{
  "type": "Domain",
  "indicator": "self.data",
  "general": {
    "sections": [
      "general",
      "geo",
      "url_list",
      "passive_dns",
      "malware",
      "whois",
      "http_scans"
    ],
    "whois": "http://whois.domaintools.com/self.data",
    "alexa": "http://www.alexa.com/siteinfo/self.data",
    "indicator": "self.data",
    "type": "domain",
    "type_title": "Domain",
    "validation": [],
    "base_indicator": {
      "id": 2257104643,
      "indicator": "self.data",
      "type": "domain",
      "title": "",
      "description": "",
      "content": "",
      "access_type": "public",
      "access_reason": ""
    },
    "pulse_info": {
      "count": 17,
      "pulses": [
        {
          "id": "68c1a962edea5cd8c728d65c",
          "name": "AdaptixC2: A New Open-Source Framework Leveraged in Real-World Attacks",
          "description": "AdaptixC2, an open-source post-exploitation and adversarial emulation framework, has been observed being used in real-world attacks. This versatile tool allows threat actors to execute commands, transfer files, and perform data exfiltration on compromised systems. Its open-source nature enables easy customization, making it highly flexible and dangerous. The framework supports sophisticated tunneling capabilities, modular design with extenders, and various beacon agent formats. Two infection scenarios were analyzed: one using social engineering via Microsoft Teams, and another likely involving AI-generated scripts. The increasing prevalence of AdaptixC2 in attacks, including its use alongside ransomware, highlights the growing trend of attackers leveraging customizable frameworks to evade detection.",
          "modified": "2025-09-10T19:40:56.835000",
          "created": "2025-09-10T16:37:54.837000",
          "tags": [
            "data exfiltration",
            "c2 framework",
            "open-source",
            "adaptixc2",
            "tunneling",
            "ai-generated scripts",
            "foggyweb",
            "social engineering",
            "adversarial emulation",
            "post-exploitation"
          ],
          "references": [
            "https://unit42.paloaltonetworks.com/adaptixc2-post-exploitation-framework/"
          ],
          "public": 1,
          "adversary": "",
          "targeted_countries": [],
          "malware_families": [],
          "attack_ids": [
            {
              "id": "T1056.001",
              "name": "Keylogging",
              "display_name": "T1056.001 - Keylogging"
            },
            {
              "id": "T1082",
              "name": "System Information Discovery",
              "display_name": "T1082 - System Information Discovery"
            },
            {
              "id": "T1071",
              "name": "Application Layer Protocol",
              "display_name": "T1071 - Application Layer Protocol"
            },
            {
              "id": "T1055",
              "name": "Process Injection",
              "display_name": "T1055 - Process Injection"
            },
            {
              "id": "T1112",
              "name": "Modify Registry",
              "display_name": "T1112 - Modify Registry"
            },
            {
              "id": "T1090",
              "name": "Proxy",
              "display_name": "T1090 - Proxy"
            },
            {
              "id": "T1059",
              "name": "Command and Scripting Interpreter",
              "display_name": "T1059 - Command and Scripting Interpreter"
            },
            {
              "id": "T1083",
              "name": "File and Directory Discovery",
              "display_name": "T1083 - File and Directory Discovery"
            },
            {
              "id": "T1057",
              "name": "Process Discovery",
              "display_name": "T1057 - Process Discovery"
            },
            {
              "id": "T1041",
              "name": "Exfiltration Over C2 Channel",
              "display_name": "T1041 - Exfiltration Over C2 Channel"
            },
            {
              "id": "T1547.001",
              "name": "Registry Run Keys / Startup Folder",
              "display_name": "T1547.001 - Registry Run Keys / Startup Folder"
            },
            {
              "id": "T1027",
              "name": "Obfuscated Files or Information",
              "display_name": "T1027 - Obfuscated Files or Information"
            },
            {
              "id": "T1056",
              "name": "Input Capture",
              "display_name": "T1056 - Input Capture"
            },
            {
              "id": "T1095",
              "name": "Non-Application Layer Protocol",
              "display_name": "T1095 - Non-Application Layer Protocol"
            },
            {
              "id": "T1132",
              "name": "Data Encoding",
              "display_name": "T1132 - Data Encoding"
            },
            {
              "id": "T1134",
              "name": "Access Token Manipulation",
              "display_name": "T1134 - Access Token Manipulation"
            },
            {
              "id": "T1518",
              "name": "Software Discovery",
              "display_name": "T1518 - Software Discovery"
            },
            {
              "id": "T1105",
              "name": "Ingress Tool Transfer",
              "display_name": "T1105 - Ingress Tool Transfer"
            },
            {
              "id": "T1204.001",
              "name": "Malicious Link",
              "display_name": "T1204.001 - Malicious Link"
            },
            {
              "id": "T1569.002",
              "name": "Service Execution",
              "display_name": "T1569.002 - Service Execution"
            }
          ],
          "industries": [
            "Finance"
          ],
          "TLP": "white",
          "cloned_from": null,
          "export_count": 48,
          "upvotes_count": 0,
          "downvotes_count": 0,
          "votes_count": 0,
          "locked": false,
          "pulse_source": "api",
          "validator_count": 0,
          "comment_count": 0,
          "follower_count": 0,
          "vote": 0,
          "author": {
            "username": "AlienVault",
            "id": "2",
            "avatar_url": "/otxapi/users/avatar_image/media/avatars/user_2/resized/80/avatar_dacfad0ca8.png",
            "is_subscribed": true,
            "is_following": false
          },
          "indicator_type_counts": {
            "FileHash-SHA1": 1,
            "FileHash-SHA256": 7,
            "YARA": 3,
            "domain": 19,
            "hostname": 1
          },
          "indicator_count": 31,
          "is_author": false,
          "is_subscribing": null,
          "subscriber_count": 386536,
          "modified_text": "262 days ago ",
          "is_modified": true,
          "groups": [],
          "in_group": false,
          "threat_hunter_scannable": true,
          "threat_hunter_has_agents": 1,
          "related_indicator_type": "domain",
          "related_indicator_is_active": 1
        },
        {
          "id": "69eb254f17eb4a2a990f07e5",
          "name": "LevelBlue - Open Threat Exchange",
          "description": "[ As part of security research, we look at some of the most well-known vulnerabilities in the PDF ecosystem, and how they can be identified and mitigated, with the help of a simple hash.] [64xxxx]",
          "modified": "2026-05-28T07:10:11.800000",
          "created": "2026-04-24T08:09:51.488000",
          "tags": [
            "pdfkit",
            "cve202225765",
            "exploit script",
            "github",
            "unicordev",
            "cves",
            "xml external",
            "entity",
            "pdfs",
            "knowledge base",
            "python",
            "mozilla",
            "virustotal",
            "cisa",
            "apple",
            "microsoft",
            "pdfkit ruby",
            "remote code",
            "execution",
            "urls",
            "malware",
            "raid",
            "caddywiper",
            "wipes",
            "cve202543529",
            "webkit",
            "february",
            "cve202620643",
            "bypass",
            "march",
            "webkit bug",
            "command",
            "control",
            "levelblue",
            "open threat"
          ],
          "references": [
            "https://otx.alienvault.com/indicator/ip/198.49.23.145#:~:text=CIDR:%206%20%7C%20CVE:%20107,infrastructure%20into%20global%20botnet%20clusters."
          ],
          "public": 1,
          "adversary": "",
          "targeted_countries": [],
          "malware_families": [
            {
              "id": "Wipes",
              "display_name": "Wipes",
              "target": null
            }
          ],
          "attack_ids": [],
          "industries": [],
          "TLP": "green",
          "cloned_from": null,
          "export_count": 0,
          "upvotes_count": 0,
          "downvotes_count": 0,
          "votes_count": 0,
          "locked": false,
          "pulse_source": "web",
          "validator_count": 0,
          "comment_count": 1,
          "follower_count": 0,
          "vote": 0,
          "author": {
            "username": "msudosos",
            "id": "381696",
            "avatar_url": "https://otx.alienvault.com/assets/images/default-avatar.png",
            "is_subscribed": false,
            "is_following": false
          },
          "indicator_type_counts": {
            "FileHash-MD5": 1084,
            "FileHash-SHA1": 874,
            "FileHash-SHA256": 3052,
            "CVE": 36,
            "domain": 437,
            "hostname": 1086,
            "URL": 1411,
            "CIDR": 15,
            "email": 13
          },
          "indicator_count": 8008,
          "is_author": false,
          "is_subscribing": null,
          "subscriber_count": 70,
          "modified_text": "3 days ago ",
          "is_modified": true,
          "groups": [],
          "in_group": false,
          "threat_hunter_scannable": true,
          "threat_hunter_has_agents": 1,
          "related_indicator_type": "domain",
          "related_indicator_is_active": 1
        },
        {
          "id": "69d7a3f6f81dc2388c0fa027",
          "name": "VirusTotal report for flow-browser-main.zip",
          "description": "A sample of flow-browser-main, an unauthorised version of the web browser, has been detected by researchers at the University of California, Los Angeles, and the National Security Agency (NSA). myvzw.com after an email on ending a #",
          "modified": "2026-05-09T12:10:59.635000",
          "created": "2026-04-09T13:04:54.563000",
          "tags": [
            "file type",
            "png image",
            "ascii",
            "ascii text",
            "java source",
            "json",
            "rgba",
            "creates",
            "crlf line",
            "mac os",
            "date",
            "malicious",
            "next",
            "button",
            "span",
            "edit3icon",
            "rotateccwicon",
            "xicon",
            "htmldivelement",
            "react",
            "saveicon",
            "null",
            "shortcutitem",
            "click",
            "zip archive",
            "png multimedia",
            "graphics"
          ],
          "references": [
            "https://vtbehaviour.commondatastorage.googleapis.com/087797e64cf016f13eac46473b4150d49c7eba564c894300f69bc643b059c980_Zenbox.html?GoogleAccessId=758681729565-rc7fgq07icj8c9dm2gi34a4cckv235v1@developer.gserviceaccount.com&Expires=1775739500&Signature=r1pLCgJf%2FQK8TvenCwXy9bnghFzjJ5QssdQSLP37SLv6EkA3WXuFUIvKrsXKokco7bMfQUy%2FArk8F6aP%2Bhaj16Jv7P%2FGB%2Blf7mPvs47VjwfBJRCP8AZLlWvO45%2BjC68v798csdJFPTP31O4yDOE3pXZ3EThm4nSrIwLPhTSPfi3cPlEh2wLSzcySW7BYLw%2BqCoawFCxeLUz7hIV0vC89Mlwi3DeS%2BEnWFF%2FsvT9lVJjdbLoJLEeO",
            "https://vtbehaviour.commondatastorage.googleapis.com/087797e64cf016f13eac46473b4150d49c7eba564c894300f69bc643b059c980_CAPE%20Sandbox.html?GoogleAccessId=758681729565-rc7fgq07icj8c9dm2gi34a4cckv235v1@developer.gserviceaccount.com&Expires=1775739700&Signature=bOTo%2FxCpGDGOsIKJDZjBBhLZRg8UiOGi%2FvVr47Xpmh7tOh9dez7911bi%2F9SUdu4ATLhzRVog%2BdVP%2BUPwTuEfIdEcPuGRGVc1KOSP3fTQrKhRjF3x2dqykxVCH%2B1iqBmCgod%2B1uAdlraxqSOeOgst1l%2Bk250uXff4axktE%2BfGjeNDeGJao%2FfOMktqIL7zU8%2BIQYTObwelnnYx45FBSiXI1bWM4vhdgIX4cs2cT%2F"
          ],
          "public": 1,
          "adversary": "",
          "targeted_countries": [],
          "malware_families": [],
          "attack_ids": [
            {
              "id": "T1055",
              "name": "Process Injection",
              "display_name": "T1055 - Process Injection"
            },
            {
              "id": "T1071",
              "name": "Application Layer Protocol",
              "display_name": "T1071 - Application Layer Protocol"
            },
            {
              "id": "T1082",
              "name": "System Information Discovery",
              "display_name": "T1082 - System Information Discovery"
            },
            {
              "id": "T1095",
              "name": "Non-Application Layer Protocol",
              "display_name": "T1095 - Non-Application Layer Protocol"
            },
            {
              "id": "T1497",
              "name": "Virtualization/Sandbox Evasion",
              "display_name": "T1497 - Virtualization/Sandbox Evasion"
            },
            {
              "id": "T1518",
              "name": "Software Discovery",
              "display_name": "T1518 - Software Discovery"
            },
            {
              "id": "T1562",
              "name": "Impair Defenses",
              "display_name": "T1562 - Impair Defenses"
            },
            {
              "id": "T1574",
              "name": "Hijack Execution Flow",
              "display_name": "T1574 - Hijack Execution Flow"
            },
            {
              "id": "T1560",
              "name": "Archive Collected Data",
              "display_name": "T1560 - Archive Collected Data"
            }
          ],
          "industries": [],
          "TLP": "white",
          "cloned_from": null,
          "export_count": 0,
          "upvotes_count": 0,
          "downvotes_count": 0,
          "votes_count": 0,
          "locked": false,
          "pulse_source": "web",
          "validator_count": 0,
          "comment_count": 0,
          "follower_count": 0,
          "vote": 0,
          "author": {
            "username": "msudosos",
            "id": "381696",
            "avatar_url": "https://otx.alienvault.com/assets/images/default-avatar.png",
            "is_subscribed": false,
            "is_following": false
          },
          "indicator_type_counts": {
            "domain": 218,
            "FileHash-MD5": 558,
            "FileHash-SHA1": 564,
            "FileHash-SHA256": 558,
            "URL": 119,
            "hostname": 133,
            "email": 4
          },
          "indicator_count": 2154,
          "is_author": false,
          "is_subscribing": null,
          "subscriber_count": 67,
          "modified_text": "22 days ago ",
          "is_modified": true,
          "groups": [],
          "in_group": false,
          "threat_hunter_scannable": true,
          "threat_hunter_has_agents": 1,
          "related_indicator_type": "domain",
          "related_indicator_is_active": 1
        },
        {
          "id": "69d7a3f683111bbbe1c9ae35",
          "name": "VirusTotal report for flow-browser-main.zip",
          "description": "A sample of flow-browser-main, an unauthorised version of the web browser, has been detected by researchers at the University of California, Los Angeles, and the National Security Agency (NSA). myvzw.com after an email on ending a #",
          "modified": "2026-05-09T12:10:59.635000",
          "created": "2026-04-09T13:04:54.775000",
          "tags": [
            "file type",
            "png image",
            "ascii",
            "ascii text",
            "java source",
            "json",
            "rgba",
            "creates",
            "crlf line",
            "mac os",
            "date",
            "malicious",
            "next",
            "button",
            "span",
            "edit3icon",
            "rotateccwicon",
            "xicon",
            "htmldivelement",
            "react",
            "saveicon",
            "null",
            "shortcutitem",
            "click",
            "zip archive",
            "png multimedia",
            "graphics"
          ],
          "references": [
            "https://vtbehaviour.commondatastorage.googleapis.com/087797e64cf016f13eac46473b4150d49c7eba564c894300f69bc643b059c980_Zenbox.html?GoogleAccessId=758681729565-rc7fgq07icj8c9dm2gi34a4cckv235v1@developer.gserviceaccount.com&Expires=1775739500&Signature=r1pLCgJf%2FQK8TvenCwXy9bnghFzjJ5QssdQSLP37SLv6EkA3WXuFUIvKrsXKokco7bMfQUy%2FArk8F6aP%2Bhaj16Jv7P%2FGB%2Blf7mPvs47VjwfBJRCP8AZLlWvO45%2BjC68v798csdJFPTP31O4yDOE3pXZ3EThm4nSrIwLPhTSPfi3cPlEh2wLSzcySW7BYLw%2BqCoawFCxeLUz7hIV0vC89Mlwi3DeS%2BEnWFF%2FsvT9lVJjdbLoJLEeO",
            "https://vtbehaviour.commondatastorage.googleapis.com/087797e64cf016f13eac46473b4150d49c7eba564c894300f69bc643b059c980_CAPE%20Sandbox.html?GoogleAccessId=758681729565-rc7fgq07icj8c9dm2gi34a4cckv235v1@developer.gserviceaccount.com&Expires=1775739700&Signature=bOTo%2FxCpGDGOsIKJDZjBBhLZRg8UiOGi%2FvVr47Xpmh7tOh9dez7911bi%2F9SUdu4ATLhzRVog%2BdVP%2BUPwTuEfIdEcPuGRGVc1KOSP3fTQrKhRjF3x2dqykxVCH%2B1iqBmCgod%2B1uAdlraxqSOeOgst1l%2Bk250uXff4axktE%2BfGjeNDeGJao%2FfOMktqIL7zU8%2BIQYTObwelnnYx45FBSiXI1bWM4vhdgIX4cs2cT%2F"
          ],
          "public": 1,
          "adversary": "",
          "targeted_countries": [],
          "malware_families": [],
          "attack_ids": [
            {
              "id": "T1055",
              "name": "Process Injection",
              "display_name": "T1055 - Process Injection"
            },
            {
              "id": "T1071",
              "name": "Application Layer Protocol",
              "display_name": "T1071 - Application Layer Protocol"
            },
            {
              "id": "T1082",
              "name": "System Information Discovery",
              "display_name": "T1082 - System Information Discovery"
            },
            {
              "id": "T1095",
              "name": "Non-Application Layer Protocol",
              "display_name": "T1095 - Non-Application Layer Protocol"
            },
            {
              "id": "T1497",
              "name": "Virtualization/Sandbox Evasion",
              "display_name": "T1497 - Virtualization/Sandbox Evasion"
            },
            {
              "id": "T1518",
              "name": "Software Discovery",
              "display_name": "T1518 - Software Discovery"
            },
            {
              "id": "T1562",
              "name": "Impair Defenses",
              "display_name": "T1562 - Impair Defenses"
            },
            {
              "id": "T1574",
              "name": "Hijack Execution Flow",
              "display_name": "T1574 - Hijack Execution Flow"
            },
            {
              "id": "T1560",
              "name": "Archive Collected Data",
              "display_name": "T1560 - Archive Collected Data"
            }
          ],
          "industries": [],
          "TLP": "white",
          "cloned_from": null,
          "export_count": 0,
          "upvotes_count": 0,
          "downvotes_count": 0,
          "votes_count": 0,
          "locked": false,
          "pulse_source": "web",
          "validator_count": 0,
          "comment_count": 0,
          "follower_count": 0,
          "vote": 0,
          "author": {
            "username": "msudosos",
            "id": "381696",
            "avatar_url": "https://otx.alienvault.com/assets/images/default-avatar.png",
            "is_subscribed": false,
            "is_following": false
          },
          "indicator_type_counts": {
            "domain": 218,
            "FileHash-MD5": 558,
            "FileHash-SHA1": 564,
            "FileHash-SHA256": 558,
            "URL": 119,
            "hostname": 133,
            "email": 4
          },
          "indicator_count": 2154,
          "is_author": false,
          "is_subscribing": null,
          "subscriber_count": 68,
          "modified_text": "22 days ago ",
          "is_modified": true,
          "groups": [],
          "in_group": false,
          "threat_hunter_scannable": true,
          "threat_hunter_has_agents": 1,
          "related_indicator_type": "domain",
          "related_indicator_is_active": 1
        },
        {
          "id": "69d7a3f6657dd0c212d8344a",
          "name": "VirusTotal report for flow-browser-main.zip",
          "description": "A sample of flow-browser-main, an unauthorised version of the web browser, has been detected by researchers at the University of California, Los Angeles, and the National Security Agency (NSA). myvzw.com after an email on ending a #",
          "modified": "2026-05-09T12:10:59.635000",
          "created": "2026-04-09T13:04:54.060000",
          "tags": [
            "file type",
            "png image",
            "ascii",
            "ascii text",
            "java source",
            "json",
            "rgba",
            "creates",
            "crlf line",
            "mac os",
            "date",
            "malicious",
            "next",
            "button",
            "span",
            "edit3icon",
            "rotateccwicon",
            "xicon",
            "htmldivelement",
            "react",
            "saveicon",
            "null",
            "shortcutitem",
            "click",
            "zip archive",
            "png multimedia",
            "graphics"
          ],
          "references": [
            "https://vtbehaviour.commondatastorage.googleapis.com/087797e64cf016f13eac46473b4150d49c7eba564c894300f69bc643b059c980_Zenbox.html?GoogleAccessId=758681729565-rc7fgq07icj8c9dm2gi34a4cckv235v1@developer.gserviceaccount.com&Expires=1775739500&Signature=r1pLCgJf%2FQK8TvenCwXy9bnghFzjJ5QssdQSLP37SLv6EkA3WXuFUIvKrsXKokco7bMfQUy%2FArk8F6aP%2Bhaj16Jv7P%2FGB%2Blf7mPvs47VjwfBJRCP8AZLlWvO45%2BjC68v798csdJFPTP31O4yDOE3pXZ3EThm4nSrIwLPhTSPfi3cPlEh2wLSzcySW7BYLw%2BqCoawFCxeLUz7hIV0vC89Mlwi3DeS%2BEnWFF%2FsvT9lVJjdbLoJLEeO",
            "https://vtbehaviour.commondatastorage.googleapis.com/087797e64cf016f13eac46473b4150d49c7eba564c894300f69bc643b059c980_CAPE%20Sandbox.html?GoogleAccessId=758681729565-rc7fgq07icj8c9dm2gi34a4cckv235v1@developer.gserviceaccount.com&Expires=1775739700&Signature=bOTo%2FxCpGDGOsIKJDZjBBhLZRg8UiOGi%2FvVr47Xpmh7tOh9dez7911bi%2F9SUdu4ATLhzRVog%2BdVP%2BUPwTuEfIdEcPuGRGVc1KOSP3fTQrKhRjF3x2dqykxVCH%2B1iqBmCgod%2B1uAdlraxqSOeOgst1l%2Bk250uXff4axktE%2BfGjeNDeGJao%2FfOMktqIL7zU8%2BIQYTObwelnnYx45FBSiXI1bWM4vhdgIX4cs2cT%2F"
          ],
          "public": 1,
          "adversary": "",
          "targeted_countries": [],
          "malware_families": [],
          "attack_ids": [
            {
              "id": "T1055",
              "name": "Process Injection",
              "display_name": "T1055 - Process Injection"
            },
            {
              "id": "T1071",
              "name": "Application Layer Protocol",
              "display_name": "T1071 - Application Layer Protocol"
            },
            {
              "id": "T1082",
              "name": "System Information Discovery",
              "display_name": "T1082 - System Information Discovery"
            },
            {
              "id": "T1095",
              "name": "Non-Application Layer Protocol",
              "display_name": "T1095 - Non-Application Layer Protocol"
            },
            {
              "id": "T1497",
              "name": "Virtualization/Sandbox Evasion",
              "display_name": "T1497 - Virtualization/Sandbox Evasion"
            },
            {
              "id": "T1518",
              "name": "Software Discovery",
              "display_name": "T1518 - Software Discovery"
            },
            {
              "id": "T1562",
              "name": "Impair Defenses",
              "display_name": "T1562 - Impair Defenses"
            },
            {
              "id": "T1574",
              "name": "Hijack Execution Flow",
              "display_name": "T1574 - Hijack Execution Flow"
            },
            {
              "id": "T1560",
              "name": "Archive Collected Data",
              "display_name": "T1560 - Archive Collected Data"
            }
          ],
          "industries": [],
          "TLP": "white",
          "cloned_from": null,
          "export_count": 0,
          "upvotes_count": 0,
          "downvotes_count": 0,
          "votes_count": 0,
          "locked": false,
          "pulse_source": "web",
          "validator_count": 0,
          "comment_count": 0,
          "follower_count": 0,
          "vote": 0,
          "author": {
            "username": "msudosos",
            "id": "381696",
            "avatar_url": "https://otx.alienvault.com/assets/images/default-avatar.png",
            "is_subscribed": false,
            "is_following": false
          },
          "indicator_type_counts": {
            "domain": 217,
            "FileHash-MD5": 558,
            "FileHash-SHA1": 564,
            "FileHash-SHA256": 558,
            "URL": 118,
            "hostname": 133,
            "email": 2
          },
          "indicator_count": 2150,
          "is_author": false,
          "is_subscribing": null,
          "subscriber_count": 67,
          "modified_text": "22 days ago ",
          "is_modified": true,
          "groups": [],
          "in_group": false,
          "threat_hunter_scannable": true,
          "threat_hunter_has_agents": 1,
          "related_indicator_type": "domain",
          "related_indicator_is_active": 1
        },
        {
          "id": "69d7a3f511d0121d253b753d",
          "name": "VirusTotal report for flow-browser-main.zip",
          "description": "A sample of flow-browser-main, an unauthorised version of the web browser, has been detected by researchers at the University of California, Los Angeles, and the National Security Agency (NSA). myvzw.com after an email on ending a #",
          "modified": "2026-05-09T12:10:59.635000",
          "created": "2026-04-09T13:04:53.436000",
          "tags": [
            "file type",
            "png image",
            "ascii",
            "ascii text",
            "java source",
            "json",
            "rgba",
            "creates",
            "crlf line",
            "mac os",
            "date",
            "malicious",
            "next",
            "button",
            "span",
            "edit3icon",
            "rotateccwicon",
            "xicon",
            "htmldivelement",
            "react",
            "saveicon",
            "null",
            "shortcutitem",
            "click",
            "zip archive",
            "png multimedia",
            "graphics"
          ],
          "references": [
            "https://vtbehaviour.commondatastorage.googleapis.com/087797e64cf016f13eac46473b4150d49c7eba564c894300f69bc643b059c980_Zenbox.html?GoogleAccessId=758681729565-rc7fgq07icj8c9dm2gi34a4cckv235v1@developer.gserviceaccount.com&Expires=1775739500&Signature=r1pLCgJf%2FQK8TvenCwXy9bnghFzjJ5QssdQSLP37SLv6EkA3WXuFUIvKrsXKokco7bMfQUy%2FArk8F6aP%2Bhaj16Jv7P%2FGB%2Blf7mPvs47VjwfBJRCP8AZLlWvO45%2BjC68v798csdJFPTP31O4yDOE3pXZ3EThm4nSrIwLPhTSPfi3cPlEh2wLSzcySW7BYLw%2BqCoawFCxeLUz7hIV0vC89Mlwi3DeS%2BEnWFF%2FsvT9lVJjdbLoJLEeO",
            "https://vtbehaviour.commondatastorage.googleapis.com/087797e64cf016f13eac46473b4150d49c7eba564c894300f69bc643b059c980_CAPE%20Sandbox.html?GoogleAccessId=758681729565-rc7fgq07icj8c9dm2gi34a4cckv235v1@developer.gserviceaccount.com&Expires=1775739700&Signature=bOTo%2FxCpGDGOsIKJDZjBBhLZRg8UiOGi%2FvVr47Xpmh7tOh9dez7911bi%2F9SUdu4ATLhzRVog%2BdVP%2BUPwTuEfIdEcPuGRGVc1KOSP3fTQrKhRjF3x2dqykxVCH%2B1iqBmCgod%2B1uAdlraxqSOeOgst1l%2Bk250uXff4axktE%2BfGjeNDeGJao%2FfOMktqIL7zU8%2BIQYTObwelnnYx45FBSiXI1bWM4vhdgIX4cs2cT%2F"
          ],
          "public": 1,
          "adversary": "",
          "targeted_countries": [],
          "malware_families": [],
          "attack_ids": [
            {
              "id": "T1055",
              "name": "Process Injection",
              "display_name": "T1055 - Process Injection"
            },
            {
              "id": "T1071",
              "name": "Application Layer Protocol",
              "display_name": "T1071 - Application Layer Protocol"
            },
            {
              "id": "T1082",
              "name": "System Information Discovery",
              "display_name": "T1082 - System Information Discovery"
            },
            {
              "id": "T1095",
              "name": "Non-Application Layer Protocol",
              "display_name": "T1095 - Non-Application Layer Protocol"
            },
            {
              "id": "T1497",
              "name": "Virtualization/Sandbox Evasion",
              "display_name": "T1497 - Virtualization/Sandbox Evasion"
            },
            {
              "id": "T1518",
              "name": "Software Discovery",
              "display_name": "T1518 - Software Discovery"
            },
            {
              "id": "T1562",
              "name": "Impair Defenses",
              "display_name": "T1562 - Impair Defenses"
            },
            {
              "id": "T1574",
              "name": "Hijack Execution Flow",
              "display_name": "T1574 - Hijack Execution Flow"
            },
            {
              "id": "T1560",
              "name": "Archive Collected Data",
              "display_name": "T1560 - Archive Collected Data"
            }
          ],
          "industries": [],
          "TLP": "white",
          "cloned_from": null,
          "export_count": 0,
          "upvotes_count": 0,
          "downvotes_count": 0,
          "votes_count": 0,
          "locked": false,
          "pulse_source": "web",
          "validator_count": 0,
          "comment_count": 0,
          "follower_count": 0,
          "vote": 0,
          "author": {
            "username": "msudosos",
            "id": "381696",
            "avatar_url": "https://otx.alienvault.com/assets/images/default-avatar.png",
            "is_subscribed": false,
            "is_following": false
          },
          "indicator_type_counts": {
            "domain": 224,
            "FileHash-MD5": 558,
            "FileHash-SHA1": 564,
            "FileHash-SHA256": 558,
            "URL": 140,
            "hostname": 166,
            "email": 2,
            "CVE": 8
          },
          "indicator_count": 2220,
          "is_author": false,
          "is_subscribing": null,
          "subscriber_count": 68,
          "modified_text": "22 days ago ",
          "is_modified": true,
          "groups": [],
          "in_group": false,
          "threat_hunter_scannable": true,
          "threat_hunter_has_agents": 1,
          "related_indicator_type": "domain",
          "related_indicator_is_active": 1
        },
        {
          "id": "69d7a3f4d72c30f9586634b9",
          "name": "VirusTotal report for flow-browser-main.zip",
          "description": "A sample of flow-browser-main, an unauthorised version of the web browser, has been detected by researchers at the University of California, Los Angeles, and the National Security Agency (NSA). myvzw.com after an email on ending a #",
          "modified": "2026-05-09T12:10:59.635000",
          "created": "2026-04-09T13:04:52.444000",
          "tags": [
            "file type",
            "png image",
            "ascii",
            "ascii text",
            "java source",
            "json",
            "rgba",
            "creates",
            "crlf line",
            "mac os",
            "date",
            "malicious",
            "next",
            "button",
            "span",
            "edit3icon",
            "rotateccwicon",
            "xicon",
            "htmldivelement",
            "react",
            "saveicon",
            "null",
            "shortcutitem",
            "click",
            "zip archive",
            "png multimedia",
            "graphics"
          ],
          "references": [
