{
  "type": "Domain",
  "indicator": "network-pre.target",
  "general": {
    "sections": [
      "general",
      "geo",
      "url_list",
      "passive_dns",
      "malware",
      "whois",
      "http_scans"
    ],
    "whois": "http://whois.domaintools.com/network-pre.target",
    "alexa": "http://www.alexa.com/siteinfo/network-pre.target",
    "indicator": "network-pre.target",
    "type": "domain",
    "type_title": "Domain",
    "validation": [],
    "base_indicator": {
      "id": 3863985168,
      "indicator": "network-pre.target",
      "type": "domain",
      "title": "",
      "description": "",
      "content": "",
      "access_type": "public",
      "access_reason": ""
    },
    "pulse_info": {
      "count": 5,
      "pulses": [
        {
          "id": "6a16ac90f5b7cde86d323464",
          "name": "[\"backup ios...\"] clone by Merkd1904. User note: theres a name tagged here thats interesting",
          "description": "",
          "modified": "2026-05-27T08:34:24.654000",
          "created": "2026-05-27T08:34:24.654000",
          "tags": [
            "fireeye",
            "copyright",
            "base64",
            "dotnettojscript",
            "gadgettojscript",
            "invokeclient",
            "invokeserver",
            "readhost enter",
            "command",
            "roth",
            "nextron",
            "sandworm",
            "detects ssh",
            "grant all",
            "privileges on",
            "to mysqldb",
            "create user",
            "g root",
            "sandworm python",
            "import",
            "phpsploit",
            "host",
            "user",
            "pass",
            "error",
            "establish",
            "pecl oci8",
            "connstr",
            "charset",
            "false",
            "miner",
            "texthtml",
            "module",
            "send custom",
            "swissky",
            "class",
            "serviceip",
            "serviceport",
            "servicedata",
            "e binsh",
            "init",
            "service port",
            "detects",
            "cve202140444",
            "target",
            "targetmode",
            "jeremy brown",
            "windows cve",
            "ms office",
            "modified rule",
            "rperm",
            "wperm",
            "pathsep",
            "string",
            "rwxrxrx",
            "file types",
            "unix",
            "login",
            "autentication",
            "disable",
            "ldapconnect",
            "version",
            "authentication",
            "ldaplist",
            "null",
            "pathelems",
            "execute",
            "backdoor",
            "kingdee oa",
            "yunxingkong",
            "b6oa",
            "code execution",
            "kingdee cloud",
            "starry sky",
            "otherwise",
            "file",
            "setsmartdate",
            "fread",
            "name",
            "force",
            "base64decode",
            "data",
            "substr",
            "array",
            "readdir",
            "getowner",
            "getgroup",
            "getsize",
            "force option",
            "fwrite",
            "permission",
            "check",
            "mode",
            "diraccess",
            "fileaccess",
            "realpath",
            "stat",
            "immutable",
            "posixgetpwuid",
            "posixgetgrgid",
            "explode",
            "etcpasswd",
            "glob",
            "globonlydir",
            "oraclelogin",
            "port",
            "servicename",
            "connector",
            "base",
            "query type",
            "mssqlfetcharray",
            "mssqlassoc",
            "solsocket",
            "timeout",
            "range",
            "portmin",
            "portmax",
            "socketcreate",
            "afinet",
            "sockstream",
            "open",
            "type",
            "true",
            "tcp connection",
            "tcp shell",
            "input",
            "lhost",
            "netcat",
            "lport",
            "shell",
            "dllimport",
            "python",
            "back",
            "fore",
            "pfinet",
            "stdout",
            "this",
            "win32",
            "ldapsearch",
            "select",
            "mysqliassoc",
            "select database",
            "send",
            "newfile",
            "dns stub",
            "third party",
            "see man",
            "exit",
            "o pipefail",
            "v systemctl",
            "devnull",
            "unknown verb",
            "license",
            "gnu lesser",
            "general public",
            "free software",
            "foundation",
            "unit",
            "slice",
            "cpuweight100",
            "tasks slice",
            "cpuweight30",
            "capev2",
            "cape",
            "cuckoo web",
            "setup",
            "grep",
            "limitnofile",
            "install",
            "return",
            "execstart",
            "start",
            "descriptionrun",
            "timer",
            "oncalendardaily",
            "service",
            "prevent rate",
            "delay start",
            "m poetry",
            "sigkill",
            "descriptioncape",
            "ef usercape",
            "g cape",
            "allowisolateyes",
            "typedbus",
            "socket",
            "message bus",
            "listenstream",
            "typenotify",
            "descriptionuser",
            "harald sitter",
            "sitter",
            "kcrash",
            "drkonqi",
            "acceptyes",
            "disable trigger",
            "todo",
            "prevents",
            "path",
            "pathexistsglob",
            "runtimemaxsec31",
            "runtimemaxsec30",
            "restartno",
            "descriptionexit",
            "environmentfile",
            "otheropts",
            "soundfont",
            "descriptiongcr",
            "sshauthsock",
            "descriptionglib",
            "priority6",
            "killmodeprocess",
            "proxy",
            "socketmode0600",
            "apache software",
            "notice file",
            "apache license",
            "unless",
            "as is",
            "basis",
            "or conditions",
            "apple file",
            "conduit monitor",
            "descriptionjack",
            "jackoptions d",
            "driver d",
            "device",
            "media transfer",
            "indexer daemon",
            "memory",
            "memoryhigh512m",
            "system sockets",
            "a user",
            "conditionuser",
            "dbus menus",
            "plasma",
            "phase",
            "workspace core",
            "exit status",
            "x11 connection",
            "timeoutstopsec5",
            "disable restart",
            "timeoutsec40sec",
            "typeoneshot",
            "david edmundson",
            "davidedmundson",
            "osd service",
            "portal",
            "auto restart",
            "dbus",
            "xembed system",
            "logging system",
            "socketmode0660",
            "all containers",
            "restart policy",
            "logging start",
            "execstopbinsh c",
            "logging",
            "x11 plugins",
            "session slice",
            "typeforking",
            "etc userroot",
            "grouproot",
            "onbootsec15min",
            "place",
            "temporary",
            "volatile files",
            "thunar",
            "session manager",
            "wireplumber",
            "service file",
            "xdg autostart",
            "user dir",
            "descriptionxfce",
            "sandbox",
            "malware",
            "analysis",
            "online",
            "submit",
            "vxstream",
            "sample",
            "download",
            "trojan",
            "apt",
            "memoryfile scan",
            "ansi",
            "bpf program",
            "indicator",
            "bpf firewalling",
            "pcap",
            "pcap processing",
            "bpffallowmulti",
            "bpf device",
            "date",
            "suspicious",
            "hybrid",
            "crypto",
            "close",
            "click",
            "april",
            "strings",
            "february",
            "middle",
            "exploit",
            "gameover",
            "contact",
            "scope",
            "thomas koch",
            "gpl v2",
            "imsm",
            "ibftruledir",
            "ibftrules",
            "attr",
            "systemd rule",
            "hannes reinecke",
            "suse labs",
            "ipibft",
            "interface",
            "kernel",
            "configfile",
            "typesimple",
            "apparmor",
            "grouparchaudit",
            "hardening",
            "umask077",
            "persistenttrue",
            "enable debug",
            "networkmanager",
            "trace",
            "wait online",
            "edit",
            "note",
            "reload",
            "capdacoverride",
            "dhcp etc",
            "mdadmscan",
            "mdadmdelay",
            "mdadmmail",
            "mdadmprogram",
            "mdadmconfig",
            "mdadmsendmail",
            "p runsysconfig",
            "userroot",
            "sssd",
            "write access",
            "needed sometime",
            "statedirectory",
            "accountsservice",
            "varloglastlog",
            "bridge daemon",
            "alsa card",
            "card state",
            "required",
            "another auto",
            "nice daemon",
            "memorymax64m",
            "filter system",
            "mount",
            "reboot",
            "clock",
            "logging service",
            "requires",
            "before",
            "please",
            "exit codes",
            "proc",
            "descriptionruns",
            "execstartsh c",
            "switchtoggle",
            "ignoreonisolate",
            "term typeidle",
            "without",
            "any warranty",
            "merchantability",
            "fitness",
            "a particular",
            "vartmp",
            "wants type",
            "preparation",
            "watchdogsec10",
            "filesystem",
            "timer daemon",
            "options",
            "environment",
            "prevent",
            "readwritepaths",
            "security",
            "certain",
            "protectsystem",
            "bindpaths",
            "lower cpu",
            "nice19",
            "manager",
            "userc",
            "celerydnodes",
            "info",
            "chaddevops",
            "aaron brighton",
            "clam antivirus",
            "jon kriel",
            "distribution",
            "script",
            "sanesecurity",
            "securiteinfo",
            "malwarepatrol",
            "oitc",
            "file location",
            "remember",
            "typeexec user",
            "9 cntlm",
            "generate color",
            "profiles",
            "removeipctrue",
            "devpts",
            "authors",
            "any kind",
            "usercouchdb",
            "restartsec5",
            "volumes",
            "server socket",
            "user209",
            "daemon",
            "darkstatiface",
            "reloadconfig",
            "watchdogsec3min",
            "privatetmpyes",
            "protectproc",
            "increase",
            "descriptiontime",
            "date service",
            "debugging only",
            "ignoresigpipeno",
            "unset locale",
            "file system",
            "queue file",
            "whatmqueue",
            "optionsnosuid",
            "pf rundhclient",
            "rate",
            "requiresdirmngr",
            "capfowner",
            "capsetpcap",
            "dhcp",
            "dns server",
            "startlimit",
            "limits",
            "delegateyes",
            "descriptionpass",
            "runtimemaxsec5",
            "mountain",
            "metadata check",
            "all filesystems",
            "online metadata",
            "sunday",
            "oncalendarsun",
            "online ext4",
            "sigterm signal",
            "java process",
            "piddir",
            "standardoutput",
            "elasticsearch",
            "limitnproc4096",
            "limitasinfinity",
            "sendsighupyes",
            "mapper daemon",
            "mainpid",
            "quit",
            "listenstream79",
            "radius server",
            "d etcraddb",
            "protecthomeon",
            "default",
            "systemservice",
            "efiefi bootefi",
            "afinet afinet6",
            "afunix afinet",
            "oncalendar 0000",
            "privatetmptrue",
            "geoip legacy",
            "geoip2",
            "instance",
            "usergit",
            "scdconfig",
            "notice",
            "devinputmice t",
            "descriptiongps",
            "system",
            "sock refclock",
            "gpsdoptions",
            "devices",
            "daemon sockets",
            "2947",
            "bindipv6onlyyes",
            "usbauto",
            "usrbingpsdctl",
            "gps daemon",
            "afterdev",
            "gvmddata",
            "varlibgssproxy",
            "nonewprivileges",
            "privatetmp",
            "protecthome",
            "ieee",
            "etchostapd",
            "killmodemixed",
            "fcopy",
            "uncomment",
            "use sigterm",
            "sigkill i2pd",
            "sendsigkillyes",
            "limitnofile8192",
            "systemd",
            "analog",
            "shutting down",
            "iodineextip p",
            "iodineport p",
            "iodineuser",
            "tunip",
            "topdomain",
            "guessmainpidyes",
            "m node",
            "wants",
            "initiatorname",
            "io driver",
            "typeexec",
            "c etckcptun",
            "usernobody",
            "requireskeyboxd",
            "static device",
            "nofork",
            "restartalways",
            "linker cache",
            "hack",
            "use wants",
            "raise",
            "tasksmax",
            "tasksmax32768",
            "limitmemlock64m",
            "removeonstopyes",
            "ip socket",
            "tls ip",
            "conflictsgetty",
            "aftergetty",
            "busmodules",
            "qabr",
            "hwmonmodules",
            "local file",
            "privatenetwork",
            "lvm2",
            "initialization",
            "autoboot code",
            "s delegatetrue",
            "description",
            "pidfilerunlxc",
            "lynis service",
            "adjust path",
            "lynis binary",
            "lynis timer",
            "tell systemd",
            "lynis security",
            "persistentfalse",
            "container slice",
            "recover",
            "varcacheman",
            "regenerate man",
            "userroot nice19",
            "mysqldopts",
            "mysqldsafe",
            "timezone",
            "core",
            "restart",
            "users",
            "backlog150",
            "listenstreams",
            "servicemariadb",
            "mechanism",
            "mariadb",
            "multi instance",
            "variables",
            "bindirmdadm",
            "gnu general",
            "public license",
            "reshape",
            "onactivesec30",
            "oncalendar",
            "wantedby",
            "monitor",
            "allow mdmon",
            "takeover",
            "k none",
            "c devnull",
            "d runinitramfs",
            "p runmongodb",
            "limitnproc32000",
            "limitmemlock5",
            "device server",
            "requiredbydev",
            "d dev",
            "descriptionreal",
            "extraopts",
            "restartsec30",
            "valid",
            "fifo",
            "priority",
            "batch",
            "nice0",
            "partof",
            "tracking daemon",
            "helper",
            "for testing",
            "only",
            "restrict",
            "grant",
            "capsysptrace",
            "capkill",
            "capipclock",
            "environ",
            "capsysresource",
            "capsyslog",
            "descriptionname",
            "service cache",
            "sysvlsb",
            "descriptionhost",
            "network name",
            "group name",
            "u ntp",
            "time service",
            "t hibernate",
            "software",
            "other",
            "the software",
            "daemon init",
            "software is",
            "provided",
            "fcnvme",
            "wantsmodprobe",
            "aftermodprobe",
            "descriptionall",
            "nbft",
            "nvmeof",
            "connectargs",
            "unit file",
            "descriptionnvmf",
            "red hat",
            "without any",
            "warranty",
            "card daemon",
            "socketmode0666",
            "suite result",
            "kexec screen",
            "oncalendarsat",
            "boot screen",
            "timeoutsec20",
            "power off",
            "runtime data",
            "descriptionhold",
            "timeoutsec0",
            "sandboxing",
            "execstop",
            "colin walters",
            "upgrade",
            "upgrade output",
            "umask0077",
            "transport agent",
            "descriptionmake",
            "descriptionppp",
            "whatnfsd",
            "file formats",
            "automount point",
            "automount",
            "setuid nobody",
            "setgid nobody",
            "setcon",
            "syslog",
            "restartonabort",
            "halt screen",
            "reboot screen",
            "pgroot",
            "postgresql",
            "oom killer",
            "additional",
            "fy nice19",
            "endless os",
            "foundation llc",
            "restartsec0",
            "system quotas",
            "rabbitmq",
            "protecthometrue",
            "etcrathole",
            "guessmainpidno",
            "h etcrdnssd",
            "reflector",
            "afinet6 afunix",
            "umask177",
            "remote file",
            "nfs client",
            "nfsv23 locking",
            "make sure",
            "rpc netconfig",
            "descriptionfast",
            "using ssh",
            "so let",
            "boot",
            "realtimekit",
            "rwhodopts",
            "display manager",
            "specify",
            "interval l",
            "loginterval f",
            "bindstodev",
            "always",
            "usrbingrpck r",
            "slapdoptions",
            "u ldap",
            "slapdurls",
            "smart",
            "pciusb",
            "midi",
            "daemonopts",
            "snmp",
            "trap daemon",
            "g snort",
            "descriptionsudo",
            "hibernate",
            "svnserveargs",
            "whatfusectl",
            "whatconfigfs",
            "whatdebugfs",
            "whattracefs",
            "best way",
            "see https",
            "units service",
            "service slice",
            "offline system",
            "update",
            "wall directory",
            "timeoutsec90s",
            "descriptionmark",
            "current boot",
            "loader entry",
            "any system",
            "units",
            "loader random",
            "loader update",
            "service socket",
            "dump socket",
            "optionally",
            "root device",
            "afalg afinet",
            "execstophomectl",
            "home area",
            "named pipe",
            "sink service",
            "sink socket",
            "upload service",
            "dynamicuseryes",
            "sigkilled",
            "devlog",
            "timestampingus",
            "namespace",
            "sendbuffer8m",
            "kernel command",
            "netlink socket",
            "storage",
            "descriptionwait",
            "network",
            "make",
            "deviceallow",
            "reserve",
            "killer socket",
            "root file",
            "measurement",
            "pcr policy",
            "tpm pcr",
            "code",
            "configuration",
            "machine id",
            "barrier",
            "quota check",
            "system quota",
            "after",
            "random seed",
            "kernel file",
            "gpt partition",
            "kill switch",
            "nvmetcp",
            "trigger",
            "saturday",
            "persistentyes",
            "system update",
            "kernel time",
            "capsystime",
            "ntp service",
            "turn",
            "files",
            "device nodes",
            "srk setup",
            "device events",
            "bootshutdown",
            "change",
            "manager socket",
            "descriptiontinc",
            "proxy server",
            "linrunner",
            "descriptiontlp",
            "tor service",
            "f etctortorrc",
            "tpm device",
            "descriptionudp",
            "tcpicmpudp",
            "etcudp2raw",
            "debug",
            "swap",
            "api file",
            "privatedevices",
            "home",
            "root",
            "runuser",
            "linux control",
            "groups",
            "group",
            "afnetlink",
            "locked memory",
            "limitmemlock0",
            "usb gadget",
            "apple",
            "sliceuser",
            "descriptionuuid",
            "compatibility",
            "typerpcpipefs",
            "vmsvga",
            "hypervisor",
            "usr1",
            "mgmt appuser",
            "dac permission",
            "selinux",
            "xxx someone",
            "qemu",
            "machine tools",
            "vmware tools",
            "pidfilerunvpnc",
            "wacom",
            "iface d",
            "dspeed u",
            "iface",
            "descriptionwpa",
            "oracle",
            "reserved",
            "wong",
            "emailaddr",
            "tunnel protocol",
            "l2tp",
            "isps",
            "russia use",
            "ipsec",
            "d optxplico",
            "b sqlite",
            "descriptionxrdp",
            "xrdpoptions",
            "process",
            "sesmanoptions",
            "zpoolimportopts",
            "an o",
            "t scrub",
            "usrbinzpool",
            "zfs volume",
            "descriptionzfs",
            "f restartalways",
            "remainafterexit",
            "nmbdoptions",
            "smbdoptions",
            "successaction",
            "winbindoptions",
            "ck id",
            "hybrid analysis",
            "mitre att",
            "malicious",
            "sdshared ansi",
            "default und",
            "func global",
            "func local",
            "object local",
            "general",
            "show technique",
            "ck matrix",
            "tasksmax33",
            "empty file",
            "proxycommand",
            "checkhostip",
            "afunix",
            "afvsock",
            "allow",
            "r table",
            "chkbootcheck",
            "gplv2 source",
            "chkbootstyles",
            "etcissue",
            "partition",
            "minimizebest",
            "mit no",
            "match",
            "link",
            "namepolicykeep",
            "ethernet link",
            "kindveth nameve",
            "kindveth namevb",
            "keepmasteryes",
            "dhcpv4",
            "kindsit name6rd",
            "ipv4ll",
            "ipv6ll",
            "dhcpipv6ra",
            "dhcpv6",
            "typeether",
            "dhcpyes",
            "usetimezoneyes",
            "typewlan",
            "tuntap",
            "natdhcp",
            "kindtun namevt",
            "kind",
            "originalname",
            "definedby",
            "peer",
            "sopeergroups",
            "dbus protocol",
            "dbus name",
            "exec",
            "hup signal",
            "sighup",
            "dnssec",
            "sessionid",
            "seatid",
            "sleep",
            "leader",
            "jobresult",
            "coredumppid",
            "coredumpcomm",
            "junit",
            "na zapusk",
            "mikrasiekund",
            "enhed",
            "mikrosekunder",
            "opstart",
            "jobid",
            "a rendszer",
            "ezredmsodpercet",
            "a rendszernapl",
            "user manager",
            "smack",
            "lunit",
            "stato",
            "il processo",
            "il sistema",
            "stata",
            "le processus",
            "notez que",
            "jedinica",
            "zapamtite da",
            "nova",
            "jednostka",
            "prosz zauway",
            "zwykle wskazuje",
            "jest",
            "o processo",
            "processo",
            "isso",
            "inicializao",
            "journal",
            "sizelimit",
            "userid",
            "prozess",
            "speicherabbild",
            "hinweis auf",
            "programmfehler",
            "fehler dem",
            "die systemzeit",
            "realtime"
          ],
          "references": [
            "Hunting_B64Engine_DotNetToJScript_Dos.yar",
            "APT_Backdoor_PS1_BASICPIPESHELL_1.yar",
            "apt_sandworm_exim_expl.yar.002",
            "apt_sandworm_exim_expl.yar.001",
            "apt_sandworm_exim_expl.yar",
            "connect.php",
            "connect.php.002",
            "connect.php.001",
            "crypto-miner.js",
            "eicar",
            "eicar.001",
            "eicar.002",
            "custom.py",
            "eicar.txt",
            "expl_cve_2021_40444.yar.001",
            "expl_cve_2021_40444.yar.002",
            "getPerms.php",
            "input.pcap",
            "list.php",
            "parent.php",
            "payload.php",
            "payload.php.001",
            "kingdee-erp-rce.yaml",
            "payload.php.003",
            "payload.php.002",
            "payload.php.004",
            "payload.php.005",
            "payload.php.006",
            "payload.php.007",
            "payload.php.008",
            "payload.php.010",
            "payload.php.011",
            "payload.php.009",
            "payload.php.012",
            "payload.php.013",
            "payload.php.015",
            "payload.php.016",
            "payload.php.017",
            "reverse_tcp.py",
            "scanner.php",
            "search.php",
            "setdb.php",
            "payload.php.014",
            "setdb.php.001",
            "reader.php",
            "single.php",
            "resolv.conf",
            "systemd-update-helper",
            "90-systemd.preset",
            "60-flatpak",
            "app.slice",
            "background.slice",
            "README.md",
            "bluetooth.target",
            "basic.target",
            "borgmatic-user.timer",
            "borgmatic-user.service",
            "cape.service",
            "cape-dist.service",
            "cape-processor.service",
            "cape-rooter.service",
            "capsule@.target",
            "cape-web.service",
            "clash.service",
            "colord-session.service",
            "dbus.socket",
            "cape-fstab.service",
            "dbus.service",
            "dbus-broker.service",
            "dconf.service",
            "dirmngr.service",
            "default.target",
            "drkonqi-coredump-cleanup.service",
            "dirmngr.socket",
            "drkonqi-coredump-cleanup.timer",
            "drkonqi-coredump-launcher.socket",
            "drkonqi-sentry-postman.path",
            "drkonqi-coredump-pickup.service",
            "drkonqi-sentry-postman.service",
            "drkonqi-sentry-postman.timer",
            "drkonqi-coredump-launcher@.service",
            "dunst.service",
            "flatpak-oci-authenticator.service",
            "filter-chain.service",
            "exit.target",
            "flatpak-session-helper.service",
            "fluidsynth.service",
            "gcr-ssh-agent.socket",
            "flatpak-portal.service",
            "gcr-ssh-agent.service",
            "gnome-keyring-daemon.service",
            "glib-pacrunner.service",
            "gnome-keyring-daemon.socket",
            "gpg-agent-ssh.socket",
            "gnome-terminal-server.service",
            "gpg-agent-extra.socket",
            "gpg-agent.service",
            "gpg-agent.socket",
            "gpg-agent-browser.socket",
            "graphical-session-pre.target",
            "graphical-session.target",
            "gssuserproxy.socket",
            "guacd.service",
            "gvfs-gphoto2-volume-monitor.service",
            "gvfs-daemon.service",
            "gssuserproxy.service",
            "gvfs-afc-volume-monitor.service",
            "gvfs-metadata.service",
            "jack@.service",
            "guac-web.service",
            "gvfs-udisks2-volume-monitor.service",
            "gvfs-mtp-volume-monitor.service",
            "kde-baloo.service",
            "keyboxd.service",
            "kio-fuse.service",
            "keyboxd.socket",
            "p11-kit-server.service",
            "p11-kit-server.socket",
            "paths.target",
            "pipewire.socket",
            "pipewire-pulse.service",
            "plasma-gmenudbusmenuproxy.service",
            "pipewire-pulse.socket",
            "plasma-baloorunner.service",
            "plasma-kcminit.service",
            "plasma-dolphin.service",
            "plasma-kcminit-phase1.service",
            "plasma-core.target",
            "plasma-kded.service",
            "pipewire.service",
            "plasma-kded6.service",
            "plasma-kglobalaccel.service",
            "at-spi-dbus-bus.service",
            "plasma-krunner.service",
            "plasma-kscreen.service",
            "plasma-kscreen-osd.service",
            "plasma-ksmserver.service",
            "plasma-ksplash.service",
            "plasma-ksplash-ready.service",
            "plasma-ksystemstats.service",
            "plasma-kwallet-pam.service",
            "plasma-kwin_wayland.service",
            "plasma-kwin_x11.service",
            "plasma-plasmashell.service",
            "plasma-polkit-agent.service",
            "plasma-powerdevil.service",
            "plasma-powerprofile-osd.service",
            "plasma-restoresession.service",
            "plasma-workspace.target",
            "plasma-workspace-wayland.target",
            "plasma-workspace-x11.target",
            "plasma-xdg-desktop-portal-kde.service",
            "plasma-xembedsniproxy.service",
            "podman.service",
            "podman.socket",
            "podman-auto-update.service",
            "podman-auto-update.timer",
            "podman-kube@.service",
            "podman-restart.service",
            "printer.target",
            "pulseaudio.service",
            "pulseaudio.socket",
            "pulseaudio-x11.service",
            "session.slice",
            "shutdown.target",
            "smartcard.target",
            "sockets.target",
            "sound.target",
            "ssh-agent.service",
            "suricata.service",
            "suricata-update.service",
            "suricata-update.timer",
            "systemd-exit.service",
            "systemd-tmpfiles-clean.service",
            "systemd-tmpfiles-clean.timer",
            "systemd-tmpfiles-setup.service",
            "thunar.service",
            "timers.target",
            "tracker-xdg-portal-3.service",
            "tumblerd.service",
            "wireplumber.service",
            "wireplumber@.service",
            "xdg-desktop-autostart.target",
            "xdg-desktop-portal.service",
            "xdg-desktop-portal-gtk.service",
            "xdg-desktop-portal-hyprland.service",
            "xdg-desktop-portal-rewrite-launchers.service",
            "xdg-desktop-portal-xapp.service",
            "xdg-permission-store.service",
            "xdg-user-dirs-update.service",
            "xfce4-notifyd.service",
            "xsettingsd.service",
            "xdg-document-portal.service",
            "https://hybrid-analysis.com/sample/b1a9e5be43c028442c07071e202f44f33e3a2df167822c5cfed8f998e01fe169/661da09794b343782806018e",
            "defaults.conf",
            "apparmor.conf",
            "nvidia",
            "tlp",
            "fwupd.shutdown",
            "mdadm.shutdown",
            "99-default.preset",
            "50-zfs.preset",
            "ibft-rule-generator",
            "10-arch",
            "60-flatpak-system-only",
            "3proxy.service",
            "apache-tika.service",
            "apparmor.service",
            "arch-audit.service",
            "arch-audit.timer",
            "NetworkManager-dispatcher.service",
            "NetworkManager-wait-online.service",
            "NetworkManager.service",
            "SUSE-mdadm_env.sh",
            "ModemManager.service",
            "3proxy.conf",
            "archlinux-keyring-wkd-sync.service",
            "adsl.service",
            "accounts-daemon.service",
            "adb.service",
            "alsa-restore.service",
            "alsa-state.service",
            "archlinux-keyring-wkd-sync.timer",
            "ananicy-cpp.service",
            "arcolinux-graphical-target.service",
            "atftpd.service",
            "audit-rules.service",
            "auditd.service",
            "auth-rpcgss-module.service",
            "autorandr.service",
            "autorandr-lid-listener.service",
            "autovt@.service",
            "avahi-daemon.service",
            "avahi-daemon.socket",
            "avahi-dnsconfd.service",
            "bettercap.service",
            "betterlockscreen@.service",
            "blk-availability.service",
            "blockdev@.target",
            "bluetooth.service",
            "bmc-watchdog.service",
            "bolt.service",
            "boot-complete.target",
            "borgmatic.service",
            "borgmatic.timer",
            "bpftune.service",
            "btrfs-scrub@.service",
            "btrfs-scrub@.timer",
            "canberra-system-bootup.service",
            "canberra-system-shutdown.service",
            "canberra-system-shutdown-reboot.service",
            "capsule.slice",
            "capsule@.service",
            "celery2@.service",
            "celery@.service",
            "chkboot.service",
            "clamav-clamonacc.service",
            "clamav-daemon.service",
            "clamav-daemon.socket",
            "clamav-freshclam.service",
            "clamav-freshclam-once.service",
            "clamav-freshclam-once.timer",
            "clamav-unofficial-sigs.service",
            "clamav-unofficial-sigs.timer",
            "clash@.service",
            "cntlm.service",
            "colord.service",
            "configure-printer@.service",
            "console-getty.service",
            "container-getty@.service",
            "containerd.service",
            "couchdb.service",
            "cpupower.service",
            "create_ap.service",
            "cronie.service",
            "cryptsetup.target",
            "cryptsetup-pre.target",
            "ctrl-alt-del.target",
            "cups.path",
            "cups.service",
            "cups.socket",
            "cups-lpd.socket",
            "cups-lpd@.service",
            "cxl-monitor.service",
            "darkstat.service",
            "daxdev-reconfigure@.service",
            "dbus-org.freedesktop.hostname1.service",
            "dbus-org.freedesktop.import1.service",
            "dbus-org.freedesktop.locale1.service",
            "dbus-org.freedesktop.login1.service",
            "dbus-org.freedesktop.machine1.service",
            "dbus-org.freedesktop.portable1.service",
            "dbus-org.freedesktop.timedate1.service",
            "debug-shell.service",
            "dev-hugepages.mount",
            "dev-mqueue.mount",
            "dhclient@.service",
            "dhcpd4.service",
            "dhcpd6.service",
            "dirmngr@.service",
            "dirmngr@.socket",
            "dm-event.service",
            "dm-event.socket",
            "dmraid.service",
            "dnscrypt-proxy.service",
            "dnsmasq.service",
            "docker.service",
            "docker.socket",
            "drkonqi-coredump-processor@.service",
            "e2scrub@.service",
            "e2scrub_all.service",
            "e2scrub_all.timer",
            "e2scrub_fail@.service",
            "e2scrub_reap.service",
            "ead.service",
            "elasticsearch.service",
            "elasticsearch-keystore.service",
            "elasticsearch-keystore@.service",
            "elasticsearch@.service",
            "emergency.service",
            "emergency.target",
            "epmd.service",
            "epmd.socket",
            "exabgp.service",
            "factory-reset.target",
            "fancontrol.service",
            "fastnetmon.service",
            "final.target",
            "finger.socket",
            "finger@.service",
            "first-boot-complete.target",
            "flatpak-system-helper.service",
            "freeradius.service",
            "fsidd.service",
            "fstrim.service",
            "fstrim.timer",
            "ftpd.service",
            "fwupd.service",
            "fwupd-offline-update.service",
            "fwupd-refresh.service",
            "fwupd-refresh.timer",
            "geoclue.service",
            "geoipupdate.service",
            "geoipupdate.timer",
            "getty.target",
            "getty-pre.target",
            "getty@.service",
            "git-daemon.socket",
            "git-daemon@.service",
            "gnupg-pkcs11-scd-proxy.service",
            "gpg-agent-browser@.socket",
            "gpg-agent-extra@.socket",
            "gpg-agent-ssh@.socket",
            "gpg-agent@.service",
            "gpg-agent@.socket",
            "gpm.path",
            "gpm.service",
            "gpsd.service",
            "gpsd.socket",
            "gpsdctl@.service",
            "graphical.target",
            "greenbone-certdata-sync.service",
            "greenbone-certdata-sync.timer",
            "greenbone-feed-sync.service",
            "greenbone-feed-sync.timer",
            "greenbone-nvt-sync.service",
            "greenbone-nvt-sync.timer",
            "greenbone-scapdata-sync.service",
            "greenbone-scapdata-sync.timer",
            "gssproxy.service",
            "gvmd.service",
            "halt.target",
            "healthd.service",
            "hibernate.target",
            "hostapd.service",
            "hostapd@.service",
            "httpd.service",
            "hv_fcopy_daemon.service",
            "hv_kvp_daemon.service",
            "hv_vss_daemon.service",
            "hybrid-sleep.target",
            "i2pd.service",
            "iiod.service",
            "initrd.target",
            "initrd-cleanup.service",
            "initrd-fs.target",
            "initrd-parse-etc.service",
            "initrd-root-device.target",
            "initrd-root-fs.target",
            "initrd-switch-root.service",
            "initrd-switch-root.target",
            "initrd-udevadm-cleanup-db.service",
            "initrd-usr-fs.target",
            "integritysetup.target",
            "integritysetup-pre.target",
            "iodined.service",
            "iodined.socket",
            "ip2clued.service",
            "ip6tables.service",
            "ipmidetectd.service",
            "ipmiseld.service",
            "iptables.service",
            "iscsi.service",
            "iscsi-init.service",
            "iscsid.service",
            "iscsid.socket",
            "iscsiuio.service",
            "iscsiuio.socket",
            "isnsd.service",
            "isnsd.socket",
            "iwd.service",
            "kcptun-server@.service",
            "kcptun@.service",
            "kexec.target",
            "keyboxd@.service",
            "keyboxd@.socket",
            "kmod-static-nodes.service",
            "krb5-kadmind.service",
            "krb5-kdc.service",
            "krb5-kpropd.service",
            "krb5-kpropd.socket",
            "krb5-kpropd@.service",
            "lastlog2-import.service",
            "ldconfig.service",
            "libvirt-guests.service",
            "libvirtd.service",
            "libvirtd.socket",
            "libvirtd-admin.socket",
            "libvirtd-ro.socket",
            "libvirtd-tcp.socket",
            "libvirtd-tls.socket",
            "lightdm.service",
            "lm_sensors.service",
            "local-fs.target",
            "local-fs-pre.target",
            "logrotate.service",
            "logrotate.timer",
            "lvm2-lvmpolld.service",
            "lvm2-lvmpolld.socket",
            "lvm2-monitor.service",
            "lxc.service",
            "lxc-auto.service",
            "lxc-monitord.service",
            "lxc-net.service",
            "lxc@.service",
            "lxdm.service",
            "ly.service",
            "lynis.service",
            "lynis.timer",
            "machine.slice",
            "machines.target",
            "man-db.service",
            "man-db.timer",
            "mariadb.service",
            "mariadb.socket",
            "mariadb-extra.socket",
            "mariadb-extra@.socket",
            "mariadb@.service",
            "mariadb@.socket",
            "mdadm-grow-continue@.service",
            "mdadm-last-resort@.service",
            "mdadm-last-resort@.timer",
            "mdcheck_continue.service",
            "mdcheck_continue.timer",
            "mdcheck_start.service",
            "mdcheck_start.timer",
            "mdmon@.service",
            "mdmonitor.service",
            "mdmonitor-oneshot.service",
            "mdmonitor-oneshot.timer",
            "memavaild.service",
            "mkinitcpio-generate-shutdown-ramfs.service",
            "modprobe@.service",
            "mongodb.service",
            "multi-user.target",
            "mysql.service",
            "mysqld.service",
            "named.service",
            "nbd.service",
            "nbd@.service",
            "ndctl-monitor.service",
            "neo4j.service",
            "netavark-dhcp-proxy.service",
            "netavark-dhcp-proxy.socket",
            "netdata.service",
            "network.target",
            "network-online.target",
            "network-pre.target",
            "nfs-blkmap.service",
            "nfs-client.target",
            "nfs-idmapd.service",
            "nfs-mountd.service",
            "nfs-server.service",
            "nfs-utils.service",
            "nfsdcld.service",
            "nfsv4-exportd.service",
            "nfsv4-server.service",
            "nftables.service",
            "nm-priv-helper.service",
            "nmb.service",
            "nohang.service",
            "nohang-desktop.service",
            "nscd.service",
            "nss-lookup.target",
            "nss-user-lookup.target",
            "ntpd.service",
            "ntpdate.service",
            "nvidia-hibernate.service",
            "nvidia-persistenced.service",
            "nvidia-powerd.service",
            "nvidia-resume.service",
            "nvidia-suspend.service",
            "nvmefc-boot-connections.service",
            "nvmf-autoconnect.service",
            "nvmf-connect.target",
            "nvmf-connect-nbft.service",
            "nvmf-connect@.service",
            "pacrunner.service",
            "ostree-boot-complete.service",
            "pacman-filesdb-refresh.timer",
            "pcscd.service",
            "passim.service",
            "pcscd.socket",
            "packagekit-offline-update.service",
            "phoronix-result-server.service",
            "paccache.timer",
            "plymouth-kexec.service",
            "pamac-cleancache.timer",
            "plymouth-quit.service",
            "partimaged.service",
            "plymouth-poweroff.service",
            "plymouth-read-write.service",
            "plymouth-quit-wait.service",
            "paccache.service",
            "plymouth-switch-root-initramfs.service",
            "ostree-remount.service",
            "plymouth-switch-root.service",
            "openvpn-client@.service",
            "podman-clean-transient.service",
            "pamac-offline-upgrade.service",
            "polkit.service",
            "postfix.service",
            "pam_namespace.service",
            "poweroff.target",
            "ppp@.service",
            "opensnitchd.service",
            "proc-fs-nfsd.mount",
            "proc-sys-fs-binfmt_misc.automount",
            "proc-sys-fs-binfmt_misc.mount",
            "phoromatic-server.service",
            "ptunnel.service",
            "openvpn-server@.service",
            "plymouth-halt.service",
            "pamac-cleancache.service",
            "plymouth-reboot.service",
            "ostree-state-overlay@.service",
            "ostree-finalize-staged.service",
            "postgresql.service",
            "phoromatic-client.service",
            "pamac-daemon.service",
            "pacman-filesdb-refresh.service",
            "packagekit.service",
            "pkgfile-update.service",
            "pkgfile-update.timer",
            "plymouth-start.service",
            "ostree-prepare-root.service",
            "ostree-finalize-staged.path",
            "privoxy.service",
            "ostree-finalize-staged-hold.service",
            "qemu-guest-agent.service",
            "quotaon.service",
            "quotaon-root.service",
            "quotaon@.service",
            "rabbitmq.service",
            "ras-mc-ctl.service",
            "rasdaemon.service",
            "rathole@.service",
            "ratholec@.service",
            "ratholes@.service",
            "rc-local.service",
            "rdnssd@.service",
            "reboot.target",
            "redis.service",
            "redis-sentinel.service",
            "reflector.service",
            "reflector.timer",
            "remote-cryptsetup.target",
            "remote-fs.target",
            "remote-fs-pre.target",
            "remote-veritysetup.target",
            "rescue.service",
            "rescue.target",
            "rfkill-block@.service",
            "rfkill-unblock@.service",
            "rlogin.socket",
            "rlogin@.service",
            "rpc-gssd.service",
            "rpc-statd.service",
            "rpc-statd-notify.service",
            "rpc_pipefs.target",
            "rpcbind.service",
            "rpcbind.socket",
            "rpcbind.target",
            "rsh.socket",
            "rsh@.service",
            "rsyncd.service",
            "rsyncd.socket",
            "rsyncd@.service",
            "rtkit-daemon.service",
            "runlevel0.target",
            "runlevel1.target",
            "runlevel2.target",
            "runlevel3.target",
            "runlevel4.target",
            "runlevel5.target",
            "runlevel6.target",
            "rwhod.service",
            "samba.service",
            "sddm.service",
            "seatd.service",
            "sensord.service",
            "serial-getty@.service",
            "shadow.service",
            "shadow.timer",
            "sigpwr.target",
            "slapd.service",
            "sleep.target",
            "slices.target",
            "smartd.service",
            "smb.service",
            "sndiod.service",
            "snmpd.service",
            "snmptrapd.service",
            "snort@.service",
            "snort@1000.service",
            "soft-reboot.target",
            "ssh-access.target",
            "sshd.service",
            "sshdgenkeys.service",
            "sshuttle.service",
            "sslh.service",
            "sslh-fork.service",
            "sslh-select.service",
            "storage-target-mode.target",
            "stunnel.service",
            "sudo_logsrvd.service",
            "suspend.target",
            "suspend-then-hibernate.target",
            "svnserve.service",
            "swap.target",
            "sys-fs-fuse-connections.mount",
            "sys-kernel-config.mount",
            "sys-kernel-debug.mount",
            "sys-kernel-tracing.mount",
            "sysinit.target",
            "syslog.socket",
            "system-systemd\\x2dcryptsetup.slice",
            "system-systemd\\x2dveritysetup.slice",
            "system-update.target",
            "system-update-cleanup.service",
            "system-update-pre.target",
            "systemd-ask-password-console.path",
            "systemd-ask-password-console.service",
            "systemd-ask-password-plymouth.path",
            "systemd-ask-password-plymouth.service",
            "systemd-ask-password-wall.path",
            "systemd-ask-password-wall.service",
            "systemd-backlight@.service",
            "systemd-battery-check.service",
            "systemd-binfmt.service",
            "systemd-bless-boot.service",
            "systemd-boot-check-no-failures.service",
            "systemd-boot-random-seed.service",
            "systemd-boot-update.service",
            "systemd-bootctl.socket",
            "systemd-bootctl@.service",
            "systemd-bsod.service",
            "systemd-confext.service",
            "systemd-coredump.socket",
            "systemd-coredump@.service",
            "systemd-creds.socket",
            "systemd-creds@.service",
            "systemd-firstboot.service",
            "systemd-fsck-root.service",
            "systemd-fsck@.service",
            "systemd-growfs-root.service",
            "systemd-growfs@.service",
            "systemd-halt.service",
            "systemd-hibernate.service",
            "systemd-hibernate-resume.service",
            "systemd-homed.service",
            "systemd-homed-activate.service",
            "systemd-homed-firstboot.service",
            "systemd-hostnamed.service",
            "systemd-hostnamed.socket",
            "systemd-hwdb-update.service",
            "systemd-hybrid-sleep.service",
            "systemd-importd.service",
            "systemd-initctl.service",
            "systemd-initctl.socket",
            "systemd-journal-catalog-update.service",
            "systemd-journal-flush.service",
            "systemd-journal-gatewayd.service",
            "systemd-journal-gatewayd.socket",
            "systemd-journal-remote.service",
            "systemd-journal-remote.socket",
            "systemd-journal-upload.service",
            "systemd-journald.service",
            "systemd-journald.socket",
            "systemd-journald-audit.socket",
            "systemd-journald-dev-log.socket",
            "systemd-journald-varlink@.socket",
            "systemd-journald@.service",
            "systemd-journald@.socket",
            "systemd-kexec.service",
            "systemd-localed.service",
            "systemd-logind.service",
            "systemd-machine-id-commit.service",
            "systemd-machined.service",
            "systemd-modules-load.service",
            "systemd-network-generator.service",
            "systemd-networkd.service",
            "systemd-networkd.socket",
            "systemd-networkd-persistent-storage.service",
            "systemd-networkd-wait-online.service",
            "systemd-networkd-wait-online@.service",
            "systemd-nspawn@.service",
            "systemd-oomd.service",
            "systemd-oomd.socket",
            "systemd-pcrextend.socket",
            "systemd-pcrextend@.service",
            "systemd-pcrfs-root.service",
            "systemd-pcrfs@.service",
            "systemd-pcrlock.socket",
            "systemd-pcrlock-file-system.service",
            "systemd-pcrlock-firmware-code.service",
            "systemd-pcrlock-firmware-config.service",
            "systemd-pcrlock-machine-id.service",
            "systemd-pcrlock-make-policy.service",
            "systemd-pcrlock-secureboot-authority.service",
            "systemd-pcrlock-secureboot-policy.service",
            "systemd-pcrlock@.service",
            "systemd-pcrmachine.service",
            "systemd-pcrphase.service",
            "systemd-pcrphase-initrd.service",
            "systemd-pcrphase-sysinit.service",
            "systemd-portabled.service",
            "systemd-poweroff.service",
            "systemd-pstore.service",
            "systemd-quotacheck.service",
            "systemd-quotacheck-root.service",
            "systemd-quotacheck@.service",
            "systemd-random-seed.service",
            "systemd-reboot.service",
            "systemd-remount-fs.service",
            "systemd-repart.service",
            "systemd-resolved.service",
            "systemd-rfkill.service",
            "systemd-rfkill.socket",
            "systemd-soft-reboot.service",
            "systemd-storagetm.service",
            "systemd-suspend.service",
            "systemd-suspend-then-hibernate.service",
            "systemd-sysctl.service",
            "systemd-sysext.service",
            "systemd-sysext.socket",
            "systemd-sysext@.service",
            "systemd-sysupdate.service",
            "systemd-sysupdate.timer",
            "systemd-sysupdate-reboot.service",
            "systemd-sysupdate-reboot.timer",
            "systemd-sysusers.service",
            "systemd-time-wait-sync.service",
            "systemd-timedated.service",
            "systemd-timesyncd.service",
            "systemd-tmpfiles-setup-dev.service",
            "systemd-tmpfiles-setup-dev-early.service",
            "systemd-tpm2-setup.service",
            "systemd-tpm2-setup-early.service",
            "systemd-udev-trigger.service",
            "systemd-udevd.service",
            "systemd-udevd-control.socket",
            "systemd-udevd-kernel.socket",
            "systemd-update-done.service",
            "systemd-update-utmp.service",
            "systemd-update-utmp-runlevel.service",
            "systemd-user-sessions.service",
            "systemd-userdbd.service",
            "systemd-userdbd.socket",
            "systemd-vconsole-setup.service",
            "systemd-vmspawn@.service",
            "systemd-volatile-root.service",
            "systemd-zram-setup@.service",
            "talk.service",
            "talk.socket",
            "teamd@.service",
            "telnet.socket",
            "telnet@.service",
            "time-set.target",
            "time-sync.target",
            "tinc.service",
            "tinc@.service",
            "tinyproxy.service",
            "tlp.service",
            "tmp.mount",
            "tor.service",
            "tpm2.target",
            "udisks2.service",
            "udp2raw@.service",
            "ufw.service",
            "uksmd.service",
            "umount.target",
            "unbound.service",
            "updatedb.service",
            "updatedb.timer",
            "upower.service",
            "usb-gadget.target",
            "usb_modeswitch@.service",
            "usbipd.service",
            "usbmuxd.service",
            "user.slice",
            "user-runtime-dir@.service",
            "user@.service",
            "uuidd.service",
            "uuidd.socket",
            "var-lib-machines.mount",
            "var-lib-nfs-rpc_pipefs.mount",
            "vboxdrmclient.path",
            "vboxdrmclient.service",
            "vboxservice.service",
            "veritysetup.target",
            "veritysetup-pre.target",
            "virt-guest-shutdown.target",
            "virtchd.service",
            "virtchd.socket",
            "virtchd-admin.socket",
            "virtchd-ro.socket",
            "virtinterfaced.service",
            "virtinterfaced.socket",
            "virtinterfaced-admin.socket",
            "virtinterfaced-ro.socket",
            "virtlockd.service",
            "virtlockd.socket",
            "virtlockd-admin.socket",
            "virtlogd.service",
            "virtlogd.socket",
            "virtlogd-admin.socket",
            "virtlxcd.service",
            "virtlxcd.socket",
            "virtlxcd-admin.socket",
            "virtlxcd-ro.socket",
            "virtnetworkd.service",
            "virtnetworkd.socket",
            "virtnetworkd-admin.socket",
            "virtnetworkd-ro.socket",
            "virtnodedevd.service",
            "virtnodedevd.socket",
            "virtnodedevd-admin.socket",
            "virtnodedevd-ro.socket",
            "virtnwfilterd.service",
            "virtnwfilterd.socket",
            "virtnwfilterd-admin.socket",
            "virtnwfilterd-ro.socket",
            "virtproxyd.service",
            "virtproxyd.socket",
            "virtproxyd-admin.socket",
            "virtproxyd-ro.socket",
            "virtproxyd-tcp.socket",
            "virtproxyd-tls.socket",
            "virtqemud.service",
            "virtqemud.socket",
            "virtqemud-admin.socket",
            "virtqemud-ro.socket",
            "virtsecretd.service",
            "virtsecretd.socket",
            "virtsecretd-admin.socket",
            "virtsecretd-ro.socket",
            "virtstoraged.service",
            "virtstoraged.socket",
            "virtstoraged-admin.socket",
            "virtstoraged-ro.socket",
            "virtvboxd.service",
            "virtvboxd.socket",
            "virtvboxd-admin.socket",
            "virtvboxd-ro.socket",
            "vmtoolsd.service",
            "vmware-vmblock-fuse.service",
            "vpnc@.service",
            "wacom-inputattach@.service",
            "wg-quick.target",
            "wg-quick@.service",
            "winbind.service",
            "wondershaper.service",
            "wpa_supplicant.service",
            "wpa_supplicant-nl80211@.service",
            "wpa_supplicant-wired@.service",
            "wpa_supplicant@.service",
            "xfs_scrub@.service",
            "xfs_scrub_all.service",
            "xfs_scrub_all.timer",
            "xfs_scrub_fail@.service",
            "xl2tpd.service",
            "xplico.service",
            "xrdp.service",
            "xrdp-sesman.service",
            "yate.service",
            "zfs.target",
            "zfs-import.service",
            "zfs-import.target",
            "zfs-import-cache.service",
            "zfs-import-scan.service",
            "zfs-load-key.service",
            "zfs-mount.service",
            "zfs-scrub-monthly@.timer",
            "zfs-scrub-weekly@.timer",
            "zfs-scrub@.service",
            "zfs-share.service",
            "zfs-trim-monthly@.timer",
            "zfs-trim-weekly@.timer",
            "zfs-trim@.service",
            "zfs-volume-wait.service",
            "zfs-volumes.target",
            "zfs-zed.service",
            "plymouth.conf",
            "gpg-agent-ssh@etc-pacman.d-gnupg.socket",
            "keyboxd@etc-pacman.d-gnupg.socket",
            "dirmngr@etc-pacman.d-gnupg.socket",
            "gpg-agent-browser@etc-pacman.d-gnupg.socket",
            "gpg-agent-extra@etc-pacman.d-gnupg.socket",
            "gpg-agent@etc-pacman.d-gnupg.socket",
            "https://hybrid-analysis.com/sample/ff42428f0fcc346cc56e2b00d4b5c4bd43b55f3465b4ccab0efba9c88f4a1c03/661da0b063c895fc2d0a78dc",
            "https://hybrid-analysis.com/sample/9613dee39157b5f9935436b36647047e267b7c10fa4c7ab1fd995db681e58c12/661da5b202eaca78740cf4ed",
            "https://hybrid-analysis.com/sample/479a0170df010c5eb742ff1b8740a2ccf381df44c8a919c95d6e38685278e78a/661da5c768340c1e25092cb2",
            "50-rc_keymap.conf",
            "10-defaults.conf",
            "10-login-barrier.conf",
            "20-systemd-userdb.conf",
            "20-systemd-ssh-proxy.conf",
            "iptables-flush",
            "cpupower",
            "chkboot-bootcheck",
            "10-root.conf",
            "30-root-verity-sig.conf",
            "20-root-verity.conf",
            "80-systemd-timesync.list",
            "80-6rd-tunnel.link",
            "80-container-ve.network",
            "80-container-vb.network",
            "80-container-vz.link",
            "80-6rd-tunnel.network",
            "80-container-vz.network",
            "80-auto-link-local.network.example",
            "80-ethernet.network.example",
            "80-container-host0.network",
            "80-iwd.link",
            "80-container-vb.link",
            "80-vm-vt.link",
            "80-vm-vt.network",
            "80-wifi-adhoc.network",
            "80-wifi-ap.network.example",
            "80-wifi-station.network.example",
            "80-container-ve.link",
            "89-ethernet.network.example",
            "99-default.link",
            "dbus-broker.catalog",
            "dbus-broker-launch.catalog",
            "systemd.be.catalog",
            "systemd.be@latin.catalog",
            "systemd.da.catalog",
            "systemd.bg.catalog",
            "systemd.hu.catalog",
            "systemd.catalog",
            "systemd.it.catalog",
            "systemd.fr.catalog",
            "systemd.ko.catalog",
            "systemd.hr.catalog",
            "systemd.pl.catalog",
            "systemd.pt_BR.catalog",
            "systemd.ru.catalog",
            "systemd.sr.catalog",
            "systemd.zh_CN.catalog",
            "systemd.de.catalog",
            "systemd.zh_TW.catalog",
            "expl_cve_2021_40444.yar"
          ],
          "public": 1,
          "adversary": "Chinese Speaking",
          "targeted_countries": [],
          "malware_families": [
            {
              "id": "RemainAfterExit",
              "display_name": "RemainAfterExit",
              "target": null
            },
            {
              "id": "NMBDOPTIONS",
              "display_name": "NMBDOPTIONS",
              "target": null
            },
            {
              "id": "SMBDOPTIONS",
              "display_name": "SMBDOPTIONS",
              "target": null
            },
            {
              "id": "SuccessAction",
              "display_name": "SuccessAction",
              "target": null
            },
            {
              "id": "WINBINDOPTIONS",
              "display_name": "WINBINDOPTIONS",
              "target": null
            }
          ],
          "attack_ids": [
            {
              "id": "T1027",
              "name": "Obfuscated Files or Information",
              "display_name": "T1027 - Obfuscated Files or Information"
            },
            {
              "id": "T1071",
              "name": "Application Layer Protocol",
              "display_name": "T1071 - Application Layer Protocol"
            },
            {
              "id": "T1082",
              "name": "System Information Discovery",
              "display_name": "T1082 - System Information Discovery"
            },
            {
              "id": "T1106",
              "name": "Native API",
              "display_name": "T1106 - Native API"
            },
            {
              "id": "T1205",
              "name": "Traffic Signaling",
              "display_name": "T1205 - Traffic Signaling"
            },
            {
              "id": "T1140",
              "name": "Deobfuscate/Decode Files or Information",
              "display_name": "T1140 - Deobfuscate/Decode Files or Information"
            },
            {
              "id": "T1059",
              "name": "Command and Scripting Interpreter",
              "display_name": "T1059 - Command and Scripting Interpreter"
            },
            {
              "id": "T1543",
              "name": "Create or Modify System Process",
              "display_name": "T1543 - Create or Modify System Process"
            },
            {
              "id": "T1569",
              "name": "System Services",
              "display_name": "T1569 - System Services"
            },
            {
              "id": "T1090",
              "name": "Proxy",
              "display_name": "T1090 - Proxy"
            },
            {
              "id": "T1114",
              "name": "Email Collection",
              "display_name": "T1114 - Email Collection"
            },
            {
              "id": "T1573",
              "name": "Encrypted Channel",
              "display_name": "T1573 - Encrypted Channel"
            }
          ],
          "industries": [],
          "TLP": "white",
          "cloned_from": "661db37bf549518bf6f7f377",
          "export_count": 2,
          "upvotes_count": 0,
          "downvotes_count": 0,
          "votes_count": 0,
          "locked": false,
          "pulse_source": "web",
          "validator_count": 0,
          "comment_count": 0,
          "follower_count": 0,
          "vote": 0,
          "author": {
            "username": "msudosos",
            "id": "381696",
            "avatar_url": "https://otx.alienvault.com/assets/images/default-avatar.png",
            "is_subscribed": false,
            "is_following": false
          },
          "indicator_type_counts": {
            "FileHash-MD5": 123,
            "YARA": 16,
            "CVE": 4,
            "FileHash-SHA1": 25,
            "FileHash-SHA256": 20,
            "domain": 102,
            "URL": 16,
            "email": 9,
            "hostname": 4,
            "CIDR": 2
          },
          "indicator_count": 321,
          "is_author": false,
          "is_subscribing": null,
          "subscriber_count": 66,
          "modified_text": "5 days ago ",
          "is_modified": false,
          "groups": [],
          "in_group": false,
          "threat_hunter_scannable": true,
          "threat_hunter_has_agents": 1,
          "related_indicator_type": "domain",
          "related_indicator_is_active": 1
        },
        {
          "id": "6a16ac89787e428fe0f7b045",
          "name": "[\"backup ios...\"] clone by Merkd1904. User note: theres a name tagged here thats interesting",
          "description": "",
          "modified": "2026-05-27T08:34:17.204000",
          "created": "2026-05-27T08:34:17.204000",
          "tags": [
            "fireeye",
            "copyright",
            "base64",
            "dotnettojscript",
            "gadgettojscript",
            "invokeclient",
            "invokeserver",
            "readhost enter",
            "command",
            "roth",
            "nextron",
            "sandworm",
            "detects ssh",
            "grant all",
            "privileges on",
            "to mysqldb",
            "create user",
            "g root",
            "sandworm python",
            "import",
            "phpsploit",
            "host",
            "user",
            "pass",
            "error",
            "establish",
            "pecl oci8",
            "connstr",
            "charset",
            "false",
            "miner",
            "texthtml",
            "module",
            "send custom",
            "swissky",
            "class",
            "serviceip",
            "serviceport",
            "servicedata",
            "e binsh",
            "init",
            "service port",
            "detects",
            "cve202140444",
            "target",
            "targetmode",
            "jeremy brown",
            "windows cve",
            "ms office",
            "modified rule",
            "rperm",
            "wperm",
            "pathsep",
            "string",
            "rwxrxrx",
            "file types",
            "unix",
            "login",
            "autentication",
            "disable",
            "ldapconnect",
            "version",
            "authentication",
            "ldaplist",
            "null",
            "pathelems",
            "execute",
            "backdoor",
            "kingdee oa",
            "yunxingkong",
            "b6oa",
            "code execution",
            "kingdee cloud",
            "starry sky",
            "otherwise",
            "file",
            "setsmartdate",
            "fread",
            "name",
            "force",
            "base64decode",
            "data",
            "substr",
            "array",
            "readdir",
            "getowner",
            "getgroup",
            "getsize",
            "force option",
            "fwrite",
            "permission",
            "check",
            "mode",
