents": 1, "related_indicator_type": "domain", "related_indicator_is_active": 1 }, { "id": "6545a25d60272bac5827f2fc", "name": "TrojanSpy", "description": "", "modified": "2023-12-01T04:05:20.963000", "created": "2023-11-04T01:46:05.174000", "tags": [ "cisco umbrella", "site", "safe site", "detection list", "blacklist", "million", "malicious url", "maltiverse", "heuristic", "redirme", "exploit", "malware", "team", "microsoft", "urlhttps", "blacklist https", "noname057", "threat report", "ip summary", "url summary", "summary", "sample", "samples", "hacktool", "arkeistealer", "mail spammer", "united", "germany", "opencandy", "proxy", "firehol", "alexa top", "phishing site", "malicious site", "malware site", "alexa", "phishing", "iframe", "downldr", "agent", "presenoker", "riskware", "unsafe", "artemis", "bank", "cve201711882", "tag count", "cyber threat", "httponly", "samesitenone", "http response", "final url", "ip address", "status code", "body length", "kb body", "sha256", "headers", "pragma", "contacted urls", "ssl certificate", "whois record", "xmodeargs", "whois whois", "xdpid1203", "xpubid10839", "september", "tsara brashears", "collection", "emotet", "malicious", "critical", "copy", "installer", "banker", "keylogger", "heur", "filerepmetagen", "suspected", "adware", "acint", "nircmd", "swrort", "systweak", "behav", "crack", "tiggre", "genkryptik", "filetour", "cleaner", "conduit", "wacatac", "trojanspy", "webtoolbar" ], "references": [], "public": 1, "adversary": "", "targeted_countries": [], "malware_families": [ { "id": "TrojanSpy", "display_name": "TrojanSpy", "target": null }, { "id": "WebToolbar", "display_name": "WebToolbar", "target": null } ], "attack_ids": [ { "id": "T1027", "name": "Obfuscated Files or Information", "display_name": "T1027 - Obfuscated Files or Information" }, { "id": "T1140", "name": "Deobfuscate/Decode Files or Information", "display_name": "T1140 - Deobfuscate/Decode Files or Information" } ], "industries": [], "TLP": "green", "cloned_from": "6541e08c81e836438946bbbf", "export_count": 26, "upvotes_count": 0, "downvotes_count": 0, "votes_count": 0, "locked": false, "pulse_source": "web", "validator_count": 0, "comment_count": 0, "follower_count": 0, "vote": 0, "author": { "username": "scoreblue", "id": "254100", "avatar_url": "/otxapi/users/avatar_image/media/avatars/user_254100/resized/80/avatar_3b9c358f36.png", "is_subscribed": false, "is_following": false }, "indicator_type_counts": { "URL": 2559, "CVE": 6, "FileHash-MD5": 582, "FileHash-SHA1": 353, "FileHash-SHA256": 3232, "hostname": 826, "domain": 206, "URI": 1 }, "indicator_count": 7765, "is_author": false, "is_subscribing": null, "subscriber_count": 228, "modified_text": "871 days ago ", "is_modified": true, "groups": [], "in_group": false, "threat_hunter_scannable": true, "threat_hunter_has_agents": 1, "related_indicator_type": "domain", "related_indicator_is_active": 1 }, { "id": "6543350c86e1299dc78bfa90", "name": "this dick", "description": "", "modified": "2023-12-01T04:05:20.963000", "created": "2023-11-02T05:35:08.226000", "tags": [ "cisco umbrella", "site", "safe site", "detection list", "blacklist", "million", "malicious url", "maltiverse", "heuristic", "redirme", "exploit", "malware", "team", "microsoft", "urlhttps", "blacklist https", "noname057", "threat report", "ip summary", "url summary", "summary", "sample", "samples", "hacktool", "arkeistealer", "mail spammer", "united", "germany", "opencandy", "proxy", "firehol", "alexa top", "phishing site", "malicious site", "malware site", "alexa", "phishing", "iframe", "downldr", "agent", "presenoker", "riskware", "unsafe", "artemis", "bank", "cve201711882", "tag count", "cyber threat", "httponly", "samesitenone", "http response", "final url", "ip address", "status code", "body length", "kb body", "sha256", "headers", "pragma", "contacted urls", "ssl certificate", "whois record", "xmodeargs", "whois whois", "xdpid1203", "xpubid10839", "september", "tsara brashears", "collection", "emotet", "malicious", "critical", "copy", "installer", "banker", "keylogger", "heur", "filerepmetagen", "suspected", "adware", "acint", "nircmd", "swrort", "systweak", "behav", "crack", "tiggre", "genkryptik", "filetour", "cleaner", "conduit", "wacatac", "trojanspy", "webtoolbar" ], "references": [], "public": 1, "adversary": "", "targeted_countries": [], "malware_families": [ { "id": "TrojanSpy", "display_name": "TrojanSpy", "target": null }, { "id": "WebToolbar", "display_name": "WebToolbar", "target": null } ], "attack_ids": [ { "id": "T1027", "name": "Obfuscated Files or Information", "display_name": "T1027 - Obfuscated Files or Information" }, { "id": "T1140", "name": "Deobfuscate/Decode Files or Information", "display_name": "T1140 - Deobfuscate/Decode Files or Information" } ], "industries": [], "TLP": "green", "cloned_from": "6541df216e018a0bce63e2a3", "export_count": 21, "upvotes_count": 0, "downvotes_count": 0, "votes_count": 0, "locked": false, "pulse_source": "web", "validator_count": 0, "comment_count": 0, "follower_count": 0, "vote": 0, "author": { "username": "Nicholus33", "id": "76046", "avatar_url": "https://otx.alienvault.com/assets/images/default-avatar.png", "is_subscribed": false, "is_following": false }, "indicator_type_counts": { "URL": 2559, "CVE": 6, "FileHash-MD5": 582, "FileHash-SHA1": 353, "FileHash-SHA256": 3232, "hostname": 826, "domain": 207, "URI": 1 }, "indicator_count": 7766, "is_author": false, "is_subscribing": null, "subscriber_count": 2, "modified_text": "871 days ago ", "is_modified": true, "groups": [], "in_group": false, "threat_hunter_scannable": true, "threat_hunter_has_agents": 1, "related_indicator_type": "domain", "related_indicator_is_active": 1 }, { "id": "6541e08c81e836438946bbbf", "name": "TrojanSpy", "description": "Malicious redirect. Targets individual.\n{*https://mail.greycroft.com/owa/redir.aspx?SURL=a0oI1dvGGkFYUoACVEbN8REVrmfS6H0MhUvXdexgmertl7bBVhrTCGgAdAB0AHAAcwA6AC8ALwB3AHcAdwAuAHAAcgBvAGQAdQBjAHQAaAB1AG4AdAAuAGMAbwBtAC8AdABlAGMAaAAvAGEAbgBpAG0AYQB0AGkAYwA.&URL=https://www.producthunt.com/tech/animatic\n*Redirects to: https://login.microsoftonline.com/jsdisabled}\n(AUTO POPULATED: A full list of findings from the Maltiverse Research Team on Malware and Exploit, as compiled by the National Security Agency (NSA), has been published on the website of Microsoft's website.)", "modified": "2023-12-01T04:05:20.963000", "created": "2023-11-01T05:22:20.519000", "tags": [ "cisco umbrella", "site", "safe site", "detection list", "blacklist", "million", "malicious url", "maltiverse", "heuristic", "redirme", "exploit", "malware", "team", "microsoft", "urlhttps", "blacklist https", "noname057", "threat report", "ip summary", "url summary", "summary", "sample", "samples", "hacktool", "arkeistealer", "mail spammer", "united", "germany", "opencandy", "proxy", "firehol", "alexa top", "phishing site", "malicious site", "malware site", "alexa", "phishing", "iframe", "downldr", "agent", "presenoker", "riskware", "unsafe", "artemis", "bank", "cve201711882", "tag count", "cyber threat", "httponly", "samesitenone", "http response", "final url", "ip address", "status code", "body length", "kb body", "sha256", "headers", "pragma", "contacted urls", "ssl certificate", "whois record", "xmodeargs", "whois whois", "xdpid1203", "xpubid10839", "september", "tsara brashears", "collection", "emotet", "malicious", "critical", "copy", "installer", "banker", "keylogger", "heur", "filerepmetagen", "suspected", "adware", "acint", "nircmd", "swrort", "systweak", "behav", "crack", "tiggre", "genkryptik", "filetour", "cleaner", "conduit", "wacatac", "trojanspy", "webtoolbar" ], "references": [], "public": 1, "adversary": "", "targeted_countries": [], "malware_families": [ { "id": "TrojanSpy", "display_name": "TrojanSpy", "target": null }, { "id": "WebToolbar", "display_name": "WebToolbar", "target": null } ], "attack_ids": [ { "id": "T1027", "name": "Obfuscated Files or Information", "display_name": "T1027 - Obfuscated Files or Information" }, { "id": "T1140", "name": "Deobfuscate/Decode Files or Information", "display_name": "T1140 - Deobfuscate/Decode Files or Information" } ], "industries": [], "TLP": "green", "cloned_from": null, "export_count": 27, "upvotes_count": 0, "downvotes_count": 0, "votes_count": 0, "locked": false, "pulse_source": "web", "validator_count": 0, "comment_count": 0, "follower_count": 0, "vote": 0, "author": { "username": "OctoSeek", "id": "243548", "avatar_url": "/otxapi/users/avatar_image/media/avatars/user_243548/resized/80/avatar_3b9c358f36.png", "is_subscribed": false, "is_following": false }, "indicator_type_counts": { "URL": 2559, "CVE": 6, "FileHash-MD5": 582, "FileHash-SHA1": 353, "FileHash-SHA256": 3232, "hostname": 826, "domain": 206, "URI": 1 }, "indicator_count": 7765, "is_author": false, "is_subscribing": null, "subscriber_count": 221, "modified_text": "871 days ago ", "is_modified": true, "groups": [], "in_group": false, "threat_hunter_scannable": true, "threat_hunter_has_agents": 1, "related_indicator_type": "domain", "related_indicator_is_active": 1 }, { "id": "6541df216e018a0bce63e2a3", "name": "DeepScan:Generic.Ransom.GandCrab5", "description": "Malicious redirect. OWA? Dreaded Canary cookie? I don't know yet. Link affects individuals, corporations and edu's. \n\n{*https://mail.greycroft.com/owa/redir.aspx?SURL=a0oI1dvGGkFYUoACVEbN8REVrmfS6H0MhUvXdexgmertl7bBVhrTCGgAdAB0AHAAcwA6AC8ALwB3AHcAdwAuAHAAcgBvAGQAdQBjAHQAaAB1AG4AdAAuAGMAbwBtAC8AdABlAGMAaAAvAGEAbgBpAG0AYQB0AGkAYwA.&URL=https://www.producthunt.com/tech/animatic\n*Redirects to: https://login.microsoftonline.com/jsdisabled}\n(AUTO POPULATED: A full list of findings from the Maltiverse Research Team on Malware and Exploit, as compiled by the National Security Agency (NSA), has been published on the website of Microsoft's website.)", "modified": "2023-12-01T04:05:20.963000", "created": "2023-11-01T05:16:17.835000", "tags": [ "cisco umbrella", "site", "safe site", "detection list", "blacklist", "million", "malicious url", "maltiverse", "heuristic", "redirme", "exploit", "malware", "team", "microsoft", "urlhttps", "blacklist https", "noname057", "threat report", "ip summary", "url summary", "summary", "sample", "samples", "hacktool", "arkeistealer", "mail spammer", "united", "germany", "opencandy", "proxy", "firehol", "alexa top", "phishing site", "malicious site", "malware site", "alexa", "phishing", "iframe", "downldr", "agent", "presenoker", "riskware", "unsafe", "artemis", "bank", "cve201711882", "tag count", "cyber threat", "httponly", "samesitenone", "http response", "final url", "ip address", "status code", "body length", "kb body", "sha256", "headers", "pragma", "contacted urls", "ssl certificate", "whois record", "xmodeargs", "whois whois", "xdpid1203", "xpubid10839", "september", "tsara brashears", "collection", "emotet", "malicious", "critical", "copy", "installer", "banker", "keylogger", "heur", "filerepmetagen", "suspected", "adware", "acint", "nircmd", "swrort", "systweak", "behav", "crack", "tiggre", "genkryptik", "filetour", "cleaner", "conduit", "wacatac", "trojanspy", "webtoolbar" ], "references": [], "public": 1, "adversary": "", "targeted_countries": [], "malware_families": [ { "id": "TrojanSpy", "display_name": "TrojanSpy", "target": null }, { "id": "WebToolbar", "display_name": "WebToolbar", "target": null } ], "attack_ids": [ { "id": "T1027", "name": "Obfuscated Files or Information", "display_name": "T1027 - Obfuscated Files or Information" }, { "id": "T1140", "name": "Deobfuscate/Decode Files or Information", "display_name": "T1140 - Deobfuscate/Decode Files or Information" } ], "industries": [], "TLP": "green", "cloned_from": null, "export_count": 23, "upvotes_count": 0, "downvotes_count": 0, "votes_count": 0, "locked": false, "pulse_source": "web", "validator_count": 0, "comment_count": 0, "follower_count": 0, "vote": 0, "author": { "username": "OctoSeek", "id": "243548", "avatar_url": "/otxapi/users/avatar_image/media/avatars/user_243548/resized/80/avatar_3b9c358f36.png", "is_subscribed": false, "is_following": false }, "indicator_type_counts": { "URL": 2559, "CVE": 6, "FileHash-MD5": 582, "FileHash-SHA1": 353, "FileHash-SHA256": 3232, "hostname": 826, "domain": 206, "URI": 1 }, "indicator_count": 7765, "is_author": false, "is_subscribing": null, "subscriber_count": 221, "modified_text": "871 days ago ", "is_modified": true, "groups": [], "in_group": false, "threat_hunter_scannable": true, "threat_hunter_has_agents": 1, "related_indicator_type": "domain", "related_indicator_is_active": 1 }, { "id": "653f09785f9ee8aebca2a667", "name": "Remote Access | DeepScan | Dumping | DNS | Internal System Infiltration", "description": "", "modified": "2023-11-26T14:04:04.692000", "created": "2023-10-30T01:40:08.022000", "tags": [ "ssl certificate", "historical ssl", "resolutions", "referrer", "collections", "contacted", "efr1", "parent domain", "amazon 02", "metro", "crypto", "cisco umbrella", "site", "safe site", "heur", "malware", "alexa top", "million", "malicious url", "malware site", "malicious site", "opencandy", "riskware", "unsafe", "phishing", "zbot", "team", "exploit", "agent", "mimikatz", "azorult", "service", "runescape", "facebook", "bank", "download", "downldr", "presenoker", "fusioncore", "cleaner", "wacatac", "artemis", "blacknet rat", "stealer", "trojanspy", "blacklist https", "ip summary", "url summary", "summary", "sample", "samples", "detection list", "blacklist", "count blacklist", "tag count", "tsara brashears", "self", "http response", "final url", "serving ip", "address", "status code", "body length", "kb body", "sha256", "whois record", "contacted urls", "siblings domain", "execution", "goldmax", "goldfinder", "sibot", "emotet", "united", "phishing site", "maltiverse", "adware", "phishtank", "xtrat", "xrat", "redline stealer", "xtreme", "crack", "genkryptik", "deepscan", "win64", "quasar rat", "fareit", "downloader", "trojan", "alexa", "iframe", "cve201711882", "phish", "genpack", "suspicious", "magazine", "applicunwnt", "cobalt strike", "malicious", "pattern match", "file", "web open", "font format", "truetype", "indicator", "windows nt", "ascii text", "mitre att", "ck id", "date", "unknown", "hybrid", "accept", "local", "stream", "click", "strings", "class", "generator", "critical", "error", "pmejdjsu12", "Royal Bank of Scotland", "Phishing Bank of America Corporation", "Phishing Netflix", "Phishing Wells Fargo", "Phishing RuneScape", "Phishing Internal Revenue Service", "Phtarget unspecified phishing", "PAYPAL phishing", "Phishing Indeed", "Phishing eBay, Inc", "PhisSafe", "mobigame", "Phishing Facebook", "remote", "mitm", "tower", "worm", "firm", "privilege", "attacker", "monitoring", "cyber threat", "apple", "illegal", "DNS_PROBE_STARTED", "insurance", "revenge", "legal entities", "https://boxofporn.com" ], "references": [], "public": 1, "adversary": "[Unnamed group]", "targeted_countries": [ "United States of America" ], "malware_families": [ { "id": "TrojanSpy", "display_name": "TrojanSpy", "target": null }, { "id": "Trojan.Hotkeychick", "display_name": "Trojan.Hotkeychick", "target": null }, { "id": "CVE Exploits", "display_name": "CVE Exploits", "target": null }, { "id": "Emotet", "display_name": "Emotet", "target": null }, { "id": "Generic.ASMalwS", "display_name": "Generic.ASMalwS", "target": null }, { "id": "HackTool.CheatEngine", "display_name": "HackTool.CheatEngine", "target": null }, { "id": "HackTool.BruteForce", "display_name": "HackTool.BruteForce", "target": null }, { "id": "Virus.Sality", "display_name": "Virus.Sality", "target": null }, { "id": "W32.Malware", "display_name": "W32.Malware", "target": null }, { "id": "TSGeneric", "display_name": "TSGeneric", "target": null }, { "id": "Trojan.OTNR", "display_name": "Trojan.OTNR", "target": null }, { "id": "Zbot", "display_name": "Zbot", "target": null }, { "id": "RedLine Stealer", "display_name": "RedLine Stealer", "target": null }, { "id": "Quasar RAT", "display_name": "Quasar RAT", "target": null }, { "id": "BlackNET RAT", "display_name": "BlackNET RAT", "target": null }, { "id": "Mimikatz - S0002", "display_name": "Mimikatz - S0002", "target": null }, { "id": "GoldFinder", "display_name": "GoldFinder", "target": null }, { "id": "GoldMax - S0588", "display_name": "GoldMax - S0588", "target": null }, { "id": "Cobalt Strike", "display_name": "Cobalt Strike", "target": null }, { "id": "Sibot", "display_name": "Sibot", "target": null }, { "id": "Downloader.OpenCandy", "display_name": "Downloader.OpenCandy", "target": null }, { "id": "Azorult", "display_name": "Azorult", "target": null }, { "id": "WebToolbar", "display_name": "WebToolbar", "target": null }, { "id": "GoogleToolbar", "display_name": "GoogleToolbar", "target": null }, { "id": "BScope.Adware.MSIL", "display_name": "BScope.Adware.MSIL", "target": null }, { "id": "Application.Auslogics", "display_name": "Application.Auslogics", "target": null }, { "id": "PE.Heur", "display_name": "PE.Heur", "target": null }, { "id": "Gen:Variant.Application.Bundler.DownloadGuide", "display_name": "Gen:Variant.Application.Bundler.DownloadGuide", "target": null }, { "id": "Trojan:Win32/Xtrat", "display_name": "Trojan:Win32/Xtrat", "target": "/malware/Trojan:Win32/Xtrat" }, { "id": "Xtreme RAT", "display_name": "Xtreme RAT", "target": null }, { "id": "ML.Attribute", "display_name": "ML.Attribute", "target": null }, { "id": "AGEN.1045143", "display_name": "AGEN.1045143", "target": null }, { "id": "Hoax.DeceptPCClean", "display_name": "Hoax.DeceptPCClean", "target": null }, { "id": "Packed.Themida", "display_name": "Packed.Themida", "target": null }, { "id": "MSIL_Bladabindi.G.gen", "display_name": "MSIL_Bladabindi.G.gen", "target": null }, { "id": "Gen:NN.ZexaF.34090", "display_name": "Gen:NN.ZexaF.34090", "target": null }, { "id": "Unsafe.AI_Score_95% 2", "display_name": "Unsafe.AI_Score_95% 2", "target": null }, { "id": "BScope.Trojan", "display_name": "BScope.Trojan", "target": null }, { "id": "JS:Trojan.HideLink 2", "display_name": "JS:Trojan.HideLink 2", "target": null }, { "id": "Gen:Variant.Symmi", "display_name": "Gen:Variant.Symmi", "target": null }, { "id": "Gen:Heur.MSIL.Inject", "display_name": "Gen:Heur.MSIL.Inject", "target": null }, { "id": "Application.BitCoinMiner", "display_name": "Application.BitCoinMiner", "target": null }, { "id": "WebToolbar.Asparnet", "display_name": "WebToolbar.Asparnet", "target": null }, { "id": "W32.HfsAutoB", "display_name": "W32.HfsAutoB", "target": null }, { "id": "Gen:Variant.Ursu", "display_name": "Gen:Variant.Ursu", "target": null }, { "id": "HW32.Packed", "display_name": "HW32.Packed", "target": null }, { "id": "Application.Deceptor", "display_name": "Application.Deceptor", "target": null }, { "id": "Backdoor.Androm", "display_name": "Backdoor.Androm", "target": null }, { "id": "HEUR:Hoax.PCFixer", "display_name": "HEUR:Hoax.PCFixer", "target": null }, { "id": "Gen:Variant.Jacard", "display_name": "Gen:Variant.Jacard", "target": null }, { "id": "Tool.Patcher", "display_name": "Tool.Patcher", "target": null }, { "id": "Trojan.Khalesi 2\tAdware 2", "display_name": "Trojan.Khalesi 2\tAdware 2", "target": null }, { "id": "RiskWare.HackTool.Agent", "display_name": "RiskWare.HackTool.Agent", "target": null }, { "id": "Unsafe.AI_Score_94%", "display_name": "Unsafe.AI_Score_94%", "target": null }, { "id": "Trojan.WisdomEyes.16070401.9500", "display_name": "Trojan.WisdomEyes.16070401.9500", "target": null }, { "id": "RiskWare.Crack", "display_name": "RiskWare.Crack", "target": null }, { "id": "Gen:Variant.Bulz", "display_name": "Gen:Variant.Bulz", "target": null }, { "id": "VB:Trojan.Valyria", "display_name": "VB:Trojan.Valyria", "target": null }, { "id": "TrojanBanker.Banbra", "display_name": "TrojanBanker.Banbra", "target": null }, { "id": "DriverReviver.A potentially unwanted", "display_name": "DriverReviver.A potentially unwanted", "target": null }, { "id": "Warezov.gen3", "display_name": "Warezov.gen3", "target": null }, { "id": "JS:Trojan.Clicker", "display_name": "JS:Trojan.Clicker", "target": null }, { "id": "Nemucod.21C8", "display_name": "Nemucod.21C8", "target": null }, { "id": "Asparnet.P", "display_name": "Asparnet.P", "target": null }, { "id": "InstallCore.Gen7", "display_name": "InstallCore.Gen7", "target": null }, { "id": "CsQKHtaAI", "display_name": "CsQKHtaAI", "target": null }, { "id": "Clicker.VB", "display_name": "Clicker.VB", "target": null }, { "id": "Exploit.Zip.Heuristic", "display_name": "Exploit.Zip.Heuristic", "target": null }, { "id": "Trojan.Ransom.GandCrab", "display_name": "Trojan.Ransom.GandCrab", "target": null }, { "id": "ScrInject.B", "display_name": "ScrInject.B", "target": null }, { "id": "ScrInject.eric", "display_name": "ScrInject.eric", "target": null }, { "id": "HEUR:Trojan.Diztakun", "display_name": "HEUR:Trojan.Diztakun", "target": null }, { "id": "Agent.OCJ", "display_name": "Agent.OCJ", "target": null }, { "id": "Vdehu.A", "display_name": "Vdehu.A", "target": null }, { "id": "Hacktool.Crack", "display_name": "Hacktool.Crack", "target": null }, { "id": "Backdoor.DTR.15", "display_name": "Backdoor.DTR.15", "target": null }, { "id": "Freemake.A potentially unwanted", "display_name": "Freemake.A potentially unwanted", "target": null }, { "id": "Absolute Uninstaller", "display_name": "Absolute Uninstaller", "target": null }, { "id": "HTML:Script", "display_name": "HTML:Script", "target": null }, { "id": "Trojan.Small", "display_name": "Trojan.Small", "target": null }, { "id": "HackTool.Crack", "display_name": "HackTool.Crack", "target": null }, { "id": "Generic.Application.JS.Sobrab.1", "display_name": "Generic.Application.JS.Sobrab.1", "target": null }, { "id": "Trojan.Rozena", "display_name": "Trojan.Rozena", "target": null }, { "id": "Trojan.Downloader", "display_name": "Trojan.Downloader", "target": null }, { "id": "Trojan.Bayrob", "display_name": "Trojan.Bayrob", "target": null }, { "id": "Adware.OxyPumper", "display_name": "Adware.OxyPumper", "target": null }, { "id": "Worm.Chir", "display_name": "Worm.Chir", "target": null }, { "id": "Trojan.Linux.Generic", "display_name": "Trojan.Linux.Generic", "target": null }, { "id": "Trojan.Ransom.GenericKD", "display_name": "Trojan.Ransom.GenericKD", "target": null }, { "id": "Heur.BZC.YAX.Boxter.819", "display_name": "Heur.BZC.YAX.Boxter.819", "target": null }, { "id": "Faceliker.D", "display_name": "Faceliker.D", "target": null }, { "id": "Adware", "display_name": "Adware", "target": null }, { "id": "DeepScan:Generic.BrResMon.1", "display_name": "DeepScan:Generic.BrResMon.1", "target": null }, { "id": "Adware.KuziTui", "display_name": "Adware.KuziTui", "target": null }, { "id": "Trojan.Brsecmon", "display_name": "Trojan.Brsecmon", "target": null }, { "id": "SigRiskware.LespeedTechnologyLtd", "display_name": "SigRiskware.LespeedTechnologyLtd", "target": null }, { "id": "Doplik.J", "display_name": "Doplik.J", "target": null }, { "id": "Backdoor.Nhopro", "display_name": "Backdoor.Nhopro", "target": null }, { "id": "TrojanBanker.Banbra", "display_name": "TrojanBanker.Banbra", "target": null }, { "id": "Gen:NN.ZemsilF.32515", "display_name": "Gen:NN.ZemsilF.32515", "target": null }, { "id": "Downware", "display_name": "Downware", "target": null }, { "id": "MxResIcn.Heur", "display_name": "MxResIcn.Heur", "target": null }, { "id": "Mimikatz", "display_name": "Mimikatz", "target": null }, { "id": "Magazine phishing", "display_name": "Magazine phishing", "target": null }, { "id": "ApplicUnwnt@#2n6\tIRS", "display_name": "ApplicUnwnt@#2n6\tIRS", "target": null }, { "id": "TEL:Trojan:HTML/Phishing", "display_name": "TEL:Trojan:HTML/Phishing", "target": null }, { "id": "DriverReviver.A potentially unwanted", "display_name": "DriverReviver.A potentially unwanted", "target": null }, { "id": "Trojan.GandCrypt", "display_name": "Trojan.GandCrypt", "target": null }, { "id": "Redirector.AN", "display_name": "Redirector.AN", "target": null }, { "id": "Agent.CUX.gen", "display_name": "Agent.CUX.gen", "target": null }, { "id": "Gen:Variant.Application.Bundler", "display_name": "Gen:Variant.Application.Bundler", "target": null }, { "id": "Downloader.Generic", "display_name": "Downloader.Generic", "target": null }, { "id": "Trojan.ClipBanker", "display_name": "Trojan.ClipBanker", "target": null }, { "id": "TrojanDropper.Autit", "display_name": "TrojanDropper.Autit", "target": null }, { "id": "Dropper.Trojan.Agent", "display_name": "Dropper.Trojan.Agent", "target": null }, { "id": "QVM05.1.08E5.Malware", "display_name": "QVM05.1.08E5.Malware", "target": null }, { "id": "Trojan.CookiesStealer", "display_name": "Trojan.CookiesStealer", "target": null }, { "id": "Agent.MU", "display_name": "Agent.MU", "target": null }, { "id": "Wacatac.B", "display_name": "Wacatac.B", "target": null }, { "id": "Dropper.Gen", "display_name": "Dropper.Gen", "target": null }, { "id": "WiseCleaner.A potentially unwanted", "display_name": "WiseCleaner.A potentially unwanted", "target": null }, { "id": "Gen:Heur.MSIL.Androm", "display_name": "Gen:Heur.MSIL.Androm", "target": null }, { "id": "Gen:NN.ZemsilF.34170", "display_name": "Gen:NN.ZemsilF.34170", "target": null }, { "id": "Gen:Variant.MSILHeracles", "display_name": "Gen:Variant.MSILHeracles", "target": null }, { "id": "Trojan.DownLoader33", "display_name": "Trojan.DownLoader33", "target": null }, { "id": "Trojan.MSIL", "display_name": "Trojan.MSIL", "target": null }, { "id": "Program.Freemake", "display_name": "Program.Freemake", "target": null }, { "id": "Kryptik.dawvk", "display_name": "Kryptik.dawvk", "target": null }, { "id": "AdwareSig [Adw]", "display_name": "AdwareSig [Adw]", "target": null }, { "id": "Phishing JPMorgan Chase and Co.", "display_name": "Phishing JPMorgan Chase and Co.", "target": null }, { "id": "Adware.BrowseFoxCRTD", "display_name": "Adware.BrowseFoxCRTD", "target": null }, { "id": "Suspici.1F4405D1", "display_name": "Suspici.1F4405D1", "target": null }, { "id": "PUA.Wombat", "display_name": "PUA.Wombat", "target": null }, { "id": "AdWare.DealPly", "display_name": "AdWare.DealPly", "target": null }, { "id": "Injector.CUAM", "display_name": "Injector.CUAM", "target": null }, { "id": "Downldr.gen", "display_name": "Downldr.gen", "target": null }, { "id": "Troj_Gen.F04IE00CI19", "display_name": "Troj_Gen.F04IE00CI19", "target": null }, { "id": "Worm.Autorun", "display_name": "Worm.Autorun", "target": null }, { "id": "Worm.Boychi", "display_name": "Worm.Boychi", "target": null }, { "id": "Worm.Allaple", "display_name": "Worm.Allaple", "target": null }, { "id": "CVE-2014-3153", "display_name": "CVE-2014-3153", "target": null }, { "id": "BehavesLike.ICLoader", "display_name": "BehavesLike.ICLoader", "target": null }, { "id": "BScope.Backdoor", "display_name": "BScope.Backdoor", "target": null }, { "id": "Trojan.WIN32.PDF.Alien", "display_name": "Trojan.WIN32.PDF.Alien", "target": null }, { "id": "PUP.Systweak", "display_name": "PUP.Systweak", "target": null }, { "id": "Sabsik.FL.B", "display_name": "Sabsik.FL.B", "target": null }, { "id": "malicious.f01f67", "display_name": "malicious.f01f67", "target": null }, { "id": "AGEN.1144657", "display_name": "AGEN.1144657", "target": null }, { "id": "Gen:Variant.Tedy HackTool.VulnDriver", "display_name": "Gen:Variant.Tedy HackTool.VulnDriver", "target": null }, { "id": "Backdoor.Predator", "display_name": "Backdoor.Predator", "target": null }, { "id": "Kryptik.GKQR", "display_name": "Kryptik.GKQR", "target": null }, { "id": "DarkKomet.ife", "display_name": "DarkKomet.ife", "target": null }, { "id": "BehavesLike.Downloader", "display_name": "BehavesLike.Downloader", "target": null }, { "id": "Trojan.JS.Iframe", "display_name": "Trojan.JS.Iframe", "target": null }, { "id": "InstallCore.NP", "display_name": "InstallCore.NP", "target": null }, { "id": "Generic.JS.BlackHole", "display_name": "Generic.JS.BlackHole", "target": null }, { "id": "Dropper.Wanna", "display_name": "Dropper.Wanna", "target": null }, { "id": "Remote Utilities", "display_name": "Remote Utilities", "target": null }, { "id": "W32.InstallCore.AGX", "display_name": "W32.InstallCore.AGX", "target": null }, { "id": "NetTool.RemoteExec", "display_name": "NetTool.RemoteExec", "target": null }, { "id": "Bondat.A", "display_name": "Bondat.A", "target": null }, { "id": "VM201.0.B70B.Malware", "display_name": "VM201.0.B70B.Malware", "target": null }, { "id": "Riskware.NetFilter", "display_name": "Riskware.NetFilter", "target": null }, { "id": "Infected.WebPage", "display_name": "Infected.WebPage", "target": null }, { "id": "HEUR:Exploit.Script", "display_name": "HEUR:Exploit.Script", "target": null }, { "id": "BScope.TrojanDownloader", "display_name": "BScope.TrojanDownloader", "target": null }, { "id": "HTML:RedirBA", "display_name": "HTML:RedirBA", "target": null }, { "id": "Trojan.BAT.Qhost", "display_name": "Trojan.BAT.Qhost", "target": null }, { "id": "HTML:RedirME", "display_name": "HTML:RedirME", "target": null }, { "id": "TrojWare.JS.AdWare.Agent", "display_name": "TrojWare.JS.AdWare.Agent", "target": null }, { "id": "Packed.Dico", "display_name": "Packed.Dico", "target": null } ], "attack_ids": [ { "id": "T1027", "name": "Obfuscated Files or Information", "display_name": "T1027 - Obfuscated Files or Information" }, { "id": "T1041", "name": "Exfiltration Over C2 Channel", "display_name": "T1041 - Exfiltration Over C2 Channel" }, { "id": "T1059", "name": "Command and Scripting Interpreter", "display_name": "T1059 - Command and Scripting Interpreter" }, { "id": "T1071", "name": "Application Layer Protocol", "display_name": "T1071 - Application Layer Protocol" }, { "id": "T1105", "name": "Ingress Tool Transfer", "display_name": "T1105 - Ingress Tool Transfer" }, { "id": "T1114", "name": "Email Collection", "display_name": "T1114 - Email Collection" }, { "id": "T1560", "name": "Archive Collected Data", "display_name": "T1560 - Archive Collected Data" }, { "id": "T1059.007", "name": "JavaScript", "display_name": "T1059.007 - JavaScript" }, { "id": "T1449", "name": "Exploit SS7 to Redirect Phone Calls/SMS", "display_name": "T1449 - Exploit SS7 to Redirect Phone Calls/SMS" }, { "id": "TA0011", "name": "Command and Control", "display_name": "TA0011 - Command and Control" }, { "id": "T1056.001", "name": "Keylogging", "display_name": "T1056.001 - Keylogging" }, { "id": "T1071.002", "name": "File Transfer Protocols", "display_name": "T1071.002 - File Transfer Protocols" }, { "id": "T1071.001", "name": "Web Protocols", "display_name": "T1071.001 - Web Protocols" }, { "id": "T1071.004", "name": "DNS", "display_name": "T1071.004 - DNS" }, { "id": "T1491.001", "name": "Internal Defacement", "display_name": "T1491.001 - Internal Defacement" }, { "id": "T1003", "name": "OS Credential Dumping", "display_name": "T1003 - OS Credential Dumping" }, { "id": "T1485", "name": "Data Destruction", "display_name": "T1485 - Data Destruction" }, { "id": "T1210", "name": "Exploitation of Remote Services", "display_name": "T1210 - Exploitation of Remote Services" }, { "id": "T1068", "name": "Exploitation for Privilege Escalation", "display_name": "T1068 - Exploitation for Privilege Escalation" }, { "id": "T1602.001", "name": "SNMP (MIB Dump)", "display_name": "T1602.001 - SNMP (MIB Dump)" } ], "industries": [], "TLP": "white", "cloned_from": "653bf3b076e4dbcd0c099992", "export_count": 28, "upvotes_count": 0, "downvotes_count": 0, "votes_count": 0, "locked": false, "pulse_source": "web", "validator_count": 0, "comment_count": 0, "follower_count": 0, "vote": 0, "author": { "username": "OctoSeek", "id": "243548", "avatar_url": "/otxapi/users/avatar_image/media/avatars/user_243548/resized/80/avatar_3b9c358f36.png", "is_subscribed": false, "is_following": false }, "indicator_type_counts": { "FileHash-MD5": 1695, "FileHash-SHA1": 756, "FileHash-SHA256": 2029, "domain": 290, "URL": 1854, "hostname": 568, "CVE": 5 }, "indicator_count": 7197, "is_author": false, "is_subscribing": null, "subscriber_count": 219, "modified_text": "875 days ago ", "is_modified": true, "groups": [], "in_group": false, "threat_hunter_scannable": true, "threat_hunter_has_agents": 1, "related_indicator_type": "domain", "related_indicator_is_active": 1 }, { "id": "653bf3b076e4dbcd0c099992", "name": "Remote Access | DeepScan | Dumping | DNS | Internal System Infiltration", "description": "DeepScan run (absolute overkill). I witnessed excessive data use, device is completely practically unusable, many black pages, denial of most services. CNC. Browser bar became a malicious app that returns 0 searches. Attack directed towards my devices.\nNo stone left unturned. Passwords taken. Apps installed to device Covered can on device takes pictures/flash at will. Evasive. Very talented hackers. \nBravo! Very intrusive. Constantly attacking.\nTarget: Tsara Brashears and researcher", "modified": "2023-11-26T14:04:04.692000", "created": "2023-10-27T17:30:24.926000", "tags": [ "ssl certificate", "historical ssl", "resolutions", "referrer", "collections", "contacted", "efr1", "parent domain", "amazon 02", "metro", "crypto", "cisco umbrella", "site", "safe site", "heur", "malware", "alexa top", "million", "malicious url", "malware site", "malicious site", "opencandy", "riskware", "unsafe", "phishing", "zbot", "team", "exploit", "agent", "mimikatz", "azorult", "service", "runescape", "facebook", "bank", "download", "downldr", "presenoker", "fusioncore", "cleaner", "wacatac", "artemis", "blacknet rat", "stealer", "trojanspy", "blacklist https", "ip summary", "url summary", "summary", "sample", "samples", "detection list", "blacklist", "count blacklist", "tag count", "tsara brashears", "self", "http response", "final url", "serving ip", "address", "status code", "body length", "kb body", "sha256", "whois record", "contacted urls", "siblings domain", "execution", "goldmax", "goldfinder", "sibot", "emotet", "united", "phishing site", "maltiverse", "adware", "phishtank", "xtrat", "xrat", "redline stealer", "xtreme", "crack", "genkryptik", "deepscan", "win64", "quasar rat", "fareit", "downloader", "trojan", "alexa", "iframe", "cve201711882", "phish", "genpack", "suspicious", "magazine", "applicunwnt", "cobalt strike", "malicious", "pattern match", "file", "web open", "font format", "truetype", "indicator", "windows nt", "ascii text", "mitre att", "ck id", "date", "unknown", "hybrid", "accept", "local", "stream", "click", "strings", "class", "generator", "critical", "error", "pmejdjsu12", "Royal Bank of Scotland", "Phishing Bank of America Corporation", "Phishing Netflix", "Phishing Wells Fargo", "Phishing RuneScape", "Phishing Internal Revenue Service", "Phtarget unspecified phishing", "PAYPAL phishing", "Phishing Indeed", "Phishing eBay, Inc", "PhisSafe", "mobigame", "Phishing Facebook", "remote", "mitm", "tower", "worm", "firm", "privilege", "attacker", "monitoring", "cyber threat", "apple", "illegal", "DNS_PROBE_STARTED", "insurance", "revenge", "legal entities", "https://boxofporn.com" ], "references": [], "public": 1, "adversary": "[Unnamed group]", "targeted_countries": [ "United States of America" ], "malware_families": [ { "id": "TrojanSpy", "display_name": "TrojanSpy", "target": null }, { "id": "Trojan.Hotkeychick", "display_name": "Trojan.Hotkeychick", "target": null }, { "id": "CVE Exploits", "display_name": "CVE Exploits", "target": null }, { "id": "Emotet", "display_name": "Emotet", "target": null }, { "id": "Generic.ASMalwS", "display_name": "Generic.ASMalwS", "target": null }, { "id": "HackTool.CheatEngine", "display_name": "HackTool.CheatEngine", "target": null }, { "id": "HackTool.BruteForce", "display_name": "HackTool.BruteForce", "target": null }, { "id": "Virus.Sality", "display_name": "Virus.Sality", "target": null }, { "id": "W32.Malware", "display_name": "W32.Malware", "target": null }, { "id": "TSGeneric", "display_name": "TSGeneric", "target": null }, { "id": "Trojan.OTNR", "display_name": "Trojan.OTNR", "target": null }, { "id": "Zbot", "display_name": "Zbot", "target": null }, { "id": "RedLine Stealer", "display_name": "RedLine Stealer", "target": null }, { "id": "Quasar RAT", "display_name": "Quasar RAT", "target": null }, { "id": "BlackNET RAT", "display_name": "BlackNET RAT", "target": null }, { "id": "Mimikatz - S0002", "display_name": "Mimikatz - S0002", "target": null }, { "id": "GoldFinder", "display_name": "GoldFinder", "target": null }, { "id": "GoldMax - S0588", "display_name": "GoldMax - S0588", "target": null }, { "id": "Cobalt Strike", "display_name": "Cobalt Strike", "target": null }, { "id": "Sibot", "display_name": "Sibot", "target": null }, { "id": "Downloader.OpenCandy", "display_name": "Downloader.OpenCandy", "target": null }, { "id": "Azorult", "display_name": "Azorult", "target": null }, { "id": "WebToolbar", "display_name": "WebToolbar", "target": null }, { "id": "GoogleToolbar", "display_name": "GoogleToolbar", "target": null }, { "id": "BScope.Adware.MSIL", "display_name": "BScope.Adware.MSIL", "target": null }, { "id": "Application.Auslogics", "display_name": "Application.Auslogics", "target": null }, { "id": "PE.Heur", "display_name": "PE.Heur", "target": null }, { "id": "Gen:Variant.Application.Bundler.DownloadGuide", "display_name": "Gen:Variant.Application.Bundler.DownloadGuide", "target": null }, { "id": "Trojan:Win32/Xtrat", "display_name": "Trojan:Win32/Xtrat", "target": "/malware/Trojan:Win32/Xtrat" }, { "id": "Xtreme RAT", "display_name": "Xtreme RAT", "target": null }, { "id": "ML.Attribute", "display_name": "ML.Attribute", "target": null }, { "id": "AGEN.1045143", "display_name": "AGEN.1045143", "target": null }, { "id": "Hoax.DeceptPCClean", "display_name": "Hoax.DeceptPCClean", "target": null }, { "id": "Packed.Themida", "display_name": "Packed.Themida", "target": null }, { "id": "MSIL_Bladabindi.G.gen", "display_name": "MSIL_Bladabindi.G.gen", "target": null }, { "id": "Gen:NN.ZexaF.34090", "display_name": "Gen:NN.ZexaF.34090", "target": null }, { "id": "Unsafe.AI_Score_95% 2", "display_name": "Unsafe.AI_Score_95% 2", "target": null }, { "id": "BScope.Trojan", "display_name": "BScope.Trojan", "target": null }, { "id": "JS:Trojan.HideLink 2", "display_name": "JS:Trojan.HideLink 2", "target": null }, { "id": "Gen:Variant.Symmi", "display_name": "Gen:Variant.Symmi", "target": null }, { "id": "Gen:Heur.MSIL.Inject", "display_name": "Gen:Heur.MSIL.Inject", "target": null }, { "id": "Application.BitCoinMiner", "display_name": "Application.BitCoinMiner", "target": null }, { "id": "WebToolbar.Asparnet", "display_name": "WebToolbar.Asparnet", "target": null }, { "id": "W32.HfsAutoB", "display_name": "W32.HfsAutoB", "target": null }, { "id": "Gen:Variant.Ursu", "display_name": "Gen:Variant.Ursu", "target": null }, { "id": "HW32.Packed", "display_name": "HW32.Packed", "target": null }, { "id": "Application.Deceptor", "display_name": "Application.Deceptor", "target": null }, { "id": "Backdoor.Androm", "display_name": "Backdoor.Androm", "target": null }, { "id": "HEUR:Hoax.PCFixer", "display_name": "HEUR:Hoax.PCFixer", "target": null }, { "id": "Gen:Variant.Jacard", "display_name": "Gen:Variant.Jacard", "target": null }, { "id": "Tool.Patcher", "display_name": "Tool.Patcher", "target": null }, { "id": "Trojan.Khalesi 2\tAdware 2", "display_name": "Trojan.Khalesi 2\tAdware 2", "target": null }, { "id": "RiskWare.HackTool.Agent", "display_name": "RiskWare.HackTool.Agent", "target": null }, { "id": "Unsafe.AI_Score_94%", "display_name": "Unsafe.AI_Score_94%", "target": null }, { "id": "Trojan.WisdomEyes.16070401.9500", "display_name": "Trojan.WisdomEyes.16070401.9500", "target": null }, { "id": "RiskWare.Crack", "display_name": "RiskWare.Crack", "target": null }, { "id": "Gen:Variant.Bulz", "display_name": "Gen:Variant.Bulz", "target": null }, { "id": "VB:Trojan.Valyria", "display_name": "VB:Trojan.Valyria", "target": null }, { "id": "TrojanBanker.Banbra", "display_name": "TrojanBanker.Banbra", "target": null }, { "id": "DriverReviver.A potentially unwanted", "display_name": "DriverReviver.A potentially unwanted", "target": null }, { "id": "Warezov.gen3", "display_name": "Warezov.gen3", "target": null }, { "id": "JS:Trojan.Clicker", "display_name": "JS:Trojan.Clicker", "target": null }, { "id": "Nemucod.21C8", "display_name": "Nemucod.21C8", "target": null }, { "id": "Asparnet.P", "display_name": "Asparnet.P", "target": null }, { "id": "InstallCore.Gen7", "display_name": "InstallCore.Gen7", "target": null }, { "id": "CsQKHtaAI", "display_name": "CsQKHtaAI", "target": null }, { "id": "Clicker.VB", "display_name": "Clicker.VB", "target": null }, { "id": "Exploit.Zip.Heuristic", "display_name": "Exploit.Zip.Heuristic", "target": null }, { "id": "Trojan.Ransom.GandCrab", "display_name": "Trojan.Ransom.GandCrab", "target": null }, { "id": "ScrInject.B", "display_name": "ScrInject.B", "target": null }, { "id": "ScrInject.eric", "display_name": "ScrInject.eric", "target": null }, { "id": "HEUR:Trojan.Diztakun", "display_name": "HEUR:Trojan.Diztakun", "target": null }, { "id": "Agent.OCJ", "display_name": "Agent.OCJ", "target": null }, { "id": "Vdehu.A", "display_name": "Vdehu.A", "target": null }, { "id": "Hacktool.Crack", "display_name": "Hacktool.Crack", "target": null }, { "id": "Backdoor.DTR.15", "display_name": "Backdoor.DTR.15", "target": null }, { "id": "Freemake.A potentially unwanted", "display_name": "Freemake.A potentially unwanted", "target": null }, { "id": "Absolute Uninstaller", "display_name": "Absolute Uninstaller", "target": null }, { "id": "HTML:Script", "display_name": "HTML:Script", "target": null }, { "id": "Trojan.Small", "display_name": "Trojan.Small", "target": null }, { "id": "HackTool.Crack", "display_name": "HackTool.Crack", "target": null }, { "id": "Generic.Application.JS.Sobrab.1", "display_name": "Generic.Application.JS.Sobrab.1", "target": null }, { "id": "Trojan.Rozena", "display_name": "Trojan.Rozena", "target": null }, { "id": "Trojan.Downloader", "display_name": "Trojan.Downloader", "target": null }, { "id": "Trojan.Bayrob", "display_name": "Trojan.Bayrob", "target": null }, { "id": "Adware.OxyPumper", "display_name": "Adware.OxyPumper", "target": null }, { "id": "Worm.Chir", "display_name": "Worm.Chir", "target": null }, { "id": "Trojan.Linux.Generic", "display_name": "Trojan.Linux.Generic", "target": null }, { "id": "Trojan.Ransom.GenericKD", "display_name": "Trojan.Ransom.GenericKD", "target": null }, { "id": "Heur.BZC.YAX.Boxter.819", "display_name": "Heur.BZC.YAX.Boxter.819", "target": null }, { "id": "Faceliker.D", "display_name": "Faceliker.D", "target": null }, { "id": "Adware", "display_name": "Adware", "target": null }, { "id": "DeepScan:Generic.BrResMon.1", "display_name": "DeepScan:Generic.BrResMon.1", "target": null }, { "id": "Adware.KuziTui", "display_name": "Adware.KuziTui", "target": null }, { "id": "Trojan.Brsecmon", "display_name": "Trojan.Brsecmon", "target": null }, { "id": "SigRiskware.LespeedTechnologyLtd", "display_name": "SigRiskware.LespeedTechnologyLtd", "target": null }, { "id": "Doplik.J", "display_name": "Doplik.J", "target": null }, { "id": "Backdoor.Nhopro", "display_name": "Backdoor.Nhopro", "target": null }, { "id": "TrojanBanker.Banbra", "display_name": "TrojanBanker.Banbra", "target": null }, { "id": "Gen:NN.ZemsilF.32515", "display_name": "Gen:NN.ZemsilF.32515", "target": null }, { "id": "Downware", "display_name": "Downware", "target": null }, { "id": "MxResIcn.Heur", "display_name": "MxResIcn.Heur", "target": null }, { "id": "Mimikatz", "display_name": "Mimikatz", "target": null }, { "id": "Magazine phishing", "display_name": "Magazine phishing", "target": null }, { "id": "ApplicUnwnt@#2n6\tIRS", "display_name": "ApplicUnwnt@#2n6\tIRS", "target": null }, { "id": "TEL:Trojan:HTML/Phishing", "display_name": "TEL:Trojan:HTML/Phishing", "target": null }, { "id": "DriverReviver.A potentially unwanted", "display_name": "DriverReviver.A potentially unwanted", "target": null }, { "id": "Trojan.GandCrypt", "display_name": "Trojan.GandCrypt", "target": null }, { "id": "Redirector.AN", "display_name": "Redirector.AN", "target": null }, { "id": "Agent.CUX.gen", "display_name": "Agent.CUX.gen", "target": null }, { "id": "Gen:Variant.Application.Bundler", "display_name": "Gen:Variant.Application.Bundler", "target": null }, { "id": "Downloader.Generic", "display_name": "Downloader.Generic", "target": null }, { "id": "Trojan.ClipBanker", "display_name": "Trojan.ClipBanker", "target": null }, { "id": "TrojanDropper.Autit", "display_name": "TrojanDropper.Autit", "target": null }, { "id": "Dropper.Trojan.Agent", "display_name": "Dropper.Trojan.Agent", "target": null }, { "id": "QVM05.1.08E5.Malware", "display_name": "QVM05.1.08E5.Malware", "target": null }, { "id": "Trojan.CookiesStealer", "display_name": "Trojan.CookiesStealer", "target": null }, { "id": "Agent.MU", "display_name": "Agent.MU", "target": null }, { "id": "Wacatac.B", "display_name": "Wacatac.B", "target": null }, { "id": "Dropper.Gen", "display_name": "Dropper.Gen", "target": null }, { "id": "WiseCleaner.A potentially unwanted", "display_name": "WiseCleaner.A potentially unwanted", "target": null }, { "id": "Gen:Heur.MSIL.Androm", "display_name": "Gen:Heur.MSIL.Androm", "target": null }, { "id": "Gen:NN.ZemsilF.34170", "display_name": "Gen:NN.ZemsilF.34170", "target": null }, { "id": "Gen:Variant.MSILHeracles", "display_name": "Gen:Variant.MSILHeracles", "target": null }, { "id": "Trojan.DownLoader33", "display_name": "Trojan.DownLoader33", "target": null }, { "id": "Trojan.MSIL", "display_name": "Trojan.MSIL", "target": null }, { "id": "Program.Freemake", "display_name": "Program.Freemake", "target": null }, { "id": "Kryptik.dawvk", "display_name": "Kryptik.dawvk", "target": null }, { "id": "AdwareSig [Adw]", "display_name": "AdwareSig [Adw]", "target": null }, { "id": "Phishing JPMorgan Chase and Co.", "display_name": "Phishing JPMorgan Chase and Co.", "target": null }, { "id": "Adware.BrowseFoxCRTD", "display_name": "Adware.BrowseFoxCRTD", "target": null }, { "id": "Suspici.1F4405D1", "display_name": "Suspici.1F4405D1", "target": null }, { "id": "PUA.Wombat", "display_name": "PUA.Wombat", "target": null }, { "id": "AdWare.DealPly", "display_name": "AdWare.DealPly", "target": null }, { "id": "Injector.CUAM", "display_name": "Injector.CUAM", "target": null }, { "id": "Downldr.gen", "display_name": "Downldr.gen", "target": null }, { "id": "Troj_Gen.F04IE00CI19", "display_name": "Troj_Gen.F04IE00CI19", "target": null }, { "id": "Worm.Autorun", "display_name": "Worm.Autorun", "target": null }, { "id": "Worm.Boychi", "display_name": "Worm.Boychi", "target": null }, { "id": "Worm.Allaple", "display_name": "Worm.Allaple", "target": null }, { "id": "CVE-2014-3153", "display_name": "CVE-2014-3153", "target": null }, { "id": "BehavesLike.ICLoader", "display_name": "BehavesLike.ICLoader", "target": null }, { "id": "BScope.Backdoor", "display_name": "BScope.Backdoor", "target": null }, { "id": "Trojan.WIN32.PDF.Alien", "display_name": "Trojan.WIN32.PDF.Alien", "target": null }, { "id": "PUP.Systweak", "display_name": "PUP.Systweak", "target": null }, { "id": "Sabsik.FL.B", "display_name": "Sabsik.FL.B", "target": null }, { "id": "malicious.f01f67", "display_name": "malicious.f01f67", "target": null }, { "id": "AGEN.1144657", "display_name": "AGEN.1144657", "target": null }, { "id": "Gen:Variant.Tedy HackTool.VulnDriver", "display_name": "Gen:Variant.Tedy HackTool.VulnDriver", "target": null }, { "id": "Backdoor.Predator", "display_name": "Backdoor.Predator", "target": null }, { "id": "Kryptik.GKQR", "display_name": "Kryptik.GKQR", "target": null }, { "id": "DarkKomet.ife", "display_name": "DarkKomet.ife", "target": null }, { "id": "BehavesLike.Downloader", "display_name": "BehavesLike.Downloader", "target": null }, { "id": "Trojan.JS.Iframe", "display_name": "Trojan.JS.Iframe", "target": null }, { "id": "InstallCore.NP", "display_name": "InstallCore.NP", "target": null }, { "id": "Generic.JS.BlackHole", "display_name": "Generic.JS.BlackHole", "target": null }, { "id": "Dropper.Wanna", "display_name": "Dropper.Wanna", "target": null }, { "id": "Remote Utilities", "display_name": "Remote Utilities", "target": null }, { "id": "W32.InstallCore.AGX", "display_name": "W32.InstallCore.AGX", "target": null }, { "id": "NetTool.RemoteExec", "display_name": "NetTool.RemoteExec", "target": null }, { "id": "Bondat.A", "display_name": "Bondat.A", "target": null }, { "id": "VM201.0.B70B.Malware", "display_name": "VM201.0.B70B.Malware", "target": null }, { "id": "Riskware.NetFilter", "display_name": "Riskware.NetFilter", "target": null }, { "id": "Infected.WebPage", "display_name": "Infected.WebPage", "target": null }, { "id": "HEUR:Exploit.Script", "display_name": "HEUR:Exploit.Script", "target": null }, { "id": "BScope.TrojanDownloader", "display_name": "BScope.TrojanDownloader", "target": null }, { "id": "HTML:RedirBA", "display_name": "HTML:RedirBA", "target": null }, { "id": "Trojan.BAT.Qhost", "display_name": "Trojan.BAT.Qhost", "target": null }, { "id": "HTML:RedirME", "display_name": "HTML:RedirME", "target": null }, { "id": "TrojWare.JS.AdWare.Agent", "display_name": "TrojWare.JS.AdWare.Agent", "target": null }, { "id": "Packed.Dico", "display_name": "Packed.Dico", "target": null } ], "attack_ids": [ { "id": "T1027", "name": "Obfuscated Files or Information", "display_name": "T1027 - Obfuscated Files or Information" }, { "id": "T1041", "name": "Exfiltration Over C2 Channel", "display_name": "T1041 - Exfiltration Over C2 Channel" }, { "id": "T1059", "name": "Command and Scripting Interpreter", "display_name": "T1059 - Command and Scripting Interpreter" }, { "id": "T1071", "name": "Application Layer Protocol", "display_name": "T1071 - Application Layer Protocol" }, { "id": "T1105", "name": "Ingress Tool Transfer", "display_name": "T1105 - Ingress Tool Transfer" }, { "id": "T1114", "name": "Email Collection", "display_name": "T1114 - Email Collection" }, { "id": "T1560", "name": "Archive Collected Data", "display_name": "T1560 - Archive Collected Data" }, { "id": "T1059.007", "name": "JavaScript", "display_name": "T1059.007 - JavaScript" }, { "id": "T1449", "name": "Exploit SS7 to Redirect Phone Calls/SMS", "display_name": "T1449 - Exploit SS7 to Redirect Phone Calls/SMS" }, { "id": "TA0011", "name": "Command and Control", "display_name": "TA0011 - Command and Control" }, { "id": "T1056.001", "name": "Keylogging", "display_name": "T1056.001 - Keylogging" }, { "id": "T1071.002", "name": "File Transfer Protocols", "display_name": "T1071.002 - File Transfer Protocols" }, { "id": "T1071.001", "name": "Web Protocols", "display_name": "T1071.001 - Web Protocols" }, { "id": "T1071.004", "name": "DNS", "display_name": "T1071.004 - DNS" }, { "id": "T1491.001", "name": "Internal Defacement", "display_name": "T1491.001 - Internal Defacement" }, { "id": "T1003", "name": "OS Credential Dumping", "display_name": "T1003 - OS Credential Dumping" }, { "id": "T1485", "name": "Data Destruction", "display_name": "T1485 - Data Destruction" }, { "id": "T1210", "name": "Exploitation of Remote Services", "display_name": "T1210 - Exploitation of Remote Services" }, { "id": "T1068", "name": "Exploitation for Privilege Escalation", "display_name": "T1068 - Exploitation for Privilege Escalation" }, { "id": "T1602.001", "name": "SNMP (MIB Dump)", "display_name": "T1602.001 - SNMP (MIB Dump)" } ], "industries": [], "TLP": "white", "cloned_from": null, "export_count": 34, "upvotes_count": 0, "downvotes_count": 0, "votes_count": 0, "locked": false, "pulse_source": "web", "validator_count": 0, "comment_count": 0, "follower_count": 0, "vote": 0, "author": { "username": "scoreblue", "id": "254100", "avatar_url": "/otxapi/users/avatar_image/media/avatars/user_254100/resized/80/avatar_3b9c358f36.png", "is_subscribed": false, "is_following": false }, "indicator_type_counts": { "FileHash-MD5": 1695, "FileHash-SHA1": 756, "FileHash-SHA256": 2029, "domain": 290, "URL": 1854, "hostname": 568, "CVE": 5 }, "indicator_count": 7197, "is_author": false, "is_subscribing": null, "subscriber_count": 226, "modified_text": "875 days ago ", "is_modified": true, "groups": [], "in_group": false, "threat_hunter_scannable": true, "threat_hunter_has_agents": 1, "related_indicator_type": "domain", "related_indicator_is_active": 1 } ], "references": [ "java_method_references_02.dump", "tutor.ca.utf-8", "dns.vim", "erlang.vim", "eruby.vim", "sl.vim", "java_methods_indent8_05.vim", "java_numbers_05.dump", "https://vtbehaviour.commondatastorage.googleapis.com/deeb5ee27b4a740fb22423f0b54253f44fbc1c879569748aae9886f4a9113ec1_Zenbox%20Linux.html?GoogleAccessId=758681729565-rc7fgq07icj8c9dm2gi34a4cckv235v1@developer.gserviceaccount.com&Expires=1775331990&Signature=xR4cCaqYva2bIYOcAYm48EanAq0MTwsTs8BeXhQOE0MrQatTTXDq8gR5ixARCa3GTu2zx8spFdfiUylsmJCarhu8D5vIEuQQ3UD02scWNSGkAu8HiPX2hmMd7Cbni5nWDZIHfI4%2BKCrW8SHDXTrKzyIVfRPxixWVBic9Yaidd1Oqa3KEls3bG28By6k5H1Rd1Qf27epwdP%2BUjrjgpKlmK5tO%2FP7kK1x%2FtMv3w6R4sjLiHATrIjPgoD", "java_methods_style_03.dump", "pine.vim", "django.vim", "falcon.vim", "obj.vim", "rtf.vim", "sysctl.vim", "gss-acceptor.sb", "mmix.vim", "deb822sources.vim", "tutor.it.utf-8", "cbor", "htmlcheetah.vim", "vim_ex_function_def_tail_comment_errors.vim", "vim9_legacy_header.vim", "kdc.sb", "java_methods_indent2_02.vim", "ruby.vim", "tutor.ko.utf-8", "bsi", "fdcc.vim", "hgcommitDiff.vim", "diva.vim", "swig.vim", "efm_filter.txt", "bytecode", "tutor.no.utf-8", "markdown.vim", "com.apple.managedcorespotlightd.sb", "sh_08_02.dump", "mdworker.sb", "bzr.vim", "java_method_references_06.dump", "alliant", "modula2_pim_05.dump", "gzip.vim", "smcl.vim", "modula2_r10_03.dump", "simula.vim", "java_module_info.java", "tt2html.vim", "java_lambda_expressions.java", "takout.vim", "ref", "Mac-FA842E06C61E91C5.plist", "archive", "worker-m-tlcus1.sol.us", "opl.vim", "vim_ex_function_nested_fold.vim", "java_string_04.dump", "defaults.vim", "godoc.vim", "quicklook-satellite-general.sb", "conaryrecipe.vim", "critical-failure-alert2286.40ek97931491.com-4nj1ze3ivfwy.website", "http://web2.westlaw.com/ (redirect) https://signon.thomsonreuters.com/?productid=CBT&lr=0&culture=en-US&returnto=https%3a%2f%2f1.next.westlaw.com%...", "swayconfig.vim", "ftplugof.vim", "java_lambda_expressions_05.dump", "apt", "convex", "vim_ex_execute.vim", "desktop.vim", "php.vim", "resolv.vim", "reva.vim", "logtalk.vim", "java_methods_indent8_signature_02.dump", "sh_06.sh", "mail.vim", "java_methods_indent2_signature_03.vim", "java_previews_430.java", "skill.vim", "Malware Host: HallRender.com", "cmakecache.vim", "Malicious revenge malvertizing: https://www.milehighmedia.com/legal/2257", "java_lambda_expressions_08.dump", "sd.vim", "sdc.vim", "webdav_agent.sb", "mib2c.genhtml.conf", "mve.txt", "java_annotations_signature_04.dump", "java_numbers_00.dump", "Mac-CAD6701F7CEA0921.plist", "hero9780.duckdns.org ( government.westlaw.com/house of mo)", "government.westlaw.com", "hastepreproc.vim", "lsl.vim", "sshdconfig.vim", "java_method_references_signature_04.dump", "java_methods_indent2_03.vim", "loginaccess.vim", "java_method_references_00.dump", "spyce.vim", "html_02.dump", "exim.vim", "pccts.vim", "sqloracle.vim", "asf", "foxpro.vim", "cmod.vim", "blender", "safebae.org", "gss-initiator.sb", "vim_object_methods.vim", "hallrender.com (Malware hosting DGA domain, malware hosting, social engineering , fraud services, threat hounds, cyber criminals, dangerous group)", "lyrics.vim", "lace.vim", "msmessages.vim", "Mac-9AE82516C7C6B903.plist", "qf.vim", "art.vim", "java_lambda_expressions_signature_03.dump", "java.vim", "papp.vim", "bm", "java_methods_style_signature_02.dump", "asterisk.vim", "clarion", "tar.vim", "gkrellmrc.vim", "java_switch_06.dump", "amanda", "mma.vim", "colortest.vim", "a.default.meta.applestore.id", "html_01.dump", "mmp.vim", "sqlhana.vim", "apachestyle.vim", "mib2c.container.conf", "voscm.vim", "apple", "ninja.vim", "pf.vim", "dcd.vim", "us-west-2.es.amazonaws.com (pslicorp)", "hostsaccess.vim", "basic.vim", "denyhosts.vim", "antlr.vim", "vim_ex_substitute.vim", "java_methods_indent2_00.vim", "netrc.vim", "c.vim", "mib2c.iterate_access.conf", "192.124.249.53:80", "gedcom.vim", "sudoers.vim", "bib.vim", "rust.vim", "Mac-35C1E88140C3E6CF.plist", "nr-data.net", "java_methods_indent8_signature_06.vim", "plp.vim", "http://45.159.189.105/bot/regex ( Laplas clipper, Password stealer. Tracks Tsara Brashears, devices, location, , behavior. Obsessive targeting & social engineering)", "Other malicious Hall Render assets and attacks. This doesn't include evidence of physical, documented crimes against targets who may not know source)", "expect.vim", "scilab.vim", "pike.vim", "fakecelebporno.com", "com.apple.fontd.internal.sb", "fvwm2m4.vim", "cddb", "a65.vim", "BTLEServer.sb", "java_comments_markdown_06.dump", "https://hybrid-analysis.com/sample/86479bf7c9a675913b93a0d399f5cbe0c0e8003239e93ae5e00f97cdbc5ec5ba/5c5c13577ca3e12626364777", "java_generics_06.dump", "java_annotations_signature_03.dump", "slpconf.vim", "mve.awk", "mupad.vim", "vim_ex_loadkeymap_after_colon.vim", "tags.vim", "sas.vim", "com.apple.softwareupdate_firstrun_tasks.sb", "redif.vim", "firmlinks", "bitbake.vim", "rnc.vim", "vim_ex_throw.vim", "modula2_iso_02.dump", "xsl.vim", "poefilter.vim", "pic.vim", "gtkrc.vim", "Mac-B809C3757DA9BB8D.plist", "java_method_references_signature_00.dump", "context-data-interfaces.vim", "java_methods_indent8_04.dump", "procmail.vim", "tsv.vim", "indent.vim", "application", "html_03.dump", "manconf.vim", "java_methods_indent8_signature_06.dump", "java_methods_style_signature_00.dump", "Mac-06F11F11946D27C5.plist", "sh_07_01.dump", "https://tracking.crazyegg.com/clock?t=1701949195114&tk=09a1de462eccb2ebc17a566aec5ed8b4&s=331938&p=%2Fattorney%2Fbrian-sabey%2F&u=502212&v=618f8e048086160d46ee09468f987c3211863abb&f=hallrender.com%2Fattorney%2Fbrian-sabey&ul=https%3A%2F%2Fwww.hallrender.com%2Fattorney%2Fbrian-sabey%2F ( tracking tsra Brashears,tracking, clock app)", "java_lambda_expressions_signature_06.dump", "beetle", "plaintex.vim", "mplayerconf.vim", "kconfig.vim", "asterix", "http://www.hallrender.com/resources/blog (Malware hosting, malvertizing URL/ targets Tsara Brashears)", "monk.vim", "cdrdaoconf.vim", "setserial.vim", "my.mintmobile.com", "idlang.vim", "coco.vim", "lua.vim", "pinfo.vim", "blcr", "srec.vim", "java_methods_indent8_signature_05.vim", "haredoc.vim", "java_methods_indent8_04.vim", "gitcommit.vim", "web2.westlaw.com (Malicious: Only targets Tsara Brashears & safebae.org/cyber stalking now deceased Daisy Coleman deceased, alleged suicide )", "java_methods_indent2_signature_00.dump", "esqlc.vim", "uci.vim", "qlmanage.sb", "sshconfig.vim", "hamster.vim", "ishd.vim", "java_string_02.dump", "https://www.milehighmedia.com/en/Charlie-Dean/pornstar/49512 (Mile High Media malvertizing relationship = subsidiary)", "pamenv.vim", "apps.apple.com/us/app/id$", "dot.vim", "modula2_iso_03.dump", "vhdl.vim", "mib2c.iterate.conf", "ecd.vim", "java_methods_indent2_04.dump", "css.vim", "chatito.vim", "typescriptcommon.vim", "modula2_pim_01.dump", "jinja.vim", "model.vim", "emoji_list.vim", "clipper", "livebook.vim", "dots_19", "sh_01.sh", "http://tracking.3061331.corn10wuk.club", "htmlcomplete.vim", "riverside.rocks (safebae.com remote uTorrent) https://hybrid-analysis.com/sample/11108ef17bd75f36e0d22d95b1f3bde3e9fa968a78a24c2d2508f4238e22651d/6326a50be4a8a71b885f5bf3", "synmenu.vim", "markdown_conceal.markdown", "ccomplete.vim", "www.pornhub.com (Targets Tsara Brashears. Pornography malvertizing, tagging)", "efm_filter.pl", "java_switch_07.dump", "mediawiki.vim", "coff", "tutor.da.utf-8", "java_comments_markdown_07.dump", "psf.vim", "haskellcomplete.vim", "java_method_references_03.dump", "https://www.pornhub.com/gifs/search?search=tsara+lynn+brashears+lesbian ( tagging, malware campaign, Apple iOS password cracker, libel, straight female)", "java_enfoldment_01.dump", "java_methods_indent8_00.vim", "ppwiz.vim", "java_module_info.vim", "sieve.vim", "java_methods_indent4_signature_05.vim", "limits.vim", "RstFold.vim", "Mac-9F18E312C5C2BF0B.plist", "sh_05.sh", "lprolog.vim", "elm.vim", "pamconf.vim", "airportd.sb", "dune.vim", "rexx.vim", "mermaid.vim", "java_numbers_03.dump", "ps1.vim", "xsd.vim", "animation", "java_string_03.dump", "dts.vim", "java_annotations_03.dump", "usserverlog.vim", "pltags.pl", "fpcmake.vim", "apache", "cupl.vim", "java_contextual_keywords_00.dump", "com.apple.msrpc.netlogon.sb", "java_methods_indent8_signature_00.vim", "mib2c.array-user.conf", "gnash.vim", "modula2_pim_06.dump", "adventure", "progress.vim", "scheme.vim", "ncf.vim", "Mac-77EB7D7DAF985301.plist", "squid.vim", "Mac-EE2EBD4B90B839A8.plist", "debchangelog.vim", "vim_ex_range.vim", "java_numbers_01.dump", "cfg.vim", "prescribe.vim", "com.apple.FontValidator.sb", "cleanadd.vim", "java_methods_indent2_03.dump", "vim_shebang.vim", "mel.vim", "java_switch_01.dump", "scripts.vim", "java_previews_455_02.dump", "java_methods_indent4_03.vim", "dosini.vim", "haml.vim", "java_methods_indent8.java", "vim_expr.vim", "chuck.vim", "latte.vim", "yi.vim", "vim9_ex_function_def_tail_comments.vim", "dnsmasq.vim", "vgrindefs.vim", "cdl.vim", "alsaconf.vim", "modula2_pim_02.dump", "java_unfoldment_02.dump", "java_methods_style_signature_01.dump", "freebasic.vim", "decada.vim", "spec.vim", "vim_ex_function_nested.vim", "sil.vim", "java_methods_indent4_01.vim", "http://auditrage.top/Rossmaansywh/tb.php?wmtvjltu (phishing | cybercrime)", "quicklook-satellite.sb", "unicode.vim", "sgml.vim", "https://alohatube.xyz/search/tsara-brashears (Formerly Botnetwork malvertizing campaign targeting Tsara Brashears crime victim. Now http. Benjamin. xww )", "modula2.vim", "aspvbs.vim", "chord", "help.vim", "com.apple.spotlightknowledged.importer.sb", "syntax.vim", "cvsrc.vim", "elmfilt.vim", "krl.vim", "aout", "com.apple.atsd.support.sb", "apps.apple.com", "eviews.vim", "java_comments_markdown_08.dump", "go.vim", "context-data-metafun.vim", "java_unfoldment_03.dump", "ftoff.vim", "mib2c.conf", "terraform.vim", "https://vtbehaviour.commondatastorage.googleapis.com/6ff69fa3791b2fa97f24d4bf813c0482afa79961203ba0251fd98328c96ed36e_Zenbox.html?GoogleAccessId=758681729565-rc7fgq07icj8c9dm2gi34a4cckv235v1@developer.gserviceaccount.com&Expires=1775332172&Signature=AEpI2boARQpxEdX1svqF6ucRMxm96JGdMomcZOTdUlwdGfdyyB8kDhkui3aHlFIFUijkXBGRDLpG4%2FEFvHiA4JDASaFT7MuYUgw%2Fy7xLA5S28HNLgqEqzGb4TSOa58v0WxA0YOpEEs8i8Umx7Kx6LM7C5R9OI50lKO9ma917WLa3ugyTqBnXCqx9Rgb7OwRuWGCAnqNUqjSXub0XMP8HEgzkgzPRzOZkoSA07gn7t6bTHV4QLuqEHqQX3YZPbSI3ld", "ldapconf.vim", "Mac-27ADBB7B4CEE8E61.plist", "appleid-comloginaccount.info", "aes", "java_generics_04.dump", "https://coloradosprings.americanlisted.com/pets-animals/beautiful-ragdoll-kittens_31591993.html", "java_method_references_05.dump", "Hallrender.com and Westlaw.com.= http://auditrage.top/Rossmaansywh/tb.php?wmtvjltu", "tutor.nb.utf-8", "yaml.yaml", "litestep.vim", "tutor.de.utf-8", "java_comments_markdown_02.dump", "java_generics_signature_00.dump", "synload.vim", "java_methods_indent4_signature_03.vim", "https://vtbehaviour.commondatastorage.googleapis.com/1a0c03d5766301f341ed160511b7442d063a320d6aa4ffd6bbec89a809059d09_Zenbox.html?GoogleAccessId=758681729565-rc7fgq07icj8c9dm2gi34a4cckv235v1@developer.gserviceaccount.com&Expires=1775332117&Signature=QrQhWy6CHNIt4LrFDW8Us3KA0iRKZQsz1n3Grrkp%2FAFqaB1bg7YxB2%2F9WZxBzZ6PMwIWuUdgioXJFXzRQQ55c%2BCI5rBOGF290mKickctOopJ%2FIZ%2FS4MrYScbePx7GxujMl%2BBt0UT1MtozDTOja6QP2MBW5H2mbH5A5PYPJtpn4MwwQg6iUy4IAaEx9FeiJYrpkqvLSzsoq8uDCVv9GGvwXhzWDaOGvzxpSMsY%2BEZ0ti5z1hk8TsA2nI9", "java_switch_04.dump", "stata.vim", "fgl.vim", "java_methods_style_signature_02.vim", "vim9_ex_function_def_tail_comment_errors.vim", "vim_ex_catch.vim", "000002f1558a89f29984934d511289491032f9e96a249c12f2f6d42678264114 (Notepad.exe - python initiated connection)", "initng.vim", "html_06.dump", "java_switch_00.dump", "vera.vim", "java_previews_455_01.dump", "abaqus.vim", "com.apple.fontd.support.sb", "java_switch_05.dump", "ssa.vim", "Mac-A369DDC4E67F1C45.plist", "java_methods_indent2_01.dump", "ppd.vim", "tutor.ru.utf-8", "chaiscript.vim", "http://auditrage.top/Rossmaansywh/tb.php?wmtvjltu phishing and other cybercrime, serious cyber attacks)", "https://www.hallrender.com/wp-content/themes/Hall-Render/assets/js/minified/lazy_load-1.9.7-min.js?ver=3.0.1%27 (malware hosting)", "java_method_references_signature_06.dump", "sqlforms.vim", "d.vim", "globalworker1.sol.us", "java_generics_signature_04.dump", "java_contextual_keywords.java", "progress_comments.p", "https://search.app.goo.gl/?ofl=https://lens.google&al=googleapp://lens?lens_data=KAw&apn=com.google.android.googlequicksearchbox&amv=301204913&isi=284815942&ius=googleapp&ibi=com.goog", "java_methods_indent4_signature_02.vim", "context-data-tex.vim", "amiga.vim", "clipper.vim", "clojurecomplete.vim", "https://www.milehighmedia.com/en/pornstar/milehighmedia/Justin-Hunt/51017", "8th.vim", "sexplib.vim", "mdworker-bundle.sb", "ftplugin.vim", "lynx.vim", "java_lambda_expressions_signature_08.dump", "inittab.vim", "quickfix.vim", "jq.vim", "nginx.vim", "vim9_ex_commands.vim", "rp.dudaran2.com [routerlogin.net to safebae.org]", "nasm.vim", "dictdconf.vim", "java_methods_indent4_signature.java", "pcap.vim", "dsl.vim", "java_methods_indent2_signature_01.vim", "vim_ex_command_00.dump", "calendar.vim", "lss.vim", "mgl.vim", "java_unfoldment_01.dump", "gpg.vim", "udevrules.vim", "requirements.vim", "vim_ex_abbreviate_01.dump", "java_methods_style_signature_01.vim", "vim_ex_def_nested_fold.vim", "vim_ex_menutranslate.vim", "exports.vim", "com.apple.mobileassetd.sb", "com.apple.msrpc.wkssvc.sb", "dev-2.ernestatech.com", "java_string_00.dump", "java_methods_indent8_signature_03.vim", "tutor.eo.utf-8", "dots_07", "vim_ex_function.vim", "html_05.dump", "lscript.vim", "java_comments_html_00.dump", "kivy.vim", "gitignore.vim", "upstreamlog.vim", "ia64.vim", "sather.vim", "dircolors.vim", "209.85.145.113 [malware]", "object.prototype.hasownproperty.call", "lc.vim", "vim_ex_loadkeymap_after_bar.vim", "java_escapes_02.dump", "java_annotations_signature_01.dump", "pymanifest.vim", "markdown_conceal_00.dump", "nqc.vim", "https://b.link/infringement", "sh_10.sh", "plsql.vim", "updatedb.vim", "java_methods_indent2_00.dump", "modula2_iso_04.dump", "asteriskvm.vim", "vimrc_example.vim", "tutor.utf-8", "sbt.vim", "ccfilter_README.txt", "goaccess.vim", "systemverilog.vim", "ccfilter.c", "quicklookd-job-creation.sb", "tt2.vim", "gprof.vim", "libao.vim", "tap.vim", "swift.vim", "cvmsCompAgent.sb", "julia.vim", "smith.vim", "java_lambda_expressions_signature_04.dump", "hitest.vim", "readline.vim", "cvmsServer.sb", "bash.vim", "arduino.vim", "ocaml.vim", "mf.vim", "vim9_keymap.vim", "java_previews_455.java", "vim_ex_behave.vim", "basis", "desc.vim", "https://www.hallrender.com/attorney/brian-sabey", "ora.vim", "nanorc.vim", "solidity.vim", "tutor.zh.utf-8", "haste.vim", "Mac-3CBD00234E554E41.plist", "bflt", "abel.vim", "logindefs.vim", "mason.vim", "tutor.sk.utf-8", "aflex.vim", "fan.vim", "java_methods_indent2.java", "pdf.vim", "com.apple.xscertd-helper.sb", "postscr.vim", "dcl.vim", "man.vim", "cf.vim", "tutor.bar.utf-8", "tak.vim", "vim_ex_command.vim", "tutor.zh_tw.utf-8", "dots_16", "conf.vim", "pacmanlog.vim", "initex.vim", "grub.vim", "splint.vim", "hex.vim", "claris", "java_generics_signature_02.dump", "java_numbers.java", "Mac-2BD1B31983FE1663.plist", "tt2js.vim", "grads.vim", "vim9_legacy_header_fold.vim", "tutor.bg.utf-8", "docbksgml.vim", "java_comments_markdown.java", "prolog.vim", "cucumber.vim", "sisu.vim", "java_lambda_expressions_06.dump", "vim_keymap.vim", "applestore.id", "nroff.vim", "spup.vim", "sh_08.sh", "vim_ex_commands.vim", "awk.vim", "blank.vim", "t.name", "gvimrc_example.vim", "specman.vim", "lisp.vim", "muttrc.vim", "htmlangular.vim", "java_methods_indent2_signature_03.dump", "mib2c.column_enums.conf", "cpp.vim", "java_methods_indent8_signature_02.vim", "html40t.vim", "netrw.vim", "smarty.vim", "mib.vim", "2html.vim", "bzl.vim", "java_methods_indent2_signature_02.vim", "apl", "i3config.vim", "smil.vim", "arch.vim", "xhtml10s.vim", "gift.vim", "java_method_references_08.dump", "README.md", "adi", "java_lambda_expressions_07.dump", "Mac-FFE5EF870D7BA81A.plist", "java_comments_html_05.dump", "java_methods_indent8_02.dump", "www.dead-speak.com", "java_numbers_04.dump", "https://vtbehaviour.commondatastorage.googleapis.com/deeb5ee27b4a740fb22423f0b54253f44fbc1c879569748aae9886f4a9113ec1_Zenbox.html?GoogleAccessId=758681729565-rc7fgq07icj8c9dm2gi34a4cckv235v1@developer.gserviceaccount.com&Expires=1775332051&Signature=Bo5b49qay%2F21SiP8bhvZJkYRuw%2BLHz1dfkvJnnEemMii%2F%2FNHk09bmq75u0v2tYMhruii4ncU%2BzXle2POGINpkNmed9FGVbpw3iSzCD9QQKvPuXK0ble2ocVUSZR5vo8vNEV9cS89z1r%2BYqpO3XyS7u%2BajghqNocwpRoq3dwURQqQEqC7II07YOa%2FRpjFQooyWMmOwKC9I%2Fny%2FUmw0%2BDrgg20Kf%2FNsuAzOZLMrdO2o%2B3z", "poemhunter.com (Blacklisted.Target Tsara Brashears with relentless malvertizing attacks including, device hacking)", "java_string_05.dump", "eiffel.vim", "java_methods_indent2_signature_04.dump", "lotos.vim", "udevperm.vim", "protocols.vim", "Mac-031B6874CF7F642A.plist", "menu.vim", "java_generics.java", "jgraph.vim", "java_method_references_09.dump", "quicklook-satellite-personal.sb", "com.apple.USBAgent.sb", "java_escapes_00.dump", "java_methods_indent8_02.vim", "upstart.vim", "raml.vim", "he.vim", "typescript.vim", "bhl", "less.vim", "rrst.vim", "ada.vim", "unison.vim", "java_generics_03.dump", "vim_line_continuation.vim", "https://www.hallrender.com/2018/12/13/nationwide-emailed-bomb-threats-are-new-ransom-technique (target emailed bomb \"t\" threat, reported, dismissed)", "Mac-BE088AF8C5EB4FA2.plist", "bst.vim", "vim_ex_let_heredoc.vim", "debsources.vim", "pfd.sb", "README.ru.utf-8.txt", "com.apple.corespotlightservice.sb", "java_module_info_02.dump", "tutor.pt.utf-8", "ftp-proxy.sb", "java_methods_style_signature_04.dump", "takcmp.vim", "java_string_01.dump", "taskdata.vim", "com.apple.softwareupdated.sb", "jam.vim", "html401t.vim", "java_methods_indent4_00.dump", "west-sca.duckdns.org", "lout.vim", "sh.vim", "dots_12", "evim.vim", "tssop.vim", "sh_11_00.dump", "dots_15", "modula2_r10_00.dump", "mib2c.notify.conf", "rcs.vim", "com.apple.smbd.sb", "tcsh.vim", "manual.vim", "https://www.hallrender.com/service/antitrust/ ('t' process - targetsTsara Brashears)", "Mac-35C5E08120C7EEAF.plist", "https://vtbehaviour.commondatastorage.googleapis.com/1a0c03d5766301f341ed160511b7442d063a320d6aa4ffd6bbec89a809059d09_Zenbox%20Linux.html?GoogleAccessId=758681729565-rc7fgq07icj8c9dm2gi34a4cckv235v1@developer.gserviceaccount.com&Expires=1775332091&Signature=CpWTTwCL%2FHBNW7gUdVTGV%2BaYfdffmVnwTljmRJrMAWNVTHZxyiho8OCuzbtyaSxy12vi8YVQ3DzfT8iWx74O9dBqvZgm5NXwFxgPE3qT7MSzykVmuGB9J00pmU2mZCTWSK6Vkm1KQxSJOEYfMu3aaL3P42m84wWdxFDLlEQl2rsllq4t0ADGNFSPSqAXvC6SBm%2F16y8gRzM9dYJ%2B%2FCjznOtd1vc2jV8%2BvjNPi1oJyyEbt2jnI4", "tutor.zh_cn.utf-8", "snnspat.vim", "java_method_references_01.dump", "dots_08", "java_switch.java", "csp.vim", "java_methods_indent4_04.dump", "crm.vim", "ondir.vim", "dots_05", "kcm.sb", "avm", "m4.vim", "Stopwords.plist", "mib2c.mfd.conf", "vim_ex_comment-vim9.vim", "mib2c.check_values_local.conf", "dots_03", "html_07.dump", "java_switch_03.dump", "xhtml10t.vim", "java_methods_style_signature.java", "https://www.poemhunter.com/tsara-brashears/poems/: https://urlscan.io/result/4f0cabbf-9716-47dd-bd5c-038a953e6672/", "syncolor.vim", "javascriptcomplete.vim", "stylus.vim", "editorconfig.vim", "https://urlscan.io/result/2285cee3-1e08-4e63-b48f-ee685e008480/#summary", "terminfo.vim", "sinda.vim", "java_comments_html_03.dump", "blit", "tads.vim", "gen_syntax_vim.vim", "objcpp.vim", "n1ql.vim", "mdflagwriter.sb", "vim_ex_augroup.vim", "pythoncomplete.vim", "racc.vim", "murphi.vim", "pyrex.vim", "netrw_gitignore.vim", "rpcgen.vim", "http://watchhers.net/index.php", "svn.vim", "cdn.fuckporntube.com", "java_methods_indent8_signature_00.dump", "javaformat.vim", "sml.vim", "gitconfig.vim", "autodoc.vim", "aptconf.vim", "apache.vim", "debcopyright.vim", "qb64.vim", "tutor.cs.utf-8", "java_contextual_keywords_03.dump", "qml.vim", "fetchmail.vim", "diff.vim", "www.hallrender.com (malware hosting)", "kwt.vim", "jsonc.vim", "https://www.anyxxxtube.net/media/favicon/apple", "luau.vim", "bsdi", "git.vim", "java_lambda_expressions_02.dump", "java_methods_style_03.vim", "https://hybrid-analysis.com/sample/d26000dfe1137f05f9187996dc752a703000402fe9e35a8ea216e9215a34560d", "natural.vim", "promela.vim", "vrml.vim", "java_methods_style_00.vim", "mib2c.column_storage.conf", "java_methods_indent4_05.vim", "lifelines.vim", "dictconf.vim", "http://bpdb.portal.gov.bd:3128/sites/default/files/files/bpdb.portal.gov.bd/npfblock/2021-34bc869d2906198362a4346373ce5b94.jpg", "squirrel.vim", "wifivelocityd.sb", "docbkxml.vim", "gdmo.vim", "sql.vim", "dots_10", "java_comments.java", "https://matrix.pornhub.dev", "java_comments_html_04.dump", "baan.vim", "Mac-E43C1C25D4880AD6.plist", "tutor.ja.utf-8", "cuplsim.vim", "python2.vim", "bsdl.vim", "java_generics_signature_05.dump", "java_escapes_05.dump", "urlshortcut.vim", "rcslog.vim", "android", "tutor.nl.utf-8", "typescriptreact.vim", "com.apple.msrpc.mdssvc.sb", "lite.vim", "java_annotations_signature_00.dump", "vim_ex_comment.vim", "java_lambda_expressions_signature_02.dump", "java_switch_02.dump", "r.vim", "java_methods_indent8_signature_04.dump", "inform.vim", "vdf.vim", "https://hallrender.com/attorney/brian-sabey", "java_comments_markdown_01.dump", "euphoria3.vim", "gitolite.vim", "bindzone.vim", "tohtml.vim", "typeset.vim", "getscript.vim", "vim_ex_menu.vim", "routeros.vim", "nastran.vim", "liquid.vim", "ist.vim", "com.apple.msrpc.srvsvc.sb", "java_methods_style_signature_03.dump", "clojure", "sdl.vim", "tcl.vim", "java_comments_markdown_05.dump", "modula3.vim", "mdworker-scan.sb", "gdscript.vim", "vim_ex_abbreviate.vim", "java_methods_style_04.dump", "gdb.vim", "http://decafsmob.this.id", "cabal.vim", "vim9_shebang.vim", "java_methods_style_01.dump", "Mac-42FD25EABCABB274.plist", "htmlm4.vim", "dtrace.vim", "java_method_references_signature_05.dump", "java_enfoldment.java", "meson.vim", "java_method_references_signature_08.dump", "java_lambda_expressions_signature_01.dump", "java_unfoldment_00.dump", "context-data-context.vim", "verilogams.vim", "esmtprc.vim", "html_00.dump", "communications", "http://critical-system-failure7250.21ny35098453.com-bm3y-v806d9gk.cricket/", "java_methods_indent8_06.dump", "java_methods_indent2_signature_04.vim", "obse.vim", "mib2c.column_defines.conf", "java_methods_indent2_signature_05.vim", "java_unfoldment_05.dump", "slpreg.vim", "privoxy.vim", "modula2_iso_01.dump", "help_ru.vim", "systemd.vim", "mib2c.create-dataset.conf", "java_annotations_signature.java", "cs.vim", "scala.vim", "Mac-7DF21CB3ED6977E5.plist", "java_generics_00.dump", "delmenu.vim", "dots_17", "java_methods_indent4_03.dump", "com.apple.usbd.sb", "bioinformatics", "vimball.vim", "csc.vim", "www42.jhonisdead.com", "xhtml10f.vim", "Pornhub