            "https://vtbehaviour.commondatastorage.googleapis.com/087797e64cf016f13eac46473b4150d49c7eba564c894300f69bc643b059c980_Zenbox.html?GoogleAccessId=758681729565-rc7fgq07icj8c9dm2gi34a4cckv235v1@developer.gserviceaccount.com&Expires=1775739500&Signature=r1pLCgJf%2FQK8TvenCwXy9bnghFzjJ5QssdQSLP37SLv6EkA3WXuFUIvKrsXKokco7bMfQUy%2FArk8F6aP%2Bhaj16Jv7P%2FGB%2Blf7mPvs47VjwfBJRCP8AZLlWvO45%2BjC68v798csdJFPTP31O4yDOE3pXZ3EThm4nSrIwLPhTSPfi3cPlEh2wLSzcySW7BYLw%2BqCoawFCxeLUz7hIV0vC89Mlwi3DeS%2BEnWFF%2FsvT9lVJjdbLoJLEeO",
            "https://vtbehaviour.commondatastorage.googleapis.com/087797e64cf016f13eac46473b4150d49c7eba564c894300f69bc643b059c980_CAPE%20Sandbox.html?GoogleAccessId=758681729565-rc7fgq07icj8c9dm2gi34a4cckv235v1@developer.gserviceaccount.com&Expires=1775739700&Signature=bOTo%2FxCpGDGOsIKJDZjBBhLZRg8UiOGi%2FvVr47Xpmh7tOh9dez7911bi%2F9SUdu4ATLhzRVog%2BdVP%2BUPwTuEfIdEcPuGRGVc1KOSP3fTQrKhRjF3x2dqykxVCH%2B1iqBmCgod%2B1uAdlraxqSOeOgst1l%2Bk250uXff4axktE%2BfGjeNDeGJao%2FfOMktqIL7zU8%2BIQYTObwelnnYx45FBSiXI1bWM4vhdgIX4cs2cT%2F"
          ],
          "public": 1,
          "adversary": "",
          "targeted_countries": [],
          "malware_families": [],
          "attack_ids": [
            {
              "id": "T1055",
              "name": "Process Injection",
              "display_name": "T1055 - Process Injection"
            },
            {
              "id": "T1071",
              "name": "Application Layer Protocol",
              "display_name": "T1071 - Application Layer Protocol"
            },
            {
              "id": "T1082",
              "name": "System Information Discovery",
              "display_name": "T1082 - System Information Discovery"
            },
            {
              "id": "T1095",
              "name": "Non-Application Layer Protocol",
              "display_name": "T1095 - Non-Application Layer Protocol"
            },
            {
              "id": "T1497",
              "name": "Virtualization/Sandbox Evasion",
              "display_name": "T1497 - Virtualization/Sandbox Evasion"
            },
            {
              "id": "T1518",
              "name": "Software Discovery",
              "display_name": "T1518 - Software Discovery"
            },
            {
              "id": "T1562",
              "name": "Impair Defenses",
              "display_name": "T1562 - Impair Defenses"
            },
            {
              "id": "T1574",
              "name": "Hijack Execution Flow",
              "display_name": "T1574 - Hijack Execution Flow"
            },
            {
              "id": "T1560",
              "name": "Archive Collected Data",
              "display_name": "T1560 - Archive Collected Data"
            }
          ],
          "industries": [],
          "TLP": "white",
          "cloned_from": null,
          "export_count": 0,
          "upvotes_count": 0,
          "downvotes_count": 0,
          "votes_count": 0,
          "locked": false,
          "pulse_source": "web",
          "validator_count": 0,
          "comment_count": 0,
          "follower_count": 0,
          "vote": 0,
          "author": {
            "username": "msudosos",
            "id": "381696",
            "avatar_url": "https://otx.alienvault.com/assets/images/default-avatar.png",
            "is_subscribed": false,
            "is_following": false
          },
          "indicator_type_counts": {
            "domain": 220,
            "FileHash-MD5": 562,
            "FileHash-SHA1": 566,
            "FileHash-SHA256": 1011,
            "URL": 125,
            "hostname": 139,
            "email": 4
          },
          "indicator_count": 2627,
          "is_author": false,
          "is_subscribing": null,
          "subscriber_count": 67,
          "modified_text": "22 days ago ",
          "is_modified": true,
          "groups": [],
          "in_group": false,
          "threat_hunter_scannable": true,
          "threat_hunter_has_agents": 1,
          "related_indicator_type": "domain",
          "related_indicator_is_active": 1
        },
        {
          "id": "69d79c38e0a059039b475ebe",
          "name": "CAPE Sandbox",
          "description": "<Here is a full list of annotations and links to the research published in the journal of the Open Science.. \u00a31.5m (3.3m euros) in its first year.>Email today from them on my line. Very wild things happening here. trying to close my line",
          "modified": "2026-05-09T12:10:59.635000",
          "created": "2026-04-09T12:31:52.495000",
          "tags": [
            "html document",
            "unicode text",
            "utf8 text",
            "crlf",
            "lf line",
            "site",
            "meta",
            "verizon",
            "wireless",
            "internet",
            "phone services",
            "official",
            "shop verizon",
            "lte network",
            "get fios",
            "title",
            "code",
            "error",
            "utc na",
            "utc google",
            "tag manager",
            "gtmw2vn2cq",
            "utc dc9849921",
            "utc dc685973",
            "utc g12r1dx1lx7",
            "utc aw647962234",
            "utc aw2761768",
            "utc aw685973",
            "verizon business",
            "verizon for business",
            "verizon business account",
            "verizon business phone",
            "verizon wireless for business",
            "verizon business service",
            "verizon business plan",
            "business internet services",
            "learn",
            "gartner",
            "contact",
            "find",
            "discover",
            "support",
            "close log",
            "shop",
            "upgrade",
            "small",
            "voice",
            "chat",
            "mitre attack",
            "network info",
            "program",
            "html page",
            "t1055 process",
            "overview",
            "processes extra",
            "overview zenbox",
            "verdict",
            "guest system",
            "phishing",
            "next",
            "ver2",
            "msclkidn",
            "utc amazon",
            "analytics na",
            "utc bing",
            "vids1",
            "vids0",
            "gdlname"
          ],
          "references": [
            "https://vtbehaviour.commondatastorage.googleapis.com/edb4c21d60daa44b3429e7ba9bfa342759ebef23c136c934f74aef145453ce19_CAPE%20Sandbox.html?GoogleAccessId=758681729565-rc7fgq07icj8c9dm2gi34a4cckv235v1@developer.gserviceaccount.com&Expires=1775737365&Signature=S%2B7RcHYjab1hbKlKwFfvUbDirFPJS1A2TJQ3bVIObMcON4PD9pRDvhMtYMCnEBrYsICi0UJCFW5eUDolL5Jlbngsc587kF36vvuhlkPprbkSOY1jOyDTpe3Qsb6jRFz3xwOfZc9S5QervoLnRKb%2FyGSyZE6ZK6TxzBrOPczPtZ7sLf9NfD6E%2B2gMRXaRjEqVwVITLG7YqCiiNuohFOuNlK3uNHFpIk53viKvBSAIqLtSklH9bHW4q1DX",
            "https://www.verizon.com/business/",
            "https://vtbehaviour.commondatastorage.googleapis.com/edb4c21d60daa44b3429e7ba9bfa342759ebef23c136c934f74aef145453ce19_Zenbox.html?GoogleAccessId=758681729565-rc7fgq07icj8c9dm2gi34a4cckv235v1@developer.gserviceaccount.com&Expires=1775737710&Signature=fbsokraSd7lsYmUfaTEl8Phs2K3hp7AtVmQU9axeEBcYmYbrrYrrfpP5lPEQaE%2Fh3%2BEP9Rn8mD8D1haqQVXCN0VVlxJ4sddjWmyC5USsgBsvUb0%2F72h1WHDS2KXHlteZWE%2Bauckabain9D5kX501AnqFY38s77OIqO6SMOkQ%2BvXiDSSRK%2FZhbfradBnei3ZLHsXGxkoshTyvB0%2BC%2F8SiUzdVsqSjik0Bn2r%2BIlLpDQK90GlZTD0N"
          ],
          "public": 1,
          "adversary": "",
          "targeted_countries": [],
          "malware_families": [],
          "attack_ids": [
            {
              "id": "T1055",
              "name": "Process Injection",
              "display_name": "T1055 - Process Injection"
            },
            {
              "id": "T1071",
              "name": "Application Layer Protocol",
              "display_name": "T1071 - Application Layer Protocol"
            },
            {
              "id": "T1095",
              "name": "Non-Application Layer Protocol",
              "display_name": "T1095 - Non-Application Layer Protocol"
            }
          ],
          "industries": [],
          "TLP": "white",
          "cloned_from": null,
          "export_count": 0,
          "upvotes_count": 0,
          "downvotes_count": 0,
          "votes_count": 0,
          "locked": false,
          "pulse_source": "web",
          "validator_count": 0,
          "comment_count": 0,
          "follower_count": 0,
          "vote": 0,
          "author": {
            "username": "msudosos",
            "id": "381696",
            "avatar_url": "https://otx.alienvault.com/assets/images/default-avatar.png",
            "is_subscribed": false,
            "is_following": false
          },
          "indicator_type_counts": {
            "URL": 772,
            "hostname": 706,
            "domain": 875,
            "FileHash-SHA256": 2348,
            "FileHash-MD5": 2237,
            "FileHash-SHA1": 2260,
            "CVE": 1,
            "email": 9
          },
          "indicator_count": 9208,
          "is_author": false,
          "is_subscribing": null,
          "subscriber_count": 67,
          "modified_text": "22 days ago ",
          "is_modified": true,
          "groups": [],
          "in_group": false,
          "threat_hunter_scannable": true,
          "threat_hunter_has_agents": 1,
          "related_indicator_type": "domain",
          "related_indicator_is_active": 1
        },
        {
          "id": "69d4f2db0b3448671adcce16",
          "name": "VirusTotal report\n                    for sample.crx",
          "description": "A small sample of malware has been identified by researchers at the University of Oregon in the US, and the results are published on the web, as well as on Google's Chrome extension and other sites.",
          "modified": "2026-05-07T12:05:50.774000",
          "created": "2026-04-07T12:04:43.156000",
          "tags": [
            "file type",
            "json",
            "ascii text",
            "png image",
            "crlf line",
            "ascii",
            "rgba",
            "unicode text",
            "utf8 text",
            "defense evasion",
            "malicious"
          ],
          "references": [],
          "public": 1,
          "adversary": "",
          "targeted_countries": [],
          "malware_families": [],
          "attack_ids": [
            {
              "id": "T1055",
              "name": "Process Injection",
              "display_name": "T1055 - Process Injection"
            },
            {
              "id": "T1071",
              "name": "Application Layer Protocol",
              "display_name": "T1071 - Application Layer Protocol"
            },
            {
              "id": "T1082",
              "name": "System Information Discovery",
              "display_name": "T1082 - System Information Discovery"
            },
            {
              "id": "T1095",
              "name": "Non-Application Layer Protocol",
              "display_name": "T1095 - Non-Application Layer Protocol"
            },
            {
              "id": "T1574",
              "name": "Hijack Execution Flow",
              "display_name": "T1574 - Hijack Execution Flow"
            },
            {
              "id": "T1497",
              "name": "Virtualization/Sandbox Evasion",
              "display_name": "T1497 - Virtualization/Sandbox Evasion"
            },
            {
              "id": "T1518",
              "name": "Software Discovery",
              "display_name": "T1518 - Software Discovery"
            },
            {
              "id": "T1562",
              "name": "Impair Defenses",
              "display_name": "T1562 - Impair Defenses"
            }
          ],
          "industries": [],
          "TLP": "green",
          "cloned_from": null,
          "export_count": 0,
          "upvotes_count": 0,
          "downvotes_count": 0,
          "votes_count": 0,
          "locked": false,
          "pulse_source": "web",
          "validator_count": 0,
          "comment_count": 0,
          "follower_count": 0,
          "vote": 0,
          "author": {
            "username": "msudosos",
            "id": "381696",
            "avatar_url": "https://otx.alienvault.com/assets/images/default-avatar.png",
            "is_subscribed": false,
            "is_following": false
          },
          "indicator_type_counts": {
            "FileHash-SHA256": 668,
            "FileHash-MD5": 668,
            "FileHash-SHA1": 675,
            "URL": 153,
            "domain": 230,
            "hostname": 177,
            "email": 2
          },
          "indicator_count": 2573,
          "is_author": false,
          "is_subscribing": null,
          "subscriber_count": 68,
          "modified_text": "24 days ago ",
          "is_modified": true,
          "groups": [],
          "in_group": false,
          "threat_hunter_scannable": true,
          "threat_hunter_has_agents": 1,
          "related_indicator_type": "domain",
          "related_indicator_is_active": 1
        },
        {
          "id": "69d4f2dd828bbf0ac5efaa23",
          "name": "VirusTotal report\n                    for sample.crx",
          "description": "A small sample of malware has been identified by researchers at the University of Oregon in the US, and the results are published on the web, as well as on Google's Chrome extension and other sites.",
          "modified": "2026-05-07T12:05:50.774000",
          "created": "2026-04-07T12:04:44.957000",
          "tags": [
            "file type",
            "json",
            "ascii text",
            "png image",
            "crlf line",
            "ascii",
            "rgba",
            "unicode text",
            "utf8 text",
            "defense evasion",
            "malicious"
          ],
          "references": [],
          "public": 1,
          "adversary": "",
          "targeted_countries": [],
          "malware_families": [],
          "attack_ids": [
            {
              "id": "T1055",
              "name": "Process Injection",
              "display_name": "T1055 - Process Injection"
            },
            {
              "id": "T1071",
              "name": "Application Layer Protocol",
              "display_name": "T1071 - Application Layer Protocol"
            },
            {
              "id": "T1082",
              "name": "System Information Discovery",
              "display_name": "T1082 - System Information Discovery"
            },
            {
              "id": "T1095",
              "name": "Non-Application Layer Protocol",
              "display_name": "T1095 - Non-Application Layer Protocol"
            },
            {
              "id": "T1574",
              "name": "Hijack Execution Flow",
              "display_name": "T1574 - Hijack Execution Flow"
            },
            {
              "id": "T1497",
              "name": "Virtualization/Sandbox Evasion",
              "display_name": "T1497 - Virtualization/Sandbox Evasion"
            },
            {
              "id": "T1518",
              "name": "Software Discovery",
              "display_name": "T1518 - Software Discovery"
            },
            {
              "id": "T1562",
              "name": "Impair Defenses",
              "display_name": "T1562 - Impair Defenses"
            }
          ],
          "industries": [],
          "TLP": "green",
          "cloned_from": null,
          "export_count": 0,
          "upvotes_count": 0,
          "downvotes_count": 0,
          "votes_count": 0,
          "locked": false,
          "pulse_source": "web",
          "validator_count": 0,
          "comment_count": 1,
          "follower_count": 0,
          "vote": 0,
          "author": {
            "username": "msudosos",
            "id": "381696",
            "avatar_url": "https://otx.alienvault.com/assets/images/default-avatar.png",
            "is_subscribed": false,
            "is_following": false
          },
          "indicator_type_counts": {
            "FileHash-SHA256": 668,
            "FileHash-MD5": 668,
            "FileHash-SHA1": 675,
            "URL": 153,
            "domain": 230,
            "hostname": 177,
            "email": 2
          },
          "indicator_count": 2573,
          "is_author": false,
          "is_subscribing": null,
          "subscriber_count": 68,
          "modified_text": "24 days ago ",
          "is_modified": true,
          "groups": [],
          "in_group": false,
          "threat_hunter_scannable": true,
          "threat_hunter_has_agents": 1,
          "related_indicator_type": "domain",
          "related_indicator_is_active": 1
        },
        {
          "id": "69d4f2d9ce86a445b484593b",
          "name": "VirusTotal report\n                    for sample.crx",
          "description": "A small sample of malware has been identified by researchers at the University of Oregon in the US, and the results are published on the web, as well as on Google's Chrome extension and other sites.",
          "modified": "2026-05-07T12:05:50.774000",
          "created": "2026-04-07T12:04:41.097000",
          "tags": [
            "file type",
            "json",
            "ascii text",
            "png image",
            "crlf line",
            "ascii",
            "rgba",
            "unicode text",
            "utf8 text",
            "defense evasion",
            "malicious"
          ],
          "references": [],
          "public": 1,
          "adversary": "",
          "targeted_countries": [],
          "malware_families": [],
          "attack_ids": [
            {
              "id": "T1055",
              "name": "Process Injection",
              "display_name": "T1055 - Process Injection"
            },
            {
              "id": "T1071",
              "name": "Application Layer Protocol",
              "display_name": "T1071 - Application Layer Protocol"
            },
            {
              "id": "T1082",
              "name": "System Information Discovery",
              "display_name": "T1082 - System Information Discovery"
            },
            {
              "id": "T1095",
              "name": "Non-Application Layer Protocol",
              "display_name": "T1095 - Non-Application Layer Protocol"
            },
            {
              "id": "T1574",
              "name": "Hijack Execution Flow",
              "display_name": "T1574 - Hijack Execution Flow"
            },
            {
              "id": "T1497",
              "name": "Virtualization/Sandbox Evasion",
              "display_name": "T1497 - Virtualization/Sandbox Evasion"
            },
            {
              "id": "T1518",
              "name": "Software Discovery",
              "display_name": "T1518 - Software Discovery"
            },
            {
              "id": "T1562",
              "name": "Impair Defenses",
              "display_name": "T1562 - Impair Defenses"
            }
          ],
          "industries": [],
          "TLP": "green",
          "cloned_from": null,
          "export_count": 0,
          "upvotes_count": 0,
          "downvotes_count": 0,
          "votes_count": 0,
          "locked": false,
          "pulse_source": "web",
          "validator_count": 0,
          "comment_count": 0,
          "follower_count": 0,
          "vote": 0,
          "author": {
            "username": "msudosos",
            "id": "381696",
            "avatar_url": "https://otx.alienvault.com/assets/images/default-avatar.png",
            "is_subscribed": false,
            "is_following": false
          },
          "indicator_type_counts": {
            "FileHash-SHA256": 668,
            "FileHash-MD5": 668,
            "FileHash-SHA1": 675,
            "URL": 153,
            "domain": 230,
            "hostname": 177,
            "email": 2
          },
          "indicator_count": 2573,
          "is_author": false,
          "is_subscribing": null,
          "subscriber_count": 67,
          "modified_text": "24 days ago ",
          "is_modified": true,
          "groups": [],
          "in_group": false,
          "threat_hunter_scannable": true,
          "threat_hunter_has_agents": 1,
          "related_indicator_type": "domain",
          "related_indicator_is_active": 1
        },
        {
          "id": "68c3b85fb851cfd05f932eda",
          "name": "AdaptixC2: A New Open-Source Framework Leveraged in Real-World Attacks",
          "description": "",
          "modified": "2025-09-12T06:06:23.991000",
          "created": "2025-09-12T06:06:23.991000",
          "tags": [
            "data exfiltration",
            "c2 framework",
            "open-source",
            "adaptixc2",
            "tunneling",
            "ai-generated scripts",
            "foggyweb",
            "social engineering",
            "adversarial emulation",
            "post-exploitation"
          ],
          "references": [
            "https://unit42.paloaltonetworks.com/adaptixc2-post-exploitation-framework/"
          ],
          "public": 1,
          "adversary": "",
          "targeted_countries": [],
          "malware_families": [],
          "attack_ids": [
            {
              "id": "T1056.001",
              "name": "Keylogging",
              "display_name": "T1056.001 - Keylogging"
            },
            {
              "id": "T1082",
              "name": "System Information Discovery",
              "display_name": "T1082 - System Information Discovery"
            },
            {
              "id": "T1071",
              "name": "Application Layer Protocol",
              "display_name": "T1071 - Application Layer Protocol"
            },
            {
              "id": "T1055",
              "name": "Process Injection",
              "display_name": "T1055 - Process Injection"
            },
            {
              "id": "T1112",
              "name": "Modify Registry",
              "display_name": "T1112 - Modify Registry"
            },
            {
              "id": "T1090",
              "name": "Proxy",
              "display_name": "T1090 - Proxy"
            },
            {
              "id": "T1059",
              "name": "Command and Scripting Interpreter",
              "display_name": "T1059 - Command and Scripting Interpreter"
            },
            {
              "id": "T1083",
              "name": "File and Directory Discovery",
              "display_name": "T1083 - File and Directory Discovery"
            },
            {
              "id": "T1057",
              "name": "Process Discovery",
              "display_name": "T1057 - Process Discovery"
            },
            {
              "id": "T1041",
              "name": "Exfiltration Over C2 Channel",
              "display_name": "T1041 - Exfiltration Over C2 Channel"
            },
            {
              "id": "T1547.001",
              "name": "Registry Run Keys / Startup Folder",
              "display_name": "T1547.001 - Registry Run Keys / Startup Folder"
            },
            {
              "id": "T1027",
              "name": "Obfuscated Files or Information",
              "display_name": "T1027 - Obfuscated Files or Information"
            },
            {
              "id": "T1056",
              "name": "Input Capture",
              "display_name": "T1056 - Input Capture"
            },
            {
              "id": "T1095",
              "name": "Non-Application Layer Protocol",
              "display_name": "T1095 - Non-Application Layer Protocol"
            },
            {
              "id": "T1132",
              "name": "Data Encoding",
              "display_name": "T1132 - Data Encoding"
            },
            {
              "id": "T1134",
              "name": "Access Token Manipulation",
              "display_name": "T1134 - Access Token Manipulation"
            },
            {
              "id": "T1518",
              "name": "Software Discovery",
              "display_name": "T1518 - Software Discovery"
            },
            {
              "id": "T1105",
              "name": "Ingress Tool Transfer",
              "display_name": "T1105 - Ingress Tool Transfer"
            },
            {
              "id": "T1204.001",
              "name": "Malicious Link",
              "display_name": "T1204.001 - Malicious Link"
            },
            {
              "id": "T1569.002",
              "name": "Service Execution",
              "display_name": "T1569.002 - Service Execution"
            }
          ],
          "industries": [
            "Finance"
          ],
          "TLP": "white",
          "cloned_from": "68c1a962edea5cd8c728d65c",
          "export_count": 2,
          "upvotes_count": 0,
          "downvotes_count": 0,
          "votes_count": 0,
          "locked": false,
          "pulse_source": "web",
          "validator_count": 0,
          "comment_count": 0,
          "follower_count": 0,
          "vote": 0,
          "author": {
            "username": "Tr1sa111",
            "id": "192483",
            "avatar_url": "https://otx.alienvault.com/assets/images/default-avatar.png",
            "is_subscribed": false,
            "is_following": false
          },
          "indicator_type_counts": {
            "FileHash-SHA1": 1,
            "FileHash-SHA256": 7,
            "YARA": 3,
            "domain": 19,
            "hostname": 1
          },
          "indicator_count": 31,
          "is_author": false,
          "is_subscribing": null,
          "subscriber_count": 277,
          "modified_text": "261 days ago ",
          "is_modified": false,
          "groups": [],
          "in_group": false,
          "threat_hunter_scannable": true,
          "threat_hunter_has_agents": 1,
          "related_indicator_type": "domain",
          "related_indicator_is_active": 1
        },
        {
          "id": "67f5555b6ce863d998e83e26",
          "name": "macOS Threat Infrastructure Leveraging Remote Agents via remotewd.com and rtmsprod.net",
          "description": "This pulse identifies an actively observed macOS-focused remote access infrastructure abusing trusted native Apple agents (ARDAgent.app, SSMenuAgent.app) and communicating with a distributed network of C2-like endpoints under domains such as remotewd.com, idsremoteurlconnectionagent.app, and rtmsprod.net.\n\nThe infrastructure is composed of dynamically generated subdomains \u2014 many in the form of device-<UUID>.remotewd.com \u2014 indicative of automated deployment, system tracking, or per-host remote access configurations.\n\nAdditional indicators include HTTP/S URLs pointing directly to embedded binary paths within macOS agents, suggesting possible delivery vectors, staging, or persistence techniques.\n\nThis campaign shows signs of structured, programmatic targeting and is highly likely to be pre-operational infrastructure for wide-scale surveillance or access operations. All listed indicators should be considered high-risk. If observed in your environment, initiate a full forensic and IR process immediately.",
          "modified": "2025-05-11T19:03:59.885000",
          "created": "2025-04-08T16:56:59.641000",
          "tags": [
            "generated from",
            "do not",
            "edit uri",
            "urls",
            "edit",
            "rewriteengine",
            "rewritecond",
            "rewriterule",
            "r301",
            "xml2encalias",
            "beralloct",
            "berbvarrayadd",
            "berbvarrayfree",
            "berbvdup",
            "berbvecadd",
            "berbvecfree",
            "berbvfree",
            "berdump",
            "berdup",
            "berdupbv",
            "laerrordomain",
            "laerrornoncekey",
            "lamechanismtree",
            "lacontext",
            "ladomainstate",
            "laenvironment",
            "lanotification",
            "laprivatekey",
            "lapublickey",
            "laright",
            "apple swift",
            "o librarylevel",
            "combine import",
            "foundation",
            "swift import",
            "mcpeerid",
            "mcsession",
            "property",
            "copyright",
            "protocol",
            "class",
            "bonjour",
            "ascii lowercase",
            "abc company",
            "section",
            "bonjour txt",
            "note",
            "ui element",
            "utf8 encoding",
            "nscopying",
            "nsdictionary",
            "nsstring",
            "mcextern",
            "attribute",
            "mcextern extern",
            "mcexternweak",
            "nsenum",
            "nsinteger",
            "mcerrorcode",
            "mcerrorunknown",
            "mcerrortimedout",
            "peer",
            "example",
            "bonjour apis",
            "stop",
            "tags",
            "session",
            "nsprogress",
            "nserror",
            "nsurl",
            "nsarray",
            "create",
            "nsuinteger",
            "notifies",
            "mcsession api",
            "interface",
            "dbictrace",
            "dbivporth",
            "dbictracelevel",
            "dbdtffoo",
            "dbihseterrchar",
            "dbicstate",
            "dbictraceflags",
            "provides macros",
            "dbi release",
            "only",
            "sqlsuccess",
            "odbc",
            "sqlok",
            "tim bunce",
            "england",
            "sql cli",
            "sql datatype",
            "sqlguid",
            "sqlwlongvarchar",
            "main",
            "beware",
            "sv sth",
            "sv dbh",
            "impsth",
            "impdbh",
            "sv keysv",
            "sv params",
            "sv attr",
            "sv attribs",
            "sv drh",
            "void",
            "fri jul",
            "mixed",
            "dbixsrevision",
            "plsvundef",
            "license",
            "spagain",
            "perlioprintf",
            "dbiclogpio",
            "putback",
            "ireland",
            "gnu general",
            "super",
            "magic",
            "dbicflags",
            "dbis",
            "svrv",
            "null",
            "imp2com",
            "dbicactivekids",
            "dbicfiadestroy",
            "sv h",
            "dbicdbistate",
            "code",
            "copy",
            "refer",
            "trace",
            "error",
            "unknown",
            "hookopcheckh",
            "startexternc",
            "hookopcheckcb",
            "userdata",
            "endexternc",
            "isinternalbuild",
            "kickmcxdforuid",
            "loadappkit",
            "ardconfig",
            "authenticator",
            "dsauthenticator",
            "dsnode",
            "dsrecord",
            "group",
            "hostconfig",
            "apfsvolumelock",
            "apfsvolumerole",
            "aoskgetosinfo",
            "aoskgetuserinfo",
            "aosaddappleid",
            "aosdisablepcs",
            "aosenablepcs",
            "aoslog",
            "aoslogforce",
            "aosrelaycookie",
            "didfailcallback",
            "kaosaccountkey",
            "kapcsbundle",
            "kapcspath",
            "kjsonextension",
            "apcsbucketid",
            "apcsreports",
            "apconfiguration",
            "apversiondata",
            "apversionhelper",
            "systemvolumesvm",
            "name size",
            "identifier",
            "gb disk0s3",
            "devdisk3",
            "apfs container",
            "scheme",
            "physical store",
            "macintosh hd",
            "apfs snapshot",
            "preboot",
            "refs address",
            "size wired",
            "name",
            "version",
            "uuid",
            "linked against",
            "renderer",
            "helper",
            "chrome helper",
            "contains",
            "cloud ui",
            "macintosh",
            "khtml",
            "gecko",
            "ui helper",
            "plugin",
            "service",
            "good",
            "battery power",
            "apfs encryption",
            "jumpcloud go",
            "chrome web",
            "store",
            "privacy badger",