            "diraccess",
            "fileaccess",
            "realpath",
            "stat",
            "immutable",
            "posixgetpwuid",
            "posixgetgrgid",
            "explode",
            "etcpasswd",
            "glob",
            "globonlydir",
            "oraclelogin",
            "port",
            "servicename",
            "connector",
            "base",
            "query type",
            "mssqlfetcharray",
            "mssqlassoc",
            "solsocket",
            "timeout",
            "range",
            "portmin",
            "portmax",
            "socketcreate",
            "afinet",
            "sockstream",
            "open",
            "type",
            "true",
            "tcp connection",
            "tcp shell",
            "input",
            "lhost",
            "netcat",
            "lport",
            "shell",
            "dllimport",
            "python",
            "back",
            "fore",
            "pfinet",
            "stdout",
            "this",
            "win32",
            "ldapsearch",
            "select",
            "mysqliassoc",
            "select database",
            "send",
            "newfile",
            "dns stub",
            "third party",
            "see man",
            "exit",
            "o pipefail",
            "v systemctl",
            "devnull",
            "unknown verb",
            "license",
            "gnu lesser",
            "general public",
            "free software",
            "foundation",
            "unit",
            "slice",
            "cpuweight100",
            "tasks slice",
            "cpuweight30",
            "capev2",
            "cape",
            "cuckoo web",
            "setup",
            "grep",
            "limitnofile",
            "install",
            "return",
            "execstart",
            "start",
            "descriptionrun",
            "timer",
            "oncalendardaily",
            "service",
            "prevent rate",
            "delay start",
            "m poetry",
            "sigkill",
            "descriptioncape",
            "ef usercape",
            "g cape",
            "allowisolateyes",
            "typedbus",
            "socket",
            "message bus",
            "listenstream",
            "typenotify",
            "descriptionuser",
            "harald sitter",
            "sitter",
            "kcrash",
            "drkonqi",
            "acceptyes",
            "disable trigger",
            "todo",
            "prevents",
            "path",
            "pathexistsglob",
            "runtimemaxsec31",
            "runtimemaxsec30",
            "restartno",
            "descriptionexit",
            "environmentfile",
            "otheropts",
            "soundfont",
            "descriptiongcr",
            "sshauthsock",
            "descriptionglib",
            "priority6",
            "killmodeprocess",
            "proxy",
            "socketmode0600",
            "apache software",
            "notice file",
            "apache license",
            "unless",
            "as is",
            "basis",
            "or conditions",
            "apple file",
            "conduit monitor",
            "descriptionjack",
            "jackoptions d",
            "driver d",
            "device",
            "media transfer",
            "indexer daemon",
            "memory",
            "memoryhigh512m",
            "system sockets",
            "a user",
            "conditionuser",
            "dbus menus",
            "plasma",
            "phase",
            "workspace core",
            "exit status",
            "x11 connection",
            "timeoutstopsec5",
            "disable restart",
            "timeoutsec40sec",
            "typeoneshot",
            "david edmundson",
            "davidedmundson",
            "osd service",
            "portal",
            "auto restart",
            "dbus",
            "xembed system",
            "logging system",
            "socketmode0660",
            "all containers",
            "restart policy",
            "logging start",
            "execstopbinsh c",
            "logging",
            "x11 plugins",
            "session slice",
            "typeforking",
            "etc userroot",
            "grouproot",
            "onbootsec15min",
            "place",
            "temporary",
            "volatile files",
            "thunar",
            "session manager",
            "wireplumber",
            "service file",
            "xdg autostart",
            "user dir",
            "descriptionxfce",
            "sandbox",
            "malware",
            "analysis",
            "online",
            "submit",
            "vxstream",
            "sample",
            "download",
            "trojan",
            "apt",
            "memoryfile scan",
            "ansi",
            "bpf program",
            "indicator",
            "bpf firewalling",
            "pcap",
            "pcap processing",
            "bpffallowmulti",
            "bpf device",
            "date",
            "suspicious",
            "hybrid",
            "crypto",
            "close",
            "click",
            "april",
            "strings",
            "february",
            "middle",
            "exploit",
            "gameover",
            "contact",
            "scope",
            "thomas koch",
            "gpl v2",
            "imsm",
            "ibftruledir",
            "ibftrules",
            "attr",
            "systemd rule",
            "hannes reinecke",
            "suse labs",
            "ipibft",
            "interface",
            "kernel",
            "configfile",
            "typesimple",
            "apparmor",
            "grouparchaudit",
            "hardening",
            "umask077",
            "persistenttrue",
            "enable debug",
            "networkmanager",
            "trace",
            "wait online",
            "edit",
            "note",
            "reload",
            "capdacoverride",
            "dhcp etc",
            "mdadmscan",
            "mdadmdelay",
            "mdadmmail",
            "mdadmprogram",
            "mdadmconfig",
            "mdadmsendmail",
            "p runsysconfig",
            "userroot",
            "sssd",
            "write access",
            "needed sometime",
            "statedirectory",
            "accountsservice",
            "varloglastlog",
            "bridge daemon",
            "alsa card",
            "card state",
            "required",
            "another auto",
            "nice daemon",
            "memorymax64m",
            "filter system",
            "mount",
            "reboot",
            "clock",
            "logging service",
            "requires",
            "before",
            "please",
            "exit codes",
            "proc",
            "descriptionruns",
            "execstartsh c",
            "switchtoggle",
            "ignoreonisolate",
            "term typeidle",
            "without",
            "any warranty",
            "merchantability",
            "fitness",
            "a particular",
            "vartmp",
            "wants type",
            "preparation",
            "watchdogsec10",
            "filesystem",
            "timer daemon",
            "options",
            "environment",
            "prevent",
            "readwritepaths",
            "security",
            "certain",
            "protectsystem",
            "bindpaths",
            "lower cpu",
            "nice19",
            "manager",
            "userc",
            "celerydnodes",
            "info",
            "chaddevops",
            "aaron brighton",
            "clam antivirus",
            "jon kriel",
            "distribution",
            "script",
            "sanesecurity",
            "securiteinfo",
            "malwarepatrol",
            "oitc",
            "file location",
            "remember",
            "typeexec user",
            "9 cntlm",
            "generate color",
            "profiles",
            "removeipctrue",
            "devpts",
            "authors",
            "any kind",
            "usercouchdb",
            "restartsec5",
            "volumes",
            "server socket",
            "user209",
            "daemon",
            "darkstatiface",
            "reloadconfig",
            "watchdogsec3min",
            "privatetmpyes",
            "protectproc",
            "increase",
            "descriptiontime",
            "date service",
            "debugging only",
            "ignoresigpipeno",
            "unset locale",
            "file system",
            "queue file",
            "whatmqueue",
            "optionsnosuid",
            "pf rundhclient",
            "rate",
            "requiresdirmngr",
            "capfowner",
            "capsetpcap",
            "dhcp",
            "dns server",
            "startlimit",
            "limits",
            "delegateyes",
            "descriptionpass",
            "runtimemaxsec5",
            "mountain",
            "metadata check",
            "all filesystems",
            "online metadata",
            "sunday",
            "oncalendarsun",
            "online ext4",
            "sigterm signal",
            "java process",
            "piddir",
            "standardoutput",
            "elasticsearch",
            "limitnproc4096",
            "limitasinfinity",
            "sendsighupyes",
            "mapper daemon",
            "mainpid",
            "quit",
            "listenstream79",
            "radius server",
            "d etcraddb",
            "protecthomeon",
            "default",
            "systemservice",
            "efiefi bootefi",
            "afinet afinet6",
            "afunix afinet",
            "oncalendar 0000",
            "privatetmptrue",
            "geoip legacy",
            "geoip2",
            "instance",
            "usergit",
            "scdconfig",
            "notice",
            "devinputmice t",
            "descriptiongps",
            "system",
            "sock refclock",
            "gpsdoptions",
            "devices",
            "daemon sockets",
            "2947",
            "bindipv6onlyyes",
            "usbauto",
            "usrbingpsdctl",
            "gps daemon",
            "afterdev",
            "gvmddata",
            "varlibgssproxy",
            "nonewprivileges",
            "privatetmp",
            "protecthome",
            "ieee",
            "etchostapd",
            "killmodemixed",
            "fcopy",
            "uncomment",
            "use sigterm",
            "sigkill i2pd",
            "sendsigkillyes",
            "limitnofile8192",
            "systemd",
            "analog",
            "shutting down",
            "iodineextip p",
            "iodineport p",
            "iodineuser",
            "tunip",
            "topdomain",
            "guessmainpidyes",
            "m node",
            "wants",
            "initiatorname",
            "io driver",
            "typeexec",
            "c etckcptun",
            "usernobody",
            "requireskeyboxd",
            "static device",
            "nofork",
            "restartalways",
            "linker cache",
            "hack",
            "use wants",
            "raise",
            "tasksmax",
            "tasksmax32768",
            "limitmemlock64m",
            "removeonstopyes",
            "ip socket",
            "tls ip",
            "conflictsgetty",
            "aftergetty",
            "busmodules",
            "qabr",
            "hwmonmodules",
            "local file",
            "privatenetwork",
            "lvm2",
            "initialization",
            "autoboot code",
            "s delegatetrue",
            "description",
            "pidfilerunlxc",
            "lynis service",
            "adjust path",
            "lynis binary",
            "lynis timer",
            "tell systemd",
            "lynis security",
            "persistentfalse",
            "container slice",
            "recover",
            "varcacheman",
            "regenerate man",
            "userroot nice19",
            "mysqldopts",
            "mysqldsafe",
            "timezone",
            "core",
            "restart",
            "users",
            "backlog150",
            "listenstreams",
            "servicemariadb",
            "mechanism",
            "mariadb",
            "multi instance",
            "variables",
            "bindirmdadm",
            "gnu general",
            "public license",
            "reshape",
            "onactivesec30",
            "oncalendar",
            "wantedby",
            "monitor",
            "allow mdmon",
            "takeover",
            "k none",
            "c devnull",
            "d runinitramfs",
            "p runmongodb",
            "limitnproc32000",
            "limitmemlock5",
            "device server",
            "requiredbydev",
            "d dev",
            "descriptionreal",
            "extraopts",
            "restartsec30",
            "valid",
            "fifo",
            "priority",
            "batch",
            "nice0",
            "partof",
            "tracking daemon",
            "helper",
            "for testing",
            "only",
            "restrict",
            "grant",
            "capsysptrace",
            "capkill",
            "capipclock",
            "environ",
            "capsysresource",
            "capsyslog",
            "descriptionname",
            "service cache",
            "sysvlsb",
            "descriptionhost",
            "network name",
            "group name",
            "u ntp",
            "time service",
            "t hibernate",
            "software",
            "other",
            "the software",
            "daemon init",
            "software is",
            "provided",
            "fcnvme",
            "wantsmodprobe",
            "aftermodprobe",
            "descriptionall",
            "nbft",
            "nvmeof",
            "connectargs",
            "unit file",
            "descriptionnvmf",
            "red hat",
            "without any",
            "warranty",
            "card daemon",
            "socketmode0666",
            "suite result",
            "kexec screen",
            "oncalendarsat",
            "boot screen",
            "timeoutsec20",
            "power off",
            "runtime data",
            "descriptionhold",
            "timeoutsec0",
            "sandboxing",
            "execstop",
            "colin walters",
            "upgrade",
            "upgrade output",
            "umask0077",
            "transport agent",
            "descriptionmake",
            "descriptionppp",
            "whatnfsd",
            "file formats",
            "automount point",
            "automount",
            "setuid nobody",
            "setgid nobody",
            "setcon",
            "syslog",
            "restartonabort",
            "halt screen",
            "reboot screen",
            "pgroot",
            "postgresql",
            "oom killer",
            "additional",
            "fy nice19",
            "endless os",
            "foundation llc",
            "restartsec0",
            "system quotas",
            "rabbitmq",
            "protecthometrue",
            "etcrathole",
            "guessmainpidno",
            "h etcrdnssd",
            "reflector",
            "afinet6 afunix",
            "umask177",
            "remote file",
            "nfs client",
            "nfsv23 locking",
            "make sure",
            "rpc netconfig",
            "descriptionfast",
            "using ssh",
            "so let",
            "boot",
            "realtimekit",
            "rwhodopts",
            "display manager",
            "specify",
            "interval l",
            "loginterval f",
            "bindstodev",
            "always",
            "usrbingrpck r",
            "slapdoptions",
            "u ldap",
            "slapdurls",
            "smart",
            "pciusb",
            "midi",
            "daemonopts",
            "snmp",
            "trap daemon",
            "g snort",
            "descriptionsudo",
            "hibernate",
            "svnserveargs",
            "whatfusectl",
            "whatconfigfs",
            "whatdebugfs",
            "whattracefs",
            "best way",
            "see https",
            "units service",
            "service slice",
            "offline system",
            "update",
            "wall directory",
            "timeoutsec90s",
            "descriptionmark",
            "current boot",
            "loader entry",
            "any system",
            "units",
            "loader random",
            "loader update",
            "service socket",
            "dump socket",
            "optionally",
            "root device",
            "afalg afinet",
            "execstophomectl",
            "home area",
            "named pipe",
            "sink service",
            "sink socket",
            "upload service",
            "dynamicuseryes",
            "sigkilled",
            "devlog",
            "timestampingus",
            "namespace",
            "sendbuffer8m",
            "kernel command",
            "netlink socket",
            "storage",
            "descriptionwait",
            "network",
            "make",
            "deviceallow",
            "reserve",
            "killer socket",
            "root file",
            "measurement",
            "pcr policy",
            "tpm pcr",
            "code",
            "configuration",
            "machine id",
            "barrier",
            "quota check",
            "system quota",
            "after",
            "random seed",
            "kernel file",
            "gpt partition",
            "kill switch",
            "nvmetcp",
            "trigger",
            "saturday",
            "persistentyes",
            "system update",
            "kernel time",
            "capsystime",
            "ntp service",
            "turn",
            "files",
            "device nodes",
            "srk setup",
            "device events",
            "bootshutdown",
            "change",
            "manager socket",
            "descriptiontinc",
            "proxy server",
            "linrunner",
            "descriptiontlp",
            "tor service",
            "f etctortorrc",
            "tpm device",
            "descriptionudp",
            "tcpicmpudp",
            "etcudp2raw",
            "debug",
            "swap",
            "api file",
            "privatedevices",
            "home",
            "root",
            "runuser",
            "linux control",
            "groups",
            "group",
            "afnetlink",
            "locked memory",
            "limitmemlock0",
            "usb gadget",
            "apple",
            "sliceuser",
            "descriptionuuid",
            "compatibility",
            "typerpcpipefs",
            "vmsvga",
            "hypervisor",
            "usr1",
            "mgmt appuser",
            "dac permission",
            "selinux",
            "xxx someone",
            "qemu",
            "machine tools",
            "vmware tools",
            "pidfilerunvpnc",
            "wacom",
            "iface d",
            "dspeed u",
            "iface",
            "descriptionwpa",
            "oracle",
            "reserved",
            "wong",
            "emailaddr",
            "tunnel protocol",
            "l2tp",
            "isps",
            "russia use",
            "ipsec",
            "d optxplico",
            "b sqlite",
            "descriptionxrdp",
            "xrdpoptions",
            "process",
            "sesmanoptions",
            "zpoolimportopts",
            "an o",
            "t scrub",
            "usrbinzpool",
            "zfs volume",
            "descriptionzfs",
            "f restartalways",
            "remainafterexit",
            "nmbdoptions",
            "smbdoptions",
            "successaction",
            "winbindoptions",
            "ck id",
            "hybrid analysis",
            "mitre att",
            "malicious",
            "sdshared ansi",
            "default und",
            "func global",
            "func local",
            "object local",
            "general",
            "show technique",
            "ck matrix",
            "tasksmax33",
            "empty file",
            "proxycommand",
            "checkhostip",
            "afunix",
            "afvsock",
            "allow",
            "r table",
            "chkbootcheck",
            "gplv2 source",
            "chkbootstyles",
            "etcissue",
            "partition",
            "minimizebest",
            "mit no",
            "match",
            "link",
            "namepolicykeep",
            "ethernet link",
            "kindveth nameve",
            "kindveth namevb",
            "keepmasteryes",
            "dhcpv4",
            "kindsit name6rd",
            "ipv4ll",
            "ipv6ll",
            "dhcpipv6ra",
            "dhcpv6",
            "typeether",
            "dhcpyes",
            "usetimezoneyes",
            "typewlan",
            "tuntap",
            "natdhcp",
            "kindtun namevt",
            "kind",
            "originalname",
            "definedby",
            "peer",
            "sopeergroups",
            "dbus protocol",
            "dbus name",
            "exec",
            "hup signal",
            "sighup",
            "dnssec",
            "sessionid",
            "seatid",
            "sleep",
            "leader",
            "jobresult",
            "coredumppid",
            "coredumpcomm",
            "junit",
            "na zapusk",
            "mikrasiekund",
            "enhed",
            "mikrosekunder",
            "opstart",
            "jobid",
            "a rendszer",
            "ezredmsodpercet",
            "a rendszernapl",
            "user manager",
            "smack",
            "lunit",
            "stato",
            "il processo",
            "il sistema",
            "stata",
            "le processus",
            "notez que",
            "jedinica",
            "zapamtite da",
            "nova",
            "jednostka",
            "prosz zauway",
            "zwykle wskazuje",
            "jest",
            "o processo",
            "processo",
            "isso",
            "inicializao",
            "journal",
            "sizelimit",
            "userid",
            "prozess",
            "speicherabbild",
            "hinweis auf",
            "programmfehler",
            "fehler dem",
            "die systemzeit",
            "realtime"
          ],
          "references": [
            "Hunting_B64Engine_DotNetToJScript_Dos.yar",
            "APT_Backdoor_PS1_BASICPIPESHELL_1.yar",
            "apt_sandworm_exim_expl.yar.002",
            "apt_sandworm_exim_expl.yar.001",
            "apt_sandworm_exim_expl.yar",
            "connect.php",
            "connect.php.002",
            "connect.php.001",
            "crypto-miner.js",
            "eicar",
            "eicar.001",
            "eicar.002",
            "custom.py",
            "eicar.txt",
            "expl_cve_2021_40444.yar.001",
            "expl_cve_2021_40444.yar.002",
            "getPerms.php",
            "input.pcap",
            "list.php",
            "parent.php",
            "payload.php",
            "payload.php.001",
            "kingdee-erp-rce.yaml",
            "payload.php.003",
            "payload.php.002",
            "payload.php.004",
            "payload.php.005",
            "payload.php.006",
            "payload.php.007",
            "payload.php.008",
            "payload.php.010",
            "payload.php.011",
            "payload.php.009",
            "payload.php.012",
            "payload.php.013",
            "payload.php.015",
            "payload.php.016",
            "payload.php.017",
            "reverse_tcp.py",
            "scanner.php",
            "search.php",
            "setdb.php",
            "payload.php.014",
            "setdb.php.001",
            "reader.php",
            "single.php",
            "resolv.conf",
            "systemd-update-helper",
            "90-systemd.preset",
            "60-flatpak",
            "app.slice",
            "background.slice",
            "README.md",
            "bluetooth.target",
            "basic.target",
            "borgmatic-user.timer",
            "borgmatic-user.service",
            "cape.service",
            "cape-dist.service",
            "cape-processor.service",
            "cape-rooter.service",
            "capsule@.target",
            "cape-web.service",
            "clash.service",
            "colord-session.service",
            "dbus.socket",
            "cape-fstab.service",
            "dbus.service",
            "dbus-broker.service",
            "dconf.service",
            "dirmngr.service",
            "default.target",
            "drkonqi-coredump-cleanup.service",
            "dirmngr.socket",
            "drkonqi-coredump-cleanup.timer",
            "drkonqi-coredump-launcher.socket",
            "drkonqi-sentry-postman.path",
            "drkonqi-coredump-pickup.service",
            "drkonqi-sentry-postman.service",
            "drkonqi-sentry-postman.timer",
            "drkonqi-coredump-launcher@.service",
            "dunst.service",
            "flatpak-oci-authenticator.service",
            "filter-chain.service",
            "exit.target",
            "flatpak-session-helper.service",
            "fluidsynth.service",
            "gcr-ssh-agent.socket",
            "flatpak-portal.service",
            "gcr-ssh-agent.service",
            "gnome-keyring-daemon.service",
            "glib-pacrunner.service",
            "gnome-keyring-daemon.socket",
            "gpg-agent-ssh.socket",
            "gnome-terminal-server.service",
            "gpg-agent-extra.socket",
            "gpg-agent.service",
            "gpg-agent.socket",
            "gpg-agent-browser.socket",
            "graphical-session-pre.target",
            "graphical-session.target",
            "gssuserproxy.socket",
            "guacd.service",
            "gvfs-gphoto2-volume-monitor.service",
            "gvfs-daemon.service",
            "gssuserproxy.service",
            "gvfs-afc-volume-monitor.service",
            "gvfs-metadata.service",
            "jack@.service",
            "guac-web.service",
            "gvfs-udisks2-volume-monitor.service",
            "gvfs-mtp-volume-monitor.service",
            "kde-baloo.service",
            "keyboxd.service",
            "kio-fuse.service",
            "keyboxd.socket",
            "p11-kit-server.service",
            "p11-kit-server.socket",
            "paths.target",
            "pipewire.socket",
            "pipewire-pulse.service",
            "plasma-gmenudbusmenuproxy.service",
            "pipewire-pulse.socket",
            "plasma-baloorunner.service",
            "plasma-kcminit.service",
            "plasma-dolphin.service",
            "plasma-kcminit-phase1.service",
            "plasma-core.target",
            "plasma-kded.service",
            "pipewire.service",
            "plasma-kded6.service",
            "plasma-kglobalaccel.service",
            "at-spi-dbus-bus.service",
            "plasma-krunner.service",
            "plasma-kscreen.service",
            "plasma-kscreen-osd.service",
            "plasma-ksmserver.service",
            "plasma-ksplash.service",
            "plasma-ksplash-ready.service",
            "plasma-ksystemstats.service",
            "plasma-kwallet-pam.service",
            "plasma-kwin_wayland.service",
            "plasma-kwin_x11.service",
            "plasma-plasmashell.service",
            "plasma-polkit-agent.service",
            "plasma-powerdevil.service",
            "plasma-powerprofile-osd.service",
            "plasma-restoresession.service",
            "plasma-workspace.target",
            "plasma-workspace-wayland.target",
            "plasma-workspace-x11.target",
            "plasma-xdg-desktop-portal-kde.service",
            "plasma-xembedsniproxy.service",
            "podman.service",
            "podman.socket",
            "podman-auto-update.service",
            "podman-auto-update.timer",
            "podman-kube@.service",
            "podman-restart.service",
            "printer.target",
            "pulseaudio.service",
            "pulseaudio.socket",
            "pulseaudio-x11.service",
            "session.slice",
            "shutdown.target",
            "smartcard.target",
            "sockets.target",
            "sound.target",
            "ssh-agent.service",
            "suricata.service",
            "suricata-update.service",
            "suricata-update.timer",
            "systemd-exit.service",
            "systemd-tmpfiles-clean.service",
            "systemd-tmpfiles-clean.timer",
            "systemd-tmpfiles-setup.service",
            "thunar.service",
            "timers.target",
            "tracker-xdg-portal-3.service",
            "tumblerd.service",
            "wireplumber.service",
            "wireplumber@.service",
            "xdg-desktop-autostart.target",
            "xdg-desktop-portal.service",
            "xdg-desktop-portal-gtk.service",
            "xdg-desktop-portal-hyprland.service",
            "xdg-desktop-portal-rewrite-launchers.service",
            "xdg-desktop-portal-xapp.service",
            "xdg-permission-store.service",
            "xdg-user-dirs-update.service",
            "xfce4-notifyd.service",
            "xsettingsd.service",
            "xdg-document-portal.service",
            "https://hybrid-analysis.com/sample/b1a9e5be43c028442c07071e202f44f33e3a2df167822c5cfed8f998e01fe169/661da09794b343782806018e",
            "defaults.conf",
            "apparmor.conf",
            "nvidia",
            "tlp",
            "fwupd.shutdown",
            "mdadm.shutdown",
            "99-default.preset",
            "50-zfs.preset",
            "ibft-rule-generator",
            "10-arch",
            "60-flatpak-system-only",
            "3proxy.service",
            "apache-tika.service",
            "apparmor.service",
            "arch-audit.service",
            "arch-audit.timer",
            "NetworkManager-dispatcher.service",
            "NetworkManager-wait-online.service",
            "NetworkManager.service",
            "SUSE-mdadm_env.sh",
            "ModemManager.service",
            "3proxy.conf",
            "archlinux-keyring-wkd-sync.service",
            "adsl.service",
            "accounts-daemon.service",
            "adb.service",
            "alsa-restore.service",
            "alsa-state.service",
            "archlinux-keyring-wkd-sync.timer",
            "ananicy-cpp.service",
            "arcolinux-graphical-target.service",
            "atftpd.service",
            "audit-rules.service",
            "auditd.service",
            "auth-rpcgss-module.service",
            "autorandr.service",
            "autorandr-lid-listener.service",
            "autovt@.service",
            "avahi-daemon.service",
            "avahi-daemon.socket",
            "avahi-dnsconfd.service",
            "bettercap.service",
            "betterlockscreen@.service",
            "blk-availability.service",
            "blockdev@.target",
            "bluetooth.service",
            "bmc-watchdog.service",
            "bolt.service",
            "boot-complete.target",
            "borgmatic.service",
            "borgmatic.timer",
            "bpftune.service",
            "btrfs-scrub@.service",
            "btrfs-scrub@.timer",
            "canberra-system-bootup.service",
            "canberra-system-shutdown.service",
            "canberra-system-shutdown-reboot.service",
            "capsule.slice",
            "capsule@.service",
            "celery2@.service",
            "celery@.service",
            "chkboot.service",
            "clamav-clamonacc.service",
            "clamav-daemon.service",
            "clamav-daemon.socket",
            "clamav-freshclam.service",
            "clamav-freshclam-once.service",
            "clamav-freshclam-once.timer",
            "clamav-unofficial-sigs.service",
            "clamav-unofficial-sigs.timer",
            "clash@.service",
            "cntlm.service",
            "colord.service",
            "configure-printer@.service",
            "console-getty.service",
            "container-getty@.service",
            "containerd.service",
            "couchdb.service",
            "cpupower.service",
            "create_ap.service",
            "cronie.service",
            "cryptsetup.target",
            "cryptsetup-pre.target",
            "ctrl-alt-del.target",
            "cups.path",
            "cups.service",
            "cups.socket",
            "cups-lpd.socket",
            "cups-lpd@.service",
            "cxl-monitor.service",
            "darkstat.service",
            "daxdev-reconfigure@.service",
            "dbus-org.freedesktop.hostname1.service",
            "dbus-org.freedesktop.import1.service",
            "dbus-org.freedesktop.locale1.service",
            "dbus-org.freedesktop.login1.service",
            "dbus-org.freedesktop.machine1.service",
            "dbus-org.freedesktop.portable1.service",
            "dbus-org.freedesktop.timedate1.service",
            "debug-shell.service",
            "dev-hugepages.mount",
            "dev-mqueue.mount",
            "dhclient@.service",
            "dhcpd4.service",
            "dhcpd6.service",
            "dirmngr@.service",
            "dirmngr@.socket",
            "dm-event.service",
            "dm-event.socket",
            "dmraid.service",
            "dnscrypt-proxy.service",
            "dnsmasq.service",
            "docker.service",
            "docker.socket",
            "drkonqi-coredump-processor@.service",
            "e2scrub@.service",
            "e2scrub_all.service",
            "e2scrub_all.timer",
            "e2scrub_fail@.service",
            "e2scrub_reap.service",
            "ead.service",
            "elasticsearch.service",
            "elasticsearch-keystore.service",
            "elasticsearch-keystore@.service",
            "elasticsearch@.service",
            "emergency.service",
            "emergency.target",
            "epmd.service",
            "epmd.socket",
            "exabgp.service",
            "factory-reset.target",
            "fancontrol.service",
            "fastnetmon.service",
            "final.target",
            "finger.socket",
            "finger@.service",
            "first-boot-complete.target",
            "flatpak-system-helper.service",
            "freeradius.service",
            "fsidd.service",
            "fstrim.service",
            "fstrim.timer",
            "ftpd.service",
            "fwupd.service",
            "fwupd-offline-update.service",
            "fwupd-refresh.service",
            "fwupd-refresh.timer",
            "geoclue.service",
            "geoipupdate.service",
            "geoipupdate.timer",
            "getty.target",
            "getty-pre.target",
            "getty@.service",
            "git-daemon.socket",
            "git-daemon@.service",
            "gnupg-pkcs11-scd-proxy.service",
            "gpg-agent-browser@.socket",
            "gpg-agent-extra@.socket",
            "gpg-agent-ssh@.socket",
            "gpg-agent@.service",
            "gpg-agent@.socket",
            "gpm.path",
            "gpm.service",
            "gpsd.service",
            "gpsd.socket",
            "gpsdctl@.service",
            "graphical.target",
            "greenbone-certdata-sync.service",
            "greenbone-certdata-sync.timer",
            "greenbone-feed-sync.service",
            "greenbone-feed-sync.timer",
            "greenbone-nvt-sync.service",
            "greenbone-nvt-sync.timer",
            "greenbone-scapdata-sync.service",
            "greenbone-scapdata-sync.timer",
            "gssproxy.service",
            "gvmd.service",
            "halt.target",
            "healthd.service",
            "hibernate.target",
            "hostapd.service",
            "hostapd@.service",
            "httpd.service",
            "hv_fcopy_daemon.service",
            "hv_kvp_daemon.service",
            "hv_vss_daemon.service",
            "hybrid-sleep.target",
            "i2pd.service",
            "iiod.service",
            "initrd.target",
            "initrd-cleanup.service",
            "initrd-fs.target",
            "initrd-parse-etc.service",
            "initrd-root-device.target",
            "initrd-root-fs.target",
            "initrd-switch-root.service",
            "initrd-switch-root.target",
            "initrd-udevadm-cleanup-db.service",
            "initrd-usr-fs.target",
            "integritysetup.target",
            "integritysetup-pre.target",
            "iodined.service",
            "iodined.socket",
            "ip2clued.service",
            "ip6tables.service",
            "ipmidetectd.service",
            "ipmiseld.service",
            "iptables.service",
            "iscsi.service",
            "iscsi-init.service",
            "iscsid.service",
            "iscsid.socket",
            "iscsiuio.service",
            "iscsiuio.socket",
            "isnsd.service",
            "isnsd.socket",
            "iwd.service",
            "kcptun-server@.service",
            "kcptun@.service",
            "kexec.target",
            "keyboxd@.service",
            "keyboxd@.socket",
            "kmod-static-nodes.service",
            "krb5-kadmind.service",
            "krb5-kdc.service",
            "krb5-kpropd.service",
            "krb5-kpropd.socket",
            "krb5-kpropd@.service",
            "lastlog2-import.service",
            "ldconfig.service",
            "libvirt-guests.service",
            "libvirtd.service",
            "libvirtd.socket",
            "libvirtd-admin.socket",
            "libvirtd-ro.socket",
            "libvirtd-tcp.socket",
            "libvirtd-tls.socket",
            "lightdm.service",
            "lm_sensors.service",
            "local-fs.target",
            "local-fs-pre.target",
            "logrotate.service",
            "logrotate.timer",
            "lvm2-lvmpolld.service",
            "lvm2-lvmpolld.socket",
            "lvm2-monitor.service",
            "lxc.service",
            "lxc-auto.service",
            "lxc-monitord.service",
            "lxc-net.service",
            "lxc@.service",
            "lxdm.service",
            "ly.service",
            "lynis.service",
            "lynis.timer",
            "machine.slice",
            "machines.target",
            "man-db.service",
            "man-db.timer",
            "mariadb.service",
            "mariadb.socket",
            "mariadb-extra.socket",
            "mariadb-extra@.socket",
            "mariadb@.service",
            "mariadb@.socket",
            "mdadm-grow-continue@.service",
            "mdadm-last-resort@.service",
            "mdadm-last-resort@.timer",
            "mdcheck_continue.service",
            "mdcheck_continue.timer",
            "mdcheck_start.service",
            "mdcheck_start.timer",
            "mdmon@.service",
            "mdmonitor.service",
            "mdmonitor-oneshot.service",
            "mdmonitor-oneshot.timer",
            "memavaild.service",
            "mkinitcpio-generate-shutdown-ramfs.service",
            "modprobe@.service",
            "mongodb.service",
            "multi-user.target",
            "mysql.service",
            "mysqld.service",
            "named.service",
            "nbd.service",
            "nbd@.service",
            "ndctl-monitor.service",
            "neo4j.service",
            "netavark-dhcp-proxy.service",
            "netavark-dhcp-proxy.socket",
            "netdata.service",
            "network.target",
            "network-online.target",
            "network-pre.target",
            "nfs-blkmap.service",
            "nfs-client.target",
            "nfs-idmapd.service",
            "nfs-mountd.service",
            "nfs-server.service",
            "nfs-utils.service",
            "nfsdcld.service",
            "nfsv4-exportd.service",
            "nfsv4-server.service",
            "nftables.service",
            "nm-priv-helper.service",
            "nmb.service",
            "nohang.service",
            "nohang-desktop.service",
            "nscd.service",
            "nss-lookup.target",
            "nss-user-lookup.target",
            "ntpd.service",
            "ntpdate.service",
            "nvidia-hibernate.service",
            "nvidia-persistenced.service",
            "nvidia-powerd.service",
            "nvidia-resume.service",
            "nvidia-suspend.service",
            "nvmefc-boot-connections.service",
            "nvmf-autoconnect.service",
            "nvmf-connect.target",
            "nvmf-connect-nbft.service",
            "nvmf-connect@.service",
            "pacrunner.service",
            "ostree-boot-complete.service",
            "pacman-filesdb-refresh.timer",
            "pcscd.service",
            "passim.service",
            "pcscd.socket",
            "packagekit-offline-update.service",
            "phoronix-result-server.service",
            "paccache.timer",
            "plymouth-kexec.service",
            "pamac-cleancache.timer",
            "plymouth-quit.service",
            "partimaged.service",
            "plymouth-poweroff.service",
            "plymouth-read-write.service",
            "plymouth-quit-wait.service",
            "paccache.service",
            "plymouth-switch-root-initramfs.service",
            "ostree-remount.service",
            "plymouth-switch-root.service",
            "openvpn-client@.service",
            "podman-clean-transient.service",
            "pamac-offline-upgrade.service",
            "polkit.service",
            "postfix.service",
            "pam_namespace.service",
            "poweroff.target",
            "ppp@.service",
            "opensnitchd.service",
            "proc-fs-nfsd.mount",
            "proc-sys-fs-binfmt_misc.automount",
            "proc-sys-fs-binfmt_misc.mount",
            "phoromatic-server.service",
            "ptunnel.service",
            "openvpn-server@.service",
            "plymouth-halt.service",
            "pamac-cleancache.service",
            "plymouth-reboot.service",
            "ostree-state-overlay@.service",
            "ostree-finalize-staged.service",
            "postgresql.service",
            "phoromatic-client.service",
            "pamac-daemon.service",
            "pacman-filesdb-refresh.service",
            "packagekit.service",
            "pkgfile-update.service",
            "pkgfile-update.timer",
            "plymouth-start.service",
            "ostree-prepare-root.service",
            "ostree-finalize-staged.path",
            "privoxy.service",
            "ostree-finalize-staged-hold.service",
            "qemu-guest-agent.service",
            "quotaon.service",
            "quotaon-root.service",
            "quotaon@.service",
            "rabbitmq.service",
            "ras-mc-ctl.service",
            "rasdaemon.service",
            "rathole@.service",
            "ratholec@.service",
            "ratholes@.service",
            "rc-local.service",
            "rdnssd@.service",
            "reboot.target",
            "redis.service",
            "redis-sentinel.service",
            "reflector.service",
            "reflector.timer",
            "remote-cryptsetup.target",
            "remote-fs.target",
            "remote-fs-pre.target",
            "remote-veritysetup.target",
            "rescue.service",
            "rescue.target",
            "rfkill-block@.service",
            "rfkill-unblock@.service",
            "rlogin.socket",
            "rlogin@.service",
            "rpc-gssd.service",
            "rpc-statd.service",
            "rpc-statd-notify.service",
            "rpc_pipefs.target",
            "rpcbind.service",
            "rpcbind.socket",
            "rpcbind.target",
            "rsh.socket",
            "rsh@.service",
            "rsyncd.service",
            "rsyncd.socket",
            "rsyncd@.service",
            "rtkit-daemon.service",
            "runlevel0.target",
            "runlevel1.target",
            "runlevel2.target",
            "runlevel3.target",
            "runlevel4.target",
            "runlevel5.target",
            "runlevel6.target",
            "rwhod.service",
            "samba.service",
            "sddm.service",
            "seatd.service",
            "sensord.service",
            "serial-getty@.service",
            "shadow.service",
            "shadow.timer",
            "sigpwr.target",
            "slapd.service",
            "sleep.target",
            "slices.target",
            "smartd.service",
            "smb.service",
            "sndiod.service",
            "snmpd.service",
            "snmptrapd.service",
            "snort@.service",
            "snort@1000.service",
            "soft-reboot.target",
            "ssh-access.target",
            "sshd.service",
            "sshdgenkeys.service",
            "sshuttle.service",
            "sslh.service",
            "sslh-fork.service",
            "sslh-select.service",
            "storage-target-mode.target",
            "stunnel.service",
            "sudo_logsrvd.service",
            "suspend.target",
            "suspend-then-hibernate.target",
            "svnserve.service",
            "swap.target",
            "sys-fs-fuse-connections.mount",
            "sys-kernel-config.mount",
            "sys-kernel-debug.mount",
            "sys-kernel-tracing.mount",
            "sysinit.target",
            "syslog.socket",
            "system-systemd\\x2dcryptsetup.slice",
            "system-systemd\\x2dveritysetup.slice",
            "system-update.target",
            "system-update-cleanup.service",
            "system-update-pre.target",
            "systemd-ask-password-console.path",
            "systemd-ask-password-console.service",
            "systemd-ask-password-plymouth.path",
            "systemd-ask-password-plymouth.service",
            "systemd-ask-password-wall.path",
            "systemd-ask-password-wall.service",
            "systemd-backlight@.service",
            "systemd-battery-check.service",
            "systemd-binfmt.service",
            "systemd-bless-boot.service",
            "systemd-boot-check-no-failures.service",
            "systemd-boot-random-seed.service",
            "systemd-boot-update.service",
            "systemd-bootctl.socket",
            "systemd-bootctl@.service",
            "systemd-bsod.service",
            "systemd-confext.service",
            "systemd-coredump.socket",
            "systemd-coredump@.service",
            "systemd-creds.socket",
            "systemd-creds@.service",
            "systemd-firstboot.service",
            "systemd-fsck-root.service",
            "systemd-fsck@.service",
            "systemd-growfs-root.service",
            "systemd-growfs@.service",
            "systemd-halt.service",
            "systemd-hibernate.service",
            "systemd-hibernate-resume.service",
            "systemd-homed.service",
            "systemd-homed-activate.service",
            "systemd-homed-firstboot.service",
            "systemd-hostnamed.service",
            "systemd-hostnamed.socket",
            "systemd-hwdb-update.service",
            "systemd-hybrid-sleep.service",
            "systemd-importd.service",
            "systemd-initctl.service",
            "systemd-initctl.socket",
            "systemd-journal-catalog-update.service",
            "systemd-journal-flush.service",
            "systemd-journal-gatewayd.service",
            "systemd-journal-gatewayd.socket",
            "systemd-journal-remote.service",
            "systemd-journal-remote.socket",
            "systemd-journal-upload.service",
            "systemd-journald.service",
            "systemd-journald.socket",
            "systemd-journald-audit.socket",
            "systemd-journald-dev-log.socket",
            "systemd-journald-varlink@.socket",
            "systemd-journald@.service",
            "systemd-journald@.socket",
            "systemd-kexec.service",
            "systemd-localed.service",
            "systemd-logind.service",
            "systemd-machine-id-commit.service",
            "systemd-machined.service",
            "systemd-modules-load.service",
            "systemd-network-generator.service",
            "systemd-networkd.service",
            "systemd-networkd.socket",
            "systemd-networkd-persistent-storage.service",
            "systemd-networkd-wait-online.service",
            "systemd-networkd-wait-online@.service",
            "systemd-nspawn@.service",
            "systemd-oomd.service",
            "systemd-oomd.socket",
            "systemd-pcrextend.socket",
            "systemd-pcrextend@.service",
            "systemd-pcrfs-root.service",
            "systemd-pcrfs@.service",
            "systemd-pcrlock.socket",
            "systemd-pcrlock-file-system.service",
            "systemd-pcrlock-firmware-code.service",
            "systemd-pcrlock-firmware-config.service",
            "systemd-pcrlock-machine-id.service",
            "systemd-pcrlock-make-policy.service",
            "systemd-pcrlock-secureboot-authority.service",
            "systemd-pcrlock-secureboot-policy.service",
            "systemd-pcrlock@.service",
            "systemd-pcrmachine.service",
            "systemd-pcrphase.service",
            "systemd-pcrphase-initrd.service",
            "systemd-pcrphase-sysinit.service",
            "systemd-portabled.service",
            "systemd-poweroff.service",
            "systemd-pstore.service",
            "systemd-quotacheck.service",
            "systemd-quotacheck-root.service",
            "systemd-quotacheck@.service",
            "systemd-random-seed.service",
            "systemd-reboot.service",
            "systemd-remount-fs.service",
            "systemd-repart.service",
            "systemd-resolved.service",
            "systemd-rfkill.service",
            "systemd-rfkill.socket",
            "systemd-soft-reboot.service",
            "systemd-storagetm.service",
            "systemd-suspend.service",
            "systemd-suspend-then-hibernate.service",
            "systemd-sysctl.service",
            "systemd-sysext.service",
            "systemd-sysext.socket",
            "systemd-sysext@.service",
            "systemd-sysupdate.service",
            "systemd-sysupdate.timer",
            "systemd-sysupdate-reboot.service",
            "systemd-sysupdate-reboot.timer",
            "systemd-sysusers.service",
            "systemd-time-wait-sync.service",
            "systemd-timedated.service",
            "systemd-timesyncd.service",
            "systemd-tmpfiles-setup-dev.service",
            "systemd-tmpfiles-setup-dev-early.service",
            "systemd-tpm2-setup.service",
            "systemd-tpm2-setup-early.service",
            "systemd-udev-trigger.service",
            "systemd-udevd.service",
            "systemd-udevd-control.socket",
            "systemd-udevd-kernel.socket",
            "systemd-update-done.service",
            "systemd-update-utmp.service",
            "systemd-update-utmp-runlevel.service",
            "systemd-user-sessions.service",
            "systemd-userdbd.service",
            "systemd-userdbd.socket",
            "systemd-vconsole-setup.service",
            "systemd-vmspawn@.service",
            "systemd-volatile-root.service",
            "systemd-zram-setup@.service",
            "talk.service",
            "talk.socket",
            "teamd@.service",
            "telnet.socket",
            "telnet@.service",
            "time-set.target",
            "time-sync.target",
            "tinc.service",
            "tinc@.service",
            "tinyproxy.service",
            "tlp.service",
            "tmp.mount",
            "tor.service",
            "tpm2.target",
            "udisks2.service",
            "udp2raw@.service",
            "ufw.service",
            "uksmd.service",
            "umount.target",
            "unbound.service",
            "updatedb.service",
            "updatedb.timer",
            "upower.service",
            "usb-gadget.target",
            "usb_modeswitch@.service",
            "usbipd.service",
            "usbmuxd.service",
            "user.slice",
            "user-runtime-dir@.service",
            "user@.service",
            "uuidd.service",
            "uuidd.socket",
            "var-lib-machines.mount",
            "var-lib-nfs-rpc_pipefs.mount",
            "vboxdrmclient.path",
            "vboxdrmclient.service",
            "vboxservice.service",
            "veritysetup.target",
            "veritysetup-pre.target",
            "virt-guest-shutdown.target",
            "virtchd.service",
            "virtchd.socket",
            "virtchd-admin.socket",
            "virtchd-ro.socket",
            "virtinterfaced.service",
            "virtinterfaced.socket",
            "virtinterfaced-admin.socket",
            "virtinterfaced-ro.socket",
            "virtlockd.service",
            "virtlockd.socket",
            "virtlockd-admin.socket",
            "virtlogd.service",
            "virtlogd.socket",
            "virtlogd-admin.socket",
            "virtlxcd.service",
            "virtlxcd.socket",
            "virtlxcd-admin.socket",
            "virtlxcd-ro.socket",
            "virtnetworkd.service",
            "virtnetworkd.socket",
            "virtnetworkd-admin.socket",
            "virtnetworkd-ro.socket",
            "virtnodedevd.service",
            "virtnodedevd.socket",
            "virtnodedevd-admin.socket",
            "virtnodedevd-ro.socket",
            "virtnwfilterd.service",
            "virtnwfilterd.socket",
            "virtnwfilterd-admin.socket",
            "virtnwfilterd-ro.socket",
            "virtproxyd.service",
            "virtproxyd.socket",
            "virtproxyd-admin.socket",
            "virtproxyd-ro.socket",
            "virtproxyd-tcp.socket",
            "virtproxyd-tls.socket",
            "virtqemud.service",
            "virtqemud.socket",
            "virtqemud-admin.socket",
            "virtqemud-ro.socket",
            "virtsecretd.service",
            "virtsecretd.socket",
            "virtsecretd-admin.socket",
            "virtsecretd-ro.socket",
            "virtstoraged.service",
            "virtstoraged.socket",
            "virtstoraged-admin.socket",
            "virtstoraged-ro.socket",
            "virtvboxd.service",
            "virtvboxd.socket",
            "virtvboxd-admin.socket",
            "virtvboxd-ro.socket",
            "vmtoolsd.service",
            "vmware-vmblock-fuse.service",
            "vpnc@.service",
            "wacom-inputattach@.service",
            "wg-quick.target",
            "wg-quick@.service",
            "winbind.service",
            "wondershaper.service",
            "wpa_supplicant.service",
            "wpa_supplicant-nl80211@.service",
            "wpa_supplicant-wired@.service",
            "wpa_supplicant@.service",
            "xfs_scrub@.service",
            "xfs_scrub_all.service",
            "xfs_scrub_all.timer",
            "xfs_scrub_fail@.service",
            "xl2tpd.service",
            "xplico.service",
            "xrdp.service",
            "xrdp-sesman.service",
            "yate.service",
            "zfs.target",
            "zfs-import.service",
            "zfs-import.target",
            "zfs-import-cache.service",
            "zfs-import-scan.service",
            "zfs-load-key.service",
            "zfs-mount.service",
            "zfs-scrub-monthly@.timer",
            "zfs-scrub-weekly@.timer",
            "zfs-scrub@.service",
            "zfs-share.service",
            "zfs-trim-monthly@.timer",
            "zfs-trim-weekly@.timer",
            "zfs-trim@.service",
            "zfs-volume-wait.service",
            "zfs-volumes.target",
            "zfs-zed.service",
            "plymouth.conf",
            "gpg-agent-ssh@etc-pacman.d-gnupg.socket",
            "keyboxd@etc-pacman.d-gnupg.socket",
            "dirmngr@etc-pacman.d-gnupg.socket",
            "gpg-agent-browser@etc-pacman.d-gnupg.socket",
            "gpg-agent-extra@etc-pacman.d-gnupg.socket",
            "gpg-agent@etc-pacman.d-gnupg.socket",
            "https://hybrid-analysis.com/sample/ff42428f0fcc346cc56e2b00d4b5c4bd43b55f3465b4ccab0efba9c88f4a1c03/661da0b063c895fc2d0a78dc",
            "https://hybrid-analysis.com/sample/9613dee39157b5f9935436b36647047e267b7c10fa4c7ab1fd995db681e58c12/661da5b202eaca78740cf4ed",
            "https://hybrid-analysis.com/sample/479a0170df010c5eb742ff1b8740a2ccf381df44c8a919c95d6e38685278e78a/661da5c768340c1e25092cb2",
            "50-rc_keymap.conf",
            "10-defaults.conf",
            "10-login-barrier.conf",
            "20-systemd-userdb.conf",
            "20-systemd-ssh-proxy.conf",
            "iptables-flush",
            "cpupower",
            "chkboot-bootcheck",
            "10-root.conf",
            "30-root-verity-sig.conf",
            "20-root-verity.conf",
            "80-systemd-timesync.list",
            "80-6rd-tunnel.link",
            "80-container-ve.network",
            "80-container-vb.network",
            "80-container-vz.link",
            "80-6rd-tunnel.network",
            "80-container-vz.network",
            "80-auto-link-local.network.example",
            "80-ethernet.network.example",
            "80-container-host0.network",
            "80-iwd.link",
            "80-container-vb.link",
            "80-vm-vt.link",
            "80-vm-vt.network",
            "80-wifi-adhoc.network",
            "80-wifi-ap.network.example",
            "80-wifi-station.network.example",
            "80-container-ve.link",
            "89-ethernet.network.example",
            "99-default.link",
            "dbus-broker.catalog",
            "dbus-broker-launch.catalog",
            "systemd.be.catalog",
            "systemd.be@latin.catalog",
            "systemd.da.catalog",
            "systemd.bg.catalog",
            "systemd.hu.catalog",
            "systemd.catalog",
            "systemd.it.catalog",
            "systemd.fr.catalog",
            "systemd.ko.catalog",
            "systemd.hr.catalog",
            "systemd.pl.catalog",
            "systemd.pt_BR.catalog",
            "systemd.ru.catalog",
            "systemd.sr.catalog",
            "systemd.zh_CN.catalog",
            "systemd.de.catalog",
            "systemd.zh_TW.catalog",
            "expl_cve_2021_40444.yar"
          ],
          "public": 1,
          "adversary": "Chinese Speaking",
          "targeted_countries": [],
          "malware_families": [
            {
              "id": "RemainAfterExit",
              "display_name": "RemainAfterExit",
              "target": null
            },
            {
              "id": "NMBDOPTIONS",
              "display_name": "NMBDOPTIONS",
              "target": null
            },
            {
              "id": "SMBDOPTIONS",
              "display_name": "SMBDOPTIONS",
              "target": null
            },
            {
              "id": "SuccessAction",
              "display_name": "SuccessAction",
              "target": null
            },
            {
              "id": "WINBINDOPTIONS",
              "display_name": "WINBINDOPTIONS",
              "target": null
            }
          ],
          "attack_ids": [
            {
              "id": "T1027",
              "name": "Obfuscated Files or Information",
              "display_name": "T1027 - Obfuscated Files or Information"
            },
            {
              "id": "T1071",
              "name": "Application Layer Protocol",
              "display_name": "T1071 - Application Layer Protocol"
            },
            {
              "id": "T1082",
              "name": "System Information Discovery",
              "display_name": "T1082 - System Information Discovery"
            },
            {
              "id": "T1106",
              "name": "Native API",
              "display_name": "T1106 - Native API"
            },
            {
              "id": "T1205",
              "name": "Traffic Signaling",
              "display_name": "T1205 - Traffic Signaling"
            },
            {
              "id": "T1140",
              "name": "Deobfuscate/Decode Files or Information",
              "display_name": "T1140 - Deobfuscate/Decode Files or Information"
            },
            {
              "id": "T1059",
              "name": "Command and Scripting Interpreter",
              "display_name": "T1059 - Command and Scripting Interpreter"
            },
            {
              "id": "T1543",
              "name": "Create or Modify System Process",
              "display_name": "T1543 - Create or Modify System Process"
            },
            {
              "id": "T1569",
              "name": "System Services",
              "display_name": "T1569 - System Services"
            },
            {
              "id": "T1090",
              "name": "Proxy",
              "display_name": "T1090 - Proxy"
            },
            {
              "id": "T1114",
              "name": "Email Collection",
              "display_name": "T1114 - Email Collection"
            },
            {
              "id": "T1573",
              "name": "Encrypted Channel",
              "display_name": "T1573 - Encrypted Channel"
            }
          ],
          "industries": [],
          "TLP": "white",
          "cloned_from": "661db37bf549518bf6f7f377",
          "export_count": 1,
          "upvotes_count": 0,
          "downvotes_count": 0,
          "votes_count": 0,
          "locked": false,
          "pulse_source": "web",
          "validator_count": 0,
          "comment_count": 0,
          "follower_count": 0,
          "vote": 0,
          "author": {
            "username": "msudosos",
            "id": "381696",
            "avatar_url": "https://otx.alienvault.com/assets/images/default-avatar.png",
            "is_subscribed": false,
            "is_following": false
          },
          "indicator_type_counts": {
            "FileHash-MD5": 123,
            "YARA": 16,
            "CVE": 4,
            "FileHash-SHA1": 25,
            "FileHash-SHA256": 20,
            "domain": 102,
            "URL": 16,
            "email": 9,
            "hostname": 4,
            "CIDR": 2
          },
          "indicator_count": 321,
          "is_author": false,
          "is_subscribing": null,
          "subscriber_count": 66,
          "modified_text": "5 days ago ",
          "is_modified": false,
          "groups": [],
          "in_group": false,
          "threat_hunter_scannable": true,
          "threat_hunter_has_agents": 1,
          "related_indicator_type": "domain",
          "related_indicator_is_active": 1
        },
        {
          "id": "6659ea571eab262a3942e77c",
          "name": "system.img - Unidentified Android Ext4 filesystem pulled from my machine",
          "description": "Honestly, I can't recall where I fished this out of, but I had stashed it on a cloud storage drive for later exploitation, which is what this is. At present, I don't have the slightest clue what it is or what it was doing on my computer. But with the majority of the */bin/ files coming back as symlinks to */bin/toybox, I'm assuming it's nothing that'd enhance my day-to-day life for the better. Stand by for further analysis. At present these are just the SHA256s of the filesystem itself.",
          "modified": "2024-05-31T15:18:47.112000",
          "created": "2024-05-31T15:18:47.112000",
          "tags": [
            "mntdevfb0",
            "mntdevhda1",
            "mntdevhda3",
            "mntdevkmem",
            "mntdevmem",
            "mntdevmmcblk0p1",
            "mntdevmmcblk0p3",
            "mntdevmtd0",
            "mntdevmtd2",
            "mntdevmtd4"
          ],
          "references": [],
          "public": 1,
          "adversary": "",
          "targeted_countries": [],
          "malware_families": [],
          "attack_ids": [],
          "industries": [],
          "TLP": "white",
          "cloned_from": null,
          "export_count": 18,
          "upvotes_count": 0,
          "downvotes_count": 0,
          "votes_count": 0,
          "locked": false,
          "pulse_source": "web",
          "validator_count": 0,
          "comment_count": 0,
          "follower_count": 0,
          "vote": 0,
          "author": {
            "username": "Merkd1904",
            "id": "196517",
            "avatar_url": "https://otx.alienvault.com/assets/images/default-avatar.png",
            "is_subscribed": false,
            "is_following": false
          },
          "indicator_type_counts": {
            "FileHash-MD5": 1,
            "FileHash-SHA1": 1,
            "FileHash-SHA256": 1991,
            "domain": 70
          },
          "indicator_count": 2063,
          "is_author": false,
          "is_subscribing": null,
          "subscriber_count": 73,
          "modified_text": "731 days ago ",
          "is_modified": false,
          "groups": [],
          "in_group": false,
          "threat_hunter_scannable": true,
          "threat_hunter_has_agents": 1,
          "related_indicator_type": "domain",
          "related_indicator_is_active": 1
        },
        {
          "id": "6605781ad51380e5b1c22815",
          "name": "haul from the last two weeks of wrangling - presumed malware and IOC's found on my personal devices",
          "description": "nearing the two year mark of the first initial attack - unfortunately OTX was only able to pull domains from the large majority of files uploaded which seems to be a built in anti-debug feature and goes with the theme and \"look & feel\" of this latest iteration being that most of them were somehow someway remote and acting as a net file system on my machine",
          "modified": "2024-04-27T02:04:29.606000",
          "created": "2024-03-28T14:00:58.809000",
          "tags": [
            "dddf",
            "target",
            "dddj",
            "path",
            "base o",
            "base",
            "backupfile",
            "base rw",
            "exit",
            "date",
            "hell",
            "gnu libtool",
            "please do",
            "linker",
            "lsmime3 lnss3",
            "lplc4 lnspr4",
            "ludev",
            "directory",
            "lmagic ljansson",
            "feugiat",
            "lorem ipsum",
            "nulla facilisi",
            "malesuada",
            "etiam tempor",
            "suspendisse",
            "consectetur",
            "bibendum",
            "amet",
            "eget aliquet",
            "basesectors",
            "date echo",
            "default",
            "label",
            "kernel",
            "append rhgb",
            "clsid",
            "systemroot",
            "webbrowser",
            "ispell",
            "imagemagick",
            "flex",
            "zle c",
            "whois",
            "locate",
            "rubber",
            "chown",
            "ruby",
            "ninja",
            "pacman",
            "restart",
            "kill",
            "django",
            "mark",
            "repl",
            "service",
            "term",
            "mkdir",
            "borg",
            "black",
            "conan",
            "dolphin",
            "dotnet",
            "hello",
            "john",
            "generic",
            "find",
            "shutdown",
            "mozilla",
            "first",
            "subsystem",
            "action",
            "goto",
            "load",
            "devtype",
            "idnetdriver",
            "drivers",
            "program",
            "interface",
            "nmunmanaged",
            "ethernet",
            "mac prefix",
            "attr",
            "virtualbox host",
            "mac address",
            "interface name",
            "hello world",
            "unit",
            "timer",
            "onbootsec5min",
            "install",
            "wait online",
            "networkmanager",
            "edit",
            "note",
            "typeoneshot",
            "cloud",
            "optin",
            "helper",
            "for testing",
            "only",
            "restrict",
            "grant",
            "enable debug",
            "trace",
            "killmodeprocess",
            "typedbus",
            "reload",
            "capdacoverride",
            "dhcp etc",
            "include",
            "yara",
            "cflags",
            "libs",
            "xxx remove",
            "the author",