dev VT community: https://www.virustotal.com/gui/domain/pornhub.dev/community", "java_annotations_02.dump", "ayacc.vim", "kotlin.vim", "dep3patch.vim", "web2.westlaw.com (redirects to thbrzzrstr.me)", "java_method_references_signature_10.dump", "snnsres.vim", "java_methods_indent2_signature.java", "cdrtoc.vim", "https://apple.pantion.top/", "vim_ex_comment_strings.vim", "java_methods_indent4_signature_03.dump", "modula2_pim.def", "plm.vim", "java_numbers_02.dump", "java_methods_indent8_signature_03.dump", "java_lambda_expressions_04.dump", "st.vim", "java_methods_indent2_05.vim", "cweb.vim", "pfmain.vim", "vim_vs_net.cmd", "java_methods_indent4_06.dump", "optwin.vim", "java_escapes_01.dump", "applix", "vortex-nlb-http2-fed-us-taut-purple.nr-data.net [Apple data, ransomed]", "default.plist", "swiftgyb.vim", "samba.vim", "chaskell.vim", "vim_new.vim", "html40s.vim", "rst.vim", "vim_variables.vim", "mp.vim", "nsis.vim", "json.vim", "shtags.1", "https://pin.it/ [Tsara Brashears Lesbian (libel) Botnetwork, libel]", "sindaout.vim", "jess.vim", "Mac-DB15BD556843C820.plist", "dart.vim", "vim_ex_function_fold.vim", "sqlanywhere.vim", "openvpn.vim", "kix.vim", "java_method_references_signature.java", "https://www.sweetheartvideo.com/tsara-brashears/ [Pin.It BotNet a Malicious Pinterest fraud service]", "docbk.vim", "icemenu.vim", "bluetoothd.sb", "raku.vim", "bc.vim", "confini.vim", "lhaskell.vim", "xhtml11.vim", "chicken.vim", "flexwiki.vim", "automake.vim", "salt.vim", "ccfilter.1", "sed.vim", "java_escapes.java", "att3b", "watool.sb", "tutor.uk.utf-8", "rubycomplete.vim", "1080p-torrent.ml", "dracula.vim", "clojure.vim", "def.vim", "assembler", "gvim.desktop", "omnimark.vim", "hlsplaylist.vim", "http://www.youtube.com/gen_204?cplatform=tablet&c=android&cver=5.6.36&cos=Android&cosver=4.4.2&cbr=com.google.android.youtube&cbrv", "fasm.vim", "java_methods_indent4_signature_00.dump", "tutor.es.utf-8", "gvpr.vim", "natpmpd.sb", "javascriptreact.vim", "tutor.ko", "java_generics_01.dump", "http://init.ess.apple.com/WebObjects/VCInit.woa/wa/getBag?ix=4 (Apple access hacktool \u2192init.ess.apple.com/Web0)", "Make_all.mak", "pilrc.vim", "c64", "csv.vim", "datascript.vim", "https://www.hallrender.com/attorney/brian-sabey/#breadcrumb", "r10.vim", "psl.vim", "gitattributes.vim", "lpc.vim", "id.google.com", "cobol.vim", "vim9_ex_comment_strings.vim", "po.vim", "tutor.pl.utf-8", "euphoria4.vim", "verilog.vim", "java_method_references_signature_03.dump", "rego.vim", "lex.vim", "java_methods_indent8_03.dump", "quarto.vim", "https://vtbehaviour.commondatastorage.googleapis.com/6ff69fa3791b2fa97f24d4bf813c0482afa79961203ba0251fd98328c96ed36e_Zenbox%20Linux.html?GoogleAccessId=758681729565-rc7fgq07icj8c9dm2gi34a4cckv235v1@developer.gserviceaccount.com&Expires=1775332153&Signature=dgkLQ0GIqiF%2Fxe%2BVGzHTZfBQIbpzMfUfH2TTP0G%2FfiVlTXg8BMGx7TyX9WTGlpu6ejWe2xalYze6ohM5Fjaw86Z%2BhmeXwhayr3CfV%2F8EJzusPyOM03QF5IR1ftbWe5tFyxcV0TtA1S5PehVGZRHYHV%2FpOG%2BbzR1Dcn2z2u0I72hZ%2F7X5nKoHtBjRMDvZnZneoi%2FAI9C2DMtsZemC3g7FLaEM6BV1JXkzjSoeH01LFLze", "abc.vim", "config.vim", "java_generics_signature_06.dump", "tutor.sr.utf-8", "tutor.hu.utf-8", "java_lambda_expressions_signature_05.dump", "Mac-551B86E5744E2388.plist", "java_methods_indent8_01.vim", "mailcap.vim", "https://hybrid-analysis.com/sample/8bf763ce9396c4569afbae58392097fd57408339c0ac59ec256468c9fd8ac4c5/6548ebfe56b25bab28017757", "vim.desktop", "eterm.vim", "java_method_references_signature_01.dump", "java_module_info_01.dump", "viminfo.vim", "mib2c.int_watch.conf", "com.apple.msrpc.lsarpc.sb", "debversions.vim", "java_methods_indent2_01.vim", "dots_14", "edif.vim", "modconf.vim", "registry.vim", "arm", "jsp.vim", "java_methods_indent8_signature_05.dump", "aap.vim", "groovy.vim", "java_unfoldment.java", "java_methods_indent2_04.vim", "java_methods_indent2_signature_00.vim", "mallard.vim", "cynpp.vim", "moo.vim", "java_generics_05.dump", "xcmdsrv_client.c", "pov.vim", "java_methods_indent8_signature.java", "vim_ex_def_nested.vim", "sqlj.vim", "batchpublicrecords.westlaw.com", "services.vim", "com.apple.genatsdb.internal.sb", "https://www.assurant.com/?utm_source=email&utm_medium=email&utm_campaign=Mobile_Transactional_withad&utm_content=Deductible+Charge+Acknowledgement+PD-MB&utm_term=", "dosbatch.vim", "com.apple.CommCenter.sb", "https://www.hallrender.com/professional/kathy-l-thurston/ (phishing)", "tutor.tr.utf-8", "mds_stores.sb", "java_lambda_expressions_00.dump", "mapper.dir", "tutor.sv.utf-8", "gyp.vim", "mdworker-sizing.sb", "j.vim", "haskell.vim", "dots_13", "ant.vim", "kscript.vim", "rpl.vim", "biosig", "c.c", "tutor.vim", "gnuplot.vim", "sindacmp.vim", "update_date.vim", "java_previews_455_00.dump", "ave.vim", "java_annotations_04.dump", "gsp.vim", "cmake.vim", "java_methods_indent8_03.vim", "java_methods_indent8_signature_04.vim", "phtml.vim", "tutor.hr.utf-8", "fontworkerinternal.sb", "c.oooooooooo.ga (c.apple.com cdn)", "m3quake.vim", "ctrlh.vim", "modsim3.vim", "modula2_pim_03.dump", "java_methods_indent4_02.vim", "vim_ex_map.vim", "hog.vim", "java_methods_indent2_signature_01.dump", "gdresource.vim", "tutor.lv.utf-8", "icon.vim", "java_module_info_00.dump", "awdd.sb", "amigaos", "sqlcomplete.vim", "chill.vim", "changelog.vim", "csdl.vim", "html32.vim", "vim_ex_set.vim", "newrelic.se", "https://www.anyxxxtube.net/search-porn/tsara-brashears/", "asm68k.vim", "boostmobile.com", "ptcap.vim", "markdown_conceal.vim", "remind.vim", "rasi.vim", "init.ess.apple.com ( Code Script \u2022 MortalK)", "pandoc.vim", "maxima.vim", "charset.pivot", "java_methods_indent4_01.dump", "fvwm.vim", "java_methods_indent4_signature_06.dump", "dots_11", "algol68", "xmlformat.vim", "citrus", "upstreamdat.vim", "netrwFileHandlers.vim", "hare.vim", "quake.vim", "filetype.vim", "java_comments_markdown_04.dump", "location.search", "nosyntax.vim", "Mac-189A3D4F975D5FFC.plist", "passwd.vim", "Make_mvc.mak", "mgp.vim", "esterel.vim", "https://dnsorangetel.dn2.n-helix.com", "java_string.java", "abap.vim", "java_methods_style.java", "java_enfoldment_02.dump", "ratpoison.vim", "tssgm.vim", "tutor", "htmldjango.vim", "vim_ex_def.vim", "idl.vim", "java_contextual_keywords_01.dump", "slice.vim", "cgdbrc.vim", "fontmover.sb", "openscad.vim", "make.vim", "mswin.vim", "java_contextual_keywords_02.dump", "msql.vim", "cvs.vim", "aspperl.vim", "contextcomplete.vim", "perl.vim", "java_methods_indent8_05.dump", "vim_ex_call.vim", "java_methods_indent8_signature_01.dump", "rhelp.vim", "wfs.sb", "mix.vim", "form.vim", "java_generics_signature_07.dump", "vim_ex_def_fold.vim", "Mac-B4831CEBD52A0C4C.plist", "scdoc.vim", "java_previews_455_03.dump", "vim_ex_no_comment_strings.vim", "groff.vim", "modula2_pim_00.dump", "javascript.vim", "acorn", "java_lambda_expressions_signature_07.dump", "opam.vim", "cabalconfig.vim", "hb.vim", "screen.vim", "cheetah.vim", "matlab.vim", "pod.vim", "user-apple.info", "autohotkey.vim", "Mac-473D31EABEB93F9B.plist", "www.search.app.goo.gl", "hasownproperty.call", "sicad.vim", "elf.vim", "hercules.vim", "kdl.vim", "snobol4.vim", "init-p01st.push.apple.com", "cabalproject.vim", "mrxvtrc.vim", "dots_01", "html401f.vim", "java_escapes_06.dump", "dylanlid.vim", "cmusrc.vim", "mds.sb", "java_methods_style_signature_03.vim", "snnsnet.vim", "aml.vim", "ipfilter.vim", "typst.vim", "named.vim", "java_methods_indent4_signature_01.vim", "odin.vim", "gemtext.vim", "structurizr.vim", "iso.vim", "focexec.vim", "java_generics_signature.java", "https://1.1.1.1/login.html [login access to Brashears' Warp if applicable]", "rng.vim", "uc.vim", "java_comments_markdown_03.dump", "html_04.dump", "slrnrc.vim", "sqlinformix.vim", "vim_ex_echo.vim", "netrwSettings.vim", "https://www.anyxxxtube.net/search-porn/tsara-brashears/ (Heavy malvertizing. Phishing m formerly named a Bot Network. )", "debcontrol.vim", "nix.vim", "python3complete.vim", "java_comments_markdown_00.dump", "gnat.vim", "autoit.vim", "vimm", "proto.vim", "java_methods_indent8_signature_01.vim", "https://vtbehaviour.commondatastorage.googleapis.com/a711ab9f034ec8f7e6af1f3d2038912744b7633fa6722d9836965742dee6d6a2_Zenbox%20Linux.html?GoogleAccessId=758681729565-rc7fgq07icj8c9dm2gi34a4cckv235v1@developer.gserviceaccount.com&Expires=1775331684&Signature=c5WpYuxTIbVivjy9twSEEFcaF8XNBTwVhnJlSlxi23MOgSHpgwXbHsfE6flrpICVrApX5aa%2FM9SEhNMSNrqfZfffeKVVlSP5HK83DIz5cX7zxj3e6QUJBxfzYTehKIu7PboV3pv7iqaiKuTSoAuVB7SO3q0cmLVdmj0CwgVl%2Bxb2uk8cAuHSozlNlUQTtKp4kj%2B7vXJ8Cu0R8tEldXA9lnQ2YHfdanefJ6U495%2B%2FoBB4eckkj1On", "virata.vim", "hcl.vim", "vim_ex_match.vim", "mailaliases.vim", "README.txt", "ibasic.vim", "html40f.vim", "btsnoop", "jargon.vim", "blink.c", "java_methods_style_04.vim", "pim.vim", "Poemhunter.com + rally point.com = pornhub.dev", "occam.vim", "Mac-BE0E8AC46FE800CC.plist", "mib2c.scalar.conf", "java_method_references_10.dump", "pli.vim", "modula2_iso_05.dump", "ch.vim", "change.vim", "adacomplete.vim", "pbtxt.vim", "com.apple.cloudd.sb", "https://www.virustotal.com/graph/g682ab72ed7b14bc68948e2dbfc22be8f7b2a00a339eb490083e18dc764a618dd", "strace.vim", "lilo.vim", "asy.vim", "bdf.vim", "apple-aqo.com (1 DNSPod.net)", "tutor.el.utf-8", "fish.vim", "Mac-06F11FD93F0323C5.plist", "java_methods_indent4_signature_00.vim", "mDNSResponder.sb", "dots_20", "asn.vim", "java_methods_style_01.vim", "java_methods_indent4_signature_02.dump", "quicklookd.sb", "rapid.vim", "mib2c.access_functions.conf", "Poemhunter.com: https://hybrid-analysis.com/sample/86479bf7c9a675913b93a0d399f5cbe0c0e8003239e93ae5e00f97cdbc5ec5ba", "gitsendemail.vim", "sensors.vim", "blackberry", "asmh8300.vim", "uil.vim", "atlas.vim", "java_methods_indent2_signature_05.dump", "cuda.vim", "html401s.vim", "vim_key_notation.vim", "java_generics_02.dump", "http://xd.x9.client.api.vpngate2.jp/api/?session_id=1773986324675443378", "html_08.dump", "java_annotations_signature_02.dump", "modula2_iso.def", "java_comments_html_06.dump", "framescript.vim", "https://urlscan.io/result/4f0cabbf-9716-47dd-bd5c-038a953e6672/", "gitrebase.vim", "upstreaminstalllog.vim", "java_generics_signature_03.dump", "teraterm.vim", "java_methods_indent4_05.dump", "sgmldecl.vim", "crontab.vim", "java_lambda_expressions_signature.java", "java_enfoldment_00.dump", "kadmind.sb", "python.vim", "usw2kagtlog.vim", "java_previews_430_00.dump", "dtml.vim", "rnoweb.vim", "java_lambda_expressions_03.dump", "syntaxcomplete.vim", "java_lambda_expressions_signature_00.dump", "m3build.vim", "allegro", "mysql.vim", "context.vim", "openroad.vim", "radiance.vim", "vim_ex_function_def_tail_comments.vim", "dockerfile.vim", "sh_09.sh", "astro.vim", "clean.vim", "http://e.id?e.id:e.id.getAttribute", "114.114.114.114. (auto populated IP descriptions: tulach, brian sabey, apple, law)", "https://poemhunter.com/tsara-brashears/", "CVE-2023-4966", "vim.vim", "dylanintr.vim", "ahdl.vim", "tasm.vim", "demoserver.py", "template.vim", "vimspell.txt", "a2ps.vim", "xmlcomplete.vim", "https://www.hallrender.com/wp-content/themes/Hall-Render/assets/icons/apple-touch-icon-76x76.png", "slrnsc.vim", "mib2c.perl.conf", "zip.vim", "safebae.org (Skynet) Was now deceased Daisy Coleman a real person or actress in Audrey & Daisy? Tragic", "Mac-66E35819EE2D0D05.plist", "indoff.vim", "dicrc", "http://git.io/yBU2rg", "java_escapes_03.dump", "group.vim", "json5.vim", "slpspi.vim", "html.vim", "rib.vim", "pascal.vim", "aidl.vim", "34bc869d2906198362a4346373ce5b94 (bpbd.portal.ov.bd/npfblock/2021-jpg.", "mush.vim", "mib2c.old-api.conf", "asciidoc.vim", "java_generics_signature_01.dump", "lftp.vim", "povini.vim", "Rallypoint.com https://hybrid-analysis.com/sample/66287c2c36699037cb504201693e26b5f3282cebde1d1c78aecd6f97f04fb694", "java_comments_html_01.dump", "sh_02.sh", "vim132", "vim9_expr.vim", "java_methods_style_signature_04.vim", "csscomplete.vim", "java_annotations.java", "modula2_pim_04.dump", "sendpr.vim", "dots_18", "com.apple.atsd.internal.sb", "cl.vim", "cterm.vim", "gretl.vim", "vim_ex_sleep.vim", "dots_09", "mib2c.check_values.conf", "hgcommit.vim", "modula2_iso_06.dump", "master.vim", "ampl.vim", "java_methods_indent2_05.dump", "doxygen.vim", "java_methods_style_02.dump", "rustfmt.vim", "java_method_references_07.dump", "com.apple.xscertd.sb", "java_generics_07.dump", "spellfile.vim", "java_methods_style_02.vim", "java_annotations_00.dump", "cafebabe", "dots_04", "jal.vim", "purifylog.vim", "paste.vim", "java_methods_indent4_04.vim", "http://information.7174932.cakcuk.az/tracking/tracking.php?id=8459701&page=904", "com.apple.bootinstalld.sb", "java_methods_indent4_signature_04.vim", "modula2_r10.def", "java_methods_indent2_signature_02.dump", "spice.vim", "https://wallpapers-nature.com/tsara-brashears/tse1-mm-bing-net (BitCoin Aussie)", "msidl.vim", "bugreport.vim", "sh_11.sh", "com.apple.netbiosd.sb", "www.metrobyt-mobile.com", "sh_03.sh", "avra.vim", "java_method_references_signature_07.dump", "taskedit.vim", "cynlib.vim", "slang.vim", "java_method_references_04.dump", "states.app", "java_methods_indent4_signature_04.dump", "java_methods_indent8_00.dump", "catalog.vim", "java_methods_indent4_signature_05.dump", "html.html", "vim.vim.base", "mdworker-mail.sb", "masm.vim", "https://fairspin.io/?track_id=44698569&pid=1&geo=6252001&utm_source=bonafides&utm_medium=&utm_campaign=smarttds&utm_term=incorrect_param", "vimrc", "tutor.fr.utf-8", "objc.vim", "audio", "tutor.lt.utf-8", "fontmoverinternal.sb", "com.apple.taskgated-helper.sb", "csh.vim", "stp.vim", "messages.vim", "vmasm.vim", "java_annotations_01.dump", "Mac-4B682C642B45593E.plist", "racket.vim", "bout", "efm_perl.pl", "ber", "dirpager.vim", "java_comments_html_02.dump", "ld.vim", "shtags.pl", "mojo.vim", "gp.vim", "b.vim", "chordpro.vim", "rmd.vim", "forth.vim", "java_methods_indent4_02.dump", "btm.vim", "dots_06", "sass.vim", "htmlos.vim", "elinks.vim", "vim_ex_syntax.vim", "https://rr2---sn-4g5ednsz.googlevideo.com/videoplayback?expire=1699319292&ei=nDlJZfb4G43E-gaYt5XoDg&ip=2001%3A1b60%3A2%3A240%3A3247%3A%3A", "tutor.vi.utf-8", "java_escapes_04.dump", "asm.vim", "scss.vim", "sqr.vim", "valgrind.vim", "java_method_references_signature_09.dump", "maple.vim", "dylan.vim", "cargo.vim", "rebol.vim", "vim_ex_highlight.vim", "java_methods_indent8_01.dump", "fortran.vim", "svg.vim", "c-lang", "java_methods_indent4_signature_01.dump", "robots.vim", "java_lambda_expressions_01.dump", "antlr4.vim", "java_methods_indent2_02.dump", "rc.vim", "cad", "udevconf.vim", "iss.vim", "java_comments_html_07.dump", "java_escapes_07.dump", "com.apple.ckdiscretionaryd.sb", "modula2_iso_00.dump", "sgmllnx.vim", "https://hybrid-analysis.com/sample/66a840a853476a7b66a1202d7f21b28e71b94912341dee123345e620f41fda9d/6571d012385f14f31d0191ad", "dots_02", "fstab.vim", "gdshader.vim", "java_method_references_signature_02.dump", "alohatube.xyz (http://benjamin.xww.de/ porn malvertizing blame shift. Formerly property of Hall Render Brian Sabey)", "srt.vim", "sh_07.sh", "https://www.hallrender.com/wp-content/themes/Hall-Render/assets/js/minified/lazy_load-1.9.7-min.js?ver=3.0.1 (malware hosting)", "java_methods_style_signature_00.vim", "javacc.vim", "https://www.hallrender.com/wp-content/themes/Hall-Render/assets/icons/apple-touch-icon.png", "java_methods_style_00.dump", "ldif.vim", "glsl.vim", "sh_04.sh", "java_methods_indent4_00.vim", "batchcourtexpressservicesqa.westlaw.com", "cisco", "hostconf.vim", "upstreamrpt.vim", "vim9_ex_no_comment_strings.vim", "acedb.vim", "neomuttrc.vim", "java_methods_indent4.java", "dtd.vim", "vb.vim", "sm.vim" ], "related": { "alienvault": { "adversary": [], "malware_families": [], "industries": [] }, "other": { "adversary": [ "M. Brian Sabey Hall Render Malicious & Dangerous Threat Actor", "DragonForce Malaysia", "[Unnamed group]" ], "malware_families": [ "Trojan.win32.pdf.alien", "Mimikatz", "Hoax.deceptpcclean", "Infected.webpage", "Dropper.wanna", "Nettool.remoteexec", "Worm.boychi", "Gen:variant.jacard", "Bscope.backdoor", "Remote utilities", "Behav", "Pup.systweak", "Pe.heur", "Sabsik.fl.b", "Mitre attack", "Agent.cux.gen", "Agent.mu", "Trojan.khalesi 2\tadware 2", "Mxresicn.heur", "Gen:nn.zemsilf.34170", "Asparnet.p", "Adware.dealply", "Emotet", "Installcore.np", "Trojan.wisdomeyes.16070401.9500", "Kryptik.dawvk", "Goldfinder", "Worm.autorun", "Magazine phishing", "Domains", "Gen:nn.zemsilf.32515", "Gen:heur.msil.inject", "Trojan.hotkeychick", "Quasar rat", "Tsara brashears", "Html:redirba", "Msil_bladabindi.g.gen", "Trojan.ransom.gandcrab", "Trojan.rozena", "Sonbokli", "Gen:variant.bulz", "W32.malware", "Driverreviver.a potentially unwanted", "Gen:heur.msil.androm", "W32.installcore.agx", "Kryptik.gkqr", "Hacktool.crack", "Application.bitcoinminer", "Wisecleaner.a potentially unwanted", "Worm.chir", "Selectall", "Backdoor.nhopro", "Unsafe.ai_score_95% 2", "Backdoor.androm", "Redirector", "Trojware.js.adware.agent", "Vm201.0.b70b.malware", "Application.deceptor", "Installcore.gen7", "Trojan.linux.generic", "Webtoolbar", "Gen:variant.ursu", "Gc", "Trojan.bayrob", "Worm.allaple", "Trojan.js.iframe", "Trojan.cookiesstealer", "Googletoolbar", "Dropper.trojan.agent", "Pua.wombat", "Injector.cuam", "Bondat.a", "Riskware.netfilter", "Vb:trojan.valyria", "Backdoor.predator", "Freemake.a potentially unwanted", "Apnic", "Adware", "Cve exploits", "Behaveslike.downloader", "China telecom", "Heur.bzc.yax.boxter.819", "Invoke-mimikatz", "Virus.sality", "Sibot", "Bscope.adware.msil", "Webtoolbar.asparnet", "Downloader.generic", "Trojan.clipbanker", "Suspici.1f4405d1", "Todo", "Darkkomet.ife", "Program.freemake", "Trojan:win32/tiggre", "Zeus", "Et", "Generic.js.blackhole", "Agent.ocj", "Deepscan:generic.brresmon.1", "Doplik.j", "Trojan.gandcrypt", "Sigriskware.lespeedtechnologyltd", "Heur:trojan.diztakun", "Adacore", "Suppobox", "Phishing jpmorgan chase and co.", "Adwaresig [adw]", "Gamehack", "Exploit.zip.heuristic", "Xtreme rat", "Absolute uninstaller", "Downldr.gen", "Backdoor.dtr.15", "Gen:variant.msilheracles", "Gen:variant.application.bundler", "Radar ineractive", "Azorult", "Html:script", "Adware.kuzitui", "Riskware.crack", "Troj_gen.f04ie00ci19", "Vitzo", "Warezov.gen3", "Clicker.vb", "Qbot", "Gen:variant.application.bundler.downloadguide", "Trojan.ransom.generickd", "Uztuby", "Trojan.downloader", "Applicunwnt@#2n6\tirs", "Maltiverse", "Rms", "Dropper.gen", "Malicious.f01f67", "Esc", "Cobalt strike", "Behaveslike.icloader", "Trojandropper.autit", "Nemucod.21c8", "Vim tutor", "Ubot", "Adware.browsefoxcrtd", "Application.auslogics", "Trojanspy", "Hw32.packed", "Heur:hoax.pcfixer", "Trojan.bat.qhost", "Generic.asmalws", "Scrinject.b", "Ml.attribute", "Hacktool.bruteforce", "Beach research", "Agen.1045143", "Agen.1144657", "Babar", "Zbot", "Wannacry kill