            "flowcrypt",
            "encrypt gmail",
            "simple",
            "google",
            "b2b phone",
            "number",
            "apollo",
            "future",
            "exccrash",
            "sigkill",
            "code signature",
            "invalid",
            "sigabrt",
            "protonvpn",
            "excguard",
            "excbreakpoint",
            "sigtrap",
            "excbadaccess",
            "appl",
            "english",
            "adobe crash",
            "adobe",
            "acrobat dcadobe",
            "processor",
            "uninstaller",
            "assistant",
            "install",
            "cloud",
            "dock",
            "calendar",
            "music",
            "terminal",
            "tips",
            "installer",
            "updater",
            "proton",
            "tools",
            "stub",
            "python",
            "clock",
            "powershell",
            "team",
            "rave scout",
            "cookies",
            "public folder",
            "key cert",
            "sign",
            "crl sign",
            "root ca",
            "authority",
            "public primary",
            "global root",
            "verisign",
            "academic",
            "premium",
            "adaptive",
            "interactive",
            "background",
            "standard",
            "launchd sandbox",
            "s mdworker",
            "agent",
            "command line",
            "progress",
            "yubico",
            "macos13action",
            "disableoverride",
            "disableairdrop",
            "denyactivation",
            "enable",
            "loginwindowtext",
            "jumpcloud",
            "autoupdate",
            "loggingoption",
            "enablefirewall",
            "arm64e",
            "apple m2",
            "mac142",
            "kjqqtw7pqt",
            "daemon",
            "server",
            "open directory",
            "user",
            "account",
            "kerberos admin",
            "kerberos change",
            "device daemon",
            "network",
            "desktop",
            "screensaver",
            "bridge",
            "aesxtsarm",
            "aesecbarm",
            "sha512vngarmhw",
            "sha384vngarmhw",
            "sha256vngarm",
            "sha1vngarm",
            "darwin kernel",
            "wed mar",
            "wkarraycreate",
            "wkbooleancreate",
            "wkcontextcreate",
            "wkdatacreate",
            "wkdatagettypeid",
            "wkdoublecreate",
            "wkframecopyurl",
            "wkgettypeid",
            "wkimagecreate",
            "wkpagecandelete",
            "webview",
            "notice",
            "this software",
            "including",
            "but not",
            "limited to",
            "redistribution",
            "is provided",
            "by apple",
            "direct",
            "damage",
            "apiavailable",
            "webkit",
            "nsswiftname",
            "document",
            "a block",
            "as is",
            "hasinclude",
            "wkdownload",
            "abstract",
            "wkerrorcode",
            "wkerrorunknown",
            "discussion",
            "bool",
            "whether",
            "wkcontentworld",
            "wkwebview",
            "javascript",
            "nsunavailable",
            "vaargs",
            "nsswiftasync",
            "wkswiftasync",
            "wkcookiepolicy",
            "wkswiftuiactor",
            "nshttpcookie",
            "targetosiphone",
            "wknavigation",
            "decides",
            "boolean value",
            "apideprecated",
            "methodkind",
            "wkerrordomain",
            "wkscriptmessage",
            "promise",
            "fulfill",
            "const",
            "url scheme",
            "mark",
            "wkuserscript",
            "targetosvision",
            "param",
            "wkframeinfo",
            "targetosios",
            "pass",
            "window",
            "mime type",
            "link",
            "nsimage",
            "returns",
            "nsset",
            "checks",
            "matches",
            "a boolean",
            "defaults",
            "wkwebextension",
            "cgsize",
            "uiimage",
            "apis",
            "nsdate",
            "wkcontentmode",
            "wkextern",
            "possible",
            "cgfloat",
            "media",
            "cgrect",
            "apiunavailable",
            "framework",
            "nsswiftuiactor",
            "targetoswatch",
            "confirms",
            "apple upgrade",
            "nsstring user",
            "nsobject",
            "provider",
            "apple",
            "password",
            "uicontrol",
            "nscontrol",
            "asuseragerange",
            "check",
            "opaque user",
            "apple id",
            "initiate",
            "asauthorization",
            "operation",
            "state",
            "nserrorenum",
            "nsdata",
            "relying party",
            "asapiavailable",
            "perform",
            "realm",
            "http response",
            "authorization",
            "http",
            "oauth",
            "saml",
            "a byte",
            "nsdata userid",
            "relying",
            "a string",
            "nsdata readdata",
            "bool didwrite",
            "a cose",
            "nsdata first",
            "nsdata second",
            "nsstring name",
            "bool appid",
            "targetosxr",
            "nsstring appid",
            "bluetooth",
            "mdm profile",
            "nsurl url",
            "returns yes",
            "a state",
            "a json",
            "web token",
            "private seckeys",
            "enables",
            "keychain",
            "asswiftsendable",
            "cose algorithm",
            "ecdsa",
            "sha256",
            "cose curve",
            "p256",
            "nullable",
            "bool success",
            "remove",
            "call",
            "complete",
            "initializes",
            "time code",
            "extensions",
            "asextern extern",
            "asextern",
            "nsswiftsendable",
            "prepare",
            "list",
            "nsextension",
            "attempt",
            "nsstring label",
            "creates",
            "nsstring code",
            "a key",
            "webauthn",
            "nssecurecoding",
            "input",
            "output",
            "initialize",
            "nsinteger rank",
            "json",
            "inputs",
            "hash",
            "nsstring origin",
            "settings app",
            "extension",
            "https urls",
            "safari",
            "cancel",
            "nsuuid uuid",
            "r uftpexu",
            "nsmutabledata",
            "vnsdate",
            "mprcjy",
            "postfix",
            "domain",
            "canonical",
            "tables",
            "ldap",
            "post",
            "replace user",
            "address",
            "wietse venema",
            "bugs",
            "mail",
            "aliases",
            "postfix version",
            "restrict",
            "sample",
            "person",
            "basic system",
            "general",
            "reject empty",
            "postfix smtp",
            "ipv6 host",
            "reject",
            "reply",
            "access",
            "prior",
            "hold",
            "info",
            "mail delivery",
            "charset",
            "system",
            "report",
            "postfix dsn",
            "mail returned",
            "this",
            "generic",
            "smtp",
            "isp mail",
            "mime",
            "headerchecks",
            "readme files",
            "filters while",
            "posix",
            "empty",
            "body",
            "write",
            "date",
            "smtp server",
            "specify",
            "mx host",
            "unix password",
            "user unknown",
            "pathbin",
            "postfix queue",
            "unix",
            "cyrus",
            "path",
            "uucp",
            "shell",
            "local",
            "program",
            "agreement",
            "contributor",
            "recipient",
            "contribution",
            "the program",
            "corporation",
            "contributors",
            "product x",
            "as expressly",
            "arch",
            "arch x8664",
            "pipe wall",
            "wimplicit",
            "ranlib",
            "warn",
            "switch",
            "start",
            "systype",
            "outlook",
            "postfix master",
            "begin",
            "server admin",
            "mail backend",
            "modern smtp",
            "iana",
            "many",
            "postfix pipe",
            "recent cyrus",
            "amos gouaux",
            "old example",
            "or even",
            "lutz jaenicke",
            "technology",
            "cottbus",
            "germany",
            "openssl package",
            "openssl project",
            "europe",
            "remember that",
            "use of",
            "file",
            "update",
            "usrsbin",
            "file format",
            "no group",
            "daemondirectory",
            "deliver mail",
            "transport",
            "description",
            "result format",
            "virtual",
            "virtual alias",
            "redirect mail",
            "relocated",
            "matches user",
            "synopsis",
            "lastname",
            "firstname",
            "apple computer",
            "tcpip",
            "supported",
            "quantum",
            "facility",
            "level",
            "level info",
            "broadcast",
            "ignore",
            "rules",
            "sender",
            "automounter map",
            "use directory",
            "get home",
            "home autohome",
            "true",
            "t option",
            "mount",
            "force",
            "environment",
            "automountdenv",
            "promptcommand",
            "shellsessiondir",
            "histfile",
            "histfilesize",
            "myvar",
            "histtimeformat",
            "arrange",
            "bashrematch",
            "tell",
            "ps1h",
            "make bash",
            "s checkwinsize",
            "etcbashrc",
            "termprogram",
            "inpck",
            "nnnbaud",
            "berkeley",
            "parity",
            "pc entry",
            "pass8",
            "parenb istrip",
            "fixed speed",
            "entry",
            "clocal mode",
            "maxhistsize",
            "promptmode",
            "verbose end",
            "etcirbrcloaded",
            "default",
            "setup",
            "history file",
            "kernel",
            "readline",
            "jabber",
            "group database",
            "dovecot",
            "postfix scsd",
            "networkd",
            "searchpaths",
            "freebsd",
            "tmpdir",
            "fcodes",
            "prunepaths",
            "vartmp",
            "prunedirs",
            "filesystems",
            "nroff",
            "manpath",
            "uncomment",
            "manpager",
            "whatispager",
            "manlocale",
            "every",
            "manpath optman",
            "maybe",
            "troff",
            "status mailfrom",
            "returnpath via",
            "pidfile",
            "flags",
            "bcgjnuwz",
            "bin usrsbin",
            "sbin",
            "default pf",
            "care",
            "audio",
            "user database",
            "unix copy",
            "gate daemon",
            "bashno",
            "r etcbashrc",
            "rfc1323",
            "m1460",
            "macos x",
            "signature",
            "linux",
            "opera",
            "xp sp1",
            "windows sp1",
            "nmap syn",
            "m265",
            "synack",
            "mind",
            "macos",
            "warp",
            "ipv6",
            "internet",
            "icmp",
            "cisco",
            "monitoring",
            "argus",
            "chaos",
            "rsvp",
            "encapsulation",
            "aris",
            "isis",
            "netbootmount",
            "netbootshadow",
            "computername",
            "localonly",
            "localnetbootdir",
            "netboot",
            "define",
            "purpose",
            "networkonly",
            "waiting",
            "networkup",
            "term",
            "devnull",
            "common setup",
            "configure",
            "set command",
            "dns hostname",
            "dns query",
            "see also",
            "kame",
            "sunnet manager",
            "rpcsrc",
            "netlicense",
            "ftpd",
            "bindash binksh",
            "binsh bintcsh",
            "jumpcloud ldap",
            "smb2",
            "security",
            "workgroup",
            "standalone",
            "samba server",
            "enforce",
            "smb3",
            "example share",
            "improper use",
            "ctrlc",
            "none",
            "fax reception",
            "hardwired",
            "0007",
            "must",
            "visudo",
            "blocksize",
            "charset lang",
            "language lcall",
            "lines columns",
            "lscolors",
            "sshauthsock",
            "orion",
            "setup user",
            "home",
            "zdotdir",
            "delete",
            "beep",
            "vendor",
            "kf10",
            "kf11",
            "kf12",
            "kf13",
            "backspace",
            "insert",
            "resume",
            "termsessionid",
            "savehist",
            "sharehistory",
            "h do",
            "volume",
            "de l",
            "l uuid",
            "m tra",
            "n est",
            "suuid",
            "prfen",
            "fusion",
            "syst",
            "look",
            "executant",
            "alla",
            "over",
            "test",
            "overie",
            "zapis",
            "rapid",
            "disco usa",
            "de macos",
            "nie s",
            "i denne",
            "adgjmpsvx",
            "diskgthis disk",
            "01k8x j",
            "34disk",
            "levy kytt",
            "dict",
            "array",
            "plist",
            "apple root",
            "code signing",
            "inode64r",
            "xofkoxzh",
            "integer",
            "doctype",
            "brain",
            "abcd",
            "ogwo",
            "boaw",
            "cobwa",
            "uhawavauatsh",
            "ip bitmap",
            "foewdc",
            "could",
            "ip block",
            "funcs",
            "cogwo",
            "trash",
            "double",
            "hunt",
            "affa",
            "carr",
            "crypto",
            "docwbac",
            "q1b0",
            "q1 0",
            "h h5",
            "docwbag",
            "slice",
            "format",
            "zero",
            "alfa",
            "hera",
            "lelei",
            "hehe",
            "hisp",
            "fail",
            "katy",
            "zakk",
            "eodwcbgao",
            "hhk8di",
            "alma",
            "topo",
            "open",
            "huhk",
            "piper",
            "hehx",
            "eh ui",
            "h20hph",
            "hif h",
            "hmhhihqhyla hq",
            "r11b0",
            "target",
            "uus10u",
            "hifh",
            "loghookfailed",
            "loghook",
            "hell",
            "q1b 0",
            "f duh",
            "aqw1",
            "1160"
          ],
          "references": [
            "index.html.en",
            "bind.html",
            "caching.html",
            "BUILDING",
            "configuring.html",
            "content-negotiation.html",
            "custom-error.html",
            "convenience.map",
            "LDAP.tbd",
            "lber.h",
            "ldap.h",
            "LocalAuthentication.tbd",
            "arm64e-apple-macos.swiftinterface",
            "x86_64-apple-ios-macabi.swiftinterface",
            "arm64e-apple-ios-macabi.swiftinterface",
            "x86_64-apple-macos.swiftinterface",
            "MultipeerConnectivity.tbd",
            "module.modulemap",
            "MCNearbyServiceAdvertiser.h",
            "MCPeerID.h",
            "MCError.h",
            "MCNearbyServiceBrowser.h",
            "MCAdvertiserAssistant.h",
            "MultipeerConnectivity.apinotes",
            "MultipeerConnectivity.h",
            "MCSession.h",
            "MCBrowserViewController.h",
            "dbivport.h",
            "dbi_sql.h",
            "dbd_xsh.h",
            "dbixs_rev.h",
            "Driver_xst.h",
            "DBIXS.h",
            "hook_op_check.h",
            "Admin.tbd",
            "AirPlayReceiver.tbd",
            "apfs_boot_mount.tbd",
            "AOSKit.tbd",
            "APConfigurationSystem.tbd",
            "AppleFirmwareUpdate.tbd",
            "launchdaemons.txt",
            "preboot_archive_errors.log",
            "mounts.txt",
            "launchagents.txt",
            "disk_structure.txt",
            "user_launchagents.txt",
            "security_status.txt",
            "kexts.txt",
            "process_list.txt",
            "battery.csv",
            "diskEncryption.csv",
            "chromeExtensions.csv",
            "crashes.csv",
            "interfaceAddrs.csv",
            "kernel.csv",
            "interfaceDetails.csv",
            "etcHosts.csv",
            "applications.csv",
            "mounts.csv",
            "sharedFolders.csv",
            "certificates.csv",
            "sharingPreferences.csv",
            "launchD.csv",
            "usbDevices.csv",
            "managedPolicies.csv",
            "systemInfo.csv",
            "users.csv",
            "sipConfig.csv",
            "systemControls.csv",
            "canonical",
            "aliases",
            "custom_header_checks",
            "access",
            "bounce.cf.default",
            "generic",
            "header_checks",
            "main.cf.default",
            "LICENSE",
            "makedefs.out",
            "main.cf",
            "master.cf.default",
            "main.cf.proto",
            "master.cf.proto",
            "master.cf",
            "TLS_LICENSE",
            "postfix-files",
            "transport",
            "virtual",
            "relocated",
            "afpovertcp.cfg",
            "asl.conf",
            "auto_home",
            "auto_master",
            "autofs.conf",
            "bashrc_Apple_Terminal",
            "com.apple.screensharing.agent.launchd",
            "bashrc",
            "command_args.json",
            "csh.cshrc",
            "csh.login",
            "find.codes",
            "csh.logout",
            "ftpusers",
            "gettytab",
            "irbrc",
            "kern_loader.conf",
            "group",
            "locate.rc",
            "man.conf",
            "mail.rc",
            "manpaths",
            "networks",
            "nfs.conf",
            "newsyslog.conf",
            "ntp_opendirectory.conf",
            "ntp.conf",
            "notify.conf",
            "paths",
            "pf.conf",
            "passwd",
            "profile",
            "pf.os",
            "protocols",
            "rc.netboot",
            "rc.common",
            "rmtab",
            "resolv.conf",
            "rtadvd.conf",
            "rpc",
            "shells",
            "smb.conf",
            "sudo_lecture",
            "ttys",
            "syslog.conf",
            "xtab",
            "sudoers",
            "zprofile",
            "zshrc",
            "zshrc_Apple_Terminal",
            "CodeResources",
            "version.plist",
            "Info.plist"
          ],
          "public": 1,
          "adversary": "DragonForce Malaysia Hacker Group",
          "targeted_countries": [],
          "malware_families": [
            {
              "id": "Lastname",
              "display_name": "Lastname",
              "target": null
            },
            {
              "id": "Firstname",
              "display_name": "Firstname",
              "target": null
            }
          ],
          "attack_ids": [
            {
              "id": "T1040",
              "name": "Network Sniffing",
              "display_name": "T1040 - Network Sniffing"
            },
            {
              "id": "T1027",
              "name": "Obfuscated Files or Information",
              "display_name": "T1027 - Obfuscated Files or Information"
            },
            {
              "id": "T1056",
              "name": "Input Capture",
              "display_name": "T1056 - Input Capture"
            },
            {
              "id": "T1090",
              "name": "Proxy",
              "display_name": "T1090 - Proxy"
            },
            {
              "id": "T1547",
              "name": "Boot or Logon Autostart Execution",
              "display_name": "T1547 - Boot or Logon Autostart Execution"
            },
            {
              "id": "T1106",
              "name": "Native API",
              "display_name": "T1106 - Native API"
            },
            {
              "id": "T1176",
              "name": "Browser Extensions",
              "display_name": "T1176 - Browser Extensions"
            },
            {
              "id": "T1574",
              "name": "Hijack Execution Flow",
              "display_name": "T1574 - Hijack Execution Flow"
            },
            {
              "id": "T1140",
              "name": "Deobfuscate/Decode Files or Information",
              "display_name": "T1140 - Deobfuscate/Decode Files or Information"
            },
            {
              "id": "T1071",
              "name": "Application Layer Protocol",
              "display_name": "T1071 - Application Layer Protocol"
            },
            {
              "id": "T1566",
              "name": "Phishing",
              "display_name": "T1566 - Phishing"
            },
            {
              "id": "T1059",
              "name": "Command and Scripting Interpreter",
              "display_name": "T1059 - Command and Scripting Interpreter"
            }
          ],
          "industries": [],
          "TLP": "white",
          "cloned_from": null,
          "export_count": 66,
          "upvotes_count": 0,
          "downvotes_count": 0,
          "votes_count": 0,
          "locked": false,
          "pulse_source": "web",
          "validator_count": 0,
          "comment_count": 0,
          "follower_count": 0,
          "vote": 0,
          "author": {
            "username": "ilyailya",
            "id": "298851",
            "avatar_url": "https://otx.alienvault.com/assets/images/default-avatar.png",
            "is_subscribed": false,
            "is_following": false
          },
          "indicator_type_counts": {
            "hostname": 4449,
            "domain": 3847,
            "URL": 14263,
            "FileHash-SHA256": 2356,
            "FileHash-MD5": 223,
            "FileHash-SHA1": 523,
            "email": 223,
            "CVE": 40,
            "CIDR": 12,
            "SSLCertFingerprint": 302
          },
          "indicator_count": 26238,
          "is_author": false,
          "is_subscribing": null,
          "subscriber_count": 37,
          "modified_text": "384 days ago ",
          "is_modified": true,
          "groups": [],
          "in_group": false,
          "threat_hunter_scannable": true,
          "threat_hunter_has_agents": 1,
          "related_indicator_type": "domain",
          "related_indicator_is_active": 1
        },
        {
          "id": "6660c1268a1f430e17236b55",
          "name": "Python: OVSAgentServer Document (autofilled name)",
          "description": "Here is the full text of the Vuze-dht-info script, which was written by \"Patrik Karlsson\" and is followed by the following:-1-2-3. (Autofilled). This was pulled from a Windows 11 hidden folder on a UAlberta sample device.",
          "modified": "2024-07-24T20:04:38.074000",
          "created": "2024-06-05T19:48:54.286000",
          "tags": [
            "vuze",
            "dht service",
            "force",
            "port",
            "port state",
            "service version",
            "transaction id",
            "connection id",
            "vendor id",
            "azureus",
            "methods",
            "function",
            "method",
            "performs",
            "uri path",
            "same",
            "nmap",
            "see https",
            "buffer",
            "http post",
            "xdmcp",
            "session id",
            "mitmagiccookie1",
            "authorization",
            "displayid",
            "x display",
            "su p",
            "service",
            "patrik karlsson",
            "x server",
            "code",
            "xopendisplay",
            "checks",
            "tcp port",
            "xhost",
            "list",
            "host",
            "null",
            "retrieves",
            "wsdiscovery",
            "framework",
            "message id",
            "device wprt",
            "patrik",
            "author",
            "example",
            "john foo",
            "athens",
            "attiki",
            "domain name",
            "attempts",
            "service reason",
            "support",
            "active",
            "error",
            "false",
            "t3 protocol",
            "extrainfo",
            "weblogicversion",
            "t3 rmi",
            "daniel miller",
            "weblogic",
            "note",
            "cvss score",
            "isc bind",
            "todo",
            "cvss",
            "cpes",
            "sv output",
            "limit cves",
            "dot com",
            "mark",
            "elem",
            "stripnull",
            "wind debug",
            "wind river",
            "systems vxworks",
            "debug service",
            "boot line",
            "wdbprocedure",
            "agent",
            "vulnerable",
            "metasploit",
            "target",
            "seqnum",
            "vtam",
            "logon",
            "tn3270",
            "applid",
            "ibmtest",
            "cics",
            "dominic white",
            "tn3270 screen",
            "folder",
            "soldier",
            "path",
            "screen",
            "server",
            "cluster",
            "name",
            "http port",
            "admin port",
            "voldemort",
            "persistence",
            "driver",
            "apple remote",
            "desktop",
            "sasl",
            "aten",
            "vnc auth",
            "tries",
            "vnc server",
            "libvncserver",
            "bypass",
            "tight auth",
            "security",
            "mac os",
            "x security",
            "daemon",
            "220 vmware",
            "pass",
            "connectionpool",
            "xmpp",
            "login",
            "plain",
            "jabber",
            "soap api",
            "server version",
            "build",
            "os type",
            "product line",
            "header",
            "queries",
            "vmware server",
            "esxi",
            "vasto",
            "this",
            "body",
            "problem",
            "xmlns",
            "dns name",
            "tigase",
            "registration",
            "tonumber",
            "mlink",
            "connects",
            "citadel",
            "inside",
            "administrator",
            "root path",
            "database path",
            "sat mar",
            "version",
            "extracts",
            "versant object",
            "databases",
            "urls",
            "sniffed",
            "require",
            "sniffs",
            "http traffic",
            "ip address",
            "script output",
            "interface",
            "controls",
            "upnp service",
            "thomas buchanan",
            "table",
            "thisdb",
            "iana",
            "string",
            "arin",
            "boolean true",
            "comp",
            "meta",
            "trim",
            "actions",
            "openssh",
            "postfix smtpd",
            "msrpc",
            "runs",
            "comm",
            "prot",
            "group",
            "head",
            "admin",
            "phan",
            "ventrilo udp",
            "totpck",
            "totlen",
            "win32",
            "ping",
            "raid",
            "formats",
            "idera uptime",
            "intel",
            "gets",
            "domain",
            "arch",
            "linux",
            "smp fri",
            "x8664 x8664",
            "gnulinux",
            "info",
            "tso user",
            "user id",
            "userid",
            "tso logon",
            "valid user",
            "data",
            "nse object",
            "fakeuser",
            "razor",
            "blade",
            "plague",
            "tlvvalue",
            "ubiquiti",
            "probev1",
            "bb i2",
            "probev2",
            "tom sellers",
            "hidden",
            "zzzzz",
            "ooooo ssss",
            "enter",
            "fortran",
            "user",
            "skipped",
            "zero",
            "cool",
            "final",
            "scriptname",
            "ticketbleed",
            "tls session",
            "high",
            "tls stack",
            "hello",
            "done",
            "tls npn",
            "connection",
            "tls server",
            "npn extension",
            "spdy4a4",
            "spdy3",
            "hani benhabiles",
            "alpnname",
            "tls alpn",
            "client hello",
            "alpndone end",
            "alpn protocol",
            "filenotfound",
            "requesterror",
            "filefound",
            "enumerates",
            "tftp",
            "cisco",
            "script",
            "unknown",
            "kml file",
            "google earth",
            "geolocation",
            "italy",
            "getvalue",
            "rtt address",
            "sweden",
            "activetelnet",
            "hosttest2",
            "negotiate",
            "ntlm",
            "ntlmssp message",
            "netbios",
            "dnsdomainname",
            "dnscomputername",
            "dnstreename",
            "teamspeak",
            "udp packet",
            "cowclans",
            "service info",
            "traceroute scan",
            "hops",
            "inserts",
            "nmap scanning",
            "henri doreau",
            "nmap xml",
            "attribute",
            "loads",
            "address type",
            "ipv4",
            "ipv6",
            "filename",
            "telnet server",
            "freebsd",
            "option",
            "determines",
            "exploit",
            "linux advisory",
            "telnet",
            "default",
            "nick nikolaou",
            "make",
            "status",
            "driver object",
            "verdict",
            "target object",
            "telnet host",
            "telnet port",
            "password",
            "usersegs",
            "prefijo",
            "tablapalabras",
            "direccion",
            "prefixaux",
            "userright",
            "ipv6bin",