            "this software",
            "isc license",
            "copyright",
            "schlueter",
            "permission",
            "software is",
            "provided",
            "as is",
            "disclaims all",
            "direct",
            "require",
            "semver",
            "comparator",
            "range",
            "releasetypes",
            "simple",
            "tilde",
            "09azaz",
            "prerelease",
            "same",
            "beta",
            "semverrangesgtr",
            "semverrangesltr",
            "coerce version",
            "ranges",
            "alpha",
            "standalone",
            "exits",
            "null",
            "false",
            "reverse",
            "compare",
            "a javascript",
            "copyright isaac",
            "typeerror",
            "maxsafeinteger",
            "maxlength",
            "break",
            "error",
            "number",
            "drop",
            "same direction",
            "symbol",
            "comp",
            "const",
            "caret",
            "flagloose",
            "xrange",
            "parse",
            "identifier",
            "object",
            "match",
            "string",
            "walk",
            "manually",
            "stop",
            "highhaspre",
            "major",
            "minor",
            "patch",
            "istanbul",
            "preminor",
            "index",
            "regexp",
            "build metadata",
            "meaning",
            "replace",
            "token",
            "zero",
            "star",
            "infinity",
            "return",
            "a cache",
            "build status",
            "coverage status",
            "the same",
            "options",
            "before",
            "lrulist",
            "cache",
            "length",
            "dispose",
            "maxage",
            "allowstale",
            "nodisposeonset",
            "yallist",
            "node",
            "array",
            "head",
            "function",
            "tail",
            "start",
            "insert",
            "just",
            "node object",
            "barbar",
            "array method",
            "default export",
            "any comparator",
            "complex range",
            "simple range",
            "c1 c2",
            "outer",
            "every simple",
            "ecomp",
            "must",
            "clone",
            "case",
            "ignore",
            "setmin",
            "determine",
            "version",
            "typeof",
            "contribute",
            "status",
            "node package",
            "manager",
            "benchmark suite",
            "installation",
            "direct download",
            "ql https",
            "node version",
            "usage",
            "project",
            "calendar",
            "package",
            "source",
            "license",
            "source form",
            "perl foundation",
            "distributor fee",
            "distribute",
            "standard",
            "neither",
            "module",
            "basecommand",
            "lifecyclecmd",
            "base command",
            "pacote",
            "browser",
            "workspace",
            "pkgname",
            "await",
            "boolean",
            "base class",
            "wrapwidth",
            "chalk",
            "command",
            "config",
            "npmcliconfig",
            "logfile",
            "timers",
            "display",
            "location",
            "audit",
            "arboristcmd",
            "arborist",
            "global",
            "whoami",
            "async",
            "json",
            "view",
            "pref",
            "pckmnt",
            "resolve",
            "utf8",
            "libnpmversion",
            "unstar",
            "update",
            "save",
            "omit",
            "packagelock",
            "dryrun",
            "force",
            "libnpmaccess",
            "spec",
            "uninstall",
            "todo",
            "enoent",
            "enotdir",
            "test",
            "scriptshell",
            "scope",
            "team",
            "create",
            "user",
            "libnpmteam",
            "destroy",
            "table",
            "list",
            "cidr",
            "stars",
            "eneedauth",
            "shrinkwrap",
            "rename",
            "npmcliarborist",
            "value",
            "unicode",
            "sbom",
            "cyclonedx",
            "build",
            "sbomformats",
            "response",
            "software bill",
            "look",
            "script",
            "runscript",
            "indent",
            "root",
            "minipass",
            "search",
            "pipeline",
            "filterstream",
            "libnpmsearch",
            "long",
            "grab",
            "packageurlcmd",
            "repo",
            "info",
            "repo const",
            "rebuild",
            "reifycmd",
            "publish",
            "libnpmpack",
            "npmclirunscript",
            "prune",
            "remove",
            "prefix",
            "args",
            "queryable",
            "packagejson",
            "pong",
            "cleanurl",
            "registry",
            "pack",
            "load tarball",
            "noise",
            "query",
            "edge",
            "etarget",
            "e403",
            "e404",
            "outdated",
            "homepage",
            "developer",
            "admin",
            "owner",
            "libnpmorg",
            "npmfetch",
            "logout",
            "getauth",
            "invalid",
            "parent",
            "depth",
            "type",
            "filteredby",
            "dedupe",
            "problems",
            "login",
            "link",
            "util",
            "installcitest",
            "runs",
            "prop",
            "password",
            "profile",
            "mode",
            "email",
            "twitter",
            "hook",
            "libnpmhook",
            "init",
            "wpath",
            "installtest",
            "complete",
            "globaltop",
            "help",
            "viewer",
            "glob",
            "pattern",
            "file",
            "globify",
            "explore",
            "shell",
            "handle",
            "fund",
            "which",
            "fundingsource",
            "archy",
            "explain",
            "helpsearch",
            "text",
            "part",
            "editor",
            "editor const",
            "childprocess",
            "check",
            "nodemodules",
            "docs",
            "promisify",
            "doctor",
            "cacache",
            "mask",
            "win32",
            "disttag",
            "packagespec",
            "semver range",
            "delete",
            "diff",
            "workspacepath",
            "actualtree",
            "libnpmdiff",
            "deprecate",
            "message",
            "write",
            "clean",
            "spawn",
            "compline",
            "comppoint",
            "compcword",
            "epipe",
            "completion",
            "compfish",
            "os x",
            "bugs",
            "report",
            "adduser",
            "exec",
            "libnpmexec",
            "localprefix",
            "runpath",
            "skip",
            "public key",
            "npmauditreport",
            "access",
            "item",
            "finddupes",
            "syntaxerror",
            "getcli",
            "eventemitter",
            "abort",
            "ssri",
            "columnify",
            "bundled",
            "tarball details",
            "sha1",
            "daily",
            "latest",
            "check daily",
            "weekly",
            "cyclonedxschema",
            "cyclonedxformat",
            "proppath",
            "propbundled",
            "propdevelopment",
            "propextraneous",
            "propprivate",
            "refvcs",
            "refwebsite",
            "crypto",
            "readpassword",
            "readusername",
            "reademail",
            "enter",
            "enter otp",
            "otpprompt",
            "afaf09",
            "passwordprompt",
            "auditerror",
            "getfundinginfo",
            "json output",
            "data",
            "append",
            "maybeindex",
            "ontimeend",
            "name",
            "returns",
            "noassertion",
            "spdxidentifer",
            "spdxdatalicense",
            "reldescribes",
            "reldep",
            "reftypepurl",
            "spdxid",
            "eotp",
            "e401",
            "setinterval",
            "npmlog",
            "proclog",
            "maxlogsperfile",
            "fsminipass",
            "open",
            "colmax",
            "colmin",
            "colgutter",
            "quick help",
            "convert",
            "b return",
            "mb return",
            "gb return",
            "sigint",
            "readline",
            "prompt",
            "promise",
            "eresolve error",
            "overridden",
            "peer",
            "extraneous",
            "optional",
            "isworkspace",
            "maxlen",
            "code",
            "unfinished",
            "notice",
            "isshellout",
            "matcherrorcode",
            "devnull",
            "npmcompletion",
            "compwords",
            "compreply",
            "o default",
            "f npmcompletion",
            "ifs compadd",
            "fish shell",
            "l cmd",
            "taken",
            "comp stuff",
            "lx compline",
            "abbrev",
            "please",
            "enyi",
            "json version",
            "cygwin",
            "c1 control",
            "numbers",
            "x09 x0a",
            "10000",
            "nodemodulesnpm",
            "builtin",
            "npmrc",
            "notsup",
            "notarget",
            "nospc",
            "rofs",
            "author",
            "npmclifs",
            "minimatch",
            "pathtofoo",
            "relative",
            "synopsis",
            "description",
            "field",
            "person",
            "configuration",
            "whether",
            "premajor",
            "prepatch",
            "prevents",
            "run git",
            "upgrade",
            "examples",
            "will",
            "shareman",
            "cidr whitelist",
            "please refer",
            "tokenid",
            "eslint",
            "c eslint",
            "compatibility",
            "older",
            "versions",
            "nodeoptions",
            "details",
            "output",
            "example",
            "posix",
            "unstarring",
            "lcall",
            "starring",
            "lock",
            "materials",
            "spdx",
            "lodash",
            "nodeenv",
            "initcwd",
            "boolean set",
            "boolean tells",
            "windows",
            "unix",
            "selector",
            "use cases",
            "queries",
            "equivalent",
            "boolean show",
            "nocolor environ",
            "cli look",
            "boolean force",
            "dependency",
            "json object",
            "production",
            "files",
            "cicd system",
            "property",
            "change",
            "url opener",
            "basic auth",
            "allow",
            "description a",
            "removes",
            "semvermajor",
            "ping https",
            "ping http",
            "found",
            "get http",
            "example add",
            "json format",
            "handy",
            "display prefix",
            "g usrlocal",
            "mycorp",
            "associate",
            "deprecated",
            "libnodemodules",
            "caveat note",
            "workspace usage",
            "string override",
            "tarball",
            "githubrepo",
            "initializer",
            "usrfoo",
            "forwarding",
            "suppose",
            "commandsnpm",
            "hooks",
            "url endpoint",
            "browse",
            "consider",
            "ci environment",
            "string optional",
            "promzard",
            "top level",
            "expect",
            "javascript",
            "it staff",
            "https",
            "cli team",
            "ecmascript",
            "readme",
            "package current",
            "latest location",
            "depended",
            "git repos",
            "git dependency",
            "newest version",
            "modify package",
            "description add",
            "show",
            "purpose tags",
            "tags",
            "keyvalue",
            "16 16",
            "boolean ignore",
            "boolean do",
            "string source",
            "treat",
            "example make",
            "grep",
            "travis ci",
            "details npm",
            "localappdata",
            "tab completion",
            "bulk advisory",
            "sha256publickey",
            "endpoint",
            "quick audit",
            "set access",
            "that user",
            "scoped",
            "python",
            "description npm",
            "node javascript",
            "important npm",
            "introduction",
            "c code",
            "unix system",
            "integrity",
            "provide",
            "facilitate",
            "cli tool",
            "handling old",
            "lockfiles",
            "file format",
            "legacy",
            "urls",
            "spdx license",
            "most",
            "barney rubble",
            "specify",
            "github",
            "dependencies",
            "github urls",
            "node installer",
            "linux",
            "overview",
            "windows node",
            "prefixetcnpmrc",
            "variablename",
            "home",
            "comments",
            "peruser config",
            "global config",
            "builtin config",
            "auth",
            "cycles",
            "local install",
            "global install",
            "appdata",
            "below",
            "please note",
            "stage",
            "after",
            "life cycle",
            "runs after",
            "post scripts",
            "scripts",
            "slate",
            "synopsis so",
            "rf usrlocal",
            "modules",
            "with",
            "laf usrlocal",
            "l npm",
            "description all",
            "installing",
            "myorgmypackage",
            "requiring",
            "publishing",
            "private modules",
            "scopes",
            "apis",
            "auth related",
            "does",
            "package name",
            "aliases",
            "folders",
            "os equivalent",
            "tarballs",
            "teams",
            "orgs",
            "super admin",
            "team admins",
            "developer guide",
            "description so",
            "be explicit",
            "blank",
            "standard glob",
            "link packages",
            "syntax",
            "selectors",
            "querying",
            "log file",
            "location all",
            "log levels",
            "information",
            "headers",
            "logs",
            "alias",
            "certificate",
            "format",
            "docext",
            "content",
            "descriptions",
            "shorthands",
            "keyb",
            "print",
            "dir1",
            "manual",
            "input",
            "line",
            "process",
            "display help",
            "dirs",
            "get contents",
            "maxdepth",
            "contents",
            "u2665 bxe5r",
            "ud834udf06 baz",
            "single",
            "cssesc",
            "usage arborist",
            "commands",
            "options most",
            "npm install",
            "npm rm",
            "time",
            "silent",
            "fetch",
            "conf",
            "handler",
            "extract",
            "additional",
            "jackspeak",
            "jack",
            "glob v",
            "expand",
            "drive letter",
            "never",
            "true",
            "rob browning",
            "gnu library",
            "general",
            "public license",
            "license file",
            "future import",
            "adderror",
            "cdfq",
            "charles levert",
            "egrep",
            "egrepegrep",
            "fgrepfgrep",
            "grepgrep",
            "svr4 grepegrep",
            "times",
            "attributeerror",
            "fixcygwinid",
            "enhanced",
            "false try",
            "false assert",
            "tsns",
            "inetaddress",
            "none",
            "return value",
            "unixaddress",
            "localrepo",
            "httpserver",
            "valueerror",
            "resourcepath",
            "exception",
            "eoferror",
            "c version",
            "bytesio",
            "offset",
            "binary",
            "ascii",
            "baseversion",
            "commit",
            "throw",
            "in n",
            "send",
            "data end",
            "if 10",
            "copy",
            "send logoutn",
            "exitatoi",
            "tmplink",
            "lcallc binls",
            "varlogsetup rm",
            "sf tmp",
            "slackware",
            "system console",
            "entry",
            "ansi mode",
            "b007e",
            "slackware ftp",
            "cdrom",
            "miquel van",
            "smoorenburg",
            "okay",
            "minix",
            "fixme",
            "overwrite",
            "connect",
            "ssh connection",
            "subcmd",
            "bbupttywidth",
            "bupforcetty",
            "hashsplitter",
            "b options",
            "false def",
            "hack",
            "kbytesr",
            "srcpath",
            "tmptagfiles",
            "device",
            "tmpreply",
            "reply",
            "including",
            "but not",
            "quotesplit",
            "quoteerror",
            "not word",
            "split line",
            "mainselect",
            "tpxetcfstab",
            "select",
            "slackware linux",
            "varlogmount",
            "anything",
            "tmpswapmsg",
            "swappart",
            "ndir",
            "swaplist",
            "tmpsetswap",
            "linux swap",
            "swap space",
            "redir",
            "linux fdisk",
            "tmptmpscript",
            "eof fi",
            "instsets",
            "gnome",
            "tmpsetds",
            "tmpsetseries",
            "gnu emacs",
            "gnome desktop",
            "linux kernel",
            "k desktop",
            "uucp",
            "tmp fi",
            "tmpsettpx",
            "tpxetcshadow",
            "root password",
            "detected",
            "internet",
            "press",
            "linux native",
            "partitions",
            "tmpreturn",
            "nodes",
            "nextpartition",
            "rootdevice",
            "mtpt",
            "size",
            "formatting",
            "doformat",
            "main",
            "done",
            "sourcemedia",
            "tmpmedia",
            "source media",
            "selection",
            "slackware cd",
            "network file",
            "tmpsetreturn",
            "maketag",
            "choice",
            "mount",
            "tagext",
            "tmpsetnewtag",
            "tmpsettagmake",
            "sorry",
            "tmpsetkeymap",
            "mapname",
            "moorhead",
            "keyboard map",
            "us keyboard",
            "updown",
            "copying",
            "kernel chmod",
            "kernel rdev",
            "lilo",
            "fullerr",
            "tmpsettestfull",
            "partition full",
            "setup",
            "altf2",
            "slackware setup",
            "dospart",
            "newdir",
            "tmptempscript",
            "tmpsetdos",
            "partition",
            "ntfs",
            "doslist",
            "installscripts",
            "tpxproc",
            "atapi cd",
            "kerberos",
            "file transfer",
            "iana",
            "appletalk",
            "network",
            "control",
            "secure shell",
            "chat",
            "contact",
            "prospero",
            "outtag",
            "outshift",
            "if 30",
            "conn",
            "setmode",
            "dumb",
            "smart",
            "clienterror",
            "rather",
            "stopiteration",
            "firstexclusion",
            "appendcommit",
            "firstbranchitem",
            "filterbranch",
            "origtip",
            "oldnew",
            "remoterepo",
            "group",
            "prevpath",
            "sisdir import",
            "dangerous",
            "count",
            "subcount",
            "ioerror",
            "oserror",
            "gitmodetree",
            "gitmodefile",
            "gitmodesymlink",
            "stack",
            "nonlocal",
            "revision",
            "presdir",
            "admdirpackages",
            "warn",
            "tmprequiredlist",
            "trigger",
            "arch",
            "procscsiscsi",
            "luns",
            "scsi",
            "ax1b",
            "skript",
            "scsi bus",
            "kurt garloff",
            "gnu gpl",
            "ieee1394",
            "l found0",
            "nextrepoid",
            "repoid",
            "realpath",
            "usb keyboard",
            "d libmodules",
            "nousb",
            "procbususb a",
            "procbususb fi",
            "load input",
            "q input",
            "inet system",
            "hostname",
            "attach",
            "etcmotd",
            "newdisk",
            "scan",
            "slackkernel",
            "ram disk",
            "r sbp2",
            "r ieee1394",
            "firewire",
            "noieee1394",
            "q ieee1394",
            "attempt",
            "use f",
            "none def",
            "return password",
            "return none",
            "passwd",
            "nametopwdcache",
            "gidtogrpcache",
            "nametogrpcache",
            "tagfile",
            "prompt mode",
            "help software",
            "less",
            "removepkg",
            "gnu cc",
            "linux source",
            "pkgtool",
            "proccmdline",
            "termvt100",
            "termlinux",
            "homeroot lessmm",
            "ps1u",
            "home path",
            "display less",
            "term ps1",
            "kind",
            "branch",
            "period",
            "tmpsetfdisk",
            "minor elif",
            "smashedline",
            "l dev",
            "tmpsetfdisk fi",
            "probe",
            "mylex",
            "raid",
            "disksets",
            "packagedir",
            "blurb",
            "sourcedir",
            "tmptmpmsg",
            "tmptagfile",
            "media",
            "pcmcia",
            "umountcdrom",
            "o ro",
            "floppy",
            "pcmcia andor",
            "cardbus",
            "usedflopfalse",
            "libdir",
            "libdir exedir",
            "bcmd",
            "exedir",
            "openssl set",
            "packageversion",
            "versiongreater",
            "invert",
            "optdict",
            "intify",
            "limited to",
            "sockets layer",
            "argv",
            "normally",
            "shutwr",
            "sigexception",
            "demuxconn",
            "pipe import",
            "demultiplex",
            "openssl",
            "debug",
            "opensslversion",
            "static imported",
            "target openssl",
            "cmake",
            "shared imported",
            "fatalerror",
            "obex",
            "import",
            "stringio import",
            "obex service",
            "bdaddr channeln",
            "ascii character",
            "alength",
            "notfoundreturn",
            "use nis",
            "nis version",
            "name service",
            "switch config",
            "legal",
            "use dns",
            "domain name",
            "os2 boot",
            "os2 fdisk",
            "partition magic",
            "boot manager",
            "tcpip subsystem",
            "nfs install",
            "network support",
            "make",
            "sample file",
            "zip disk",
            "zip drive",
            "first scsi",
            "first ide",
            "atari",
            "solaris",
            "drive x",
            "zip100",
            "linkdir",
            "linkdir fi",
            "tmp directory",
            "asap",
            "linkdir tmp",
            "indexerror",
            "want",
            "midxversion",
            "wrapper",
            "multiple index",
            "filename",
            "desiredhwm",
            "domidx",
            "exitstack",
            "total",
            "option",
            "c option",
            "vmsize",
            "vmrss",
            "vmdata",
            "vmstk",
            "majflt",
            "september",
            "guess object",
            "longmatch",
            "raid device",
            "devrd",
            "devname",
            "concord",
            "applyerror",
            "metadata",
            "einval",
            "macos",
            "frozen",
            "fifo",
            "common code",
            "faildelay",
            "faillogenab",
            "logunkfailenab",
            "logoklogins",
            "lastlogenab",
            "mailcheckenab",
            "quotasenab",
            "syslogsuenab",
            "syslogsgenab",
            "console console",
            "ttywidth",
            "baseexception",
            "pythonpath",
            "pipe",
            "sigismember",
            "xdropaqueauth",
            "libcpvalloc",
            "rtld",
            "gnu c",
            "library",
            "free software",
            "foundation",
            "gnu lesser",
            "general public",
            "merchantability",
            "refs",
            "keyerror",
            "important",
            "carefully",
            "kwargs",
            "super",
            "true result",
            "priority",
            "pmsg",
            "crunch",
            "tmptempmsg",
            "localnetmask",
            "localipaddr",
            "upnrun",
            "ip address",
            "localgateway",
            "kversion",
            "eof dialog",
            "tmpmask",
            "localnetwork",
            "slackdevice",
            "fgrep",
            "ftp site",
            "tmpsetmount",
            "reboot machine",
            "tmpwhichdrv",
            "tmpsetmount cat",
            "select floppy",
            "drive",
            "tmptempmsg exit",
            "tmptempmsg mv",
            "tmpsourcedir",
            "drivefound",
            "cddvd",
            "rdir",
            "cddvd drive",
            "tmpsetcddev",
            "ide bus",
            "tmperrordo exit",
            "third",
            "login binsh",
            "l ttys0",
            "l ttys1",
            "x0 s",
            "reboot",
            "stuff",
            "bupdir",
            "iterhelper",
            "next",
            "none d",
            "indexhdr",
            "ixexists",
            "ixhashvalid",
            "ixshamissing",
            "indexsig",
            "entlen",
            "footersig",
            "tmpdir",
            "experimental",
            "bdupcache",
            "brestore",
            "bindex",
            "agulbra",
            "tcpip",
            "linux box",
            "hlinkdb",
            "verify",
            "maxpertree",
            "bupblobbits",
            "buptreeblobbits",
            "giterror",
            "mpicount",
            "bupnormal",
            "bupchunked",
            "refresh",
            "close",
            "dump",
            "dest",
            "commonargs",
            "ref dest",
            "pick",
            "btree",
            "missingobject",
            "bloom filter",
            "existingcount",
            "idxlivecount",
            "ram budget",
            "bupfs",
            "importerror",
            "fuse",
            "verbose",
            "fakemetadata",
            "fsdecode",
            "ptraceerror",
            "ptracesetregs",
            "cpu64bits",
            "ptraceattach",
            "ptracedetach",
            "ptracesyscall",
            "cpuwordsize",
            "runningbsd",
            "ext2",
            "proc proc",
            "commanderror",
            "optionerror",
            "lcctype",
            "iso88591",
            "localrepo repo",
            "sbine2fsck",
            "bfailed",
            "elif",
            "bcanary",
            "posix acls",
            "linux partition",
            "move",
            "pgdnspace",
            "olargefile",
            "onofollow",
            "xdev",
            "xdevxdev",
            "dirlist",
            "prepend",
            "cyan",
            "white",
            "blue",
            "dialog box",
            "yellow",
            "active button",
            "inactive button",
            "search box",
            "input box",
            "green",
            "excluderxs",
            "doit",
            "s seed",
            "this command",
            "is extremely",
            "dangerous n",
            "chunksize",
            "socket",
            "return hex",
            "supports python",
            "rethrow",
            "hostrs",
            "bnone",
            "bload",
            "branchpath",
            "snapshotroot",
            "snapshot",
            "tmpidx",
            "bashsource",
            "bashlineno",
            "int dryrun",
            "importing",
            "ux f",
            "sbinbrc",
            "eof binsync",
            "unmounting file",
            "devnull echo",
            "rest",
            "first assert",
            "existing",
            "restcount",
            "none path",
            "maxbloombits",
            "bloomversion",
            "maxbitseach",
            "discussion",
            "k4 k5",
            "k6 k7",
            "k8 k9",
            "rvatoi",
            "exitrv",
            "exit 1",
            "noblock",
            "sisdir",
            "sislnk",
            "writetree",
            "rawtreeitem",
            "splittreeitem",
            "metadataro",
            "meta",
            "builtmodulename",
            "dkms",
            "packagename",
            "autoinstall",
            "kernelrelease",
            "kbuild",
            "kerneluname",
            "implementation",
            "murmurhash3",
            "jens taylor",
            "gary court",
            "austin appleby",
            "typeof h",
            "later",
            "tls1",
            "fbtfr",
            "fbfr",
            "apache http",
            "fbefr",
            "fbhfr",
            "fbabfr",
            "http",
            "keepalive",
            "sandbox",
            "malware",
            "analysis",
            "online",
            "submit",
            "vxstream",
            "sample",
            "download",
            "trojan",
            "apt",
            "runtime data",
            "ansi",
            "getprocaddress",
            "access type",
            "ck id",
            "observed ja3",
            "mitre att",
            "show technique",
            "suspicious",
            "hybrid",
            "click",
            "delphi",
            "strings",
            "malicious",
            "february",
            "middle",
            "exploit",
            "gameover",
            "hybrid analysis",
            "api key",
            "vetting process",
            "ck matrix",
            "accept",
            "memoryfile scan",
            "invalid octet",
            "falcon sandbox",
            "tmpp59thrck",
            "informative",
            "name tactics"
          ],
          "references": [
            "itl-logo.txt",
            "empty.exe",
            "libnm.la",
            "libyara.la",
            "sunjava_map.xml",
            "lorem.txt",
            "stage2",
            "q\u00e9\u00d5?e\u00ac\u00d2\u00b6.\u000f\u001c\u00cc",
            "syslinux.cfg",
            "x.jnlp",
            "desktop.ini",
            "a.txt",
            "a.txt:ads.txt",
            "dir:ads.txt",
            "b.txt:ads.txt",
            "no_ads.txt",
            ".:ads.txt",
            "b.txt",
            "nm-shared.xml",
            ".zcompdump-m1904-5.9",
            ".zcompdump",
            "90-nm-thunderbolt.rules",
            "84-nm-drivers.rules",
            "85-nm-unmanaged.rules",
            "???? ????????.txt",
            "notes.txt",
            "notes.txt:ads",
            "nm-cloud-setup.timer",
            "NetworkManager-wait-online.service",
            "nm-cloud-setup.service",
            "nm-priv-helper.service",
            "NetworkManager-dispatcher.service",
            "NetworkManager.service",
            "NetworkManager-ovs.conf",
            "nm-pppd-plugin.la",
            "yara.pc",
            "libnm.pc",
            "preload.js",
            "LICENSE",
            "index.js",
            "range.bnf",
            "package.json",
            "README.md",
            "semver.js",
            "comparator.js",
            "range.js",
            "valid.js",
            "sort.js",
            "satisfies.js",
            "rsort.js",
            "rcompare.js",
            "prerelease.js",
            "patch.js",
            "neq.js",
            "minor.js",
            "major.js",
            "lt.js",
            "inc.js",
            "parse.js",
            "gt.js",
            "eq.js",
            "gte.js",
            "compare-loose.js",
            "compare.js",
            "clean.js",
            "cmp.js",
            "coerce.js",
            "compare-build.js",
            "diff.js",
            "lte.js",
            "parse-options.js",
            "identifiers.js",
            "debug.js",
            "constants.js",
            "re.js",
            "yallist.js",
            "iterator.js",
            "subset.js",
            "to-comparators.js",
            "outside.js",
            "min-version.js",
            "min-satisfying.js",
            "max-satisfying.js",
            "ltr.js",
            "simplify.js",
            "intersects.js",
            "gtr.js",
            "npmrc",
            "cli.js",
            "lifecycle-cmd.js",
            "cli-entry.js",
            "package-url-cmd.js",
            "base-command.js",
            "npm.js",
            "arborist-cmd.js",
            "whoami.js",
            "view.js",
            "version.js",
            "unstar.js",
            "update.js",
            "unpublish.js",
            "uninstall.js",
            "test.js",
            "team.js",
            "stop.js",
            "start.js",
            "token.js",
            "stars.js",
            "shrinkwrap.js",
            "set.js",
            "star.js",
            "sbom.js",
            "run-script.js",
            "root.js",
            "search.js",
            "repo.js",
            "restart.js",
            "rebuild.js",
            "publish.js",
            "prune.js",
            "prefix.js",
            "pkg.js",
            "ping.js",
            "pack.js",
            "query.js",
            "outdated.js",
            "org.js",
            "owner.js",
            "logout.js",
            "ls.js",
            "ll.js",
            "login.js",
            "link.js",
            "install-ci-test.js",
            "profile.js",
            "hook.js",
            "init.js",
            "install-test.js",
            "install.js",
            "help.js",
            "explore.js",
            "fund.js",
            "explain.js",
            "help-search.js",
            "get.js",
            "edit.js",
            "docs.js",
            "doctor.js",
            "dist-tag.js",
            "dedupe.js",
            "deprecate.js",
            "ci.js",
            "config.js",
            "completion.js",
            "bugs.js",
            "adduser.js",
            "exec.js",
            "audit.js",
            "access.js",
            "cache.js",
            "find-dupes.js",
            "validate-engines.js",
            "web-auth.js",
            "tar.js",
            "update-notifier.js",
            "sbom-cyclonedx.js",
            "replace-info.js",
            "read-user-info.js",
            "reify-output.js",
            "queryable.js",
            "timers.js",
            "validate-lockfile.js",
            "sbom-spdx.js",
            "otplease.js",
            "pulse-till-done.js",
            "log-shim.js",
            "log-file.js",
            "npm-usage.js",
            "get-identity.js",
            "format-bytes.js",
            "open-url-prompt.js",
            "explain-eresolve.js",
            "explain-dep.js",
            "exit-handler.js",
            "open-url.js",
            "did-you-mean.js",
            "completion.sh",
            "completion.fish",
            "cmd-list.js",
            "auth.js",
            "audit-error.js",
            "is-windows.js",
            "display.js",
            "reify-finish.js",
            "error-message.js",
            "format-search-stream.js",
            "installed-shallow.js",
            "installed-deep.js",
            "update-workspaces.js",
            "get-workspaces.js",
            "npm-view.md",
            "npm-version.md",
            "npm-uninstall.md",
            "npm-token.md",
            "npx.md",
            "npm-team.md",
            "npm-stop.md",
            "npm-unstar.md",
            "npm-start.md",
            "npm-star.md",
            "npm-test.md",
            "npm-shrinkwrap.md",
            "npm-stars.md",
            "npm-sbom.md",
            "npm-root.md",
            "npm-run-script.md",
            "npm-restart.md",
            "npm-rebuild.md",
            "npm-query.md",
            "npm-search.md",
            "npm-prune.md",
            "npm-publish.md",
            "npm-profile.md",
            "npm-repo.md",
            "npm-whoami.md",
            "npm-pkg.md",
            "npm-pack.md",
            "npm-ping.md",
            "npm-org.md",
            "npm-owner.md",
            "npm-prefix.md",
            "npm-login.md",
            "npm-logout.md",
            "npm-link.md",
            "npm-install-ci-test.md",
            "npm-install.md",
            "npm-init.md",
            "npm-update.md",
            "npm-help-search.md",
            "npm-hook.md",
            "npm-help.md",
            "npm-find-dupes.md",
            "npm-explore.md",
            "npm-unpublish.md",
            "npm-exec.md",
            "npm-ls.md",
            "npm-edit.md",
            "npm-doctor.md",
            "npm-fund.md",
            "npm-outdated.md",
            "npm-docs.md",
            "npm-dist-tag.md",
            "npm-config.md",
            "npm-diff.md",
            "npm-ci.md",
            "npm-cache.md",
            "npm-bugs.md",
            "npm-completion.md",
            "npm-audit.md",
            "npm-access.md",
            "npm.md",
            "npm-install-test.md",
            "npm-adduser.md",
            "npm-dedupe.md",
            "package-lock-json.md",
            "package-json.md",
            "npm-shrinkwrap-json.md",
            "install.md",
            "npmrc.md",
            "folders.md",
            "workspaces.md",
            "scripts.md",
            "removal.md",
            "scope.md",
            "registry.md",
            "package-spec.md",
            "orgs.md",
            "developers.md",
            "dependency-selectors.md",
            "logging.md",
            "config.md",
            "node-which",
            "mkdirp",
            "qrcode-terminal",
            "installed-package-contents",
            "cssesc",
            "color-support",
            "arborist",
            "pacote",
            "glob",
            "empty",
            "xstat (2).py",
            "zgrep",
            "xstat.py",
            "wtmp",
            "web.py",
            "vt300",
            "vt300 (2)",
            "vt100 (3)",
            "vt100",
            "vint.py",
            "version (2).py",
            "version.py",
            "vdecmd",
            "unmigrate (2).sh",
            "unmigrate.sh",
            "tick.py",
            "termcap (2)",
            "termcap",
            "tag.py",
            "syslinux (2).cfg",
            "syslog.conf",
            "syslog (2).conf",
            "styles.css",
            "stdcrt (2)",
            "std (2)",
            "stage2 (3)",
            "stage2 (2)",
            "std",
            "ssh.py",
            "source_info.py",
            "split.py",
            "slackinstall",
            "stdcrt",
            "shells",
            "shells (2)",
            "shquote.py",
            "shadow (2)",
            "shadow",
            "setup (2)",
            "SeTswap (2)",
            "SeTPKG (2)",
            "setup",
            "SeTswap",
            "SeTpasswd (2)",
            "SeTpasswd",
            "SeTnopart (2)",
            "SeTpartitions (2)",
            "SeTnopart",
            "SeTPKG",
            "SeTmedia (2)",
            "SeTpartitions",
            "SeTmedia",
            "SeTmaketag",
            "slackinstall (2)",
            "SeTkeymap (2)",
            "SeTmaketag (2)",
            "SeTkernel",
            "SeTfull (2)",
            "SeTkernel (2)",
            "SeTfull",
            "SeTfdHELP",
            "SeTfdHELP (2)",
            "SeTkeymap",
            "SeTDOS (2)",
            "SeTconfig (2)",
            "services (2)",
            "SeTDOS",
            "SeTconfig",
            "services",
            "sendcmd.rc",
            "securetty (2)",
            "securetty",
            "server.py",
            "rm.py",
            "restore.py",
            "rm (2).py",
            "save.py",
            "removepkg",
            "rescan-scsi-bus",
            "removepkg (2)",
            "README (2)",
            "README",
            "repo.py",
            "rc.usb",
            "rc.inet1",
            "rc.S",
            "rc.ieee1394",
            "random.py",
            "pwdgrp.py",
            "PROMPThelp (2)",
            "profile (2)",
            "prune_older.py",
            "profile",
            "probe (2)",
            "probe",
            "pkgtool",
            "pkgtool (2)",
            "pcmcia",
            "path.py",
            "passwd (2)",
            "passwd",
            "OpenSSLConfigVersion.cmake",
            "options.py",
            "PROMPThelp",
            "openssl.pc",
            "openmachine.rc",
            "on__server.py",
            "on.py",
            "OpenSSLConfig.cmake",
            "obexstress",
            "nsswitch (2).conf",
            "nsswitch.conf",
            "nopartHELP (2)",
            "nopartHELP",
            "networks (2)",
            "networks",
            "network",
            "mux.py",
            "mtools (2).conf",
            "mtools.conf",
            "mtab (2)",
            "mtab",
            "motd (2)",
            "motd",
            "modules.pcimap",
            "modules.pnpbiosmap",
            "modules.parportmap",
            "modules.usbmap",
            "modules.isapnpmap",
            "modules.ieee1394map",
            "modules.generic_string",
            "modules.dep",
            "migrate (2).sh",
            "migrate.sh",
            "midx.py",
            "midx (2).py",
            "meta.py",
            "memtest.py",
            "margin.py",
            "makedevs (2).sh",
            "makedevs.sh",
            "metadata.py",
            "ls (2).py",
            "ls.py",
            "login (2).defs",
            "main.py",
            "login.defs",
            "list_idx.py",
            "libssl.pc",
            "libnm-wwan.la",
            "libnm-ppp-plugin.la",
            "libnm-device-plugin-wwan.la",
            "libnm-device-plugin-wifi.la",
            "libnm-device-plugin-team.la",
            "libnm-device-plugin-bluetooth.la",
            "libnm-device-plugin-ovs.la",
            "libnm-device-plugin-adsl.la",
            "libcrypto.pc",
            "libc6-i386_2.31-0ubuntu6_amd64.url",
            "libc6-i386_2.31-0ubuntu6_amd64.info",
            "libc6-i386_2.30-4_amd64.url",
            "libc6-i386_2.31-0ubuntu6_amd64.symbols",
            "libc6-i386_2.30-4_amd64.info",
            "libc6-i386_2.30-4_amd64.symbols",
            "libc6-i386_2.30-0ubuntu2_amd64.url",
            "libc6-i386_2.30-0ubuntu2_amd64.info",
            "libc6-i386_2.30-0ubuntu2.1_amd64.url",
            "libc6-i386_2.30-0ubuntu2_amd64.symbols",
            "libc6-i386_2.30-0ubuntu2.1_amd64.info",
            "libc6-i386_2.29-0ubuntu2_amd64.url",
            "libc6-i386_2.29-0ubuntu2_amd64.symbols",
            "libc6-i386_2.29-0ubuntu2_amd64.info",
            "libc6-i386_2.28-10_amd64.url",
            "libc6-i386_2.28-10_amd64.info",
            "libc6-i386_2.28-10_amd64.symbols",
            "libc6-i386_2.28-0ubuntu1_amd64.symbols",
            "libc6-i386_2.28-0ubuntu1_amd64.info",
            "libc6-i386_2.27-3ubuntu1_amd64.url",
            "libc6-i386_2.27-3ubuntu1_amd64.symbols",
            "libc6-i386_2.28-0ubuntu1_amd64.url",
            "libc6-i386_2.27-3ubuntu1_amd64.info",
            "libc6-i386_2.26-0ubuntu2_amd64.url",
            "libc6-i386_2.26-0ubuntu2_amd64.info",
            "libc6-i386_2.26-0ubuntu2_amd64.symbols",
            "libc6-i386_2.26-0ubuntu2.1_amd64.url",
            "libc6-i386_2.26-0ubuntu2.1_amd64.info",
            "libc6-i386_2.24-11+deb9u4_amd64.url",
            "libc6-i386_2.30-0ubuntu2.1_amd64.symbols",
            "libc6-i386_2.26-0ubuntu2.1_amd64.symbols",
            "libc6-i386_2.24-9ubuntu2_amd64.symbols",
            "libc6-i386_2.24-11+deb9u4_amd64.symbols",
            "libc6-i386_2.24-9ubuntu2_amd64.url",
            "libc6-i386_2.24-9ubuntu2_amd64.info",
            "libc6-i386_2.24-9ubuntu2.2_amd64.url",
            "libc6-i386_2.24-9ubuntu2.2_amd64.symbols",
            "libc6-i386_2.24-9ubuntu2.2_amd64.info",
            "libc6-i386_2.24-3ubuntu2.2_amd64.url",
            "libc6-i386_2.24-3ubuntu2.2_amd64.info",
            "libc6-i386_2.24-3ubuntu2.2_amd64.symbols",
            "libc6-i386_2.24-3ubuntu1_amd64.url",
            "libc6-i386_2.23-0ubuntu11_amd64.url",
            "libc6-i386_2.24-3ubuntu1_amd64.symbols",
            "libc6-i386_2.24-3ubuntu1_amd64.info",
            "libc6-i386_2.23-0ubuntu11_amd64.symbols",
            "libc6-i386_2.23-0ubuntu11_amd64.info",
            "libc6-i386_2.23-0ubuntu10_amd64.url",
            "libc6-i386_2.23-0ubuntu10_amd64.symbols",
            "libc6-i386_2.23-0ubuntu10_amd64.info",
            "libc6-i386_2.23-0ubuntu3_amd64.symbols",
            "libc6-i386_2.23-0ubuntu3_amd64.info",
            "libc6-i386_2.21-0ubuntu4_amd64.url",
            "libc6-i386_2.23-0ubuntu3_amd64.url",
            "libc6-i386_2.21-0ubuntu4_amd64.info",
            "libc6-i386_2.21-0ubuntu4.3_amd64.url",
            "libc6-i386_2.21-0ubuntu4_amd64.symbols",
            "libc6-i386_2.21-0ubuntu4.3_amd64.info",
            "libc6-i386_2.19-18+deb8u10_amd64.url",
            "libc6-i386_2.19-18+deb8u10_amd64.symbols",
            "libc6-i386_2.19-18+deb8u10_amd64.info",
            "libc6-i386_2.19-10ubuntu2_amd64.url",
            "libc6-i386_2.19-10ubuntu2_amd64.symbols",
            "libc6-i386_2.21-0ubuntu4.3_amd64.symbols",
            "libc6-i386_2.19-10ubuntu2_amd64.info",
            "libc6-i386_2.19-10ubuntu2.3_amd64.symbols",
            "libc6-i386_2.24-11+deb9u4_amd64.info",
            "libc6-i386_2.19-0ubuntu6_amd64.url",
            "libc6-i386_2.19-10ubuntu2.3_amd64.url",
            "libc6-i386_2.19-10ubuntu2.3_amd64.info",
            "libc6-i386_2.19-0ubuntu6_amd64.info",
            "libc6-i386_2.19-0ubuntu6_amd64.symbols",
            "libc6-i386_2.19-0ubuntu6.15_amd64.info",
            "libc6-i386_2.19-0ubuntu6.15_amd64.url",
            "libc6-i386_2.19-0ubuntu6.15_amd64.symbols",
            "libc6-i386_2.17-93ubuntu4_amd64.url",
            "libc6-i386_2.17-93ubuntu4_amd64.info",
            "libc6-i386_2.17-0ubuntu5_amd64.url",
            "libc6-i386_2.17-93ubuntu4_amd64.symbols",
            "libc6-i386_2.17-0ubuntu5_amd64.info",
            "libc6-i386_2.17-0ubuntu5.1_amd64.url",
            "libc6-i386_2.17-0ubuntu5_amd64.symbols",
            "libc6-i386_2.17-0ubuntu5.1_amd64.symbols",
            "libc6-i386_2.17-0ubuntu5.1_amd64.info",
            "libc6-i386_2.15-0ubuntu20_amd64.url",
            "libc6-i386_2.15-0ubuntu20.2_amd64.url",
            "libc6-i386_2.15-0ubuntu20_amd64.symbols",
            "libc6-i386_2.15-0ubuntu20.2_amd64.info",
            "libc6-i386_2.15-0ubuntu20.2_amd64.symbols",
            "libc6-i386_2.15-0ubuntu10_amd64.info",
            "libc6-i386_2.15-0ubuntu10_amd64.url",
            "libc6-i386_2.15-0ubuntu20_amd64.info",
            "libc6-i386_2.15-0ubuntu10.18_amd64.url",
            "libc6-i386_2.15-0ubuntu10_amd64.symbols",
            "libc6-i386_2.15-0ubuntu10.18_amd64.info",
            "libc6-i386_2.13-20ubuntu5_amd64.url",
            "libc6-i386_2.13-20ubuntu5_amd64.info",
            "libc6-i386_2.13-20ubuntu5_amd64.symbols",
            "libc6-i386_2.13-20ubuntu5.3_amd64.url",
            "libc6-i386_2.13-20ubuntu5.3_amd64.info",
            "libc6-i386_2.13-20ubuntu5.2_amd64.url",
            "libc6-i386_2.13-20ubuntu5.3_amd64.symbols",
            "libc6-i386_2.15-0ubuntu10.18_amd64.symbols",
            "libc6-i386_2.13-20ubuntu5.2_amd64.info",
            "libc6-i386_2.13-0ubuntu13_amd64.url",
            "libc6-i386_2.13-0ubuntu13_amd64.info",
            "libc6-i386_2.13-20ubuntu5.2_amd64.symbols",
            "libc6-i386_2.13-0ubuntu13.2_amd64.url",
            "libc6-i386_2.13-0ubuntu13_amd64.symbols",
            "libc6-i386_2.12.1-0ubuntu10.4_amd64.url",
            "libc6-i386_2.13-0ubuntu13.2_amd64.info",
            "libc6-i386_2.12.1-0ubuntu10.4_amd64.info",
            "libc6-i386_2.13-0ubuntu13.2_amd64.symbols",
            "libc6-i386_2.12.1-0ubuntu6_amd64.info",
            "libc6-i386_2.11.1-0ubuntu7_amd64.url",
            "libc6-i386_2.12.1-0ubuntu6_amd64.symbols",
            "libc6-i386_2.12.1-0ubuntu10.4_amd64.symbols",
            "libc6-i386_2.12.1-0ubuntu6_amd64.url",
            "libc6-i386_2.11.1-0ubuntu7_amd64.info",
            "libc6-i386_2.11.1-0ubuntu7.21_amd64.info",
            "libc6-i386_2.11.1-0ubuntu7.21_amd64.symbols",
            "libc6-i386_2.11.1-0ubuntu7.12_amd64.url",
            "libc6-i386_2.11.1-0ubuntu7_amd64.symbols",
            "libc6-i386_2.11.1-0ubuntu7.11_amd64.url",
            "libc6-i386_2.11.1-0ubuntu7.21_amd64.url",
            "libc6-i386_2.11.1-0ubuntu7.12_amd64.symbols",
            "libc6-i386_2.11.1-0ubuntu7.11_amd64.info",
            "libc6-i386_2.11.1-0ubuntu7.11_amd64.symbols",
            "libc6-i386_2.10.1-0ubuntu19_amd64.url",
            "libc6-i386_2.10.1-0ubuntu19_amd64.info",
            "libc6-i386_2.10.1-0ubuntu19_amd64.symbols",
            "libc6-i386_2.10.1-0ubuntu15_amd64.info",
            "libc6-i386_2.10.1-0ubuntu15_amd64.symbols",
            "libc6-i386_2.11.1-0ubuntu7.12_amd64.info",
            "libc6-i386_2.9-4ubuntu6_amd64.url",
            "libc6-i386_2.9-4ubuntu6_amd64.info",
            "libc6-i386_2.9-4ubuntu6_amd64.symbols",
            "libc6-i386_2.10.1-0ubuntu15_amd64.url",
            "libc6-i386_2.9-4ubuntu6.3_amd64.info",
            "libc6-i386_2.8~20080505-0ubuntu9_amd64.url",
            "libc6-i386_2.9-4ubuntu6.3_amd64.symbols",
            "libc6-i386_2.9-4ubuntu6.3_amd64.url",
            "libc6-i386_2.8~20080505-0ubuntu9_amd64.info",
            "libc6-i386_2.8~20080505-0ubuntu7_amd64.url",
            "libc6-i386_2.7-10ubuntu8.3_amd64.url",
            "libc6-i386_2.8~20080505-0ubuntu7_amd64.info",
            "libc6-i386_2.7-10ubuntu8.3_amd64.info",
            "libc6-i386_2.7-10ubuntu3_amd64.url",
            "libc6-i386_2.8~20080505-0ubuntu7_amd64.symbols",
            "libc6-i386_2.7-10ubuntu3_amd64.symbols",
            "libc6-i386_2.7-10ubuntu3_amd64.info",
            "libc6-i386_2.6.1-1ubuntu10_amd64.url",
            "libc6-i386_2.6.1-1ubuntu10_amd64.symbols",
            "libc6-i386_2.6.1-1ubuntu10_amd64.info",
            "libc6-i386_2.7-10ubuntu8.3_amd64.symbols",
            "libc6-i386_2.6.1-1ubuntu9_amd64.url",
            "libc6-i386_2.6.1-1ubuntu9_amd64.info",
            "libc6-i386_2.6.1-1ubuntu9_amd64.symbols",
            "libc6-i386_2.5-0ubuntu14_amd64.symbols",
            "libc6-i386_2.5-0ubuntu14_amd64.info",
            "libc6-i386_2.4-1ubuntu12_amd64.url",
            "libc6-i386_2.4-1ubuntu12_amd64.symbols",
            "libc6-i386_2.4-1ubuntu12_amd64.info",
            "libc6-i386_2.8~20080505-0ubuntu9_amd64.symbols",
            "libc6-i386_2.4-1ubuntu12.3_amd64.url",
            "libc6-i386_2.4-1ubuntu12.3_amd64.info",
            "libc6-i386_2.5-0ubuntu14_amd64.url",
            "libc6-i386_2.3.6-0ubuntu20_amd64.url",
            "libc6-i386_2.3.6-0ubuntu20_amd64.symbols",
            "libc6-i386_2.3.6-0ubuntu20_amd64.info",
            "libc6-i386_2.3.6-0ubuntu20.6_amd64.url",
            "libc6-i386_2.3.6-0ubuntu20.6_amd64.info",
            "libc6-i386_2.3.6-0ubuntu20.6_amd64.symbols",
            "ldd",
            "libc6-i386_2.4-1ubuntu12.3_amd64.symbols",
            "ld.so (2).conf",
            "ld.so.conf",
            "join.py",
            "itl-logo (3).txt",
            "itl-logo (2).txt",
            "issue",
            "issue (2)",
            "io.py",
            "installpkg",
            "INSNFS (2)",
            "installpkg (2)",
            "INSNFS",
            "INShd",
            "INShd (2)",
            "INSfd (2)",
            "INSfd",
            "INSdir (2)",
            "INSdir",
            "INSCD",
            "INSCD (2)",
            "inittab (2)",
            "inittab",
            "init.py",
            "__init__ (2).py",
            "__init__.py",
            "index (2).py",
            "index.py",
            "import_duplicity.py",
            "hosts (2)",
            "hosts",
            "host (2).conf",
            "host.conf",
            "HOSTNAME",
            "hlinkdb.py",
            "help.py",
            "helpers.py",
            "HOSTNAME (2)",
            "hashsplit.py",
            "group (2)",
            "group",
            "gc (2).py",
            "git.py",
            "get.py",
            "gc.py",
            "fuse.py",
            "func.py",
            "fstab (2)",
            "fstab",
            "ftp.py",
            "fsck (2).ext2",
            "fsck (2).ext3",
            "fsck.ext3",
            "fsck.ext2",
            "fsck.py",
            "filesize",
            "features.py",
            "fdisk (2)",
            "fdisk",
            "FDhelp (2)",
            "FDhelp",
            "empty (3)",
            "empty (2)",
            "drecurse.py",
            "dialogrc",
            "dialogrc (2)",
            "disk2 (2)",
            "drecurse (2).py",
            "disk2",
            "damage.py",
            "daemon.py",
            "compat.py",
            "closemachine.rc",
            "checkout_info.py",
            "cfdisk (2)",
            "client.py",
            "cfdisk",
            "cat_file.py",
            "bup-import-rsnapshot",
            "bup-import-rdiff-backup",
            "brc (2)",
            "brc",
            "bloom (2).py",
            "bloom.py",
            "asyncrecv.rc",
            "90-nm-cloud-setup.sh",
            "vfs.py",
            "tree.py",
            "template-WaR2X6",
            "a1676298638",
            "a4033901479",
            ".X1-lock",
            ".X0-lock",
            ".X1024-lock",
            "b3336837578",
            "MozillaUpdateLock-7A4D7A8EFFB43502",
            "imurmurhash.min.js",
            ".X1025-lock",
            "murmur2",
            "b529967783",
            "empty.lock~",
            "ab.1",
            "https://hybrid-analysis.com/sample/babc94597eadb83b520d6a46a57ef2ad963683aef1ff2fc6fa9ba5e98e78e008/65fcd2b1519a5f86d60eed63",
            "https://hybrid-analysis.com/file-collection/6604df33503d4a306e01c776",
            "https://hybrid-analysis.com/sample/babc94597eadb83b520d6a46a57ef2ad963683aef1ff2fc6fa9ba5e98e78e008/6604e16b6b94878cbb062194",
            "https://hybrid-analysis.com/file-collection/6604df4bb797f028b4065601",
            "https://hybrid-analysis.com/sample/2eaba531c48445e241c116f61653649e403d4b1ef07bfc96390e986e1eeb5b83/6604e230edf88ab15b0d83fc",
            "https://hybrid-analysis.com/file-collection/66057525d9b81759df06c4b5",
            "https://hybrid-analysis.com/sample/d714e2a850645f9a0f8f3785dd0eedd47a417417bed470b968e0f6a1a2e746e6/652cf1f4243d9d03b90f74a1",
            "https://www.virustotal.com/gui/file/ea8490563a229b89f2b779217938f9eb2bcf93dd89de9f7fc5c035632f0934b5/relations"
          ],
          "public": 1,
          "adversary": "",
          "targeted_countries": [],
          "malware_families": [],
          "attack_ids": [
            {
              "id": "T1012",
              "name": "Query Registry",
              "display_name": "T1012 - Query Registry"
            },
            {
              "id": "T1027",
              "name": "Obfuscated Files or Information",
              "display_name": "T1027 - Obfuscated Files or Information"
            },
            {
              "id": "T1057",
              "name": "Process Discovery",
              "display_name": "T1057 - Process Discovery"
            },
            {
              "id": "T1071",
              "name": "Application Layer Protocol",
              "display_name": "T1071 - Application Layer Protocol"
            },
            {
              "id": "T1082",
              "name": "System Information Discovery",
              "display_name": "T1082 - System Information Discovery"
            },
            {
              "id": "T1083",
              "name": "File and Directory Discovery",
              "display_name": "T1083 - File and Directory Discovery"
            },
            {
              "id": "T1106",
              "name": "Native API",
              "display_name": "T1106 - Native API"
            },
            {
              "id": "T1129",
              "name": "Shared Modules",
              "display_name": "T1129 - Shared Modules"
            },
            {
              "id": "T1489",
              "name": "Service Stop",
              "display_name": "T1489 - Service Stop"
            },
            {
              "id": "T1573",
              "name": "Encrypted Channel",
              "display_name": "T1573 - Encrypted Channel"
            },
            {
              "id": "T1614",
              "name": "System Location Discovery",
              "display_name": "T1614 - System Location Discovery"
            },
            {
              "id": "T1030",
              "name": "Data Transfer Size Limits",
              "display_name": "T1030 - Data Transfer Size Limits"
            },
            {
              "id": "T1003",
              "name": "OS Credential Dumping",
              "display_name": "T1003 - OS Credential Dumping"
            },
            {
              "id": "T1018",
              "name": "Remote System Discovery",
              "display_name": "T1018 - Remote System Discovery"
            }
          ],
          "industries": [],
          "TLP": "white",
          "cloned_from": null,
          "export_count": 36,
          "upvotes_count": 0,
          "downvotes_count": 0,
          "votes_count": 0,
          "locked": false,
          "pulse_source": "web",
          "validator_count": 0,
          "comment_count": 0,
          "follower_count": 0,
          "vote": 0,
          "author": {
            "username": "Merkd1904",
            "id": "196517",
            "avatar_url": "https://otx.alienvault.com/assets/images/default-avatar.png",
            "is_subscribed": false,
            "is_following": false
          },
          "indicator_type_counts": {
            "domain": 297,
            "email": 8,
            "hostname": 204,
            "URL": 382,
            "FileHash-SHA1": 7,
            "CVE": 2,
            "FileHash-MD5": 45,
            "FileHash-SHA256": 5
          },
          "indicator_count": 950,
          "is_author": false,
          "is_subscribing": null,
          "subscriber_count": 72,
          "modified_text": "765 days ago ",
          "is_modified": true,
          "groups": [],
          "in_group": false,
          "threat_hunter_scannable": true,
          "threat_hunter_has_agents": 1,
          "related_indicator_type": "domain",
          "related_indicator_is_active": 1
        },
        {
          "id": "661db37bf549518bf6f7f377",
          "name": "Backup from 03-28-24 - Systemd dump, malicious ssh and sshd files, libsystemd-vore libsystemd-shared plus supporting php files",
          "description": "Ignoring the yara and eicar files - I was able to recover a partition used for backups from 03/25/24-03/29/24; the day of the XZ supply chain disclosure. This is a preliminary dump with accompanying analysis and SHA1 and SHA256 hashes of my /usr/lib/systemd directory, which housed multiple suspect ssh subdirectories plus malicious libsystemd-shared and libsystemd-core binaries, and all supporting config, dev, service, and binary files. Dig in.",
          "modified": "2024-04-23T14:28:30.317000",
          "created": "2024-04-15T23:08:43.746000",
          "tags": [
            "fireeye",
            "copyright",
            "base64",
            "dotnettojscript",
            "gadgettojscript",
            "invokeclient",
            "invokeserver",
            "readhost enter",
            "command",
            "roth",
            "nextron",
            "sandworm",
            "detects ssh",
            "grant all",
            "privileges on",
            "to mysqldb",
            "create user",
            "g root",
            "sandworm python",
            "import",
            "phpsploit",
            "host",
            "user",
            "pass",
            "error",
            "establish",
            "pecl oci8",
            "connstr",
            "charset",
            "false",
            "miner",
            "texthtml",
            "module",
            "send custom",
            "swissky",
            "class",
            "serviceip",
            "serviceport",
            "servicedata",
            "e binsh",
            "init",
            "service port",
            "detects",
            "cve202140444",
            "target",
            "targetmode",
            "jeremy brown",
            "windows cve",
            "ms office",
            "modified rule",
            "rperm",
            "wperm",
            "pathsep",
            "string",
            "rwxrxrx",
            "file types",
            "unix",
            "login",
            "autentication",
            "disable",
            "ldapconnect",
            "version",
            "authentication",
            "ldaplist",
            "null",
            "pathelems",
            "execute",
            "backdoor",
            "kingdee oa",
            "yunxingkong",
            "b6oa",
            "code execution",
            "kingdee cloud",
            "starry sky",
            "otherwise",
            "file",
            "setsmartdate",
            "fread",
            "name",
            "force",
            "base64decode",
            "data",
            "substr",
            "array",
            "readdir",
            "getowner",
            "getgroup",
            "getsize",
            "force option",
            "fwrite",
            "permission",
            "check",
            "mode",
            "diraccess",
            "fileaccess",
            "realpath",
            "stat",
            "immutable",
            "posixgetpwuid",
            "posixgetgrgid",
            "explode",
            "etcpasswd",
            "glob",
            "globonlydir",
            "oraclelogin",
            "port",
            "servicename",
            "connector",
            "base",
            "query type",
            "mssqlfetcharray",
            "mssqlassoc",
            "solsocket",
            "timeout",
            "range",
            "portmin",
            "portmax",
            "socketcreate",
            "afinet",
            "sockstream",
            "open",
            "type",
            "true",
            "tcp connection",
            "tcp shell",
            "input",
            "lhost",
            "netcat",
            "lport",
            "shell",
            "dllimport",
            "python",
            "back",
            "fore",
            "pfinet",
            "stdout",
            "this",
            "win32",
            "ldapsearch",
            "select",
            "mysqliassoc",
            "select database",
            "send",
            "newfile",
            "dns stub",
            "third party",
            "see man",
            "exit",
            "o pipefail",
            "v systemctl",
            "devnull",
            "unknown verb",
            "license",
            "gnu lesser",
            "general public",
            "free software",
            "foundation",
            "unit",
            "slice",
            "cpuweight100",
            "tasks slice",
            "cpuweight30",
            "capev2",
            "cape",
            "cuckoo web",
            "setup",
            "grep",
            "limitnofile",
            "install",
            "return",
            "execstart",
            "start",
            "descriptionrun",
            "timer",
            "oncalendardaily",
            "service",
            "prevent rate",
            "delay start",
            "m poetry",
            "sigkill",
            "descriptioncape",
            "ef usercape",
            "g cape",
            "allowisolateyes",
            "typedbus",
            "socket",
            "message bus",
            "listenstream",
            "typenotify",
            "descriptionuser",
            "harald sitter",
            "sitter",
            "kcrash",
            "drkonqi",
            "acceptyes",
            "disable trigger",
            "todo",
            "prevents",
            "path",
            "pathexistsglob",
            "runtimemaxsec31",
            "runtimemaxsec30",
            "restartno",
            "descriptionexit",
            "environmentfile",
            "otheropts",
            "soundfont",
            "descriptiongcr",
            "sshauthsock",
            "descriptionglib",
            "priority6",
            "killmodeprocess",
            "proxy",
            "socketmode0600",
            "apache software",
            "notice file",
            "apache license",
            "unless",
            "as is",
            "basis",
            "or conditions",
            "apple file",
            "conduit monitor",
            "descriptionjack",
            "jackoptions d",
            "driver d",
            "device",
            "media transfer",
            "indexer daemon",
            "memory",
            "memoryhigh512m",
            "system sockets",
            "a user",
            "conditionuser",
            "dbus menus",
            "plasma",
            "phase",
            "workspace core",
            "exit status",
            "x11 connection",
            "timeoutstopsec5",
            "disable restart",
            "timeoutsec40sec",
            "typeoneshot",
            "david edmundson",
            "davidedmundson",