switch", "Riskware.hacktool.agent", "Packed.themida", "Trojan.brsecmon", "Hsbc", "Trojan:win32/xtrat", "Vdehu.a", "Trojan.small", "Alf:trojan:win32/formbook", "Generic.application.js.sobrab.1", "Hacktool.cheatengine", "Adware.oxypumper", "Trojan.msil", "Redline stealer", "Cve-2014-3153", "Faceliker.d", "Trojan:win32/wacatac", "Wacatac.b", "Trojan.otnr", "Csqkhtaai", "Downware", "Njrat", "Goldmax - s0588", "Inmortal", "Tulach", "Gen:nn.zexaf.34090", "Tsgeneric", "Heur:exploit.script", "Freemake", "Gen:variant.symmi", "Blacknet rat", "Trojanbanker.banbra", "Scrinject.eric", "Redline", "Redirector.an", "Downloader.opencandy", "Js:trojan.hidelink 2", "Tel:trojan:html/phishing", "Bscope.trojandownloader", "Html:redirme", "Js:trojan.clicker", "Mirai", "Mimikatz - s0002", "Gen:variant.tedy hacktool.vulndriver", "Packed.dico", "Cl0p", "Qvm05.1.08e5.malware", "W32.hfsautob", "Trojan.downloader33", "Win32.pdf.alien", "Tool.patcher", "Unsafe.ai_score_94%", "Bscope.trojan" ], "industries": [ "Health" ] } } }, "false_positive": [] }, "geo": {}, "geo_ipapicom": {}, "pulse_count": 50, "pulses": [ { "id": "69e30ffa710fafb6d651ca89", "name": "Kelowna detachment - British Columbia by streamminingex", "description": "", "modified": "2026-04-18T05:46:36.582000", "created": "2026-04-18T05:00:42.166000", "tags": [], "references": [], "public": 1, "adversary": "", "targeted_countries": [], "malware_families": [], "attack_ids": [], "industries": [], "TLP": "green", "cloned_from": "6570a552ac0b6570454709f7", "export_count": 0, "upvotes_count": 0, "downvotes_count": 0, "votes_count": 0, "locked": false, "pulse_source": "web", "validator_count": 0, "comment_count": 0, "follower_count": 0, "vote": 0, "author": { "username": "msudosos", "id": "381696", "avatar_url": "https://otx.alienvault.com/assets/images/default-avatar.png", "is_subscribed": false, "is_following": false }, "indicator_type_counts": { "CVE": 15, "URL": 1354, "FileHash-MD5": 1308, "FileHash-SHA1": 1314, "FileHash-SHA256": 4898, "hostname": 1401, "email": 62, "domain": 1239, "CIDR": 8 }, "indicator_count": 11599, "is_author": false, "is_subscribing": null, "subscriber_count": 48, "modified_text": "2 days ago ", "is_modified": true, "groups": [], "in_group": false, "threat_hunter_scannable": true, "threat_hunter_has_agents": 1, "related_indicator_type": "domain", "related_indicator_is_active": 1 }, { "id": "69e30ffde212f52470137868", "name": "Kelowna detachment - British Columbia by streamminingex", "description": "", "modified": "2026-04-18T05:46:26.897000", "created": "2026-04-18T05:00:45.780000", "tags": [], "references": [], "public": 1, "adversary": "", "targeted_countries": [], "malware_families": [], "attack_ids": [], "industries": [], "TLP": "green", "cloned_from": "6570a552ac0b6570454709f7", "export_count": 0, "upvotes_count": 0, "downvotes_count": 0, "votes_count": 0, "locked": false, "pulse_source": "web", "validator_count": 0, "comment_count": 0, "follower_count": 0, "vote": 0, "author": { "username": "msudosos", "id": "381696", "avatar_url": "https://otx.alienvault.com/assets/images/default-avatar.png", "is_subscribed": false, "is_following": false }, "indicator_type_counts": { "CVE": 15, "URL": 1358, "FileHash-MD5": 1308, "FileHash-SHA1": 1314, "FileHash-SHA256": 4898, "hostname": 1405, "email": 62, "domain": 1242, "CIDR": 8 }, "indicator_count": 11610, "is_author": false, "is_subscribing": null, "subscriber_count": 48, "modified_text": "2 days ago ", "is_modified": true, "groups": [], "in_group": false, "threat_hunter_scannable": true, "threat_hunter_has_agents": 1, "related_indicator_type": "domain", "related_indicator_is_active": 1 }, { "id": "69d16a7d00b0ea85aaf98736", "name": "VirusTotal report\n for run.sh", "description": "A full report on the Bourne-Again malware, published on 18 October, 2016. \u00c2\u00a31.5m (\u20ac2.4m; $3.6m).", "modified": "2026-04-04T19:46:05.954000", "created": "2026-04-04T19:46:05.954000", "tags": [ "file type", "ascii", "ascii text", "c source", "python", "python script", "writes shell", "html document", "sample", "posix shell", "persistence", "info", "linuxunix shell", "perl script", "shell", "mitre attack", "overview", "dropped info", "processes extra", "overview zenbox", "linux verdict", "guest system", "ultimate file", "info file", "malicious", "next", "java source", "crlf line", "sgml document", "certificate", "version3", "java keystore", "fraud", "network info", "unicode text", "utf8 text", "png image", "window" ], "references": [ "https://vtbehaviour.commondatastorage.googleapis.com/a711ab9f034ec8f7e6af1f3d2038912744b7633fa6722d9836965742dee6d6a2_Zenbox%20Linux.html?GoogleAccessId=758681729565-rc7fgq07icj8c9dm2gi34a4cckv235v1@developer.gserviceaccount.com&Expires=1775331684&Signature=c5WpYuxTIbVivjy9twSEEFcaF8XNBTwVhnJlSlxi23MOgSHpgwXbHsfE6flrpICVrApX5aa%2FM9SEhNMSNrqfZfffeKVVlSP5HK83DIz5cX7zxj3e6QUJBxfzYTehKIu7PboV3pv7iqaiKuTSoAuVB7SO3q0cmLVdmj0CwgVl%2Bxb2uk8cAuHSozlNlUQTtKp4kj%2B7vXJ8Cu0R8tEldXA9lnQ2YHfdanefJ6U495%2B%2FoBB4eckkj1On", "https://vtbehaviour.commondatastorage.googleapis.com/deeb5ee27b4a740fb22423f0b54253f44fbc1c879569748aae9886f4a9113ec1_Zenbox%20Linux.html?GoogleAccessId=758681729565-rc7fgq07icj8c9dm2gi34a4cckv235v1@developer.gserviceaccount.com&Expires=1775331990&Signature=xR4cCaqYva2bIYOcAYm48EanAq0MTwsTs8BeXhQOE0MrQatTTXDq8gR5ixARCa3GTu2zx8spFdfiUylsmJCarhu8D5vIEuQQ3UD02scWNSGkAu8HiPX2hmMd7Cbni5nWDZIHfI4%2BKCrW8SHDXTrKzyIVfRPxixWVBic9Yaidd1Oqa3KEls3bG28By6k5H1Rd1Qf27epwdP%2BUjrjgpKlmK5tO%2FP7kK1x%2FtMv3w6R4sjLiHATrIjPgoD", "https://vtbehaviour.commondatastorage.googleapis.com/deeb5ee27b4a740fb22423f0b54253f44fbc1c879569748aae9886f4a9113ec1_Zenbox.html?GoogleAccessId=758681729565-rc7fgq07icj8c9dm2gi34a4cckv235v1@developer.gserviceaccount.com&Expires=1775332051&Signature=Bo5b49qay%2F21SiP8bhvZJkYRuw%2BLHz1dfkvJnnEemMii%2F%2FNHk09bmq75u0v2tYMhruii4ncU%2BzXle2POGINpkNmed9FGVbpw3iSzCD9QQKvPuXK0ble2ocVUSZR5vo8vNEV9cS89z1r%2BYqpO3XyS7u%2BajghqNocwpRoq3dwURQqQEqC7II07YOa%2FRpjFQooyWMmOwKC9I%2Fny%2FUmw0%2BDrgg20Kf%2FNsuAzOZLMrdO2o%2B3z", "https://vtbehaviour.commondatastorage.googleapis.com/1a0c03d5766301f341ed160511b7442d063a320d6aa4ffd6bbec89a809059d09_Zenbox%20Linux.html?GoogleAccessId=758681729565-rc7fgq07icj8c9dm2gi34a4cckv235v1@developer.gserviceaccount.com&Expires=1775332091&Signature=CpWTTwCL%2FHBNW7gUdVTGV%2BaYfdffmVnwTljmRJrMAWNVTHZxyiho8OCuzbtyaSxy12vi8YVQ3DzfT8iWx74O9dBqvZgm5NXwFxgPE3qT7MSzykVmuGB9J00pmU2mZCTWSK6Vkm1KQxSJOEYfMu3aaL3P42m84wWdxFDLlEQl2rsllq4t0ADGNFSPSqAXvC6SBm%2F16y8gRzM9dYJ%2B%2FCjznOtd1vc2jV8%2BvjNPi1oJyyEbt2jnI4", "https://vtbehaviour.commondatastorage.googleapis.com/1a0c03d5766301f341ed160511b7442d063a320d6aa4ffd6bbec89a809059d09_Zenbox.html?GoogleAccessId=758681729565-rc7fgq07icj8c9dm2gi34a4cckv235v1@developer.gserviceaccount.com&Expires=1775332117&Signature=QrQhWy6CHNIt4LrFDW8Us3KA0iRKZQsz1n3Grrkp%2FAFqaB1bg7YxB2%2F9WZxBzZ6PMwIWuUdgioXJFXzRQQ55c%2BCI5rBOGF290mKickctOopJ%2FIZ%2FS4MrYScbePx7GxujMl%2BBt0UT1MtozDTOja6QP2MBW5H2mbH5A5PYPJtpn4MwwQg6iUy4IAaEx9FeiJYrpkqvLSzsoq8uDCVv9GGvwXhzWDaOGvzxpSMsY%2BEZ0ti5z1hk8TsA2nI9", "https://vtbehaviour.commondatastorage.googleapis.com/6ff69fa3791b2fa97f24d4bf813c0482afa79961203ba0251fd98328c96ed36e_Zenbox%20Linux.html?GoogleAccessId=758681729565-rc7fgq07icj8c9dm2gi34a4cckv235v1@developer.gserviceaccount.com&Expires=1775332153&Signature=dgkLQ0GIqiF%2Fxe%2BVGzHTZfBQIbpzMfUfH2TTP0G%2FfiVlTXg8BMGx7TyX9WTGlpu6ejWe2xalYze6ohM5Fjaw86Z%2BhmeXwhayr3CfV%2F8EJzusPyOM03QF5IR1ftbWe5tFyxcV0TtA1S5PehVGZRHYHV%2FpOG%2BbzR1Dcn2z2u0I72hZ%2F7X5nKoHtBjRMDvZnZneoi%2FAI9C2DMtsZemC3g7FLaEM6BV1JXkzjSoeH01LFLze", "https://vtbehaviour.commondatastorage.googleapis.com/6ff69fa3791b2fa97f24d4bf813c0482afa79961203ba0251fd98328c96ed36e_Zenbox.html?GoogleAccessId=758681729565-rc7fgq07icj8c9dm2gi34a4cckv235v1@developer.gserviceaccount.com&Expires=1775332172&Signature=AEpI2boARQpxEdX1svqF6ucRMxm96JGdMomcZOTdUlwdGfdyyB8kDhkui3aHlFIFUijkXBGRDLpG4%2FEFvHiA4JDASaFT7MuYUgw%2Fy7xLA5S28HNLgqEqzGb4TSOa58v0WxA0YOpEEs8i8Umx7Kx6LM7C5R9OI50lKO9ma917WLa3ugyTqBnXCqx9Rgb7OwRuWGCAnqNUqjSXub0XMP8HEgzkgzPRzOZkoSA07gn7t6bTHV4QLuqEHqQX3YZPbSI3ld" ], "public": 1, "adversary": "", "targeted_countries": [], "malware_families": [], "attack_ids": [ { "id": "T1064", "name": "Scripting", "display_name": "T1064 - Scripting" }, { "id": "T1070", "name": "Indicator Removal on Host", "display_name": "T1070 - Indicator Removal on Host" }, { "id": "T1071", "name": "Application Layer Protocol", "display_name": "T1071 - Application Layer Protocol" }, { "id": "T1083", "name": "File and Directory Discovery", "display_name": "T1083 - File and Directory Discovery" }, { "id": "T1095", "name": "Non-Application Layer Protocol", "display_name": "T1095 - Non-Application Layer Protocol" }, { "id": "T1222", "name": "File and Directory Permissions Modification", "display_name": "T1222 - File and Directory Permissions Modification" }, { "id": "T1518", "name": "Software Discovery", "display_name": "T1518 - Software Discovery" }, { "id": "T1564", "name": "Hide Artifacts", "display_name": "T1564 - Hide Artifacts" }, { "id": "T1573", "name": "Encrypted Channel", "display_name": "T1573 - Encrypted Channel" }, { "id": "T1055", "name": "Process Injection", "display_name": "T1055 - Process Injection" }, { "id": "T1056", "name": "Input Capture", "display_name": "T1056 - Input Capture" }, { "id": "T1082", "name": "System Information Discovery", "display_name": "T1082 - System Information Discovery" }, { "id": "T1486", "name": "Data Encrypted for Impact", "display_name": "T1486 - Data Encrypted for Impact" }, { "id": "T1497", "name": "Virtualization/Sandbox Evasion", "display_name": "T1497 - Virtualization/Sandbox Evasion" }, { "id": "T1562", "name": "Impair Defenses", "display_name": "T1562 - Impair Defenses" }, { "id": "T1543", "name": "Create or Modify System Process", "display_name": "T1543 - Create or Modify System Process" }, { "id": "T1010", "name": "Application Window Discovery", "display_name": "T1010 - Application Window Discovery" }, { "id": "T1560", "name": "Archive Collected Data", "display_name": "T1560 - Archive Collected Data" }, { "id": "T1574", "name": "Hijack Execution Flow", "display_name": "T1574 - Hijack Execution Flow" } ], "industries": [], "TLP": "white", "cloned_from": null, "export_count": 0, "upvotes_count": 0, "downvotes_count": 0, "votes_count": 0, "locked": false, "pulse_source": "web", "validator_count": 0, "comment_count": 0, "follower_count": 0, "vote": 0, "author": { "username": "msudosos", "id": "381696", "avatar_url": "https://otx.alienvault.com/assets/images/default-avatar.png", "is_subscribed": false, "is_following": false }, "indicator_type_counts": { "FileHash-MD5": 18, "FileHash-SHA1": 18, "FileHash-SHA256": 2469, "URL": 287, "domain": 281, "hostname": 110, "IPv4": 5 }, "indicator_count": 3188, "is_author": false, "is_subscribing": null, "subscriber_count": 48, "modified_text": "15 days ago ", "is_modified": false, "groups": [], "in_group": false, "threat_hunter_scannable": true, "threat_hunter_has_agents": 1, "related_indicator_type": "domain", "related_indicator_is_active": 1 }, { "id": "69d16a7d28330920cf77f5b0", "name": "VirusTotal report\n for run.sh", "description": "A full report on the Bourne-Again malware, published on 18 October, 2016. \u00c2\u00a31.5m (\u20ac2.4m; $3.6m).", "modified": "2026-04-04T19:46:05.437000", "created": "2026-04-04T19:46:05.437000", "tags": [ "file type", "ascii", "ascii text", "c source", "python", "python script", "writes shell", "html document", "sample", "posix shell", "persistence", "info", "linuxunix shell", "perl script", "shell", "mitre attack", "overview", "dropped info", "processes extra", "overview zenbox", "linux verdict", "guest system", "ultimate file", "info file", "malicious", "next", "java source", "crlf line", "sgml document", "certificate", "version3", "java keystore", "fraud", "network info", "unicode text", "utf8 text", "png image", "window" ], "references": [ "https://vtbehaviour.commondatastorage.googleapis.com/a711ab9f034ec8f7e6af1f3d2038912744b7633fa6722d9836965742dee6d6a2_Zenbox%20Linux.html?GoogleAccessId=758681729565-rc7fgq07icj8c9dm2gi34a4cckv235v1@developer.gserviceaccount.com&Expires=1775331684&Signature=c5WpYuxTIbVivjy9twSEEFcaF8XNBTwVhnJlSlxi23MOgSHpgwXbHsfE6flrpICVrApX5aa%2FM9SEhNMSNrqfZfffeKVVlSP5HK83DIz5cX7zxj3e6QUJBxfzYTehKIu7PboV3pv7iqaiKuTSoAuVB7SO3q0cmLVdmj0CwgVl%2Bxb2uk8cAuHSozlNlUQTtKp4kj%2B7vXJ8Cu0R8tEldXA9lnQ2YHfdanefJ6U495%2B%2FoBB4eckkj1On", "https://vtbehaviour.commondatastorage.googleapis.com/deeb5ee27b4a740fb22423f0b54253f44fbc1c879569748aae9886f4a9113ec1_Zenbox%20Linux.html?GoogleAccessId=758681729565-rc7fgq07icj8c9dm2gi34a4cckv235v1@developer.gserviceaccount.com&Expires=1775331990&Signature=xR4cCaqYva2bIYOcAYm48EanAq0MTwsTs8BeXhQOE0MrQatTTXDq8gR5ixARCa3GTu2zx8spFdfiUylsmJCarhu8D5vIEuQQ3UD02scWNSGkAu8HiPX2hmMd7Cbni5nWDZIHfI4%2BKCrW8SHDXTrKzyIVfRPxixWVBic9Yaidd1Oqa3KEls3bG28By6k5H1Rd1Qf27epwdP%2BUjrjgpKlmK5tO%2FP7kK1x%2FtMv3w6R4sjLiHATrIjPgoD", "https://vtbehaviour.commondatastorage.googleapis.com/deeb5ee27b4a740fb22423f0b54253f44fbc1c879569748aae9886f4a9113ec1_Zenbox.html?GoogleAccessId=758681729565-rc7fgq07icj8c9dm2gi34a4cckv235v1@developer.gserviceaccount.com&Expires=1775332051&Signature=Bo5b49qay%2F21SiP8bhvZJkYRuw%2BLHz1dfkvJnnEemMii%2F%2FNHk09bmq75u0v2tYMhruii4ncU%2BzXle2POGINpkNmed9FGVbpw3iSzCD9QQKvPuXK0ble2ocVUSZR5vo8vNEV9cS89z1r%2BYqpO3XyS7u%2BajghqNocwpRoq3dwURQqQEqC7II07YOa%2FRpjFQooyWMmOwKC9I%2Fny%2FUmw0%2BDrgg20Kf%2FNsuAzOZLMrdO2o%2B3z", "https://vtbehaviour.commondatastorage.googleapis.com/1a0c03d5766301f341ed160511b7442d063a320d6aa4ffd6bbec89a809059d09_Zenbox%20Linux.html?GoogleAccessId=758681729565-rc7fgq07icj8c9dm2gi34a4cckv235v1@developer.gserviceaccount.com&Expires=1775332091&Signature=CpWTTwCL%2FHBNW7gUdVTGV%2BaYfdffmVnwTljmRJrMAWNVTHZxyiho8OCuzbtyaSxy12vi8YVQ3DzfT8iWx74O9dBqvZgm5NXwFxgPE3qT7MSzykVmuGB9J00pmU2mZCTWSK6Vkm1KQxSJOEYfMu3aaL3P42m84wWdxFDLlEQl2rsllq4t0ADGNFSPSqAXvC6SBm%2F16y8gRzM9dYJ%2B%2FCjznOtd1vc2jV8%2BvjNPi1oJyyEbt2jnI4", "https://vtbehaviour.commondatastorage.googleapis.com/1a0c03d5766301f341ed160511b7442d063a320d6aa4ffd6bbec89a809059d09_Zenbox.html?GoogleAccessId=758681729565-rc7fgq07icj8c9dm2gi34a4cckv235v1@developer.gserviceaccount.com&Expires=1775332117&Signature=QrQhWy6CHNIt4LrFDW8Us3KA0iRKZQsz1n3Grrkp%2FAFqaB1bg7YxB2%2F9WZxBzZ6PMwIWuUdgioXJFXzRQQ55c%2BCI5rBOGF290mKickctOopJ%2FIZ%2FS4MrYScbePx7GxujMl%2BBt0UT1MtozDTOja6QP2MBW5H2mbH5A5PYPJtpn4MwwQg6iUy4IAaEx9FeiJYrpkqvLSzsoq8uDCVv9GGvwXhzWDaOGvzxpSMsY%2BEZ0ti5z1hk8TsA2nI9", "https://vtbehaviour.commondatastorage.googleapis.com/6ff69fa3791b2fa97f24d4bf813c0482afa79961203ba0251fd98328c96ed36e_Zenbox%20Linux.html?GoogleAccessId=758681729565-rc7fgq07icj8c9dm2gi34a4cckv235v1@developer.gserviceaccount.com&Expires=1775332153&Signature=dgkLQ0GIqiF%2Fxe%2BVGzHTZfBQIbpzMfUfH2TTP0G%2FfiVlTXg8BMGx7TyX9WTGlpu6ejWe2xalYze6ohM5Fjaw86Z%2BhmeXwhayr3CfV%2F8EJzusPyOM03QF5IR1ftbWe5tFyxcV0TtA1S5PehVGZRHYHV%2FpOG%2BbzR1Dcn2z2u0I72hZ%2F7X5nKoHtBjRMDvZnZneoi%2FAI9C2DMtsZemC3g7FLaEM6BV1JXkzjSoeH01LFLze", "https://vtbehaviour.commondatastorage.googleapis.com/6ff69fa3791b2fa97f24d4bf813c0482afa79961203ba0251fd98328c96ed36e_Zenbox.html?GoogleAccessId=758681729565-rc7fgq07icj8c9dm2gi34a4cckv235v1@developer.gserviceaccount.com&Expires=1775332172&Signature=AEpI2boARQpxEdX1svqF6ucRMxm96JGdMomcZOTdUlwdGfdyyB8kDhkui3aHlFIFUijkXBGRDLpG4%2FEFvHiA4JDASaFT7MuYUgw%2Fy7xLA5S28HNLgqEqzGb4TSOa58v0WxA0YOpEEs8i8Umx7Kx6LM7C5R9OI50lKO9ma917WLa3ugyTqBnXCqx9Rgb7OwRuWGCAnqNUqjSXub0XMP8HEgzkgzPRzOZkoSA07gn7t6bTHV4QLuqEHqQX3YZPbSI3ld" ], "public": 1, "adversary": "", "targeted_countries": [], "malware_families": [], "attack_ids": [ { "id": "T1064", "name": "Scripting", "display_name": "T1064 - Scripting" }, { "id": "T1070", "name": "Indicator Removal on Host", "display_name": "T1070 - Indicator Removal on Host" }, { "id": "T1071", "name": "Application Layer Protocol", "display_name": "T1071 - Application Layer Protocol" }, { "id": "T1083", "name": "File and Directory Discovery", "display_name": "T1083 - File and Directory Discovery" }, { "id": "T1095", "name": "Non-Application Layer Protocol", "display_name": "T1095 - Non-Application Layer Protocol" }, { "id": "T1222", "name": "File and Directory Permissions Modification", "display_name": "T1222 - File and Directory Permissions Modification" }, { "id": "T1518", "name": "Software Discovery", "display_name": "T1518 - Software Discovery" }, { "id": "T1564", "name": "Hide Artifacts", "display_name": "T1564 - Hide Artifacts" }, { "id": "T1573", "name": "Encrypted Channel", "display_name": "T1573 - Encrypted Channel" }, { "id": "T1055", "name": "Process Injection", "display_name": "T1055 - Process Injection" }, { "id": "T1056", "name": "Input Capture", "display_name": "T1056 - Input Capture" }, { "id": "T1082", "name": "System Information Discovery", "display_name": "T1082 - System Information Discovery" }, { "id": "T1486", "name": "Data Encrypted for Impact", "display_name": "T1486 - Data Encrypted for Impact" }, { "id": "T1497", "name": "Virtualization/Sandbox Evasion", "display_name": "T1497 - Virtualization/Sandbox Evasion" }, { "id": "T1562", "name": "Impair Defenses", "display_name": "T1562 - Impair Defenses" }, { "id": "T1543", "name": "Create or Modify System Process", "display_name": "T1543 - Create or Modify System Process" }, { "id": "T1010", "name": "Application Window Discovery", "display_name": "T1010 - Application Window Discovery" }, { "id": "T1560", "name": "Archive Collected Data", "display_name": "T1560 - Archive Collected Data" }, { "id": "T1574", "name": "Hijack Execution Flow", "display_name": "T1574 - Hijack Execution Flow" } ], "industries": [], "TLP": "white", "cloned_from": null, "export_count": 0, "upvotes_count": 0, "downvotes_count": 0, "votes_count": 0, "locked": false, "pulse_source": "web", "validator_count": 0, "comment_count": 0, "follower_count": 0, "vote": 0, "author": { "username": "msudosos", "id": "381696", "avatar_url": "https://otx.alienvault.com/assets/images/default-avatar.png", "is_subscribed": false, "is_following": false }, "indicator_type_counts": { "FileHash-MD5": 18, "FileHash-SHA1": 18, "FileHash-SHA256": 2469, "URL": 287, "domain": 281, "hostname": 110, "IPv4": 5 }, "indicator_count": 3188, "is_author": false, "is_subscribing": null, "subscriber_count": 48, "modified_text": "15 days ago ", "is_modified": false, "groups": [], "in_group": false, "threat_hunter_scannable": true, "threat_hunter_has_agents": 1, "related_indicator_type": "domain", "related_indicator_is_active": 1 }, { "id": "69d16a7c0f0657edc9c6d735", "name": "VirusTotal report\n for run.sh", "description": "A full report on the Bourne-Again malware, published on 18 October, 2016. \u00c2\u00a31.5m (\u20ac2.4m; $3.6m).", "modified": "2026-04-04T19:46:04.113000", "created": "2026-04-04T19:46:04.113000", "tags": [ "file type", "ascii", "ascii text", "c source", "python", "python script", "writes shell", "html document", "sample", "posix shell", "persistence", "info", "linuxunix shell", "perl script", "shell", "mitre attack", "overview", "dropped info", "processes extra", "overview zenbox", "linux verdict", "guest system", "ultimate file", "info file", "malicious", "next", "java source", "crlf line", "sgml document", "certificate", "version3", "java keystore", "fraud", "network info", "unicode text", "utf8 text", "png image", "window" ], "references": [ "https://vtbehaviour.commondatastorage.googleapis.com/a711ab9f034ec8f7e6af1f3d2038912744b7633fa6722d9836965742dee6d6a2_Zenbox%20Linux.html?GoogleAccessId=758681729565-rc7fgq07icj8c9dm2gi34a4cckv235v1@developer.gserviceaccount.com&Expires=1775331684&Signature=c5WpYuxTIbVivjy9twSEEFcaF8XNBTwVhnJlSlxi23MOgSHpgwXbHsfE6flrpICVrApX5aa%2FM9SEhNMSNrqfZfffeKVVlSP5HK83DIz5cX7zxj3e6QUJBxfzYTehKIu7PboV3pv7iqaiKuTSoAuVB7SO3q0cmLVdmj0CwgVl%2Bxb2uk8cAuHSozlNlUQTtKp4kj%2B7vXJ8Cu0R8tEldXA9lnQ2YHfdanefJ6U495%2B%2FoBB4eckkj1On", "https://vtbehaviour.commondatastorage.googleapis.com/deeb5ee27b4a740fb22423f0b54253f44fbc1c879569748aae9886f4a9113ec1_Zenbox%20Linux.html?GoogleAccessId=758681729565-rc7fgq07icj8c9dm2gi34a4cckv235v1@developer.gserviceaccount.com&Expires=1775331990&Signature=xR4cCaqYva2bIYOcAYm48EanAq0MTwsTs8BeXhQOE0MrQatTTXDq8gR5ixARCa3GTu2zx8spFdfiUylsmJCarhu8D5vIEuQQ3UD02scWNSGkAu8HiPX2hmMd7Cbni5nWDZIHfI4%2BKCrW8SHDXTrKzyIVfRPxixWVBic9Yaidd1Oqa3KEls3bG28By6k5H1Rd1Qf27epwdP%2BUjrjgpKlmK5tO%2FP7kK1x%2FtMv3w6R4sjLiHATrIjPgoD", "https://vtbehaviour.commondatastorage.googleapis.com/deeb5ee27b4a740fb22423f0b54253f44fbc1c879569748aae9886f4a9113ec1_Zenbox.html?GoogleAccessId=758681729565-rc7fgq07icj8c9dm2gi34a4cckv235v1@developer.gserviceaccount.com&Expires=1775332051&Signature=Bo5b49qay%2F21SiP8bhvZJkYRuw%2BLHz1dfkvJnnEemMii%2F%2FNHk09bmq75u0v2tYMhruii4ncU%2BzXle2POGINpkNmed9FGVbpw3iSzCD9QQKvPuXK0ble2ocVUSZR5vo8vNEV9cS89z1r%2BYqpO3XyS7u%2BajghqNocwpRoq3dwURQqQEqC7II07YOa%2FRpjFQooyWMmOwKC9I%2Fny%2FUmw0%2BDrgg20Kf%2FNsuAzOZLMrdO2o%2B3z", "https://vtbehaviour.commondatastorage.googleapis.com/1a0c03d5766301f341ed160511b7442d063a320d6aa4ffd6bbec89a809059d09_Zenbox%20Linux.html?GoogleAccessId=758681729565-rc7fgq07icj8c9dm2gi34a4cckv235v1@developer.gserviceaccount.com&Expires=1775332091&Signature=CpWTTwCL%2FHBNW7gUdVTGV%2BaYfdffmVnwTljmRJrMAWNVTHZxyiho8OCuzbtyaSxy12vi8YVQ3DzfT8iWx74O9dBqvZgm5NXwFxgPE3qT7MSzykVmuGB9J00pmU2mZCTWSK6Vkm1KQxSJOEYfMu3aaL3P42m84wWdxFDLlEQl2rsllq4t0ADGNFSPSqAXvC6SBm%2F16y8gRzM9dYJ%2B%2FCjznOtd1vc2jV8%2BvjNPi1oJyyEbt2jnI4", "https://vtbehaviour.commondatastorage.googleapis.com/1a0c03d5766301f341ed160511b7442d063a320d6aa4ffd6bbec89a809059d09_Zenbox.html?GoogleAccessId=758681729565-rc7fgq07icj8c9dm2gi34a4cckv235v1@developer.gserviceaccount.com&Expires=1775332117&Signature=QrQhWy6CHNIt4LrFDW8Us3KA0iRKZQsz1n3Grrkp%2FAFqaB1bg7YxB2%2F9WZxBzZ6PMwIWuUdgioXJFXzRQQ55c%2BCI5rBOGF290mKickctOopJ%2FIZ%2FS4MrYScbePx7GxujMl%2BBt0UT1MtozDTOja6QP2MBW5H2mbH5A5PYPJtpn4MwwQg6iUy4IAaEx9FeiJYrpkqvLSzsoq8uDCVv9GGvwXhzWDaOGvzxpSMsY%2BEZ0ti5z1hk8TsA2nI9", "https://vtbehaviour.commondatastorage.googleapis.com/6ff69fa3791b2fa97f24d4bf813c0482afa79961203ba0251fd98328c96ed36e_Zenbox%20Linux.html?GoogleAccessId=758681729565-rc7fgq07icj8c9dm2gi34a4cckv235v1@developer.gserviceaccount.com&Expires=1775332153&Signature=dgkLQ0GIqiF%2Fxe%2BVGzHTZfBQIbpzMfUfH2TTP0G%2FfiVlTXg8BMGx7TyX9WTGlpu6ejWe2xalYze6ohM5Fjaw86Z%2BhmeXwhayr3CfV%2F8EJzusPyOM03QF5IR1ftbWe5tFyxcV0TtA1S5PehVGZRHYHV%2FpOG%2BbzR1Dcn2z2u0I72hZ%2F7X5nKoHtBjRMDvZnZneoi%2FAI9C2DMtsZemC3g7FLaEM6BV1JXkzjSoeH01LFLze", "https://vtbehaviour.commondatastorage.googleapis.com/6ff69fa3791b2fa97f24d4bf813c0482afa79961203ba0251fd98328c96ed36e_Zenbox.html?GoogleAccessId=758681729565-rc7fgq07icj8c9dm2gi34a4cckv235v1@developer.gserviceaccount.com&Expires=1775332172&Signature=AEpI2boARQpxEdX1svqF6ucRMxm96JGdMomcZOTdUlwdGfdyyB8kDhkui3aHlFIFUijkXBGRDLpG4%2FEFvHiA4JDASaFT7MuYUgw%2Fy7xLA5S28HNLgqEqzGb4TSOa58v0WxA0YOpEEs8i8Umx7Kx6LM7C5R9OI50lKO9ma917WLa3ugyTqBnXCqx9Rgb7OwRuWGCAnqNUqjSXub0XMP8HEgzkgzPRzOZkoSA07gn7t6bTHV4QLuqEHqQX3YZPbSI3ld" ], "public": 1, "adversary": "", "targeted_countries": [], "malware_families": [], "attack_ids": [ { "id": "T1064", "name": "Scripting", "display_name": "T1064 - Scripting" }, { "id": "T1070", "name": "Indicator Removal on Host", "display_name": "T1070 - Indicator Removal on Host" }, { "id": "T1071", "name": "Application Layer Protocol", "display_name": "T1071 - Application Layer Protocol" }, { "id": "T1083", "name": "File and Directory Discovery", "display_name": "T1083 - File and Directory Discovery" }, { "id": "T1095", "name": "Non-Application Layer Protocol", "display_name": "T1095 - Non-Application Layer Protocol" }, { "id": "T1222", "name": "File and Directory Permissions Modification", "display_name": "T1222 - File and Directory Permissions Modification" }, { "id": "T1518", "name": "Software Discovery", "display_name": "T1518 - Software Discovery" }, { "id": "T1564", "name": "Hide Artifacts", "display_name": "T1564 - Hide Artifacts" }, { "id": "T1573", "name": "Encrypted Channel", "display_name": "T1573 - Encrypted Channel" }, { "id": "T1055", "name": "Process Injection", "display_name": "T1055 - Process Injection" }, { "id": "T1056", "name": "Input Capture", "display_name": "T1056 - Input Capture" }, { "id": "T1082", "name": "System Information Discovery", "display_name": "T1082 - System Information Discovery" }, { "id": "T1486", "name": "Data Encrypted for Impact", "display_name": "T1486 - Data Encrypted for Impact" }, { "id": "T1497", "name": "Virtualization/Sandbox Evasion", "display_name": "T1497 - Virtualization/Sandbox Evasion" }, { "id": "T1562", "name": "Impair Defenses", "display_name": "T1562 - Impair Defenses" }, { "id": "T1543", "name": "Create or Modify System Process", "display_name": "T1543 - Create or Modify System Process" }, { "id": "T1010", "name": "Application Window Discovery", "display_name": "T1010 - Application Window Discovery" }, { "id": "T1560", "name": "Archive Collected Data", "display_name": "T1560 - Archive Collected Data" }, { "id": "T1574", "name": "Hijack Execution Flow", "display_name": "T1574 - Hijack Execution Flow" } ], "industries": [], "TLP": "white", "cloned_from": null, "export_count": 0, "upvotes_count": 0, "downvotes_count": 0, "votes_count": 0, "locked": false, "pulse_source": "web", "validator_count": 0, "comment_count": 0, "follower_count": 0, "vote": 0, "author": { "username": "msudosos", "id": "381696", "avatar_url": "https://otx.alienvault.com/assets/images/default-avatar.png", "is_subscribed": false, "is_following": false }, "indicator_type_counts": { "FileHash-MD5": 18, "FileHash-SHA1": 18, "FileHash-SHA256": 2469, "URL": 287, "domain": 281, "hostname": 110, "IPv4": 5 }, "indicator_count": 3188, "is_author": false, "is_subscribing": null, "subscriber_count": 48, "modified_text": "15 days ago ", "is_modified": false, "groups": [], "in_group": false, "threat_hunter_scannable": true, "threat_hunter_has_agents": 1, "related_indicator_type": "domain", "related_indicator_is_active": 1 }, { "id": "69d16a7bc549fa66f964d19b", "name": "VirusTotal report\n for run.sh", "description": "A full report on the Bourne-Again malware, published on 18 October, 2016. \u00c2\u00a31.5m (\u20ac2.4m; $3.6m).", "modified": "2026-04-04T19:46:03.621000", "created": "2026-04-04T19:46:03.621000", "tags": [ "file type", "ascii", "ascii text", "c source", "python", "python script", "writes shell", "html document", "sample", "posix shell", "persistence", "info", "linuxunix shell", "perl script", "shell", "mitre attack", "overview", "dropped info", "processes extra", "overview zenbox", "linux verdict", "guest system", "ultimate file", "info file", "malicious", "next", "java source", "crlf line", "sgml document", "certificate", "version3", "java keystore", "fraud", "network info", "unicode text", "utf8 text", "png image", "window" ], "references": [ "https://vtbehaviour.commondatastorage.googleapis.com/a711ab9f034ec8f7e6af1f3d2038912744b7633fa6722d9836965742dee6d6a2_Zenbox%20Linux.html?GoogleAccessId=758681729565-rc7fgq07icj8c9dm2gi34a4cckv235v1@developer.gserviceaccount.com&Expires=1775331684&Signature=c5WpYuxTIbVivjy9twSEEFcaF8XNBTwVhnJlSlxi23MOgSHpgwXbHsfE6flrpICVrApX5aa%2FM9SEhNMSNrqfZfffeKVVlSP5HK83DIz5cX7zxj3e6QUJBxfzYTehKIu7PboV3pv7iqaiKuTSoAuVB7SO3q0cmLVdmj0CwgVl%2Bxb2uk8cAuHSozlNlUQTtKp4kj%2B7vXJ8Cu0R8tEldXA9lnQ2YHfdanefJ6U495%2B%2FoBB4eckkj1On", "https://vtbehaviour.commondatastorage.googleapis.com/deeb5ee27b4a740fb22423f0b54253f44fbc1c879569748aae9886f4a9113ec1_Zenbox%20Linux.html?GoogleAccessId=758681729565-rc7fgq07icj8c9dm2gi34a4cckv235v1@developer.gserviceaccount.com&Expires=1775331990&Signature=xR4cCaqYva2bIYOcAYm48EanAq0MTwsTs8BeXhQOE0MrQatTTXDq8gR5ixARCa3GTu2zx8spFdfiUylsmJCarhu8D5vIEuQQ3UD02scWNSGkAu8HiPX2hmMd7Cbni5nWDZIHfI4%2BKCrW8SHDXTrKzyIVfRPxixWVBic9Yaidd1Oqa3KEls3bG28By6k5H1Rd1Qf27epwdP%2BUjrjgpKlmK5tO%2FP7kK1x%2FtMv3w6R4sjLiHATrIjPgoD", "https://vtbehaviour.commondatastorage.googleapis.com/deeb5ee27b4a740fb22423f0b54253f44fbc1c879569748aae9886f4a9113ec1_Zenbox.html?GoogleAccessId=758681729565-rc7fgq07icj8c9dm2gi34a4cckv235v1@developer.gserviceaccount.com&Expires=1775332051&Signature=Bo5b49qay%2F21SiP8bhvZJkYRuw%2BLHz1dfkvJnnEemMii%2F%2FNHk09bmq75u0v2tYMhruii4ncU%2BzXle2POGINpkNmed9FGVbpw3iSzCD9QQKvPuXK0ble2ocVUSZR5vo8vNEV9cS89z1r%2BYqpO3XyS7u%2BajghqNocwpRoq3dwURQqQEqC7II07YOa%2FRpjFQooyWMmOwKC9I%2Fny%2FUmw0%2BDrgg20Kf%2FNsuAzOZLMrdO2o%2B3z", "https://vtbehaviour.commondatastorage.googleapis.com/1a0c03d5766301f341ed160511b7442d063a320d6aa4ffd6bbec89a809059d09_Zenbox%20Linux.html?GoogleAccessId=758681729565-rc7fgq07icj8c9dm2gi34a4cckv235v1@developer.gserviceaccount.com&Expires=1775332091&Signature=CpWTTwCL%2FHBNW7gUdVTGV%2BaYfdffmVnwTljmRJrMAWNVTHZxyiho8OCuzbtyaSxy12vi8YVQ3DzfT8iWx74O9dBqvZgm5NXwFxgPE3qT7MSzykVmuGB9J00pmU2mZCTWSK6Vkm1KQxSJOEYfMu3aaL3P42m84wWdxFDLlEQl2rsllq4t0ADGNFSPSqAXvC6SBm%2F16y8gRzM9dYJ%2B%2FCjznOtd1vc2jV8%2BvjNPi1oJyyEbt2jnI4", "https://vtbehaviour.commondatastorage.googleapis.com/1a0c03d5766301f341ed160511b7442d063a320d6aa4ffd6bbec89a809059d09_Zenbox.html?GoogleAccessId=758681729565-rc7fgq07icj8c9dm2gi34a4cckv235v1@developer.gserviceaccount.com&Expires=1775332117&Signature=QrQhWy6CHNIt4LrFDW8Us3KA0iRKZQsz1n3Grrkp%2FAFqaB1bg7YxB2%2F9WZxBzZ6PMwIWuUdgioXJFXzRQQ55c%2BCI5rBOGF290mKickctOopJ%2FIZ%2FS4MrYScbePx7GxujMl%2BBt0UT1MtozDTOja6QP2MBW5H2mbH5A5PYPJtpn4MwwQg6iUy4IAaEx9FeiJYrpkqvLSzsoq8uDCVv9GGvwXhzWDaOGvzxpSMsY%2BEZ0ti5z1hk8TsA2nI9", "https://vtbehaviour.commondatastorage.googleapis.com/6ff69fa3791b2fa97f24d4bf813c0482afa79961203ba0251fd98328c96ed36e_Zenbox%20Linux.html?GoogleAccessId=758681729565-rc7fgq07icj8c9dm2gi34a4cckv235v1@developer.gserviceaccount.com&Expires=1775332153&Signature=dgkLQ0GIqiF%2Fxe%2BVGzHTZfBQIbpzMfUfH2TTP0G%2FfiVlTXg8BMGx7TyX9WTGlpu6ejWe2xalYze6ohM5Fjaw86Z%2BhmeXwhayr3CfV%2F8EJzusPyOM03QF5IR1ftbWe5tFyxcV0TtA1S5PehVGZRHYHV%2FpOG%2BbzR1Dcn2z2u0I72hZ%2F7X5nKoHtBjRMDvZnZneoi%2FAI9C2DMtsZemC3g7FLaEM6BV1JXkzjSoeH01LFLze", "https://vtbehaviour.commondatastorage.googleapis.com/6ff69fa3791b2fa97f24d4bf813c0482afa79961203ba0251fd98328c96ed36e_Zenbox.html?GoogleAccessId=758681729565-rc7fgq07icj8c9dm2gi34a4cckv235v1@developer.gserviceaccount.com&Expires=1775332172&Signature=AEpI2boARQpxEdX1svqF6ucRMxm96JGdMomcZOTdUlwdGfdyyB8kDhkui3aHlFIFUijkXBGRDLpG4%2FEFvHiA4JDASaFT7MuYUgw%2Fy7xLA5S28HNLgqEqzGb4TSOa58v0WxA0YOpEEs8i8Umx7Kx6LM7C5R9OI50lKO9ma917WLa3ugyTqBnXCqx9Rgb7OwRuWGCAnqNUqjSXub0XMP8HEgzkgzPRzOZkoSA07gn7t6bTHV4QLuqEHqQX3YZPbSI3ld" ], "public": 1, "adversary": "", "targeted_countries": [], "malware_families": [], "attack_ids": [ { "id": "T1064", "name": "Scripting", "display_name": "T1064 - Scripting" }, { "id": "T1070", "name": "Indicator Removal on Host", "display_name": "T1070 - Indicator Removal on Host" }, { "id": "T1071", "name": "Application Layer Protocol", "display_name": "T1071 - Application Layer Protocol" }, { "id": "T1083", "name": "File and Directory Discovery", "display_name": "T1083 - File and Directory Discovery" }, { "id": "T1095", "name": "Non-Application Layer Protocol", "display_name": "T1095 - Non-Application Layer Protocol" }, { "id": "T1222", "name": "File and Directory Permissions Modification", "display_name": "T1222 - File and Directory Permissions Modification" }, { "id": "T1518", "name": "Software Discovery", "display_name": "T1518 - Software Discovery" }, { "id": "T1564", "name": "Hide Artifacts", "display_name": "T1564 - Hide Artifacts" }, { "id": "T1573", "name": "Encrypted Channel", "display_name": "T1573 - Encrypted Channel" }, { "id": "T1055", "name": "Process Injection", "display_name": "T1055 - Process Injection" }, { "id": "T1056", "name": "Input Capture", "display_name": "T1056 - Input Capture" }, { "id": "T1082", "name": "System Information Discovery", "display_name": "T1082 - System Information Discovery" }, { "id": "T1486", "name": "Data Encrypted for Impact", "display_name": "T1486 - Data Encrypted for Impact" }, { "id": "T1497", "name": "Virtualization/Sandbox Evasion", "display_name": "T1497 - Virtualization/Sandbox Evasion" }, { "id": "T1562", "name": "Impair Defenses", "display_name": "T1562 - Impair Defenses" }, { "id": "T1543", "name": "Create or Modify System Process", "display_name": "T1543 - Create or Modify System Process" }, { "id": "T1010", "name": "Application Window Discovery", "display_name": "T1010 - Application Window Discovery" }, { "id": "T1560", "name": "Archive Collected Data", "display_name": "T1560 - Archive Collected Data" }, { "id": "T1574", "name": "Hijack Execution Flow", "display_name": "T1574 - Hijack Execution Flow" } ], "industries": [], "TLP": "white", "cloned_from": null, "export_count": 0, "upvotes_count": 0, "downvotes_count": 0, "votes_count": 0, "locked": false, "pulse_source": "web", "validator_count": 0, "comment_count": 0, "follower_count": 0, "vote": 0, "author": { "username": "msudosos", "id": "381696", "avatar_url": "https://otx.alienvault.com/assets/images/default-avatar.png", "is_subscribed": false, "is_following": false }, "indicator_type_counts": { "FileHash-MD5": 18, "FileHash-SHA1": 18, "FileHash-SHA256": 2469, "URL": 287, "domain": 281, "hostname": 110, "IPv4": 5 }, "indicator_count": 3188, "is_author": false, "is_subscribing": null, "subscriber_count": 48, "modified_text": "15 days ago ", "is_modified": false, "groups": [], "in_group": false, "threat_hunter_scannable": true, "threat_hunter_has_agents": 1, "related_indicator_type": "domain", "related_indicator_is_active": 1 }, { "id": "69c2510383ceef34ed4df669", "name": "CAPE Sandbox", "description": "https://www.virustotal.com/gui/file/0cfb4d7ef8ad0e0378eb022ef107a0a6cc97e7e111228098e68ea8ac1c975a7e/relations", "modified": "2026-03-24T08:53:23.675000", "created": "2026-03-24T08:53:23.675000", "tags": [], "references": [], "public": 1, "adversary": "", "targeted_countries": [], "malware_families": [], "attack_ids": [ { "id": "T1014", "name": "Rootkit", "display_name": "T1014 - Rootkit" }, { "id": "T1036", "name": "Masquerading", "display_name": "T1036 - Masquerading" }, { "id": "T1055", "name": "Process Injection", "display_name": "T1055 - Process Injection" }, { "id": "T1057", "name": "Process Discovery", "display_name": "T1057 - Process Discovery" }, { "id": "T1059", "name": "Command and Scripting Interpreter", "display_name": "T1059 - Command and Scripting Interpreter" }, { "id": "T1064", "name": "Scripting", "display_name": "T1064 - Scripting" }, { "id": "T1071", "name": "Application Layer Protocol", "display_name": "T1071 - Application Layer Protocol" }, { "id": "T1082", "name": "System Information Discovery", "display_name": "T1082 - System Information Discovery" }, { "id": "T1106", "name": "Native API", "display_name": "T1106 - Native API" }, { "id": "T1485", "name": "Data Destruction", "display_name": "T1485 - Data Destruction" }, { "id": "T1496", "name": "Resource Hijacking", "display_name": "T1496 - Resource Hijacking" }, { "id": "T1497", "name": "Virtualization/Sandbox Evasion", "display_name": "T1497 - Virtualization/Sandbox Evasion" }, { "id": "T1539", "name": "Steal Web Session Cookie", "display_name": "T1539 - Steal Web Session Cookie" }, { "id": "T1542", "name": "Pre-OS Boot", "display_name": "T1542 - Pre-OS Boot" }, { "id": "T1548", "name": "Abuse Elevation Control Mechanism", "display_name": "T1548 - Abuse Elevation Control Mechanism" }, { "id": "T1564", "name": "Hide Artifacts", "display_name": "T1564 - Hide Artifacts" }, { "id": "T1573", "name": "Encrypted Channel", "display_name": "T1573 - Encrypted Channel" } ], "industries": [], "TLP": "green", "cloned_from": null, "export_count": 2, "upvotes_count": 0, "downvotes_count": 0, "votes_count": 0, "locked": false, "pulse_source": "web", "validator_count": 0, "comment_count": 0, "follower_count": 0, "vote": 0, "author": { "username": "msudosos", "id": "381696", "avatar_url": "https://otx.alienvault.com/assets/images/default-avatar.png", "is_subscribed": false, "is_following": false }, "indicator_type_counts": { "IPv4": 67, "FileHash-MD5": 131, "FileHash-SHA1": 109, "FileHash-SHA256": 109, "URL": 112, "domain": 82, "hostname": 126, "email": 1 }, "indicator_count": 737, "is_author": false, "is_subscribing": null, "subscriber_count": 47, "modified_text": "27 days ago ", "is_modified": false, "groups": [], "in_group": false, "threat_hunter_scannable": true, "threat_hunter_has_agents": 1, "related_indicator_type": "domain", "related_indicator_is_active": 1 }, { "id": "69c25100c3e5a6096402ade5", "name": "CAPE Sandbox", "description": "https://www.virustotal.com/gui/file/0cfb4d7ef8ad0e0378eb022ef107a0a6cc97e7e111228098e68ea8ac1c975a7e/relations", "modified": "2026-03-24T08:53:20.270000", "created": "2026-03-24T08:53:20.270000", "tags": [], "references": [], "public": 1, "adversary": "", "targeted_countries": [], "malware_families": [], "attack_ids": [ { "id": "T1014", "name": "Rootkit", "display_name": "T1014 - Rootkit" }, { "id": "T1036", "name": "Masquerading", "display_name": "T1036 - Masquerading" }, { "id": "T1055", "name": "Process Injection", "display_name": "T1055 - Process Injection" }, { "id": "T1057", "name": "Process Discovery", "display_name": "T1057 - Process Discovery" }, { "id": "T1059", "name": "Command and Scripting Interpreter", "display_name": "T1059 - Command and Scripting Interpreter" }, { "id": "T1064", "name": "Scripting", "display_name": "T1064 - Scripting" }, { "id": "T1071", "name": "Application Layer Protocol", "display_name": "T1071 - Application Layer Protocol" }, { "id": "T1082", "name": "System Information Discovery", "display_name": "T1082 - System Information Discovery" }, { "id": "T1106", "name": "Native