            "filler",
            "first",
            "iface",
            "ipv6 address",
            "targetstr",
            "slaac",
            "ipv6 host",
            "icmpv6 router",
            "advertisement",
            "nd host",
            "ipv6 stateless",
            "david fifield",
            "cidr notation",
            "bond",
            "simplified",
            "bsd license",
            "srcmac",
            "sends",
            "icmpv6 packet",
            "weilin",
            "icmpv6 echo",
            "svn server",
            "username",
            "crammd5",
            "helper",
            "result",
            "ipaux",
            "ipv6user",
            "ipv6network",
            "grantotal",
            "ipv6 subnet",
            "ipv4sub",
            "sslv2",
            "matthew boyle",
            "stuxnet",
            "infected",
            "stuxnetpaths",
            "stuxnetuuid",
            "stuxnetversion",
            "rpcgetversion",
            "smb session",
            "stuxnet service",
            "stdnse",
            "check",
            "secure socket",
            "https layer",
            "sstp traffic",
            "current sstp",
            "seil",
            "snippet",
            "ipmi",
            "exploitable",
            "output file",
            "calderon",
            "openssl",
            "heartbleed bug",
            "eof receiving",
            "match",
            "fingerprintfile",
            "ssl certificate",
            "littleblackbox",
            "apt1",
            "specify",
            "drown",
            "cve20160800",
            "sslv2 protocol",
            "tls ciphertext",
            "cve20153197",
            "cve20160703",
            "rsa data",
            "rfc1918",
            "ssl service",
            "issuer",
            "x509v3",
            "reports",
            "x509v3 subject",
            "steve benson",
            "sslv3",
            "ccs injection",
            "timeout",
            "ccs packet",
            "ssltls mitm",
            "protocol",
            "sweet32 attack",
            "ciphersuite",
            "chunksize",
            "gethellotable",
            "broken cipher",
            "find",
            "compressor",
            "format",
            "certificate",
            "pem return",
            "public key",
            "pcall",
            "delaware",
            "san jose",
            "california",
            "paypal",
            "accepted public",
            "keys",
            "checking key",
            "found",
            "connect",
            "actionend end",
            "specifies",
            "devin bjelland",
            "sshv1",
            "ssh server",
            "ssh protocol",
            "brandon enright",
            "modp group",
            "dsa group",
            "length",
            "diffiehellman",
            "ffffffff",
            "fromhex",
            "c4c6628b",
            "f25f1437",
            "e485b576",
            "generator",
            "tls port",
            "tls host",
            "tls serverhello",
            "unix timestamp",
            "jacob appelbaum",
            "returns",
            "poodle",
            "tlsfallbackscsv",
            "cve20143566",
            "ssl poodle",
            "ssl protocol",
            "authentication",
            "authenticated",
            "output",
            "privatekeyfile",
            "passphrase",
            "command",
            "ssh2 server",
            "kris katterjohn",
            "key comparison",
            "shows ssh",
            "md5 fingerprint",
            "ascii art",
            "matches",
            "sven klemm",
            "piotr olma",
            "socks proxy",
            "socks version",
            "guest",
            "iusredusrv011",
            "iwamedusrv011",
            "support388945a0",
            "tomcat",
            "socks",
            "snmp v1",
            "jetdirect",
            "jd117",
            "cidate",
            "system uptime",
            "security update",
            "windows media",
            "player",
            "windows server",
            "apache tomcat",
            "domain names",
            "mitigation apis",
            "kb911564",
            "kb924667v2",
            "kb925398",
            "explorer",
            "db2copy1",
            "lookup service",
            "application",
            "cryptographic",
            "db2das",
            "db2das00",
            "apache",
            "dcom",
            "launcher",
            "webapps",
            "value",
            "windows shares",
            "system idle",
            "process",
            "users",
            "system",
            "mib oids",
            "huawei",
            "hph3c locally",
            "snmp",
            "enterprisenums",
            "snmpv3 server",
            "security model",
            "snmpv3 get",
            "enterprise",
            "snmp community",
            "nextcommunity",
            "argument",
            "add ipv6",
            "vikas singhal",
            "serveraddress",
            "tftp server",
            "copystatus",
            "cisco router",
            "snmp rw",
            "fail",
            "config",
            "layer",
            "channel",
            "rfc3635",
            "ieee",
            "mac address",
            "obsolete",
            "generic",
            "voice",
            "prop",
            "terminal",
            "team",
            "test",
            "request",
            "joao correa",
            "mail server",
            "smtp",
            "diman todorov",
            "cyrus sasl",
            "auth",
            "postfix smtp",
            "authvuln",
            "cve20111720",
            "digestmd5",
            "activesmtp",
            "ehlo",
            "per rfc",
            "tls connection",
            "continue",
            "smtp ntlm",
            "ethernet",
            "macosx",
            "marek majkowski",
            "tiger",
            "rcpt",
            "vrfy",
            "expn",
            "socket",
            "user name",
            "mail from",
            "rcpt to",
            "duarte silva",
            "windows",
            "ron bowes",
            "vista",
            "srvsvc function",
            "wireshark",
            "p u137",
            "help",
            "ntlm login",
            "arturo buanzo",
            "busleiman",
            "lf line",
            "extended",
            "turn",
            "dkim",
            "exim",
            "exim server",
            "mail",
            "cve20111764",
            "exim daemon",
            "dkim format",
            "exim smtp",
            "webexservice",
            "handle",
            "runcommand",
            "windows account",
            "open",
            "cve20104344",
            "cve20104345",
            "sendrecv",
            "debianexim",
            "exim version",
            "could",
            "remote code",
            "webexec",
            "doesnotexist",
            "patched",
            "microsoft",
            "case",
            "msrc8742",
            "u137",
            "t139",
            "index",
            "define",
            "smtp server",
            "i2 i2",
            "microsoft smbv1",
            "reserved",
            "eternalblue",
            "wannacry",
            "ipc tree",
            "windows xp",
            "print spooler",
            "vulnerability",
            "lanman api",
            "september",
            "printer spooler",
            "stuxnet worm",
            "shareddocs",
            "smb server",
            "xp sp2",
            "windows vista",
            "gold",
            "smb request",
            "smb packet",
            "bsod",
            "dns server",
            "ms07029",
            "rpc interface",
            "rpc service",
            "notup",
            "server service",
            "execution",
            "ras rpc",
            "ms06025",
            "remote access",
            "rras",
            "rras memory",
            "routing",
            "systemroot",
            "reggetvalue",
            "installdate",
            "csdversion",
            "currentversion",
            "identifier",
            "productname",
            "model",
            "smbv1",
            "nt lm",
            "smbv3",
            "smbv2",
            "groups",
            "builtin",
            "account lockout",
            "samr",
            "connect4",
            "enumdomains",
            "invite",
            "options",
            "subscribe",
            "sip server",
            "cancel",
            "refer",
            "notify",
            "option request",
            "entry",
            "message signing",
            "smb security",
            "lmv2",
            "ntlmv2",
            "ms08068",
            "cve20093103",
            "process id",
            "advisory",
            "smbv2 protocol",
            "vista gold",
            "high header",
            "loop",
            "address",
            "reply",
            "ttl64",
            "comment",
            "ms08067",
            "conficker",
            "printer",
            "text",
            "service rpc",
            "lanman",
            "later",
            "service pack",
            "fqdn",
            "standard",
            "computer name",
            "sql2008",
            "workgroup",
            "servertypes",
            "typenames",
            "mssql server",
            "time capsule",
            "backup browser",
            "dfs root",
            "master browser",
            "sql server",
            "settings",
            "inetpub",
            "size time",
            "normal user",
            "description",
            "close",
            "bind",
            "clean",
            "infected2",
            "scanner",
            "namewin32",
            "read",
            "current user",
            "type",
            "readwrite",
            "usercanwrite",
            "current",
            "default share",
            "stypeipchidden",
            "write",
            "trojan",
            "changeddate",
            "names",
            "sids",
            "servicepaused",
            "servicestopped",
            "servicerunning",
            "gateway service",
            "manager",
            "shadow copy",
            "provider",
            "remote desktop",
            "tools",
            "spooler",
            "id process",
            "bytessec",
            "operationssec",
            "bytes",
            "pid ppid",
            "daniel",
            "rids",
            "homegroupuser",
            "windows system",
            "aliases",
            "lists",
            "double pulsar",
            "smb backdoor",
            "pulsar smb",
            "backdoor",
            "b i2",
            "luke jennings",
            "valid",
            "hostinfo",
            "invalidpassword",
            "userlist",
            "userlistindex",
            "blank",
            "third",
            "windows smb",
            "smb2 protocol",
            "smb2",
            "startdate",
            "starttime",
            "boot time",
            "date",
            "vuln",
            "securitymode",
            "smb2smb3",
            "file system",
            "leasing",
            "smbv2 server",
            "skype",
            "skype version",
            "skype author",
            "probes",
            "extension value",
            "number",
            "register sip",
            "file",
            "sip session",
            "true",
            "ekiga",
            "home",
            "user agent",
            "sip from",
            "request source",
            "request sip",
            "shodanapi key",
            "shodan",
            "shodan api",
            "sn pn",
            "apache httpd",
            "proto",
            "product parent",
            "xmltotext",
            "sunw",
            "instance urn",
            "product version",
            "product urn",
            "product defined",
            "instance id",
            "cpus",
            "probe",
            "xport",
            "samba",
            "samba heap",
            "cve20121182",
            "pidl",
            "zdican1503",
            "msrpc call",
            "szl request",
            "sendreceive",
            "offset",
            "siemens s7",
            "action",
            "plcscan",
            "copyright",
            "module type",
            "idle",
            "user on",
            "from since",
            "commondirs",
            "cve20177494",
            "payloadx86",
            "payloadx64",
            "samba remote",
            "rtsp",
            "rtsp urls",
            "describe",
            "setup",
            "play",
            "teardown",
            "roca",
            "detects",
            "return",
            "ssltls",
            "nse library",
            "pop3",
            "capa command",
            "user capa",
            "respcodes uidl",
            "pipelining stls",
            "top sasl",
            "rpc program",
            "rpc port",
            "sendpacket",
            "receivepacket",
            "rpc number",
            "rpc protocol",
            "host table",
            "port table",
            "winpcap",
            "getinfo",
            "pro1000 mt",
            "desktop adapter",
            "hamachi virtual",
            "winpcap remote",
            "capture daemon",
            "password1",
            "rmi registry",
            "tcclassdesc",
            "flags",
            "field count",
            "tcnull",
            "tcblockdata",
            "oraclesun",
            "custom data",
            "classpath",
            "java management",
            "custom",
            "martin holst",
            "swende",
            "performs brute",
            "unix rlogin",
            "unix",
            "item",
            "node name",
            "crypto version",
            "skerl version",
            "os mon",
            "basho version",
            "lager version",
            "cluster info",
            "luke version",
            "sasl version",
            "time",
            "odd response",
            "make sure",
            "diff",
            "unix rexec",
            "horizontal",
            "hostaction",
            "architecture",
            "filter",
            "redis",
            "realvnc",
            "cve20062369",
            "adderlink ip",
            "send",
            "cvssv2",
            "medium",
            "tpdu",
            "cve20120002",
            "ms12020 remote",
            "risk factor",
            "w2016",
            "credssp",
            "ntlmssp",
            "w16gasrv01",
            "success",
            "security layer",
            "early user",
            "rdstls",
            "rdp encryption",
            "fips",
            "rdp protocol",
            "knownprotocols",
            "wolfenstein",
            "enemy territory",
            "nexuiz",
            "quake iii",
            "arena",
            "openarena",
            "basic options",
            "other options",
            "getstatus",
            "statusresp",
            "quake3 game",
            "toni ruottu",
            "delay",
            "tcp packet",
            "maximum number",
            "mean",
            "numtrips",
            "delta",
            "qnx qconn",
            "qconn daemon",
            "root",
            "brendan coles",
            "puppet ca",
            "puppet naive",
            "csrs",
            "dummycsr",
            "defaultnode",
            "defaultenv",
            "paths",
            "response",
            "puppet server",
            "firmware",
            "pptp",
            "rt57i author",
            "activepop3",
            "pop3 ntlm",
            "pop3test2",
            "apop",
            "pop server",
            "pop3 account",
            "printer job",
            "language",
            "pjlreadymessage",
            "aaron leininger",
            "prev",
            "rstart",
            "ssl support",
            "force protocol",
            "ssl encryption",
            "plc type",
            "model number",
            "firmware date",
            "pcworx message",
            "nse script",
            "pcworx",
            "program",
            "phoenix contact",
            "pcanywhere",
            "xorkey",
            "mtus",
            "ipprotoudp",
            "ipprototcp",
            "pmtu",
            "pathmtuprobe",
            "path mtu",
            "drop",
            "hash",
            "key1",
            "seed",
            "noise",
            "oracle virtual",
            "server agent",
            "python",
            "http get",
            "basehttp",
            "virtual server",
            "get request",
            "oracle tns",
            "errcodes",
            "decodevsnnum",
            "decodes",
            "vsnnum version",
            "tns header",
            "tns packet",
            "unit size",
            "oracle",
            "checkaccount",
            "count",
            "oracle user",
            "october",
            "critical patch",
            "maxretries",
            "defaultaccounts",
            "dhiru kholia",
            "authvfrdata",
            "account",
            "device type",
            "uptime",
            "nack",
            "kernel version",
            "device",
            "mask",
            "alarm",
            "bad login",
            "nson",
            "openlookup",
            "arizona",
            "nson int",
            "parsefloat",
            "parses",
            "paradise",
            "ofpthello",
            "openflow",
            "initial packet",
            "newer",
            "jay smith",
            "mak kolybabi",
            "size",
            "memory card",
            "response code",
            "omron fins",
            "system use",
            "program area",
            "iom size",
            "expansion dm",
            "openvas manager",
            "target hosts",
            "firewall",
            "hosts",
            "nrpeprotocols",
            "warning",
            "nrpestates",
            "nrpecommands",
            "crc32constants",
            "i2 i4",
            "queries nagios",
            "remote plugin",
            "executor",
            "critical",
            "nepclientmacid",
            "serverhslen",
            "finalhslen",
            "nping echo",
            "echo mode",
            "activenntp",
            "nntp",
            "nntptest2",
            "ohost",
            "rhost",
            "job entry",
            "ohostrhost",
            "nje server",
            "nje password",
            "nje node",
            "mountpath",
            "nfsopen",
            "filesystem",
            "blocksize",
            "shows nfs",
            "showmount",
            "rpc query",
            "rpc library",
            "mount",
            "read lookup",
            "getattr",
            "readdirplus",
            "lookup",
            "delete",
            "loginresponse",
            "nexpose nsc",
            "netbuster",
            "netbus",
            "extends",
            "sv p",
            "defaultfields",
            "ntp server",
            "refid",
            "stratum",
            "network time",
            "reference",
            "applications",
            "log traffic",
            "volume",
            "wave",
            "synth",
            "netbus backdoor",
            "access",
            "netbus server",
            "nessus web",
            "nessus",
            "network data",
            "ndmp",
            "nas device",
            "amanda",
            "bacula",
            "ca arcserve",
            "commvault",
            "simpana",
            "emc networker",
            "exec",
            "device0000",
            "os version",
            "novell netware",
            "core protocol",
            "server name",
            "tree name",
            "windows2003",
            "skullsecurity",
            "netbios user",
            "netbios mac",
            "vmware",
            "servername",
            "workstationname",
            "netbios ns",
            "hewlett packard",
            "andrey zhukov",
            "ussc",
            "exported block",
            "readonly",
            "negotiation",
            "displays",
            "network block",
            "device protocol",
            "nbd server",
            "maps",
            "wan port",
            "nat port",
            "natpmp",
            "successfully",
            "wan ip",
            "apple airport",
            "natpmp protocol",
            "express",
            "extreme",
            "apple time",
            "capsule",
            "ddwrt",
            "mysql",
            "mariadbmysql",
            "mysqlmariadb",
            "mariadb",
            "cve20122122",
            "select distinct",
            "mysql database",
            "select host",
            "autocommit",
            "thread id",
            "support41auth",
            "mysql error",
            "mysql server",
            "kingcope",
            "dumps",
            "john",
            "ripper",
            "appropriate db",
            "review",
            "adminaccounts",
            "cis mysql",
            "skip",
            "create user",
            "verify",
            "super",
            "shutdown",
            "reload",
            "murmur",
            "udp port",
            "murmur server",
            "murmur service",
            "nmap service",
            "udp probe",
            "tcp service",
            "i4 i4",
            "igmp traceroute",
            "query",
            "source address",
            "static",
            "multicast group",
            "fwdcode",
            "library",
            "configuration",
            "enabled",
            "dns suffix",
            "dbcount",
            "tablecount",
            "select",
            "microsoft sql",
            "activesql",
            "dbtest2",
            "disconnect",
            "rslimit",
            "host script",
            "port script",
            "sql servers",
            "getname",
            "servers",
            "objectid",
            "select name",
            "from",
            "johntheripper",
            "dump",
            "dac port",
            "browser service",
            "dedicated admin",
            "dac feature",
            "sqlserver",
            "sql mail",
            "database mail",
            "dmo xps",
            "login success",
            "policy agent",
            "dhcp client",
            "lrpc endpoint",
            "msrpc endpoint",
            "remote fw",
            "dvmrp ask",
            "neighbors",
            "dvmrp",
            "neighbor",
            "igmp",
            "dvmrp code",
            "iterate",
            "major",
            "publish",
            "mqtt broker",
            "sanity",
            "mqtt",
            "indicate",
            "mqtt protocol",
            "topic",
            "connack",
            "mongodb build",
            "server status",
            "mongodb",
            "database",
            "error message",
            "httpstorage",
            "gateway target",
            "modbus",
            "to response",
            "formrsid",
            "illegal data",
            "slave device",
            "scada modbus",
            "scada",
            "switchmode",
            "mobile mouse",
            "os x",
            "attempted",
            "rpa tech",
            "connected30",
            "api routeros",
            "xmlreq",
            "methodname",
            "param",
            "methodcall",
            "metasploit rpc",
            "xdax00x20",
            "ruby version",
            "api version",
            "gathers",
            "api guide",
            "host name",
            "reqid",
            "stat",
            "nodes",
            "hostname",
            "mnesia version",
            "stdlib version",
            "auth failure",
            "agentguid",
            "didier stevens",
            "msie",
            "start",
            "mcafee epolicy",
            "eposerver",
            "instroot",
            "sap max",
            "dbmserver",
            "tn3270e",
            "unit",
            "tn3270e server",
            "logical unit",
            "macdst",
            "cadmus computer",
            "host id",
            "ipv4 address",
            "icon image",
            "repeater ap",
            "lineage",
            "printervidpid",
            "lexmark s302",
            "hbn3",
            "lexmark",
            "dcnet",
            "dccqure",
            "cnusers",
            "ldap",
            "qfilter",
            "dcfunctid",
            "cnconfiguration",
            "dcfunc",
            "cnschema",
            "cnservers",
            "ocqure",
            "nmas get",
            "allow admin",
            "ldap username",
            "ldap password",
            "cnadmin",
            "cnpaka",
            "login correct",
            "openldap",
            "ldap base",
            "ad discussion",
            "kerberos realm",
            "kerberos",
            "krb5",
            "asn1encoder",
            "realm",
            "knx address",
            "knxdibknxmedium",
            "knx gateway",
            "knx description",
            "din en",
            "http",
            "niklaus schiess",
            "java debug",
            "wire protocol",
            "jdwp",
            "java",
            "internet",
            "michael schierl",
            "method run",
            "java class",
            "b i8",
            "sat aug",
            "daylight time",
            "portal",
            "name service",
            "isns",
            "auth reason",
            "collects",
            "receive",
            "irc server",
            "d p6667",
            "e binsh",
            "vv localhost",
            "authenticate",
            "cap req",
            "internet relay",
            "chat",
            "imap",
            "imap4rev1",
            "imap4 literal",
            "blocked",
            "nick",
            "none",
            "motd",
            "nquitn",
            "stats",
            "lusers",
            "pingpong",
            "nmap brutern",
            "rxbot",
            "agobot",
            "slackbot",
            "mytob",
            "rbot",
            "sdbot",
            "ircbot",
            "vanbot",
            "gtbot",
            "spybot",
            "storm",
            "knx search",
            "device mac",
            "knxhpaiport",
            "knxdibdevmac",
            "discovers",
            "ipv6 suffix",
            "cpu usage",
            "cisco ios",
            "november",
            "netscreen",
            "qtypenodename",
            "qtypenoop",
            "qtype",
            "stringify",
            "ipv6 node",
            "qtypestrings",
            "stevecasner",
            "ff02000000",
            "20060921",
            "19941101",
            "kanglee",
            "20070202",
            "ff0x000000",
            "discovery",
            "ssdp",
            "passauth",
            "userauth",
            "conninfo",
            "channel auth",
            "claudiu perta",
            "rakp cipher",
            "ipmi interface",
            "cipher zero",
            "state service",
            "ipmi rpc",
            "aggressive mode",
            "vpngroup",
            "main mode",
            "ikeresponse",
            "ike service",
            "main",
            "hybrid",
            "testfr",
            "startdt",
            "asdu address",
            "getasdu",
            "cicna1",
            "iec104",
            "startdt act",
            "meeina1",
            "cicna1broadcast",
            "ip id",
            "ip ids",
            "numprobes",
            "shortport",
            "sslcert",
            "https",
            "iphttps",
            "city",
            "islands",
            "republic",
            "united",
            "startpos",
            "philadelphia",
            "recordbuf",
            "char",
            "jackson",
            "download",
            "dayton",
            "hill",
            "terre",
            "austin",
            "rouge",
            "green",
            "phoenix",
            "rapid",
            "diego",
            "vegas",
            "albania",
            "armenia",
            "belarus",
            "cuba",
            "indonesia",
            "lucia",
            "mexico",
            "panama",
            "paraguay",
            "slovakia",
            "chad",
            "uruguay",
            "april",
            "placemark",
            "point",
            "nmap registry",
            "required",
            "google maps",
            "api key",
            "google map",
            "premium",
            "google static",
            "maps api",
            "png8",
            "bing maps",
            "bing map",
            "road",
            "rest api",
            "rest",
            "jpeg",
            "fremont",
            "apikey",
            "a sting",
            "new jersey",
            "icmp echo",
            "lan host",
            "icmp",
            "nmap host",
            "information",
            "results",
            "dbinfo",
            "ibm informix",
            "dynamic server",
            "select first",
            "dbhostname",
            "full",
            "driver class",
            "client name",
            "impress version",
            "remote server",
            "impress remote",
            "remote pin",
            "firefox os",
            "clientname",
            "bruteforce",
            "activeimap",
            "ntlm challenge",
            "starttls",
            "socket receive",
            "imap ntlm",
            "istag",
            "resptbl",
            "icap service",
            "icap",
            "echo",
            "echo demo",
            "urlcheck demo",
            "udp iax2",
            "revision",
            "control frame",
            "poke request",
            "voip",
            "ferdy riphagen",
            "asterisk iax2",
            "xssedsite",
            "xssedsearch",
            "xssedfound",
            "xssedfixed",
            "xssedmirror",
            "xssedurl",
            "vlc streamer",
            "developer",
            "user guides",
            "increase",
            "base path",
            "ange gutek",
            "peter hill",
            "search",
            "wordpressapiurl",
            "wp root",
            "wordpress",
            "defaultwpuri",
            "initial check",
            "default uri",
            "default uservar",
            "default passvar",
            "webdav",
            "propfind",
            "copy",
            "move",
            "post",
            "proppatch",
            "trace",
            "server header",
            "modsecurity",
            "webknight",
            "binarysec",
            "cloudflare",
            "bigip",
            "xml gateway",
            "airlock",
            "profense",
            "netscaler",
            "idsipswaf",
            "web application",
            "attackvectorsn1",
            "wafidsips",
            "barracuda",
            "phpids",
            "latest",
            "paul amar",
            "rob nicholls",
            "rompager",
            "andrew orr",
            "bid71744 cve",
            "wordpress rest",
            "injection",
            "sql injection",
            "joomla",
            "regexpsuccess",
            "sql statement",
            "mysql user",
            "python script",
            "intel active",
            "params",
            "cve20175689",
            "bid98269",
            "nonce",
            "apache struts",
            "cve20175638",
            "http method",
            "url path",
            "ms15034",
            "http protocol",