            "osd service",
            "portal",
            "auto restart",
            "dbus",
            "xembed system",
            "logging system",
            "socketmode0660",
            "all containers",
            "restart policy",
            "logging start",
            "execstopbinsh c",
            "logging",
            "x11 plugins",
            "session slice",
            "typeforking",
            "etc userroot",
            "grouproot",
            "onbootsec15min",
            "place",
            "temporary",
            "volatile files",
            "thunar",
            "session manager",
            "wireplumber",
            "service file",
            "xdg autostart",
            "user dir",
            "descriptionxfce",
            "sandbox",
            "malware",
            "analysis",
            "online",
            "submit",
            "vxstream",
            "sample",
            "download",
            "trojan",
            "apt",
            "memoryfile scan",
            "ansi",
            "bpf program",
            "indicator",
            "bpf firewalling",
            "pcap",
            "pcap processing",
            "bpffallowmulti",
            "bpf device",
            "date",
            "suspicious",
            "hybrid",
            "crypto",
            "close",
            "click",
            "april",
            "strings",
            "february",
            "middle",
            "exploit",
            "gameover",
            "contact",
            "scope",
            "thomas koch",
            "gpl v2",
            "imsm",
            "ibftruledir",
            "ibftrules",
            "attr",
            "systemd rule",
            "hannes reinecke",
            "suse labs",
            "ipibft",
            "interface",
            "kernel",
            "configfile",
            "typesimple",
            "apparmor",
            "grouparchaudit",
            "hardening",
            "umask077",
            "persistenttrue",
            "enable debug",
            "networkmanager",
            "trace",
            "wait online",
            "edit",
            "note",
            "reload",
            "capdacoverride",
            "dhcp etc",
            "mdadmscan",
            "mdadmdelay",
            "mdadmmail",
            "mdadmprogram",
            "mdadmconfig",
            "mdadmsendmail",
            "p runsysconfig",
            "userroot",
            "sssd",
            "write access",
            "needed sometime",
            "statedirectory",
            "accountsservice",
            "varloglastlog",
            "bridge daemon",
            "alsa card",
            "card state",
            "required",
            "another auto",
            "nice daemon",
            "memorymax64m",
            "filter system",
            "mount",
            "reboot",
            "clock",
            "logging service",
            "requires",
            "before",
            "please",
            "exit codes",
            "proc",
            "descriptionruns",
            "execstartsh c",
            "switchtoggle",
            "ignoreonisolate",
            "term typeidle",
            "without",
            "any warranty",
            "merchantability",
            "fitness",
            "a particular",
            "vartmp",
            "wants type",
            "preparation",
            "watchdogsec10",
            "filesystem",
            "timer daemon",
            "options",
            "environment",
            "prevent",
            "readwritepaths",
            "security",
            "certain",
            "protectsystem",
            "bindpaths",
            "lower cpu",
            "nice19",
            "manager",
            "userc",
            "celerydnodes",
            "info",
            "chaddevops",
            "aaron brighton",
            "clam antivirus",
            "jon kriel",
            "distribution",
            "script",
            "sanesecurity",
            "securiteinfo",
            "malwarepatrol",
            "oitc",
            "file location",
            "remember",
            "typeexec user",
            "9 cntlm",
            "generate color",
            "profiles",
            "removeipctrue",
            "devpts",
            "authors",
            "any kind",
            "usercouchdb",
            "restartsec5",
            "volumes",
            "server socket",
            "user209",
            "daemon",
            "darkstatiface",
            "reloadconfig",
            "watchdogsec3min",
            "privatetmpyes",
            "protectproc",
            "increase",
            "descriptiontime",
            "date service",
            "debugging only",
            "ignoresigpipeno",
            "unset locale",
            "file system",
            "queue file",
            "whatmqueue",
            "optionsnosuid",
            "pf rundhclient",
            "rate",
            "requiresdirmngr",
            "capfowner",
            "capsetpcap",
            "dhcp",
            "dns server",
            "startlimit",
            "limits",
            "delegateyes",
            "descriptionpass",
            "runtimemaxsec5",
            "mountain",
            "metadata check",
            "all filesystems",
            "online metadata",
            "sunday",
            "oncalendarsun",
            "online ext4",
            "sigterm signal",
            "java process",
            "piddir",
            "standardoutput",
            "elasticsearch",
            "limitnproc4096",
            "limitasinfinity",
            "sendsighupyes",
            "mapper daemon",
            "mainpid",
            "quit",
            "listenstream79",
            "radius server",
            "d etcraddb",
            "protecthomeon",
            "default",
            "systemservice",
            "efiefi bootefi",
            "afinet afinet6",
            "afunix afinet",
            "oncalendar 0000",
            "privatetmptrue",
            "geoip legacy",
            "geoip2",
            "instance",
            "usergit",
            "scdconfig",
            "notice",
            "devinputmice t",
            "descriptiongps",
            "system",
            "sock refclock",
            "gpsdoptions",
            "devices",
            "daemon sockets",
            "2947",
            "bindipv6onlyyes",
            "usbauto",
            "usrbingpsdctl",
            "gps daemon",
            "afterdev",
            "gvmddata",
            "varlibgssproxy",
            "nonewprivileges",
            "privatetmp",
            "protecthome",
            "ieee",
            "etchostapd",
            "killmodemixed",
            "fcopy",
            "uncomment",
            "use sigterm",
            "sigkill i2pd",
            "sendsigkillyes",
            "limitnofile8192",
            "systemd",
            "analog",
            "shutting down",
            "iodineextip p",
            "iodineport p",
            "iodineuser",
            "tunip",
            "topdomain",
            "guessmainpidyes",
            "m node",
            "wants",
            "initiatorname",
            "io driver",
            "typeexec",
            "c etckcptun",
            "usernobody",
            "requireskeyboxd",
            "static device",
            "nofork",
            "restartalways",
            "linker cache",
            "hack",
            "use wants",
            "raise",
            "tasksmax",
            "tasksmax32768",
            "limitmemlock64m",
            "removeonstopyes",
            "ip socket",
            "tls ip",
            "conflictsgetty",
            "aftergetty",
            "busmodules",
            "qabr",
            "hwmonmodules",
            "local file",
            "privatenetwork",
            "lvm2",
            "initialization",
            "autoboot code",
            "s delegatetrue",
            "description",
            "pidfilerunlxc",
            "lynis service",
            "adjust path",
            "lynis binary",
            "lynis timer",
            "tell systemd",
            "lynis security",
            "persistentfalse",
            "container slice",
            "recover",
            "varcacheman",
            "regenerate man",
            "userroot nice19",
            "mysqldopts",
            "mysqldsafe",
            "timezone",
            "core",
            "restart",
            "users",
            "backlog150",
            "listenstreams",
            "servicemariadb",
            "mechanism",
            "mariadb",
            "multi instance",
            "variables",
            "bindirmdadm",
            "gnu general",
            "public license",
            "reshape",
            "onactivesec30",
            "oncalendar",
            "wantedby",
            "monitor",
            "allow mdmon",
            "takeover",
            "k none",
            "c devnull",
            "d runinitramfs",
            "p runmongodb",
            "limitnproc32000",
            "limitmemlock5",
            "device server",
            "requiredbydev",
            "d dev",
            "descriptionreal",
            "extraopts",
            "restartsec30",
            "valid",
            "fifo",
            "priority",
            "batch",
            "nice0",
            "partof",
            "tracking daemon",
            "helper",
            "for testing",
            "only",
            "restrict",
            "grant",
            "capsysptrace",
            "capkill",
            "capipclock",
            "environ",
            "capsysresource",
            "capsyslog",
            "descriptionname",
            "service cache",
            "sysvlsb",
            "descriptionhost",
            "network name",
            "group name",
            "u ntp",
            "time service",
            "t hibernate",
            "software",
            "other",
            "the software",
            "daemon init",
            "software is",
            "provided",
            "fcnvme",
            "wantsmodprobe",
            "aftermodprobe",
            "descriptionall",
            "nbft",
            "nvmeof",
            "connectargs",
            "unit file",
            "descriptionnvmf",
            "red hat",
            "without any",
            "warranty",
            "card daemon",
            "socketmode0666",
            "suite result",
            "kexec screen",
            "oncalendarsat",
            "boot screen",
            "timeoutsec20",
            "power off",
            "runtime data",
            "descriptionhold",
            "timeoutsec0",
            "sandboxing",
            "execstop",
            "colin walters",
            "upgrade",
            "upgrade output",
            "umask0077",
            "transport agent",
            "descriptionmake",
            "descriptionppp",
            "whatnfsd",
            "file formats",
            "automount point",
            "automount",
            "setuid nobody",
            "setgid nobody",
            "setcon",
            "syslog",
            "restartonabort",
            "halt screen",
            "reboot screen",
            "pgroot",
            "postgresql",
            "oom killer",
            "additional",
            "fy nice19",
            "endless os",
            "foundation llc",
            "restartsec0",
            "system quotas",
            "rabbitmq",
            "protecthometrue",
            "etcrathole",
            "guessmainpidno",
            "h etcrdnssd",
            "reflector",
            "afinet6 afunix",
            "umask177",
            "remote file",
            "nfs client",
            "nfsv23 locking",
            "make sure",
            "rpc netconfig",
            "descriptionfast",
            "using ssh",
            "so let",
            "boot",
            "realtimekit",
            "rwhodopts",
            "display manager",
            "specify",
            "interval l",
            "loginterval f",
            "bindstodev",
            "always",
            "usrbingrpck r",
            "slapdoptions",
            "u ldap",
            "slapdurls",
            "smart",
            "pciusb",
            "midi",
            "daemonopts",
            "snmp",
            "trap daemon",
            "g snort",
            "descriptionsudo",
            "hibernate",
            "svnserveargs",
            "whatfusectl",
            "whatconfigfs",
            "whatdebugfs",
            "whattracefs",
            "best way",
            "see https",
            "units service",
            "service slice",
            "offline system",
            "update",
            "wall directory",
            "timeoutsec90s",
            "descriptionmark",
            "current boot",
            "loader entry",
            "any system",
            "units",
            "loader random",
            "loader update",
            "service socket",
            "dump socket",
            "optionally",
            "root device",
            "afalg afinet",
            "execstophomectl",
            "home area",
            "named pipe",
            "sink service",
            "sink socket",
            "upload service",
            "dynamicuseryes",
            "sigkilled",
            "devlog",
            "timestampingus",
            "namespace",
            "sendbuffer8m",
            "kernel command",
            "netlink socket",
            "storage",
            "descriptionwait",
            "network",
            "make",
            "deviceallow",
            "reserve",
            "killer socket",
            "root file",
            "measurement",
            "pcr policy",
            "tpm pcr",
            "code",
            "configuration",
            "machine id",
            "barrier",
            "quota check",
            "system quota",
            "after",
            "random seed",
            "kernel file",
            "gpt partition",
            "kill switch",
            "nvmetcp",
            "trigger",
            "saturday",
            "persistentyes",
            "system update",
            "kernel time",
            "capsystime",
            "ntp service",
            "turn",
            "files",
            "device nodes",
            "srk setup",
            "device events",
            "bootshutdown",
            "change",
            "manager socket",
            "descriptiontinc",
            "proxy server",
            "linrunner",
            "descriptiontlp",
            "tor service",
            "f etctortorrc",
            "tpm device",
            "descriptionudp",
            "tcpicmpudp",
            "etcudp2raw",
            "debug",
            "swap",
            "api file",
            "privatedevices",
            "home",
            "root",
            "runuser",
            "linux control",
            "groups",
            "group",
            "afnetlink",
            "locked memory",
            "limitmemlock0",
            "usb gadget",
            "apple",
            "sliceuser",
            "descriptionuuid",
            "compatibility",
            "typerpcpipefs",
            "vmsvga",
            "hypervisor",
            "usr1",
            "mgmt appuser",
            "dac permission",
            "selinux",
            "xxx someone",
            "qemu",
            "machine tools",
            "vmware tools",
            "pidfilerunvpnc",
            "wacom",
            "iface d",
            "dspeed u",
            "iface",
            "descriptionwpa",
            "oracle",
            "reserved",
            "wong",
            "emailaddr",
            "tunnel protocol",
            "l2tp",
            "isps",
            "russia use",
            "ipsec",
            "d optxplico",
            "b sqlite",
            "descriptionxrdp",
            "xrdpoptions",
            "process",
            "sesmanoptions",
            "zpoolimportopts",
            "an o",
            "t scrub",
            "usrbinzpool",
            "zfs volume",
            "descriptionzfs",
            "f restartalways",
            "remainafterexit",
            "nmbdoptions",
            "smbdoptions",
            "successaction",
            "winbindoptions",
            "ck id",
            "hybrid analysis",
            "mitre att",
            "malicious",
            "sdshared ansi",
            "default und",
            "func global",
            "func local",
            "object local",
            "general",
            "show technique",
            "ck matrix",
            "tasksmax33",
            "empty file",
            "proxycommand",
            "checkhostip",
            "afunix",
            "afvsock",
            "allow",
            "r table",
            "chkbootcheck",
            "gplv2 source",
            "chkbootstyles",
            "etcissue",
            "partition",
            "minimizebest",
            "mit no",
            "match",
            "link",
            "namepolicykeep",
            "ethernet link",
            "kindveth nameve",
            "kindveth namevb",
            "keepmasteryes",
            "dhcpv4",
            "kindsit name6rd",
            "ipv4ll",
            "ipv6ll",
            "dhcpipv6ra",
            "dhcpv6",
            "typeether",
            "dhcpyes",
            "usetimezoneyes",
            "typewlan",
            "tuntap",
            "natdhcp",
            "kindtun namevt",
            "kind",
            "originalname",
            "definedby",
            "peer",
            "sopeergroups",
            "dbus protocol",
            "dbus name",
            "exec",
            "hup signal",
            "sighup",
            "dnssec",
            "sessionid",
            "seatid",
            "sleep",
            "leader",
            "jobresult",
            "coredumppid",
            "coredumpcomm",
            "junit",
            "na zapusk",
            "mikrasiekund",
            "enhed",
            "mikrosekunder",
            "opstart",
            "jobid",
            "a rendszer",
            "ezredmsodpercet",
            "a rendszernapl",
            "user manager",
            "smack",
            "lunit",
            "stato",
            "il processo",
            "il sistema",
            "stata",
            "le processus",
            "notez que",
            "jedinica",
            "zapamtite da",
            "nova",
            "jednostka",
            "prosz zauway",
            "zwykle wskazuje",
            "jest",
            "o processo",
            "processo",
            "isso",
            "inicializao",
            "journal",
            "sizelimit",
            "userid",
            "prozess",
            "speicherabbild",
            "hinweis auf",
            "programmfehler",
            "fehler dem",
            "die systemzeit",
            "realtime"
          ],
          "references": [
            "Hunting_B64Engine_DotNetToJScript_Dos.yar",
            "APT_Backdoor_PS1_BASICPIPESHELL_1.yar",
            "apt_sandworm_exim_expl.yar.002",
            "apt_sandworm_exim_expl.yar.001",
            "apt_sandworm_exim_expl.yar",
            "connect.php",
            "connect.php.002",
            "connect.php.001",
            "crypto-miner.js",
            "eicar",
            "eicar.001",
            "eicar.002",
            "custom.py",
            "eicar.txt",
            "expl_cve_2021_40444.yar.001",
            "expl_cve_2021_40444.yar.002",
            "getPerms.php",
            "input.pcap",
            "list.php",
            "parent.php",
            "payload.php",
            "payload.php.001",
            "kingdee-erp-rce.yaml",
            "payload.php.003",
            "payload.php.002",
            "payload.php.004",
            "payload.php.005",
            "payload.php.006",
            "payload.php.007",
            "payload.php.008",
            "payload.php.010",
            "payload.php.011",
            "payload.php.009",
            "payload.php.012",
            "payload.php.013",
            "payload.php.015",
            "payload.php.016",
            "payload.php.017",
            "reverse_tcp.py",
            "scanner.php",
            "search.php",
            "setdb.php",
            "payload.php.014",
            "setdb.php.001",
            "reader.php",
            "single.php",
            "resolv.conf",
            "systemd-update-helper",
            "90-systemd.preset",
            "60-flatpak",
            "app.slice",
            "background.slice",
            "README.md",
            "bluetooth.target",
            "basic.target",
            "borgmatic-user.timer",
            "borgmatic-user.service",
            "cape.service",
            "cape-dist.service",
            "cape-processor.service",
            "cape-rooter.service",
            "capsule@.target",
            "cape-web.service",
            "clash.service",
            "colord-session.service",
            "dbus.socket",
            "cape-fstab.service",
            "dbus.service",
            "dbus-broker.service",
            "dconf.service",
            "dirmngr.service",
            "default.target",
            "drkonqi-coredump-cleanup.service",
            "dirmngr.socket",
            "drkonqi-coredump-cleanup.timer",
            "drkonqi-coredump-launcher.socket",
            "drkonqi-sentry-postman.path",
            "drkonqi-coredump-pickup.service",
            "drkonqi-sentry-postman.service",
            "drkonqi-sentry-postman.timer",
            "drkonqi-coredump-launcher@.service",
            "dunst.service",
            "flatpak-oci-authenticator.service",
            "filter-chain.service",
            "exit.target",
            "flatpak-session-helper.service",
            "fluidsynth.service",
            "gcr-ssh-agent.socket",
            "flatpak-portal.service",
            "gcr-ssh-agent.service",
            "gnome-keyring-daemon.service",
            "glib-pacrunner.service",
            "gnome-keyring-daemon.socket",
            "gpg-agent-ssh.socket",
            "gnome-terminal-server.service",
            "gpg-agent-extra.socket",
            "gpg-agent.service",
            "gpg-agent.socket",
            "gpg-agent-browser.socket",
            "graphical-session-pre.target",
            "graphical-session.target",
            "gssuserproxy.socket",
            "guacd.service",
            "gvfs-gphoto2-volume-monitor.service",
            "gvfs-daemon.service",
            "gssuserproxy.service",
            "gvfs-afc-volume-monitor.service",
            "gvfs-metadata.service",
            "jack@.service",
            "guac-web.service",
            "gvfs-udisks2-volume-monitor.service",
            "gvfs-mtp-volume-monitor.service",
            "kde-baloo.service",
            "keyboxd.service",
            "kio-fuse.service",
            "keyboxd.socket",
            "p11-kit-server.service",
            "p11-kit-server.socket",
            "paths.target",
            "pipewire.socket",
            "pipewire-pulse.service",
            "plasma-gmenudbusmenuproxy.service",
            "pipewire-pulse.socket",
            "plasma-baloorunner.service",
            "plasma-kcminit.service",
            "plasma-dolphin.service",
            "plasma-kcminit-phase1.service",
            "plasma-core.target",
            "plasma-kded.service",
            "pipewire.service",
            "plasma-kded6.service",
            "plasma-kglobalaccel.service",
            "at-spi-dbus-bus.service",
            "plasma-krunner.service",
            "plasma-kscreen.service",
            "plasma-kscreen-osd.service",
            "plasma-ksmserver.service",
            "plasma-ksplash.service",
            "plasma-ksplash-ready.service",
            "plasma-ksystemstats.service",
            "plasma-kwallet-pam.service",
            "plasma-kwin_wayland.service",
            "plasma-kwin_x11.service",
            "plasma-plasmashell.service",
            "plasma-polkit-agent.service",
            "plasma-powerdevil.service",
            "plasma-powerprofile-osd.service",
            "plasma-restoresession.service",
            "plasma-workspace.target",
            "plasma-workspace-wayland.target",
            "plasma-workspace-x11.target",
            "plasma-xdg-desktop-portal-kde.service",
            "plasma-xembedsniproxy.service",
            "podman.service",
            "podman.socket",
            "podman-auto-update.service",
            "podman-auto-update.timer",
            "podman-kube@.service",
            "podman-restart.service",
            "printer.target",
            "pulseaudio.service",
            "pulseaudio.socket",
            "pulseaudio-x11.service",
            "session.slice",
            "shutdown.target",
            "smartcard.target",
            "sockets.target",
            "sound.target",
            "ssh-agent.service",
            "suricata.service",
            "suricata-update.service",
            "suricata-update.timer",
            "systemd-exit.service",
            "systemd-tmpfiles-clean.service",
            "systemd-tmpfiles-clean.timer",
            "systemd-tmpfiles-setup.service",
            "thunar.service",
            "timers.target",
            "tracker-xdg-portal-3.service",
            "tumblerd.service",
            "wireplumber.service",
            "wireplumber@.service",
            "xdg-desktop-autostart.target",
            "xdg-desktop-portal.service",
            "xdg-desktop-portal-gtk.service",
            "xdg-desktop-portal-hyprland.service",
            "xdg-desktop-portal-rewrite-launchers.service",
            "xdg-desktop-portal-xapp.service",
            "xdg-permission-store.service",
            "xdg-user-dirs-update.service",
            "xfce4-notifyd.service",
            "xsettingsd.service",
            "xdg-document-portal.service",
            "https://hybrid-analysis.com/sample/b1a9e5be43c028442c07071e202f44f33e3a2df167822c5cfed8f998e01fe169/661da09794b343782806018e",
            "defaults.conf",
            "apparmor.conf",
            "nvidia",
            "tlp",
            "fwupd.shutdown",
            "mdadm.shutdown",
            "99-default.preset",
            "50-zfs.preset",
            "ibft-rule-generator",
            "10-arch",
            "60-flatpak-system-only",
            "3proxy.service",
            "apache-tika.service",
            "apparmor.service",
            "arch-audit.service",
            "arch-audit.timer",
            "NetworkManager-dispatcher.service",
            "NetworkManager-wait-online.service",
            "NetworkManager.service",
            "SUSE-mdadm_env.sh",
            "ModemManager.service",
            "3proxy.conf",
            "archlinux-keyring-wkd-sync.service",
            "adsl.service",
            "accounts-daemon.service",
            "adb.service",
            "alsa-restore.service",
            "alsa-state.service",
            "archlinux-keyring-wkd-sync.timer",
            "ananicy-cpp.service",
            "arcolinux-graphical-target.service",
            "atftpd.service",
            "audit-rules.service",
            "auditd.service",
            "auth-rpcgss-module.service",
            "autorandr.service",
            "autorandr-lid-listener.service",
            "autovt@.service",
            "avahi-daemon.service",
            "avahi-daemon.socket",
            "avahi-dnsconfd.service",
            "bettercap.service",
            "betterlockscreen@.service",
            "blk-availability.service",
            "blockdev@.target",
            "bluetooth.service",
            "bmc-watchdog.service",
            "bolt.service",
            "boot-complete.target",
            "borgmatic.service",
            "borgmatic.timer",
            "bpftune.service",
            "btrfs-scrub@.service",
            "btrfs-scrub@.timer",
            "canberra-system-bootup.service",
            "canberra-system-shutdown.service",
            "canberra-system-shutdown-reboot.service",
            "capsule.slice",
            "capsule@.service",
            "celery2@.service",
            "celery@.service",
            "chkboot.service",
            "clamav-clamonacc.service",
            "clamav-daemon.service",
            "clamav-daemon.socket",
            "clamav-freshclam.service",
            "clamav-freshclam-once.service",
            "clamav-freshclam-once.timer",
            "clamav-unofficial-sigs.service",
            "clamav-unofficial-sigs.timer",
            "clash@.service",
            "cntlm.service",
            "colord.service",
            "configure-printer@.service",
            "console-getty.service",
            "container-getty@.service",
            "containerd.service",
            "couchdb.service",
            "cpupower.service",
            "create_ap.service",
            "cronie.service",
            "cryptsetup.target",
            "cryptsetup-pre.target",
            "ctrl-alt-del.target",
            "cups.path",
            "cups.service",
            "cups.socket",
            "cups-lpd.socket",
            "cups-lpd@.service",
            "cxl-monitor.service",
            "darkstat.service",
            "daxdev-reconfigure@.service",
            "dbus-org.freedesktop.hostname1.service",
            "dbus-org.freedesktop.import1.service",
            "dbus-org.freedesktop.locale1.service",
            "dbus-org.freedesktop.login1.service",
            "dbus-org.freedesktop.machine1.service",
            "dbus-org.freedesktop.portable1.service",
            "dbus-org.freedesktop.timedate1.service",
            "debug-shell.service",
            "dev-hugepages.mount",
            "dev-mqueue.mount",
            "dhclient@.service",
            "dhcpd4.service",
            "dhcpd6.service",
            "dirmngr@.service",
            "dirmngr@.socket",
            "dm-event.service",
            "dm-event.socket",
            "dmraid.service",
            "dnscrypt-proxy.service",
            "dnsmasq.service",
            "docker.service",
            "docker.socket",
            "drkonqi-coredump-processor@.service",
            "e2scrub@.service",
            "e2scrub_all.service",
            "e2scrub_all.timer",
            "e2scrub_fail@.service",
            "e2scrub_reap.service",
            "ead.service",
            "elasticsearch.service",
            "elasticsearch-keystore.service",
            "elasticsearch-keystore@.service",
            "elasticsearch@.service",
            "emergency.service",
            "emergency.target",
            "epmd.service",
            "epmd.socket",
            "exabgp.service",
            "factory-reset.target",
            "fancontrol.service",
            "fastnetmon.service",
            "final.target",
            "finger.socket",
            "finger@.service",
            "first-boot-complete.target",
            "flatpak-system-helper.service",
            "freeradius.service",
            "fsidd.service",
            "fstrim.service",
            "fstrim.timer",
            "ftpd.service",
            "fwupd.service",
            "fwupd-offline-update.service",
            "fwupd-refresh.service",
            "fwupd-refresh.timer",
            "geoclue.service",
            "geoipupdate.service",
            "geoipupdate.timer",
            "getty.target",
            "getty-pre.target",
            "getty@.service",
            "git-daemon.socket",
            "git-daemon@.service",
            "gnupg-pkcs11-scd-proxy.service",
            "gpg-agent-browser@.socket",
            "gpg-agent-extra@.socket",
            "gpg-agent-ssh@.socket",
            "gpg-agent@.service",
            "gpg-agent@.socket",
            "gpm.path",
            "gpm.service",
            "gpsd.service",
            "gpsd.socket",
            "gpsdctl@.service",
            "graphical.target",
            "greenbone-certdata-sync.service",
            "greenbone-certdata-sync.timer",
            "greenbone-feed-sync.service",
            "greenbone-feed-sync.timer",
            "greenbone-nvt-sync.service",
            "greenbone-nvt-sync.timer",
            "greenbone-scapdata-sync.service",
            "greenbone-scapdata-sync.timer",
            "gssproxy.service",
            "gvmd.service",
            "halt.target",
            "healthd.service",
            "hibernate.target",
            "hostapd.service",
            "hostapd@.service",
            "httpd.service",
            "hv_fcopy_daemon.service",
            "hv_kvp_daemon.service",
            "hv_vss_daemon.service",
            "hybrid-sleep.target",
            "i2pd.service",
            "iiod.service",
            "initrd.target",
            "initrd-cleanup.service",
            "initrd-fs.target",
            "initrd-parse-etc.service",
            "initrd-root-device.target",
            "initrd-root-fs.target",
            "initrd-switch-root.service",
            "initrd-switch-root.target",
            "initrd-udevadm-cleanup-db.service",
            "initrd-usr-fs.target",
            "integritysetup.target",
            "integritysetup-pre.target",
            "iodined.service",
            "iodined.socket",
            "ip2clued.service",
            "ip6tables.service",
            "ipmidetectd.service",
            "ipmiseld.service",
            "iptables.service",
            "iscsi.service",
            "iscsi-init.service",
            "iscsid.service",
            "iscsid.socket",
            "iscsiuio.service",
            "iscsiuio.socket",
            "isnsd.service",
            "isnsd.socket",
            "iwd.service",
            "kcptun-server@.service",
            "kcptun@.service",
            "kexec.target",
            "keyboxd@.service",
            "keyboxd@.socket",
            "kmod-static-nodes.service",
            "krb5-kadmind.service",
            "krb5-kdc.service",
            "krb5-kpropd.service",
            "krb5-kpropd.socket",
            "krb5-kpropd@.service",
            "lastlog2-import.service",
            "ldconfig.service",
            "libvirt-guests.service",
            "libvirtd.service",
            "libvirtd.socket",
            "libvirtd-admin.socket",
            "libvirtd-ro.socket",
            "libvirtd-tcp.socket",
            "libvirtd-tls.socket",
            "lightdm.service",
            "lm_sensors.service",
            "local-fs.target",
            "local-fs-pre.target",
            "logrotate.service",
            "logrotate.timer",
            "lvm2-lvmpolld.service",
            "lvm2-lvmpolld.socket",
            "lvm2-monitor.service",
            "lxc.service",
            "lxc-auto.service",
            "lxc-monitord.service",
            "lxc-net.service",
            "lxc@.service",
            "lxdm.service",
            "ly.service",
            "lynis.service",
            "lynis.timer",
            "machine.slice",
            "machines.target",
            "man-db.service",
            "man-db.timer",
            "mariadb.service",
            "mariadb.socket",
            "mariadb-extra.socket",
            "mariadb-extra@.socket",
            "mariadb@.service",
            "mariadb@.socket",
            "mdadm-grow-continue@.service",
            "mdadm-last-resort@.service",
            "mdadm-last-resort@.timer",
            "mdcheck_continue.service",
            "mdcheck_continue.timer",
            "mdcheck_start.service",
            "mdcheck_start.timer",
            "mdmon@.service",
            "mdmonitor.service",
            "mdmonitor-oneshot.service",
            "mdmonitor-oneshot.timer",
            "memavaild.service",
            "mkinitcpio-generate-shutdown-ramfs.service",
            "modprobe@.service",
            "mongodb.service",
            "multi-user.target",
            "mysql.service",
            "mysqld.service",
            "named.service",
            "nbd.service",
            "nbd@.service",
            "ndctl-monitor.service",
            "neo4j.service",
            "netavark-dhcp-proxy.service",
            "netavark-dhcp-proxy.socket",
            "netdata.service",
            "network.target",
            "network-online.target",
            "network-pre.target",
            "nfs-blkmap.service",
            "nfs-client.target",
            "nfs-idmapd.service",
            "nfs-mountd.service",
            "nfs-server.service",
            "nfs-utils.service",
            "nfsdcld.service",
            "nfsv4-exportd.service",
            "nfsv4-server.service",
            "nftables.service",
            "nm-priv-helper.service",
            "nmb.service",
            "nohang.service",
            "nohang-desktop.service",
            "nscd.service",
            "nss-lookup.target",
            "nss-user-lookup.target",
            "ntpd.service",
            "ntpdate.service",
            "nvidia-hibernate.service",
            "nvidia-persistenced.service",
            "nvidia-powerd.service",
            "nvidia-resume.service",
            "nvidia-suspend.service",
            "nvmefc-boot-connections.service",
            "nvmf-autoconnect.service",
            "nvmf-connect.target",
            "nvmf-connect-nbft.service",
            "nvmf-connect@.service",
            "pacrunner.service",
            "ostree-boot-complete.service",
            "pacman-filesdb-refresh.timer",
            "pcscd.service",
            "passim.service",
            "pcscd.socket",
            "packagekit-offline-update.service",
            "phoronix-result-server.service",
            "paccache.timer",
            "plymouth-kexec.service",
            "pamac-cleancache.timer",
            "plymouth-quit.service",
            "partimaged.service",
            "plymouth-poweroff.service",
            "plymouth-read-write.service",
            "plymouth-quit-wait.service",
            "paccache.service",
            "plymouth-switch-root-initramfs.service",
            "ostree-remount.service",
            "plymouth-switch-root.service",
            "openvpn-client@.service",
            "podman-clean-transient.service",
            "pamac-offline-upgrade.service",
            "polkit.service",
            "postfix.service",
            "pam_namespace.service",
            "poweroff.target",
            "ppp@.service",
            "opensnitchd.service",
            "proc-fs-nfsd.mount",
            "proc-sys-fs-binfmt_misc.automount",
            "proc-sys-fs-binfmt_misc.mount",
            "phoromatic-server.service",
            "ptunnel.service",
            "openvpn-server@.service",
            "plymouth-halt.service",
            "pamac-cleancache.service",
            "plymouth-reboot.service",
            "ostree-state-overlay@.service",
            "ostree-finalize-staged.service",
            "postgresql.service",
            "phoromatic-client.service",
            "pamac-daemon.service",
            "pacman-filesdb-refresh.service",
            "packagekit.service",
            "pkgfile-update.service",
            "pkgfile-update.timer",
            "plymouth-start.service",
            "ostree-prepare-root.service",
            "ostree-finalize-staged.path",
            "privoxy.service",
            "ostree-finalize-staged-hold.service",
            "qemu-guest-agent.service",
            "quotaon.service",
            "quotaon-root.service",
            "quotaon@.service",
            "rabbitmq.service",
            "ras-mc-ctl.service",
            "rasdaemon.service",
            "rathole@.service",
            "ratholec@.service",
            "ratholes@.service",
            "rc-local.service",
            "rdnssd@.service",
            "reboot.target",
            "redis.service",
            "redis-sentinel.service",
            "reflector.service",
            "reflector.timer",
            "remote-cryptsetup.target",
            "remote-fs.target",
            "remote-fs-pre.target",
            "remote-veritysetup.target",
            "rescue.service",
            "rescue.target",
            "rfkill-block@.service",
            "rfkill-unblock@.service",
            "rlogin.socket",
            "rlogin@.service",
            "rpc-gssd.service",
            "rpc-statd.service",
            "rpc-statd-notify.service",
            "rpc_pipefs.target",
            "rpcbind.service",
            "rpcbind.socket",
            "rpcbind.target",
            "rsh.socket",
            "rsh@.service",
            "rsyncd.service",
            "rsyncd.socket",
            "rsyncd@.service",
            "rtkit-daemon.service",
            "runlevel0.target",
            "runlevel1.target",
            "runlevel2.target",
            "runlevel3.target",
            "runlevel4.target",
            "runlevel5.target",
            "runlevel6.target",
            "rwhod.service",
            "samba.service",
            "sddm.service",
            "seatd.service",
            "sensord.service",
            "serial-getty@.service",
            "shadow.service",
            "shadow.timer",
            "sigpwr.target",
            "slapd.service",
            "sleep.target",
            "slices.target",
            "smartd.service",
            "smb.service",
            "sndiod.service",
            "snmpd.service",
            "snmptrapd.service",
            "snort@.service",
            "snort@1000.service",
            "soft-reboot.target",
            "ssh-access.target",
            "sshd.service",
            "sshdgenkeys.service",
            "sshuttle.service",
            "sslh.service",
            "sslh-fork.service",
            "sslh-select.service",
            "storage-target-mode.target",
            "stunnel.service",
            "sudo_logsrvd.service",
            "suspend.target",
            "suspend-then-hibernate.target",
            "svnserve.service",
            "swap.target",
            "sys-fs-fuse-connections.mount",
            "sys-kernel-config.mount",
            "sys-kernel-debug.mount",
            "sys-kernel-tracing.mount",
            "sysinit.target",
            "syslog.socket",
            "system-systemd\\x2dcryptsetup.slice",
            "system-systemd\\x2dveritysetup.slice",
            "system-update.target",
            "system-update-cleanup.service",
            "system-update-pre.target",
            "systemd-ask-password-console.path",
            "systemd-ask-password-console.service",
            "systemd-ask-password-plymouth.path",
            "systemd-ask-password-plymouth.service",
            "systemd-ask-password-wall.path",
            "systemd-ask-password-wall.service",
            "systemd-backlight@.service",
            "systemd-battery-check.service",
            "systemd-binfmt.service",
            "systemd-bless-boot.service",
            "systemd-boot-check-no-failures.service",
            "systemd-boot-random-seed.service",
            "systemd-boot-update.service",
            "systemd-bootctl.socket",
            "systemd-bootctl@.service",
            "systemd-bsod.service",
            "systemd-confext.service",
            "systemd-coredump.socket",
            "systemd-coredump@.service",
            "systemd-creds.socket",
            "systemd-creds@.service",
            "systemd-firstboot.service",
            "systemd-fsck-root.service",
            "systemd-fsck@.service",
            "systemd-growfs-root.service",
            "systemd-growfs@.service",
            "systemd-halt.service",
            "systemd-hibernate.service",
            "systemd-hibernate-resume.service",
            "systemd-homed.service",
            "systemd-homed-activate.service",
            "systemd-homed-firstboot.service",
            "systemd-hostnamed.service",
            "systemd-hostnamed.socket",
            "systemd-hwdb-update.service",
            "systemd-hybrid-sleep.service",
            "systemd-importd.service",
            "systemd-initctl.service",
            "systemd-initctl.socket",
            "systemd-journal-catalog-update.service",
            "systemd-journal-flush.service",
            "systemd-journal-gatewayd.service",
            "systemd-journal-gatewayd.socket",
            "systemd-journal-remote.service",
            "systemd-journal-remote.socket",
            "systemd-journal-upload.service",
            "systemd-journald.service",
            "systemd-journald.socket",
            "systemd-journald-audit.socket",
            "systemd-journald-dev-log.socket",
            "systemd-journald-varlink@.socket",
            "systemd-journald@.service",
            "systemd-journald@.socket",
            "systemd-kexec.service",
            "systemd-localed.service",
            "systemd-logind.service",
            "systemd-machine-id-commit.service",
            "systemd-machined.service",
            "systemd-modules-load.service",
            "systemd-network-generator.service",
            "systemd-networkd.service",
            "systemd-networkd.socket",
            "systemd-networkd-persistent-storage.service",
            "systemd-networkd-wait-online.service",
            "systemd-networkd-wait-online@.service",
            "systemd-nspawn@.service",
            "systemd-oomd.service",
            "systemd-oomd.socket",
            "systemd-pcrextend.socket",
            "systemd-pcrextend@.service",
            "systemd-pcrfs-root.service",
            "systemd-pcrfs@.service",
            "systemd-pcrlock.socket",
            "systemd-pcrlock-file-system.service",
            "systemd-pcrlock-firmware-code.service",
            "systemd-pcrlock-firmware-config.service",
            "systemd-pcrlock-machine-id.service",
            "systemd-pcrlock-make-policy.service",
            "systemd-pcrlock-secureboot-authority.service",
            "systemd-pcrlock-secureboot-policy.service",
            "systemd-pcrlock@.service",
            "systemd-pcrmachine.service",
            "systemd-pcrphase.service",
            "systemd-pcrphase-initrd.service",
            "systemd-pcrphase-sysinit.service",
            "systemd-portabled.service",
            "systemd-poweroff.service",
            "systemd-pstore.service",
            "systemd-quotacheck.service",
            "systemd-quotacheck-root.service",
            "systemd-quotacheck@.service",
            "systemd-random-seed.service",
            "systemd-reboot.service",
            "systemd-remount-fs.service",
            "systemd-repart.service",
            "systemd-resolved.service",
            "systemd-rfkill.service",
            "systemd-rfkill.socket",
            "systemd-soft-reboot.service",
            "systemd-storagetm.service",
            "systemd-suspend.service",
            "systemd-suspend-then-hibernate.service",
            "systemd-sysctl.service",
            "systemd-sysext.service",
            "systemd-sysext.socket",
            "systemd-sysext@.service",
            "systemd-sysupdate.service",
            "systemd-sysupdate.timer",
            "systemd-sysupdate-reboot.service",
            "systemd-sysupdate-reboot.timer",
            "systemd-sysusers.service",
            "systemd-time-wait-sync.service",
            "systemd-timedated.service",
            "systemd-timesyncd.service",
            "systemd-tmpfiles-setup-dev.service",
            "systemd-tmpfiles-setup-dev-early.service",
            "systemd-tpm2-setup.service",
            "systemd-tpm2-setup-early.service",
            "systemd-udev-trigger.service",
            "systemd-udevd.service",
            "systemd-udevd-control.socket",
            "systemd-udevd-kernel.socket",
            "systemd-update-done.service",
            "systemd-update-utmp.service",
            "systemd-update-utmp-runlevel.service",
            "systemd-user-sessions.service",
            "systemd-userdbd.service",
            "systemd-userdbd.socket",
            "systemd-vconsole-setup.service",
            "systemd-vmspawn@.service",
            "systemd-volatile-root.service",
            "systemd-zram-setup@.service",
            "talk.service",
            "talk.socket",
            "teamd@.service",
            "telnet.socket",
            "telnet@.service",
            "time-set.target",
            "time-sync.target",
            "tinc.service",
            "tinc@.service",
            "tinyproxy.service",
            "tlp.service",
            "tmp.mount",
            "tor.service",
            "tpm2.target",
            "udisks2.service",
            "udp2raw@.service",
            "ufw.service",
            "uksmd.service",
            "umount.target",
            "unbound.service",
            "updatedb.service",
            "updatedb.timer",
            "upower.service",
            "usb-gadget.target",
            "usb_modeswitch@.service",
            "usbipd.service",
            "usbmuxd.service",
            "user.slice",
            "user-runtime-dir@.service",
            "user@.service",
            "uuidd.service",
            "uuidd.socket",
            "var-lib-machines.mount",
            "var-lib-nfs-rpc_pipefs.mount",
            "vboxdrmclient.path",
            "vboxdrmclient.service",
            "vboxservice.service",
            "veritysetup.target",
            "veritysetup-pre.target",
            "virt-guest-shutdown.target",
            "virtchd.service",
            "virtchd.socket",
            "virtchd-admin.socket",
            "virtchd-ro.socket",
            "virtinterfaced.service",
            "virtinterfaced.socket",
            "virtinterfaced-admin.socket",
            "virtinterfaced-ro.socket",
            "virtlockd.service",
            "virtlockd.socket",
            "virtlockd-admin.socket",
            "virtlogd.service",
            "virtlogd.socket",
            "virtlogd-admin.socket",
            "virtlxcd.service",
            "virtlxcd.socket",
            "virtlxcd-admin.socket",
            "virtlxcd-ro.socket",
            "virtnetworkd.service",
            "virtnetworkd.socket",
            "virtnetworkd-admin.socket",
            "virtnetworkd-ro.socket",
            "virtnodedevd.service",
            "virtnodedevd.socket",
            "virtnodedevd-admin.socket",
            "virtnodedevd-ro.socket",
            "virtnwfilterd.service",
            "virtnwfilterd.socket",
            "virtnwfilterd-admin.socket",
            "virtnwfilterd-ro.socket",
            "virtproxyd.service",
            "virtproxyd.socket",
            "virtproxyd-admin.socket",
            "virtproxyd-ro.socket",
            "virtproxyd-tcp.socket",
            "virtproxyd-tls.socket",
            "virtqemud.service",
            "virtqemud.socket",
            "virtqemud-admin.socket",
            "virtqemud-ro.socket",
            "virtsecretd.service",
            "virtsecretd.socket",
            "virtsecretd-admin.socket",
            "virtsecretd-ro.socket",
            "virtstoraged.service",
            "virtstoraged.socket",
            "virtstoraged-admin.socket",
            "virtstoraged-ro.socket",
            "virtvboxd.service",
            "virtvboxd.socket",
            "virtvboxd-admin.socket",
            "virtvboxd-ro.socket",
            "vmtoolsd.service",
            "vmware-vmblock-fuse.service",
            "vpnc@.service",
            "wacom-inputattach@.service",
            "wg-quick.target",
            "wg-quick@.service",
            "winbind.service",
            "wondershaper.service",
            "wpa_supplicant.service",
            "wpa_supplicant-nl80211@.service",
            "wpa_supplicant-wired@.service",
            "wpa_supplicant@.service",
            "xfs_scrub@.service",
            "xfs_scrub_all.service",
            "xfs_scrub_all.timer",
            "xfs_scrub_fail@.service",
            "xl2tpd.service",
            "xplico.service",
            "xrdp.service",
            "xrdp-sesman.service",
            "yate.service",
            "zfs.target",
            "zfs-import.service",
            "zfs-import.target",
            "zfs-import-cache.service",
            "zfs-import-scan.service",
            "zfs-load-key.service",
            "zfs-mount.service",
            "zfs-scrub-monthly@.timer",
            "zfs-scrub-weekly@.timer",
            "zfs-scrub@.service",
            "zfs-share.service",
            "zfs-trim-monthly@.timer",
            "zfs-trim-weekly@.timer",
            "zfs-trim@.service",
            "zfs-volume-wait.service",
            "zfs-volumes.target",
            "zfs-zed.service",
            "plymouth.conf",
            "gpg-agent-ssh@etc-pacman.d-gnupg.socket",
            "keyboxd@etc-pacman.d-gnupg.socket",
            "dirmngr@etc-pacman.d-gnupg.socket",
            "gpg-agent-browser@etc-pacman.d-gnupg.socket",
            "gpg-agent-extra@etc-pacman.d-gnupg.socket",
            "gpg-agent@etc-pacman.d-gnupg.socket",
            "https://hybrid-analysis.com/sample/ff42428f0fcc346cc56e2b00d4b5c4bd43b55f3465b4ccab0efba9c88f4a1c03/661da0b063c895fc2d0a78dc",
            "https://hybrid-analysis.com/sample/9613dee39157b5f9935436b36647047e267b7c10fa4c7ab1fd995db681e58c12/661da5b202eaca78740cf4ed",
            "https://hybrid-analysis.com/sample/479a0170df010c5eb742ff1b8740a2ccf381df44c8a919c95d6e38685278e78a/661da5c768340c1e25092cb2",
            "50-rc_keymap.conf",
            "10-defaults.conf",
            "10-login-barrier.conf",
            "20-systemd-userdb.conf",
            "20-systemd-ssh-proxy.conf",
            "iptables-flush",
            "cpupower",
            "chkboot-bootcheck",
            "10-root.conf",
            "30-root-verity-sig.conf",
            "20-root-verity.conf",
            "80-systemd-timesync.list",
            "80-6rd-tunnel.link",
            "80-container-ve.network",
            "80-container-vb.network",
            "80-container-vz.link",
            "80-6rd-tunnel.network",
            "80-container-vz.network",
            "80-auto-link-local.network.example",
            "80-ethernet.network.example",
            "80-container-host0.network",
            "80-iwd.link",
            "80-container-vb.link",
            "80-vm-vt.link",
            "80-vm-vt.network",
            "80-wifi-adhoc.network",
            "80-wifi-ap.network.example",
            "80-wifi-station.network.example",
            "80-container-ve.link",
            "89-ethernet.network.example",
            "99-default.link",
            "dbus-broker.catalog",
            "dbus-broker-launch.catalog",
            "systemd.be.catalog",
            "systemd.be@latin.catalog",
            "systemd.da.catalog",
            "systemd.bg.catalog",
            "systemd.hu.catalog",
            "systemd.catalog",
            "systemd.it.catalog",
            "systemd.fr.catalog",
            "systemd.ko.catalog",
            "systemd.hr.catalog",
            "systemd.pl.catalog",
            "systemd.pt_BR.catalog",
            "systemd.ru.catalog",
            "systemd.sr.catalog",
            "systemd.zh_CN.catalog",
            "systemd.de.catalog",
            "systemd.zh_TW.catalog",
            "expl_cve_2021_40444.yar"
          ],
          "public": 1,
          "adversary": "Chinese Speaking",
          "targeted_countries": [],
          "malware_families": [
            {
              "id": "RemainAfterExit",
              "display_name": "RemainAfterExit",
              "target": null
            },
            {
              "id": "NMBDOPTIONS",
              "display_name": "NMBDOPTIONS",
              "target": null
            },
            {
              "id": "SMBDOPTIONS",
              "display_name": "SMBDOPTIONS",
              "target": null
            },
            {
              "id": "SuccessAction",
              "display_name": "SuccessAction",
              "target": null
            },
            {
              "id": "WINBINDOPTIONS",
              "display_name": "WINBINDOPTIONS",
              "target": null
            }
          ],
          "attack_ids": [
            {
              "id": "T1027",
              "name": "Obfuscated Files or Information",
              "display_name": "T1027 - Obfuscated Files or Information"
            },
            {
              "id": "T1071",
              "name": "Application Layer Protocol",
              "display_name": "T1071 - Application Layer Protocol"
            },
            {
              "id": "T1082",
              "name": "System Information Discovery",
              "display_name": "T1082 - System Information Discovery"
            },
            {
              "id": "T1106",
              "name": "Native API",
              "display_name": "T1106 - Native API"
            },
            {
              "id": "T1205",
              "name": "Traffic Signaling",
              "display_name": "T1205 - Traffic Signaling"
            },
            {
              "id": "T1140",
              "name": "Deobfuscate/Decode Files or Information",
              "display_name": "T1140 - Deobfuscate/Decode Files or Information"
            },
            {
              "id": "T1059",
              "name": "Command and Scripting Interpreter",
              "display_name": "T1059 - Command and Scripting Interpreter"
            },
            {
              "id": "T1543",
              "name": "Create or Modify System Process",
              "display_name": "T1543 - Create or Modify System Process"
            },
            {
              "id": "T1569",
              "name": "System Services",
              "display_name": "T1569 - System Services"
            },
            {
              "id": "T1090",
              "name": "Proxy",
              "display_name": "T1090 - Proxy"
            },
            {
              "id": "T1114",
              "name": "Email Collection",
              "display_name": "T1114 - Email Collection"
            },
            {
              "id": "T1573",
              "name": "Encrypted Channel",
              "display_name": "T1573 - Encrypted Channel"
            }
          ],
          "industries": [],
          "TLP": "white",
          "cloned_from": null,
          "export_count": 55,
          "upvotes_count": 0,
          "downvotes_count": 0,
          "votes_count": 0,
          "locked": false,
          "pulse_source": "web",
          "validator_count": 0,
          "comment_count": 0,
          "follower_count": 0,
          "vote": 0,
          "author": {
            "username": "Merkd1904",
            "id": "196517",
            "avatar_url": "https://otx.alienvault.com/assets/images/default-avatar.png",
            "is_subscribed": false,
            "is_following": false
          },
          "indicator_type_counts": {
            "FileHash-MD5": 123,
            "YARA": 16,
            "CVE": 4,
            "FileHash-SHA1": 25,
            "FileHash-SHA256": 20,
            "domain": 102,
            "URL": 16,
            "email": 9,
            "hostname": 4,
            "CIDR": 2
          },
          "indicator_count": 321,
          "is_author": false,
          "is_subscribing": null,
          "subscriber_count": 75,
          "modified_text": "769 days ago ",
          "is_modified": true,
          "groups": [],
          "in_group": false,
          "threat_hunter_scannable": true,
          "threat_hunter_has_agents": 1,
          "related_indicator_type": "domain",
          "related_indicator_is_active": 1
        }
      ],
      "references": [
        "fsck.ext2",
        "index (2).py",
        "sshuttle.service",
        "???? ????????.txt",
        "networks",
        "migrate (2).sh",
        "autovt@.service",
        "shadow.service",
        "pkg.js",
        "nvmf-connect.target",
        "rabbitmq.service",
        "serial-getty@.service",
        "libc6-i386_2.19-10ubuntu2.3_amd64.url",
        "nfsv4-server.service",
        "ab.1",
        "gnome-keyring-daemon.socket",
        "gvfs-daemon.service",
        "libc6-i386_2.23-0ubuntu10_amd64.symbols",
        "ftpd.service",
        "systemd-user-sessions.service",
        "libc6-i386_2.13-20ubuntu5.3_amd64.url",
        "pipewire-pulse.service",
        "drkonqi-sentry-postman.service",
        "xdg-desktop-portal-xapp.service",
        "gcr-ssh-agent.service",
        "systemd-userdbd.socket",
        "dbus-org.freedesktop.machine1.service",
        "systemd-tmpfiles-setup.service",
        "libc6-i386_2.29-0ubuntu2_amd64.url",
        "systemd-networkd.service",
        "gnome-terminal-server.service",
        "rsort.js",
        "scripts.md",
        "metadata.py",
        "systemd-pcrphase-sysinit.service",
        "virtnetworkd.socket",
        "compare-loose.js",
        "to-comparators.js",
        "elasticsearch@.service",
        "systemd-homed-firstboot.service",
        "rsyncd.service",
        "systemd-boot-random-seed.service",
        "npm-install.md",
        "rescue.target",
        "patch.js",
        "20-root-verity.conf",
        "lvm2-lvmpolld.service",
        "systemd-nspawn@.service",
        "usb-gadget.target",
        "npm-cache.md",
        "intersects.js",
        "virtvboxd-ro.socket",
        "fastnetmon.service",
        "darkstat.service",
        "libc6-i386_2.4-1ubuntu12_amd64.url",
        "npm-update.md",
        "yara.pc",
        "timers.js",
        "mdmonitor.service",
        "pack.js",
        "input.pcap",
        "systemd-halt.service",
        "tracker-xdg-portal-3.service",
        "plasma-plasmashell.service",
        "https://hybrid-analysis.com/file-collection/6604df33503d4a306e01c776",
        "restore.py",
        "func.py",
        "libc6-i386_2.26-0ubuntu2_amd64.symbols",
        "libvirtd.socket",
        "systemd-fsck@.service",
        "libc6-i386_2.21-0ubuntu4.3_amd64.url",
        "libc6-i386_2.11.1-0ubuntu7.21_amd64.url",
        "ip2clued.service",
        "ip6tables.service",
        "dir:ads.txt",
        "satisfies.js",
        "integritysetup.target",
        "npm.md",
        "plymouth-switch-root.service",
        "flatpak-portal.service",
        "arch-audit.service",
        "gpg-agent@.service",
        "libnm-ppp-plugin.la",
        "syslog.conf",
        "systemd-resolved.service",
        "search.js",
        "INSdir",
        "unstar.js",
        "murmur2",
        "tor.service",
        "80-container-ve.network",
        "SeTmaketag",
        "syslog.socket",
        "initrd-cleanup.service",
        "rpc-statd-notify.service",
        "mtools (2).conf",
        "vt100",
        "libc6-i386_2.21-0ubuntu4_amd64.info",
        "doctor.js",
        "systemd-pcrphase-initrd.service",
        "range.bnf",
        "default.target",
        "gssuserproxy.socket",
        "console-getty.service",
        "init.py",
        "dbus-org.freedesktop.portable1.service",
        "systemd-fsck-root.service",
        "tinyproxy.service",
        "systemd-userdbd.service",
        "libc6-i386_2.24-3ubuntu1_amd64.info",
        "cssesc",
        "dirmngr@.socket",
        "gvmd.service",
        "greenbone-nvt-sync.timer",
        "systemd-modules-load.service",
        "on.py",
        "login.defs",
        "hv_kvp_daemon.service",
        "libc6-i386_2.24-3ubuntu2.2_amd64.info",
        "greenbone-feed-sync.service",
        "systemd-bsod.service",
        "https://hybrid-analysis.com/file-collection/6604df4bb797f028b4065601",
        "libc6-i386_2.7-10ubuntu3_amd64.info",
        "bup-import-rdiff-backup",
        "runlevel1.target",
        "gvfs-mtp-volume-monitor.service",
        "systemd-sysext@.service",
        "npm-run-script.md",
        "bup-import-rsnapshot",
        "integritysetup-pre.target",
        "libc6-i386_2.10.1-0ubuntu15_amd64.info",
        "alsa-restore.service",
        "suspend.target",
        "max-satisfying.js",
        "systemd-repart.service",
        "pipewire.service",
        "systemd.pt_BR.catalog",
        "nfs-client.target",
        "pulseaudio.service",
        "libc6-i386_2.11.1-0ubuntu7.21_amd64.info",
        "usbmuxd.service",
        "dm-event.socket",
        "libvirtd-tls.socket",
        "systemd-soft-reboot.service",
        "systemd.de.catalog",
        "npm-uninstall.md",
        "systemd-tpm2-setup.service",
        "npm-fund.md",
        "libc6-i386_2.30-0ubuntu2.1_amd64.info",
        "blockdev@.target",
        "identifiers.js",
        "gpsd.service",
        "tar.js",
        "pkgtool (2)",
        "pamac-daemon.service",
        "libc6-i386_2.13-0ubuntu13.2_amd64.symbols",
        "initrd-udevadm-cleanup-db.service",
        "libc6-i386_2.31-0ubuntu6_amd64.url",
        "bmc-watchdog.service",
        "winbind.service",
        "virtstoraged.service",
        "lxc-auto.service",
        "kexec.target",
        "80-6rd-tunnel.network",
        "xdg-desktop-portal-rewrite-launchers.service",
        "wg-quick@.service",
        "developers.md",
        "SeTpasswd (2)",
        "modules.ieee1394map",
        "lifecycle-cmd.js",
        "systemd-ask-password-plymouth.service",
        "zfs-zed.service",
        "cups-lpd@.service",
        "initrd-root-fs.target",
        "npm-exec.md",
        "a.txt:ads.txt",
        "completion.fish",
        "systemd.zh_CN.catalog",
        "dbus-org.freedesktop.timedate1.service",
        "slices.target",
        "disk2 (2)",
        "greenbone-scapdata-sync.timer",
        "tlp.service",
        "parent.php",
        "npm-install-ci-test.md",
        "local-fs.target",
        "libc6-i386_2.30-0ubuntu2_amd64.info",
        "mux.py",
        "podman-auto-update.timer",
        "80-container-vz.link",
        "drkonqi-coredump-cleanup.service",
        "borgmatic-user.timer",
        "zfs-share.service",
        "npm-team.md",
        "samba.service",
        "iterator.js",
        "compare-build.js",
        "modules.pcimap",
        "systemd-machined.service",
        "99-default.preset",
        "SeTPKG",
        "vmware-vmblock-fuse.service",
        "epmd.socket",
        "libc6-i386_2.3.6-0ubuntu20_amd64.symbols",
        "virtlxcd-ro.socket",
        "zfs-load-key.service",
        "npx.md",
        "libc6-i386_2.24-3ubuntu2.2_amd64.symbols",
        "zfs-trim@.service",
        "INSNFS",
        "std",
        "plasma-xdg-desktop-portal-kde.service",
        "libc6-i386_2.7-10ubuntu3_amd64.url",
        "npm-shrinkwrap.md",
        "mdcheck_continue.service",
        "soft-reboot.target",
        "systemd.sr.catalog",
        "rfkill-block@.service",
        "fstab",
        "simplify.js",
        "tumblerd.service",
        "scope.md",
        "sbom-spdx.js",
        "epmd.service",
        "profile (2)",
        "https://hybrid-analysis.com/sample/b1a9e5be43c028442c07071e202f44f33e3a2df167822c5cfed8f998e01fe169/661da09794b343782806018e",
        "sort.js",
        "access.js",
        "multi-user.target",
        "nvidia",
        "fwupd.service",
        "auditd.service",
        "web-auth.js",
        "ostree-finalize-staged.path",
        "virtnwfilterd-admin.socket",
        "modules.pnpbiosmap",
        "filter-chain.service",
        "ipmidetectd.service",
        "display.js",
        "split.py",
        "payload.php.005",
        "libc6-i386_2.12.1-0ubuntu6_amd64.info",
        "PROMPThelp",
        "help-search.js",
        "systemd.be.catalog",
        "dbus-org.freedesktop.login1.service",
        "sleep.target",
        "cpupower.service",
        "gpg-agent@etc-pacman.d-gnupg.socket",
        "lynis.timer",
        "node-which",
        "libc6-i386_2.17-0ubuntu5_amd64.symbols",
        "otplease.js",
        "hv_fcopy_daemon.service",
        "drecurse (2).py",
        ".X1024-lock",
        "libc6-i386_2.6.1-1ubuntu9_amd64.info",
        "wireplumber@.service",
        "systemd-hostnamed.socket",
        "libc6-i386_2.13-0ubuntu13.2_amd64.info",
        "exit-handler.js",
        "wpa_supplicant-nl80211@.service",
        "npmrc.md",
        "systemd-hibernate.service",
        "gpsdctl@.service",
        "virtinterfaced.service",
        "pamac-cleancache.service",
        "xplico.service",
        "modules.parportmap",
        "10-arch",
        "bluetooth.service",
        "parse-options.js",
        "folders.md",
        "libc6-i386_2.15-0ubuntu10_amd64.url",
        "systemd-sysupdate.timer",
        "sigpwr.target",
        "libc6-i386_2.6.1-1ubuntu9_amd64.symbols",
        "NetworkManager.service",
        "logrotate.timer",
        "ananicy-cpp.service",
        "systemd-ask-password-wall.service",
        "xl2tpd.service",
        "makedevs.sh",
        "nohang.service",
        "guac-web.service",
        "libc6-i386_2.23-0ubuntu3_amd64.symbols",
        "replace-info.js",
        "minor.js",
        "systemd.hr.catalog",
        "styles.css",
        "final.target",
        "libc6-i386_2.3.6-0ubuntu20.6_amd64.url",
        "payload.php.006",
        "diff.js",
        "keyboxd.service",
        "list_idx.py",
        "libc6-i386_2.24-11+deb9u4_amd64.info",
        "libc6-i386_2.15-0ubuntu20.2_amd64.info",
        "plasma-krunner.service",
        "compare.js",
        "libc6-i386_2.27-3ubuntu1_amd64.info",
        "systemd-network-generator.service",
        "libc6-i386_2.29-0ubuntu2_amd64.info",
        "a1676298638",
        "sshd.service",
        "link.js",
        "payload.php.014",