API", "display_name": "T1106 - Native API" }, { "id": "T1485", "name": "Data Destruction", "display_name": "T1485 - Data Destruction" }, { "id": "T1496", "name": "Resource Hijacking", "display_name": "T1496 - Resource Hijacking" }, { "id": "T1497", "name": "Virtualization/Sandbox Evasion", "display_name": "T1497 - Virtualization/Sandbox Evasion" }, { "id": "T1539", "name": "Steal Web Session Cookie", "display_name": "T1539 - Steal Web Session Cookie" }, { "id": "T1542", "name": "Pre-OS Boot", "display_name": "T1542 - Pre-OS Boot" }, { "id": "T1548", "name": "Abuse Elevation Control Mechanism", "display_name": "T1548 - Abuse Elevation Control Mechanism" }, { "id": "T1564", "name": "Hide Artifacts", "display_name": "T1564 - Hide Artifacts" }, { "id": "T1573", "name": "Encrypted Channel", "display_name": "T1573 - Encrypted Channel" } ], "industries": [], "TLP": "green", "cloned_from": null, "export_count": 2, "upvotes_count": 0, "downvotes_count": 0, "votes_count": 0, "locked": false, "pulse_source": "web", "validator_count": 0, "comment_count": 0, "follower_count": 0, "vote": 0, "author": { "username": "msudosos", "id": "381696", "avatar_url": "https://otx.alienvault.com/assets/images/default-avatar.png", "is_subscribed": false, "is_following": false }, "indicator_type_counts": { "IPv4": 67, "FileHash-MD5": 131, "FileHash-SHA1": 109, "FileHash-SHA256": 109, "URL": 112, "domain": 82, "hostname": 126, "email": 1 }, "indicator_count": 737, "is_author": false, "is_subscribing": null, "subscriber_count": 47, "modified_text": "27 days ago ", "is_modified": false, "groups": [], "in_group": false, "threat_hunter_scannable": true, "threat_hunter_has_agents": 1, "related_indicator_type": "domain", "related_indicator_is_active": 1 }, { "id": "69c24230375c48e25e93161c", "name": "CAPE Sandbox", "description": "no problems.", "modified": "2026-03-24T08:08:11.711000", "created": "2026-03-24T07:50:08.453000", "tags": [], "references": [], "public": 1, "adversary": "", "targeted_countries": [], "malware_families": [], "attack_ids": [ { "id": "T1014", "name": "Rootkit", "display_name": "T1014 - Rootkit" }, { "id": "T1036", "name": "Masquerading", "display_name": "T1036 - Masquerading" }, { "id": "T1055", "name": "Process Injection", "display_name": "T1055 - Process Injection" }, { "id": "T1057", "name": "Process Discovery", "display_name": "T1057 - Process Discovery" }, { "id": "T1059", "name": "Command and Scripting Interpreter", "display_name": "T1059 - Command and Scripting Interpreter" }, { "id": "T1064", "name": "Scripting", "display_name": "T1064 - Scripting" }, { "id": "T1071", "name": "Application Layer Protocol", "display_name": "T1071 - Application Layer Protocol" }, { "id": "T1082", "name": "System Information Discovery", "display_name": "T1082 - System Information Discovery" }, { "id": "T1106", "name": "Native API", "display_name": "T1106 - Native API" }, { "id": "T1485", "name": "Data Destruction", "display_name": "T1485 - Data Destruction" }, { "id": "T1496", "name": "Resource Hijacking", "display_name": "T1496 - Resource Hijacking" }, { "id": "T1497", "name": "Virtualization/Sandbox Evasion", "display_name": "T1497 - Virtualization/Sandbox Evasion" }, { "id": "T1539", "name": "Steal Web Session Cookie", "display_name": "T1539 - Steal Web Session Cookie" }, { "id": "T1542", "name": "Pre-OS Boot", "display_name": "T1542 - Pre-OS Boot" }, { "id": "T1548", "name": "Abuse Elevation Control Mechanism", "display_name": "T1548 - Abuse Elevation Control Mechanism" }, { "id": "T1564", "name": "Hide Artifacts", "display_name": "T1564 - Hide Artifacts" }, { "id": "T1573", "name": "Encrypted Channel", "display_name": "T1573 - Encrypted Channel" } ], "industries": [], "TLP": "green", "cloned_from": null, "export_count": 0, "upvotes_count": 0, "downvotes_count": 0, "votes_count": 0, "locked": false, "pulse_source": "web", "validator_count": 0, "comment_count": 0, "follower_count": 0, "vote": 0, "author": { "username": "msudosos", "id": "381696", "avatar_url": "https://otx.alienvault.com/assets/images/default-avatar.png", "is_subscribed": false, "is_following": false }, "indicator_type_counts": { "FileHash-MD5": 277, "FileHash-SHA1": 232, "FileHash-SHA256": 232, "IPv4": 134, "URL": 260, "domain": 180, "hostname": 191, "email": 1 }, "indicator_count": 1507, "is_author": false, "is_subscribing": null, "subscriber_count": 48, "modified_text": "27 days ago ", "is_modified": true, "groups": [], "in_group": false, "threat_hunter_scannable": true, "threat_hunter_has_agents": 1, "related_indicator_type": "domain", "related_indicator_is_active": 1 }, { "id": "6916d97edb28b2616ffac3ab", "name": "njRAT| BazarLoader| Darkside 2020 .Beware \u2022 WebToolbar \u2022 Qbot", "description": "", "modified": "2025-11-14T07:41:19.912000", "created": "2025-11-14T07:25:50.524000", "tags": [ "whois record", "ssl certificate", "historical ssl", "resolutions", "referrer", "communicating", "subdomains", "domains", "problems", "urls http", "ransomware", "malware", "contacted", "dropped", "execution", "tsara brashears", "apple ios", "whois whois", "unlocker", "njrat", "core", "hacktool", "metro", "download", "critical", "copy", "relic", "monitoring", "installer", "awful", "open", "banker", "keylogger", "malicious", "tofsee", "mitre attack", "et", "cisco umbrella", "internet storm", "site", "covid19", "cyber threat", "safe site", "cobalt strike", "malicious url", "alexa", "script urls", "united", "a domains", "as396982 google", "as15169 google", "search", "cname", "accept encoding", "showing", "unknown", "date", "body", "meta", "encrypt", "domain related", "as396982", "creation date", "expiration date", "scan endpoints", "all octoseek", "hostname", "pulse submit", "url analysis", "passive dns", "urls", "next", "all search", "otx octoseek", "as7922 comcast", "as16276", "as54113", "aaaa", "france unknown", "as14061", "status", "as40509", "ip address", "for privacy", "as44273 host", "record value", "certificate", "gmt content", "x sucuri", "as8075", "nxdomain", "as30148 sucuri", "as20940", "as31898 oracle", "hong kong", "as139021", "msie", "chrome", "ipv4", "blacklist http", "detection list", "blacklist", "files", "location hong", "kong asn", "tags none", "indicator facts", "name verdict", "falcon sandbox", "mail spammer", "tor known", "tor relayrouter", "exit", "node tcp", "traffic", "heur", "malicious site", "alexa top", "million", "alexa proxy", "outbreak", "installcore", "acint", "conduit", "installpack", "iobit", "artemis", "dropper", "mediaget", "crack", "spammer", "france mail", "summary", "url summary", "phishing", "union", "team", "bank", "unsafe", "threat report", "ip summary", "pattern match", "script", "et tor", "known tor", "relayrouter", "node traffic", "misc attack", "beginstring", "null", "error", "span", "class", "generator", "refresh", "tools", "hybrid", "general", "click", "strings", "servers", "ps ord", "name servers", "poetry", "moved", "content length", "content type", "x powered", "poems", "poem", "topic", "topics", "poem topics", "free poems", "love poems", "romantic poems", "classic poems", "friendship poems", "shone pale", "herself", "heavens", "her beam", "a fleecy", "proud evening", "star", "thou bearest", "heaven", "than", "google", "http", "leasewebuklon11", "search live", "api blog", "docs pricing", "login", "february", "gb summary", "london", "april", "screenshot", "url https", "reverse dns", "general full", "name value", "frankfurt", "main", "germany", "asn15169", "resource", "hashes", "copyright", "gmbh version", "follow", "blacklist https", "phishing site", "malware site", "riskware", "opencandy", "cleaner", "iframe", "xtrat", "agent", "softcnapp", "generic", "patcher", "driverpack", "exploit", "mimikatz", "downldr", "presenoker", "fusioncore", "wacatac", "beach research", "trojanspy", "maltiverse", "firehol", "proxy", "anonymizer", "adware", "kuaizip", "downer", "tag count", "tue apr", "sample", "samples", "fakealert", "genkryptik", "icedid", "coinminer", "nircmd", "swrort", "systweak", "behav", "tiggre", "filetour", "quasar rat", "fuery", "bazaloader", "media", "facebook", "service", "runescape", "webtoolbar", "a9dia", "a1ginaprincipal", "emails", "registrar", "http header", "tcp traffic", "et useragents", "unknown traffic", "antivirus", "server", "gmt united", "accept", "local", "path", "falcon", "file", "ascii text", "windows nt", "png image", "appdata", "jpeg image", "indicator", "twitter", "westlaw njrat", "zuorat", "skynet bot", "glupteba", "asn4583", "thomsonreuters", "asn209242", "june", "back", "united kingdom", "cisco", "umbrella rank", "rank", "page url", "as autonomous", "system", "yndx", "ipasns ip", "november", "de summary", "comodo rsa", "security tls", "software", "resource hash", "security", "ecdhersa", "de indicators", "de page", "url history", "javascript", "gts ca", "secure server", "markmonitor", "ip information", "detail domains", "domain tree", "links certs", "frames domain", "requested", "threat roundup", "march", "threat round", "parent parent", "roundup", "january", "threats", "qbot", "cyberwar", "skynet", "radar ineractive", "control server", "engineering", "host", "services", "pony", "nanocore rat", "meterpreter", "zeus", "zbot", "suppobox", "stealer", "redline stealer", "dnspionage", "mirai", "nanocore", "bradesco", "emotet", "laplasclipper", "asn16276", "get h2", "kb image", "august", "kali", "localappdata", "network traffic", "binary file", "svg scalable", "vector graphics", "mwin", "domain", "url http", "pulse pulses", "related nids", "files location", "customer", "address", "as29789", "hosting", "location united", "status hostname", "query type", "address first", "seen last", "seen asn", "country unknown", "urls date", "checked url", "hostname server", "response ip", "address google", "safe browsing", "present mar", "pulse indicator", "protocol h2", "value", "variables", "waypoint object", "gsqueue", "isotope", "hostnames", "ice fog", "maltiverse top", "financial", "as62597 nsone", "sec ch", "domains show", "entries", "as14720 gamma", "canada unknown", "as397241", "as13335", "applicunwnt", "xrat", "maltiverse safe", "aig", "soc", "hallrender", "brian sabey", "mark brian sabey", "sabey", "mark", "sabey", "data center", "malvertizing", "malware host", "scanning host", "botnetwork", "colorado", "edsaid", "geotracking", "satellite tracking", "radar tracking", "pornhub", "child teen content illegal", "social engineering", "cyber stalking", "CVE-2023-4966", "device control", "camera usage", "hidden users", "message interception", "text archiver", "mail collection", "remote attacks", "js", "python", "inject", "sql", "extraction", "AIG Claims", "hallrender.com", "soc", "milemighmedia", "westlaw", "revengeporn", "bot", "regex", "ai", "yandex" ], "references": [ "web2.westlaw.com (redirects to thbrzzrstr.me)", "http://web2.westlaw.com/ (redirect) https://signon.thomsonreuters.com/?productid=CBT&lr=0&culture=en-US&returnto=https%3a%2f%2f1.next.westlaw.com%...", "https://hybrid-analysis.com/sample/8bf763ce9396c4569afbae58392097fd57408339c0ac59ec256468c9fd8ac4c5/6548ebfe56b25bab28017757", "https://urlscan.io/result/2285cee3-1e08-4e63-b48f-ee685e008480/#summary", "https://hybrid-analysis.com/sample/86479bf7c9a675913b93a0d399f5cbe0c0e8003239e93ae5e00f97cdbc5ec5ba/5c5c13577ca3e12626364777", "https://urlscan.io/result/4f0cabbf-9716-47dd-bd5c-038a953e6672/", "Malware Host: HallRender.com", "riverside.rocks (safebae.com remote uTorrent) https://hybrid-analysis.com/sample/11108ef17bd75f36e0d22d95b1f3bde3e9fa968a78a24c2d2508f4238e22651d/6326a50be4a8a71b885f5bf3", "safebae.org", "http://auditrage.top/Rossmaansywh/tb.php?wmtvjltu (phishing | cybercrime)", "Hallrender.com and Westlaw.com.= http://auditrage.top/Rossmaansywh/tb.php?wmtvjltu", "Poemhunter.com + rally point.com = pornhub.dev", "Pornhub dev VT community: https://www.virustotal.com/gui/domain/pornhub.dev/community", "Poemhunter.com: https://hybrid-analysis.com/sample/86479bf7c9a675913b93a0d399f5cbe0c0e8003239e93ae5e00f97cdbc5ec5ba", "https://www.poemhunter.com/tsara-brashears/poems/: https://urlscan.io/result/4f0cabbf-9716-47dd-bd5c-038a953e6672/", "Rallypoint.com https://hybrid-analysis.com/sample/66287c2c36699037cb504201693e26b5f3282cebde1d1c78aecd6f97f04fb694", "Malicious revenge malvertizing: https://www.milehighmedia.com/legal/2257", "https://www.anyxxxtube.net/search-porn/tsara-brashears/", "https://matrix.pornhub.dev", "nr-data.net", "https://www.hallrender.com/wp-content/themes/Hall-Render/assets/icons/apple-touch-icon-76x76.png", "https://www.hallrender.com/wp-content/themes/Hall-Render/assets/icons/apple-touch-icon.png", "https://apple.pantion.top/", "newrelic.se", "user-apple.info", "appleid-comloginaccount.info", "init-p01st.push.apple.com", "boostmobile.com", "www.metrobyt-mobile.com", "http://bpdb.portal.gov.bd:3128/sites/default/files/files/bpdb.portal.gov.bd/npfblock/2021-34bc869d2906198362a4346373ce5b94.jpg", "https://b.link/infringement", "my.mintmobile.com", "CVE-2023-4966", "http://watchhers.net/index.php", "https://rr2---sn-4g5ednsz.googlevideo.com/videoplayback?expire=1699319292&ei=nDlJZfb4G43E-gaYt5XoDg&ip=2001%3A1b60%3A2%3A240%3A3247%3A%3A" ], "public": 1, "adversary": "", "targeted_countries": [ "Spain", "Netherlands", "Canada", "United States of America" ], "malware_families": [ { "id": "Tsara Brashears", "display_name": "Tsara Brashears", "target": null }, { "id": "Mitre Attack", "display_name": "Mitre Attack", "target": null }, { "id": "ET", "display_name": "ET", "target": null }, { "id": "Beach Research", "display_name": "Beach Research", "target": null }, { "id": "TrojanSpy", "display_name": "TrojanSpy", "target": null }, { "id": "Maltiverse", "display_name": "Maltiverse", "target": null }, { "id": "WebToolbar", "display_name": "WebToolbar", "target": null }, { "id": "Radar Ineractive", "display_name": "Radar Ineractive", "target": null } ], "attack_ids": [ { "id": "T1056", "name": "Input Capture", "display_name": "T1056 - Input Capture" }, { "id": "T1027", "name": "Obfuscated Files or Information", "display_name": "T1027 - Obfuscated Files or Information" }, { "id": "T1090", "name": "Proxy", "display_name": "T1090 - Proxy" }, { "id": "T1059", "name": "Command and Scripting Interpreter", "display_name": "T1059 - Command and Scripting Interpreter" }, { "id": "T1071", "name": "Application Layer Protocol", "display_name": "T1071 - Application Layer Protocol" }, { "id": "T1105", "name": "Ingress Tool Transfer", "display_name": "T1105 - Ingress Tool Transfer" }, { "id": "T1497", "name": "Virtualization/Sandbox Evasion", "display_name": "T1497 - Virtualization/Sandbox Evasion" }, { "id": "T1140", "name": "Deobfuscate/Decode Files or Information", "display_name": "T1140 - Deobfuscate/Decode Files or Information" }, { "id": "T1566", "name": "Phishing", "display_name": "T1566 - Phishing" }, { "id": "T1043", "name": "Commonly Used Port", "display_name": "T1043 - Commonly Used Port" }, { "id": "T1179", "name": "Hooking", "display_name": "T1179 - Hooking" }, { "id": "T1071.004", "name": "DNS", "display_name": "T1071.004 - DNS" }, { "id": "T1071.001", "name": "Web Protocols", "display_name": "T1071.001 - Web Protocols" }, { "id": "TA0004", "name": "Privilege Escalation", "display_name": "TA0004 - Privilege Escalation" }, { "id": "T1210", "name": "Exploitation of Remote Services", "display_name": "T1210 - Exploitation of Remote Services" }, { "id": "T1068", "name": "Exploitation for Privilege Escalation", "display_name": "T1068 - Exploitation for Privilege Escalation" }, { "id": "T1450", "name": "Exploit SS7 to Track Device Location", "display_name": "T1450 - Exploit SS7 to Track Device Location" }, { "id": "T1114", "name": "Email Collection", "display_name": "T1114 - Email Collection" }, { "id": "T1176", "name": "Browser Extensions", "display_name": "T1176 - Browser Extensions" }, { "id": "T1573", "name": "Encrypted Channel", "display_name": "T1573 - Encrypted Channel" }, { "id": "T1003", "name": "OS Credential Dumping", "display_name": "T1003 - OS Credential Dumping" }, { "id": "T1423", "name": "Network Service Scanning", "display_name": "T1423 - Network Service Scanning" }, { "id": "T1035", "name": "Service Execution", "display_name": "T1035 - Service Execution" }, { "id": "T1563", "name": "Remote Service Session Hijacking", "display_name": "T1563 - Remote Service Session Hijacking" }, { "id": "T1056.001", "name": "Keylogging", "display_name": "T1056.001 - Keylogging" }, { "id": "T1110.002", "name": "Password Cracking", "display_name": "T1110.002 - Password Cracking" }, { "id": "T1427", "name": "Attack PC via USB Connection", "display_name": "T1427 - Attack PC via USB Connection" }, { "id": "T1445", "name": "Abuse of iOS Enterprise App Signing Key", "display_name": "T1445 - Abuse of iOS Enterprise App Signing Key" }, { "id": "T1453", "name": "Abuse Accessibility Features", "display_name": "T1453 - Abuse Accessibility Features" }, { "id": "T1472", "name": "Generate Fraudulent Advertising Revenue", "display_name": "T1472 - Generate Fraudulent Advertising Revenue" }, { "id": "T1173", "name": "Dynamic Data Exchange", "display_name": "T1173 - Dynamic Data Exchange" }, { "id": "T1410", "name": "Network Traffic Capture or Redirection", "display_name": "T1410 - Network Traffic Capture or Redirection" } ], "industries": [], "TLP": "green", "cloned_from": "654971c396ca4306a6534b12", "export_count": 16, "upvotes_count": 0, "downvotes_count": 0, "votes_count": 0, "locked": false, "pulse_source": "web", "validator_count": 0, "comment_count": 0, "follower_count": 0, "vote": 0, "author": { "username": "Q.Vashti", "id": "337942", "avatar_url": "https://otx.alienvault.com/assets/images/default-avatar.png", "is_subscribed": false, "is_following": false }, "indicator_type_counts": { "domain": 4037, "hostname": 2241, "URL": 2516, "FileHash-MD5": 1224, "FileHash-SHA1": 783, "FileHash-SHA256": 2796, "CVE": 10, "email": 25 }, "indicator_count": 13632, "is_author": false, "is_subscribing": null, "subscriber_count": 142, "modified_text": "157 days ago ", "is_modified": true, "groups": [], "in_group": false, "threat_hunter_scannable": true, "threat_hunter_has_agents": 1, "related_indicator_type": "domain", "related_indicator_is_active": 1 } ], "error": null, "vt": { "error": "VirusTotal rate limit reached. Try again shortly.", "indicator": "git.io", "type": "Domain" }, "abuseipdb": null, "urlhaus": { "indicator": "git.io", "found": true, "verdict": "malicious", "url_count": 1, "online_count": 0, "blacklists": { "spamhaus_dbl": "not listed", "surbl": "not listed" }, "urls": [ { "url": "https://git.io/v2ray.sh", "status": "offline", "threat": "malware_download", "date_added": "2021-12-10", "tags": [] } ], "error": null }, "from_cache": true, "_cached_at": 1776692045.4744084 }