            "system account",
            "groovy",
            "elasticsearch",
            "rce exploit",
            "java version",
            "json",
            "cve20151427",
            "wordpress cm",
            "php code",
            "cm download",
            "manager plugin",
            "cve20148877",
            "php system",
            "drupal core",
            "drupal",
            "auth sql",
            "title",
            "formid",
            "cisco asa",
            "sip denial",
            "sip inspection",
            "cisco adaptive",
            "software",
            "bug id",
            "cscuh44052",
            "ssl vpn",
            "clientless ssl",
            "vpn session",
            "asdm privilege",
            "asdm access",
            "cscuj33496",
            "minor",
            "zimbra",
            "ajxmsg",
            "zmsg",
            "zmmsg",
            "ajxkeys",
            "zmkeys",
            "zdmsg",
            "december",
            "file inclusion",
            "concept",
            "url redirection",
            "web server",
            "referer header",
            "cve20136786",
            "xss injection",
            "rails",
            "ruby",
            "cve20130156",
            "cdata",
            "yaml",
            "parameter",
            "denial",
            "cve20121823",
            "web development",
            "html",
            "phpcgi",
            "reverse proxy",
            "apache http",
            "contextis",
            "lan ip",
            "security bypass",
            "bid49957",
            "proxy",
            "apache web",
            "head request",
            "pt80443",
            "bid49303",
            "coldfusion8",
            "hmac",
            "salt",
            "http server",
            "sha1 hmac",
            "traversal",
            "bid42342",
            "coldfusion",
            "cve20100738",
            "jboss target",
            "path2",
            "array",
            "object",
            "services",
            "blazeds",
            "livecycle data",
            "adobe xml",
            "external entity",
            "livecycle",
            "webmin",
            "usermin",
            "cve20063392",
            "webmin file",
            "disclosure",
            "cve20093733",
            "vmware path",
            "vmware esx",
            "tony flick",
            "shmoocon",
            "sha1",
            "sha256",
            "eicar test",
            "resource",
            "virustotal",
            "eicartestfile",
            "readfile",
            "searches",
            "http response",
            "identify",
            "characters",
            "spiders",
            "xfoo",
            "evoxabout",
            "trane tracer",
            "trane",
            "tracer sc",
            "hwver12ab",
            "airhandler",
            "xxxxx",
            "normalizepath",
            "depth",
            "http1",
            "http trace",
            "uri author",
            "tplink wireless",
            "wr740n",
            "wr740nd",
            "wr2543nd",
            "confirmed",
            "wr842nd",
            "wa901nd",
            "wr941n",
            "wr941nd",
            "scanme",
            "displaytitle",
            "wikipedia",
            "repository uuid",
            "repository root",
            "node kind",
            "elements",
            "url relative",
            "author count",
            "unfiltered",
            "crawls",
            "posts",
            "field",
            "phase",
            "crawler",
            "html escaping",
            "posted data",
            "form",
            "html title",
            "twitter",
            "xfwd",
            "otherwise",
            "mfctearsample",
            "phpcrawl",
            "httplibs",
            "nmap scripting",
            "engine",
            "snoopy",
            "zendhttpclient",
            "change",
            "status code",
            "eddie bell",
            "timewith",
            "bestopt",
            "slowloris dos",
            "slowloris",
            "halfhttp",
            "dos attack",
            "timewithout",
            "threadcount",
            "timelimit",
            "dosed",
            "monitor",
            "threads",
            "sendinterval",
            "servernotice",
            "stopall",
            "reason",
            "ubuntu",
            "request type",
            "cookie",
            "referer",
            "shellshock",
            "http shellshock",
            "http header",
            "sending",
            "setcookie",
            "deny",
            "hsts",
            "cachecontrol",
            "pragma",
            "xss filter",
            "will",
            "uris",
            "sandbox",
            "sap netweaver",
            "sap instance",
            "km unit",
            "disabled",
            "robtex",
            "robtex service",
            "add list",
            "discount",
            "nwshp news",
            "relpage",
            "univ cobrand",
            "url default",
            "august",
            "informs",
            "qweb server",
            "ssl port",
            "photo station",
            "device model",
            "firmware build",
            "force ssl",
            "v2 web",
            "network video",
            "music",
            "uploads",
            "http put",
            "http proxy",
            "shared",
            "phpself",
            "reflected cross",
            "site scripting",
            "phpselfprobe",
            "local file",
            "inclusion",
            "exploitquery",
            "defaultfile",
            "defaultdir",
            "remote file",
            "basepath",
            "passwd",
            "etcpasswd",
            "query string",
            "printing",
            "multi",
            "http redirect",
            "valid http",
            "pattern",
            "joao",
            "activeweb",
            "telme",
            "http ntlm",
            "android",
            "khtml",
            "gecko",
            "http verb",
            "vulnerable uri",
            "allow",
            "safemethods",
            "public",
            "public header",
            "unsafemethods",
            "balancer",
            "jvmroute",
            "lbgroup",
            "sticky",
            "jsessionid",
            "remove",
            "stisvc",
            "looks",
            "denis",
            "majordomo2",
            "cve20110049",
            "michael brooks",
            "web page",
            "pierre lalet",
            "litespeed web",
            "cve20102333",
            "http request",
            "joomla web",
            "internal ip",
            "leaked",
            "host header",
            "microsoft iis",
            "jsonp",
            "jsonp endpoint",
            "policy",
            "vinamra bhatia",
            "gosingle",
            "root folder",
            "iis document",
            "research paper",
            "apple id",
            "apple mobileme",
            "find my",
            "iphone",
            "macbook air",
            "wifi",
            "mobileme web",
            "mac mini",
            "hp ilo",
            "productid",
            "uuid",
            "xmldata",
            "xml file",
            "builtinpatterns",
            "validate",
            "azaz09",
            "email",
            "group1",
            "google",
            "safe browsing",
            "sign",
            "git revision",
            "project author",
            "span",
            "git repository",
            "trunclength",
            "jboss",
            "statusok",
            "rails web",
            "jboss java",
            "location",
            "look",
            "insert",
            "michael kohl",
            "citizen428",
            "frontpage",
            "frontpage login",
            "path prefix",
            "atm anything",
            "uservar",
            "passvar",
            "stop",
            "mime",
            "content",
            "uploadrequest",
            "exploits",
            "mime type",
            "destination",
            "separator",
            "trying path",
            "maxpagecount",
            "feeds",
            "feedsrefs",
            "please",
            "atom",
            "reads",
            "wd2500js60mhb1",
            "md5 hash",
            "element",
            "socialtext",
            "http default",
            "nasl script",
            "ftp server",
            "ftp login",
            "gutek",
            "tagtable",
            "gpstagtable",
            "gpstaglatitude",
            "tagmake",
            "tagmodel",
            "tagdatetime",
            "taggpsinfo",
            "gpstaglongitude",
            "flash",
            "speed",
            "error code",
            "checkdir",
            "general",
            "views",
            "pppoe",
            "echolife hg530",
            "huawei hg5xx",
            "boolean",
            "hg530x",
            "direct path",
            "modules",
            "themes",
            "token",
            "id file",
            "input",
            "jim brass",
            "warrick brown",
            "martin",
            "jsfuncpatterns",
            "jscallspatterns",
            "xss occur",
            "javascript",
            "please note",
            "dlink",
            "dir120",
            "di624s",
            "di524up",
            "di604s",
            "di604up",
            "di604",
            "tmg5240",
            "ascii",
            "genericlines",
            "landeskrc",
            "tlssessionreq",
            "getrequest",
            "httpoptions",
            "lpdstring",
            "weird",
            "consumingdetect",
            "html content",
            "rapiddetect",
            "html code",
            "callback",
            "django",
            "missing",
            "nagios",
            "cactiez",
            "logincombos",
            "httplike",
            "csrf",
            "form id",
            "form action",
            "cross site",
            "adobe flash",
            "adobe reader",
            "silverlight",
            "crossdomain",
            "forgery",
            "granto",
            "origin",
            "sharing",
            "cors",
            "get post",
            "options author",
            "patch",
            "examines",
            "specific url",
            "specific cookie",
            "grepphp",
            "mediawiki",
            "generic backup",
            "patterns",
            "line number",
            "maximum value",
            "cf version",
            "fri mar",
            "xmltags",
            "anyconnect",
            "cisco ssl",
            "ddos",
            "pngiconquery",
            "gificonquery",
            "stylesheetquery",
            "vendorsquery",
            "cakephp version",
            "cakephp visit",
            "hostip",
            "alpha",
            "bigipserver",
            "f5 bigip",
            "seth jackson",
            "spam",
            "virus firewall",
            "barracuda spam",
            "api password",
            "mta sasl",
            "gateway",
            "dns cache",
            "shadow",
            "apache axis2",
            "axis2services",
            "defaultpath",
            "axis2 service",
            "awstats totals",
            "defaultcmd",
            "defaulturi",
            "sort",
            "common",
            "awstats total",
            "avaya ip",
            "office",
            "office user",
            "listing",
            "office voip",
            "basic",
            "digest",
            "router",
            "unauthorized",
            "debug",
            "http debug",
            "debug request",
            "response body",
            "apache server",
            "apache version",
            "common default",
            "google adsense",
            "amazon",
            "site",
            "grabs",
            "adsense",
            "magicuri",
            "gethostname",
            "finds",
            "sheila berta",
            "hostmapserver",
            "vendor",
            "gatewaywithwifi",
            "ingraham",
            "linksys",
            "linksys e1200",
            "e1200",
            "hbase",
            "hbase version",
            "hbase compiled",
            "quorum",
            "apache hbase",
            "hadoop database",
            "wed may",
            "hadoop",
            "http status",
            "logs",
            "apache hadoop",
            "hadoop version",
            "checkpoint size",
            "checkpoint",
            "capacity",
            "non dfs",
            "datanodes",
            "live",
            "dead",
            "wed sep",
            "cest",
            "line",
            "state",
            "datanode http",
            "log directory",
            "watch",
            "gps time",
            "gpsd network",
            "sat apr",
            "gopher",
            "taxf",
            "tax forms",
            "load",
            "network",
            "transmitted",
            "mount point",
            "fs type",
            "gkrellm service",
            "size available",
            "goodbye",
            "corba naming",
            "ganglia",
            "ganglia version",
            "owner",
            "proftpd",
            "proftpd server",
            "cve20104221",
            "telnet iac",
            "telnetiac",
            "telnetkill",
            "cmdshellid",
            "shell command",
            "cve20112523",
            "syst",
            "mode",
            "no data",
            "syst error",
            "logged",
            "stream",
            "cmdshell",
            "send command",
            "opie",
            "cve20101938",
            "ftpd",
            "arciemowicz",
            "adam",
            "zabrocki",
            "sergey khegay",
            "ieuser",
            "freelancer",
            "rp server",
            "freelancer game",
            "niagara fox",
            "java hotspot",
            "server vm",
            "americachicago",
            "tridium",
            "systems",
            "billy rios",
            "flume",
            "environment",
            "se runtime",
            "target port",
            "helperport",
            "ethernet type",
            "eric leblond",
            "ip packet",
            "probetimeout",
            "icmp time",
            "icmp payload",
            "recvtimeout",
            "ip ttl",
            "firewalk",
            "combo",
            "cups service",
            "hp laserjet",
            "print",
            "documentation",
            "cups",
            "cemt",
            "access denied",
            "authorized",
            "cemt inquire",
            "dfltuser",
            "db2conn",
            "gutek ange",
            "welcome",
            "linux version",
            "fcrdns mismatch",
            "no ptr",
            "reverse dns",
            "ptr record",
            "address book",
            "safari",
            "event protocol",
            "buddy",
            "erlang port",
            "mapper daemon",
            "x00x01n",
            "gmbh",
            "corporation",
            "limited",
            "company",
            "automation",
            "encoder",
            "inst",
            "tips",
            "tech",
            "life",
            "pump",
            "peap",
            "eapttls",
            "eaptls",
            "eapmschapv2",
            "identity",
            "ttls",
            "mschap",
            "nbstat",
            "sshhostkey",
            "ssh host",
            "p445443",
            "win2ksrv001",
            "server platform",
            "instance name",
            "apache derby",
            "drda protocol",
            "drda excsat",
            "sample",
            "ibm db2",
            "informix",
            "get dpap",
            "ibm lotus",
            "domino",
            "mjacksson",
            "lotus domino",
            "peak",
            "console",
            "release",
            "windows32",
            "socketpool",
            "docker",
            "docker service",
            "gitcommit",
            "parsedomain",
            "cname",
            "scripttype",
            "parsetxt",
            "bulletproof",
            "sbl123456",
            "cn online",
            "ip range",
            "zeus botnet",
            "ztdns",
            "name ip",
            "dns update",
            "kerberos kdc",
            "change service",
            "catalog",
            "argfilter",
            "kerberos passwd",
            "ldap servers",
            "canon",
            "mg5200 series",
            "canon mg5200",
            "ivec",
            "bjnp protocol",
            "ftp version",
            "tcp portarg",
            "portarg",
            "dns service",
            "version196609",
            "version196616",
            "ossi0x1f6",
            "felix groebert",
            "txid",
            "duane wessels",
            "authority rrs",
            "answer rrs",
            "answer record",
            "get txt",
            "txtlen",
            "dns recursion",
            "ogjdvm author",
            "spoofed reply",
            "cve20081447",
            "nsid",
            "ch txt",
            "dns nameserver",
            "ssu p",
            "dnschars",
            "nsec",
            "dnscharsinv",
            "label",
            "nsec record",
            "removesuffix",
            "result name",
            "bumpdomain",
            "nsec response",
            "easy",
            "nsec3",
            "dnssec nsec3",
            "nsec3 walking",
            "dnsnsecenum",
            "getprefixmask",
            "dns lookup",
            "ipv6 network",
            "ipv6 prefix",
            "noerror",
            "nxdomain result",
            "peter",
            "bool",
            "slowdown",
            "launches",
            "david",
            "victoria",
            "halifax",
            "casper",
            "barry",
            "soa expire",
            "soa refresh",
            "soa retry",
            "soa mname",
            "soa record",
            "dns check",
            "refresh",
            "domains",
            "timedmultiplier",
            "timednumsamples",
            "stddev",
            "alexadomains",
            "aaaa",
            "dns bruteforce",
            "added target",
            "resolve",
            "commfile",
            "argcategory",
            "dns antispam",
            "spam received",
            "daemon command",
            "allows",
            "dict protocol",
            "show server",
            "index data",
            "client",
            "dicom service",
            "aet check",
            "dicom",
            "acceptreject",
            "dicom server",
            "titles",
            "hence",
            "dhcpinform",
            "dhcp request",
            "dhcp server",
            "dhcpack",
            "subnet mask",
            "dhcp option",
            "strfixedstart",
            "listfixedstart",
            "login error",
            "dictfixedstart",
            "db2 server",
            "transaction",
            "database server",
            "nodetype1",
            "db2commtcpip",
            "db2inst1",
            "control center",
            "db2 packet",
            "wed mar",
            "getsessionid",
            "daapitemlimit",
            "fever ray",
            "getdatabaseid",
            "limit",
            "daap server",
            "cvs pserver",
            "repo",
            "series",
            "ubu1110",
            "raw printer",
            "stopped",
            "cups printing",
            "cupspdf printer",
            "couchdb",
            "mochiweb",
            "admin party",
            "discard",
            "couchdb http",
            "testsuitedb",
            "testsuitedba",
            "moneyz",
            "block",
            "coap endpoint",
            "reporting",
            "payload",
            "coap",
            "u5683 su",
            "analyzes",
            "clamav",
            "scan",
            "scan command",
            "clamav remote",
            "citrixsrv01",
            "citrix xml",
            "citrix",
            "ica browser",
            "citrixsrv02",
            "anonymous",
            "notepad",
            "appdata",
            "settingkey",
            "xml service",
            "must change",
            "nextuser",
            "citrix pn",
            "cics user",
            "cics login",
            "cesl",
            "signon",
            "on to",
            "cics id",
            "valid cics",
            "cesf",
            "cesn",
            "cata",
            "numtrials",
            "cccam service",
            "trial",
            "cccam dvr",
            "cassandra",
            "cluster name",
            "cassinc",
            "test cluster",
            "account success",
            "manager control",
            "willing",
            "device pub",
            "computer",
            "wpad",
            "dhcp",
            "web proxy",
            "dhcp discovery",
            "dns discovery",
            "wpad host",
            "wpad file",
            "machex",
            "sent wol",
            "wol packet",
            "wakes",
            "mac return",
            "servicerequest",
            "model name",
            "bubbatwo dlna",
            "justin maggard",
            "model descr",
            "debian",
            "activation code",
            "tellsticknet",
            "acca12345678",
            "inet",
            "ping request",
            "sybase anywhere",
            "netmask",
            "romm",
            "firmm",
            "serial",
            "macserial",
            "romversion",
            "firmwareversion",
            "sonicwall",
            "ripng",
            "ripng response",
            "ripng request",
            "ripv2",
            "ripv2 request",
            "tags",
            "pppoe discovery",
            "pppoed",
            "ipv4 format",
            "ip header",
            "bbi2",
            "pim hello",
            "i2i2",
            "helloraw",
            "multicast",
            "pim multicast",
            "pcduo gateway",
            "pcduo remote",
            "srvname",
            "ospfv2 database",
            "print ospfv2",
            "ospfv2 hello",
            "ospfv2 ls",
            "area id",
            "destination mac",
            "captured ospfv2",
            "callit",
            "nbname",
            "broadcastaddr",
            "mssqldiscover",
            "yesno",
            "decoders",
            "uport",
            "hsrp",
            "dropbox",
            "server id",
            "slave port",
            "jenkins",
            "argaddress",
            "jenkinspkt",
            "jenkins auto",
            "apache jserv",
            "protocol server",
            "pathhelloworld",
            "hid discoveryd",
            "eigrp",
            "internal route",
            "external route",
            "max amount",
            "internal",
            "dropboxport",
            "key2",
            "listens",
            "nmap target",
            "dhcpoffer",
            "clientid",
            "ip pool",
            "ipid",
            "dhcpv6 request",
            "solicit",
            "message type",
            "advertise",
            "ba9876",
            "domain search",
            "db2getaddr",
            "ubu804db2e",
            "edusrv011",
            "devtype",
            "null udp",
            "cve20111002",
            "avahi null",
            "wait time",
            "header instance",
            "bbi2bbi4",
            "config info",
            "etherbroadcast",
            "pataoe",
            "brantley coile",
            "total",
            "nse argument",
            "dht protocol",
            "torrentfile",
            "dht discovery",
            "serviceproxy",
            "obtains",
            "bitcoin server",
            "prior",
            "node id",
            "lastblock",
            "bitcoin",
            "bacnet",
            "sdn bhd",
            "bacnet packet",
            "titan",
            "landis",
            "carrier",
            "simplex",
            "notifier",
            "walker",
            "aust",
            "savant",
            "monitoring",
            "energy",
            "starman",
            "covenant",
            "king",
            "etap",
            "echelon",
            "arcom",
            "vanti",
            "backorifice",
            "container",
            "bocrypt",
            "boversion",
            "bohostname",
            "system info",
            "magicstring",
            "ping reply",
            "pong",
            "pingpacket",
            "team cymru",
            "peer",
            "amqp",
            "erlangotp",
            "rabbitmq",
            "plain amqplain",
            "dragomir",
            "allseeing eye",
            "team death",
            "novodondo",
            "blue",
            "herox",
            "different ajp",
            "jsp test",
            "options request",
            "ajp service",
            "public folder",
            "shows afp",
            "utf8 server",
            "uams",
            "server flags",
            "flags hex",
            "password saving",
            "copy file",
            "machine type",
            "afpversion",
            "afpx03",
            "apple mac",
            "dir method",
            "maxfiles",
            "cve20100533",
            "directory",
            "afp server",
            "permission uid",
            "gid size",
            "time filename",
            "parameter error",
            "netatalk",
            "apple filing",
            "formatipv4",
            "isatap",
            "server ipv4",
            "client ipv4",
            "admin email",
            "parse daemon",
            "license",
            "acarsd"
          ],
          "references": [
            "scripts",
            "vuze-dht-info.nse",
            "xmlrpc-methods.nse",
            "xdmcp-discover.nse",
            "x11-access.nse",
            "wsdd-discover.nse",
            "whois-domain.nse",
            "weblogic-t3-info.nse",
            "vulners.nse",
            "wdb-version.nse",
            "vtam-enum.nse",
            "voldemort-info.nse",
            "vnc-brute.nse",
            "vnc-title.nse",
            "vnc-info.nse",
            "vmauthd-brute.nse",
            "xmpp-brute.nse",
            "vmware-version.nse",
            "xmpp-info.nse",
            "versant-info.nse",
            "url-snarf.nse",
            "upnp-info.nse",
            "whois-ip.nse",
            "unusual-port.nse",
            "unittest.nse",
            "ventrilo-info.nse",
            "uptime-agent-info.nse",
            "tso-enum.nse",
            "ubiquiti-discovery.nse",
            "tn3270-screen.nse",
            "tso-brute.nse",
            "tls-ticketbleed.nse",
            "tls-nextprotoneg.nse",
            "tls-alpn.nse",
            "tftp-enum.nse",
            "traceroute-geolocation.nse",
            "telnet-ntlm-info.nse",
            "teamspeak2-version.nse",
            "targets-traceroute.nse",
            "targets-xml.nse",
            "telnet-encryption.nse",
            "targets-sniffer.nse",
            "telnet-brute.nse",
            "targets-ipv6-wordlist.nse",
            "targets-ipv6-multicast-mld.nse",
            "targets-ipv6-multicast-slaac.nse",
            "targets-asn.nse",
            "targets-ipv6-multicast-invalid-dst.nse",
            "targets-ipv6-multicast-echo.nse",
            "svn-brute.nse",
            "stun-version.nse",
            "targets-ipv6-map4to6.nse",
            "sslv2.nse",
            "stuxnet-detect.nse",
            "sstp-discover.nse",
            "supermicro-ipmi-conf.nse",
            "ssl-heartbleed.nse",
            "stun-info.nse",
            "ssl-known-key.nse",
            "sslv2-drown.nse",
            "ssl-cert-intaddr.nse",
            "ssl-ccs-injection.nse",
            "ssl-enum-ciphers.nse",
            "ssl-cert.nse",
            "ssh-publickey-acceptance.nse",
            "sshv1.nse",
            "ssl-dh-params.nse",
            "ssl-date.nse",
            "ssh-auth-methods.nse",
            "ssl-poodle.nse",
            "ssh-run.nse",
            "ssh2-enum-algos.nse",
            "ssh-hostkey.nse",
            "socks-auth-info.nse",
            "snmp-win32-users.nse",
            "socks-brute.nse",
            "snmp-sysdescr.nse",
            "snmp-win32-software.nse",
            "snmp-win32-services.nse",
            "snmp-win32-shares.nse",
            "ssh-brute.nse",
            "snmp-processes.nse",
            "snmp-hh3c-logins.nse",
            "snmp-info.nse",
            "snmp-brute.nse",
            "snmp-ios-config.nse",
            "snmp-interfaces.nse",
            "socks-open-proxy.nse",
            "snmp-netstat.nse",
            "smtp-strangeport.nse",
            "smtp-vuln-cve2011-1720.nse",
            "smtp-ntlm-info.nse",
            "sniffer-detect.nse",
            "smtp-enum-users.nse",
            "smb-server-stats.nse",
            "smtp-commands.nse",
            "smtp-vuln-cve2011-1764.nse",
            "smtp-brute.nse",
            "smb-webexec-exploit.nse",
            "smtp-vuln-cve2010-4344.nse",
            "smb-vuln-webexec.nse",
            "smb-vuln-regsvc-dos.nse",
            "smtp-open-relay.nse",
            "smb-vuln-ms17-010.nse",
            "smb-vuln-ms10-061.nse",
            "smb-vuln-ms10-054.nse",
            "smb-vuln-ms07-029.nse",
            "smb-vuln-ms06-025.nse",
            "smb-system-info.nse",
            "smb-protocols.nse",
            "smb-flood.nse",
            "smb-enum-domains.nse",
            "sip-methods.nse",
            "script.db",
            "smb-security-mode.nse",
            "smb-vuln-cve2009-3103.nse",
            "smb-psexec.nse",
            "smb-vuln-ms08-067.nse",
            "smb-print-text.nse",
            "smb-os-discovery.nse",
            "smb-mbenum.nse",
            "smb-ls.nse",
            "smb-enum-users.nse",
            "smb-vuln-conficker.nse",
            "smb-enum-shares.nse",
            "smb-enum-sessions.nse",
            "smb-enum-services.nse",
            "smb-enum-processes.nse",
            "smb-enum-groups.nse",
            "rsync-list-modules.nse",
            "smb-double-pulsar-backdoor.nse",
            "smb-brute.nse",
            "smb2-vuln-uptime.nse",
            "smb2-time.nse",
            "smb2-security-mode.nse",
            "smb2-capabilities.nse",
            "skypev2-version.nse",
            "sip-enum-users.nse",
            "sip-call-spoof.nse",
            "sip-brute.nse",
            "shodan-api.nse",
            "servicetags.nse",
            "samba-vuln-cve-2012-1182.nse",
            "s7-info.nse",
            "rusers.nse",
            "smb-vuln-cve-2017-7494.nse",
            "rtsp-url-brute.nse",
            "rtsp-methods.nse",
            "rsync-brute.nse",
            "rsa-vuln-roca.nse",
            "pop3-capabilities.nse",
            "rpcinfo.nse",
            "rpc-grind.nse",
            "rpcap-info.nse",
            "rpcap-brute.nse",
            "rmi-vuln-classloader.nse",
            "rmi-dumpregistry.nse",
            "rlogin-brute.nse",
            "riak-http-info.nse",
            "rfc868-time.nse",
            "rexec-brute.nse",
            "reverse-index.nse",
            "redis-info.nse",
            "redis-brute.nse",
            "realvnc-auth-bypass.nse",
            "rdp-vuln-ms12-020.nse",
            "rdp-ntlm-info.nse",
            "rdp-enum-encryption.nse",
            "quake3-master-getservers.nse",
            "quake3-info.nse",
            "qscan.nse",
            "qconn-exec.nse",
            "puppet-naivesigning.nse",
            "pptp-version.nse",
            "pop3-ntlm-info.nse",