        "single.php",
        "nvmefc-boot-connections.service",
        "closemachine.rc",
        "npm-whoami.md",
        "rc.inet1",
        "nvidia-persistenced.service",
        "valid.js",
        "20-systemd-ssh-proxy.conf",
        "npm-find-dupes.md",
        "plasma-baloorunner.service",
        "flatpak-session-helper.service",
        "libc6-i386_2.23-0ubuntu11_amd64.symbols",
        "reverse_tcp.py",
        "npm-config.md",
        "cups.path",
        "20-systemd-userdb.conf",
        "zfs-volumes.target",
        "docker.service",
        "rwhod.service",
        "payload.php.011",
        "libvirtd-admin.socket",
        "reader.php",
        "gpm.path",
        "ibft-rule-generator",
        "systemd-initctl.socket",
        "npm-sbom.md",
        "npm-usage.js",
        "libc6-i386_2.30-4_amd64.symbols",
        "empty.exe",
        "update.js",
        ".X0-lock",
        "npm-logout.md",
        "zfs-import.target",
        "clamav-daemon.service",
        "nfsv4-exportd.service",
        "systemd-pcrlock-file-system.service",
        "lt.js",
        "container-getty@.service",
        "archlinux-keyring-wkd-sync.timer",
        "setdb.php.001",
        "libc6-i386_2.7-10ubuntu8.3_amd64.info",
        "systemd-bootctl@.service",
        "libc6-i386_2.17-93ubuntu4_amd64.url",
        "systemd-journal-gatewayd.service",
        "systemd-hibernate-resume.service",
        "pkgfile-update.service",
        "usb_modeswitch@.service",
        "logrotate.service",
        "npm-org.md",
        "ostree-remount.service",
        "rdnssd@.service",
        "dbus-org.freedesktop.import1.service",
        "plymouth-read-write.service",
        "npm-init.md",
        "npm-rebuild.md",
        "npm-version.md",
        "dhcpd4.service",
        "lxc@.service",
        "libc6-i386_2.28-0ubuntu1_amd64.symbols",
        "greenbone-certdata-sync.service",
        "re.js",
        "mariadb-extra@.socket",
        "gpg-agent-extra@etc-pacman.d-gnupg.socket",
        "npmrc",
        "colord-session.service",
        "zfs-scrub@.service",
        "borgmatic.timer",
        "systemd-poweroff.service",
        "apt_sandworm_exim_expl.yar",
        "shadow.timer",
        "publish.js",
        "graphical-session-pre.target",
        "inittab (2)",
        "virtstoraged.socket",
        "npm-stars.md",
        "virtqemud.service",
        "gvfs-metadata.service",
        "neq.js",
        "dmraid.service",
        "connect.php.001",
        "runlevel6.target",
        "midx.py",
        "quotaon.service",
        "rlogin@.service",
        "vboxdrmclient.service",
        "libc6-i386_2.28-10_amd64.symbols",
        "libc6-i386_2.19-18+deb8u10_amd64.info",
        "lte.js",
        "plasma-kded6.service",
        "prune_older.py",
        "edit.js",
        "npm-ls.md",
        "systemd-journald-audit.socket",
        "systemd-boot-update.service",
        "constants.js",
        "systemd-zram-setup@.service",
        "graphical-session.target",
        "fsck.ext3",
        "first-boot-complete.target",
        "10-root.conf",
        "libc6-i386_2.17-93ubuntu4_amd64.info",
        "owner.js",
        "libc6-i386_2.9-4ubuntu6_amd64.url",
        "elasticsearch-keystore@.service",
        "freeradius.service",
        "libc6-i386_2.8~20080505-0ubuntu9_amd64.symbols",
        "INShd (2)",
        "systemd-journal-remote.socket",
        ".X1-lock",
        "libc6-i386_2.26-0ubuntu2.1_amd64.info",
        "sys-kernel-tracing.mount",
        "rc.ieee1394",
        "pacrunner.service",
        "sensord.service",
        "libc6-i386_2.9-4ubuntu6.3_amd64.info",
        "libvirtd-ro.socket",
        "apt_sandworm_exim_expl.yar.001",
        "ssh-agent.service",
        "plasma-core.target",
        "zfs-trim-monthly@.timer",
        "84-nm-drivers.rules",
        "89-ethernet.network.example",
        "netavark-dhcp-proxy.service",
        "tree.py",
        "run-script.js",
        "virtlxcd.service",
        "plasma-ksmserver.service",
        "poweroff.target",
        "rescan-scsi-bus",
        "empty (2)",
        "var-lib-machines.mount",
        "virtlockd.service",
        "50-zfs.preset",
        "swap.target",
        "sudo_logsrvd.service",
        "hybrid-sleep.target",
        "systemd-rfkill.socket",
        "payload.php.002",
        "fsck (2).ext2",
        "libc6-i386_2.9-4ubuntu6_amd64.info",
        "xstat (2).py",
        "upower.service",
        "stunnel.service",
        "memtest.py",
        "10-defaults.conf",
        "b.txt:ads.txt",
        "systemd-sysusers.service",
        "npm-pkg.md",
        "migrate.sh",
        "npm-audit.md",
        "stage2",
        "libc6-i386_2.4-1ubuntu12.3_amd64.url",
        "modules.dep",
        "nopartHELP (2)",
        "dunst.service",
        "npm-outdated.md",
        "wpa_supplicant@.service",
        "services",
        "libc6-i386_2.13-20ubuntu5.3_amd64.info",
        "explain-dep.js",
        "libnm.la",
        "vboxservice.service",
        "proc-sys-fs-binfmt_misc.automount",
        "veritysetup-pre.target",
        "resolv.conf",
        "betterlockscreen@.service",
        "xfce4-notifyd.service",
        "plasma-workspace-x11.target",
        "npm-shrinkwrap-json.md",
        "virtsecretd.socket",
        "adb.service",
        "umount.target",
        "q\u00e9\u00d5?e\u00ac\u00d2\u00b6.\u000f\u001c\u00cc",
        "ll.js",
        "passwd",
        "libc6-i386_2.13-20ubuntu5_amd64.url",
        "systemd-boot-check-no-failures.service",
        "nfsdcld.service",
        "plasma-powerprofile-osd.service",
        "systemd-coredump.socket",
        "filesize",
        "plasma-kded.service",
        "setup (2)",
        "nvmf-connect-nbft.service",
        "capsule@.service",
        "halt.target",
        "libvirtd.service",
        "zfs-volume-wait.service",
        "package-spec.md",
        "zfs.target",
        "systemd-journald-varlink@.socket",
        "systemd-networkd.socket",
        "virtlogd.service",
        "mdcheck_continue.timer",
        "virtqemud-ro.socket",
        "stop.js",
        "gvfs-udisks2-volume-monitor.service",
        "httpd.service",
        "runlevel2.target",
        "import_duplicity.py",
        "removepkg",
        "rathole@.service",
        "dm-event.service",
        "systemd-journald.service",
        "random.py",
        "reify-output.js",
        "virtnwfilterd.socket",
        "90-systemd.preset",
        "alsa-state.service",
        "stdcrt (2)",
        "INShd",
        "libc6-i386_2.12.1-0ubuntu10.4_amd64.url",
        "clamav-freshclam-once.service",
        "mysql.service",
        "libyara.la",
        "systemd-growfs@.service",
        "vfs.py",
        "runlevel4.target",
        "config.md",
        "partimaged.service",
        "nvidia-suspend.service",
        "remote-cryptsetup.target",
        "rc.S",
        "sendcmd.rc",
        "test.js",
        "expl_cve_2021_40444.yar",
        "libc6-i386_2.26-0ubuntu2_amd64.url",
        "clamav-unofficial-sigs.timer",
        "finger.socket",
        "find-dupes.js",
        "libc6-i386_2.11.1-0ubuntu7.11_amd64.info",
        "cronie.service",
        "hosts (2)",
        "audit-rules.service",
        "cfdisk (2)",
        "libc6-i386_2.3.6-0ubuntu20.6_amd64.info",
        "systemd-remount-fs.service",
        "payload.php.013",
        "tag.py",
        "std (2)",
        "libc6-i386_2.24-11+deb9u4_amd64.url",
        "SeTswap",
        "features.py",
        "libc6-i386_2.9-4ubuntu6.3_amd64.url",
        "plasma-restoresession.service",
        "stage2 (2)",
        "qemu-guest-agent.service",
        "services (2)",
        "nfs-mountd.service",
        "keyboxd.socket",
        "version.py",
        "get.py",
        "factory-reset.target",
        "clash.service",
        "zfs-trim-weekly@.timer",
        "ctrl-alt-del.target",
        "bolt.service",
        "libc6-i386_2.13-20ubuntu5.2_amd64.symbols",
        "getPerms.php",
        "flatpak-system-helper.service",
        "rpcbind.socket",
        "libc6-i386_2.9-4ubuntu6_amd64.symbols",
        "kcptun@.service",
        "rsyncd@.service",
        "mtab",
        "openmachine.rc",
        "virtlogd-admin.socket",
        "uuidd.service",
        "profile.js",
        "git-daemon.socket",
        "isnsd.socket",
        "termcap (2)",
        "initrd-fs.target",
        "systemd-suspend.service",
        "installed-package-contents",
        "systemd-kexec.service",
        "memavaild.service",
        "init.js",
        "lm_sensors.service",
        "drkonqi-coredump-launcher@.service",
        "whoami.js",
        "libc6-i386_2.13-20ubuntu5.3_amd64.symbols",
        "dbus-broker-launch.catalog",
        "pcscd.service",
        "npm-owner.md",
        "initrd.target",
        "capsule@.target",
        "gpsd.socket",
        "teamd@.service",
        "nm-cloud-setup.service",
        "virtvboxd.socket",
        "libc6-i386_2.17-0ubuntu5.1_amd64.url",
        "removal.md",
        "libc6-i386_2.10.1-0ubuntu15_amd64.url",
        "plymouth-start.service",
        "quotaon@.service",
        "systemd-binfmt.service",
        "runlevel3.target",
        "hv_vss_daemon.service",
        "sslh-select.service",
        "nm-pppd-plugin.la",
        "ssh.py",
        "systemd-quotacheck.service",
        "ModemManager.service",
        "https://hybrid-analysis.com/sample/9613dee39157b5f9935436b36647047e267b7c10fa4c7ab1fd995db681e58c12/661da5b202eaca78740cf4ed",
        "thunar.service",
        "packagekit.service",
        "drecurse.py",
        "sddm.service",
        "mdadm-last-resort@.service",
        "libc6-i386_2.28-0ubuntu1_amd64.url",
        "lastlog2-import.service",
        "virtnwfilterd-ro.socket",
        "SeTnopart",
        "gpg-agent-browser@etc-pacman.d-gnupg.socket",
        "apache-tika.service",
        "reboot.target",
        "atftpd.service",
        "cxl-monitor.service",
        "gte.js",
        "plasma-gmenudbusmenuproxy.service",
        "lvm2-monitor.service",
        "mysqld.service",
        "mongodb.service",
        "SeTswap (2)",
        "libnm-device-plugin-bluetooth.la",
        "systemd.pl.catalog",
        "virtlxcd.socket",
        "read-user-info.js",
        "lorem.txt",
        "completion.sh",
        "libc6-i386_2.7-10ubuntu3_amd64.symbols",
        "git-daemon@.service",
        "zfs-scrub-weekly@.timer",
        "min-version.js",
        "systemd.zh_TW.catalog",
        "systemd-creds.socket",
        "format-search-stream.js",
        "libc6-i386_2.7-10ubuntu8.3_amd64.symbols",
        "rescue.service",
        "org.js",
        "stdcrt",
        "zfs-import-scan.service",
        "initrd-switch-root.target",
        "systemd-update-done.service",
        "smartd.service",
        "paccache.service",
        "libc6-i386_2.12.1-0ubuntu6_amd64.url",
        "explore.js",
        "systemd-sysext.socket",
        "token.js",
        "libc6-i386_2.15-0ubuntu10_amd64.symbols",
        "securetty",
        "p11-kit-server.service",
        "INSCD (2)",
        "krb5-kpropd.service",
        "systemd-oomd.service",
        "runlevel5.target",
        "pkgtool",
        "tpm2.target",
        "fsidd.service",
        "SeTmaketag (2)",
        "iscsiuio.socket",
        "issue",
        "ndctl-monitor.service",
        "SeTfull (2)",
        "INSCD",
        "update-workspaces.js",
        "telnet@.service",
        "rpc_pipefs.target",
        "npm-restart.md",
        "archlinux-keyring-wkd-sync.service",
        "iptables.service",
        "libc6-i386_2.26-0ubuntu2.1_amd64.symbols",
        "nscd.service",
        "SeTconfig",
        "ostree-finalize-staged.service",
        "dnsmasq.service",
        "usbipd.service",
        "b529967783",
        "greenbone-nvt-sync.service",
        "b3336837578",
        "80-container-vb.network",
        "libc6-i386_2.3.6-0ubuntu20_amd64.url",
        "plasma-workspace.target",
        "hlinkdb.py",
        "daemon.py",
        "keyboxd@.service",
        "hashsplit.py",
        "reify-finish.js",
        "reflector.service",
        "unmigrate.sh",
        "vboxdrmclient.path",
        "background.slice",
        "libnm-device-plugin-adsl.la",
        "geoclue.service",
        "libc6-i386_2.19-0ubuntu6_amd64.symbols",
        "virtlxcd-admin.socket",
        "plasma-kcminit-phase1.service",
        "libc6-i386_2.11.1-0ubuntu7.12_amd64.symbols",
        "SeTconfig (2)",
        "storage-target-mode.target",
        "SeTDOS (2)",
        "lvm2-lvmpolld.socket",
        "libnm-device-plugin-team.la",
        "rsh.socket",
        "ls.js",
        "gpg-agent-ssh@etc-pacman.d-gnupg.socket",
        "libc6-i386_2.6.1-1ubuntu10_amd64.info",
        "npm-ci.md",
        "clash@.service",
        "hostapd.service",
        "libc6-i386_2.26-0ubuntu2.1_amd64.url",
        ".X1025-lock",
        "libc6-i386_2.4-1ubuntu12_amd64.symbols",
        "nfs-utils.service",
        "dbus-org.freedesktop.locale1.service",
        "libc6-i386_2.24-9ubuntu2.2_amd64.url",
        "xdg-desktop-autostart.target",
        "greenbone-certdata-sync.timer",
        "plymouth-halt.service",
        "coerce.js",
        "iscsi-init.service",
        "dialogrc",
        "npm-install-test.md",
        "gssuserproxy.service",
        "dhclient@.service",
        "virtproxyd.service",
        "sockets.target",
        "npm-hook.md",
        "obexstress",
        "package-json.md",
        "iwd.service",
        "SeTPKG (2)",
        "dhcpd6.service",
        "systemd-networkd-wait-online@.service",
        "systemd-tmpfiles-clean.service",
        "systemd-backlight@.service",
        "60-flatpak-system-only",
        "slackinstall (2)",
        "libc6-i386_2.21-0ubuntu4.3_amd64.info",
        "80-container-host0.network",
        "fwupd-refresh.timer",
        "machine.slice",
        "zfs-scrub-monthly@.timer",
        "systemd-tmpfiles-setup-dev.service",
        "fuse.py",
        "gc (2).py",
        "greenbone-feed-sync.timer",
        "crypto-miner.js",
        "itl-logo (2).txt",
        "bugs.js",
        "setdb.php",
        "dirmngr.service",
        "npm-adduser.md",
        "motd (2)",
        "package-url-cmd.js",
        "sbom.js",
        "group",
        "ras-mc-ctl.service",
        "systemd-ask-password-plymouth.path",
        "systemd-hybrid-sleep.service",
        "debug-shell.service",
        "kde-baloo.service",
        "plasma-polkit-agent.service",
        "itl-logo.txt",
        "libc6-i386_2.24-3ubuntu1_amd64.symbols",
        "https://hybrid-analysis.com/sample/d714e2a850645f9a0f8f3785dd0eedd47a417417bed470b968e0f6a1a2e746e6/652cf1f4243d9d03b90f74a1",
        "avahi-daemon.service",
        "vt300 (2)",
        "podman.socket",
        "krb5-kpropd.socket",
        "npm-doctor.md",
        "prune.js",
        "xdg-permission-store.service",
        "hostapd@.service",
        "openvpn-server@.service",
        "libc6-i386_2.6.1-1ubuntu10_amd64.url",
        "libc6-i386_2.10.1-0ubuntu15_amd64.symbols",
        "xdg-desktop-portal.service",
        "libc6-i386_2.13-20ubuntu5.2_amd64.info",
        "p11-kit-server.socket",
        "README (2)",
        "libc6-i386_2.28-10_amd64.url",
        "modules.usbmap",
        "get-workspaces.js",
        "libc6-i386_2.13-20ubuntu5_amd64.symbols",
        "polkit.service",
        "dependency-selectors.md",
        "ldd",
        "systemd-hostnamed.service",
        "xsettingsd.service",
        "virtsecretd.service",
        "SeTmedia (2)",
        "login (2).defs",
        "gnome-keyring-daemon.service",
        "ppp@.service",
        "SeTkeymap",
        "hosts",
        "systemd-journald@.socket",
        "expl_cve_2021_40444.yar.002",
        "no_ads.txt",
        "lxdm.service",
        "pamac-cleancache.timer",
        "virtproxyd-admin.socket",
        "payload.php.009",
        "updatedb.service",
        "systemd-quotacheck-root.service",
        "plymouth-quit.service",
        "dedupe.js",
        "50-rc_keymap.conf",
        "virtlogd.socket",
        "80-container-vb.link",
        "gpg-agent@.socket",
        "passim.service",
        "cups-lpd.socket",
        "libnm-wwan.la",
        "libc6-i386_2.24-9ubuntu2_amd64.symbols",
        "systemd-udev-trigger.service",
        "cape-rooter.service",
        "gpg-agent-ssh@.socket",
        "clamav-unofficial-sigs.service",
        "phoromatic-client.service",
        "vmtoolsd.service",
        "shquote.py",
        "probe (2)",
        "margin.py",
        "libc6-i386_2.15-0ubuntu10.18_amd64.symbols",
        "npm-docs.md",
        "configure-printer@.service",
        "libnm-device-plugin-wifi.la",
        "blk-availability.service",
        "lynis.service",
        "libc6-i386_2.19-10ubuntu2.3_amd64.info",
        "virtinterfaced-admin.socket",
        "systemd-pcrlock-firmware-code.service",
        "libc6-i386_2.8~20080505-0ubuntu7_amd64.url",
        "machines.target",
        "nvidia-powerd.service",
        "e2scrub_all.timer",
        "systemd-battery-check.service",
        "rtkit-daemon.service",
        "format-bytes.js",
        "rc-local.service",
        "npm-search.md",
        "libc6-i386_2.23-0ubuntu11_amd64.url",
        "virtsecretd-admin.socket",
        "npm-repo.md",
        "daxdev-reconfigure@.service",
        "getty@.service",
        "systemd-time-wait-sync.service",
        "nfs-server.service",
        "drkonqi-coredump-processor@.service",
        "sys-fs-fuse-connections.mount",
        "INSfd (2)",
        "libc6-i386_2.6.1-1ubuntu10_amd64.symbols",
        "yallist.js",
        "systemd-ask-password-console.path",
        "libc6-i386_2.4-1ubuntu12.3_amd64.info",
        "time-sync.target",
        "libc6-i386_2.19-18+deb8u10_amd64.symbols",
        "prerelease.js",
        "pkgfile-update.timer",
        "libc6-i386_2.27-3ubuntu1_amd64.url",
        "systemd-importd.service",
        "main.py",
        "mariadb@.service",
        "couchdb.service",
        "neo4j.service",
        "virtnodedevd.socket",
        "cups.socket",
        "virtqemud-admin.socket",
        "mdcheck_start.service",
        "gnupg-pkcs11-scd-proxy.service",
        "xstat.py",
        "logging.md",
        "updatedb.timer",
        "deprecate.js",
        "xfs_scrub_fail@.service",
        "systemd-journald.socket",
        "systemd-tmpfiles-clean.timer",
        "systemd-pcrlock-secureboot-authority.service",
        "virtinterfaced-ro.socket",
        "plasma-kscreen.service",
        "slapd.service",
        "e2scrub_fail@.service",
        "virtnetworkd.service",
        "__init__.py",
        "version.js",
        "libc6-i386_2.17-0ubuntu5_amd64.url",
        "io.py",
        "flatpak-oci-authenticator.service",
        "https://hybrid-analysis.com/file-collection/66057525d9b81759df06c4b5",
        "hibernate.target",
        "libc6-i386_2.19-10ubuntu2_amd64.info",
        "telnet.socket",
        "adduser.js",
        "base-command.js",
        "e2scrub_all.service",
        "systemd-homed-activate.service",
        "privoxy.service",
        "virtlockd-admin.socket",
        "rfkill-unblock@.service",
        "e2scrub@.service",
        "https://hybrid-analysis.com/sample/babc94597eadb83b520d6a46a57ef2ad963683aef1ff2fc6fa9ba5e98e78e008/6604e16b6b94878cbb062194",
        "opensnitchd.service",
        "pcmcia",
        "unbound.service",
        "payload.php.012",
        "snort@1000.service",
        "kingdee-erp-rce.yaml",
        "mkdirp",
        "SeTfdHELP",
        "libc6-i386_2.11.1-0ubuntu7.12_amd64.info",
        "comparator.js",
        "smb.service",
        "star.js",
        "svnserve.service",
        "cups.service",
        "30-root-verity-sig.conf",
        "talk.socket",
        "90-nm-thunderbolt.rules",
        "libnm-device-plugin-ovs.la",
        "gpg-agent.socket",
        "sslh-fork.service",
        ".zcompdump",
        "systemd-sysupdate-reboot.timer",
        "systemd.bg.catalog",
        "libc6-i386_2.24-9ubuntu2.2_amd64.info",
        "virtstoraged-ro.socket",
        "keyboxd@.socket",
        "initrd-usr-fs.target",
        "npm-profile.md",
        "libc6-i386_2.3.6-0ubuntu20.6_amd64.symbols",
        "libc6-i386_2.10.1-0ubuntu19_amd64.info",
        "npm-help.md",
        "libcrypto.pc",
        "package-lock-json.md",
        "libc6-i386_2.6.1-1ubuntu9_amd64.url",
        "podman-clean-transient.service",
        "npm-star.md",
        "udisks2.service",
        "midx (2).py",
        "virtnwfilterd.service",
        "printer.target",
        "npm-start.md",
        "systemd-pcrextend.socket",
        "completion.js",
        "libc6-i386_2.31-0ubuntu6_amd64.info",
        "tick.py",
        "nsswitch (2).conf",
        "notes.txt:ads",
        "plasma-workspace-wayland.target",
        "damage.py",
        "shells (2)",
        "fsck (2).ext3",
        "systemd-sysctl.service",
        "elasticsearch.service",
        "libvirt-guests.service",
        "explain.js",
        "libc6-i386_2.19-0ubuntu6.15_amd64.info",
        "var-lib-nfs-rpc_pipefs.mount",
        "desktop.ini",
        "user@.service",
        "libc6-i386_2.5-0ubuntu14_amd64.info",
        "80-vm-vt.link",
        "OpenSSLConfigVersion.cmake",
        "exit.target",
        "systemd-journald-dev-log.socket",
        "defaults.conf",
        "uksmd.service",
        "shutdown.target",
        "npm-edit.md",
        "npm-explore.md",
        "SeTkernel",
        "libc6-i386_2.13-20ubuntu5_amd64.info",
        "rlogin.socket",
        "gssproxy.service",
        "elasticsearch-keystore.service",
        "sbom-cyclonedx.js",
        "getty-pre.target",
        "healthd.service",
        "unpublish.js",
        "dconf.service",
        ".zcompdump-m1904-5.9",
        "virt-guest-shutdown.target",
        "NetworkManager-wait-online.service",
        "rm.py",
        "xdg-document-portal.service",
        "systemd-machine-id-commit.service",
        "getty.target",
        "payload.php.003",
        "mdadm.shutdown",
        "installpkg",
        "99-default.link",
        "subset.js",
        "guacd.service",
        "borgmatic-user.service",
        "colord.service",
        "virtchd-admin.socket",
        "a4033901479",
        "semver.js",
        "basic.target",
        "system-update-pre.target",
        "ratholec@.service",
        "systemd.ko.catalog",
        "systemd-storagetm.service",
        "ly.service",
        "dbus.socket",
        "xdg-user-dirs-update.service",
        "systemd-volatile-root.service",
        "libc6-i386_2.23-0ubuntu10_amd64.url",
        "plasma-ksplash.service",
        "FDhelp (2)",
        "libc6-i386_2.23-0ubuntu11_amd64.info",
        "systemd.hu.catalog",
        "libc6-i386_2.8~20080505-0ubuntu7_amd64.info",
        "runlevel0.target",
        "lxc-monitord.service",
        "80-iwd.link",
        "libc6-i386_2.10.1-0ubuntu19_amd64.url",
        "systemd-rfkill.service",
        "restart.js",
        "fund.js",
        "systemd-coredump@.service",
        "SeTpasswd",
        "repo.py",
        "validate-lockfile.js",
        "rasdaemon.service",
        "rpc-statd.service",
        "libc6-i386_2.19-0ubuntu6_amd64.info",
        ".:ads.txt",
        "libc6-i386_2.5-0ubuntu14_amd64.symbols",
        "payload.php.007",
        "checkout_info.py",
        "cpupower",
        "celery@.service",
        "libc6-i386_2.31-0ubuntu6_amd64.symbols",
        "jack@.service",
        "min-satisfying.js",
        "virtchd.service",
        "systemd-creds@.service",
        "plasma-kscreen-osd.service",
        "nohang-desktop.service",
        "systemd-networkd-persistent-storage.service",
        "index.js",
        "update-notifier.js",
        "gcr-ssh-agent.socket",
        "libc6-i386_2.26-0ubuntu2_amd64.info",
        "arborist",
        "installed-deep.js",
        "libc6-i386_2.30-4_amd64.info",
        "rpc-gssd.service",
        "systemd-update-utmp-runlevel.service",
        "initrd-parse-etc.service",
        "plymouth-quit-wait.service",
        "systemd-homed.service",
        "wondershaper.service",
        "mdmon@.service",
        "libc6-i386_2.24-3ubuntu2.2_amd64.url",
        "libc6-i386_2.12.1-0ubuntu6_amd64.symbols",
        "systemd-portabled.service",
        "nvmf-connect@.service",
        "fwupd.shutdown",
        "eicar",
        "libc6-i386_2.17-0ubuntu5.1_amd64.symbols",
        "systemd.ru.catalog",
        "termcap",
        "debug.js",
        "libc6-i386_2.21-0ubuntu4_amd64.url",
        "cfdisk",
        "ead.service",
        "nvmf-autoconnect.service",
        "FDhelp",
        "workspaces.md",
        "nvidia-hibernate.service",
        "libc6-i386_2.10.1-0ubuntu19_amd64.symbols",
        "systemd.be@latin.catalog",
        "registry.md",
        "team.js",
        "payload.php.015",
        "libc6-i386_2.11.1-0ubuntu7_amd64.url",
        "ptunnel.service",
        "iscsid.service",
        "shadow",
        "borgmatic.service",
        "cmd-list.js",
        "kio-fuse.service",
        "libc6-i386_2.30-0ubuntu2.1_amd64.symbols",
        "suricata-update.service",
        "chkboot.service",
        "libc6-i386_2.28-0ubuntu1_amd64.info",
        "payload.php.004",
        "clamav-daemon.socket",
        "plymouth-kexec.service",
        "gvfs-afc-volume-monitor.service",
        "mdcheck_start.timer",
        "uuidd.socket",
        "accounts-daemon.service",
        "apparmor.conf",
        "systemd-pcrlock-secureboot-policy.service",
        "greenbone-scapdata-sync.service",
        "wpa_supplicant-wired@.service",
        "libc6-i386_2.30-0ubuntu2.1_amd64.url",
        "plasma-ksystemstats.service",
        "libc6-i386_2.19-10ubuntu2.3_amd64.symbols",
        "payload.php.010",
        "krb5-kadmind.service",
        "libc6-i386_2.15-0ubuntu10.18_amd64.info",
        "man-db.timer",
        "80-6rd-tunnel.link",
        "options.py",
        "systemd-sysext.service",
        "nss-lookup.target",
        "pipewire.socket",
        "libssl.pc",
        "drkonqi-coredump-cleanup.timer",
        "initrd-switch-root.service",
        "virtproxyd-ro.socket",
        "zfs-import-cache.service",
        "install.md",
        "connect.php.002",
        "wireplumber.service",
        "npm-link.md",
        "npm-stop.md",
        "gtr.js",
        "network.target",
        "cape-processor.service",
        "veritysetup.target",
        "libc6-i386_2.13-0ubuntu13_amd64.url",
        "payload.php",
        "scanner.php",
        "suspend-then-hibernate.target",
        "pipewire-pulse.socket",
        "compat.py",
        "login.js",
        "config.js",
        "brc (2)",
        "plymouth.conf",
        "cape.service",
        "dev-hugepages.mount",
        "libc6-i386_2.5-0ubuntu14_amd64.url",
        "systemd-pcrlock@.service",
        "npm-help-search.md",
        "xfs_scrub_all.timer",
        "audit.js",
        "85-nm-unmanaged.rules",
        "emergency.service",
        "libc6-i386_2.19-0ubuntu6.15_amd64.url",
        "plasma-xembedsniproxy.service",
        "SeTpartitions",
        "emergency.target",
        "cat_file.py",
        "systemd-quotacheck@.service",
        "plasma-kwallet-pam.service",
        "virtnodedevd-ro.socket",
        "libc6-i386_2.11.1-0ubuntu7.11_amd64.symbols",
        "sndiod.service",
        "npm-query.md",
        "vint.py",
        "graphical.target",
        "libc6-i386_2.24-9ubuntu2.2_amd64.symbols",
        "cntlm.service",
        "libc6-i386_2.19-0ubuntu6_amd64.url",
        "sound.target",
        "libc6-i386_2.17-0ubuntu5_amd64.info",
        "xrdp-sesman.service",
        "tlp",
        "systemd-bless-boot.service",
        "gpg-agent-browser.socket",
        "vt100 (3)",
        "nbd.service",
        "PROMPThelp (2)",
        "remote-veritysetup.target",
        "80-wifi-ap.network.example",
        "web.py",
        "gpg-agent-extra.socket",
        "iptables-flush",
        "autorandr-lid-listener.service",
        "systemd.fr.catalog",
        "orgs.md",
        "80-wifi-station.network.example",
        "modules.isapnpmap",
        "ltr.js",
        "issue (2)",
        "list.php",
        "npm-prefix.md",
        "install-test.js",
        "adsl.service",
        "connect.php",
        "template-WaR2X6",
        "systemd-logind.service",
        "pwdgrp.py",
        "kmod-static-nodes.service",
        "https://hybrid-analysis.com/sample/ff42428f0fcc346cc56e2b00d4b5c4bd43b55f3465b4ccab0efba9c88f4a1c03/661da0b063c895fc2d0a78dc",
        "pacote",
        "clean.js",
        "brc",
        "80-auto-link-local.network.example",
        "plasma-ksplash-ready.service",
        "systemd-update-helper",
        "logout.js",
        "audit-error.js",
        "empty",
        "libc6-i386_2.15-0ubuntu20_amd64.url",
        "major.js",
        "npm-bugs.md",
        "system-update.target",
        "log-shim.js",
        "libc6-i386_2.23-0ubuntu10_amd64.info",
        "npm-token.md",
        "npm-prune.md",
        "dev-mqueue.mount",
        "installed-shallow.js",
        "suricata-update.timer",
        "xfs_scrub@.service",
        "systemd-journal-remote.service",
        "version (2).py",
        "libc6-i386_2.23-0ubuntu3_amd64.url",
        "network-pre.target",
        "libc6-i386_2.11.1-0ubuntu7_amd64.info",
        "ntpd.service",
        "pam_namespace.service",
        "x.jnlp",
        "fstrim.service",
        "package.json",
        "open-url-prompt.js",
        "postfix.service",
        "shells",
        "outside.js",
        "plymouth-poweroff.service",
        "systemd-tmpfiles-setup-dev-early.service",
        "timers.target",
        "vt300",
        "dbus-org.freedesktop.hostname1.service",
        "xrdp.service",
        "libc6-i386_2.13-0ubuntu13_amd64.info",
        "system-systemd\\x2dcryptsetup.slice",
        "systemd-udevd-control.socket",
        "libc6-i386_2.8~20080505-0ubuntu7_amd64.symbols",
        "eicar.001",
        "gpg-agent-browser@.socket",
        "nftables.service",
        "plasma-kglobalaccel.service",
        "libc6-i386_2.11.1-0ubuntu7.11_amd64.url",
        "libc6-i386_2.3.6-0ubuntu20_amd64.info",
        "npm-dist-tag.md",
        "ldconfig.service",
        "virtstoraged-admin.socket",
        "ostree-finalize-staged-hold.service",
        "zfs-mount.service",
        "ftp.py",
        "ostree-state-overlay@.service",
        "gvfs-gphoto2-volume-monitor.service",
        "geoipupdate.service",
        "drkonqi-coredump-launcher.socket",
        "plasma-kcminit.service",
        "SeTkeymap (2)",
        "wtmp",
        "local-fs-pre.target",
        "itl-logo (3).txt",
        "gpg-agent-ssh.socket",
        "rcompare.js",
        "systemd-suspend-then-hibernate.service",
        "LICENSE",
        "nmb.service",
        "client.py",
        "fwupd-offline-update.service",
        "https://www.virustotal.com/gui/file/ea8490563a229b89f2b779217938f9eb2bcf93dd89de9f7fc5c035632f0934b5/relations",
        "gt.js",
        "systemd-bootctl.socket",
        "proc-sys-fs-binfmt_misc.mount",
        "sunjava_map.xml",
        "set.js",
        "cryptsetup.target",
        "apparmor.service",
        "range.js",
        "ssh-access.target",
        "hook.js",
        "probe",
        "virtproxyd.socket",
        "validate-engines.js",
        "tinc@.service",
        "did-you-mean.js",
        "HOSTNAME",
        "stage2 (3)",
        "syslog (2).conf",
        "cape-dist.service",
        "SUSE-mdadm_env.sh",
        "plasma-kwin_wayland.service",
        "expl_cve_2021_40444.yar.001",
        "3proxy.conf",
        "fancontrol.service",
        "udp2raw@.service",
        "vpnc@.service",
        "virtnetworkd-admin.socket",
        "disk2",
        "libc6-i386_2.21-0ubuntu4_amd64.symbols",
        "80-container-ve.link",
        "zgrep",
        "boot-complete.target",
        "apt_sandworm_exim_expl.yar.002",
        "cli.js",
        "mtools.conf",
        "https://hybrid-analysis.com/sample/2eaba531c48445e241c116f61653649e403d4b1ef07bfc96390e986e1eeb5b83/6604e230edf88ab15b0d83fc",
        "systemd-ask-password-wall.path",
        "quotaon-root.service",
        "redis-sentinel.service",
        "help.py",
        "systemd-localed.service",
        "proc-fs-nfsd.mount",
        "auth.js",
        "mkinitcpio-generate-shutdown-ramfs.service",
        "libc6-i386_2.19-0ubuntu6.15_amd64.symbols",
        "virtlockd.socket",
        "bettercap.service",
        "parse.js",
        "systemd-vmspawn@.service",
        "tinc.service",
        "iodined.service",
        "postgresql.service",
        "zfs-import.service",
        "seatd.service",
        "vdecmd",
        "rpcbind.target",
        "yate.service",
        "libc6-i386_2.19-10ubuntu2_amd64.url",
        "ci.js",
        "ntpdate.service",
        "OpenSSLConfig.cmake",
        "systemd-update-utmp.service",
        "npm.js",
        "iodined.socket",
        "ls (2).py",
        "paccache.timer",
        "systemd-timedated.service",
        "libc6-i386_2.24-9ubuntu2_amd64.url",
        "libc6-i386_2.11.1-0ubuntu7_amd64.symbols",
        "libc6-i386_2.29-0ubuntu2_amd64.symbols",
        "query.js",
        "iiod.service",
        "payload.php.017",
        "docs.js",
        "b.txt",
        "libc6-i386_2.15-0ubuntu20.2_amd64.symbols",
        "view.js",
        "capsule.slice",
        "syslinux.cfg",
        "qrcode-terminal",
        "glob",
        "rm (2).py",
        "libc6-i386_2.15-0ubuntu20_amd64.symbols",
        "virtchd-ro.socket",
        "gpm.service",
        "npm-access.md",
        "cmp.js",
        "phoromatic-server.service",
        "systemd.it.catalog",
        "initrd-root-device.target",
        "networks (2)",
        "chkboot-bootcheck",
        "get.js",
        "network-online.target",
        "bloom (2).py",
        "save.py",
        "nfs-blkmap.service",
        "lxc.service",
        "payload.php.008",
        "nopartHELP",
        "krb5-kpropd@.service",
        "create_ap.service",
        "systemd-pcrphase.service",
        "npm-pack.md",
        "systemd-journal-gatewayd.socket",
        "libc6-i386_2.30-4_amd64.url",
        "INSNFS (2)",
        "MozillaUpdateLock-7A4D7A8EFFB43502",
        "server.py",
        "nm-cloud-setup.timer",
        "color-support",
        "systemd-hwdb-update.service",
        "cli-entry.js",
        "systemd-pcrfs-root.service",
        "inittab",
        "helpers.py",
        "pamac-offline-upgrade.service",
        "systemd-pcrmachine.service",
        "gpg-agent-extra@.socket",
        "80-systemd-timesync.list",
        "install.js",
        "SeTnopart (2)",
        "libc6-i386_2.8~20080505-0ubuntu9_amd64.info",
        "libc6-i386_2.23-0ubuntu3_amd64.info",
        "cape-web.service",
        "arch-audit.timer",
        "dbus.service",
        "pulseaudio.socket",
        "SeTkernel (2)",
        "ostree-boot-complete.service",
        "canberra-system-bootup.service",
        "plasma-dolphin.service",
        "libc6-i386_2.24-11+deb9u4_amd64.symbols",
        "man-db.service",
        "SeTfull",
        "libc6-i386_2.28-10_amd64.info",
        "docker.socket",
        "eicar.002",
        "fdisk (2)",
        "netavark-dhcp-proxy.socket",
        "shrinkwrap.js",
        "libc6-i386_2.8~20080505-0ubuntu9_amd64.url",
        "3proxy.service",
        "wg-quick.target",
        "bloom.py",
        "systemd.da.catalog",
        "host.conf",
        "plasma-kwin_x11.service",
        "exabgp.service",
        "virtchd.socket",
        "npm-login.md",
        "ostree-prepare-root.service",
        "podman.service",
        "npm-root.md",
        "source_info.py",
        "bluetooth.target",
        "npm-ping.md",
        "nm-priv-helper.service",
        "syslinux (2).cfg",
        "npm-publish.md",
        "libc6-i386_2.7-10ubuntu8.3_amd64.url",
        "redis.service",
        "libc6-i386_2.19-18+deb8u10_amd64.url",
        "dirmngr.socket",
        "a.txt",
        "group (2)",
        "clamav-freshclam.service",
        "uninstall.js",
        "unmigrate (2).sh",
        "libc6-i386_2.24-3ubuntu1_amd64.url",
        "NetworkManager-ovs.conf",
        "avahi-daemon.socket",
        "podman-auto-update.service",
        "outdated.js",
        "libc6-i386_2.30-0ubuntu2_amd64.url",
        "custom.py",
        "SeTfdHELP (2)",
        "libc6-i386_2.17-93ubuntu4_amd64.symbols",
        "on__server.py",
        "ufw.service",
        "wpa_supplicant.service",
        "systemd-vconsole-setup.service",
        "podman-restart.service",
        "systemd-pcrlock-machine-id.service",
        "index.py",
        "systemd-pcrfs@.service",
        "get-identity.js",
        "systemd-initctl.service",
        "drkonqi-coredump-pickup.service",
        "setup",
        "systemd-oomd.socket",
        "nbd@.service",
        "snort@.service",
        "xdg-desktop-portal-hyprland.service",
        "drkonqi-sentry-postman.timer",
        "systemd-pcrlock-make-policy.service",
        "libc6-i386_2.15-0ubuntu10_amd64.info",
        "system-systemd\\x2dveritysetup.slice",
        "bpftune.service",
        "error-message.js",
        "dnscrypt-proxy.service",
        "NetworkManager-dispatcher.service",
        "systemd-sysupdate.service",
        "iscsi.service",
        "libc6-i386_2.30-0ubuntu2_amd64.symbols",
        "mdmonitor-oneshot.service",
        "cryptsetup-pre.target",
        "slackinstall",
        "Hunting_B64Engine_DotNetToJScript_Dos.yar",
        "SeTDOS",
        "libnm.pc",
        "nvidia-resume.service",
        "rpcbind.service",
        "80-ethernet.network.example",
        "payload.php.016",
        "pulseaudio-x11.service",
        "virtproxyd-tls.socket",
        "sys-kernel-config.mount",
        "tmp.mount",
        "pacman-filesdb-refresh.timer",
        "gpg-agent.service",
        "README.md",
        "cache.js",
        "shadow (2)",
        "libnm-device-plugin-wwan.la",
        "90-nm-cloud-setup.sh",
        "libc6-i386_2.19-10ubuntu2_amd64.symbols",
        "user-runtime-dir@.service",
        "systemd-journal-catalog-update.service",
        "empty (3)",
        "at-spi-dbus-bus.service",
        "netdata.service",
        "mariadb@.socket",
        "libc6-i386_2.21-0ubuntu4.3_amd64.symbols",
        "dirmngr@.service",
        "fluidsynth.service",
        "rc.usb",
        "open-url.js",
        "npm-unstar.md",
        "pacman-filesdb-refresh.service",
        "rsh@.service",
        "lightdm.service",
        "dbus-broker.catalog",
        "iscsid.socket",
        "systemd-exit.service",
        "systemd-firstboot.service",
        "talk.service",
        "virtvboxd-admin.socket",
        "systemd-pcrlock-firmware-config.service",
        "stars.js",
        "removepkg (2)",
        "systemd-ask-password-console.service",
        "dist-tag.js",
        "ls.py",
        "canberra-system-shutdown.service",
        "arcolinux-graphical-target.service",
        "clamav-freshclam-once.timer",
        "systemd-random-seed.service",
        "libc6-i386_2.13-0ubuntu13_amd64.symbols",
        "iscsiuio.service",
        "npm-view.md",
        "payload.php.001",
        "search.php",
        "virtnetworkd-ro.socket",
        "pulse-till-done.js",
        "openvpn-client@.service",
        "dbus-broker.service",
        "nsswitch.conf",
        "virtinterfaced.socket",
        "plasma-powerdevil.service",
        "autorandr.service",
        "mdadm-grow-continue@.service",
        "libc6-i386_2.11.1-0ubuntu7.12_amd64.url",
        "systemd-reboot.service",
        "auth-rpcgss-module.service",
        "mariadb.service",
        "time-set.target",
        "isnsd.service",
        "git.py",
        "exec.js",
        "xfs_scrub_all.service",
        "suricata.service",
        "glib-pacrunner.service",
        "empty.lock~",
        "systemd-udevd.service",
        "systemd-journald@.service",
        "securetty (2)",
        "named.service",
        "app.slice",
        "imurmurhash.min.js",
        "mariadb.socket",
        "ld.so (2).conf",
        "nss-user-lookup.target",
        "libc6-i386_2.15-0ubuntu20_amd64.info",
        "virtnodedevd-admin.socket",
        "help.js",
        "systemd-networkd-wait-online.service",
        "https://hybrid-analysis.com/sample/babc94597eadb83b520d6a46a57ef2ad963683aef1ff2fc6fa9ba5e98e78e008/65fcd2b1519a5f86d60eed63",
        "fsck.py",
        "finger@.service",
        "libc6-i386_2.24-9ubuntu2_amd64.info",
        "INSfd",
        "plymouth-reboot.service",
        "kcptun-server@.service",
        "npm-completion.md",
        "libc6-i386_2.4-1ubuntu12_amd64.info",
        "explain-eresolve.js",
        "npm-dedupe.md",
        "gc.py",
        "lxc-net.service",
        "i2pd.service",
        "packagekit-offline-update.service",
        "HOSTNAME (2)",
        "nm-shared.xml",
        "phoronix-result-server.service",
        "host (2).conf",
        "libc6-i386_2.11.1-0ubuntu7.21_amd64.symbols",
        "sys-kernel-debug.mount",
        "eq.js",
        "eicar.txt",
        "fstrim.timer",
        "preload.js",
        "systemd-journal-upload.service",
        "modules.generic_string",
        "mariadb-extra.socket",
        "dialogrc (2)",
        "libc6-i386_2.15-0ubuntu20.2_amd64.url",
        "__init__ (2).py",
        "drkonqi-sentry-postman.path",
        "passwd (2)",
        "systemd-pcrextend@.service",
        "SeTmedia",
        "network",
        "installpkg (2)",
        "meta.py",
        "npm-test.md",
        "paths.target",
        "system-update-cleanup.service",
        "systemd-sysupdate-reboot.service",
        "smartcard.target",
        "README",
        "systemd-journal-flush.service",
        "80-container-vz.network",
        "motd",
        "session.slice",
        "prefix.js",
        "queryable.js",
        "celery2@.service",
        "btrfs-scrub@.timer",
        "mdmonitor-oneshot.timer",
        "ipmiseld.service",
        "libc6-i386_2.9-4ubuntu6.3_amd64.symbols",
        "ping.js",
        "e2scrub_reap.service",
        "reflector.timer",
        "makedevs (2).sh",
        "libc6-i386_2.4-1ubuntu12.3_amd64.symbols",
        "dirmngr@etc-pacman.d-gnupg.socket",
        "libc6-i386_2.12.1-0ubuntu10.4_amd64.info",
        "remote-fs-pre.target",
        "join.py",
        "libc6-i386_2.12.1-0ubuntu10.4_amd64.symbols",
        "root.js",
        "is-windows.js",
        "ratholes@.service",
        "asyncrecv.rc",
        "install-ci-test.js",
        "log-file.js",
        "systemd-pstore.service",
        "inc.js",
        "rebuild.js",
        "repo.js",
        "systemd-growfs-root.service",
        "keyboxd@etc-pacman.d-gnupg.socket",
        "80-vm-vt.network",
        "profile",
        "user.slice",
        "btrfs-scrub@.service",
        "fdisk",
        "https://hybrid-analysis.com/sample/479a0170df010c5eb742ff1b8740a2ccf381df44c8a919c95d6e38685278e78a/661da5c768340c1e25092cb2",
        "npm-diff.md",
        "openssl.pc",
        "virtproxyd-tcp.socket",
        "nfs-idmapd.service",
        "fwupd-refresh.service",
        "modprobe@.service",
        "virtqemud.socket",
        "avahi-dnsconfd.service",
        "virtvboxd.service",
        "ld.so.conf",
        "canberra-system-shutdown-reboot.service",
        "sshdgenkeys.service",
        "virtnodedevd.service",
        "systemd-pcrlock.socket",
        "systemd-tpm2-setup-early.service",
        "plymouth-switch-root-initramfs.service",
        "INSdir (2)",
        "wacom-inputattach@.service",
        "libc6-i386_2.17-0ubuntu5.1_amd64.info",
        "xdg-desktop-portal-gtk.service",
        "start.js",
        "npm-unpublish.md",
        "path.py",
        "remote-fs.target",
        "virtsecretd-ro.socket",
        "10-login-barrier.conf",
        "libvirtd-tcp.socket",
        "notes.txt",
        "pcscd.socket",
        "snmpd.service",
        "mdadm-last-resort@.timer",
        "rsyncd.socket",
        "arborist-cmd.js",
        "systemd.catalog",
        "SeTpartitions (2)",
        "60-flatpak",
        "sslh.service",
        "systemd-udevd-kernel.socket",
        "systemd-timesyncd.service",
        "sysinit.target",
        "snmptrapd.service",
        "libc6-i386_2.27-3ubuntu1_amd64.symbols",
        "80-wifi-adhoc.network",
        "APT_Backdoor_PS1_BASICPIPESHELL_1.yar",
        "cape-fstab.service",
        "clamav-clamonacc.service",
        "containerd.service",
        "geoipupdate.timer",
        "krb5-kdc.service",
        "libc6-i386_2.13-20ubuntu5.2_amd64.url",
        "libc6-i386_2.15-0ubuntu10.18_amd64.url",
        "systemd-confext.service",
        "libc6-i386_2.13-0ubuntu13.2_amd64.url",
        "podman-kube@.service",
        "fstab (2)",
        "mtab (2)"
      ],
      "related": {
        "alienvault": {
          "adversary": [],
          "malware_families": [],
          "industries": []
        },
        "other": {
          "adversary": [
            "Chinese Speaking"
          ],
          "malware_families": [
            "Successaction",
            "Winbindoptions",
            "Nmbdoptions",
            "Smbdoptions",
            "Remainafterexit"
          ],
          "industries": []
        }
      }
    },
    "false_positive": []
  },
  "geo": {},
  "geo_ipapicom": {},
  "pulse_count": 5,
  "pulses": [
    {
      "id": "6a16ac90f5b7cde86d323464",
      "name": "[\"backup ios...\"] clone by Merkd1904. User note: theres a name tagged here thats interesting",
      "description": "",
      "modified": "2026-05-27T08:34:24.654000",
      "created": "2026-05-27T08:34:24.654000",
      "tags": [
        "fireeye",
        "copyright",
        "base64",
        "dotnettojscript",
        "gadgettojscript",
        "invokeclient",
        "invokeserver",
        "readhost enter",
        "command",
        "roth",
        "nextron",
        "sandworm",
        "detects ssh",
        "grant all",
        "privileges on",
        "to mysqldb",
        "create user",
        "g root",
        "sandworm python",
        "import",
        "phpsploit",
        "host",
        "user",
        "pass",
        "error",
        "establish",
        "pecl oci8",
        "connstr",
        "charset",
        "false",
        "miner",
        "texthtml",
        "module",
        "send custom",
        "swissky",
        "class",
        "serviceip",
        "serviceport",
        "servicedata",
        "e binsh",
        "init",
        "service port",
        "detects",
        "cve202140444",
        "target",
        "targetmode",
        "jeremy brown",
        "windows cve",
        "ms office",
        "modified rule",
        "rperm",
        "wperm",
        "pathsep",
        "string",
        "rwxrxrx",
        "file types",
        "unix",
        "login",
        "autentication",
        "disable",
        "ldapconnect",
        "version",
        "authentication",
        "ldaplist",
        "null",
        "pathelems",
        "execute",
        "backdoor",
        "kingdee oa",
        "yunxingkong",
        "b6oa",
        "code execution",
        "kingdee cloud",
        "starry sky",
        "otherwise",
        "file",
        "setsmartdate",
        "fread",
        "name",
        "force",
        "base64decode",
        "data",
        "substr",
        "array",
        "readdir",
        "getowner",
        "getgroup",
        "getsize",
        "force option",
        "fwrite",
        "permission",
        "check",
        "mode",
        "diraccess",
        "fileaccess",
        "realpath",
        "stat",
        "immutable",
        "posixgetpwuid",
        "posixgetgrgid",
        "explode",
        "etcpasswd",
        "glob",
        "globonlydir",
        "oraclelogin",
        "port",
        "servicename",
        "connector",
        "base",
        "query type",
        "mssqlfetcharray",
        "mssqlassoc",
        "solsocket",
        "timeout",
        "range",
        "portmin",
        "portmax",
        "socketcreate",
        "afinet",
        "sockstream",
        "open",
        "type",
        "true",
        "tcp connection",
        "tcp shell",
        "input",
        "lhost",
        "netcat",
        "lport",
        "shell",
        "dllimport",
        "python",
        "back",
        "fore",
        "pfinet",
        "stdout",
        "this",
        "win32",
        "ldapsearch",
        "select",
        "mysqliassoc",
        "select database",
        "send",
        "newfile",
        "dns stub",
        "third party",
        "see man",
        "exit",
        "o pipefail",
        "v systemctl",
        "devnull",
        "unknown verb",
        "license",
        "gnu lesser",
        "general public",
        "free software",
        "foundation",
        "unit",
        "slice",
        "cpuweight100",
        "tasks slice",
        "cpuweight30",
        "capev2",
        "cape",
        "cuckoo web",
        "setup",
        "grep",
        "limitnofile",
        "install",
        "return",
        "execstart",
        "start",
        "descriptionrun",
        "timer",
        "oncalendardaily",
        "service",
        "prevent rate",
        "delay start",
        "m poetry",
        "sigkill",
        "descriptioncape",
        "ef usercape",
        "g cape",
        "allowisolateyes",
        "typedbus",
        "socket",
        "message bus",
        "listenstream",
        "typenotify",
        "descriptionuser",
        "harald sitter",
        "sitter",
        "kcrash",
        "drkonqi",
        "acceptyes",
        "disable trigger",
        "todo",
        "prevents",
        "path",
        "pathexistsglob",
        "runtimemaxsec31",
        "runtimemaxsec30",
        "restartno",
        "descriptionexit",
        "environmentfile",
        "otheropts",
        "soundfont",
        "descriptiongcr",
        "sshauthsock",
        "descriptionglib",
        "priority6",
        "killmodeprocess",
        "proxy",
        "socketmode0600",
        "apache software",
        "notice file",
        "apache license",
        "unless",
        "as is",
        "basis",
        "or conditions",
        "apple file",
        "conduit monitor",
        "descriptionjack",
        "jackoptions d",
        "driver d",
        "device",
        "media transfer",
        "indexer daemon",
        "memory",
        "memoryhigh512m",
        "system sockets",
        "a user",
        "conditionuser",
        "dbus menus",
        "plasma",
        "phase",
        "workspace core",
        "exit status",
        "x11 connection",
        "timeoutstopsec5",
        "disable restart",
        "timeoutsec40sec",
        "typeoneshot",
        "david edmundson",
        "davidedmundson",
        "osd service",
        "portal",
        "auto restart",
        "dbus",
        "xembed system",
        "logging system",
        "socketmode0660",
        "all containers",
        "restart policy",
        "logging start",
        "execstopbinsh c",
        "logging",
        "x11 plugins",
        "session slice",
        "typeforking",
        "etc userroot",
        "grouproot",
        "onbootsec15min",
        "place",
        "temporary",
        "volatile files",
        "thunar",
        "session manager",
        "wireplumber",
        "service file",
        "xdg autostart",
        "user dir",
        "descriptionxfce",
        "sandbox",
        "malware",
        "analysis",
        "online",
        "submit",
        "vxstream",
        "sample",
        "download",
        "trojan",
        "apt",
        "memoryfile scan",
        "ansi",
        "bpf program",
        "indicator",
        "bpf firewalling",
        "pcap",
        "pcap processing",
        "bpffallowmulti",
        "bpf device",
        "date",
        "suspicious",
        "hybrid",
        "crypto",
        "close",
        "click",
        "april",
        "strings",
        "february",
        "middle",
        "exploit",
        "gameover",
        "contact",
        "scope",
        "thomas koch",
        "gpl v2",
        "imsm",
        "ibftruledir",
        "ibftrules",
        "attr",
        "systemd rule",
        "hannes reinecke",
        "suse labs",
        "ipibft",
        "interface",
        "kernel",
        "configfile",
        "typesimple",
        "apparmor",
        "grouparchaudit",
        "hardening",
        "umask077",
        "persistenttrue",
        "enable debug",
        "networkmanager",
        "trace",
        "wait online",
        "edit",
        "note",
        "reload",
        "capdacoverride",
        "dhcp etc",
        "mdadmscan",
        "mdadmdelay",
        "mdadmmail",
        "mdadmprogram",
        "mdadmconfig",
        "mdadmsendmail",
        "p runsysconfig",
        "userroot",
        "sssd",
        "write access",
        "needed sometime",
        "statedirectory",
        "accountsservice",
        "varloglastlog",
        "bridge daemon",
        "alsa card",
        "card state",
        "required",
        "another auto",
        "nice daemon",
        "memorymax64m",
        "filter system",
        "mount",
        "reboot",
        "clock",
        "logging service",
        "requires",
        "before",
        "please",
        "exit codes",
        "proc",
        "descriptionruns",
        "execstartsh c",
        "switchtoggle",
        "ignoreonisolate",
        "term typeidle",
        "without",
        "any warranty",
        "merchantability",
        "fitness",
        "a particular",
        "vartmp",
        "wants type",
        "preparation",
        "watchdogsec10",
        "filesystem",
        "timer daemon",
        "options",
        "environment",
        "prevent",
        "readwritepaths",
        "security",
        "certain",
        "protectsystem",
        "bindpaths",
        "lower cpu",
        "nice19",
        "manager",
        "userc",
        "celerydnodes",
        "info",
        "chaddevops",
        "aaron brighton",
        "clam antivirus",
        "jon kriel",
        "distribution",
        "script",
        "sanesecurity",
        "securiteinfo",
        "malwarepatrol",
        "oitc",
        "file location",
        "remember",
        "typeexec user",
        "9 cntlm",
        "generate color",
        "profiles",
        "removeipctrue",
        "devpts",
        "authors",
        "any kind",
        "usercouchdb",
        "restartsec5",
        "volumes",
        "server socket",
        "user209",
        "daemon",
        "darkstatiface",
        "reloadconfig",
        "watchdogsec3min",
        "privatetmpyes",
        "protectproc",
        "increase",
        "descriptiontime",
        "date service",
        "debugging only",
        "ignoresigpipeno",
        "unset locale",
        "file system",
        "queue file",
        "whatmqueue",
        "optionsnosuid",
        "pf rundhclient",
        "rate",
        "requiresdirmngr",
        "capfowner",
        "capsetpcap",
        "dhcp",
        "dns server",
        "startlimit",
        "limits",
        "delegateyes",
        "descriptionpass",
        "runtimemaxsec5",
        "mountain",
        "metadata check",
        "all filesystems",
        "online metadata",
        "sunday",
        "oncalendarsun",
        "online ext4",
        "sigterm signal",
        "java process",
        "piddir",
        "standardoutput",
        "elasticsearch",
        "limitnproc4096",
        "limitasinfinity",
        "sendsighupyes",
        "mapper daemon",
        "mainpid",
        "quit",
        "listenstream79",
        "radius server",
        "d etcraddb",
        "protecthomeon",
        "default",
        "systemservice",
        "efiefi bootefi",
        "afinet afinet6",
        "afunix afinet",
        "oncalendar 0000",
        "privatetmptrue",
        "geoip legacy",
        "geoip2",
        "instance",
        "usergit",
        "scdconfig",
        "notice",
        "devinputmice t",
        "descriptiongps",
        "system",
        "sock refclock",
        "gpsdoptions",
        "devices",
        "daemon sockets",
        "2947",
        "bindipv6onlyyes",
        "usbauto",
        "usrbingpsdctl",
        "gps daemon",
        "afterdev",
        "gvmddata",
        "varlibgssproxy",
        "nonewprivileges",
        "privatetmp",
        "protecthome",
        "ieee",
        "etchostapd",
        "killmodemixed",
        "fcopy",
        "uncomment",
        "use sigterm",
        "sigkill i2pd",
        "sendsigkillyes",
        "limitnofile8192",
        "systemd",
        "analog",
        "shutting down",
        "iodineextip p",
        "iodineport p",
        "iodineuser",
        "tunip",
        "topdomain",
        "guessmainpidyes",
        "m node",
        "wants",
        "initiatorname",
        "io driver",
        "typeexec",
        "c etckcptun",
        "usernobody",
        "requireskeyboxd",
        "static device",
        "nofork",
        "restartalways",
        "linker cache",
        "hack",
        "use wants",
        "raise",
        "tasksmax",
        "tasksmax32768",
        "limitmemlock64m",
        "removeonstopyes",
        "ip socket",
        "tls ip",
        "conflictsgetty",
        "aftergetty",
        "busmodules",
        "qabr",
        "hwmonmodules",
        "local file",
        "privatenetwork",
        "lvm2",
        "initialization",
        "autoboot code",
        "s delegatetrue",
        "description",
        "pidfilerunlxc",
        "lynis service",
        "adjust path",
        "lynis binary",
        "lynis timer",
        "tell systemd",
        "lynis security",
        "persistentfalse",
        "container slice",
        "recover",
        "varcacheman",
        "regenerate man",
        "userroot nice19",
        "mysqldopts",
        "mysqldsafe",
        "timezone",
        "core",
        "restart",
        "users",
        "backlog150",
        "listenstreams",
        "servicemariadb",
        "mechanism",
        "mariadb",
        "multi instance",
        "variables",
        "bindirmdadm",
        "gnu general",
        "public license",
        "reshape",
        "onactivesec30",
        "oncalendar",
        "wantedby",
        "monitor",
        "allow mdmon",
        "takeover",
        "k none",
        "c devnull",
        "d runinitramfs",
        "p runmongodb",
        "limitnproc32000",
        "limitmemlock5",
        "device server",
        "requiredbydev",
        "d dev",
        "descriptionreal",
        "extraopts",
        "restartsec30",
        "valid",
        "fifo",
        "priority",
        "batch",
        "nice0",
        "partof",
        "tracking daemon",
        "helper",
        "for testing",
        "only",
        "restrict",
        "grant",
        "capsysptrace",
        "capkill",
        "capipclock",
        "environ",
        "capsysresource",
        "capsyslog",
        "descriptionname",
        "service cache",
        "sysvlsb",
        "descriptionhost",
        "network name",
        "group name",
        "u ntp",
        "time service",
        "t hibernate",
        "software",
        "other",
        "the software",
        "daemon init",
        "software is",
        "provided",
        "fcnvme",
        "wantsmodprobe",
        "aftermodprobe",
        "descriptionall",
        "nbft",
        "nvmeof",
        "connectargs",
        "unit file",
        "descriptionnvmf",
        "red hat",
        "without any",
        "warranty",
        "card daemon",
        "socketmode0666",
        "suite result",
        "kexec screen",
        "oncalendarsat",
        "boot screen",
        "timeoutsec20",
        "power off",
        "runtime data",
        "descriptionhold",
        "timeoutsec0",
        "sandboxing",
        "execstop",
        "colin walters",
        "upgrade",
        "upgrade output",
        "umask0077",
        "transport agent",
        "descriptionmake",
        "descriptionppp",
        "whatnfsd",
        "file formats",
        "automount point",
        "automount",
        "setuid nobody",
        "setgid nobody",
        "setcon",
        "syslog",
        "restartonabort",
        "halt screen",
        "reboot screen",
        "pgroot",
        "postgresql",
        "oom killer",
        "additional",
        "fy nice19",
        "endless os",
        "foundation llc",
        "restartsec0",
        "system quotas",
        "rabbitmq",
        "protecthometrue",
        "etcrathole",
        "guessmainpidno",
        "h etcrdnssd",
        "reflector",
        "afinet6 afunix",
        "umask177",
        "remote file",
        "nfs client",
        "nfsv23 locking",
        "make sure",
        "rpc netconfig",
        "descriptionfast",
        "using ssh",
        "so let",
        "boot",
        "realtimekit",
        "rwhodopts",
        "display manager",
        "specify",
        "interval l",
        "loginterval f",
        "bindstodev",
        "always",
        "usrbingrpck r",
        "slapdoptions",
        "u ldap",
        "slapdurls",
        "smart",
        "pciusb",
        "midi",
        "daemonopts",
        "snmp",
        "trap daemon",
        "g snort",
        "descriptionsudo",
        "hibernate",
        "svnserveargs",
        "whatfusectl",
        "whatconfigfs",
        "whatdebugfs",
        "whattracefs",
        "best way",
        "see https",
        "units service",
        "service slice",
        "offline system",
        "update",
        "wall directory",
        "timeoutsec90s",
        "descriptionmark",
        "current boot",
        "loader entry",
        "any system",
        "units",
        "loader random",
        "loader update",
        "service socket",
        "dump socket",
        "optionally",
        "root device",
        "afalg afinet",
        "execstophomectl",
        "home area",
        "named pipe",
        "sink service",
        "sink socket",
        "upload service",
        "dynamicuseryes",
        "sigkilled",
        "devlog",
        "timestampingus",
        "namespace",
        "sendbuffer8m",
        "kernel command",
        "netlink socket",
        "storage",
        "descriptionwait",
        "network",
        "make",
        "deviceallow",
        "reserve",
        "killer socket",
        "root file",
        "measurement",
        "pcr policy",
        "tpm pcr",
        "code",
        "configuration",
        "machine id",
        "barrier",
        "quota check",
        "system quota",
        "after",
        "random seed",
        "kernel file",
        "gpt partition",
        "kill switch",
        "nvmetcp",
        "trigger",
        "saturday",
        "persistentyes",
        "system update",
        "kernel time",
        "capsystime",
        "ntp service",
        "turn",
        "files",
        "device nodes",
        "srk setup",
        "device events",
        "bootshutdown",
        "change",
        "manager socket",
        "descriptiontinc",
        "proxy server",
        "linrunner",
        "descriptiontlp",
        "tor service",
        "f etctortorrc",
        "tpm device",
        "descriptionudp",
        "tcpicmpudp",
        "etcudp2raw",
        "debug",
        "swap",
        "api file",
        "privatedevices",
        "home",
        "root",
        "runuser",
        "linux control",
        "groups",
        "group",
        "afnetlink",
        "locked memory",
        "limitmemlock0",
        "usb gadget",
        "apple",
        "sliceuser",
        "descriptionuuid",
        "compatibility",
        "typerpcpipefs",
        "vmsvga",
        "hypervisor",
        "usr1",
        "mgmt appuser",
        "dac permission",
        "selinux",
        "xxx someone",
        "qemu",
        "machine tools",
        "vmware tools",
        "pidfilerunvpnc",
        "wacom",
        "iface d",
        "dspeed u",
        "iface",
        "descriptionwpa",
        "oracle",
        "reserved",
        "wong",
        "emailaddr",
        "tunnel protocol",
        "l2tp",
        "isps",
        "russia use",
        "ipsec",
        "d optxplico",
        "b sqlite",
        "descriptionxrdp",
        "xrdpoptions",
        "process",
        "sesmanoptions",
        "zpoolimportopts",
        "an o",
        "t scrub",
        "usrbinzpool",
        "zfs volume",
        "descriptionzfs",
        "f restartalways",
        "remainafterexit",
        "nmbdoptions",
        "smbdoptions",
        "successaction",
        "winbindoptions",
        "ck id",
        "hybrid analysis",
        "mitre att",
        "malicious",
        "sdshared ansi",
        "default und",
        "func global",
        "func local",
        "object local",
        "general",
        "show technique",
        "ck matrix",
        "tasksmax33",
        "empty file",
        "proxycommand",
        "checkhostip",
        "afunix",
        "afvsock",
        "allow",
        "r table",
        "chkbootcheck",
        "gplv2 source",
        "chkbootstyles",
        "etcissue",
        "partition",
        "minimizebest",
        "mit no",
        "match",
        "link",
        "namepolicykeep",
        "ethernet link",
        "kindveth nameve",
        "kindveth namevb",
        "keepmasteryes",
        "dhcpv4",
        "kindsit name6rd",
        "ipv4ll",
        "ipv6ll",
        "dhcpipv6ra",
        "dhcpv6",
        "typeether",
        "dhcpyes",
        "usetimezoneyes",
        "typewlan",
        "tuntap",
        "natdhcp",
        "kindtun namevt",
        "kind",
        "originalname",
        "definedby",
        "peer",
        "sopeergroups",
        "dbus protocol",
        "dbus name",
        "exec",
        "hup signal",
        "sighup",
        "dnssec",
        "sessionid",
        "seatid",
        "sleep",
        "leader",
        "jobresult",
        "coredumppid",
        "coredumpcomm",
        "junit",
        "na zapusk",
        "mikrasiekund",
        "enhed",
        "mikrosekunder",
        "opstart",
        "jobid",
        "a rendszer",
        "ezredmsodpercet",
        "a rendszernapl",
        "user manager",
        "smack",
        "lunit",
        "stato",
        "il processo",
        "il sistema",
        "stata",
        "le processus",
        "notez que",
        "jedinica",
        "zapamtite da",
        "nova",
        "jednostka",
        "prosz zauway",
        "zwykle wskazuje",
        "jest",
        "o processo",
        "processo",
        "isso",
        "inicializao",
        "journal",
        "sizelimit",
        "userid",
        "prozess",
        "speicherabbild",
        "hinweis auf",
        "programmfehler",
        "fehler dem",
        "die systemzeit",
        "realtime"
      ],
      "references": [
        "Hunting_B64Engine_DotNetToJScript_Dos.yar",
        "APT_Backdoor_PS1_BASICPIPESHELL_1.yar",
        "apt_sandworm_exim_expl.yar.002",
        "apt_sandworm_exim_expl.yar.001",
        "apt_sandworm_exim_expl.yar",
        "connect.php",
        "connect.php.002",
        "connect.php.001",
        "crypto-miner.js",
        "eicar",
        "eicar.001",
        "eicar.002",
        "custom.py",
        "eicar.txt",
        "expl_cve_2021_40444.yar.001",
        "expl_cve_2021_40444.yar.002",
        "getPerms.php",
        "input.pcap",
        "list.php",
        "parent.php",
        "payload.php",
        "payload.php.001",
        "kingdee-erp-rce.yaml",
        "payload.php.003",
        "payload.php.002",
        "payload.php.004",
        "payload.php.005",
        "payload.php.006",
        "payload.php.007",
        "payload.php.008",
        "payload.php.010",
        "payload.php.011",
        "payload.php.009",
        "payload.php.012",
        "payload.php.013",
        "payload.php.015",
        "payload.php.016",
        "payload.php.017",
        "reverse_tcp.py",
        "scanner.php",
        "search.php",
        "setdb.php",
        "payload.php.014",
        "setdb.php.001",
        "reader.php",
        "single.php",
        "resolv.conf",
        "systemd-update-helper",
        "90-systemd.preset",
        "60-flatpak",
        "app.slice",
        "background.slice",
        "README.md",
        "bluetooth.target",
        "basic.target",
        "borgmatic-user.timer",
        "borgmatic-user.service",
        "cape.service",
        "cape-dist.service",
        "cape-processor.service",
        "cape-rooter.service",
        "capsule@.target",
        "cape-web.service",
        "clash.service",
        "colord-session.service",
        "dbus.socket",
        "cape-fstab.service",
        "dbus.service",
        "dbus-broker.service",
        "dconf.service",
        "dirmngr.service",
        "default.target",
        "drkonqi-coredump-cleanup.service",
        "dirmngr.socket",
        "drkonqi-coredump-cleanup.timer",
        "drkonqi-coredump-launcher.socket",
        "drkonqi-sentry-postman.path",
        "drkonqi-coredump-pickup.service",
        "drkonqi-sentry-postman.service",
        "drkonqi-sentry-postman.timer",
        "drkonqi-coredump-launcher@.service",
        "dunst.service",
        "flatpak-oci-authenticator.service",
        "filter-chain.service",
        "exit.target",
        "flatpak-session-helper.service",
        "fluidsynth.service",
        "gcr-ssh-agent.socket",
        "flatpak-portal.service",
        "gcr-ssh-agent.service",
        "gnome-keyring-daemon.service",
        "glib-pacrunner.service",