            "pop3-brute.nse",
            "pjl-ready-message.nse",
            "port-states.nse",
            "pgsql-brute.nse",
            "pcworx-info.nse",
            "pcanywhere-brute.nse",
            "path-mtu.nse",
            "p2p-conficker.nse",
            "ovs-agent-version.nse",
            "oracle-tns-version.nse",
            "oracle-sid-brute.nse",
            "oracle-enum-users.nse",
            "oracle-brute-stealth.nse",
            "oracle-brute.nse",
            "openwebnet-discovery.nse",
            "openvas-otp-brute.nse",
            "openlookup-info.nse",
            "openflow-info.nse",
            "omron-info.nse",
            "omp2-enum-targets.nse",
            "omp2-brute.nse",
            "nrpe-enum.nse",
            "nping-brute.nse",
            "nntp-ntlm-info.nse",
            "nje-pass-brute.nse",
            "nje-node-brute.nse",
            "nfs-statfs.nse",
            "nfs-showmount.nse",
            "nfs-ls.nse",
            "nexpose-brute.nse",
            "netbus-version.nse",
            "ntp-info.nse",
            "netbus-info.nse",
            "netbus-brute.nse",
            "netbus-auth-bypass.nse",
            "nessus-xmlrpc-brute.nse",
            "nessus-brute.nse",
            "ndmp-version.nse",
            "ndmp-fs-info.nse",
            "ncp-serverinfo.nse",
            "ncp-enum-users.nse",
            "nbstat.nse",
            "nbns-interfaces.nse",
            "nbd-info.nse",
            "nat-pmp-mapport.nse",
            "nat-pmp-info.nse",
            "mysql-vuln-cve2012-2122.nse",
            "mysql-variables.nse",
            "mysql-users.nse",
            "mysql-query.nse",
            "mysql-info.nse",
            "mysql-enum.nse",
            "mysql-empty-password.nse",
            "mysql-dump-hashes.nse",
            "mysql-databases.nse",
            "mysql-brute.nse",
            "mysql-audit.nse",
            "murmur-version.nse",
            "mtrace.nse",
            "ms-sql-xp-cmdshell.nse",
            "ms-sql-tables.nse",
            "ms-sql-query.nse",
            "ms-sql-ntlm-info.nse",
            "ms-sql-hasdbaccess.nse",
            "ms-sql-empty-password.nse",
            "ms-sql-dump-hashes.nse",
            "ms-sql-dac.nse",
            "ms-sql-config.nse",
            "ms-sql-brute.nse",
            "msrpc-enum.nse",
            "mrinfo.nse",
            "mqtt-subscribe.nse",
            "ms-sql-info.nse",
            "mongodb-info.nse",
            "mongodb-databases.nse",
            "mongodb-brute.nse",
            "modbus-discover.nse",
            "mmouse-exec.nse",
            "mmouse-brute.nse",
            "mikrotik-routeros-brute.nse",
            "metasploit-xmlrpc-brute.nse",
            "metasploit-msgrpc-brute.nse",
            "metasploit-info.nse",
            "memcached-info.nse",
            "membase-http-info.nse",
            "membase-brute.nse",
            "mcafee-epo-agent.nse",
            "maxdb-info.nse",
            "lu-enum.nse",
            "lltd-discovery.nse",
            "lexmark-config.nse",
            "ldap-search.nse",
            "ldap-rootdse.nse",
            "ldap-novell-getpass.nse",
            "ldap-brute.nse",
            "krb5-enum-users.nse",
            "knx-gateway-info.nse",
            "jdwp-version.nse",
            "jdwp-inject.nse",
            "jdwp-info.nse",
            "jdwp-exec.nse",
            "isns-info.nse",
            "iscsi-info.nse",
            "iscsi-brute.nse",
            "irc-unrealircd-backdoor.nse",
            "irc-sasl-brute.nse",
            "imap-capabilities.nse",
            "irc-info.nse",
            "irc-brute.nse",
            "irc-botnet-channels.nse",
            "knx-gateway-discover.nse",
            "ipv6-ra-flood.nse",
            "ipv6-node-info.nse",
            "ipv6-multicast-mld-list.nse",
            "ipmi-version.nse",
            "ipmi-cipher-zero.nse",
            "ipmi-brute.nse",
            "ike-version.nse",
            "iec-identify.nse",
            "ipidseq.nse",
            "ip-https-discover.nse",
            "ip-geolocation-maxmind.nse",
            "ip-geolocation-map-kml.nse",
            "ip-geolocation-map-google.nse",
            "ip-geolocation-map-bing.nse",
            "ip-geolocation-ipinfodb.nse",
            "ip-geolocation-geoplugin.nse",
            "ip-forwarding.nse",
            "informix-tables.nse",
            "informix-query.nse",
            "informix-brute.nse",
            "impress-remote-discover.nse",
            "imap-ntlm-info.nse",
            "imap-brute.nse",
            "icap-info.nse",
            "iax2-version.nse",
            "iax2-brute.nse",
            "http-xssed.nse",
            "http-vlcstreamer-ls.nse",
            "http-wordpress-users.nse",
            "http-wordpress-enum.nse",
            "http-wordpress-brute.nse",
            "http-webdav-scan.nse",
            "http-waf-fingerprint.nse",
            "http-waf-detect.nse",
            "http-vuln-wnr1000-creds.nse",
            "http-vuln-misfortune-cookie.nse",
            "http-vuln-cve2017-1001000.nse",
            "http-vuln-cve2017-8917.nse",
            "http-vuln-cve2017-5689.nse",
            "http-vuln-cve2017-5638.nse",
            "http-vuln-cve2015-1635.nse",
            "http-vuln-cve2015-1427.nse",
            "http-vuln-cve2014-8877.nse",
            "http-vuln-cve2014-3704.nse",
            "http-vuln-cve2014-2129.nse",
            "http-vuln-cve2014-2128.nse",
            "http-vuln-cve2014-2127.nse",
            "http-vuln-cve2014-2126.nse",
            "http-vuln-cve2013-7091.nse",
            "http-vuln-cve2013-6786.nse",
            "http-vuln-cve2013-0156.nse",
            "http-vuln-cve2012-1823.nse",
            "http-vuln-cve2011-3368.nse",
            "http-vuln-cve2011-3192.nse",
            "http-vuln-cve2010-2861.nse",
            "http-vuln-cve2010-0738.nse",
            "http-vuln-cve2009-3960.nse",
            "http-vuln-cve2006-3392.nse",
            "http-vmware-path-vuln.nse",
            "http-virustotal.nse",
            "http-vhosts.nse",
            "http-userdir-enum.nse",
            "http-unsafe-output-escaping.nse",
            "http-trane-info.nse",
            "http-sitemap-generator.nse",
            "http-trace.nse",
            "http-tplink-dir-traversal.nse",
            "http-title.nse",
            "http-svn-info.nse",
            "http-svn-enum.nse",
            "http-stored-xss.nse",
            "http-traceroute.nse",
            "https-redirect.nse",
            "http-useragent-tester.nse",
            "http-sql-injection.nse",
            "http-slowloris-check.nse",
            "http-slowloris.nse",
            "http-headers.nse",
            "http-shellshock.nse",
            "http-server-header.nse",
            "http-security-headers.nse",
            "http-sap-netweaver-leak.nse",
            "http-robtex-shared-ns.nse",
            "http-robots.txt.nse",
            "http-rfi-spider.nse",
            "http-referer-checker.nse",
            "http-qnap-nas-info.nse",
            "http-put.nse",
            "http-proxy-brute.nse",
            "http-robtex-reverse-ip.nse",
            "http-phpself-xss.nse",
            "http-phpmyadmin-dir-traversal.nse",
            "http-passwd.nse",
            "http-open-redirect.nse",
            "http-open-proxy.nse",
            "http-ntlm-info.nse",
            "http-mobileversion-checker.nse",
            "http-method-tamper.nse",
            "http-methods.nse",
            "http-mcmp.nse",
            "http-malware-host.nse",
            "http-majordomo2-dir-traversal.nse",
            "http-ls.nse",
            "http-litespeed-sourcecode-download.nse",
            "http-joomla-brute.nse",
            "http-internal-ip-disclosure.nse",
            "http-jsonp-detection.nse",
            "http-iis-webdav-vuln.nse",
            "http-iis-short-name-brute.nse",
            "http-icloud-sendmsg.nse",
            "http-icloud-findmyiphone.nse",
            "http-hp-ilo-info.nse",
            "http-grep.nse",
            "http-google-malware.nse",
            "http-gitweb-projects-enum.nse",
            "http-git.nse",
            "http-generator.nse",
            "http-frontpage-login.nse",
            "http-form-fuzzer.nse",
            "http-form-brute.nse",
            "http-fileupload-exploiter.nse",
            "http-fetch.nse",
            "http-feed.nse",
            "hddtemp-info.nse",
            "http-favicon.nse",
            "ftp-anon.nse",
            "http-exif-spider.nse",
            "http-errors.nse",
            "http-enum.nse",
            "http-drupal-enum-users.nse",
            "http-huawei-hg5xx-vuln.nse",
            "http-drupal-enum.nse",
            "http-domino-enum-passwords.nse",
            "http-dombased-xss.nse",
            "http-dlink-backdoor.nse",
            "fingerprint-strings.nse",
            "http-devframework.nse",
            "http-default-accounts.nse",
            "http-date.nse",
            "http-csrf.nse",
            "http-cross-domain-policy.nse",
            "http-cors.nse",
            "http-cookie-flags.nse",
            "http-config-backup.nse",
            "http-comments-displayer.nse",
            "http-coldfusion-subzero.nse",
            "http-cisco-anyconnect.nse",
            "http-chrono.nse",
            "http-cakephp-version.nse",
            "http-brute.nse",
            "http-bigip-cookie.nse",
            "http-barracuda-dir-traversal.nse",
            "http-backup-finder.nse",
            "http-axis2-dir-traversal.nse",
            "http-awstatstotals-exec.nse",
            "http-avaya-ipoffice-users.nse",
            "http-auth-finder.nse",
            "http-auth.nse",
            "http-aspnet-debug.nse",
            "http-apache-server-status.nse",
            "http-apache-negotiation.nse",
            "http-affiliate-id.nse",
            "http-adobe-coldfusion-apsa1301.nse",
            "hostmap-robtex.nse",
            "hostmap-crtsh.nse",
            "hostmap-bfk.nse",
            "hnap-info.nse",
            "hbase-region-info.nse",
            "hbase-master-info.nse",
            "hadoop-tasktracker-info.nse",
            "hadoop-secondary-namenode-info.nse",
            "hadoop-namenode-info.nse",
            "hadoop-jobtracker-info.nse",
            "hadoop-datanode-info.nse",
            "gpsd-info.nse",
            "gopher-ls.nse",
            "gkrellm-info.nse",
            "giop-info.nse",
            "ganglia-info.nse",
            "ftp-vuln-cve2010-4221.nse",
            "ftp-vsftpd-backdoor.nse",
            "ftp-syst.nse",
            "ftp-proftpd-backdoor.nse",
            "ftp-libopie.nse",
            "ftp-brute.nse",
            "ftp-bounce.nse",
            "freelancer-info.nse",
            "fox-info.nse",
            "flume-master-info.nse",
            "firewall-bypass.nse",
            "firewalk.nse",
            "cups-queue-info.nse",
            "cics-info.nse",
            "finger.nse",
            "fcrdns.nse",
            "eppc-enum-processes.nse",
            "epmd-info.nse",
            "enip-info.nse",
            "eap-info.nse",
            "duplicates.nse",
            "drda-info.nse",
            "drda-brute.nse",
            "dpap-brute.nse",
            "domino-enum-users.nse",
            "domcon-cmd.nse",
            "domcon-brute.nse",
            "docker-version.nse",
            "dns-zone-transfer.nse",
            "dns-zeustracker.nse",
            "dns-update.nse",
            "dns-srv-enum.nse",
            "bjnp-discover.nse",
            "banner.nse",
            "dns-service-discovery.nse",
            "dns-recursion.nse",
            "dns-random-txid.nse",
            "auth-spoof.nse",
            "dns-random-srcport.nse",
            "dns-nsid.nse",
            "dns-nsec-enum.nse",
            "dns-nsec3-enum.nse",
            "dns-ip6-arpa-scan.nse",
            "dns-fuzz.nse",
            "dns-client-subnet-scan.nse",
            "dns-check-zone.nse",
            "dns-cache-snoop.nse",
            "dns-brute.nse",
            "dns-blacklist.nse",
            "distcc-cve2004-2687.nse",
            "dict-info.nse",
            "dicom-ping.nse",
            "dicom-brute.nse",
            "dhcp-discover.nse",
            "deluge-rpc-brute.nse",
            "db2-das-info.nse",
            "daytime.nse",
            "daap-get-library.nse",
            "cvs-brute-repository.nse",
            "cvs-brute.nse",
            "cups-info.nse",
            "creds-summary.nse",
            "couchdb-stats.nse",
            "couchdb-databases.nse",
            "coap-resources.nse",
            "clock-skew.nse",
            "clamav-exec.nse",
            "citrix-enum-servers-xml.nse",
            "citrix-enum-servers.nse",
            "citrix-enum-apps-xml.nse",
            "citrix-enum-apps.nse",
            "citrix-brute-xml.nse",
            "cics-user-enum.nse",
            "cics-user-brute.nse",
            "cics-enum.nse",
            "cccam-version.nse",
            "cassandra-info.nse",
            "cassandra-brute.nse",
            "broadcast-xdmcp-discover.nse",
            "broadcast-wsdd-discover.nse",
            "broadcast-wpad-discover.nse",
            "broadcast-wake-on-lan.nse",
            "broadcast-versant-locate.nse",
            "broadcast-upnp-info.nse",
            "broadcast-tellstick-discover.nse",
            "broadcast-sybase-asa-discover.nse",
            "broadcast-sonicwall-discover.nse",
            "broadcast-ripng-discover.nse",
            "broadcast-rip-discover.nse",
            "broadcast-pppoe-discover.nse",
            "broadcast-ping.nse",
            "broadcast-pim-discovery.nse",
            "broadcast-pc-duo.nse",
            "broadcast-pc-anywhere.nse",
            "broadcast-ospf2-discover.nse",
            "broadcast-novell-locate.nse",
            "broadcast-networker-discover.nse",
            "broadcast-netbios-master-browser.nse",
            "broadcast-ms-sql-discover.nse",
            "broadcast-listener.nse",
            "broadcast-jenkins-discover.nse",
            "ajp-headers.nse",
            "broadcast-hid-discoveryd.nse",
            "broadcast-eigrp-discovery.nse",
            "broadcast-dropbox-listener.nse",
            "broadcast-dns-service-discovery.nse",
            "broadcast-dhcp-discover.nse",
            "broadcast-dhcp6-discover.nse",
            "broadcast-db2-discover.nse",
            "broadcast-bjnp-discover.nse",
            "broadcast-avahi-dos.nse",
            "broadcast-ataoe-discover.nse",
            "bittorrent-discovery.nse",
            "bitcoinrpc-info.nse",
            "bitcoin-info.nse",
            "bitcoin-getaddr.nse",
            "bacnet-info.nse",
            "backorifice-info.nse",
            "backorifice-brute.nse",
            "auth-owners.nse",
            "asn-query.nse",
            "amqp-info.nse",
            "allseeingeye-info.nse",
            "ajp-request.nse",
            "ajp-methods.nse",
            "ajp-brute.nse",
            "ajp-auth.nse",
            "afp-showmount.nse",
            "afp-serverinfo.nse",
            "afp-path-vuln.nse",
            "afp-ls.nse",
            "afp-brute.nse",
            "address-info.nse",
            "acarsd-info.nse",
            "https://seclists.org/nmap-dev/2011/q4/420",
            "https://viz.greynoise.io/analysis/001f6d4e-555b-49d3-a714-e71deea739d0"
          ],
          "public": 1,
          "adversary": "",
          "targeted_countries": [],
          "malware_families": [],
          "attack_ids": [
            {
              "id": "T1127",
              "name": "Trusted Developer Utilities Proxy Execution",
              "display_name": "T1127 - Trusted Developer Utilities Proxy Execution"
            },
            {
              "id": "T1110",
              "name": "Brute Force",
              "display_name": "T1110 - Brute Force"
            },
            {
              "id": "T1222",
              "name": "File and Directory Permissions Modification",
              "display_name": "T1222 - File and Directory Permissions Modification"
            },
            {
              "id": "T1134",
              "name": "Access Token Manipulation",
              "display_name": "T1134 - Access Token Manipulation"
            },
            {
              "id": "T1547",
              "name": "Boot or Logon Autostart Execution",
              "display_name": "T1547 - Boot or Logon Autostart Execution"
            },
            {
              "id": "T1059",
              "name": "Command and Scripting Interpreter",
              "display_name": "T1059 - Command and Scripting Interpreter"
            },
            {
              "id": "T1049",
              "name": "System Network Connections Discovery",
              "display_name": "T1049 - System Network Connections Discovery"
            }
          ],
          "industries": [],
          "TLP": "white",
          "cloned_from": null,
          "export_count": 107,
          "upvotes_count": 0,
          "downvotes_count": 0,
          "votes_count": 0,
          "locked": false,
          "pulse_source": "web",
          "validator_count": 0,
          "comment_count": 0,
          "follower_count": 0,
          "vote": 0,
          "author": {
            "username": "Disable_Duck",
            "id": "244325",
            "avatar_url": "/otxapi/users/avatar_image/media/avatars/user_244325/resized/80/avatar_3b9c358f36.png",
            "is_subscribed": false,
            "is_following": false
          },
          "indicator_type_counts": {
            "domain": 288,
            "FileHash-MD5": 52,
            "URL": 218,
            "hostname": 180,
            "email": 33,
            "CIDR": 14,
            "CVE": 76,
            "FileHash-SHA1": 48,
            "FileHash-SHA256": 841
          },
          "indicator_count": 1750,
          "is_author": false,
          "is_subscribing": null,
          "subscriber_count": 132,
          "modified_text": "675 days ago ",
          "is_modified": true,
          "groups": [],
          "in_group": false,
          "threat_hunter_scannable": true,
          "threat_hunter_has_agents": 1,
          "related_indicator_type": "domain",
          "related_indicator_is_active": 1
        },
        {
          "id": "66140ea725356bd028ab9f58",
          "name": "Dump from unbooted fresh Arch install",
          "description": "Found an interesting Rust lib in a still-chrooted fresh Arch install - whether it's relevant is still to be determined. Still having issues with OTX not wanting to take actual files. Will wring this out a little more and repost with file hashes.",
          "modified": "2024-04-08T15:35:03.223000",
          "created": "2024-04-08T15:35:03.223000",
          "tags": [
            "poetratpython",
            "enum",
            "struct",
            "tuple",
            "cstylevariant",
            "tuplevariant",
            "structvariant",
            "empty",
            "singletonenum",
            "regularenum",
            "compressedenum",
            "rust",
            "sbvalue",
            "rusttype",
            "backcompat",
            "init",
            "valobj",
            "true class",
            "nonnull",
            "rawvec",
            "value",
            "unique",
            "sbvalue start",
            "logger",
            "rust type",
            "vecdeque",
            "btreeset",
            "btreemap",
            "hashmap",
            "hashset",
            "cell",
            "refmut",
            "refcell",
            "zerofield",
            "index",
            "discriminant",
            "firstfield",
            "valueprinter",
            "enumprovider",
            "wtf8buf",
            "file",
            "e402 import",
            "usrbinxwayland",
            "usrbincargo",
            "usrbingawk",
            "usrbinnvme",
            "usrbinqmake",
            "usrbinsqlite3",
            "usrbinusermod",
            "usrbinzsh",
            "usrlibxorg",
            "usrlib64xorg",
            "helper",
            "printbyrusttype",
            "call",
            "stdrefprovider",
            "false return",
            "true",
            "issuspicious",
            "bignumbers1",
            "bignumbers3",
            "sha1constants",
            "md5constants",
            "bignumbers0",
            "crc32table",
            "base64table",
            "bignumbers4",
            "rooter",
            "javadropper",
            "warp"
          ],
          "references": [
            "rter",
            "rkit",
            "PoetRat_python",
            "rust_types.py",
            "silent_banker",
            "lldb_lookup.py",
            "lldb_providers.py",
            "lldb_commands",
            "gdm3-config-err-UQm6Ec",
            "gdb_providers.py",
            "gdb_load_rust_pretty_printers.py",
            "ldpreld",
            "gdb_lookup.py",
            "pre-f-boot.txt"
          ],
          "public": 1,
          "adversary": "",
          "targeted_countries": [],
          "malware_families": [],
          "attack_ids": [],
          "industries": [],
          "TLP": "white",
          "cloned_from": null,
          "export_count": 22,
          "upvotes_count": 0,
          "downvotes_count": 0,
          "votes_count": 0,
          "locked": false,
          "pulse_source": "web",
          "validator_count": 0,
          "comment_count": 0,
          "follower_count": 0,
          "vote": 0,
          "author": {
            "username": "Merkd1904",
            "id": "196517",
            "avatar_url": "https://otx.alienvault.com/assets/images/default-avatar.png",
            "is_subscribed": false,
            "is_following": false
          },
          "indicator_type_counts": {
            "domain": 178,
            "FileHash-SHA1": 2,
            "hostname": 43
          },
          "indicator_count": 223,
          "is_author": false,
          "is_subscribing": null,
          "subscriber_count": 72,
          "modified_text": "782 days ago ",
          "is_modified": false,
          "groups": [],
          "in_group": false,
          "threat_hunter_scannable": true,
          "threat_hunter_has_agents": 1,
          "related_indicator_type": "domain",
          "related_indicator_is_active": 1
        },
        {
          "id": "65707f8475d8a8785dfc5a2f",
          "name": "Zetalytics API",
          "description": "",
          "modified": "2023-12-06T14:04:52.250000",
          "created": "2023-12-06T14:04:52.250000",
          "tags": [],
          "references": [],
          "public": 1,
          "adversary": "",
          "targeted_countries": [],
          "malware_families": [],
          "attack_ids": [],
          "industries": [],
          "TLP": "green",
          "cloned_from": null,
          "export_count": 2,
          "upvotes_count": 0,
          "downvotes_count": 0,
          "votes_count": 0,
          "locked": false,
          "pulse_source": "api",
          "validator_count": 0,
          "comment_count": 0,
          "follower_count": 0,
          "vote": 0,
          "author": {
            "username": "StreamMiningEx",
            "id": "262917",
            "avatar_url": "https://otx.alienvault.com/assets/images/default-avatar.png",
            "is_subscribed": false,
            "is_following": false
          },
          "indicator_type_counts": {
            "FileHash-SHA256": 754,
            "hostname": 833,
            "domain": 441,
            "URL": 2375,
            "CIDR": 5,
            "FileHash-MD5": 2,
            "email": 1
          },
          "indicator_count": 4411,
          "is_author": false,
          "is_subscribing": null,
          "subscriber_count": 109,
          "modified_text": "906 days ago ",
          "is_modified": false,
          "groups": [],
          "in_group": false,
          "threat_hunter_scannable": true,
          "threat_hunter_has_agents": 1,
          "related_indicator_type": "domain",
          "related_indicator_is_active": 1
        },
        {
          "id": "621bc3aa050a6c5693595f25",
          "name": "Zetalytics API",
          "description": "",
          "modified": "2022-03-29T00:03:34.773000",
          "created": "2022-02-27T18:32:10.542000",
          "tags": [
            "google",
            "google llc",
            "detected",
            "expand overall",
            "http",
            "amazonaes",
            "openssl",
            "lookup go",
            "rescan add",
            "verdict report",
            "behaviour",
            "june",
            "apache",
            "search url",
            "search domain",
            "scan url",
            "url search",
            "domain scan",
            "url url",
            "us summary",
            "line",
            "google maps",
            "api warning",
            "redirects links",
            "similar dom",
            "content api",
            "domains",
            "Ransomware"
          ],
          "references": [
            "zetalytics .pdf"
          ],
          "public": 1,
          "adversary": "",
          "targeted_countries": [],
          "malware_families": [
            {
              "id": "Win.Virus.PolyRansom-5704625-0",
              "display_name": "Win.Virus.PolyRansom-5704625-0",
              "target": null
            },
            {
              "id": "Win32:Cryptor",
              "display_name": "Win32:Cryptor",
              "target": null
            },
            {
              "id": "TELPER:CERT:SoftwareBundler:Win32/Bunpredelt",
              "display_name": "TELPER:CERT:SoftwareBundler:Win32/Bunpredelt",
              "target": null
            },
            {
              "id": "Trojan:Win32/Danabot.G",
              "display_name": "Trojan:Win32/Danabot.G",
              "target": "/malware/Trojan:Win32/Danabot.G"
            },
            {
              "id": "Backdoor:Win32/Poison.E",
              "display_name": "Backdoor:Win32/Poison.E",
              "target": "/malware/Backdoor:Win32/Poison.E"
            },
            {
              "id": "ALF:PUA:Block:IObit.R!MTB",
              "display_name": "ALF:PUA:Block:IObit.R!MTB",
              "target": null
            }
          ],
          "attack_ids": [],
          "industries": [],
          "TLP": "white",
          "cloned_from": null,
          "export_count": 5,
          "upvotes_count": 0,
          "downvotes_count": 0,
          "votes_count": 0,
          "locked": false,
          "pulse_source": "web",
          "validator_count": 0,
          "comment_count": 0,
          "follower_count": 0,
          "vote": 0,
          "author": {
            "username": "Kailula4",
            "id": "131997",
            "avatar_url": "https://otx.alienvault.com/assets/images/default-avatar.png",
            "is_subscribed": false,
            "is_following": false
          },
          "indicator_type_counts": {
            "FileHash-SHA256": 754,
            "URL": 2375,
            "domain": 441,
            "hostname": 833,
            "CIDR": 5,
            "FileHash-MD5": 2,
            "email": 1
          },
          "indicator_count": 4411,
          "is_author": false,
          "is_subscribing": null,
          "subscriber_count": 405,
          "modified_text": "1524 days ago ",
          "is_modified": true,
          "groups": [],
          "in_group": false,
          "threat_hunter_scannable": true,
          "threat_hunter_has_agents": 1,
          "related_indicator_type": "domain",
          "related_indicator_is_active": 1
        }
      ],
      "references": [
        "broadcast-db2-discover.nse",
        "ip-geolocation-map-kml.nse",
        "http-dombased-xss.nse",
        "asn-query.nse",
        "hbase-master-info.nse",
        "snmp-win32-users.nse",
        "couchdb-databases.nse",
        "metasploit-xmlrpc-brute.nse",
        "http-enum.nse",
        "makedefs.out",
        "autofs.conf",
        "http-dlink-backdoor.nse",
        "hostmap-crtsh.nse",
        "smtp-commands.nse",
        "ncp-enum-users.nse",
        "dns-service-discovery.nse",
        "smtp-strangeport.nse",
        "broadcast-eigrp-discovery.nse",
        "dns-zone-transfer.nse",
        "openvas-otp-brute.nse",
        "http-stored-xss.nse",
        "knx-gateway-info.nse",
        "ms-sql-dac.nse",
        "socks-brute.nse",
        "LocalAuthentication.tbd",
        "reverse-index.nse",
        "http-vmware-path-vuln.nse",
        "drda-info.nse",
        "ipmi-brute.nse",
        "usbDevices.csv",
        "uptime-agent-info.nse",
        "ssl-date.nse",
        "smb2-time.nse",
        "riak-http-info.nse",
        "http-default-accounts.nse",
        "certificates.csv",
        "smb-vuln-conficker.nse",
        "pf.os",
        "targets-ipv6-multicast-slaac.nse",
        "oracle-enum-users.nse",
        "find.codes",
        "csh.login",
        "maxdb-info.nse",
        "skypev2-version.nse",
        "nbd-info.nse",
        "http-csrf.nse",
        "smb-server-stats.nse",
        "snmp-win32-services.nse",
        "Admin.tbd",
        "CodeResources",
        "module.modulemap",
        "snmp-info.nse",
        "afp-brute.nse",
        "protocols",
        "dns-srv-enum.nse",
        "http-vuln-cve2017-1001000.nse",
        "interfaceDetails.csv",
        "smb-os-discovery.nse",
        "http-slowloris-check.nse",
        "http-apache-server-status.nse",
        "dbixs_rev.h",
        "lexmark-config.nse",
        "http-vuln-cve2011-3192.nse",
        "mqtt-subscribe.nse",
        "ftp-bounce.nse",
        "smb-mbenum.nse",
        "ajp-auth.nse",
        "http-coldfusion-subzero.nse",
        "http-open-redirect.nse",
        "rtsp-url-brute.nse",
        "lldb_providers.py",
        "https://vtbehaviour.commondatastorage.googleapis.com/edb4c21d60daa44b3429e7ba9bfa342759ebef23c136c934f74aef145453ce19_CAPE%20Sandbox.html?GoogleAccessId=758681729565-rc7fgq07icj8c9dm2gi34a4cckv235v1@developer.gserviceaccount.com&Expires=1775737365&Signature=S%2B7RcHYjab1hbKlKwFfvUbDirFPJS1A2TJQ3bVIObMcON4PD9pRDvhMtYMCnEBrYsICi0UJCFW5eUDolL5Jlbngsc587kF36vvuhlkPprbkSOY1jOyDTpe3Qsb6jRFz3xwOfZc9S5QervoLnRKb%2FyGSyZE6ZK6TxzBrOPczPtZ7sLf9NfD6E%2B2gMRXaRjEqVwVITLG7YqCiiNuohFOuNlK3uNHFpIk53viKvBSAIqLtSklH9bHW4q1DX",
        "http-wordpress-enum.nse",
        "broadcast-wpad-discover.nse",
        "http-referer-checker.nse",
        "cccam-version.nse",
        "broadcast-jenkins-discover.nse",
        "cvs-brute.nse",
        "lltd-discovery.nse",
        "MCPeerID.h",
        "jdwp-inject.nse",
        "http-date.nse",
        "http-sitemap-generator.nse",
        "http-apache-negotiation.nse",
        "http-server-header.nse",
        "http-affiliate-id.nse",
        "launchdaemons.txt",
        "versant-info.nse",
        "smtp-open-relay.nse",
        "http-vuln-cve2006-3392.nse",
        "group",
        "ip-geolocation-map-google.nse",
        "http-vhosts.nse",
        "rdp-enum-encryption.nse",
        "bittorrent-discovery.nse",
        "pjl-ready-message.nse",
        "MultipeerConnectivity.apinotes",
        "http-aspnet-debug.nse",
        "amqp-info.nse",
        "https://vtbehaviour.commondatastorage.googleapis.com/087797e64cf016f13eac46473b4150d49c7eba564c894300f69bc643b059c980_Zenbox.html?GoogleAccessId=758681729565-rc7fgq07icj8c9dm2gi34a4cckv235v1@developer.gserviceaccount.com&Expires=1775739500&Signature=r1pLCgJf%2FQK8TvenCwXy9bnghFzjJ5QssdQSLP37SLv6EkA3WXuFUIvKrsXKokco7bMfQUy%2FArk8F6aP%2Bhaj16Jv7P%2FGB%2Blf7mPvs47VjwfBJRCP8AZLlWvO45%2BjC68v798csdJFPTP31O4yDOE3pXZ3EThm4nSrIwLPhTSPfi3cPlEh2wLSzcySW7BYLw%2BqCoawFCxeLUz7hIV0vC89Mlwi3DeS%2BEnWFF%2FsvT9lVJjdbLoJLEeO",
        "interfaceAddrs.csv",
        "nbstat.nse",
        "fingerprint-strings.nse",
        "http-cors.nse",
        "http-waf-fingerprint.nse",
        "netbus-info.nse",
        "nbns-interfaces.nse",
        "sstp-discover.nse",
        "clamav-exec.nse",
        "BUILDING",
        "xmpp-info.nse",
        "http-virustotal.nse",
        "weblogic-t3-info.nse",
        "qscan.nse",
        "bjnp-discover.nse",
        "csh.cshrc",
        "http-drupal-enum-users.nse",
        "openflow-info.nse",
        "DBIXS.h",
        "http-vuln-misfortune-cookie.nse",
        "mounts.txt",
        "http-jsonp-detection.nse",
        "http-bigip-cookie.nse",
        "csh.logout",
        "http-icloud-sendmsg.nse",
        "http-put.nse",
        "script.db",
        "rusers.nse",
        "master.cf",
        "ms-sql-brute.nse",