        "gnome-keyring-daemon.socket",
        "gpg-agent-ssh.socket",
        "gnome-terminal-server.service",
        "gpg-agent-extra.socket",
        "gpg-agent.service",
        "gpg-agent.socket",
        "gpg-agent-browser.socket",
        "graphical-session-pre.target",
        "graphical-session.target",
        "gssuserproxy.socket",
        "guacd.service",
        "gvfs-gphoto2-volume-monitor.service",
        "gvfs-daemon.service",
        "gssuserproxy.service",
        "gvfs-afc-volume-monitor.service",
        "gvfs-metadata.service",
        "jack@.service",
        "guac-web.service",
        "gvfs-udisks2-volume-monitor.service",
        "gvfs-mtp-volume-monitor.service",
        "kde-baloo.service",
        "keyboxd.service",
        "kio-fuse.service",
        "keyboxd.socket",
        "p11-kit-server.service",
        "p11-kit-server.socket",
        "paths.target",
        "pipewire.socket",
        "pipewire-pulse.service",
        "plasma-gmenudbusmenuproxy.service",
        "pipewire-pulse.socket",
        "plasma-baloorunner.service",
        "plasma-kcminit.service",
        "plasma-dolphin.service",
        "plasma-kcminit-phase1.service",
        "plasma-core.target",
        "plasma-kded.service",
        "pipewire.service",
        "plasma-kded6.service",
        "plasma-kglobalaccel.service",
        "at-spi-dbus-bus.service",
        "plasma-krunner.service",
        "plasma-kscreen.service",
        "plasma-kscreen-osd.service",
        "plasma-ksmserver.service",
        "plasma-ksplash.service",
        "plasma-ksplash-ready.service",
        "plasma-ksystemstats.service",
        "plasma-kwallet-pam.service",
        "plasma-kwin_wayland.service",
        "plasma-kwin_x11.service",
        "plasma-plasmashell.service",
        "plasma-polkit-agent.service",
        "plasma-powerdevil.service",
        "plasma-powerprofile-osd.service",
        "plasma-restoresession.service",
        "plasma-workspace.target",
        "plasma-workspace-wayland.target",
        "plasma-workspace-x11.target",
        "plasma-xdg-desktop-portal-kde.service",
        "plasma-xembedsniproxy.service",
        "podman.service",
        "podman.socket",
        "podman-auto-update.service",
        "podman-auto-update.timer",
        "podman-kube@.service",
        "podman-restart.service",
        "printer.target",
        "pulseaudio.service",
        "pulseaudio.socket",
        "pulseaudio-x11.service",
        "session.slice",
        "shutdown.target",
        "smartcard.target",
        "sockets.target",
        "sound.target",
        "ssh-agent.service",
        "suricata.service",
        "suricata-update.service",
        "suricata-update.timer",
        "systemd-exit.service",
        "systemd-tmpfiles-clean.service",
        "systemd-tmpfiles-clean.timer",
        "systemd-tmpfiles-setup.service",
        "thunar.service",
        "timers.target",
        "tracker-xdg-portal-3.service",
        "tumblerd.service",
        "wireplumber.service",
        "wireplumber@.service",
        "xdg-desktop-autostart.target",
        "xdg-desktop-portal.service",
        "xdg-desktop-portal-gtk.service",
        "xdg-desktop-portal-hyprland.service",
        "xdg-desktop-portal-rewrite-launchers.service",
        "xdg-desktop-portal-xapp.service",
        "xdg-permission-store.service",
        "xdg-user-dirs-update.service",
        "xfce4-notifyd.service",
        "xsettingsd.service",
        "xdg-document-portal.service",
        "https://hybrid-analysis.com/sample/b1a9e5be43c028442c07071e202f44f33e3a2df167822c5cfed8f998e01fe169/661da09794b343782806018e",
        "defaults.conf",
        "apparmor.conf",
        "nvidia",
        "tlp",
        "fwupd.shutdown",
        "mdadm.shutdown",
        "99-default.preset",
        "50-zfs.preset",
        "ibft-rule-generator",
        "10-arch",
        "60-flatpak-system-only",
        "3proxy.service",
        "apache-tika.service",
        "apparmor.service",
        "arch-audit.service",
        "arch-audit.timer",
        "NetworkManager-dispatcher.service",
        "NetworkManager-wait-online.service",
        "NetworkManager.service",
        "SUSE-mdadm_env.sh",
        "ModemManager.service",
        "3proxy.conf",
        "archlinux-keyring-wkd-sync.service",
        "adsl.service",
        "accounts-daemon.service",
        "adb.service",
        "alsa-restore.service",
        "alsa-state.service",
        "archlinux-keyring-wkd-sync.timer",
        "ananicy-cpp.service",
        "arcolinux-graphical-target.service",
        "atftpd.service",
        "audit-rules.service",
        "auditd.service",
        "auth-rpcgss-module.service",
        "autorandr.service",
        "autorandr-lid-listener.service",
        "autovt@.service",
        "avahi-daemon.service",
        "avahi-daemon.socket",
        "avahi-dnsconfd.service",
        "bettercap.service",
        "betterlockscreen@.service",
        "blk-availability.service",
        "blockdev@.target",
        "bluetooth.service",
        "bmc-watchdog.service",
        "bolt.service",
        "boot-complete.target",
        "borgmatic.service",
        "borgmatic.timer",
        "bpftune.service",
        "btrfs-scrub@.service",
        "btrfs-scrub@.timer",
        "canberra-system-bootup.service",
        "canberra-system-shutdown.service",
        "canberra-system-shutdown-reboot.service",
        "capsule.slice",
        "capsule@.service",
        "celery2@.service",
        "celery@.service",
        "chkboot.service",
        "clamav-clamonacc.service",
        "clamav-daemon.service",
        "clamav-daemon.socket",
        "clamav-freshclam.service",
        "clamav-freshclam-once.service",
        "clamav-freshclam-once.timer",
        "clamav-unofficial-sigs.service",
        "clamav-unofficial-sigs.timer",
        "clash@.service",
        "cntlm.service",
        "colord.service",
        "configure-printer@.service",
        "console-getty.service",
        "container-getty@.service",
        "containerd.service",
        "couchdb.service",
        "cpupower.service",
        "create_ap.service",
        "cronie.service",
        "cryptsetup.target",
        "cryptsetup-pre.target",
        "ctrl-alt-del.target",
        "cups.path",
        "cups.service",
        "cups.socket",
        "cups-lpd.socket",
        "cups-lpd@.service",
        "cxl-monitor.service",
        "darkstat.service",
        "daxdev-reconfigure@.service",
        "dbus-org.freedesktop.hostname1.service",
        "dbus-org.freedesktop.import1.service",
        "dbus-org.freedesktop.locale1.service",
        "dbus-org.freedesktop.login1.service",
        "dbus-org.freedesktop.machine1.service",
        "dbus-org.freedesktop.portable1.service",
        "dbus-org.freedesktop.timedate1.service",
        "debug-shell.service",
        "dev-hugepages.mount",
        "dev-mqueue.mount",
        "dhclient@.service",
        "dhcpd4.service",
        "dhcpd6.service",
        "dirmngr@.service",
        "dirmngr@.socket",
        "dm-event.service",
        "dm-event.socket",
        "dmraid.service",
        "dnscrypt-proxy.service",
        "dnsmasq.service",
        "docker.service",
        "docker.socket",
        "drkonqi-coredump-processor@.service",
        "e2scrub@.service",
        "e2scrub_all.service",
        "e2scrub_all.timer",
        "e2scrub_fail@.service",
        "e2scrub_reap.service",
        "ead.service",
        "elasticsearch.service",
        "elasticsearch-keystore.service",
        "elasticsearch-keystore@.service",
        "elasticsearch@.service",
        "emergency.service",
        "emergency.target",
        "epmd.service",
        "epmd.socket",
        "exabgp.service",
        "factory-reset.target",
        "fancontrol.service",
        "fastnetmon.service",
        "final.target",
        "finger.socket",
        "finger@.service",
        "first-boot-complete.target",
        "flatpak-system-helper.service",
        "freeradius.service",
        "fsidd.service",
        "fstrim.service",
        "fstrim.timer",
        "ftpd.service",
        "fwupd.service",
        "fwupd-offline-update.service",
        "fwupd-refresh.service",
        "fwupd-refresh.timer",
        "geoclue.service",
        "geoipupdate.service",
        "geoipupdate.timer",
        "getty.target",
        "getty-pre.target",
        "getty@.service",
        "git-daemon.socket",
        "git-daemon@.service",
        "gnupg-pkcs11-scd-proxy.service",
        "gpg-agent-browser@.socket",
        "gpg-agent-extra@.socket",
        "gpg-agent-ssh@.socket",
        "gpg-agent@.service",
        "gpg-agent@.socket",
        "gpm.path",
        "gpm.service",
        "gpsd.service",
        "gpsd.socket",
        "gpsdctl@.service",
        "graphical.target",
        "greenbone-certdata-sync.service",
        "greenbone-certdata-sync.timer",
        "greenbone-feed-sync.service",
        "greenbone-feed-sync.timer",
        "greenbone-nvt-sync.service",
        "greenbone-nvt-sync.timer",
        "greenbone-scapdata-sync.service",
        "greenbone-scapdata-sync.timer",
        "gssproxy.service",
        "gvmd.service",
        "halt.target",
        "healthd.service",
        "hibernate.target",
        "hostapd.service",
        "hostapd@.service",
        "httpd.service",
        "hv_fcopy_daemon.service",
        "hv_kvp_daemon.service",
        "hv_vss_daemon.service",
        "hybrid-sleep.target",
        "i2pd.service",
        "iiod.service",
        "initrd.target",
        "initrd-cleanup.service",
        "initrd-fs.target",
        "initrd-parse-etc.service",
        "initrd-root-device.target",
        "initrd-root-fs.target",
        "initrd-switch-root.service",
        "initrd-switch-root.target",
        "initrd-udevadm-cleanup-db.service",
        "initrd-usr-fs.target",
        "integritysetup.target",
        "integritysetup-pre.target",
        "iodined.service",
        "iodined.socket",
        "ip2clued.service",
        "ip6tables.service",
        "ipmidetectd.service",
        "ipmiseld.service",
        "iptables.service",
        "iscsi.service",
        "iscsi-init.service",
        "iscsid.service",
        "iscsid.socket",
        "iscsiuio.service",
        "iscsiuio.socket",
        "isnsd.service",
        "isnsd.socket",
        "iwd.service",
        "kcptun-server@.service",
        "kcptun@.service",
        "kexec.target",
        "keyboxd@.service",
        "keyboxd@.socket",
        "kmod-static-nodes.service",
        "krb5-kadmind.service",
        "krb5-kdc.service",
        "krb5-kpropd.service",
        "krb5-kpropd.socket",
        "krb5-kpropd@.service",
        "lastlog2-import.service",
        "ldconfig.service",
        "libvirt-guests.service",
        "libvirtd.service",
        "libvirtd.socket",
        "libvirtd-admin.socket",
        "libvirtd-ro.socket",
        "libvirtd-tcp.socket",
        "libvirtd-tls.socket",
        "lightdm.service",
        "lm_sensors.service",
        "local-fs.target",
        "local-fs-pre.target",
        "logrotate.service",
        "logrotate.timer",
        "lvm2-lvmpolld.service",
        "lvm2-lvmpolld.socket",
        "lvm2-monitor.service",
        "lxc.service",
        "lxc-auto.service",
        "lxc-monitord.service",
        "lxc-net.service",
        "lxc@.service",
        "lxdm.service",
        "ly.service",
        "lynis.service",
        "lynis.timer",
        "machine.slice",
        "machines.target",
        "man-db.service",
        "man-db.timer",
        "mariadb.service",
        "mariadb.socket",
        "mariadb-extra.socket",
        "mariadb-extra@.socket",
        "mariadb@.service",
        "mariadb@.socket",
        "mdadm-grow-continue@.service",
        "mdadm-last-resort@.service",
        "mdadm-last-resort@.timer",
        "mdcheck_continue.service",
        "mdcheck_continue.timer",
        "mdcheck_start.service",
        "mdcheck_start.timer",
        "mdmon@.service",
        "mdmonitor.service",
        "mdmonitor-oneshot.service",
        "mdmonitor-oneshot.timer",
        "memavaild.service",
        "mkinitcpio-generate-shutdown-ramfs.service",
        "modprobe@.service",
        "mongodb.service",
        "multi-user.target",
        "mysql.service",
        "mysqld.service",
        "named.service",
        "nbd.service",
        "nbd@.service",
        "ndctl-monitor.service",
        "neo4j.service",
        "netavark-dhcp-proxy.service",
        "netavark-dhcp-proxy.socket",
        "netdata.service",
        "network.target",
        "network-online.target",
        "network-pre.target",
        "nfs-blkmap.service",
        "nfs-client.target",
        "nfs-idmapd.service",
        "nfs-mountd.service",
        "nfs-server.service",
        "nfs-utils.service",
        "nfsdcld.service",
        "nfsv4-exportd.service",
        "nfsv4-server.service",
        "nftables.service",
        "nm-priv-helper.service",
        "nmb.service",
        "nohang.service",
        "nohang-desktop.service",
        "nscd.service",
        "nss-lookup.target",
        "nss-user-lookup.target",
        "ntpd.service",
        "ntpdate.service",
        "nvidia-hibernate.service",
        "nvidia-persistenced.service",
        "nvidia-powerd.service",
        "nvidia-resume.service",
        "nvidia-suspend.service",
        "nvmefc-boot-connections.service",
        "nvmf-autoconnect.service",
        "nvmf-connect.target",
        "nvmf-connect-nbft.service",
        "nvmf-connect@.service",
        "pacrunner.service",
        "ostree-boot-complete.service",
        "pacman-filesdb-refresh.timer",
        "pcscd.service",
        "passim.service",
        "pcscd.socket",
        "packagekit-offline-update.service",
        "phoronix-result-server.service",
        "paccache.timer",
        "plymouth-kexec.service",
        "pamac-cleancache.timer",
        "plymouth-quit.service",
        "partimaged.service",
        "plymouth-poweroff.service",
        "plymouth-read-write.service",
        "plymouth-quit-wait.service",
        "paccache.service",
        "plymouth-switch-root-initramfs.service",
        "ostree-remount.service",
        "plymouth-switch-root.service",
        "openvpn-client@.service",
        "podman-clean-transient.service",
        "pamac-offline-upgrade.service",
        "polkit.service",
        "postfix.service",
        "pam_namespace.service",
        "poweroff.target",
        "ppp@.service",
        "opensnitchd.service",
        "proc-fs-nfsd.mount",
        "proc-sys-fs-binfmt_misc.automount",
        "proc-sys-fs-binfmt_misc.mount",
        "phoromatic-server.service",
        "ptunnel.service",
        "openvpn-server@.service",
        "plymouth-halt.service",
        "pamac-cleancache.service",
        "plymouth-reboot.service",
        "ostree-state-overlay@.service",
        "ostree-finalize-staged.service",
        "postgresql.service",
        "phoromatic-client.service",
        "pamac-daemon.service",
        "pacman-filesdb-refresh.service",
        "packagekit.service",
        "pkgfile-update.service",
        "pkgfile-update.timer",
        "plymouth-start.service",
        "ostree-prepare-root.service",
        "ostree-finalize-staged.path",
        "privoxy.service",
        "ostree-finalize-staged-hold.service",
        "qemu-guest-agent.service",
        "quotaon.service",
        "quotaon-root.service",
        "quotaon@.service",
        "rabbitmq.service",
        "ras-mc-ctl.service",
        "rasdaemon.service",
        "rathole@.service",
        "ratholec@.service",
        "ratholes@.service",
        "rc-local.service",
        "rdnssd@.service",
        "reboot.target",
        "redis.service",
        "redis-sentinel.service",
        "reflector.service",
        "reflector.timer",
        "remote-cryptsetup.target",
        "remote-fs.target",
        "remote-fs-pre.target",
        "remote-veritysetup.target",
        "rescue.service",
        "rescue.target",
        "rfkill-block@.service",
        "rfkill-unblock@.service",
        "rlogin.socket",
        "rlogin@.service",
        "rpc-gssd.service",
        "rpc-statd.service",
        "rpc-statd-notify.service",
        "rpc_pipefs.target",
        "rpcbind.service",
        "rpcbind.socket",
        "rpcbind.target",
        "rsh.socket",
        "rsh@.service",
        "rsyncd.service",
        "rsyncd.socket",
        "rsyncd@.service",
        "rtkit-daemon.service",
        "runlevel0.target",
        "runlevel1.target",
        "runlevel2.target",
        "runlevel3.target",
        "runlevel4.target",
        "runlevel5.target",
        "runlevel6.target",
        "rwhod.service",
        "samba.service",
        "sddm.service",
        "seatd.service",
        "sensord.service",
        "serial-getty@.service",
        "shadow.service",
        "shadow.timer",
        "sigpwr.target",
        "slapd.service",
        "sleep.target",
        "slices.target",
        "smartd.service",
        "smb.service",
        "sndiod.service",
        "snmpd.service",
        "snmptrapd.service",
        "snort@.service",
        "snort@1000.service",
        "soft-reboot.target",
        "ssh-access.target",
        "sshd.service",
        "sshdgenkeys.service",
        "sshuttle.service",
        "sslh.service",
        "sslh-fork.service",
        "sslh-select.service",
        "storage-target-mode.target",
        "stunnel.service",
        "sudo_logsrvd.service",
        "suspend.target",
        "suspend-then-hibernate.target",
        "svnserve.service",
        "swap.target",
        "sys-fs-fuse-connections.mount",
        "sys-kernel-config.mount",
        "sys-kernel-debug.mount",
        "sys-kernel-tracing.mount",
        "sysinit.target",
        "syslog.socket",
        "system-systemd\\x2dcryptsetup.slice",
        "system-systemd\\x2dveritysetup.slice",
        "system-update.target",
        "system-update-cleanup.service",
        "system-update-pre.target",
        "systemd-ask-password-console.path",
        "systemd-ask-password-console.service",
        "systemd-ask-password-plymouth.path",
        "systemd-ask-password-plymouth.service",
        "systemd-ask-password-wall.path",
        "systemd-ask-password-wall.service",
        "systemd-backlight@.service",
        "systemd-battery-check.service",
        "systemd-binfmt.service",
        "systemd-bless-boot.service",
        "systemd-boot-check-no-failures.service",
        "systemd-boot-random-seed.service",
        "systemd-boot-update.service",
        "systemd-bootctl.socket",
        "systemd-bootctl@.service",
        "systemd-bsod.service",
        "systemd-confext.service",
        "systemd-coredump.socket",
        "systemd-coredump@.service",
        "systemd-creds.socket",
        "systemd-creds@.service",
        "systemd-firstboot.service",
        "systemd-fsck-root.service",
        "systemd-fsck@.service",
        "systemd-growfs-root.service",
        "systemd-growfs@.service",
        "systemd-halt.service",
        "systemd-hibernate.service",
        "systemd-hibernate-resume.service",
        "systemd-homed.service",
        "systemd-homed-activate.service",
        "systemd-homed-firstboot.service",
        "systemd-hostnamed.service",
        "systemd-hostnamed.socket",
        "systemd-hwdb-update.service",
        "systemd-hybrid-sleep.service",
        "systemd-importd.service",
        "systemd-initctl.service",
        "systemd-initctl.socket",
        "systemd-journal-catalog-update.service",
        "systemd-journal-flush.service",
        "systemd-journal-gatewayd.service",
        "systemd-journal-gatewayd.socket",
        "systemd-journal-remote.service",
        "systemd-journal-remote.socket",
        "systemd-journal-upload.service",
        "systemd-journald.service",
        "systemd-journald.socket",
        "systemd-journald-audit.socket",
        "systemd-journald-dev-log.socket",
        "systemd-journald-varlink@.socket",
        "systemd-journald@.service",
        "systemd-journald@.socket",
        "systemd-kexec.service",
        "systemd-localed.service",
        "systemd-logind.service",
        "systemd-machine-id-commit.service",
        "systemd-machined.service",
        "systemd-modules-load.service",
        "systemd-network-generator.service",
        "systemd-networkd.service",
        "systemd-networkd.socket",
        "systemd-networkd-persistent-storage.service",
        "systemd-networkd-wait-online.service",
        "systemd-networkd-wait-online@.service",
        "systemd-nspawn@.service",
        "systemd-oomd.service",
        "systemd-oomd.socket",
        "systemd-pcrextend.socket",
        "systemd-pcrextend@.service",
        "systemd-pcrfs-root.service",
        "systemd-pcrfs@.service",
        "systemd-pcrlock.socket",
        "systemd-pcrlock-file-system.service",
        "systemd-pcrlock-firmware-code.service",
        "systemd-pcrlock-firmware-config.service",
        "systemd-pcrlock-machine-id.service",
        "systemd-pcrlock-make-policy.service",
        "systemd-pcrlock-secureboot-authority.service",
        "systemd-pcrlock-secureboot-policy.service",
        "systemd-pcrlock@.service",
        "systemd-pcrmachine.service",
        "systemd-pcrphase.service",
        "systemd-pcrphase-initrd.service",
        "systemd-pcrphase-sysinit.service",
        "systemd-portabled.service",
        "systemd-poweroff.service",
        "systemd-pstore.service",
        "systemd-quotacheck.service",
        "systemd-quotacheck-root.service",
        "systemd-quotacheck@.service",
        "systemd-random-seed.service",
        "systemd-reboot.service",
        "systemd-remount-fs.service",
        "systemd-repart.service",
        "systemd-resolved.service",
        "systemd-rfkill.service",
        "systemd-rfkill.socket",
        "systemd-soft-reboot.service",
        "systemd-storagetm.service",
        "systemd-suspend.service",
        "systemd-suspend-then-hibernate.service",
        "systemd-sysctl.service",
        "systemd-sysext.service",
        "systemd-sysext.socket",
        "systemd-sysext@.service",
        "systemd-sysupdate.service",
        "systemd-sysupdate.timer",
        "systemd-sysupdate-reboot.service",
        "systemd-sysupdate-reboot.timer",
        "systemd-sysusers.service",
        "systemd-time-wait-sync.service",
        "systemd-timedated.service",
        "systemd-timesyncd.service",
        "systemd-tmpfiles-setup-dev.service",
        "systemd-tmpfiles-setup-dev-early.service",
        "systemd-tpm2-setup.service",
        "systemd-tpm2-setup-early.service",
        "systemd-udev-trigger.service",
        "systemd-udevd.service",
        "systemd-udevd-control.socket",
        "systemd-udevd-kernel.socket",
        "systemd-update-done.service",
        "systemd-update-utmp.service",
        "systemd-update-utmp-runlevel.service",
        "systemd-user-sessions.service",
        "systemd-userdbd.service",
        "systemd-userdbd.socket",
        "systemd-vconsole-setup.service",
        "systemd-vmspawn@.service",
        "systemd-volatile-root.service",
        "systemd-zram-setup@.service",
        "talk.service",
        "talk.socket",
        "teamd@.service",
        "telnet.socket",
        "telnet@.service",
        "time-set.target",
        "time-sync.target",
        "tinc.service",
        "tinc@.service",
        "tinyproxy.service",
        "tlp.service",
        "tmp.mount",
        "tor.service",
        "tpm2.target",
        "udisks2.service",
        "udp2raw@.service",
        "ufw.service",
        "uksmd.service",
        "umount.target",
        "unbound.service",
        "updatedb.service",
        "updatedb.timer",
        "upower.service",
        "usb-gadget.target",
        "usb_modeswitch@.service",
        "usbipd.service",
        "usbmuxd.service",
        "user.slice",
        "user-runtime-dir@.service",
        "user@.service",
        "uuidd.service",
        "uuidd.socket",
        "var-lib-machines.mount",
        "var-lib-nfs-rpc_pipefs.mount",
        "vboxdrmclient.path",
        "vboxdrmclient.service",
        "vboxservice.service",
        "veritysetup.target",
        "veritysetup-pre.target",
        "virt-guest-shutdown.target",
        "virtchd.service",
        "virtchd.socket",
        "virtchd-admin.socket",
        "virtchd-ro.socket",
        "virtinterfaced.service",
        "virtinterfaced.socket",
        "virtinterfaced-admin.socket",
        "virtinterfaced-ro.socket",
        "virtlockd.service",
        "virtlockd.socket",
        "virtlockd-admin.socket",
        "virtlogd.service",
        "virtlogd.socket",
        "virtlogd-admin.socket",
        "virtlxcd.service",
        "virtlxcd.socket",
        "virtlxcd-admin.socket",
        "virtlxcd-ro.socket",
        "virtnetworkd.service",
        "virtnetworkd.socket",
        "virtnetworkd-admin.socket",
        "virtnetworkd-ro.socket",
        "virtnodedevd.service",
        "virtnodedevd.socket",
        "virtnodedevd-admin.socket",
        "virtnodedevd-ro.socket",
        "virtnwfilterd.service",
        "virtnwfilterd.socket",
        "virtnwfilterd-admin.socket",
        "virtnwfilterd-ro.socket",
        "virtproxyd.service",
        "virtproxyd.socket",
        "virtproxyd-admin.socket",
        "virtproxyd-ro.socket",
        "virtproxyd-tcp.socket",
        "virtproxyd-tls.socket",
        "virtqemud.service",
        "virtqemud.socket",
        "virtqemud-admin.socket",
        "virtqemud-ro.socket",
        "virtsecretd.service",
        "virtsecretd.socket",
        "virtsecretd-admin.socket",
        "virtsecretd-ro.socket",
        "virtstoraged.service",
        "virtstoraged.socket",
        "virtstoraged-admin.socket",
        "virtstoraged-ro.socket",
        "virtvboxd.service",
        "virtvboxd.socket",
        "virtvboxd-admin.socket",
        "virtvboxd-ro.socket",
        "vmtoolsd.service",
        "vmware-vmblock-fuse.service",
        "vpnc@.service",
        "wacom-inputattach@.service",
        "wg-quick.target",
        "wg-quick@.service",
        "winbind.service",
        "wondershaper.service",
        "wpa_supplicant.service",
        "wpa_supplicant-nl80211@.service",
        "wpa_supplicant-wired@.service",
        "wpa_supplicant@.service",
        "xfs_scrub@.service",
        "xfs_scrub_all.service",
        "xfs_scrub_all.timer",
        "xfs_scrub_fail@.service",
        "xl2tpd.service",
        "xplico.service",
        "xrdp.service",
        "xrdp-sesman.service",
        "yate.service",
        "zfs.target",
        "zfs-import.service",
        "zfs-import.target",
        "zfs-import-cache.service",
        "zfs-import-scan.service",
        "zfs-load-key.service",
        "zfs-mount.service",
        "zfs-scrub-monthly@.timer",
        "zfs-scrub-weekly@.timer",
        "zfs-scrub@.service",
        "zfs-share.service",
        "zfs-trim-monthly@.timer",
        "zfs-trim-weekly@.timer",
        "zfs-trim@.service",
        "zfs-volume-wait.service",
        "zfs-volumes.target",
        "zfs-zed.service",
        "plymouth.conf",
        "gpg-agent-ssh@etc-pacman.d-gnupg.socket",
        "keyboxd@etc-pacman.d-gnupg.socket",
        "dirmngr@etc-pacman.d-gnupg.socket",
        "gpg-agent-browser@etc-pacman.d-gnupg.socket",
        "gpg-agent-extra@etc-pacman.d-gnupg.socket",
        "gpg-agent@etc-pacman.d-gnupg.socket",
        "https://hybrid-analysis.com/sample/ff42428f0fcc346cc56e2b00d4b5c4bd43b55f3465b4ccab0efba9c88f4a1c03/661da0b063c895fc2d0a78dc",
        "https://hybrid-analysis.com/sample/9613dee39157b5f9935436b36647047e267b7c10fa4c7ab1fd995db681e58c12/661da5b202eaca78740cf4ed",
        "https://hybrid-analysis.com/sample/479a0170df010c5eb742ff1b8740a2ccf381df44c8a919c95d6e38685278e78a/661da5c768340c1e25092cb2",
        "50-rc_keymap.conf",
        "10-defaults.conf",
        "10-login-barrier.conf",
        "20-systemd-userdb.conf",
        "20-systemd-ssh-proxy.conf",
        "iptables-flush",
        "cpupower",
        "chkboot-bootcheck",
        "10-root.conf",
        "30-root-verity-sig.conf",
        "20-root-verity.conf",
        "80-systemd-timesync.list",
        "80-6rd-tunnel.link",
        "80-container-ve.network",
        "80-container-vb.network",
        "80-container-vz.link",
        "80-6rd-tunnel.network",
        "80-container-vz.network",
        "80-auto-link-local.network.example",
        "80-ethernet.network.example",
        "80-container-host0.network",
        "80-iwd.link",
        "80-container-vb.link",
        "80-vm-vt.link",
        "80-vm-vt.network",
        "80-wifi-adhoc.network",
        "80-wifi-ap.network.example",
        "80-wifi-station.network.example",
        "80-container-ve.link",
        "89-ethernet.network.example",
        "99-default.link",
        "dbus-broker.catalog",
        "dbus-broker-launch.catalog",
        "systemd.be.catalog",
        "systemd.be@latin.catalog",
        "systemd.da.catalog",
        "systemd.bg.catalog",
        "systemd.hu.catalog",
        "systemd.catalog",
        "systemd.it.catalog",
        "systemd.fr.catalog",
        "systemd.ko.catalog",
        "systemd.hr.catalog",
        "systemd.pl.catalog",
        "systemd.pt_BR.catalog",
        "systemd.ru.catalog",
        "systemd.sr.catalog",
        "systemd.zh_CN.catalog",
        "systemd.de.catalog",
        "systemd.zh_TW.catalog",
        "expl_cve_2021_40444.yar"
      ],
      "public": 1,
      "adversary": "Chinese Speaking",
      "targeted_countries": [],
      "malware_families": [
        {
          "id": "RemainAfterExit",
          "display_name": "RemainAfterExit",
          "target": null
        },
        {
          "id": "NMBDOPTIONS",
          "display_name": "NMBDOPTIONS",
          "target": null
        },
        {
          "id": "SMBDOPTIONS",
          "display_name": "SMBDOPTIONS",
          "target": null
        },
        {
          "id": "SuccessAction",
          "display_name": "SuccessAction",
          "target": null
        },
        {
          "id": "WINBINDOPTIONS",
          "display_name": "WINBINDOPTIONS",
          "target": null
        }
      ],
      "attack_ids": [
        {
          "id": "T1027",
          "name": "Obfuscated Files or Information",
          "display_name": "T1027 - Obfuscated Files or Information"
        },
        {
          "id": "T1071",
          "name": "Application Layer Protocol",
          "display_name": "T1071 - Application Layer Protocol"
        },
        {
          "id": "T1082",
          "name": "System Information Discovery",
          "display_name": "T1082 - System Information Discovery"
        },
        {
          "id": "T1106",
          "name": "Native API",
          "display_name": "T1106 - Native API"
        },
        {
          "id": "T1205",
          "name": "Traffic Signaling",
          "display_name": "T1205 - Traffic Signaling"
        },
        {
          "id": "T1140",
          "name": "Deobfuscate/Decode Files or Information",
          "display_name": "T1140 - Deobfuscate/Decode Files or Information"
        },
        {
          "id": "T1059",
          "name": "Command and Scripting Interpreter",
          "display_name": "T1059 - Command and Scripting Interpreter"
        },
        {
          "id": "T1543",
          "name": "Create or Modify System Process",
          "display_name": "T1543 - Create or Modify System Process"
        },
        {
          "id": "T1569",
          "name": "System Services",
          "display_name": "T1569 - System Services"
        },
        {
          "id": "T1090",
          "name": "Proxy",
          "display_name": "T1090 - Proxy"
        },
        {
          "id": "T1114",
          "name": "Email Collection",
          "display_name": "T1114 - Email Collection"
        },
        {
          "id": "T1573",
          "name": "Encrypted Channel",
          "display_name": "T1573 - Encrypted Channel"
        }
      ],
      "industries": [],
      "TLP": "white",
      "cloned_from": "661db37bf549518bf6f7f377",
      "export_count": 2,
      "upvotes_count": 0,
      "downvotes_count": 0,
      "votes_count": 0,
      "locked": false,
      "pulse_source": "web",
      "validator_count": 0,
      "comment_count": 0,
      "follower_count": 0,
      "vote": 0,
      "author": {
        "username": "msudosos",
        "id": "381696",
        "avatar_url": "https://otx.alienvault.com/assets/images/default-avatar.png",
        "is_subscribed": false,
        "is_following": false
      },
      "indicator_type_counts": {
        "FileHash-MD5": 123,
        "YARA": 16,
        "CVE": 4,
        "FileHash-SHA1": 25,
        "FileHash-SHA256": 20,
        "domain": 102,
        "URL": 16,
        "email": 9,
        "hostname": 4,
        "CIDR": 2
      },
      "indicator_count": 321,
      "is_author": false,
      "is_subscribing": null,
      "subscriber_count": 66,
      "modified_text": "5 days ago ",
      "is_modified": false,
      "groups": [],
      "in_group": false,
      "threat_hunter_scannable": true,
      "threat_hunter_has_agents": 1,
      "related_indicator_type": "domain",
      "related_indicator_is_active": 1
    },
    {
      "id": "6a16ac89787e428fe0f7b045",
      "name": "[\"backup ios...\"] clone by Merkd1904. User note: theres a name tagged here thats interesting",
      "description": "",
      "modified": "2026-05-27T08:34:17.204000",
      "created": "2026-05-27T08:34:17.204000",
      "tags": [
        "fireeye",
        "copyright",
        "base64",
        "dotnettojscript",
        "gadgettojscript",
        "invokeclient",
        "invokeserver",
        "readhost enter",
        "command",
        "roth",
        "nextron",
        "sandworm",
        "detects ssh",
        "grant all",
        "privileges on",
        "to mysqldb",
        "create user",
        "g root",
        "sandworm python",
        "import",
        "phpsploit",
        "host",
        "user",
        "pass",
        "error",
        "establish",
        "pecl oci8",
        "connstr",
        "charset",
        "false",
        "miner",
        "texthtml",
        "module",
        "send custom",
        "swissky",
        "class",
        "serviceip",
        "serviceport",
        "servicedata",
        "e binsh",
        "init",
        "service port",
        "detects",
        "cve202140444",
        "target",
        "targetmode",
        "jeremy brown",
        "windows cve",
        "ms office",
        "modified rule",
        "rperm",
        "wperm",
        "pathsep",
        "string",
        "rwxrxrx",
        "file types",
        "unix",
        "login",
        "autentication",
        "disable",
        "ldapconnect",
        "version",
        "authentication",
        "ldaplist",
        "null",
        "pathelems",
        "execute",
        "backdoor",
        "kingdee oa",
        "yunxingkong",
        "b6oa",
        "code execution",
        "kingdee cloud",
        "starry sky",
        "otherwise",
        "file",
        "setsmartdate",
        "fread",
        "name",
        "force",
        "base64decode",
        "data",
        "substr",
        "array",
        "readdir",
        "getowner",
        "getgroup",
        "getsize",
        "force option",
        "fwrite",
        "permission",
        "check",
        "mode",
        "diraccess",
        "fileaccess",
        "realpath",
        "stat",
        "immutable",
        "posixgetpwuid",
        "posixgetgrgid",
        "explode",
        "etcpasswd",
        "glob",
        "globonlydir",
        "oraclelogin",
        "port",
        "servicename",
        "connector",
        "base",
        "query type",
        "mssqlfetcharray",
        "mssqlassoc",
        "solsocket",
        "timeout",
        "range",
        "portmin",
        "portmax",
        "socketcreate",
        "afinet",
        "sockstream",
        "open",
        "type",
        "true",
        "tcp connection",
        "tcp shell",
        "input",
        "lhost",
        "netcat",
        "lport",
        "shell",
        "dllimport",
        "python",
        "back",
        "fore",
        "pfinet",
        "stdout",
        "this",
        "win32",
        "ldapsearch",
        "select",
        "mysqliassoc",
        "select database",
        "send",
        "newfile",
        "dns stub",
        "third party",
        "see man",
        "exit",
        "o pipefail",
        "v systemctl",
        "devnull",
        "unknown verb",
        "license",
        "gnu lesser",
        "general public",
        "free software",
        "foundation",
        "unit",
        "slice",
        "cpuweight100",
        "tasks slice",
        "cpuweight30",
        "capev2",
        "cape",
        "cuckoo web",
        "setup",
        "grep",
        "limitnofile",
        "install",
        "return",
        "execstart",
        "start",
        "descriptionrun",
        "timer",
        "oncalendardaily",
        "service",
        "prevent rate",
        "delay start",
        "m poetry",
        "sigkill",
        "descriptioncape",
        "ef usercape",
        "g cape",
        "allowisolateyes",
        "typedbus",
        "socket",
        "message bus",
        "listenstream",
        "typenotify",
        "descriptionuser",
        "harald sitter",
        "sitter",
        "kcrash",
        "drkonqi",
        "acceptyes",
        "disable trigger",
        "todo",
        "prevents",
        "path",
        "pathexistsglob",
        "runtimemaxsec31",
        "runtimemaxsec30",
        "restartno",
        "descriptionexit",
        "environmentfile",
        "otheropts",
        "soundfont",
        "descriptiongcr",
        "sshauthsock",
        "descriptionglib",
        "priority6",
        "killmodeprocess",
        "proxy",
        "socketmode0600",
        "apache software",
        "notice file",
        "apache license",
        "unless",
        "as is",
        "basis",
        "or conditions",
        "apple file",
        "conduit monitor",
        "descriptionjack",
        "jackoptions d",
        "driver d",
        "device",
        "media transfer",
        "indexer daemon",
        "memory",
        "memoryhigh512m",
        "system sockets",
        "a user",
        "conditionuser",
        "dbus menus",
        "plasma",
        "phase",
        "workspace core",
        "exit status",
        "x11 connection",
        "timeoutstopsec5",
        "disable restart",
        "timeoutsec40sec",
        "typeoneshot",
        "david edmundson",
        "davidedmundson",
        "osd service",
        "portal",
        "auto restart",
        "dbus",
        "xembed system",
        "logging system",
        "socketmode0660",
        "all containers",
        "restart policy",
        "logging start",
        "execstopbinsh c",
        "logging",
        "x11 plugins",
        "session slice",
        "typeforking",
        "etc userroot",
        "grouproot",
        "onbootsec15min",
        "place",
        "temporary",
        "volatile files",
        "thunar",
        "session manager",
        "wireplumber",
        "service file",
        "xdg autostart",
        "user dir",
        "descriptionxfce",
        "sandbox",
        "malware",
        "analysis",
        "online",
        "submit",
        "vxstream",
        "sample",
        "download",
        "trojan",
        "apt",
        "memoryfile scan",
        "ansi",
        "bpf program",
        "indicator",
        "bpf firewalling",
        "pcap",
        "pcap processing",
        "bpffallowmulti",
        "bpf device",
        "date",
        "suspicious",
        "hybrid",
        "crypto",
        "close",
        "click",
        "april",
        "strings",
        "february",
        "middle",
        "exploit",
        "gameover",
        "contact",
        "scope",
        "thomas koch",
        "gpl v2",
        "imsm",
        "ibftruledir",
        "ibftrules",
        "attr",
        "systemd rule",
        "hannes reinecke",
        "suse labs",
        "ipibft",
        "interface",
        "kernel",
        "configfile",
        "typesimple",
        "apparmor",
        "grouparchaudit",
        "hardening",
        "umask077",
        "persistenttrue",
        "enable debug",
        "networkmanager",
        "trace",
        "wait online",
        "edit",
        "note",
        "reload",
        "capdacoverride",
        "dhcp etc",
        "mdadmscan",
        "mdadmdelay",
        "mdadmmail",
        "mdadmprogram",
        "mdadmconfig",
        "mdadmsendmail",
        "p runsysconfig",
        "userroot",
        "sssd",
        "write access",
        "needed sometime",
        "statedirectory",
        "accountsservice",
        "varloglastlog",
        "bridge daemon",
        "alsa card",
        "card state",
        "required",
        "another auto",
        "nice daemon",
        "memorymax64m",
        "filter system",
        "mount",
        "reboot",
        "clock",
        "logging service",
        "requires",
        "before",
        "please",
        "exit codes",
        "proc",
        "descriptionruns",
        "execstartsh c",
        "switchtoggle",
        "ignoreonisolate",
        "term typeidle",
        "without",
        "any warranty",
        "merchantability",
        "fitness",
        "a particular",
        "vartmp",
        "wants type",
        "preparation",
        "watchdogsec10",
        "filesystem",
        "timer daemon",
        "options",
        "environment",
        "prevent",
        "readwritepaths",
        "security",
        "certain",
        "protectsystem",
        "bindpaths",
        "lower cpu",
        "nice19",
        "manager",
        "userc",
        "celerydnodes",
        "info",
        "chaddevops",
        "aaron brighton",
        "clam antivirus",
        "jon kriel",
        "distribution",
        "script",
        "sanesecurity",
        "securiteinfo",
        "malwarepatrol",
        "oitc",
        "file location",
        "remember",
        "typeexec user",
        "9 cntlm",
        "generate color",
        "profiles",
        "removeipctrue",
        "devpts",
        "authors",
        "any kind",
        "usercouchdb",
        "restartsec5",
        "volumes",
        "server socket",
        "user209",
        "daemon",
        "darkstatiface",
        "reloadconfig",
        "watchdogsec3min",
        "privatetmpyes",
        "protectproc",
        "increase",
        "descriptiontime",
        "date service",
        "debugging only",
        "ignoresigpipeno",
        "unset locale",
        "file system",
        "queue file",
        "whatmqueue",
        "optionsnosuid",
        "pf rundhclient",
        "rate",
        "requiresdirmngr",
        "capfowner",
        "capsetpcap",
        "dhcp",
        "dns server",
        "startlimit",
        "limits",
        "delegateyes",
        "descriptionpass",
        "runtimemaxsec5",
        "mountain",
        "metadata check",
        "all filesystems",
        "online metadata",
        "sunday",
        "oncalendarsun",
        "online ext4",
        "sigterm signal",
        "java process",
        "piddir",
        "standardoutput",
        "elasticsearch",
        "limitnproc4096",
        "limitasinfinity",
        "sendsighupyes",
        "mapper daemon",
        "mainpid",
        "quit",
        "listenstream79",
        "radius server",
        "d etcraddb",
        "protecthomeon",
        "default",
        "systemservice",
        "efiefi bootefi",
        "afinet afinet6",
        "afunix afinet",
        "oncalendar 0000",
        "privatetmptrue",
        "geoip legacy",
        "geoip2",
        "instance",
        "usergit",
        "scdconfig",
        "notice",
        "devinputmice t",
        "descriptiongps",
        "system",
        "sock refclock",
        "gpsdoptions",
        "devices",
        "daemon sockets",
        "2947",
        "bindipv6onlyyes",
        "usbauto",
        "usrbingpsdctl",
        "gps daemon",
        "afterdev",
        "gvmddata",
        "varlibgssproxy",
        "nonewprivileges",
        "privatetmp",
        "protecthome",
        "ieee",
        "etchostapd",
        "killmodemixed",
        "fcopy",
        "uncomment",
        "use sigterm",
        "sigkill i2pd",
        "sendsigkillyes",
        "limitnofile8192",
        "systemd",
        "analog",
        "shutting down",
        "iodineextip p",
        "iodineport p",
        "iodineuser",
        "tunip",
        "topdomain",
        "guessmainpidyes",
        "m node",
        "wants",
        "initiatorname",
        "io driver",
        "typeexec",
        "c etckcptun",
        "usernobody",
        "requireskeyboxd",
        "static device",
        "nofork",
        "restartalways",
        "linker cache",
        "hack",
        "use wants",
        "raise",
        "tasksmax",
        "tasksmax32768",
        "limitmemlock64m",
        "removeonstopyes",
        "ip socket",
        "tls ip",
        "conflictsgetty",
        "aftergetty",
        "busmodules",
        "qabr",
        "hwmonmodules",
        "local file",
        "privatenetwork",
        "lvm2",
        "initialization",
        "autoboot code",
        "s delegatetrue",
        "description",
        "pidfilerunlxc",
        "lynis service",
        "adjust path",
        "lynis binary",
        "lynis timer",
        "tell systemd",
        "lynis security",
        "persistentfalse",
        "container slice",
        "recover",
        "varcacheman",
        "regenerate man",
        "userroot nice19",
        "mysqldopts",
        "mysqldsafe",
        "timezone",
        "core",
        "restart",
        "users",
        "backlog150",
        "listenstreams",
        "servicemariadb",
        "mechanism",
        "mariadb",
        "multi instance",
        "variables",
        "bindirmdadm",
        "gnu general",
        "public license",
        "reshape",
        "onactivesec30",
        "oncalendar",
        "wantedby",
        "monitor",
        "allow mdmon",
        "takeover",
        "k none",
        "c devnull",
        "d runinitramfs",
        "p runmongodb",
        "limitnproc32000",
        "limitmemlock5",
        "device server",
        "requiredbydev",
        "d dev",
        "descriptionreal",
        "extraopts",
        "restartsec30",
        "valid",
        "fifo",
        "priority",
        "batch",
        "nice0",
        "partof",
        "tracking daemon",
        "helper",
        "for testing",
        "only",
        "restrict",
        "grant",
        "capsysptrace",
        "capkill",
        "capipclock",
        "environ",
        "capsysresource",
        "capsyslog",
        "descriptionname",
        "service cache",
        "sysvlsb",
        "descriptionhost",
        "network name",
        "group name",
        "u ntp",
        "time service",
        "t hibernate",
        "software",
        "other",
        "the software",
        "daemon init",
        "software is",
        "provided",
        "fcnvme",
        "wantsmodprobe",
        "aftermodprobe",
        "descriptionall",
        "nbft",
        "nvmeof",
        "connectargs",
        "unit file",
        "descriptionnvmf",
        "red hat",
        "without any",
        "warranty",
        "card daemon",
        "socketmode0666",
        "suite result",
        "kexec screen",
        "oncalendarsat",
        "boot screen",
        "timeoutsec20",
        "power off",
        "runtime data",
        "descriptionhold",
        "timeoutsec0",
        "sandboxing",
        "execstop",
        "colin walters",
        "upgrade",
        "upgrade output",
        "umask0077",
        "transport agent",
        "descriptionmake",
        "descriptionppp",
        "whatnfsd",
        "file formats",
        "automount point",
        "automount",
        "setuid nobody",
        "setgid nobody",
        "setcon",
        "syslog",
        "restartonabort",
        "halt screen",
        "reboot screen",
        "pgroot",
        "postgresql",
        "oom killer",
        "additional",
        "fy nice19",
        "endless os",
        "foundation llc",
        "restartsec0",
        "system quotas",
        "rabbitmq",
        "protecthometrue",
        "etcrathole",
        "guessmainpidno",
        "h etcrdnssd",
        "reflector",
        "afinet6 afunix",
        "umask177",
        "remote file",
        "nfs client",
        "nfsv23 locking",
        "make sure",
        "rpc netconfig",
        "descriptionfast",
        "using ssh",
        "so let",
        "boot",
        "realtimekit",
        "rwhodopts",
        "display manager",
        "specify",
        "interval l",
        "loginterval f",
        "bindstodev",
        "always",
        "usrbingrpck r",
        "slapdoptions",
        "u ldap",
        "slapdurls",
        "smart",
        "pciusb",
        "midi",
        "daemonopts",
        "snmp",
        "trap daemon",
        "g snort",
        "descriptionsudo",
        "hibernate",
        "svnserveargs",
        "whatfusectl",
        "whatconfigfs",
        "whatdebugfs",
        "whattracefs",
        "best way",
        "see https",
        "units service",
        "service slice",
        "offline system",
        "update",
        "wall directory",
        "timeoutsec90s",
        "descriptionmark",
        "current boot",
        "loader entry",
        "any system",
        "units",
        "loader random",
        "loader update",
        "service socket",
        "dump socket",
        "optionally",
        "root device",
        "afalg afinet",
        "execstophomectl",
        "home area",
        "named pipe",
        "sink service",
        "sink socket",
        "upload service",
        "dynamicuseryes",
        "sigkilled",
        "devlog",
        "timestampingus",
        "namespace",
        "sendbuffer8m",
        "kernel command",
        "netlink socket",
        "storage",
        "descriptionwait",
        "network",
        "make",
        "deviceallow",
        "reserve",
        "killer socket",
        "root file",
        "measurement",
        "pcr policy",
        "tpm pcr",
        "code",
        "configuration",
        "machine id",
        "barrier",
        "quota check",
        "system quota",
        "after",
        "random seed",
        "kernel file",
        "gpt partition",
        "kill switch",
        "nvmetcp",
        "trigger",
        "saturday",
        "persistentyes",
        "system update",
        "kernel time",
        "capsystime",
        "ntp service",
        "turn",
        "files",
        "device nodes",
        "srk setup",
        "device events",
        "bootshutdown",
        "change",
        "manager socket",
        "descriptiontinc",
        "proxy server",
        "linrunner",
        "descriptiontlp",
        "tor service",
        "f etctortorrc",
        "tpm device",
        "descriptionudp",
        "tcpicmpudp",
        "etcudp2raw",
        "debug",
        "swap",
        "api file",
        "privatedevices",
        "home",
        "root",
        "runuser",
        "linux control",
        "groups",
        "group",
        "afnetlink",
        "locked memory",
        "limitmemlock0",
        "usb gadget",
        "apple",
        "sliceuser",
        "descriptionuuid",
        "compatibility",
        "typerpcpipefs",
        "vmsvga",
        "hypervisor",
        "usr1",
        "mgmt appuser",
        "dac permission",
        "selinux",
        "xxx someone",
        "qemu",
        "machine tools",
        "vmware tools",
        "pidfilerunvpnc",
        "wacom",
        "iface d",
        "dspeed u",
        "iface",
        "descriptionwpa",
        "oracle",
        "reserved",
        "wong",
        "emailaddr",
        "tunnel protocol",
        "l2tp",
        "isps",
        "russia use",
        "ipsec",
        "d optxplico",
        "b sqlite",
        "descriptionxrdp",
        "xrdpoptions",
        "process",
        "sesmanoptions",
        "zpoolimportopts",
        "an o",
        "t scrub",
        "usrbinzpool",
        "zfs volume",
        "descriptionzfs",
        "f restartalways",
        "remainafterexit",
        "nmbdoptions",
        "smbdoptions",
        "successaction",
        "winbindoptions",
        "ck id",
        "hybrid analysis",
        "mitre att",
        "malicious",
        "sdshared ansi",
        "default und",
        "func global",
        "func local",
        "object local",
        "general",
        "show technique",
        "ck matrix",
        "tasksmax33",
        "empty file",
        "proxycommand",
        "checkhostip",
        "afunix",
        "afvsock",
        "allow",
        "r table",
        "chkbootcheck",
        "gplv2 source",
        "chkbootstyles",
        "etcissue",
        "partition",
        "minimizebest",
        "mit no",
        "match",
        "link",
        "namepolicykeep",
        "ethernet link",
        "kindveth nameve",
        "kindveth namevb",
        "keepmasteryes",
        "dhcpv4",
        "kindsit name6rd",
        "ipv4ll",
        "ipv6ll",
        "dhcpipv6ra",
        "dhcpv6",
        "typeether",
        "dhcpyes",
        "usetimezoneyes",
        "typewlan",
        "tuntap",
        "natdhcp",
        "kindtun namevt",
        "kind",
        "originalname",
        "definedby",
        "peer",
        "sopeergroups",
        "dbus protocol",
        "dbus name",
        "exec",
        "hup signal",
        "sighup",
        "dnssec",
        "sessionid",
        "seatid",
        "sleep",
        "leader",
        "jobresult",
        "coredumppid",
        "coredumpcomm",
        "junit",
        "na zapusk",
        "mikrasiekund",
        "enhed",
        "mikrosekunder",
        "opstart",
        "jobid",
        "a rendszer",
        "ezredmsodpercet",
        "a rendszernapl",
        "user manager",
        "smack",
        "lunit",
        "stato",
        "il processo",
        "il sistema",
        "stata",
        "le processus",
        "notez que",
        "jedinica",
        "zapamtite da",
        "nova",
        "jednostka",
        "prosz zauway",
        "zwykle wskazuje",
        "jest",
        "o processo",
        "processo",
        "isso",
        "inicializao",
        "journal",
        "sizelimit",
        "userid",
        "prozess",
        "speicherabbild",
        "hinweis auf",
        "programmfehler",
        "fehler dem",
        "die systemzeit",
        "realtime"
      ],
      "references": [
        "Hunting_B64Engine_DotNetToJScript_Dos.yar",
        "APT_Backdoor_PS1_BASICPIPESHELL_1.yar",
        "apt_sandworm_exim_expl.yar.002",
        "apt_sandworm_exim_expl.yar.001",
        "apt_sandworm_exim_expl.yar",
        "connect.php",
        "connect.php.002",
        "connect.php.001",
        "crypto-miner.js",
        "eicar",
        "eicar.001",
        "eicar.002",
        "custom.py",
        "eicar.txt",
        "expl_cve_2021_40444.yar.001",
        "expl_cve_2021_40444.yar.002",
        "getPerms.php",
        "input.pcap",
        "list.php",
        "parent.php",
        "payload.php",
        "payload.php.001",
        "kingdee-erp-rce.yaml",
        "payload.php.003",
        "payload.php.002",
        "payload.php.004",
        "payload.php.005",
        "payload.php.006",
        "payload.php.007",
        "payload.php.008",
        "payload.php.010",
        "payload.php.011",
        "payload.php.009",
        "payload.php.012",
        "payload.php.013",
        "payload.php.015",
        "payload.php.016",
        "payload.php.017",
        "reverse_tcp.py",
        "scanner.php",
        "search.php",
        "setdb.php",
        "payload.php.014",
        "setdb.php.001",
        "reader.php",
        "single.php",
        "resolv.conf",
        "systemd-update-helper",
        "90-systemd.preset",
        "60-flatpak",
        "app.slice",
        "background.slice",
        "README.md",
        "bluetooth.target",
        "basic.target",
        "borgmatic-user.timer",
        "borgmatic-user.service",
        "cape.service",
        "cape-dist.service",
        "cape-processor.service",
        "cape-rooter.service",
        "capsule@.target",
        "cape-web.service",
        "clash.service",
        "colord-session.service",
        "dbus.socket",
        "cape-fstab.service",
        "dbus.service",
        "dbus-broker.service",
        "dconf.service",
        "dirmngr.service",
        "default.target",
        "drkonqi-coredump-cleanup.service",
        "dirmngr.socket",
        "drkonqi-coredump-cleanup.timer",
        "drkonqi-coredump-launcher.socket",
        "drkonqi-sentry-postman.path",
        "drkonqi-coredump-pickup.service",
        "drkonqi-sentry-postman.service",
        "drkonqi-sentry-postman.timer",
        "drkonqi-coredump-launcher@.service",
        "dunst.service",
        "flatpak-oci-authenticator.service",
        "filter-chain.service",
        "exit.target",
        "flatpak-session-helper.service",
        "fluidsynth.service",
        "gcr-ssh-agent.socket",
        "flatpak-portal.service",
        "gcr-ssh-agent.service",
        "gnome-keyring-daemon.service",
        "glib-pacrunner.service",
        "gnome-keyring-daemon.socket",
        "gpg-agent-ssh.socket",
        "gnome-terminal-server.service",
        "gpg-agent-extra.socket",
        "gpg-agent.service",
        "gpg-agent.socket",
        "gpg-agent-browser.socket",
        "graphical-session-pre.target",
        "graphical-session.target",
        "gssuserproxy.socket",
        "guacd.service",
        "gvfs-gphoto2-volume-monitor.service",
        "gvfs-daemon.service",
        "gssuserproxy.service",
        "gvfs-afc-volume-monitor.service",
        "gvfs-metadata.service",
        "jack@.service",
        "guac-web.service",
        "gvfs-udisks2-volume-monitor.service",
        "gvfs-mtp-volume-monitor.service",
        "kde-baloo.service",
        "keyboxd.service",
        "kio-fuse.service",
        "keyboxd.socket",
        "p11-kit-server.service",
        "p11-kit-server.socket",
        "paths.target",
        "pipewire.socket",
        "pipewire-pulse.service",
        "plasma-gmenudbusmenuproxy.service",
        "pipewire-pulse.socket",
        "plasma-baloorunner.service",
        "plasma-kcminit.service",
        "plasma-dolphin.service",
        "plasma-kcminit-phase1.service",
        "plasma-core.target",
        "plasma-kded.service",
        "pipewire.service",
        "plasma-kded6.service",
        "plasma-kglobalaccel.service",
        "at-spi-dbus-bus.service",
        "plasma-krunner.service",
        "plasma-kscreen.service",
        "plasma-kscreen-osd.service",
        "plasma-ksmserver.service",
        "plasma-ksplash.service",
        "plasma-ksplash-ready.service",
        "plasma-ksystemstats.service",
        "plasma-kwallet-pam.service",
        "plasma-kwin_wayland.service",
        "plasma-kwin_x11.service",
        "plasma-plasmashell.service",
        "plasma-polkit-agent.service",
        "plasma-powerdevil.service",
        "plasma-powerprofile-osd.service",
        "plasma-restoresession.service",
        "plasma-workspace.target",
        "plasma-workspace-wayland.target",
        "plasma-workspace-x11.target",
        "plasma-xdg-desktop-portal-kde.service",
        "plasma-xembedsniproxy.service",
        "podman.service",
        "podman.socket",
        "podman-auto-update.service",
        "podman-auto-update.timer",
        "podman-kube@.service",
        "podman-restart.service",
        "printer.target",
        "pulseaudio.service",
        "pulseaudio.socket",
        "pulseaudio-x11.service",
        "session.slice",
        "shutdown.target",
        "smartcard.target",
        "sockets.target",
        "sound.target",
        "ssh-agent.service",
        "suricata.service",
        "suricata-update.service",
        "suricata-update.timer",
        "systemd-exit.service",
        "systemd-tmpfiles-clean.service",
        "systemd-tmpfiles-clean.timer",
        "systemd-tmpfiles-setup.service",
        "thunar.service",
        "timers.target",
        "tracker-xdg-portal-3.service",
        "tumblerd.service",
        "wireplumber.service",
        "wireplumber@.service",
        "xdg-desktop-autostart.target",
        "xdg-desktop-portal.service",
        "xdg-desktop-portal-gtk.service",
        "xdg-desktop-portal-hyprland.service",
        "xdg-desktop-portal-rewrite-launchers.service",
        "xdg-desktop-portal-xapp.service",
        "xdg-permission-store.service",
        "xdg-user-dirs-update.service",
        "xfce4-notifyd.service",
        "xsettingsd.service",
        "xdg-document-portal.service",
        "https://hybrid-analysis.com/sample/b1a9e5be43c028442c07071e202f44f33e3a2df167822c5cfed8f998e01fe169/661da09794b343782806018e",
        "defaults.conf",
        "apparmor.conf",
        "nvidia",
        "tlp",
        "fwupd.shutdown",
        "mdadm.shutdown",
        "99-default.preset",
        "50-zfs.preset",
        "ibft-rule-generator",
        "10-arch",
        "60-flatpak-system-only",
        "3proxy.service",
        "apache-tika.service",
        "apparmor.service",
        "arch-audit.service",
        "arch-audit.timer",
        "NetworkManager-dispatcher.service",
        "NetworkManager-wait-online.service",
        "NetworkManager.service",
        "SUSE-mdadm_env.sh",
        "ModemManager.service",
        "3proxy.conf",
        "archlinux-keyring-wkd-sync.service",
        "adsl.service",
        "accounts-daemon.service",
        "adb.service",
        "alsa-restore.service",
        "alsa-state.service",
        "archlinux-keyring-wkd-sync.timer",
        "ananicy-cpp.service",
        "arcolinux-graphical-target.service",
        "atftpd.service",
        "audit-rules.service",
        "auditd.service",
        "auth-rpcgss-module.service",
        "autorandr.service",
        "autorandr-lid-listener.service",
        "autovt@.service",
        "avahi-daemon.service",
        "avahi-daemon.socket",
        "avahi-dnsconfd.service",
        "bettercap.service",
        "betterlockscreen@.service",
        "blk-availability.service",
        "blockdev@.target",
        "bluetooth.service",
        "bmc-watchdog.service",
        "bolt.service",
        "boot-complete.target",
        "borgmatic.service",
        "borgmatic.timer",
        "bpftune.service",
        "btrfs-scrub@.service",
        "btrfs-scrub@.timer",
        "canberra-system-bootup.service",
        "canberra-system-shutdown.service",
        "canberra-system-shutdown-reboot.service",
        "capsule.slice",
        "capsule@.service",
        "celery2@.service",
        "celery@.service",
        "chkboot.service",
        "clamav-clamonacc.service",
        "clamav-daemon.service",
        "clamav-daemon.socket",
        "clamav-freshclam.service",
        "clamav-freshclam-once.service",
        "clamav-freshclam-once.timer",
        "clamav-unofficial-sigs.service",
        "clamav-unofficial-sigs.timer",
        "clash@.service",
        "cntlm.service",
        "colord.service",
        "configure-printer@.service",
        "console-getty.service",
        "container-getty@.service",
        "containerd.service",
        "couchdb.service",
        "cpupower.service",
        "create_ap.service",
        "cronie.service",
        "cryptsetup.target",
        "cryptsetup-pre.target",
        "ctrl-alt-del.target",
        "cups.path",
        "cups.service",
        "cups.socket",
        "cups-lpd.socket",
        "cups-lpd@.service",
        "cxl-monitor.service",
        "darkstat.service",
        "daxdev-reconfigure@.service",
        "dbus-org.freedesktop.hostname1.service",
        "dbus-org.freedesktop.import1.service",
        "dbus-org.freedesktop.locale1.service",
        "dbus-org.freedesktop.login1.service",
        "dbus-org.freedesktop.machine1.service",
        "dbus-org.freedesktop.portable1.service",
        "dbus-org.freedesktop.timedate1.service",
        "debug-shell.service",
        "dev-hugepages.mount",
        "dev-mqueue.mount",
        "dhclient@.service",
        "dhcpd4.service",
        "dhcpd6.service",
        "dirmngr@.service",
        "dirmngr@.socket",
        "dm-event.service",
        "dm-event.socket",
        "dmraid.service",
        "dnscrypt-proxy.service",
        "dnsmasq.service",
        "docker.service",
        "docker.socket",
        "drkonqi-coredump-processor@.service",
        "e2scrub@.service",
        "e2scrub_all.service",
        "e2scrub_all.timer",
        "e2scrub_fail@.service",
        "e2scrub_reap.service",
        "ead.service",
        "elasticsearch.service",
        "elasticsearch-keystore.service",
        "elasticsearch-keystore@.service",
        "elasticsearch@.service",
        "emergency.service",
        "emergency.target",
        "epmd.service",
        "epmd.socket",
        "exabgp.service",
        "factory-reset.target",
        "fancontrol.service",
        "fastnetmon.service",
        "final.target",
        "finger.socket",
        "finger@.service",
        "first-boot-complete.target",
        "flatpak-system-helper.service",
        "freeradius.service",
        "fsidd.service",
        "fstrim.service",
        "fstrim.timer",
        "ftpd.service",
        "fwupd.service",
        "fwupd-offline-update.service",
        "fwupd-refresh.service",
        "fwupd-refresh.timer",
        "geoclue.service",
        "geoipupdate.service",
        "geoipupdate.timer",
        "getty.target",
        "getty-pre.target",
        "getty@.service",
        "git-daemon.socket",
        "git-daemon@.service",
        "gnupg-pkcs11-scd-proxy.service",
        "gpg-agent-browser@.socket",
        "gpg-agent-extra@.socket",
        "gpg-agent-ssh@.socket",
        "gpg-agent@.service",
        "gpg-agent@.socket",
        "gpm.path",
        "gpm.service",
        "gpsd.service",
        "gpsd.socket",
        "gpsdctl@.service",
        "graphical.target",
        "greenbone-certdata-sync.service",
        "greenbone-certdata-sync.timer",
        "greenbone-feed-sync.service",
        "greenbone-feed-sync.timer",
        "greenbone-nvt-sync.service",
        "greenbone-nvt-sync.timer",
        "greenbone-scapdata-sync.service",
        "greenbone-scapdata-sync.timer",
        "gssproxy.service",
        "gvmd.service",
        "halt.target",
        "healthd.service",
        "hibernate.target",
        "hostapd.service",
        "hostapd@.service",
        "httpd.service",
        "hv_fcopy_daemon.service",
        "hv_kvp_daemon.service",
        "hv_vss_daemon.service",
        "hybrid-sleep.target",
        "i2pd.service",
        "iiod.service",
        "initrd.target",
        "initrd-cleanup.service",
        "initrd-fs.target",
        "initrd-parse-etc.service",
        "initrd-root-device.target",
        "initrd-root-fs.target",
        "initrd-switch-root.service",
        "initrd-switch-root.target",
        "initrd-udevadm-cleanup-db.service",
        "initrd-usr-fs.target",
        "integritysetup.target",
        "integritysetup-pre.target",
        "iodined.service",
        "iodined.socket",
        "ip2clued.service",
        "ip6tables.service",
        "ipmidetectd.service",
        "ipmiseld.service",
        "iptables.service",
        "iscsi.service",
        "iscsi-init.service",
        "iscsid.service",
        "iscsid.socket",
        "iscsiuio.service",
        "iscsiuio.socket",
        "isnsd.service",
        "isnsd.socket",
        "iwd.service",
        "kcptun-server@.service",
        "kcptun@.service",
        "kexec.target",
        "keyboxd@.service",
        "keyboxd@.socket",
        "kmod-static-nodes.service",
        "krb5-kadmind.service",
        "krb5-kdc.service",
        "krb5-kpropd.service",
        "krb5-kpropd.socket",
        "krb5-kpropd@.service",
        "lastlog2-import.service",
        "ldconfig.service",
        "libvirt-guests.service",
        "libvirtd.service",
        "libvirtd.socket",
        "libvirtd-admin.socket",
        "libvirtd-ro.socket",
        "libvirtd-tcp.socket",
        "libvirtd-tls.socket",
        "lightdm.service",
        "lm_sensors.service",
        "local-fs.target",
        "local-fs-pre.target",
        "logrotate.service",
        "logrotate.timer",
        "lvm2-lvmpolld.service",
        "lvm2-lvmpolld.socket",
        "lvm2-monitor.service",
        "lxc.service",
        "lxc-auto.service",
        "lxc-monitord.service",
        "lxc-net.service",
        "lxc@.service",
        "lxdm.service",
        "ly.service",
        "lynis.service",
        "lynis.timer",
        "machine.slice",
        "machines.target",
        "man-db.service",
        "man-db.timer",
        "mariadb.service",
        "mariadb.socket",
        "mariadb-extra.socket",
        "mariadb-extra@.socket",
        "mariadb@.service",
        "mariadb@.socket",
        "mdadm-grow-continue@.service",
        "mdadm-last-resort@.service",
        "mdadm-last-resort@.timer",
        "mdcheck_continue.service",
        "mdcheck_continue.timer",
        "mdcheck_start.service",
        "mdcheck_start.timer",
        "mdmon@.service",
        "mdmonitor.service",
        "mdmonitor-oneshot.service",
        "mdmonitor-oneshot.timer",
        "memavaild.service",
        "mkinitcpio-generate-shutdown-ramfs.service",
        "modprobe@.service",
        "mongodb.service",
        "multi-user.target",
        "mysql.service",
        "mysqld.service",
        "named.service",
        "nbd.service",
        "nbd@.service",
        "ndctl-monitor.service",
        "neo4j.service",
        "netavark-dhcp-proxy.service",
        "netavark-dhcp-proxy.socket",
        "netdata.service",
        "network.target",
        "network-online.target",
        "network-pre.target",
        "nfs-blkmap.service",
        "nfs-client.target",
        "nfs-idmapd.service",
        "nfs-mountd.service",
        "nfs-server.service",
        "nfs-utils.service",
        "nfsdcld.service",
        "nfsv4-exportd.service",
        "nfsv4-server.service",
        "nftables.service",
        "nm-priv-helper.service",
        "nmb.service",
        "nohang.service",
        "nohang-desktop.service",
        "nscd.service",
        "nss-lookup.target",
        "nss-user-lookup.target",
        "ntpd.service",
        "ntpdate.service",
        "nvidia-hibernate.service",
        "nvidia-persistenced.service",
        "nvidia-powerd.service",
        "nvidia-resume.service",
        "nvidia-suspend.service",
        "nvmefc-boot-connections.service",
        "nvmf-autoconnect.service",
        "nvmf-connect.target",
        "nvmf-connect-nbft.service",
        "nvmf-connect@.service",
        "pacrunner.service",
        "ostree-boot-complete.service",
        "pacman-filesdb-refresh.timer",
        "pcscd.service",
        "passim.service",
        "pcscd.socket",
        "packagekit-offline-update.service",
        "phoronix-result-server.service",
        "paccache.timer",
        "plymouth-kexec.service",
        "pamac-cleancache.timer",
        "plymouth-quit.service",
        "partimaged.service",
        "plymouth-poweroff.service",
        "plymouth-read-write.service",
        "plymouth-quit-wait.service",
        "paccache.service",
        "plymouth-switch-root-initramfs.service",
        "ostree-remount.service",
        "plymouth-switch-root.service",
        "openvpn-client@.service",
        "podman-clean-transient.service",
        "pamac-offline-upgrade.service",
        "polkit.service",
        "postfix.service",
        "pam_namespace.service",
        "poweroff.target",
        "ppp@.service",
        "opensnitchd.service",
        "proc-fs-nfsd.mount",
        "proc-sys-fs-binfmt_misc.automount",
        "proc-sys-fs-binfmt_misc.mount",
        "phoromatic-server.service",
        "ptunnel.service",
        "openvpn-server@.service",
        "plymouth-halt.service",
        "pamac-cleancache.service",
        "plymouth-reboot.service",
        "ostree-state-overlay@.service",
        "ostree-finalize-staged.service",
        "postgresql.service",
        "phoromatic-client.service",
        "pamac-daemon.service",
        "pacman-filesdb-refresh.service",
        "packagekit.service",
        "pkgfile-update.service",
        "pkgfile-update.timer",
        "plymouth-start.service",
        "ostree-prepare-root.service",
        "ostree-finalize-staged.path",
        "privoxy.service",
        "ostree-finalize-staged-hold.service",
        "qemu-guest-agent.service",
        "quotaon.service",
        "quotaon-root.service",
        "quotaon@.service",
        "rabbitmq.service",
        "ras-mc-ctl.service",
        "rasdaemon.service",
        "rathole@.service",
        "ratholec@.service",
        "ratholes@.service",
        "rc-local.service",
        "rdnssd@.service",
        "reboot.target",
        "redis.service",
        "redis-sentinel.service",
        "reflector.service",
        "reflector.timer",
        "remote-cryptsetup.target",
        "remote-fs.target",
        "remote-fs-pre.target",
        "remote-veritysetup.target",
        "rescue.service",
        "rescue.target",
        "rfkill-block@.service",
        "rfkill-unblock@.service",
        "rlogin.socket",
        "rlogin@.service",
        "rpc-gssd.service",
        "rpc-statd.service",
        "rpc-statd-notify.service",
        "rpc_pipefs.target",
        "rpcbind.service",
        "rpcbind.socket",
        "rpcbind.target",
        "rsh.socket",
        "rsh@.service",
        "rsyncd.service",
        "rsyncd.socket",
        "rsyncd@.service",
        "rtkit-daemon.service",
        "runlevel0.target",
        "runlevel1.target",
        "runlevel2.target",
        "runlevel3.target",
        "runlevel4.target",
        "runlevel5.target",
        "runlevel6.target",
        "rwhod.service",
        "samba.service",
        "sddm.service",
        "seatd.service",
        "sensord.service",
        "serial-getty@.service",
        "shadow.service",
        "shadow.timer",
        "sigpwr.target",
        "slapd.service",
        "sleep.target",
        "slices.target",
        "smartd.service",
        "smb.service",
        "sndiod.service",
        "snmpd.service",
        "snmptrapd.service",
        "snort@.service",
        "snort@1000.service",
        "soft-reboot.target",
        "ssh-access.target",
        "sshd.service",
        "sshdgenkeys.service",
        "sshuttle.service",
        "sslh.service",
        "sslh-fork.service",
        "sslh-select.service",
        "storage-target-mode.target",
        "stunnel.service",
        "sudo_logsrvd.service",
        "suspend.target",
        "suspend-then-hibernate.target",
        "svnserve.service",
        "swap.target",
        "sys-fs-fuse-connections.mount",
        "sys-kernel-config.mount",
        "sys-kernel-debug.mount",
        "sys-kernel-tracing.mount",
        "sysinit.target",
        "syslog.socket",
        "system-systemd\\x2dcryptsetup.slice",
        "system-systemd\\x2dveritysetup.slice",
        "system-update.target",
        "system-update-cleanup.service",
        "system-update-pre.target",
        "systemd-ask-password-console.path",
        "systemd-ask-password-console.service",
        "systemd-ask-password-plymouth.path",
        "systemd-ask-password-plymouth.service",
        "systemd-ask-password-wall.path",
        "systemd-ask-password-wall.service",
        "systemd-backlight@.service",
        "systemd-battery-check.service",
        "systemd-binfmt.service",
        "systemd-bless-boot.service",
        "systemd-boot-check-no-failures.service",
        "systemd-boot-random-seed.service",
        "systemd-boot-update.service",
        "systemd-bootctl.socket",
        "systemd-bootctl@.service",
        "systemd-bsod.service",
        "systemd-confext.service",
        "systemd-coredump.socket",
        "systemd-coredump@.service",
        "systemd-creds.socket",
        "systemd-creds@.service",
        "systemd-firstboot.service",
        "systemd-fsck-root.service",
        "systemd-fsck@.service",
        "systemd-growfs-root.service",
        "systemd-growfs@.service",
        "systemd-halt.service",
        "systemd-hibernate.service",
        "systemd-hibernate-resume.service",
        "systemd-homed.service",
        "systemd-homed-activate.service",
        "systemd-homed-firstboot.service",
        "systemd-hostnamed.service",
        "systemd-hostnamed.socket",
        "systemd-hwdb-update.service",
        "systemd-hybrid-sleep.service",
        "systemd-importd.service",
        "systemd-initctl.service",
        "systemd-initctl.socket",
        "systemd-journal-catalog-update.service",
        "systemd-journal-flush.service",
        "systemd-journal-gatewayd.service",
        "systemd-journal-gatewayd.socket",
        "systemd-journal-remote.service",
        "systemd-journal-remote.socket",
        "systemd-journal-upload.service",
        "systemd-journald.service",
        "systemd-journald.socket",
        "systemd-journald-audit.socket",
        "systemd-journald-dev-log.socket",
        "systemd-journald-varlink@.socket",
        "systemd-journald@.service",
        "systemd-journald@.socket",
        "systemd-kexec.service",
        "systemd-localed.service",
        "systemd-logind.service",
        "systemd-machine-id-commit.service",
        "systemd-machined.service",
        "systemd-modules-load.service",
        "systemd-network-generator.service",
        "systemd-networkd.service",
        "systemd-networkd.socket",
        "systemd-networkd-persistent-storage.service",
        "systemd-networkd-wait-online.service",
        "systemd-networkd-wait-online@.service",
        "systemd-nspawn@.service",
        "systemd-oomd.service",
        "systemd-oomd.socket",
        "systemd-pcrextend.socket",
        "systemd-pcrextend@.service",
        "systemd-pcrfs-root.service",
        "systemd-pcrfs@.service",
        "systemd-pcrlock.socket",
        "systemd-pcrlock-file-system.service",
        "systemd-pcrlock-firmware-code.service",
        "systemd-pcrlock-firmware-config.service",
        "systemd-pcrlock-machine-id.service",
        "systemd-pcrlock-make-policy.service",
        "systemd-pcrlock-secureboot-authority.service",
        "systemd-pcrlock-secureboot-policy.service",
        "systemd-pcrlock@.service",
        "systemd-pcrmachine.service",
        "systemd-pcrphase.service",
        "systemd-pcrphase-initrd.service",
        "systemd-pcrphase-sysinit.service",
        "systemd-portabled.service",
        "systemd-poweroff.service",
        "systemd-pstore.service",
        "systemd-quotacheck.service",
        "systemd-quotacheck-root.service",
        "systemd-quotacheck@.service",
        "systemd-random-seed.service",
        "systemd-reboot.service",
        "systemd-remount-fs.service",
        "systemd-repart.service",
        "systemd-resolved.service",
        "systemd-rfkill.service",
        "systemd-rfkill.socket",
        "systemd-soft-reboot.service",
        "systemd-storagetm.service",
        "systemd-suspend.service",
        "systemd-suspend-then-hibernate.service",
        "systemd-sysctl.service",
        "systemd-sysext.service",
        "systemd-sysext.socket",
        "systemd-sysext@.service",
        "systemd-sysupdate.service",
        "systemd-sysupdate.timer",
        "systemd-sysupdate-reboot.service",
        "systemd-sysupdate-reboot.timer",
        "systemd-sysusers.service",
        "systemd-time-wait-sync.service",
        "systemd-timedated.service",
        "systemd-timesyncd.service",
        "systemd-tmpfiles-setup-dev.service",
        "systemd-tmpfiles-setup-dev-early.service",
        "systemd-tpm2-setup.service",
        "systemd-tpm2-setup-early.service",
        "systemd-udev-trigger.service",
        "systemd-udevd.service",
        "systemd-udevd-control.socket",
        "systemd-udevd-kernel.socket",
        "systemd-update-done.service",
        "systemd-update-utmp.service",
        "systemd-update-utmp-runlevel.service",
        "systemd-user-sessions.service",
        "systemd-userdbd.service",
        "systemd-userdbd.socket",
        "systemd-vconsole-setup.service",
        "systemd-vmspawn@.service",
        "systemd-volatile-root.service",
        "systemd-zram-setup@.service",
        "talk.service",
        "talk.socket",
        "teamd@.service",
        "telnet.socket",
        "telnet@.service",
        "time-set.target",
        "time-sync.target",
        "tinc.service",
        "tinc@.service",
        "tinyproxy.service",
        "tlp.service",
        "tmp.mount",
        "tor.service",
        "tpm2.target",
        "udisks2.service",
        "udp2raw@.service",
        "ufw.service",
        "uksmd.service",
        "umount.target",
        "unbound.service",
        "updatedb.service",
        "updatedb.timer",
        "upower.service",
        "usb-gadget.target",
        "usb_modeswitch@.service",
        "usbipd.service",
        "usbmuxd.service",
        "user.slice",
        "user-runtime-dir@.service",
        "user@.service",
        "uuidd.service",
        "uuidd.socket",
        "var-lib-machines.mount",
        "var-lib-nfs-rpc_pipefs.mount",
        "vboxdrmclient.path",
        "vboxdrmclient.service",
        "vboxservice.service",
        "veritysetup.target",
        "veritysetup-pre.target",
        "virt-guest-shutdown.target",
        "virtchd.service",
        "virtchd.socket",
        "virtchd-admin.socket",
        "virtchd-ro.socket",
        "virtinterfaced.service",
        "virtinterfaced.socket",
        "virtinterfaced-admin.socket",
        "virtinterfaced-ro.socket",
        "virtlockd.service",
        "virtlockd.socket",
        "virtlockd-admin.socket",
        "virtlogd.service",
        "virtlogd.socket",
        "virtlogd-admin.socket",
        "virtlxcd.service",
        "virtlxcd.socket",
        "virtlxcd-admin.socket",
        "virtlxcd-ro.socket",
        "virtnetworkd.service",
        "virtnetworkd.socket",
        "virtnetworkd-admin.socket",
        "virtnetworkd-ro.socket",
        "virtnodedevd.service",
        "virtnodedevd.socket",
        "virtnodedevd-admin.socket",
        "virtnodedevd-ro.socket",
        "virtnwfilterd.service",
        "virtnwfilterd.socket",
        "virtnwfilterd-admin.socket",
        "virtnwfilterd-ro.socket",
        "virtproxyd.service",
        "virtproxyd.socket",
        "virtproxyd-admin.socket",
        "virtproxyd-ro.socket",
        "virtproxyd-tcp.socket",
        "virtproxyd-tls.socket",
        "virtqemud.service",
        "virtqemud.socket",
        "virtqemud-admin.socket",
        "virtqemud-ro.socket",
        "virtsecretd.service",
        "virtsecretd.socket",
        "virtsecretd-admin.socket",
        "virtsecretd-ro.socket",
        "virtstoraged.service",
        "virtstoraged.socket",
        "virtstoraged-admin.socket",
        "virtstoraged-ro.socket",
        "virtvboxd.service",
        "virtvboxd.socket",
        "virtvboxd-admin.socket",
        "virtvboxd-ro.socket",
        "vmtoolsd.service",
        "vmware-vmblock-fuse.service",
        "vpnc@.service",
        "wacom-inputattach@.service",
        "wg-quick.target",
        "wg-quick@.service",
        "winbind.service",
        "wondershaper.service",
        "wpa_supplicant.service",
        "wpa_supplicant-nl80211@.service",
        "wpa_supplicant-wired@.service",
        "wpa_supplicant@.service",
        "xfs_scrub@.service",
        "xfs_scrub_all.service",
        "xfs_scrub_all.timer",
        "xfs_scrub_fail@.service",
        "xl2tpd.service",
        "xplico.service",
        "xrdp.service",
        "xrdp-sesman.service",
        "yate.service",
        "zfs.target",
        "zfs-import.service",
        "zfs-import.target",
        "zfs-import-cache.service",
        "zfs-import-scan.service",
        "zfs-load-key.service",
        "zfs-mount.service",
        "zfs-scrub-monthly@.timer",
        "zfs-scrub-weekly@.timer",
        "zfs-scrub@.service",
        "zfs-share.service",
        "zfs-trim-monthly@.timer",
        "zfs-trim-weekly@.timer",
        "zfs-trim@.service",
        "zfs-volume-wait.service",
        "zfs-volumes.target",
        "zfs-zed.service",
        "plymouth.conf",
        "gpg-agent-ssh@etc-pacman.d-gnupg.socket",
        "keyboxd@etc-pacman.d-gnupg.socket",
        "dirmngr@etc-pacman.d-gnupg.socket",
        "gpg-agent-browser@etc-pacman.d-gnupg.socket",
        "gpg-agent-extra@etc-pacman.d-gnupg.socket",
        "gpg-agent@etc-pacman.d-gnupg.socket",
        "https://hybrid-analysis.com/sample/ff42428f0fcc346cc56e2b00d4b5c4bd43b55f3465b4ccab0efba9c88f4a1c03/661da0b063c895fc2d0a78dc",
        "https://hybrid-analysis.com/sample/9613dee39157b5f9935436b36647047e267b7c10fa4c7ab1fd995db681e58c12/661da5b202eaca78740cf4ed",
        "https://hybrid-analysis.com/sample/479a0170df010c5eb742ff1b8740a2ccf381df44c8a919c95d6e38685278e78a/661da5c768340c1e25092cb2",
        "50-rc_keymap.conf",
        "10-defaults.conf",
        "10-login-barrier.conf",
        "20-systemd-userdb.conf",
        "20-systemd-ssh-proxy.conf",
        "iptables-flush",
        "cpupower",
        "chkboot-bootcheck",
        "10-root.conf",
        "30-root-verity-sig.conf",
        "20-root-verity.conf",
        "80-systemd-timesync.list",
        "80-6rd-tunnel.link",
        "80-container-ve.network",
        "80-container-vb.network",
        "80-container-vz.link",
        "80-6rd-tunnel.network",
        "80-container-vz.network",
        "80-auto-link-local.network.example",
        "80-ethernet.network.example",
        "80-container-host0.network",
        "80-iwd.link",
        "80-container-vb.link",
        "80-vm-vt.link",
        "80-vm-vt.network",
        "80-wifi-adhoc.network",
        "80-wifi-ap.network.example",
        "80-wifi-station.network.example",
        "80-container-ve.link",
        "89-ethernet.network.example",
        "99-default.link",
        "dbus-broker.catalog",
        "dbus-broker-launch.catalog",
        "systemd.be.catalog",
        "systemd.be@latin.catalog",
        "systemd.da.catalog",
        "systemd.bg.catalog",
        "systemd.hu.catalog",
        "systemd.catalog",
        "systemd.it.catalog",
        "systemd.fr.catalog",
        "systemd.ko.catalog",
        "systemd.hr.catalog",
        "systemd.pl.catalog",
        "systemd.pt_BR.catalog",
        "systemd.ru.catalog",
        "systemd.sr.catalog",
        "systemd.zh_CN.catalog",
        "systemd.de.catalog",
        "systemd.zh_TW.catalog",
        "expl_cve_2021_40444.yar"
      ],
      "public": 1,
      "adversary": "Chinese Speaking",
      "targeted_countries": [],
      "malware_families": [
        {
          "id": "RemainAfterExit",
          "display_name": "RemainAfterExit",
          "target": null
        },
        {
          "id": "NMBDOPTIONS",
          "display_name": "NMBDOPTIONS",
          "target": null
        },
        {
          "id": "SMBDOPTIONS",
          "display_name": "SMBDOPTIONS",
          "target": null
        },
        {
          "id": "SuccessAction",
          "display_name": "SuccessAction",
          "target": null
        },
        {
          "id": "WINBINDOPTIONS",
          "display_name": "WINBINDOPTIONS",
          "target": null
        }
      ],
      "attack_ids": [
        {
          "id": "T1027",
          "name": "Obfuscated Files or Information",
          "display_name": "T1027 - Obfuscated Files or Information"
        },
        {
          "id": "T1071",
          "name": "Application Layer Protocol",
          "display_name": "T1071 - Application Layer Protocol"
        },
        {
          "id": "T1082",
          "name": "System Information Discovery",
          "display_name": "T1082 - System Information Discovery"
        },
        {
          "id": "T1106",
          "name": "Native API",
          "display_name": "T1106 - Native API"
        },
        {
          "id": "T1205",
          "name": "Traffic Signaling",
          "display_name": "T1205 - Traffic Signaling"
        },
        {
          "id": "T1140",
          "name": "Deobfuscate/Decode Files or Information",
          "display_name": "T1140 - Deobfuscate/Decode Files or Information"
        },
        {
          "id": "T1059",
          "name": "Command and Scripting Interpreter",
          "display_name": "T1059 - Command and Scripting Interpreter"
        },
        {
          "id": "T1543",
          "name": "Create or Modify System Process",
          "display_name": "T1543 - Create or Modify System Process"
        },
        {
          "id": "T1569",
          "name": "System Services",
          "display_name": "T1569 - System Services"
        },
        {
          "id": "T1090",
          "name": "Proxy",
          "display_name": "T1090 - Proxy"
        },
        {
          "id": "T1114",
          "name": "Email Collection",
          "display_name": "T1114 - Email Collection"
        },
        {
          "id": "T1573",
          "name": "Encrypted Channel",
          "display_name": "T1573 - Encrypted Channel"
        }
      ],
      "industries": [],
      "TLP": "white",
      "cloned_from": "661db37bf549518bf6f7f377",
      "export_count": 1,
      "upvotes_count": 0,
      "downvotes_count": 0,
      "votes_count": 0,
      "locked": false,
      "pulse_source": "web",
      "validator_count": 0,
      "comment_count": 0,
      "follower_count": 0,
      "vote": 0,
      "author": {
        "username": "msudosos",
        "id": "381696",
        "avatar_url": "https://otx.alienvault.com/assets/images/default-avatar.png",
        "is_subscribed": false,
        "is_following": false
      },
      "indicator_type_counts": {
        "FileHash-MD5": 123,
        "YARA": 16,
        "CVE": 4,
        "FileHash-SHA1": 25,
        "FileHash-SHA256": 20,
        "domain": 102,
        "URL": 16,
        "email": 9,
        "hostname": 4,
        "CIDR": 2
      },
      "indicator_count": 321,
      "is_author": false,
      "is_subscribing": null,
      "subscriber_count": 66,
      "modified_text": "5 days ago ",
      "is_modified": false,
      "groups": [],
      "in_group": false,
      "threat_hunter_scannable": true,
      "threat_hunter_has_agents": 1,
      "related_indicator_type": "domain",
      "related_indicator_is_active": 1
    },
    {
      "id": "6659ea571eab262a3942e77c",
      "name": "system.img - Unidentified Android Ext4 filesystem pulled from my machine",
      "description": "Honestly I can't recall where I fished this out of, but I had stashed it on a cloud storage drive for later exploitation, which is what this is. At current, I don't have the slightest clue what it is or what it was doing on my computer. But with majority of the */bin/ files coming back as symlinks to */bin/toybox I'm assuming it's nothing that'd enhance my day to day life for the better. Standby for further analysis. At current these are just the SHA256's of the filesystem itself.",
      "modified": "2024-05-31T15:18:47.112000",
      "created": "2024-05-31T15:18:47.112000",
      "tags": [
        "mntdevfb0",
        "mntdevhda1",
        "mntdevhda3",
        "mntdevkmem",
        "mntdevmem",
        "mntdevmmcblk0p1",
        "mntdevmmcblk0p3",
        "mntdevmtd0",
        "mntdevmtd2",
        "mntdevmtd4"
      ],
      "references": [],
      "public": 1,
      "adversary": "",
      "targeted_countries": [],
      "malware_families": [],
      "attack_ids": [],
      "industries": [],
      "TLP": "white",
      "cloned_from": null,
      "export_count": 18,
      "upvotes_count": 0,
      "downvotes_count": 0,
      "votes_count": 0,
      "locked": false,
      "pulse_source": "web",
      "validator_count": 0,
      "comment_count": 0,
      "follower_count": 0,
      "vote": 0,
      "author": {
        "username": "Merkd1904",
        "id": "196517",
        "avatar_url": "https://otx.alienvault.com/assets/images/default-avatar.png",
        "is_subscribed": false,
        "is_following": false
      },
      "indicator_type_counts": {
        "FileHash-MD5": 1,
        "FileHash-SHA1": 1,
        "FileHash-SHA256": 1991,
        "domain": 70
      },
      "indicator_count": 2063,
      "is_author": false,
      "is_subscribing": null,
      "subscriber_count": 73,
      "modified_text": "731 days ago ",
      "is_modified": false,
      "groups": [],
      "in_group": false,
      "threat_hunter_scannable": true,
      "threat_hunter_has_agents": 1,
      "related_indicator_type": "domain",
      "related_indicator_is_active": 1
    },
    {
      "id": "6605781ad51380e5b1c22815",
      "name": "haul from the last two weeks of wrangling - presumed malware and IOC's found on my personal devices",
      "description": "nearing the two year mark of the first initial attack - unfortunately OTX was only able to pull domains from the large majority of files uploaded which seems to be a built in anti-debug feature and goes with the theme and \"look & feel\" of this latest iteration being that most of them were somehow someway remote and acting as a net file system on my machine",
      "modified": "2024-04-27T02:04:29.606000",
      "created": "2024-03-28T14:00:58.809000",
      "tags": [
        "dddf",
        "target",
        "dddj",
        "path",
        "base o",
        "base",
        "backupfile",
        "base rw",
        "exit",
        "date",
        "hell",
        "gnu libtool",
        "please do",
        "linker",
        "lsmime3 lnss3",
        "lplc4 lnspr4",
        "ludev",
        "directory",
        "lmagic ljansson",
        "feugiat",
        "lorem ipsum",
        "nulla facilisi",
        "malesuada",
        "etiam tempor",
        "suspendisse",
        "consectetur",
        "bibendum",
        "amet",
        "eget aliquet",
        "basesectors",
        "date echo",
        "default",
        "label",
        "kernel",
        "append rhgb",
        "clsid",
        "systemroot",
        "webbrowser",
        "ispell",
        "imagemagick",
        "flex",
        "zle c",
        "whois",
        "locate",
        "rubber",
        "chown",
        "ruby",
        "ninja",
        "pacman",
        "restart",
        "kill",
        "django",
        "mark",
        "repl",
        "service",
        "term",
        "mkdir",
        "borg",
        "black",
        "conan",
        "dolphin",
        "dotnet",
        "hello",
        "john",
        "generic",
        "find",
        "shutdown",
        "mozilla",
        "first",
        "subsystem",
        "action",
        "goto",
        "load",
        "devtype",
        "idnetdriver",
        "drivers",
        "program",
        "interface",
        "nmunmanaged",
        "ethernet",
        "mac prefix",
        "attr",
        "virtualbox host",
        "mac address",
        "interface name",
        "hello world",
        "unit",
        "timer",
        "onbootsec5min",
        "install",
        "wait online",
        "networkmanager",
        "edit",
        "note",
        "typeoneshot",
        "cloud",
        "optin",
        "helper",
        "for testing",
        "only",
        "restrict",
        "grant",
        "enable debug",
        "trace",
        "killmodeprocess",
        "typedbus",
        "reload",
        "capdacoverride",
        "dhcp etc",
        "include",
        "yara",
        "cflags",
        "libs",
        "xxx remove",
        "the author",
        "this software",
        "isc license",
        "copyright",
        "schlueter",
        "permission",
        "software is",
        "provided",
        "as is",
        "disclaims all",
        "direct",
        "require",
        "semver",
        "comparator",
        "range",
        "releasetypes",
        "simple",
        "tilde",
        "09azaz",
        "prerelease",
        "same",
        "beta",
        "semverrangesgtr",
        "semverrangesltr",
        "coerce version",
        "ranges",
        "alpha",
        "standalone",
        "exits",
        "null",
        "false",
        "reverse",
        "compare",
        "a javascript",
        "copyright isaac",
        "typeerror",
        "maxsafeinteger",
        "maxlength",
        "break",
        "error",
        "number",
        "drop",
        "same direction",
        "symbol",
        "comp",
        "const",
        "caret",
        "flagloose",
        "xrange",
        "parse",
        "identifier",
        "object",
        "match",
        "string",
        "walk",
        "manually",
        "stop",
        "highhaspre",
        "major",
        "minor",
        "patch",
        "istanbul",
        "preminor",
        "index",
        "regexp",
        "build metadata",
        "meaning",
        "replace",
        "token",
        "zero",
        "star",
        "infinity",
        "return",
        "a cache",
        "build status",
        "coverage status",
        "the same",
        "options",
        "before",
        "lrulist",
        "cache",
        "length",
        "dispose",
        "maxage",
        "allowstale",
        "nodisposeonset",
        "yallist",
        "node",
        "array",
        "head",
        "function",
        "tail",
        "start",
        "insert",
        "just",
        "node object",
        "barbar",
        "array method",
        "default export",
        "any comparator",
        "complex range",
        "simple range",
        "c1 c2",
        "outer",
        "every simple",
        "ecomp",
        "must",
        "clone",
        "case",
        "ignore",
        "setmin",
        "determine",
        "version",
        "typeof",
        "contribute",
        "status",
        "node package",
        "manager",
        "benchmark suite",
        "installation",
        "direct download",
        "ql https",
        "node version",
        "usage",
        "project",
        "calendar",
        "package",
        "source",
        "license",
        "source form",
        "perl foundation",
        "distributor fee",
        "distribute",
        "standard",
        "neither",
        "module",
        "basecommand",
        "lifecyclecmd",
        "base command",
        "pacote",
        "browser",
        "workspace",
        "pkgname",
        "await",
        "boolean",
        "base class",
        "wrapwidth",
        "chalk",
        "command",
        "config",
        "npmcliconfig",
        "logfile",
        "timers",
        "display",
        "location",
        "audit",
        "arboristcmd",
        "arborist",
        "global",
        "whoami",
        "async",
        "json",
        "view",
        "pref",
        "pckmnt",
        "resolve",
        "utf8",
        "libnpmversion",
        "unstar",
        "update",
        "save",
        "omit",
        "packagelock",
        "dryrun",
        "force",
        "libnpmaccess",
        "spec",
        "uninstall",
        "todo",
        "enoent",
        "enotdir",
        "test",
        "scriptshell",
        "scope",
        "team",
        "create",
        "user",
        "libnpmteam",
        "destroy",
        "table",
        "list",
        "cidr",
        "stars",
        "eneedauth",
        "shrinkwrap",
        "rename",
        "npmcliarborist",
        "value",
        "unicode",
        "sbom",
        "cyclonedx",
        "build",
        "sbomformats",
        "response",
        "software bill",
        "look",
        "script",
        "runscript",
        "indent",
        "root",
        "minipass",
        "search",
        "pipeline",
        "filterstream",
        "libnpmsearch",
        "long",
        "grab",
        "packageurlcmd",
        "repo",
        "info",
        "repo const",
        "rebuild",
        "reifycmd",
        "publish",
        "libnpmpack",
        "npmclirunscript",
        "prune",
        "remove",
        "prefix",
        "args",
        "queryable",
        "packagejson",
        "pong",
        "cleanurl",
        "registry",
        "pack",
        "load tarball",
        "noise",
        "query",
        "edge",
        "etarget",
        "e403",
        "e404",
        "outdated",
        "homepage",
        "developer",
        "admin",
        "owner",
        "libnpmorg",
        "npmfetch",
        "logout",
        "getauth",
        "invalid",
        "parent",
        "depth",
        "type",
        "filteredby",
        "dedupe",
        "problems",
        "login",
        "link",
        "util",
        "installcitest",
        "runs",
        "prop",
        "password",
        "profile",
        "mode",
        "email",
        "twitter",
        "hook",
        "libnpmhook",
        "init",
        "wpath",
        "installtest",
        "complete",
        "globaltop",
        "help",
        "viewer",
        "glob",
        "pattern",
        "file",
        "globify",
        "explore",
        "shell",
        "handle",
        "fund",
        "which",
        "fundingsource",
        "archy",
        "explain",
        "helpsearch",
        "text",
        "part",
        "editor",
        "editor const",
        "childprocess",
        "check",
        "nodemodules",
        "docs",
        "promisify",
        "doctor",
        "cacache",
        "mask",
        "win32",
        "disttag",
        "packagespec",
        "semver range",
        "delete",
        "diff",
        "workspacepath",
        "actualtree",
        "libnpmdiff",
        "deprecate",
        "message",
        "write",
        "clean",
        "spawn",
        "compline",
        "comppoint",
        "compcword",
        "epipe",
        "completion",
        "compfish",
        "os x",
        "bugs",
        "report",
        "adduser",
        "exec",
        "libnpmexec",
        "localprefix",
        "runpath",
        "skip",
        "public key",
        "npmauditreport",
        "access",
        "item",
        "finddupes",
        "syntaxerror",
        "getcli",
        "eventemitter",
        "abort",
        "ssri",
        "columnify",
        "bundled",
        "tarball details",
        "sha1",
        "daily",
        "latest",
        "check daily",
        "weekly",
        "cyclonedxschema",
        "cyclonedxformat",
        "proppath",
        "propbundled",
        "propdevelopment",
        "propextraneous",
        "propprivate",
        "refvcs",
        "refwebsite",
        "crypto",
        "readpassword",
        "readusername",
        "reademail",
        "enter",
        "enter otp",
        "otpprompt",
        "afaf09",
        "passwordprompt",
        "auditerror",
        "getfundinginfo",
        "json output",
        "data",
        "append",
        "maybeindex",
        "ontimeend",
        "name",
        "returns",
        "noassertion",
        "spdxidentifer",
        "spdxdatalicense",
        "reldescribes",
        "reldep",
        "reftypepurl",
        "spdxid",
        "eotp",
        "e401",
        "setinterval",
        "npmlog",
        "proclog",
        "maxlogsperfile",
        "fsminipass",
        "open",
        "colmax",
        "colmin",
        "colgutter",
        "quick help",
        "convert",
        "b return",
        "mb return",
        "gb return",
        "sigint",
        "readline",
        "prompt",
        "promise",
        "eresolve error",
        "overridden",
        "peer",
        "extraneous",
        "optional",
        "isworkspace",
        "maxlen",
        "code",
        "unfinished",
        "notice",
        "isshellout",
        "matcherrorcode",
        "devnull",
        "npmcompletion",
        "compwords",
        "compreply",
        "o default",
        "f npmcompletion",
        "ifs compadd",
        "fish shell",
        "l cmd",
        "taken",
        "comp stuff",
        "lx compline",
        "abbrev",
        "please",
        "enyi",
        "json version",
        "cygwin",
        "c1 control",
        "numbers",
        "x09 x0a",
        "10000",
        "nodemodulesnpm",
        "builtin",
        "npmrc",
        "notsup",
        "notarget",
        "nospc",
        "rofs",
        "author",
        "npmclifs",
        "minimatch",
        "pathtofoo",
        "relative",
        "synopsis",
        "description",
        "field",
        "person",
        "configuration",
        "whether",
        "premajor",
        "prepatch",
        "prevents",
        "run git",
        "upgrade",
        "examples",
        "will",
        "shareman",
        "cidr whitelist",
        "please refer",
        "tokenid",
        "eslint",
        "c eslint",
        "compatibility",
        "older",
        "versions",
        "nodeoptions",
        "details",
        "output",
        "example",
        "posix",
        "unstarring",
        "lcall",
        "starring",
        "lock",
        "materials",
        "spdx",
        "lodash",
        "nodeenv",
        "initcwd",
        "boolean set",
        "boolean tells",
        "windows",
        "unix",
        "selector",
        "use cases",
        "queries",
        "equivalent",
        "boolean show",
        "nocolor environ",
        "cli look",
        "boolean force",
        "dependency",
        "json object",
        "production",
        "files",
        "cicd system",
        "property",
        "change",
        "url opener",
        "basic auth",
        "allow",
        "description a",
        "removes",
        "semvermajor",
        "ping https",
        "ping http",
        "found",
        "get http",
        "example add",
        "json format",
        "handy",
        "display prefix",
        "g usrlocal",
        "mycorp",
        "associate",
        "deprecated",
        "libnodemodules",
        "caveat note",
        "workspace usage",
        "string override",
        "tarball",
        "githubrepo",
        "initializer",
        "usrfoo",
        "forwarding",
        "suppose",
        "commandsnpm",
        "hooks",
        "url endpoint",
        "browse",
        "consider",
        "ci environment",
        "string optional",
        "promzard",
        "top level",
        "expect",
        "javascript",
        "it staff",
        "https",
        "cli team",
        "ecmascript",
        "readme",
        "package current",
        "latest location",
        "depended",
        "git repos",
        "git dependency",
        "newest version",
        "modify package",
        "description add",
        "show",
        "purpose tags",
        "tags",
        "keyvalue",
        "16 16",
        "boolean ignore",
        "boolean do",
        "string source",
        "treat",
        "example make",
        "grep",
        "travis ci",
        "details npm",
        "localappdata",
        "tab completion",
        "bulk advisory",
        "sha256publickey",
        "endpoint",
        "quick audit",
        "set access",
        "that user",
        "scoped",
        "python",
        "description npm",
        "node javascript",
        "important npm",
        "introduction",
        "c code",
        "unix system",
        "integrity",
        "provide",
        "facilitate",
        "cli tool",
        "handling old",
        "lockfiles",
        "file format",
        "legacy",
        "urls",
        "spdx license",
        "most",
        "barney rubble",
        "specify",
        "github",
        "dependencies",
        "github urls",
        "node installer",
        "linux",
        "overview",
        "windows node",
        "prefixetcnpmrc",
        "variablename",
        "home",
        "comments",
        "peruser config",
        "global config",
        "builtin config",
        "auth",
        "cycles",
        "local install",
        "global install",
        "appdata",
        "below",
        "please note",
        "stage",
        "after",
        "life cycle",
        "runs after",
        "post scripts",
        "scripts",
        "slate",
        "synopsis so",
        "rf usrlocal",
        "modules",
        "with",
        "laf usrlocal",
        "l npm",
        "description all",
        "installing",
        "myorgmypackage",
        "requiring",
        "publishing",
        "private modules",
        "scopes",
        "apis",
        "auth related",
        "does",
        "package name",
        "aliases",
        "folders",
        "os equivalent",
        "tarballs",
        "teams",
        "orgs",
        "super admin",
        "team admins",
        "developer guide",
        "description so",
        "be explicit",
        "blank",
        "standard glob",
        "link packages",
        "syntax",
        "selectors",
        "querying",
        "log file",
        "location all",
        "log levels",
        "information",
        "headers",
        "logs",
        "alias",
        "certificate",
        "format",
        "docext",
        "content",
        "descriptions",
        "shorthands",
        "keyb",
        "print",
        "dir1",
        "manual",
        "input",
        "line",
        "process",
        "display help",
        "dirs",
        "get contents",
        "maxdepth",
        "contents",
        "u2665 bxe5r",
        "ud834udf06 baz",
        "single",
        "cssesc",
        "usage arborist",
        "commands",
        "options most",
        "npm install",
        "npm rm",
        "time",
        "silent",
        "fetch",
        "conf",
        "handler",
        "extract",
        "additional",
        "jackspeak",
        "jack",
        "glob v",
        "expand",
        "drive letter",
        "never",
        "true",
        "rob browning",
        "gnu library",
        "general",
        "public license",
        "license file",
        "future import",
        "adderror",
        "cdfq",
        "charles levert",
        "egrep",
        "egrepegrep",
        "fgrepfgrep",
        "grepgrep",
        "svr4 grepegrep",
        "times",
        "attributeerror",
        "fixcygwinid",
        "enhanced",
        "false try",
        "false assert",
        "tsns",
        "inetaddress",
        "none",
        "return value",
        "unixaddress",
        "localrepo",
        "httpserver",
        "valueerror",
        "resourcepath",
        "exception",
        "eoferror",
        "c version",
        "bytesio",
        "offset",
        "binary",
        "ascii",
        "baseversion",
        "commit",
        "throw",
        "in n",
        "send",
        "data end",
        "if 10",
        "copy",
        "send logoutn",
        "exitatoi",
        "tmplink",
        "lcallc binls",
        "varlogsetup rm",
        "sf tmp",
        "slackware",
        "system console",
        "entry",
        "ansi mode",
        "b007e",
        "slackware ftp",
        "cdrom",
        "miquel van",
        "smoorenburg",
        "okay",
        "minix",
        "fixme",
        "overwrite",
        "connect",
        "ssh connection",
        "subcmd",
        "bbupttywidth",
        "bupforcetty",
        "hashsplitter",
        "b options",
        "false def",
        "hack",
        "kbytesr",
        "srcpath",
        "tmptagfiles",
        "device",
        "tmpreply",
        "reply",
        "including",
        "but not",
        "quotesplit",
        "quoteerror",
        "not word",
        "split line",
        "mainselect",
        "tpxetcfstab",
        "select",
        "slackware linux",
        "varlogmount",
        "anything",
        "tmpswapmsg",
        "swappart",
        "ndir",
        "swaplist",
        "tmpsetswap",
        "linux swap",
        "swap space",
        "redir",
        "linux fdisk",
        "tmptmpscript",
        "eof fi",
        "instsets",
        "gnome",
        "tmpsetds",
        "tmpsetseries",
        "gnu emacs",
        "gnome desktop",
        "linux kernel",
        "k desktop",
        "uucp",
        "tmp fi",
        "tmpsettpx",
        "tpxetcshadow",
        "root password",
        "detected",
        "internet",
        "press",
        "linux native",
        "partitions",
        "tmpreturn",
        "nodes",
        "nextpartition",
        "rootdevice",
        "mtpt",
        "size",
        "formatting",
        "doformat",
        "main",
        "done",
        "sourcemedia",
        "tmpmedia",
        "source media",
        "selection",
        "slackware cd",
        "network file",
        "tmpsetreturn",
        "maketag",
        "choice",
        "mount",
        "tagext",
        "tmpsetnewtag",
        "tmpsettagmake",
        "sorry",
        "tmpsetkeymap",
        "mapname",
        "moorhead",
        "keyboard map",
        "us keyboard",
        "updown",
        "copying",
        "kernel chmod",
        "kernel rdev",
        "lilo",
        "fullerr",
        "tmpsettestfull",
        "partition full",
        "setup",
        "altf2",
        "slackware setup",
        "dospart",
        "newdir",
        "tmptempscript",
        "tmpsetdos",
        "partition",
        "ntfs",
        "doslist",
        "installscripts",
        "tpxproc",
        "atapi cd",
        "kerberos",
        "file transfer",
        "iana",
        "appletalk",
        "network",
        "control",
        "secure shell",
        "chat",
        "contact",
        "prospero",
        "outtag",
        "outshift",
        "if 30",
        "conn",
        "setmode",
        "dumb",
        "smart",
        "clienterror",
        "rather",
        "stopiteration",
        "firstexclusion",
        "appendcommit",
        "firstbranchitem",
        "filterbranch",
        "origtip",
        "oldnew",
        "remoterepo",
        "group",
        "prevpath",
        "sisdir import",
        "dangerous",
        "count",
        "subcount",
        "ioerror",
        "oserror",
        "gitmodetree",
        "gitmodefile",
        "gitmodesymlink",
        "stack",
        "nonlocal",
        "revision",
        "presdir",
        "admdirpackages",
        "warn",
        "tmprequiredlist",
        "trigger",
        "arch",
        "procscsiscsi",
        "luns",
        "scsi",
        "ax1b",
        "skript",
        "scsi bus",
        "kurt garloff",
        "gnu gpl",
        "ieee1394",
        "l found0",
        "nextrepoid",
        "repoid",
        "realpath",
        "usb keyboard",
        "d libmodules",
        "nousb",
        "procbususb a",
        "procbususb fi",
        "load input",
        "q input",
        "inet system",
        "hostname",
        "attach",
        "etcmotd",
        "newdisk",
        "scan",
        "slackkernel",
        "ram disk",
        "r sbp2",
        "r ieee1394",
        "firewire",
        "noieee1394",
        "q ieee1394",
        "attempt",
        "use f",
        "none def",
        "return password",
        "return none",
        "passwd",
        "nametopwdcache",
        "gidtogrpcache",
        "nametogrpcache",
        "tagfile",
        "prompt mode",
        "help software",
        "less",
        "removepkg",
        "gnu cc",
        "linux source",
        "pkgtool",
        "proccmdline",
        "termvt100",
        "termlinux",
        "homeroot lessmm",
        "ps1u",
        "home path",
        "display less",
        "term ps1",
        "kind",
        "branch",
        "period",
        "tmpsetfdisk",
        "minor elif",
        "smashedline",
        "l dev",
        "tmpsetfdisk fi",
        "probe",
        "mylex",
        "raid",
        "disksets",
        "packagedir",
        "blurb",
        "sourcedir",
        "tmptmpmsg",
        "tmptagfile",
        "media",
        "pcmcia",
        "umountcdrom",
        "o ro",
        "floppy",
        "pcmcia andor",
        "cardbus",
        "usedflopfalse",
        "libdir",
        "libdir exedir",
        "bcmd",
        "exedir",
        "openssl set",
        "packageversion",
        "versiongreater",
        "invert",
        "optdict",
        "intify",
        "limited to",
        "sockets layer",
        "argv",
        "normally",
        "shutwr",
        "sigexception",
        "demuxconn",
        "pipe import",
        "demultiplex",
        "openssl",
        "debug",
        "opensslversion",
        "static imported",
        "target openssl",
        "cmake",
        "shared imported",
        "fatalerror",
        "obex",
        "import",
        "stringio import",
        "obex service",
        "bdaddr channeln",
        "ascii character",
        "alength",
        "notfoundreturn",
        "use nis",
        "nis version",
        "name service",
        "switch config",
        "legal",
        "use dns",
        "domain name",
        "os2 boot",
        "os2 fdisk",
        "partition magic",
        "boot manager",
        "tcpip subsystem",
        "nfs install",
        "network support",
        "make",
        "sample file",
        "zip disk",
        "zip drive",
        "first scsi",
        "first ide",
        "atari",
        "solaris",
        "drive x",
        "zip100",
        "linkdir",
        "linkdir fi",
        "tmp directory",
        "asap",
        "linkdir tmp",
        "indexerror",
        "want",
        "midxversion",
        "wrapper",
        "multiple index",
        "filename",
        "desiredhwm",
        "domidx",
        "exitstack",
        "total",
        "option",
        "c option",
        "vmsize",
        "vmrss",
        "vmdata",
        "vmstk",
        "majflt",
        "september",
        "guess object",
        "longmatch",
        "raid device",
        "devrd",
        "devname",
        "concord",
        "applyerror",
        "metadata",
        "einval",
        "macos",
        "frozen",
        "fifo",
        "common code",
        "faildelay",
        "faillogenab",
        "logunkfailenab",
        "logoklogins",
        "lastlogenab",
        "mailcheckenab",
        "quotasenab",
        "syslogsuenab",
        "syslogsgenab",
        "console console",
        "ttywidth",
        "baseexception",
        "pythonpath",
        "pipe",
        "sigismember",
        "xdropaqueauth",
        "libcpvalloc",
        "rtld",
        "gnu c",
        "library",
        "free software",
        "foundation",
        "gnu lesser",
        "general public",
        "merchantability",
        "refs",
        "keyerror",
        "important",
        "carefully",
        "kwargs",
        "super",
        "true result",
        "priority",
        "pmsg",
        "crunch",
        "tmptempmsg",
        "localnetmask",
        "localipaddr",
        "upnrun",
        "ip address",
        "localgateway",
        "kversion",
        "eof dialog",
        "tmpmask",
        "localnetwork",
        "slackdevice",
        "fgrep",
        "ftp site",
        "tmpsetmount",
        "reboot machine",
        "tmpwhichdrv",
        "tmpsetmount cat",
        "select floppy",
        "drive",
        "tmptempmsg exit",
        "tmptempmsg mv",
        "tmpsourcedir",
        "drivefound",
        "cddvd",
        "rdir",
        "cddvd drive",
        "tmpsetcddev",
        "ide bus",
        "tmperrordo exit",
        "third",
        "login binsh",
        "l ttys0",
        "l ttys1",
        "x0 s",
        "reboot",
        "stuff",
        "bupdir",
        "iterhelper",
        "next",
        "none d",
        "indexhdr",
        "ixexists",
        "ixhashvalid",
        "ixshamissing",
        "indexsig",
        "entlen",
        "footersig",
        "tmpdir",
        "experimental",
        "bdupcache",
        "brestore",
        "bindex",
        "agulbra",
        "tcpip",
        "linux box",
        "hlinkdb",
        "verify",
        "maxpertree",
        "bupblobbits",
        "buptreeblobbits",
        "giterror",
        "mpicount",
        "bupnormal",
        "bupchunked",
        "refresh",
        "close",
        "dump",
        "dest",
        "commonargs",
        "ref dest",
        "pick",
        "btree",
        "missingobject",
        "bloom filter",
        "existingcount",
        "idxlivecount",
        "ram budget",
        "bupfs",
        "importerror",
        "fuse",
        "verbose",
        "fakemetadata",
        "fsdecode",
        "ptraceerror",
        "ptracesetregs",
        "cpu64bits",
        "ptraceattach",
        "ptracedetach",
        "ptracesyscall",
        "cpuwordsize",
        "runningbsd",
        "ext2",
        "proc proc",
        "commanderror",
        "optionerror",
        "lcctype",
        "iso88591",
        "localrepo repo",
        "sbine2fsck",
        "bfailed",
        "elif",
        "bcanary",
        "posix acls",
        "linux partition",
        "move",
        "pgdnspace",
        "olargefile",
        "onofollow",
        "xdev",
        "xdevxdev",
        "dirlist",
        "prepend",
        "cyan",
        "white",
        "blue",
        "dialog box",
        "yellow",
        "active button",
        "inactive button",
        "search box",
        "input box",
        "green",
        "excluderxs",
        "doit",
        "s seed",
        "this command",
        "is extremely",
        "dangerous n",
        "chunksize",
        "socket",
        "return hex",
        "supports python",
        "rethrow",
        "hostrs",
        "bnone",
        "bload",
        "branchpath",
        "snapshotroot",
        "snapshot",
        "tmpidx",
        "bashsource",
        "bashlineno",
        "int dryrun",
        "importing",
        "ux f",
        "sbinbrc",
        "eof binsync",
        "unmounting file",
        "devnull echo",
        "rest",
        "first assert",
        "existing",
        "restcount",
        "none path",
        "maxbloombits",
        "bloomversion",
        "maxbitseach",
        "discussion",
        "k4 k5",
        "k6 k7",
        "k8 k9",
        "rvatoi",
        "exitrv",
        "exit 1",
        "noblock",
        "sisdir",
        "sislnk",
        "writetree",
        "rawtreeitem",
        "splittreeitem",
        "metadataro",
        "meta",
        "builtmodulename",
        "dkms",
        "packagename",
        "autoinstall",
        "kernelrelease",
        "kbuild",
        "kerneluname",
        "implementation",
        "murmurhash3",
        "jens taylor",
        "gary court",
        "austin appleby",
        "typeof h",
        "later",
        "tls1",
        "fbtfr",
        "fbfr",
        "apache http",
        "fbefr",
        "fbhfr",
        "fbabfr",
        "http",
        "keepalive",
        "sandbox",
        "malware",
        "analysis",
        "online",
        "submit",
        "vxstream",
        "sample",
        "download",
        "trojan",
        "apt",
        "runtime data",
        "ansi",
        "getprocaddress",
        "access type",
        "ck id",
        "observed ja3",
        "mitre att",
        "show technique",
        "suspicious",
        "hybrid",
        "click",
        "delphi",
        "strings",
        "malicious",
        "february",
        "middle",
        "exploit",
        "gameover",
        "hybrid analysis",
        "api key",
        "vetting process",
        "ck matrix",
        "accept",
        "memoryfile scan",
        "invalid octet",
        "falcon sandbox",
        "tmpp59thrck",
        "informative",
        "name tactics"
      ],
      "references": [
        "itl-logo.txt",
        "empty.exe",
        "libnm.la",
        "libyara.la",
        "sunjava_map.xml",
        "lorem.txt",
        "stage2",
        "q\u00e9\u00d5?e\u00ac\u00d2\u00b6.\u000f\u001c\u00cc",
        "syslinux.cfg",
        "x.jnlp",
        "desktop.ini",
        "a.txt",
        "a.txt:ads.txt",
        "dir:ads.txt",
        "b.txt:ads.txt",
        "no_ads.txt",
        ".:ads.txt",
        "b.txt",
        "nm-shared.xml",
        ".zcompdump-m1904-5.9",
        ".zcompdump",
        "90-nm-thunderbolt.rules",
        "84-nm-drivers.rules",
        "85-nm-unmanaged.rules",
        "???? ????????.txt",
        "notes.txt",
        "notes.txt:ads",
        "nm-cloud-setup.timer",
        "NetworkManager-wait-online.service",
        "nm-cloud-setup.service",
        "nm-priv-helper.service",
        "NetworkManager-dispatcher.service",
        "NetworkManager.service",
        "NetworkManager-ovs.conf",
        "nm-pppd-plugin.la",
        "yara.pc",
        "libnm.pc",
        "preload.js",
        "LICENSE",
        "index.js",
        "range.bnf",
        "package.json",
        "README.md",
        "semver.js",
        "comparator.js",
        "range.js",
        "valid.js",
        "sort.js",
        "satisfies.js",
        "rsort.js",
        "rcompare.js",
        "prerelease.js",
        "patch.js",
        "neq.js",
        "minor.js",
        "major.js",
        "lt.js",
        "inc.js",
        "parse.js",
        "gt.js",
        "eq.js",
        "gte.js",
        "compare-loose.js",
        "compare.js",
        "clean.js",
        "cmp.js",
        "coerce.js",
        "compare-build.js",
        "diff.js",
        "lte.js",
        "parse-options.js",
        "identifiers.js",
        "debug.js",
        "constants.js",
        "re.js",
        "yallist.js",
        "iterator.js",
        "subset.js",
        "to-comparators.js",
        "outside.js",
        "min-version.js",
        "min-satisfying.js",
        "max-satisfying.js",
        "ltr.js",
        "simplify.js",
        "intersects.js",
        "gtr.js",
        "npmrc",
        "cli.js",
        "lifecycle-cmd.js",
        "cli-entry.js",
        "package-url-cmd.js",
        "base-command.js",
        "npm.js",
        "arborist-cmd.js",
        "whoami.js",
        "view.js",
        "version.js",
        "unstar.js",
        "update.js",
        "unpublish.js",
        "uninstall.js",
        "test.js",
        "team.js",
        "stop.js",
        "start.js",
        "token.js",
        "stars.js",
        "shrinkwrap.js",
        "set.js",
        "star.js",
        "sbom.js",
        "run-script.js",
        "root.js",
        "search.js",
        "repo.js",
        "restart.js",
        "rebuild.js",
        "publish.js",
        "prune.js",
        "prefix.js",
        "pkg.js",
        "ping.js",
        "pack.js",
        "query.js",
        "outdated.js",
        "org.js",
        "owner.js",
        "logout.js",
        "ls.js",
        "ll.js",
        "login.js",
        "link.js",
        "install-ci-test.js",
        "profile.js",
        "hook.js",
        "init.js",
        "install-test.js",
        "install.js",
        "help.js",
        "explore.js",
        "fund.js",
        "explain.js",
        "help-search.js",
        "get.js",
        "edit.js",
        "docs.js",
        "doctor.js",
        "dist-tag.js",
        "dedupe.js",
        "deprecate.js",
        "ci.js",
        "config.js",
        "completion.js",
        "bugs.js",
        "adduser.js",
        "exec.js",
        "audit.js",
        "access.js",
        "cache.js",
        "find-dupes.js",
        "validate-engines.js",
        "web-auth.js",
        "tar.js",
        "update-notifier.js",
        "sbom-cyclonedx.js",
        "replace-info.js",
        "read-user-info.js",
        "reify-output.js",
        "queryable.js",
        "timers.js",
        "validate-lockfile.js",
        "sbom-spdx.js",
        "otplease.js",
        "pulse-till-done.js",
        "log-shim.js",
        "log-file.js",
        "npm-usage.js",
        "get-identity.js",
        "format-bytes.js",
        "open-url-prompt.js",
        "explain-eresolve.js",
        "explain-dep.js",
        "exit-handler.js",
        "open-url.js",
        "did-you-mean.js",
        "completion.sh",
        "completion.fish",
        "cmd-list.js",
        "auth.js",
        "audit-error.js",
        "is-windows.js",
        "display.js",
        "reify-finish.js",
        "error-message.js",
        "format-search-stream.js",
        "installed-shallow.js",
        "installed-deep.js",
        "update-workspaces.js",
        "get-workspaces.js",
        "npm-view.md",
        "npm-version.md",
        "npm-uninstall.md",
        "npm-token.md",
        "npx.md",
        "npm-team.md",
        "npm-stop.md",
        "npm-unstar.md",
        "npm-start.md",
        "npm-star.md",
        "npm-test.md",
        "npm-shrinkwrap.md",
        "npm-stars.md",
        "npm-sbom.md",
        "npm-root.md",
        "npm-run-script.md",
        "npm-restart.md",
        "npm-rebuild.md",
        "npm-query.md",
        "npm-search.md",
        "npm-prune.md",
        "npm-publish.md",
        "npm-profile.md",
        "npm-repo.md",
        "npm-whoami.md",
        "npm-pkg.md",
        "npm-pack.md",
        "npm-ping.md",
        "npm-org.md",
        "npm-owner.md",
        "npm-prefix.md",
        "npm-login.md",
        "npm-logout.md",
        "npm-link.md",
        "npm-install-ci-test.md",
        "npm-install.md",
        "npm-init.md",
        "npm-update.md",
        "npm-help-search.md",
        "npm-hook.md",
        "npm-help.md",
        "npm-find-dupes.md",
        "npm-explore.md",
        "npm-unpublish.md",
        "npm-exec.md",
        "npm-ls.md",
        "npm-edit.md",
        "npm-doctor.md",
        "npm-fund.md",
        "npm-outdated.md",
        "npm-docs.md",
        "npm-dist-tag.md",
        "npm-config.md",
        "npm-diff.md",
        "npm-ci.md",
        "npm-cache.md",
        "npm-bugs.md",
        "npm-completion.md",
        "npm-audit.md",
        "npm-access.md",
        "npm.md",
        "npm-install-test.md",
        "npm-adduser.md",
        "npm-dedupe.md",
        "package-lock-json.md",
        "package-json.md",
        "npm-shrinkwrap-json.md",
        "install.md",
        "npmrc.md",
        "folders.md",
        "workspaces.md",
        "scripts.md",
        "removal.md",
        "scope.md",
        "registry.md",
        "package-spec.md",
        "orgs.md",
        "developers.md",
        "dependency-selectors.md",
        "logging.md",
        "config.md",
        "node-which",
        "mkdirp",
        "qrcode-terminal",
        "installed-package-contents",
        "cssesc",
        "color-support",
        "arborist",
        "pacote",
        "glob",
        "empty",
        "xstat (2).py",
        "zgrep",
        "xstat.py",
        "wtmp",
        "web.py",
        "vt300",
        "vt300 (2)",
        "vt100 (3)",
        "vt100",
        "vint.py",
        "version (2).py",
        "version.py",
        "vdecmd",
        "unmigrate (2).sh",
        "unmigrate.sh",
        "tick.py",
        "termcap (2)",
        "termcap",
        "tag.py",
        "syslinux (2).cfg",
        "syslog.conf",
        "syslog (2).conf",
        "styles.css",
        "stdcrt (2)",
        "std (2)",
        "stage2 (3)",
        "stage2 (2)",
        "std",
        "ssh.py",
        "source_info.py",
        "split.py",
        "slackinstall",
        "stdcrt",
        "shells",
        "shells (2)",
        "shquote.py",
        "shadow (2)",
        "shadow",
        "setup (2)",
        "SeTswap (2)",
        "SeTPKG (2)",
        "setup",
        "SeTswap",
        "SeTpasswd (2)",
        "SeTpasswd",
        "SeTnopart (2)",
        "SeTpartitions (2)",
        "SeTnopart",
        "SeTPKG",
        "SeTmedia (2)",
        "SeTpartitions",
        "SeTmedia",
        "SeTmaketag",
        "slackinstall (2)",
        "SeTkeymap (2)",
        "SeTmaketag (2)",
        "SeTkernel",
        "SeTfull (2)",
        "SeTkernel (2)",
        "SeTfull",
        "SeTfdHELP",
        "SeTfdHELP (2)",
        "SeTkeymap",
        "SeTDOS (2)",
        "SeTconfig (2)",
        "services (2)",
        "SeTDOS",
        "SeTconfig",
        "services",
        "sendcmd.rc",
        "securetty (2)",
        "securetty",
        "server.py",
        "rm.py",
        "restore.py",
        "rm (2).py",
        "save.py",
        "removepkg",
        "rescan-scsi-bus",
        "removepkg (2)",
        "README (2)",
        "README",
        "repo.py",
        "rc.usb",
        "rc.inet1",
        "rc.S",
        "rc.ieee1394",
        "random.py",
        "pwdgrp.py",
        "PROMPThelp (2)",
        "profile (2)",
        "prune_older.py",
        "profile",
        "probe (2)",
        "probe",
        "pkgtool",
        "pkgtool (2)",
        "pcmcia",
        "path.py",
        "passwd (2)",
        "passwd",
        "OpenSSLConfigVersion.cmake",
        "options.py",
        "PROMPThelp",
        "openssl.pc",
        "openmachine.rc",
        "on__server.py",
        "on.py",
        "OpenSSLConfig.cmake",
        "obexstress",
        "nsswitch (2).conf",
        "nsswitch.conf",
        "nopartHELP (2)",
        "nopartHELP",
        "networks (2)",
        "networks",
        "network",
        "mux.py",
        "mtools (2).conf",
        "mtools.conf",
        "mtab (2)",
        "mtab",
        "motd (2)",
        "motd",
        "modules.pcimap",
        "modules.pnpbiosmap",
        "modules.parportmap",
        "modules.usbmap",
        "modules.isapnpmap",
        "modules.ieee1394map",
        "modules.generic_string",
        "modules.dep",
        "migrate (2).sh",
        "migrate.sh",
        "midx.py",
        "midx (2).py",
        "meta.py",
        "memtest.py",
        "margin.py",
        "makedevs (2).sh",
        "makedevs.sh",
        "metadata.py",
        "ls (2).py",
        "ls.py",
        "login (2).defs",
        "main.py",
        "login.defs",
        "list_idx.py",
        "libssl.pc",
        "libnm-wwan.la",
        "libnm-ppp-plugin.la",
        "libnm-device-plugin-wwan.la",
        "libnm-device-plugin-wifi.la",
        "libnm-device-plugin-team.la",
        "libnm-device-plugin-bluetooth.la",
        "libnm-device-plugin-ovs.la",
        "libnm-device-plugin-adsl.la",
        "libcrypto.pc",
        "libc6-i386_2.31-0ubuntu6_amd64.url",
        "libc6-i386_2.31-0ubuntu6_amd64.info",
        "libc6-i386_2.30-4_amd64.url",
        "libc6-i386_2.31-0ubuntu6_amd64.symbols",
        "libc6-i386_2.30-4_amd64.info",
        "libc6-i386_2.30-4_amd64.symbols",
        "libc6-i386_2.30-0ubuntu2_amd64.url",
        "libc6-i386_2.30-0ubuntu2_amd64.info",
        "libc6-i386_2.30-0ubuntu2.1_amd64.url",
        "libc6-i386_2.30-0ubuntu2_amd64.symbols",
        "libc6-i386_2.30-0ubuntu2.1_amd64.info",
        "libc6-i386_2.29-0ubuntu2_amd64.url",
        "libc6-i386_2.29-0ubuntu2_amd64.symbols",
        "libc6-i386_2.29-0ubuntu2_amd64.info",
        "libc6-i386_2.28-10_amd64.url",
        "libc6-i386_2.28-10_amd64.info",
        "libc6-i386_2.28-10_amd64.symbols",
        "libc6-i386_2.28-0ubuntu1_amd64.symbols",
        "libc6-i386_2.28-0ubuntu1_amd64.info",
        "libc6-i386_2.27-3ubuntu1_amd64.url",
        "libc6-i386_2.27-3ubuntu1_amd64.symbols",
        "libc6-i386_2.28-0ubuntu1_amd64.url",
        "libc6-i386_2.27-3ubuntu1_amd64.info",
        "libc6-i386_2.26-0ubuntu2_amd64.url",
        "libc6-i386_2.26-0ubuntu2_amd64.info",
        "libc6-i386_2.26-0ubuntu2_amd64.symbols",
        "libc6-i386_2.26-0ubuntu2.1_amd64.url",
        "libc6-i386_2.26-0ubuntu2.1_amd64.info",
        "libc6-i386_2.24-11+deb9u4_amd64.url",
        "libc6-i386_2.30-0ubuntu2.1_amd64.symbols",
        "libc6-i386_2.26-0ubuntu2.1_amd64.symbols",
        "libc6-i386_2.24-9ubuntu2_amd64.symbols",
        "libc6-i386_2.24-11+deb9u4_amd64.symbols",
        "libc6-i386_2.24-9ubuntu2_amd64.url",
        "libc6-i386_2.24-9ubuntu2_amd64.info",
        "libc6-i386_2.24-9ubuntu2.2_amd64.url",
        "libc6-i386_2.24-9ubuntu2.2_amd64.symbols",
        "libc6-i386_2.24-9ubuntu2.2_amd64.info",
        "libc6-i386_2.24-3ubuntu2.2_amd64.url",
        "libc6-i386_2.24-3ubuntu2.2_amd64.info",
        "libc6-i386_2.24-3ubuntu2.2_amd64.symbols",
        "libc6-i386_2.24-3ubuntu1_amd64.url",
        "libc6-i386_2.23-0ubuntu11_amd64.url",
        "libc6-i386_2.24-3ubuntu1_amd64.symbols",
        "libc6-i386_2.24-3ubuntu1_amd64.info",
        "libc6-i386_2.23-0ubuntu11_amd64.symbols",
        "libc6-i386_2.23-0ubuntu11_amd64.info",
        "libc6-i386_2.23-0ubuntu10_amd64.url",
        "libc6-i386_2.23-0ubuntu10_amd64.symbols",
        "libc6-i386_2.23-0ubuntu10_amd64.info",
        "libc6-i386_2.23-0ubuntu3_amd64.symbols",
        "libc6-i386_2.23-0ubuntu3_amd64.info",
        "libc6-i386_2.21-0ubuntu4_amd64.url",
        "libc6-i386_2.23-0ubuntu3_amd64.url",
        "libc6-i386_2.21-0ubuntu4_amd64.info",
        "libc6-i386_2.21-0ubuntu4.3_amd64.url",
        "libc6-i386_2.21-0ubuntu4_amd64.symbols",
        "libc6-i386_2.21-0ubuntu4.3_amd64.info",
        "libc6-i386_2.19-18+deb8u10_amd64.url",
        "libc6-i386_2.19-18+deb8u10_amd64.symbols",
        "libc6-i386_2.19-18+deb8u10_amd64.info",
        "libc6-i386_2.19-10ubuntu2_amd64.url",
        "libc6-i386_2.19-10ubuntu2_amd64.symbols",
        "libc6-i386_2.21-0ubuntu4.3_amd64.symbols",
        "libc6-i386_2.19-10ubuntu2_amd64.info",
        "libc6-i386_2.19-10ubuntu2.3_amd64.symbols",
        "libc6-i386_2.24-11+deb9u4_amd64.info",
        "libc6-i386_2.19-0ubuntu6_amd64.url",
        "libc6-i386_2.19-10ubuntu2.3_amd64.url",
        "libc6-i386_2.19-10ubuntu2.3_amd64.info",
        "libc6-i386_2.19-0ubuntu6_amd64.info",
        "libc6-i386_2.19-0ubuntu6_amd64.symbols",
        "libc6-i386_2.19-0ubuntu6.15_amd64.info",
        "libc6-i386_2.19-0ubuntu6.15_amd64.url",
        "libc6-i386_2.19-0ubuntu6.15_amd64.symbols",
        "libc6-i386_2.17-93ubuntu4_amd64.url",
        "libc6-i386_2.17-93ubuntu4_amd64.info",
        "libc6-i386_2.17-0ubuntu5_amd64.url",
        "libc6-i386_2.17-93ubuntu4_amd64.symbols",
        "libc6-i386_2.17-0ubuntu5_amd64.info",
        "libc6-i386_2.17-0ubuntu5.1_amd64.url",
        "libc6-i386_2.17-0ubuntu5_amd64.symbols",
        "libc6-i386_2.17-0ubuntu5.1_amd64.symbols",
        "libc6-i386_2.17-0ubuntu5.1_amd64.info",
        "libc6-i386_2.15-0ubuntu20_amd64.url",
        "libc6-i386_2.15-0ubuntu20.2_amd64.url",