        "hbase-region-info.nse",
        "rmi-dumpregistry.nse",
        "com.apple.screensharing.agent.launchd",
        "svn-brute.nse",
        "rust_types.py",
        "hadoop-tasktracker-info.nse",
        "omron-info.nse",
        "http-iis-webdav-vuln.nse",
        "citrix-enum-servers.nse",
        "pop3-brute.nse",
        "ipmi-version.nse",
        "broadcast-ms-sql-discover.nse",
        "ventrilo-info.nse",
        "imap-capabilities.nse",
        "http-vuln-cve2014-2126.nse",
        "firewalk.nse",
        "nfs-showmount.nse",
        "snmp-hh3c-logins.nse",
        "iax2-brute.nse",
        "kernel.csv",
        "ms-sql-config.nse",
        "smtp-vuln-cve2010-4344.nse",
        "sshv1.nse",
        "smtp-enum-users.nse",
        "man.conf",
        "ftp-vuln-cve2010-4221.nse",
        "dpap-brute.nse",
        "smb-vuln-cve2009-3103.nse",
        "cics-user-brute.nse",
        "citrix-brute-xml.nse",
        "dbd_xsh.h",
        "murmur-version.nse",
        "smb-vuln-webexec.nse",
        "broadcast-wake-on-lan.nse",
        "smb-ls.nse",
        "smtp-ntlm-info.nse",
        "http-trace.nse",
        "http-vuln-cve2011-3368.nse",
        "bashrc_Apple_Terminal",
        "ssh-run.nse",
        "netbus-version.nse",
        "http-vuln-cve2014-2129.nse",
        "launchagents.txt",
        "http-git.nse",
        "citrix-enum-apps-xml.nse",
        "vnc-title.nse",
        "upnp-info.nse",
        "sip-brute.nse",
        "ajp-methods.nse",
        "dns-blacklist.nse",
        "citrix-enum-apps.nse",
        "http-vuln-cve2010-0738.nse",
        "https://vtbehaviour.commondatastorage.googleapis.com/edb4c21d60daa44b3429e7ba9bfa342759ebef23c136c934f74aef145453ce19_Zenbox.html?GoogleAccessId=758681729565-rc7fgq07icj8c9dm2gi34a4cckv235v1@developer.gserviceaccount.com&Expires=1775737710&Signature=fbsokraSd7lsYmUfaTEl8Phs2K3hp7AtVmQU9axeEBcYmYbrrYrrfpP5lPEQaE%2Fh3%2BEP9Rn8mD8D1haqQVXCN0VVlxJ4sddjWmyC5USsgBsvUb0%2F72h1WHDS2KXHlteZWE%2Bauckabain9D5kX501AnqFY38s77OIqO6SMOkQ%2BvXiDSSRK%2FZhbfradBnei3ZLHsXGxkoshTyvB0%2BC%2F8SiUzdVsqSjik0Bn2r%2BIlLpDQK90GlZTD0N",
        "ldpreld",
        "https://unit42.paloaltonetworks.com/adaptixc2-post-exploitation-framework/",
        "path-mtu.nse",
        "oracle-sid-brute.nse",
        "http-barracuda-dir-traversal.nse",
        "address-info.nse",
        "afp-showmount.nse",
        "dns-client-subnet-scan.nse",
        "rsa-vuln-roca.nse",
        "qconn-exec.nse",
        "dns-nsec-enum.nse",
        "newsyslog.conf",
        "broadcast-dhcp6-discover.nse",
        "TLS_LICENSE",
        "tftp-enum.nse",
        "zetalytics .pdf",
        "main.cf.default",
        "vuze-dht-info.nse",
        "hook_op_check.h",
        "MCNearbyServiceAdvertiser.h",
        "lldb_lookup.py",
        "memcached-info.nse",
        "http-headers.nse",
        "battery.csv",
        "cics-enum.nse",
        "networks",
        "broadcast-tellstick-discover.nse",
        "ipv6-ra-flood.nse",
        "telnet-brute.nse",
        "broadcast-avahi-dos.nse",
        "ovs-agent-version.nse",
        "profile",
        "dns-ip6-arpa-scan.nse",
        "gettytab",
        "http-sql-injection.nse",
        "http-cisco-anyconnect.nse",
        "lldb_commands",
        "lu-enum.nse",
        "snmp-win32-software.nse",
        "drda-brute.nse",
        "broadcast-dhcp-discover.nse",
        "redis-brute.nse",
        "allseeingeye-info.nse",
        "dbi_sql.h",
        "dns-brute.nse",
        "backorifice-brute.nse",
        "smb-webexec-exploit.nse",
        "broadcast-netbios-master-browser.nse",
        "mysql-empty-password.nse",
        "tn3270-screen.nse",
        "http-phpmyadmin-dir-traversal.nse",
        "ssh-auth-methods.nse",
        "nessus-brute.nse",
        "ntp-info.nse",
        "knx-gateway-discover.nse",
        "xmpp-brute.nse",
        "http-vuln-wnr1000-creds.nse",
        "stun-info.nse",
        "http-fetch.nse",
        "broadcast-listener.nse",
        "caching.html",
        "rmtab",
        "arm64e-apple-ios-macabi.swiftinterface",
        "broadcast-sybase-asa-discover.nse",
        "MCAdvertiserAssistant.h",
        "http-vuln-cve2017-5638.nse",
        "http-vuln-cve2014-2127.nse",
        "APConfigurationSystem.tbd",
        "snmp-brute.nse",
        "broadcast-rip-discover.nse",
        "afp-serverinfo.nse",
        "metasploit-info.nse",
        "lber.h",
        "redis-info.nse",
        "http-config-backup.nse",
        "ldap-search.nse",
        "broadcast-pim-discovery.nse",
        "smb-double-pulsar-backdoor.nse",
        "nje-node-brute.nse",
        "broadcast-versant-locate.nse",
        "auto_home",
        "https://vtbehaviour.commondatastorage.googleapis.com/087797e64cf016f13eac46473b4150d49c7eba564c894300f69bc643b059c980_CAPE%20Sandbox.html?GoogleAccessId=758681729565-rc7fgq07icj8c9dm2gi34a4cckv235v1@developer.gserviceaccount.com&Expires=1775739700&Signature=bOTo%2FxCpGDGOsIKJDZjBBhLZRg8UiOGi%2FvVr47Xpmh7tOh9dez7911bi%2F9SUdu4ATLhzRVog%2BdVP%2BUPwTuEfIdEcPuGRGVc1KOSP3fTQrKhRjF3x2dqykxVCH%2B1iqBmCgod%2B1uAdlraxqSOeOgst1l%2Bk250uXff4axktE%2BfGjeNDeGJao%2FfOMktqIL7zU8%2BIQYTObwelnnYx45FBSiXI1bWM4vhdgIX4cs2cT%2F",
        "paths",
        "hostmap-bfk.nse",
        "whois-domain.nse",
        "targets-ipv6-map4to6.nse",
        "http-majordomo2-dir-traversal.nse",
        "broadcast-pc-anywhere.nse",
        "http-method-tamper.nse",
        "http-svn-enum.nse",
        "tls-alpn.nse",
        "vmware-version.nse",
        "s7-info.nse",
        "http-generator.nse",
        "telnet-encryption.nse",
        "smb2-capabilities.nse",
        "smb-enum-shares.nse",
        "unusual-port.nse",
        "http-devframework.nse",
        "ssh-hostkey.nse",
        "jdwp-info.nse",
        "http-hp-ilo-info.nse",
        "freelancer-info.nse",
        "nrpe-enum.nse",
        "AppleFirmwareUpdate.tbd",
        "http-chrono.nse",
        "http-form-brute.nse",
        "mysql-brute.nse",
        "configuring.html",
        "http-unsafe-output-escaping.nse",
        "nfs-statfs.nse",
        "traceroute-geolocation.nse",
        "http-fileupload-exploiter.nse",
        "http-cross-domain-policy.nse",
        "http-awstatstotals-exec.nse",
        "dhcp-discover.nse",
        "mcafee-epo-agent.nse",
        "http-waf-detect.nse",
        "http-brute.nse",
        "rc.netboot",
        "http-avaya-ipoffice-users.nse",
        "dicom-brute.nse",
        "kexts.txt",
        "main.cf",
        "http-auth-finder.nse",
        "nfs-ls.nse",
        "x11-access.nse",
        "silent_banker",
        "backorifice-info.nse",
        "convenience.map",
        "ip-forwarding.nse",
        "MCNearbyServiceBrowser.h",
        "ldap-novell-getpass.nse",
        "rpcap-brute.nse",
        "quake3-master-getservers.nse",
        "dns-random-txid.nse",
        "smtp-vuln-cve2011-1764.nse",
        "custom_header_checks",
        "mrinfo.nse",
        "mounts.csv",
        "master.cf.proto",
        "nje-pass-brute.nse",
        "sip-enum-users.nse",
        "http-traceroute.nse",
        "ldap.h",
        "bitcoin-getaddr.nse",
        "rexec-brute.nse",
        "zshrc_Apple_Terminal",
        "broadcast-dropbox-listener.nse",
        "gdb_load_rust_pretty_printers.py",
        "http-mobileversion-checker.nse",
        "smb-vuln-regsvc-dos.nse",
        "generic",
        "irc-sasl-brute.nse",
        "stun-version.nse",
        "relocated",
        "https://www.verizon.com/business/",
        "sipConfig.csv",
        "auto_master",
        "ms-sql-query.nse",
        "mysql-variables.nse",
        "cvs-brute-repository.nse",
        "notify.conf",
        "AirPlayReceiver.tbd",
        "http-vuln-cve2017-5689.nse",
        "ssl-dh-params.nse",
        "http-svn-info.nse",
        "http-rfi-spider.nse",
        "broadcast-hid-discoveryd.nse",
        "gpsd-info.nse",
        "rtadvd.conf",
        "eppc-enum-processes.nse",
        "unittest.nse",
        "shodan-api.nse",
        "broadcast-pppoe-discover.nse",
        "broadcast-ripng-discover.nse",
        "content-negotiation.html",
        "openlookup-info.nse",
        "ipv6-node-info.nse",
        "smb-enum-processes.nse",
        "bashrc",
        "http-joomla-brute.nse",
        "broadcast-dns-service-discovery.nse",
        "Info.plist",
        "http-qnap-nas-info.nse",
        "http-form-fuzzer.nse",
        "domino-enum-users.nse",
        "jdwp-version.nse",
        "smb-vuln-ms10-061.nse",
        "snmp-processes.nse",
        "http-passwd.nse",
        "http-axis2-dir-traversal.nse",
        "daap-get-library.nse",
        "distcc-cve2004-2687.nse",
        "iec-identify.nse",
        "banner.nse",
        "sniffer-detect.nse",
        "afp-path-vuln.nse",
        "snmp-interfaces.nse",
        "rmi-vuln-classloader.nse",
        "hadoop-secondary-namenode-info.nse",
        "command_args.json",
        "http-methods.nse",
        "smb-psexec.nse",
        "ipidseq.nse",
        "voldemort-info.nse",
        "http-ls.nse",
        "iscsi-brute.nse",
        "dns-update.nse",
        "dict-info.nse",
        "gdb_lookup.py",
        "http-feed.nse",
        "rkit",
        "dns-nsec3-enum.nse",
        "http-mcmp.nse",
        "vtam-enum.nse",
        "crashes.csv",
        "gkrellm-info.nse",
        "header_checks",
        "duplicates.nse",
        "broadcast-pc-duo.nse",
        "icap-info.nse",
        "smb-vuln-ms08-067.nse",
        "informix-tables.nse",
        "cics-info.nse",
        "smb-protocols.nse",
        "ssh-brute.nse",
        "stuxnet-detect.nse",
        "ndmp-version.nse",
        "irc-info.nse",
        "http-trane-info.nse",
        "https://seclists.org/nmap-dev/2011/q4/420",
        "domcon-brute.nse",
        "snmp-ios-config.nse",
        "ntp.conf",
        "ftpusers",
        "rsync-brute.nse",
        "ip-geolocation-ipinfodb.nse",
        "systemInfo.csv",
        "access",
        "xmlrpc-methods.nse",
        "disk_structure.txt",
        "targets-ipv6-multicast-echo.nse",
        "jdwp-exec.nse",
        "domcon-cmd.nse",
        "hadoop-jobtracker-info.nse",
        "ftp-syst.nse",
        "gdm3-config-err-UQm6Ec",
        "MultipeerConnectivity.h",
        "ssl-poodle.nse",
        "broadcast-upnp-info.nse",
        "rter",
        "http-vuln-cve2010-2861.nse",
        "etcHosts.csv",
        "dns-cache-snoop.nse",
        "bounce.cf.default",
        "afp-ls.nse",
        "rsync-list-modules.nse",
        "ipv6-multicast-mld-list.nse",
        "ms-sql-hasdbaccess.nse",
        "http-open-proxy.nse",
        "smb-enum-domains.nse",
        "AOSKit.tbd",
        "nping-brute.nse",
        "chromeExtensions.csv",
        "mysql-users.nse",
        "http-wordpress-brute.nse",
        "http-domino-enum-passwords.nse",
        "MultipeerConnectivity.tbd",
        "pop3-ntlm-info.nse",
        "smb2-security-mode.nse",
        "http-huawei-hg5xx-vuln.nse",
        "hostmap-robtex.nse",
        "ssl-cert-intaddr.nse",
        "http-webdav-scan.nse",
        "ntp_opendirectory.conf",
        "managedPolicies.csv",
        "dns-zeustracker.nse",
        "zshrc",
        "http-grep.nse",
        "http-google-malware.nse",
        "dns-random-srcport.nse",
        "ms-sql-xp-cmdshell.nse",
        "http-xssed.nse",
        "nexpose-brute.nse",
        "firewall-bypass.nse",
        "smb-vuln-ms07-029.nse",
        "ms-sql-info.nse",
        "master.cf.default",
        "ssl-enum-ciphers.nse",
        "http-vuln-cve2015-1635.nse",
        "http-gitweb-projects-enum.nse",
        "cics-user-enum.nse",
        "mtrace.nse",
        "mysql-info.nse",
        "isns-info.nse",
        "sharedFolders.csv",
        "targets-xml.nse",
        "smb-vuln-cve-2017-7494.nse",
        "wsdd-discover.nse",
        "smb-vuln-ms06-025.nse",
        "irc-unrealircd-backdoor.nse",
        "http-robtex-shared-ns.nse",
        "http-exif-spider.nse",
        "ms-sql-tables.nse",
        "ssh-publickey-acceptance.nse",
        "http-vuln-cve2013-0156.nse",
        "http-malware-host.nse",
        "https://viz.greynoise.io/analysis/001f6d4e-555b-49d3-a714-e71deea739d0",
        "telnet-ntlm-info.nse",
        "ms-sql-empty-password.nse",
        "http-cakephp-version.nse",
        "sip-methods.nse",
        "ssh2-enum-algos.nse",
        "krb5-enum-users.nse",
        "iscsi-info.nse",
        "smb.conf",
        "mmouse-brute.nse",
        "socks-open-proxy.nse",
        "passwd",
        "cups-info.nse",
        "http-slowloris.nse",
        "targets-ipv6-multicast-invalid-dst.nse",
        "ftp-vsftpd-backdoor.nse",
        "mysql-vuln-cve2012-2122.nse",
        "sudo_lecture",
        "user_launchagents.txt",
        "mongodb-info.nse",
        "oracle-brute-stealth.nse",
        "diskEncryption.csv",
        "http-vuln-cve2009-3960.nse",
        "pgsql-brute.nse",
        "rtsp-methods.nse",
        "wdb-version.nse",
        "ldap-rootdse.nse",
        "servicetags.nse",
        "https://otx.alienvault.com/indicator/ip/198.49.23.145#:~:text=CIDR:%206%20%7C%20CVE:%20107,infrastructure%20into%20global%20botnet%20clusters.",
        "cassandra-brute.nse",
        "smb2-vuln-uptime.nse",
        "rpcinfo.nse",
        "imap-ntlm-info.nse",
        "smtp-vuln-cve2011-1720.nse",
        "informix-brute.nse",
        "oracle-brute.nse",
        "modbus-discover.nse",
        "x86_64-apple-macos.swiftinterface",
        "http-vlcstreamer-ls.nse",
        "socks-auth-info.nse",
        "http-sap-netweaver-leak.nse",
        "mysql-databases.nse",
        "PoetRat_python",
        "targets-ipv6-multicast-mld.nse",
        "http-comments-displayer.nse",
        "fcrdns.nse",
        "daytime.nse",
        "couchdb-stats.nse",
        "http-useragent-tester.nse",
        "http-cookie-flags.nse",
        "Driver_xst.h",
        "openwebnet-discovery.nse",
        "pop3-capabilities.nse",
        "http-title.nse",
        "netbus-auth-bypass.nse",
        "ip-geolocation-geoplugin.nse",
        "http-iis-short-name-brute.nse",
        "pre-f-boot.txt",
        "shells",
        "http-wordpress-users.nse",
        "broadcast-xdmcp-discover.nse",
        "vulners.nse",
        "dns-recursion.nse",
        "smb-flood.nse",
        "ftp-brute.nse",
        "eap-info.nse",
        "msrpc-enum.nse",
        "smb-enum-groups.nse",
        "http-internal-ip-disclosure.nse",
        "sip-call-spoof.nse",
        "realvnc-auth-bypass.nse",
        "auth-spoof.nse",
        "applications.csv",
        "smb-vuln-ms17-010.nse",
        "enip-info.nse",
        "postfix-files",
        "samba-vuln-cve-2012-1182.nse",
        "ip-geolocation-map-bing.nse",
        "db2-das-info.nse",
        "nfs.conf",
        "broadcast-ospf2-discover.nse",
        "pcworx-info.nse",
        "deluge-rpc-brute.nse",
        "rdp-vuln-ms12-020.nse",
        "irbrc",
        "tso-enum.nse",
        "http-security-headers.nse",
        "asl.conf",
        "hnap-info.nse",
        "giop-info.nse",
        "ftp-proftpd-backdoor.nse",
        "bind.html",
        "mongodb-databases.nse",
        "omp2-brute.nse",
        "MCBrowserViewController.h",
        "quake3-info.nse",
        "tls-nextprotoneg.nse",
        "xdmcp-discover.nse",
        "tls-ticketbleed.nse",
        "xtab",
        "http-robtex-reverse-ip.nse",
        "http-frontpage-login.nse",
        "smb-brute.nse",
        "http-errors.nse",
        "http-vuln-cve2015-1427.nse",
        "creds-summary.nse",
        "docker-version.nse",
        "http-drupal-enum.nse",
        "rc.common",
        "mmouse-exec.nse",
        "process_list.txt",
        "ms-sql-ntlm-info.nse",
        "http-vuln-cve2012-1823.nse",
        "puppet-naivesigning.nse",
        "ndmp-fs-info.nse",
        "dicom-ping.nse",
        "syslog.conf",
        "http-vuln-cve2017-8917.nse",
        "clock-skew.nse",
        "acarsd-info.nse",
        "cups-queue-info.nse",
        "informix-query.nse",
        "x86_64-apple-ios-macabi.swiftinterface",
        "rpcap-info.nse",
        "p2p-conficker.nse",
        "mysql-enum.nse",
        "ssl-known-key.nse",
        "rpc-grind.nse",
        "omp2-enum-targets.nse",
        "launchD.csv",
        "https-redirect.nse",
        "targets-traceroute.nse",
        "sslv2-drown.nse",
        "port-states.nse",
        "http-robots.txt.nse",
        "ftp-anon.nse",
        "irc-brute.nse",
        "custom-error.html",
        "flume-master-info.nse",
        "mail.rc",
        "ldap-brute.nse",
        "transport",
        "citrix-enum-servers-xml.nse",
        "http-litespeed-sourcecode-download.nse",
        "dns-check-zone.nse",
        "vnc-info.nse",
        "ajp-brute.nse",
        "ssl-heartbleed.nse",
        "bitcoin-info.nse",
        "rfc868-time.nse",
        "cassandra-info.nse",
        "bitcoinrpc-info.nse",
        "bacnet-info.nse",
        "afpovertcp.cfg",
        "snmp-win32-shares.nse",
        "sharingPreferences.csv",
        "snmp-netstat.nse",
        "zprofile",
        "supermicro-ipmi-conf.nse",
        "apfs_boot_mount.tbd",
        "hadoop-namenode-info.nse",
        "smb-vuln-ms10-054.nse",
        "nntp-ntlm-info.nse",
        "ipmi-cipher-zero.nse",
        "coap-resources.nse",
        "vnc-brute.nse",
        "locate.rc",
        "teamspeak2-version.nse",
        "mysql-query.nse",
        "version.plist",
        "broadcast-novell-locate.nse",
        "ajp-request.nse",
        "iax2-version.nse",
        "manpaths",
        "security_status.txt",
        "url-snarf.nse",
        "smb-enum-sessions.nse",
        "vmauthd-brute.nse",
        "targets-asn.nse",
        "users.csv",
        "smb-enum-users.nse",
        "mysql-dump-hashes.nse",
        "broadcast-bjnp-discover.nse",
        "http-auth.nse",
        "dns-fuzz.nse",
        "broadcast-wsdd-discover.nse",
        "arm64e-apple-macos.swiftinterface",
        "http-shellshock.nse",
        "netbus-brute.nse",
        "http-ntlm-info.nse",
        "http-vuln-cve2013-7091.nse",
        "preboot_archive_errors.log",
        "ip-geolocation-maxmind.nse",
        "rdp-ntlm-info.nse",
        "epmd-info.nse",
        "sslv2.nse",
        "ajp-headers.nse",
        "dns-nsid.nse",
        "LDAP.tbd",
        "membase-http-info.nse",
        "ip-https-discover.nse",
        "oracle-tns-version.nse",
        "mongodb-brute.nse",
        "http-tplink-dir-traversal.nse",
        "index.html.en",
        "hddtemp-info.nse",
        "aliases",
        "ssl-ccs-injection.nse",
        "pf.conf",
        "http-proxy-brute.nse",
        "ssl-cert.nse",
        "MCError.h",
        "impress-remote-discover.nse",
        "smtp-brute.nse",
        "http-backup-finder.nse",
        "fox-info.nse",
        "gopher-ls.nse",
        "virtual",
        "membase-brute.nse",
        "scripts",
        "nessus-xmlrpc-brute.nse",
        "snmp-sysdescr.nse",
        "smb-print-text.nse",
        "targets-ipv6-wordlist.nse",
        "smb-system-info.nse",
        "finger.nse",
        "kern_loader.conf",
        "mysql-audit.nse",
        "ike-version.nse",
        "ms-sql-dump-hashes.nse",
        "http-icloud-findmyiphone.nse",
        "targets-sniffer.nse",
        "LICENSE",
        "http-vuln-cve2014-2128.nse",
        "broadcast-sonicwall-discover.nse",
        "ncp-serverinfo.nse",
        "nat-pmp-info.nse",
        "whois-ip.nse",
        "http-adobe-coldfusion-apsa1301.nse",
        "sudoers",
        "http-phpself-xss.nse",
        "MCSession.h",
        "ganglia-info.nse",
        "gdb_providers.py",
        "http-vuln-cve2014-8877.nse",
        "hadoop-datanode-info.nse",
        "tso-brute.nse",
        "smb-enum-services.nse",
        "nat-pmp-mapport.nse",
        "broadcast-ping.nse",
        "irc-botnet-channels.nse",
        "http-vuln-cve2014-3704.nse",
        "smb-security-mode.nse",
        "systemControls.csv",
        "broadcast-ataoe-discover.nse",
        "dbivport.h",
        "ubiquiti-discovery.nse",
        "rpc",
        "broadcast-networker-discover.nse",
        "http-favicon.nse",
        "metasploit-msgrpc-brute.nse",
        "resolv.conf",
        "ftp-libopie.nse",
        "http-userdir-enum.nse",
        "canonical",
        "pcanywhere-brute.nse",
        "auth-owners.nse",
        "ttys",
        "main.cf.proto",
        "rlogin-brute.nse",
        "pptp-version.nse",
        "http-vuln-cve2013-6786.nse",
        "imap-brute.nse",
        "mikrotik-routeros-brute.nse"
      ],
      "related": {
        "alienvault": {
          "adversary": [],
          "malware_families": [],
          "industries": [
            "Finance"
          ]
        },
        "other": {
          "adversary": [
            "DragonForce Malaysia Hacker Group"
          ],
          "malware_families": [
            "Win.virus.polyransom-5704625-0",
            "Wipes",
            "Trojan:win32/danabot.g",
            "Alf:pua:block:iobit.r!mtb",
            "Lastname",
            "Win32:cryptor",
            "Firstname",
            "Telper:cert:softwarebundler:win32/bunpredelt",
            "Backdoor:win32/poison.e"
          ],
          "industries": [
            "Finance"
          ]
        }
      }
    },
    "false_positive": []
  },
  "geo": {},
  "geo_ipapicom": {},
  "pulse_count": 17,
  "pulses": [
    {
      "id": "68c1a962edea5cd8c728d65c",
      "name": "AdaptixC2: A New Open-Source Framework Leveraged in Real-World Attacks",
      "description": "AdaptixC2, an open-source post-exploitation and adversarial emulation framework, has been observed being used in real-world attacks. This versatile tool allows threat actors to execute commands, transfer files, and perform data exfiltration on compromised systems. Its open-source nature enables easy customization, making it highly flexible and dangerous. The framework supports sophisticated tunneling capabilities, modular design with extenders, and various beacon agent formats. Two infection scenarios were analyzed: one using social engineering via Microsoft Teams, and another likely involving AI-generated scripts. The increasing prevalence of AdaptixC2 in attacks, including its use alongside ransomware, highlights the growing trend of attackers leveraging customizable frameworks to evade detection.",
      "modified": "2025-09-10T19:40:56.835000",
      "created": "2025-09-10T16:37:54.837000",
      "tags": [
        "data exfiltration",
        "c2 framework",
        "open-source",
        "adaptixc2",
        "tunneling",
        "ai-generated scripts",
        "foggyweb",
        "social engineering",
        "adversarial emulation",
        "post-exploitation"
      ],
      "references": [
        "https://unit42.paloaltonetworks.com/adaptixc2-post-exploitation-framework/"
      ],
      "public": 1,
      "adversary": "",
      "targeted_countries": [],
      "malware_families": [],
      "attack_ids": [
        {
          "id": "T1056.001",
          "name": "Keylogging",
          "display_name": "T1056.001 - Keylogging"
        },
        {
          "id": "T1082",
          "name": "System Information Discovery",
          "display_name": "T1082 - System Information Discovery"
        },
        {
          "id": "T1071",
          "name": "Application Layer Protocol",
          "display_name": "T1071 - Application Layer Protocol"
        },
        {
          "id": "T1055",
          "name": "Process Injection",
          "display_name": "T1055 - Process Injection"
        },
        {
          "id": "T1112",
          "name": "Modify Registry",
          "display_name": "T1112 - Modify Registry"
        },
        {
          "id": "T1090",
          "name": "Proxy",
          "display_name": "T1090 - Proxy"
        },
        {
          "id": "T1059",
          "name": "Command and Scripting Interpreter",
          "display_name": "T1059 - Command and Scripting Interpreter"
        },
        {
          "id": "T1083",
          "name": "File and Directory Discovery",
          "display_name": "T1083 - File and Directory Discovery"
        },
        {
          "id": "T1057",
          "name": "Process Discovery",
          "display_name": "T1057 - Process Discovery"
        },
        {
          "id": "T1041",
          "name": "Exfiltration Over C2 Channel",
          "display_name": "T1041 - Exfiltration Over C2 Channel"
        },
        {
          "id": "T1547.001",
          "name": "Registry Run Keys / Startup Folder",
          "display_name": "T1547.001 - Registry Run Keys / Startup Folder"
        },
        {
          "id": "T1027",
          "name": "Obfuscated Files or Information",
          "display_name": "T1027 - Obfuscated Files or Information"
        },
        {
          "id": "T1056",
          "name": "Input Capture",
          "display_name": "T1056 - Input Capture"
        },
        {
          "id": "T1095",
          "name": "Non-Application Layer Protocol",
          "display_name": "T1095 - Non-Application Layer Protocol"
        },
        {
          "id": "T1132",
          "name": "Data Encoding",
          "display_name": "T1132 - Data Encoding"
        },
        {
          "id": "T1134",
          "name": "Access Token Manipulation",
          "display_name": "T1134 - Access Token Manipulation"
        },
        {
          "id": "T1518",
          "name": "Software Discovery",
          "display_name": "T1518 - Software Discovery"
        },
        {
          "id": "T1105",
          "name": "Ingress Tool Transfer",
          "display_name": "T1105 - Ingress Tool Transfer"
        },
        {
          "id": "T1204.001",
          "name": "Malicious Link",
          "display_name": "T1204.001 - Malicious Link"
        },
        {
          "id": "T1569.002",
          "name": "Service Execution",
          "display_name": "T1569.002 - Service Execution"
        }
      ],
      "industries": [
        "Finance"
      ],
      "TLP": "white",
      "cloned_from": null,
      "export_count": 48,
      "upvotes_count": 0,
      "downvotes_count": 0,
      "votes_count": 0,
      "locked": false,
      "pulse_source": "api",
      "validator_count": 0,
      "comment_count": 0,
      "follower_count": 0,
      "vote": 0,
      "author": {
        "username": "AlienVault",
        "id": "2",
        "avatar_url": "/otxapi/users/avatar_image/media/avatars/user_2/resized/80/avatar_dacfad0ca8.png",
        "is_subscribed": true,
        "is_following": false
      },
      "indicator_type_counts": {
        "FileHash-SHA1": 1,
        "FileHash-SHA256": 7,
        "YARA": 3,
        "domain": 19,
        "hostname": 1
      },
      "indicator_count": 31,
      "is_author": false,
      "is_subscribing": null,
      "subscriber_count": 386536,
      "modified_text": "262 days ago ",
      "is_modified": true,
      "groups": [],
      "in_group": false,
      "threat_hunter_scannable": true,
      "threat_hunter_has_agents": 1,
      "related_indicator_type": "domain",
      "related_indicator_is_active": 1
    },
    {
      "id": "69eb254f17eb4a2a990f07e5",
      "name": "LevelBlue - Open Threat Exchange",
      "description": "[ As part of security research, we look at some of the most well-known vulnerabilities in the PDF ecosystem, and how they can be identified and mitigated, with the help of a simple hash.] [64xxxx]",
      "modified": "2026-05-28T07:10:11.800000",
      "created": "2026-04-24T08:09:51.488000",
      "tags": [
        "pdfkit",
        "cve202225765",
        "exploit script",
        "github",
        "unicordev",
        "cves",
        "xml external",
        "entity",
        "pdfs",
        "knowledge base",
        "python",
        "mozilla",
        "virustotal",
        "cisa",
        "apple",
        "microsoft",
        "pdfkit ruby",
        "remote code",
        "execution",
        "urls",
        "malware",
        "raid",
        "caddywiper",
        "wipes",
        "cve202543529",
        "webkit",
        "february",
        "cve202620643",
        "bypass",
        "march",
        "webkit bug",
        "command",
        "control",
        "levelblue",
        "open threat"
      ],
      "references": [
        "https://otx.alienvault.com/indicator/ip/198.49.23.145#:~:text=CIDR:%206%20%7C%20CVE:%20107,infrastructure%20into%20global%20botnet%20clusters."
      ],
      "public": 1,
      "adversary": "",
      "targeted_countries": [],
      "malware_families": [
        {
          "id": "Wipes",
          "display_name": "Wipes",
          "target": null
        }
      ],
      "attack_ids": [],
      "industries": [],
      "TLP": "green",
      "cloned_from": null,
      "export_count": 0,
      "upvotes_count": 0,
      "downvotes_count": 0,
      "votes_count": 0,
      "locked": false,
      "pulse_source": "web",
      "validator_count": 0,
      "comment_count": 1,
      "follower_count": 0,
      "vote": 0,
      "author": {
        "username": "msudosos",
        "id": "381696",
        "avatar_url": "https://otx.alienvault.com/assets/images/default-avatar.png",
        "is_subscribed": false,
        "is_following": false
      },
      "indicator_type_counts": {
        "FileHash-MD5": 1084,
        "FileHash-SHA1": 874,
        "FileHash-SHA256": 3052,
        "CVE": 36,
        "domain": 437,
        "hostname": 1086,
        "URL": 1411,
        "CIDR": 15,
        "email": 13
      },
      "indicator_count": 8008,
      "is_author": false,
      "is_subscribing": null,
      "subscriber_count": 70,
      "modified_text": "3 days ago ",
      "is_modified": true,
      "groups": [],
      "in_group": false,
      "threat_hunter_scannable": true,
      "threat_hunter_has_agents": 1,
      "related_indicator_type": "domain",
      "related_indicator_is_active": 1
    },
    {
      "id": "69d7a3f6f81dc2388c0fa027",
      "name": "VirusTotal report\n                    for flow-browser-main.zip",
      "description": "A sample of flow-browser-main, an unauthorised version of the web browser, has been detected by researchers at the University of California, Los Angeles, and the National Security Agency (NSA). myvzw.com after an email on ending a #",
      "modified": "2026-05-09T12:10:59.635000",
      "created": "2026-04-09T13:04:54.563000",
      "tags": [
        "file type",
        "png image",
        "ascii",
        "ascii text",
        "java source",
        "json",
        "rgba",
        "creates",
        "crlf line",
        "mac os",
        "date",
        "malicious",
        "next",
        "button",
        "span",
        "edit3icon",
        "rotateccwicon",
        "xicon",
        "htmldivelement",
        "react",
        "saveicon",
        "null",
        "shortcutitem",
        "click",
        "zip archive",
        "png multimedia",
        "graphics"
      ],
      "references": [
        "https://vtbehaviour.commondatastorage.googleapis.com/087797e64cf016f13eac46473b4150d49c7eba564c894300f69bc643b059c980_Zenbox.html?GoogleAccessId=758681729565-rc7fgq07icj8c9dm2gi34a4cckv235v1@developer.gserviceaccount.com&Expires=1775739500&Signature=r1pLCgJf%2FQK8TvenCwXy9bnghFzjJ5QssdQSLP37SLv6EkA3WXuFUIvKrsXKokco7bMfQUy%2FArk8F6aP%2Bhaj16Jv7P%2FGB%2Blf7mPvs47VjwfBJRCP8AZLlWvO45%2BjC68v798csdJFPTP31O4yDOE3pXZ3EThm4nSrIwLPhTSPfi3cPlEh2wLSzcySW7BYLw%2BqCoawFCxeLUz7hIV0vC89Mlwi3DeS%2BEnWFF%2FsvT9lVJjdbLoJLEeO",
        "https://vtbehaviour.commondatastorage.googleapis.com/087797e64cf016f13eac46473b4150d49c7eba564c894300f69bc643b059c980_CAPE%20Sandbox.html?GoogleAccessId=758681729565-rc7fgq07icj8c9dm2gi34a4cckv235v1@developer.gserviceaccount.com&Expires=1775739700&Signature=bOTo%2FxCpGDGOsIKJDZjBBhLZRg8UiOGi%2FvVr47Xpmh7tOh9dez7911bi%2F9SUdu4ATLhzRVog%2BdVP%2BUPwTuEfIdEcPuGRGVc1KOSP3fTQrKhRjF3x2dqykxVCH%2B1iqBmCgod%2B1uAdlraxqSOeOgst1l%2Bk250uXff4axktE%2BfGjeNDeGJao%2FfOMktqIL7zU8%2BIQYTObwelnnYx45FBSiXI1bWM4vhdgIX4cs2cT%2F"
      ],
      "public": 1,
      "adversary": "",
      "targeted_countries": [],
      "malware_families": [],
      "attack_ids": [
        {
          "id": "T1055",
          "name": "Process Injection",
          "display_name": "T1055 - Process Injection"
        },
        {
          "id": "T1071",
          "name": "Application Layer Protocol",
          "display_name": "T1071 - Application Layer Protocol"
        },
        {
          "id": "T1082",
          "name": "System Information Discovery",
          "display_name": "T1082 - System Information Discovery"
        },
        {
          "id": "T1095",
          "name": "Non-Application Layer Protocol",
          "display_name": "T1095 - Non-Application Layer Protocol"
        },
        {
          "id": "T1497",
          "name": "Virtualization/Sandbox Evasion",
          "display_name": "T1497 - Virtualization/Sandbox Evasion"
        },
        {
          "id": "T1518",
          "name": "Software Discovery",
          "display_name": "T1518 - Software Discovery"
        },
        {
          "id": "T1562",
          "name": "Impair Defenses",
          "display_name": "T1562 - Impair Defenses"
        },
        {
          "id": "T1574",
          "name": "Hijack Execution Flow",
          "display_name": "T1574 - Hijack Execution Flow"
        },
        {
          "id": "T1560",
          "name": "Archive Collected Data",
          "display_name": "T1560 - Archive Collected Data"
        }
      ],
      "industries": [],
      "TLP": "white",
      "cloned_from": null,
      "export_count": 0,
      "upvotes_count": 0,
      "downvotes_count": 0,
      "votes_count": 0,
      "locked": false,
      "pulse_source": "web",
      "validator_count": 0,
      "comment_count": 0,
      "follower_count": 0,
      "vote": 0,
      "author": {
        "username": "msudosos",
        "id": "381696",
        "avatar_url": "https://otx.alienvault.com/assets/images/default-avatar.png",
        "is_subscribed": false,
        "is_following": false
      },
      "indicator_type_counts": {
        "domain": 218,
        "FileHash-MD5": 558,
        "FileHash-SHA1": 564,
        "FileHash-SHA256": 558,
        "URL": 119,
        "hostname": 133,
        "email": 4
      },
      "indicator_count": 2154,
      "is_author": false,
      "is_subscribing": null,
      "subscriber_count": 67,
      "modified_text": "22 days ago ",
      "is_modified": true,
      "groups": [],
      "in_group": false,
      "threat_hunter_scannable": true,
      "threat_hunter_has_agents": 1,
      "related_indicator_type": "domain",
      "related_indicator_is_active": 1
    },
    {
      "id": "69d7a3f683111bbbe1c9ae35",
      "name": "VirusTotal report\n                    for flow-browser-main.zip",
      "description": "A sample of flow-browser-main, an unauthorised version of the web browser, has been detected by researchers at the University of California, Los Angeles, and the National Security Agency (NSA). myvzw.com after an email on ending a #",
      "modified": "2026-05-09T12:10:59.635000",
      "created": "2026-04-09T13:04:54.775000",
      "tags": [
        "file type",
        "png image",
        "ascii",
        "ascii text",
        "java source",
        "json",
        "rgba",
        "creates",
        "crlf line",
        "mac os",
        "date",
        "malicious",
        "next",
        "button",
        "span",
        "edit3icon",
        "rotateccwicon",
        "xicon",
        "htmldivelement",
        "react",
        "saveicon",
        "null",
        "shortcutitem",
        "click",
        "zip archive",
        "png multimedia",
        "graphics"
      ],
      "references": [
        "https://vtbehaviour.commondatastorage.googleapis.com/087797e64cf016f13eac46473b4150d49c7eba564c894300f69bc643b059c980_Zenbox.html?GoogleAccessId=758681729565-rc7fgq07icj8c9dm2gi34a4cckv235v1@developer.gserviceaccount.com&Expires=1775739500&Signature=r1pLCgJf%2FQK8TvenCwXy9bnghFzjJ5QssdQSLP37SLv6EkA3WXuFUIvKrsXKokco7bMfQUy%2FArk8F6aP%2Bhaj16Jv7P%2FGB%2Blf7mPvs47VjwfBJRCP8AZLlWvO45%2BjC68v798csdJFPTP31O4yDOE3pXZ3EThm4nSrIwLPhTSPfi3cPlEh2wLSzcySW7BYLw%2BqCoawFCxeLUz7hIV0vC89Mlwi3DeS%2BEnWFF%2FsvT9lVJjdbLoJLEeO",
        "https://vtbehaviour.commondatastorage.googleapis.com/087797e64cf016f13eac46473b4150d49c7eba564c894300f69bc643b059c980_CAPE%20Sandbox.html?GoogleAccessId=758681729565-rc7fgq07icj8c9dm2gi34a4cckv235v1@developer.gserviceaccount.com&Expires=1775739700&Signature=bOTo%2FxCpGDGOsIKJDZjBBhLZRg8UiOGi%2FvVr47Xpmh7tOh9dez7911bi%2F9SUdu4ATLhzRVog%2BdVP%2BUPwTuEfIdEcPuGRGVc1KOSP3fTQrKhRjF3x2dqykxVCH%2B1iqBmCgod%2B1uAdlraxqSOeOgst1l%2Bk250uXff4axktE%2BfGjeNDeGJao%2FfOMktqIL7zU8%2BIQYTObwelnnYx45FBSiXI1bWM4vhdgIX4cs2cT%2F"
      ],
      "public": 1,
      "adversary": "",
      "targeted_countries": [],
      "malware_families": [],
      "attack_ids": [
        {
          "id": "T1055",
          "name": "Process Injection",
          "display_name": "T1055 - Process Injection"
        },
        {
          "id": "T1071",
          "name": "Application Layer Protocol",
          "display_name": "T1071 - Application Layer Protocol"
        },
        {
          "id": "T1082",
          "name": "System Information Discovery",
          "display_name": "T1082 - System Information Discovery"
        },
        {
          "id": "T1095",
          "name": "Non-Application Layer Protocol",
          "display_name": "T1095 - Non-Application Layer Protocol"
        },
        {
          "id": "T1497",
          "name": "Virtualization/Sandbox Evasion",
          "display_name": "T1497 - Virtualization/Sandbox Evasion"
        },
        {
          "id": "T1518",
          "name": "Software Discovery",
          "display_name": "T1518 - Software Discovery"
        },
        {
          "id": "T1562",
          "name": "Impair Defenses",
          "display_name": "T1562 - Impair Defenses"
        },
        {
          "id": "T1574",
          "name": "Hijack Execution Flow",
          "display_name": "T1574 - Hijack Execution Flow"
        },
        {
          "id": "T1560",
          "name": "Archive Collected Data",
          "display_name": "T1560 - Archive Collected Data"
        }
      ],
      "industries": [],
      "TLP": "white",
      "cloned_from": null,
      "export_count": 0,
      "upvotes_count": 0,
      "downvotes_count": 0,
      "votes_count": 0,
      "locked": false,
      "pulse_source": "web",
      "validator_count": 0,
      "comment_count": 0,
      "follower_count": 0,
      "vote": 0,
      "author": {
        "username": "msudosos",
        "id": "381696",
        "avatar_url": "https://otx.alienvault.com/assets/images/default-avatar.png",
        "is_subscribed": false,
        "is_following": false
      },
      "indicator_type_counts": {
        "domain": 218,
        "FileHash-MD5": 558,
        "FileHash-SHA1": 564,
        "FileHash-SHA256": 558,
        "URL": 119,
        "hostname": 133,
        "email": 4
      },
      "indicator_count": 2154,
      "is_author": false,
      "is_subscribing": null,
      "subscriber_count": 68,
      "modified_text": "22 days ago ",
      "is_modified": true,
      "groups": [],
      "in_group": false,
      "threat_hunter_scannable": true,
      "threat_hunter_has_agents": 1,
      "related_indicator_type": "domain",
      "related_indicator_is_active": 1
    },
    {
      "id": "69d7a3f6657dd0c212d8344a",
      "name": "VirusTotal report\n                    for flow-browser-main.zip",
      "description": "A sample of flow-browser-main, an unauthorised version of the web browser, has been detected by researchers at the University of California, Los Angeles, and the National Security Agency (NSA). myvzw.com after an email on ending a #",
      "modified": "2026-05-09T12:10:59.635000",
      "created": "2026-04-09T13:04:54.060000",
      "tags": [
        "file type",
        "png image",
        "ascii",
        "ascii text",
        "java source",
        "json",
        "rgba",
        "creates",
        "crlf line",
        "mac os",
        "date",
        "malicious",
        "next",
        "button",
        "span",
        "edit3icon",
        "rotateccwicon",
        "xicon",
        "htmldivelement",
        "react",
        "saveicon",
        "null",
        "shortcutitem",
        "click",
        "zip archive",
        "png multimedia",
        "graphics"
      ],
      "references": [
        "https://vtbehaviour.commondatastorage.googleapis.com/087797e64cf016f13eac46473b4150d49c7eba564c894300f69bc643b059c980_Zenbox.html?GoogleAccessId=758681729565-rc7fgq07icj8c9dm2gi34a4cckv235v1@developer.gserviceaccount.com&Expires=1775739500&Signature=r1pLCgJf%2FQK8TvenCwXy9bnghFzjJ5QssdQSLP37SLv6EkA3WXuFUIvKrsXKokco7bMfQUy%2FArk8F6aP%2Bhaj16Jv7P%2FGB%2Blf7mPvs47VjwfBJRCP8AZLlWvO45%2BjC68v798csdJFPTP31O4yDOE3pXZ3EThm4nSrIwLPhTSPfi3cPlEh2wLSzcySW7BYLw%2BqCoawFCxeLUz7hIV0vC89Mlwi3DeS%2BEnWFF%2FsvT9lVJjdbLoJLEeO",
        "https://vtbehaviour.commondatastorage.googleapis.com/087797e64cf016f13eac46473b4150d49c7eba564c894300f69bc643b059c980_CAPE%20Sandbox.html?GoogleAccessId=758681729565-rc7fgq07icj8c9dm2gi34a4cckv235v1@developer.gserviceaccount.com&Expires=1775739700&Signature=bOTo%2FxCpGDGOsIKJDZjBBhLZRg8UiOGi%2FvVr47Xpmh7tOh9dez7911bi%2F9SUdu4ATLhzRVog%2BdVP%2BUPwTuEfIdEcPuGRGVc1KOSP3fTQrKhRjF3x2dqykxVCH%2B1iqBmCgod%2B1uAdlraxqSOeOgst1l%2Bk250uXff4axktE%2BfGjeNDeGJao%2FfOMktqIL7zU8%2BIQYTObwelnnYx45FBSiXI1bWM4vhdgIX4cs2cT%2F"
      ],
      "public": 1,
      "adversary": "",
      "targeted_countries": [],
      "malware_families": [],
      "attack_ids": [
        {
          "id": "T1055",
          "name": "Process Injection",
          "display_name": "T1055 - Process Injection"
        },
        {
          "id": "T1071",
          "name": "Application Layer Protocol",
          "display_name": "T1071 - Application Layer Protocol"
        },
        {
          "id": "T1082",
          "name": "System Information Discovery",
          "display_name": "T1082 - System Information Discovery"
        },
        {
          "id": "T1095",
          "name": "Non-Application Layer Protocol",
          "display_name": "T1095 - Non-Application Layer Protocol"
        },
        {
          "id": "T1497",
          "name": "Virtualization/Sandbox Evasion",
          "display_name": "T1497 - Virtualization/Sandbox Evasion"
        },
        {
          "id": "T1518",
          "name": "Software Discovery",
          "display_name": "T1518 - Software Discovery"
        },
        {
          "id": "T1562",
          "name": "Impair Defenses",
          "display_name": "T1562 - Impair Defenses"
        },
        {
          "id": "T1574",
          "name": "Hijack Execution Flow",
          "display_name": "T1574 - Hijack Execution Flow"
        },
        {
          "id": "T1560",
          "name": "Archive Collected Data",
          "display_name": "T1560 - Archive Collected Data"
        }
      ],
      "industries": [],
      "TLP": "white",
      "cloned_from": null,
      "export_count": 0,
      "upvotes_count": 0,
      "downvotes_count": 0,
      "votes_count": 0,
      "locked": false,
      "pulse_source": "web",
      "validator_count": 0,
      "comment_count": 0,
      "follower_count": 0,
      "vote": 0,
      "author": {
        "username": "msudosos",
        "id": "381696",
        "avatar_url": "https://otx.alienvault.com/assets/images/default-avatar.png",
        "is_subscribed": false,
        "is_following": false
      },
      "indicator_type_counts": {
        "domain": 217,
        "FileHash-MD5": 558,
        "FileHash-SHA1": 564,
        "FileHash-SHA256": 558,
        "URL": 118,
        "hostname": 133,
        "email": 2
      },
      "indicator_count": 2150,
      "is_author": false,
      "is_subscribing": null,
      "subscriber_count": 67,
      "modified_text": "22 days ago ",
      "is_modified": true,
      "groups": [],
      "in_group": false,
      "threat_hunter_scannable": true,
      "threat_hunter_has_agents": 1,
      "related_indicator_type": "domain",
      "related_indicator_is_active": 1
    },
    {
      "id": "69d7a3f511d0121d253b753d",
      "name": "VirusTotal report\n                    for flow-browser-main.zip",
      "description": "A sample of flow-browser-main, an unauthorised version of the web browser, has been detected by researchers at the University of California, Los Angeles, and the National Security Agency (NSA). myvzw.com after an email on ending a #",
      "modified": "2026-05-09T12:10:59.635000",
      "created": "2026-04-09T13:04:53.436000",
      "tags": [
        "file type",
        "png image",
        "ascii",
        "ascii text",
        "java source",
        "json",
        "rgba",
        "creates",
        "crlf line",
        "mac os",
        "date",
        "malicious",
        "next",
        "button",
        "span",
        "edit3icon",
        "rotateccwicon",
        "xicon",
        "htmldivelement",
        "react",
        "saveicon",
        "null",
        "shortcutitem",
        "click",
        "zip archive",
        "png multimedia",
        "graphics"
      ],
      "references": [
        "https://vtbehaviour.commondatastorage.googleapis.com/087797e64cf016f13eac46473b4150d49c7eba564c894300f69bc643b059c980_Zenbox.html?GoogleAccessId=758681729565-rc7fgq07icj8c9dm2gi34a4cckv235v1@developer.gserviceaccount.com&Expires=1775739500&Signature=r1pLCgJf%2FQK8TvenCwXy9bnghFzjJ5QssdQSLP37SLv6EkA3WXuFUIvKrsXKokco7bMfQUy%2FArk8F6aP%2Bhaj16Jv7P%2FGB%2Blf7mPvs47VjwfBJRCP8AZLlWvO45%2BjC68v798csdJFPTP31O4yDOE3pXZ3EThm4nSrIwLPhTSPfi3cPlEh2wLSzcySW7BYLw%2BqCoawFCxeLUz7hIV0vC89Mlwi3DeS%2BEnWFF%2FsvT9lVJjdbLoJLEeO",
        "https://vtbehaviour.commondatastorage.googleapis.com/087797e64cf016f13eac46473b4150d49c7eba564c894300f69bc643b059c980_CAPE%20Sandbox.html?GoogleAccessId=758681729565-rc7fgq07icj8c9dm2gi34a4cckv235v1@developer.gserviceaccount.com&Expires=1775739700&Signature=bOTo%2FxCpGDGOsIKJDZjBBhLZRg8UiOGi%2FvVr47Xpmh7tOh9dez7911bi%2F9SUdu4ATLhzRVog%2BdVP%2BUPwTuEfIdEcPuGRGVc1KOSP3fTQrKhRjF3x2dqykxVCH%2B1iqBmCgod%2B1uAdlraxqSOeOgst1l%2Bk250uXff4axktE%2BfGjeNDeGJao%2FfOMktqIL7zU8%2BIQYTObwelnnYx45FBSiXI1bWM4vhdgIX4cs2cT%2F"
      ],
      "public": 1,
      "adversary": "",
      "targeted_countries": [],
      "malware_families": [],
      "attack_ids": [
        {
          "id": "T1055",
          "name": "Process Injection",
          "display_name": "T1055 - Process Injection"
        },
        {
          "id": "T1071",
          "name": "Application Layer Protocol",
          "display_name": "T1071 - Application Layer Protocol"
        },
        {
          "id": "T1082",
          "name": "System Information Discovery",
          "display_name": "T1082 - System Information Discovery"
        },
        {
          "id": "T1095",
          "name": "Non-Application Layer Protocol",
          "display_name": "T1095 - Non-Application Layer Protocol"
        },
        {
          "id": "T1497",
          "name": "Virtualization/Sandbox Evasion",
          "display_name": "T1497 - Virtualization/Sandbox Evasion"
        },
        {
          "id": "T1518",
          "name": "Software Discovery",
          "display_name": "T1518 - Software Discovery"
        },
        {
          "id": "T1562",
          "name": "Impair Defenses",
          "display_name": "T1562 - Impair Defenses"
        },
        {
          "id": "T1574",
          "name": "Hijack Execution Flow",
          "display_name": "T1574 - Hijack Execution Flow"
        },
        {
          "id": "T1560",
          "name": "Archive Collected Data",
          "display_name": "T1560 - Archive Collected Data"
        }
      ],
      "industries": [],
      "TLP": "white",
      "cloned_from": null,
      "export_count": 0,
      "upvotes_count": 0,
      "downvotes_count": 0,
      "votes_count": 0,
      "locked": false,
      "pulse_source": "web",
      "validator_count": 0,
      "comment_count": 0,
      "follower_count": 0,
      "vote": 0,
      "author": {
        "username": "msudosos",
        "id": "381696",
        "avatar_url": "https://otx.alienvault.com/assets/images/default-avatar.png",
        "is_subscribed": false,
        "is_following": false
      },
      "indicator_type_counts": {
        "domain": 224,
        "FileHash-MD5": 558,
        "FileHash-SHA1": 564,
        "FileHash-SHA256": 558,
        "URL": 140,
        "hostname": 166,
        "email": 2,
        "CVE": 8
      },
      "indicator_count": 2220,
      "is_author": false,
      "is_subscribing": null,
      "subscriber_count": 68,
      "modified_text": "22 days ago ",
      "is_modified": true,
      "groups": [],
      "in_group": false,
      "threat_hunter_scannable": true,
      "threat_hunter_has_agents": 1,
      "related_indicator_type": "domain",
      "related_indicator_is_active": 1
    },
    {
      "id": "69d7a3f4d72c30f9586634b9",
      "name": "VirusTotal report\n                    for flow-browser-main.zip",
      "description": "A sample of flow-browser-main, an unauthorised version of the web browser, has been detected by researchers at the University of California, Los Angeles, and the National Security Agency (NSA). myvzw.com after an email on ending a #",
      "modified": "2026-05-09T12:10:59.635000",
      "created": "2026-04-09T13:04:52.444000",
      "tags": [
        "file type",
        "png image",
        "ascii",
        "ascii text",
        "java source",
        "json",
        "rgba",
        "creates",
        "crlf line",
        "mac os",
        "date",
        "malicious",
        "next",
        "button",
        "span",
        "edit3icon",
        "rotateccwicon",
        "xicon",
        "htmldivelement",
        "react",
        "saveicon",
        "null",
        "shortcutitem",
        "click",
        "zip archive",
        "png multimedia",
        "graphics"
      ],
      "references": [
        "https://vtbehaviour.commondatastorage.googleapis.com/087797e64cf016f13eac46473b4150d49c7eba564c894300f69bc643b059c980_Zenbox.html?GoogleAccessId=758681729565-rc7fgq07icj8c9dm2gi34a4cckv235v1@developer.gserviceaccount.com&Expires=1775739500&Signature=r1pLCgJf%2FQK8TvenCwXy9bnghFzjJ5QssdQSLP37SLv6EkA3WXuFUIvKrsXKokco7bMfQUy%2FArk8F6aP%2Bhaj16Jv7P%2FGB%2Blf7mPvs47VjwfBJRCP8AZLlWvO45%2BjC68v798csdJFPTP31O4yDOE3pXZ3EThm4nSrIwLPhTSPfi3cPlEh2wLSzcySW7BYLw%2BqCoawFCxeLUz7hIV0vC89Mlwi3DeS%2BEnWFF%2FsvT9lVJjdbLoJLEeO",
        "https://vtbehaviour.commondatastorage.googleapis.com/087797e64cf016f13eac46473b4150d49c7eba564c894300f69bc643b059c980_CAPE%20Sandbox.html?GoogleAccessId=758681729565-rc7fgq07icj8c9dm2gi34a4cckv235v1@developer.gserviceaccount.com&Expires=1775739700&Signature=bOTo%2FxCpGDGOsIKJDZjBBhLZRg8UiOGi%2FvVr47Xpmh7tOh9dez7911bi%2F9SUdu4ATLhzRVog%2BdVP%2BUPwTuEfIdEcPuGRGVc1KOSP3fTQrKhRjF3x2dqykxVCH%2B1iqBmCgod%2B1uAdlraxqSOeOgst1l%2Bk250uXff4axktE%2BfGjeNDeGJao%2FfOMktqIL7zU8%2BIQYTObwelnnYx45FBSiXI1bWM4vhdgIX4cs2cT%2F"
      ],
      "public": 1,
      "adversary": "",
      "targeted_countries": [],
      "malware_families": [],
      "attack_ids": [
        {
          "id": "T1055",
          "name": "Process Injection",
          "display_name": "T1055 - Process Injection"
        },
        {
          "id": "T1071",
          "name": "Application Layer Protocol",
          "display_name": "T1071 - Application Layer Protocol"
        },
        {
          "id": "T1082",
          "name": "System Information Discovery",
          "display_name": "T1082 - System Information Discovery"
        },
        {
          "id": "T1095",
          "name": "Non-Application Layer Protocol",
          "display_name": "T1095 - Non-Application Layer Protocol"
        },
        {
          "id": "T1497",
          "name": "Virtualization/Sandbox Evasion",
          "display_name": "T1497 - Virtualization/Sandbox Evasion"
        },
        {
          "id": "T1518",
          "name": "Software Discovery",
          "display_name": "T1518 - Software Discovery"
        },
        {
          "id": "T1562",
          "name": "Impair Defenses",
          "display_name": "T1562 - Impair Defenses"
        },
        {
          "id": "T1574",
          "name": "Hijack Execution Flow",
          "display_name": "T1574 - Hijack Execution Flow"
        },
        {
          "id": "T1560",
          "name": "Archive Collected Data",
          "display_name": "T1560 - Archive Collected Data"
        }
      ],
      "industries": [],
      "TLP": "white",
      "cloned_from": null,
      "export_count": 0,
      "upvotes_count": 0,
      "downvotes_count": 0,
      "votes_count": 0,
      "locked": false,
      "pulse_source": "web",
      "validator_count": 0,
      "comment_count": 0,
      "follower_count": 0,
      "vote": 0,
      "author": {
        "username": "msudosos",
        "id": "381696",
        "avatar_url": "https://otx.alienvault.com/assets/images/default-avatar.png",
        "is_subscribed": false,
        "is_following": false
      },
      "indicator_type_counts": {
        "domain": 220,
        "FileHash-MD5": 562,
        "FileHash-SHA1": 566,
        "FileHash-SHA256": 1011,
        "URL": 125,
        "hostname": 139,
        "email": 4
      },
      "indicator_count": 2627,
      "is_author": false,
      "is_subscribing": null,
      "subscriber_count": 67,
      "modified_text": "22 days ago ",
      "is_modified": true,
      "groups": [],
      "in_group": false,
      "threat_hunter_scannable": true,
      "threat_hunter_has_agents": 1,
      "related_indicator_type": "domain",
      "related_indicator_is_active": 1
    },
    {
      "id": "69d79c38e0a059039b475ebe",
      "name": "CAPE Sandbox",
      "description": "<Here is a full list of annotations and links to the research published in the journal of the Open Science.. \u00a31.5m (3.3m euros) in its first year.>Email today from them on my line. Very wild things happening here. trying to close my line",
      "modified": "2026-05-09T12:10:59.635000",
      "created": "2026-04-09T12:31:52.495000",
      "tags": [
        "html document",
        "unicode text",
        "utf8 text",
        "crlf",
        "lf line",
        "site",
        "meta",
        "verizon",
        "wireless",
        "internet",
        "phone services",
        "official",
        "shop verizon",
        "lte network",
        "get fios",
        "title",
        "code",
        "error",
        "utc na",
        "utc google",
        "tag manager",
        "gtmw2vn2cq",
        "utc dc9849921",
        "utc dc685973",
        "utc g12r1dx1lx7",
        "utc aw647962234",
        "utc aw2761768",
        "utc aw685973",
        "verizon business",
        "verizon for business",
        "verizon business account",
        "verizon business phone",
        "verizon wireless for business",
        "verizon business service",
        "verizon business plan",
        "business internet services",
        "learn",
        "gartner",
        "contact",
        "find",
        "discover",
        "support",
        "close log",
        "shop",
        "upgrade",
        "small",
        "voice",
        "chat",
        "mitre attack",
        "network info",
        "program",
        "html page",
        "t1055 process",
        "overview",
        "processes extra",
        "overview zenbox",
        "verdict",
        "guest system",
        "phishing",
        "next",
        "ver2",
        "msclkidn",
        "utc amazon",
        "analytics na",
        "utc bing",
        "vids1",
        "vids0",
        "gdlname"
      ],
      "references": [
        "https://vtbehaviour.commondatastorage.googleapis.com/edb4c21d60daa44b3429e7ba9bfa342759ebef23c136c934f74aef145453ce19_CAPE%20Sandbox.html?GoogleAccessId=758681729565-rc7fgq07icj8c9dm2gi34a4cckv235v1@developer.gserviceaccount.com&Expires=1775737365&Signature=S%2B7RcHYjab1hbKlKwFfvUbDirFPJS1A2TJQ3bVIObMcON4PD9pRDvhMtYMCnEBrYsICi0UJCFW5eUDolL5Jlbngsc587kF36vvuhlkPprbkSOY1jOyDTpe3Qsb6jRFz3xwOfZc9S5QervoLnRKb%2FyGSyZE6ZK6TxzBrOPczPtZ7sLf9NfD6E%2B2gMRXaRjEqVwVITLG7YqCiiNuohFOuNlK3uNHFpIk53viKvBSAIqLtSklH9bHW4q1DX",
        "https://www.verizon.com/business/",
        "https://vtbehaviour.commondatastorage.googleapis.com/edb4c21d60daa44b3429e7ba9bfa342759ebef23c136c934f74aef145453ce19_Zenbox.html?GoogleAccessId=758681729565-rc7fgq07icj8c9dm2gi34a4cckv235v1@developer.gserviceaccount.com&Expires=1775737710&Signature=fbsokraSd7lsYmUfaTEl8Phs2K3hp7AtVmQU9axeEBcYmYbrrYrrfpP5lPEQaE%2Fh3%2BEP9Rn8mD8D1haqQVXCN0VVlxJ4sddjWmyC5USsgBsvUb0%2F72h1WHDS2KXHlteZWE%2Bauckabain9D5kX501AnqFY38s77OIqO6SMOkQ%2BvXiDSSRK%2FZhbfradBnei3ZLHsXGxkoshTyvB0%2BC%2F8SiUzdVsqSjik0Bn2r%2BIlLpDQK90GlZTD0N"
      ],
      "public": 1,
      "adversary": "",
      "targeted_countries": [],
      "malware_families": [],
      "attack_ids": [
        {
          "id": "T1055",
          "name": "Process Injection",
          "display_name": "T1055 - Process Injection"
        },
        {
          "id": "T1071",
          "name": "Application Layer Protocol",
          "display_name": "T1071 - Application Layer Protocol"
        },
        {
          "id": "T1095",
          "name": "Non-Application Layer Protocol",
          "display_name": "T1095 - Non-Application Layer Protocol"
        }
      ],
      "industries": [],
      "TLP": "white",
      "cloned_from": null,
      "export_count": 0,
      "upvotes_count": 0,
      "downvotes_count": 0,
      "votes_count": 0,
      "locked": false,
      "pulse_source": "web",
      "validator_count": 0,
      "comment_count": 0,
      "follower_count": 0,
      "vote": 0,
      "author": {
        "username": "msudosos",
        "id": "381696",
        "avatar_url": "https://otx.alienvault.com/assets/images/default-avatar.png",
        "is_subscribed": false,
        "is_following": false
      },
      "indicator_type_counts": {
        "URL": 772,
        "hostname": 706,
        "domain": 875,
        "FileHash-SHA256": 2348,
        "FileHash-MD5": 2237,
        "FileHash-SHA1": 2260,
        "CVE": 1,
        "email": 9
      },
      "indicator_count": 9208,
      "is_author": false,
      "is_subscribing": null,
      "subscriber_count": 67,
      "modified_text": "22 days ago ",
      "is_modified": true,
      "groups": [],
      "in_group": false,
      "threat_hunter_scannable": true,
      "threat_hunter_has_agents": 1,
      "related_indicator_type": "domain",
      "related_indicator_is_active": 1
    },
    {
      "id": "69d4f2db0b3448671adcce16",
      "name": "VirusTotal report\n                    for sample.crx",
      "description": "A small sample of malware has been identified by researchers at the University of Oregon in the US, and the results are published on the web, as well as on Google's Chrome extension and other sites.",
      "modified": "2026-05-07T12:05:50.774000",
      "created": "2026-04-07T12:04:43.156000",
      "tags": [
        "file type",
        "json",
        "ascii text",
        "png image",
        "crlf line",
        "ascii",
        "rgba",
        "unicode text",
        "utf8 text",
        "defense evasion",
        "malicious"
      ],
      "references": [],
      "public": 1,
      "adversary": "",
      "targeted_countries": [],
      "malware_families": [],
      "attack_ids": [
        {
          "id": "T1055",
          "name": "Process Injection",
          "display_name": "T1055 - Process Injection"
        },
        {
          "id": "T1071",
          "name": "Application Layer Protocol",
          "display_name": "T1071 - Application Layer Protocol"
        },
        {
          "id": "T1082",
          "name": "System Information Discovery",
          "display_name": "T1082 - System Information Discovery"
        },
        {
          "id": "T1095",
          "name": "Non-Application Layer Protocol",
          "display_name": "T1095 - Non-Application Layer Protocol"
        },
        {
          "id": "T1574",
          "name": "Hijack Execution Flow",
          "display_name": "T1574 - Hijack Execution Flow"
        },
        {
          "id": "T1497",
          "name": "Virtualization/Sandbox Evasion",
          "display_name": "T1497 - Virtualization/Sandbox Evasion"
        },
        {
          "id": "T1518",
          "name": "Software Discovery",
          "display_name": "T1518 - Software Discovery"
        },
        {
          "id": "T1562",
          "name": "Impair Defenses",
          "display_name": "T1562 - Impair Defenses"
        }
      ],
      "industries": [],
      "TLP": "green",
      "cloned_from": null,
      "export_count": 0,
      "upvotes_count": 0,
      "downvotes_count": 0,
      "votes_count": 0,
      "locked": false,
      "pulse_source": "web",
      "validator_count": 0,
      "comment_count": 0,
      "follower_count": 0,
      "vote": 0,
      "author": {
        "username": "msudosos",
        "id": "381696",
        "avatar_url": "https://otx.alienvault.com/assets/images/default-avatar.png",
        "is_subscribed": false,
        "is_following": false
      },
      "indicator_type_counts": {
        "FileHash-SHA256": 668,
        "FileHash-MD5": 668,
        "FileHash-SHA1": 675,
        "URL": 153,
        "domain": 230,
        "hostname": 177,
        "email": 2
      },
      "indicator_count": 2573,
      "is_author": false,
      "is_subscribing": null,
      "subscriber_count": 68,
      "modified_text": "24 days ago ",
      "is_modified": true,
      "groups": [],
      "in_group": false,
      "threat_hunter_scannable": true,
      "threat_hunter_has_agents": 1,
      "related_indicator_type": "domain",
      "related_indicator_is_active": 1
    },
    {
      "id": "69d4f2dd828bbf0ac5efaa23",
      "name": "VirusTotal report\n                    for sample.crx",
      "description": "A small sample of malware has been identified by researchers at the University of Oregon in the US, and the results are published on the web, as well as on Google's Chrome extension and other sites.",
      "modified": "2026-05-07T12:05:50.774000",
      "created": "2026-04-07T12:04:44.957000",
      "tags": [
        "file type",
        "json",
        "ascii text",
        "png image",
        "crlf line",
        "ascii",
        "rgba",
        "unicode text",
        "utf8 text",
        "defense evasion",
        "malicious"
      ],
      "references": [],
      "public": 1,
      "adversary": "",
      "targeted_countries": [],
      "malware_families": [],
      "attack_ids": [
        {
          "id": "T1055",
          "name": "Process Injection",
          "display_name": "T1055 - Process Injection"
        },
        {
          "id": "T1071",
          "name": "Application Layer Protocol",
          "display_name": "T1071 - Application Layer Protocol"
        },
        {
          "id": "T1082",
          "name": "System Information Discovery",
          "display_name": "T1082 - System Information Discovery"
        },
        {
          "id": "T1095",
          "name": "Non-Application Layer Protocol",
          "display_name": "T1095 - Non-Application Layer Protocol"
        },
        {
          "id": "T1574",
          "name": "Hijack Execution Flow",
          "display_name": "T1574 - Hijack Execution Flow"
        },
        {
          "id": "T1497",
          "name": "Virtualization/Sandbox Evasion",
          "display_name": "T1497 - Virtualization/Sandbox Evasion"
        },
        {
          "id": "T1518",
          "name": "Software Discovery",
          "display_name": "T1518 - Software Discovery"
        },
        {
          "id": "T1562",
          "name": "Impair Defenses",
          "display_name": "T1562 - Impair Defenses"
        }
      ],
      "industries": [],
      "TLP": "green",
      "cloned_from": null,
      "export_count": 0,
      "upvotes_count": 0,
      "downvotes_count": 0,
      "votes_count": 0,
      "locked": false,
      "pulse_source": "web",
      "validator_count": 0,
      "comment_count": 1,
      "follower_count": 0,
      "vote": 0,
      "author": {
        "username": "msudosos",
        "id": "381696",
        "avatar_url": "https://otx.alienvault.com/assets/images/default-avatar.png",
        "is_subscribed": false,
        "is_following": false
      },
      "indicator_type_counts": {
        "FileHash-SHA256": 668,
        "FileHash-MD5": 668,
        "FileHash-SHA1": 675,
        "URL": 153,
        "domain": 230,
        "hostname": 177,
        "email": 2
      },
      "indicator_count": 2573,
      "is_author": false,
      "is_subscribing": null,
      "subscriber_count": 68,
      "modified_text": "24 days ago ",
      "is_modified": true,
      "groups": [],
      "in_group": false,
      "threat_hunter_scannable": true,
      "threat_hunter_has_agents": 1,
      "related_indicator_type": "domain",
      "related_indicator_is_active": 1
    }
  ],
  "error": null,
  "vt": {
    "error": "VirusTotal rate limit reached. Try again shortly.",
    "indicator": "self.data",
    "type": "Domain"
  },
  "abuseipdb": null,
  "urlhaus": {
    "indicator": "self.data",
    "found": false,
    "verdict": "clean",
    "urls": [],
    "error": null
  },
  "from_cache": true,
  "_cached_at": 1780236217.7418864
}