        "libc6-i386_2.15-0ubuntu20_amd64.symbols",
        "libc6-i386_2.15-0ubuntu20.2_amd64.info",
        "libc6-i386_2.15-0ubuntu20.2_amd64.symbols",
        "libc6-i386_2.15-0ubuntu10_amd64.info",
        "libc6-i386_2.15-0ubuntu10_amd64.url",
        "libc6-i386_2.15-0ubuntu20_amd64.info",
        "libc6-i386_2.15-0ubuntu10.18_amd64.url",
        "libc6-i386_2.15-0ubuntu10_amd64.symbols",
        "libc6-i386_2.15-0ubuntu10.18_amd64.info",
        "libc6-i386_2.13-20ubuntu5_amd64.url",
        "libc6-i386_2.13-20ubuntu5_amd64.info",
        "libc6-i386_2.13-20ubuntu5_amd64.symbols",
        "libc6-i386_2.13-20ubuntu5.3_amd64.url",
        "libc6-i386_2.13-20ubuntu5.3_amd64.info",
        "libc6-i386_2.13-20ubuntu5.2_amd64.url",
        "libc6-i386_2.13-20ubuntu5.3_amd64.symbols",
        "libc6-i386_2.15-0ubuntu10.18_amd64.symbols",
        "libc6-i386_2.13-20ubuntu5.2_amd64.info",
        "libc6-i386_2.13-0ubuntu13_amd64.url",
        "libc6-i386_2.13-0ubuntu13_amd64.info",
        "libc6-i386_2.13-20ubuntu5.2_amd64.symbols",
        "libc6-i386_2.13-0ubuntu13.2_amd64.url",
        "libc6-i386_2.13-0ubuntu13_amd64.symbols",
        "libc6-i386_2.12.1-0ubuntu10.4_amd64.url",
        "libc6-i386_2.13-0ubuntu13.2_amd64.info",
        "libc6-i386_2.12.1-0ubuntu10.4_amd64.info",
        "libc6-i386_2.13-0ubuntu13.2_amd64.symbols",
        "libc6-i386_2.12.1-0ubuntu6_amd64.info",
        "libc6-i386_2.11.1-0ubuntu7_amd64.url",
        "libc6-i386_2.12.1-0ubuntu6_amd64.symbols",
        "libc6-i386_2.12.1-0ubuntu10.4_amd64.symbols",
        "libc6-i386_2.12.1-0ubuntu6_amd64.url",
        "libc6-i386_2.11.1-0ubuntu7_amd64.info",
        "libc6-i386_2.11.1-0ubuntu7.21_amd64.info",
        "libc6-i386_2.11.1-0ubuntu7.21_amd64.symbols",
        "libc6-i386_2.11.1-0ubuntu7.12_amd64.url",
        "libc6-i386_2.11.1-0ubuntu7_amd64.symbols",
        "libc6-i386_2.11.1-0ubuntu7.11_amd64.url",
        "libc6-i386_2.11.1-0ubuntu7.21_amd64.url",
        "libc6-i386_2.11.1-0ubuntu7.12_amd64.symbols",
        "libc6-i386_2.11.1-0ubuntu7.11_amd64.info",
        "libc6-i386_2.11.1-0ubuntu7.11_amd64.symbols",
        "libc6-i386_2.10.1-0ubuntu19_amd64.url",
        "libc6-i386_2.10.1-0ubuntu19_amd64.info",
        "libc6-i386_2.10.1-0ubuntu19_amd64.symbols",
        "libc6-i386_2.10.1-0ubuntu15_amd64.info",
        "libc6-i386_2.10.1-0ubuntu15_amd64.symbols",
        "libc6-i386_2.11.1-0ubuntu7.12_amd64.info",
        "libc6-i386_2.9-4ubuntu6_amd64.url",
        "libc6-i386_2.9-4ubuntu6_amd64.info",
        "libc6-i386_2.9-4ubuntu6_amd64.symbols",
        "libc6-i386_2.10.1-0ubuntu15_amd64.url",
        "libc6-i386_2.9-4ubuntu6.3_amd64.info",
        "libc6-i386_2.8~20080505-0ubuntu9_amd64.url",
        "libc6-i386_2.9-4ubuntu6.3_amd64.symbols",
        "libc6-i386_2.9-4ubuntu6.3_amd64.url",
        "libc6-i386_2.8~20080505-0ubuntu9_amd64.info",
        "libc6-i386_2.8~20080505-0ubuntu7_amd64.url",
        "libc6-i386_2.7-10ubuntu8.3_amd64.url",
        "libc6-i386_2.8~20080505-0ubuntu7_amd64.info",
        "libc6-i386_2.7-10ubuntu8.3_amd64.info",
        "libc6-i386_2.7-10ubuntu3_amd64.url",
        "libc6-i386_2.8~20080505-0ubuntu7_amd64.symbols",
        "libc6-i386_2.7-10ubuntu3_amd64.symbols",
        "libc6-i386_2.7-10ubuntu3_amd64.info",
        "libc6-i386_2.6.1-1ubuntu10_amd64.url",
        "libc6-i386_2.6.1-1ubuntu10_amd64.symbols",
        "libc6-i386_2.6.1-1ubuntu10_amd64.info",
        "libc6-i386_2.7-10ubuntu8.3_amd64.symbols",
        "libc6-i386_2.6.1-1ubuntu9_amd64.url",
        "libc6-i386_2.6.1-1ubuntu9_amd64.info",
        "libc6-i386_2.6.1-1ubuntu9_amd64.symbols",
        "libc6-i386_2.5-0ubuntu14_amd64.symbols",
        "libc6-i386_2.5-0ubuntu14_amd64.info",
        "libc6-i386_2.4-1ubuntu12_amd64.url",
        "libc6-i386_2.4-1ubuntu12_amd64.symbols",
        "libc6-i386_2.4-1ubuntu12_amd64.info",
        "libc6-i386_2.8~20080505-0ubuntu9_amd64.symbols",
        "libc6-i386_2.4-1ubuntu12.3_amd64.url",
        "libc6-i386_2.4-1ubuntu12.3_amd64.info",
        "libc6-i386_2.5-0ubuntu14_amd64.url",
        "libc6-i386_2.3.6-0ubuntu20_amd64.url",
        "libc6-i386_2.3.6-0ubuntu20_amd64.symbols",
        "libc6-i386_2.3.6-0ubuntu20_amd64.info",
        "libc6-i386_2.3.6-0ubuntu20.6_amd64.url",
        "libc6-i386_2.3.6-0ubuntu20.6_amd64.info",
        "libc6-i386_2.3.6-0ubuntu20.6_amd64.symbols",
        "ldd",
        "libc6-i386_2.4-1ubuntu12.3_amd64.symbols",
        "ld.so (2).conf",
        "ld.so.conf",
        "join.py",
        "itl-logo (3).txt",
        "itl-logo (2).txt",
        "issue",
        "issue (2)",
        "io.py",
        "installpkg",
        "INSNFS (2)",
        "installpkg (2)",
        "INSNFS",
        "INShd",
        "INShd (2)",
        "INSfd (2)",
        "INSfd",
        "INSdir (2)",
        "INSdir",
        "INSCD",
        "INSCD (2)",
        "inittab (2)",
        "inittab",
        "init.py",
        "__init__ (2).py",
        "__init__.py",
        "index (2).py",
        "index.py",
        "import_duplicity.py",
        "hosts (2)",
        "hosts",
        "host (2).conf",
        "host.conf",
        "HOSTNAME",
        "hlinkdb.py",
        "help.py",
        "helpers.py",
        "HOSTNAME (2)",
        "hashsplit.py",
        "group (2)",
        "group",
        "gc (2).py",
        "git.py",
        "get.py",
        "gc.py",
        "fuse.py",
        "func.py",
        "fstab (2)",
        "fstab",
        "ftp.py",
        "fsck (2).ext2",
        "fsck (2).ext3",
        "fsck.ext3",
        "fsck.ext2",
        "fsck.py",
        "filesize",
        "features.py",
        "fdisk (2)",
        "fdisk",
        "FDhelp (2)",
        "FDhelp",
        "empty (3)",
        "empty (2)",
        "drecurse.py",
        "dialogrc",
        "dialogrc (2)",
        "disk2 (2)",
        "drecurse (2).py",
        "disk2",
        "damage.py",
        "daemon.py",
        "compat.py",
        "closemachine.rc",
        "checkout_info.py",
        "cfdisk (2)",
        "client.py",
        "cfdisk",
        "cat_file.py",
        "bup-import-rsnapshot",
        "bup-import-rdiff-backup",
        "brc (2)",
        "brc",
        "bloom (2).py",
        "bloom.py",
        "asyncrecv.rc",
        "90-nm-cloud-setup.sh",
        "vfs.py",
        "tree.py",
        "template-WaR2X6",
        "a1676298638",
        "a4033901479",
        ".X1-lock",
        ".X0-lock",
        ".X1024-lock",
        "b3336837578",
        "MozillaUpdateLock-7A4D7A8EFFB43502",
        "imurmurhash.min.js",
        ".X1025-lock",
        "murmur2",
        "b529967783",
        "empty.lock~",
        "ab.1",
        "https://hybrid-analysis.com/sample/babc94597eadb83b520d6a46a57ef2ad963683aef1ff2fc6fa9ba5e98e78e008/65fcd2b1519a5f86d60eed63",
        "https://hybrid-analysis.com/file-collection/6604df33503d4a306e01c776",
        "https://hybrid-analysis.com/sample/babc94597eadb83b520d6a46a57ef2ad963683aef1ff2fc6fa9ba5e98e78e008/6604e16b6b94878cbb062194",
        "https://hybrid-analysis.com/file-collection/6604df4bb797f028b4065601",
        "https://hybrid-analysis.com/sample/2eaba531c48445e241c116f61653649e403d4b1ef07bfc96390e986e1eeb5b83/6604e230edf88ab15b0d83fc",
        "https://hybrid-analysis.com/file-collection/66057525d9b81759df06c4b5",
        "https://hybrid-analysis.com/sample/d714e2a850645f9a0f8f3785dd0eedd47a417417bed470b968e0f6a1a2e746e6/652cf1f4243d9d03b90f74a1",
        "https://www.virustotal.com/gui/file/ea8490563a229b89f2b779217938f9eb2bcf93dd89de9f7fc5c035632f0934b5/relations"
      ],
      "public": 1,
      "adversary": "",
      "targeted_countries": [],
      "malware_families": [],
      "attack_ids": [
        {
          "id": "T1012",
          "name": "Query Registry",
          "display_name": "T1012 - Query Registry"
        },
        {
          "id": "T1027",
          "name": "Obfuscated Files or Information",
          "display_name": "T1027 - Obfuscated Files or Information"
        },
        {
          "id": "T1057",
          "name": "Process Discovery",
          "display_name": "T1057 - Process Discovery"
        },
        {
          "id": "T1071",
          "name": "Application Layer Protocol",
          "display_name": "T1071 - Application Layer Protocol"
        },
        {
          "id": "T1082",
          "name": "System Information Discovery",
          "display_name": "T1082 - System Information Discovery"
        },
        {
          "id": "T1083",
          "name": "File and Directory Discovery",
          "display_name": "T1083 - File and Directory Discovery"
        },
        {
          "id": "T1106",
          "name": "Native API",
          "display_name": "T1106 - Native API"
        },
        {
          "id": "T1129",
          "name": "Shared Modules",
          "display_name": "T1129 - Shared Modules"
        },
        {
          "id": "T1489",
          "name": "Service Stop",
          "display_name": "T1489 - Service Stop"
        },
        {
          "id": "T1573",
          "name": "Encrypted Channel",
          "display_name": "T1573 - Encrypted Channel"
        },
        {
          "id": "T1614",
          "name": "System Location Discovery",
          "display_name": "T1614 - System Location Discovery"
        },
        {
          "id": "T1030",
          "name": "Data Transfer Size Limits",
          "display_name": "T1030 - Data Transfer Size Limits"
        },
        {
          "id": "T1003",
          "name": "OS Credential Dumping",
          "display_name": "T1003 - OS Credential Dumping"
        },
        {
          "id": "T1018",
          "name": "Remote System Discovery",
          "display_name": "T1018 - Remote System Discovery"
        }
      ],
      "industries": [],
      "TLP": "white",
      "cloned_from": null,
      "export_count": 36,
      "upvotes_count": 0,
      "downvotes_count": 0,
      "votes_count": 0,
      "locked": false,
      "pulse_source": "web",
      "validator_count": 0,
      "comment_count": 0,
      "follower_count": 0,
      "vote": 0,
      "author": {
        "username": "Merkd1904",
        "id": "196517",
        "avatar_url": "https://otx.alienvault.com/assets/images/default-avatar.png",
        "is_subscribed": false,
        "is_following": false
      },
      "indicator_type_counts": {
        "domain": 297,
        "email": 8,
        "hostname": 204,
        "URL": 382,
        "FileHash-SHA1": 7,
        "CVE": 2,
        "FileHash-MD5": 45,
        "FileHash-SHA256": 5
      },
      "indicator_count": 950,
      "is_author": false,
      "is_subscribing": null,
      "subscriber_count": 72,
      "modified_text": "765 days ago ",
      "is_modified": true,
      "groups": [],
      "in_group": false,
      "threat_hunter_scannable": true,
      "threat_hunter_has_agents": 1,
      "related_indicator_type": "domain",
      "related_indicator_is_active": 1
    },
    {
      "id": "661db37bf549518bf6f7f377",
      "name": "Backup from 03-28-24 - Systemd dump, malicious ssh and sshd files, libsystemd-vore libsystemd-shared plus supporting php files",
      "description": "Ignoring the yara and eicar files - I was able to recover a partition use for backups from 03/25/24-03/29/24; the day of the XZ supply chain disclosure. This is a preliminary dump with accompanying analysis and sha1, and 256's of my /usr/lib/systemd directory which housed multiple suspect ssh sub directories plus malicous libsystemd-shared and libsystemd-core binaries, and all supporting config, dev, service, and binaries. Dig in.",
      "modified": "2024-04-23T14:28:30.317000",
      "created": "2024-04-15T23:08:43.746000",
      "tags": [
        "fireeye",
        "copyright",
        "base64",
        "dotnettojscript",
        "gadgettojscript",
        "invokeclient",
        "invokeserver",
        "readhost enter",
        "command",
        "roth",
        "nextron",
        "sandworm",
        "detects ssh",
        "grant all",
        "privileges on",
        "to mysqldb",
        "create user",
        "g root",
        "sandworm python",
        "import",
        "phpsploit",
        "host",
        "user",
        "pass",
        "error",
        "establish",
        "pecl oci8",
        "connstr",
        "charset",
        "false",
        "miner",
        "texthtml",
        "module",
        "send custom",
        "swissky",
        "class",
        "serviceip",
        "serviceport",
        "servicedata",
        "e binsh",
        "init",
        "service port",
        "detects",
        "cve202140444",
        "target",
        "targetmode",
        "jeremy brown",
        "windows cve",
        "ms office",
        "modified rule",
        "rperm",
        "wperm",
        "pathsep",
        "string",
        "rwxrxrx",
        "file types",
        "unix",
        "login",
        "autentication",
        "disable",
        "ldapconnect",
        "version",
        "authentication",
        "ldaplist",
        "null",
        "pathelems",
        "execute",
        "backdoor",
        "kingdee oa",
        "yunxingkong",
        "b6oa",
        "code execution",
        "kingdee cloud",
        "starry sky",
        "otherwise",
        "file",
        "setsmartdate",
        "fread",
        "name",
        "force",
        "base64decode",
        "data",
        "substr",
        "array",
        "readdir",
        "getowner",
        "getgroup",
        "getsize",
        "force option",
        "fwrite",
        "permission",
        "check",
        "mode",
        "diraccess",
        "fileaccess",
        "realpath",
        "stat",
        "immutable",
        "posixgetpwuid",
        "posixgetgrgid",
        "explode",
        "etcpasswd",
        "glob",
        "globonlydir",
        "oraclelogin",
        "port",
        "servicename",
        "connector",
        "base",
        "query type",
        "mssqlfetcharray",
        "mssqlassoc",
        "solsocket",
        "timeout",
        "range",
        "portmin",
        "portmax",
        "socketcreate",
        "afinet",
        "sockstream",
        "open",
        "type",
        "true",
        "tcp connection",
        "tcp shell",
        "input",
        "lhost",
        "netcat",
        "lport",
        "shell",
        "dllimport",
        "python",
        "back",
        "fore",
        "pfinet",
        "stdout",
        "this",
        "win32",
        "ldapsearch",
        "select",
        "mysqliassoc",
        "select database",
        "send",
        "newfile",
        "dns stub",
        "third party",
        "see man",
        "exit",
        "o pipefail",
        "v systemctl",
        "devnull",
        "unknown verb",
        "license",
        "gnu lesser",
        "general public",
        "free software",
        "foundation",
        "unit",
        "slice",
        "cpuweight100",
        "tasks slice",
        "cpuweight30",
        "capev2",
        "cape",
        "cuckoo web",
        "setup",
        "grep",
        "limitnofile",
        "install",
        "return",
        "execstart",
        "start",
        "descriptionrun",
        "timer",
        "oncalendardaily",
        "service",
        "prevent rate",
        "delay start",
        "m poetry",
        "sigkill",
        "descriptioncape",
        "ef usercape",
        "g cape",
        "allowisolateyes",
        "typedbus",
        "socket",
        "message bus",
        "listenstream",
        "typenotify",
        "descriptionuser",
        "harald sitter",
        "sitter",
        "kcrash",
        "drkonqi",
        "acceptyes",
        "disable trigger",
        "todo",
        "prevents",
        "path",
        "pathexistsglob",
        "runtimemaxsec31",
        "runtimemaxsec30",
        "restartno",
        "descriptionexit",
        "environmentfile",
        "otheropts",
        "soundfont",
        "descriptiongcr",
        "sshauthsock",
        "descriptionglib",
        "priority6",
        "killmodeprocess",
        "proxy",
        "socketmode0600",
        "apache software",
        "notice file",
        "apache license",
        "unless",
        "as is",
        "basis",
        "or conditions",
        "apple file",
        "conduit monitor",
        "descriptionjack",
        "jackoptions d",
        "driver d",
        "device",
        "media transfer",
        "indexer daemon",
        "memory",
        "memoryhigh512m",
        "system sockets",
        "a user",
        "conditionuser",
        "dbus menus",
        "plasma",
        "phase",
        "workspace core",
        "exit status",
        "x11 connection",
        "timeoutstopsec5",
        "disable restart",
        "timeoutsec40sec",
        "typeoneshot",
        "david edmundson",
        "davidedmundson",
        "osd service",
        "portal",
        "auto restart",
        "dbus",
        "xembed system",
        "logging system",
        "socketmode0660",
        "all containers",
        "restart policy",
        "logging start",
        "execstopbinsh c",
        "logging",
        "x11 plugins",
        "session slice",
        "typeforking",
        "etc userroot",
        "grouproot",
        "onbootsec15min",
        "place",
        "temporary",
        "volatile files",
        "thunar",
        "session manager",
        "wireplumber",
        "service file",
        "xdg autostart",
        "user dir",
        "descriptionxfce",
        "sandbox",
        "malware",
        "analysis",
        "online",
        "submit",
        "vxstream",
        "sample",
        "download",
        "trojan",
        "apt",
        "memoryfile scan",
        "ansi",
        "bpf program",
        "indicator",
        "bpf firewalling",
        "pcap",
        "pcap processing",
        "bpffallowmulti",
        "bpf device",
        "date",
        "suspicious",
        "hybrid",
        "crypto",
        "close",
        "click",
        "april",
        "strings",
        "february",
        "middle",
        "exploit",
        "gameover",
        "contact",
        "scope",
        "thomas koch",
        "gpl v2",
        "imsm",
        "ibftruledir",
        "ibftrules",
        "attr",
        "systemd rule",
        "hannes reinecke",
        "suse labs",
        "ipibft",
        "interface",
        "kernel",
        "configfile",
        "typesimple",
        "apparmor",
        "grouparchaudit",
        "hardening",
        "umask077",
        "persistenttrue",
        "enable debug",
        "networkmanager",
        "trace",
        "wait online",
        "edit",
        "note",
        "reload",
        "capdacoverride",
        "dhcp etc",
        "mdadmscan",
        "mdadmdelay",
        "mdadmmail",
        "mdadmprogram",
        "mdadmconfig",
        "mdadmsendmail",
        "p runsysconfig",
        "userroot",
        "sssd",
        "write access",
        "needed sometime",
        "statedirectory",
        "accountsservice",
        "varloglastlog",
        "bridge daemon",
        "alsa card",
        "card state",
        "required",
        "another auto",
        "nice daemon",
        "memorymax64m",
        "filter system",
        "mount",
        "reboot",
        "clock",
        "logging service",
        "requires",
        "before",
        "please",
        "exit codes",
        "proc",
        "descriptionruns",
        "execstartsh c",
        "switchtoggle",
        "ignoreonisolate",
        "term typeidle",
        "without",
        "any warranty",
        "merchantability",
        "fitness",
        "a particular",
        "vartmp",
        "wants type",
        "preparation",
        "watchdogsec10",
        "filesystem",
        "timer daemon",
        "options",
        "environment",
        "prevent",
        "readwritepaths",
        "security",
        "certain",
        "protectsystem",
        "bindpaths",
        "lower cpu",
        "nice19",
        "manager",
        "userc",
        "celerydnodes",
        "info",
        "chaddevops",
        "aaron brighton",
        "clam antivirus",
        "jon kriel",
        "distribution",
        "script",
        "sanesecurity",
        "securiteinfo",
        "malwarepatrol",
        "oitc",
        "file location",
        "remember",
        "typeexec user",
        "9 cntlm",
        "generate color",
        "profiles",
        "removeipctrue",
        "devpts",
        "authors",
        "any kind",
        "usercouchdb",
        "restartsec5",
        "volumes",
        "server socket",
        "user209",
        "daemon",
        "darkstatiface",
        "reloadconfig",
        "watchdogsec3min",
        "privatetmpyes",
        "protectproc",
        "increase",
        "descriptiontime",
        "date service",
        "debugging only",
        "ignoresigpipeno",
        "unset locale",
        "file system",
        "queue file",
        "whatmqueue",
        "optionsnosuid",
        "pf rundhclient",
        "rate",
        "requiresdirmngr",
        "capfowner",
        "capsetpcap",
        "dhcp",
        "dns server",
        "startlimit",
        "limits",
        "delegateyes",
        "descriptionpass",
        "runtimemaxsec5",
        "mountain",
        "metadata check",
        "all filesystems",
        "online metadata",
        "sunday",
        "oncalendarsun",
        "online ext4",
        "sigterm signal",
        "java process",
        "piddir",
        "standardoutput",
        "elasticsearch",
        "limitnproc4096",
        "limitasinfinity",
        "sendsighupyes",
        "mapper daemon",
        "mainpid",
        "quit",
        "listenstream79",
        "radius server",
        "d etcraddb",
        "protecthomeon",
        "default",
        "systemservice",
        "efiefi bootefi",
        "afinet afinet6",
        "afunix afinet",
        "oncalendar 0000",
        "privatetmptrue",
        "geoip legacy",
        "geoip2",
        "instance",
        "usergit",
        "scdconfig",
        "notice",
        "devinputmice t",
        "descriptiongps",
        "system",
        "sock refclock",
        "gpsdoptions",
        "devices",
        "daemon sockets",
        "2947",
        "bindipv6onlyyes",
        "usbauto",
        "usrbingpsdctl",
        "gps daemon",
        "afterdev",
        "gvmddata",
        "varlibgssproxy",
        "nonewprivileges",
        "privatetmp",
        "protecthome",
        "ieee",
        "etchostapd",
        "killmodemixed",
        "fcopy",
        "uncomment",
        "use sigterm",
        "sigkill i2pd",
        "sendsigkillyes",
        "limitnofile8192",
        "systemd",
        "analog",
        "shutting down",
        "iodineextip p",
        "iodineport p",
        "iodineuser",
        "tunip",
        "topdomain",
        "guessmainpidyes",
        "m node",
        "wants",
        "initiatorname",
        "io driver",
        "typeexec",
        "c etckcptun",
        "usernobody",
        "requireskeyboxd",
        "static device",
        "nofork",
        "restartalways",
        "linker cache",
        "hack",
        "use wants",
        "raise",
        "tasksmax",
        "tasksmax32768",
        "limitmemlock64m",
        "removeonstopyes",
        "ip socket",
        "tls ip",
        "conflictsgetty",
        "aftergetty",
        "busmodules",
        "qabr",
        "hwmonmodules",
        "local file",
        "privatenetwork",
        "lvm2",
        "initialization",
        "autoboot code",
        "s delegatetrue",
        "description",
        "pidfilerunlxc",
        "lynis service",
        "adjust path",
        "lynis binary",
        "lynis timer",
        "tell systemd",
        "lynis security",
        "persistentfalse",
        "container slice",
        "recover",
        "varcacheman",
        "regenerate man",
        "userroot nice19",
        "mysqldopts",
        "mysqldsafe",
        "timezone",
        "core",
        "restart",
        "users",
        "backlog150",
        "listenstreams",
        "servicemariadb",
        "mechanism",
        "mariadb",
        "multi instance",
        "variables",
        "bindirmdadm",
        "gnu general",
        "public license",
        "reshape",
        "onactivesec30",
        "oncalendar",
        "wantedby",
        "monitor",
        "allow mdmon",
        "takeover",
        "k none",
        "c devnull",
        "d runinitramfs",
        "p runmongodb",
        "limitnproc32000",
        "limitmemlock5",
        "device server",
        "requiredbydev",
        "d dev",
        "descriptionreal",
        "extraopts",
        "restartsec30",
        "valid",
        "fifo",
        "priority",
        "batch",
        "nice0",
        "partof",
        "tracking daemon",
        "helper",
        "for testing",
        "only",
        "restrict",
        "grant",
        "capsysptrace",
        "capkill",
        "capipclock",
        "environ",
        "capsysresource",
        "capsyslog",
        "descriptionname",
        "service cache",
        "sysvlsb",
        "descriptionhost",
        "network name",
        "group name",
        "u ntp",
        "time service",
        "t hibernate",
        "software",
        "other",
        "the software",
        "daemon init",
        "software is",
        "provided",
        "fcnvme",
        "wantsmodprobe",
        "aftermodprobe",
        "descriptionall",
        "nbft",
        "nvmeof",
        "connectargs",
        "unit file",
        "descriptionnvmf",
        "red hat",
        "without any",
        "warranty",
        "card daemon",
        "socketmode0666",
        "suite result",
        "kexec screen",
        "oncalendarsat",
        "boot screen",
        "timeoutsec20",
        "power off",
        "runtime data",
        "descriptionhold",
        "timeoutsec0",
        "sandboxing",
        "execstop",
        "colin walters",
        "upgrade",
        "upgrade output",
        "umask0077",
        "transport agent",
        "descriptionmake",
        "descriptionppp",
        "whatnfsd",
        "file formats",
        "automount point",
        "automount",
        "setuid nobody",
        "setgid nobody",
        "setcon",
        "syslog",
        "restartonabort",
        "halt screen",
        "reboot screen",
        "pgroot",
        "postgresql",
        "oom killer",
        "additional",
        "fy nice19",
        "endless os",
        "foundation llc",
        "restartsec0",
        "system quotas",
        "rabbitmq",
        "protecthometrue",
        "etcrathole",
        "guessmainpidno",
        "h etcrdnssd",
        "reflector",
        "afinet6 afunix",
        "umask177",
        "remote file",
        "nfs client",
        "nfsv23 locking",
        "make sure",
        "rpc netconfig",
        "descriptionfast",
        "using ssh",
        "so let",
        "boot",
        "realtimekit",
        "rwhodopts",
        "display manager",
        "specify",
        "interval l",
        "loginterval f",
        "bindstodev",
        "always",
        "usrbingrpck r",
        "slapdoptions",
        "u ldap",
        "slapdurls",
        "smart",
        "pciusb",
        "midi",
        "daemonopts",
        "snmp",
        "trap daemon",
        "g snort",
        "descriptionsudo",
        "hibernate",
        "svnserveargs",
        "whatfusectl",
        "whatconfigfs",
        "whatdebugfs",
        "whattracefs",
        "best way",
        "see https",
        "units service",
        "service slice",
        "offline system",
        "update",
        "wall directory",
        "timeoutsec90s",
        "descriptionmark",
        "current boot",
        "loader entry",
        "any system",
        "units",
        "loader random",
        "loader update",
        "service socket",
        "dump socket",
        "optionally",
        "root device",
        "afalg afinet",
        "execstophomectl",
        "home area",
        "named pipe",
        "sink service",
        "sink socket",
        "upload service",
        "dynamicuseryes",
        "sigkilled",
        "devlog",
        "timestampingus",
        "namespace",
        "sendbuffer8m",
        "kernel command",
        "netlink socket",
        "storage",
        "descriptionwait",
        "network",
        "make",
        "deviceallow",
        "reserve",
        "killer socket",
        "root file",
        "measurement",
        "pcr policy",
        "tpm pcr",
        "code",
        "configuration",
        "machine id",
        "barrier",
        "quota check",
        "system quota",
        "after",
        "random seed",
        "kernel file",
        "gpt partition",
        "kill switch",
        "nvmetcp",
        "trigger",
        "saturday",
        "persistentyes",
        "system update",
        "kernel time",
        "capsystime",
        "ntp service",
        "turn",
        "files",
        "device nodes",
        "srk setup",
        "device events",
        "bootshutdown",
        "change",
        "manager socket",
        "descriptiontinc",
        "proxy server",
        "linrunner",
        "descriptiontlp",
        "tor service",
        "f etctortorrc",
        "tpm device",
        "descriptionudp",
        "tcpicmpudp",
        "etcudp2raw",
        "debug",
        "swap",
        "api file",
        "privatedevices",
        "home",
        "root",
        "runuser",
        "linux control",
        "groups",
        "group",
        "afnetlink",
        "locked memory",
        "limitmemlock0",
        "usb gadget",
        "apple",
        "sliceuser",
        "descriptionuuid",
        "compatibility",
        "typerpcpipefs",
        "vmsvga",
        "hypervisor",
        "usr1",
        "mgmt appuser",
        "dac permission",
        "selinux",
        "xxx someone",
        "qemu",
        "machine tools",
        "vmware tools",
        "pidfilerunvpnc",
        "wacom",
        "iface d",
        "dspeed u",
        "iface",
        "descriptionwpa",
        "oracle",
        "reserved",
        "wong",
        "emailaddr",
        "tunnel protocol",
        "l2tp",
        "isps",
        "russia use",
        "ipsec",
        "d optxplico",
        "b sqlite",
        "descriptionxrdp",
        "xrdpoptions",
        "process",
        "sesmanoptions",
        "zpoolimportopts",
        "an o",
        "t scrub",
        "usrbinzpool",
        "zfs volume",
        "descriptionzfs",
        "f restartalways",
        "remainafterexit",
        "nmbdoptions",
        "smbdoptions",
        "successaction",
        "winbindoptions",
        "ck id",
        "hybrid analysis",
        "mitre att",
        "malicious",
        "sdshared ansi",
        "default und",
        "func global",
        "func local",
        "object local",
        "general",
        "show technique",
        "ck matrix",
        "tasksmax33",
        "empty file",
        "proxycommand",
        "checkhostip",
        "afunix",
        "afvsock",
        "allow",
        "r table",
        "chkbootcheck",
        "gplv2 source",
        "chkbootstyles",
        "etcissue",
        "partition",
        "minimizebest",
        "mit no",
        "match",
        "link",
        "namepolicykeep",
        "ethernet link",
        "kindveth nameve",
        "kindveth namevb",
        "keepmasteryes",
        "dhcpv4",
        "kindsit name6rd",
        "ipv4ll",
        "ipv6ll",
        "dhcpipv6ra",
        "dhcpv6",
        "typeether",
        "dhcpyes",
        "usetimezoneyes",
        "typewlan",
        "tuntap",
        "natdhcp",
        "kindtun namevt",
        "kind",
        "originalname",
        "definedby",
        "peer",
        "sopeergroups",
        "dbus protocol",
        "dbus name",
        "exec",
        "hup signal",
        "sighup",
        "dnssec",
        "sessionid",
        "seatid",
        "sleep",
        "leader",
        "jobresult",
        "coredumppid",
        "coredumpcomm",
        "junit",
        "na zapusk",
        "mikrasiekund",
        "enhed",
        "mikrosekunder",
        "opstart",
        "jobid",
        "a rendszer",
        "ezredmsodpercet",
        "a rendszernapl",
        "user manager",
        "smack",
        "lunit",
        "stato",
        "il processo",
        "il sistema",
        "stata",
        "le processus",
        "notez que",
        "jedinica",
        "zapamtite da",
        "nova",
        "jednostka",
        "prosz zauway",
        "zwykle wskazuje",
        "jest",
        "o processo",
        "processo",
        "isso",
        "inicializao",
        "journal",
        "sizelimit",
        "userid",
        "prozess",
        "speicherabbild",
        "hinweis auf",
        "programmfehler",
        "fehler dem",
        "die systemzeit",
        "realtime"
      ],
      "references": [
        "Hunting_B64Engine_DotNetToJScript_Dos.yar",
        "APT_Backdoor_PS1_BASICPIPESHELL_1.yar",
        "apt_sandworm_exim_expl.yar.002",
        "apt_sandworm_exim_expl.yar.001",
        "apt_sandworm_exim_expl.yar",
        "connect.php",
        "connect.php.002",
        "connect.php.001",
        "crypto-miner.js",
        "eicar",
        "eicar.001",
        "eicar.002",
        "custom.py",
        "eicar.txt",
        "expl_cve_2021_40444.yar.001",
        "expl_cve_2021_40444.yar.002",
        "getPerms.php",
        "input.pcap",
        "list.php",
        "parent.php",
        "payload.php",
        "payload.php.001",
        "kingdee-erp-rce.yaml",
        "payload.php.003",
        "payload.php.002",
        "payload.php.004",
        "payload.php.005",
        "payload.php.006",
        "payload.php.007",
        "payload.php.008",
        "payload.php.010",
        "payload.php.011",
        "payload.php.009",
        "payload.php.012",
        "payload.php.013",
        "payload.php.015",
        "payload.php.016",
        "payload.php.017",
        "reverse_tcp.py",
        "scanner.php",
        "search.php",
        "setdb.php",
        "payload.php.014",
        "setdb.php.001",
        "reader.php",
        "single.php",
        "resolv.conf",
        "systemd-update-helper",
        "90-systemd.preset",
        "60-flatpak",
        "app.slice",
        "background.slice",
        "README.md",
        "bluetooth.target",
        "basic.target",
        "borgmatic-user.timer",
        "borgmatic-user.service",
        "cape.service",
        "cape-dist.service",
        "cape-processor.service",
        "cape-rooter.service",
        "capsule@.target",
        "cape-web.service",
        "clash.service",
        "colord-session.service",
        "dbus.socket",
        "cape-fstab.service",
        "dbus.service",
        "dbus-broker.service",
        "dconf.service",
        "dirmngr.service",
        "default.target",
        "drkonqi-coredump-cleanup.service",
        "dirmngr.socket",
        "drkonqi-coredump-cleanup.timer",
        "drkonqi-coredump-launcher.socket",
        "drkonqi-sentry-postman.path",
        "drkonqi-coredump-pickup.service",
        "drkonqi-sentry-postman.service",
        "drkonqi-sentry-postman.timer",
        "drkonqi-coredump-launcher@.service",
        "dunst.service",
        "flatpak-oci-authenticator.service",
        "filter-chain.service",
        "exit.target",
        "flatpak-session-helper.service",
        "fluidsynth.service",
        "gcr-ssh-agent.socket",
        "flatpak-portal.service",
        "gcr-ssh-agent.service",
        "gnome-keyring-daemon.service",
        "glib-pacrunner.service",
        "gnome-keyring-daemon.socket",
        "gpg-agent-ssh.socket",
        "gnome-terminal-server.service",
        "gpg-agent-extra.socket",
        "gpg-agent.service",
        "gpg-agent.socket",
        "gpg-agent-browser.socket",
        "graphical-session-pre.target",
        "graphical-session.target",
        "gssuserproxy.socket",
        "guacd.service",
        "gvfs-gphoto2-volume-monitor.service",
        "gvfs-daemon.service",
        "gssuserproxy.service",
        "gvfs-afc-volume-monitor.service",
        "gvfs-metadata.service",
        "jack@.service",
        "guac-web.service",
        "gvfs-udisks2-volume-monitor.service",
        "gvfs-mtp-volume-monitor.service",
        "kde-baloo.service",
        "keyboxd.service",
        "kio-fuse.service",
        "keyboxd.socket",
        "p11-kit-server.service",
        "p11-kit-server.socket",
        "paths.target",
        "pipewire.socket",
        "pipewire-pulse.service",
        "plasma-gmenudbusmenuproxy.service",
        "pipewire-pulse.socket",
        "plasma-baloorunner.service",
        "plasma-kcminit.service",
        "plasma-dolphin.service",
        "plasma-kcminit-phase1.service",
        "plasma-core.target",
        "plasma-kded.service",
        "pipewire.service",
        "plasma-kded6.service",
        "plasma-kglobalaccel.service",
        "at-spi-dbus-bus.service",
        "plasma-krunner.service",
        "plasma-kscreen.service",
        "plasma-kscreen-osd.service",
        "plasma-ksmserver.service",
        "plasma-ksplash.service",
        "plasma-ksplash-ready.service",
        "plasma-ksystemstats.service",
        "plasma-kwallet-pam.service",
        "plasma-kwin_wayland.service",
        "plasma-kwin_x11.service",
        "plasma-plasmashell.service",
        "plasma-polkit-agent.service",
        "plasma-powerdevil.service",
        "plasma-powerprofile-osd.service",
        "plasma-restoresession.service",
        "plasma-workspace.target",
        "plasma-workspace-wayland.target",
        "plasma-workspace-x11.target",
        "plasma-xdg-desktop-portal-kde.service",
        "plasma-xembedsniproxy.service",
        "podman.service",
        "podman.socket",
        "podman-auto-update.service",
        "podman-auto-update.timer",
        "podman-kube@.service",
        "podman-restart.service",
        "printer.target",
        "pulseaudio.service",
        "pulseaudio.socket",
        "pulseaudio-x11.service",
        "session.slice",
        "shutdown.target",
        "smartcard.target",
        "sockets.target",
        "sound.target",
        "ssh-agent.service",
        "suricata.service",
        "suricata-update.service",
        "suricata-update.timer",
        "systemd-exit.service",
        "systemd-tmpfiles-clean.service",
        "systemd-tmpfiles-clean.timer",
        "systemd-tmpfiles-setup.service",
        "thunar.service",
        "timers.target",
        "tracker-xdg-portal-3.service",
        "tumblerd.service",
        "wireplumber.service",
        "wireplumber@.service",
        "xdg-desktop-autostart.target",
        "xdg-desktop-portal.service",
        "xdg-desktop-portal-gtk.service",
        "xdg-desktop-portal-hyprland.service",
        "xdg-desktop-portal-rewrite-launchers.service",
        "xdg-desktop-portal-xapp.service",
        "xdg-permission-store.service",
        "xdg-user-dirs-update.service",
        "xfce4-notifyd.service",
        "xsettingsd.service",
        "xdg-document-portal.service",
        "https://hybrid-analysis.com/sample/b1a9e5be43c028442c07071e202f44f33e3a2df167822c5cfed8f998e01fe169/661da09794b343782806018e",
        "defaults.conf",
        "apparmor.conf",
        "nvidia",
        "tlp",
        "fwupd.shutdown",
        "mdadm.shutdown",
        "99-default.preset",
        "50-zfs.preset",
        "ibft-rule-generator",
        "10-arch",
        "60-flatpak-system-only",
        "3proxy.service",
        "apache-tika.service",
        "apparmor.service",
        "arch-audit.service",
        "arch-audit.timer",
        "NetworkManager-dispatcher.service",
        "NetworkManager-wait-online.service",
        "NetworkManager.service",
        "SUSE-mdadm_env.sh",
        "ModemManager.service",
        "3proxy.conf",
        "archlinux-keyring-wkd-sync.service",
        "adsl.service",
        "accounts-daemon.service",
        "adb.service",
        "alsa-restore.service",
        "alsa-state.service",
        "archlinux-keyring-wkd-sync.timer",
        "ananicy-cpp.service",
        "arcolinux-graphical-target.service",
        "atftpd.service",
        "audit-rules.service",
        "auditd.service",
        "auth-rpcgss-module.service",
        "autorandr.service",
        "autorandr-lid-listener.service",
        "autovt@.service",
        "avahi-daemon.service",
        "avahi-daemon.socket",
        "avahi-dnsconfd.service",
        "bettercap.service",
        "betterlockscreen@.service",
        "blk-availability.service",
        "blockdev@.target",
        "bluetooth.service",
        "bmc-watchdog.service",
        "bolt.service",
        "boot-complete.target",
        "borgmatic.service",
        "borgmatic.timer",
        "bpftune.service",
        "btrfs-scrub@.service",
        "btrfs-scrub@.timer",
        "canberra-system-bootup.service",
        "canberra-system-shutdown.service",
        "canberra-system-shutdown-reboot.service",
        "capsule.slice",
        "capsule@.service",
        "celery2@.service",
        "celery@.service",
        "chkboot.service",
        "clamav-clamonacc.service",
        "clamav-daemon.service",
        "clamav-daemon.socket",
        "clamav-freshclam.service",
        "clamav-freshclam-once.service",
        "clamav-freshclam-once.timer",
        "clamav-unofficial-sigs.service",
        "clamav-unofficial-sigs.timer",
        "clash@.service",
        "cntlm.service",
        "colord.service",
        "configure-printer@.service",
        "console-getty.service",
        "container-getty@.service",
        "containerd.service",
        "couchdb.service",
        "cpupower.service",
        "create_ap.service",
        "cronie.service",
        "cryptsetup.target",
        "cryptsetup-pre.target",
        "ctrl-alt-del.target",
        "cups.path",
        "cups.service",
        "cups.socket",
        "cups-lpd.socket",
        "cups-lpd@.service",
        "cxl-monitor.service",
        "darkstat.service",
        "daxdev-reconfigure@.service",
        "dbus-org.freedesktop.hostname1.service",
        "dbus-org.freedesktop.import1.service",
        "dbus-org.freedesktop.locale1.service",
        "dbus-org.freedesktop.login1.service",
        "dbus-org.freedesktop.machine1.service",
        "dbus-org.freedesktop.portable1.service",
        "dbus-org.freedesktop.timedate1.service",
        "debug-shell.service",
        "dev-hugepages.mount",
        "dev-mqueue.mount",
        "dhclient@.service",
        "dhcpd4.service",
        "dhcpd6.service",
        "dirmngr@.service",
        "dirmngr@.socket",
        "dm-event.service",
        "dm-event.socket",
        "dmraid.service",
        "dnscrypt-proxy.service",
        "dnsmasq.service",
        "docker.service",
        "docker.socket",
        "drkonqi-coredump-processor@.service",
        "e2scrub@.service",
        "e2scrub_all.service",
        "e2scrub_all.timer",
        "e2scrub_fail@.service",
        "e2scrub_reap.service",
        "ead.service",
        "elasticsearch.service",
        "elasticsearch-keystore.service",
        "elasticsearch-keystore@.service",
        "elasticsearch@.service",
        "emergency.service",
        "emergency.target",
        "epmd.service",
        "epmd.socket",
        "exabgp.service",
        "factory-reset.target",
        "fancontrol.service",
        "fastnetmon.service",
        "final.target",
        "finger.socket",
        "finger@.service",
        "first-boot-complete.target",
        "flatpak-system-helper.service",
        "freeradius.service",
        "fsidd.service",
        "fstrim.service",
        "fstrim.timer",
        "ftpd.service",
        "fwupd.service",
        "fwupd-offline-update.service",
        "fwupd-refresh.service",
        "fwupd-refresh.timer",
        "geoclue.service",
        "geoipupdate.service",
        "geoipupdate.timer",
        "getty.target",
        "getty-pre.target",
        "getty@.service",
        "git-daemon.socket",
        "git-daemon@.service",
        "gnupg-pkcs11-scd-proxy.service",
        "gpg-agent-browser@.socket",
        "gpg-agent-extra@.socket",
        "gpg-agent-ssh@.socket",
        "gpg-agent@.service",
        "gpg-agent@.socket",
        "gpm.path",
        "gpm.service",
        "gpsd.service",
        "gpsd.socket",
        "gpsdctl@.service",
        "graphical.target",
        "greenbone-certdata-sync.service",
        "greenbone-certdata-sync.timer",
        "greenbone-feed-sync.service",
        "greenbone-feed-sync.timer",
        "greenbone-nvt-sync.service",
        "greenbone-nvt-sync.timer",
        "greenbone-scapdata-sync.service",
        "greenbone-scapdata-sync.timer",
        "gssproxy.service",
        "gvmd.service",
        "halt.target",
        "healthd.service",
        "hibernate.target",
        "hostapd.service",
        "hostapd@.service",
        "httpd.service",
        "hv_fcopy_daemon.service",
        "hv_kvp_daemon.service",
        "hv_vss_daemon.service",
        "hybrid-sleep.target",
        "i2pd.service",
        "iiod.service",
        "initrd.target",
        "initrd-cleanup.service",
        "initrd-fs.target",
        "initrd-parse-etc.service",
        "initrd-root-device.target",
        "initrd-root-fs.target",
        "initrd-switch-root.service",
        "initrd-switch-root.target",
        "initrd-udevadm-cleanup-db.service",
        "initrd-usr-fs.target",
        "integritysetup.target",
        "integritysetup-pre.target",
        "iodined.service",
        "iodined.socket",
        "ip2clued.service",
        "ip6tables.service",
        "ipmidetectd.service",
        "ipmiseld.service",
        "iptables.service",
        "iscsi.service",
        "iscsi-init.service",
        "iscsid.service",
        "iscsid.socket",
        "iscsiuio.service",
        "iscsiuio.socket",
        "isnsd.service",
        "isnsd.socket",
        "iwd.service",
        "kcptun-server@.service",
        "kcptun@.service",
        "kexec.target",
        "keyboxd@.service",
        "keyboxd@.socket",
        "kmod-static-nodes.service",
        "krb5-kadmind.service",
        "krb5-kdc.service",
        "krb5-kpropd.service",
        "krb5-kpropd.socket",
        "krb5-kpropd@.service",
        "lastlog2-import.service",
        "ldconfig.service",
        "libvirt-guests.service",
        "libvirtd.service",
        "libvirtd.socket",
        "libvirtd-admin.socket",
        "libvirtd-ro.socket",
        "libvirtd-tcp.socket",
        "libvirtd-tls.socket",
        "lightdm.service",
        "lm_sensors.service",
        "local-fs.target",
        "local-fs-pre.target",
        "logrotate.service",
        "logrotate.timer",
        "lvm2-lvmpolld.service",
        "lvm2-lvmpolld.socket",
        "lvm2-monitor.service",
        "lxc.service",
        "lxc-auto.service",
        "lxc-monitord.service",
        "lxc-net.service",
        "lxc@.service",
        "lxdm.service",
        "ly.service",
        "lynis.service",
        "lynis.timer",
        "machine.slice",
        "machines.target",
        "man-db.service",
        "man-db.timer",
        "mariadb.service",
        "mariadb.socket",
        "mariadb-extra.socket",
        "mariadb-extra@.socket",
        "mariadb@.service",
        "mariadb@.socket",
        "mdadm-grow-continue@.service",
        "mdadm-last-resort@.service",
        "mdadm-last-resort@.timer",
        "mdcheck_continue.service",
        "mdcheck_continue.timer",
        "mdcheck_start.service",
        "mdcheck_start.timer",
        "mdmon@.service",
        "mdmonitor.service",
        "mdmonitor-oneshot.service",
        "mdmonitor-oneshot.timer",
        "memavaild.service",
        "mkinitcpio-generate-shutdown-ramfs.service",
        "modprobe@.service",
        "mongodb.service",
        "multi-user.target",
        "mysql.service",
        "mysqld.service",
        "named.service",
        "nbd.service",
        "nbd@.service",
        "ndctl-monitor.service",
        "neo4j.service",
        "netavark-dhcp-proxy.service",
        "netavark-dhcp-proxy.socket",
        "netdata.service",
        "network.target",
        "network-online.target",
        "network-pre.target",
        "nfs-blkmap.service",
        "nfs-client.target",
        "nfs-idmapd.service",
        "nfs-mountd.service",
        "nfs-server.service",
        "nfs-utils.service",
        "nfsdcld.service",
        "nfsv4-exportd.service",
        "nfsv4-server.service",
        "nftables.service",
        "nm-priv-helper.service",
        "nmb.service",
        "nohang.service",
        "nohang-desktop.service",
        "nscd.service",
        "nss-lookup.target",
        "nss-user-lookup.target",
        "ntpd.service",
        "ntpdate.service",
        "nvidia-hibernate.service",
        "nvidia-persistenced.service",
        "nvidia-powerd.service",
        "nvidia-resume.service",
        "nvidia-suspend.service",
        "nvmefc-boot-connections.service",
        "nvmf-autoconnect.service",
        "nvmf-connect.target",
        "nvmf-connect-nbft.service",
        "nvmf-connect@.service",
        "pacrunner.service",
        "ostree-boot-complete.service",
        "pacman-filesdb-refresh.timer",
        "pcscd.service",
        "passim.service",
        "pcscd.socket",
        "packagekit-offline-update.service",
        "phoronix-result-server.service",
        "paccache.timer",
        "plymouth-kexec.service",
        "pamac-cleancache.timer",
        "plymouth-quit.service",
        "partimaged.service",
        "plymouth-poweroff.service",
        "plymouth-read-write.service",
        "plymouth-quit-wait.service",
        "paccache.service",
        "plymouth-switch-root-initramfs.service",
        "ostree-remount.service",
        "plymouth-switch-root.service",
        "openvpn-client@.service",
        "podman-clean-transient.service",
        "pamac-offline-upgrade.service",
        "polkit.service",
        "postfix.service",
        "pam_namespace.service",
        "poweroff.target",
        "ppp@.service",
        "opensnitchd.service",
        "proc-fs-nfsd.mount",
        "proc-sys-fs-binfmt_misc.automount",
        "proc-sys-fs-binfmt_misc.mount",
        "phoromatic-server.service",
        "ptunnel.service",
        "openvpn-server@.service",
        "plymouth-halt.service",
        "pamac-cleancache.service",
        "plymouth-reboot.service",
        "ostree-state-overlay@.service",
        "ostree-finalize-staged.service",
        "postgresql.service",
        "phoromatic-client.service",
        "pamac-daemon.service",
        "pacman-filesdb-refresh.service",
        "packagekit.service",
        "pkgfile-update.service",
        "pkgfile-update.timer",
        "plymouth-start.service",
        "ostree-prepare-root.service",
        "ostree-finalize-staged.path",
        "privoxy.service",
        "ostree-finalize-staged-hold.service",
        "qemu-guest-agent.service",
        "quotaon.service",
        "quotaon-root.service",
        "quotaon@.service",
        "rabbitmq.service",
        "ras-mc-ctl.service",
        "rasdaemon.service",
        "rathole@.service",
        "ratholec@.service",
        "ratholes@.service",
        "rc-local.service",
        "rdnssd@.service",
        "reboot.target",
        "redis.service",
        "redis-sentinel.service",
        "reflector.service",
        "reflector.timer",
        "remote-cryptsetup.target",
        "remote-fs.target",
        "remote-fs-pre.target",
        "remote-veritysetup.target",
        "rescue.service",
        "rescue.target",
        "rfkill-block@.service",
        "rfkill-unblock@.service",
        "rlogin.socket",
        "rlogin@.service",
        "rpc-gssd.service",
        "rpc-statd.service",
        "rpc-statd-notify.service",
        "rpc_pipefs.target",
        "rpcbind.service",
        "rpcbind.socket",
        "rpcbind.target",
        "rsh.socket",
        "rsh@.service",
        "rsyncd.service",
        "rsyncd.socket",
        "rsyncd@.service",
        "rtkit-daemon.service",
        "runlevel0.target",
        "runlevel1.target",
        "runlevel2.target",
        "runlevel3.target",
        "runlevel4.target",
        "runlevel5.target",
        "runlevel6.target",
        "rwhod.service",
        "samba.service",
        "sddm.service",
        "seatd.service",
        "sensord.service",
        "serial-getty@.service",
        "shadow.service",
        "shadow.timer",
        "sigpwr.target",
        "slapd.service",
        "sleep.target",
        "slices.target",
        "smartd.service",
        "smb.service",
        "sndiod.service",
        "snmpd.service",
        "snmptrapd.service",
        "snort@.service",
        "snort@1000.service",
        "soft-reboot.target",
        "ssh-access.target",
        "sshd.service",
        "sshdgenkeys.service",
        "sshuttle.service",
        "sslh.service",
        "sslh-fork.service",
        "sslh-select.service",
        "storage-target-mode.target",
        "stunnel.service",
        "sudo_logsrvd.service",
        "suspend.target",
        "suspend-then-hibernate.target",
        "svnserve.service",
        "swap.target",
        "sys-fs-fuse-connections.mount",
        "sys-kernel-config.mount",
        "sys-kernel-debug.mount",
        "sys-kernel-tracing.mount",
        "sysinit.target",
        "syslog.socket",
        "system-systemd\\x2dcryptsetup.slice",
        "system-systemd\\x2dveritysetup.slice",
        "system-update.target",
        "system-update-cleanup.service",
        "system-update-pre.target",
        "systemd-ask-password-console.path",
        "systemd-ask-password-console.service",
        "systemd-ask-password-plymouth.path",
        "systemd-ask-password-plymouth.service",
        "systemd-ask-password-wall.path",
        "systemd-ask-password-wall.service",
        "systemd-backlight@.service",
        "systemd-battery-check.service",
        "systemd-binfmt.service",
        "systemd-bless-boot.service",
        "systemd-boot-check-no-failures.service",
        "systemd-boot-random-seed.service",
        "systemd-boot-update.service",
        "systemd-bootctl.socket",
        "systemd-bootctl@.service",
        "systemd-bsod.service",
        "systemd-confext.service",
        "systemd-coredump.socket",
        "systemd-coredump@.service",
        "systemd-creds.socket",
        "systemd-creds@.service",
        "systemd-firstboot.service",
        "systemd-fsck-root.service",
        "systemd-fsck@.service",
        "systemd-growfs-root.service",
        "systemd-growfs@.service",
        "systemd-halt.service",
        "systemd-hibernate.service",
        "systemd-hibernate-resume.service",
        "systemd-homed.service",
        "systemd-homed-activate.service",
        "systemd-homed-firstboot.service",
        "systemd-hostnamed.service",
        "systemd-hostnamed.socket",
        "systemd-hwdb-update.service",
        "systemd-hybrid-sleep.service",
        "systemd-importd.service",
        "systemd-initctl.service",
        "systemd-initctl.socket",
        "systemd-journal-catalog-update.service",
        "systemd-journal-flush.service",
        "systemd-journal-gatewayd.service",
        "systemd-journal-gatewayd.socket",
        "systemd-journal-remote.service",
        "systemd-journal-remote.socket",
        "systemd-journal-upload.service",
        "systemd-journald.service",
        "systemd-journald.socket",
        "systemd-journald-audit.socket",
        "systemd-journald-dev-log.socket",
        "systemd-journald-varlink@.socket",
        "systemd-journald@.service",
        "systemd-journald@.socket",
        "systemd-kexec.service",
        "systemd-localed.service",
        "systemd-logind.service",
        "systemd-machine-id-commit.service",
        "systemd-machined.service",
        "systemd-modules-load.service",
        "systemd-network-generator.service",
        "systemd-networkd.service",
        "systemd-networkd.socket",
        "systemd-networkd-persistent-storage.service",
        "systemd-networkd-wait-online.service",
        "systemd-networkd-wait-online@.service",
        "systemd-nspawn@.service",
        "systemd-oomd.service",
        "systemd-oomd.socket",
        "systemd-pcrextend.socket",
        "systemd-pcrextend@.service",
        "systemd-pcrfs-root.service",
        "systemd-pcrfs@.service",
        "systemd-pcrlock.socket",
        "systemd-pcrlock-file-system.service",
        "systemd-pcrlock-firmware-code.service",
        "systemd-pcrlock-firmware-config.service",
        "systemd-pcrlock-machine-id.service",
        "systemd-pcrlock-make-policy.service",
        "systemd-pcrlock-secureboot-authority.service",
        "systemd-pcrlock-secureboot-policy.service",
        "systemd-pcrlock@.service",
        "systemd-pcrmachine.service",
        "systemd-pcrphase.service",
        "systemd-pcrphase-initrd.service",
        "systemd-pcrphase-sysinit.service",
        "systemd-portabled.service",
        "systemd-poweroff.service",
        "systemd-pstore.service",
        "systemd-quotacheck.service",
        "systemd-quotacheck-root.service",
        "systemd-quotacheck@.service",
        "systemd-random-seed.service",
        "systemd-reboot.service",
        "systemd-remount-fs.service",
        "systemd-repart.service",
        "systemd-resolved.service",
        "systemd-rfkill.service",
        "systemd-rfkill.socket",
        "systemd-soft-reboot.service",
        "systemd-storagetm.service",
        "systemd-suspend.service",
        "systemd-suspend-then-hibernate.service",
        "systemd-sysctl.service",
        "systemd-sysext.service",
        "systemd-sysext.socket",
        "systemd-sysext@.service",
        "systemd-sysupdate.service",
        "systemd-sysupdate.timer",
        "systemd-sysupdate-reboot.service",
        "systemd-sysupdate-reboot.timer",
        "systemd-sysusers.service",
        "systemd-time-wait-sync.service",
        "systemd-timedated.service",
        "systemd-timesyncd.service",
        "systemd-tmpfiles-setup-dev.service",
        "systemd-tmpfiles-setup-dev-early.service",
        "systemd-tpm2-setup.service",
        "systemd-tpm2-setup-early.service",
        "systemd-udev-trigger.service",
        "systemd-udevd.service",
        "systemd-udevd-control.socket",
        "systemd-udevd-kernel.socket",
        "systemd-update-done.service",
        "systemd-update-utmp.service",
        "systemd-update-utmp-runlevel.service",
        "systemd-user-sessions.service",
        "systemd-userdbd.service",
        "systemd-userdbd.socket",
        "systemd-vconsole-setup.service",
        "systemd-vmspawn@.service",
        "systemd-volatile-root.service",
        "systemd-zram-setup@.service",
        "talk.service",
        "talk.socket",
        "teamd@.service",
        "telnet.socket",
        "telnet@.service",
        "time-set.target",
        "time-sync.target",
        "tinc.service",
        "tinc@.service",
        "tinyproxy.service",
        "tlp.service",
        "tmp.mount",
        "tor.service",
        "tpm2.target",
        "udisks2.service",
        "udp2raw@.service",
        "ufw.service",
        "uksmd.service",
        "umount.target",
        "unbound.service",
        "updatedb.service",
        "updatedb.timer",
        "upower.service",
        "usb-gadget.target",
        "usb_modeswitch@.service",
        "usbipd.service",
        "usbmuxd.service",
        "user.slice",
        "user-runtime-dir@.service",
        "user@.service",
        "uuidd.service",
        "uuidd.socket",
        "var-lib-machines.mount",
        "var-lib-nfs-rpc_pipefs.mount",
        "vboxdrmclient.path",
        "vboxdrmclient.service",
        "vboxservice.service",
        "veritysetup.target",
        "veritysetup-pre.target",
        "virt-guest-shutdown.target",
        "virtchd.service",
        "virtchd.socket",
        "virtchd-admin.socket",
        "virtchd-ro.socket",
        "virtinterfaced.service",
        "virtinterfaced.socket",
        "virtinterfaced-admin.socket",
        "virtinterfaced-ro.socket",
        "virtlockd.service",
        "virtlockd.socket",
        "virtlockd-admin.socket",
        "virtlogd.service",
        "virtlogd.socket",
        "virtlogd-admin.socket",
        "virtlxcd.service",
        "virtlxcd.socket",
        "virtlxcd-admin.socket",
        "virtlxcd-ro.socket",
        "virtnetworkd.service",
        "virtnetworkd.socket",
        "virtnetworkd-admin.socket",
        "virtnetworkd-ro.socket",
        "virtnodedevd.service",
        "virtnodedevd.socket",
        "virtnodedevd-admin.socket",
        "virtnodedevd-ro.socket",
        "virtnwfilterd.service",
        "virtnwfilterd.socket",
        "virtnwfilterd-admin.socket",
        "virtnwfilterd-ro.socket",
        "virtproxyd.service",
        "virtproxyd.socket",
        "virtproxyd-admin.socket",
        "virtproxyd-ro.socket",
        "virtproxyd-tcp.socket",
        "virtproxyd-tls.socket",
        "virtqemud.service",
        "virtqemud.socket",
        "virtqemud-admin.socket",
        "virtqemud-ro.socket",
        "virtsecretd.service",
        "virtsecretd.socket",
        "virtsecretd-admin.socket",
        "virtsecretd-ro.socket",
        "virtstoraged.service",
        "virtstoraged.socket",
        "virtstoraged-admin.socket",
        "virtstoraged-ro.socket",
        "virtvboxd.service",
        "virtvboxd.socket",
        "virtvboxd-admin.socket",
        "virtvboxd-ro.socket",
        "vmtoolsd.service",
        "vmware-vmblock-fuse.service",
        "vpnc@.service",
        "wacom-inputattach@.service",
        "wg-quick.target",
        "wg-quick@.service",
        "winbind.service",
        "wondershaper.service",
        "wpa_supplicant.service",
        "wpa_supplicant-nl80211@.service",
        "wpa_supplicant-wired@.service",
        "wpa_supplicant@.service",
        "xfs_scrub@.service",
        "xfs_scrub_all.service",
        "xfs_scrub_all.timer",
        "xfs_scrub_fail@.service",
        "xl2tpd.service",
        "xplico.service",
        "xrdp.service",
        "xrdp-sesman.service",
        "yate.service",
        "zfs.target",
        "zfs-import.service",
        "zfs-import.target",
        "zfs-import-cache.service",
        "zfs-import-scan.service",
        "zfs-load-key.service",
        "zfs-mount.service",
        "zfs-scrub-monthly@.timer",
        "zfs-scrub-weekly@.timer",
        "zfs-scrub@.service",
        "zfs-share.service",
        "zfs-trim-monthly@.timer",
        "zfs-trim-weekly@.timer",
        "zfs-trim@.service",
        "zfs-volume-wait.service",
        "zfs-volumes.target",
        "zfs-zed.service",
        "plymouth.conf",
        "gpg-agent-ssh@etc-pacman.d-gnupg.socket",
        "keyboxd@etc-pacman.d-gnupg.socket",
        "dirmngr@etc-pacman.d-gnupg.socket",
        "gpg-agent-browser@etc-pacman.d-gnupg.socket",
        "gpg-agent-extra@etc-pacman.d-gnupg.socket",
        "gpg-agent@etc-pacman.d-gnupg.socket",
        "https://hybrid-analysis.com/sample/ff42428f0fcc346cc56e2b00d4b5c4bd43b55f3465b4ccab0efba9c88f4a1c03/661da0b063c895fc2d0a78dc",
        "https://hybrid-analysis.com/sample/9613dee39157b5f9935436b36647047e267b7c10fa4c7ab1fd995db681e58c12/661da5b202eaca78740cf4ed",
        "https://hybrid-analysis.com/sample/479a0170df010c5eb742ff1b8740a2ccf381df44c8a919c95d6e38685278e78a/661da5c768340c1e25092cb2",
        "50-rc_keymap.conf",
        "10-defaults.conf",
        "10-login-barrier.conf",
        "20-systemd-userdb.conf",
        "20-systemd-ssh-proxy.conf",
        "iptables-flush",
        "cpupower",
        "chkboot-bootcheck",
        "10-root.conf",
        "30-root-verity-sig.conf",
        "20-root-verity.conf",
        "80-systemd-timesync.list",
        "80-6rd-tunnel.link",
        "80-container-ve.network",
        "80-container-vb.network",
        "80-container-vz.link",
        "80-6rd-tunnel.network",
        "80-container-vz.network",
        "80-auto-link-local.network.example",
        "80-ethernet.network.example",
        "80-container-host0.network",
        "80-iwd.link",
        "80-container-vb.link",
        "80-vm-vt.link",
        "80-vm-vt.network",
        "80-wifi-adhoc.network",
        "80-wifi-ap.network.example",
        "80-wifi-station.network.example",
        "80-container-ve.link",
        "89-ethernet.network.example",
        "99-default.link",
        "dbus-broker.catalog",
        "dbus-broker-launch.catalog",
        "systemd.be.catalog",
        "systemd.be@latin.catalog",
        "systemd.da.catalog",
        "systemd.bg.catalog",
        "systemd.hu.catalog",
        "systemd.catalog",
        "systemd.it.catalog",
        "systemd.fr.catalog",
        "systemd.ko.catalog",
        "systemd.hr.catalog",
        "systemd.pl.catalog",
        "systemd.pt_BR.catalog",
        "systemd.ru.catalog",
        "systemd.sr.catalog",
        "systemd.zh_CN.catalog",
        "systemd.de.catalog",
        "systemd.zh_TW.catalog",
        "expl_cve_2021_40444.yar"
      ],
      "public": 1,
      "adversary": "Chinese Speaking",
      "targeted_countries": [],
      "malware_families": [
        {
          "id": "RemainAfterExit",
          "display_name": "RemainAfterExit",
          "target": null
        },
        {
          "id": "NMBDOPTIONS",
          "display_name": "NMBDOPTIONS",
          "target": null
        },
        {
          "id": "SMBDOPTIONS",
          "display_name": "SMBDOPTIONS",
          "target": null
        },
        {
          "id": "SuccessAction",
          "display_name": "SuccessAction",
          "target": null
        },
        {
          "id": "WINBINDOPTIONS",
          "display_name": "WINBINDOPTIONS",
          "target": null
        }
      ],
      "attack_ids": [
        {
          "id": "T1027",
          "name": "Obfuscated Files or Information",
          "display_name": "T1027 - Obfuscated Files or Information"
        },
        {
          "id": "T1071",
          "name": "Application Layer Protocol",
          "display_name": "T1071 - Application Layer Protocol"
        },
        {
          "id": "T1082",
          "name": "System Information Discovery",
          "display_name": "T1082 - System Information Discovery"
        },
        {
          "id": "T1106",
          "name": "Native API",
          "display_name": "T1106 - Native API"
        },
        {
          "id": "T1205",
          "name": "Traffic Signaling",
          "display_name": "T1205 - Traffic Signaling"
        },
        {
          "id": "T1140",
          "name": "Deobfuscate/Decode Files or Information",
          "display_name": "T1140 - Deobfuscate/Decode Files or Information"
        },
        {
          "id": "T1059",
          "name": "Command and Scripting Interpreter",
          "display_name": "T1059 - Command and Scripting Interpreter"
        },
        {
          "id": "T1543",
          "name": "Create or Modify System Process",
          "display_name": "T1543 - Create or Modify System Process"
        },
        {
          "id": "T1569",
          "name": "System Services",
          "display_name": "T1569 - System Services"
        },
        {
          "id": "T1090",
          "name": "Proxy",
          "display_name": "T1090 - Proxy"
        },
        {
          "id": "T1114",
          "name": "Email Collection",
          "display_name": "T1114 - Email Collection"
        },
        {
          "id": "T1573",
          "name": "Encrypted Channel",
          "display_name": "T1573 - Encrypted Channel"
        }
      ],
      "industries": [],
      "TLP": "white",
      "cloned_from": null,
      "export_count": 55,
      "upvotes_count": 0,
      "downvotes_count": 0,
      "votes_count": 0,
      "locked": false,
      "pulse_source": "web",
      "validator_count": 0,
      "comment_count": 0,
      "follower_count": 0,
      "vote": 0,
      "author": {
        "username": "Merkd1904",
        "id": "196517",
        "avatar_url": "https://otx.alienvault.com/assets/images/default-avatar.png",
        "is_subscribed": false,
        "is_following": false
      },
      "indicator_type_counts": {
        "FileHash-MD5": 123,
        "YARA": 16,
        "CVE": 4,
        "FileHash-SHA1": 25,
        "FileHash-SHA256": 20,
        "domain": 102,
        "URL": 16,
        "email": 9,
        "hostname": 4,
        "CIDR": 2
      },
      "indicator_count": 321,
      "is_author": false,
      "is_subscribing": null,
      "subscriber_count": 75,
      "modified_text": "769 days ago ",
      "is_modified": true,
      "groups": [],
      "in_group": false,
      "threat_hunter_scannable": true,
      "threat_hunter_has_agents": 1,
      "related_indicator_type": "domain",
      "related_indicator_is_active": 1
    }
  ],
  "error": null,
  "vt": {
    "error": "VirusTotal rate limit reached. Try again shortly.",
    "indicator": "network-pre.target",
    "type": "Domain"
  },
  "abuseipdb": null,
  "urlhaus": {
    "indicator": "network-pre.target",
    "found": false,
    "verdict": "clean",
    "urls": [],
    "error": null
  },
  "from_cache": true,
  "_cached_at": 1780349956.1153731
}